Best Offense And Defense Strategy For Risk And Security – Chuck Leaver

Written By Roark Pollock And Presented By Chuck Leaver Ziften CEO


Risk management and security management have long been treated as separate functions, typically performed by separate functional groups within an organization. The recognition that continuous visibility and control is required across all assets has increased interest in finding commonalities between these disciplines, and the availability of a new generation of tools is enabling this effort. The discussion is especially timely given the ongoing difficulty many enterprises have in attracting and retaining qualified security personnel to manage and secure IT infrastructure. A marriage of the two activities can help make better use of these valuable personnel, reduce costs, and help automate response.

Historically, risk management has been viewed as an offensive mandate, and is generally the field of play for IT operations teams. Often referred to as “systems management”, IT operations groups actively carry out device state and posture monitoring, policy enforcement, and vulnerability management. The goal is to proactively mitigate potential risks. Risk-reducing activities performed by IT operations include:

Offensive Risk Mitigation – Systems Management

Asset discovery, inventory, and refresh

Software discovery, usage tracking, and license rationalization

Mergers and acquisition (M&A) risk assessments

Cloud workload migration, tracking, and enforcement

Vulnerability assessments and patch installs

Proactive help desk or systems analysis and problem response/repair

On the other side of the field, security management is viewed as a defensive game, and is generally the field of play for security operations teams. These security operations groups are normally responsible for threat detection, incident response, and remediation. The objective is to respond to a threat or a breach as quickly as possible in order to minimize the impact on the organization. Activities that fall squarely under security management and are performed by security operations include:

Defensive Security Management – Detection and Response

Threat detection and/or threat hunting

User behavior monitoring / insider threat detection and/or hunting

Malware analysis and sandboxing

Incident response and threat containment/removal

Lookback forensic investigations and root cause determination

Tracing lateral threat movement, and further threat removal

Data exfiltration determination

Successful businesses, naturally, need to play both offense AND defense equally well. This requirement is driving organizations to recognize that IT operations and security operations need to be as aligned as possible. It therefore helps if these two teams are playing from the same playbook, or at a minimum working from the same data or single source of truth. This means both teams should strive to use some of the same analytic and data collection tools and methods when it comes to managing and securing their endpoint systems. And if companies rely on the same personnel for both tasks, it certainly helps if those people can pivot between both tasks within the same tools, leveraging a single data set.

Each of these offensive and defensive tasks is critical to protecting an organization’s intellectual property, reputation, and brand. In fact, managing and prioritizing these tasks is what often keeps CIOs and CISOs up at night. Organizations should recognize opportunities to align and consolidate teams, technologies, and policies as much as possible to guarantee they are focused on the most urgent need along the current risk and security management spectrum.

When it comes to managing endpoint systems, it is clear that organizations are moving toward an “all the time” visibility and control model that allows continuous risk assessment, continuous threat monitoring, and continuous performance management.

Thus, companies should look for these three key capabilities when evaluating new endpoint security systems:

Solutions that offer “all the time” visibility and control for both IT operations groups and security operations groups.

Solutions that provide a single source of truth that can be used both offensively for risk management, and defensively for security detection and response.

Architectures that integrate easily into existing systems management and security tool ecosystems to deliver even greater value for both IT and security teams.

This Year’s Experiences At Defcon And Black Hat – Chuck Leaver

Written by Michael Vaughn And Presented By Ziften CEO Chuck Leaver


These are my experiences from Black Hat 2017. There is a minor addition to the approach for this year’s summary. It is partly due to the theme of the opening keynote given by Facebook’s Chief Security Officer, Alex Stamos. Stamos stressed the importance of refocusing the security community’s efforts on working better together and diversifying security solutions.

“Working better together” seems an oxymoron when you consider the mass competition among the hundreds of security companies fighting for customers throughout Black Hat. Based on Stamos’s messaging during the opening keynote this year, I felt it essential to include some of my experiences from Defcon also. Defcon has historically been an event for learning, and brings together independent hackers and security experts. Last week’s Black Hat theme concentrated on the social aspect of how companies should get along and genuinely help others and each other, which has always been the overarching message of Defcon.

People checked in from all over the world this time:

Jeff Moss, aka ‘Dark Tangent’, the founder of Black Hat and Defcon, likewise wants that to be the theme: a place where you aim to help people gain knowledge and learn from others. Moss wants participants to stay ‘excellent’ and ‘helpful’ throughout the conference. That is on par with what Alex Stamos from Facebook conveyed in his keynote about security businesses. Stamos asked that we all share in the responsibility of helping those who cannot help themselves. He also raised another valid point: are we doing enough in the security industry to truly help people rather than just doing it to make money? Can we achieve the goal of truly helping people? Such is the juxtaposition of the two events. The main difference between Black Hat and Defcon is the more corporate consistency of Black Hat (from the vendor hall to the talks) versus the true hacker community at Defcon, which showcases the innovative side of what is possible.

The organization I work for, Ziften, offers Systems and Security Operations software – offering IT and security teams visibility and control across all end points, on or off a corporate network. We also have a pretty sweet sock game!

Many attendees showed their Ziften support by wearing previous years’ Ziften sock designs. Looking good, feeling good!

The idea of joining forces to fight against the dark side is something most attendees from all over the world embrace, and we are no different. Here at Ziften, we aim to genuinely help our customers and the community with our solutions. Why provide or depend on a solution that is limited to only what’s inside the box? One that provides a single function or a handful of specific functions? Our software is a platform for integration and offers modular, purpose-built security and operational solutions. The whole Ziften team takes the creativity from Defcon, and we push ourselves to try and build new, customized functions and forensic tools where standard security companies would shy away or simply remain consumed by day-to-day tasks.

Delivering all-the-time visibility and control for any asset, anywhere is among Ziften’s main focuses. Our unified systems and security operations (SysSecOps) platform empowers IT and security operations teams to rapidly fix endpoint issues, lower overall risk posture, speed threat response, and boost operational efficiency. Ziften’s secure architecture provides continuous, streaming endpoint monitoring and historical data collection for enterprises, governments, and managed security providers. And in keeping with this year’s Black Hat theme of working together, Ziften’s partner integrations extend the value of incumbent tools and fill the gaps between siloed systems.

Journalists are not permitted to take photos of the Defcon crowd, but I am not a journalist and this was before entering a badge-required area :P The Defcon hordes and Goons (the Defcon staff in red t-shirts) were at a standstill for a solid 20 minutes waiting for initial access to the four massive Track meeting rooms on opening day.

The Voting Machine Hacking Village got a lot of attention at the event. It was interesting but nothing new for veteran attendees. I suppose it takes something noteworthy to garner attention around certain vulnerabilities. All vulnerabilities for the majority of the talks, and especially for this village, had already been disclosed to the proper authorities prior to the event. Let us know if you need assistance locking down one of these (looking at you, government folks).

A growing amount of personal data is becoming available to the public. For instance, the Google and Twitter APIs are easily and publicly available to query user data metrics. This data is making it simpler for hackers to social engineer targeted attacks on people, and particularly people of power and rank, like judges and executives. This presentation, titled Dark Data, demonstrated how a simple yet elegant de-anonymization algorithm and some data made it possible for these two white hats to identify individuals with extreme precision and discover very personal details about them. This should make you think twice about what is installed on your systems and on those of the people in your work environment. The majority of the raw metadata above was collected through a popular browser add-on; the fine tuning came from the algorithm and public APIs. Do you know what browser add-ons are running in your environment? If the answer is no, then Ziften can help.
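The question “do you know what browser add-ons are running in your environment?” is one a defender can answer with a simple inventory. The script below is an added example, not Ziften’s code or anything from the Dark Data talk: it walks the Chrome extension directory layout (`<profile>/Extensions/<extension id>/<version>/manifest.json`, which is how Chrome stores installed extensions), records each extension’s name, version and permissions, and flags the ones holding broad permissions such as `<all_urls>` or `webRequest`. The watchlist of “broad” permissions is my own triage assumption, not an official Chrome list, and the two extensions in `build_sample_profile` are constructed so the script runs offline.

```python
import json
import os
import tempfile
from pathlib import Path

# Permissions that give an extension wide reach over browsing data.
# This watchlist is an assumption for triage, not an official Chrome classification.
BROAD_PERMISSIONS = {
    "<all_urls>", "webRequest", "webRequestBlocking", "tabs", "history",
    "cookies", "clipboardRead", "nativeMessaging", "debugger",
}


def default_extension_roots():
    """Default Chrome extension directories for the current user, one entry per OS."""
    home = Path.home()
    return [
        home / "Library/Application Support/Google/Chrome/Default/Extensions",            # macOS
        home / ".config/google-chrome/Default/Extensions",                                # Linux
        Path(os.environ.get("LOCALAPPDATA", "")) / "Google/Chrome/User Data/Default/Extensions",  # Windows
    ]


def inventory_extensions(root):
    """Parse every <root>/<extension id>/<version>/manifest.json; return one record per installed version."""
    records = []
    root = Path(root)
    if not root.is_dir():
        return records
    for ext_dir in sorted(p for p in root.iterdir() if p.is_dir()):
        for version_dir in sorted(p for p in ext_dir.iterdir() if p.is_dir()):
            manifest = version_dir / "manifest.json"
            if not manifest.is_file():
                continue
            try:
                data = json.loads(manifest.read_text(encoding="utf-8"))
            except (OSError, json.JSONDecodeError):
                continue  # unreadable manifest: skip it rather than abort the whole inventory
            # Manifest V2 keeps host patterns in "permissions"; V3 moves them to "host_permissions".
            declared = list(data.get("permissions") or []) + list(data.get("host_permissions") or [])
            perms = {p for p in declared if isinstance(p, str)}
            records.append({
                "id": ext_dir.name,
                "name": data.get("name", "<unnamed>"),
                "version": data.get("version", version_dir.name),
                "manifest_version": data.get("manifest_version"),
                "permissions": sorted(perms),
                "broad": sorted(perms & BROAD_PERMISSIONS),
            })
    return records


def build_sample_profile(root):
    """Write a constructed extension tree (two made-up extensions) under root for a demonstration run."""
    samples = {
        "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa/1.2.0": {
            "name": "Demo Notes", "version": "1.2.0", "manifest_version": 3,
            "permissions": ["storage"],
        },
        "bbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbb/4.0.1": {
            "name": "Demo Page Tracker", "version": "4.0.1", "manifest_version": 2,
            "permissions": ["tabs", "webRequest", "<all_urls>", "storage"],
        },
    }
    for rel, manifest in samples.items():
        d = Path(root) / rel
        d.mkdir(parents=True, exist_ok=True)
        (d / "manifest.json").write_text(json.dumps(manifest), encoding="utf-8")


def demo():
    """Run the inventory over the constructed profile in a temporary directory and return the records."""
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_profile(tmp)
        return inventory_extensions(tmp)


if __name__ == "__main__":
    # First the constructed profile, then whatever real Chrome profile exists on this machine.
    for root in [None] + default_extension_roots():
        for r in (demo() if root is None else inventory_extensions(root)):
            flag = "REVIEW" if r["broad"] else "ok"
            print(f"{flag:6} {r['name']} {r['version']} broad={r['broad']}")
```

Run as-is it prints the two constructed extensions (one flagged) followed by the real extensions of the current user’s default Chrome profile, if any; pointing `inventory_extensions` at profile directories collected from a fleet gives the environment-wide view the paragraph asks about.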

This presentation was plainly about exploiting Point-of-Sale systems. Although rather funny, it was a little scary how quickly one of the most frequently used POS systems could be hacked. This specific POS hardware is most commonly used when paying in a taxi. The base operating system is Linux and, although it runs on an ARM architecture and is protected by hardened firmware, why would a company risk leaving the security of consumer credit card details entirely up to the hardware supplier? If you want additional security on your POS systems, then look no further than Ziften. We secure the most frequently used business operating systems. If you want to do the fun thing and install the game Doom on one, I can send you the slide deck.

This guy’s slides were off the charts excellent. What wasn’t excellent was how exploitable macOS is during the installation process of very common applications. Generally each time you install an application on a Mac, it requires you to grant elevated privileges. But what if something were to slightly modify code a moment before you enter your Administrator credentials? Well, the majority of the time, probably something bad. Worried about your Macs running malware smart enough to detect and change code in common vulnerable applications before you or your user base enter credentials? If so, we at Ziften Technologies can help.

We help you not by replacing all of your toolset, although we frequently find ourselves doing just that. Our aim is to leverage the advice and existing tools that work from different vendors, ensure they are installed and running, ensure the prescribed hardening is indeed intact, and ensure your operations and security teams work more efficiently together to achieve a tighter security posture throughout your environment.

Key Takeaways from Black Hat & Defcon 2017:

1) Stronger together

– Alex Stamos’s keynote
– Jeff Moss’s message
– Visitors from around the globe interacting
– Black Hat should maintain a friendly community spirit

2) Stronger together with Ziften

– Ziften plays well with other software vendors

3) Popular existing vulnerabilities Ziften can help prevent and resolve

– Point-of-Sale compromise
– Voting machine tampering
– Escalating macOS privileges
– Targeted attacks on individuals

Got Movie Apps On Your Device? Be Careful Of Subtitle Packages – Chuck Leaver

Written By Josh Harriman And Presented By Chuck Leaver Ziften CEO


Do you like watching films with popular apps like Kodi, SmartTV or VLC on your devices? How about needing or wanting subtitles with those films and just grabbing the latest pack from OpenSubtitles? No problem, sounds like a great evening at home. The problem is, according to research by Check Point, there could be a nasty surprise waiting for you.

For hackers to take control of your ‘world’, they need a vector, or some way to gain entry to your system. There are some typical ways that happens these days, such as clever (and not so clever) social engineering techniques: you get e-mails that appear to come from friends or co-workers but were spoofed, and you opened an attachment, or went to some website and, if the stars lined up, you were pwned. Normally the star alignment part is not that hard; it only requires that you have some vulnerable software running that can be reached.

Since the technique relies on getting users to cooperate, the target audience can sometimes be hard to find. But with this latest research posted, many of the major media players have a distinct vulnerability when it comes to loading and parsing subtitle packages. The four primary media players noted in the article are patched to date, but as we have seen in the past (just look at the recent SMB v1 vulnerability issue), just because a fix is available doesn’t mean that users are upgrading. The researchers have also declined to publish the technical details of the vulnerability, to give other vendors time to patch. That is a good sign and the appropriate approach I think researchers should take: inform the vendor so they can fix the issue, and also announce it publicly so ‘we the people’ are informed and know what to watch out for.

It’s difficult to keep up with the many ways you can get infected, but at least we have researchers who tirelessly attempt to ‘break’ things to discover those vulnerabilities. By following proper disclosure practices, they help everybody enjoy a safer experience with their devices, and in this case, a great night in at the movies.

Our Advanced Endpoint Services Will Integrate With Your Security Architecture – Chuck Leaver

Written By Roark Pollock And Presented By Ziften CEO Chuck Leaver


Security practitioners are by nature a cautious lot. Being cautious is a quality most folks probably have when entering this industry, given its mission, but it’s also certainly a characteristic that is learned over time. Ironically this holds true even when it comes to adding extra security precautions to an already established security architecture. While one might assume that more security is better security, experience teaches us that’s not necessarily the case. There are in fact many concerns related to deploying a new security solution. One that almost always appears near the top of the list is how well a new solution integrates with existing products.

Integration concerns come in several flavors. First, a new security control should not break anything. But beyond that, new security solutions should willingly share threat intelligence and act upon threat intelligence collected across a company’s entire security infrastructure. In other words, the new security tools must work together with the existing ecosystem of tools in place such that “1 + 1 = 3”. The last thing that most security and IT operations teams need is more siloed solutions or tools.

This is why, at Ziften, we’ve always concentrated on developing and delivering a completely open visibility architecture. We believe that any new systems and security operations tools should be built with enhanced visibility and information sharing as key product requirements. But this isn’t a one-way street. Producing simple integrations requires technology partnerships with industry vendors. We consider it our responsibility to work with other technology businesses to mutually integrate our solutions, thereby making it easy on customers. Sadly, many vendors still believe that integration of security solutions, particularly new endpoint security products, is very difficult. I hear the concern constantly in customer conversations. But data is now appearing showing this isn’t always the case.

In recent survey work by NSS Labs on “advanced endpoint” products, they report that Global 2000 customers based in North America have been pleasantly surprised by how well these types of products integrate into their existing security architectures. According to the NSS study titled “Advanced Endpoint Protection – Market Analysis and Survey Results CY2016”, which NSS subsequently presented in the BrightTalk webinar below, respondents that had already deployed advanced endpoint products were much more positive about their ability to integrate into already established security architectures than were respondents that were still in the planning stages of acquiring these products.

Specifically, respondents that have already deployed advanced endpoint products rank integration with already established security architectures as follows:

● Excellent 5.3 %
● Good 50.0 %
● Average 31.6 %
● Poor 13.2 %
● (Horrible) 0.0 %

Compare that to the more conservative responses from folks still in the preparation phase:

● Excellent 0.0 %
● Good 39.3 %
● Average 42.9 %
● Poor 14.3 %
● (Horrible) 3.6 %

These results are encouraging. Yes, as noted, security people tend to be pessimists, but in spite of low expectations respondents are reporting positive outcomes when it comes to integration experiences. In fact, Ziften customers usually display the same initial low expectations when we first discuss integrating Ziften products into their existing environment of solutions. But in the end, customers are wowed by how simple it is to share information between Ziften products and their already established infrastructure.

These survey results will hopefully help ease concerns, as newer product adopters may read and rely on peer recommendations before making purchase decisions. Early mainstream adopters are clearly having success deploying these solutions, which will hopefully help to lessen the natural cautiousness of the broader mainstream.

Certainly, there is substantial differentiation among products in the space, and organizations need to continue to perform appropriate due diligence in understanding how and where products integrate into their broader security architectures. But the good news is that there are products not just meeting customers’ requirements, but actually outperforming their initial expectations.

Petya Variant Causes Havoc But Ziften Customers Protected – Chuck Leaver

Written By Josh Harriman And Presented By Chuck Leaver Ziften CEO


Another outbreak, another headache for those who were not prepared. While this latest attack is similar to the earlier WannaCry threat, there are some differences in this latest malware, which is a variant or new strain much like Petya. Called NotPetya by some, this strain causes a great deal of problems for anyone who encounters it. It might encrypt your data, or make the system completely unusable. And now the email address that you would need to contact to ‘perhaps’ decrypt your files has been taken down, so you’re out of luck retrieving your files.

Plenty of information on the actions of this threat is publicly available, but I wanted to mention that Ziften customers are protected from both the EternalBlue exploit, which is one mechanism used for its propagation, and, better still, by a vaccine based on a possible flaw or its own kind of debug check that stops the threat from ever running on your system. It might still spread within the environment, but our protection would already be rolled out to all existing systems to halt the damage.

Our Ziften extension platform enables our customers to have protection in place against specific vulnerabilities and malicious actions for this threat and others like Petya. Besides the specific actions taken against this particular variant, we have taken a holistic approach to stop certain strains of malware that perform various ‘checks’ against the system before running.

We can also use our Search capability to look for remnants of the other propagation techniques used by this threat. Reports show WMIC and PsExec being used. We can search for those programs, their command lines and their usage. Even though they are legitimate processes, their use is usually rare and can be alerted on.
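The search described above, expressed as detection logic over process-creation events, as an added example (not Ziften’s Search feature or any of its rules): the code scans each event’s image path and command line for WMIC invoked against a remote node (`/node:` together with `process call create`, which is WMIC’s remote process-creation syntax), for the PsExec client, and for `PSEXESVC.exe`, the service binary PsExec installs on the machine it targets. It also counts how many distinct hosts launched each of those tools, since rarity is what makes the alert worth an analyst’s time. The event records and their field names are constructed for this example and stand in for whatever the agent actually emits.

```python
import re

# Constructed process-creation events (not real telemetry). One record per new process on a host.
SAMPLE_EVENTS = [
    {"ts": "2017-06-27T11:02:14Z", "host": "ws01", "user": "CORP\\alice",
     "image": "C:\\Windows\\System32\\wmic.exe",
     "cmdline": "wmic os get caption"},                               # local query: benign
    {"ts": "2017-06-27T11:05:40Z", "host": "ws01", "user": "CORP\\alice",
     "image": "C:\\Windows\\System32\\wmic.exe",
     "cmdline": "wmic /node:\"ws02\" /user:\"CORP\\svc-admin\" process call create \"C:\\temp\\update.exe\""},
    {"ts": "2017-06-27T11:06:02Z", "host": "ws01", "user": "CORP\\alice",
     "image": "C:\\tools\\PsExec.exe",
     "cmdline": "PsExec.exe \\\\ws03 -accepteula cmd /c C:\\temp\\update.exe"},
    {"ts": "2017-06-27T11:06:03Z", "host": "ws03", "user": "NT AUTHORITY\\SYSTEM",
     "image": "C:\\Windows\\PSEXESVC.exe",
     "cmdline": "C:\\Windows\\PSEXESVC.exe"},                          # PsExec's service on the target
    {"ts": "2017-06-27T11:10:00Z", "host": "ws05", "user": "CORP\\bob",
     "image": "C:\\Windows\\System32\\notepad.exe",
     "cmdline": "notepad.exe notes.txt"},
]

# Each rule: (name, regex applied to the command line and to the image path, severity).
RULES = [
    ("wmic_remote_process_create",
     re.compile(r"\bwmic(?:\.exe)?\b.*/node:.*\bprocess\b.*\bcall\b.*\bcreate\b", re.I), "high"),
    ("psexec_client_launch",
     re.compile(r"(?:^|\\)psexec(?:64)?\.exe\b", re.I), "medium"),
    ("psexesvc_service_on_target",
     re.compile(r"\\psexesvc\.exe$", re.I), "high"),
]

ADMIN_TOOLS = {"wmic.exe", "psexec.exe", "psexec64.exe", "psexesvc.exe"}


def detect(events, rules=RULES):
    """Return one alert per (event, rule) pair where the rule matches the image path or the command line."""
    alerts = []
    for ev in events:
        for name, pattern, severity in rules:
            if pattern.search(ev["cmdline"]) or pattern.search(ev["image"]):
                alerts.append({"rule": name, "severity": severity, "ts": ev["ts"],
                               "host": ev["host"], "user": ev["user"], "cmdline": ev["cmdline"]})
    return alerts


def usage_baseline(events):
    """Map each admin tool to the number of distinct hosts that launched it (low numbers = rare = interesting)."""
    hosts_by_tool = {}
    for ev in events:
        exe = ev["image"].rsplit("\\", 1)[-1].lower()
        if exe in ADMIN_TOOLS:
            hosts_by_tool.setdefault(exe, set()).add(ev["host"])
    return {exe: len(hosts) for exe, hosts in hosts_by_tool.items()}


if __name__ == "__main__":
    for a in detect(SAMPLE_EVENTS):
        print(f"[{a['severity']}] {a['rule']} {a['ts']} {a['host']} {a['user']}: {a['cmdline']}")
    print("hosts per tool:", usage_baseline(SAMPLE_EVENTS))
```

The local `wmic os get caption` query is deliberately left unflagged: alerting on every WMIC launch would bury the rare remote-execution case the paragraph is about, so the rule keys on the remote switch plus the process-creation verb, and the PsExec rules key on the client binary and on the service it leaves behind on the target.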

With WannaCry, and now NotPetya, we anticipate seeing an ongoing increase in these types of attacks. The release of the recent NSA exploits has given ambitious hackers the tools they need to push out their products. And though ransomware threats can be a high-profit vehicle, more destructive threats could be released. It has always been ‘how’ to get the threats to spread (worm-like, or social engineering) which is most difficult for them.

UK Parliament Make Your System Secure Instead Of Blaming Others – Chuck Leaver

Written By Dr Al Hartmann And Presented By Ziften CEO Chuck Leaver


In cyberspace the sheep get shorn, chumps get chewed, dupes get duped, and pawns get pwned. We have seen another fine example of this in the recent attack on the UK Parliament email system.

Rather than admit to an email system that was insecure by design, the official statement read:

Parliament has strong procedures in place to secure all our accounts and systems.

Of course you do. The one protective procedure we did see in action was deflecting the blame: pin it on the Russians, that always works, while blaming the victims for their policy violations. While details of the attack are scarce, combing various sources does help to piece together at least the gross outlines. If these descriptions are reasonably close, the United Kingdom Parliament email system failings are shocking.

What failed in this scenario?

Rely on single-factor authentication

“Password security” is an oxymoron: anything protected by a password alone is insecure, period, no matter the strength of the password. Please, no 2FA here, it might impede attacks.

Do not enforce any limit on unsuccessful login attempts

Aided by single-factor authentication, this enables simple brute force attacks, no skill required. But when breached, blame elite foreign hackers; no one can verify.

Do not implement brute force attack detection

Allow attackers to carry out (otherwise trivially detectable) brute force attacks for extended periods (12 hours against the United Kingdom Parliament system), to maximize the scope of account compromise.

Do not enforce policy, treat it as mere suggestions

Combined with single-factor authentication, no limit on failed logins, and no brute force attack detection, do not enforce any password strength validation. Offer attackers extremely low-hanging fruit.

Rely on anonymous, unencrypted email for sensitive communications

If attackers do succeed in compromising email accounts or sniffing your network traffic, offer them plenty of opportunity to harvest high-value message content entirely without obstruction. This also conditions constituents to trust easily spoofable e-mail from Parliament, producing an ideal constituent phishing environment.
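Three of the failings listed above (no limit on failed logins, no brute force detection, no enforced password policy) are cheap to fix in code, and the following added example shows what the missing controls look like; it is illustrative code of my own, not anything from the Parliament system or from Ziften. `BruteForceDetector` keeps a sliding window of failures per account and per source address, locks an account after a burst of failures, flags a source that fails across many accounts, and reports a login that succeeds on an account that should already be locked (the situation a system with no lockout cannot see). `password_violations` is the strength check the page says was never enforced. The log format, thresholds, window and the short common-password list are all constructed assumptions, and the source addresses come from the RFC 5737 documentation range.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed authentication log (not real Parliament data): a burst against one account,
# then a slow sweep across several accounts from a second source address.
SAMPLE_LOG = """\
2017-06-23T02:00:00Z auth=OK user=a.jones src=198.51.100.4
2017-06-23T03:10:00Z auth=FAIL user=m.smith src=203.0.113.5
2017-06-23T03:10:05Z auth=FAIL user=m.smith src=203.0.113.5
2017-06-23T03:10:10Z auth=FAIL user=m.smith src=203.0.113.5
2017-06-23T03:10:15Z auth=FAIL user=m.smith src=203.0.113.5
2017-06-23T03:10:20Z auth=FAIL user=m.smith src=203.0.113.5
2017-06-23T03:10:25Z auth=OK user=m.smith src=203.0.113.5
2017-06-23T04:00:00Z auth=FAIL user=a.jones src=203.0.113.9
2017-06-23T04:00:02Z auth=FAIL user=b.khan src=203.0.113.9
2017-06-23T04:00:04Z auth=FAIL user=c.lee src=203.0.113.9
2017-06-23T04:00:06Z auth=FAIL user=d.owen src=203.0.113.9
2017-06-23T04:00:08Z auth=FAIL user=e.ross src=203.0.113.9
2017-06-23T04:00:10Z auth=FAIL user=f.wood src=203.0.113.9
"""

LINE_RE = re.compile(r"^(?P<ts>\S+) auth=(?P<result>OK|FAIL) user=(?P<user>\S+) src=(?P<src>\S+)$")


def parse_line(line):
    """Parse one constructed log line into a dict, or return None for lines that do not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ev = m.groupdict()
    ev["ts"] = datetime.strptime(ev["ts"], "%Y-%m-%dT%H:%M:%SZ")
    return ev


class BruteForceDetector:
    """Sliding-window failure counters per account and per source, with account lockout."""

    def __init__(self, user_limit=5, src_limit=6, window=timedelta(minutes=10)):
        self.user_limit, self.src_limit, self.window = user_limit, src_limit, window
        self.user_fail = defaultdict(deque)  # account -> timestamps of recent failures
        self.src_fail = defaultdict(deque)   # source  -> timestamps of recent failures
        self.locked = {}                     # account -> time the lockout was applied

    def _push(self, dq, ts):
        """Record a failure, drop entries older than the window, return the current count."""
        dq.append(ts)
        while dq and ts - dq[0] > self.window:
            dq.popleft()
        return len(dq)

    def observe(self, ev):
        """Feed one event; return the alerts it triggers as (rule, user, src) tuples."""
        alerts = []
        user, src, ts = ev["user"], ev["src"], ev["ts"]
        if ev["result"] == "OK":
            if user in self.locked:  # a locked account must not log in; if it did, lockout is not enforced
                alerts.append(("success_on_locked_account", user, src))
            return alerts
        if self._push(self.user_fail[user], ts) == self.user_limit and user not in self.locked:
            self.locked[user] = ts
            alerts.append(("account_locked", user, src))
        if self._push(self.src_fail[src], ts) == self.src_limit:
            alerts.append(("brute_force_source", user, src))
        return alerts


def run_detector(log_text):
    """Replay a whole log through a fresh detector and collect every alert in order."""
    det = BruteForceDetector()
    alerts = []
    for line in log_text.splitlines():
        ev = parse_line(line)
        if ev:
            alerts.extend(det.observe(ev))
    return alerts


COMMON_PASSWORDS = {"password", "password1", "parliament", "letmein", "123456"}  # constructed shortlist


def password_violations(pw):
    """Return the policy rules a candidate password breaks; an empty list means it passes."""
    violations = []
    if len(pw) < 12:
        violations.append("min_length_12")
    classes = sum(bool(re.search(p, pw)) for p in (r"[a-z]", r"[A-Z]", r"\d", r"[^A-Za-z0-9]"))
    if classes < 3:
        violations.append("min_3_character_classes")
    if pw.lower() in COMMON_PASSWORDS:
        violations.append("common_password")
    return violations


if __name__ == "__main__":
    for rule, user, src in run_detector(SAMPLE_LOG):
        print(f"{rule:28} user={user} src={src}")
    print("Password1 ->", password_violations("Password1"))
```

Replaying the sample log produces three alerts: the burst locks `m.smith` on the fifth failure, the successful login that follows is reported because the lock should have refused it, and the second source is flagged once its failures across six different accounts cross the per-source threshold, which is the pattern a per-account counter alone misses.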

Lessons learned

In addition to adding “Common Sense for Dummies” to their summer reading lists, the United Kingdom Parliament e-mail system admins might wish to take further actions. Strengthening weak authentication practices, enforcing policies, improving network and endpoint visibility with continuous monitoring and anomaly detection, and completely reassessing secure messaging are recommended actions. Penetration testing would have uncovered these fundamental weaknesses while staying out of the news headlines.

Even a few intelligent high schoolers with a free weekend could have replicated this breach. And lastly, stop blaming Russia for your own security failings. Assume that any weaknesses in your security architecture and policy framework will be probed and exploited by some hackers somewhere across the global internet. That is all the more incentive to find and fix those weaknesses before the attackers do, so take action now. And if your defenders can’t see the attacks in progress, upgrade your monitoring and analytics.

Want To Bring Security And IT Together? Use SysSecOps – Chuck Leaver

Written By Chuck Leaver Ziften CEO


Scott Raynovich nailed it. Having worked with numerous organizations, he realized that one of the greatest challenges is that security and operations are two distinct departments, with drastically different objectives, differing tools, and differing management structures.

Scott and his analyst firm, Futuriom, recently completed a study, “Endpoint Security and SysSecOps: The Growing Pattern to Develop a More Secure Enterprise”, where one of the key findings was that conflicting IT and security goals hamper specialists, on both teams, from achieving their objectives.

That’s precisely what we believe at Ziften, and the term that Scott coined to describe the merging of IT and security in this domain, SysSecOps, describes perfectly what we’ve been talking about. Security teams and IT teams must get on the same page. That means sharing the same objectives, and in many cases, sharing the same tools.

Think about the tools that IT people use. The tools are designed to ensure the infrastructure and end devices are working correctly, and when something goes wrong, to help them fix it. On the endpoint side, those tools help make sure that devices that are permitted onto the network are configured properly, have software that is authorized and properly updated/patched, and have not registered any faults.

Think about the tools that security folks use. They work to enforce security policies on devices, infrastructure, and security apparatus (like firewalls). This might include actively monitoring incidents, scanning for abnormal behavior, examining files to ensure they don’t contain malware, incorporating the latest threat intelligence, matching against newly discovered zero-days, and performing analysis on log files.

Finding fires, fighting fires

Those are two different worlds. The security teams are fire spotters: they can see that something bad is happening, can work quickly to isolate the issue, and determine if damage occurred (like data exfiltration). The IT teams are the firefighters on the ground: they jump into action when an incident strikes to ensure that the systems are made safe and restored to operation.

Sounds good, doesn’t it? Unfortunately, all too often, they don’t talk to each other; it’s like having the fire spotters and firefighters using different radios, different jargon, and different city maps. Worse, the teams can’t share the same data directly.

Our approach to SysSecOps is to provide both the IT and security teams with the same resources, which means the same reports, delivered in the appropriate ways to the experts. It’s not a dumbing down, it’s working smarter.

It’s ridiculous to work any other way. Take the WannaCry infection, for example. On one hand, Microsoft released a patch back in March 2017 that addressed the underlying SMB flaw. IT operations teams didn’t install the patch, because they didn’t think it was a big deal and didn’t talk to security. Security teams didn’t know whether the patch was installed, because they don’t talk to operations. SysSecOps would have had everyone on the same page, and could potentially have avoided this issue.

Missing data means waste and risk

The inefficient gap between IT operations and security exposes organizations to risks. Preventable risks. Unnecessary risks. It’s simply unacceptable!

If your organization’s IT and security teams aren’t on the same page, you are incurring risks and expenses that you shouldn’t have to. It’s waste. Organizational waste. It’s wasteful because you have a lot of tools that are supplying partial data with gaps, and each of your teams only sees part of the picture.

As Scott concluded in his report, “Collaborated SysSecOps visibility has actually currently proven its worth in assisting organizations assess, analyze, and prevent substantial dangers to the IT systems and endpoints. If these goals are pursued, the security and management threats to an IT system can be significantly lessened.”

If your teams are working together in a SysSecOps kind of way, if they can see the same data at the same time, you not only have better security and more effective operations, but also lower risk and lower costs. Our Zenith software can help you achieve that effectiveness, not only working with your existing IT and security tools, but also filling in the gaps to make sure everyone has the right data at the right time.

With Ziften And Splunk You Can Detect And Respond To WannaCry – Chuck Leaver

Written by Joel Ebrahami and presented by Chuck Leaver


WannaCry has generated a lot of media attention. It might not have the enormous infection rates that we have seen with many of the previous worms, but in the current security world the number of systems it was able to infect in one day was still rather shocking. The goal of this blog is NOT to provide an in-depth analysis of the threat, but rather to look at how the exploit behaves on a technical level with Ziften’s Zenith platform and the integration we have with our technology partner Splunk.

Visibility of WannaCry in Ziften Zenith

My first action was to reach out to the Ziften Labs threat research team to see what details they might provide me about WannaCry. Josh Harriman, VP of Cyber Security Intelligence, directs our research group and informed me that they had samples of WannaCry already running in our ‘Red Lab’ to look at the behavior of the threat and perform additional analysis. Josh sent me the details of what he had found when examining the WannaCry samples in the Ziften Zenith console, which I present herein.

The Red Lab has systems covering all the most common operating systems with different services and configurations. There were already systems in the lab that were purposely vulnerable to the WannaCry exploit. Our global threat intelligence feeds used in the Zenith platform are updated in real time, and had no trouble spotting the infection in our lab environment (see Figure 1).

Two lab systems were identified running the malicious WannaCry sample. While it is great to see our global threat intelligence feeds updated so quickly and recognizing the ransomware samples, there were other behaviors that we found that would have identified the ransomware threat even if there had not been a threat signature.

Zenith agents collect a huge amount of data on what's happening on each host. From this visibility data, we build non-signature-based detection techniques that look for generally malicious or anomalous behavior. Figure 2 below shows the behavioral detection of the WannaCry threat.

Examining the Breadth of WannaCry Infections

Once detected, either through signature or behavioral approaches, it is very simple to see which other systems have also been infected or are showing similar behaviors.

Detecting WannaCry with Ziften and Splunk

After reviewing this information, I decided to run the WannaCry sample in my own environment on a vulnerable system. I had one vulnerable system running the Zenith agent, and in this case my Zenith server was already configured to integrate with Splunk. This let me look at the same information inside Splunk. Let me explain the integration we have with Splunk.

We have two Splunk apps for Zenith. The first is our technology add-on (TA): its role is to consume and index ALL the raw data from the Zenith server that the Ziften agents generate. As this data arrives it is mapped into Splunk's Common Information Model (CIM) so that it can be normalized and easily searched, as well as used by other apps such as the Splunk App for Enterprise Security (Splunk ES). The Ziften TA also includes Adaptive Response capabilities for taking actions from events rendered in Splunk ES. The second app is a dashboard for displaying our data with all the charts and graphs available in Splunk, to make digesting the data much easier.

Since I already had the information on how the WannaCry exploit behaved in our research lab, I had the advantage of knowing exactly what to search for in Splunk using the Zenith data. In this case I was able to see a signature alert by using the VirusTotal integration with our Splunk app (see Figure 4).

Threat Hunting for WannaCry Ransomware in Ziften and Splunk

But I wanted to put on my "incident responder hat" and examine this in Splunk using the Zenith agent data. My first thought was to search the systems in my lab for ones running SMB, because that was the initial vector for the WannaCry attack. The Zenith data is encapsulated in various message types, and I knew that I would most likely find SMB data in the running process message type; however, I used Splunk's * regex with the Zenith sourcetype so I could search all Zenith data. The resulting search looked like ‘sourcetype=ziften:zenith:* smb’. As I expected, I got one result back for the system that was running SMB (see Figure 5).

My next step was to use the same behavioral search we have in Zenith that looks for typical CryptoWare and see if I could get results back. Again this was very simple to do from the Splunk search panel. I used the same wildcard sourcetype as before so I could search across all Zenith data, and this time I added the ‘delete shadows’ string search to see if this behavior was ever issued at the command line. My search looked like ‘sourcetype=ziften:zenith:* delete shadows’. This search returned results, shown in Figure 6, that showed me in detail the process that was created and the full command line that was executed.
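The two hunts above, and the CIM mapping the TA performs on ingest, can be re-created offline to see what the searches actually match. The following is an added example written for this page, not Ziften's or Splunk's code: the raw event layout is a constructed stand-in for Zenith agent telemetry, the sample events (including a constructed shadow-copy deletion command line) are made up for the demonstration, and only the output field names (process_name, process, process_id, parent_process_id, dest, process_hash) are real Splunk CIM Endpoint.Processes fields. The search helper approximates a sourcetype wildcard plus free-text terms; it is not Splunk's search language.

```python
"""Offline re-creation of the SMB and 'delete shadows' hunts over CIM-shaped events.

Added example, not Ziften's or Splunk's code. RAW_EVENTS is constructed sample
telemetry; the sourcetype naming follows the post ('ziften:zenith:<message type>').
"""
import fnmatch
from typing import Dict, Iterable, List

# Constructed sample events, loosely shaped like endpoint agent process and
# network records. Hashes are placeholders, not real sample hashes.
RAW_EVENTS: List[Dict[str, str]] = [
    {"sourcetype": "ziften:zenith:process", "host": "lab-win7-01",
     "pid": "1040", "ppid": "600", "path": "C:\\Windows\\System32\\svchost.exe",
     "cmdline": "svchost.exe -k netsvcs",
     "service": "LanmanServer (SMB file server)",
     "sha256": "0" * 63 + "1"},
    {"sourcetype": "ziften:zenith:process", "host": "lab-win7-01",
     "pid": "2212", "ppid": "2100", "path": "C:\\Windows\\System32\\vssadmin.exe",
     "cmdline": "vssadmin.exe delete shadows /all /quiet",   # constructed ransomware behaviour
     "sha256": "0" * 63 + "2"},
    {"sourcetype": "ziften:zenith:process", "host": "lab-win10-02",
     "pid": "3300", "ppid": "1200", "path": "C:\\Windows\\explorer.exe",
     "cmdline": "explorer.exe",
     "sha256": "0" * 63 + "3"},
    {"sourcetype": "ziften:zenith:network", "host": "lab-win7-01",
     "dest_ip": "10.0.0.7", "dest_port": "445", "direction": "outbound"},
]


def normalize(raw: Dict[str, str]) -> Dict[str, str]:
    """Map a raw event onto Splunk CIM Endpoint.Processes field names, which is
    the normalization step the post attributes to the Ziften TA. Non-process
    sourcetypes are passed through with only 'dest' renamed."""
    cim = {"sourcetype": raw["sourcetype"], "dest": raw["host"]}
    if raw["sourcetype"].endswith(":process"):
        cim.update({
            "process_id": raw["pid"],
            "parent_process_id": raw["ppid"],
            "process_path": raw["path"],
            "process_name": raw["path"].rsplit("\\", 1)[-1],
            "process": raw["cmdline"],           # full command line
            "process_hash": raw["sha256"],
        })
        if "service" in raw:
            cim["service"] = raw["service"]
    else:
        cim.update({k: v for k, v in raw.items() if k not in ("sourcetype", "host")})
    return cim


def search(events: Iterable[Dict[str, str]], sourcetype_glob: str, *phrases: str) -> List[Dict[str, str]]:
    """Approximate 'sourcetype=<glob> <phrase> ...': the sourcetype must match the
    wildcard and every phrase must occur (case-insensitively) somewhere in the
    event's field values, the way a free-text term matches in Splunk."""
    hits = []
    for ev in events:
        if not fnmatch.fnmatchcase(ev["sourcetype"], sourcetype_glob):
            continue
        blob = " ".join(str(v) for v in ev.values()).lower()
        if all(p.lower() in blob for p in phrases):
            hits.append(ev)
    return hits


def hosts_running_smb(events: Iterable[Dict[str, str]]) -> List[str]:
    """First hunt: which systems expose SMB, the WannaCry entry vector."""
    return sorted({ev["dest"] for ev in search(events, "ziften:zenith:*", "smb")})


def shadow_copy_deletions(events: Iterable[Dict[str, str]]) -> List[Dict[str, str]]:
    """Second hunt: the behavioural 'delete shadows' check, returning the process
    id and full command line of each hit so a responder can act on it."""
    return [{"dest": ev["dest"], "process_id": ev["process_id"], "process": ev["process"]}
            for ev in search(events, "ziften:zenith:*", "delete shadows")]


CIM_EVENTS = [normalize(ev) for ev in RAW_EVENTS]

if __name__ == "__main__":
    print("hosts running SMB:", hosts_running_smb(CIM_EVENTS))
    for hit in shadow_copy_deletions(CIM_EVENTS):
        print("shadow copy deletion:", hit)
```

Because the sourcetype wildcard spans every message type, a term such as "smb" can surface in process, service or network records alike; narrowing the glob to one message type (for example `ziften:zenith:network` with port 445) is how you would cut noise once you know where the field lives.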

Having all this information within Splunk made it very easy to determine which systems were vulnerable and which systems had already been compromised.

WannaCry Remediation Using Splunk and Ziften

One of the next steps in any kind of breach is to remediate the compromise as fast as possible to prevent further damage and to take action to keep any other systems from being compromised. Ziften is one of the original Splunk Adaptive Response members, and there are a variety of actions (see Figure 7) that can be taken through Splunk's Adaptive Response to mitigate these threats through extensions on Zenith.

In the case of WannaCry we could actually have used nearly any of the Adaptive Response actions currently available from Zenith. When looking to minimize the impact and prevent WannaCry in the first place, one action that can be taken is to shut down SMB on any systems running the Zenith agent where the version of SMB running is known to be vulnerable. With a single action Splunk can pass to Zenith the agent IDs or the IP addresses of all the vulnerable systems where we want to stop the SMB service, thus preventing the threat from ever occurring and allowing the IT operations team to get those systems patched before starting the SMB service again.

Preventing Ransomware from Spreading or Exfiltrating Data

Now, in the event that we have already been compromised, it is vital to prevent further exploitation and stop the possible exfiltration of sensitive information or company intellectual property. There are really three actions we could take. The first two are similar: we could kill the malicious process either by PID (process ID) or by its hash. This is effective, but because malware will often just spawn under a new process, or be polymorphic and have a different hash, we can apply an action that is guaranteed to block any inbound or outbound traffic from those infected systems: network quarantine. This is another example of an Adaptive Response action available from Ziften's integration with Splunk ES.
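The response logic the two preceding sections describe (stop SMB on exposed-but-clean hosts, kill the known process on infected hosts, then quarantine because a respawned or re-hashed copy escapes a PID or hash kill) can be written down as a small planner that emits per-action batches of agent IDs, the shape in which the post says Splunk hands targets to Zenith. This is an added example, not Ziften's or Splunk's code: the Host record, the agent IDs and the action names are constructed placeholders, and the real Adaptive Response action identifiers in the Ziften TA are not shown on this page.

```python
"""Planner for per-host response actions and per-action agent batches.

Added example, not Ziften's or Splunk's code. Host records, agent IDs and
action names are constructed placeholders for the actions the post describes.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Set


@dataclass
class Host:
    agent_id: str
    smb_vulnerable: bool                 # SMB exposed and not yet patched
    malicious: List[Dict[str, str]] = field(default_factory=list)  # hunt hits: pid + sha256


# Constructed inventory: one exposed-but-clean host, two infected hosts whose
# malicious process carries a different hash on each (polymorphism), one clean host.
HOSTS: List[Host] = [
    Host("agent-0001", smb_vulnerable=True),
    Host("agent-0002", smb_vulnerable=True,  malicious=[{"pid": "2212", "sha256": "aa" * 32}]),
    Host("agent-0003", smb_vulnerable=False, malicious=[{"pid": "988",  "sha256": "bb" * 32}]),
    Host("agent-0004", smb_vulnerable=False),
]


def plan_response(hosts: List[Host]) -> Dict[str, List[str]]:
    """Return an ordered action list per agent.

    Infected hosts get the cheap, immediate kills (by PID and by hash) followed by
    network quarantine, since a respawned process or a differently hashed copy
    would survive the kills alone. Exposed-but-clean hosts get SMB disabled until
    patched. Clean, unexposed hosts get nothing."""
    plan: Dict[str, List[str]] = {}
    for h in hosts:
        actions: List[str] = []
        if h.malicious:
            for hit in h.malicious:
                actions.append(f"kill_pid:{hit['pid']}")
                actions.append(f"kill_hash:{hit['sha256']}")
            actions.append("network_quarantine")
        elif h.smb_vulnerable:
            actions.append("disable_smb")
        plan[h.agent_id] = actions
    return plan


def batch_by_action(plan: Dict[str, List[str]]) -> Dict[str, List[str]]:
    """Invert the per-host plan into one agent-ID list per action, i.e. the
    'single action over many targets' form the post describes."""
    batches: Dict[str, List[str]] = {}
    for agent_id, actions in plan.items():
        for action in actions:
            key = action.split(":", 1)[0]        # group kill_pid / kill_hash by kind
            batches.setdefault(key, []).append(agent_id)
    return {k: sorted(v) for k, v in batches.items()}


def hash_kill_coverage(hosts: List[Host], blocked_hashes: Set[str]) -> Dict[str, int]:
    """How many infected hosts a hash-based kill alone would stop, given the
    hashes currently known. Shows why quarantine is the backstop."""
    infected = [h for h in hosts if h.malicious]
    covered = [h for h in infected if all(m["sha256"] in blocked_hashes for m in h.malicious)]
    return {"covered": len(covered), "infected": len(infected)}


if __name__ == "__main__":
    plan = plan_response(HOSTS)
    for agent, actions in plan.items():
        print(agent, actions)
    print(batch_by_action(plan))
    print(hash_kill_coverage(HOSTS, {"aa" * 32}))
```

Running it with only the first sample's hash known reports one of two infected hosts covered by a hash kill, while the quarantine batch lists both, which is the post's argument for quarantine in one number.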

WannaCry is already tapering off, but hopefully this technical blog shows the value of the Ziften and Splunk integration in handling ransomware threats against the endpoint.

Organizations Need To Increase Their Paranoia Over Security – Chuck Leaver

Written By Chuck Leaver Ziften CEO


Whatever you do, don't underestimate cyber criminals. Even the most paranoid "normal" person would not worry about a source of data breaches being stolen credentials from its heating, ventilation and air conditioning (HVAC) contractor. Yet that's exactly what happened at Target in November 2013. Hackers got into Target's network using credentials issued to the contractor, presumably so it could monitor the HVAC system. (For a good analysis, see Krebs on Security.) And then the hackers were able to leverage the breach to inject malware into point of sale (POS) systems, and then offload payment card data.

A number of foolish mistakes were made here. Why was the HVAC contractor given access to the enterprise network? Why wasn't the HVAC system on a separate, fully isolated network? Why wasn't the POS system on a separate network? Et cetera, et cetera.

The point here is that in a very complex network, there are countless potential vulnerabilities that could be exploited through carelessness, unpatched software, default passwords, social engineering, spear phishing, or insider actions. You get the point.

Whose job is it to find and fix those vulnerabilities? The security team. The CISO's team. Security professionals aren't "normal" people. They are hired to be paranoid. Make no mistake, whatever the specific technical vulnerability that was exploited, this was a CISO failure to anticipate the worst and plan accordingly.

I can't speak to the Target HVAC breach specifically, but there is one overwhelming reason that breaches like this happen: a lack of budgetary priority for cybersecurity. I'm not sure how often companies fail to fund security simply because they're cheap and would rather do a share buy-back. Or maybe the CISO is too timid to ask for what's needed, or has been told that he gets a 5% increase, regardless of the need. Maybe the CEO is worried that disclosures of large allocations for security will spook investors. Maybe the CEO is simply naïve enough to think that the enterprise won't be targeted by cyber criminals. The problem: every company is targeted by hackers.

There are big battles over budgets. The IT department wants to fund upgrades and improvements, and attack the backlog of demand for new and improved applications. On the other side, you have line-of-business leaders who see IT projects as directly helping the bottom line. They are optimists, and have lots of CEO attention.

By contrast, the security department often has to fight for crumbs. They are seen as a cost center. Security reduces business risk in a way that matters to the CFO, the CRO (chief risk officer, if there is one), the general counsel, and other pessimists who care about compliance and reputation. These green-eyeshade people think about worst-case scenarios. That doesn't make friends, and budget dollars are allocated reluctantly at many companies (until the business gets burned).

Call it naivety, call it institutional hostility, but it's a real obstacle. You can't have IT given fantastic tools to move the business forward while security is starved and making do with second best.

Worse, you don't want to end up in situations where the rightfully paranoid security teams are working with tools that don't mesh well with their IT counterparts' tools.

If IT and security tools don't mesh well, IT may not be able to act quickly in response to risky situations that the security teams are monitoring or worried about, such as reports from threat intelligence, discoveries of unpatched vulnerabilities, nasty zero-day exploits, or user behavior that suggests risky or suspicious activity.

One idea: find tools for both departments that are designed with both IT and security in mind, right from the start, rather than IT tools that are patched to provide some minimal security capability. One budget item (take it out of IT, they have more money), but two workflows, one designed for the IT professional, one for the CISO's team. Everyone wins, and next time somebody wants to give the HVAC contractor access to the network, maybe security will notice what IT is doing and head that disaster off at the pass.

WannaCry Ransomware – How Ziften Can Help You – Chuck Leaver

Written By Michael Vaughn And Presented By Chuck Leaver Ziften CEO


Answers To Your Concerns About WannaCry Ransomware

The WannaCry ransomware attack has so far infected more than 300,000 computers in 150 countries by exploiting vulnerabilities in Microsoft's Windows operating system.
In this brief video Chief Data Scientist Dr. Al Hartmann and I discuss the nature of the attack, as well as how Ziften can help organizations protect themselves from the exploit known as "EternalBlue."

As mentioned in the video, the problem with the Server Message Block (SMB) file-sharing service is that it's present on many Windows operating systems and found in many environments. However, we make it easy to identify which systems in your environment have or haven't been patched yet. Importantly, Ziften Zenith can also remotely disable the SMB file-sharing service entirely, giving organizations valuable time to ensure that those machines are properly patched.

If you're curious about Ziften Zenith, our 20-minute demo includes a consultation with our experts on how we can help your organization prevent the worst digital catastrophe to hit the web in years.