Monthly Archives: May 2018

A Look Inside Windows Defender ATP And Its Great Hunting Power – Charles Leaver

Written By Josh Harrimen And Presented By Charles Leaver


Following our recently announced collaboration with Microsoft, the Ziften Security Research team has begun using a very useful element of the Windows Defender Advanced Threat Protection (Windows Defender ATP) Security Center platform: the Advanced Hunting feature. It lets users run queries against the data sent in by products and tools such as Ziften, to find interesting behaviors quickly. These queries can be saved and shared among the Windows Defender ATP user base.

We have added a handful of shared queries so far, but the results are already interesting, and we like the ease of use of the hunting interface. Because Ziften sends endpoint data collected from Linux and macOS systems to Windows Defender ATP, we are concentrating our query development on those operating systems to showcase the full coverage of the platform.

You can access the Advanced Hunting interface by choosing the database icon on the left-hand side, as shown in the image below.

The top-level schema is shown at the top left of that page, with event tables such as ProcessCreation, Machineinfo, NetworkCommunication and others. We ran some current malware in our Redlab and developed queries to find that data and produce results for investigation. One example was OceanLotus: we developed a small number of queries to find both the dropper and the files associated with this threat.

After running the queries, you get results you can interact with.

On inspecting the results, we see some systems that exhibited the behavior we searched for. Selecting one of these systems shows the details of the system under examination. From there you can view the alerts triggered and a timeline of events. Details of the malicious process are shown below.

Additional behavior-based queries can also be run. For instance, we executed another malicious sample that used a couple of techniques we then queried for. The screenshot directly below shows a query we ran to look for Gatekeeper being disabled from the command line on a macOS system. While this may be an administrative action, it is certainly something you want to know is taking place in your environment.

From these query results, you can again select the system under examination and investigate the suspicious behavior further.
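The Gatekeeper hunt described above, as an added example that is not code from the post, from Ziften or from Microsoft: the same filter rendered in Python over constructed process-creation rows so it can be run offline. The field names are assumptions that mimic a process-creation table, not the product schema, and the sample rows are made up.

```python
"""Added example (not code from the post or from Microsoft): the Gatekeeper hunt above,
rendered in Python over constructed process-creation rows so it runs offline. Field names
mimic a process-creation table and are assumptions, not the product schema."""
import re
from dataclasses import dataclass

# Gatekeeper is turned off with `spctl --master-disable`. Match the binary name and the flag
# anywhere in the command line so `sudo spctl ...` and full paths are caught as well.
GATEKEEPER_DISABLE = re.compile(r"(^|[\s/])spctl\b.*--master-disable\b")


@dataclass(frozen=True)
class ProcessEvent:
    """One constructed process-creation row (assumed field names)."""
    event_time: str
    computer_name: str
    os_platform: str
    file_name: str
    command_line: str


def hunt_gatekeeper_disable(events):
    """Return (computer_name, event_time, command_line) for macOS rows that disable Gatekeeper."""
    hits = []
    for e in events:
        if e.os_platform != "macOS":        # a Linux shell merely echoing the string is not a hit
            continue
        if GATEKEEPER_DISABLE.search(e.command_line):
            hits.append((e.computer_name, e.event_time, e.command_line))
    return hits


def affected_machines(events):
    """Distinct machines to pivot into, mirroring the 'select the system' step in the post."""
    return sorted({hit[0] for hit in hunt_gatekeeper_disable(events)})


# Constructed sample rows: a benign status check, a sudo wrapper plus its spctl child, and a Linux decoy.
SAMPLE_EVENTS = [
    ProcessEvent("2018-05-01T10:00:00Z", "mac-lab-01", "macOS", "spctl", "spctl --status"),
    ProcessEvent("2018-05-01T10:05:12Z", "mac-lab-02", "macOS", "sudo", "sudo spctl --master-disable"),
    ProcessEvent("2018-05-01T10:05:12Z", "mac-lab-02", "macOS", "spctl", "/usr/sbin/spctl --master-disable"),
    ProcessEvent("2018-05-01T11:00:00Z", "linux-lab-01", "Linux", "bash", "bash -c 'echo spctl --master-disable'"),
]

if __name__ == "__main__":
    for hit in hunt_gatekeeper_disable(SAMPLE_EVENTS):
        print(" | ".join(hit))
    print("affected:", affected_machines(SAMPLE_EVENTS))
```

The sudo wrapper and its spctl child both match, which is why the machine list is deduplicated before pivoting into a system.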

This blog post is certainly not an in-depth tutorial on using the Advanced Hunting feature within the Windows Defender Advanced Threat Protection platform. We wanted to put something together quickly to share our excitement about how easy it is to use this feature to conduct your own customized threat hunting in a multi-system environment, across Linux, Windows and macOS systems.

We look forward to sharing more of our experimentation and research using queries built with the Advanced Hunting feature. We share our successes with everyone here, so look out for future posts.

Great To See This At The 2018 RSA Conference – Charles Leaver

Written By Logan Gilbert And Presented By Charles Leaver


After spending a few days with the Ziften team at the 2018 RSA Conference, my technology take was: more of the same, the usual suspects and the usual buzzwords. Buzzwords like "AI", "machine learning" and "predictive" were thoroughly worn out. Lots of attention was paid to prevention, to everybody's favorite attack vector, email, and to everybody's favorite exploit, ransomware.

About the only surprise to me was seeing a small number of NetFlow analysis companies: lots of smaller businesses aiming to make their mark using an extremely rich, but hard to work with, data set. Very cool stuff! Find the small booths and you'll discover lots of innovation. Now, in fairness to the bigger vendors, I know there are some really cool technologies in there, but RSA is hardly set up for cutting through the buzzwords to actual value.

RSA Buzz

I may have a biased view, since Ziften has been partnering with Microsoft for the last six-plus months, but Microsoft seemed to play a far more prominent leadership role at RSA this year. First, on Monday, Microsoft revealed its all-new Intelligent Security Association, bringing together its security partnerships "to concentrate on defending customers in a world of increased hazards", and more notably, enhancing that protection through shared security intelligence across this ecosystem of partners. Ziften is of course proud to be a founding member of the Intelligent Security Association.

In addition, on Tuesday, Microsoft announced a ground-breaking collaboration with numerous players in the cyber security industry, named the "Cybersecurity Tech Accord." This accord calls for a "digital Geneva Convention" that sets standards of behavior for the online world, just as the Geneva Conventions set rules for the conduct of war in the physical world.

People Who Attended RSA

A real point of interest to me, though, was the makeup of the expo audience itself. As an exhibitor at RSA, I noted that among my visitors I saw more "suits" and fewer tee shirts.

OK, maybe not suits as such, but more security Supervisors, Directors, VPs, CISOs and security leaders than I recall seeing in the past. I was encouraged to see what I believe are the business decision makers looking at security companies first hand, rather than delegating that job to their security team. From this audience I often heard the same overtones:

– This is overwhelming.
– I can't tell the difference between one technology and another.

Those Who Were Absent from RSA

What I saw less of were "technology trolls". What, you might ask, are technology trolls? Well, as a vendor and security engineer, these are the people (always guys) who show up five minutes before the close of the day and drag you into a technical due diligence exercise for an hour, or at least until the happy hour festivities start. Their objective: nothing helpful to anyone, and here I'm presuming that the troll actually works for a company, so nothing useful for the business that paid thousands of dollars for their attendance. The only thing gained is the troll's self-affirmation that they are able to "beat down the vendor" with their technical prowess. I'm being harsh, but I've known the trolls from both sides, as a vendor and as a purchaser, and back at the office nobody is basing buying decisions on troll recommendations. I can only assume that companies send tech trolls to RSA and similar expos because they don't want them in the office.

Discussions about Holistic Security

Which brings me back to the kind of people I did see a great deal of at RSA: security savvy (not just tech savvy) security leaders, who understand the business arguments and decisions behind security technologies. Not only are they influencers but in most cases the business owners of security for their respective organizations. Now, aside from the previously mentioned concerns, these security leaders seemed less focused on a technology or specific use case and more on a desire for "holistic" security. As we know, good security requires a collection of technologies, practice and policy. Security-smart customers wanted to know how our technology fitted into their holistic solution, which is a refreshing change of dialog. So the kinds of questions I would hear:

– How does your technology partner with other solutions I already use?
– More importantly: Does your company actually buy into that partnership?

That last question is vital, basically asking whether our partnerships are merely fodder for a website, or whether we and our partner truly recognize that the sum is greater than the parts.

The latter is what security professionals are searching for and need.

In Conclusion

Overall, RSA 2018 was great from my point of view. Once you get beyond the jargon, much of the buzz focused on things that matter to customers, our market, and us as people: security partner ecosystems that add value, more holistic security through genuine partnership and meaningful integrations, and face to face conversations with business security leaders, not technology trolls.

Don’t Let Unmanaged Assets In The Cloud Cause You A Big Problem – Charles Leaver

Written By Logan Gilbert And Presented By Charles Leaver


We all relate to the image of the hooded bad guy hunched over his computer late at night: accessing a corporate network, stealing important data, vanishing without a trace. We personify the attacker as smart, persistent and crafty. But the reality is that the vast majority of attacks are made possible by simple human negligence or carelessness, making the hacker's job an easy one. He is checking all the doors and windows constantly. All it takes is one mistake on your part and he's in.

So what do we do? Well, you know the action you need to take. We spend a hefty piece of our IT budget on defense-in-depth security systems, designed to detect, deceive, fool or outright block the bad guys. Let's set aside the debate over whether or not we are winning that game, because there is a far simpler game taking place: the one where the adversary enters your network, business-critical application, or IP/PII data through a vector you didn't even know you had, the unmanaged asset, frequently referred to as Shadow IT.

Think this isn't your company? A recent study suggests the average business has 841 cloud apps in use. Remarkably, most IT executives think the number of cloud apps in use by their organization is around 30-40, meaning they are off by a factor of 20X. The same report discloses that over 98% of cloud apps are not GDPR ready, and 95% of enterprise-class cloud apps are not SOC 2 compliant.

Defining Unmanaged Assets/Shadow IT

Shadow IT is defined as any SaaS application used, by employees, departments or whole business groups, without the knowledge or permission of the company's IT department. And the growth of 'everything as a service' has made it even easier for employees to get access to whatever software they feel is needed to make them more productive.

The Effect

Well-intentioned employees typically don't realize they're breaking company rules by spinning up a new server instance or downloading unapproved apps or software. But it happens. When it does, three problems can develop:

1. Business standards within a company are compromised, since unauthorized software means each computer has different capabilities.

2. Rogue software frequently contains security flaws, putting the entire network at risk and making it much harder for IT to manage security risks.

3. Asset blind spots not only drive up security and compliance risk, they can increase legal risk. Information retention policies designed to limit legal liability are compromised by information held on unapproved cloud assets.

3 Essential Considerations for Addressing Unmanaged Asset Threats

1. First, deploy tools that provide thorough visibility into all cloud assets, managed and unmanaged. Know what new virtual machines have been spun up recently, as well as which other machines and applications each VM instance is communicating with.

2. Second, make certain your tooling can provide a continuous inventory of authorized and unauthorized virtual machines operating in the cloud. Make certain you have visibility into all IP connections made to each asset.

3. Third, for compliance and/or forensic analysis purposes, look for a solution that captures any and all assets (physical and virtual) that have ever been on the network, not just a service that is restricted to active assets and constrained to a short look-back window.

Ziften's Approach to Unmanaged Asset Discovery

Ziften makes it simple to quickly find cloud assets that have been commissioned outside IT's purview. And we do it continuously and with deep historical recall at your fingertips, including when each device first connected to the network, when it last appeared, and how often it reconnects. If a virtual machine is decommissioned, that is not a problem: we still have all of its historical behavior data.
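The discovery model from the three considerations and the paragraph above (continuous inventory with first seen, last seen, reconnect count and per-asset peers, with history retained for decommissioned VMs), as an added illustration that is not Ziften's code. The connection records, the approved-asset list and the asset names are constructed for the example.

```python
"""Added example, not Ziften's code: the discovery model described above (first seen,
last seen, how often an asset reconnects, and history kept for decommissioned VMs),
run over constructed connection records against a constructed approved-asset list."""
from dataclasses import dataclass, field


@dataclass
class AssetHistory:
    first_seen: str            # ISO-8601 timestamps, so string order is time order
    last_seen: str
    sightings: int = 0         # how many connections we have seen from this asset
    peers: set = field(default_factory=set)   # remote addresses it has talked to


def build_inventory(connections):
    """connections: iterable of (timestamp, asset_id, remote_ip). Returns {asset_id: AssetHistory}.
    Nothing is ever dropped, which is what gives the look-back for decommissioned assets."""
    inventory = {}
    for ts, asset, remote in sorted(connections):
        hist = inventory.get(asset)
        if hist is None:
            inventory[asset] = AssetHistory(first_seen=ts, last_seen=ts, sightings=1, peers={remote})
        else:
            hist.last_seen = ts
            hist.sightings += 1
            hist.peers.add(remote)
    return inventory


def unmanaged_assets(inventory, approved):
    """Assets that appeared on the network but were never authorised by IT (shadow IT)."""
    return sorted(asset for asset in inventory if asset not in approved)


def decommissioned_assets(inventory, active_now):
    """Assets with history but no longer active; their records are retained for forensics."""
    return sorted(asset for asset in inventory if asset not in active_now)


# Constructed sample data: one approved web VM and one developer VM nobody told IT about.
SAMPLE_CONNECTIONS = [
    ("2018-04-02T08:00:00Z", "vm-web-01", "10.0.0.5"),
    ("2018-04-03T09:10:00Z", "vm-web-01", "10.0.0.9"),
    ("2018-04-03T09:15:00Z", "vm-dev-jdoe", "203.0.113.40"),
    ("2018-04-20T22:41:00Z", "vm-dev-jdoe", "203.0.113.40"),
    ("2018-05-01T07:00:00Z", "vm-web-01", "10.0.0.5"),
]
APPROVED = {"vm-web-01"}
ACTIVE_NOW = {"vm-web-01"}    # vm-dev-jdoe has since been torn down

if __name__ == "__main__":
    inv = build_inventory(SAMPLE_CONNECTIONS)
    for asset in unmanaged_assets(inv, APPROVED):
        h = inv[asset]
        print(f"{asset}: first {h.first_seen}, last {h.last_seen}, {h.sightings} sightings, peers {sorted(h.peers)}")
```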

Identify and secure hidden attack vectors coming from shadow IT, before a calamity. Know exactly what's going on in your cloud environment.