Category Archives: Security Breaches

Data Loss Prevention Is A Must For Organizations As Cyber Attacks Are On the Increase – Chuck Leaver

By Ziften CEO Chuck Leaver


For United States businesses, a serious cyber attack followed by a substantial data leak is looking more like a question of “when” rather than “if”, driven by the new threats that come with fragmented endpoint strategies, cloud computing and data-intensive applications. Too often organizations overlook or inadequately address vulnerabilities that are already known to them, and ageing IT assets that are not properly secured are exactly what cyber criminals look for.

The number of data breaches is troubling. The Verizon RISK Team reported 855 significant breaches in 2011, with 174 million records lost. The stakes are highest for companies that handle personally identifiable information (PII): if staff are not trained on compliance and endpoint data security procedures are inadequate, expensive legal action is likely to follow.

“The possibility of a data breach or privacy problem occurring in any company has actually ended up being a virtual certainty,” wrote Jeffrey Vagle, a legal expert writing for Mondaq. He suggested that record keepers must reassess their approach to network and device security, employee data access controls and the administration of PII. Growing use of cloud services makes breach prevention harder, since these services allow information to be exchanged in bulk at any time; a single incident could expose countless records.

Known Vulnerabilities Need Focus

Many IT departments worry constantly about a zero-day attack that will cause a breach and catch them off guard. Dirk Smith of Network World, for example, described an Adobe Acrobat exploit that gave attackers a foothold for advanced surveillance. But most IT vulnerabilities arise when software is not kept patched, and many so-called zero-day threats come from weaknesses in legacy code, such as a Windows bug that targeted functionality first introduced twenty years earlier.

Security professional Jim Kennedy wrote in a Continuity Central post: “something that I have actually discovered is that many of the breaches and intrusions which prospered did so by attacking recognized vulnerabilities that had actually been identified and had been around for many years: not from some advanced ‘zero-day’ attack which was unidentified and unknown up until only the other day by the security community at large. And, much more troubling, social engineering continues to be a most successful way to begin and/or precipitate an attack.”

Cyber criminals now have access to an extensive range of pre-packaged malware. These tools can perform complex analysis of networks and computers and then recommend the optimal attack strategy. The other danger is human: staff who are not trained to screen calls or messages from people falsely claiming to be from the technical support team of an external security provider.

It is certainly important to defend proactively against zero-day attacks with robust endpoint protection software, but companies also have to combine effective training and processes with their software and hardware. Most companies have a number of security policies in place; the usual problem is enforcing them. When they are not enforced, dangerous changes in data movement and network traffic that should be reviewed by security staff are overlooked and never dealt with.


Endpoints Are Now Being Used As The Channel For Malicious Cyber Attacks – Chuck Leaver

From The Desk Of Chuck Leaver CEO Ziften Technologies


With the arrival of bring your own device (BYOD) policies and cloud computing, securing individual endpoints has become harder, as administrators may prioritize ease of data access over security. The risks are real, because most of the current generation of endpoint security software has not been adapted to defend against aggressive hacking and cyber attack strategies that target individual endpoints as the launch pad for widely distributed attacks.

A well-known endpoint attack was the malware strain called Comfoo, used to compromise the networks of many multinational organizations starting in 2010. Comfoo included a variety of custom-built backdoor Trojans and exploits that could continuously distribute malware. Worse, it could cause serious data leakage by scraping account and network information and monitoring all user input, according to CRN contributor Robert Westervelt. Given its methodology and its evasion of conventional endpoint monitoring, Comfoo is believed to have been part of a sophisticated cyber espionage campaign.

The malware compromised targeted devices through e-mail phishing and social engineering, which underlines how ripe endpoints have become for malware infestation, according to security executive Jason O’Reilly. Speaking to ITWeb, O’Reilly said that standard endpoint software mostly does not account for access from outside the IT department, and does not use access controls to restrict data exposure to authorized individuals.

O’Reilly stated that “endpoint security services must provide layered security that goes beyond signature-based detection just to include heuristic-based detection and polymorphic-based detection. Today’s networks are exposed to risks from various sources.”

Real-Time Threat Capture And Reporting

The high stakes for endpoint security and control techniques were identified by business consulting firm Frost & Sullivan, which found both areas under pressure from external hackers on one side and employees’ demands for device choice on the other.

Frost & Sullivan analyst Chris Rodriguez said: “enterprise IT organizations now deal with incredible pressure to enable employees to access the corporate network and files from their own individual devices. Considering their relatively universal nature, fast data connections, and powerful hardware and operating systems, these devices represent prime targets for hackers.”

Asked what organizations can do to address the particular weaknesses of mobile hardware, O’Reilly said any solution needs to provide clear and extensive visibility into what is happening on each endpoint, so that action can be taken rapidly when a threat is detected.


Your Organization Is Not Immune To Cyber Attacks So Why Do So Many Think That They Are? Chuck Leaver

By Chuck Leaver Ziften Technologies CEO


A great many companies believe there is no need for them to pursue diligent data loss prevention; they regard cyber attacks as either very unlikely to occur or of minimal financial impact if they do. Yet recorded cyber attacks are increasing, and advanced persistent threats have actually fed this complacency: because they evade conventional endpoint security software, organizations never see them, and while they lack the blunt force of a denial-of-service attack they can do considerable damage.

Over 67% of organizations claim either that they have not been victims of a cyber attack in the last 18 months, or that they had little or no visibility into whether an attack had compromised their network, according to Infosecurity. The survey’s organizers were skeptical about these answers and pointed to the many vulnerable desktop and mobile endpoints now common in companies.

Security professional and survey organizer Tom Cross said: “Any system you connect to the Internet is going to be targeted by attackers extremely quickly afterwards. I would assert that if you’re uncertain whether or not your organization has actually had a security incident, the possibilities are really high that the response is yes.”

Around 16% said they had experienced a DDoS attack over the same period, and 18% reported malware infiltrations. Even so, most of the companies rated the effects as minor and not justifying new endpoint security and control systems. Roughly 38% said they had detected no security breaches, and only 20% admitted to financial losses.

Loss of reputation was more common, affecting around 25% of respondents. Illustrating the financial and reputational impact of an attack, an incident at the University of Delaware exposed the sensitive data of 74,000 people, according to WDEL contributor Amy Cherry. The attackers targeted the school’s website and scraped university identification numbers and Social Security numbers, which led the university to provide free credit monitoring to those affected.


Chuck Leaver – Cyber Security Must Move Away From The Dark Ages Says RSA President In Keynote Presentation

Written By Dr Al Hartmann And Presented By Chuck Leaver CEO Ziften Technologies


A 5 Point Plan For A New Security Approach Proposed By Amit Yoran

Amit Yoran, President of RSA, gave an excellent keynote speech at the RSA Conference that reinforced the Ziften philosophy: continuous endpoint monitoring, silo-busting Ziften Open Visibility™, risk-focused security analytics, and robust defenses for a new era of advanced cyber attacks. Yoran criticized current enterprise security practice as bogged down in the Dark Ages of cyber moats and castle walls, which he called an “impressive fail”, and laid out his vision for the way forward in five points. Commentary from Ziften’s viewpoint has been added to each.

Stop Believing That Even Advanced Protections Suffice

“No matter how high or wise the walls, focused adversaries will find methods over, under, around, and through.”

Many of the more sophisticated recent attacks did not use malware as their primary technique. Yoran singled out traditional endpoint antivirus, firewalls and conventional IPS as examples of the Dark Ages: skilled attackers scale these defenses easily, and they are largely inadequate. A signature-based antivirus can only protect against previously seen threats, yet unseen threats are the most dangerous to a company, because they are what targeted attacks use. Targeted attackers use malware only about half the time, and often only briefly, at the start of the intrusion. Attack artifacts are easily altered and are not reused across targeted attacks, so accumulating billions of transient indicators of compromise and malware signatures in huge antivirus signature databases is a futile defensive strategy.

Embrace a Deep and Pervasive Level of True Visibility Everywhere – from the Endpoint to the Cloud

“We need pervasive and true visibility into our business environments. You just can’t do security today without the visibility of both continuous full packet capture and endpoint compromise assessment visibility.”

This means continuous endpoint monitoring across the enterprise endpoint population for generic indicators of compromise (not stale attack artifacts) that reflect timeless techniques, not short-lived hex-string coincidences. Any company that can afford continuous full packet capture (comparatively expensive) can easily afford endpoint compromise assessment visibility (relatively cheap). Logging and auditing endpoint process activity yields a wealth of security insight using only elementary analytics. A targeted attacker relies on the relative opacity of endpoint user and system activity to mask an attack; real visibility shines a bright light on it.

Identity and Authentication Matter More than Ever

“In a world without any perimeter and with fewer security anchor points, identity and authentication matter even more … Eventually in [any successful attack] campaign, the abuse of identity is a stepping stone the attackers use to enforce their will.”

Stronger authentication is good, but it only builds higher walls, and they are still not impenetrable. What the attacker does once over the wall is what matters most. Monitor user logins on endpoints (both local and remote) and the applications users invoke for indicators of anomalous activity (an insider attack or potentially compromised credentials). Any observed activity that departs from normal patterns is potentially suspicious. One departure from normality does not make a case, but security analytics that triangulate several such departures concentrate security attention on the highest-risk anomalies for triage.

External Threat Intelligence Is A Core Capability

“There are incredible sources for the right threat intelligence … [which] should be machine-readable and automated for increased speed and leverage. It ought to be operationalized into your security program and tailored to your organization’s assets and interests so that analysts can quickly address the threats that pose the most risk.”

Targeted attacks rarely reuse readily signatured artifacts, network addresses or C2 domains, but there is still value in threat intelligence feeds that aggregate timely discoveries from countless endpoint and network sensors. At Ziften we integrate third-party threat feeds through the Ziften Knowledge Cloud, and expose Ziften’s own discoveries to SIEM and other enterprise security and operations infrastructure through our Open Visibility™ architecture. As machine-readable threat intelligence (MRTI) feeds mature, this capability will only grow.

Understand What Matters Most To Your Organization And What Is Mission Critical

“You need to understand what matters to your organization and what is mission critical. You have to … safeguard exactly what is very important and safeguard it with everything you have.”

This is the case for risk-driven analytics and instrumentation that focus security attention and action on the areas of highest enterprise risk exposure. Yoran argues that asset value prioritization is only one side of business risk analysis, which goes much deeper, both pragmatically and academically. Security analytics that focus staff attention on the most prominent dynamic risks (for instance by filtering, correlating and scoring SIEM alert streams for triage) must be grounded in all sides of business risk analysis.

At Ziften we applaud Amit Yoran’s messages in his RSA 2015 keynote as the cyber security industry evolves beyond the current Dark Ages of easy targeted attacks and entrenched exploitation.

Chuck Leaver – Russian Hackers Stole Billions Of Credentials So Protect Your Organization With Continuous Endpoint Monitoring

Chuck Leaver Ziften CEO


What may be the largest known cyber attack in the history of data breaches has been uncovered by an American cyber security company. The company believes that a team of Russian cyber criminals it has been investigating for several months is responsible for stealing billions of passwords and other sensitive personal data. The group is alleged to have stolen 4.5 billion credentials; many were duplicates, leaving 1.2 billion unique data profiles. The data was taken from 420,000 sites of all sizes, from large brand-name sites to small mom-and-pop stores.

The New York Times reported that the gang consisted of about a dozen individuals. Starting with small-scale spamming in 2011, they acquired most of the data by buying stolen databases.

In an interview with PCMag, Alex Holden, founder of the company that discovered the breach, said: “the gang began by simply buying the databases that were offered online.” The group bought at fire sales and were described as “bottom feeders”. As time went on they began buying higher-quality databases. “It’s kind of like graduating from stealing bicycles to stealing pricey cars.”

A Progression From Spamming To Using Botnets


The group then changed its behavior, employing botnets to gather stolen data on a much larger scale. The botnets automated the identification of vulnerable websites, allowing the operation to run 24/7. Whenever an infected user visited a website, the bot automatically tested whether the site was vulnerable to SQL injection. SQL injection, a widely used attack technique, tricks a site’s database into revealing its contents in response to a crafted query. The botnet flagged the vulnerable sites, and the attackers returned later to extract data from them. The bot proved to be the group’s downfall, as it was what the security company detected.
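To make the injection step concrete, here is an added example (my own illustration, not code from the post or from any site the gang hit) of the weakness the bots were probing for, beside its hardened form. The table, user records and passwords are constructed. The vulnerable lookup concatenates user input into the SQL text, so the payload `' OR '1'='1` turns a lookup of one user into a dump of the whole table; the parameterised version binds the same input as data and returns nothing. The `looks_injectable` probe mimics what an automated scanner does to flag a site: compare the row count for a harmless miss against the same miss with a tautology appended.

```python
import sqlite3

# Constructed sample data (not taken from any real site): a small users table of
# the kind a scanned web application might expose through a lookup endpoint.
SAMPLE_USERS = [
    ("alice", "alice@example.com", "hunter2"),
    ("bob", "bob@example.com", "letmein"),
    ("carol", "carol@example.com", "correct horse"),
]

# The classic tautology payload: the leading quote closes the attacker-controlled
# string literal, and OR '1'='1 makes the WHERE clause true for every row.
DUMP_PAYLOAD = "' OR '1'='1"


def build_db():
    """In-memory SQLite database standing in for a site's backend."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, email TEXT, password TEXT)")
    # Real systems must store password hashes, never plaintext; plaintext is used
    # here only so that the dump is visibly damaging.
    conn.executemany("INSERT INTO users VALUES (?, ?, ?)", SAMPLE_USERS)
    return conn


def vulnerable_lookup(conn, username):
    """Builds the query by string concatenation, so the input is parsed as SQL."""
    query = ("SELECT username, email, password FROM users "
             "WHERE username = '" + username + "'")
    return conn.execute(query).fetchall()


def safe_lookup(conn, username):
    """Parameterised query: the input is bound as data and cannot alter the SQL grammar."""
    query = "SELECT username, email, password FROM users WHERE username = ?"
    return conn.execute(query, (username,)).fetchall()


def looks_injectable(conn, lookup):
    """Boolean-style probe of the kind an automated scanner runs: if a tautology
    payload returns more rows than an ordinary miss, the lookup is injectable."""
    baseline = len(lookup(conn, "nosuchuser"))
    probed = len(lookup(conn, "nosuchuser" + DUMP_PAYLOAD))
    return probed > baseline


if __name__ == "__main__":
    db = build_db()
    print("normal   :", vulnerable_lookup(db, "alice"))
    print("injected :", vulnerable_lookup(db, DUMP_PAYLOAD))   # every row
    print("hardened :", safe_lookup(db, DUMP_PAYLOAD))         # []
    print("vulnerable endpoint injectable?", looks_injectable(db, vulnerable_lookup))
    print("hardened endpoint injectable?  ", looks_injectable(db, safe_lookup))
```

The parameterised form is the fix; input filtering alone is not, because the database driver, not the application, is what keeps data and grammar apart.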

The security company believes that the billions of records were not all stolen at once, and that most of them were probably bought from other criminals. According to the Times, very few of the records have been offered for sale online; instead the group has used the information to send spam on social networks on behalf of other groups, for a fee. Various security experts say the scale of this breach is part of a trend of criminals stockpiling large collections of personal profiles over time and saving them for later use, according to the Wall Street Journal.

Avivah Litan, security analyst at the research firm Gartner, said: “businesses that count on user names and passwords have to develop a sense of urgency about altering this. Until they do, criminals will simply keep stockpiling people’s credentials.”

Attacks and breaches on this scale highlight the need for companies to protect themselves with up-to-date defenses. Endpoint threat detection and response systems help organizations build a clearer picture of the threats facing their networks and receive actionable information on how best to prevent attacks. Now that large data breaches are becoming more frequent, continuous endpoint visibility is essential. If the company’s endpoints are continuously monitored, threats can be identified in real time, limiting the damage a breach does to the company’s reputation and bottom line.


Learn Why The Ziften And Splunk Active Response Framework Will Provide You With Major Benefits – Chuck Leaver

Written By Chuck Leaver CEO Ziften



We sponsored a great Splunk.conf2014 in Las Vegas and came back energized and ready to push our solution further forward here at Ziften. One talk of particular interest was by Jose Hernandez, Security Solutions Architect at Splunk, titled “Using Splunk to Automatically Alleviate Risks”. If you wish to see his slides and a recording of the presentation, please go to

Using Splunk to help with mitigation, or as I prefer to call it “Active Response”, is a very good idea. Having all of your intelligence data, whether endpoint data, external threat feeds or anything else, streaming into Splunk is powerful; being able to act on that data really closes the loop. At Ziften we have our continuous endpoint monitoring solution, and we are very proud of how it pairs with Splunk. Coupling real-time data analysis with the ability to respond and take action against events is a strong move in the right direction.

Ziften has built a mitigation action using the available Active Response code; a demo video is included in this post below. As a proof of concept we created a mitigation action within our Ziften App for Splunk. Once the action is created, its results can be observed and tracked in Splunk ES (Enterprise Security). This is a major addition: users can now monitor and track mitigations within Splunk ES, which gives you the significant advantage of closing the loop and building a history of your actions.

That Splunk is driving such an effort excites us; this is likely to evolve, and we are committed to supporting it and developing it further. It is a very exciting time in the Endpoint Detection and Response space, and the addition of the Active Response Framework built into Splunk will, in my view, attract a great deal of interest.

For any questions regarding the Ziften App for Splunk, please send an email to





Reliable Endpoint Monitoring Is Not Possible With Narrow Indicators Of Compromise – Chuck Leaver

Presented By Chuck Leaver And Written By Dr Al Hartmann Of Ziften Inc.


The Breadth Of The Indicator – Broad Versus Narrow

A thorough report of a cyber attack will normally list indicators of compromise (IoCs). Often these are narrow in scope, referencing a specific attack group as observed in a specific attack on one organization over a limited period. Typically these narrow indicators are particular artifacts of the observed attack that on their own would constitute conclusive evidence of compromise. For that particular attack they have high specificity, but often at the cost of low sensitivity to similar attacks that use different artifacts.

Because narrow indicators have such limited scope, they exist by the billions in ever-growing databases of malware signatures, suspicious network addresses, malicious registry keys, file and packet content snippets, file paths, intrusion detection rules and so on. Ziften’s continuous endpoint monitoring service aggregates a number of these third-party databases and threat feeds into the Ziften Knowledge Cloud, to benefit from known-artifact detection. These detection elements can be applied in real time as well as retrospectively. Retrospective application is essential given the short life of these artifacts, since attackers continually obscure the details of their attacks to frustrate this narrow IoC detection approach. That is why a continuous monitoring service must archive its monitoring results for a long period (relative to industry-reported typical attacker dwell times), to provide a sufficient lookback horizon.
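To make the lookback argument concrete, here is an added example (my own illustration, not Ziften code) of replaying a newly received set of narrow indicators against an archive of endpoint process history. The archive records, feed entries, hashes, addresses, hostnames and dates are all constructed. The point it demonstrates is twofold: an indicator published today can surface activity from months ago on a host that looked clean at the time, and a retention window shorter than the reported dwell time cannot reach the early stages of an intrusion at all.

```python
from datetime import date

# Constructed endpoint archive (not real telemetry): one record per observed
# process launch, as a continuous monitoring service might retain it. The
# hashes and addresses are placeholders chosen to be obviously synthetic.
ARCHIVE = [
    {"host": "ws-017",  "day": date(2015, 1, 12), "sha256": "a1b2" * 16, "remote_ip": None},
    {"host": "ws-017",  "day": date(2015, 1, 13), "sha256": "c3d4" * 16, "remote_ip": "203.0.113.7"},
    {"host": "ws-042",  "day": date(2015, 4, 2),  "sha256": "e5f6" * 16, "remote_ip": None},
    {"host": "srv-db1", "day": date(2015, 5, 20), "sha256": "a1b2" * 16, "remote_ip": "198.51.100.9"},
    {"host": "ws-099",  "day": date(2015, 6, 1),  "sha256": "0000" * 16, "remote_ip": "203.0.113.7"},
]

# Constructed threat-feed entries that arrive on FEED_DATE, months after some of
# the activity above. The indicator types mirror the feed categories in the text.
FEED_DATE = date(2015, 6, 10)
FEED = [
    {"type": "sha256", "value": "a1b2" * 16},
    {"type": "ip",     "value": "203.0.113.7"},
    {"type": "sha256", "value": "ffff" * 16},   # never seen in the archive: no match
]


def retrospective_matches(archive, feed, today):
    """Replay a newly received indicator set against archived endpoint history.

    Returns one entry per (host, indicator) with the earliest sighting and its age
    in days, which is a lower bound on how long the attacker has been present."""
    wanted = {(ind["type"], ind["value"]) for ind in feed}
    first_seen = {}
    for rec in archive:
        for indicator in (("sha256", rec["sha256"]), ("ip", rec["remote_ip"])):
            if indicator in wanted:
                key = (rec["host"], indicator)
                if key not in first_seen or rec["day"] < first_seen[key]:
                    first_seen[key] = rec["day"]
    hits = [
        {"host": host, "type": itype, "value": value,
         "first_seen": day, "age_days": (today - day).days}
        for (host, (itype, value)), day in first_seen.items()
    ]
    # Oldest sightings first: they represent the longest undetected presence.
    hits.sort(key=lambda h: (-h["age_days"], h["host"]))
    return hits


def lookback_sufficient(archive, today, reported_dwell_days):
    """A retention window shorter than typical reported dwell time cannot reach
    the start of an intrusion. Returns (is_sufficient, horizon_in_days)."""
    oldest = min(rec["day"] for rec in archive)
    horizon = (today - oldest).days
    return horizon >= reported_dwell_days, horizon


if __name__ == "__main__":
    for hit in retrospective_matches(ARCHIVE, FEED, FEED_DATE):
        print(f"{hit['host']:8} {hit['type']:6} first seen {hit['first_seen']} "
              f"({hit['age_days']} days ago)")
    ok, horizon = lookback_sufficient(ARCHIVE, FEED_DATE, reported_dwell_days=200)
    print(f"archive horizon {horizon} days; covers a 200-day dwell time: {ok}")
```

Note that the hash match on `ws-017` predates the feed by about five months; a service that kept only 90 days of history would have found the later `srv-db1` sighting and missed the original foothold entirely.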

Narrow IoCs have substantial detection value, but they are largely ineffective at detecting new attacks by proficient attackers. New attack code can be pre-tested against common enterprise security products in a lab to confirm that it reuses no detectable artifacts. Security products that act purely as black/white classifiers, giving an explicit verdict of malicious or benign, suffer from this weakness: the approach is easily evaded. The defended organization is likely to be thoroughly compromised for months or years before detectable artifacts are identified (after extensive investigation) for that specific attack.

In contrast to the ease with which attack artifacts can be obscured by common attacker toolkits, the techniques and strategies, the modus operandi, used by attackers have persisted over many decades. Common techniques such as weaponized websites and documents, new service installation, vulnerability exploitation, module injection, modification of sensitive folders and registry areas, new scheduled tasks, memory and disk corruption, credential compromise, malicious scripting and many others are broadly typical. Proper use of system logging and monitoring can detect a great deal of this characteristic attack activity when combined with security analytics that concentrate attention on the highest-risk observations. This removes the attacker’s opportunity to pre-test the evasiveness of malicious code, since risk is not quantified in black and white but in nuanced shades of gray. In particular, all endpoint risk is variable and relative across a given network and user environment and over time, and that environment (and its temporal dynamics) cannot be replicated in a lab. The basic attacker concealment methodology is foiled.

In future posts we will examine Ziften endpoint risk analysis in more detail, along with the important relationship between endpoint security and endpoint management. “You can’t protect what you don’t manage, you can’t manage what you don’t measure, you can’t measure what you don’t track.” Organizations get breached because they have less oversight and control of their endpoint environment than the attackers have. Look out for future posts…

Chuck Leaver – Continuous Endpoint Monitoring And The Carbanak Case Study Part 3

Presented By Chuck Leaver And Written By Dr Al Hartmann


Part 3 in a 3 part series


Below are excerpts of indicators of compromise (IoCs) from the technical reports on the Anunak/Carbanak APT attacks, with discussion of how the Ziften continuous endpoint monitoring service would detect them. The Ziften service concentrates on generic indicators of compromise that have been consistent over decades of attacks and security experience; such IoCs can be identified on any operating system, including Linux, OS X and Windows. Specific indicators also exist that reflect particular C2 infrastructure or attack code instances, but these are short-lived and not generally reused in fresh attacks; there are billions of such artifacts in the security world, with thousands added every day. The generic IoCs are embedded in the Ziften security analytics for each supported operating system, while the specific IoCs come from the Ziften Knowledge Cloud’s subscriptions to a variety of industry threat feeds and watchlists that aggregate them. Both have value, and together they help triangulate attack activity.

1. Exposed vulnerabilities

Excerpt: All observed cases used spear phishing e-mails with Microsoft Word 97–2003 (.doc) files attached or CPL files. The doc files exploit both Microsoft Office (CVE-2012-0158 and CVE-2013-3906) and Microsoft Word (CVE-2014-1761).

Comment: Not really an IoC, but critical exposed vulnerabilities are a major attacker foothold and a large red flag that raises the risk score (and the SIEM priority) for the endpoint, particularly if other indicators are also present. These vulnerabilities are symptoms of lax patch management and vulnerability lifecycle management, which weaken the cyber defense posture.

2. Locations That Are Suspect

Excerpt: Command and Control (C2) servers located in China have actually been determined in this campaign.

Comment: Geolocation of endpoint network connections, with scoring by geography, contributes to the risk score that drives up SIEM priority. There are legitimate reasons for contact with Chinese servers, and some companies have sites in China, but this should be validated with spatial and temporal anomaly checks. IP address and domain information should be attached to the resulting SIEM alert so that SOC triage can be carried out quickly.

3. Binaries That Are New

Excerpt: Once the remote code execution vulnerability is effectively exploited, it sets up Carbanak on the victim’s system.

Comment: Any new binary is suspicious, but not all of them warrant an alert. Executable image metadata should be examined for a pattern, for example a new application or a new version of an existing application from a known vendor on a plausible file path for that vendor. Attackers will try to spoof whitelisted applications, so signing data can be compared along with size and file path to filter out the obvious cases.

4. Uncommon Or Delicate Filepaths

Excerpt: Carbanak copies itself into “%system32%\com” with the name “svchost.exe” with the file attributes: system, hidden and read-only.

Comment: Any write into the System32 path is suspicious, as it is a sensitive system directory, so it is immediately subjected to anomaly analysis. A classic anomaly is svchost.exe, a critical system process image, in the unusual location of the com subdirectory.

5. New Autostarts Or Services

Excerpt: To make sure that Carbanak has autorun privileges the malware develops a new service.

Comment: A new autostart or service is common with malware and is always examined by the analytics. Anything of low prevalence is suspicious. If the image hash is unknown to industry watchlists and to most antivirus engines, suspicion rises further.

6. Low Prevalence File In High Prevalence Folder

Excerpt: Carbanak creates a file with a random name and a .bin extension in %COMMON_APPDATA%\Mozilla where it stores commands to be executed.

Comment: This is a classic example of “one of these things is not like the other” that is simple for the security analytics to check in a continuous monitoring environment. This IoC is completely generic: it has nothing to do with which filename or directory is created. Although the technical report lists it as a specific IoC, it trivially generalizes beyond Carbanak to future attacks.

7. Suspect Signer

Excerpt: In order to render the malware less suspicious, the most recent Carbanak samples are digitally signed

Comment: Any suspect signer is treated as suspicious. In one case the signer supplied only an anonymous Gmail address, which does not inspire confidence, so the risk score for that image rises; in other cases no email address is provided at all. Signers can be quickly enumerated and a Pareto analysis performed to separate the more trusted from the less trusted signers. A less trusted signer in a more sensitive folder is particularly suspicious.

8. Remote Administration Tools

Excerpt: There appears to be a preference for the Ammyy Admin remote administration tool for remote control. It is believed that the hackers used this remote administration tool because it is frequently whitelisted in the victims’ environments as a result of being used regularly by administrators.

Comment: Remote admin tools (RATs) always raise suspicion, even when whitelisted by the company. Anomaly checks determine whether each new remote admin tool is consistent temporally and spatially. RATs are subject to abuse: attackers prefer to use a company’s own RATs to avoid detection, so they should not be given a pass just because they are whitelisted.

9. Patterns Of Remote Login

Excerpt: Logs for these tools suggest that they were accessed from two different IPs, most likely used by the hackers, and located in Ukraine and France.

Comment: Always suspect remote logins, because attackers are presumed to be remote. Remote logins are also used heavily in insider attacks, since the insider does not want to be identified on the system. Remote source addresses and time patterns are checked for anomalies, which should reveal low prevalence usage (relative to peer systems) as well as any suspect geography.

10. Atypical IT Tools

Excerpt: We have actually likewise discovered traces of various tools utilized by the hackers inside the victim’s network to gain control of additional systems, such as Metasploit, PsExec or Mimikatz.

Comment: Because they are sensitive applications, IT tools should always be checked for anomalies, since many attackers subvert them for malicious purposes. Metasploit might legitimately be used by a penetration tester or vulnerability researcher, but such instances would be uncommon. This is a prime example where an uncommon-observation report, vetted by security staff, leads to corrective action. It also highlights the problem that blanket whitelisting does not help in identifying suspicious activity.
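IoCs 8, 9 and 10 are all peer-relative anomaly checks over endpoint telemetry: a remote admin or IT tool running where few of its peers run it (whitelisted or not), and a remote login from an address, country or hour that the host’s peer group has not seen. The example below is added here to show those checks together; it is not Ziften code and the telemetry is constructed, not taken from the Carbanak report. Assumptions, all illustrative: hosts are grouped into peer groups by role, the tool image names (including aa_v3.exe for Ammyy Admin), the documentation-range source IPs, the whitelist, and 07:00 to 19:59 UTC as business hours.

```python
from collections import defaultdict

# Constructed endpoint telemetry (example data only, not from the Carbanak report).
# Assumptions: peer groups by host role, tool image names, documentation-range
# source IPs, and business hours of 07:00-19:59 UTC.
PROCESS_EVENTS = [  # (host, role, image)
    ("adm01", "admin", "psexec.exe"), ("adm01", "admin", "aa_v3.exe"),
    ("adm02", "admin", "psexec.exe"), ("adm02", "admin", "aa_v3.exe"),
]
LOGIN_EVENTS = []   # (host, role, user, source_ip, country, hour_utc)
for i in range(1, 11):
    host = f"ws{i:02d}"
    PROCESS_EVENTS += [(host, "teller", "teller.exe"), (host, "teller", "outlook.exe")]
    LOGIN_EVENTS.append((host, "teller", "svc_helpdesk", "203.0.113.10", "US", 9 + i % 8))
# The odd one out: a teller workstation running the admins' whitelisted RAT plus
# Mimikatz, reached by remote logins from two addresses never seen on its peers.
PROCESS_EVENTS += [("ws04", "teller", "aa_v3.exe"), ("ws04", "teller", "mimikatz.exe")]
LOGIN_EVENTS += [("ws04", "teller", "svc_helpdesk", "198.51.100.23", "UA", 2),
                 ("ws04", "teller", "svc_helpdesk", "192.0.2.77", "FR", 3)]

WHITELISTED = {"aa_v3.exe", "psexec.exe"}       # approved for daily admin use
SENSITIVE_TOOLS = {"aa_v3.exe", "psexec.exe", "mimikatz.exe", "msfconsole.exe"}
BUSINESS_HOURS = range(7, 20)


def tool_prevalence_by_role(events):
    """{role: {image: fraction of that role's hosts that ran the image}}"""
    hosts, runs = defaultdict(set), defaultdict(lambda: defaultdict(set))
    for host, role, image in events:
        hosts[role].add(host)
        runs[role][image].add(host)
    return {role: {img: len(h) / len(hosts[role]) for img, h in imgs.items()}
            for role, imgs in runs.items()}


def rare_sensitive_tools(events, max_prev=0.2):
    """IoCs 8 and 10: a remote admin or IT tool running on a host where few of
    its peers run it. Whitelisting lowers the score but never suppresses it."""
    prev = tool_prevalence_by_role(events)
    seen, findings = set(), []
    for host, role, image in events:
        p = prev[role][image]
        if image in SENSITIVE_TOOLS and p <= max_prev and (host, image) not in seen:
            seen.add((host, image))
            score = 3 if image in WHITELISTED else 5
            findings.append((host, role, image, round(p, 2), score))
    return sorted(findings, key=lambda r: (-r[4], r[0]))


def anomalous_remote_logins(logins, max_prev=0.2):
    """IoC 9: score each remote login against the host's peer group for a rare
    source address, unusual geography and off-hours timing."""
    hosts, ip_hosts, country_hosts = defaultdict(set), defaultdict(set), defaultdict(set)
    for host, role, _, ip, country, _ in logins:
        hosts[role].add(host)
        ip_hosts[(role, ip)].add(host)
        country_hosts[(role, country)].add(host)
    findings = []
    for host, role, user, ip, country, hour in logins:
        n = len(hosts[role])
        score, reasons = 0, []
        if len(ip_hosts[(role, ip)]) / n <= max_prev:
            score += 2
            reasons.append("rare source address")
        if len(country_hosts[(role, country)]) / n < 0.5:
            score += 3
            reasons.append(f"unusual geography {country}")
        if hour not in BUSINESS_HOURS:
            score += 1
            reasons.append("off hours")
        if score:
            findings.append((host, user, ip, country, hour, score, reasons))
    return sorted(findings, key=lambda r: -r[5])


if __name__ == "__main__":
    for f in rare_sensitive_tools(PROCESS_EVENTS):
        print("rare sensitive tool:", f)
    for f in anomalous_remote_logins(LOGIN_EVENTS):
        print("anomalous remote login:", f)
```

PsExec and Ammyy Admin on the two admin hosts are never reported, because within the admin peer group they are on every host; the same Ammyy Admin binary on one teller workstation is reported even though it is whitelisted, only at a lower score than the Mimikatz execution beside it. The helpdesk logins from the office address during business hours score zero, while the two off-hours logins from addresses and countries no peer has seen collect all three penalties.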


Part Two Of The Carbanak Case Study Reveals Why Continuous Monitoring Of Endpoints Is So Effective – Chuck Leaver

Presented By Chuck Leaver And Written By Dr Al Hartmann


Part 2 in a 3 part series


Continuous Endpoint Monitoring Is Really Effective


Capturing and blocking malicious code before it can compromise an endpoint is valuable. But this approach is largely ineffective against attacks that have been pre-tested to evade exactly this kind of defense. The real problem is that these covert attacks are run by skilled human attackers, while conventional endpoint defense is an automated process run by endpoint security products that rely largely on traditional antivirus technology. Human intelligence is more creative and adaptable than machine intelligence, and an automated defense will not outthink a skilled human adversary. It is a Turing test of sorts, with automated defenses trying to rise to the intellectual level of an experienced human attacker. At present, artificial intelligence and machine learning are not advanced enough to fully automate cyber defense, so the human attacker wins while the compromised organization counts its losses. We are not living in a science fiction world where machines out-think people, so do not assume that a security software suite will automatically take care of all your problems and prevent every attack and data loss.

The only genuine way to stop a determined human attacker is with an equally determined human defender. For your IT Security Operations Center (SOC) staff to do this, they need full visibility into network and endpoint operations. Conventional endpoint antivirus will not provide that visibility: it is designed to stay quiet unless it captures and quarantines a piece of malware. This conventional approach leaves the endpoints opaque to security staff, and attackers exploit that opacity to hide their activity. The opacity extends backwards and forwards in time: your security staff have no idea what was running across the endpoint population previously, what is running now, or what to expect in the future. If diligent security staff find clues that call for a forensic look back to uncover attacker tradecraft, your antivirus suite cannot help. It took no action at the time, so it recorded no events.

Continuous endpoint monitoring, by contrast, is always working: supplying real-time visibility into endpoint operations, providing forensic look-backs so that newly emerging evidence of an attack can be acted on and earlier indicators discovered, and establishing a baseline of normal operating patterns so that it knows what to expect and can flag deviations in the future. Beyond visibility, continuous endpoint monitoring provides informed visibility, applying behavioral analytics to detect operations that look abnormal. The analytics continually analyze and aggregate anomalies, report them to SOC staff through the organization’s security information and event management (SIEM) system, and flag the most concerning anomalies for security staff attention and action. Continuous endpoint monitoring amplifies and scales human intelligence rather than replacing it. It is a bit like the old Sesame Street game “One of these things is not like the other.”

A child can play this game. It is easy because most items (high prevalence) look like each other, while one or a few (low prevalence) are different and stand out. The dissimilar actions taken by attackers have been quite consistent in intrusions for decades. The indicators of compromise listed in the Carbanak technical reports are good examples of this and are walked through indicator by indicator in this series. When continuous endpoint monitoring analytics are in place and surface these patterns, it is straightforward to recognize something suspicious or unusual. Security staff can then perform rapid triage on the abnormal patterns and quickly reach a yes/no/maybe decision that separates uncommon but known-good activity from malicious activity, or from activity that needs further tracking and more detailed forensic examination to confirm.

An attacker cannot reliably pre-test an attack against this defense. Continuous endpoint monitoring has a non-deterministic risk analytics component (which alerts on suspect activity) and a non-deterministic human component (which triages the alerts). Depending on current activity, the endpoint population mix and the experience of the security staff, a developing attack may or may not be discovered. That is the nature of cyber conflict; there are no guarantees. But security staff equipped with continuous endpoint monitoring analytics and visibility will have an unfair advantage.

Chuck Leaver – Avoid A Doomsday Movie Cyber Attack By Reviewing Your Cyber Security

Chuck Leaver, Ziften CEO, writes


Recent evidence suggests that cyber security will be a major issue for banks and utilities over the next few years. A company operating in an industry where a cyber attack could have a destabilizing impact, which includes the oil and gas and banking sectors, really needs a strategy for protecting its servers from such attacks. The average person may not yet consider it a major risk, but attempts to compromise these companies’ environments could disrupt water supplies, power lines and more. The most effective way for security teams in these organizations to keep their servers from being breached is to deploy modern software alongside other security strategies to build robust defenses.

A recent review by the AP news agency found that cyber attacks on federal networks had increased from 30,000 to 50,000 since 2009, a 66% increase. A Pew Research Center survey of experts found that 60% believed the U.S. would suffer a major cyber attack by 2025, with fallout that would be widespread and devastating, where “widespread” meant significant loss of life and property losses costing billions of dollars. These events were considered likely because the cost of waging cyber warfare is so low: attackers can hit a network and then hide behind plausible deniability. Although this may read as a warning for the federal government only, any group intending to attack at the federal level would probably first practice on private servers, both to test its attacks and to raise much needed cash and other resources.

What Is The Relationship Between Public And Private Security?

There may be a variety of reasons for an attacker to target a company in the oil and gas or finance sectors, but some similarities exist. If the intent is to destabilize the daily lives of U.S. residents, either industry would suffice. This is why cyber security for these institutions is a matter of national concern. Organizations in these sectors need to follow the national understanding of cyber security so that they can protect themselves from the many attacks that could affect them. They must understand that cyber security protection such as endpoint threat detection and response software, malware and antivirus suites, firewalls and encryption is critical. The risk from advanced cyber attacks will only increase, and companies that are not fully prepared and get breached will face a public that is very angry about its data being stolen.

Network security at the basic level means making sure that security systems are constantly updated and that the most appropriate security systems are deployed. Deploying endpoint threat detection and response systems will alleviate many of these problems by putting a human in control of monitoring data as it flows through the network and giving that person user-assisted tools. Network usage becomes more visible with this software, and it is much easier to determine whether any services are being misused. Endpoint threat detection software must be deployed if a fully featured cyber security system offering the highest level of defense is desired.