Monthly Archives: January 2015

Endpoint Security Through A Lightweight Approach Is The Best Solution – Charles Leaver

Charles Leaver Ziften CEO Presents A Post By David Shefter CTO

If you are a company with 5000 or more employees, it is likely that your IT Security and Operations groups are overwhelmed by the volume of data they need to crawl through for just a small percentage of visibility into what their users are doing on a recurring basis. Antivirus suites have been installed, USB ports have been shut down and user access constraints have even been enforced, but the risk of cyber attacks and malware invasions still remains. What action do you take?

As much as 72% of advanced malware and cyber criminal intrusions happen in the endpoint environment, according to a Verizon Data Breach Report. Your company first needs to ask itself how crucial its credibility is. If you take Target as an example, a malware attack cost them over $6 billion in market cap loss. Unfortunately the modern world places us constantly under attack from unhappy or rogue staff members, anarchists and other cyber criminals. This situation is only likely to get worse.

Your network is secured by firewalls and similar controls, but you are not able to see exactly what is occurring past the network switch port. The only real way to address this danger is to enact a solution that works with and complements the network based solutions already in place. Ziften (which is Dutch for “To Sift”) can provide this solution, which supplies “Open Visibility” with a lightweight approach. You need to manage the entire environment, which includes servers, the network, desktops and so on, but you do not want to add overhead and stress to your network. A substantial Ziften commitment is that the solution will not have an adverse effect on your environment, yet it will supply a deeply impactful visibility and security solution.

The revolutionary software from Ziften completely comprehends machine behavior and problems, enabling experts to focus on advanced threats more quickly and reduce dwell time to a minimum. Ziften’s solution will continually monitor activity at the endpoint, resource usage, IP connections, user interactions etc. With the Ziften solution your company will be able to determine the origin of any infiltration faster and repair the problem.

It is a lightweight solution that is not kernel or driver based; it uses very little memory, adds little to no overhead at the system level and generates almost zero network traffic.

For driver and kernel based solutions there are extreme accreditation requirements that can take longer than 9 months. By the time the new software is developed and baked, the OS could be at its next release. This is a time consuming, non-supportable and troublesome process.

The Ziften approach is a genuine differentiator in the market. By deploying a very lightweight, non-intrusive agent and running it as a system service, it removes the stresses that a lot of new software solutions introduce at the endpoint. Ease of implementation leads to faster times to market, simple support, scalability, and uncomplicated solutions that do not impede the user environment.

To summarize, with the current level of cyber risk, and the threat of a cyber attack that can significantly tarnish your reputation increasing daily, you need to implement continuous 24/7 monitoring of all your endpoint devices to make sure that you have clear visibility of any endpoint security risks, gaps, or instabilities. Ziften can provide this to you.


Charles Leaver – Be Cyber Ready With These 5 Items And Prevent Data Breaches

Presented by Charles Leaver, Chief Executive Officer Ziften Technologies – Written By Dr Al Hartmann

1. Security Operations Center (SOC).

You have a Security Operations Center in place with 24/7 coverage, either in house, outsourced or a combination of the two. You do not want any gaps in coverage that could leave you open to intrusion. Handovers between watch managers need to be formalized, with appropriate handover reports provided. The supervisor will supply a summary each day with information about any attack detections and defensive countermeasures. If possible, the cyber criminals should be identified and separated by C2 infrastructure, attack method etc., and codenames assigned to them. You are not trying to associate attacks here, as this would be too difficult, but just noting any attack activity patterns that correlate with different cyber criminals. It is necessary that your SOC familiarizes itself with these patterns and is able to distinguish attackers or even spot new attackers.

2. Security Supplier Assistance Readiness.

It is not possible for your security staff to know about all aspects of cyber security, nor to have visibility of attacks on other organizations in the same industry. You have to have external security assistance teams on standby, which could include the following:

(i) Emergency response team assistance: This is a list of suppliers that will respond to the most severe cyber attacks, the kind that are headline material. You must ensure that a single one of these vendors is ready for a significant risk, and they should receive your cyber security reports on a regular basis. They must have legal forensic capabilities and working relationships with legal authorities.

(ii) Cyber threat intelligence support: This is a vendor that collects cyber threat intelligence in your vertical, so that you can take the lead when it comes to threats that are emerging in your sector. This team ought to be plugged in to the dark net, searching for any indications of your organizational IP being mentioned or of conversations between hackers discussing your company.

(iii) IoC and Blacklist support: Since this covers multiple areas you will require numerous suppliers. This includes domain blacklists, SHA1 or MD5 blacklists, IP blacklists, and indicators of compromise (suspect configuration settings, registry keys and file paths, etc). It is possible that a few of your installed network or endpoint security products can provide these, or you can designate a third party professional.

(iv) Assistance for reverse engineering: A vendor that concentrates on the analysis of binary samples and provides comprehensive reports on their content, any potential risk and the malware family. Your present security vendors might offer this service and concentrate on reverse engineering.

(v) Public relations and legal support: If you were to suffer a significant breach then you have to ensure that public relations and legal assistance are in place, so that your CEO, CIO and CISO don’t become a case study for students at Harvard Business School learning how not to deal with a significant cyber attack.

3. Inventory of your assets, classification and readiness for defense.

You have to ensure that all of your cyber assets undergo an inventory, that their relative worth is classified, and that value-appropriate cyber defenses have been enacted for each asset classification. Do not rely entirely on the assets that are known to the IT group; get a business system sponsor for asset identification, particularly for those hidden in the public cloud. Also ensure key management procedures are in place.

4. Attack detection and diversion readiness.

For each of the major asset classifications you can create replicas using honeypot servers to entice cyber criminals to infiltrate them and reveal their attack methods. When Sony was attacked the hackers discovered a domain server that had a file named ‘passwords.xlsx’ which contained cleartext passwords for the servers of the business. This was a good ruse, and you must use these strategies in tempting places and alarm them, so that when they are accessed alarms sound right away, meaning that you have an immediate attack intelligence system in place. Change these lures often so that they appear active and do not look like an obvious trap. As most servers are virtual, hackers will not be as prepared with sandbox evasion methods as they would be with client endpoints, so you might be lucky and actually see the attack happening.
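One way to wire an alarm to a lure file, shown as an added example that is not part of the original post: it assumes a Linux host where auditd watches the lure with a read rule, and the log lines, path, key name and `lure-rotate` job are constructed for illustration.

```python
import re

# Constructed auditd SYSCALL records. They assume a read watch on the lure,
# e.g. `auditctl -w /srv/share/passwords.xlsx -p r -k lure_passwords`
# (the path, key name and lure-rotate job are hypothetical).
AUDIT_LOG = """\
type=SYSCALL msg=audit(1421312345.678:901): arch=c000003e syscall=257 success=yes exit=3 ppid=2201 pid=2250 auid=1001 uid=1001 comm="cat" exe="/usr/bin/cat" key="lure_passwords"
type=SYSCALL msg=audit(1421312400.010:915): arch=c000003e syscall=257 success=yes exit=4 ppid=1 pid=3012 auid=4294967295 uid=0 comm="lure-rotate" exe="/usr/local/sbin/lure-rotate" key="lure_passwords"
type=SYSCALL msg=audit(1421312460.500:930): arch=c000003e syscall=257 success=yes exit=3 ppid=2201 pid=2277 auid=1001 uid=1001 comm="vim" exe="/usr/bin/vim" key="passwd_watch"
type=SYSCALL msg=audit(1421312520.250:944): arch=c000003e syscall=257 success=no exit=-13 ppid=880 pid=3105 auid=4294967295 uid=65534 comm="smbd" exe="/usr/sbin/smbd" key="lure_passwords"
"""

FIELD = re.compile(r'(\w+)=("[^"]*"|\S+)')          # key=value or key="value"
STAMP = re.compile(r"audit\((\d+)\.\d+:(\d+)\)")    # epoch seconds and event serial


def lure_alerts(log, lure_key="lure_passwords",
                maintenance_exes=("/usr/local/sbin/lure-rotate",)):
    """Return one alert per access to the lure, including failed attempts."""
    alerts = []
    for line in log.splitlines():
        rec = {k: v.strip('"') for k, v in FIELD.findall(line)}
        stamp = STAMP.search(line)
        if rec.get("type") != "SYSCALL" or rec.get("key") != lure_key or not stamp:
            continue  # unrelated watch or malformed record
        if rec.get("exe") in maintenance_exes:
            continue  # the scheduled job that refreshes the lure so it looks active
        alerts.append({
            "epoch": int(stamp.group(1)),
            "serial": int(stamp.group(2)),
            "pid": int(rec.get("pid", -1)),
            "auid": int(rec.get("auid", -1)),
            "exe": rec.get("exe"),
            "succeeded": rec.get("success") == "yes",
        })
    return alerts


if __name__ == "__main__":
    for alert in lure_alerts(AUDIT_LOG):
        print("LURE TOUCHED:", alert)
```

A denied open is reported as well, since any attempt to read a lure that no legitimate workflow uses is worth a look.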

5. Monitoring preparedness and constant visibility.

Network and endpoint activity must be monitored continuously and be made visible to the SOC group. Because a lot of client endpoints are mobile and therefore beyond the company firewall, activity at these endpoints must also be monitored. Monitoring endpoints is the only certain way to perform process attribution for monitored network traffic, since protocol fingerprinting at the network level cannot always be relied upon (it can be spoofed by cyber criminals). Monitored data must be saved and archived for future reference, as a number of attacks cannot be recognized in real time. There will be a need to rely on metadata more often than on the capture of complete packets, since full capture imposes a substantial collection overhead. However, a number of dynamic risk based monitoring controls can keep collection overhead low while still responding to major threats with more granular observations.
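Process attribution from endpoint metadata, shown as an added example that is not part of the original post and is not Ziften's code: it assumes a Linux endpoint, where each TCP flow in `/proc/net/tcp` carries a socket inode that can be matched to the process holding it. The connection table and file-descriptor snapshot are constructed samples.

```python
import re
import socket
import struct

# Constructed sample in the Linux /proc/net/tcp layout (IPv4, little-endian host).
PROC_NET_TCP = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 0100007F:0CEA 00000000:0000 0A 00000000:00000000 00:00000000 00000000   120        0 18083 1 0000000000000000 100 0 0 10 0
   1: 0A00000A:D431 077100CB:01BB 01 00000000:00000000 00:00000000 00000000  1000        0 52211 1 0000000000000000 20 4 30 10 -1
   2: 0A00000A:C350 6300000A:1F90 01 00000000:00000000 00:00000000 00000000  1000        0 52340 1 0000000000000000 20 4 30 10 -1
"""

# Constructed snapshot of /proc/<pid>/fd link targets: pid -> (comm, [targets]).
# On a live host these come from os.readlink() on each /proc/<pid>/fd entry.
FD_TABLE = {
    812: ("mysqld", ["socket:[18083]", "/var/lib/mysql/ibdata1"]),
    4410: ("firefox", ["/dev/null", "socket:[52211]"]),
}

TCP_STATES = {"01": "ESTABLISHED", "0A": "LISTEN"}


def endpoint(hex_addr):
    """Decode 'AABBCCDD:PPPP' (address in host byte order, port in hex)."""
    ip_hex, port_hex = hex_addr.split(":")
    ip = socket.inet_ntoa(struct.pack("<I", int(ip_hex, 16)))
    return f"{ip}:{int(port_hex, 16)}"


def parse_proc_net_tcp(text):
    conns = []
    for line in text.splitlines()[1:]:          # skip the header row
        f = line.split()
        if len(f) < 10:
            continue
        conns.append({"local": endpoint(f[1]), "remote": endpoint(f[2]),
                      "state": TCP_STATES.get(f[3], f[3]),
                      "uid": int(f[7]), "inode": int(f[9])})
    return conns


def attribute(conns, fd_table):
    """Join each flow to the process that holds its socket inode."""
    owner = {}
    for pid, (comm, targets) in fd_table.items():
        for target in targets:
            m = re.fullmatch(r"socket:\[(\d+)\]", target)
            if m:
                owner[int(m.group(1))] = (pid, comm)
    # Flows with no owner (process exited, or no permission to read its fds)
    # stay in the output with pid None so they can be reviewed.
    return [dict(c, pid=owner.get(c["inode"], (None, None))[0],
                 comm=owner.get(c["inode"], (None, "unattributed"))[1])
            for c in conns]
```

Only the metadata (endpoints, state, uid, pid, process name) is recorded, which is the low-overhead alternative to full packet capture that the paragraph describes.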