Monthly Archives: May 2018

Why You Should Use Network Whitelisting – Charles Leaver

Written By Roark Pollock And Presented By Charles Leaver

As with any kind of security, IT security is concerned with developing and implementing a set of allow/disallow rules, more formally called security policies. Simply stated, allow/disallow rules can be expressed as a ‘whitelist’ or a ‘blacklist’.

Back in the good ‘ole days, most rules were blacklist in nature. Back then we trusted almost everybody to behave well, and if they did, it was fairly simple to spot bad behavior or anomalies. So we only needed to write a few blacklist rules, for instance “do not allow anyone into the network from an IP address in, say, Russia”. That was much like your grandparents never locking the doors of the farmhouse, because they knew everybody within a 20 mile radius.

Then the world changed. Good behavior became the exception, and bad actors and bad behavior became legion. Of course, it happened slowly, in stages, dating back to the start of the real ‘Web’ in the early 90’s. Remember script kiddies breaking into public and private websites simply to prove to their high school friends that they could?

Fast forward to the modern age. Everything is online, and if it has value, somebody on earth is trying to steal or damage it, constantly. And they have plenty of tools to use. In 2017, 250,000 new malware variants were introduced per day. We used to rely on desktop and network anti-virus packages to add new blacklist signatures, on a weekly basis, to fend off the bad guys using malicious code to do their bidding. But at over 90 million new malware variants per year, blacklist strategies alone will not cut it.

Network whitelisting technologies have been a crucial line of defense for on-premises network security, and with many companies rapidly moving their workloads to the cloud, the same controls will be needed there as well.

Let’s take a more detailed look at both techniques.

What is Blacklisting?

A blacklist enumerates known malicious or suspicious “entities” that should not be allowed access to, or execution rights in, a system or network. Entities include bad software (malware) such as viruses, Trojans, worms, spyware, and keystroke loggers. Entities also include any user, application, process, IP address, or organization known to pose a threat to a business.

The key word above is “known”. With 250,000 new variants appearing daily, how many are out there that we don’t know about, at least until much later, which may be days, weeks, or even years?

So, what is whitelisting? As you may have guessed, it is the opposite of blacklisting. Whitelisting starts from the point of view that nearly everything is bad. If that holds true, it should be more efficient simply to specify and allow “good entities” into the network. A simple example would be “all employees in the finance department at director level or above are allowed to access our financial reporting application on server X.” By extension, everybody else is locked out.

Whitelisting is often described as a “zero trust” approach: deny all, and permit access only to specific entities based on a set of ‘good’ attributes associated with user and device identity, behavior, location, time, and so on.

Whitelisting is widely accepted in high-risk security environments, where strict rules take precedence over user freedom. It is also highly valued in environments where companies are bound by stringent regulatory compliance.

Black, White, or Both?

First, few would tell you that blacklisting is completely obsolete. Certainly at the endpoint device level, it is fairly simple to set up and maintain and somewhat effective, especially if it is kept up to date by third party threat intelligence providers. But on its own, is it enough?

Second, depending on your security background or experience, you’re probably thinking, “Whitelisting could never work for us. Our business applications are just too diverse and complex. The time, effort, and resources needed to compile, monitor, and update whitelists at an enterprise level would be untenable.”

Thankfully, this isn’t an either-or choice. It’s possible to take a “best of both worlds” stance: blacklisting for malware and intrusion detection, running alongside whitelisting for system and network access at large.

Cloud Whitelisting with Ziften

The key to whitelisting comes down to ease of implementation, especially for cloud-based workloads. And ease of implementation is a function of scope. Think of whitelisting in two ways: application and network. The former can be a quagmire. The latter is far easier to implement and maintain, if you have the right visibility within your cloud environment.

This is where Ziften scores well.

With Ziften, it becomes easy to:

– Identify and gain visibility into all cloud servers and virtual machines

– Gain continuous visibility into devices and their port usage activity

– See east-west traffic flows, including detailed tracking of the protocols used over specific port pairs

– Convert ‘seeing’ what’s happening into a manageable set of whitelists, complete with exact protocol and port mappings

– Set up near real time alerts on any anomalous or suspicious resource or service activations
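The last three points describe one loop: observe east-west flows, turn them into protocol/port whitelists, and alert on anything outside them. The added example below (not Ziften's code) shows that loop in Python, with a constructed set of baseline flows standing in for what a cloud flow log would provide:

```python
"""Added example (not Ziften code): derive a network whitelist from observed
east-west flows, then evaluate later flows against it with default deny.
The flow records and the learning/enforcement split are constructed."""
from collections import Counter
from dataclasses import dataclass


@dataclass(frozen=True)
class Flow:
    src: str    # source host or VM
    dst: str    # destination host or VM
    proto: str  # "tcp" or "udp"
    dport: int  # destination (service) port


# Constructed flows seen during the learning period.
BASELINE_FLOWS = [
    Flow("web-1", "app-1", "tcp", 8080),
    Flow("web-2", "app-1", "tcp", 8080),
    Flow("app-1", "db-1", "tcp", 5432),
    Flow("app-1", "db-1", "tcp", 5432),
    Flow("bastion", "db-1", "tcp", 22),
]


def build_whitelist(flows, min_count=1):
    """Return the set of (src, dst, proto, dport) tuples to allow.
    min_count drops one-off flows from a noisy baseline."""
    counts = Counter((f.src, f.dst, f.proto, f.dport) for f in flows)
    return {key for key, n in counts.items() if n >= min_count}


def check_flows(whitelist, flows):
    """Default deny: any flow outside the whitelist is an alert, whether it
    is a new protocol/port pair or a host talking to a peer it never did."""
    return [f for f in flows
            if (f.src, f.dst, f.proto, f.dport) not in whitelist]


if __name__ == "__main__":
    wl = build_whitelist(BASELINE_FLOWS)
    later = [
        Flow("web-1", "app-1", "tcp", 8080),  # known good
        Flow("web-1", "db-1", "tcp", 5432),   # web tier bypassing the app tier
        Flow("app-1", "db-1", "tcp", 3389),   # port never seen on the DB host
    ]
    for a in check_flows(wl, later):
        print(f"ALERT: {a.src} -> {a.dst} {a.proto}/{a.dport} not whitelisted")
```

Raising `min_count` is the knob for the "manageable set" point above: a flow seen once during learning is not automatically trusted.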

A Look Inside Windows Defender ATP And Its Great Hunting Power – Charles Leaver

Written By Josh Harrimen And Presented By Charles Leaver

Following on from our recent partnership announcement with Microsoft, the Ziften Security Research team has begun using a very powerful feature of the Windows Defender Advanced Threat Protection (Windows Defender ATP) Security Center platform. The Advanced Hunting feature lets users run queries against the data sent in by products and tools such as Ziften, to find interesting behaviors quickly. These queries can be saved and shared among the community of Windows Defender ATP users.

We have added a handful of shared queries so far, and the results are quite interesting; we also like the ease of use of the hunting interface. Because Ziften sends endpoint data collected from Linux and macOS systems to Windows Defender ATP, we are concentrating on those operating systems in our query development efforts to showcase the full coverage of the platform.

You can access the Advanced Hunting interface by choosing the database icon on the left-hand side, as shown in the image below.

You can see the top-level schema at the top left of that page, with event types such as ProcessCreation, MachineInfo, NetworkCommunication and others. We ran some recent malware within our Redlab and developed some queries to find that data and produce results for investigation. One example was OceanLotus. We developed a small number of queries to find both the dropper and the files associated with this threat.

After running the queries, you get results that you can interact with.

On inspection of the results, we see some systems that have exhibited the behavior we were looking for. When you select one of these systems, you can view the details of the system under investigation. From there you can view the alerts triggered and a timeline of events. Details from the malicious process are shown below.

Additional behavior-based queries can also be run. For instance, we ran another malicious sample that used a couple of techniques, and then queried for those. The screenshot directly below shows a query we ran to look for Gatekeeper being disabled from the command line on macOS. While this may be an administrative action, it is certainly something you want to know is happening within your environment.
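The Gatekeeper hunt described above, written out as detection logic in Python rather than as an Advanced Hunting query. This is an added example, not Ziften's or Microsoft's code; the record layout and the sample process-creation events are constructed, and the only real identifier it relies on is the macOS `spctl --master-disable` command:

```python
"""Added example (not Ziften's or Microsoft's code): the Gatekeeper-disabled
hunt from the post, expressed as detection logic over process-creation
records. Event layout and sample events are constructed for the example."""
import shlex

# Constructed macOS/Linux process-creation events (host, user, command line).
EVENTS = [
    {"host": "mac-01", "user": "alice", "cmd": "spctl --status"},
    {"host": "mac-02", "user": "bob", "cmd": "sudo spctl --master-disable"},
    {"host": "mac-03", "user": "root", "cmd": "/usr/sbin/spctl --master-enable"},
    {"host": "mac-04", "user": "carol", "cmd": "/usr/sbin/spctl --master-disable"},
    {"host": "lnx-01", "user": "dave", "cmd": "ls -la /tmp"},
]


def gatekeeper_disabled(cmd):
    """True when the command line runs spctl with --master-disable.
    Tokenizing with shlex respects quoting, so the flag inside a quoted
    string (e.g. an echo) does not match; a leading sudo and a full path
    to the binary are tolerated so trivial variations do not escape."""
    try:
        argv = shlex.split(cmd)
    except ValueError:
        return False                      # unbalanced quotes: not an spctl call
    if argv and argv[0] == "sudo":
        argv = argv[1:]
    if not argv or argv[0].rsplit("/", 1)[-1] != "spctl":
        return False
    return "--master-disable" in argv[1:]


def hunt(events):
    """Return (host, user, cmd) for each event that disables Gatekeeper; the
    analyst then pivots to that host's timeline as the post describes."""
    return [(e["host"], e["user"], e["cmd"])
            for e in events if gatekeeper_disabled(e["cmd"])]


if __name__ == "__main__":
    for host, user, cmd in hunt(EVENTS):
        print(f"{host}: Gatekeeper disabled by {user}: {cmd}")
```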

From these query results, you can again select the system under investigation and dig further into the suspicious behaviors.

This blog post is certainly not an in-depth tutorial on using the Advanced Hunting feature within the Windows Defender Advanced Threat Protection platform. But we wanted to put something together quickly to share our excitement about how easy it is to use this feature to conduct your own customized threat hunting in a multi-system environment, across Linux, Windows and macOS systems.

We look forward to sharing more of our experimentation and research using queries built with the Advanced Hunting feature. We share our successes with everyone here, so look out for future posts.

Great To See This At The 2018 RSA Conference – Charles Leaver

Written By Logan Gilbert And Presented By Charles Leaver

After spending a few days with the Ziften team at the 2018 RSA Conference, my take on the technology was: more of the same, the usual suspects and the usual buzzwords. Buzzwords like “AI”, “machine learning” and “predictive” were thoroughly worn out. Lots of attention was paid to prevention, to everybody’s favorite attack vector (email), and to everybody’s favorite exploit (ransomware).

About the only surprise to me was seeing a small number of NetFlow analysis companies, lots of smaller businesses trying to make their mark with an extremely rich, but hard to work with, data set. Very cool stuff! Find the small booths and you’ll find plenty of innovation. Now, in fairness to the bigger vendors, I know there are some truly cool technologies in there, but RSA hardly lends itself to cutting through the buzzwords to actual value.

RSA Buzz

I may have a biased view since Ziften has been partnering with Microsoft for the last six-plus months, but Microsoft seemed to play a far more prominent leadership role at RSA this year. First, on Monday, Microsoft announced its all-new Intelligent Security Association, bringing together its security partnerships “to concentrate on defending customers in a world of increased hazards”, and more importantly, enhancing that protection through shared security intelligence across this ecosystem of partners. Ziften is of course proud to be a founding member of the Intelligent Security Association.

In addition, on Tuesday, Microsoft announced a ground-breaking collaboration with numerous players in the cyber security industry, named the “Cybersecurity Tech Accord.” This accord calls for a “digital Geneva Convention” that sets standards of behavior for the online world, just as the Geneva Conventions set rules for the conduct of war in the physical world.

People who Attended the RSA

A real point of interest to me, though, was the makeup of the expo audience itself. As an exhibitor at RSA, I noticed that among my visitors I saw more “suits” and fewer tee shirts.

Ok, maybe not suits as such, but more security Managers, Directors, VPs, CISOs, and security leaders than I recall seeing in the past. I was encouraged to see what I believe are the business decision makers looking at security vendors first hand, rather than delegating that job to their security team. From this audience I often heard the same overtones:

– This is overwhelming.
– I can’t tell the difference between one technology and another.

Those who were Absent from RSA

What I saw less of were “technology trolls”. What, you might ask, are technology trolls? Well, as a vendor and security engineer, these are the people (always guys) who show up five minutes before the close of the day and drag you into a technical due diligence exercise for an hour, or at least until the happy hour parties start. Their objective: absolutely nothing useful to anyone, and here I’m presuming that the troll actually works for a company, so nothing useful for the business that actually paid thousands of dollars for their attendance. The only thing gained is the troll’s self-affirmation that they are able to “beat down the vendor” with their technical prowess. I’m being harsh, but I’ve known the trolls from both sides, as a vendor and as a purchaser, and back at the office nobody is making buying decisions based on troll recommendations. I can only assume that companies send tech trolls to RSA and similar expos because they don’t want them in the office.

Discussions about Holistic Security

Which brings me back to the kind of people I did see a great deal of at RSA: security savvy (not just tech savvy) security leaders, who understand the business argument and the choices behind security technologies. Not only are they influencers but in most cases the business owners of security for their respective organizations. Now, aside from the previously mentioned concerns, these security leaders seemed less focused on a technology or a specific use case, and more on a desire for “holistic” security. As we know, good security requires a collection of technologies, practice and policy. Security smart customers wanted to know how our technology fitted into their holistic solution, which is a refreshing change of dialog. As such, the kinds of questions I would hear:

– How does your technology partner with other solutions I already use?
– More importantly: Does your company actually buy into that partnership?

That last question is vital, basically asking whether our partnerships are merely fodder for a website, or whether we and our partner truly recognize that the sum is greater than the parts.

The latter is what security professionals are looking for and need.

In Conclusion

Overall, RSA 2018 was great from my point of view. Once you get beyond the jargon, much of the buzz focused on things that matter to customers, our market, and us as people: security partner ecosystems that add value, more holistic security through genuine partnership and meaningful integrations, and face to face conversations with business security leaders, not technology trolls.

Don’t Let Unmanaged Assets In The Cloud Cause You A Big Problem – Charles Leaver

Written By Logan Gilbert And Presented By Charles Leaver

We all recognize the image of the hooded bad guy hunched over his computer late at night, accessing a corporate network, stealing valuable data, and vanishing without a trace. We personify the attacker as smart, persistent, and crafty. But the reality is that the vast majority of attacks are made possible by simple human negligence or carelessness, making the hacker’s job an easy one. He’s checking all the doors and windows constantly. All it takes is one mistake on your part and he’s in.

So what do we do? Well, you know the action you need to take. We invest a hefty chunk of our IT budget on defense-in-depth security systems, designed to detect, deceive, fool, or outright block the villains. Let’s set aside the debate on whether or not we are winning that game, because there is a far simpler game going on: the one where the attacker enters your network, business critical application, or IP/PII data through a vector you didn’t even know you had, the unmanaged asset, often referred to as Shadow IT.

Think this isn’t your company? A recent study suggests the average business has 841 cloud apps in use. Remarkably, most IT executives think the number of cloud apps in use by their organization is around 30-40, meaning they are off by a factor of 20X. The same report discloses that over 98% of cloud apps are not GDPR ready, and 95% of enterprise class cloud apps are not SOC 2 compliant.

Defining Unmanaged Assets/Shadow IT

Shadow IT is defined as any SaaS application used, by employees, departments, or whole business groups, without the knowledge or permission of the company’s IT department. And the growth of ‘everything as a service’ has made it even easier for employees to gain access to whatever software they feel is needed to make them more productive.

The Effect

Well-intentioned employees typically don’t realize they’re breaking company rules by spinning up a new server instance, or downloading unapproved apps or software. But it happens. When it does, three problems can develop:

1. Business standards within a company are compromised, since unauthorized software means each computer has different capabilities.

2. Rogue software frequently contains security flaws, putting the entire network at risk and making it much harder for IT to manage security risks.

3. Asset blind spots not only drive up security and compliance risk, they can increase legal risk. Information retention policies designed to limit legal liability are undermined by information held on unapproved cloud assets.

3 Essential Considerations for Resolving Unmanaged Asset Threats

1. First, deploy tools that can provide thorough visibility into all cloud assets, managed and unmanaged. Know what new virtual machines have been activated recently, as well as which other machines and applications each VM instance is communicating with.

2. Second, make certain your tooling can provide a continuous inventory of authorized and unauthorized virtual machines operating in the cloud. Make certain you have visibility into all IP connections made to each asset.

3. Third, for compliance and/or forensic analysis purposes, look for a solution that provides a record of any and all assets (physical and virtual) that have ever been on the network, not just a service restricted to active assets and constrained by a short look-back window.

Ziften’s approach to Unmanaged Asset Discovery

Ziften makes it simple to quickly find cloud assets that have been commissioned outside IT’s purview. And we do it continuously and with deep historical recall at your fingertips, including when each device first connected to the network, when it last appeared, and how often it reconnects. And if a virtual machine is decommissioned, this is not a problem: we still have all its historical behavior data.
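The three considerations above and the first-seen / last-seen / reconnect bookkeeping just described can be shown together in one small asset-history routine. The following is an added example, not Ziften's code; the connection events and the list of IT-authorized assets are constructed, and the `active_only` function illustrates what a short look-back window hides:

```python
"""Added example (not Ziften code): asset history built from connection
events, covering the three considerations above and the first-seen /
last-seen / reconnect bookkeeping described for decommissioned VMs.
The event log and the managed-asset list are constructed."""
from dataclasses import dataclass, field
from datetime import datetime, timedelta

# Constructed connection events: (timestamp, asset id, peer ip).
EVENTS = [
    ("2018-05-01T09:00:00", "vm-web-1", "10.0.0.5"),
    ("2018-05-01T09:05:00", "vm-web-1", "10.0.0.6"),
    ("2018-05-02T22:10:00", "vm-rogue-7", "198.51.100.9"),
    ("2018-05-03T08:00:00", "vm-web-1", "10.0.0.5"),
    ("2018-05-03T23:00:00", "vm-rogue-7", "198.51.100.9"),
    ("2018-05-04T01:00:00", "vm-rogue-7", "10.0.0.7"),
]
MANAGED = {"vm-web-1", "vm-db-1"}  # IT's authorized inventory (constructed)


@dataclass
class AssetRecord:
    first_seen: datetime
    last_seen: datetime
    connections: int = 0
    peers: set = field(default_factory=set)


def build_inventory(events):
    """Fold events into per-asset records (consideration 1). Assets are
    never dropped, so a decommissioned VM keeps its history (consideration 3)."""
    inv = {}
    for ts, asset, peer in events:
        t = datetime.fromisoformat(ts)
        rec = inv.setdefault(asset, AssetRecord(first_seen=t, last_seen=t))
        rec.first_seen = min(rec.first_seen, t)
        rec.last_seen = max(rec.last_seen, t)
        rec.connections += 1
        rec.peers.add(peer)
    return inv


def unmanaged_assets(inv, managed):
    """Consideration 2: everything seen on the network that IT did not authorize."""
    return sorted(a for a in inv if a not in managed)


def active_only(inv, now_iso, days):
    """The limited view the post warns about: a short look-back window only
    shows assets that connected recently, hiding ones that have gone quiet."""
    now = datetime.fromisoformat(now_iso)
    return {a for a, r in inv.items() if now - r.last_seen <= timedelta(days=days)}


if __name__ == "__main__":
    inv = build_inventory(EVENTS)
    for a in unmanaged_assets(inv, MANAGED):
        r = inv[a]
        print(f"{a}: first {r.first_seen}, last {r.last_seen}, "
              f"{r.connections} connections, peers {sorted(r.peers)}")
```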

Identify and secure hidden attack vectors arising from shadow IT, before a calamity. Know exactly what’s going on in your cloud environment.