The traditional perimeter as we know it is quickly dissolving. So what does this mean for the endpoint?
Investment in perimeter security, as defined by firewalls, managed gateways and intrusion detection/prevention systems (IDS/IPS), is changing. Investments are being questioned, with returns unable to overcome the costs and complexity to create, maintain, and justify these antiquated defenses.
More than that, the paradigm has changed – employees are no longer exclusively working in the office. Many people are logging hours from home or while traveling – neither location is under the umbrella of a firewall. Instead of keeping the bad guys out, firewalls often have the inverse effect – they prevent the good guys from being productive. The irony? They create a safe haven for attackers to breach and hide for months, then traverse to critical systems.
What Has Really Changed?
The endpoint has become the last line of defense. With the aforementioned failure in perimeter defense and a “mobile everywhere” workforce, we must now enforce trust at the endpoint. Easier said than done, however.
In the endpoint space, identity & access management (IAM) tools are not the silver bullet. Even innovative companies like Okta, OneLogin, and cloud proxy vendors such as Blue Coat and Zscaler cannot overcome one simple truth: trust goes beyond simple identification, authentication, and authorization.
Encryption is a second attempt at protecting entire libraries and individual assets. In the most recent (2016) Ponemon study on data breaches, encryption only saved 10% of the cost per breached record (from $158 to $142). This isn’t the panacea that some make it seem.
Everything is changing
Organizations must be prepared to embrace new paradigms and attack vectors. While organizations must provide access to trusted groups and individuals, they have to address this in a better way. Critical business systems are now accessed from anywhere, any time, not just from desks in corporate office buildings. And contractors (the contingent workforce) are quickly coming to make up more than half of the overall enterprise workforce.
On endpoint devices, the binary is predominantly the problem. Presumably benign incidents, such as an executable crash, could indicate something simple – like Windows 10 Desktop Manager (DWM) restarting. Or it could be a much deeper problem, such as a malicious file or early indicators of an attack.
Trusted access doesn’t solve this vulnerability. According to the Ponemon Institute, between 70% and 90% of all attacks are caused by human error, social engineering, or other human factors. This requires more than simple IAM – it requires behavioral analysis.
Instead of making good better, perimeter and identity access companies made bad faster.
When and Where Does the Good News Begin?
Taking a step back, Google (Alphabet Corp) announced a perimeter-less network model in late 2014, and has made significant progress. Other enterprises – from corporations to governments – have done this (quietly and less drastically), but with BeyondCorp Google has done it openly and shown its efforts to the world. The design philosophy, endpoint plus (public) cloud displacing the cloistered enterprise network, is the key concept.
This changes the entire conversation on an endpoint – be it a laptop, desktop, workstation, or server – as subservient to the corporate/enterprise/private/organization network. The endpoint truly is the last line of defense, and must be protected – yet also report its activity.
Unlike the conventional perimeter security model, BeyondCorp doesn’t gate access to services and tools based on a user’s physical location or the originating network; instead, access policies are based on information about a device, its state, and its associated user. BeyondCorp considers both internal networks and external networks to be completely untrusted, and gates access to applications by dynamically asserting and enforcing levels, or “tiers,” of access.
By itself, this seems innocuous. But the reality is that this is a radical new model which is imperfect. The access criteria have shifted from network addresses to device trust levels, and the network is heavily segmented by VLANs, rather than a centralized model with potential for breaches, hacks, and threats at the human level (the “soft chewy center”).
The good news? Breaching the perimeter becomes extremely challenging for would-be attackers, and network pivoting becomes next to impossible once past the reverse proxy (pivoting is a common mechanism used by attackers today – proving that firewalls do a better job of keeping the bad guys in rather than letting the good guys get out). The inverse model further applies to Google cloud servers, presumably tightly managed, inside the perimeter, versus client endpoints, which are all out in the wild.
Google has refined proven security approaches, notably 802.1X and RADIUS, and bundled them as the BeyondCorp architecture, including strong identity and access management (IAM).
Why is this important? What are the gaps?
Ziften believes in this approach because it emphasizes device trust over network trust. However, Google doesn’t specifically show a device security agent or emphasize any form of client-side monitoring (apart from very strict configuration control). While there may be reporting and forensics, this is something which every organization should be aware of, since it’s a matter of when – not if – bad things will happen.
Since implementing the initial phases of the Device Inventory Service, we’ve ingested billions of deltas from over 15 data sources, at a typical rate of about three million per day, totaling over 80 terabytes. Retaining historical data is essential in allowing us to understand the end-to-end lifecycle of a given device, track and analyze fleet-wide trends, and perform security audits and forensic investigations.
This is an expensive and data-heavy process with two shortcomings. First, on ultra-high-speed networks (utilized by the likes of Google, universities and research organizations), ample bandwidth allows this type of communication to occur without flooding the pipes; in more pedestrian corporate and government scenarios, it would cause great user disruption.
Second, machines must have the horsepower to constantly collect and transmit data. While most employees would be delighted to have current developer-class workstations at their disposal, the expense of the devices and process of refreshing them on a regular basis makes this prohibitive.
A Lack of Lateral Visibility
Very few products actually generate ‘enhanced’ netflow, augmenting traditional network visibility with rich, contextual data.
Ziften’s patented ZFlow™ provides network flow details on data generated from the endpoint, which would otherwise require brute force (human labor) or expensive network devices.
ZFlow acts as a “connective tissue” of sorts, which extends and completes the end-to-end network visibility cycle, adding context to on-network, off-network and cloud servers/endpoints, allowing security teams to make faster, more informed and more accurate decisions. In essence, investing in Ziften services results in labor savings, plus an increase in speed-to-discovery and time-to-remediation, due to technology acting as a substitute for people resources.
For organizations moving/migrating to the public cloud (as 56% are planning to do by 2021 according to IDG Enterprise’s 2015 Cloud Survey), Ziften offers unmatched visibility into cloud servers to better monitor and secure the complete infrastructure.
In Google’s environment, only corporate-owned devices (COPE) are allowed, while crowding out bring-your-own (BYOD). This works for a company like Google that can hand out new devices to all staff—phone, tablet, laptop, etc. Part of the reason for that is the vesting of identity in the device itself, plus user authentication as usual. The device must meet Google requirements, having either a TPM or a software equivalent of a TPM, to hold the X.509 cert used to validate device identity and to facilitate device-specific traffic encryption. There must be several agents on each endpoint to verify the device validation predicates called out in the access policy, which is where Ziften would need to partner with the systems management agent provider, since it is likely that agent cooperation is essential to the process.
In summary, Google has developed a world-class solution, but its applicability and practicality are limited to organizations like Alphabet.
Ziften offers the same level of operational visibility and security protection to the masses, using a lightweight agent, metadata/network flow monitoring (from the endpoint), and a best-in-class console. For organizations with specialized needs or incumbent tools, Ziften provides both an open REST API and an extension framework (to augment ingest of data and triggering response actions).
This yields the benefits of the BeyondCorp model to the masses, while protecting network bandwidth and endpoint (machine) computing resources. As organizations will be slow to move completely away from the enterprise network, Ziften partners with firewall and SIEM vendors.
Finally, the security landscape is steadily shifting towards managed detection & response (MDR). Managed security providers (MSSPs) offer traditional monitoring and management of firewalls, gateways and perimeter intrusion detection, but this is not enough. They lack the skills and the technology.
Ziften’s solution has been tested, integrated, approved and implemented by a number of the emerging MDRs, illustrating the standardization (capability) and flexibility of the Ziften platform to play a key role in remediation and incident response.
Ziften to Showcase Next-Gen Endpoint Security Solutions at Black Hat USA 2016
Ziften demonstrates end-to-end visibility and security for user devices, data centers, and cloud environments
AUSTIN, TX (PRWEB) July 25, 2016 – Ziften today announced it will be showcasing its end-to-end next-generation endpoint security solutions at Black Hat USA 2016 July 30 – August 4 at Mandalay Bay in Las Vegas. The Ziften solution provides security and operations teams with valuable endpoint context behind all network activity – giving enterprises continuous visibility and analytics to respond to advanced threats and run their business in a more efficient, intelligent and secure manner. Ziften security experts will be on hand to give live product demonstrations and meet with conference attendees August 3 and 4 in the Business Hall booth #132.
“Our commitment to innovation and evolving our endpoint security offering has paid off with 400% revenue growth in the last 12 months”, said Charles Leaver, CEO, Ziften. “With a world-class leadership team and a core of strategic partners, we look to further build on that momentum with a successful showing at Black Hat to propel us into our next phase of growth.”
In addition, Ziften will be demonstrating their integration solutions with Splunk in booth #1348 and Blue Coat in booth #1100. The Ziften app for Splunk combines native integration of comprehensive endpoint visibility with threat feeds and network intelligence for an end-to-end view of indicators of compromise. Ziften’s adaptive capabilities combined with Blue Coat’s Security Portfolio protects the enterprise network, providing comprehensive prevention, detection and response across all on-network and off-network endpoints.
“Endpoint security continues to be a hot market as enterprise security teams understand the need for complete visibility, particularly at the endpoint, where cyber criminals can abuse blind spots to avoid detection and gain access to sensitive data,” said David Monahan, research director, EMA. “Ziften’s innovative approach to protect, detect, and respond to endpoint threats has provided enterprises a strong foundation for security programs to protect their endpoints and their data from breach and exfiltration.”
About Ziften: Ziften is a visionary provider of the ZDR platform for real-time endpoint security and management, offering unprecedented access to endpoint, user, application, and network data originating from user devices, data centers, and the cloud. Combined with Ziften’s patented ZFlow technology, the company delivers real-time data, context, and relevance to security, operations, and risk and compliance teams. Ziften helps enterprises efficiently deal with unexpected threats and issues that get through their preventative measures, saving them money, minimizing cyber security risks, and improving productivity and end user experience.
The Ziften Solution
ZFlow + ZDR for endpoint telemetry and deep analytics
For too long network and security management have been left to cope with dated security technologies that don’t adapt: they’re expensive, difficult to deploy, and impossible to scale. Enterprise security teams need network visibility now — and they need it everywhere. On or off-net, in data centers, or across the cloud.
We thought enough is enough. The Result? Ziften is the one solution that provides security teams with valuable endpoint context behind all network activity — giving enterprises continuous visibility and analytics to respond to advanced threats and run their business in a more efficient, intelligent, and secure manner.
Illuminate Intelligence with ZDR
Detect & swiftly respond to advanced threats to prevent future attacks.
We get it: Traditional signature-based and network security tools lag behind modern day threats. These security tools look for known threats and anomalies, all while the attackers have become smarter, better enabled, more patient, and financially motivated. Relying exclusively on traditional security software increases the number of endpoint blind spots in a shifting security landscape.
ZDR offers comprehensive protection against advanced threats such as human-directed attacks, ransomware, cryptoware, and unknown malware to protect reputations and avoid expensive regulatory audits.
Extend Network Visibility with ZFlow
Last-mile network visibility for all endpoint & cloud environments
Simply put: ZFlow illuminates network activity from the endpoint. Layering endpoint metadata on top of network data, ZFlow details what application and user was responsible for network connections while providing unique context to better understand the behavior of the endpoint at the time of each connection. This unique context and attribution allows security teams to gain a level of intelligence previously unseen.
Continuous Monitoring and Response of Enterprise Endpoints
Ziften for Splunk provides native integration of comprehensive endpoint visibility into Splunk, with the ability to combine that information with threat feeds and network intelligence for an end-to-end view of Indicators of Compromise. The product is delivered with a host of out-of-the box dashboards for easy ramp-up.
Ziften + ReversingLabs
Integrated for Day One Value
In this integration, Ziften and ReversingLabs are providing a limited time offer to Ziften customers wherein ‘interesting’ files identified by Ziften solutions can be automatically checked against the ReversingLabs reputation database, returning real-time file threat intelligence based on hourly updates against the most current and actionable information.
Drill-Down Visibility for Immediate Response
The Ziften solution provides a link to the ReversingLabs A1000 Malware Analysis Platform for deeper inspection, unpacking and advanced analysis of files identified as ‘suspicious’ or ‘malicious’ by the customer at no charge during this offer. Links will remain in place and the customer will be able to continue the A1000 analysis option offer subsequent to the expiration of this offer by subscribing directly with ReversingLabs.
Extend malware analysis.
Complete protection for all on-network and off-network endpoints.
The combination of Blue Coat’s Security Portfolio with Ziften’s adaptive EDR capabilities provides comprehensive prevention, detection, and response across the network and all endpoints. Blue Coat’s Security Portfolio protects the enterprise network, and when combined with Ziften’s endpoint protection capabilities security teams can be sure that they have complete coverage across their entire environment.
Still Supporting Adobe Flash and Apple QuickTime for Windows? Didn’t Get the Memo?
On the heels of Independence Day, it is a good time for a metaphor: Flash is a bit like lighting fireworks. There may be less risky ways to do it, but the only sure way is just to avoid it. And with Flash, you needn’t fight pyromaniac surges to abstain from it, just manage your endpoint configurations.
Why would you wish to do this? Well, Googling “Flash vulnerability” returns thirteen million hits! Flash is old and spent and ripe for retirement, as Adobe put it themselves:
Run a vulnerability scanner across your endpoint population. See any Flash mention? Yes, in the average enterprise, zillions. Your attackers know that also; they are counting on it. Just continue to ignore those pesky security bloggers, like Brian Krebs:
Ignoring Brian Krebs’ advice raises the chances your enterprise’s data breach will be the feature story in one of his future blogs.
// Flash Exploits: the Preferred Exploit Kit Ingredient
The endless list of Flash vulnerabilities continues to lengthen with each new patch cycle. Nation state attackers and the better resourced syndicates can call upon Flash zero days. They aren’t hard to mine – launch your fuzz tester against the creaking Flash codebase and watch them roll out. If an offensive cyber team can’t call upon zero days, not to worry, there are plenty of freshly issued Flash Common Vulnerabilities and Exposures (CVE) to draw upon, before enterprise patch cycles catch up. For exploit kit authors, Flash is the gift that keeps on giving.
A recent FireEye blog exemplifies this typical Flash vulnerability progression—from virgin zero-day to freshly hatched CVE and prime enterprise exploit:
On May 8, 2016, FireEye detected an attack exploiting a previously unknown vulnerability in Adobe Flash Player (CVE-2016-4117) and reported the issue to the Adobe Product Security Incident Response Team (PSIRT). Adobe released a patch for the vulnerability in APSB16-15 just four days later (Posted to FireEye Threat Research Blog on May 13, 2016).
As a quick test then, check your vulnerability report for that entry, for CVE-2016-4117. It was employed in targeted attacks as a zero-day even before it became a known vulnerability. Now that it is known, popular exploit kits will pick it up. Be prepared.
// Start a Flash and QuickTime Eradication Project
While we haven’t talked about QuickTime yet, Apple removed support for QuickTime on Windows in April 2016. This summarily set off a panic in corporations with large numbers of Apple macOS and Windows clients. Do you remove all support for QuickTime? Including on macOS? Or just Windows? How do you find the unsupported versions – when there are many floating around?
One problem is that some of your users have a job function to open attachments, such as PDF invoices sent to accounts payable departments, applicant Microsoft Word resumes sent to recruiting departments, or legal notices sent to legal departments.
Let’s take a closer look at the Flash exploit described by FireEye in the blog cited above:
Attackers had embedded the Flash exploit inside a Microsoft Office document, which they then hosted on their web server, and used a Dynamic DNS (DDNS) domain to reference the document and payload. With this configuration, the attackers could disseminate their exploit via URL or email attachment. Although this vulnerability resides within Adobe Flash Player, threat actors designed this particular attack for a target running Windows and Microsoft Office.
Even if the Flash-averse enterprise had thoroughly purged Flash enablement from all their various browsers, this exploit would still have succeeded. Fully eradicating Flash requires purging it from all browsers and disabling its execution in embedded Flash objects within Office or PDF documents. Certainly that is a step that should be taken at least for those departments with a job function to open attachments from unsolicited emails. And extending outwards from there is a worthy configuration hardening goal for the security-conscious enterprise.
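An added audit script for the eradication project described above (PowerShell written for this page, not Ziften’s or FireEye’s code): it inventories Flash Player and QuickTime installs on one Windows endpoint, lists Flash plugin binaries left on disk, and reports whether the Flash ActiveX control is blocked from activating inside Office documents and Internet Explorer via the COM kill bit, writing the bit when run with -Enforce. It assumes the well-known Flash ActiveX CLSID, the registry keys and the 0x400 flag of Microsoft’s COM kill-bit mechanism (verify against Microsoft’s documentation for your Office version), and it does not cover Flash embedded in PDF readers.

```powershell
# Audit (and optionally enforce) Flash/QuickTime hygiene on a Windows endpoint.
# Assumptions: $FlashClsid is the ShockwaveFlash ActiveX class id; the Office and
# IE "COM Compatibility"/"ActiveX Compatibility" keys with Compatibility Flags=0x400
# are Microsoft's documented kill-bit mechanism. Run elevated when using -Enforce.
param([switch]$Enforce)

$FlashClsid = '{D27CDB6E-AE6D-11cf-96B8-444553540000}'
$KillBit    = 0x400
$KillBitKeys = @(
    # 64-bit Office and IE
    "HKLM:\SOFTWARE\Microsoft\Office\Common\COM Compatibility\$FlashClsid",
    "HKLM:\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\$FlashClsid",
    # 32-bit Office on 64-bit Windows (assumed WOW6432Node location)
    "HKLM:\SOFTWARE\WOW6432Node\Microsoft\Office\Common\COM Compatibility\$FlashClsid"
)

function Get-RiskySoftware {
    # Walk both Uninstall hives for Flash Player and QuickTime package entries.
    $hives = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
             'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
    Get-ItemProperty $hives -ErrorAction SilentlyContinue |
        Where-Object { $_.DisplayName -match 'Adobe Flash Player|QuickTime' } |
        Select-Object DisplayName, DisplayVersion, Publisher
}

function Get-FlashPluginFiles {
    # ActiveX/NPAPI binaries often survive after the Uninstall entry is gone;
    # the file version is what a vulnerability report matches CVEs against.
    $paths = "$env:windir\System32\Macromed\Flash", "$env:windir\SysWOW64\Macromed\Flash"
    Get-ChildItem $paths -Include *.ocx, *.dll -Recurse -ErrorAction SilentlyContinue |
        Select-Object FullName, @{ n = 'Version'; e = { $_.VersionInfo.FileVersion } }
}

function Test-KillBit([string]$Key) {
    # True only when the key exists and the 0x400 bit is present in Compatibility Flags.
    $flags = (Get-ItemProperty $Key -Name 'Compatibility Flags' -ErrorAction SilentlyContinue).'Compatibility Flags'
    return ($null -ne $flags) -and (($flags -band $KillBit) -eq $KillBit)
}

function Set-KillBit([string]$Key) {
    # Create the key if needed and set the kill bit, overwriting any weaker value.
    if (-not (Test-Path $Key)) { New-Item $Key -Force | Out-Null }
    New-ItemProperty $Key -Name 'Compatibility Flags' -Value $KillBit -PropertyType DWord -Force | Out-Null
}

'== Installed Flash Player / QuickTime packages =='
Get-RiskySoftware | Format-Table -AutoSize
'== Flash plugin binaries still on disk =='
Get-FlashPluginFiles | Format-Table -AutoSize
'== Flash ActiveX kill bit status =='
foreach ($key in $KillBitKeys) {
    $blocked = Test-KillBit $key
    '{0}: {1}' -f $key, $(if ($blocked) { 'SET' } else { 'MISSING' })
    if (-not $blocked -and $Enforce) { Set-KillBit $key; '  -> kill bit written' }
}
```

Any package, binary or MISSING kill bit reported here is a finding to reconcile with the vulnerability report mentioned above; run without -Enforce first so the audit can be reviewed before changes are made.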
Not to mention, we’re all waiting for the first post about QuickTime vulnerability which brings down a major enterprise.
How Ziften Works