In The Third Phase Of Cyber Security There Is Now A Focus On People – Chuck Leaver

Written By Kyle Flaherty And Presented By Chuck Leaver Ziften CEO


The impact of a cyber attack on a company is usually easy to quantify, and technology vendors (Ziften included) constantly parade statistics to show that you need to buy their latest software. But one statistic is truly stunning:

In The Previous Year Cyber Crime Cost Organizations $445 Billion And Cost 350,000 Individuals Their Jobs.

The monetary loss is easy to take on board, even though the amount is substantial. But the second part should concern everyone involved in cyber security: people are losing their jobs because of what is happening in cyber security. The circumstances behind those job losses are unknown, and some may have been deserved if negligence was involved. What makes this so striking is that it is well known that there is a shortage of talented people with the capability to fight these cyber attacks.

So while people are losing their positions, there is also a demand for more talented people to counter the ever increasing risk of cyber attacks. There is no argument that more people are required, and better trained ones, to win this war. But that is not going to happen today, tomorrow, or even this year. And while it would be wonderful to negotiate a truce with the attackers until those resources are available, the reality is that the battle must go on. So how do you fight?

Utilize Technology To Enable, Not Disable

For several years now, security vendors have been selling technology to “prevent and block” cyber attacks. Then the vendors would come back to sell the “next generation” solution for preventing and blocking cyber attacks. And a couple of years after that they were back again to sell the latest technology, this time focused on “security analytics”, “threat intelligence” and “operational insight”.

In every case the company bought the latest technology and then had to add professional services, or even an FTE, to run it. Naturally, getting up to speed with each new technology took a substantial amount of time for a team already struggling with high turnover because of the competitive cyber security job market. And while all of this was going on, the attacks were becoming more persistent, more sophisticated, and more frequent.

It’s About Individuals Utilizing Technology, Not The Other Way Around

The problem is that CISOs were focused on the technology first. These companies followed the classic model of seeing a problem and building technology to plug that hole. Consider a firewall: it literally builds a wall within technology, using technology. Even the SIEM technology these companies deployed was focused mostly on the connectors from their system into other systems, gathering all that information into one place. But what they ended up with was only one more collection point, because a technology-centric mindset had forgotten a critical component: the people involved.

Humans are consistently good at innovating when faced with risk. It’s a biological thing. In cyber security today we are seeing the third phase of innovation, and it is centered on people:

Phase 1: Prevent, by building walls
Phase 2: Detect, by building walls and moats
Phase 3: View, inspect, and react, by examining user behavior

The reason this phase has to focus on people is not just the skills shortage; it is that people really are the problem. People are the attackers, and people are the ones putting your company at risk at the endpoint. The technologies that will win this battle, or at least enable survival, are the ones designed not only to improve the abilities of the person on the other side of the keyboard, but also to focus on the behavior of the users themselves rather than on the technology alone.

Webinar Showing Extended Visibility Right Down To The Endpoint – Chuck Leaver

Written By Josh Applebaum And Presented By Chuck Leaver CEO Ziften Technologies


Security threats and attack vectors are continuously evolving, and companies have to be more vigilant when it comes to monitoring their network infrastructure. Perimeter and infrastructure security are frequently undermined by a lack of visibility into endpoint devices.

Visibility Of Endpoint Devices Is Now More Important Than Ever.

We recently hosted a webinar with our partner Lancope called “Extending Network Visibility: Down to the Endpoint.” The aim was to show security practitioners how to gain additional visibility and context into network activity, enhance existing security systems (NetFlow, firewall, SIEM, threat intelligence), and improve incident response by obtaining real-time and historical data from the endpoint. A mutual customer was featured in the webinar and provided real-life insight into how best to use security assets so that you can stay ahead of external and insider threats.

Many of you will not have been able to attend the live event, so we have decided to make the on-demand version available here on the Ziften blog. Feedback is welcome, and we would be delighted to get in touch with you to discuss it in more detail.



Chuck Leaver – Why Ziften’s Technical Approach To Client Management Is Best

Written By Dr Al Hartmann And Presented By Chuck Leaver Ziften CEO


There has traditionally been a lack of visibility into which applications are running on Windows clients and which resources they are using. There are good tools for monitoring server infrastructure and the network, but the client has always been the weakest link. This is why vendors such as Ziften have pioneered a new class of solutions aimed at managing the security and performance of clients in the enterprise, called enterprise client management. From a technical viewpoint, to gather the large amount of information available inside Windows that is required to provide client visibility, there were two alternative approaches to consider: writing custom driver code, or using the standard Windows APIs.

Developing driver code is considered a last resort because of some well understood problems:

An in-depth understanding of Windows kernel data structures and coding conventions is needed for driver development

Driver incompatibilities can arise from even the smallest system changes, for example the monthly patch updates from Microsoft

A driver code error can cause a catastrophic system crash

Third-party driver code causes most of the instability in Windows

Any solution that uses low-level drivers in its agent bypasses the standard Windows interfaces and “takes control” from Windows. This can wreak havoc with the operating system of the desktops under management. If a driver fails it can crash the system, and there is also an increased security risk because these drivers run at kernel level. As Microsoft says about driver security: “Anything a user can do that causes a driver to malfunction in such a way that it causes the system to crash or end up being unusable is a security flaw. When most developers are working on their driver, their focus is on getting the driver to work correctly and not whether a destructive hacker will try to exploit holes within the system.”

So Ziften took the approach of building our solution on the standard Windows interfaces, which has the following benefits:

Greater resilience to the Windows updates and changes that are likely to require driver changes

Elimination of the driver conflicts that can result in system crashes (the Blue Screen of Death)

A lower probability of coding errors that affect system performance through the kernel interface


What You Can Do About The Security Risks Of BYOD – Chuck Leaver

Written By Dr Al Hartmann And Presented By Chuck Leaver Ziften CEO


If you are not interested in BYOD, your users, and especially your executive users, most likely will be. Users want to be as productive as possible with the least effort. Using the simplest, fastest, most familiar and comfortable device to do their work is the main objective, and the convenience of using one device for both work and personal activities is also desired.

The issue is that security and ease of use are diametrically opposed. The IT department would normally prefer total ownership and control of all client endpoints. IT can disable admin rights, and the client endpoint can be managed to a degree, for example by allowing only authorized applications to be installed. Even the hardware can be limited to a specific footprint, making it easier for IT to protect and manage.

However, that control over their devices is exactly what BYOD advocates are fighting against. They want to choose their own hardware, apps and OS, and to have the freedom to install anything they like, whenever they like.

This is hard enough for the IT security team, but BYOD can also dramatically increase the number of devices accessing the network. Instead of a single desktop, a BYOD user might have a desktop, laptop, smartphone and tablet. This is an attack surface gone wild! Then there is the problem of smaller devices being lost, stolen, or simply left in a bar under a cocktail napkin.

So what can IT professionals do about this? The first step is to establish situational awareness of “trusted” client endpoints. With its minimalist, driverless agent, Ziften can provide visibility into the applications, versions, user activity and security/compliance software actually running on the endpoint. You can then restrict, by enforceable policy, which applications, business network connections and data interactions are permitted on all other (“untrusted”) devices.

Client endpoints will inevitably develop security problems, for example application versions that are vulnerable to attack, potentially malicious processes, and disabled endpoint security measures. The Ziften agent will notify you of these issues so that you can take corrective action with your existing systems management tools.

Your users have to accept the fact that untrusted, high-risk devices must not be used to access business networks, data and apps. Client endpoints and their users are the source of many damaging exploits. No magic in current technology will make it safe to access critical business assets from a device that is out of control.


What If Your IT Endpoint Could Tell You Where It Hurts? – Chuck Leaver

Written by Dr Al Hartmann and presented by Ziften CEO Chuck Leaver


Wouldn’t it be great if your IT client endpoints could tell you that they are sick, instead of you receiving unwelcome calls from unhappy users? The reality is that IT clients cannot tell you when something is wrong. Many IT people may dispute the need for situational awareness, but you really do need it for your endpoints. The Ziften solution addresses this as follows:

Ziften uses a minimalist, driverless agent. This differs from conventional systems management or security agents, and the Ziften package is very lightweight (around a 1-2MB MSI package). But don’t let the small size fool you: it provides the performance management headroom and effectiveness to achieve more on IT endpoints, which keeps users happy and working. The Ziften agent can be compared to light beer: “Great taste, less filling.”

The Ziften agent also monitors the other agents deployed on the endpoint and reports when they interfere excessively with foreground tasks.

The Ziften agent also delivers benefits that an agentless approach cannot match. It can:

Respond in real time to dynamic events on the endpoint. Without an agent, periodic polling is required, which means endpoint events are reported on a polling cadence after they have happened rather than in real time.

Adaptively throttle interfering processes. For example, if a backup program is causing excessive interference with user productivity, the backup program can be slowed down in favor of user performance.

Alert on the failure of critical services such as antivirus, backup, firewall and systems management. It is true that an agentless approach could also do this, but not in real time, so it is less effective.

Alert in real time on serious security events detected at the client endpoint.

Recognize activity and user presence. The Ziften agent detects user presence by watching keyboard activity and last mouse usage. It also uses the window proxy to identify which window is in the foreground and which are in the background. With this information the Ziften agent can determine which application licenses are actually being used across the organization.

Monitor the endpoint when it is off the network. Without an agent it is not possible to monitor and control an endpoint that is off the network. The Ziften agent monitors off-network endpoints and reports its cached observations when the endpoint reconnects, which removes off-network blind spots in monitoring coverage. The Ziften agent can also enforce policy while disconnected.

Reduce the network traffic load between client endpoints and the management server. It does this by abstracting, filtering, summarizing and encoding time series observations.
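The following PowerShell probe is an added example, not Ziften’s agent code, showing what the keyboard/mouse presence check and foreground-window identification described above look like when built on standard user-mode Windows interfaces instead of a kernel driver (the design choice argued in the client management post). It calls the real Win32 APIs GetLastInputInfo, GetForegroundWindow and GetWindowThreadProcessId via P/Invoke; the Probe.Native type name and the 300-second idle threshold are assumptions.

```powershell
# Added example, not Ziften's agent code. Everything here is user-mode Win32 via
# P/Invoke; no kernel driver is loaded, so a bug here cannot blue-screen the host.
Add-Type -Namespace Probe -Name Native -MemberDefinition @'
[StructLayout(LayoutKind.Sequential)]
public struct LASTINPUTINFO { public uint cbSize; public uint dwTime; }

[DllImport("user32.dll")]
public static extern bool GetLastInputInfo(ref LASTINPUTINFO plii);
[DllImport("user32.dll")]
public static extern IntPtr GetForegroundWindow();
[DllImport("user32.dll")]
public static extern uint GetWindowThreadProcessId(IntPtr hWnd, out uint lpdwProcessId);
'@

function Get-EndpointPresence {
    # Assumption: 5 minutes without keyboard or mouse input means the user is away.
    param([int]$IdleThresholdSeconds = 300)

    # Tick count of the last keyboard/mouse event in this session (ms since boot).
    $lii = New-Object Probe.Native+LASTINPUTINFO
    $lii.cbSize = [System.Runtime.InteropServices.Marshal]::SizeOf($lii)
    if (-not [Probe.Native]::GetLastInputInfo([ref]$lii)) {
        throw 'GetLastInputInfo failed; this probe needs an interactive session.'
    }

    # Environment.TickCount is a signed 32-bit counter. Reinterpret it as unsigned
    # and correct for the 49.7-day wraparound so idle time is never negative.
    $nowTicks = [BitConverter]::ToUInt32([BitConverter]::GetBytes([Environment]::TickCount), 0)
    $idleMs = [int64]$nowTicks - [int64]$lii.dwTime
    if ($idleMs -lt 0) { $idleMs += 4294967296 }

    # Foreground window -> owning process: the signal an "application actually in use"
    # license count or a foreground-interference check would key on.
    $hwnd = [Probe.Native]::GetForegroundWindow()
    $fgPid = [uint32]0
    [void][Probe.Native]::GetWindowThreadProcessId($hwnd, [ref]$fgPid)
    $proc = if ($fgPid -ne 0) { Get-Process -Id $fgPid -ErrorAction SilentlyContinue }

    [pscustomobject]@{
        Timestamp         = (Get-Date).ToString('o')
        IdleSeconds       = [math]::Round($idleMs / 1000, 1)
        UserPresent       = ($idleMs -lt ($IdleThresholdSeconds * 1000))
        ForegroundProcess = $(if ($proc) { $proc.ProcessName } else { $null })
        ForegroundTitle   = $(if ($proc) { $proc.MainWindowTitle } else { $null })
    }
}

# One observation; an agent would sample this on a cadence and summarize before sending.
Get-EndpointPresence | Format-List
```

GetLastInputInfo reports input for the calling session only, so run it in the logged-on user’s session rather than from a service in session 0.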

So with the Ziften agent your endpoint clients can “tell you where it hurts”.