Systems And Security Operations Is Essential For Businesses – Chuck Leaver

Written By Alan Zeichick And Presented By Chuck Leaver


SysSecOps. That’s a new phrase, still unfamiliar to many IT and security administrators – but it’s being discussed within the market, by experts, and at technical conferences. SysSecOps, or Systems & Security Operations, refers to the practice of bringing security teams and IT operations teams together to ensure the health of enterprise technology – and giving them the tools to respond most effectively when issues happen.

SysSecOps focuses on taking down the information walls, and breaking up the silos, that stand between security teams and IT administrators.

IT operations staff exist to ensure that end-users can access applications, and that critical infrastructure is operating 24 × 7. They want to maximize access and availability, and they need the data to do that job – such as knowing that a new employee needs to be provisioned, that a disk drive in a RAID array has failed, that a new partner needs access to a secure document repository, or that an Oracle database is ready to be migrated to the cloud. It’s all about innovation to drive the business.

Same Data, Different Use Cases

While the views of endpoint and network monitoring data and analytics are clearly tailored to the different requirements of IT and security, it turns out that the underlying raw data is in fact the same. The IT and security teams are simply looking at their own domain’s problems and situations – and taking actions based on those use cases.

Yet often the IT and security teams need to collaborate. Take provisioning that new business partner: it should touch all the right systems, and be done securely. Or if there is an issue with a remote endpoint, such as a mobile phone or a device on the Industrial Internet of Things, IT and security may have to work together to determine precisely what’s going on. When IT and security share the same data sources, and have access to the same tools, this job becomes much easier – hence SysSecOps.

Imagine that an IT administrator spots that a server hard disk is nearing full capacity – and this was not expected. Maybe the network has been breached, and the server is now being used to stream pirated films across the Web. It happens, and finding and fixing that issue is a task for both IT and security. The data gathered by endpoint instrumentation, and displayed through a SysSecOps-ready monitoring platform, can help both sides work together more efficiently than would be possible with conventional, separate IT and security tools.

SysSecOps: It’s a brand-new term, and a new concept, and it’s resonating with both IT and security groups. You can discover more about this in a short nine-minute video, where I talk with a number of industry professionals about this topic: “Exactly what is SysSecOps?”

Prevent Phishing Attacks From Microsoft Word Features – Chuck Leaver

Written By Josh Harriman And Presented By Chuck Leaver


An interesting multifaceted attack has been reported in a recent blog post by Cisco’s Talos Intelligence group. I wanted to talk about the infection vector of this attack, as it’s quite interesting and something that Microsoft has vowed not to repair, since it is a feature and not a bug. Reports are coming in about attacks in the wild which are using a feature in Microsoft Word called Dynamic Data Exchange (DDE). Details of how this is achieved are reported in this blog post from SecureData.

Unique Phishing Attack with Microsoft Word

Attackers constantly try to find new methods to breach an organization. Phishing attacks are among the most common, as adversaries rely on somebody either opening a document sent to them or visiting a ‘faked’ URL. From there, an exploit against a vulnerable piece of code normally gives them the access they need to start their attack.

In this case, however, the documents didn’t have anything malicious embedded in the Word doc, which is a favorite attack vector, but rather used this feature in a sneaky way that allows the Word program to connect out and retrieve the actual malicious files. The attackers could hope for a better infection rate this way, since malicious Word files themselves may be scanned and deleted before reaching the recipient.

Searching for Suspicious Behaviors with Ziften Zenith

Here at Ziften, we wanted to have the ability to alert on this behavior for our clients. Finding conditions that show ‘weird’ behavior, such as Microsoft Word spawning a shell, is interesting and not expected. Take it a step further and search for PowerShell running from that spawned shell, and it gets ‘really’ intriguing. By using our Search API, we can discover these behaviors whenever they happened. We do not need the system to be switched on at the time of the search: if it has run a program (i.e. Word) that showed these behaviors, we can find that system. Ziften is constantly collecting and sending relevant process info, which is why we can find the data without depending on the system state at the time of searching.

In our Zenith console, I looked for this condition by trying to find the following:

Process → Filepath contains word.exe, Child Process Filepath contains cmd.exe, Child Process command line contains powershell

This returns the PIDs (Process ID) of the processes we saw start-up with these conditions. After this we can drill down to see the nitty gritty details.

In this first image, we can see information about the process tree (Word spawning CMD with PowerShell under that) on the left, and on the right side you can see details like the System name and User, plus start time.

Below, in the next screenshot, we take a look at the CMD process and get details as to what was passed to PowerShell.

Most likely it was when the user answered the Microsoft Word pop-up dialog box that the CMD shell used PowerShell to go out and get some code hosted on the Louisiana Gov site. In the PowerShell screenshot below we can see more details, such as Network Connect information from when it was reaching out to the site to pull the fonts.txt file.

That IP address ( is in fact the Louisiana Gov site. Often we see interesting data within our Network Connect information that may not match what you expect.

After creating our Saved Search, we can alert on these conditions as they happen throughout the environment. We can likewise create extensions that change a GPO policy to disallow DDE, or even take additional action and go and find these files and remove them from the system if so desired. Having the capability to find interesting combinations of conditions within an environment is very powerful, and we are delighted to have this function in our product.
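The saved search above is a parent/child process-tree condition evaluated over stored telemetry. The following is an added example of the same logic, written for this page and not Ziften’s code or the Zenith Search API: it indexes constructed process-start records by (host, pid), matches the three conditions from the search (a parent whose file path contains word.exe, a child whose path contains cmd.exe and whose command line contains powershell), and offers a drill-down that returns the subtree under a matched process, which is what the console screenshots show. All field names, hostnames, users, PIDs and timestamps are constructed assumptions; the PowerShell command line is a placeholder rather than the real payload.

```python
"""Hunt for the Word -> cmd.exe -> powershell process chain in stored telemetry.

Added example, not Ziften's own code. Records are a constructed, flat list of
process-start events (host, user, pid, ppid, image path, command line, start
time), the shape an EDR telemetry export might take. Because the search runs
over recorded data, the endpoint does not need to be online.
"""
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class ProcessEvent:
    host: str
    user: str
    pid: int
    ppid: int
    image: str       # full path of the executable
    cmdline: str
    start_time: str  # ISO-8601 UTC; same format everywhere so strings compare in order


# Saved-search conditions, as case-insensitive substrings (as in the console query).
PARENT_IMAGE_CONTAINS = "word.exe"    # also matches WINWORD.EXE
CHILD_IMAGE_CONTAINS = "cmd.exe"
CHILD_CMDLINE_CONTAINS = "powershell"

WORD = r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE"
CMD = r"C:\Windows\System32\cmd.exe"
PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"

# Constructed sample telemetry (hostnames, users, PIDs and times are made up).
EVENTS: List[ProcessEvent] = [
    # WS-01: Word spawns cmd.exe, which launches PowerShell -> should match
    ProcessEvent("WS-01", "alice", 400, 1, r"C:\Windows\explorer.exe", "explorer.exe", "2017-10-12T09:00:00Z"),
    ProcessEvent("WS-01", "alice", 512, 400, WORD, 'WINWORD.EXE /n "invoice.docx"', "2017-10-12T09:03:10Z"),
    ProcessEvent("WS-01", "alice", 640, 512, CMD, 'cmd.exe /c powershell -NoProfile -WindowStyle Hidden -Command "<constructed placeholder>"', "2017-10-12T09:03:41Z"),
    ProcessEvent("WS-01", "alice", 700, 640, PS, 'powershell -NoProfile -WindowStyle Hidden -Command "<constructed placeholder>"', "2017-10-12T09:03:42Z"),
    # WS-02: Word spawns the print helper splwow64.exe -> benign, must not match
    ProcessEvent("WS-02", "bob", 400, 1, r"C:\Windows\explorer.exe", "explorer.exe", "2017-10-12T10:00:00Z"),
    ProcessEvent("WS-02", "bob", 512, 400, WORD, 'WINWORD.EXE /n "report.docx"', "2017-10-12T10:05:00Z"),
    ProcessEvent("WS-02", "bob", 530, 512, r"C:\Windows\splwow64.exe", "splwow64.exe 12288", "2017-10-12T10:06:00Z"),
    # WS-03: cmd.exe running PowerShell from Explorer, not from Word -> must not match
    ProcessEvent("WS-03", "carol", 400, 1, r"C:\Windows\explorer.exe", "explorer.exe", "2017-10-12T11:00:00Z"),
    ProcessEvent("WS-03", "carol", 800, 400, CMD, "cmd.exe /c powershell -Command Get-Date", "2017-10-12T11:01:00Z"),
]


def _contains(haystack: str, needle: str) -> bool:
    return needle.lower() in haystack.lower()


def index_by_pid(events: List[ProcessEvent]) -> Dict[Tuple[str, int], ProcessEvent]:
    """Key each start record by (host, pid): PIDs repeat across hosts."""
    return {(e.host, e.pid): e for e in events}


def hunt_word_shell_chain(events: List[ProcessEvent]) -> List[Tuple[ProcessEvent, ProcessEvent]]:
    """Return (parent, child) pairs where a Word process spawned cmd.exe with a
    command line that invokes PowerShell: the saved-search conditions."""
    by_pid = index_by_pid(events)
    hits = []
    for child in events:
        if not _contains(child.image, CHILD_IMAGE_CONTAINS):
            continue
        if not _contains(child.cmdline, CHILD_CMDLINE_CONTAINS):
            continue
        parent = by_pid.get((child.host, child.ppid))
        if parent is None or not _contains(parent.image, PARENT_IMAGE_CONTAINS):
            continue
        # PIDs are reused over time; a real parent must have started before its child.
        if parent.start_time > child.start_time:
            continue
        hits.append((parent, child))
    return hits


def descendants(events: List[ProcessEvent], host: str, pid: int) -> List[ProcessEvent]:
    """Drill-down: every process under (host, pid), for the process-tree view."""
    children: Dict[int, List[ProcessEvent]] = {}
    for e in events:
        if e.host == host:
            children.setdefault(e.ppid, []).append(e)
    out, stack, seen = [], [pid], {pid}
    while stack:
        for c in children.get(stack.pop(), []):
            if c.pid not in seen:          # guard against PID reuse forming a cycle
                seen.add(c.pid)
                out.append(c)
                stack.append(c.pid)
    return out


def format_alert(parent: ProcessEvent, child: ProcessEvent) -> str:
    """One alert line per hit, in the shape a saved-search notification might take."""
    return (f"[{child.start_time}] {parent.host} user={parent.user} "
            f"parent_pid={parent.pid} ({parent.image}) -> child_pid={child.pid} cmdline={child.cmdline!r}")


if __name__ == "__main__":
    for parent, child in hunt_word_shell_chain(EVENTS):
        print(format_alert(parent, child))
        for e in descendants(EVENTS, parent.host, parent.pid):
            print(f"    pid={e.pid} ppid={e.ppid} {e.image}")
```

The substring match on word.exe is deliberately loose (it covers WINWORD.EXE), which is what the console query does as well; in production the parent path should be anchored to the known Office install directories so a renamed binary cannot hide, and the start-time check matters because PIDs are recycled.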

Here Are 4 Steps To Prevent And Tackle Ransomware – Chuck Leaver

Written By Alan Zeichick And Presented By Chuck Leaver


Ransomware is real, and is striking people, businesses, schools, hospitals, governments – and there’s no sign that ransomware is stopping. In fact, it’s probably increasing. Why? Let’s face it: Ransomware is most likely the single most efficient attack that hackers have ever created. Anyone can create ransomware using readily available tools; any money received is likely in untraceable Bitcoin; and if something goes wrong with decrypting somebody’s hard drive, the cyber criminal isn’t affected.

A business is hit with ransomware every forty seconds, according to some sources, and 60% of malware problems were ransomware. It hits all sectors. No industry is safe. And with the rise of RaaS (Ransomware-as-a-Service) it’s going to get worse.

Fortunately, we can fight back. Here’s a four-step battle plan.

Good Fundamental Hygiene

It begins with training workers how to handle malicious e-mails. There are forged messages from business partners. There’s phishing and targeted spearphishing. Some will get through email spam/malware filters; staff members have to be taught not to click links in those messages and, of course, not to allow apps or plug-ins to be installed.

Nevertheless, some malware, like ransomware, is going to get through, often exploiting obsolete software or unpatched systems, as in the Equifax breach. That’s where the next step comes in:

Making sure that all end points are thoroughly patched and entirely updated with the current, most safe and secure operating systems, applications, utilities, device drivers, and code libraries. In this way, if there is an attack, the endpoint is healthy, and has the ability to best eradicate the infection.

Ransomware isn’t really a technology or security issue. It’s a business problem. And it’s so much more than the ransom that is demanded. That’s peanuts compared with the loss of productivity due to downtime, bad public relations, disgruntled customers if service is interrupted, and the expense of rebuilding lost data. (Which presumes that important intellectual property or protected financial or consumer health data isn’t also stolen.)

What else can you do? Backup, backup, backup, and safeguard those backups. If you don’t have safe, protected backups, you can’t bring back data and core infrastructure in a timely fashion. That consists of making daily snapshots of virtual machines, databases, applications, source code, and configuration files.

Companies need tools to detect, identify, and stop malware like ransomware from spreading. This requires constant monitoring and reporting of exactly what’s occurring in the environment – including “zero day” attacks that have not been seen before. Part of that is monitoring endpoints, from the mobile phone to the desktop to the server to the cloud, to guarantee that all endpoints are up-to-date and protected, and that no unexpected changes have been made to their underlying configuration. That way, if a device is infected by ransomware or other malware, the breach can be detected quickly, and the device isolated and shut down pending forensics and recovery. If an endpoint is breached, fast containment is vital.

The 4 Tactics

Good user training. Updating systems with patches and repairs. Backing up whatever as frequently as possible. And utilizing tracking tools to help both IT and security groups discover problems, and react quickly to those issues. When it comes to ransomware, those are the four battle-tested tactics we need to keep our companies safe.

You can find out more about this in a brief eight-minute video, where I talk with several industry experts about this concern:

Protect Yourself With Microsoft And Ziften – Chuck Leaver

Written By David Shefter And Presented By Chuck Leaver


This week we announced a collaboration with Microsoft that unites Ziften’s Zenith® systems and security operations platform and Windows Defender Advanced Threat Protection (ATP), providing a cloud-based “single pane of glass” to detect, view, investigate, and respond to advanced cyber-attacks and breaches on Windows, macOS, and Linux-based devices (desktops, laptops, servers, cloud, etc).

Windows Defender ATP plus Ziften Zenith is a security service that enables business customers to detect, investigate, respond to and remediate advanced threats on their networks, off-network, and in the data center and cloud.

Imagine a single solution across all the devices in your business, supplying scalable, cutting-edge security in a cost-efficient and easy-to-use platform. Enabling businesses throughout the world to secure and manage devices through this ‘single pane of glass’ promises lower operational costs with genuinely improved security, providing real-time global threat defense with information collected from billions of devices worldwide.

The Architecture Of Microsoft And Ziften

The image below provides an overview of the service components and the integration between Windows Defender ATP and Ziften Zenith.

Endpoint investigation capabilities allow you to drill down into security alerts and understand the scope and nature of a potential breach. You can submit files for deep analysis, receive the results and take action without leaving the Windows Defender ATP console.

Detect and Contain Threats

With the Windows Defender ATP and Ziften Zenith integration, companies can easily detect and contain threats on Windows, macOS, and Linux systems from a single console. Windows Defender ATP and Ziften Zenith provide:

Behavior-based, cloud-powered, advanced attack detection. Discover the attacks that make it past all other defenses (after a breach has been detected).

Rich timeline for forensic investigation and mitigation. Easily examine the scope of any breach or suspicious behavior on any device through a rich, 6-month machine timeline.

Built-in unique threat intelligence knowledge base. Threat intelligence to quickly identify attacks based on tracking and data from millions of devices.

The diagram shown below illustrates many of the macOS and Linux threat detection and response capabilities now available with Windows Defender ATP.

In conclusion, if you’re seeking to secure your endpoints and infrastructure, you have to take a tough look at Windows Defender ATP and Ziften Zenith.