Author Archives: leavmecha

Petya Variant Flaw Attack? No Problem If You Are A Ziften Customer – Charles Leaver

Written By Josh Harriman And Presented By Charles Leaver Ziften CEO


Another outbreak, another nightmare for those who were not prepared. While this latest attack resembles the earlier WannaCry outbreak, there are differences in this malware, which is a variant of, or a new strain closely resembling, Petya. Dubbed NotPetya by some, this strain causes a great deal of trouble for anyone who encounters it. It may encrypt your files, or render the system completely inoperable. And the email address you would have needed to contact to 'perhaps' decrypt your files has since been taken down, so you are out of luck recovering them that way.

Plenty of information on the behaviour of this threat is publicly available, but I want to point out that Ziften customers are protected both from the EternalBlue exploit, which is one mechanism the malware uses to propagate, and, better still, by an inoculation that takes advantage of a possible flaw in the malware: a check it performs before executing (apparently a leftover debug check) that, when satisfied, stops the threat from ever running on your system. It may still spread within the environment, but our protection would already be rolled out to all existing systems to halt the damage.

Our Ziften extension platform lets customers put protection in place against specific vulnerabilities and malicious actions for this threat and others like Petya. Beyond the specific measures taken against this variant, we have taken a broader approach to stopping strains of malware that perform various 'checks' against the system before executing.

We can also use our Search capability to look for remnants of the other propagation methods used by this threat. Reports show WMIC and PsExec being used. We can search for those programs, their command lines and how they were used. Even though they are legitimate tools, their use is normally rare on most endpoints, so it can be alerted on.
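The hunt described above, written out as an added example (not Ziften's search syntax or code): it classifies WMIC and PsExec executions from process-creation records, raises severity when the tool appears on a host where it is not normally seen, and reports a source host that reached several remote targets, which is the fan-out a worm leaves behind. The record fields (host, user, parent, image, cmdline) are an assumed generic schema and the events are constructed.

```python
"""Hunt process-creation records for WMIC and PsExec lateral movement.

Added example, not Ziften's search syntax or code. The record fields
(host, user, parent, image, cmdline) are an assumed generic schema, and the
events below are constructed for the example.
"""
import re
from collections import defaultdict

# Remote-execution signatures for the two tools named in the post.
WMIC_REMOTE = re.compile(r"/node:\s*\S+.*\bprocess\b.*\bcall\b.*\bcreate\b", re.I)
PSEXEC_REMOTE = re.compile(r"\\\\[\w.\-]+")           # psexec \\target ...
TARGET = re.compile(r'(?:/node:\s*"?|\\\\)([\w.\-]+)', re.I)
TOOLS = {"wmic.exe": "wmic", "psexec.exe": "psexec", "psexec64.exe": "psexec"}
LEVELS = ["low", "medium", "high"]

EVENTS = [  # constructed sample process-creation records
    {"host": "WS-017", "user": "acme\\jsmith", "parent": "explorer.exe",
     "image": r"C:\Windows\System32\wbem\wmic.exe", "cmdline": "wmic os get caption"},
    {"host": "BUILD-01", "user": "acme\\svc_build", "parent": "cmd.exe",
     "image": r"C:\Windows\System32\wbem\wmic.exe",
     "cmdline": "wmic logicaldisk get size,freespace"},
    {"host": "WS-042", "user": "acme\\admin", "parent": "cmd.exe",
     "image": r"C:\Windows\System32\wbem\wmic.exe",
     "cmdline": r'wmic /node:"WS-043" process call create "cmd /c C:\Windows\x.exe"'},
    {"host": "WS-042", "user": "acme\\admin", "parent": "cmd.exe",
     "image": r"C:\Tools\psexec.exe", "cmdline": r"psexec \\WS-044 -s cmd /c C:\Windows\x.exe"},
    {"host": "WS-042", "user": "acme\\admin", "parent": "cmd.exe",
     "image": r"C:\Tools\PsExec64.exe", "cmdline": r"PsExec64 \\WS-045 -s cmd /c C:\Windows\x.exe"},
    {"host": "WS-051", "user": "acme\\kdoe", "parent": "explorer.exe",
     "image": r"C:\Windows\System32\notepad.exe", "cmdline": "notepad.exe notes.txt"},
]
# Hosts on which each tool is routinely seen (built from a quiet window, e.g. 30 days).
BASELINE = {"wmic": {"BUILD-01"}, "psexec": set()}


def image_name(path):
    """Basename of an image path, lower-cased, for either slash style."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def classify(event):
    """Return (tool, severity, reason), or None if the image is not WMIC/PsExec."""
    tool = TOOLS.get(image_name(event["image"]))
    if tool is None:
        return None
    cmd = event["cmdline"]
    if tool == "wmic" and WMIC_REMOTE.search(cmd):
        return tool, "high", "wmic remote process creation (/node: ... process call create)"
    if tool == "psexec" and PSEXEC_REMOTE.search(cmd):
        return tool, "high", "psexec execution against a remote host"
    return tool, "low", f"{tool} executed locally"


def hunt(events, baseline):
    """Flag WMIC/PsExec use; raise severity one level on hosts outside the baseline.

    Returns (findings, spread), where spread maps a source host to the distinct
    remote targets it reached when there were two or more.
    """
    findings, targets = [], defaultdict(set)
    for ev in events:
        hit = classify(ev)
        if hit is None:
            continue
        tool, sev, reason = hit
        if ev["host"] not in baseline.get(tool, set()):
            sev = LEVELS[min(LEVELS.index(sev) + 1, len(LEVELS) - 1)]
            reason += "; tool not seen on this host in baseline"
        findings.append({"host": ev["host"], "user": ev["user"], "tool": tool,
                         "severity": sev, "reason": reason, "cmdline": ev["cmdline"]})
        for m in TARGET.finditer(ev["cmdline"]):
            targets[ev["host"]].add(m.group(1).lower())
    spread = {src: sorted(t) for src, t in targets.items() if len(t) >= 2}
    return findings, spread


if __name__ == "__main__":
    found, fan_out = hunt(EVENTS, BASELINE)
    for f in found:
        print(f"[{f['severity']:6}] {f['host']} {f['user']}: {f['reason']} :: {f['cmdline']}")
    print("fan-out:", fan_out)
```

The baseline is what keeps this from paging on every administrator who types `wmic os get caption`: local use on a host that runs the tool every day stays low, while the same tool on a workstation that has never run it is raised a level, and `/node:` plus `process call create` or a `\\target` argument is high regardless of baseline. Renamed copies of PsExec will not match on image name; hashing the binary or matching the PSEXESVC service it installs on the target closes that gap.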

With WannaCry and now NotPetya, we expect a continued rise in these kinds of attacks. The release of the recent NSA exploits has given ambitious attackers the tools they need to push out their malware. And while ransomware can be a high-profile vehicle, more destructive payloads could be delivered the same way. It has always been 'how' to get the threat to spread (worm-like, or via social engineering) that is the hardest part for them.

UK Parliament Need To Make Their Email System Secure After Attack – Charles Leaver

Written By Dr Al Hartmann And Presented By Ziften CEO Charles Leaver


In cyberspace the sheep get shorn, chumps get chumped, dupes get duped, and pawns get pwned. We have just seen another fine example of this in the recent attack on the UK Parliament email system.

Instead of admitting to an email system that was insecure by design, the official statement read:

Parliament has strong steps in place to safeguard all our accounts and systems.

Tell us another one. The one protective measure we did see at work was blame deflection: it must have been the Russians, that always works, while blaming the victims for their policy violations. While details of the attack are scarce, combing various sources does help assemble at least the broad picture. If these accounts are anywhere near accurate, the UK Parliament email system's failings are egregious.

What failed in this scenario?

Rely on single-factor authentication

"Password security" is an oxymoron: anything protected by a password alone is insecure, period, regardless of the strength of the password. And please, no 2FA here; it might impede the attackers.

Impose no limit on failed login attempts

Aided by single-factor authentication, this allows easy brute-force attacks, no skill required. But when attacked, blame elite foreign hackers; nobody can verify it.

Perform no brute-force attack detection

Allow attackers to conduct (otherwise trivially detectable) brute-force attempts for extended periods (12 hours against the UK Parliament system) to maximize the scope of account compromise.

Don't enforce policy; treat it as mere advice

Combined with single-factor authentication, no limit on failed logins, and no brute-force detection, don't enforce any password strength validation. Give attackers genuinely low-hanging fruit.
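The three missing controls above (a failed-login limit, brute-force and password-spray detection, and an enforced password policy) as one added example, not code from the post or from Parliament's mail system. The thresholds, account names and source addresses are constructed; the injectable clock exists only so the behaviour can be exercised deterministically.

```python
"""Per-account failed-login limits, brute-force / password-spray detection and
an enforced password policy: the controls the post says the mail system lacked.

Added example, not from the post; thresholds, accounts and addresses are
constructed. Credentials are stored as salted PBKDF2 hashes and compared in
constant time, so a failed attempt reveals nothing about the stored value.
"""
import hashlib
import hmac
import os
import time
from collections import defaultdict, deque

MAX_FAILURES = 5        # failures per account inside WINDOW before lockout
WINDOW = 15 * 60        # seconds
LOCKOUT = 15 * 60       # seconds
SPRAY_ACCOUNTS = 10     # one source failing against this many accounts in WINDOW
MIN_LENGTH = 12
BANNED = frozenset({"password", "parliament1", "welcome1", "summer2017"})


def password_is_acceptable(pw):
    """Enforce, rather than merely advise, a minimum password policy."""
    return len(pw) >= MIN_LENGTH and pw.lower() not in BANNED


def hash_password(pw, salt=None):
    salt = salt or os.urandom(16)
    return salt, hashlib.pbkdf2_hmac("sha256", pw.encode(), salt, 100_000)


class AuthGuard:
    def __init__(self, now=time.time):
        self.now = now                       # injectable clock for testing
        self.creds = {}                      # account -> (salt, hash)
        self.failures = defaultdict(deque)   # account -> failure timestamps
        self.locked_until = {}               # account -> unlock time
        self.by_source = defaultdict(dict)   # src -> {account: last failure time}
        self.alerts = []                     # what the SOC should see

    def set_password(self, account, pw):
        if not password_is_acceptable(pw):
            return False
        self.creds[account] = hash_password(pw)
        return True

    def _verify(self, account, pw):
        if account not in self.creds:
            return False
        salt, stored = self.creds[account]
        return hmac.compare_digest(hash_password(pw, salt)[1], stored)

    def login(self, account, pw, src):
        t = self.now()
        if self.locked_until.get(account, 0) > t:
            return "locked"                  # no hint whether pw was right
        if self._verify(account, pw):
            self.failures.pop(account, None)
            return "ok"
        # record the failure and apply the per-account limit
        dq = self.failures[account]
        dq.append(t)
        while dq and dq[0] < t - WINDOW:
            dq.popleft()
        if len(dq) >= MAX_FAILURES:
            self.locked_until[account] = t + LOCKOUT
            self.alerts.append(("lockout", account, src))
        # detect a spray: one source, many accounts, a few tries each
        self.by_source[src][account] = t
        recent = sum(1 for ts in self.by_source[src].values() if ts >= t - WINDOW)
        if recent == SPRAY_ACCOUNTS:
            self.alerts.append(("spray", src, recent))
        return "failed"
```

Two caveats a practitioner would add. A per-account lockout on its own lets an attacker lock legitimate users out by guessing against their names, so it should be paired with per-source throttling or progressive delays rather than replace them. And the spray check matters more than the lockout: an attacker who tries one common password against hundreds of accounts never trips a per-account limit, which is why the detection keys on the source and counts distinct accounts.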

Rely on unauthenticated, unencrypted email for sensitive communications

If attackers succeed in compromising email accounts or sniffing your network traffic, give them plenty of opportunity to harvest high-value message content entirely in the clear. This also conditions constituents to trust easily spoofed email from Parliament, creating an ideal environment for phishing constituents.

Lessons learned

In addition to adding "Common Sense for Dummies" to their summer reading lists, the UK Parliament email system administrators may want to take further action. Strengthening weak authentication practices, enforcing policies, improving network and endpoint visibility with continuous monitoring and anomaly detection, and fully reconsidering secure messaging are the recommended steps. Penetration testing would have uncovered these basic weaknesses while staying well away from media attention.

Even a few bright high-schoolers with a free weekend could have replicated this attack. And finally, stop blaming the Russians for your own security failings. Assume that any weakness in your security architecture and policy framework will be probed and exploited by some attacker somewhere on the global internet. All the more reason to find and fix those weaknesses before the adversaries do, so get started immediately. And if your defenders lack visibility into attacks in progress, upgrade your monitoring and analytics.


SysSecOps Is The Solution To The IT And Security Gap – Charles Leaver

Written By Charles Leaver Ziften CEO


Scott Raynovich nailed it. Having worked with numerous organizations, he understood that one of the biggest challenges is that security and operations are two separate departments, with drastically different goals, different tools, and different management structures.

Scott and his analyst firm, Futuriom, just completed a study, "Endpoint Security and SysSecOps: The Growing Trend to Build a More Secure Enterprise", in which one of the key findings was that conflicting IT and security objectives hinder professionals on both teams from achieving their goals.

That is exactly what we believe at Ziften, and the term Scott coined for the convergence of IT and security in this domain, SysSecOps, describes perfectly what we have been talking about. Security teams and IT teams need to be on the same page. That means sharing the same goals and, in some cases, sharing the same tools.

Consider the tools IT people use. They are designed to ensure the infrastructure and end devices are working properly and, when something fails, to help fix it. On the endpoint side, those tools help ensure that devices allowed onto the network are configured correctly, run software that is authorized and properly updated and patched, and haven't logged any faults.

Consider the tools security people use. They enforce security policies on devices, infrastructure, and security appliances (like firewalls). This may include actively monitoring incidents, scanning for abnormal behaviour, analysing files to ensure they do not contain malware, consuming the latest threat intelligence, matching against newly discovered zero-days, and analysing log files.

Discovering fires, fighting fires

Those are two different worlds. The security teams are fire spotters: they can see that something bad is happening, work quickly to isolate the problem, and determine whether damage occurred (such as data exfiltration). The IT teams are the firefighters on the ground: they jump into action when an incident hits to ensure systems are made safe and brought back into operation.

Sounds good, right? Unfortunately, all too often they don't talk to each other; it is like having fire spotters and firefighters using different radios, different jargon, and different city maps. Worse, the teams can't share the same data directly.

Our approach to SysSecOps is to give both the IT and security teams the same resources, and that means the same reports, presented in ways appropriate to each set of professionals. It isn't dumbing down; it is working smarter.

It is absurd to operate any other way. Take the WannaCry infection, for example. Microsoft had issued a patch back in March 2017 (MS17-010) that fixed the underlying SMB flaw. IT operations teams didn't install the patch because they didn't think it was a big deal and didn't talk to security. Security teams didn't know whether the patch was installed because they don't talk to operations. SysSecOps would have had everyone on the same page, and might well have prevented the problem.

Missing data means waste and danger

The inefficient gap between IT operations and security exposes companies to risk. Preventable risk. Unnecessary risk. It is simply unacceptable.

If your company's IT and security teams aren't on the same page, you are incurring risks and costs you shouldn't have to. It is waste. Organizational waste. It is wasteful because you have too many tools providing partial data with gaps, and each of your teams sees only part of the picture.

As Scott concluded in his report, "Coordinated SysSecOps visibility has already shown its worth in helping organizations evaluate, analyze, and avoid significant dangers to the IT systems and endpoints. If these objectives are pursued, the security and management threats to an IT system can be considerably decreased."

If your teams work together in a SysSecOps way, if they can see the same data at the same time, you not only get better security and more efficient operations, but also lower risk and lower costs. Our Zenith software can help you achieve that, not only working with your existing IT and security tools but also filling the gaps to ensure everyone has the right data at the right time.

Detected WannaCry And Responded To It Swiftly Through Ziften / Splunk Integration – Charles Leaver

Written by Joel Ebrahami and presented by Charles Leaver


WannaCry has generated a lot of media attention. It may not have had the huge infection rates we have seen with many earlier worms, but in today's security world the number of systems it was able to infect in one day was still somewhat shocking. The goal of this post is NOT to provide a comprehensive analysis of the threat, but rather to look at how the exploit behaves on a technical level with Ziften's Zenith platform and the integration we have with our technology partner Splunk.

Visibility of WannaCry in Ziften Zenith

My first step was to reach out to the Ziften Labs threat research team to see what details they could provide about WannaCry. Josh Harriman, VP of Cyber Security Intelligence, heads up our research group and told me that they had samples of WannaCry running in our 'Red Lab' to observe the behaviour of the threat and conduct further analysis. Josh sent me the details of what he had found when examining the WannaCry samples in the Ziften Zenith console, and I present them in this post.

The Red Lab has systems covering all the most common operating systems with different services and configurations. There were already systems in the lab that were deliberately vulnerable to the WannaCry threat. Our global threat intelligence feeds used in the Zenith platform are updated in real time, and had no trouble detecting the malware in our lab environment (see Figure 1).

Two lab systems have been identified running the malicious WannaCry sample. While it is great to see our global threat intelligence feeds updated so quickly and identifying the ransomware samples, there were other behaviours we observed that would have identified the ransomware threat even if there had not been a signature.

Zenith agents collect a large amount of data about what is happening on each host. From this visibility data we build non-signature-based detection techniques that look for commonly malicious or anomalous behaviours. Figure 2 below shows the behavioural detection of the WannaCry threat.

Examining the Scope of WannaCry Infections

Once it has been detected, whether by signature or behavioural methods, it is very easy to see which other systems have also been infected or are exhibiting similar behaviour.

WannaCry Detections with Ziften and Splunk

After reviewing this information, I decided to run the WannaCry sample in my own environment on a vulnerable system. I had one vulnerable system running the Zenith agent, and in this example my Zenith server was already configured to integrate with Splunk. This allowed me to look at the same information inside Splunk. Let me explain the integration that exists with Splunk.

We have two Splunk apps for Zenith. The first is our technology add-on (TA): its job is to ingest and index ALL the raw data from the Zenith server that the Ziften agents generate. As this data arrives it is mapped into Splunk's Common Information Model (CIM) so that it is normalized and can be easily searched, as well as used by other apps such as the Splunk App for Enterprise Security (Splunk ES). The Ziften TA also includes Adaptive Response capabilities for taking actions from alerts rendered in Splunk ES. The second app is a dashboard that displays our data with all the graphs and charts available in Splunk, making the data much easier to digest.

Since I already had the information on how the WannaCry threat behaved in our research lab, I had the advantage of knowing what to look for in Splunk using the Zenith data. In this case I was able to see a signature alert using the VirusTotal integration with our Splunk app (see Figure 4).

Threat Hunting for WannaCry Ransomware in Ziften and Splunk

But I wanted to put on my "incident responder hat" and investigate this in Splunk using the Zenith agent data. My first thought was to search the systems in my lab for ones running SMB, since that was the initial vector for the WannaCry attack. The Zenith data is encapsulated in various message types, and I knew that I would probably find SMB data in the running-process message type; nevertheless, I used Splunk's * wildcard on the Zenith sourcetype so I could search all Zenith data. The resulting search looked like 'sourcetype=ziften:zenith:* smb'. As I expected I got one result back for the system that was running SMB (see Figure 5).

My next step was to use the same behavioural search we have in Zenith that looks for common crypto-ransomware and see if I could get results back. Again this was very simple to do from the Splunk search bar. I used the same wildcard sourcetype as before so I could search across all Zenith data, and this time I added the 'delete shadows' string to see if this behaviour was ever issued at the command line. My search looked like 'sourcetype=ziften:zenith:* delete shadows'. This search returned results, shown in Figure 6, that showed me in detail the process that was created and the full command line that was executed.
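What the TA's CIM mapping and the two wildcard searches above amount to, as an added example that is not the Ziften TA or Splunk itself: raw agent process records are normalized onto CIM Endpoint.Processes field names, and a small free-text search with Splunk's semantics (terms are case-insensitive whole tokens, AND'd together) is run across every sourcetype matching `ziften:zenith:*`. The raw keys (hostname, username, proc_path, cmd_line, parent_name, pid, msg_type, service) are an assumed agent schema, the sourcetype suffixes are assumed, and all three events are constructed; the CIM names used (dest, user, process_name, process_path, process, parent_process_name, process_id) are real Endpoint.Processes fields.

```python
"""Normalize raw endpoint process records into Splunk CIM Endpoint.Processes
fields, then run the post's two free-text hunts ("smb", "delete shadows")
across every sourcetype, as a wildcard sourcetype search does.

Added example, not the Ziften TA. Raw keys, sourcetype suffixes and all
events are assumed/constructed; the CIM field names are the real ones.
"""
import fnmatch
import re

RAW_EVENTS = [  # constructed
    {"hostname": "lab-win7-01", "username": "LAB\\analyst", "pid": 812,
     "proc_path": r"C:\Windows\System32\svchost.exe", "cmd_line": "svchost.exe -k netsvcs",
     "parent_name": "services.exe", "msg_type": "running_process",
     "service": "LanmanServer (Server Message Block file sharing, SMB)"},
    {"hostname": "lab-win7-01", "username": "LAB\\analyst", "pid": 2244,
     "proc_path": r"C:\Windows\System32\cmd.exe",
     "cmd_line": "cmd.exe /c vssadmin delete shadows /all /quiet & wmic shadowcopy delete",
     "parent_name": "sample.exe", "msg_type": "process_create"},
    {"hostname": "lab-win10-02", "username": "LAB\\backup", "pid": 4120,
     "proc_path": r"C:\Windows\System32\vssadmin.exe", "cmd_line": "vssadmin list shadows",
     "parent_name": "backup-agent.exe", "msg_type": "process_create"},
]


def to_cim(raw):
    """Map one raw record onto CIM Endpoint.Processes field names.

    Normalizing at ingest is what lets Splunk ES correlation searches and
    other apps query endpoint data without knowing the agent's native schema.
    """
    ev = {
        "sourcetype": "ziften:zenith:" + raw["msg_type"],   # assumed naming
        "dest": raw["hostname"],
        "user": raw["username"],
        "process_path": raw["proc_path"],
        "process_name": raw["proc_path"].rsplit("\\", 1)[-1].lower(),
        "process": raw["cmd_line"],
        "parent_process_name": raw["parent_name"],
        "process_id": raw["pid"],
    }
    if "service" in raw:
        ev["service"] = raw["service"]   # carried through as an extra field
    return ev


def tokens(event):
    """Case-folded search tokens from every field value, Splunk-style."""
    text = " ".join(str(v) for v in event.values())
    return {t.lower() for t in re.findall(r"[A-Za-z0-9_.\-]+", text)}


def search(events, sourcetype_glob, *terms):
    """Free-text search: every term must appear as a whole token (AND)."""
    wanted = {t.lower() for t in terms}
    return [ev for ev in events
            if fnmatch.fnmatchcase(ev["sourcetype"], sourcetype_glob)
            and wanted <= tokens(ev)]


def affected_hosts(events):
    """Scope an incident: hosts where a shadow-copy deletion was observed."""
    return sorted({ev["dest"] for ev in
                   search(events, "ziften:zenith:*", "delete", "shadows")})


if __name__ == "__main__":
    cim = [to_cim(r) for r in RAW_EVENTS]
    for hit in search(cim, "ziften:zenith:*", "smb"):
        print("SMB host:", hit["dest"], "<-", hit["sourcetype"])
    for hit in search(cim, "ziften:zenith:*", "delete", "shadows"):
        print("shadow deletion:", hit["dest"], hit["process_name"], "::", hit["process"])
    print("affected:", affected_hosts(cim))
```

Note the AND semantics: `delete shadows` unquoted is two terms, so the legitimate `vssadmin list shadows` on the backup host matches `shadows` but not the pair, which is the difference between a hunt that finds the ransomware and one that pages on every backup job.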

Having all this detail within Splunk made it very easy to determine which systems were vulnerable and which had already been compromised.

WannaCry Remediation Using Splunk and Ziften

One of the next steps in any kind of breach is to remediate the compromise as fast as possible to prevent further damage, and to act to prevent any other systems from being compromised. Ziften is one of the founding Splunk Adaptive Response members, and there are a variety of actions (see Figure 7) that can be taken through Splunk's Adaptive Response to reduce these risks via extensions on Zenith.

In the case of WannaCry we could have used almost any of the Adaptive Response actions currently available from Zenith. When trying to minimize the impact and prevent WannaCry in the first place, one action is to shut down SMB on any systems running the Zenith agent where the version of SMB running is known to be vulnerable. With a single action Splunk can pass to Zenith the agent IDs or IP addresses of all the vulnerable systems on which we want to stop the SMB service, thereby preventing the threat from ever occurring and allowing the IT operations team to get those systems patched before starting the SMB service again.

Preventing Ransomware from Spreading or Exfiltrating Data

Now, in the event that we have already been compromised, it is vital to prevent further exploitation and stop the possible exfiltration of sensitive data or corporate intellectual property. There are really three actions we could take. The first two are similar: we could kill the malicious process either by PID (process ID) or by its hash. This is effective, but since malware will often just respawn under a new process, or be polymorphic and have a different hash, we can instead use an action that is guaranteed to block any inbound or outbound traffic from the infected systems: network quarantine. This is another example of an Adaptive Response action available through Ziften's integration with Splunk ES.

WannaCry is already subsiding, but hopefully this technical post shows the value of the Ziften and Splunk integration in dealing with ransomware threats against the endpoint.

Major Breach Caused By Info Leak. You Must Get Security Paranoid – Charles Leaver

Written By Charles Leaver Ziften CEO


Whatever you do, don't underestimate attackers. Even the most paranoid "normal" person wouldn't worry about credentials stolen from their heating, ventilation and air conditioning (HVAC) contractor being the source of a data breach. Yet that is what happened at Target in November 2013. Attackers got into Target's network using credentials issued to the contractor, most likely so it could monitor the HVAC system. (For a good analysis, see Krebs on Security.) And then the attackers were able to use that foothold to inject malware into point-of-sale (POS) systems and exfiltrate payment card details.

A number of ludicrous mistakes were made here. Why was the HVAC contractor given access to the corporate network? Why wasn't the HVAC system on a separate, completely isolated network? Why wasn't the POS system on a separate network? And so on.

The point is that in a very complex network there are countless potential vulnerabilities that could be exploited through negligence, unpatched software, default passwords, social engineering, spear phishing, or insider actions. You get the idea.

Whose job is it to find and fix those vulnerabilities? The security team. The CISO's team. Security professionals aren't "normal" people. They are paid to be paranoid. Make no mistake: regardless of the specific technical vulnerability that was exploited, this was a CISO failure to anticipate the worst and prepare accordingly.

I can't speak to the Target HVAC breach specifically, but there is one overwhelming reason why breaches like this happen: a lack of budgetary priority for cybersecurity. I'm not sure how often companies fail to fund security simply because they are cheap and would rather do a share buyback. Or perhaps the CISO is too timid to ask for what is needed, or has been told she gets a 5% increase regardless of need. Perhaps the CEO is worried that disclosing large allocations for security will alarm investors. Perhaps the CEO is simply naive enough to believe the company won't be targeted by hackers. Bad news: every company is targeted by cybercriminals.

There are huge battles over budgets. The IT department wants to fund upgrades and improvements, and to attack the backlog of demand for new and better applications. On the other side, you have line-of-business managers who see IT projects as directly helping the bottom line. They are optimists, and they get lots of CEO attention.

By contrast, the security department too often has to fight for crumbs. It is seen as a cost center. Security reduces business risk in a way that matters to the CFO, the CRO (chief risk officer, if there is one), the general counsel, and other pessimists who care about compliance and reputation. These green-eyeshade people think about worst-case scenarios. That doesn't win friends, and budget dollars are allocated grudgingly at most companies (until the company gets burned).

Call it naivety, call it institutional hostility, but it is a real problem. You can't have IT given great tools to move the business forward while security is starved and making do with second best.

Worse, you don't want to end up in situations where the rightly paranoid security teams are working with tools that don't mesh well with their IT counterparts' tools.

If IT and security tools don't fit together well, IT may not be able to act quickly in response to dangerous situations that the security teams are monitoring or worried about: things like reports from threat intelligence, discoveries of unpatched vulnerabilities, nasty zero-day exploits, or user behaviours that indicate risky or suspicious activity.

One idea: find tools for both departments that are designed with both IT and security in mind from the start, rather than IT tools patched to provide some minimal security capability. One budget line (take it out of IT, they have more money), but two workflows, one designed for the IT professional and one for the CISO's team. Everybody wins, and next time somebody wants to give the HVAC contractor access to the network, maybe security will notice what IT is doing and head that disaster off at the pass.

Ziften Will Help You Solve The WannaCry Ransomware Problem – Charles Leaver

Written By Michael Vaughn And Presented By Charles Leaver Ziften CEO


Answers To Your Concerns About WannaCry Ransomware

The WannaCry ransomware attack has so far infected more than 300,000 computers in 150 countries by exploiting vulnerabilities in Microsoft's Windows operating system.
In this short video, Chief Data Scientist Dr. Al Hartmann and I discuss the nature of the attack, as well as how Ziften can help organizations protect themselves from the vulnerability exploited by "EternalBlue".

As mentioned in the video, the problem with the Server Message Block (SMB) file sharing service is that it is present on most Windows operating systems and found in most environments. However, we make it easy to determine which systems in your environment have or haven't been patched to date. Importantly, Ziften Zenith can also remotely disable the SMB file sharing service entirely, giving organizations valuable time to ensure those machines are properly patched.

If you want to learn more about Ziften Zenith, our 20-minute demo includes a consultation with our specialists on how we can help your organization avoid the worst digital catastrophe to hit the internet in years.

Choose The Right Next Gen Endpoint Security Solution Using These Ten Tips – Charles Leaver

Written By Roark Pollock And Presented By Charles Leaver CEO Ziften


The Endpoint Security Purchaser’s Guide

The most common entry point for an advanced persistent attack or a breach is the endpoint. And endpoints are certainly the entry point for most ransomware and social engineering attacks. Using endpoint security products has long been considered a best practice for securing endpoints. Unfortunately, those tools aren't keeping pace with today's threat environment. Advanced threats, and truth be told even less sophisticated threats, are often more than adequate for tricking the average employee into clicking something they shouldn't. So companies are looking at and evaluating a myriad of next-generation endpoint security (NGES) solutions.

With this in mind, here are ten tips to consider if you're looking at NGES solutions.

Tip 1: Start with the end in mind

Don't let the tail wag the dog. A threat reduction strategy should always begin by assessing problems and then looking for potential solutions to those problems. But all too often we become captivated by a "shiny" new technology (e.g., the latest silver bullet) and end up trying to squeeze that technology into our environments without fully assessing whether it solves an understood and recognized problem. So what problems are you trying to solve?

– Is your current endpoint security tool failing to stop threats?
– Do you need better visibility into activity at the endpoint?
– Are compliance requirements mandating continuous endpoint monitoring?
– Are you trying to reduce the time and cost of incident response?

Define the problems to address, and then you'll have a yardstick for success.

Tip 2: Know your audience. Exactly who will be using the tool?

Understanding the problem that needs to be solved is a key first step in understanding who owns the problem and who would (operationally) own the solution. Every functional group has its strengths, weaknesses, preferences and biases. Define who will need to use the solution, and who else might benefit from its use. It could be:

– The security team,
– The IT team,
– The governance, risk & compliance (GRC) team,
– The helpdesk or end-user support team,
– Or even the server team, or a cloud operations team?

Tip 3: Know what you mean by endpoint

Another often overlooked early step in defining the problem is defining the endpoint. Yes, we all used to know what we meant when we said endpoint, but today endpoints come in many more varieties than before.

Sure, we want to protect desktops and laptops, but what about mobile devices (e.g. smartphones and tablets), virtual endpoints, cloud-based endpoints, or Internet of Things (IoT) devices? And what about your servers? All these devices, of course, come in many flavours, so platform support has to be addressed as well (e.g. Windows only, macOS, Linux, etc.?). Also consider support for endpoints even when they are working remotely or offline. What are your requirements and what are the "nice to haves"?

Tip 4: Start with a foundation of continuous visibility

Continuous visibility is a foundational capability for addressing a host of security and operational management problems on the endpoint. The old saying is true: you can't manage what you can't see or measure. Further, you can't secure what you can't properly manage. So it has to start with continuous, all-the-time visibility.

Visibility is foundational to Security and Management

And think about what visibility means. Enterprises need one source of truth that at a minimum monitors, stores, and analyses the following:

– System data – events, logs, hardware state, and file system information
– User data – activity logs and behaviour patterns
– Application data – attributes of installed applications and usage patterns
– Binary data – attributes of installed binaries
– Process data – execution tracking details and statistics
– Network connectivity data – statistics and internal behaviour of network activity on the host

Tip 5: Decide where your visibility data is stored

Endpoint visibility data can be stored and analysed on premises, in the cloud, or some combination of both. There are benefits to each. The appropriate approach varies, but is usually dictated by regulatory requirements, internal privacy policies, the endpoints being monitored, and overall cost considerations.

Know whether your organization requires on-premise data retention

Know whether your organization allows cloud-based data retention and analysis, or whether you are constrained to on-premise options only. At Ziften, 20-30% of our customers store data on-premise only, for regulatory reasons. However, if it is legally an option, the cloud can offer cost advantages (among others).

Tip 6: Know what is on your network

Understanding the problem you are trying to solve requires understanding the assets on the network. We have found that as many as 30% of the endpoints we initially discover on customers' networks are unmanaged or unknown devices. This obviously creates a big blind spot. Minimizing this blind spot is an important best practice. In fact, SANS Critical Security Controls 1 and 2 are to perform an inventory of authorized and unauthorized devices and software attached to your network. So look for NGES solutions that can fingerprint all connected devices, track software inventory and usage, and perform ongoing continuous discovery.

Tip 7: Know where you are vulnerable

After determining which devices you need to watch, you have to make sure they are running in up-to-date configurations. SANS Critical Security Control 3 recommends secure configuration monitoring for laptops, workstations, and servers. SANS Critical Security Control 4 recommends continuous vulnerability assessment and remediation of these devices. So look for NGES solutions that provide all-the-time monitoring of the state or posture of each device, and it is even better if they can help enforce that posture.

Also look for solutions that provide continuous vulnerability assessment and remediation.

Keeping your entire endpoint environment hardened and free of critical vulnerabilities prevents a substantial number of security problems and removes a great deal of back-end pressure on the IT and security operations teams.

Tip 8: Cultivate continuous detection and response

A key end goal for many NGES solutions is supporting continuous device state monitoring to enable effective threat or incident response. SANS Critical Security Control 19 recommends robust incident response and management as a best practice.

Look for NGES solutions that provide all-the-time or continuous threat detection, leveraging a network of global threat intelligence and multiple detection techniques (e.g., signature, behavioural, machine learning, etc.). And look for incident response solutions that help prioritize identified threats and/or issues and provide workflow with contextual system, application, user, and network data. This can help automate the appropriate response or next steps. Finally, understand all the response actions each solution supports, and look for a solution that provides remote access that is as close as possible to "sitting at the endpoint keyboard".

Tip 9: Consider forensic data collection

In addition to incident response, organizations need to be prepared to address the need for forensic or historical data analysis. SANS Critical Security Control 6 recommends the maintenance, monitoring and analysis of all audit logs. Forensic analysis can take many forms, but a foundation of historical endpoint monitoring data will be crucial to any investigation. So look for solutions that retain historical data that enables forensic tasks such as:

– Forensic jobs include tracing lateral risk motion through the network gradually,
– Pinpointing data exfiltration efforts,
– Identifying origin of breaches, and
– Identifying appropriate removal actions.

Tip 10: Tear down the walls

IBM’s security team, which supports a remarkable ecosystem of security partners, estimates that the average enterprise has 135 security tools in place and works with 40 security vendors. IBM’s customers certainly skew toward large enterprises, but it is a common refrain (complaint) from organizations of all sizes that security products don’t integrate well.

And the problem is not just that security products don’t play well with other security products, but also that they don’t always integrate well with systems management, patch management, CMDB, NetFlow analytics, ticketing systems, and orchestration tools. Organizations need to consider these (and other) integration points, as well as the vendor’s willingness to share raw data, not just metadata, through an API.

Bonus Tip 11: Plan for customization

Here’s a bonus tip. Assume that you will want to tailor that shiny new NGES solution soon after you get it. No solution will meet all of your needs right out of the box, in its default configuration. Find out how the solution supports:

– Custom data collection,
– Alerting and reporting on custom data,
– Custom scripting, or
– IFTTT (if this, then that) functionality.

You know you’ll want new paint or new wheels on that NGES solution soon, so make sure it will support your future customization projects easily enough.

Look for support for easy customization in your NGES solution.

Follow most of these tips and you will undoubtedly avoid many of the common mistakes that plague others in their evaluations of NGES solutions.

Ziften Is The Very Best At Protection From End To End – Charles Leaver

Written By Ziften CEO Charles Leaver


Do you want to manage and protect your endpoints, your data center, your network and the cloud? If so, Ziften can provide the best solution for you. We collect data, and let you correlate and use that data to make decisions and stay in control of your enterprise.

The information that we receive from everyone on the network can make a real-world difference. Consider the inference that the 2016 U.S. elections were influenced by hackers from another nation. If that is true, hackers can do almost anything, and the idea that we’ll accept that as the status quo is simply ludicrous.

At Ziften, we believe the best way to fight those threats is with greater visibility than you have ever had. That visibility spans the whole enterprise and links all the major players together. On the back end, that’s physical and virtual servers in the data center and the cloud; applications, containers and infrastructure. On the other side, it’s laptops and desktops, no matter how and where they are connected.

End to end: that’s the thinking behind everything we do at Ziften. From endpoint to cloud, all the way from a browser to a DNS server. We tie all of that together, with all the other pieces, to offer your organization a complete solution.

We also record and store real-time data for up to 12 months, to tell you what is happening on the network today, and to provide historical trend analysis and alerts if something changes.

That lets you detect IT faults and security issues immediately, and also track down the root cause by looking back in time to see where a fault or breach may have first occurred. Active forensics are an absolute must in this business: after all, where a breach or fault triggered an alarm may not be where the problem began, or where an attacker is operating.

Ziften gives your security and IT teams the visibility to understand your current security posture and recognize where improvements are needed. Non-compliant endpoints? Found. Rogue devices? Found. Off-network penetration? Detected. Out-of-date firmware? Unpatched applications? All found. We’ll not only help you find the problem, we’ll help you fix it, and make sure it stays fixed.

End-to-end security and IT management. Real-time and historical active forensics. On-site, offline, in the cloud. Incident detection, containment and response. We have it all covered. That’s what makes Ziften so much better.

Track Your Cloud Activities With ZFlow Which Is Enhanced NetFlow – Charles Leaver

Written by Roark Pollock and Presented by Ziften CEO Charles Leaver


According to Gartner, the public cloud services market surpassed $208 billion last year (2016), a rise of about 17% year over year. Not bad when you consider the ongoing concerns most cloud customers still have about data security. Another particularly interesting Gartner finding is the common practice among cloud customers of contracting services from several public cloud providers.

According to Gartner, “most organizations are already using a combination of cloud services from different cloud providers”. While the business rationale for using multiple providers is sound (e.g., avoiding vendor lock-in), the practice does create extra complexity in monitoring activity across an organization’s increasingly dispersed IT landscape.

While some providers support better visibility than others (for example, AWS CloudTrail can log API calls across the AWS infrastructure), organizations need to understand and deal with the visibility problems that come with moving to the cloud, regardless of the cloud provider or providers they work with.

Unfortunately, the ability to monitor application and user activity, and the network interactions of each VM or endpoint in the cloud, is limited.

Regardless of where computing resources live, organizations must be able to answer the question “Which users, machines, and applications are communicating with each other?” They need visibility across the infrastructure in order to:

  • Rapidly identify and prioritize issues
  • Speed root-cause analysis and identification
  • Reduce the mean time to resolve problems for end users
  • Rapidly identify and eliminate security threats, reducing overall dwell time.

Conversely, poor visibility, or poor access to visibility data, reduces the effectiveness of existing security and management tools.

Organizations that are used to the ease, maturity, and relatively low cost of monitoring physical data centers are going to be disappointed with their public cloud options.

What has been missing is a simple, ubiquitous, and elegant solution like NetFlow for public cloud infrastructure.

NetFlow, of course, has had twenty years or so to become a de facto standard for network visibility. A typical deployment involves monitoring traffic and aggregating flows at network choke points, retrieving and storing flow data from multiple collection points, and analyzing that flow data.

Flows consist of a standard set of source and destination IP addresses plus port and protocol information, typically collected from a switch or router. NetFlow data is relatively cheap and easy to collect, provides near-ubiquitous network visibility, and supports actionable analysis for both network monitoring and performance management applications.

Most IT staff, especially networking and some security teams, are extremely comfortable with the technology.

But NetFlow was built to solve what has become a rather narrow problem, in the sense that it only gathers network data, and does so at a limited number of possible locations.

To make better use of NetFlow, two key changes are needed.

NetFlow at the edge: First, we need to broaden the useful deployment scenarios for NetFlow. Instead of collecting NetFlow only at networking choke points, let’s extend flow collection to the network edge (clients, cloud, and servers). This would considerably widen the picture that any NetFlow analytics provide.

It would let organizations augment and leverage their existing NetFlow analytics tools to remove the growing visibility blind spot around public cloud activity.

Rich, contextual NetFlow: Second, we need to use NetFlow for more than simple visibility of the network.

Instead, let’s use an extended version of NetFlow that includes information on the device, application, user, and binary responsible for each tracked network connection. That would let us quickly tie every network connection back to its source.

These two changes to NetFlow are exactly what Ziften has achieved with ZFlow. ZFlow provides an extended version of NetFlow that can be deployed at the network edge, including as part of a container or VM image, and the resulting data can be consumed and analyzed with existing NetFlow tools. Over and above conventional NetFlow/IPFIX (Internet Protocol Flow Information eXport) network visibility, ZFlow adds details on the user, device, application and binary for every network connection.

Ultimately, this lets Ziften ZFlow provide end-to-end visibility between any two endpoints, physical or virtual, removing traditional blind spots such as east-west traffic in data centers and enterprise cloud deployments.
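What an edge-collected, context-enriched flow record looks like, as an added Python example (this is not Ziften's ZFlow code). Each flow keeps the classic 5-tuple and counters that any NetFlow/IPFIX consumer expects, and adds the pid, binary path, binary hash and user that own the socket. The process table, socket samples and binary allowlist are constructed for the example; a real edge collector would read sockets and process metadata from the operating system (on Linux, for instance, /proc/net/tcp and /proc/<pid>/exe).

```python
"""Endpoint-side extended flow records, in the spirit of ZFlow (added example)."""
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Constructed process table: pid -> (binary path, sha256 of the binary, user)
PROCESSES: Dict[int, Tuple[str, str, str]] = {
    1201: ("/usr/bin/curl", "3f1c...curl", "svc-backup"),
    1342: ("/usr/lib/chromium/chromium", "9a07...chromium", "alice"),
    2077: ("/tmp/.x/kworkerd", "c4e2...unknown", "www-data"),
}

# Constructed socket observations, as an edge collector might sample them:
# (timestamp, proto, src_ip, src_port, dst_ip, dst_port, pid, bytes)
OBSERVATIONS = [
    (1000, "tcp", "10.0.1.5", 51000, "52.14.2.9", 443, 1201, 1800),
    (1001, "tcp", "10.0.1.5", 51000, "52.14.2.9", 443, 1201, 2200),
    (1002, "tcp", "10.0.1.5", 51002, "142.250.1.1", 443, 1342, 900),
    (1003, "tcp", "10.0.1.5", 51010, "185.7.7.7", 3333, 2077, 400),
    (1004, "tcp", "10.0.1.5", 51010, "185.7.7.7", 3333, 2077, 400),
    (1005, "udp", "10.0.1.5", 40000, "10.0.0.2", 53, 1342, 70),
    (1006, "tcp", "10.0.1.5", 51020, "10.0.0.9", 22, 9999, 120),  # pid already exited
]

# Assumed allowlist of binaries expected to talk to the network on this host
ALLOWED_BINARIES = {"/usr/bin/curl", "/usr/lib/chromium/chromium"}


@dataclass
class ExtFlow:
    # Classic NetFlow/IPFIX fields
    proto: str
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    first_seen: int
    last_seen: int
    packets: int = 0
    octets: int = 0
    # Endpoint context that classic flow export lacks
    pid: int = 0
    binary: str = "<unknown>"
    sha256: str = ""
    user: str = "<unknown>"


def build_flows(observations, processes) -> List[ExtFlow]:
    """Aggregate per-socket samples into flows keyed by 5-tuple plus owning pid."""
    flows: Dict[tuple, ExtFlow] = {}
    for ts, proto, sip, sport, dip, dport, pid, nbytes in observations:
        key = (proto, sip, sport, dip, dport, pid)
        flow = flows.get(key)
        if flow is None:
            flow = ExtFlow(proto, sip, sport, dip, dport, ts, ts, pid=pid)
            # Short-lived processes may be gone by the time we look them up:
            # keep the flow and leave its context marked unknown rather than dropping it.
            if pid in processes:
                flow.binary, flow.sha256, flow.user = processes[pid]
            flows[key] = flow
        flow.packets += 1
        flow.octets += nbytes
        flow.last_seen = max(flow.last_seen, ts)
    return list(flows.values())


def who_talked_to(flows: List[ExtFlow], dst_ip: str) -> List[Tuple[str, str, int]]:
    """Answer "which user and binary talked to this host?" straight from the flow records."""
    return sorted({(f.user, f.binary, f.dst_port) for f in flows if f.dst_ip == dst_ip})


def unexpected_network_binaries(flows: List[ExtFlow], allowed) -> List[ExtFlow]:
    """Hunt: flows owned by a binary outside the allowlist, or with no resolvable owner."""
    return [f for f in flows if f.binary not in allowed]


def to_csv(flows: List[ExtFlow]) -> List[str]:
    """Flat rows (header first) that can be loaded into existing flow-analysis tooling."""
    header = "proto,src,sport,dst,dport,first,last,pkts,bytes,pid,binary,sha256,user"
    rows = [header]
    for f in sorted(flows, key=lambda x: x.first_seen):
        rows.append(",".join(str(v) for v in (
            f.proto, f.src_ip, f.src_port, f.dst_ip, f.dst_port, f.first_seen,
            f.last_seen, f.packets, f.octets, f.pid, f.binary, f.sha256, f.user)))
    return rows


if __name__ == "__main__":
    flows = build_flows(OBSERVATIONS, PROCESSES)
    print("\n".join(to_csv(flows)))
    for f in unexpected_network_binaries(flows, ALLOWED_BINARIES):
        print(f"suspicious: {f.user} {f.binary} -> {f.dst_ip}:{f.dst_port}")
```

The point of the extra columns is the last two functions: with only the 5-tuple, the 185.7.7.7:3333 flow is just an outbound connection; with the owning binary and user attached, it is a process in /tmp running as the web server account, which is an answer a hunter can act on. Note the handling of a pid that has already exited: the flow is still exported, with its context marked unknown, so a short-lived process cannot hide simply by finishing before the collector looks.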

Second Part Of Why Edit Difference Is A Critical Detection Tool – Charles Leaver

Written By Jesse Sampson And Presented By Charles Leaver CEO Ziften


In the first post on edit distance, we looked at hunting for malicious executables with edit distance (i.e., how many character changes it takes to make two text strings match). Now let’s look at how we can use edit distance to hunt for malicious domains, and how we can build edit distance features that can be combined with other domain features to pinpoint suspicious activity.

Background

What are bad actors doing with malicious domains? It may be as simple as using a near-spelling of a common domain to trick careless users into viewing advertisements or picking up adware. Legitimate sites are gradually catching on to this technique, sometimes called typosquatting.

Other malicious domains are the product of domain generation algorithms (DGAs), which can be used for all kinds of nefarious things, such as evading countermeasures that block known compromised sites, or overwhelming DNS servers in a distributed denial-of-service attack. Older variants use randomly generated strings, while more advanced ones mix in techniques like injecting common words, further confusing defenders.

Edit distance can help with both use cases; let’s see how. First, we exclude common domain names, since these are usually safe. A list of common domain names also provides a baseline for finding anomalies. One good source is Quantcast. For this discussion, we will stick to registered domain names and ignore subdomains (e.g., not

After data cleaning, we compare each candidate domain (input data observed in the wild by Ziften) to its possible neighbors in the same top-level domain (the last label of a domain name, such as .org, which nowadays can be almost anything). The basic task is to find the nearest neighbor in terms of edit distance. By finding domains that are one step away from their nearest neighbor, we can quickly spot typo-ed domains. By finding domains that are far from their nearest neighbor (the normalized edit distance we introduced in the first post is useful here), we can also find anomalous domains in edit distance space.

Results

Let’s look at how these results appear in practice. Be careful when navigating to these domains, since they may contain malicious content!

Here are a few potential typos. Typosquatters target popular domains, since there is a better chance someone will visit them. Several of these are flagged as suspicious by our threat feed partners, but there are some false positives too, with cute names like “wikipedal”.


Here are some strange-looking domains that are far from their nearest neighbors.


So now we have created two useful edit distance metrics for hunting. Not only that, we have three features to potentially add to a machine learning model: the rank of the nearest neighbor, the distance from that neighbor, and an edit-distance-1-from-neighbor flag indicating a risk of typo tricks. Other features that would go well with these include lexical features such as word and n-gram distributions, entropy, and string length, and network features such as the total count of failed DNS requests.
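The hunting workflow above, end to end, as an added Python example rather than the Vertica SQL from the original post: drop candidates that are themselves popular, compare each remaining candidate only against popular domains in the same TLD, take the nearest neighbor by Levenshtein distance, and emit the three features (neighbor rank, normalized distance, distance-1 typo flag) plus the derived hunting flags. The POPULAR list is a constructed, rank-ordered stand-in for a list such as Quantcast’s, the CANDIDATES are constructed domains, and the 0.6 cut-off on normalized distance is an assumed threshold chosen for illustration.

```python
"""Edit-distance hunting for typo-squats and DGA-style outlier domains (added example)."""
from typing import Dict, List, Optional, Tuple

# Constructed stand-in for a ranked popularity list (rank 1 first)
POPULAR: List[str] = [
    "google.com", "facebook.com", "wikipedia.org", "amazon.com",
    "youtube.com", "twitter.com", "reddit.com", "netflix.com",
]

# Constructed "observed in the wild" candidates; one is itself popular,
# one lives in a TLD with no popular baseline at all
CANDIDATES: List[str] = [
    "gooogle.com", "facebok.com", "wikipediia.org", "amazon.com",
    "xk3jq9z2m.com", "qx7.xyz",
]

FAR_THRESHOLD = 0.6  # assumed cut-off on normalized distance for the "far from neighbor" hunt


def levenshtein(a: str, b: str) -> int:
    """Classic dynamic-programming edit distance (insert / delete / substitute, cost 1 each)."""
    if len(a) < len(b):
        a, b = b, a
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,                  # delete ca
                           cur[j - 1] + 1,               # insert cb
                           prev[j - 1] + (ca != cb)))    # substitute (free if equal)
        prev = cur
    return prev[-1]


def normalized_distance(a: str, b: str) -> float:
    """Edit distance scaled by the longer string: 0.0 = identical, 1.0 = nothing in common."""
    return levenshtein(a, b) / max(len(a), len(b), 1)


def split_domain(domain: str) -> Tuple[str, str]:
    """'name.tld' -> ('name', 'tld'); subdomains are assumed to have been stripped already."""
    name, _, tld = domain.lower().rpartition(".")
    return name, tld


def nearest_popular(candidate: str, popular: List[str]) -> Optional[Tuple[int, str, int]]:
    """Nearest popular domain in the same TLD as (1-based rank, domain, distance), or None."""
    name, tld = split_domain(candidate)
    best = None
    for rank, pop in enumerate(popular, 1):
        pop_name, pop_tld = split_domain(pop)
        if pop_tld != tld:
            continue
        d = levenshtein(name, pop_name)
        if best is None or d < best[2]:   # strict '<' keeps the higher-ranked domain on ties
            best = (rank, pop, d)
    return best


def domain_features(candidate: str, popular: List[str],
                    far_threshold: float = FAR_THRESHOLD) -> Dict:
    """The three edit-distance features plus the two hunting flags for one candidate."""
    name, _ = split_domain(candidate)
    hit = nearest_popular(candidate, popular)
    if hit is None:
        # No popular baseline in this TLD: nothing to measure against, so surface it as an outlier.
        return {"domain": candidate, "neighbor": None, "neighbor_rank": None,
                "distance": None, "norm_distance": None,
                "typo_candidate": False, "outlier": True}
    rank, neighbor, d = hit
    norm = normalized_distance(name, split_domain(neighbor)[0])
    return {"domain": candidate, "neighbor": neighbor, "neighbor_rank": rank,
            "distance": d, "norm_distance": norm,
            "typo_candidate": d == 1, "outlier": norm > far_threshold}


def hunt(candidates: List[str], popular: List[str]) -> List[Dict]:
    """Run the pipeline: exclude popular domains themselves, then score everything else."""
    known = {p.lower() for p in popular}
    return [domain_features(c, popular) for c in candidates if c.lower() not in known]


if __name__ == "__main__":
    for row in hunt(CANDIDATES, POPULAR):
        print(row)
```

Two details matter in practice. Comparing only within the same TLD keeps the neighbor search small and avoids scoring example.org against example.com as a "typo". And a candidate whose TLD has no popular baseline cannot be scored at all; the code surfaces it rather than silently skipping it, which is the safer default for a hunting feed that a human reviews.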

Simplified code you can experiment with

Here is a simplified version of the code to play with. It was written on HP Vertica, but this SQL should work on most modern databases. Note that Vertica’s editDistance function goes by other names elsewhere (e.g., levenshtein from PostgreSQL’s fuzzystrmatch extension, or UTL_MATCH.EDIT_DISTANCE in Oracle).