Cyber World War Z: Part 1

Well, there’s the Brad Pitt World War Z, then there’s the “Cyber World War Z” Ziften addresses.

While Mr. Pitt is battling the zombie apocalypse, Ziften is battling cyber-attacks at the enterprise client.  It has become the most porous, attack-ripe point of attack, so we are fighting our own version of battling the “shock, panic, disbelief and possible denial” of the results of cyber-attacks in enterprises.

Enterprise Client Systems—The Preferred Point of Entry for Routine or Advanced Cyber Attacks

Both routine malware as well as sophisticated advanced attacks typically target client endpoints. They are far less well-protected than datacenter servers, run largely unobserved by IT staff, are inconsistently patched and loosely managed, and are operated by generally naïve users (or in the worst case, by insider attackers). The compromised client endpoint then serves as the pivot point for launching attacks from behind the corporate firewall, to discover and collect data assets and export them to external command and control servers. As we’ll see below, this large enterprise population of thousands of such client systems are ripe for exploitation by all but the most inept, unorganized adversaries.
No enterprise will ever effectively secure its client population by treating it as a security problem – fundamentally it is a management challenge. Ziften has instrumented many thousands of enterprise client systems across dozens of Fortune 500 organizations from major vertical markets in defense, aerospace, energy, healthcare, industry, finance, and major media. Ziften client agents report on client system hardware configuration, on user activity, and on what software runs, when it runs, what resources it consumes, what its version metadata description is (including vendor, product and file versions, product name, copyright dates, etc.) along with a cryptographic hash (MD5) of the binary executable.
Agent reports are collected by an enterprise client management server that stores the findings in an internal database, aggregates and analyzes them for population statistics, references an extensive knowledge base on the application genre, enterprise value and known vulnerabilities of tens of thousands of enterprise software applications, and applies heuristic scoring techniques to rank the performance and security trust level of applications in the enterprise and clients in the population. After four years of collecting, reviewing, and reporting findings to its major enterprise customers, Ziften has an experience base in client population security management that informs the opinions expressed in this blog.