Heather Wright was in San Jose as a guest of NetEvents
Endpoint protection and response vendor Ziften has further extended its relationship with Microsoft, joining the Windows Defender Advanced Threat Protection advanced hunting project.
Ziften will provide analytics and queries so customers can conduct threat hunting for fileless – or zero-footprint – attacks across macOS and Linux platforms, with Ziften integrating with Windows Defender ATP.
Roark Pollock, Ziften SVP of marketing, said the partnership with Microsoft has been a driving force for the Texas-based startup in the last six months.
In November 2017 the two companies announced that Ziften’s Zenith security platform had been integrated with Windows Defender ATP to provide a cloud-based single pane of glass view to detect, view, investigate and respond to advanced cyber-attacks across Windows, macOS and Linux endpoints.
Ziften was one of several companies Microsoft teamed up with in November as it seeks to add third party security to its Defender ATP offering.
The two companies co-sell into deals where Microsoft installs its Windows Defender ATP endpoint on Windows machines, while Ziften installs its software for any Mac or Linux machines.
“The last six months working with Microsoft has been like going on a rocket ship,” Pollock said. “Our business was going well before we got the Microsoft business, but now it’s like being on a rocketship.
“Before the partnership we were slowly looking to expand into Asia and Europe but now it’s happening almost overnight.”
In January, Ziften rolled out a fast-start channel programme to recruit and onboard Microsoft resellers. While Ziften’s traditional partners tended to be smaller, specialist security partners, Microsoft has much bigger partners, selling its entire suite, from Azure to Windows to Office 365. Pollock said Ziften is currently on-boarding ‘a lot’ of those new Microsoft partners.
The fast-start launch was followed in March by the opening of an Australian and New Zealand office, headed by Greg Kieser – ex-Dropbox – as ANZ country manager, based in Sydney.
“The Microsoft team in Australia was by far the first and most aggressive part of the Microsoft sales organisation in picking the partnership up and rolling it out to customers,” Pollock
“We very quickly started going on customer visits with them and they introduced us to distributor Insentra who we’ve signed with.”
As part of Microsoft’s co-sell programme, Microsoft staff receive commission for selling Ziften into joint customers.
Pollock said Microsoft has taken Ziften into very large enterprise deals, which Ziften would previously not have been considered for.
He said more than 50% of Microsoft’s Windows 10 enterprise customers are using Windows Defender, while Gartner has told Ziften that Microsoft is the most asked-about endpoint detection and response tool among enterprise customers.
“There’s a huge opportunity for Microsoft and Ziften to disrupt the endpoint security space both on the endpoint protection platform side and on the endpoint detection and response (EDR) side, because if customers start adopting what Microsoft is doing… We’ve all heard of Netscape, Lotus Notes, Word Perfect, all of these tools that have been displaced by Microsoft because they have embedded these tools in their operating system.
“There’s an opportunity for the antivirus and EDR space to get disrupted in the same way – that’s one of the big reasons we wanted to work with Microsoft. If they’re going to disrupt this market it’s better to be a partner than one of their competitors.”
Pollock said the two companies’ solutions are similar architecturally, providing visibility into devices and taking data from the endpoint into the cloud, where security intelligence and analytics are applied to discover breaches or threats.
“A lot of detection and response tools today are very much focused on looking at real time data,” Pollock said. “We do that but we also collect that data so you’re not just looking at real time data. We store up to six months of data by default and a lot of customers buy 12-18 months of storage capacity.
“What that means is that once I identify a threat or breach on any device I can go back and see where it came from, how long it has been in the environment, how it got in, where it started and moved to… Having that history enables you to root out where it started and eliminate that whole kill chain and not just an individual instance on an individual device,” he said.