Are You Whitelisting Your Network? – Chuck Leaver

Written By Roark Pollock And Presented By Chuck Leaver



Similar to any form of security, the world of IT security is concerned with developing and implementing a set of allow/disallow rules – or more formally entitled, security policies. And, simply specified, allow/disallow guidelines can be expressed as a ‘whitelist’ or a ‘blacklist’.

In the past, the majority of rules were blacklist in nature. The good ‘ole days were when we trusted almost everyone to behave well, and when they did this, it would be quite easy to determine bad behavior or anomalies. So, we would only have to write a few blacklist rules. For instance, “don’t permit anyone into the network coming from an IP address in say, Russia”. That was sort of the same thing as your grandparents never ever locking the doors to your house on the farm, given that they knew everyone within a twenty mile radius.

Then our world altered. Good behavior ended up being an exception, and bad actors/habits ended up being legion. Of course, it took place slowly – and in phases – dating to the beginning of the true ‘Internet’ back in the early 90’s. Keep in mind script kiddies illegally accessing public and secure sites, just to show to their high school pals that they could?

Fast forward to the modern age. Everything is online. And if it has value, somebody in the world is trying to steal or harm it – continuously. And they have plenty of tools that they can use. In 2017, 250,000 brand-new malware versions were presented – daily. We used to trust desktop and network anti-virus programs to include brand-new blacklist signatures – every week – to counter the bad guys utilizing destructive strings of code for their bidding. But at over 90 million new malware variations each year, blacklist techniques alone won’t cut it.

Network whitelisting technologies have been a crucial form of protection for on premises network security – and with many organizations quickly moving workloads to the cloud, the same systems will be needed there too.

Let’s take a closer look at both approaches.


A blacklist lines out understood destructive or suspicious “entities” that should not be enabled access, or execution rights, in a network or system. Entities consist of bad software applications (malware) including infections, Trojans, worms, spyware, and keystroke loggers. Entities also consist of any user, application, process, IP address, or organization understood to posture a danger to a business.

The critical word above is “known”. With 250,000 new versions appearing per day, the number that are out there we have no idea about – at least till much later on in time, which could be days, weeks, and even years?

What is Whitelisting?

So, what is whitelisting? Well, as you may have thought, it is the opposite of blacklisting. Whitelisting begins from a viewpoint that almost all things are bad. And, if that holds true, it ought to be more effective simply to specify and allow “good entities” into the network. A basic example would be “all employees in the finance department that are director level or greater are allowed to access our financial reporting application on server X.” By extension, everybody else is locked out.

Whitelisting is frequently described as a “absolutely no trust” approach – deny all, and permit just select entities access based on a set of ‘good’ properties connected with user and device identity, habits, place, time, and so on

Whitelisting is extensively accepted for high-risk security environments, where stringent guidelines are more important than user liberty. It is likewise highly valued in environments where companies are bound by strict regulatory compliance.

Black, White, or Both?

First, there are not many that would suggest blacklisting is totally a thing of the past. Certainly at the endpoint device level, it remains relatively simple to set up and preserve and rather effective – specifically if it is kept up to date by third party danger intelligence companies. But, in and of itself, is it enough?

Second, depending upon your security background or experience, you’re likely thinking, “Whitelisting would never work for us. Our business applications are just too different and complicated. The time, effort, and resources needed to assemble, monitor, and update whitelists at an enterprise level would be untenable.”

Thankfully, this isn’t really an either-or choice. It’s possible to take a “finest of both worlds” approach – blacklisting for malware and invasion detection, running along with whitelisting for system and network access at large.

Ziften and Cloud Whitelisting

The secret to whitelisting comes down to ease of implementation – specifically for cloud-based work. And ease of execution becomes a function of scope. Think of whitelisting in 2 ways – application and network. The former can be a quagmire. The latter is far simpler to implement and preserve – if you have the right visibility within your cloud deployments.

This is where Ziften comes in.

With Ziften, it becomes simple to:

– Identify and develop visibility within all cloud servers and virtual machines

– Gain continuous visibility into devices and their port use activity

– See east west traffic flows, including detailed tracking into protocols being used over particular port sets

– Convert ‘seeing’ exactly what’s happening into a discernable variety of whitelists, finished off with exact procedure and port mappings

– Establish near real-time notifications on any anomalous or suspicious resource or service activations

Check Out This Advanced Hunting With Windows Defender ATP – Chuck Leaver

Written By Josh Harrimen And Presented By Chuck Leaver


Following on from our current partnership statement with Microsoft, our Ziften Security Research group has actually started leveraging a very great part of the Windows Defender Advanced Threat Protection (Windows Defender ATP) Security Center platform. The Advanced Searching feature lets users run queries against the information that has actually been sent by products and tools, for example Ziften, to discover intriguing habits quickly. These inquiries can be kept and shared among the user base of Windows Defender ATP users.

We have actually included a handful of shared inquiries up until now, however the outcomes are rather interesting, and we like the ease of use of the searching interface. Given that Ziften sends out endpoint data collected from macOS and Linux systems to Windows Defender ATP, we are focusing on those OS in our inquiry advancement efforts to showcase the complete coverage of the platform.

You can access the Advanced Hunting interface by selecting the database icon on the left hand side as shown below.

You can observe the high-level schema on the top left of that page with occasions such as ProcessCreation, Machineinfo, NetworkCommunication and some others. We ran some current malware within our Redlab and created some queries to find that data and create the results for examination. An example of this was OceanLotus. We developed a few queries to find both the dropper and files associated with this threat.

After running the inquiries, you get results with which you can interact with.

Upon inspection of the outcomes, we see some systems that have exhibited the searched for behavior. When you choose these systems, you can view the information of the particular system in question. From there you can view alerts activated and an event timeline. Details from the malicious process are revealed in the image below.

Extra behavior-based queries can also be run. For instance, we carried out another harmful sample which leveraged a few strategies that we queried. The screenshot directly below reveals an inquiry we ran when searching for the Gatekeeper program on a macOS being disabled from the command line. While this action could be an administrative action, it is certainly something you would wish to know is occurring within your environment.

From these query outcomes, you can again select the system under examination and further investigate the suspicious behaviors.

This blog post definitely doesn’t act as an in-depth tutorial on using the Advanced Searching function within the Windows Defender Advanced Threat Protection platform. However we wanted to put something together quickly to share our excitement about how simple it is to utilize this feature to conduct your very own custom-made danger hunting in a multi-system environment, and across Linux, Windows and macOS systems.

We eagerly anticipate sharing more of our experiments and research studies utilizing queries constructed using the Advanced Searching feature. We share our successes with everybody here, so stay tuned.

RSA 2018 Was Refreshing For A Number Of Reasons – Chuck Leaver

Written By Logan Gilbert And Presented By Chuck Leaver


After spending a few days with the Ziften team at the 2018 RSA Conference, my technology observation was: more of the very same, the normal suspects and the usual buzzwords. Buzz words like – “AI”, “machine learning”, “predictive” were wonderfully worn out. Lots of attention paid to prevention, everyone’s preferred attack vector – email, and everybody’s favorite vulnerability – ransomware.

The only surprise I encountered was seeing a smattering of NetFlow analysis businesses – great deals of smaller sized companies trying to make their mark using a really abundant, however hard to work with, data set. Really cool stuff! Find the small booths and you’ll discover lots of innovation. Now, in fairness to the bigger suppliers I know there are some really cool innovations therein, but RSA barely positions itself to seeing through the buzzwords to real worth.

The Buzz at RSA

I may have a prejudiced view given that Ziften has actually been partnering with Microsoft for the last six plus months, however Microsoft appeared to play a lot more popular leading role at RSA this year. First, on Monday, Microsoft revealed it’s all new Intelligent Security Association bringing together their security collaborations “to concentrate on defending customers in a world of increased threats”, and more significantly – reinforcing that defense through shared security intelligence throughout this environment of partners. Ziften is of course proud to be an establishing member in the Intelligent Security Association.

Furthermore, on Tuesday, Microsoft revealed a ground breaking partnership with many in the cybersecurity market named the “Cybersecurity Tech Accord.” This accord calls for a “digital Geneva Convention” that sets standards of habits for cyberspace just as the Geneva Conventions set rules for the conduct of war in the physical world.

RSA Attendees

A true interesting point to me though was the makeup of the expo audience itself. As I was likewise an exhibitor at RSA, I noted that of my visitors, I saw more “suits” and less t-shirts.

Ok, maybe not suits per se, but more security Supervisors, Directors, VPs, CISOs, and security leaders than I recall seeing in the past. I was motivated to see what I think are business decision makers having a look at security businesses first hand, as opposed to delegating that task to their security team. From this audience I often heard the same themes:

– This is overwhelming.
– I can’t discriminate in between one innovation and another.

RSA Absences

There were certainly less “technology trolls”. What, you might ask, are technology trolls? Well, as a supplier and security engineer, these are the guys (always males) that show up five minutes before the close of the day and drag you into a technical due-diligence workout for an hour, or at least up until the happy hour parties start. Their objective – definitely nothing beneficial to anyone – and here I’m presuming that the troll actually works for a company, so absolutely nothing useful for the business that actually paid thousands of dollars for their attendance. The only thing acquired is the troll’s self-affirmation that they are able to “beat down the vendor” with their technical expertise. I’m being extreme, however I’ve experienced the trolls from both sides, both as a vendor, and as a buyer – and back at the home office no one is basing buying choices based upon troll recommendations. I can just presume that businesses send out tech trolls to RSA and similar expos because they do not want them in their workplace.

Discussions about Holistic Security

Which brings me back to the kind of people I did see a lot of at RSA: security savvy (not just tech savvy) security leaders, who comprehend the business argument and decisions behind security technologies. Not just are they influencers but oftentimes the business owners of security for their respective companies. Now, apart from the above mentioned concerns, these security leaders seemed less concentrated on an innovation or specific usage case, but rather a focus on a desire for “holistic” security. As we understand, great security needs a collection of innovations, policy and practice. Security savvy customers wanted to know how our innovation fitted into their holistic service, which is a refreshing modification of dialog. As such, the types of concerns I would hear:

– How does your technology partner with other solutions I currently use?
– More notably: Does your business really buy into that collaboration?

That last concern is important, basically asking if our collaborations are just fodder for a site, or, if we really have an acknowledgment with our partner that the sum is greater than the parts.

The latter is what security experts are searching for and need.

To Conclude

In general, RSA 2018 was terrific from my viewpoint. After you go beyond the jargon, much of the buzz centered on things that matter to clients, our industry, and us as people – things like security partner communities that add worth, more holistic security through genuine partnership and significant integrations, and face to face conversations with business security leaders, not technology trolls.

Discovering Unmanaged Assets In Your Cloud Environment – Chuck Leaver

Written By Logan Gilbert And Presented By Chuck Leaver


We all identify with the vision of the masked bad guy bending over his computer late in the evening – accessing a corporate network, stealing valuable data, vanishing without a trace. We personify the opponent as smart, determined, and crafty. But the truth is the vast majority of attacks are made possible by easy human carelessness or recklessness – making the job of the cyber criminal an easy one. He’s inspecting all the doors and windows continuously. All it takes is one error on your part and hegets in.

Exactly what do we do? Well, you know the answer. We invest a large portion of our IT budget plan on security defense-in-depth systems – designed to identify, trick, fool, or outright obstruct the bad guys. Let’s park the discourse on whether or not we are winning that war. Since there is a far easier war taking place – the one where the opponent enters your network, business crucial application, or IP/PPI data through a vector you didn’t even comprehend you had – the asset that is unmanaged – often described as Shadow IT.

Believe this is not your company? A current research study recommends the average business has 841 cloud apps in use. Surprisingly, most IT executives believe the variety of cloud apps in use by their organization is around 30-40 – suggesting they are incorrect by an element of 20 times. The very same report highlights that over 98% of cloud apps are not GDPR prepared, and 95% of enterprise class cloud apps are not SOC 2 ready.

Defining Unmanaged Assets/Shadow IT

Shadow IT is defined as any SaaS application utilized – by workers, departments, or whole company units – without the comprehension or authorization of the business’s IT department. And, the introduction of ‘everything as a service’ has made it even easier for workers to access whatever software they feel is needed to make them more productive.

The Effect

Well-intentioned employees normally do not understand they’re breaking business guidelines by activating a new server instance, or downloading unauthorized apps or software offerings. However, it happens. When it does, three problems can emerge:

1. Corporate standards within a company are compromised since unauthorized software applications means each computer system has different capabilities.

2. Rogue software often comes with security defects, putting the whole network at risk and making it much more tough for IT to handle security risk.

3. Asset blind spots not only drive up security and compliance threats, they can increase legal dangers. Information retention policies developed to restrict legal liability are being compromised with details stored on unapproved cloud assets.

Three Key Considerations for Dealing With Unmanaged Asset Risk

1. Initially, release tools that can offer extensive visibility into all cloud assets- managed and unmanaged. Know what brand-new virtual machines have actually been triggered this week, along with exactly what other devices and applications with which each VM instance is communicating.

2. Second, ensure your tooling can offer constant stock of authorized and unauthorized virtual machines running in the cloud. Make certain you can see all IP connections made to each asset.

3. Third, for compliance and/or forensic analysis purposes try to find a service that supplies a capture of any and all assets (virtual and physical) that have actually ever been on the network – not just a service that is limited to active assets – and within a short look back window.

Ziften approach to Unmanaged Asset Discovery

Ziften makes it easy to rapidly discover cloud assets that have been commissioned beyond IT’s purview. And we do it continuously and with deep historic recall within your reach – consisting of when each device first connected to the network, when it last appeared, and how often it reconnects. And if a virtual device is decommissioned, no problem, we still have all its historic habits data.

Recognize and protect concealed attack vectors coming from shadow IT – prior to a disaster. Know what’s going on in your cloud environment.