Why Strategic Alliances In The Security Industry Work – Charles Leaver

Written By Charles Leaver


Nobody can solve cybersecurity alone. No single product company, no single provider, can deal with the whole problem. Taking on security requires cooperation between different players.

In some cases, those companies are at different levels of the solution stack – some install on endpoints, some within applications, others within network routers, others at the telco or in the cloud.

In some cases, those companies each have a specific best-of-breed component: one player concentrates on e-mail, others on crypto, others on interrupting the kill chain.

From the enterprise customer’s viewpoint, effective security requires putting together a set of tools and services into a working whole. From the suppliers’ point of view, effective security requires strategic alliances. Sure, each supplier, whether making hardware, writing software, or offering services, has its own products and intellectual property. Nevertheless, all of us work much better when we work together to enable integrations and make life easy for our resellers, our integrators, and the end customer.

Paradoxically, not only can suppliers make more profit through strategic alliances, but end customers will save money at the same time. Why? A number of reasons.

Customers do not waste money (and time) on solutions that have overlapping capabilities. Customers do not have to waste money (and time) creating custom integrations. And customers won’t waste money (and time) attempting to debug systems that fight each other, for example by generating extra alerts or hard-to-find incompatibilities.

It’s the Trifecta – Products, Solutions, and Channels

All three work together to meet the needs of the enterprise customer, as well as benefit the suppliers, who can concentrate on doing what they do best, relying on strategic alliances to build complete solutions out of jigsaw puzzle pieces.

Generally speaking, those solutions require more than simple APIs – which is where strategic alliances are so important.

Consider the integration between solutions (like a network threat scanner or Ziften’s endpoint visibility solutions) and analytics services. End customers don’t want to operate a dozen different dashboards, and they do not want to manually correlate anomaly findings from a dozen different security tools. Strategic alliances between product vendors and analytics solutions – whether on-site or in the cloud – make sense for everyone. That includes the channel, who can offer and support complete solutions that are already dialed in, already debugged, already documented, and will work with the least fuss possible.

Or consider the integration of products and managed security services providers (MSSPs). They want to offer prospective customers pre-packaged solutions, ideally ones that can run in their multi-tenant clouds. That means that the products need to be scalable, with synergistic license terms. They must be well-integrated with the MSSP’s existing dashboards and administrative control systems. And naturally, they need to feed into predictive analytics and incident response programs. The best way to do that? Through strategic alliances, both horizontally with other product suppliers, and with major MSSPs too.

How about major value-added resellers (VARs)? VARs need products that are easy to understand, easy to support, and easy to add to existing security deployments. This makes new products more attractive, more affordable, easier to install, easier to support – and reinforces the VAR’s customer relationships.

What do they look for when adding to their solution portfolio? New solutions that have strategic alliances with their existing solution offerings. If you do not dovetail into the VAR’s portfolio partners, well, you probably do not fit in.

Two Examples: Fortinet and Microsoft

Nobody can solve cybersecurity alone, and that includes giants like Fortinet and Microsoft.

Consider the Fortinet Fabric-Ready Partner Program, where technology alliance partners integrate with the Fortinet Security Fabric by means of Fabric APIs and are able to actively collect and share information to improve threat intelligence, improve overall threat awareness, and broaden threat response from end to end. As Fortinet explains in its Fortinet Fabric-Ready Partner Program Overview, “partner inclusion in the program signals to consumers and the industry as a whole that the partner has teamed up with Fortinet and leveraged the Fortinet Fabric APIs to establish confirmed, end-to-end security services.”

Likewise, Microsoft is pursuing a similar strategy with the Windows Defender Advanced Threat Protection program. Microsoft recently selected only a few key partners for this security program, saying, “We have actually heard from our clients that they desire security and visibility into prospective threats on all their device platforms and we have actually turned to partners to help resolve this requirement. Windows Defender ATP provides security teams a single pane of glass for their endpoint security and now by teaming up with these partners, our consumers can extend their ATP service to their whole set up base.”

We’re the first to admit: Ziften cannot solve security alone. No one can. The best way forward for the security market is to move forward together, through strategic alliances bringing together product vendors, service providers, and the channel. That way, all of us win: suppliers, service providers, channel partners, and enterprise customers alike.

Flexibility Is A Critical Component Of SysSecOps – Charles Leaver

Written By Charles Leaver


You will find that endpoints are everywhere. The device you read this on is an endpoint, whether it’s a desktop, notebook, tablet, or phone. The HVAC controller for your building is an endpoint, assuming it’s connected to a network, and so are the WiFi access points and the security cameras. So is the connected car. So are the Web servers, storage servers, and Active Directory servers in the data center. So are your IaaS/PaaS services in the cloud, where you are in control of bare-metal servers, VMware virtual machines, or containers running on Windows and/or Linux.

They’re all endpoints, and every one of them is important to manage.

They have to be managed from the IT side (by IT administrators, who ideally have proper IT-level visibility of each connected thing, like those security cameras). That management means making sure they’re connected to the right network zones or VLANs, that their software and configurations are at the current version, that they’re not flooding the network with bad packets because of electrical faults, and so on.

Those endpoints also have to be managed from the security perspective by CISO teams. Every endpoint is a potential front door into the enterprise network, which means the devices must be locked down – no default passwords, all security patches applied, no unauthorized software installed on the device’s embedded web server. (Krebs outlines how, in 2014, hackers got into Target’s network through its HVAC system.)

The Operations of Systems and Security

Systems Security Operations, or SysSecOps, brings those two worlds together. With the right kind of SysSecOps mindset, and tools that support the appropriate workflows, IT and security staff get the same data and can work together. Sure, they each have different tasks, and respond differently to trouble alerts, but they’re all managing the same endpoints, whether in the pocket, on the desk, in the utility closet, in the data center, or in the cloud.

Test Report from Ziften Zenith

We were thrilled when the recently published Broadband-Testing report praised Zenith, Ziften’s flagship end-point security and management platform, as being ideal for this kind of scenario. To quote from the recent report, “With its Zenith platform, Ziften has a product that ticks all the SysSecOps boxes and more. Because its definition of ‘endpoints’ extends into the Data Centre (DC) and the world of virtualisation, it holds true blanket protection.”

Broadband-Testing is an independent testing facility and service based in Andorra. They describe themselves as, “Broadband-Testing communicates with suppliers, media, investment groups and VCs, experts and consultancies alike. Checking covers all elements of networking software and hardware, from ease of use and performance, through to increasingly crucial aspects such as device power usage measurement.”

Back to flexibility. With endpoints everywhere (again, on the desk, in the utility closet, in the data center, or in the cloud), a SysSecOps-based endpoint security and management system should go everywhere and do anything, at scale. Broadband-Testing wrote:

“The configuration/deployment choices and architecture of Ziften Zenith allow for a really flexible deployment, on or off-premise, or hybrid. Agent implementation is simplicity itself with zero user requirements and no endpoint intrusion. Agent footprint is likewise very little, unlike numerous endpoint security solutions. Scalability also seems exceptional – the biggest customer implementation to this day is in excess of 110,000 endpoints.”

We can’t help but take pride in our product Zenith, and in what Broadband-Testing concluded:

“The emergence of SysSecOps – combining systems and security operations – is an unusual milestone in IT; a hype-free, sound judgment method to refocusing on how systems and security are managed inside a business.

Key to Ziften’s endpoint method in this category is overall visibility – after all, how can you protect what you cannot see or have no idea exists in the first place? With its Zenith platform, Ziften has a product that ticks all the SysSecOps boxes and more.

Implementation is basic, specifically in a cloud-based scenario as checked. Scalability also seems outstanding – the greatest customer implementation to this day remains in excess of 110,000 endpoints.

Data analysis choices are extensive with a big amount of information readily available from the Ziften console – a single view of the whole endpoint infrastructure. Any object can be analysed – e.g. Binaries, applications, systems – and, from a procedure, an action can be defined as an automatic function, such as quarantining a system in the event of a potentially harmful binary being found. Numerous reports are predefined covering all areas of analysis. Alerts may be set for any occurrence. Furthermore, Ziften supplies the principle of extensions for custom data collection, beyond the reach of most suppliers.

And with its External API functionality, endpoint data gathered by Ziften can be shared with a lot of 3rd party applications, thereby including more value to a consumer’s existing security and analytics infrastructure financial investment.

In general, Ziften has a really competitive offering in exactly what is an extremely worthy and emerging IT classification through SysSecOps that is extremely worthy of examination.”

We hope you’ll consider an evaluation of Zenith, and will agree that when it comes to SysSecOps and endpoint security and management, we do tick all the boxes with the true blanket protection that both your IT and CISO teams have been looking for.

Be Warned Of Spectre And Meltdown And Find Out How We Help – Charles Leaver

Written By Josh Harriman And Presented By Charles Leaver


Ziften is aware of the most recent exploits affecting almost everyone who works on a computer or digital device. While this is a very broad statement, we at Ziften are working diligently to help our customers find vulnerable assets, fix those vulnerable systems, and monitor systems after the fix for potential performance problems.

This is an ongoing investigation by our team in Ziften Labs, where we keep up to date on the latest malicious attacks as they evolve. Today, most of the discussion is around PoC (Proof of Concept) code and what can theoretically happen. This will soon change as attackers take advantage of these opportunities. The exploits I’m speaking of, naturally, are Meltdown and Spectre.

Much has been written about how these exploits were discovered and what is being done by the industry to find workarounds for these hardware problems. To get more information, I feel it’s best to go right to the source.

What Should You Do, and How Can Ziften Assist?

A key area where Ziften helps in the event of an attack by either method is watching for data exfiltration. Since these attacks are essentially stealing data they shouldn’t have access to, we believe the first and easiest way to protect yourself is to take this sensitive data and remove it from these systems. This data might be passwords, login credentials, or even security keys for SSH or VPN access.

Ziften checks and alerts when processes that normally do not make network connections begin showing this unusual behavior. From these alerts, users can quarantine systems from the network and/or kill processes associated with these situations. Ziften Labs is monitoring the development of the attacks that are likely to become available in the real world related to these vulnerabilities, so we can better protect our customers.

Find – How am I Vulnerable?

Let’s look at areas we can monitor for vulnerable systems. Zenith, Ziften’s flagship product, can simply and quickly find OSes that need to be patched. Even though these exploits are in the CPU chips themselves (Intel, AMD and ARM), the fixes that become available will be updates to the OS and, in other cases, to the web browser you use as well.

In Figure 1 below, you can see an example of how we report on the available patches by name, which systems have successfully installed each patch, and which have yet to install it. We can also track failed patch installs. The example below is not for Meltdown or Spectre, but the KB and/or patch number for the environment could be populated on this report to show the vulnerable systems.

The same is true for web browser updates. Zenith monitors the software versions running in the environment. That data can be used to understand whether all browsers are up to date once the fixes become available.

Speaking of browsers, one area that has already gained momentum in the attack scenarios is the use of JavaScript. A working copy is shown here.

Products like the Edge browser do not use JavaScript any longer and mitigations are available for other browsers. Firefox has a fix available. A Chrome fix is coming out this week.

Fix – What Can I Do Now?

Once you have identified vulnerable systems in your environment you certainly want to patch and fix them as soon as possible. One caution to keep in mind is reports of certain anti-virus products causing stability problems when the patches are applied. Details about these issues are here and here.

Zenith also has the ability to help patch systems. We can monitor for systems that need patches, and direct our product to apply those patches for you, then report success/failure and the status of those still needing patching.

Since the Zenith backend is cloud based, we can even monitor your endpoint systems and apply the required patches when and if they are not connected to your corporate network.

Monitor – How is Everything Running?

Lastly, there could be some systems that show performance degradation after the OS fixes are applied. These issues appear to be limited to high-load (IO and network) systems. The Zenith platform helps both security and operational teams within your environment. This is what we like to call SysSecOps.

We can help uncover problems such as application crashes or hangs, and system crashes. Plus, we monitor system usage for memory and CPU over time. This data can be used to monitor and alert on systems that start to exhibit high usage compared with the period before the patch was applied. An example of this monitoring is shown in Figure 2 below (system names intentionally removed).

These ‘flaws’ are still new to the public, and much more will be discussed and discovered in the days / weeks / months to come. Here at Ziften, we continue to monitor the situation and how we can best educate and protect our customers and partners.
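The before-and-after comparison described in the Monitor section can be expressed in a few lines. This is an added example, not Ziften's code: the sample readings, host names, patch times and the 25% threshold are all constructed assumptions.

```python
from collections import defaultdict
from statistics import mean

# Constructed samples: (host, minute, cpu_percent). Not real telemetry.
SAMPLES = [
    ("db-01", 70, 40.0), ("db-01", 80, 42.0), ("db-01", 90, 38.0),
    ("db-01", 110, 55.0), ("db-01", 120, 57.0), ("db-01", 130, 53.0),
    ("web-01", 70, 20.0), ("web-01", 80, 22.0), ("web-01", 90, 21.0),
    ("web-01", 110, 21.0), ("web-01", 120, 22.0), ("web-01", 130, 20.0),
    ("app-01", 70, 30.0), ("app-01", 80, 31.0), ("app-01", 90, 29.0),
    ("app-01", 110, 70.0),            # only one reading since the patch
    ("lab-09", 70, 10.0), ("lab-09", 110, 90.0),  # no patch recorded
]

# Minute at which the OS fix was installed on each host (constructed).
PATCH_TIME = {"db-01": 100, "web-01": 100, "app-01": 100}


def post_patch_regressions(samples, patch_time, min_samples=3, rel_increase=0.25):
    """Return {host: (mean_before, mean_after)} for hosts whose average CPU
    rose by at least rel_increase after their own patch time."""
    before, after = defaultdict(list), defaultdict(list)
    for host, ts, cpu in samples:
        patched_at = patch_time.get(host)
        if patched_at is None:
            continue  # no patch recorded, so there is no baseline to compare
        (before if ts < patched_at else after)[host].append(cpu)

    flagged = {}
    for host in patch_time:
        b, a = before[host], after[host]
        # Too few readings on either side makes the comparison meaningless.
        if len(b) < min_samples or len(a) < min_samples:
            continue
        base, now = mean(b), mean(a)
        if base > 0 and (now - base) / base >= rel_increase:
            flagged[host] = (round(base, 1), round(now, 1))
    return flagged


if __name__ == "__main__":
    for host, (base, now) in post_patch_regressions(SAMPLES, PATCH_TIME).items():
        print(f"{host}: CPU {base}% before patch, {now}% after")
```
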

SysSecOps Is Something That You Need Right Now – Charles Leaver

Written By Alan Zeichick And Presented By Charles Leaver


SysSecOps. That’s a new term, still unfamiliar to many IT and security administrators – but it’s being talked about within the industry, by analysts, and at technical conferences. SysSecOps, or Systems & Security Operations, describes the practice of bringing together security teams and IT operations teams to ensure the health of enterprise technology – and having the tools to respond most effectively when problems occur.

SysSecOps focuses on tearing down the information walls, breaking up the silos, that get between security teams and IT administrators.

IT operations staff exist to make sure that end-users can access applications, and that critical infrastructure is running 24 × 7. They want to maximize access and availability, and need the data required to do that job – like that a new employee must be provisioned, that a disk drive in a RAID array has failed, that a new partner needs to be provisioned with access to a secure file repository, or that an Oracle database is ready to be migrated to the cloud. It’s all about technology to drive business.

Same Data, Different Use-Cases

While the uses of endpoint and network monitoring data and analytics are clearly tailored to fit the different needs of IT and security, it turns out that the underlying raw data is actually the same. The IT and security teams are simply looking at their own domain’s problems and scenarios – and acting based on those use-cases.

Yet sometimes the IT and security teams need to work together. Take provisioning that new partner: it must touch all the right systems, and be done securely. Or if there is a problem with a remote endpoint, such as a mobile device or a device on the Industrial Internet of Things, IT and security might have to work together to determine what’s going on. When IT and security share the same data sources, and have access to the same tools, this job becomes a lot easier – and hence SysSecOps.

Imagine that an IT administrator notices that a server hard drive is nearing full capacity – and this was not expected. Perhaps the network had been breached, and the server is now being used to stream pirated movies across the Web. It happens, and finding and fixing that problem is a job for both IT and security. The data collected by endpoint instrumentation, and displayed through a SysSecOps-ready monitoring platform, can help both sides work together more efficiently than they would with traditional, separate IT and security tools.

SysSecOps: It’s a new term, and a new concept, and it’s resonating with both IT and security teams. You can learn more about this in a brief nine-minute video, where I talk to a number of industry experts about this topic: “What is SysSecOps?”

Protect Yourself From Microsoft Word Phishing Attacks With Ziften – Charles Leaver

Written By Josh Harriman And Presented By Charles Leaver


An interesting multifaceted attack has been reported in a recent blog by Cisco’s Talos Intelligence team. I wanted to discuss the infection vector of this attack, as it’s quite interesting and something that Microsoft has promised not to fix, as it is a feature and not a bug. Reports are emerging about attacks in the wild that make use of a feature in Microsoft Word called Dynamic Data Exchange (DDE). Details of how this is achieved are reported in this blog from SecureData.

Unique Phishing Attack with Microsoft Word

Attackers constantly look for new ways to breach an organization. Phishing attacks are among the most common, as attackers are counting on the fact that someone will either open a file sent to them or go to a ‘faked’ URL. From there, an exploit against a vulnerable piece of software typically gives them the access to begin their attack.

However, in this case the documents didn’t have a malicious object embedded in the Word doc, which is a favorite attack vector, but rather used this feature in a sly way that lets the Word program reach out and retrieve the real malicious files. This way the attackers can hope for a better success rate of infection, since malicious Word files themselves can be scanned and deleted before reaching the recipient.

Searching for Suspicious Behaviors with Ziften Zenith

Here at Ziften, we wanted to be able to alert on this behavior for our customers. Finding conditions that exhibit ‘unusual’ behavior, such as Microsoft Word spawning a shell, is interesting and not expected. Take it a bit further and look for PowerShell running from that spawned shell, and it gets ‘very’ interesting. By using our Search API, we can find these behaviors no matter when they occurred. We do not need the system to be on at the time of the search; if it has run a program (in this case Word) that exhibited these behaviors, we can find that system. Ziften is always collecting and sending relevant process information, which is why we can find the data without relying on the system state at the time of searching.

In our Zenith console, I searched for this condition by looking for the following:

Process → Filepath contains word.exe, Child Process Filepath contains cmd.exe, Child Process commandline includes powershell

This returns the PIDs (Process IDs) of the processes we saw start up with these conditions. After this we can drill down to see the important details.
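The same three conditions can be applied to any collected process-start telemetry. The following is an added example, not Ziften's Search API or code from the original post: the record fields (`host`, `pid`, `ppid`, `path`, `cmdline`) and all sample events are constructed assumptions. It goes one step beyond the query above by also listing PowerShell processes started under the matching shell.

```python
# Added example. Constructed process-start records, not real telemetry;
# the field names are assumptions, not Ziften's schema.
WORD = r"C:\Program Files\Microsoft Office\Office16\WINWORD.EXE"
CMD = r"C:\Windows\System32\cmd.exe"
POWERSHELL = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
EXPLORER = r"C:\Windows\explorer.exe"

EVENTS = [
    # ws-014: Word -> cmd.exe (powershell on its command line) -> powershell.exe
    {"host": "ws-014", "pid": 4120, "ppid": 812, "user": "alice",
     "path": WORD, "cmdline": 'WINWORD.EXE /n "report.docx"'},
    {"host": "ws-014", "pid": 5532, "ppid": 4120, "user": "alice",
     "path": CMD, "cmdline": 'cmd.exe /c powershell -c "<constructed placeholder>"'},
    {"host": "ws-014", "pid": 5610, "ppid": 5532, "user": "alice",
     "path": POWERSHELL, "cmdline": 'powershell -c "<constructed placeholder>"'},
    # ws-022: PID 4120 is explorer.exe on this host, so this is not a Word child
    {"host": "ws-022", "pid": 4120, "ppid": 700, "user": "bob",
     "path": EXPLORER, "cmdline": "explorer.exe"},
    {"host": "ws-022", "pid": 6001, "ppid": 4120, "user": "bob",
     "path": CMD, "cmdline": "cmd.exe /c powershell Get-Date"},
    # ws-031: Word starts cmd.exe, but PowerShell is never invoked
    {"host": "ws-031", "pid": 2200, "ppid": 640, "user": "carol",
     "path": WORD, "cmdline": 'WINWORD.EXE "notes.docx"'},
    {"host": "ws-031", "pid": 2310, "ppid": 2200, "user": "carol",
     "path": CMD, "cmdline": "cmd.exe /c dir"},
]


def contains(value, needle):
    """Case-insensitive substring match, like a 'contains' search filter."""
    return needle in (value or "").lower()


def find_word_shell_chains(events):
    """Return one hit per cmd.exe child of Word whose command line mentions
    powershell, plus any PowerShell processes started under that shell."""
    # Key on (host, pid): PIDs are only unique per machine. PIDs are also
    # reused over time; real data would need start times to disambiguate.
    by_key = {(e["host"], e["pid"]): e for e in events}
    children = {}
    for e in events:
        children.setdefault((e["host"], e["ppid"]), []).append(e)

    hits = []
    for shell in events:
        parent = by_key.get((shell["host"], shell["ppid"]))
        if parent is None:
            continue
        if not (contains(parent["path"], "word.exe")
                and contains(shell["path"], "cmd.exe")
                and contains(shell["cmdline"], "powershell")):
            continue
        ps_pids = [c["pid"]
                   for c in children.get((shell["host"], shell["pid"]), [])
                   if contains(c["path"], "powershell")]
        hits.append({"host": shell["host"], "user": shell["user"],
                     "word_pid": parent["pid"], "cmd_pid": shell["pid"],
                     "cmdline": shell["cmdline"], "powershell_pids": ps_pids})
    return hits


if __name__ == "__main__":
    for hit in find_word_shell_chains(EVENTS):
        print(hit)
```

Matching on the parent by host and PID together is what keeps the ws-022 record, which reuses PID 4120 for a different program, from producing a false hit.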

In this first screenshot, we can see details of the process tree (Word spawning CMD with PowerShell under that) on the left, and on the right you can see details such as the system name and user, plus start time.

In the next image below, we look at the CMD process and see what was passed to PowerShell.

Most likely, when the user had to answer this Microsoft Word pop-up dialog box, that is when the CMD shell used PowerShell to go out and fetch some code that was hosted on the Louisiana Gov site. In the PowerShell image shown below we can see more details, such as Network Connect info from when it was reaching out to the site to pull the fonts.txt file.

That IP address is in fact the Louisiana Gov site. Often we see interesting data within our Network Connect information that may not match what you expect.

After creating our Saved Search, we can alert on these conditions as they occur throughout the environment. We can also create extensions that change a GPO policy to not allow DDE, or even take further action and go find these documents and remove them from the system if so desired. Being able to find interesting combinations of conditions within an environment is very powerful, and we are excited to have this feature in our offering.

Prevent Devastating Ransomware Attacks With These 4 Actions – Charles Leaver

Written By Alan Zeichick And Presented By Charles Leaver


Ransomware is real, and is threatening individuals, businesses, schools, health centers, local governments – and there’s no sign that ransomware is stopping. In fact, it’s probably increasing. Why? Let’s be honest: ransomware is probably the single most effective attack that cyber criminals have ever created. Anybody can build ransomware using readily available tools; any money received is most likely in untraceable Bitcoin; and if something goes wrong with decrypting someone’s hard disk, the cyber criminal isn’t affected.

A business is hit by ransomware every forty seconds, according to some sources, and 60% of malware problems were ransomware. It strikes all sectors. No industry is safe. And with the rise of RaaS (Ransomware-as-a-Service) it’s going to get worse.

The good news: We can fight back. Here’s a four-step battle plan.

Good Basic Hygiene

It starts with training employees how to handle malicious emails. There are falsified messages from business partners. There’s phishing and targeted spearphishing. Some will get through email spam/malware filters; employees have to be taught not to click on links in those messages, and of course, not to give permission for plugins or apps to be installed.

However, some malware, like ransomware, is going to get through, often exploiting out-of-date software or unpatched systems, as in the Equifax breach. That’s where the next step comes in:

Ensuring that endpoints are fully patched and completely up to date with the latest, most secure operating systems, applications, utilities, device drivers, and code libraries. That way, if there is an attack, the endpoint is healthy, and is best able to fight the infection.

Ransomware isn’t really a technology or security problem. It’s a business problem. And it’s about so much more than the ransom that is demanded. That’s nothing compared to the loss of productivity because of downtime, bad public relations, angry customers if service is disrupted, and the cost of rebuilding lost data. (And that assumes that valuable intellectual property or protected financial or customer health data isn’t stolen.)

What else can you do? Backup, backup, backup, and protect those backups. If you don’t have safe, secured backups, you cannot restore data and core infrastructure in a timely fashion. That includes making daily snapshots of virtual machines, databases, applications, source code, and configuration files.

Businesses need tools to detect, identify, and prevent malware like ransomware from spreading. This requires continuous visibility and reporting of what’s happening in the environment – including “zero day” attacks that haven’t been seen before. Part of that is monitoring endpoints, from the smartphone to the PC to the server to the cloud, to ensure that endpoints are up to date and secure, and that no unexpected changes have been made to their underlying configuration. That way, if a machine is infected by ransomware or other malware, the breach can be detected quickly, and the device isolated and shut down pending forensics and recovery. If an endpoint is breached, quick containment is critical.

The Four Tactics

Good user training. Updating systems with patches and fixes. Backing up everything as often as possible. And using monitoring tools to help both IT and security teams detect problems, and react quickly to those problems. When it comes to ransomware, those are the four battle-tested tactics we need to keep our businesses safe.

You can learn more about this in a brief eight-minute video, where I talk with a number of industry experts about this issue.

Your Security Will Improve With Microsoft And Ziften – Charles Leaver

Written By David Shefter And Presented By Charles Leaver


Recently we announced a partnership with Microsoft that combines Ziften’s Zenith® systems and security operations platform with Windows Defender Advanced Threat Protection (ATP), providing a cloud-based “single pane of glass” to detect, view, investigate, and respond to advanced cyber-attacks and breaches on Windows, macOS, and Linux-based devices (desktops, laptops, servers, cloud, etc.).

Windows Defender ATP plus Ziften Zenith is a security solution that enables enterprise customers to detect, investigate, respond to, and remediate advanced threats on their networks, off-network, and in the data center and cloud.

Imagine a single solution across all the devices in your enterprise, providing scalable, state-of-the-art security in a cost-effective and easy-to-use platform. Enabling enterprises around the world to secure and manage devices through this ‘single pane of glass’ delivers the promise of lower operational costs with truly improved security, providing real-time global threat protection with information collected from billions of devices worldwide.

Microsoft and Ziften Architecture

The diagram below provides an overview of the service elements and integration between Windows Defender ATP and Ziften Zenith.

Endpoint investigation capabilities allow you to drill down into security alerts and understand the scope and nature of a potential breach. You can submit files for deep analysis, receive the results and take action without leaving the Windows Defender ATP console.

Detect and Contain Threats

With the Windows Defender ATP and Ziften Zenith integration, organizations can easily detect and contain threats on Windows, macOS, and Linux systems from a single console. Windows Defender ATP and Ziften Zenith provide:

Behavior-based, cloud-powered, advanced attack detection. Find the attacks that make it past your other defenses (after a breach has been detected).

Rich timeline for forensic investigation and mitigation. Easily investigate the scope of any breach or suspected behaviors on any machine through a rich, 6-month machine timeline.

Built-in unique threat intelligence knowledge base. Threat intelligence to quickly detect attacks based on monitoring and data from a vast number of devices.

The diagram below shows many of the macOS and Linux threat detection and response capabilities now available with Windows Defender ATP.

In conclusion, if you’re looking to protect your endpoints and infrastructure, you need to take a hard look at Windows Defender ATP and Ziften Zenith.

Safeguard Your Organization Against The KRACK Vulnerability – Charles Leaver

Written By Dr Al Hartmann And Presented By Charles Leaver


Enough press has been generated over the Wi-Fi WPA2-defeating Key Reinstallation Attack (KRACK) that we don’t need to re-cover that again. The original discoverer’s site is a good place to review the issues and link to the detailed research paper. This may be the most attention paid to a core communications security failure since the Heartbleed attack. In that earlier attack, a patched version of the vulnerable OpenSSL code was released on the same day as the general disclosure. In this new KRACK attack, similar responsible disclosure guidelines were followed, and patches were either already released or soon to follow. Both wireless endpoints and wireless network devices need to be properly patched. Oh, and good luck getting that Chinese knockoff wireless security camera bought off eBay patched quickly.

Here we will just make a couple of points:

Take inventory of your wireless devices and follow up to ensure appropriate patching. (Ziften can carry out passive network stock, consisting of wireless networks. For Ziften monitored end points, the readily available network interfaces in addition to applied patches are reported.) For enterprise IT staff, it is patch, patch, patch every day anyhow, so absolutely nothing brand-new here. But any unmanaged wireless devices must be identified and vetted.

Windows and iOS end points are less prone, while unpatched Android and Linux end points are highly prone. The majority of Linux endpoints will be servers without wireless networking, so not as much exposure there. But Android is another story, especially provided the balkanized state of Android upgrading throughout device manufacturers. More than likely your enterprise’s greatest exposure will be IoT and Android devices, so do your risk analysis.

Avoid wireless access via unencrypted protocols such as HTTP. Stick to HTTPS or other encrypted protocols or use a secure VPN, but be aware that some default HTTPS sites allow compromised devices to coerce a downgrade to HTTP. (Note that Ziften network monitoring reports IP addresses and ports used, so take a look at any wireless port 80 traffic on endpoints that are unpatched.)

Continue whatever wireless network hygiene practices you have been using to identify and silence rogue access points, unauthorized wireless devices, etc. Grooming access point placement and transmission zones to reduce signal spillage outside your physical boundaries is also a sensible practice, since KRACK attackers must be present locally within the wireless network. Do not give them advantageous placement opportunities within or close to your environment.
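The inventory and port 80 checks described above can be combined into one triage pass. The following is an added example, not code from the original post or from Ziften: the CSV column names and all sample records are constructed, and treating an unknown patch state as unpatched is an assumption.

```python
import csv
import io

# Constructed sample data (not real telemetry). Column names are assumptions,
# not the export format of Ziften or any other product.
INVENTORY_CSV = """host,os,interface,krack_patched
lt-0141,Windows 10,wifi,yes
tab-0007,Android 6.0,wifi,no
cam-lobby,unknown,wifi,unknown
srv-db01,Linux,ethernet,no
lt-0203,Linux,wifi,no
"""

FLOWS_CSV = """host,dst_ip,dst_port,protocol
lt-0141,203.0.113.10,80,tcp
tab-0007,203.0.113.10,80,tcp
tab-0007,198.51.100.7,443,tcp
cam-lobby,198.51.100.44,80,tcp
srv-db01,192.0.2.15,80,tcp
lt-0203,198.51.100.7,443,tcp
ghost-01,203.0.113.99,80,tcp
"""

def load(text):
    """Parse CSV text into a list of dict rows."""
    return list(csv.DictReader(io.StringIO(text)))

def exposed_wireless_hosts(inventory):
    """Wireless hosts whose patch state is anything but an explicit 'yes'."""
    return {r["host"]: r for r in inventory
            if r["interface"] == "wifi"
            and r["krack_patched"].strip().lower() != "yes"}

def triage(inventory, flows, cleartext_ports=frozenset({80})):
    """Flag cleartext flows from exposed wireless hosts and hosts not in inventory."""
    exposed = exposed_wireless_hosts(inventory)
    known = {r["host"] for r in inventory}
    findings = {"cleartext": [], "unmanaged": set()}
    for f in flows:
        host, port = f["host"], int(f["dst_port"])
        if host not in known:
            findings["unmanaged"].add(host)  # seen on the network, never inventoried
        elif host in exposed and port in cleartext_ports:
            findings["cleartext"].append((host, f["dst_ip"], port))
    return findings

if __name__ == "__main__":
    result = triage(load(INVENTORY_CSV), load(FLOWS_CSV))
    for host, ip, port in result["cleartext"]:
        print(f"review: unpatched wireless host {host} -> {ip}:{port} (cleartext)")
    for host in sorted(result["unmanaged"]):
        print(f"vet: {host} is on the network but missing from inventory")
```

Hosts that appear in flow data but not in the inventory are reported separately, because they are the unmanaged devices that still need to be identified and vetted.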

For a broader discussion of the KRACK vulnerability, check out our recent video on the topic:

You Need Effective Training On Security Awareness For Employees – Charles Leaver

Written By Charles Leaver Ziften CEO


Effective corporate cybersecurity assumes that people – your workers – do the right thing. That they do not hand over their passwords to a caller who claims to be from the IT department doing a “credentials audit.” That they do not wire $10 million to an Indonesian savings account after getting a midnight request from “the CEO”.

That they don’t install an “urgent upgrade” to Flash Player based on a pop-up on a porn website. That they do not overshare on social media. That they do not store business info on file-sharing services outside the firewall. That they don’t connect to unsecured WiFi networks. And they don’t click on links in phishing emails.

Our research shows that over 75% of security events are caused or aided by employee mistakes.

Sure, you have actually installed endpoint security, e-mail filters, and anti-malware services. Those precautions will most likely be for nothing, though, if your employees do the wrong thing time and again when in a dangerous situation. Our cybersecurity efforts resemble having an expensive car alarm: If you do not teach your teenager to lock the car when it’s at the shopping mall, the alarm is worthless.

Security awareness isn’t enough, of course. Employees will make mistakes, and there are some attacks that don’t need an employee misstep. That’s why you need endpoint security, email filters, anti-malware, etc. However, let’s talk about effective security awareness training.

Why Training Often Doesn’t Have an Effect

First – in my experience, a great deal of employee training, well, is poor. That’s especially true of online training, which is usually horrible. But in most cases, whether live or canned, the training lacks credibility, in part because many IT professionals are poor and unconvincing communicators. The training often focuses on communicating and enforcing rules – not changing risky behaviors and habits. And it resembles getting compulsory photocopier training: There’s absolutely nothing in it for the employees, so they don’t accept it.

It’s not about enforcing rules. While security awareness training might be “owned” by various departments, such as IT, CISO, or HR, there’s typically a lack of understanding about exactly what a security awareness program is. First of all, it’s not a checkbox; it needs to be continuous. The training needs to be delivered in different ways and at different times, with a combination of live training, newsletters, small-group discussions, lunch-and-learns, and yes, even resources online.

Securing yourself is not complex!

But a huge problem is the lack of objectives. If you have no idea what you’re aiming to do, you can’t see if you have actually done a good job in the training – and if risky behaviors really change.

Here are some sample objectives that can lead to effective security awareness training:

Provide employees with the tools to recognize and handle ongoing daily security threats they might get online and by means of email.

Let staff members understand they are part of the team, and they cannot simply rely on the IT/CISO teams to manage security.

Halt the cycle of “unintentional lack of knowledge” about safe computing practices.

Change mindsets toward safer practices: “If you see something, say something”.

Review company rules and procedures, explained in actionable terms that are relevant to employees.

Make it Appropriate

No matter who “owns” the program, it’s essential that there is visible executive backing and management buy-in. If the execs don’t care, the workers won’t either. Effective training won’t discuss tech buzzwords; rather, it will focus on changing behaviors. Relate cybersecurity awareness to your workers’ personal lives. (And while you’re at it, teach them the best ways to keep themselves, their family, and their house safe. Odds are they do not know and hesitate to ask.)

To make security awareness training truly relevant, solicit employee ideas and encourage feedback. Measure success – for example, did the number of external links clicked by staff members go down? How about calls to tech support stemming from security violations? Make the training timely and real-world by including current scams in the news; unfortunately, there are plenty to choose from.

In short: Security awareness training isn’t really enjoyable, and it’s not a silver bullet. However, it is vital for making sure that risky employee behaviors do not undermine your IT/CISO efforts to protect your network, devices, applications, and data. Make certain that you continuously train your staff members, and that the training works.

Splunk And Ziften Generate Passion At Splunk .conf – Charles Leaver

Written By Josh Applebaum And Presented By Charles Leaver


Like many of you, we’re still recovering from the recent Splunk .conf. As usual, .conf had terrific energy, and the people in attendance were enthusiastic about Splunk and the many use cases that it offers through its large app ecosystem.

One key announcement during the week worth mentioning was a new security offering known as “Content Updates,” which is essentially a set of pre-built Splunk searches that help find security incidents.

Basically, the Splunk security team looks at the most recent attacks, creates new searches for how they would look through Splunk ES data to find these kinds of attacks, and then ships those new searches down to customers’ Splunk ES environments for automated alerts when seen.

The very best part? Because these updates use primarily CIM (Common Information Model) data, and Ziften populates a great deal of the CIM models, Ziften’s data is already being matched against the new Content Updates Splunk has created.

A quick demo showed which vendors contribute to each type of “detection,” and Ziften was mentioned in a great many of them.

For instance, we have a recent article that shares how Ziften’s data in Splunk is used to find and respond to WannaCry.

Overall, with the roughly 500 people who came by the booth over the course of .conf, I have to say it was among the very best events we’ve done in terms of quality discussions and interest. We had nothing but positive reviews from our in-depth discussions with people from all walks of business life – from highly technical analysts in the public sector to CISOs in the financial sector.

The most typical conversation usually started with, “We are just starting to implement Splunk and are new to the platform.” I like those, since people can get our Apps free of charge, and we can get them an agent to try out, which gives them something to use right out of the box to show value immediately. Other folks were very experienced and truly liked our approach and architecture.

Bottom line: People are genuinely excited about Splunk, and real solutions are available to help people with real problems!

Curious? The Ziften ZFlow App and Technology Add-on helps users of Splunk and Splunk ES use Ziften-generated extended NetFlow from endpoints, servers, and cloud VMs to see exactly what they are missing at the edge of their network, in their data centers, and in their cloud deployments.