Monthly Archives: June 2015

The OMB Month Long Cyber Security Sprint Had 8 Principles So We Have Provided 8 Keys – Charles Leaver

Written By Dr Al Hartmann And Presented By Charles Leaver Ziften CEO


After the huge data breach at the Office of Management and Budget (OMB), Federal Chief Information Officer Tony Scott directed agencies to take immediate and specific actions over the following four weeks to further improve the security of their data and systems. For an organization this large it was a bold move, but the lessons of software development show that acting fast, or sprinting, can make a lot of headway on a problem in a short period of time. That is especially true for big organizations, and the OMB is definitely big.

The sprint focused on 8 principles. We have broken these down and offered insight on how each principle could be made more effective within the timeframe, to help the government make considerable inroads in only a month. As you would expect, we look at things from the endpoint, and by reading through the eight principles you will see why endpoint visibility is crucial to a successful sprint.

1. Securing data: Better secure data at rest and in transit.

This is a good start, and appropriately priority number one, but we would certainly encourage OMB to add the endpoint here. Many data security solutions forget the endpoint, yet it is where data is most vulnerable, whether at rest or in transit. The team needs to check whether they are able to examine endpoint software and hardware configuration, including the presence of any data security and system defense agents, and not forgetting Microsoft BitLocker configuration checking. And that is just the start: compliance checking of mandated agents must not be forgotten, and it must be carried out continuously, permitting audit reporting of the percentage coverage for each agent.

2. Improving situational awareness: Enhance indication and warning.

Situational awareness is similar to visibility: can you see exactly what is actually taking place, where, and why? And of course this needs to be in real time. While the sprint is taking place it should be validated that it is possible to identify and track logged-in users, user focus activities, user presence indicators, active processes, network contacts with process-level attribution, system stress levels, notable log events and a myriad of other activity indicators across many thousands of endpoints hosting huge oceans of processes. THIS is situational awareness for both indication and warning.

3. Increasing cyber security proficiency: Ensure a robust capability to hire and keep cyber security workers.

This is an obstacle for any security program. Finding excellent talent is difficult, and keeping it much more so. If you want to attract this type of skillset, convince them by offering the most recent tools for cyber war. Make certain that they have a system that offers complete visibility of exactly what is taking place at the endpoint and across the entire environment. As part of the sprint, the OMB should analyse the tools that are in place and check whether each tool changes the security team from the hunted to the hunter. If not, replace that tool.

4. Boost awareness: Improve overall threat awareness by all users.

Threat awareness begins with effective threat scoring, and thankfully this is something that can be achieved dynamically all the way to the endpoint, and it helps with the education of every user. User education is a challenge that is never finished, as proven by the high success rate of social engineering attacks. But when security teams have endpoint threat scoring they have concrete items to show users where and how they are vulnerable. This real-life situational awareness (see #2) improves user understanding, and it also provides the security team with exact details on, say, known software vulnerabilities, cases of compromised credentials and insider threats, while continuously monitoring system, user and application activity and network points of contact, so that security analytics can highlight elevated threats for security staff triage.

5. Standardizing and automating processes: Reduce time required to handle configurations and patch vulnerabilities.

More should be demanded from security solutions: that they are immediately deployable without tiresome preparation, infrastructure standup or substantial staff training. Did the solutions in place take longer than a couple of days to implement and require another full-time employee (FTE), or even half an FTE? If so, you need to reassess those solutions, because they are probably hard to use (see #3) and are not doing the job you require, so you will have to improve on the existing tools. Likewise, look for endpoint solutions that not only report software and hardware configurations and active services and processes, but also apply the National Vulnerability Database to report on the vulnerabilities actually running and exposed, and then assign an overall vulnerability rating to each endpoint to help overworked support staff prioritize patching.
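The per-endpoint vulnerability rating described above, as an added example (not Ziften's code): running software on each endpoint is matched against an NVD-style feed, and endpoints are ranked for patching. The feed, the CVE ids (placeholders), the CVSS scores and the rating formula are all assumptions constructed for this illustration.

```python
"""Per-endpoint vulnerability rating from running software and an NVD-style feed.

Added example, not Ziften's code. NVD_FEED is a constructed stand-in for
National Vulnerability Database records (placeholder CVE ids, made-up CVSS
scores); RUNNING maps endpoint -> (product, version) pairs observed running.
"""

# Constructed feed: product -> version -> list of (cve_id, cvss_base_score)
NVD_FEED = {
    "pdfreader": {
        "9.1": [("CVE-PLACEHOLDER-0001", 9.8), ("CVE-PLACEHOLDER-0002", 5.3)],
        "9.2": [],
    },
    "browser": {"40.0": [("CVE-PLACEHOLDER-0003", 7.5)], "41.0": []},
}

# Constructed endpoint inventory of software actually seen running
RUNNING = {
    "ep-01": [("pdfreader", "9.1"), ("browser", "41.0")],
    "ep-02": [("pdfreader", "9.2"), ("browser", "40.0")],
    "ep-03": [("browser", "41.0")],
}


def exposed_vulns(running_software, feed):
    """CVE records for software that is actually running on one endpoint."""
    found = []
    for product, version in running_software:
        found.extend(feed.get(product, {}).get(version, []))
    return found


def endpoint_rating(vulns):
    """Assumed rating: highest CVSS plus 0.1 per additional CVE, capped at 10."""
    if not vulns:
        return 0.0
    scores = sorted((score for _, score in vulns), reverse=True)
    return min(10.0, scores[0] + 0.1 * (len(scores) - 1))


def patch_priority(running, feed):
    """Endpoints ordered by rating, highest first, with their exposed CVE ids."""
    rows = []
    for endpoint, software in running.items():
        vulns = exposed_vulns(software, feed)
        rows.append((endpoint, round(endpoint_rating(vulns), 1), [c for c, _ in vulns]))
    rows.sort(key=lambda row: row[1], reverse=True)
    return rows


if __name__ == "__main__":
    for endpoint, rating, cves in patch_priority(RUNNING, NVD_FEED):
        print(f"{endpoint}: rating {rating} exposed {cves}")
```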

6. Controlling, containing and recovering from events: Contain malware proliferation, privilege escalation, and lateral movement. Quickly determine and resolve events and incidents.

Fast identification of and response to problems is the main objective in the new world of cyber security. During their 30-day sprint, OMB needs to evaluate their solutions and make sure to find technologies that not only monitor the endpoint, but track every process that runs and all of its network contacts, including user login attempts, to facilitate tracking of malicious software proliferation and lateral network movement. Data derived from the endpoint command and control (C2) accesses associated with major data breaches shows that about half of compromised endpoints do not host recognizable malware, heightening the importance of login and contact activity. Appropriate endpoint security will retain OMB data for long-term analysis, considering that many indicators of compromise appear only after the event, and sometimes long afterwards, while persistent attackers may silently lurk or remain dormant for extended periods of time. Attack code that can be sandbox-detonated and identified within minutes is not the mark of sophisticated attackers. The ability to keep clues and connect the dots across both spatial and temporal dimensions is necessary for full identification and total, non-recidivist resolution.

7. Reinforcing systems lifecycle security: Increase intrinsic security of platforms by purchasing more secure systems and retiring traditional systems in a timely way.

This is a worthy objective, and a massive challenge at a large organization such as OMB. This is another place where the right endpoint visibility can instantly determine and report endpoint software and hardware configurations, operating system SKUs and patch levels, system stress levels, endpoint incidents (such as application crashes or hangs, service failures, or system crashes), and other indications of endpoints outlasting their useful or safe service lives. Now you have a full inventory that you can prioritize for retirement and replacement.

8. Minimizing attack surfaces: Decrease the complexity and quantity of things defenders have to protect.

If numbers 1 through 7 are completed, and the endpoint is properly considered, this will be a huge step in reducing the attack threat. In addition, however, endpoint security can also offer a picture of the real attack surface. Consider the ability to quantify attack surface based on the number of distinct binary images exposed across the whole endpoint population. For instance, our ‘Ziften Pareto analysis’ of binary image prevalence statistics produces a typical “ski slope” distribution, with a long thin distribution tail indicating vast numbers of very unusual binary images (present on less than 0.1% of total endpoints). Ziften identifies attack surface bloat factors, including application sprawl and version proliferation (which also worsens vulnerability lifecycle management). Data from many client deployments reveals outright bloat factors of 5-10X compared to a tightly managed and disciplined endpoint population. Such lax endpoint management and bloated attack surfaces produce a target-rich attackers’ paradise.
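The binary image prevalence analysis described above, as an added example (not Ziften's code): it computes the prevalence of each binary image across an endpoint population, extracts the rare tail and a bloat factor against a tightly managed baseline. The inventory, the placeholder hashes and the baseline count are constructed; the tail threshold is a parameter, so the page's 0.1% figure would be `0.001` on a real population.

```python
"""Binary-image prevalence (Pareto) analysis across an endpoint inventory.

Added example, not Ziften's code. The inventory is shaped as
{endpoint_id: {binary_image_hash, ...}}; the sample data, hash placeholders
and baseline count below are constructed for this illustration.
"""
from collections import Counter

# Constructed inventory: five endpoints and the binary images seen on each
INVENTORY = {
    "ep-01": {"h_os_core", "h_browser", "h_agent", "h_rare_a"},
    "ep-02": {"h_os_core", "h_browser", "h_agent"},
    "ep-03": {"h_os_core", "h_browser", "h_agent", "h_rare_b", "h_old_pdf"},
    "ep-04": {"h_os_core", "h_browser", "h_agent", "h_old_pdf"},
    "ep-05": {"h_os_core", "h_browser", "h_rare_c"},
}


def prevalence(inventory):
    """Return {binary_hash: fraction of endpoints on which it is present}."""
    counts = Counter()
    for binaries in inventory.values():
        counts.update(binaries)
    total = len(inventory)
    return {h: n / total for h, n in counts.items()}


def ski_slope(prev):
    """Prevalence values sorted descending: the 'ski slope' curve."""
    return sorted(prev.values(), reverse=True)


def rare_binaries(prev, threshold):
    """Images in the distribution tail: prevalence at or below threshold."""
    return sorted(h for h, p in prev.items() if p <= threshold)


def bloat_factor(prev, baseline_distinct):
    """Distinct images observed relative to a tightly managed baseline count."""
    return len(prev) / baseline_distinct


def attack_surface_report(inventory, threshold, baseline_distinct):
    """Summary a defender would review: distinct images, tail size, bloat."""
    prev = prevalence(inventory)
    tail = rare_binaries(prev, threshold)
    return {
        "distinct_images": len(prev),
        "rare_images": tail,
        "bloat_factor": round(bloat_factor(prev, baseline_distinct), 2),
    }


if __name__ == "__main__":
    print(ski_slope(prevalence(INVENTORY)))
    print(attack_surface_report(INVENTORY, threshold=0.2, baseline_distinct=3))
```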

The OMB sprint is a great reminder to all of us that good things can be achieved rapidly, but that it takes vision, not to mention visibility. Visibility, down to the endpoint, will be a critical piece for OMB to consider as part of their 30-day sprint.


Now That The Costs Of Data Breaches Have Risen Again The Third Reason May Surprise You – Charles Leaver

Written by Patrick Kilgore presented by Charles Leaver CEO Ziften.



Recently two significant reports were released that marked big anniversaries. On the one hand, we saw the Mary Meeker 20th annual Internet report. Meeker led some of the original market analysis of the Internet many years ago, and this report marked her 20 years of influencing viewpoints on the Internet. And 10 years after Meeker’s first observations on the Internet came the first study of data breach costs by the Ponemon Institute.

Just 10 years after the beginning of the Internet it was revealed that there is an ugly downside to the service that supplies such significant advantages to our organizations and our lives. Today there are more annual research studies released about data breaches than about the Internet itself. Recently we spent hours examining and digesting two of the most significant data breach reports in the industry: the Ponemon report already cited and the now extremely prominent Verizon DBIR (the report is important enough to simply use an acronym).

There were intersections between the two reports, but the Verizon report deserves credit because if you have been able to do anything in security for 10 years, you must be doing something right. There are lots of intriguing stats in the report, but the factors behind the skyrocketing overall cost of data breaches were of most interest to us.

The Ponemon studies have revealed three drivers behind the increased cost of a breach. The first is that cyber attacks have increased in number, and this has correlated with higher costs to remediate these attacks. An increased per capita cost from $159 to $170 year on year has been cited. That is a 5% jump, from 42% to 47%, of the overall root causes of a breach. Also, lost business as a result of a data breach has increased. In the aggregate, this increased from $1.33M to $1.57M in 2015. The reasons are abnormal customer turnover, increased customer acquisition activity, and the loss of goodwill that arises from being the target of a malicious attack. However, the most fascinating reason given is that data breach costs associated with detection and escalation have increased.

These costs consist of investigations and forensics, crisis team management, and audits and assessments. The trend now appears to be gathering pace at just shy of a massive $1 billion. Organizations are only now beginning to deploy the solutions needed to continuously monitor the endpoint and offer a clear picture of the origin and complete effect of a breach.

Organizations not only need to monitor the proliferation of devices in a BYOD world, but also aim to make better use of the security resources they have already invested in, to reduce the cost of these investigations. Threats need to be halted in real time, rather than identified retrospectively.

“Avoidance might not be possible in the world we live in. With harmful threats ending up being increasingly common, companies will need to develop their M.O. beyond standard AV services and look to the endpoint for complete protection,” stated Larry Ponemon in his webcast with IBM.

Charles Leaver – The Risk Of Data Loss Is Increased By BYOD Employee Sharing And Passwords

Written By Ziften Technologies CEO Charles Leaver

If your company has implemented a bring your own device (BYOD) policy, then you are putting yourself at increased risk of cyber criminal activity and the loss of your data, because the devices will generally have insufficient control and endpoint security in place. With mobile devices, staff typically access consumer cloud services and use password practices that are not secure enough, and this represents a big portion of the risk related to BYOD. Using endpoint software that supplies visibility into exactly what is running on a device can help IT departments understand and resolve their vulnerabilities.

BYOD is a common way for executives and employees to access sensitive business data on their personal tablets, laptops and mobile phones. A ZDNet study revealed that practically 9 out of 10 companies in Australia had granted a number of their senior IT employees access to important company information through their own BYOD devices, and 57% asserted that they had provided it to at least 80% of their leadership. For less privileged personnel and new hires, the proportion granted BYOD access was still as high as 64%. These workers were not granted access to financial information, though.

With the number of BYOD devices growing, a great many organizations have not implemented the right endpoint management techniques to make their increasingly mobile workflows secure. Practically 50% of the participants stated that their organizations had no BYOD policies, and just 17% confirmed that their practices were ISO 27001 accredited.

Safe BYOD Is Probably At Most Risk From Passwords

Among companies that had taken steps to secure BYOD, the application of password and acceptable use policies was the most common. However, passwords may represent an important and unique vulnerability in the application of BYOD, because users often reuse the same passwords and they are not strong enough. While companies with a BYOD policy will definitely increase the risk of a hacker attack, there may be an even higher threat which is internal, stated former Federal Trade Commission executive Paul Luehr in an interview with CIO Magazine’s Tom Kaneshige.

Luehr told Kaneshige, “the most common method BYOD policies affect data security and breaches is in the cross-pollination of passwords. An individual is most likely using the same or very comparable password as the one they use on their home devices.”

Luehr noted that disgruntled workers, who will frequently leak essential data once they have been let go, are prime risks for companies that have permitted BYOD. Because of BYOD the distinction between work and home is disappearing, and risky behavior such as using social networks on business networks is being practiced by some staff, and this can be a step towards eventually sharing sensitive details, either wilfully or carelessly, using cloud services. The productivity gains that are made with BYOD have to be protected with the implementation of comprehensive endpoint security.