Category Archives: Security Breaches

Take Advantage Of The Improvements To Our Channel Program – Chuck Leaver

Written By Greg McCreight And Presented By Chuck Leaver


If you are a reseller, integrator, distributor, or managed service provider, the new Ziften Activate Partner Program is here, it’s ready to go, and it will be good for your profitability (and for easing your customers’ anxiety about cybersecurity).

Ziften is 100 percent focused on the channel, and as we grow and mature in the market, we understand that your success is our success, and our success is your success. It is already happening: 96% of our sales in 2017 were through the channel! That’s why we developed the new Activate Partner Program, to give you the resources you need to grow your business with Ziften security solutions.

We kicked it all off with a highly effective, cross-platform Endpoint Detection and Response (EDR) solution, Ziften Zenith. Customers love it. Technology partners love it. Resellers really love it. The industry loves it. And analysts really love it.

I want to share this from the conclusion of our Broadband-Testing report, which discusses SysSecOps, or Systems Security Operations, an emerging category in which Ziften is a market leader:

Key to Ziften’s endpoint technique in this category is complete visibility – let’s face it, how can you protect if you cannot see or do not know what is there in the first place? With its Zenith platform, Ziften has a product that ticks all the SysSecOps boxes and more …

In general, Ziften has a very competitive offering in what is a very legitimate, emerging IT category in the form of SysSecOps and one that must be on the assessment short-list.

By the way: Microsoft just recently partnered with Ziften to develop an integration between Zenith and Microsoft Windows Defender ATP, to allow Microsoft customers to protect Linux and Mac systems with the same single pane of glass as they use to protect Windows systems.

Enough about Ziften. Let’s concentrate on you. You and the Activate Partner Program.

We have created a multi-tier partner program with improved discounts, additional resources, and strong market development support. We know a one-size-fits-all program doesn’t work, not in today’s market.

With Activate, we take a hands-on approach to onboarding new partners; make it easy for those for whom security is a relatively small part of their business; and reward top-tier partners who have committed themselves to Ziften.

Here’s exactly what you will receive with the Activate Partner Program, and we’ll work alongside you to ensure that Activate meets your needs:

Security for more of your client’s environment: endpoints, servers, and cloud

Visibility and security for your client’s complex, multi-cloud deployments

Easy security tool integrations to deliver truly tailored, differentiated solutions

Hands-on, tailored assistance and life-cycle expertise

Rich financial incentives that reward your long-term investment and ongoing success

Market development support to drive incremental demand and lead generation

World-class, hands-on assistance from our field sales, sales engineers, technical support, and specialists

The Activate program combines our proven security solutions, financial investments, and hands-on support to help you develop more opportunities and close more deals.

What You Need To Do Prior To Cloud Asset Migration – Chuck Leaver

Written By Logan Gilbert And Presented By Chuck Leaver


It bears repeating: the Web has forever changed the world for individuals and organizations alike. For the latter, every element of modern IT is undergoing digital transformation. IT departments everywhere are under pressure to make information highly accessible at lower cost, all while protecting important data from damage, loss, or theft.

Central to this approach is the migration of data centers to the cloud. In fact, 19% of company workloads are expected to be in the public cloud by the end of 2019, and fifty percent over the next decade.

What is Cloud Asset Migration?

Cloud migration is the process of moving data, applications, or other business components from an organization’s on-premises infrastructure to the cloud, or moving them from one cloud service to another.

The diagram below illustrates this migration of file server(s), data, and application(s) from an on-premises server infrastructure to a cloud environment.

Cloud service providers enable businesses to migrate some or all of their IT infrastructure to the cloud for scale, speed, service flexibility, ease of management, and reduced cost. The advantages are nothing short of compelling.

Cloud computing is transforming the corporate landscape. With these technological advances, people are leaning toward a virtual workplace, meaning you can work from anywhere, at any time, using cloud computing.

What To Consider With Cloud Asset Migration

However, as with any significant IT infrastructure change, a move to the cloud requires thoughtful planning and execution for the process to happen within budget and on time. Moving a server, database, application, or all of the above to the cloud is not without risk. System interruptions, performance degradation, data loss, and more are likely to happen as a result of misconfigurations, system failures, and security exploits.

Case in point: 43% of those who have gone through a cloud asset migration have experienced a failure or delayed execution. Why? Because each asset migration is a ‘snowflake’ with its own level of complexity.

Let’s look at three considerations for a successful cloud asset migration.

1. Have a Strategy

First, there has to be a strategic migration plan. That plan should help answer questions like the following:

Which IT assets should be migrated in the first place?
If you are moving some, or all, of your infrastructure to the cloud, how will you establish and maintain asset control?
How will you inventory what you have, before and after the move?
Do you even have to migrate everything?
What is the first thing to move?

2. Clean Up Exactly What’s in Place Now

To answer these strategic questions effectively, you’ll need definitive visibility into each asset under your roof today, along with the relevant attributes of each asset. Whether your assets today run on physical or virtual server infrastructure, you have to understand:

What assets exist now? Discover all the connected assets and understand whether they are currently managed or unmanaged.
Identify low-usage and/or unused systems. Should these systems be retired or repurposed prior to migration?
Identify low-usage and/or unused applications. Are these applications needed at all? Should they be removed prior to migration?
Identify and clean up duplication, whether of systems or of applications.
Now identify the business-critical systems and applications that will be migrated as part of your strategy. With this detailed asset data in hand, you can sharpen your migration plan by segmenting what should and should not be moved, or at least by prioritizing crisply based on business importance.

3. Plan for Cloud Visibility Post Migration

Now that you’re equipped with detailed, accurate current and historical asset data, how will you keep this level of visibility after your successful cloud asset migration?

While the cost advantages of moving to the cloud are often highly compelling, uncontrolled asset and virtual machine proliferation can quickly erode those cost benefits. So, before performing your cloud asset migration, make certain you have a cloud visibility solution in place that:

Discovers and monitors all connected assets across your single- or multi-cloud environment
Inventories, fingerprints, and classifies discovered assets
Alerts on new or unexpected asset discovery and/or behavior within the cloud environment
Integrates with existing ticketing, workflow, and/or CMDB systems
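As an added example (not Ziften’s code, and not a tool the post describes), here is a small Python script that applies steps 1 through 3 to a constructed inventory: it flags unmanaged and idle assets, finds applications running in more than one version, derives the set of hosts that should move, and then reconciles that plan against what discovery finds in the cloud after the move. The record fields, the 5% idle threshold, and the host names are assumptions.

```python
"""Pre-migration inventory clean-up and post-migration drift checks.

Added example, not Ziften's code: the asset records below are constructed
stand-ins for a CMDB or discovery export, and the field names
(host, managed, cpu_30d, apps) are assumptions for this illustration.
"""
from collections import defaultdict

IDLE_CPU_PERCENT = 5.0  # assumed cut-off for "low usage" over the 30-day window

# Constructed pre-migration inventory: one record per discovered on-premises asset.
# cpu_30d is the 30-day average CPU utilisation in percent; apps are "name@version".
PRE_MIGRATION = [
    {"host": "web-01",  "managed": True,  "cpu_30d": 41.0, "apps": ["storefront@4.2", "backup-agent@3.1"]},
    {"host": "web-02",  "managed": True,  "cpu_30d": 38.5, "apps": ["storefront@4.2", "backup-agent@3.1"]},
    {"host": "db-01",   "managed": True,  "cpu_30d": 55.2, "apps": ["postgres@9.6", "backup-agent@2.8"]},
    {"host": "old-fs",  "managed": False, "cpu_30d": 0.4,  "apps": ["samba@4.1"]},
    {"host": "dev-box", "managed": False, "cpu_30d": 2.1,  "apps": ["storefront@3.9"]},
]

# Constructed discovery result from the cloud environment after the move.
POST_MIGRATION = [
    {"host": "web-01", "managed": True, "cpu_30d": 40.0, "apps": ["storefront@4.2", "backup-agent@3.1"]},
    {"host": "web-02", "managed": True, "cpu_30d": 39.0, "apps": ["storefront@4.2", "backup-agent@3.1"]},
    {"host": "analytics-tmp", "managed": False, "cpu_30d": 3.0, "apps": ["jupyter@1.0"]},  # never planned
]


def unmanaged_hosts(inventory):
    """Assets that were discovered but are not under management."""
    return sorted(r["host"] for r in inventory if not r["managed"])


def idle_hosts(inventory, threshold=IDLE_CPU_PERCENT):
    """Low-usage systems: candidates for retirement or repurposing before the move."""
    return sorted(r["host"] for r in inventory if r["cpu_30d"] < threshold)


def duplicated_apps(inventory):
    """Applications present in more than one version across the estate (consolidation candidates)."""
    versions = defaultdict(set)
    for r in inventory:
        for entry in r["apps"]:
            name, _, version = entry.partition("@")
            versions[name].add(version)
    return {name: sorted(v) for name, v in versions.items() if len(v) > 1}


def migration_plan(inventory):
    """Hosts that should move: managed and not idle. Everything else is cleaned up first."""
    idle = set(idle_hosts(inventory))
    return {r["host"] for r in inventory if r["managed"] and r["host"] not in idle}


def migration_drift(plan, discovered):
    """Reconcile the plan with what discovery actually finds in the cloud."""
    found = {r["host"] for r in discovered}
    return {
        "unexpected": sorted(found - plan),  # alert: running in the cloud but never planned
        "missing": sorted(plan - found),     # planned asset that did not arrive or is invisible
    }


if __name__ == "__main__":
    plan = migration_plan(PRE_MIGRATION)
    print("unmanaged:", unmanaged_hosts(PRE_MIGRATION))
    print("idle:", idle_hosts(PRE_MIGRATION))
    print("duplicated apps:", duplicated_apps(PRE_MIGRATION))
    print("plan:", sorted(plan))
    print("drift:", migration_drift(plan, POST_MIGRATION))
```

The drift check is the piece that keeps paying off after the move: an asset that appears in the cloud without ever being in the plan is exactly the kind of VM sprawl the next section warns about, and a planned asset that discovery cannot see is a visibility gap to chase before it becomes a compliance finding.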

Ziften Cloud Visibility and Security

Ongoing cloud visibility into each device, user, and application means you can manage all parts of your infrastructure more effectively. You’ll avoid wasting resources on VM sprawl, and you’ll have an in-depth body of data to meet audit requirements for NIST 800-53, HIPAA, and other compliance regimes.

Follow the above when you migrate to the cloud, and you’ll avoid weak security, insufficient compliance, and operational problems. Ziften’s approach to cloud visibility and security gives you the intelligence you need for cloud asset migration without the headaches.

More Focus On Women In Cybersecurity Highlighted By Girl Scout Badges – Chuck Leaver

Written By Kim Foster And Presented By Chuck Leaver


It’s clear that cybersecurity is getting more global attention than ever before, and enterprises are genuinely worried about whether they are training enough security professionals to meet growing security risks. While this concern is felt across the commercial world, few people expected the Girl Scouts to answer the call.

Starting this fall, countless Girl Scouts across the country have the chance to earn cybersecurity badges. Girl Scouts of the USA teamed up with security company (and Ziften tech partner) Palo Alto Networks to develop a curriculum that teaches girls the essentials of computer security. According to Sylvia Acevedo, CEO of GSUSA, they created the program based on demand from the girls themselves to protect themselves, their computers, and their home networks.

The timing is good, since according to a study released in 2017 by (ISC)², 1.8 million cybersecurity positions will go unfilled by 2022. Factor in increased demand for security pros with stagnant growth in the share of women, just 11 percent for the past few years, and our cybersecurity staffing troubles are poised to intensify without significant effort by the industry toward better inclusion.

Naturally, we cannot count on the Girl Scouts to do all of the heavy lifting. Broader educational efforts are a given: according to the Computing Technology Industry Association, 69 percent of U.S. women who do not have a career in information technology cited not knowing what opportunities were available to them as the reason they did not pursue one. One of the great untapped opportunities of our industry is the recruitment of more diverse professionals. Targeted educational programs and increased awareness should be high priorities. Raytheon’s Women’s Cyber Security Scholarship is a good example.

To reap the rewards of having women help shape the future of technology, it is necessary to dispel the exclusionary perception of “the boys’ club” and remember the groundbreaking contributions made by women of the past. Many people know that the first computer programmer was a woman, Ada Lovelace. Then there is the work of other famous pioneers such as Grace Hopper, Hedy Lamarr, or Ida Rhodes, all of whom may stir some vague recollection among those in our industry. Female mathematicians wrote programs for one of the world’s first fully electronic general-purpose computers: Kay McNulty, Jean Jennings Bartik, Betty Snyder, Marlyn Meltzer, Fran Bilas, and Ruth Lichterman were just a few of the first programmers of the Electronic Numerical Integrator and Computer (better known as ENIAC), though their important work was not widely recognized for over half a century. In fact, when historians first found photos of the women in the mid-1980s, they mistook them for “Refrigerator Ladies”, models posing in front of the machines.

It is worth noting that many people believe the same “boys’ club” mentality that overlooked the accomplishments of women in history has resulted in limited leadership positions and lower salaries for women in cybersecurity today, along with outright exclusion of female luminaries from speaking opportunities at industry conferences. As trends go, excluding bright people with relevant knowledge from influencing the cybersecurity industry is an unsustainable one if we intend to keep up with the cybercriminals.

Whether or not we collectively do something to promote more inclusive workplaces, such as educating, hiring, and promoting women in greater numbers, it is heartening to see an organization synonymous with fundraising cookies successfully notify an entire industry that girls are genuinely interested in the field. As today’s Girl Scouts are given the tools to pursue a career in information security, we should expect that they will become the very women who ultimately reprogram our expectations of what a cybersecurity professional looks like.

Check Your Macs As They Could Be A Security Risk – Chuck Leaver

Written By Roark Pollock And Presented By Chuck Leaver


Do you have Mac computers? That’s fine. I have one too. Have you locked your Macs down? If not, your business has a potentially serious security weak point.

It’s a fallacy to think that Macintosh computers are inherently secure and do not need to be protected against malware or hacking. Many people believe Macs are arguably more secure than Windows desktops and laptops, due to the design of the Unix-based kernel. Certainly, we see fewer security patches released for macOS by Apple than security patches for Windows from Microsoft.

Fewer security flaws is not zero flaws. And more secure does not mean completely safe.

Examples of Mac Vulnerabilities

Take, for example, the macOS 10.13.3 update, issued on January 23, 2018, for current versions of the Mac’s operating system. Like most current computers running Intel processors, the Mac was vulnerable to the Meltdown flaw, which meant that malicious applications might be able to read kernel memory.

Apple needed to patch this flaw, along with many others.

For instance, another issue could allow maliciously crafted audio files to execute arbitrary code, compromising the system’s security integrity. Apple needed to patch it.

A kernel flaw meant that a malicious application might be able to execute arbitrary code with kernel privileges, giving attackers access to anything on the device. Apple needed to patch the kernel.

A flaw in the WebKit library meant that processing maliciously crafted web content might lead to arbitrary code execution. Apple needed to patch WebKit.

Another flaw meant that processing a malicious text message might cause an application denial of service, locking up the system. Whoops. Apple had to patch that flaw too.

Don’t Make The Same Mistakes as Consumers

Many consumers, believing all the talk about how great macOS is, choose to run without security software, relying on macOS and its built-in application firewall to block all manner of bad code. Problem: there’s no built-in antivirus or anti-malware, and the firewall can only do so much. And many businesses choose to overlook macOS when it comes to visibility for posture monitoring and hardening, and for threat detection and threat hunting.

Consumers often make these assumptions because they don’t know any better. IT and security professionals should never make the same mistakes; we should know better.

If a Mac user installs bad software, adds a malicious browser extension, opens a bad e-mail attachment, or clicks on a phishing link or a malicious advertisement, their machine is compromised, just like a Windows machine. Within the enterprise, we need to be prepared to handle these concerns, even on Macs.

So What Do You Do?

What do you have to do?

– Install antivirus and anti-malware on business Mac computers, or on any Mac that has access to your company’s content, servers, or networks.
– Monitor the state of Macs, just as you would with Windows computers.
– Be proactive in applying fixes and patches to Mac computers; again, just as with Windows.

You should also remove Mac computers from your corporate environment that are too old to run the current version of macOS. That covers a lot of them, because Apple is quite good at supporting older hardware. Here is Apple’s list of Mac models that can run macOS 10.13:

– MacBook (Late 2009 or newer)
– MacBook Pro (Mid 2010 or newer)
– MacBook Air (Late 2010 or newer)
– Mac mini (Mid 2010 or newer)
– iMac (Late 2009 or newer)
– Mac Pro (Mid 2010 or newer)

When the next version of macOS comes out, some of your older machines may fall off the list. They should drop off your inventory too.

Ziften’s Viewpoint

At Ziften, with our Zenith security platform, we strive to maintain visibility and security feature parity between Windows, macOS, and Linux-based systems.

In fact, we’ve partnered with Microsoft to integrate our Zenith security platform with Microsoft Windows Defender Advanced Threat Protection (ATP) for macOS and Linux monitoring and threat detection and response coverage. The integration enables customers to detect, view, investigate, and respond to sophisticated cyber attacks on macOS machines (as well as Windows and Linux-based endpoints) directly within the Microsoft WDATP Management Console.

From our viewpoint, it has always been important to give your security teams confidence that every desktop and laptop endpoint is protected, and hence that the enterprise is protected.

It can be hard to believe, but 91% of enterprises say they have some Macs. If those computers aren’t protected, and properly integrated into your endpoint security systems, the business is not protected. It’s that simple.

Security Industry Strategic Alliances Are The Way Forward – Chuck Leaver

Written By Chuck Leaver


Nobody can solve cybersecurity alone. No single product company, no single organization, nobody can tackle the whole problem. Addressing security requires cooperation between many players.

Often, those companies are at different levels of the solution stack: some install on endpoints, some within applications, others within network routers, others at the telco or in the cloud.

Sometimes, those companies each have a particular best-of-breed piece of the puzzle: one company specializes in email, others in crypto, others in disrupting the kill chain.

From the enterprise customer’s perspective, effective security requires assembling a set of tools and services into a working whole. From the vendors’ point of view, effective security requires strategic alliances. Sure, each vendor, whether making hardware, writing software, or offering services, has its own products and intellectual property. Nevertheless, we all work better when we work together, to enable integrations and make life easy for our resellers, our integrators, and the end customer.

Paradoxically, not only can vendors make more money through strategic alliances, but end customers will save money at the same time. Why? Several reasons.

Customers don’t waste their money (and time) on solutions with overlapping capabilities. Customers don’t have to waste money (and time) building custom integrations. And customers won’t waste money (and time) trying to debug systems that fight each other, such as by causing extra alerts or hard-to-find incompatibilities.

The Ultimate Trifecta – Products, Services, and Channels

All three work together to meet the needs of the enterprise customer, and also benefit the vendors, who can focus on doing what they do best, trusting strategic alliances to produce complete solutions from the jigsaw puzzle pieces.

Generally speaking, those solutions require more than basic APIs, which is where strategic alliances come in.

Think about the integration between products (like a network threat scanner or Ziften’s endpoint visibility solutions) and analytics solutions. End customers do not want to operate a whole load of different dashboards, and they don’t want to manually correlate anomaly findings from a lot of different security tools. Strategic alliances between solution vendors and analytics services, whether on-site or in the cloud, make sense for everyone. That includes the channel, who can offer and support complete solutions that are already dialed in, already debugged, already documented, and will work with the least hassle possible.

Or consider the integration of solutions and managed security service providers (MSSPs). They want to offer prospective customers pre-packaged services, preferably ones that can operate in their multi-tenant clouds. That means the products must be scalable, with compatible license terms. They should be well integrated with the MSSP’s existing dashboards and administrative control systems. And of course, they need to feed into predictive analytics and incident response programs. The best way to do that? Through strategic alliances, both horizontally with other product vendors, and with major MSSPs too.

How about major value-added resellers (VARs)? VARs need products that are easy to understand, easy to support, and easy to fold into existing security implementations. This makes new solutions more attractive, more cost-effective, easier to install, and easier to support, and it strengthens the VAR’s customer relationships.

What do they look for when adding to their product portfolio? New solutions that have strategic alliances with their existing product offerings. If you don’t dovetail with the VAR’s portfolio partners, well, you probably don’t dovetail.

Two Examples: Fortinet and Microsoft

Nobody can solve cybersecurity alone, and that includes giants like Fortinet and Microsoft.

Consider the Fortinet Fabric-Ready Partner Program, where technology alliance partners integrate with the Fortinet Security Fabric through Fabric APIs and are able to actively collect and share information to improve threat intelligence, enhance overall threat awareness, and broaden threat response from end to end. As Fortinet explains in its Fortinet Fabric-Ready Partner Program Overview, “partner addition in the program signals to clients and the industry as a whole that the partner has worked together with Fortinet and leveraged the Fortinet Fabric APIs to establish confirmed, end-to-end security options.”

Similarly, Microsoft is pursuing a comparable approach with the Windows Defender Advanced Threat Protection program. Microsoft recently selected just a few key partners for this security program, saying, “We have actually spoken with our clients that they desire defense and visibility into potential risks on all of their device platforms and we have actually relied on partners to assist address this need. Windows Defender ATP provides security teams a single pane of glass for their endpoint security and now by collaborating with these partners, our consumers can extend their ATP service to their whole set up base.”

We’re the first to admit: Ziften cannot solve security alone. Nobody can. The best way forward for the security industry is to progress together, through strategic alliances uniting product vendors, service providers, and the channel. That way, we all win: vendors, service providers, channel partners, and enterprise customers alike.

SysSecOps Are Effective If They Are Flexible – Chuck Leaver

Written by Chuck Leaver


Endpoints are everywhere. The device you are reading this on is an endpoint, whether it’s a desktop, notebook, tablet, or phone. The HVAC controller for your building is an endpoint, assuming it’s connected to a network, and so are the WiFi access points and the security cameras. So is the connected vehicle. So are the Web servers, storage servers, and Active Directory servers in the data center. So are your IaaS/PaaS services in the cloud, where you are in control of bare-metal servers, VMware virtual machines, or containers running on Windows and/or Linux.

All of them are endpoints, and every one of them must be managed.

They have to be managed from the IT side (by IT administrators, who ideally have appropriate IT-level visibility of each connected thing, like those security cameras). That management means making sure they’re connected to the right network zones or VLANs, that their software and configurations are up to date, that they’re not flooding the network with bad packets due to electrical faults, and so on.

Those endpoints also have to be managed from the security perspective by CISO teams. Every endpoint is a potential entry point into the enterprise network, which means the devices must be locked down: default passwords never used, all security patches applied, no unapproved software installed on the device’s embedded web server. (Krebs outlines how, in 2014, hackers got into Target’s network by way of its HVAC system.)

Systems and Security Operations

Systems Security Operations, or SysSecOps, brings those two worlds together. With the right SysSecOps mindset, and tools that support the right workflows, IT and security staff get the same data and can collaborate. Sure, they each have different jobs, and respond differently to problem notifications, but they are all managing the same endpoints, whether in the pocket, on the desk, in the utility closet, in the data center, or in the cloud.

Test Report on Ziften Zenith

We were delighted when the recently released Broadband-Testing report praised Zenith, Ziften’s flagship endpoint security and management platform, as ideal for exactly this type of situation. To quote from the report, “With its Zenith platform, Ziften has a product that ticks all the SysSecOps boxes and more. Because its definition of ‘endpoints’ extends into the Data Centre (DC) and the world of virtualisation, it is true blanket coverage.”

Broadband-Testing is an independent testing facility and service based in Andorra. They describe themselves as follows: “Broadband-Testing engages with suppliers, media, financial investment groups and VCs, analysts and consultancies alike. Evaluating covers all aspects of networking software and hardware, from ease of use and performance, through to significantly essential components such as device power consumption measurement.”

Back to flexibility. With endpoints everywhere (again, on the desk, in the utility closet, in the data center, or in the cloud), a SysSecOps-based endpoint security and management system must go everywhere and do everything, at scale. Broadband-Testing wrote:

“The configuration/deployment options and architecture of Ziften Zenith permit a really flexible deployment, on or off-premise, or hybrid. Agent deployment is simplicity itself with no user requirements and no endpoint intrusion. Agent footprint is likewise very little, unlike many endpoint security services. Scalability also looks to be outstanding – the biggest client implementation to date is in excess of 110,000 endpoints.”

We cannot help but be proud of our product Zenith, and of what Broadband-Testing concluded:

“The introduction of SysSecOps – combining systems and security operations – is an unusual milestone in IT; a hype-free, good sense technique to refocusing on how systems and security are handled inside a company.

Secret to Ziften’s endpoint technique in this category is overall visibility – after all, how can you secure exactly what you can’t see or don’t know is there in the first place? With its Zenith platform, Ziften has a product that ticks all the SysSecOps boxes and more.

Release is basic, especially in a cloud-based scenario as checked. Scalability likewise seems excellent – the greatest client implementation to date remains in excess of 110,000 endpoints.

Data analysis choices are comprehensive with a big amount of details available from the Ziften console – a single view of the entire endpoint infrastructure. Any item can be evaluated – e.g. Binaries, applications, systems – and, from a procedure, an action can be defined as an automatic function, such as quarantining a system in the event of a potentially harmful binary being discovered. Several reports are predefined covering all areas of analysis. Alerts can be set for any occurrence. Additionally, Ziften supplies the idea of extensions for custom-made data collection, beyond the reach of most suppliers.

And with its External API performance, endpoint data gathered by Ziften can be shared with most 3rd party applications, thereby including additional value to a client’s existing security and analytics infrastructure financial investment.

In general, Ziften has an extremely competitive offering in exactly what is an extremely worthwhile and emerging IT category in the form of SysSecOps that is really deserving of examination.”

We hope you’ll consider an evaluation of Zenith, and will agree that when it comes to SysSecOps and endpoint security and management, we do tick all the boxes, with the true blanket coverage that both your IT and CISO teams have been looking for.

How Ziften Will Help You With Spectre And Meltdown – Chuck Leaver

Written By Josh Harriman And Presented By Chuck Leaver


Ziften is aware of the latest exploits affecting virtually everyone who works on a computer or digital device. While that is a very broad statement, we at Ziften are hard at work helping our customers find vulnerable assets, fix those vulnerable systems, and monitor systems after the fix for possible performance issues.

This is an ongoing investigation by our team in Ziften Labs, where we keep up to date on the latest malicious attacks as they evolve. Today, most of the discussion is around PoC (proof of concept) code and what can theoretically happen. This will change quickly as attackers take advantage of these opportunities. The exploits I’m speaking of, of course, are Meltdown and Spectre.

Much has been written about how these exploits were found and what the industry is doing to find workarounds for these hardware issues. To read more, I feel it’s best to go right to the source here (

What Do You Need To Do, and How Can Ziften Help?

A key area where Ziften helps in the event of an attack by either method is monitoring for data exfiltration. Since these attacks are essentially stealing data they shouldn’t have access to, we believe the first and easiest way to protect yourself is to take sensitive data off these systems. This data might be passwords, login credentials, or even security keys for SSH or VPN access.

Ziften monitors and alerts when processes that normally do not make network connections start exhibiting this unusual behavior. From these alerts, users can quarantine systems from the network and/or kill the processes involved. Ziften Labs is keeping an eye on the evolution of the attacks related to these vulnerabilities that are likely to become available in the wild, so we can better protect our customers.
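The behavior described above, a process with no history of network activity suddenly sending data out, can be expressed as a baseline check. The Python below is an added example, not Ziften’s detection logic: it learns, per host, which processes made connections during a learning window (constructed telemetry lines), then alerts on any process outside that set in later events, raising the severity when the outbound volume is large. The line format, the 100 KB volume threshold, and the suggested response actions are assumptions.

```python
"""Alert when a process with no history of network activity starts making connections.

Added example, not Ziften's code: the telemetry lines are constructed to resemble
an endpoint agent's process-network events, and the field layout, thresholds and
suggested actions are assumptions for this illustration.
"""
import re
from collections import defaultdict

EVENT_RE = re.compile(
    r"^(?P<ts>\S+) host=(?P<host>\S+) proc=(?P<proc>\S+) pid=(?P<pid>\d+) "
    r"dst=(?P<dst>\S+) bytes_out=(?P<bytes_out>\d+)$"
)
EXFIL_BYTES = 100_000  # assumed: outbound volume at or above this raises severity

# Constructed baseline: connections seen during the learning window.
BASELINE_EVENTS = """\
2018-01-10T09:00:01Z host=ws-17 proc=chrome.exe pid=4120 dst=203.0.113.10:443 bytes_out=18000
2018-01-10T09:05:12Z host=ws-17 proc=outlook.exe pid=2210 dst=203.0.113.20:443 bytes_out=22000
2018-01-11T10:00:00Z host=ws-17 proc=chrome.exe pid=4130 dst=203.0.113.11:443 bytes_out=9000
2018-01-12T10:30:00Z host=ws-17 proc=outlook.exe pid=2230 dst=203.0.113.20:443 bytes_out=15000
""".splitlines()

# Constructed events for the period under evaluation; one line is deliberately malformed.
NEW_EVENTS = """\
2018-01-18T14:02:10Z host=ws-17 proc=chrome.exe pid=4200 dst=203.0.113.12:443 bytes_out=12000
2018-01-18T14:03:44Z host=ws-17 proc=notepad.exe pid=5102 dst=198.51.100.7:8443 bytes_out=524288
this line is not telemetry
2018-01-18T14:03:50Z host=ws-17 proc=calc.exe pid=5110 dst=198.51.100.7:8443 bytes_out=120
""".splitlines()


def parse_event(line):
    """Parse one telemetry line; return None for anything that does not match."""
    m = EVENT_RE.match(line)
    if not m:
        return None
    ev = m.groupdict()
    ev["pid"] = int(ev["pid"])
    ev["bytes_out"] = int(ev["bytes_out"])
    return ev


def build_baseline(lines):
    """Per host, the set of process names that made network connections during learning."""
    baseline = defaultdict(set)
    for ev in filter(None, map(parse_event, lines)):
        baseline[ev["host"]].add(ev["proc"])
    return dict(baseline)


def detect_anomalies(lines, baseline, exfil_bytes=EXFIL_BYTES):
    """Alerts for processes outside their host's baseline, with a suggested response."""
    alerts = []
    for ev in filter(None, map(parse_event, lines)):
        if ev["proc"] in baseline.get(ev["host"], set()):
            continue  # known networking process on this host: nothing to report
        high = ev["bytes_out"] >= exfil_bytes
        alerts.append({
            "host": ev["host"], "proc": ev["proc"], "pid": ev["pid"], "dst": ev["dst"],
            "bytes_out": ev["bytes_out"],
            "severity": "high" if high else "low",
            # large outbound volume from a never-networked process: isolate first, then investigate
            "action": "quarantine host and kill pid" if high else "kill pid and investigate",
        })
    return alerts


if __name__ == "__main__":
    base = build_baseline(BASELINE_EVENTS)
    for alert in detect_anomalies(NEW_EVENTS, base):
        print(alert)
```

The baseline is keyed per host on purpose: a process that legitimately talks to the network on a build server may never do so on a finance workstation. Malformed telemetry is dropped by the parser rather than allowed to crash the evaluation, so one bad line cannot suppress the alerts that follow it.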

Find – How am I Vulnerable?

Let’s take a look at areas we can check for vulnerable systems. Zenith, Ziften’s flagship item, can simply and rapidly find OS’s that have to be patched. Despite the fact that these exploits remain in the CPU chips themselves (Intel, AMD and ARM), the repairs that will be readily available will be updated to the OS, and in other cases, the browser you use also.

In Figure 1 shown below, you can see one example of how we report on the readily available patches by name, and exactly what systems have successfully set up each patch, and which have yet to set up. We can also track failed patch installs. The example below is not for Meltdown or Spectre, but the KB and / or patch number for the environment could be occupied on this report to show the susceptible systems.

The same applies to browser updates. Zenith tracks the software versions running in the environment. That data can be used to determine whether all browsers are up to date once the fixes become available.
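As an added illustration of the two reports just described (patch status by KB, and browser versions against a minimum fixed version), here is a small compliance check over a constructed endpoint inventory. This is my own example, not Zenith code; the KB identifier and the version thresholds are placeholders to be replaced with the real values for your environment, and the host records are made up.

```python
"""Patch and browser-version compliance over a constructed inventory.
Added example, not Ziften's code; KB id and thresholds are placeholders."""

REQUIRED_KB = "KB0000000"        # placeholder: substitute the real patch id for your environment
MIN_BROWSER = {                  # placeholder minimum fixed versions per browser
    "firefox": "57.0.4",
    "chrome": "64.0.3282.119",
}

# Constructed inventory records, one per endpoint, as a patch/version agent might report them.
INVENTORY = [
    {"host": "ws-01", "patches": {"KB0000000": "installed"},
     "browsers": {"chrome": "64.0.3282.119"}},
    {"host": "ws-02", "patches": {"KB0000000": "failed"},
     "browsers": {"firefox": "57.0.2"}},
    {"host": "ws-03", "patches": {},
     "browsers": {"chrome": "63.0.3239.132", "firefox": "57.0.4"}},
    {"host": "srv-01", "patches": {"KB0000000": "installed"},
     "browsers": {}},
]


def parse_version(v):
    """'64.0.3282.119' -> (64, 0, 3282, 119) so versions compare numerically.
    Comparing the raw strings would rank '9.0' above '64.0'."""
    return tuple(int(part) for part in v.split("."))


def patch_report(inventory, kb):
    """Group hosts by the state of one patch: installed, failed, or never attempted."""
    report = {"installed": [], "failed": [], "missing": []}
    for rec in inventory:
        state = rec["patches"].get(kb)
        if state == "installed":
            report["installed"].append(rec["host"])
        elif state == "failed":
            report["failed"].append(rec["host"])
        else:
            report["missing"].append(rec["host"])
    return report


def outdated_browsers(inventory, minimums):
    """(host, browser, version) for every browser below its minimum fixed version.
    Browsers with no known threshold are skipped rather than guessed at."""
    out = []
    for rec in inventory:
        for name, ver in rec["browsers"].items():
            floor = minimums.get(name)
            if floor and parse_version(ver) < parse_version(floor):
                out.append((rec["host"], name, ver))
    return out


if __name__ == "__main__":
    print(patch_report(INVENTORY, REQUIRED_KB))
    print(outdated_browsers(INVENTORY, MIN_BROWSER))
```

The "failed" bucket is kept separate from "missing" on purpose: a host where the installer ran and failed (the antivirus compatibility problems mentioned below are one cause) needs a different follow-up than one the patch never reached.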

Speaking of browsers, one area that has already gained momentum in the attack scenarios is the use of JavaScript. A working copy is shown here (

Products like the Edge browser no longer use JavaScript, and mitigations are available for other browsers. Firefox has a fix available here ( A Chrome fix is coming out this week.

Repair – What Can I Do Now?

Once you have identified vulnerable systems in your environment, you certainly want to patch and fix them quickly. One caveat to consider: there are reports of certain antivirus products causing stability problems when the patches are applied. Details about these issues are here ( and here (

Zenith can also help patch systems. We can monitor for systems that need patches, direct our product to apply those patches for you, and then report success/failure and the status of those still needing patching.

Because the Zenith backend is cloud based, we can even track your endpoint systems and apply the required patches when they are not connected to your corporate network.

Monitor – How is it all Running?

Finally, some systems may show performance degradation after the OS fixes are applied. These issues seem to be limited to high-load (IO and network) systems. The Zenith platform assists both the security and operations teams within your environment, which is what we like to call SysSecOps (

We can help uncover issues such as application hangs or crashes, and system crashes. We also monitor memory and CPU usage over time. This data can be used to monitor and alert on systems that begin to exhibit high utilization compared with the period before the patch was applied. An example of this tracking is shown in Figure 2 below (system names deliberately removed).
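Here is an added example of the before/after comparison described above, written by me for this post rather than taken from Zenith: for each host it splits the utilization samples at the minute the patch was applied, computes the pre-patch mean and standard deviation, and flags the host when the post-patch mean exceeds both a ratio of the old mean and a sigma-based threshold (so a noisy but unchanged host is not flagged by a small bump). The sample series, host names and patch times are constructed.

```python
"""Post-patch utilization regression check on constructed samples.
Added example, not Ziften's code."""
from collections import defaultdict
from statistics import mean, pstdev

# Constructed per-minute samples (percent). db-01 is a high-load host whose CPU
# jumps after the patch; ws-01 is an ordinary workstation that does not change.
SAMPLES = [
    {"host": "db-01", "minute": 0, "cpu": 20, "mem": 60},
    {"host": "db-01", "minute": 1, "cpu": 22, "mem": 61},
    {"host": "db-01", "minute": 2, "cpu": 19, "mem": 60},
    {"host": "db-01", "minute": 3, "cpu": 21, "mem": 62},
    {"host": "db-01", "minute": 4, "cpu": 23, "mem": 61},
    {"host": "db-01", "minute": 10, "cpu": 45, "mem": 62},
    {"host": "db-01", "minute": 11, "cpu": 48, "mem": 61},
    {"host": "db-01", "minute": 12, "cpu": 50, "mem": 63},
    {"host": "db-01", "minute": 13, "cpu": 47, "mem": 62},
    {"host": "ws-01", "minute": 0, "cpu": 10, "mem": 40},
    {"host": "ws-01", "minute": 1, "cpu": 12, "mem": 41},
    {"host": "ws-01", "minute": 2, "cpu": 11, "mem": 40},
    {"host": "ws-01", "minute": 10, "cpu": 11, "mem": 41},
    {"host": "ws-01", "minute": 11, "cpu": 13, "mem": 40},
    {"host": "ws-01", "minute": 12, "cpu": 10, "mem": 42},
]

# Constructed: the minute at which the OS fix was applied on each host.
PATCH_APPLIED = {"db-01": 5, "ws-01": 5}


def utilization_regressions(samples, patch_applied, metric="cpu",
                            ratio=1.5, sigmas=3.0, min_samples=2):
    """Hosts whose post-patch mean for `metric` exceeds both `ratio` times the
    pre-patch mean and the pre-patch mean plus `sigmas` standard deviations.
    Hosts with no patch time, or too few samples on either side, are skipped."""
    before, after = defaultdict(list), defaultdict(list)
    for s in samples:
        t = patch_applied.get(s["host"])
        if t is None:
            continue                      # not patched yet: nothing to compare against
        bucket = before if s["minute"] < t else after
        bucket[s["host"]].append(s[metric])

    findings = []
    for host in sorted(before):
        pre, post = before[host], after.get(host, [])
        if len(pre) < min_samples or len(post) < min_samples:
            continue
        pre_mean, post_mean = mean(pre), mean(post)
        threshold = max(pre_mean * ratio, pre_mean + sigmas * pstdev(pre))
        if post_mean > threshold:
            findings.append({
                "host": host, "metric": metric,
                "before": round(pre_mean, 2), "after": round(post_mean, 2),
                "threshold": round(threshold, 2),
            })
    return findings


if __name__ == "__main__":
    print(utilization_regressions(SAMPLES, PATCH_APPLIED, "cpu"))
    print(utilization_regressions(SAMPLES, PATCH_APPLIED, "mem"))
```

Requiring both conditions matters in practice: on a host that idles near zero, a ratio alone fires on trivial absolute increases, while on a host with a wide daily swing the sigma test alone stays quiet for a real 50% step.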

These ‘flaws’ are still new to the public, and much more will be discussed and discovered in the days, weeks and months to come. Here at Ziften, we continue to monitor the situation and how we can best inform and protect our customers and partners.

Systems And Security Operations Is Essential For Businesses – Chuck Leaver

Written By Alan Zeichick And Presented By Chuck Leaver


SysSecOps. That’s a new phrase, still unknown to many IT and security administrators, but it’s being discussed within the industry, by experts, and at technical conferences. SysSecOps, or Systems & Security Operations, refers to the practice of bringing security teams and IT operations teams together to ensure the health of enterprise technology, and having the tools to respond most effectively when issues happen.

SysSecOps focuses on tearing down the information walls, breaking up the silos, that separate security teams and IT administrators.

IT operations staff exist to ensure that end users can access applications, and that critical infrastructure is operating 24×7. They want to maximize access and availability, and need the data required to do that job: that a new employee needs to be provisioned, that a disk drive in a RAID array has failed, that a new partner needs to be provisioned with access to a secure document repository, or that an Oracle database is ready to be migrated to the cloud. It’s all about technology to drive the business.

Same Data, Different Use Cases

While the use of endpoint and network monitoring data and analytics is clearly tailored to the different requirements of IT and security, it turns out that the underlying raw data is in fact the same. The IT and security teams are simply looking at their own domain’s problems and situations, and taking action based on those use cases.

Yet often the IT and security teams need to collaborate. Take provisioning that new business partner: it should touch all the right systems, and be done securely. Or if there is an issue with a remote endpoint, such as a mobile phone or a device on the Industrial Internet of Things, IT and security may have to work together to determine exactly what’s going on. When IT and security share the same data sources, and have access to the same tools, this job becomes much easier. Hence SysSecOps.

Imagine that an IT administrator notices that a server hard disk is nearing full capacity, and this was not expected. Maybe the network has been breached, and the server is now being used to stream pirated films across the Internet. It happens, and finding and fixing that issue is a job for both IT and security. The data gathered by endpoint instrumentation, and displayed through a SysSecOps-ready monitoring platform, can help both sides work together more effectively than would happen with conventional, separate IT and security tools.

SysSecOps: it’s a new term and a new concept, and it’s resonating with both IT and security groups. You can learn more in a short nine-minute video, where I talk with a number of industry professionals about this topic: “What is SysSecOps?”

Prevent Phishing Attacks From Microsoft Word Features – Chuck Leaver

Written By Josh Harriman And Presented By Chuck Leaver


An interesting multifaceted attack was reported in a recent blog post by Cisco’s Talos Intelligence group. I wanted to talk about the infection vector of this attack, as it’s quite interesting and something Microsoft has vowed not to fix, since it is a feature and not a bug. Reports are coming in of attacks in the wild that use a feature in Microsoft Word called Dynamic Data Exchange (DDE). Details of how this is achieved are reported in this blog post from SecureData.

Unique Phishing Attack with Microsoft Word

Attackers constantly look for new ways to breach an organization. Phishing attacks are among the most common, as attackers are counting on someone either opening a document sent to them or visiting a ‘faked’ URL. From there, an exploit against a vulnerable piece of code normally gives them the access to start their attack.

In this case, however, the documents didn’t have a malicious object embedded in the Word doc, which is a favorite attack vector, but rather used a sneaky way of abusing this feature that allows the Word program to reach out and retrieve the real malicious files. This way the attackers could hope for a better rate of infection, since malicious Word files themselves may be scanned and deleted before reaching the recipient.

Searching for Suspicious Behaviors with Ziften Zenith

Here at Ziften, we wanted to be able to alert on this behavior for our customers. Finding conditions that show ‘weird’ behavior, such as Microsoft Word spawning a shell, is interesting and not expected. Take it further and look for PowerShell running from that spawned shell, and it gets ‘really’ interesting. Using our Search API, we can find these behaviors whenever they happened. We don’t need the system to be powered on at the time of the search: if it has run a program (i.e. Word) that exhibited these behaviors, we can find that system. Ziften is constantly collecting and sending relevant process information, which is why we can find the data without depending on the system’s state at the time of the search.

In our Zenith console, I searched for this condition by looking for the following:

Process → Filepath contains word.exe, Child Process Filepath contains cmd.exe, Child Process command line contains powershell

This returns the PIDs (Process IDs) of the processes we saw start up under these conditions. From there we can drill down to see the nitty-gritty details.
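To show what that search does under the hood, here is an added example of my own (not the Zenith Search API) that runs the same parent/child condition over a constructed batch of process-start records. It links records by (host, ppid) so the tree can be walked offline from stored events, exactly the property the text relies on, and generalizes the two-level Word → cmd.exe query to a chain of any length, so a third step for the powershell.exe child is also shown. Hosts, users, PIDs and command lines are all made up; the command lines are deliberately harmless.

```python
"""Parent/child process-chain search over stored process-start records.
Added example with constructed events, not Ziften's code."""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Proc:
    host: str
    pid: int
    ppid: int
    image: str      # full path of the executable
    cmdline: str
    user: str
    start: str


OFFICE = r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE"
CMD = r"C:\Windows\System32\cmd.exe"
PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"

# Constructed process-start records from two workstations.
EVENTS = [
    Proc("ws-01", 1000, 4,    r"C:\Windows\explorer.exe", "explorer.exe", "alice", "2017-10-12 09:00:01"),
    Proc("ws-01", 1200, 1000, OFFICE, '"WINWORD.EXE" /n invoice.docx', "alice", "2017-10-12 09:14:02"),
    Proc("ws-01", 1300, 1200, CMD, "cmd.exe /c powershell.exe -Command Get-Date", "alice", "2017-10-12 09:14:05"),
    Proc("ws-01", 1350, 1300, PS, "powershell.exe -Command Get-Date", "alice", "2017-10-12 09:14:05"),
    # same command line, but the parent is Explorer, not Word: must not match
    Proc("ws-01", 1400, 1000, CMD, "cmd.exe /c powershell.exe -Command Get-Date", "alice", "2017-10-12 09:20:00"),
    Proc("ws-02", 2000, 4,    r"C:\Windows\explorer.exe", "explorer.exe", "bob", "2017-10-12 08:30:00"),
    Proc("ws-02", 2100, 2000, OFFICE, '"WINWORD.EXE"', "bob", "2017-10-12 08:45:10"),
    # Word spawning cmd.exe without PowerShell: must not match the query
    Proc("ws-02", 2200, 2100, CMD, "cmd.exe /c dir", "bob", "2017-10-12 08:45:12"),
]

# The query from the post: each step is a set of case-insensitive "contains" tests,
# and each step must be a direct child of the previous one.
WORD_CMD_POWERSHELL = [
    {"image": "word.exe"},
    {"image": "cmd.exe", "cmdline": "powershell"},
]

# Generalization: three levels, following the actual powershell.exe child.
WORD_CMD_POWERSHELL_PROCESS = [
    {"image": "word.exe"},
    {"image": "cmd.exe"},
    {"image": "powershell.exe"},
]


def find_process_chains(events, spec):
    """All parent->child->... chains whose i-th process satisfies spec[i]."""
    children = defaultdict(list)
    for e in events:
        children[(e.host, e.ppid)].append(e)

    def matches(e, step):
        return all(needle.lower() in getattr(e, field).lower()
                   for field, needle in step.items())

    def extend(chain):
        if len(chain) == len(spec):
            return [chain]
        last = chain[-1]
        out = []
        for child in children[(last.host, last.pid)]:
            if matches(child, spec[len(chain)]):
                out.extend(extend(chain + [child]))
        return out

    chains = []
    for e in events:
        if matches(e, spec[0]):
            chains.extend(extend([e]))
    return chains


def summarize(chains):
    """(host, user, start time of the root process, [pids]) per matching chain,
    the same details the console shows next to the tree."""
    return [(c[0].host, c[0].user, c[0].start, [p.pid for p in c]) for c in chains]


if __name__ == "__main__":
    print(summarize(find_process_chains(EVENTS, WORD_CMD_POWERSHELL)))
    print(summarize(find_process_chains(EVENTS, WORD_CMD_POWERSHELL_PROCESS)))
```

Matching on the image path with "contains word.exe" also catches WINWORD.EXE, which is why the query in the post is written that way; the same substring test on the command line is what separates the Word-spawned shell that launches PowerShell from the benign "cmd.exe /c dir" child on the second host.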

In this first image, we can see information about the process tree (Word spawning CMD with PowerShell under that) on the left, and on the right you can see details like the system name and user, plus start time.

In the next screenshot below, we look at the CMD process and get details of what was passed to PowerShell.

Most likely, when the user responded to the Microsoft Word pop-up dialog box, that is when the CMD shell used PowerShell to go out and retrieve some code hosted on the Louisiana Gov site. In the PowerShell screenshot below we can see more details, such as the Network Connect information from when it was reaching out to the site to pull the fonts.txt file.

That IP address ( is in fact the Louisiana Gov site. Often we see interesting data within our Network Connect information that may not match what you expect.

After creating our Saved Search, we can alert on these conditions as they occur across the environment. We can also create extensions that change a GPO policy to disallow DDE, or even take further action and go find these files and remove them from the system if so desired. Being able to find interesting combinations of conditions within an environment is very powerful, and we are excited to have this feature in our product.

This Is What You Do For Protection Against The KRACK Vulnerability – Chuck Leaver

Written By Dr Al Hartmann And Presented By Chuck Leaver


Enough media attention has been generated over the Wi-Fi WPA2-defeating Key Reinstallation Attack (KRACK) that we don’t need to cover that again. The original discoverer’s site is a good place to review the issues and link to the detailed research findings. This may be the most attention paid to a fundamental communications security failure since the Heartbleed attack. In that earlier case, a patched version of the vulnerable OpenSSL code was released on the same day as the public disclosure. In this new KRACK attack, similar responsible disclosure guidelines were followed, and patches were either already released or quick to follow. Both wireless endpoints and wireless network devices must be properly patched. Oh, and good luck getting that Chinese knockoff wireless security camera bought off eBay patched quickly.

Here we will just make a few points:

Take inventory of your wireless devices and take action to ensure appropriate patching. (Ziften can perform passive network inventory, including wireless networks. For Ziften-monitored endpoints, the available network interfaces along with applied patches are reported.) For business IT staff it is patch, patch, patch every day anyway, so nothing new here. But any unmanaged wireless devices need to be identified and verified.

Windows and iOS endpoints are less vulnerable, while unpatched Linux and Android endpoints are extremely vulnerable. Many Linux endpoints will be servers without wireless networking, so there is less exposure there. But Android is another story, particularly given the balkanized state of Android updating across device makers. Most likely your business’s biggest exposure will be Android and IoT devices, so do your risk analysis.

Avoid wireless access over unencrypted protocols such as HTTP. Stick to HTTPS or other encrypted protocols, or use a secure VPN, but be aware that some sites that default to HTTPS allow a compromised device to force a downgrade to HTTP. (Note that Ziften network monitoring reports the IP addresses and ports used, so look at any wireless port 80 traffic on unpatched endpoints.)

Continue whatever wireless network hygiene practices you have been using to identify and silence rogue access points, unauthorized wireless devices, etc. Tuning access point placement and transmission zones to reduce signal spillage outside your physical boundaries is also a smart practice, since KRACK attackers must be physically present within range of the wireless network. Don’t give them advantageous placement opportunities inside or near your environment.
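To tie the inventory and traffic points above together, here is an added example (my own, not Ziften's product code) that joins three constructed data sets of the kind those points call for: a managed-endpoint inventory with each host's wireless interfaces and KRACK patch state, the MAC addresses a passive wireless inventory observed, and a network connection log with the interface and destination port. It reports unmanaged wireless devices, unpatched endpoints that have a wireless interface, and plaintext (port 80) connections those unpatched endpoints made over Wi-Fi. Host names, MACs, addresses and the patch flags are all made up.

```python
"""KRACK exposure triage over constructed inventory and connection data.
Added example, not Ziften's code."""

# Constructed managed-endpoint inventory (what an endpoint agent would report).
ENDPOINTS = {
    "ws-01":  {"mac": "02:00:00:00:00:01", "wireless_ifaces": ["wlan0"], "krack_patched": True},
    "lt-02":  {"mac": "02:00:00:00:00:02", "wireless_ifaces": ["wlan0"], "krack_patched": False},
    "srv-01": {"mac": "02:00:00:00:00:03", "wireless_ifaces": [],        "krack_patched": False},
}

# Constructed MACs seen by passive inventory on the wireless network; the last
# one belongs to no managed endpoint (an IoT camera, say).
SEEN_ON_WIFI = ["02:00:00:00:00:01", "02:00:00:00:00:02", "02:00:00:00:00:99"]

# Constructed connection records: host, outgoing interface, destination, port.
CONNECTIONS = [
    {"host": "ws-01",  "iface": "wlan0", "dst": "203.0.113.10", "port": 80},
    {"host": "lt-02",  "iface": "wlan0", "dst": "203.0.113.10", "port": 443},
    {"host": "lt-02",  "iface": "wlan0", "dst": "203.0.113.20", "port": 80},
    {"host": "lt-02",  "iface": "eth0",  "dst": "203.0.113.20", "port": 80},   # wired: out of scope
    {"host": "srv-01", "iface": "eth0",  "dst": "203.0.113.30", "port": 80},   # no wireless at all
]

PLAINTEXT_PORTS = {80}   # extend with other cleartext services you care about


def unmanaged_wireless_devices(seen_macs, endpoints):
    """MACs observed on the wireless network that belong to no managed endpoint."""
    managed = {e["mac"].lower() for e in endpoints.values()}
    return sorted(m for m in set(seen_macs) if m.lower() not in managed)


def unpatched_wireless_endpoints(endpoints):
    """Managed hosts that have a wireless interface and lack the KRACK fix."""
    return sorted(h for h, e in endpoints.items()
                  if e["wireless_ifaces"] and not e["krack_patched"])


def plaintext_over_unpatched_wireless(endpoints, connections, plaintext_ports=PLAINTEXT_PORTS):
    """Cleartext connections that left an unpatched host via a wireless interface:
    the traffic an attacker within radio range could read or tamper with."""
    at_risk = set(unpatched_wireless_endpoints(endpoints))
    findings = []
    for c in connections:
        if c["host"] not in at_risk:
            continue
        if c["iface"] in endpoints[c["host"]]["wireless_ifaces"] and c["port"] in plaintext_ports:
            findings.append((c["host"], c["iface"], c["dst"], c["port"]))
    return findings


if __name__ == "__main__":
    print("unmanaged on Wi-Fi:", unmanaged_wireless_devices(SEEN_ON_WIFI, ENDPOINTS))
    print("unpatched wireless hosts:", unpatched_wireless_endpoints(ENDPOINTS))
    print("plaintext over unpatched Wi-Fi:", plaintext_over_unpatched_wireless(ENDPOINTS, CONNECTIONS))
```

Note that the patched workstation's port 80 connection and the unpatched laptop's wired port 80 connection are both left out on purpose: the first is not exposed to KRACK, and the second never crossed the air. The unmanaged MAC is the item that needs a human to go and find the device.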

For a broader discussion of the KRACK vulnerability, take a look at our recent video on the subject: