A New Era For Endpoints With Illumination – Chuck Leaver

Written By Dr Al Hartmann And Presented By Ziften CEO Chuck Leaver


The dissolving of the conventional border is taking place quick. So what about the endpoint?

Financial investment in border security, as specified by firewall programs, managed gateways and intrusion detection/prevention systems (IDS/IPS), is altering. Investments are being questioned, with returns not able to overcome the costs and complexity to develop, preserve, and validate these antiquated defenses.

Not only that, the paradigm has altered – employees are no longer solely working in the workplace. Lots of people are logging hours from home or while traveling – neither place is under the umbrella of a firewall program. Instead of keeping the cyber criminals out, firewall software frequently have the inverse effect – they prevent the good guys from being productive. The paradox? They develop a safe haven for enemies to breach and conceal for months, then pass through to crucial systems.

So Exactly what Has Altered A lot?

The endpoint has actually become the last line of defense. With the aforementioned failure in perimeter defense and a “mobile all over” workforce, we should now impose trust at the endpoint. Easier stated than done, nevertheless.

In the endpoint area, identity & access management (IAM) systems are not the perfect answer. Even innovative companies like Okta, OneLogin, and cloud proxy vendors such as Blue Coat and Zscaler can not conquer one simple truth: trust exceeds simple recognition, authentication, and authorization.

File encryption is a 2nd effort at securing entire libraries and specific assets. In the most recent (2016) Ponemon research study on data breaches, encryption only conserved 10% of the expense per breached record (from $158 to $142). This isn’t the remedy that some make it appear.

The Whole Picture is changing.

Organizations must be prepared to accept new paradigms and attack vectors. While companies must supply access to trusted groups and individuals, they have to resolve this in a much better method.

Important company systems are now accessed from anywhere, at any time, not simply from desks in corporate office complexes. And professionals (contingent workforce) are quickly consisting of over half of the total business workforce.

On endpoint devices, the binary is primarily the problem. Presumably benign incidents, such as an executable crash, might suggest something simple – like Windows 10 Desktop Manager (DWM) restarting. Or it might be a much deeper problem, such as a harmful file or early indicators of an attack.

Trusted access does not resolve this vulnerability. According to the Ponemon Institute, between 70% and 90% of all attacks are caused by human error, social engineering, or other human aspects. This requires more than basic IAM – it requires behavioral analysis.

Rather than making good better, border and identity access companies made bad faster.

When and Where Does the Good News Start?

Going back a little, Google (Alphabet Corp) announced a perimeter-less network design in late 2014, and has made considerable development. Other enterprises – from corporations to federal governments – have done this (in silence and less severe), but BeyondCorp has actually done this and revealed its solution to the world. The design approach, endpoint plus (public) cloud displacing cloistered enterprise network, is the crucial principle.

This changes the whole discussion on an endpoint – be it a laptop, desktop, workstation, or server – as subservient to the corporate/enterprise/private/ organization network. The endpoint really is the last line of defense, and should be safeguarded – yet also report its activity.

Unlike the conventional border security design, BeyondCorp doesn’t gate access to services and tools based upon a user’s physical place or the stemming network; rather, access policies are based upon information about a device, its state, and its associated user. BeyondCorp considers both external networks and internal networks to be completely untrusted, and gates access to apps by dynamically asserting and enforcing levels, or “tiers,” of access.

By itself, this appears innocuous. However the truth is that this is a radical brand-new design which is imperfect. The access requirements have moved from network addresses to device trust levels, and the network is heavily segmented by VLAN’s, rather than a centralized design with capacity for breaches, hacks, and dangers at the human level (the “soft chewy center”).

The bright side? Breaching the perimeter is incredibly challenging for potential attackers, while making network pivoting next to impossible when past the reverse proxy (a common mechanism used by cyber attackers today – proving that firewall software do a better job of keeping the bad guys in rather than letting the genuine users go out). The opposite design even more applies to Google cloud servers, most likely securely managed, inside the boundary, versus client endpoints, who are all out in the wild.

Google has done some great refinements on tested security techniques, especially to 802.1 X and Radius, bundled it as the BeyondCorp architecture, including strong identity and access management (IAM).

Why is this important? Exactly what are the gaps?

Ziften believes in this method since it emphasizes device trust more than network trust. Nevertheless, Google does not particularly show a device security agent or emphasize any form of client-side tracking (apart from extremely rigorous configuration control). While there may be reporting and forensics, this is something which every organization ought to be knowledgeable about, since it’s a question of when – not if – bad things will happen.

Because implementing the initial stages of the Device Inventory Service, we’ve consumed billions of deltas from over 15 data sources, at a common rate of about 3 million daily, totaling over 80 terabytes. Retaining historical data is vital in permitting us to understand the end-to-end lifecycle of a particular device, track and analyze fleet-wide patterns, and carry out security audits and forensic examinations.

This is a costly and data-heavy procedure with two imperfections. On ultra-high-speed networks (utilized by organizations such as Google, universities and research study organizations), adequate bandwidth permits this kind of communication to take place without flooding the pipes. The first concern is that in more pedestrian business and federal government situations, this would cause excessive user disruption.

Second, computing devices need to have the horsepower to constantly collect and transfer data. While most staff members would be delighted to have current developer-class workstations at their disposal, the cost of the devices and procedure of refreshing them on a regular basis makes this excessive.

A Lack of Lateral Visibility

Few systems really produce ‘enhanced’ netflow, enhancing conventional network visibility with abundant, contextual data.

Ziften’s patented ZFlow ™ offers network flow information on data generated from the endpoint, otherwise accomplished utilizing brute force (human labor) or expensive network devices.

ZFlow acts as a “connective tissue” of sorts, which extends and finishes the end-to-end network visibility cycle, including context to on-network, off-network and cloud servers/endpoints, allowing security teams to make faster and more educated and accurate decisions. In essence, buying Ziften services lead to a labor cost saving, plus an increase in speed-to-discovery and time-to-remediation due to technology acting as a replacement for human resources.

For companies moving/migrating to the public cloud (as 56% are preparing to do by 2021 according to IDG Enterprise’s 2015 Cloud Survey), Ziften offers unequaled visibility into cloud servers to better monitor and protect the complete infrastructure.

In Google’s environment, just corporate owned devices (COPE) are allowed, while crowding out bring your own device (BYOD). This works for a business like Google that can distribute brand-new devices to all personnel – smart phone, tablet, laptop computer, etc. Part of the reason for that is the vesting of identity in the device itself, plus user authentication as usual. The device needs to meet Google requirements, having either a TPM or a software application equivalent of a TPM, to hold the X. 509 cert utilized to verify device identity and to assist in device-specific traffic file encryption. There needs to be numerous agents on each endpoint to validate the device validation predicates called out in the access policy, which is where Ziften would need to partner with the systems management agent service provider, because it is most likely that agent cooperation is vital to the procedure.


In summary, Google has established a first-rate service, but its applicability and practicality is limited to companies like Alphabet.

Ziften offers the same level of functional visibility and security defense to the masses, using a light-weight agent, metadata/network flow tracking (from the endpoint), and a best-in-class console. For organizations with specialized needs or incumbent tools, Ziften provides both an open REST API and an extension framework (to augment ingestion of data and triggering response actions).

This yields the benefits of the BeyondCorp design to the masses, while safeguarding network bandwidth and endpoint (machine) computing resources. As companies will be sluggish to move entirely far from the business network, Ziften partners with firewall program and SIEM vendors.

Finally, the security landscape is steadily moving towards managed detection & response (MDR). Managed security companies (MSSP’s) offer conventional tracking and management of firewall software, gateways and perimeter intrusion detection, however this is inadequate. They lack the skills and the technology.

Ziften’s solution has been evaluated, integrated, authorized and implemented by a number of the emerging MDR’s, highlighting the standardization (ability) and flexibility of the Ziften platform to play an essential function in remediation and incident response.

Leave a Reply

Your email address will not be published. Required fields are marked *