New client-to-cloud security architecture supports continuous delivery of security and incident
response capabilities, improving security program effectiveness and efficiency.

Ziften today announced support for continuous development and feature delivery for enterprise, government, and managed security service provider (MSSP) customers worldwide in its newest cloud-based and on-premises architectures for delivering client-to-cloud visibility and security. This innovation enables continuous development, automatic software version synchronization, and continuous feature delivery. By eliminating updates, reboots, and tedious quality assurance validation for each version release, this modernization is expected to be a boon for security and IT operations teams, especially through times of crisis.

Maintaining end-to-end visibility, a hardened security posture, and reliable threat detection and incident response capabilities across physical, virtualized, and containerized environments requires organizations to remain extremely agile. This agility is best accomplished with solutions that continuously evolve with the ever-changing threat landscape. Ziften’s continuous feature delivery helps security and IT operations teams keep up with these demands regardless of whether they use the Ziften cloud or on-premises solution.
Managing and securing large, constantly changing IT and cloud data center environments can be a difficult task for overburdened security and IT operations teams. Solutions that are continuously updated without requiring any effort, additional validation testing, or deployment work can be a game changer that dramatically improves the productivity of thinly stretched operational staff.

“We find that more often customers are moving to cloud-based, software-as-a-service products where possible,” said Mike Hamilton, SVP of Product, Ziften. “Companies want products that deliver instant gratification, and they no longer have the resources to test every product release that every software vendor delivers. We designed Ziften’s architecture to help customers maintain security, and do more with less.”
About Ziften: Ziften is a visionary provider of the ZDR platform for client-to-cloud visibility and security, offering unprecedented access to user behavior, system, application, and network data originating from user client devices, data centers, and the cloud. Combined with Ziften’s patented ZFlow technology, the company delivers continuous and look-back visibility, security posture assessment and enforcement, and real-time detection and response to security, operations, and risk and compliance teams. Ziften helps enterprises minimize their attack surface and deal with unexpected threats that get through, while improving security and operational efficiencies, and delivering real cost savings.

An OPM Breach Review

The grim-faced panel is dreading the grilling about to be handed to it by irate members of Congress following the disastrous 2015 security breach of the U.S. Government’s Office of Personnel Management (OPM).


Cyber attacks, attributed to the Chinese government, had breached sensitive personnel databases and stolen the data of over 22 million current, former, and prospective U.S. government employees and family members. Stern warnings from the Office of the Inspector General (OIG) to shut down systems lacking a current security authorization (an Authority to Operate, or ATO) had been ignored.

Presciently, the OIG specifically warned that failure to shut down the unauthorized systems carried national security implications. Like the Titanic’s doomed captain who maintained flank speed through an iceberg field, the OPM responded,

“We agree that it is important to maintain up-to-date and valid ATO’s for all systems but do not believe that this condition rises to the level of a Material Weakness.”

Additionally, the OPM worried that shutting down those systems would mean a lapse in retirement and employee benefits and paychecks. Given a choice between a security lapse and an operational lapse, the OPM chose to operate insecurely and was pwned.

Then-director Katherine Archuleta (shown above, on the panel’s left) resigned her office in July 2015, a day after revealing that the scope of the breach vastly exceeded original damage assessments.


Despite this high value information maintained by OPM, the agency failed to prioritize cybersecurity and adequately secure high value data.

“The OPM Data Breach:  How the Government Jeopardized Our National Security for More than a Generation”
September 7, 2016

What are the Lessons for CISOs?

Rational CISOs will wish to avoid career immolation in a massive flaming data breach disaster, so let’s quickly review the key lessons from the Congressional report’s executive summary.

Prioritize Cybersecurity Commensurate with Asset Value

Have an effective organizational management structure to implement risk-appropriate IT security policies.  Chronic lack of compliance with security best practices and lagging recommendation implementation timelines are indicators of organizational failure and bureaucratic atherosclerosis. Shake up the organization or prepare your post-breach panel appearance before the inquisitors (see above photo for appropriate facial expressions).

Do Not Tolerate a Lax State of Information Security

Have the necessary monitoring in place to maintain critical situational awareness, and leave no observation gaps. Do not fail to comprehend the scope, extent, or gravity of attack indicators. Assume that if you identify attack indicators, there are other indicators you are missing. While OPM was forensically observing one attack avenue, a parallel attack went unobserved. When OPM did take action, the attackers learned which attack had been detected and which was still succeeding, quite valuable intelligence to the attacker.

Mandate Basic Required Security Tools and Expeditiously Deploy Cutting-Edge Security Tools

OPM was woefully negligent in implementing mandated multi-factor authentication for privileged accounts and failed to deploy available security technology that could have prevented or mitigated exfiltration of their most valuable security background investigation files. For privileged data or control access authentication, the phrase “password protected” has been an oxymoron for years—passwords are not protection, they are an invitation to compromise. In addition to adequate authentication strength, complete network monitoring and visibility is requisite to prevention of sensitive data exfiltration. The Congressional investigation blamed sloppy cyber hygiene and inadequate system traffic visibility for the attackers’ persistent presence in OPM networks.

Do Not Fail to Escalate the Alarm When Your Most Sensitive Data Is Under Attack

In the OPM breach, observed attack activity “should have sounded a high level multi-agency national security alarm that a sophisticated, persistent actor was seeking to access OPM’s highest-value data.” Instead, nothing of consequence was done “until after the agency was severely compromised, and until after the agency’s most sensitive information was lost to nefarious actors.” As a CISO, sound that alarm in time (or practice your panel appearance face).

Finally, don’t let this be said of your enterprise security posture:

The Committee obtained documents and testimony proving OPM’s information security posture was undermined by a woefully unsecure IT environment, internal politics and bureaucracy, and misplaced priorities related to the deployment of security tools that slowed vital security decisions.

In short, “Don’t OPM IT!”

What Worries Enterprise CISOs When Migrating To The Cloud

Cloud computing offers a number of advantages to enterprise organizations, but there are real security issues that make switching over to a cloud environment worrisome. What CISOs want when migrating to the cloud is continuous insight into that cloud environment. They need a way to monitor and measure risk and the confidence that they have the proper security controls in place.

Increased Security Risk

Migration to the cloud means using managed IT services and many believe this means relinquishing a high level of visibility and control. Although the top cloud providers use the latest security technology and file encryption, even the most up to date systems can fail and expose your sensitive data to the world.

In reality, cloud environments are subject to cyber threats similar to those facing private enterprise data centers. However, the cloud is becoming a more attractive target because of the significant amount of data now stored on cloud servers.

Attackers know that enterprises are steadily migrating to the cloud, and they are already targeting cloud environments. Alert Logic, a security-as-a-service provider, released a report concluding that IT decision makers should not assume that data stored off premises is more difficult for cyber criminals to acquire.

The report went on to say that there had been a 45% increase in application attacks against cloud deployments, and an increase in attack frequency against organizations that host their infrastructure in the cloud.

The Cloud Is a Jackpot

With the shifting of valuable data, production workloads, and applications to cloud environments these revelations should not come as a surprise. A statement from the report said, “…hackers, like everyone else, have a limited amount of time to complete their job. They want to invest their time and resources into attacks that will bear the most fruit: businesses using cloud environments are largely considered that fruit bearing jackpot.”

The report also suggests that there is a misconception within organizations about security. A number of enterprise decision makers were under the impression that once a cloud migration had taken place then the cloud company would be completely responsible for the security of their data.

Security in The Cloud Needs To Be A Shared Responsibility

All organizations must take responsibility for the security of their data whether it is hosted in house or in the cloud. This responsibility cannot be completely abdicated to a cloud company. If your organization suffers from a data breach while using cloud management services, it is unlikely that you would be able to evade responsibility.

It is essential that every organization fully understands the environment and the risks that are associated with cloud management. There can be myriad legal, financial, commercial, and compliance risks. Before migrating to the cloud be sure to scrutinize contracts so that the supplier’s liability is fully understood if a data breach were to occur.

Vice president of Alert Logic Will Semple said, “the key to protecting your critical data is being knowledgeable about how and where along the ‘cyber kill chain’ attackers infiltrate systems and to employ the right security tools, practices and resource investment to combat them.”

Cloud Visibility Is The Key

Whether you are using cloud management services or are hosting your own infrastructure, you need total visibility within your environment. If you are considering the migration of part — or all — of your environment to the cloud then this is essential.

After a cloud migration has taken place you can rely on this visibility to monitor each user, device, application, and network activity for potential risks and possible threats. Thus, the administration of your infrastructure becomes that much more effective.

Don’t let your cloud migration result in weakened security and incomplete compliance. Ziften can help maintain cloud visibility and security for your existing cloud deployments, or upcoming cloud migrations.


Identify and control any device that requires access to your corporate network.

When an organization grows, so does its asset footprint, and this makes managing the entire set of IT assets much more challenging. IT management has changed since the days when IT asset management consisted of recording devices such as printers, accounting for all installed applications, and ensuring that antivirus suites were updated.

Today, organizations are under constant threat of cyber attacks and the use of malicious code to infiltrate the corporate network. Many devices now have network access capabilities. Gone are the days when only desktop PCs connected to an enterprise network. Now there is a culture of bring your own device (BYOD) where smart phones, tablets and laptops are all encouraged to connect to the network.

While this provides flexibility for the organizations with the ability for users to connect remotely, it opens up a whole new range of vulnerabilities as these different endpoints make the issue of corporate IT security a whole lot more complex.

“It is essential that you have a policy-based approach to the endpoint devices that are connected to your network to minimize the threat of cyber attacks and data breaches.”

– Chuck Leaver, Ziften CEO

What Is Endpoint Management?

It is essential that you have a policy based approach to the endpoint devices that are connected to your network to minimize the threat of cyber attacks and data breaches. The use of laptops, tablets, smart phones and other devices may be convenient, but they can expose organizations to a vast array of security threats. The main goal of a sound endpoint management strategy should be that network activities are carefully monitored and unauthorized devices cannot access the network.

Most endpoint management software checks that the device runs an approved operating system and antivirus software, and that its virtual private network (VPN) client is up to date.

Endpoint management solutions will identify and control any device that requires access to the corporate network. If anyone is attempting to access the enterprise environment from a non compliant device they will be denied access. This is essential to combat attacks from cyber criminals and infiltrations from malicious groups.

Any device that does not comply with endpoint management policies is either quarantined or granted limited access. Local administrative rights may be removed and Internet browsing restricted.

Organizations Can Do More

There are a number of techniques that an organization can employ as part of its endpoint management policy. These include firewalls (both network and personal), encryption of sensitive data, stronger authentication methods, and device- and network-level antivirus and anti-malware protection. Stronger authentication means multi-factor authentication wherever it is available; long, hard-to-guess passwords remain necessary, but forcing users to change them on a fixed schedule is no longer recommended (NIST SP 800-63B advises rotation only when compromise is suspected).

Endpoint management systems can work on a client-server basis, where software is deployed and centrally managed on a server. The client program must be installed on every endpoint device that is authorized to access the network. It is also possible to use a software as a service (SaaS) model of endpoint management, where the vendor hosts and maintains the server and the security applications remotely.

When a client device attempts to log in, the server-based application scans the device to see whether it complies with the organization’s endpoint management policy, and then validates the user’s credentials before access to the network is granted.
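The admission flow just described, as an added example that is not Ziften’s code and not part of the original post. A device reports its posture, the server evaluates that posture against policy before the user’s credentials are even checked, and non-compliant devices are quarantined or given limited access. The field names (os_name, av_signature_date, vpn_client_version, and so on), the policy thresholds, and the sample devices are assumptions constructed for illustration; the one design point worth copying is that missing or unreported posture data fails closed rather than open.

```python
"""Added example, not Ziften's code: a policy-based endpoint admission check.

A device reports its posture; the server evaluates it against policy before
the user's credentials are considered, and non-compliant devices land in
quarantine or limited access. Field names, thresholds and sample devices are
assumptions constructed for this example.
"""
from dataclasses import dataclass
from datetime import date, timedelta
from enum import Enum
from typing import Callable, Dict, List, Optional, Tuple


class Decision(str, Enum):
    ALLOW = "allow"            # compliant: normal network access
    LIMITED = "limited"        # minor drift: remediation network only
    QUARANTINE = "quarantine"  # unmanaged, unknown state, or serious violation
    DENIED = "denied"          # posture acceptable but credentials failed


@dataclass
class Policy:
    approved_os: Dict[str, Tuple[int, ...]]   # OS name -> minimum version
    max_av_signature_age: timedelta
    min_vpn_client: Tuple[int, ...]
    require_disk_encryption: bool = True


@dataclass
class DevicePosture:
    device_id: str
    managed: bool                                  # enrolled in endpoint management?
    os_name: Optional[str] = None
    os_version: Optional[Tuple[int, ...]] = None
    av_running: Optional[bool] = None
    av_signature_date: Optional[date] = None
    vpn_client_version: Optional[Tuple[int, ...]] = None
    disk_encrypted: Optional[bool] = None


POSTURE_FIELDS = ("os_name", "os_version", "av_running", "av_signature_date",
                  "vpn_client_version", "disk_encrypted")


def evaluate_posture(p: DevicePosture, policy: Policy, today: date) -> Tuple[Decision, List[str]]:
    """Hard failures -> QUARANTINE, soft (fixable) failures -> LIMITED, else ALLOW."""
    if not p.managed:
        return Decision.QUARANTINE, ["not enrolled in endpoint management"]
    missing = [f for f in POSTURE_FIELDS if getattr(p, f) is None]
    if missing:
        # Fail closed: a device that does not report its state cannot be assessed.
        return Decision.QUARANTINE, ["posture not reported: " + ", ".join(missing)]

    hard: List[str] = []
    soft: List[str] = []
    min_os = policy.approved_os.get(p.os_name)
    if min_os is None:
        hard.append(f"unapproved operating system {p.os_name}")
    elif p.os_version < min_os:
        soft.append(f"{p.os_name} {p.os_version} below minimum {min_os}")
    if not p.av_running:
        hard.append("antivirus not running")
    elif today - p.av_signature_date > policy.max_av_signature_age:
        soft.append(f"antivirus signatures {(today - p.av_signature_date).days} days old")
    if p.vpn_client_version < policy.min_vpn_client:
        soft.append(f"VPN client {p.vpn_client_version} below minimum {policy.min_vpn_client}")
    if policy.require_disk_encryption and not p.disk_encrypted:
        hard.append("disk not encrypted")

    if hard:
        return Decision.QUARANTINE, hard + soft
    return (Decision.LIMITED, soft) if soft else (Decision.ALLOW, [])


def admit(p: DevicePosture, policy: Policy, today: date,
          credentials_ok: Callable[[str], bool], username: str) -> Tuple[Decision, List[str]]:
    """Posture first, credentials second: a quarantined device never gets to try passwords."""
    decision, findings = evaluate_posture(p, policy, today)
    if decision is Decision.QUARANTINE:
        return decision, findings
    if not credentials_ok(username):
        return Decision.DENIED, findings + ["credential check failed"]
    return decision, findings


POLICY = Policy(approved_os={"windows": (10, 0, 14393), "macos": (10, 12)},
                max_av_signature_age=timedelta(days=3), min_vpn_client=(4, 3))
TODAY = date(2016, 10, 1)
SAMPLE_DEVICES = [  # constructed sample input
    DevicePosture("wks-001", True, "windows", (10, 0, 14393), True, date(2016, 9, 30), (4, 4), True),
    DevicePosture("wks-002", True, "windows", (10, 0, 14393), True, date(2016, 9, 20), (4, 4), True),
    DevicePosture("byod-17", False),
    DevicePosture("lab-03", True, "windows", (10, 0, 14393), False, date(2016, 9, 30), (4, 4), True),
    DevicePosture("mac-09", True, "macos", (10, 12), True, date(2016, 9, 30), (4, 4)),
]


def triage(devices: List[DevicePosture], policy: Policy = POLICY, today: date = TODAY) -> Dict[str, str]:
    """device_id -> decision name, for a batch of reported postures."""
    return {d.device_id: evaluate_posture(d, policy, today)[0].value for d in devices}


if __name__ == "__main__":
    for d in SAMPLE_DEVICES:
        decision, findings = evaluate_posture(d, POLICY, TODAY)
        print(f"{d.device_id:8} {decision.value:11} {'; '.join(findings)}")
```

Run as a script it prints one line per sample device: the fully compliant workstation is allowed, the one with 11-day-old signatures is limited, and the unenrolled BYOD phone, the box with antivirus stopped, and the Mac that never reported its encryption state are all quarantined. The split between hard and soft failures is a policy choice; what should not be negotiable is the fail-closed handling of unreported fields.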

The Problem With Endpoint Management Systems

Most organizations see security software applications as a “cure all” but it is not that clear cut. Endpoint security software that is purchased as a set and forget solution will never be enough. The experienced hackers out there know about these software solutions and are developing malicious code that will evade the defenses that a set and forget application can offer.

There needs to be human intervention. Jon Oltsik, contributor at Network World, said: “CISOs must take ownership of endpoint security and designate a group of specialists who own endpoint security controls as part of an overall responsibility for incident prevention, detection, and response.”

Ziften’s endpoint security solutions provide the continuous and look-back visibility that a cyber security team needs to detect malicious infiltrations and act before they spread and steal the organization’s sensitive data.



The latest and greatest from Splunk

Last week I attended the annual Splunk conference in the great sunshine state – Florida. The Orlando-based event allowed for Splunkers from around the world to acquaint themselves with the latest and greatest offerings from Splunk. Although there were an array of fun activities throughout the week, it was clear that attendees were there to learn. The announcement of Splunk’s security-centric Adaptive Response initiative was well-received and just so happens to integrate quite nicely with Ziften’s endpoint solution.

In particular, the “Transforming Security” Keynote Session put on by Monzy Merza, Director of Cyber Research and Chief Security Evangelist for Splunk, Haiyan Song, SVP Security Markets for Splunk, and Mike Stone, CDIO for the UK Ministry of Defense, demonstrated the power of Splunk’s new Adaptive Response interface to thousands of attendees.

In a clip from that keynote, Monzy Merza demonstrates how critical data provided by a Ziften agent can also be used to enact bi-directional functionality from Splunk, by sending instructional logic back to the Ziften agent to take immediate action on a compromised endpoint. Monzy was able to identify a compromised Linux server and remove it from the live network for further forensic investigation. By providing critical security data to the Splunk instance and also letting the user stay on the same interface to take operational and security actions, the Ziften endpoint agent lets users bi-directionally use Splunk’s powerful framework to take instant, precise action across all operating systems. After the talks our booth was swamped with demos and extremely interesting conversations about operations and security.


Over the weekend I was able to process the wide array of technical discussions I had with hundreds of brilliant people in our booth at .conf. One of the funny things I discovered, which no one would openly admit unless I pulled it out of them, is that the majority of us are beginner-to-intermediate users of SPL (Splunk’s Search Processing Language). I also observed the obvious: incident response was the main focus of this year’s event.

However, many people use Ziften for Splunk for a variety of things, such as operations and application management, network monitoring, and user behavior modeling. In an attempt to illuminate the broad functionality of our Splunk App, here’s a taste of what folks at .conf2016 loved most about Ziften for Splunk:

1) It’s fantastic for Enterprise Security.
a. Generalized platform for digesting real-time data and taking immediate action
b. Automating remediation from a wide range of indicators of compromise

2) IT Operations love us.
a. Systems Tracking, Hardware Lifecycle, Resource Management
b. Application Management – Compliance, License Rationalization, Vulnerabilities

3) Network Monitoring with ZFlow is a game changer.
a. ZFlow ties NetFlow with binary, user and system data, in a single Splunk SPL entry
b. Do I need to say more here? This is the right Holy Grail from Indiana Jones, folks!

4) Our User Behavior Modeling goes beyond just alerts.
a. This could be tied back under IT Operations but it’s becoming its own beast
b. Ziften’s tracking of software usage, logins, elevated binaries, timestamps, etc. is readily viewable in Splunk
c. Ziften provides a free security-centric Splunk bundle, but we map all of the data we collect from each endpoint to Splunk’s Common Information Model (CIM), not just our alerts

Ultimately, using a single Splunk Adaptive Response interface to manage a multitude of tools within your environment is what helps build a strong enterprise fabric for your company – one in which operations, security and network teams more fluidly overlap. Make better decisions, faster. Find out for yourself with our free 30 day trial of Ziften for Splunk!

Better Exploit Detection Gives Hospital a Healthier Network

How hospitals use Ziften to detect malicious activity on their network.

A regional hospital team had limited tools available to protect patients’ privacy and prevent HIPAA violations. The hospital’s security team had deployed anti-malware and antivirus solutions, but still lacked a way to provide visibility and oversight of user activities. They approached Ziften hoping to maintain full posture oversight and policy enforcement, as well as ongoing threat detection and incident response across the entire computing environment. The hospital soon found that Ziften’s benefits extended well beyond its detection and response capabilities.


Customer Saves $16 Million and Improves Security Posture.

How governments use Ziften to identify rarely-used systems and software licenses.

A provincial government in Canada had objectives to quickly identify and remove underutilized software licenses, while finding and fixing end-user system problems. After six months using the Ziften solution, the provincial government saved $16 million by decommissioning or repurposing systems and software licenses.


Get Tough or Get Hacked.

Highly skilled cyber attack teams have targeted and are targeting your enterprise.  Your vast endpoint population is the most common point of entry for skilled attack organizations. These enterprise endpoints number in the thousands, are loosely managed, laxly configured, and rife with vulnerability exposures, and are operated by marginally trained, credulous users—the perfect target-rich opportunity. Mikko Hypponen, chief research officer at F-Secure, often remarks at industry symposia: “How many of the Fortune 500 are hacked right now? The answer: 500.”

And how long did it take to penetrate your enterprise? White hat hackers performing penetration testing or red team exercises typically compromise target enterprises within the first few hours, even though ethically and legally restrained in their methods.  Black hat or state sponsored hackers may achieve penetration even more quickly and secure their presence indefinitely. Given average attacker dwell periods measured in hundreds of days, the time-to-penetration is negligible, not an impediment.

// Exploit Kits

The industrialization of hacking has created a black market for attack tools, including a variety of software for identifying and exploiting client endpoint vulnerabilities. These exploit kits are marketed to cyber attackers on the dark web, with dozens of exploit kit families and vendors. An exploit kit operates by fingerprinting the software configuration on the endpoint (browser, plugins and their versions), identifying exposed vulnerabilities, and delivering an exploit for one of them.

A relative handful of commonly deployed endpoint software accounts for the bulk of the vulnerabilities targeted by exploit kits. This results from the sad reality that complex software applications tend to exhibit a continual flow of newly discovered vulnerabilities. Each patch release cycle, the exploit kit developers download the latest security patches, reverse engineer them to discover the underlying vulnerabilities, and update their exploit kits. This is often done more quickly than enterprises apply patches, and some vulnerabilities remain unpatched and ripe for exploitation even years after a patch is issued.

// Adobe Flash

Prior to widespread adoption of HTML 5, Adobe Flash was the most commonly used software for rich Internet content. Even with increasing adoption of HTML 5, legacy Adobe Flash retains a significant following, and with it its long-held position as the darling of exploit kit authors. A recent study by Digital Shadows, In the Business of Exploitation, is instructive:

This report analyzes 22 exploit kits to understand the most frequently exploited software. We looked for trends within the exploitation of vulnerabilities by these 22 kits to show what vulnerabilities had been exploited most widely, coupled with how active each exploit kit was, in order to inform our assessment.

The vulnerabilities exploited by all 22 exploit kits showed that Adobe Flash Player was likely to be the most targeted software, with 27 of the 76 identified vulnerabilities exploited pertaining to this software.

With relative consistency, dozens of fresh vulnerabilities are uncovered in Adobe Flash each month. To exploit kit developers, it is the gift that keeps on giving.

The industry is learning its lesson and moving beyond Flash for rich web content. For example, a Yahoo senior developer blogging recently in Streaming Media noted:

“Adobe Flash, once the de-facto standard for media playback on the web, has lost favor in the industry due to increasing concerns over security and performance. At the same time, requiring a plugin for video playback in browsers is losing favor among users as well. As a result, the industry is moving toward HTML5 for video playback.”

–Amit Jain, Sep 21, 2016


// Banishing Adobe Flash

One step enterprises may take today to harden their endpoint configurations is to banish Adobe Flash as a matter of enterprise security policy. This will not be convenient, and it may be painful, but it will reduce your enterprise attack surface. It involves blacklisting Adobe Flash Player on endpoints and enforcing browser security settings that disable Flash content. If done correctly, this is what users will see where Flash content appears on a legacy web page:

[Image: browser message shown where blocked Flash content would appear]

This message confirms two facts:

  1. Your system is properly configured to refuse Flash content.
    –Congratulate yourself!
  2. This website would compromise your security for their convenience.
    –Ditch this site!
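Banishing Flash is painful mainly because nobody knows which internal pages still depend on it. A practical first step is to inventory your own web estate for the markup browsers use to load Flash, so the applications that will break can be fixed or migrated before the block is enforced. The scanner below is an added example, not Ziften’s code and not part of the original post: it looks for `<object>` and `<embed>` tags declaring the Flash MIME type or the Flash Player ActiveX classid, and for `.swf` references in their `data`, `src` or `movie` attributes. The intranet URLs and page bodies are constructed sample input. Pages that inject Flash from JavaScript (for example through SWFObject) will not be caught by a static markup scan, so a proxy-log review of `.swf` fetches is a useful complement.

```python
"""Added example, not Ziften's code: find web pages that still embed Flash.

Static scan of HTML for the markup browsers use to load Flash content, so the
pages that will break when Flash is blocked can be listed before the policy
is enforced. Sample pages and URLs are constructed for this example.
"""
from html.parser import HTMLParser
from typing import Dict, List, Tuple
from urllib.parse import urlparse

FLASH_MIME = "application/x-shockwave-flash"
FLASH_CLSID = "clsid:d27cdb6e-ae6d-11cf-96b8-444553540000"  # Flash Player ActiveX control

Finding = Tuple[str, str, str]  # (tag, attribute, value)


def _is_swf(url: str) -> bool:
    """True when the URL path names a .swf file (query string ignored)."""
    return urlparse(url).path.lower().endswith(".swf")


class FlashFinder(HTMLParser):
    def __init__(self) -> None:
        super().__init__()
        self.findings: List[Finding] = []
        self._object_depth = 0  # <param name="movie"> only counts inside <object>

    def handle_starttag(self, tag: str, attrs) -> None:
        a = {k: (v or "") for k, v in attrs}  # attribute names arrive lowercased
        if tag == "object":
            self._object_depth += 1
            if a.get("type", "").lower() == FLASH_MIME:
                self.findings.append((tag, "type", a["type"]))
            elif a.get("classid", "").lower() == FLASH_CLSID:
                self.findings.append((tag, "classid", a["classid"]))
            elif _is_swf(a.get("data", "")):
                self.findings.append((tag, "data", a["data"]))
        elif tag == "embed":
            if a.get("type", "").lower() == FLASH_MIME:
                self.findings.append((tag, "type", a["type"]))
            elif _is_swf(a.get("src", "")):
                self.findings.append((tag, "src", a["src"]))
        elif tag == "param" and self._object_depth:
            if a.get("name", "").lower() == "movie" and _is_swf(a.get("value", "")):
                self.findings.append((tag, "movie", a["value"]))

    def handle_endtag(self, tag: str) -> None:
        if tag == "object" and self._object_depth:
            self._object_depth -= 1


def find_flash(html: str) -> List[Finding]:
    """All Flash-loading markup found in one page body."""
    parser = FlashFinder()
    parser.feed(html)
    parser.close()
    return parser.findings


def inventory(pages: Dict[str, str]) -> Dict[str, List[Finding]]:
    """URL -> Flash findings, listing only the pages that still need Flash."""
    result: Dict[str, List[Finding]] = {}
    for url, html in pages.items():
        findings = find_flash(html)
        if findings:
            result[url] = findings
    return result


SAMPLE_PAGES = {  # constructed sample input, not real sites
    "https://intranet.example/timesheet": (
        '<object classid="clsid:D27CDB6E-AE6D-11cf-96B8-444553540000" width="800">'
        '<param name="movie" value="/apps/timesheet.swf">'
        '<embed src="/apps/timesheet.swf" type="application/x-shockwave-flash"></embed>'
        '</object>'),
    "https://intranet.example/training": '<video controls src="/media/onboarding.mp4"></video>',
    "https://intranet.example/charts": '<embed src="/charts/viewer.SWF?year=2016">',
}

if __name__ == "__main__":
    for url, findings in inventory(SAMPLE_PAGES).items():
        print(url)
        for tag, attr, value in findings:
            print(f"  <{tag} {attr}={value!r}>")
```

In practice you would feed `inventory()` the bodies fetched by a crawl of your internal sites; the classic ActiveX-plus-embed pattern in the timesheet page yields three findings for one Flash movie, which is fine since the goal is a list of pages to fix, not a count of SWFs.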

Better Real-time Insights on End-user Systems and Servers.

Ziften provides clients a greater understanding of endpoint system problems and threats via real-time monitoring.

A Fortune 500 utility company needed a solution that gave better real-time insights on its network of end-user systems and servers. The solution had to run on thousands of endpoints and preserve their activity for future investigations. In searching for a better solution, the client approached Ziften and asked to deploy a proof of concept on a few hundred end-user systems in its energy trading floor environment. Immediately, the Ziften solution gave the client visibility into a variety of previously unknown issues.


Fortinet announces new Security Fabric architecture to the channel