A New Era For Endpoints With Illumination – Chuck Leaver

Written By Dr Al Hartmann And Presented By Ziften CEO Chuck Leaver


The conventional perimeter is dissolving fast. So what about the endpoint?

Investment in perimeter security, as defined by firewalls, managed gateways and intrusion detection/prevention systems (IDS/IPS), is changing. Investments are being questioned, with returns unable to justify the cost and complexity of building, maintaining, and validating these antiquated defenses.

Not only that, the paradigm has changed: employees no longer work solely in the office. Many log hours from home or while traveling, and neither place is under the umbrella of a corporate firewall. Instead of keeping cyber criminals out, firewalls frequently have the inverse effect: they prevent the good guys from being productive. The paradox? They create a safe haven in which attackers can breach and hide for months, then move on to critical systems.

So What Has Changed So Much?

The endpoint has become the last line of defense. With the aforementioned failure of perimeter defense and a “mobile everywhere” workforce, we must now enforce trust at the endpoint. Easier said than done, however.

In the endpoint space, identity and access management (IAM) systems are not the complete answer. Even innovative companies like Okta, OneLogin, and cloud proxy vendors such as Blue Coat and Zscaler cannot overcome one simple truth: trust goes beyond simple identification, authentication, and authorization.

Encryption is a second attempt at securing entire libraries and specific assets. In the most recent (2016) Ponemon study on data breaches, encryption saved only 10% of the cost per breached record (from $158 to $142). This isn’t the remedy that some make it appear.

The Whole Picture Is Changing

Organizations must be prepared to accept new paradigms and attack vectors. While companies must provide access to trusted groups and individuals, they have to solve this in a better way.

Critical business systems are now accessed from anywhere, at any time, not just from desks in corporate office buildings. And contractors (the contingent workforce) are quickly becoming over half of the total business workforce.

On endpoint devices, the binary is primarily the problem. Seemingly benign incidents, such as an executable crash, might indicate something simple, like the Windows 10 Desktop Window Manager (DWM) restarting. Or it might be a much deeper problem, such as a malicious file or the early indicators of an attack.

Trusted access does not resolve this vulnerability. According to the Ponemon Institute, between 70% and 90% of all attacks are caused by human error, social engineering, or other human factors. This requires more than basic IAM; it requires behavioral analysis.

Rather than making good better, perimeter and identity access companies made bad faster.

When and Where Does the Good News Start?

Stepping back a little, Google (Alphabet Corp) announced a perimeter-less network design in late 2014 and has made considerable progress since. Other enterprises, from corporations to federal governments, have done this (quietly and less radically), but BeyondCorp has done this and revealed its solution to the world. The design approach, endpoint plus (public) cloud displacing the cloistered enterprise network, is the crucial principle.

This changes the whole discussion of an endpoint (be it a laptop, desktop, workstation, or server) as subservient to the corporate/enterprise/private/organization network. The endpoint really is the last line of defense and must be safeguarded, yet it must also report its activity.

Unlike the conventional perimeter security model, BeyondCorp doesn’t gate access to services and tools based on a user’s physical location or the originating network; rather, access policies are based on information about a device, its state, and its associated user. BeyondCorp considers both external networks and internal networks to be completely untrusted, and gates access to apps by dynamically asserting and enforcing levels, or “tiers,” of access.

By itself, this appears innocuous. But the truth is that this is a radical new design, and an imperfect one. The access criteria have moved from network addresses to device trust levels, and the network is heavily segmented by VLANs, rather than a centralized design with capacity for breaches, hacks, and dangers at the human level (the “soft chewy center”).

The bright side? Breaching the perimeter is incredibly challenging for potential attackers, and network pivoting is next to impossible once past the reverse proxy (pivoting being a common technique used by cyber attackers today, proving that firewalls do a better job of keeping the bad guys in than of letting the genuine users out). The inverted design further applies to Google cloud servers, presumably tightly managed inside the boundary, versus client endpoints, which are all out in the wild.

Google has made some great refinements to proven security techniques, especially 802.1X and RADIUS, and bundled them as the BeyondCorp architecture, including strong identity and access management (IAM).

Why Is This Important? What Are the Gaps?

Ziften believes in this approach because it emphasizes device trust over network trust. However, Google does not specifically describe a device security agent or emphasize any form of client-side monitoring (apart from extremely rigorous configuration control). While there may be reporting and forensics, this is something every organization ought to be aware of, since it’s a question of when, not if, bad things will happen.

As Google reports of its own BeyondCorp deployment: “Since implementing the initial stages of the Device Inventory Service, we’ve ingested billions of deltas from over 15 data sources, at a typical rate of about 3 million per day, totaling over 80 terabytes. Retaining historical data is vital in permitting us to understand the end-to-end lifecycle of a particular device, track and analyze fleet-wide patterns, and carry out security audits and forensic examinations.”

This is a costly and data-heavy procedure with two imperfections. On ultra-high-speed networks (used by organizations such as Google, universities and research institutions), ample bandwidth permits this kind of communication to take place without flooding the pipes. The first concern is that in more pedestrian business and government situations, this would cause excessive user disruption.

Second, computing devices need to have the horsepower to constantly collect and transfer data. While most employees would be delighted to have current developer-class workstations at their disposal, the cost of the devices and the process of refreshing them regularly make this prohibitive.

A Lack of Lateral Visibility

Few systems actually produce ‘enhanced’ NetFlow, augmenting conventional network visibility with rich, contextual data.

Ziften’s patented ZFlow™ provides network flow information generated from the endpoint, which is otherwise obtained using brute force (human labor) or expensive network devices.

ZFlow acts as a “connective tissue” of sorts, which extends and completes the end-to-end network visibility cycle, adding context to on-network, off-network and cloud servers/endpoints, and allowing security teams to make faster, better-informed and more accurate decisions. In essence, buying Ziften services leads to a labor cost saving, plus an improvement in speed-to-discovery and time-to-remediation, because technology acts as a replacement for human resources.

For companies moving/migrating to the public cloud (as 56% are planning to do by 2021 according to IDG Enterprise’s 2015 Cloud Survey), Ziften offers unequaled visibility into cloud servers to better monitor and protect the complete infrastructure.

In Google’s environment, only corporate-owned devices (COPE) are allowed, crowding out bring your own device (BYOD). This works for a business like Google that can distribute new devices to all personnel: smartphone, tablet, laptop, etc. Part of the reason for that is the vesting of identity in the device itself, plus user authentication as usual. The device needs to meet Google requirements, having either a TPM or a software equivalent of a TPM, to hold the X.509 certificate used to verify device identity and to facilitate device-specific traffic encryption. There need to be numerous agents on each endpoint to validate the device predicates called out in the access policy, which is where Ziften would need to partner with the systems management agent provider, because agent cooperation is most likely vital to the process.
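As an added illustration of the BeyondCorp-style gating described in the two passages above (this is not Google’s or Ziften’s code): a policy evaluator that derives a device trust tier from inventory facts such as a valid X.509 device certificate, a TPM-held key, disk encryption and patch age, and then gates each application on that tier plus the user’s group, with the source network deliberately absent from the decision. The tier names, attribute names and the policy table are constructed assumptions.

```python
"""Device-trust access gating in the BeyondCorp style.

Added illustration, not Google's or Ziften's code. The device attributes,
tier names and the application policy table are constructed assumptions.
"""
from dataclasses import dataclass
from datetime import date


@dataclass
class Device:
    device_id: str
    cert_valid: bool      # X.509 device certificate chains and is unexpired
    hw_backed_key: bool   # private key held in a TPM (or software equivalent)
    managed: bool         # present in the device inventory as corporate-owned
    disk_encrypted: bool
    os_patch_date: date   # date of the last applied OS patch set
    user: str             # authenticated user currently on the device


# Tiers from most to least trusted; constructed names, not Google's.
TIERS = ["full", "standard", "restricted", "untrusted"]

# Per-application minimum tier and required user group (constructed).
APP_POLICY = {
    "source-code": ("full", "engineering"),
    "mail": ("standard", "staff"),
    "cafeteria-menu": ("restricted", "staff"),
}

USER_GROUPS = {"alice": {"staff", "engineering"}, "bob": {"staff"}}


def assign_tier(d: Device, today: date) -> str:
    """Compute the trust tier from device state alone. The originating
    network (office LAN, VPN, coffee shop) is deliberately not an input."""
    if not (d.cert_valid and d.managed):
        return "untrusted"   # cannot even prove which device this is
    if not d.hw_backed_key:
        return "restricted"  # identity provable, but the key is exportable
    patch_age_days = (today - d.os_patch_date).days
    if not d.disk_encrypted or patch_age_days > 30:
        return "standard"    # known device, but state is below policy
    return "full"


def authorize(d: Device, app: str, today: date) -> bool:
    """Gate access: the device tier must be at least the app's minimum tier
    AND the user must belong to the app's required group."""
    min_tier, group = APP_POLICY[app]
    tier = assign_tier(d, today)
    tier_ok = TIERS.index(tier) <= TIERS.index(min_tier)
    user_ok = group in USER_GROUPS.get(d.user, set())
    return tier_ok and user_ok


if __name__ == "__main__":
    today = date(2016, 6, 1)
    lt = Device("lt-001", True, True, True, True, date(2016, 5, 20), "alice")
    print(assign_tier(lt, today), authorize(lt, "source-code", today))
```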


In summary, Google has established a first-rate solution, but its applicability and practicality are limited to companies like Alphabet.

Ziften offers the same level of operational visibility and security protection to the masses, using a lightweight agent, metadata/network flow monitoring (from the endpoint), and a best-in-class console. For organizations with specialized needs or incumbent tools, Ziften provides both an open REST API and an extension framework (to augment ingestion of data and trigger response actions).

This brings the benefits of the BeyondCorp design to the masses, while conserving network bandwidth and endpoint (machine) computing resources. As companies will be slow to move entirely away from the business network, Ziften partners with firewall and SIEM vendors.

Finally, the security landscape is steadily moving towards managed detection and response (MDR). Managed security service providers (MSSPs) offer conventional monitoring and management of firewalls, gateways and perimeter intrusion detection, but this is inadequate. They lack the skills and the technology.

Ziften’s solution has been evaluated, integrated, approved and implemented by a number of the emerging MDRs, highlighting the standardization (capability) and flexibility of the Ziften platform to play an essential role in remediation and incident response.

The Verizon 2016 DBIR Report Shows More Of The Same – Chuck Leaver

Written By Dr Al Hartmann And Presented By Chuck Leaver, Ziften CEO

The Data Breach Investigations Report 2016 from Verizon Enterprise has been released, examining 64,199 security incidents leading to 2,260 security breaches. Verizon defines an incident as compromising the integrity, confidentiality, or availability of an information asset, while a breach is a confirmed disclosure of data to an unauthorized party. Because avoiding breaches is far less painful than enduring them, Verizon suggests a number of sets of controls to be used by security-conscious enterprises. If you don’t care to read the complete 80-page report, Ziften provides this Verizon DBIR analysis with a spotlight on Verizon’s EDR-enabled recommended controls:

Vulnerabilities Recommended Controls

A solid EDR tool performs vulnerability scanning and reporting of exposed vulnerabilities, including vulnerability exposure timelines highlighting vulnerability management effectiveness. The exposure timelines are essential because Verizon emphasizes a systematic approach that stresses consistency and coverage, versus haphazard opportunistic patching.

Phishing Recommended Controls

Although Verizon recommends user training to reduce phishing susceptibility, their data still shows almost a third of phishes being opened, with users clicking the link or attachment more than 1 time in 10. Not good odds if you have at least ten users! Given the inevitable click compromise, Verizon recommends placing effort into detection of unusual networking activity indicative of pivoting, C2 traffic, or data exfiltration. A sound EDR system will not just track endpoint networking activity, but also filter it against network threat feeds identifying malicious network targets. Ziften goes beyond this with our patent-pending ZFlow technology to augment network flow data with endpoint context and attribution, so that SOC personnel have crucial decision context to quickly resolve network alerts.

Web App Cyber Attacks Recommended Controls

Verizon recommends multi-factor authentication and monitoring of login activity to avoid compromise of web application servers. A solid EDR solution will monitor login activity and use anomaly checking to discover unusual login patterns indicative of compromised credentials.

Point-of-Sale Intrusions Recommended Controls

Verizon recommends (and this has also been strongly advised by FireEye/Mandiant) strong network segmentation of POS devices. Once again, a solid EDR solution must be tracking network activity (to recognize anomalous network contacts). ZFlow in particular is of great value in providing crucial decision context for suspicious network activity. EDR solutions will also address Verizon’s recommendation for remote login monitoring of POS devices. In addition, Verizon recommends multi-factor authentication, but a strong EDR capability will augment that with additional login pattern anomaly checking (since even MFA can be defeated with MITM attacks).

Insider and Privilege Abuse Recommended Controls

Verizon advises “monitor the heck out of [employee] authorized daily activity.” Continuous endpoint monitoring by a solid EDR product naturally offers this capability. In Ziften’s case our software tracks user presence periods and user focus activities while present (such as foreground application use). Anomaly monitoring can identify unusual variances in activity pattern, whether a temporal anomaly (i.e. something has changed this user’s normal activity pattern) or a spatial anomaly (i.e. this user’s behavior pattern differs significantly from peer behavior patterns).

Verizon also advises monitoring use of USB storage devices, which strong EDR products provide, since such devices can function as a “sneaker exfiltration” route.

Miscellaneous Errors Recommended Controls

Verizon’s suggestions in this area concentrate on preserving a record of past mistakes to serve as a warning of mistakes to avoid in the future. Solid EDR products do not forget; they keep an archival record of endpoint and user activity going back to their first deployment. These records are searchable at any time, perhaps after some future incident has uncovered an intrusion and response teams need to go back and “find patient zero” to unravel the incident and identify where errors may have been made.

Physical Theft and Loss Recommended Controls

Verizon recommends (and many regulators demand) full disk encryption, especially for mobile devices. A strong EDR system will verify that endpoint configurations comply with enterprise encryption policy, and will alert on violations. Verizon reports that data assets are physically lost one hundred times more frequently than they are physically stolen, but the effect is essentially the same for the affected business.

Crimeware Recommended Controls

Again, Verizon stresses vulnerability management and constant comprehensive patching. As noted above, proper EDR tools identify and track vulnerability exposures. In Ziften’s case, this keys off the National Vulnerability Database (NVD), filtering it against process image records from our endpoint monitoring. This yields a precisely updated vulnerability assessment at any moment.

Verizon also suggests capturing malware analysis data in your own business environment. EDR tools do track arrival and execution of new binaries, and Ziften’s product can obtain samples of any binary present on enterprise endpoints and submit them for detailed static and dynamic analysis by our malware research partners.

Cyber-Espionage Recommended Controls

Here Verizon specifically calls out use of endpoint threat detection and response (ETDR) tools, describing the security tool segment that Gartner now terms endpoint detection and response (EDR). Verizon also suggests a variety of endpoint configuration hardening steps that can be compliance-verified by EDR tools.

Verizon also suggests strong network protections. We have already discussed how Ziften ZFlow can considerably improve traditional network flow monitoring with endpoint context and attribution, offering a combination of network and endpoint security that is genuinely end-to-end.

Finally, Verizon suggests monitoring and logging, which is the first thing third-party incident responders demand when they arrive on-scene to help in a breach crisis. This is the prime purpose of EDR tools, because the endpoint is the most frequent entry vector in a significant data breach.

Denial-of-Service Attacks Recommended Controls

Verizon suggests controlling port access to prevent business assets from being used to participate in a DoS attack. EDR products can track port usage by applications and employ anomaly checks to identify unusual application port use that might suggest compromise.

Business services migrating to the cloud also require protection from DoS attacks, which the cloud provider may offer. However, for network traffic monitoring in the cloud, where the enterprise may not have cloud network visibility, alternatives like Ziften ZFlow offer a means of gathering enhanced network flow data directly from cloud virtual servers. Do not let the cloud be your network blind spot, otherwise cyber attackers will exploit it to fly under your radar.

Chuck Leaver – Don’t Let Security Blindspots Make You Prone To Attacks Use Ziften ZFlow

Written By Andy Wilson And Presented By Chuck Leaver CEO Ziften

Over the past several years, many IT organizations have embraced the use of NetFlow telemetry (network connection metadata) to improve their security posture. There are numerous reasons for this: NetFlow is relatively inexpensive (vs. full packet capture); it’s fairly easy to collect, as most Layer 3 network devices support NetFlow or the IANA standard called IPFIX; and it’s easy to analyze using freeware or commercially available software. NetFlow can help overcome blind spots in the architecture and can provide much-needed visibility into what is really going on in the network (both internal and external). Flow data can also help in early detection of attacks (DoS and APT/malware) and can be used in baselining and anomaly detection techniques.

NetFlow can provide insight where little or no visibility exists. Most companies are collecting flows at the core, WAN and Internet layers of their networks. Depending on routing schemas, localized traffic might not be accounted for: LAN-to-LAN activity, local broadcast traffic, and even east-west traffic inside the data center. The majority of companies are not routing all the way to the access layer and are thus typically blind to some extent in this segment of the network.


Performing full packet capture in this area is still not 100% practical due to a variety of factors. The answer is to implement endpoint-based NetFlow to restore visibility and offer very important additional context to the other flows being collected in the network. Ziften ZFlow telemetry originates from the endpoint (desktop, laptop, or server), so it does not depend on the network infrastructure to generate it. ZFlow offers conventional ISO Layer 3/4 data such as source and destination IP addresses and ports, but also offers additional valuable Layer 4-7 information such as the executable responsible for the network socket, the MD5 hash, PID and file path of the executable, the user responsible for launching the executable, and whether it was in the foreground or background. The latter are very important details that network-based flows simply cannot provide.


This essential additional contextual data can help considerably lower the incidence of false positives and offer rich data to analysts, SOC workers and incident handlers, allowing them to rapidly examine the nature of the network traffic and determine whether it’s malicious or benign. Used in conjunction with network-based alerts (firewall, IDS/IPS, web proxies and gateways), ZFlow can drastically reduce the time it takes to work through a security incident. And we know that time to detect malicious behavior is a crucial factor in how successful an attack becomes. Dwell times have decreased in recent history but are still at unacceptable levels: presently over 230 days that an attacker can wander undetected through your network gathering your critical data.

Below is a screenshot that shows a port 80 connection to a Web destination. Interesting facts about this connection that network-based tools would miss are that it was not initiated by an Internet browser, but rather by Windows PowerShell. Another intriguing data point is that this connection was initiated by the ‘System’ account and not the logged-in user. These are both extremely attention-grabbing to a security analyst, as this is not a false positive and would most likely require much deeper investigation (at which point, the analyst could pivot into the Ziften console and see deeper into that system’s behavior: what actions or binaries were initiated before and after the connection, process history, network activity and more).
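The PowerShell-under-System connection just described, as an added example (not Ziften’s code) of what a triage rule over endpoint-enriched flow records can do that a plain router-exported 5-tuple cannot. The sample records, the browser allow-list and the service-account list are constructed for illustration, and the MD5 fields are placeholders.

```python
"""Triage of endpoint-enriched (ZFlow-style) flow records.

Added example, not Ziften's code. The record fields mirror those the post
lists (executable, MD5, PID, path, user, foreground flag); the sample
records and the detection rules below are constructed for illustration.
"""
from typing import Dict, List

# Constructed sample records: NetFlow-style 5-tuple fields plus the endpoint
# context the post describes. Addresses are documentation ranges, MD5 values
# are placeholders.
SAMPLE_FLOWS = [
    {"src_ip": "10.1.2.30", "dst_ip": "203.0.113.10", "dst_port": 80,
     "proto": "tcp", "exe": "chrome.exe", "md5": "<md5-placeholder-1>",
     "pid": 4120, "path": r"C:\Program Files\Google\Chrome\chrome.exe",
     "user": "CORP\\jsmith", "foreground": True},
    {"src_ip": "10.1.2.30", "dst_ip": "203.0.113.55", "dst_port": 80,
     "proto": "tcp", "exe": "powershell.exe", "md5": "<md5-placeholder-2>",
     "pid": 9120,
     "path": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "user": "NT AUTHORITY\\SYSTEM", "foreground": False},
    {"src_ip": "10.1.2.31", "dst_ip": "10.1.5.9", "dst_port": 443,
     "proto": "tcp", "exe": "firefox.exe", "md5": "<md5-placeholder-3>",
     "pid": 2210, "path": r"C:\Program Files\Mozilla Firefox\firefox.exe",
     "user": "CORP\\adoe", "foreground": True},
]

WEB_PORTS = {80, 443}
# Processes expected to originate interactive web traffic (constructed list).
BROWSERS = {"chrome.exe", "firefox.exe", "iexplore.exe", "msedge.exe"}
# Built-in service accounts that should not be browsing on their own.
SERVICE_ACCOUNTS = {"NT AUTHORITY\\SYSTEM", "NT AUTHORITY\\LOCAL SERVICE",
                    "NT AUTHORITY\\NETWORK SERVICE"}


def triage(flow: Dict) -> List[str]:
    """Return the reasons a web flow deserves analyst attention.

    An empty list means nothing in the endpoint context stands out. A record
    lacking 'exe' and 'user' (a plain network flow) can never produce a
    reason, which is exactly the blind spot the post describes."""
    reasons: List[str] = []
    if flow.get("dst_port") not in WEB_PORTS:
        return reasons
    exe = (flow.get("exe") or "").lower()
    user = (flow.get("user") or "").upper()
    if exe and exe not in BROWSERS:
        reasons.append(f"web traffic from non-browser process {exe} "
                       f"(pid {flow.get('pid')}, path {flow.get('path')})")
        if flow.get("foreground") is False:
            reasons.append("process was running in the background")
    if user and user in SERVICE_ACCOUNTS:
        reasons.append(f"initiated by service account {flow['user']}, "
                       "not the logged-in user")
    return reasons


def strip_endpoint_context(flow: Dict) -> Dict:
    """What a router-exported NetFlow record carries for the same connection."""
    return {k: flow[k] for k in ("src_ip", "dst_ip", "dst_port", "proto")}


if __name__ == "__main__":
    for f in SAMPLE_FLOWS:
        print(f["dst_ip"], f["dst_port"], triage(f))
```

Running the same rule over `strip_endpoint_context(flow)` yields nothing for every record, which is the point: the process and user attribution is what separates the PowerShell flow from the browser traffic on the same port.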


Ziften’s ZFlow shines a light on security blind spots and can offer the additional endpoint context of process, application and user attribution to help security personnel better understand what is actually happening in their environment. Combined with network-based events, ZFlow can help dramatically reduce the time it takes to investigate and respond to security notifications and significantly enhance an organization’s security posture.