The traditional perimeter as we know it is quickly dissolving. So what does this mean for the endpoint?

Investment in perimeter security, as defined by firewalls, managed gateways and intrusion detection/prevention systems (IDS/IPS), is changing. These investments are being questioned, with returns that no longer cover the cost and complexity of creating, maintaining, and justifying these antiquated defenses.

More than that, the paradigm has changed – employees are no longer exclusively working in the office. Many people are logging hours from home or while traveling, and neither location is under the umbrella of a firewall. Instead of keeping the bad guys out, firewalls often have the inverse effect: they prevent the good guys from being productive. The irony? Once an attacker is inside, the trusted internal network becomes a safe haven in which to hide for months and then traverse to critical systems.

What Has Really Changed?

The endpoint has become the last line of defense. With the aforementioned failure in perimeter defense and a “mobile everywhere” workforce, we must now enforce trust at the endpoint. Easier said than done, however.

In the endpoint space, identity & access management (IAM) tools are not the silver bullet. Even innovative companies like Okta, OneLogin, and cloud proxy vendors such as Blue Coat and Zscaler cannot overcome one simple truth: trust goes beyond simple identification, authentication, and authorization.

Encryption is a second line of defense, applied to entire data stores and to individual assets. In the most recent (2016) Ponemon study on data breaches, encryption saved only about 10% of the cost per breached record (from $158 to $142). This isn’t the panacea that some make it seem.

Everything is changing

Organizations must be prepared to embrace new paradigms and new attack vectors. While organizations must provide access to trusted groups and individuals, they have to do so in a better way. Critical business systems are now accessed from anywhere, at any time, not just from desks in corporate office buildings. And contractors (the contingent workforce) are quickly coming to comprise more than half of the overall enterprise workforce.

On endpoint devices, the binary is predominantly the problem. Apparently benign incidents, such as an executable crash, could indicate something simple – like the Windows 10 Desktop Window Manager (dwm.exe) restarting. Or it could be a much deeper problem, such as a malicious file or an early indicator of an attack.

Trusted access doesn’t solve this vulnerability. According to the Ponemon Institute, between 70% and 90% of all attacks are caused by human error, social engineering, or other human factors. This requires more than simple IAM – it requires behavioral analysis.

Instead of making good better, perimeter and identity access companies made bad faster.

When and Where Does the Good News Begin?

Taking a step back, Google (Alphabet Corp) announced a perimeter-less network model in late 2014, and has made significant progress since. Other enterprises – from corporations to governments – have done this quietly and less thoroughly, but BeyondCorp has done it and shown its work to the world. The design philosophy, endpoint plus (public) cloud displacing the cloistered enterprise network, is the key concept.

This changes the entire conversation: an endpoint – be it a laptop, desktop, workstation, or server – is no longer subservient to the corporate/enterprise/private/organization network. The endpoint truly is the last line of defense, and must be protected – yet it must also report its activity.

Unlike the conventional perimeter security model, BeyondCorp doesn’t gate access to services and tools based on a user’s physical location or the originating network; instead, access policies are based on information about a device, its state, and its associated user. BeyondCorp considers both internal networks and external networks to be completely untrusted, and gates access to applications by dynamically asserting and enforcing levels, or “tiers,” of access.

By itself, this seems innocuous. In reality it is a radical new model, and an imperfect one. The access criteria have shifted from network addresses to device trust levels, and the network is heavily segmented by VLANs, rather than a centralized model with a “soft chewy center” exposed to breaches, hacks, and threats at the human level.

The good news? Breaching the perimeter is extremely challenging for would-be attackers, and network pivoting – a common attacker technique today – becomes next to impossible once past the reverse proxy. (The conventional perimeter, by contrast, does more to keep attackers in once they are inside than to keep them out, while still getting in the way of legitimate users.) The same inverted model applies to Google’s own servers, presumably tightly managed inside a hardened boundary, versus client endpoints, which are all out in the wild.

Google has made some nice refinements to proven security approaches, notably 802.1X and RADIUS, bundled them as the BeyondCorp architecture, and included strong identity and access management (IAM).
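The tiered access decision described above, written out as an added Python example. This is illustrative code, not Google’s BeyondCorp implementation: the device inventory fields, tier names, thresholds, resource policy and the sample certificate fingerprint are all assumptions chosen for the example. The one property it preserves from the model is that the requester’s network address is never an input to the decision.

```python
"""Illustrative BeyondCorp-style access decision (added example, not Google's code).

Assumptions: the device inventory fields, tier names and thresholds below are
invented for this example. The access policy never consults a source IP.
"""
from dataclasses import dataclass


@dataclass
class Device:
    device_id: str
    cert_fingerprint: str      # fingerprint of the device's X.509 certificate
    managed: bool              # enrolled in the device inventory
    os_patch_age_days: int     # days since the last OS patch was applied
    disk_encrypted: bool
    agent_last_seen_days: int  # days since the endpoint agent last reported


@dataclass
class User:
    username: str
    groups: frozenset
    mfa: bool                  # completed a second factor for this session


# Constructed inventory: certificate fingerprint -> device it was issued to.
KNOWN_CERTS = {"SHA256:DEADBEEF0001": "laptop-001"}

# Ordered from least to most trusted.
TIERS = ["untrusted", "basic", "privileged", "highly_privileged"]


def device_tier(dev: Device) -> str:
    """Derive a trust tier from device identity and state alone."""
    if KNOWN_CERTS.get(dev.cert_fingerprint) != dev.device_id or not dev.managed:
        return "untrusted"     # unknown certificate or unmanaged device: no trust
    if dev.agent_last_seen_days > 7:
        return "untrusted"     # stale telemetry: device state cannot be asserted
    if not dev.disk_encrypted or dev.os_patch_age_days > 30:
        return "basic"
    if dev.os_patch_age_days > 7:
        return "privileged"
    return "highly_privileged"


# Per-resource policy: minimum device tier, required group, second factor.
POLICY = {
    "wiki":         {"min_tier": "basic",             "group": "employees",   "mfa": False},
    "bug-tracker":  {"min_tier": "privileged",        "group": "engineering", "mfa": False},
    "prod-console": {"min_tier": "highly_privileged", "group": "sre",         "mfa": True},
}


def decide(user: User, dev: Device, resource: str):
    """Return (allowed, reason). No network address is consulted anywhere."""
    rule = POLICY.get(resource)
    if rule is None:
        return False, "unknown resource"
    tier = device_tier(dev)
    if TIERS.index(tier) < TIERS.index(rule["min_tier"]):
        return False, f"device tier {tier} is below required {rule['min_tier']}"
    if rule["group"] not in user.groups:
        return False, f"user {user.username} is not in group {rule['group']}"
    if rule["mfa"] and not user.mfa:
        return False, "second factor required"
    return True, f"allowed at device tier {tier}"


if __name__ == "__main__":
    alice = User("alice", frozenset({"employees", "engineering", "sre"}), mfa=True)
    laptop = Device("laptop-001", "SHA256:DEADBEEF0001", True, 3, True, 1)
    for res in POLICY:
        print(res, decide(alice, laptop, res))
```

Note the ordering of checks in `device_tier`: a device whose agent has gone quiet drops to `untrusted` even if its last reported state was perfect, because a state that cannot be re-asserted is not a state the policy can rely on.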

Why is this important? What are the gaps?

Ziften believes in this approach because it emphasizes device trust over network trust. However, Google doesn’t specifically show a device security agent or emphasize any form of client-side monitoring (apart from very strict configuration control). While there may be reporting and forensics, this is something every organization should be aware of, since it’s a matter of when – not if – bad things will happen.

As Google’s engineers report in the 2016 BeyondCorp design-to-deployment paper: “Since implementing the initial phases of the Device Inventory Service, we’ve ingested billions of deltas from over 15 data sources, at a typical rate of about three million per day, totaling over 80 terabytes. Retaining historical data is essential in allowing us to understand the end-to-end lifecycle of a given device, track and analyze fleet-wide trends, and perform security audits and forensic investigations.”

This is an expensive and data-heavy process with two shortcomings. First, on ultra-high-speed networks (utilized by the likes of Google, universities, and research organizations), ample bandwidth allows this volume of telemetry to flow without flooding the pipes; in more pedestrian corporate and government environments, it would cause real user disruption.

Second, machines must have the horsepower to constantly collect and transmit data. While most employees would be delighted to have current developer-class workstations at their disposal, the expense of the devices and process of refreshing them on a regular basis makes this prohibitive.

A Lack of Lateral Visibility

Very few products actually generate ‘enhanced’ netflow, augmenting traditional network visibility with rich, contextual data.

Ziften’s patented ZFlow™ provides network flow details on data generated from the endpoint, otherwise accomplished using brute force (human labor) or expensive network devices.

ZFlow acts as a “connective tissue” of sorts, which extends and completes the end-to-end network visibility cycle, adding context to on-network, off-network and cloud servers/endpoints and allowing security teams to make faster, better-informed and more accurate decisions. In essence, investing in Ziften services results in labor savings, plus an increase in speed-to-discovery and time-to-remediation, as technology substitutes for people resources.

For organizations moving/migrating to the public cloud (as 56% are planning to do by 2021 according to IDG Enterprise’s 2015 Cloud Survey), Ziften offers unmatched visibility into cloud servers to better monitor and secure the complete infrastructure.

In Google’s environment, only corporate-owned devices (COPE) are allowed, which crowds out bring-your-own (BYOD). This works for a company like Google that can hand out new devices to all staff—phone, tablet, laptop, etc. Part of the reason is that identity is vested in the device itself, in addition to the usual user authentication. The device must meet Google’s requirements, having either a TPM or a software equivalent of a TPM, to hold the X.509 certificate used to validate device identity and to set up device-specific traffic encryption. Several agents must run on each endpoint to verify the device validation predicates called out in the access policy, which is where Ziften would need to partner with the systems management agent provider, since cooperation between agents is likely essential to the process.


In summary, Google has developed a world-class solution, but its applicability and practicality are limited to organizations like Alphabet.

Ziften offers the same level of operational visibility and security protection to the masses, using a lightweight agent, metadata/network flow monitoring (from the endpoint), and a best-in-class console. For organizations with specialized needs or incumbent tools, Ziften provides both an open REST API and an extension framework (to augment ingest of data and triggering response actions).

This yields the benefits of the BeyondCorp model to the masses, while protecting network bandwidth and endpoint (machine) computing resources. As organizations will be slow to move completely away from the enterprise network, Ziften partners with firewall and SIEM vendors.

Finally, the security landscape is steadily shifting towards managed detection & response (MDR). Managed security service providers (MSSPs) offer traditional monitoring and management of firewalls, gateways and perimeter intrusion detection, but this is not enough. They lack the skills and the technology.

Ziften’s solution has been tested, integrated, approved and implemented by a number of the emerging MDR providers, illustrating the standardization (capability) and flexibility of the Ziften platform to play a key role in remediation and incident response.

The Ziften Solution

ZFlow + ZDR for endpoint telemetry and deep analytics

For too long network and security management have been left to cope with dated security technologies that don’t adapt: they’re expensive, difficult to deploy, and impossible to scale. Enterprise security teams need network visibility now — and they need it everywhere. On or off-net, in data centers, or across the cloud.

We thought enough is enough. The Result? Ziften is the one solution that provides security teams with valuable endpoint context behind all network activity — giving enterprises continuous visibility and analytics to respond to advanced threats and run their business in a more efficient, intelligent, and secure manner.


Illuminate Intelligence with ZDR

Detect & swiftly respond to advanced threats to prevent future attacks.

We get it: Traditional signature-based and network security tools lag behind modern day threats. These security tools look for known threats and anomalies all while the attackers have become smarter, better enabled, more patient, and financially motivated. Relying exclusively on traditional security software increases the amount of endpoint blind spots in a shifting security landscape.

ZDR offers comprehensive protection against advanced threats such as human-directed attacks, ransomware, cryptoware, and unknown malware to protect reputations and avoid expensive regulatory audits.


Extend Network Visibility with ZFlow

Last-mile network visibility for all endpoint & cloud environments

Simply put: ZFlow illuminates network activity from the endpoint. Layering endpoint metadata on top of network data, ZFlow details what application and user was responsible for network connections while providing unique context to better understand the behavior of the endpoint at the time of each connection. This unique context and attribution allows security teams to gain a level of intelligence previously unseen.
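The enrichment described here and in the ZFlow section above, as an added Python example. This is illustrative code, not Ziften’s ZFlow: a network sensor’s flow records are joined with the endpoint agent’s socket table so that each connection is attributed to a process and user, and a connection originated by an Office application is flagged. Both data sets are constructed inline; the record fields, the list of suspect parent processes and the clock-skew slack are assumptions.

```python
"""Attribute network flows to endpoint processes (added example, not Ziften's ZFlow code)."""
from collections import namedtuple

# Sensor-side flow record (timestamps are seconds; field set is an assumption)
Flow = namedtuple("Flow", "ts src_ip src_port dst_ip dst_port proto nbytes")
# Agent-side socket record: which process owned a local port during [ts_open, ts_close]
Socket = namedtuple("Socket", "ts_open ts_close host_ip local_port proto pid exe user")

# Constructed flow export from a network sensor
FLOWS = [
    Flow(1000, "10.0.0.5",  51234, "93.184.216.34", 443, "tcp", 8200),
    Flow(1005, "10.0.0.5",  51240, "198.51.100.7",   80, "tcp", 1300),
    Flow(1010, "10.0.0.9",  49152, "10.0.0.20",     445, "tcp", 900000),
    Flow(1020, "10.0.0.30", 40000, "203.0.113.9",    22, "tcp", 100),   # host without an agent
]

# Constructed socket table reported by the endpoint agent
SOCKETS = [
    Socket(999,  1003, "10.0.0.5", 51234, "tcp", 4120, "chrome.exe",  "alice"),
    Socket(1004, 1006, "10.0.0.5", 51240, "tcp", 5212, "winword.exe", "alice"),
    Socket(1009, 1200, "10.0.0.9", 49152, "tcp", 7730, "svchost.exe", "SYSTEM"),
]


def attribute(flows, sockets, slack=2):
    """Pair each flow with the socket that owned (host, port, proto) at the flow's time.

    Ephemeral ports are reused quickly, so the match uses the socket's lifetime as
    well as the address fields; `slack` tolerates clock skew between sensor and agent.
    """
    by_key = {}
    for s in sockets:
        by_key.setdefault((s.host_ip, s.local_port, s.proto), []).append(s)
    attributed = []
    for f in flows:
        owner = None
        for s in by_key.get((f.src_ip, f.src_port, f.proto), []):
            if s.ts_open - slack <= f.ts <= s.ts_close + slack:
                owner = s
                break
        attributed.append((f, owner))
    return attributed


# Processes that should not be originating network connections on their own
SUSPECT_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe", "acrord32.exe"}


def findings(attributed):
    """Return (flow, message) pairs worth an analyst's attention."""
    alerts = []
    for f, s in attributed:
        if s is None:
            alerts.append((f, "no endpoint attribution for this flow"))
        elif s.exe.lower() in SUSPECT_PARENTS:
            alerts.append((f, f"{s.exe} (pid {s.pid}, user {s.user}) connected to "
                              f"{f.dst_ip}:{f.dst_port}"))
    return alerts


if __name__ == "__main__":
    for flow, msg in findings(attribute(FLOWS, SOCKETS)):
        print(flow.ts, flow.src_ip, msg)
```

The second alert, a flow with no endpoint attribution at all, is the practical point of the section: a host the agent does not cover is a blind spot, and the join makes those blind spots visible rather than silently dropping them.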


Continuous Monitoring and Response of Enterprise Endpoints

Ziften for Splunk provides native integration of comprehensive endpoint visibility into Splunk, with the ability to combine that information with threat feeds and network intelligence for an end-to-end view of Indicators of Compromise. The product is delivered with a host of out-of-the box dashboards for easy ramp-up.

  • Security-based alerts that tie network-based feeds to Ziften binary data
  • Daily reports that tie Ziften binary data to ZFlow binary threat feeds
  • Forensics capability tying endpoint context and attribution to NetFlow

Ziften + ReversingLabs

Integrated for Day One Value

In this integration, Ziften and ReversingLabs are providing a limited time offer to Ziften customers wherein ‘interesting’ files identified by Ziften solutions can be automatically checked against the ReversingLabs reputation database, returning real-time file threat intelligence based on hourly updates against the most current and actionable information.

Drill-Down Visibility for Immediate Response

The Ziften solution provides a link to the ReversingLabs A1000 Malware Analysis Platform for deeper inspection, unpacking and advanced analysis of files identified as ‘suspicious’ or ‘malicious’ by the customer at no charge during this offer. Links will remain in place and the customer will be able to continue the A1000 analysis option offer subsequent to the expiration of this offer by subscribing directly with ReversingLabs.


Extend malware analysis.

Complete protection for all on-network and off-network endpoints.

The combination of Blue Coat’s Security Portfolio with Ziften’s adaptive EDR capabilities provides comprehensive prevention, detection, and response across the network and all endpoints. Blue Coat’s Security Portfolio protects the enterprise network, and when combined with Ziften’s endpoint protection capabilities security teams can be sure that they have complete coverage across their entire environment.


Still Supporting Adobe Flash and Apple QuickTime for Windows? Didn’t Get the Memo?

On the heels of Independence Day, this is a good time for a metaphor: Flash is a bit like lighting fireworks. There may be less risky ways to do it, but the only sure way is to avoid it. And with Flash, you needn’t fight pyromaniac urges to abstain; just manage your endpoint configurations.

Why would you wish to do this? Well, Googling “Flash vulnerability” returns thirteen-million hits! Flash is old and spent and ripe for retirement, as Adobe put it themselves:

Today [November 30, 2015], open standards like HTML5 have matured and provide many of the capabilities that Flash ushered in. … Looking ahead, we encourage content creators to build with new web standards…

Run a vulnerability scanner across your endpoint population. See any Flash mention? Yes, in the average enterprise, zillions. Your attackers know that too; they are counting on it. Just continue to ignore those pesky security bloggers, like Brian Krebs:

I would recommend that if you use Flash, you should strongly consider removing it, or at least hobbling it until and unless you need it.

Ignoring Brian Krebs’ advice raises the chances your enterprise’s data breach will be the feature story in one of his future blogs.

// Flash Exploits: the Preferred Exploit Kit Ingredient

The endless list of Flash vulnerabilities continues to lengthen with each new patch cycle. Nation state attackers and the better resourced syndicates can call upon Flash zero days. They aren’t hard to mine – launch your fuzz tester against the creaking Flash codebase and watch them roll out. If an offensive cyber team can’t call upon zero days, not to worry, there are plenty of freshly issued Flash Common Vulnerabilities and Exposures (CVE) to draw upon, before enterprise patch cycles catch up. For exploit kit authors, Flash is the gift that keeps on giving.

A recent FireEye blog exemplifies this typical Flash vulnerability progression—from virgin zero-day to freshly hatched CVE and prime enterprise exploit:

On May 8, 2016, FireEye detected an attack exploiting a previously unknown vulnerability in Adobe Flash Player (CVE-2016-4117) and reported the issue to the Adobe Product Security Incident Response Team (PSIRT). Adobe released a patch for the vulnerability in APSB16-15 just four days later (Posted to FireEye Threat Research Blog on May 13, 2016).

As a quick test then, check your vulnerability report for that entry, for CVE-2016-4117. It was employed in targeted attacks as a zero-day even before it became a known vulnerability. Now that it is known, popular exploit kits will pick it up. Be prepared.

// Start a Flash and QuickTime Eradication Project

While we haven’t talked about QuickTime yet, Apple removed support for QuickTime on Windows in April, 2016. This summarily set off a panic in corporations with large numbers of Apple macOS and Windows clients. Do you remove all support for QuickTime? Including on macOS? Or just Windows? How do you find the unsupported versions – when there are many floating around?

By doing nothing, you can flirt with disaster, with Flash vulnerability exposures rife across your client endpoint population. Otherwise, you can start a Flash and QuickTime eradication project to move towards a Flash-free enterprise. Or, wait, maybe you educate your users not to glibly open email attachments or click on links. User education, that always works, right? Hmmm.

One problem is that some of your users have a job function to open attachments, such as PDF invoices to accounts payable departments, or applicant Microsoft Word resumes to recruiting departments, or legal notices sent to legal departments.

Let’s take a closer look at the Flash exploit described by FireEye in the blog cited above:

Attackers had embedded the Flash exploit inside a Microsoft Office document, which they then hosted on their web server, and used a Dynamic DNS (DDNS) domain to reference the document and payload. With this configuration, the attackers could disseminate their exploit via URL or email attachment. Although this vulnerability resides within Adobe Flash Player, threat actors designed this particular attack for a target running Windows and Microsoft Office.


Even if the Flash-averse enterprise had thoroughly purged Flash from all of its browsers, this exploit would still have succeeded. Fully eradicating Flash requires purging it from all browsers and disabling its execution in embedded Flash objects within Office or PDF documents. That step should certainly be taken at least for those departments whose job function includes opening attachments from unsolicited emails, and extending outwards from there is a worthy configuration hardening goal for the security-conscious enterprise.

Not to mention that we’re all waiting for the first post about a QuickTime vulnerability that brings down a major enterprise.

How Ziften Works


The Ziften Solution

Ziften delivers a lightweight and configurable collector, an open platform and analytics engine across a variety of data feeds (including the proprietary Ziften Zflow™ end point data and third party data feeds) to drive true, real time risk scoring and prioritization of alerts. Ziften provides unprecedented endpoint visibility using industry unique Zflow to add context, attribution, and user behavior to the security ecosystem including network products, firewalls and over the horizon solutions. This approach adds value to each discrete area and drives a unified, open security ecosystem that is infinitely more effective at predicting, detecting, preventing, and responding to threats.

Our non-driver based agent is extremely lightweight at less than 1 MB and easily & quickly deployed using standard systems management software distribution tools. Ziften can scale to hundreds of thousands of endpoints without issues of network degradation, latency or complex service models.



Ransomware that is tailored to enterprise attack campaigns has emerged in the wild. This is an obvious evolution of consumer-grade ransomware, driven by the larger bounties which enterprises are able to pay out coupled to the sheer scale of the attack surface area (internet-facing endpoints and unpatched software). To the attacker, your enterprise is a tempting target with a big fat wallet just begging to be knocked over.

Your Enterprise Presents a Tempting Target

Simple Google queries may already have identified unpatched internet-facing servers by the scores across your domain, or your credulous users may already be opening “spear phishing” emails crafted just for them presumably authored by people they know.

The weaponized invoices go to your accounting department, the weaponized resumes to your human resources department, the weaponized legal notices to your legal department, and the weaponized trade publication articles to your public relations firm. That should cover it, for starters. Add the watering hole drive-bys planted on industry websites frequented by your employees, the social media attacks targeted to your key executives and their family members, the infected USB sticks strewn around your facilities, and the compromises of your suppliers, customers, and business partners.

Enterprise compromise isn’t an if but a when — the when is continual, the who is legion.

Targeted Ransomware Has Arrived

Malware researchers are now reporting on enterprise-targeted ransomware, a natural evolution in the monetization of enterprise cyber intrusions. Christiaan Beek and Andrew Furtak explain this in an excerpt from Intel Security Advanced Threat Research, February 2016:

“During the past few weeks, we have received information about a new campaign of targeted ransomware attacks. Instead of the normal modus operandi (phishing attacks or drive-by downloads that lead to automatic execution of ransomware), the attackers gained persistent access to the victim’s network through vulnerability exploitation and spread their access to any connected systems that they could. On each system, several tools were used to find, encrypt, and delete the original files as well as any backups.”

Careful reading of this citation immediately reveals steps to be taken. Initial penetration was by “vulnerability exploitation,” as is often the case. A sound vulnerability management program with tracked and enforced exposure tolerances (measured in days) is mandatory. Since the attackers “spread their access to any connected system,” it is also requisite to have robust network segmentation and access controls. Think of it as a watertight compartment on a warship to avoid sinking when the hull is breached. Of special note, the attackers “delete the original files as well as any backups,” so there must be no delete access from a compromised system to its backup files — systems must only be able to append to their backups.

You Do Have Current Backups, Right?

Of course, there must be current backups of any files that must survive an enterprise intrusion. Paying the ransom is not an effective option since any files created by malware are inherently suspect and must be considered tainted. Enterprise auditors or regulators cannot accept files excreted from some malware orifice as legally valid, the chain of custody having been completely broken. Financial data may have been altered with fraudulent transactions, configuration data may have been tampered with, viruses may have been planted for later re-entry, or the malware file manipulations may simply have had errors or omissions. There would be no way to place any confidence in such data, and accepting it as valid could further compromise all future downstream data dependent upon or derived from it. Treat ransomware data as garbage. Either have a robust backup plan — regularly tested and validated — or prepare to suffer your losses.

Do You Have a Breach Plan?

Even with sound backups confidentiality of affected data must be assumed to be breached because it was read by malware. Even with detailed network logs, it would be impracticable to prove that no data had been exfiltrated. In a targeted attack the attackers typically take data inventory, reviewing at least samples of the data to assess its potential value — they could be leaving money on the table otherwise. Data ransom demands may simply be the final monetization stage in an enterprise breach after mining all other value from the intrusion since the ransom demand exposes the compromise.

Your Remediation Plan Must Be Thorough

One should assume that competent attackers have arranged multiple, cunningly-concealed avenues of re-entry at various staggered time points (well after your crisis team has stood down and pricey consultants have flown off to their next gig). Any stray evidence left behind was carefully staged to mislead investigators and deflect blame. Expensive re-imaging of systems must be exceedingly thorough, touching every sector of the disk across its entire recording surface and re-creating master boot records (MBRs) and volume boot records from scratch. Some ransomware is known to compromise MBRs.

Also, don’t assume system firmware has not been compromised. If you can update the firmware, so can hackers. It isn’t hard for hacking organizations to explore firmware hacking options when their enterprise targets standardize system hardware configurations, allowing a little lab effort to go a long way. The industrialization of cybercrime allows for the development and sale of firmware hacks on the dark net to a broader criminal market.

Good EDR Tools Can Help

After all of this bad news, there is an answer. When it comes to targeted ransomware attacks, taking proactive steps instead of reactive cleanup is far less painful. A good Endpoint Detection and Response (EDR) tool can assist on both ends. EDR tools are good for identifying exposed vulnerabilities and active applications. Some applications have such a notorious history of exposing vulnerabilities that they are best removed from the environment (Adobe Flash, for instance). EDR tools are also good at tracking all significant endpoint events, so that investigators can identify a “patient zero” and track the pivot activity of targeted enterprise-spreading ransomware. Attackers rely on endpoint opacity to help conceal their actions from security staff, but EDR is there to enable open visibility of notable endpoint events that could signal an attack in progress. EDR isn’t limited to the old antivirus convict-or-acquit model, that allows freshly remixed attack code to evade AV detection.
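The patient-zero and pivot tracking described above, as an added Python example over constructed endpoint events (illustrative code, not Ziften’s product). Given process-start and outbound-connection events reported by an endpoint agent, it finds the earliest host that ran the ransomware binary and, for each later infected host, the most recent connection into it from a host that was already infected at the time. The event schema, the host names and the binary name `encryptor.exe` are all constructed for the example.

```python
"""Reconstruct patient zero and a ransomware spread path from endpoint events (added example)."""
from collections import namedtuple

# kind is "proc" (process start) or "conn" (outbound connection); detail holds the rest.
Event = namedtuple("Event", "ts host kind detail")

# Constructed telemetry from four hosts; timestamps are seconds.
EVENTS = [
    Event(90,  "ws-03", "conn", {"dst": "ws-01", "dst_port": 445,  "exe": "explorer.exe"}),
    Event(100, "ws-01", "proc", {"exe": "winword.exe",   "user": "alice"}),
    Event(101, "ws-01", "proc", {"exe": "encryptor.exe", "user": "alice"}),
    Event(120, "ws-01", "conn", {"dst": "fs-01", "dst_port": 445,  "exe": "encryptor.exe"}),
    Event(130, "fs-01", "proc", {"exe": "encryptor.exe", "user": "alice"}),
    Event(140, "ws-01", "conn", {"dst": "ws-07", "dst_port": 445,  "exe": "encryptor.exe"}),
    Event(150, "fs-01", "conn", {"dst": "ws-07", "dst_port": 3389, "exe": "mstsc.exe"}),
    Event(160, "ws-07", "proc", {"exe": "encryptor.exe", "user": "alice"}),
]

IOC_BINARIES = {"encryptor.exe"}   # constructed indicator of compromise


def first_infection(events, iocs=IOC_BINARIES):
    """host -> timestamp of its first IOC process start."""
    first = {}
    for e in events:
        if e.kind == "proc" and e.detail["exe"].lower() in iocs:
            first[e.host] = min(e.ts, first.get(e.host, e.ts))
    return first


def patient_zero(events, iocs=IOC_BINARIES):
    """Earliest (host, ts) at which the IOC ran, or None if it never did."""
    first = first_infection(events, iocs)
    if not first:
        return None
    host = min(first, key=first.get)
    return host, first[host]


def spread_path(events, iocs=IOC_BINARIES):
    """host -> (source_host, dst_port, ts) of the likely pivot into that host.

    Heuristic: the latest connection into the host, before its own first IOC
    process, from a host that was already infected when the connection happened.
    Patient zero has no such connection and therefore gets no entry.
    """
    first = first_infection(events, iocs)
    parents = {}
    for host, t_inf in first.items():
        best = None
        for e in events:
            if e.kind != "conn" or e.detail["dst"] != host or e.ts >= t_inf:
                continue
            if e.host in first and first[e.host] <= e.ts:
                if best is None or e.ts > best.ts:
                    best = e
        if best is not None:
            parents[host] = (best.host, best.detail["dst_port"], best.ts)
    return parents


if __name__ == "__main__":
    print("patient zero:", patient_zero(EVENTS))
    for victim, (src, port, ts) in sorted(spread_path(EVENTS).items(), key=lambda kv: kv[1][2]):
        print(f"{src} -> {victim} via port {port} at t={ts}")
```

The “latest infected-to-victim connection” rule is a ranking heuristic, not proof: ws-07 was contacted by both ws-01 and fs-01 before it started encrypting, and the example picks the RDP session from fs-01 only because it was the more recent. In a real investigation keep every candidate and corroborate with authentication logs before deciding which pivot actually carried the payload.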

Good EDR tools are always vigilant, always reporting, always tracking, available when you need it: now or retroactively. You wouldn’t turn a blind eye to enterprise network activity, so don’t turn a blind eye to enterprise endpoint activity.