Ziften Digs Deep for Security Visibility


Visibility is the key to identifying and mitigating security incidents. You can't protect what you can't see, and you can't block unknown threats. Security startup Ziften is among the many vendors now chasing the market opportunity associated with improving security visibility.

Hot on the heels of a $24 million funding round led by Spring Mountain Capital, the company announced its Ziften 4.5 platform update, including a new ZFlow capability which helps users identify the actual executables that are part of a security incident.

David Shefter, CTO of Ziften, explained to eSecurityPlanet that Ziften started going after the security market in late 2013 after transitioning from its original operations visibility focus. The company was founded in 2010.

Mike Hamilton, VP of Product at Ziften, said that Ziften has always had the ability to connect the network connections made by a device back to the executables making the connections. ZFlow adds the ability to send the information out in IPFIX (IPF Flow Information Export), a format that provides information on which processes are running, the users involved and which applications are making the connections.

On Windows the information collected by Ziften comes from Microsoft's ETW (Event Tracing for Windows) capability. Additionally Ziften has an agent that has native calls for other information collection on Windows. On Apple Mac OS X all the data is collected via a Ziften agent.

The Ziften agents for both Windows and OS X are driverless, so they will not interfere with any custom applications that an organization might be running.

Financial Services Niche

Shefter spent 30 years of his career working in financial services. In his experience, end points have been treated as the "bastardized stepchild" of security.

"A lot of the application work that generates revenue and profitability for financial services organizations are custom-built applications," Shefter said. "Many of them have very invasive processes that hook into the operating system for speed."

As such, when an agent requires a driver, there is the risk of breaking custom processes on a system. Shefter said that Ziften's niche is working without kernel or process hooks so as not to break custom applications.

Additionally, Shefter said Ziften doesn't require a system reboot in order to install, which can also be a risk in financial services.

"We're well under one percent CPU utilization, while traditional anti-virus can be four to 10 percent," he said. "That's why you don't see AV in high-frequency trading environments, because if you add four to 10 percent to CPU load that might impact the speed of a transaction which could cost millions of dollars."

Sean Michael Kerner is a senior editor at eSecurity Planet and InternetNews.com. Follow him on Twitter @TechJournalist.