On the Radar: Ziften enables continuous endpoint monitoring

Transcription

1 On the Radar: Ziften enables continuous endpoint monitoring The Zenith platform can also run custom scripts for remediation Publication Date: 04 May 2017 Product code: IT Rik Turner

2 Summary Catalyst Ziften develops technology to provide endpoint visibility and control to IT and security operations teams within enterprise customers, combining both real-time and historical user device and threat behavior monitoring, analytics, and reporting. Key messages Ziften s main product is Zenith, a platform for monitoring and delivering visibility into endpoint estates. The technology covers desktops and laptops (on-net, off-net, and offline), servers, virtual machines (VMs), and containers. Lightweight agents on the endpoints collect data and send it to a management server where it can be stored and streamed to a console for security personnel. Ziften also has a product that generates extended network flow data from endpoints that can be ingested by SIEMs and other analysis tools. Ovum view Ziften enables the continuous visibility and monitoring of endpoints, a capability for which there is a clear demand, particularly as an increasing number of workloads migrate to the public or hybrid cloud, and employees increasingly work remotely. Ovum expects these trends to drive increasing demand for platforms such as Zenith. Recommendations for enterprises Why put Ziften Zenith on your radar? Ziften s ability to continuously monitor and store historical data for endpoints, including VMs and containers, is a compelling feature, while its ZFlow capability that provides NetFlow and IPFIX data from the endpoint for consumption by SIEMs and other platforms is an interesting capability for companies seeking greater visibility across their infrastructure. It should be on your list of technology providers to consider if you are planning to invest in additional or enhanced monitoring capabilities. Highlights Ziften grew out of the perception that systems management, as well as security functions such as vulnerability management and anti-virus checking, are not continuous activities, and that a platform that could provide visibility and monitoring on a continuous basis would enable a more holistic approach to systems management and security. Zenith focuses on the endpoint, which includes not only end-user computing devices, but also offnetwork user devices, servers, VMs, and containers. To perform its monitoring functions, it deploys a Ovum. All rights reserved. Unauthorized reproduction prohibited. Page 2

3 lightweight agent, not in the kernel of the endpoint s OS but in the user space, the set of memory locations in which user processes (essentially everything except the kernel) run. Deployment is via a passive install where no reboot or maintenance window is required. For example, the agent becomes part of the image on a VM, and can be baked into the golden image for servers in a data center, or in an AMI for deployment in the AWS Cloud. The agent collects flow and connectivity data to provide insights into users and device behavior, looking at applications, binaries, and processes, enabling both performance management and security functions. It sends this data back to a management server, which can run in the cloud or as an on-premise appliance, from which it is streamed to a console. The system keeps six months of historical data by default, but customers can buy more if they need it for procedures such as insider threat investigations. In addition to reporting on endpoint activity, an extension to the platform announced in 2016 enables custom scripts to be run at the endpoint, making it possible to collect custom data elements and enable custom remedial actions such as changing a firewall policy, disabling a USB port or ejecting a USB drive, quarantining a device, or blocking or killing processes from an executable. Customers can also set policies so that these actions are triggered automatically. Zenith uses the Apache Kafka message broker and the Vertica analytics database from HPE. It also integrates with other analytics engines via an application programming interface (API). It can support up to 1 million endpoints for individual customers with this architecture. ZFlow, meanwhile, is a platform that creates network flow data from endpoints, covering the device itself, applications, binaries, and users. It uses proprietary technology based on the NetFlow and IPFix standards, and Ziften offers integrations with Lancope, Arbor, Fortinet s FortiSIEM, Splunk, and other tools that can ingest NetFlow data. Background Ziften was founded in 2009 by Mark Obrecht, who had previously founded and led WholeSecurity, a developer of anti-phishing technology acquired by Symantec in Obrecht led Ziften as CEO until 2012, and as chief Innovation officer until he left in 2015 to focus on venture capitalism at Trellis Partners, which had led Ziften s $5.8m Series A round in Since 2012, Ziften s CEO has been Charles Leaver, who was also a partner at Trellis from 2011 to The company has so far raised approximately $42m in venture funding, most recently announcing a Series C round of $24m led by Spring Mountain Capital in July This round also had additional investment from Sarofim Fayez and Co, which led the May 2012 $5.5m Series B round. Current position Ziften started out calling its product by the same name as the company, and launched Ziften 1.0 in With the addition of a second product to its portfolio, its flagship platform has now been renamed Zenith and is currently at version 5.1. Ziften has somewhere between 50 and 100 enterprise customers, with its largest deployment to date totaling some 120,000 endpoints. Zenith enables unmanaged IT asset discovery, system monitoring and hardening, threat detection and hunting, incident response and containment, and deep lookback forensics to protect organizations Ovum. All rights reserved. Unauthorized reproduction prohibited. Page 3

4 from cyber-attacks. Ziften s other product is ZFlow, which generates an extended version of NetFlow to provide last-mile visibility for all endpoint activity on a network. Ziften goes to market through a two-tier channel as well as via managed security service providers (MSSPs). The company primarily sees other systems management and security vendors such as Tanium and Ivanti, and sometimes providers of endpoint detection and response (EDR) technology, as its main competitors. Data sheet Key facts Table 1: Data sheet: Ziften Product name Zenith Product classification Unified systems management and security software Version number 5.1 Release date First version launched in 2011 Industries covered Enterprise, Government & Managed Services Providers Geographies covered All Relevant company sizes Mid-Size and Large Licensing options Subscription URL Routes to market Value-added resellers, managed services providers Company headquarters Austin, Texas, US Number of employees Source: Ovum Appendix On the Radar On the Radar is a series of research notes about vendors bringing innovative ideas, products, or business models to their markets. Although On the Radar vendors may not be ready for prime time, they bear watching for their potential impact on markets and could be suitable for certain enterprise and public sector IT organizations. Further reading On the Radar: Tanium offers security and endpoint management, IT (November 2016) Heat Software and LANDesk merge to become Ivanti Software, IT (January 2017) Author Rik Turner, Principal Analyst, Infrastructure Solutions rik.turner@ovum.com Ovum. All rights reserved. Unauthorized reproduction prohibited. Page 4

5 Ovum Consulting We hope that this analysis will help you make informed and imaginative business decisions. If you have further requirements, Ovum s consulting team may be able to help you. For more information about Ovum s consulting capabilities, please contact us directly at consulting@ovum.com. Copyright notice and disclaimer The contents of this product are protected by international copyright laws, database rights and other intellectual property rights. The owner of these rights is Informa Telecoms and Media Limited, our affiliates or other third party licensors. All product and company names and logos contained within or appearing on this product are the trademarks, service marks or trading names of their respective owners, including Informa Telecoms and Media Limited. This product may not be copied, reproduced, distributed or transmitted in any form or by any means without the prior permission of Informa Telecoms and Media Limited. Whilst reasonable efforts have been made to ensure that the information and content of this product was correct as at the date of first publication, neither Informa Telecoms and Media Limited nor any person engaged or employed by Informa Telecoms and Media Limited accepts any liability for any errors, omissions or other inaccuracies. Readers should independently verify any facts and figures as no liability can be accepted in this regard readers assume full responsibility and risk accordingly for their use of such information and content. Any views and/or opinions expressed in this product by individual authors or contributors are their personal views and/or opinions and do not necessarily reflect the views and/or opinions of Informa Telecoms and Media Limited. Ovum. All rights reserved. Unauthorized reproduction prohibited. Page 5

6 CONTACT US INTERNATIONAL OFFICES Beijing Dubai Hong Kong Hyderabad Johannesburg London Melbourne New York San Francisco Sao Paulo Tokyo