Monthly Archives: October 2015

The Internet Of Things Will Present You With Even More Security Challenges – Charles Leaver

Written By David Shefter And Presented By Ziften CEO Charles Leaver

We now live in the world of the Internet of Things (IoT), and the number of cyber threats and attacks is growing along with it. As deployments mature, new vulnerabilities keep appearing.

Symantec released a report this spring that evaluated 50 smart home devices and found that “none of the evaluated devices offered mutual authentication between the client and the server.” Earlier this summer, researchers demonstrated that they could remotely take control of a Jeep while it was driving on the highway, first manipulating the radio, windshield wipers and air conditioning, and finally cutting the transmission.

Historically, makers of toys, tools, home appliances and vehicles have not had to defend against external, network-borne threats. The same is true of makers of medical devices, elevators, HVAC, electrical and plumbing infrastructure components, all of which are likely to be Internet-connected in the coming years, and none of which have always been built with security in mind.

As we all know, it is hard enough to secure PCs, mobile phones, servers and the network itself, all of which have been through years of security monitoring, evaluation and assessment. How do you secure the alarms, consumer electronics and home devices that seem to appear daily?

To begin, one must define where the security controls will live: in hardware, in software, on the network, or in all three.

Solutions such as Ziften listen to the network from the device’s point of view and use machine learning to establish normal patterns and scan for anomalies. Ziften also offers a global threat analytics platform (the Ziften KnowledgeCloud), which draws on feeds from a range of sources and today allows evaluation of tens of millions of endpoint, binary and hash (MD5) data points.

Deploying agent software onto every IoT device will be a challenge: many of them use FPGA- or ASIC-based designs as their control platform, embedded in everything from drones to automobiles to industrial and SCADA control systems. A great many run on microcontrollers with no general-purpose operating system or x86-class processor, and with too little memory to host modern security software. In the IoT world, every additional modification introduces risk and a visibility gap that strains even the most robust solutions.

Solutions for the IoT space therefore need a multi-pronged approach at the endpoint, encompassing the desktops, laptops and servers already on the network. At Ziften we currently deliver collectors for Windows, Linux and OS X, covering the core desktop, server and network infrastructure that holds the intellectual property and assets attackers are after. After all, the attackers do not really want anything from the company refrigerator; they want to use it as a foothold on the path to where the valuable data resides.

There is a second approach we deliver that can help with many current problems: scanning for anomalies at the network level. It is commonly estimated that around 30% of the devices connected to a corporate network are unidentified IP addresses, and IoT trends will likely double that number over the next 10 years. This is one reason that connecting a device is not always an obvious choice.

As more devices connect to the Internet, more attack surface emerges, and the resulting breaches can be far more harmful than those in e-mail, financial, retail and insurance systems; some could even pose a danger to public safety. Protecting the IoT has to draw on the lessons of conventional enterprise IT security and provide multiple integrated layers, giving end-to-end robustness and the ability to prevent and detect threats at every level of the emerging IoT value chain. Ziften can help from a wide variety of angles, today and tomorrow.


Charles Leaver – Ziften ZFlow Will Shine A Bright Light On Your Security Blind Spots

Written By Andy Wilson And Presented By Charles Leaver CEO Ziften



Over the past few years, many IT organizations have adopted NetFlow telemetry (network connection metadata) to improve their security posture. There are several reasons for this: NetFlow is relatively inexpensive compared with full packet capture; it is easy to collect, since most Layer 3 network devices support NetFlow or its IETF-standardized successor, IPFIX; and it is easy to analyze with free or commercial software. NetFlow helps remove blind spots in the architecture and gives much-needed visibility into what is actually happening on the network, both internally and at the perimeter. Flow data can also support early detection of attacks (DoS and APT/malware activity) and can be used for baselining and anomaly detection.

NetFlow can supply insight where little or no visibility exists. Most organizations collect flows at the core, WAN and Internet layers of their networks. Depending on the routing design, localized traffic may not be represented at all: LAN-to-LAN activity, local broadcast traffic, and east-west traffic inside the data center. Most organizations do not route all the way down to the access layer and are therefore blind, to some extent, in that segment of the network.



Full packet capture in this part of the network is still rarely feasible, for a variety of reasons. The answer is endpoint-based NetFlow, which restores visibility and adds valuable context to the flows already being collected from the network. Ziften ZFlow telemetry originates on the endpoint (desktop, laptop or server), so it does not depend on the network infrastructure to generate it. ZFlow supplies the traditional OSI Layer 3/4 data, source and destination IP addresses and ports, but also adds context that lives above the network stack: the executable responsible for the socket, its MD5 hash, PID and file path, the user who launched it, and whether it was running in the foreground or the background. These are details that network-based flows simply cannot provide.



This additional context can dramatically reduce false positives and gives analysts, SOC staff and incident handlers the data they need to quickly assess the nature of the traffic and decide whether it is malicious or benign. Used together with network-based alerts (firewall, IDS/IPS, web proxies and gateways), ZFlow can sharply reduce the time it takes to work through a security event. And we know that time to detect malicious behavior is a key factor in how damaging an attack becomes. Dwell times have fallen in recent years but are still at unacceptable levels, currently over 230 days during which an attacker can move unnoticed through your network harvesting your most important data.

Below is a screenshot showing a port 80 connection to an external Internet address. What network-based tools would miss about this connection is that it was not initiated by a web browser but by Windows PowerShell. Another interesting data point is that the connection was started by the System account rather than the logged-in user. Both facts should grab a security analyst’s attention: this is not a false positive, and it warrants deeper investigation (at which point the analyst can pivot into the Ziften console and look deeper into that system’s behavior, including which actions or binaries ran before and after the connection, process history, network activity and more).
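To make the triage logic concrete, here is an added example (not Ziften’s code or ZFlow’s schema) that joins network-side flow records with endpoint-side socket attribution on the 5-tuple and then applies the two checks from the screenshot: a web port used by something other than a browser, and a socket owned by SYSTEM rather than the logged-in user. Field names, hosts, addresses, hashes and all records are constructed for illustration.

```python
# Added example: correlate network flows with endpoint process/user context.
# Not Ziften code; record layouts and sample data are constructed assumptions.
from dataclasses import dataclass
from typing import List, Optional, Tuple

BROWSERS = {"chrome.exe", "firefox.exe", "iexplore.exe", "msedge.exe"}
WEB_PORTS = {80, 443}
SYSTEM_ACCOUNTS = {"SYSTEM", "NT AUTHORITY\\SYSTEM"}


@dataclass(frozen=True)
class NetFlow:
    """What a router or switch exporter (NetFlow/IPFIX) can tell you: L3/L4 only."""
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    proto: str
    bytes_out: int


@dataclass(frozen=True)
class EndpointFlow:
    """Endpoint-originated flow: the same 5-tuple plus process and user context."""
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    proto: str
    exe_name: str
    exe_path: str
    md5: str
    pid: int
    user: str
    foreground: bool


def five_tuple(rec) -> Tuple[str, int, str, int, str]:
    return (rec.src_ip, rec.src_port, rec.dst_ip, rec.dst_port, rec.proto)


def correlate(net_flows: List[NetFlow], ep_flows: List[EndpointFlow]):
    """Attach the matching endpoint record (if any) to each network flow."""
    by_tuple = {five_tuple(e): e for e in ep_flows}
    return [(n, by_tuple.get(five_tuple(n))) for n in net_flows]


def triage(net: NetFlow, ep: Optional[EndpointFlow]) -> List[str]:
    """Reasons this connection deserves analyst attention; empty means it looks benign."""
    if ep is None:
        # The network saw a flow no collector claimed: unmanaged host or coverage gap.
        return ["no endpoint attribution for this 5-tuple"]
    reasons = []
    if net.dst_port in WEB_PORTS and ep.exe_name.lower() not in BROWSERS:
        reasons.append(f"web port {net.dst_port} used by non-browser {ep.exe_name}")
    if ep.user.upper() in SYSTEM_ACCOUNTS:
        reasons.append("socket owned by SYSTEM rather than the logged-in user")
    if not ep.foreground and net.bytes_out > 1_000_000:
        reasons.append(f"{net.bytes_out} bytes sent by a background process")
    return reasons


def find_suspicious(net_flows, ep_flows):
    """Return (5-tuple, executable, reasons) for every flow with at least one reason."""
    findings = []
    for net, ep in correlate(net_flows, ep_flows):
        reasons = triage(net, ep)
        if reasons:
            findings.append((five_tuple(net), ep.exe_name if ep else None, reasons))
    return findings


# Constructed sample: three flows seen by the network, two of them claimed by an endpoint.
SAMPLE_NET = [
    NetFlow("10.1.2.3", 49152, "203.0.113.10", 80, "tcp", 4200),
    NetFlow("10.1.2.3", 49153, "203.0.113.10", 80, "tcp", 1500),
    NetFlow("10.1.2.9", 50000, "198.51.100.5", 443, "tcp", 900),
]
SAMPLE_EP = [
    EndpointFlow("10.1.2.3", 49152, "203.0.113.10", 80, "tcp", "chrome.exe",
                 r"C:\Program Files\Google\Chrome\Application\chrome.exe",
                 "0" * 32, 4120, "CORP\\alice", True),          # placeholder MD5
    EndpointFlow("10.1.2.3", 49153, "203.0.113.10", 80, "tcp", "powershell.exe",
                 r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
                 "1" * 32, 7788, "NT AUTHORITY\\SYSTEM", False),  # placeholder MD5
]

if __name__ == "__main__":
    for tup, exe, reasons in find_suspicious(SAMPLE_NET, SAMPLE_EP):
        print(tup, exe, "->", "; ".join(reasons))
```

The browser flow produces no reasons, the PowerShell flow produces two, and the third flow is flagged only because nothing on the endpoint side claimed it, which is itself worth knowing: an unmatched 5-tuple points at a host without a collector. In practice the MD5 and path fields are what you pivot on next (known-good hash for that executable name, expected install location).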




Ziften’s ZFlow shines a light on security blind spots and supplies the additional endpoint context of process, application and user attribution, helping security staff better understand what is really happening in their environment. Combined with network-based events, ZFlow can substantially reduce the time it takes to investigate and respond to security alerts and materially improve an organization’s security posture.


Why A New Path For Endpoint Security Has To Be Taken As Prevention And Blocking Are Not Enough – Charles Leaver

Written By Josh Harriman And Presented By Charles Leaver Ziften CEO

Conventional endpoint security products, some of which have been around for over 20 years, rely heavily on the same defensive approaches year after year. Although there is constant development and real effort to improve, the underlying problem remains: threats will always find a way into your organization. And in most cases you have to wait until your deployed product finally detects the threat before you can even begin to assess the damage and try to prevent a recurrence (once you have gathered all the relevant information to make that decision, of course). Another downside is that these products often impose a heavy performance burden on the very device they are protecting, which leads to unhappy end users and further problems with manageability and reliability.

This post is not about abandoning your current product, but about strengthening and empowering your overall security posture. Organizations need to move toward systems that provide continuous monitoring and complete visibility of all activity across their endpoint population. Blocking or preventing known malware from running is obviously important, but it lacks the overall coverage required in today’s threat landscape. The ability to run deeper forensics on current events, and often more importantly on past events, is really only possible with systems that monitor continuously. That history is crucial in assessing damage and understanding the scope of an infection within your organization.

This, of course, has to be done efficiently and with a limited amount of system overhead.

Just as there are many products in the traditional endpoint security space, a new league of vendors is emerging at this crucial stage of the evolution. Most of these companies employ people from the ‘old guard’ who understand that a new vision is required as the threat landscape keeps changing. Reporting and alerting only on known-bad things misses the point entirely. You MUST look at everything, everyone, and all behaviors and actions to give yourself the best chance of responding quickly and thoroughly to threats within your organization.

By using systems in this “New Path of Endpoint Security” category, Security Operations and Incident Response teams gain the visibility they have long been craving. We hear this constantly from our customers and prospects, and we are doing our utmost to deliver the systems that help protect everyone.


When You Use The Ziften App For Splunk You Can Easily Find Superfish – Charles Leaver

Written By Ryan Hollman And Presented By Charles Leaver CEO Ziften

Background: Lenovo admitted to pre-installing the Superfish adware on some consumer PCs, and unhappy customers are now taking the company to court over it, PCWorld reported. A proposed class action lawsuit was filed late last week against Lenovo and Superfish, charging both companies with “deceitful” business practices and with making Lenovo PCs vulnerable to man-in-the-middle attacks by pre-loading the adware (Superfish installs its own root certificate, with a private key shared across every affected machine, so that it can intercept HTTPS traffic).

Having trouble finding Superfish across your enterprise? With the Ziften App for Splunk you can find infected endpoints with a simple Splunk search. Just search your Ziften data and filter for the keyword “superfish”. The query is:

index=ziften superfish




The following image shows the results you would see in the Ziften App for Splunk if systems were infected. In this case, we identified several systems infected with Superfish.




The results above also reference the binary VisualDiscovery.exe. As it turns out, this is the core process responsible for the infection. Along with the Superfish root certificate and the VisualDiscovery.exe binary, the software also writes the following to the system:

A registry entry in:


INI and log files in:

%SystemRoot%\SysWOW64\VisualDiscovery.ini
%SystemRoot%\SysWOW64\VisualDiscoveryOff.ini
%SystemRoot%\System32\VisualDiscoveryOff.ini
%TEMP%\VisualDiscoveryr.log

Manual detection of Superfish can also be done directly on an endpoint from PowerShell with the following (the search walks every certificate store, so it catches the root certificate wherever it was installed):

Get-ChildItem Cert:\ -Recurse | Where-Object Subject -match "superfish"

If the system is infected with Superfish you will see results like the following image. If the system is clean, nothing is returned.





Some analysts have stated that you can remove Superfish simply by deleting the root certificate shown above with a PowerShell command such as:

Get-ChildItem Cert:\ -Recurse | Where-Object Subject -match "superfish" | Remove-Item

This removal does not survive a reboot. Deleting only the root certificate is not enough, because VisualDiscovery.exe reinstalls the certificate after the system restarts; the binary and its persistence have to be removed as well, and the certificate search above should be re-run after a reboot to confirm it stayed gone.

The simplest way to remove Superfish from your system is to update Microsoft’s built-in antivirus product, Windows Defender. Shortly after Superfish became public knowledge, Microsoft updated Windows Defender to detect and remediate it.

Other removal methods exist, but updating Windows Defender is by far the simplest.


You Need To Look For These 5 Top User Endpoint Activities – Charles Leaver

Written By Dr Al Hartmann And Presented By Ziften CEO Charles Leaver

Traditional security software is unlikely to detect attacks targeted at a specific organization. The attack code will most likely be remixed to evade known malware signatures, and fresh command-and-control infrastructure will be stood up to evade blacklisted network contacts. Resisting these fresh, targeted attacks requires defenders to detect more generic attack characteristics than can be found in endless lists of known Indicators of Compromise (IoCs) from previously analyzed attacks.

Unless you have a time machine to retrieve IoCs from the future, known IoCs will not help with new attacks. For those, you need to watch for suspicious behavior by users or endpoints that could indicate attack activity in progress. These suspicion-arousing behaviors will not be as conclusive as a malware signature match or an IP blacklist hit, so they will need analyst triage to confirm. Insisting on certainty before raising an alert means that fresh attacks will successfully evade your automated defenses. It would be like a parent ignoring a child’s suspicious behavior until they get a call from the police. You do not want the call from the FBI telling you your company has been breached when timely analyst attention to suspicious behavior would have given you early detection.

Security analytics over observed user and endpoint behavior aims to identify the characteristics of potential attack activity. Here we highlight some of those suspect behaviors in general terms. They function as cyber attack tripwires, alerting defenders to attacks that may be in progress.

Anomalous Login Activity

Users and organizational units exhibit learnable login patterns that can be examined for anomalous departures. Anomalies can be spatial, i.e. anomalous with respect to peers, or temporal, i.e. anomalous with respect to that user’s or endpoint’s own earlier login pattern. Remote logins can be analyzed by remote IP address and geolocation, and login entropy can be measured and compared. A non-administrative user logging into several systems should be observed and reported, since it departs from expected patterns.
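As an added illustration of the temporal-versus-spatial distinction (example code, not Ziften’s analytics), the block below builds a per-user baseline from constructed logon events and then runs both checks: a temporal check that compares one new logon against that user’s own history (hours, remote sources, hosts), and a spatial check that flags non-administrative users who reach far more distinct systems than their peers. Users, hosts, addresses and thresholds are all assumptions made for the example.

```python
# Added example: temporal and spatial login-anomaly checks over constructed
# Windows-style logon events.  Not Ziften code; all data and thresholds are made up.
from collections import defaultdict
from dataclasses import dataclass
from statistics import median
from typing import Dict, List


@dataclass(frozen=True)
class Logon:
    user: str
    host: str      # system the user logged into
    src_ip: str    # remote source address, or "-" for a console logon
    hour: int      # local hour of day, 0-23
    admin: bool    # account is in an administrative group


def build_profiles(history: List[Logon]) -> Dict[str, dict]:
    """Per-user baseline from past logons: hours seen, remote sources seen, hosts reached."""
    profiles = defaultdict(lambda: {"hours": set(), "src_ips": set(), "hosts": set(), "admin": False})
    for e in history:
        p = profiles[e.user]
        p["hours"].add(e.hour)
        p["hosts"].add(e.host)
        if e.src_ip != "-":
            p["src_ips"].add(e.src_ip)
        p["admin"] = p["admin"] or e.admin
    return profiles


def temporal_anomalies(event: Logon, profiles: Dict[str, dict]) -> List[str]:
    """Temporal check: how does this one logon differ from the same user's own past?"""
    p = profiles.get(event.user)
    if p is None:
        return [f"first logon ever recorded for {event.user}"]
    reasons = []
    if event.hour not in p["hours"]:
        reasons.append(f"{event.user} never previously logged on at hour {event.hour:02d}")
    if event.src_ip != "-" and event.src_ip not in p["src_ips"]:
        reasons.append(f"remote logon from previously unseen source {event.src_ip}")
    if event.host not in p["hosts"]:
        reasons.append(f"{event.user} never previously logged on to {event.host}")
    return reasons


def spatial_anomalies(profiles: Dict[str, dict], peer_factor: float = 3.0, floor: int = 3) -> List[str]:
    """Spatial check: non-admin users touching far more distinct systems than their peers."""
    counts = {u: len(p["hosts"]) for u, p in profiles.items() if not p["admin"]}
    if not counts:
        return []
    typical = median(counts.values())
    # floor stops a tiny peer median (e.g. 1 host each) from flagging everyone with 2.
    return sorted(u for u, n in counts.items() if n >= floor and n > peer_factor * typical)


# Constructed history: ordinary users on their own workstations during the day,
# an admin (ops) who legitimately touches many servers, and one non-admin (dave) who does too.
HISTORY = [Logon("alice", "ws-alice", "-", h, False) for h in (8, 9, 10, 13, 17)]
HISTORY += [Logon("alice", "fs01", "10.0.5.21", 9, False)]
HISTORY += [Logon("bob", "ws-bob", "-", h, False) for h in (8, 12, 16)]
HISTORY += [Logon("carol", "ws-carol", "-", h, False) for h in (9, 11, 15)]
HISTORY += [Logon("ops", f"srv{i:02d}", "10.0.9.1", 10, True) for i in range(1, 9)]
HISTORY += [Logon("dave", f"srv{i:02d}", "10.0.7.44", 22, False) for i in range(1, 8)]
HISTORY += [Logon("dave", "ws-dave", "-", 9, False)]

PROFILES = build_profiles(HISTORY)

if __name__ == "__main__":
    probe = Logon("alice", "ws-alice", "198.51.100.7", 3, False)
    print("temporal:", temporal_anomalies(probe, PROFILES))
    print("spatial :", spatial_anomalies(PROFILES))
```

Alice logging on at 03:00 from an address she has never used trips two temporal reasons, while her usual 09:00 console logon trips none. The spatial check compares only non-administrative accounts against each other, so the admin’s server sprawl is expected and only dave stands out. Set-membership baselines like these are the simplest form; the login-entropy and geolocation comparisons mentioned above are refinements of the same per-user profile.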

Anomalous Work Routines

Working outside normal hours or outside established patterns of activity can be suspect, indicating insider threat activity or compromised credentials. Again, anomalies may be spatial or temporal. The mix of active processes can also be analyzed for adherence to established workgroup patterns. Workloads vary somewhat, but tend to be fairly consistent across an engineering department, an accounting department, a marketing department and so on. Work activity patterns can be machine-learned and statistical divergence tests applied to spot behavioral anomalies.

Anomalous Application Characteristics

Common applications display fairly constant attributes in their image metadata and in their active process profiles. Significant departures from these observed norms can indicate application compromise, such as code injection. Whitelisted applications may also be used by malware scripts in unusual ways, such as ransomware invoking system tools to delete volume shadow copies to thwart recovery, or malware staging stolen data to disk before exfiltration, with a correspondingly heavy demand on disk resources.

Anomalous Network Activity

Common applications exhibit fairly consistent network activity patterns that can be learned and characterized. Unusual levels of network activity by unusual applications are suspect on that basis alone, as is unusual port activity or port scanning. Network activity at unusual times, with unusual regularity (possible beaconing) or with unusual resource demands is likewise worth attention. Unattended network activity (user not present) should always have a plausible explanation or be reported, particularly if observed in significant volume.
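Here is an added example (not Ziften’s code) of three of the network checks just described, run over constructed connection records of the form (host, executable, destination, port, timestamp): a learned application-to-port baseline that flags a known program on a port it has never used, a check for programs with no network history at all, and a beaconing score based on how regular the intervals between repeated connections are. Hosts, binaries, addresses and the thresholds are assumptions made for the example.

```python
# Added example: unusual-port, unknown-application and beaconing checks over
# constructed connection records.  Not Ziften code; data and thresholds are made up.
from collections import defaultdict
from statistics import mean, pstdev
from typing import Dict, List, Optional, Set, Tuple

Conn = Tuple[str, str, str, int, float]   # host, exe, dst, port, timestamp (seconds)


def learn_app_ports(history: List[Conn]) -> Dict[str, Set[int]]:
    """Baseline: which destination ports each application has used before."""
    ports: Dict[str, Set[int]] = defaultdict(set)
    for _host, exe, _dst, port, _ts in history:
        ports[exe].add(port)
    return ports


def unusual_ports(events: List[Conn], known: Dict[str, Set[int]]) -> List[Tuple[str, str, int]]:
    """(host, exe, port) for known applications talking on ports they never used before."""
    return sorted({(h, exe, port) for h, exe, _d, port, _t in events
                   if exe in known and port not in known[exe]})


def unknown_apps(events: List[Conn], known: Dict[str, Set[int]]) -> List[Tuple[str, str]]:
    """(host, exe) for applications with no network history at all."""
    return sorted({(h, exe) for h, exe, _d, _p, _t in events if exe not in known})


def beacon_score(timestamps: List[float], min_connections: int = 6) -> Optional[float]:
    """Coefficient of variation of inter-connection intervals; near 0 means clockwork timing."""
    ts = sorted(timestamps)
    if len(ts) < min_connections:
        return None
    gaps = [b - a for a, b in zip(ts, ts[1:])]
    avg = mean(gaps)
    return pstdev(gaps) / avg if avg > 0 else None


def find_beacons(events: List[Conn], max_cv: float = 0.15):
    """(host, exe, dst, port, mean_interval_s, cv) for regularly repeating connections."""
    groups: Dict[Tuple[str, str, str, int], List[float]] = defaultdict(list)
    for host, exe, dst, port, ts in events:
        groups[(host, exe, dst, port)].append(ts)
    hits = []
    for key, stamps in groups.items():
        cv = beacon_score(stamps)
        if cv is not None and cv <= max_cv:
            stamps = sorted(stamps)
            interval = (stamps[-1] - stamps[0]) / (len(stamps) - 1)
            hits.append(key + (round(interval, 1), round(cv, 3)))
    return hits


# Constructed baseline from "last week": the browser on 80/443, an updater on 443.
HISTORY: List[Conn] = [
    ("ws-07", "chrome.exe", "203.0.113.20", 443, 0.0),
    ("ws-07", "chrome.exe", "203.0.113.21", 80, 30.0),
    ("ws-07", "updater.exe", "203.0.113.50", 443, 60.0),
]

# Constructed "today": irregular browsing, a suspiciously regular ~300 s call-home,
# a known application on a brand-new port, and a binary never seen on the network before.
TODAY: List[Conn] = (
    [("ws-07", "chrome.exe", "203.0.113.20", 443, t) for t in (10, 15, 55, 58, 178, 185, 245, 250)]
    + [("ws-07", "updater.exe", "203.0.113.50", 443, t) for t in (0, 301, 600, 902, 1200, 1499, 1800, 2101)]
    + [("ws-07", "chrome.exe", "198.51.100.9", 4444, 400)]
    + [("ws-07", "svchost32.exe", "198.51.100.9", 443, 410)]
)

if __name__ == "__main__":
    known = learn_app_ports(HISTORY)
    print("beacons      :", find_beacons(TODAY))
    print("unusual ports:", unusual_ports(TODAY, known))
    print("unknown apps :", unknown_apps(TODAY, known))
```

The browser’s eight connections have wildly varying gaps and score well above the threshold, while the updater’s eight connections land every 300 seconds give or take two and score near zero. Real implants deliberately add jitter to their sleep interval, so the coefficient-of-variation threshold has to be tuned per environment, and a low score on its own is a reason to look, not a conviction: legitimate agents beacon too, which is why the result is paired with the process, destination and port it belongs to.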

Anomalous System Fault Behavior

Anomalous fault behavior can indicate a vulnerable or unpatched system, or malware repeatedly retrying some failing operation. It may show up as applications crashing or hanging, as service failures, or as system crashes. Compliance faults are also worth noting, such as mandated security or backup agents not running, or those agents faulting constantly (a fault-restart-fault cycle).

When evaluating Endpoint Detection and Response solutions, do not feel complacent just because you have a large library of known IoCs. The most effective solutions will cover these top five generic attack characteristics and a great deal more.