SysSecOps Are Effective If They Are Flexible – Chuck Leaver

Written by Chuck Leaver


Endpoints are everywhere. The device you are reading this on is an endpoint, whether it is a desktop, laptop, tablet, or phone. The HVAC controller for your building is an endpoint, assuming it is connected to a network, and so are the WiFi access points and the security cameras. So is the connected car. So are the web servers, storage servers, and Active Directory servers in the data center. So are your IaaS/PaaS services in the cloud, where you control bare-metal servers, VMware virtual machines, or containers running on Windows and/or Linux.

All of them are endpoints, and every one of them must be managed.

They have to be managed from the IT side by IT administrators, who ideally have IT-level visibility into every connected thing, including those security cameras. That management means making sure they are connected to the right network zones or VLANs, that their software and configurations are up to date, and that they are not flooding the network with bad packets because of electrical faults, and so on.

Those endpoints also have to be managed from the security perspective by CISO teams. Every endpoint is a potential entry point into the enterprise network, which means the devices must be locked down: default passwords never used, all security patches applied, no unapproved software installed on the device's embedded web server. (Krebs describes how, in 2014, attackers got into Target's network via its A/C system.)

Systems and Security Operations

Systems Security Operations, or SysSecOps, brings those two worlds together. With the right SysSecOps mindset, and tools that support the right workflows, IT and security staff get the same data and can collaborate. Sure, they each have different jobs and respond differently to problem notifications, but they are all managing the same endpoints, whether in the pocket, on the desk, in the utility closet, in the data center, or in the cloud.

Test Report on Ziften Zenith

We were delighted when the recently released Broadband-Testing report praised Zenith, Ziften's flagship endpoint security and management platform, as ideal for exactly this kind of situation. To quote from the report: “With its Zenith platform, Ziften has a product that ticks all the SysSecOps boxes and more. Because its definition of ‘endpoints’ extends into the Data Centre (DC) and the world of virtualisation, it is true blanket coverage.”

Broadband-Testing is an independent testing lab and service based in Andorra. They describe themselves as follows: “Broadband-Testing engages with suppliers, media, financial investment groups and VCs, analysts and consultancies alike. Evaluating covers all aspects of networking software and hardware, from ease of use and performance, through to significantly essential components such as device power consumption measurement.”

Back to flexibility. With endpoints everywhere (again, on the desk, in the utility closet, in the data center, or in the cloud), a SysSecOps-based endpoint security and management system must be able to go everywhere and do anything, at scale. Broadband-Testing wrote:

“The configuration/deployment options and architecture of Ziften Zenith permit a really flexible deployment, on or off-premise, or hybrid. Agent deployment is simplicity itself with no user requirements and no endpoint intrusion. Agent footprint is likewise very little, unlike many endpoint security services. Scalability also looks to be outstanding – the biggest client implementation to date is in excess of 110,000 endpoints.”

We cannot help but be proud of Zenith, and of what Broadband-Testing concluded:

“The introduction of SysSecOps – combining systems and security operations – is an unusual milestone in IT; a hype-free, good sense technique to refocusing on how systems and security are handled inside a company.

Secret to Ziften’s endpoint technique in this category is overall visibility – after all, how can you secure exactly what you can’t see or don’t know is there in the first place? With its Zenith platform, Ziften has a product that ticks all the SysSecOps boxes and more.

Release is basic, especially in a cloud-based scenario as checked. Scalability likewise seems excellent – the greatest client implementation to date remains in excess of 110,000 endpoints.

Data analysis choices are comprehensive with a big amount of details available from the Ziften console – a single view of the entire endpoint infrastructure. Any item can be evaluated – e.g. binaries, applications, systems – and, from a procedure, an action can be defined as an automatic function, such as quarantining a system in the event of a potentially harmful binary being discovered. Several reports are predefined covering all areas of analysis. Alerts can be set for any occurrence. Additionally, Ziften supplies the idea of extensions for custom-made data collection, beyond the reach of most suppliers.

And with its External API performance, endpoint data gathered by Ziften can be shared with most 3rd party applications, thereby including additional value to a client’s existing security and analytics infrastructure financial investment.

In general, Ziften has an extremely competitive offering in exactly what is an extremely worthwhile and emerging IT category in the form of SysSecOps that is really deserving of examination.”

We hope you will consider evaluating Zenith, and will agree that when it comes to SysSecOps and endpoint security and management, we do tick all the boxes, with the true blanket coverage that both your IT and CISO teams have been looking for.

How Ziften Will Help You With Spectre And Meltdown – Chuck Leaver

Written By Josh Harriman And Presented By Chuck Leaver


Ziften is aware of the latest exploits affecting virtually everyone who works on a computer or digital device. While that is a very broad statement, we at Ziften are hard at work helping our customers find vulnerable assets, fix those vulnerable systems, and monitor systems after the fix for possible performance issues.

This is an ongoing investigation by our team in Ziften Labs, where we stay up to date on the latest malicious attacks as they evolve. Today, most of the discussion is around proof-of-concept (PoC) code and what can theoretically happen. That will change quickly as attackers take advantage of these opportunities. The exploits I am speaking of, of course, are Meltdown and Spectre.

Much has been written about how these exploits were found and what the industry is doing to find workarounds for these hardware issues. To read more, I feel it is best to go straight to the source (https://spectreattack.com/).

What Do You Need To Do, and How Can Ziften Help?

A key area where Ziften helps in the event of an attack by either method is monitoring for data exfiltration. Since these attacks are essentially reading data they should not have access to, we believe the first and easiest way to protect yourself is to remove sensitive data from these systems. That data might be passwords, login credentials, or even security keys for SSH or VPN access.

Ziften monitors and alerts when processes that normally do not make network connections start exhibiting this unusual behavior. From these alerts, users can quarantine systems from the network and/or kill the processes involved. Ziften Labs is watching the evolution of the attacks that are likely to appear in the wild for these vulnerabilities, so we can better protect our customers.
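The process-to-network baseline check described above, as an added example that is not Ziften's code: it learns which processes on each host normally open network connections from a window of constructed connection events, then raises an alert for any process that connects out for the first time. Hostnames, process names, times and addresses are all constructed.

```python
"""Added example (not Ziften's code): per-host baseline of which processes open
network connections, then alert on first-time talkers. All events are constructed."""
from collections import defaultdict
from datetime import datetime

# Constructed connection events: "timestamp host process remote_addr:port".
CONSTRUCTED_EVENTS = """\
2018-01-08T09:00:01 ws-17 chrome.exe 203.0.113.10:443
2018-01-08T09:00:05 ws-17 outlook.exe 203.0.113.20:443
2018-01-08T22:00:00 ws-22 backup.exe 192.0.2.44:22
2018-01-09T10:15:00 ws-17 outlook.exe 203.0.113.20:443
2018-01-10T11:30:42 ws-17 chrome.exe 203.0.113.10:443
2018-01-10T11:31:03 ws-17 calc.exe 198.51.100.23:8080
2018-01-10T11:31:04 ws-17 calc.exe 198.51.100.23:8080
2018-01-10T22:00:00 ws-22 backup.exe 192.0.2.44:22
2018-01-10T22:05:00 ws-17 backup.exe 192.0.2.44:22
"""

def parse_events(text):
    """Turn the log text into (timestamp, host, process, remote) tuples."""
    events = []
    for line in text.splitlines():
        ts, host, proc, remote = line.split()
        events.append((datetime.fromisoformat(ts), host, proc, remote))
    return events

def build_baseline(events, learn_until):
    """(host, process) pairs seen making connections during the learning window.
    The baseline is per host: backup.exe is normal on ws-22, not on ws-17."""
    return {(h, p) for ts, h, p, _ in events if ts < learn_until}

def find_new_talkers(events, baseline, detect_from):
    """Alerts for (host, process) pairs that connect out after detect_from but
    never appeared in the baseline, with the distinct remote endpoints seen."""
    remotes = defaultdict(set)
    for ts, h, p, remote in events:
        if ts >= detect_from and (h, p) not in baseline:
            remotes[(h, p)].add(remote)
    return {f"{h}:{p}": sorted(r) for (h, p), r in remotes.items()}

def run(cutoff=datetime(2018, 1, 10)):
    """Learn from everything before cutoff, then alert on the rest."""
    events = parse_events(CONSTRUCTED_EVENTS)
    return find_new_talkers(events, build_baseline(events, cutoff), cutoff)

if __name__ == "__main__":
    for key, remotes in run().items():
        print(f"ALERT {key}: first network activity, remotes {remotes}")
```

Each alert is the trigger point for the response the post describes: quarantine the host or kill the process, then investigate the remote endpoints listed.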

Find – How am I Vulnerable?

Let's look at the areas we can check for vulnerable systems. Zenith, Ziften's flagship product, can quickly and simply find operating systems that need to be patched. Even though these exploits are in the CPU chips themselves (Intel, AMD and ARM), the fixes that become available will be delivered as OS updates and, in some cases, as updates to the browser you use as well.

In Figure 1 below, you can see one example of how we report on available patches by name, which systems have successfully installed each patch, and which have yet to install it. We can also track failed patch installs. The example below is not for Meltdown or Spectre, but the KB and/or patch number for your environment can be entered into this report to show the vulnerable systems.

The same applies to browser updates. Zenith keeps track of the software versions running in the environment. That data can be used to understand whether all browsers are up to date once the fixes become available.

Speaking of browsers, one area that has already gained momentum in the attack scenarios is the use of JavaScript. A working copy is shown here (https://www.react-etc.net/entry/exploiting-speculative-execution-meltdown-spectre-via-javascript).

Browsers like Edge do not use JavaScript any longer, and mitigations are available for other browsers. Firefox has a fix available here (https://blog.mozilla.org/security/2018/01/03/mitigations-landing-new-class-timing-attack/). A Chrome fix is coming out this week.

Repair – What Can I Do Now?

Once you have identified vulnerable systems in your environment, you will certainly want to patch and fix them very quickly. One caveat to consider is the reports of certain antivirus products causing stability problems when the patches are applied. Details about these issues are here (https://www.cyberscoop.com/spectre-meltdown-microsoft-anti-virus-bsod/) and here (https://docs.google.com/spreadsheets/u/1/d/184wcDt9I9TUNFFbsAVLpzAtckQxYiuirADzf3cL42FQ/htmlview?usp=sharing&sle=true).

Zenith also has the ability to help patch systems. We can monitor for systems that need patches, direct our product to apply those patches for you, and then report success/failure and the status of those still needing patching.

Because the Zenith backend is cloud based, we can even track your endpoint systems and apply the required patches when and if they are not connected to your corporate network.

Monitor – How is it all Running?

Finally, there may be some systems that show performance degradation after the OS fixes are applied. These issues seem to be limited to high-load (I/O and network) systems. The Zenith platform supports both the security and the operational teams within your environment, which is what we like to call SysSecOps (https://ziften.com/introducing-systems-security-operations-syssecops/).

We can help uncover issues such as application hangs or crashes, and system crashes. We also monitor system memory and CPU usage over time. That data can be used to monitor and alert on systems that begin to show high utilization compared with the period before the patch was applied. An example of this tracking is shown in Figure 2 below (system names deliberately removed).
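Tying the per-patch status report from the Find section to the before-and-after utilization comparison described above, as an added example that is not Ziften's code: it assumes a host-to-patch-state table and timestamped CPU samples (both constructed, with a placeholder patch id), lists the hosts still missing the patch, and flags patched hosts whose mean CPU rose by 15 points or more after the install time.

```python
"""Added example, not Ziften's code: join a constructed patch-status table with
constructed CPU samples to list hosts still missing a patch and flag hosts whose
CPU rose after the patch. Hosts, times and the patch id are placeholders."""
from statistics import mean

PATCH_ID = "KB-PLACEHOLDER"  # substitute the OS patch id for your environment

# Constructed patch status for PATCH_ID: host -> (state, install time or None).
PATCH_STATUS = {
    "db-01":  ("installed", "2018-01-05T02:00"),
    "web-03": ("installed", "2018-01-05T02:30"),
    "app-07": ("failed", None),
    "ws-41":  ("pending", None),
}

# Constructed CPU samples: (timestamp, host, cpu_percent). ISO timestamps in one
# format compare correctly as strings, so no datetime parsing is needed here.
CPU_SAMPLES = [
    ("2018-01-04T10:00", "db-01", 38), ("2018-01-04T14:00", "db-01", 42),
    ("2018-01-06T10:00", "db-01", 71), ("2018-01-06T14:00", "db-01", 76),
    ("2018-01-04T10:00", "web-03", 20), ("2018-01-04T14:00", "web-03", 24),
    ("2018-01-06T10:00", "web-03", 23), ("2018-01-06T14:00", "web-03", 25),
    ("2018-01-04T10:00", "app-07", 30), ("2018-01-06T10:00", "app-07", 31),
]

def unpatched_hosts(status=PATCH_STATUS):
    """Hosts that still need attention for PATCH_ID, grouped by state."""
    out = {}
    for host, (state, _) in status.items():
        if state != "installed":
            out.setdefault(state, []).append(host)
    return out

def cpu_regressions(samples=CPU_SAMPLES, status=PATCH_STATUS, min_rise=15.0):
    """Patched hosts whose mean CPU after the install time exceeds the mean
    before it by at least min_rise percentage points: {host: (before, after)}."""
    before, after = {}, {}
    for ts, host, cpu in samples:
        state, installed_at = status.get(host, ("unknown", None))
        if state != "installed":
            continue  # nothing to compare against for unpatched hosts
        bucket = before if ts < installed_at else after
        bucket.setdefault(host, []).append(cpu)
    flagged = {}
    for host in before.keys() & after.keys():  # need samples on both sides
        b, a = mean(before[host]), mean(after[host])
        if a - b >= min_rise:
            flagged[host] = (b, a)
    return flagged
```

A flagged host is a candidate for the high-load I/O and network profile the post mentions, and the unpatched list is the same set the Figure 1 report would show as pending or failed.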

These ‘flaws’ are still new to the public, and much more will be discussed and discovered for days, weeks, and months to come. Here at Ziften, we continue to monitor the situation and how we can best inform and protect our customers and partners.