Monthly Archives: July 2015

In Cyber Security’s Third Phase People Not Technology Are The Focus – Charles Leaver

Written By Kyle Flaherty And Presented By Charles Leaver Ziften CEO

The effect of cyber attacks on companies is often easy to quantify, and vendors of technology solutions (Ziften included) are constantly flaunting statistics to show that you need to buy their latest software. But one statistic is really stunning:

In The Previous Year Cyber Crime Cost Businesses $445 Billion And Cost 350,000 People Their Employment.

The financial losses are easy to take on board, even though the amount is substantial. But the second part is worrying for everyone involved in cyber security: individuals are losing their jobs because of what is happening with cyber security. The circumstances surrounding these job losses are unknown, and some may have deserved it if they were negligent. But the most intriguing thing is that it is well understood that there is a shortage of skilled individuals who are able to fight these cyber attacks.

While people are losing their positions there is also a demand for more skilled people to counter the ever increasing threat of cyber attacks. There is no argument that more people are required, and that they have to be more skilled, to win this war. But it is not going to happen today, tomorrow or even this year. And while it would be fantastic if a truce could be negotiated with the cyber attackers until these resources are available, the truth is that the battle has to go on. So how do you win this war?

Utilize Technology To Enable, Not Disable

For several years now vendors of security tech have been offering technology to “prevent and obstruct” cyber attacks. Then the suppliers would return afterwards to offer the “next generation” solution for preventing and stopping cyber attacks. And after that a couple of years later they were back once again to sell the most recent technology which focussed on “security analytics”, “risk intelligence” and “operational insight”.

In every case businesses acquired the latest technology and then had to add professional services or even an FTE to operate it. Naturally each time it took a significant amount of time to get up to speed with the new technology, for a team that was already experiencing high turnover because of the competitive nature of the cyber market. And while all this was going on the attacks were becoming more relentless, more advanced, and more routine.

It’s About People Utilizing Technology, Not The Other Way Around

The problem is that all of the CISOs were focused on the technology first. These organizations followed the classic model of seeing a problem and developing technology that could plug that hole. If you think of a firewall, it literally constructs a wall within technology, using technology. Even the SIEM technology these companies had installed was focused mostly on the connectors from their system into other systems, collecting all those details into one place. But what they ended up with was just one more place to look, because the technology-centric minds had forgotten an important element: the people involved.

People are constantly good at innovating when faced with risk. It’s a biological thing. In cyber security today we are seeing the 3rd phase of development, and it is focused on individuals:

Phase 1: Prevent by building walls
Phase 2: Detect by constructing walls and moats
Phase 3: View, inspect, and react by examining user habits

The reason that this has to be focused on people is not just the skill shortage, but the fact that individuals are truly the issue. People are the cyber hackers, and also the ones putting your organization at risk at the endpoint. The technologies that are going to win this fight, or at least enable survival, are the ones built not only to boost the abilities of the individual on the other side of that keyboard, but also to focus on the behaviors of the users themselves, and not merely on the technologies.


You Need Visibility Down To The Endpoint So Watch This Webinar – Charles Leaver

Written By Josh Applebaum And Presented By Charles Leaver CEO Ziften Technologies


These days security threats and attack vectors are continuously evolving, and organizations have to be more vigilant when it comes to monitoring their network infrastructure. The network perimeter and the infrastructure security are often challenged because there is no visibility of endpoint devices.

Visibility Of Endpoint Devices Is Now More Crucial Than Ever.

We hosted a webinar with our partner Lancope called “Extending Network Visibility: Down to the Endpoint.” The aim of this webinar was to show security specialists how extra visibility and context into network activity can be achieved, how current security systems (NetFlow, firewall, SIEM, threat intelligence) can be improved, and how incident response can be enhanced by getting real time and historical data from the endpoint. A shared customer joined the webinar and provided real world insights into how to use security assets so that you can stay in front of external and insider threats.

Many of you will not have been able to participate in the live event, so we have decided to share the on demand version here on the Ziften blog. Feedback is welcome and we would be delighted to connect with you to discuss it in more detail.

Charles Leaver – The Best Technical Approach To Client Management By Ziften

Written By Dr Al Hartmann And Presented By Charles Leaver Ziften CEO


There has traditionally been an absence of visibility on Windows clients into the applications that are running and the resources that are being used. There are good tools in existence to monitor the server infrastructure and the network, but the client has always been the weakest element. This is why vendors such as Ziften have pioneered a new class of solutions targeted at managing the security and efficiency of clients in the enterprise, called enterprise client management. From a technical standpoint, in order to collect the huge amount of information available within Windows that is required to supply visibility of the client, there were two alternative approaches that needed consideration. We could have developed custom driver code or used the standard Windows APIs.

The development of driver code is regarded as a last resort because there are some well known issues:

An in depth understanding of the Windows kernel data structures and coding conventions is needed for driver development

Driver incompatibilities can exist even with the tiniest of system changes, for example with the month-to-month patch updates from Microsoft

A disastrous system crash can take place if there is a driver code issue

Third party driver code triggers most of the instabilities in Windows

Any solution that uses low level drivers in its agents does not use the standard Windows interfaces and will “take control” from Windows. This can create chaos with the OS of the desktops under management. If a driver fails it can crash the system, and there is also an increased security risk because these drivers run at kernel level. “Anything a user can do that causes a driver to malfunction in such a way that it causes the system to crash or become unusable is a security defect. When most coders are working on their driver, their focus is on getting the driver to work properly and not whether a harmful intruder will try to make use of holes within the system” said Microsoft about driver security.

So Ziften took the approach of building our solution on the standard Windows interfaces, which has the following benefits:

Higher resilience to Windows updates and changes that would otherwise be likely to require driver modifications

Driver conflicts that can lead to system crashes (Blue Screen of Death) are eliminated.

The possibility of coding errors that impact system performance through the kernel interface is minimized.


You Must Manage The Security Risks With BYOD – Charles Leaver

Written By Dr Al Hartmann And Presented By Charles Leaver Ziften CEO

If you are not interested in BYOD then your users, especially your executive users, most likely will be. Users want to be the most productive with the least effort. Their main goal is to use the most convenient, fastest, most familiar and comfortable device to do their work. They also prefer the convenience of using one device for both their work and personal activities.

The issue is that security and ease-of-use are diametrically opposed. The IT department would generally prefer total ownership and control over all client endpoints. IT can disable admin rights, and the client endpoint can be managed to a degree, such as allowing only authorized applications to be installed. Even the hardware can be limited to a particular footprint, making it simpler for IT to protect and control.

However the control of their devices is what BYOD supporters are fighting against. They want to choose their hardware, apps and OS, and also have the freedom to install anything they like, whenever they like.

This is tough enough for the IT security team, but BYOD can also greatly increase the number of devices accessing the network. Instead of a single desktop, with BYOD a user may have a desktop, laptop, mobile phone and tablet. This is an attack surface gone wild! Then there is the problem of smaller devices being lost or stolen, or perhaps left in a bar under a cocktail napkin.

So what exactly do IT professionals do about this? The first thing to do is to develop situational awareness of “trusted” client endpoints. With its minimalist and driverless agent, Ziften can offer visibility into the applications, versions, user activity and security/compliance software that is really running on the endpoint. You can then restrict by enforceable policy what application, business network and data interaction can be carried out on all other (“untrusted”) devices.

Client endpoints will usually develop security issues, for example versions of applications that are susceptible to attack, potentially harmful processes, and disabled endpoint security measures. With the Ziften agent you will be made aware of these issues and can then take corrective action with your existing system management tools.

Your users have to accept the truth that devices that are untrusted and too risky should not be used to access company networks, data and apps. Client endpoints and users are the source of many harmful exploits. There is no magic in existing technology that will make it safe to access crucial corporate assets from a device that is out of control.


If You Want To Know Where Your IT Endpoint Is Hurting Then The Lightweight Ziften Agent Can Tell You – Charles Leaver

Written by Dr Al Hartmann and presented by Ziften CEO Charles Leaver

It would be terrific if your IT client endpoints could tell you that they are sick, instead of you receiving unwelcome calls from dissatisfied IT users, wouldn’t it? The truth is that IT clients cannot tell you when something is amiss. Many IT people may disagree with the need for situational awareness, but you truly need it for your endpoints. The Ziften solution makes this possible:

With Ziften there is a minimalist, driverless agent. This differs from standard systems management or security agents, and the Ziften package is really lightweight (around a 1-2MB MSI package). But don’t let the small size fool you: it provides the performance management headroom and effectiveness to achieve more on IT endpoints, which keeps users happy and working. The Ziften agent can be compared with light beer: “Great taste, less filling.”

The Ziften agent also monitors and reports on other deployed agents if they interfere excessively with foreground tasks.

With the Ziften agent you receive other benefits that an agentless approach cannot match. It can:

Supply real time response to dynamic events on the endpoint. If no agent is present then regular polling is needed, which means that endpoint events are reported on a cadence after they have happened and not in real time.

The Ziften agent can adaptively throttle interfering processes. As an example, if a backup program is causing excessive interference with user performance, the backup program can be slowed down in favor of user productivity.

It will alert on the failure of important services such as antivirus, backup, firewall software and systems management. It is true that an agentless approach could also do this, but it would not alert in real time, so it is not as effective.

The Ziften Agent will alert on severe security incidents that are identified at the client endpoint in real time.

It will recognize activity and user presence. With the Ziften agent, user presence can be detected by observing the last keyboard and mouse use. It also uses the window proxy to determine which window is in the foreground and which are in the background. With this information, the Ziften agent can determine which application licenses are really being used across the company.

If no agent is present then it is not possible to monitor and control the endpoint when it is off the network. The Ziften agent can monitor off network endpoints and report cached observations when the endpoint reconnects. This removes off network blind spots in monitoring coverage. Likewise, the Ziften agent is able to enforce policy even while disconnected.

The Ziften agent also minimizes the network traffic load between client endpoints and the management server. It achieves this by abstracting, filtering, summarizing and encoding time series observations.

So with the Ziften agent your endpoint clients can “inform you where it hurts”.
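The presence and foreground window observations described above can be made entirely from user mode, with no kernel driver, which is the point of the driverless approach. The following is an added illustration, not Ziften's agent code: it assumes Windows PowerShell 5.1 or later in an interactive session, and uses only documented user32.dll calls (GetLastInputInfo, GetForegroundWindow, GetWindowText, GetWindowThreadProcessId) to credit foreground time to an application only while a user is actually present.

```powershell
# Added example, not Ziften code: user presence and foreground-application sampling
# using only user-mode Win32 APIs (no kernel driver), as a driverless agent could.
Add-Type -TypeDefinition @"
using System;
using System.Runtime.InteropServices;
using System.Text;
[StructLayout(LayoutKind.Sequential)]
public struct LASTINPUTINFO { public uint cbSize; public uint dwTime; }
public static class Win32Presence {
    [DllImport("user32.dll")] public static extern bool GetLastInputInfo(ref LASTINPUTINFO plii);
    [DllImport("user32.dll")] public static extern IntPtr GetForegroundWindow();
    [DllImport("user32.dll", CharSet = CharSet.Unicode)]
    public static extern int GetWindowText(IntPtr hWnd, StringBuilder text, int count);
    [DllImport("user32.dll")] public static extern uint GetWindowThreadProcessId(IntPtr hWnd, out uint pid);
}
"@

function Get-IdleSeconds {
    # Seconds since the last keyboard or mouse input in this interactive session.
    $lii = New-Object LASTINPUTINFO
    $lii.cbSize = [System.Runtime.InteropServices.Marshal]::SizeOf([type]'LASTINPUTINFO')
    [void][Win32Presence]::GetLastInputInfo([ref]$lii)
    # Both tick values are 32-bit milliseconds since boot; the mask handles wraparound.
    $now = [BitConverter]::ToUInt32([BitConverter]::GetBytes([Environment]::TickCount), 0)
    $elapsedMs = ($now - $lii.dwTime) -band 4294967295
    return $elapsedMs / 1000
}

function Get-ForegroundApp {
    # Process name and window title of the window the user is actually looking at.
    $hwnd = [Win32Presence]::GetForegroundWindow()
    $title = New-Object System.Text.StringBuilder 512
    [void][Win32Presence]::GetWindowText($hwnd, $title, $title.Capacity)
    [uint32]$procId = 0
    [void][Win32Presence]::GetWindowThreadProcessId($hwnd, [ref]$procId)
    $proc = Get-Process -Id $procId -ErrorAction SilentlyContinue
    [pscustomobject]@{ Process = $proc.ProcessName; Title = $title.ToString(); Pid = $procId }
}

# Sample every $Interval seconds for $Samples rounds (values chosen for this example);
# credit foreground time to an app only while a user is present (idle < $IdleThreshold s).
$Interval = 5; $Samples = 60; $IdleThreshold = 300
$usage = @{}
for ($i = 0; $i -lt $Samples; $i++) {
    if ((Get-IdleSeconds) -lt $IdleThreshold) {
        $app = Get-ForegroundApp
        if ($app.Process) { $usage[$app.Process] += $Interval }
    }
    Start-Sleep -Seconds $Interval
}
# Seconds of attended foreground use per process: the raw input for a license-use report.
$usage.GetEnumerator() | Sort-Object Value -Descending | Format-Table Name, Value -AutoSize
```

A real agent would run this as a service with a session hook rather than an interactive loop, and would ship the summarized counts to the management server rather than printing them.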