With The OMB Data Breach Cyber Security Sprint There Were 8 Principles And We Provide 8 Keys – Chuck Leaver

Written By Dr Al Hartmann And Presented By Chuck Leaver Ziften CEO


After the massive data breach at the Office of Personnel Management (OPM), Tony Scott, the Federal Chief Information Officer at the Office of Management and Budget (OMB), instructed federal agencies to take immediate, specific actions over the following 30 days to further improve the security of their data and systems. For an organization of this size that was a bold step, but software development has shown that sprinting, acting fast on a problem within a short fixed window, can make a great deal of headway. That is especially true for large organizations, and the federal government is certainly large.

The sprint focused on eight principles. We have broken these down and offered insight on how each could be made more effective within the timeframe, to help the government make substantial inroads in a single month. As you would expect, we look at each from the endpoint, and reading through the eight principles shows how endpoint visibility would have been essential to a successful sprint.

1. Protecting data: Better secure data at rest and in transit.

This is an excellent start, and rightly priority number one, but we would strongly encourage OMB to add the endpoint here. Many data security solutions neglect the endpoint, yet it is where data is most exposed, whether at rest or in transit. The sprint team should check whether it can assess endpoint hardware and software configuration, including the presence of any data protection and system security agents and the Microsoft BitLocker configuration on each machine. And that is only the start: compliance checking of mandated agents must not be forgotten, and it must run continuously, so that audit reports can state the percentage coverage for each agent.
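The continuous compliance check described above, as an added example that is not code from the original article or from Ziften. It runs over a constructed inventory; the record layout is an assumption (the article names no schema), with each endpoint listing the security agents a configuration scan found and the BitLocker state of each volume, using the VolumeStatus names that Windows' Get-BitLockerVolume reports. The agent names (av, dlp, edr) are placeholders.

```python
"""Continuous compliance audit over an endpoint inventory (constructed data).

The record layout is an assumption: each endpoint lists the security agents found by a
configuration scan and the BitLocker protection state of each volume, using the
VolumeStatus names Get-BitLockerVolume reports (FullyEncrypted, FullyDecrypted, ...).
"""
from collections import Counter

# Agents the policy mandates on every endpoint (placeholder names).
MANDATED_AGENTS = {"av", "dlp", "edr"}

# Constructed inventory; in practice this is the output of the endpoint agent's scan.
INVENTORY = [
    {"host": "ws-001", "agents": {"av", "dlp", "edr"}, "bitlocker": {"C:": "FullyEncrypted"}},
    {"host": "ws-002", "agents": {"av", "edr"},        "bitlocker": {"C:": "FullyEncrypted"}},
    {"host": "ws-003", "agents": {"av", "dlp", "edr"}, "bitlocker": {"C:": "FullyDecrypted"}},
    {"host": "ws-004", "agents": set(),
     "bitlocker": {"C:": "EncryptionInProgress", "D:": "FullyDecrypted"}},
    {"host": "ws-005", "agents": {"av", "dlp", "edr"}, "bitlocker": {"C:": "FullyEncrypted"}},
]


def agent_coverage(inventory, mandated=MANDATED_AGENTS):
    """Percentage of endpoints reporting each mandated agent: the audit figure."""
    if not inventory:
        return {agent: 0.0 for agent in sorted(mandated)}
    present = Counter()
    for ep in inventory:
        present.update(mandated & ep["agents"])   # one count per agent present
    total = len(inventory)
    return {agent: round(100.0 * present[agent] / total, 1) for agent in sorted(mandated)}


def noncompliant(inventory, mandated=MANDATED_AGENTS):
    """Endpoints missing a mandated agent or with any volume not fully encrypted,
    with the reasons, so the list can be handed to support for remediation."""
    findings = {}
    for ep in inventory:
        reasons = ["missing agent %s" % a for a in sorted(mandated - ep["agents"])]
        reasons += ["%s %s" % (vol, state) for vol, state in ep["bitlocker"].items()
                    if state != "FullyEncrypted"]
        if reasons:
            findings[ep["host"]] = reasons
    return findings


if __name__ == "__main__":
    for agent, pct in agent_coverage(INVENTORY).items():
        print("%-4s %5.1f%%" % (agent, pct))
    for host, reasons in noncompliant(INVENTORY).items():
        print(host, "; ".join(reasons))
```

Run on a fresh scan every cycle rather than on a cached inventory: the coverage percentage is only an audit figure if it reflects what the endpoints report now, and a volume that was FullyEncrypted last week can be FullyDecrypted today.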

2. Improving situational awareness: Improve indication and warning.

Situational awareness amounts to visibility: can you see what is actually happening, where, and why? And naturally it has to be in real time. During the sprint, teams should validate that they can identify and track logged-in users, user focus activities, user presence indicators, active processes, network contacts with process-level attribution, system stress levels, notable log events and a host of other activity indicators across many thousands of endpoints hosting vast numbers of processes. THAT is situational awareness for both indication and warning.

3. Increasing cyber security proficiency: Ensure a robust capacity to recruit and retain cyber security personnel.

This is a challenge for any security program. Finding good talent is hard, and keeping it even harder. To attract this kind of skill set, motivate people by giving them the latest tools for the job. Make sure they have a system that provides complete visibility into what is happening at the endpoint and across the whole environment. As part of the sprint, OMB should review the tools in place and ask whether each tool turns the security team from the hunted into the hunter. If not, replace that tool.

4. Increasing awareness: Improve overall risk awareness by all users.

Risk awareness begins with effective risk scoring, and fortunately that is something that can be done dynamically all the way down to the endpoint and used to educate every user. User education is never finished, as the continued success of social engineering attacks confirms. But when security teams have endpoint risk scores, they have concrete material to show users where and how they are exposed. This real-world situational awareness (see #2) improves user understanding and also gives the security team precise information on, say, known software vulnerabilities, cases of compromised credentials and insider threats, while continuously monitoring system, user and application activity and network points of contact so that security analytics can surface elevated risks for triage by security staff.

5. Standardizing and automating processes: Decrease the time required to manage configurations and patch vulnerabilities.

More should be demanded of security solutions: they should be immediately deployable without lengthy preparation, new network infrastructure or extensive staff training. Did the solutions in place take longer than a few days to implement, and require another full-time employee (FTE), or perhaps half an FTE, to operate? If so, rethink them, because they are probably hard to use (see #3) and are not doing the job you need, and you will have to improve on the existing tools. Also, look for endpoint solutions that not only report hardware and software configurations and active services and processes, but use the National Vulnerability Database (NVD) to report on vulnerabilities actually exposed by running software, and then assign an overall vulnerability score to each endpoint to help overworked support staff prioritize patching.
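Per-endpoint vulnerability scoring of the kind described above, as an added example that is not code from the original article or from Ziften. The NVD records are a hand-made stand-in (real NVD feeds carry CPE match strings and CVSS vectors; only the fields used here are mimicked, and the CVE identifiers are placeholders, not real CVEs), the endpoint inventory is constructed, version comparison is simplified to dotted integers, and the aggregation rule (highest CVSS plus a tenth of each further score) is an assumption chosen for illustration, not a standard. The point the paragraph makes is the `running_only` switch: a vulnerable build that is installed but never executed is a lower priority than one that is running now.

```python
"""Rank endpoints for patching by the CVEs exposed by software actually running on them.

Constructed example. NVD_FEED stands in for the NVD data feed (placeholder CVE ids);
version comparison is simplified to dotted integers; the scoring rule is an assumption.
"""

# Constructed stand-in for NVD records: product, versions below which it is affected, CVSS base score.
NVD_FEED = [
    {"cve": "CVE-0000-0001", "product": "openssl", "affected_below": "1.0.2",  "cvss": 7.5},
    {"cve": "CVE-0000-0002", "product": "java",    "affected_below": "8.0.45", "cvss": 9.8},
    {"cve": "CVE-0000-0003", "product": "flash",   "affected_below": "18.0.0", "cvss": 9.3},
]

# Constructed inventory: what is installed, and which of those products are running right now.
ENDPOINTS = [
    {"host": "ws-001", "installed": {"openssl": "1.0.1", "java": "8.0.40", "flash": "17.0.0"},
     "running": {"openssl", "java"}},
    {"host": "ws-002", "installed": {"openssl": "1.0.2", "java": "8.0.40"},
     "running": {"java"}},
    {"host": "ws-003", "installed": {"flash": "17.0.0", "openssl": "1.0.1"},
     "running": set()},
]


def version_key(version):
    """'8.0.45' -> (8, 0, 45) so that versions compare numerically, not as strings."""
    return tuple(int(part) for part in version.split("."))


def exposed_cves(endpoint, feed=NVD_FEED, running_only=True):
    """Feed records whose product is installed at an affected version and, by default,
    is currently running on the endpoint."""
    hits = []
    for rec in feed:
        installed = endpoint["installed"].get(rec["product"])
        if installed is None:
            continue
        if running_only and rec["product"] not in endpoint["running"]:
            continue
        if version_key(installed) < version_key(rec["affected_below"]):
            hits.append(rec)
    return hits


def endpoint_score(endpoint, feed=NVD_FEED, running_only=True):
    """Assumed aggregation: the worst CVSS dominates, each further CVE adds a tenth of its score."""
    scores = sorted((h["cvss"] for h in exposed_cves(endpoint, feed, running_only)), reverse=True)
    if not scores:
        return 0.0
    return round(scores[0] + 0.1 * sum(scores[1:]), 2)


def patch_priority(endpoints, feed=NVD_FEED, running_only=True):
    """(score, host) pairs, most exposed first: the work list for support staff."""
    return sorted(((endpoint_score(e, feed, running_only), e["host"]) for e in endpoints),
                  reverse=True)


if __name__ == "__main__":
    for score, host in patch_priority(ENDPOINTS):
        print("%-7s %5.2f" % (host, score))
```

With `running_only=False` the same function gives the conventional installed-software view, which is what makes ws-003 jump from the bottom of the list to near the top; comparing the two orderings is a quick way to see how much of an inventory's nominal exposure is dormant.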

6. Controlling, containing and recovering from incidents: Contain malware proliferation, privilege escalation and lateral movement. Quickly identify and resolve events and incidents.

Fast identification of and response to problems is the primary goal in the new world of cyber security. During the 30-day sprint, OMB should evaluate its solutions and make sure it has technology that not only monitors the endpoint but tracks every process that runs and all of its network contacts, including user login attempts, so that malware proliferation and lateral network movement can be traced. Data derived from endpoint command and control (C2) accesses associated with major data breaches indicates that about half of compromised endpoints host no identifiable malware, which raises the importance of login and contact activity. The right endpoint security will retain OMB data for long-term analysis, because many indicators of compromise appear only after the event, sometimes long afterwards, while persistent attackers may quietly lurk or stay dormant for long periods. Attack code that can be detonated in a sandbox and identified within minutes is not the mark of an advanced attacker. The ability to retain clues and connect the dots across both the spatial and temporal dimensions is vital to complete identification and to a resolution that does not recur.
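The process-level attribution of network contacts called for under #2, and the tracing of lateral movement through login activity called for here, as one added example that is not code from the original article or from Ziften. The telemetry is constructed and its layout is an assumption (the article names no event schema), modelled on what an endpoint agent emits: a logon event carrying the account, the target host and the source host (logon type 3 being a Windows network logon), and a network-connection event carrying the process that opened the connection. In the sample, account jdoe hops from ws-010 to ws-011 to srv-db1 in a few minutes, each hop preceded by a remote-admin tool on the previous host, while asmith behaves normally; no malware is needed for the chain to stand out, which is the point the paragraph makes.

```python
"""Correlate process-attributed network contacts with logons across endpoints.

Added example on constructed telemetry; the record layout is an assumption modelled on
endpoint-agent events: logon (account, target host, source host, Windows logon type) and
netconn (process that opened the connection, destination host and port).
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed telemetry: jdoe hops ws-010 -> ws-011 -> srv-db1; asmith is benign.
EVENTS = [
    {"ts": "2015-06-12T09:00:00", "type": "logon",   "host": "ws-010",  "user": "jdoe",   "src": "ws-010", "logon_type": 2},
    {"ts": "2015-06-12T09:05:00", "type": "netconn", "host": "ws-010",  "user": "jdoe",   "process": "psexec.exe",  "dst": "ws-011",  "dport": 445},
    {"ts": "2015-06-12T09:05:02", "type": "logon",   "host": "ws-011",  "user": "jdoe",   "src": "ws-010", "logon_type": 3},
    {"ts": "2015-06-12T09:09:00", "type": "netconn", "host": "ws-011",  "user": "jdoe",   "process": "wmic.exe",    "dst": "srv-db1", "dport": 135},
    {"ts": "2015-06-12T09:09:01", "type": "logon",   "host": "srv-db1", "user": "jdoe",   "src": "ws-011", "logon_type": 3},
    {"ts": "2015-06-12T09:30:00", "type": "logon",   "host": "ws-020",  "user": "asmith", "src": "ws-020", "logon_type": 2},
    {"ts": "2015-06-12T09:31:00", "type": "netconn", "host": "ws-020",  "user": "asmith", "process": "outlook.exe", "dst": "mail",    "dport": 443},
]


def parse_ts(ts):
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%S")


def attribute_remote_logons(events, lookback=timedelta(seconds=10)):
    """For every network logon (type 3), find the process on the source host that
    contacted the target host within `lookback` before it. One record per remote logon;
    `via` is None when no process on the source host explains the logon."""
    conns = [e for e in events if e["type"] == "netconn"]
    out = []
    for e in sorted(events, key=lambda e: e["ts"]):
        if e["type"] != "logon" or e["logon_type"] != 3:
            continue
        t = parse_ts(e["ts"])
        via = None
        for c in conns:
            delta = t - parse_ts(c["ts"])
            if c["host"] == e["src"] and c["dst"] == e["host"] and timedelta(0) <= delta <= lookback:
                via = c["process"]          # latest qualifying contact wins
        out.append({"ts": e["ts"], "user": e["user"], "src": e["src"], "dst": e["host"], "via": via})
    return out


def lateral_movement(events, window=timedelta(minutes=30), min_hosts=3):
    """Accounts whose remote logons touch at least `min_hosts` distinct hosts inside
    `window`, with the host path and the process behind each hop."""
    hops = defaultdict(list)
    for a in attribute_remote_logons(events):
        hops[a["user"]].append(a)
    findings = {}
    for user, seq in hops.items():
        for i in range(len(seq)):              # try each hop as the start of a chain
            t0 = parse_ts(seq[i]["ts"])
            path, via = [], []
            for a in seq[i:]:
                if parse_ts(a["ts"]) - t0 > window:
                    break
                for h in (a["src"], a["dst"]):
                    if h not in path:
                        path.append(h)
                via.append(a["via"])
            if len(path) >= min_hosts:
                findings[user] = {"path": path, "via": via}
                break
    return findings


if __name__ == "__main__":
    for user, f in lateral_movement(EVENTS).items():
        print(user, " -> ".join(f["path"]), "via", f["via"])
```

The `window` is what the paragraph's temporal dimension comes down to in practice: a patient intruder who makes one hop a day is invisible to a 30-minute window, which is the argument for retaining the attributed logon records and re-running the correlation over weeks of data rather than only over the live stream.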

7. Strengthening systems lifecycle security: Increase the inherent security of platforms by buying more secure systems and retiring legacy systems in a timely manner.

This is a worthy goal, and an enormous challenge at an organization as large as OMB. It is another place where proper endpoint visibility can immediately identify and report endpoint hardware and software configurations, operating system SKUs and patch levels, system stress levels, endpoint mishaps (such as application crashes or hangs, service failures or system crashes), and other signs of endpoints outliving their useful or secure life. Then you have a complete inventory that you can prioritize for retirement and replacement.

8. Reducing attack surfaces: Reduce the complexity and number of things defenders have to protect.

If numbers 1 through 7 are completed, with the endpoint properly considered, that is a big step toward reducing attack risk. But in addition, endpoint security can actually provide a picture of the real attack surface. Consider the ability to quantify attack surface by the number of distinct binary images exposed across the whole endpoint population. For example, our ‘Ziften Pareto analysis’ of binary image prevalence statistics produces a typical “ski slope” distribution, with a long thin tail representing huge numbers of very rare binary images (present on fewer than 0.1% of all endpoints). Ziften measures attack surface bloat factors, including application sprawl and version proliferation (which also complicates vulnerability lifecycle management). Data from many customer deployments reveals egregious bloat factors of 5-10X compared with a tightly managed and disciplined endpoint population. Such lax endpoint management and bloated attack surfaces create a target-rich hackers’ paradise.
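A prevalence analysis of the kind the paragraph describes, as an added example that is not Ziften's code and does not use its formula: the population is constructed (a core of 50 images on every endpoint, five builds of one application skewed toward one version, and a one-off binary on every fifth endpoint), and the bloat factor is defined here, as an assumption, as distinct images observed divided by the distinct images a disciplined baseline would carry (the core plus a single application version). The rare-tail threshold of 0.1% is the figure from the article.

```python
"""Binary-image prevalence ('Pareto') analysis over an endpoint population.

Added example on constructed data. Bloat factor is defined here as
distinct images observed / distinct images in a disciplined baseline (an assumption).
"""
from collections import Counter


def build_population(n=2000):
    """Constructed population: 50 core images everywhere, five builds of one app
    skewed heavily toward v1, and a one-off binary on every fifth endpoint."""
    endpoints = {}
    for i in range(n):
        images = {"core-%02d" % k for k in range(50)}
        if i < 1400:
            v = 1
        elif i < 1700:
            v = 2
        elif i < 1900:
            v = 3
        elif i < 1960:
            v = 4
        else:
            v = 5
        images.add("app-v%d" % v)          # version proliferation
        if i % 5 == 0:
            images.add("oneoff-%04d" % i)   # sprawl: seen on exactly one endpoint
        endpoints["ep-%04d" % i] = images
    return endpoints


def prevalence(endpoints):
    """Fraction of endpoints on which each distinct image is present."""
    counts = Counter(h for images in endpoints.values() for h in images)
    n = len(endpoints)
    return {h: c / n for h, c in counts.items()}


def pareto_summary(prev, rare_threshold=0.001):
    """The 'ski slope': how many images are ubiquitous (>= 90% of endpoints) versus
    in the rare tail (< 0.1% by default), and what share of the surface the tail is."""
    ubiquitous = sum(1 for p in prev.values() if p >= 0.9)
    rare = sum(1 for p in prev.values() if p < rare_threshold)
    return {"distinct": len(prev), "ubiquitous": ubiquitous, "rare_tail": rare,
            "tail_share": round(rare / len(prev), 3)}


def version_spread(prev, app_prefix):
    """Distinct builds of one application and their prevalence, most common first."""
    versions = {h: p for h, p in prev.items() if h.startswith(app_prefix)}
    return sorted(versions.items(), key=lambda kv: kv[1], reverse=True)


def bloat_factor(prev, baseline_distinct):
    """Distinct images observed relative to a disciplined baseline population."""
    return round(len(prev) / baseline_distinct, 1)


if __name__ == "__main__":
    prev = prevalence(build_population())
    print(pareto_summary(prev))
    print(version_spread(prev, "app-v"))
    print("bloat factor vs 51-image baseline:", bloat_factor(prev, 51))
```

On the constructed population the tail of one-off binaries is 88% of all distinct images although each sits on 0.05% of endpoints, and the bloat factor against the 51-image baseline lands at 8.9X, inside the 5-10X range quoted above; on real data the rare-tail list is also the shortlist of what to whitelist, investigate or remove.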

The OMB sprint is a great reminder to all of us that good things can be achieved quickly, but that it takes vision, and visibility. Visibility down to the endpoint will be a critical piece for OMB to consider as part of its 30-day sprint.


With The Costs Of A Data Breach Up Again The Third Reason For This Should Surprise You – Chuck Leaver

Written by Patrick Kilgore, presented by Chuck Leaver, CEO of Ziften.


Two major reports marking big anniversaries were recently published. On one hand, we saw Mary Meeker's 20th annual Internet Trends report. Meeker led some of the original industry analysis of the Internet many years ago, and this report marked 20 years of her influence on opinion about the Internet. On the other, ten years after Meeker's first observations on the Internet, the Ponemon Institute published its first study of data breach costs, so this year's edition is its tenth.

Only ten years after the Internet's arrival, it was clear that the service that brings major benefits to our businesses and our lives has an ugly downside. Today more annual studies are published about data breaches than about the Internet itself. We recently spent hours reviewing and digesting two of the biggest data breach reports in the industry: the Ponemon report already mentioned and the now hugely influential Verizon DBIR (a report important enough to go simply by its acronym).

The two reports intersect, but the Ponemon report deserves credit for its longevity: if you have managed to do anything in security for ten years, you must be doing something right. There are many interesting statistics in the report, but the reasons for the total cost of data breaches skyrocketing were of the most interest to us.

The Ponemon studies identify three drivers behind the rising cost of a breach. The first is that malicious attacks have grown in number, and that correlates with higher remediation costs: the per capita (per record) cost of a breach caused by a malicious attack rose from $159 to $170 year on year, and malicious attacks rose five percentage points, from 42% to 47%, as a share of the root causes of breaches. Second, lost business following a data breach has increased; in aggregate it rose from $1.33M to $1.57M in 2015, driven by abnormal customer churn, increased customer acquisition activity, and the loss of goodwill that comes with being the target of a malicious attack. But the most interesting driver is that the data breach costs associated with detection and escalation have increased.

These costs include investigations and forensics, crisis team management, and audits and assessments. The average is now gathering pace at just shy of $1 million per breach. Organizations are only now beginning to deploy the systems required to continuously monitor the endpoint and give a clear picture of the origin and full impact of a breach.

Organizations not only need to monitor the proliferation of devices in a BYOD world, but also to get more from the security resources they have already invested in, so as to reduce the cost of these investigations. Threats have to be stopped in real time rather than identified after the fact.

“Avoidance might not be possible in the world we reside in. With destructive threats becoming more and more typical, organizations will need to develop their M.O. beyond standard AV solutions and look to the endpoint for total defense,” said Larry Ponemon in his webcast with IBM.


Chuck Leaver – Passwords And Employee Sharing Are A Real Data Loss Risk With BYOD

Written By Ziften Technologies CEO Chuck Leaver

If your organization has adopted a bring your own device (BYOD) policy, you are at increased risk of cyber crime and data loss, because those devices typically have insufficient controls and endpoint security in place. On mobile devices, employees frequently access consumer cloud services and follow password practices that are not secure enough, and this accounts for a large share of the risk associated with BYOD. Endpoint software that gives visibility into exactly what is running on a device can help IT departments understand and address their vulnerabilities.

BYOD is a common way for executives and employees to access sensitive business data on their personal tablets, laptops and phones. A ZDNet study found that nearly nine out of ten businesses in Australia had granted some of their senior IT staff access to critical company information through their own devices, and 57% said they had given it to at least 80% of their leadership. For less privileged and newly hired staff the share given BYOD access was still 64%, although these employees were not given access to financial information.

With the number of BYOD devices growing, many companies have not implemented the endpoint management practices needed to make their expanding mobile workflows secure. Nearly 50% of respondents said their organizations had no BYOD policy, and only 17% confirmed that their practices were ISO 27001 certified.

Secure BYOD Is Probably Most At Risk From Passwords

Among companies that had taken steps to secure BYOD, password and acceptable use policies were the most common measures. But passwords may represent a critical and distinct vulnerability in BYOD, because users often reuse passwords and choose ones that are not complex enough. While a BYOD policy certainly increases the risk of an external attack, there may be an even greater risk that is internal, said former Federal Trade Commission executive Paul Luehr in an interview with CIO Magazine’s Tom Kaneshige.

Luehr told Kaneshige, “the most typical method BYOD policies affect data security and breaches is in the cross-pollination of passwords. A person is probably utilizing the very same or a very comparable password as the one they utilize on their home devices.”

Luehr noted that disgruntled employees, who will often leak valuable data once they have been let go, are prime risks for businesses that have allowed BYOD. Because of BYOD the line between work and home is vanishing, and risky habits such as using social networks on corporate networks are practised by some employees, which can end in sensitive information being shared, wilfully or carelessly, through cloud services. The productivity gains made with BYOD need to be protected by the implementation of comprehensive endpoint security.