Arraya Insights

September 9, 2020 by Arraya Insights

Why Your Company Can’t Afford to Overlook a Web App Vulnerability Scanner

Vulnerability scanning is something all organizations should be looking into, if they’re not doing it already. Scanning inside and outside the network can help you identify misconfigurations, cyber security gaps or potentially even regulatory shortcomings. The key is to make these scans a habit. After all, just because you’re secure today doesn’t necessarily mean you’ll be secure tomorrow. For example, you could implement a patch and then, before you know it, a hacker will already have found a new workaround. If you’re doing vulnerability scans and you’re doing them regularly, you’re on the right track. However, stopping there still leaves an important part of your environment exposed.  

Vulnerability scanners work at the network level. They interrogate every port they can reach, checking to see if it’s open as well as for other details such as its configuration, operating system, etc. Where they struggle, however, is when they encounter a web app. While many enterprise vulnerability scanning platforms offer some level of web application scanning ability, this tends to be very limited. The in-depth explorations they do elsewhere on the network simply aren’t possible with a web app, leaving an attack vector mostly untested. This situation is made worse by the fact that the presence of a web application plugin or option tends to create a false sense of security.

The best way to address these shortcomings and close that gap is with a dedicated web app vulnerability scanner.

Web apps have become essential, but are they secure?

Web apps, websites – they’re all built on their own language (some popular options include .NET, Node.js, Python, etc.). Standard vulnerability scanners don’t speak that language, but web app vulnerability scanners do. They’re able to engage with those utilities and can perform the deep dive that standard vulnerability scanners can’t manage.

So, how exactly do they engage with, say, a company’s website? A web app scanner will start by indexing all possible URLs associated with a site, leaning on naming conventions and established patterns to create a detailed site map. Next, it will crawl through each of those pages, interacting with every component, including stored files, utilities, CSS code, etc. So, if for example a web site has a search bar, the web app scanner will interact with it to make sure it’s secure. It will do the same for all of a site’s possible input fields, again looking for details like version number, platform type and so on. As it goes along, it can highlight any causes for concern, feeding that information back to admins who can then address vulnerabilities as they see fit.         
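The indexing and crawling steps described above can be sketched as follows. This is an added example, not code from the original post or from any scanner product; the site `app.example`, its pages and the two review checks are constructed for illustration, and the pages are served from an in-memory dictionary so the example runs offline.

```python
from collections import deque
from html.parser import HTMLParser
from urllib.parse import urldefrag, urljoin, urlparse

BASE_URL = "https://app.example/"  # hypothetical site under test

# Constructed pages standing in for HTTP responses, so the example runs offline.
SAMPLE_SITE = {
    "/": '<a href="/search">Search</a> <a href="/login">Log in</a> '
         '<a href="/legacy">Old portal</a> <a href="https://cdn.example/x">CDN</a>',
    "/search": '<form action="/search"><input type="text" name="q">'
               '<input type="submit" value="Go"></form><a href="/#top">Home</a>',
    "/login": '<form action="/session" method="post"><input name="user">'
              '<input type="password" name="pass">'
              '<input type="hidden" name="csrf" value="t"></form>',
    "/legacy": '<form action="http://app.example/old" method="get">'
               '<input name="id"><input type="password" name="pin"></form>',
}


def sample_fetch(url):
    """Return the constructed HTML for a URL, or None if the page does not exist."""
    return SAMPLE_SITE.get(urlparse(url).path or "/")


class PageParser(HTMLParser):
    """Collects the links and the forms (with their named inputs) on one page."""

    def __init__(self):
        super().__init__()
        self.links, self.forms, self._form = [], [], None

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "a" and a.get("href"):
            self.links.append(a["href"])
        elif tag == "form":
            self._form = {"action": a.get("action") or "",
                          "method": (a.get("method") or "get").upper(),
                          "fields": []}
            self.forms.append(self._form)
        elif tag in ("input", "textarea", "select") and self._form is not None:
            ftype = (a.get("type") or "text").lower() if tag == "input" else tag
            # Buttons carry no user-controlled data, so they are not inventoried.
            if a.get("name") and ftype not in ("submit", "button", "reset", "image"):
                self._form["fields"].append((a["name"], ftype))

    def handle_endtag(self, tag):
        if tag == "form":
            self._form = None


def crawl(base_url, fetch, max_pages=50):
    """Breadth-first crawl limited to the base URL's host.

    Returns (site_map, inventory): the pages reached, and one record per form.
    """
    host = urlparse(base_url).netloc
    queue, seen = deque([base_url]), {base_url}
    site_map, inventory = [], []
    while queue and len(site_map) < max_pages:
        url = queue.popleft()
        html = fetch(url)
        if html is None:
            continue
        site_map.append(url)
        parser = PageParser()
        parser.feed(html)
        for href in parser.links:
            target = urldefrag(urljoin(url, href)).url  # drop #fragments
            if urlparse(target).netloc == host and target not in seen:
                seen.add(target)
                queue.append(target)
        for form in parser.forms:
            inventory.append({"page": url, "method": form["method"],
                              "action": urljoin(url, form["action"]),
                              "fields": form["fields"]})
    return site_map, inventory


def review_points(inventory):
    """Flag two well-known form weaknesses for an administrator to review."""
    notes = []
    for form in inventory:
        types = {ftype for _, ftype in form["fields"]}
        if "password" in types and form["method"] == "GET":
            notes.append((form["page"], "password field submitted with GET"))
        if urlparse(form["action"]).scheme == "http":
            notes.append((form["page"], "form submits to a plain-HTTP action"))
    return notes


if __name__ == "__main__":
    pages, forms = crawl(BASE_URL, sample_fetch)
    print("site map:", pages)
    for form in forms:
        print(form)
    print("review:", review_points(forms))
```

The inventory of forms and fields is the list a scanner would then exercise one input at a time; the sketch stops at mapping and flagging.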

And then there are web apps. Not to knock the work done by independent app dev teams, but the code in a custom or home-brewed app doesn’t go through nearly the same level of rigorous testing as something like Microsoft’s SQL Server does. Maybe the initial code used to build the app is a little rushed due to a tight deadline. Or, even if it was spotless when it was first created, security gaps may have opened as time passed. The lack of ongoing updates can leave custom apps at a greater risk of attack. It’s also another area where a web app vulnerability scanner can help mitigate risk.

A web app scanner can authenticate into an app using a variety of roles and permissions in order to compose a comprehensive picture of the tool’s security. Under the guise of these different roles, the scanner can interrogate functions, both in the custom code as well as on the underlying platform upon which the app was constructed. Web app scanners can also check package and dependency versions and internal app logic itself. This level of insight can be applied towards custom APIs, like REST or SOAP.

Scanners can also gauge a web app’s level of security by replicating some of the exploit methods favored by criminals, such as SQL Injection or Remote Code Execution. A scanner can leverage these approaches to simulate an attack and monitor the response. It’s important to tune these tests properly to ensure no real damage is inflicted during the fake attack.

Taking vulnerability scanning beyond the network

Vulnerability scanning is an important part of good cyber security. Some organizations may believe this is enough and so they stop there. That feeling can vanish quickly if an attacker gets into their website or a key web app. Depending on how a network is structured and where the compromised utility lives, that initial breach might only be step one in a much bigger attack.

Arraya Solutions can help your organization implement and manage a comprehensive vulnerability scanning program, one that covers your network as well as web apps. My team can also help you remediate any vulnerabilities surfaced by these scans. Reach out to us today to learn more: https://www.arrayasolutions.com//contact-us/.

September 3, 2020 by Arraya Insights

4 Things Organizations Get Wrong About Office 365 Licensing

The more the merrier can be said of a lot of things, but Office 365 licenses aren’t necessarily one of them. Yet, that’s exactly how many organizations, intentionally or not, seem to be approaching the subject. The result of this is a license portfolio that is frequently, radically out of step with organizational need as well as budget.

A pair of studies explored this phenomenon recently and both landed on the exact same conclusion: Organizations are doing themselves a disservice by not taking a closer look at how they handle licenses. Some of the more eye-catching (and troubling) discoveries include:

  • Researchers from Quadrotech found roughly 18% of Office 365 licenses are going unused. The company then extrapolated that out, using the average cost of a Microsoft E3 license and a base setting of a 10,000 seat organization, to estimate an average license overspend of $150k.   
  • A separate investigation from CoreView painted an even bleaker picture. Its analysts found 56% of Office licenses are, “inactive, underutilized, oversized, or unassigned.” In their estimation, organizations are spending 14% more on Office 365 licenses than is necessary.

So how did we get to the point depicted in each of these studies? Where are organizations going wrong with licensing and, more importantly, what can be done to get them back on the right track and bring those costs down?

Costly, but correctable, Office 365 licensing mistakes

Here are four mistakes that lead to license overspend:

  • Not auditing licensing (or not doing so regularly). You can’t improve what you aren’t measuring. It’s become a cliché for a reason. When it comes to licensing, too many organizations just layer on new licenses without first looking at what they have and what they need. On the flip side of this issue, organizations may also continue to pay for licenses they once used but now don’t. Routine audits can bring each of these items into focus.
  • Stockpiling licenses for a rainy day. Organizations don’t want to get caught shorthanded so they order more licenses than they need. They don’t end up needing those licenses and, over time, they’re forgotten about – but the budget doesn’t forget. Rather than carrying extra licenses on the books, organizations would be better served by right-sizing their portfolio using the data generated by those routine audits. This can help organizations predict periods where they may require more licenses and plan accordingly. In the event of surprise spikes, like the one that took place earlier this year, it helps to have a partner that can work with Microsoft to make on the fly changes.
  • Buying new licenses instead of recycling old ones. Those gently-used Office 365 licenses? They’re just as good as the new ones. Still, the first step for some organizations when they find themselves in need of licenses is to buy more. They do this even though they often have perfectly good licenses going unused in-house. Instead of buying new, organizations should repurpose and reassign the licenses they already have, for example those from employees who were either terminated or who resigned.
  • Overinvesting in top of the line licensing. Everyone wants the best, highest tier of licensing. What they actually need is a different story. Let’s look at Microsoft’s E5 licensing, its top tier. This includes all of the core Office apps, cloud calling, audio conferencing, Power BI Pro and a lot more. It’s the highest tier for a reason. It’s unlikely every user needs access to all of those features. The same basic idea also applies to E3 licensing. Back to the idea of audits, organizations should also be auditing how their licenses are used. If a user has access to dozens of features he or she isn’t using, it’s likely safe to slide him or her down a tier (or more), cutting costs in the process.          

Next Steps: Right-size your Office 365 license footprint (and spend)

Need help reviewing or right-sizing your Office 365 licensing? Arraya Solutions can help. During our completely free licensing assessment, our experts will work with your team to audit your existing portfolio and help you pivot as necessary to better meet your organization’s needs and requirements. Reach out to us today to start a conversation!

Visit https://www.arrayasolutions.com//contact-us/ to connect with our team now.

Comment on this and all of our posts on: LinkedIn, Twitter, and Facebook.

Follow us to stay up to date on our industry insights and unique IT learning opportunities.

September 2, 2020 by Arraya Insights

Arraya’s John Salmons Jr. (Inside Sales Engineer) introduces one of the newest features to come to Microsoft Teams: pop out meetings. He also shows viewers how they can enable it.

August 24, 2020 by Arraya Insights

Rightsizing Your VPN Without Sacrificing Remote Worker Security

Remember back in March, when workplace doors were closed and employees were sent home for a brief shutdown? Some five months later, it’s safe to say the shutdown has been anything but brief. While some organizations have made the move to reopen on a provisional basis, many others have kept their buildings shuttered. There are plenty of reasons why but some simply see no reason to change as their safely scattered teams have functioned and produced much as they did when under the same roof. Users may not have buckled under the strain, but a core technology in their work-from-home support system may be feeling the pinch: VPNs.

Part of the issue is VPNs are handling far heavier traffic volume than was intended. When they were deployed, working from home was a perk enjoyed by some just once or twice a week and not the organization-wide mandate it became. Even lifting those mandates and reopening offices might not make the problem completely go away as one popularly cited statistic from Gartner suggests. According to the research firm, employers are planning to transition roughly 5% of their previously onsite workforce into fully remote roles.

We checked in with network experts in search of insights on what organizations need to consider as they plan for the remainder of 2020 and what comes after.

What to focus on during a VPN audit

Leaders in the field suggest conducting a thorough audit of a VPN, focusing on two areas:

  • Enhancing security: Cyber criminals have no reservations about leveraging the coronavirus pandemic to score a quick payday. Some scams have merely used the pandemic as window dressing, covering tried and true social engineering and phishing campaigns. Others see opportunity in a company being forced to operate in a way it wasn’t built to, e.g., entirely remotely. A properly tuned VPN along with a few supporting technologies can be instrumental to making sure these attacks fizzle. Some capabilities worth pursuing – if they’re not already in place – include granting a network the ability to assess an endpoint’s defense posture (antivirus running, patches implemented, etc.) and to restrict access to the network in the event of noncompliance. Network access should be further guarded using multifactor authentication as the security boost it provides far outweighs the mild inconvenience inflicted upon users. Audits should also confirm time is being made for more mundane, but important, maintenance tasks such as reviewing access control lists, revising policies as needed, etc. Organizations must also ensure they’re prepared for a data breach, should one happen. VPN access logs should be collected so they can be used to follow in the footsteps of an attacker, helping to fully remediate any damage caused.
  • Right-sizing capacity: Earlier we mentioned the idea that organizational VPNs are already stretched thin. We also talked about how, even when that traffic does eventually recede, it may not quite find its way back to pre-pandemic levels. Remote work has been validated in the eyes of many former skeptics. Now it’s a matter of ensuring your organization is able to support an appropriate level of access moving forward. To start, measure. It’s just like the cliché goes: “you can’t improve what you don’t measure.” Continuously monitor the traffic traversing your various VPNs as well as the number of distinct devices seeking connections, all in order to gain a feel for what an average day looks like. This might reveal that additional VPN resources aren’t needed. Instead, they may simply need to be redirected from lesser used sites to those that experience heavier traffic. Note: Be sure to engage with all departments to learn more about their individual strategies for reopening workplaces or possibly relocating users. If more resources are the answer, this data can help allocate new IP addresses, hubs, firewalls, etc. Of course, solving certain network bottlenecks may require a call to the organization’s internet service provider for additional circuits or more flexible usage caps.
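One way to turn collected VPN access logs into the measurements described above, as an added example that is not part of the original post. The log format (ISO timestamp, gateway, device ID, event), the gateway names and the capacity figures are all constructed assumptions; the sample covers a single day.

```python
import csv
import io
from collections import defaultdict
from datetime import datetime

# Constructed log lines (assumed format: timestamp, gateway, device ID, event).
SAMPLE_LOG = """\
2020-08-24T08:00:00,vpn-east,dev-01,connect
2020-08-24T08:05:00,vpn-east,dev-02,connect
2020-08-24T08:30:00,vpn-west,dev-03,connect
2020-08-24T09:00:00,vpn-east,dev-04,connect
2020-08-24T09:15:00,vpn-east,dev-01,disconnect
2020-08-24T12:00:00,vpn-east,dev-02,disconnect
2020-08-24T12:30:00,vpn-east,dev-01,connect
2020-08-24T17:00:00,vpn-east,dev-04,disconnect
2020-08-24T17:05:00,vpn-east,dev-01,disconnect
2020-08-24T17:10:00,vpn-west,dev-03,disconnect
2020-08-24T17:20:00,vpn-west,dev-09,disconnect
"""

# Hypothetical concurrent-session capacity of each gateway.
SAMPLE_CAPACITY = {"vpn-east": 4, "vpn-west": 10}


def summarize(log_text):
    """Per gateway: peak concurrent sessions, when the peak occurred,
    the distinct devices that connected, and unmatched disconnects."""
    rows = [row for row in csv.reader(io.StringIO(log_text)) if row]
    rows.sort(key=lambda row: datetime.fromisoformat(row[0]))
    open_sessions = defaultdict(set)  # gateway -> devices currently connected
    summary = {}
    for ts, gateway, device, event in rows:
        stats = summary.setdefault(gateway, {
            "peak": 0, "peak_at": None,
            "devices": set(), "orphan_disconnects": 0,
        })
        active = open_sessions[gateway]
        if event == "connect":
            stats["devices"].add(device)
            active.add(device)  # a repeated connect is not counted twice
            if len(active) > stats["peak"]:
                stats["peak"], stats["peak_at"] = len(active), ts
        elif event == "disconnect":
            if device in active:
                active.remove(device)
            else:
                # The session began before the log window (for example, after
                # log rotation); count it rather than let concurrency go negative.
                stats["orphan_disconnects"] += 1
    return summary


def utilization(summary, capacity):
    """Peak sessions as a fraction of each gateway's capacity."""
    return {gw: round(stats["peak"] / capacity[gw], 2)
            for gw, stats in summary.items() if gw in capacity}


if __name__ == "__main__":
    result = summarize(SAMPLE_LOG)
    for gateway, stats in sorted(result.items()):
        print(gateway, stats["peak"], stats["peak_at"],
              len(stats["devices"]), stats["orphan_disconnects"])
    print(utilization(result, SAMPLE_CAPACITY))
```

A gateway that peaks near its capacity next to one that sits mostly idle is the case where resources can be redirected rather than purchased.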

Next Steps: Start planning now for the future of your VPN

These are the kinds of conversations organizations must have in order to be sure users are able to continue to access the resources they need and that they can do so securely. The fact that so many businesses have adapted so seamlessly, and so quickly, to a fully remote posture is a testament to their digital maturity. However, more changes are coming and organizations must be ready to continue to evolve as they arrive.  

Need help auditing your VPN and network environment? Want to learn more about the steps you can take to right-size and secure user connectivity? Arraya can help. Our team of network experts can provide the strategic as well as hands-on technical support your organization needs to keep users securely connected while allowing for room to grow.

Visit https://www.arrayasolutions.com//contact-us/ to connect with our team.

August 20, 2020 by Arraya Insights

Heads up: The Webex Meetings experience is about to change this September with the release of Webex version 40.9. Despite being designed to improve the user experience, this update – as updates so often do – is bound to elicit its fair share of grumbles, at least initially. Change, after all, even when it’s for the better, has a way of inspiring calls to the help desk.

With the 40.9 update mere weeks away, our Collaboration team wanted to give you a chance to get out ahead of the consternation and maybe even help users make a smooth (or at least smoother) transition into the new version. Here’s a look at what you and your team can expect from Webex Meetings version 40.9 before it hits laptop screens next month, complete with images pulled from Cisco’s website.

Icons are out. Icons + text are in

In its present form, Webex Meetings uses onscreen icons to help users control their meeting experience. So, if a user wanted to, say, mute (or un-mute), record the meeting, share their screen, send a message, whatever – they would need to click on the appropriate icon (a microphone, a box with an arrow, a red dot inside another circle, a speech bubble). These are all housed in a row near the bottom of the meeting window. While the location of these buttons won’t change much, their appearance will.

The icon-only setup proved less-than-intuitive for some users, so Cisco has chosen to augment that by adding text back into the mix in the form of identifying labels like “Mute,” “Share,” “Record,” “Chat,” etc. As mentioned above, buttons can be found in more or less the same spots. However, unsuspecting users still might be thrown for a loop by the revised look, making a heads-up worthwhile.

Changes are Coming to Webex Meetings: Preparing Users for Version 40.9

Drop-down meeting controls

On the subject of meeting controls, many of these revised buttons will be able to provide additional context and assistance with the release of version 40.9. With this new update, Cisco will add enhanced drop down menus to many of its meeting control buttons. Attendees will be able to use this to easily refine their meeting experience from one centralized spot.

Let’s start by looking at the “Mute” button. In earlier releases, this would simply toggle on and off a user’s microphone. This core functionality obviously carries over into 40.9; however, the new version goes several steps further. Instead of simply turning their microphone on and off, users will have full control over their audio meeting experience from this one spot. They’ll be able to choose their microphone, speakers and even pivot to a completely different audio alignment. The same is true of the “Stop Video” button. In addition to turning on and off a camera, this icon now includes a drop down that lets users change their backgrounds, select new video inputs, and more.

Upfront audio and video controls

“You’re on mute.” “We can’t see you.” Chances are, you’ve probably heard both of those phrases (or a variation of them) more than you’d care to over the last few months. Our increased dependence on remote collaboration has led to an incredible spike in real time A/V troubleshooting and a massive dip in productivity during the early minutes of a meeting.

Webex version 40.9 probably won’t completely eliminate those issues – we’re all human after all. However, it should happily reduce their frequency and help more meetings hit the ground running. Cisco’s update will give audio and video controls a place of prominence on users’ screens before they join a meeting. In previous incarnations of Webex, the “Join Meeting” button occupied a central, eye-grabbing location. This led many users to click it and then figure out the rest later. In 40.9, the “Join Meeting” button has been shuffled below the “Connect to video system,” “Audio connection,” and “Test speaker and microphone” options. This will hopefully provide the subliminal encouragement users need to sort out their connections prior to jumping into a meeting. Additionally, 40.9 has revised the “Mute” option. Gone is the red button with a microphone icon. In its place is an interactive microphone icon that fills with blue to simulate audio levels, indicating that a mic is live and in use.

Reorganized control schemes

Currently, the “Participants” and “Chat” buttons are grouped rather haphazardly in with all of the other Webex meeting control buttons. They’re not exactly hidden; however, they can be difficult to home in on when moving quickly during a high-pressure meeting. Cisco has changed that, giving these controls some real estate of their own in 40.9.

In the latest version of Webex Meetings, the “Participants” and “Chat” buttons have been split out from the crowd and given some room to breathe. The 40.9 update relocates control of these panels off to the lower right hand side of the meeting window, away from the buttons managing audio, video, etc. Located alongside these buttons is an ellipsis icon that houses controls for additional panels, including the “Polls” and “Notes” sidebars.

Adaptable control size

Space is of the essence on users’ laptop screens. This is so often true during meetings, which many have come to view as perfect opportunities for multitasking. We’ll set aside what this says about the relevance of the meetings many of us attend and simply look at the way in which Webex version 40.9 deals with the issue of multitasking in general.

Webex’s revised control buttons are adaptable, adjusting in size to match the meeting window itself. A larger meeting window will allow the buttons to appear in their full glory, including both text and icon. However, should an attendee shrink the size of the meeting window, perhaps to work on something else while keeping an eye and ear on the proceedings, the buttons will adapt accordingly. The text will drop, leaving just the icon visible to attendees. This ensures that the majority of the re-sized window is reserved for what matters most: the faces and screens of the other attendees.

Next Steps: Prepping for 40.9 and the future of Cisco Webex

Webex version 40.9 is due for release in September. Now is the perfect time to start preparing your users for what Cisco has in store for them. If you’d like to learn more about the change coming to Webex, or just about the platform in general, Arraya’s collaboration experts are here to help. Reach out to us today to open up a dialogue!

Visit https://www.arrayasolutions.com//contact-us/ to connect with our team now.

August 19, 2020 by Arraya Insights

How to Address Security Compliance Shortfalls Using the CIS Top 20 (Part 3: Organizational Controls)

Cyber security, and by extension security compliance, isn’t just about having the right tools. Nor is it only the concern of dedicated security teams or IT in general. True security and compliance are organization-wide efforts and they tie together proven tools with sound processes and an engaged, vigilant user base. Without all of these different elements working in concert, an organization can’t claim to be either secure or meaningfully compliant.

The Center for Internet Security (CIS) Top 20 Controls are an excellent starting point for any organization looking to strengthen its security posture or move toward compliance with regulations such as GDPR or the California Consumer Privacy Act. So far this summer, with the help of the Arraya Cyber Team (ACT), we’ve covered the first 16 controls on CIS’s list. In our first post in this series, we looked at the Basic Controls (1-6). After that, we moved into the Foundational Controls (7-16). That brings us to the subject of this, our final post in our CIS series, the Organizational Controls (17-20).

The Organizational Controls differ from the earlier levels in that they are less technically oriented. Instead, controls 17-20 are meant to complete that ideal, holistic approach we described earlier. The following controls emphasize people and process as well as the role that entire organizations must play in security and compliance.

CIS Control #17: Implement a Security Awareness and Training Program 

What it means: Plenty of organizations boast that their people are their greatest asset. They are, of course, also their greatest liability from a cyber security perspective. Think of a financial analyst who falls victim to a phishing scheme or the member of the app dev team who fails to properly identify or address a security vulnerability early on in the development process. Cyber criminals are aware of the fallibility of their fellow humans and are keen to try to exploit it. They’ve refined their tactics to ruthlessly target these weak points, forcing businesses to adjust accordingly.    

Where to start: Security starts with awareness. Generating awareness requires implementing an ongoing educational program that instructs users about, and tests their ability to act in accordance with, proven security best practices. As part of their training, users should be made aware of how to:

  • identify warning signs that an email or message may not be from a legitimate source
  • properly store, transfer, and delete sensitive data
  • avoid accidental security exposures (e.g., something as basic as relying on autocomplete when entering a recipient’s email address)
  • recognize warning signs of an unfolding cyber security incident and know where to turn for help
  • craft secure passwords and understand the importance of backing them up with techniques such as multifactor authentication

CIS Control #18: Application Software Security   

What it means: Applications are an essential part of most modern workdays. Those tools, much like the people who use them, also have become a favorite target of cyber criminals. Attackers home in on app construction vulnerabilities such as coding errors, logical inconsistencies, etc. Information on these vulnerabilities and how to exploit them has become common knowledge in certain circles, making this attack vector easier and thus more frequently attempted. While criminals may have ready access to this knowledge, defenders may often be left in the dark as apps often fall outside of the purview of scanning utilities. One final note on this issue: risk exists for apps designed and built in-house as well as those purchased from an outside supplier. The risk is lessened for apps purchased from large industry leaders due to rigorous testing and routine updates, but not fully eliminated.

Where to start: As was outlined in the previous section regarding CIS Control #17, humans are not perfect. That inherent imperfection will inevitably come through, even in the work of the best app dev teams. How can organizations respond? For software solutions designed and built in-house or purchased from a third party, an organization must be committed to making security part of the long-term lifecycle of that technology. Plans must be made to thoroughly test these solutions when possible as well as to swiftly execute any necessary updates or patches.

CIS Control #19: Incident Response and Management    

What it means: Cyber attacks happen. Unfortunately, they’re an ongoing reality that all organizations must face. While resources should always be devoted to prevention, organizations can’t overlook the other piece of the equation: how to respond when an incident occurs. The chaotic moments after an attack is discovered are the worst time to try to outline a strategic response. Furthermore, a lack of a tuned and ready response strategy can afford attackers extra time and space in which to work, amplifying the severity of the attack or the volume of impacted data. It can also complicate remediation as well as clean-up efforts after the fact.

Where to start: Organizations will want to make sure they have an incident response game plan close at hand. This should include designating key roles like, for example, who will be tasked with overseeing and coordinating the totality of response efforts as well as departmental offshoots responsible for managing their individual focus areas. Backups should be designated for all roles in order to keep a response effort from being derailed by an unfortunately timed vacation or sick day. Also, the various phases and steps that will be taken should be outlined and organized, starting with the discovery of an incident and carrying on through the elimination of the threat. It’s also important to preemptively gather and make accessible any necessary third party contact information – law enforcement, vendors, PR firms, cyber insurance carrier, etc. Lastly, end users should understand what to do and who to turn to if they believe they’ve spotted a possible red flag.

CIS Control #20: Penetration Tests and Red Team Exercises     

What it means: A defensive scheme might look good on the page, but on paper and in practice are two totally different worlds. Organizations need to be confident that a response effort will be up to the task when, not if, an attack happens. Additionally, they must do their best to get out in front of attackers, catching and addressing weak points before the bad guys have a chance to do so. These information-finding endeavors should look for more than technological exposure, hunting for preparedness gaps among the people and processes in an environment as well.     

Where to start: Penetration tests are a great way to weed out gaps in a cyber security posture. They function as a controlled attack, asking usually third party testers to assume the role of cyber criminals. Using real world tactics and motivations, testers will put an environment through the wringer in the hopes of exposing risks. A full pen test of an entire environment might be too big of an ask for an organization with limited resources or exposure. Instead, an organization may choose to put its people to the test by working with an outside firm to conduct a faux phishing campaign or tabletop exercise. The idea remains to look for ways to see an environment from the other side and make any corrections this picture reveals.

Next Steps: Better security through the CIS Top 20 – and beyond

This concludes our trek through the CIS Top 20 Controls. Even over the course of three posts, we’ve still only managed to scratch the surface of what’s covered by these controls and how organizations can use them to build and evolve their program. If you’d like to cover the CIS Top 20, or another framework, in greater detail, Arraya’s Cyber Team can help. Our experts can guide you through the nuances of compliance frameworks such as the CIS Top 20 and help you accurately interpret them to your unique use case.

Visit https://www.arrayasolutions.com//contact-us/ to connect with our team.

Comment on this and all of our posts on: LinkedIn, Twitter, and Facebook.

Follow us to stay up to date on our industry insights and unique IT learning opportunities. 

August 18, 2020 by Arraya Insights

Meraki has added a new per-device licensing model in addition to the co-termination licensing model that we have been accustomed to and have associated Meraki with. The first important point to know is that all existing dashboards will remain the same, and the end user does not need to do anything to remain on the co-termination model. Dashboards will operate as they did; the only change is that there is now the option to convert to the new per-device model. The conversion to per-device licensing is permanent and should be chosen for the specific reasons that suit the organization. Remember: Always reach out for support when needed to discuss which licensing model makes sense for the organization. Each organization must either have the per-device or the co-termination model applied, as both cannot exist within a single organization. The image below is an example of what a per-device licensing model would look like when applied to Meraki devices.

Meraki Per-Device Licensing Model

Using Meraki in a per-device licensing model allows for greater flexibility in how licenses are assigned and moved around. Moving licenses between organizations is now possible, as is renewing a subset of the devices. There are license true-ups available to extend expiration dates for devices to achieve more shared expiration dates across the organization. License true-ups should be seen as a way to make the per-device licensing model more flexible and organized, not as a way to turn the organization into a co-termination-based licensing model. With these new changes comes the flexibility for incorporating new subscription options, including the new MX Security Appliance license tiers, MS Switch license options, and Upgraded MR Wireless licenses to include Umbrella. Look for updates on these new licensing options in future posts on this blog!

August 14, 2020 by Arraya Insights

Azure Virtual WAN Microsoft cloud

Microsoft’s Azure Virtual WAN made headlines recently with the announcement of several new features and capabilities on the platform. Several of these features are already generally available while others have only just begun their global rollout. All, however, are worth exploring more in depth, particularly as organizations everywhere continue to rethink the ways in which they manage and support end user connections.

Running Third-Party SD-WAN in Azure

First, let’s look at a feature that’s still relatively new to Azure Virtual WAN. In late July, Microsoft debuted the ability to run third party SD-WAN virtual appliances directly within Azure Virtual WAN for select regions. Rollout is ongoing, however this feature seems to have a lot of potential for organizations looking to reduce networking expenses while also improving performance.

On its own, SD-WAN monitors traffic patterns occurring on organizational networks. If necessary, it can intelligently, automatically re-route traffic off busier paths and onto those less traveled. Back when remote work was mostly associated with those in far-flung branch offices, SD-WAN could make those physical distances less of an obstacle. Bandwidth-hungry workloads, for example video chats or even demanding SaaS apps, could travel between headquarters and satellite offices (and back) without quality concerns. It can do the same now that far-flung satellite offices have been mostly replaced with home offices.

By bringing third party SD-WAN to Azure, Microsoft is allowing organizations to continue to leverage the tools they want, backed by the power of the Microsoft cloud. In this new architecture, Azure regions function as hubs. Users are connected to those hubs via spokes that can take on a number of forms, including SD-WAN architecture from leaders like Cisco Meraki, Check Point, Citrix and VMware VeloCloud. While not yet compatible, Cisco’s Viptela solution is on Microsoft’s road map, with plans to unite the two in the near future. All of these connections can be set up manually through Azure Virtual WAN or, in some cases, automatically using the Virtual WAN CPE partner tool.

What else is new on Azure Virtual WAN?

Integration with third party SD-WAN providers isn’t the only new capability coming to Azure Virtual WAN – or, in many cases, already there. Let’s take these other newly added features (and their impact) one at a time:

  • Hub-to-hub connectivity: Those hubs we talked about earlier? Microsoft has taken steps to bring them closer together (figuratively speaking) within the Azure global network. The company recently forged direct links between these various geographic regions, allowing traffic to flow between branches connected to two different Azure regional hubs. Essentially, this architecture lets users or virtual networks (VNets) at two geographically-dispersed branch offices each connect to the Azure hub nearest to them before then connecting to each other. Doing so keeps latency levels down for co-workers or networks connecting from multiple locations within an organization.  
  • Custom Routing: Arriving earlier this month, Custom Routing is one of the newest capabilities to come online in Azure Virtual WAN. With this feature, Microsoft has given network and cloud admins greater control over their organization’s traffic patterns. Admins can establish unique route tables to set their own, optimized parameters for the way in which packets should traverse the network. Other recent customizations include the ability to group route tables together into logical categories, simplifying management of network virtual appliances and shared services routing scenarios. 
  • Virtual Network Transit: Azure Virtual WAN now permits traffic to move freely between VNets supporting throughput of up to 50 Gbps (Note: This assumes a total of 2000 VM workloads throughout a virtual WAN environment). The architecture behind this connection looks like this: Individual VNets feed back into a virtual hub. Every virtual hub is spun up around a router which enables transit connectivity between VNets. It’s worth mentioning that routing status for these hubs can be monitored from the Azure portal. Within this portal, admins will find routers attributed with one of four routing statuses: Provisioned, Provisioning, Failed or None. A “None” status could indicate a hub that was spun up prior to this feature going live, thus no router was provisioned. Meanwhile, “Failed” indicates something went wrong during provisioning. A fix can be attempted using the “Reset Router” option in the Azure portal.
  • VPN and ExpressRoute Transit: Another new connectivity path available in Azure Virtual WAN exists between a standard VPN and Azure’s ExpressRoute. This results in a seamless link between users on a VPN and users on ExpressRoute. In order for this connection to take place, the branch-to-branch flag must be enabled within the Azure portal. Just as with Virtual Network Transit, VPN and ExpressRoute Transit is governed by the virtual hub router. Also as with Virtual Network Transit, VPN and ExpressRoute Transit offers a flexibility that can prove necessary given the widespread, rapid decentralization of workspaces that has occurred this year.
  • Full Support for BGP: Azure Virtual WAN’s incoming VPN compatibility offers full support for Border Gateway Protocol (BGP)/APIPA (Automatic Private IP Addressing). When a new VPN is spun up, admins can simply provide the BGP parameters to the site. This lets it know that any connections lined up for that site in Azure will be imbued with BGP compatibility. 

Next Steps: Adding intelligent flexibility to your network

As some organizations move toward reopening their physical locations, SD-WAN seems poised to once again play a key role in keeping teams connected, efficiently and securely, despite geographic separation. Advances like those covered above should make Azure Virtual WAN part of any network refresh or modernization conversation. If you’d like to learn more about Azure Virtual WAN, or would like to start talking about what the future may hold for your network, our team is ready to help. We can work with you to analyze your existing environment and, if it’s called for, architect improvement plans guided by your business needs and goals. 

Visit https://www.arrayasolutions.com//contact-us/ to connect with our team now.


August 5, 2020 by Arraya Insights

Planning to Roll Out a SIEM? Do These 3 Things First

So, you’ve decided to invest in a SIEM. Maybe you’ve even chosen the one that seems to be the best fit for your organization’s needs. Soon, your security team will be awash in data, with real time insights coming in to one central hub from across your environment. Hackers and any other malicious actors will be hard-pressed to avoid security’s new, ever-watchful eye. Before that dream can come to pass, however, there’s still much to be done.

A lot goes into implementing a SIEM. Even more has to happen prior to implementation in order to position a SIEM for success and to ensure that the initial investment pays off. It’s these steps that too often are passed over and left until much later in the process, risking potentially costly delays when the finish line should otherwise be in sight.

Arraya’s Cyber Team (ACT) has managed and executed countless SIEM deployments, for all types of organizations. The following are three documents they’ve come to count on as essential to planning and delivering (relatively) stress-free SIEM rollouts. Creating and completing these documents, either on your own or with the support of ACT, can help bring similar results to your SIEM project.     

Document #1: People Inventory

SIEMs generate a ton of data. They do that by interfacing with all parts of a technology environment. The more that’s connected to the SIEM, the more complete the picture it generates will be. Making those connections will require a total team effort. So, for example, if you want your SIEM to talk to your network, you’re likely going to need your organization’s network resource to help unite the two. Want your firewalls to feed into the SIEM? You’re going to need a hand or insights from the person tasked with managing them. The same goes for most areas you hope to connect. In some cases, these resources may be the same person. No matter who the point of contact is, your team – or whoever is preparing to spearhead the SIEM rollout – needs to know where to turn for support.

A People Inventory document can ensure that info is readily available. A simple Excel workbook can be used to create this tool. Down one column, list all of the disciplines you want connected to the SIEM. Moving across the row for each of these areas, note the name of the best person to contact with questions or to whom tasks should be delegated as well as contact details (such as his or her phone number and email address).     

If responsibility for overseeing a SIEM implementation changes hands, a People Inventory offers a very high-level look at scope beyond providing a directory of all the project’s key players.

Document #2: Project Scope

Once you know who will be involved on a project, it’s time to figure out what will be involved, technology-wise. At this stage, you’ll want to begin gaining a greater understanding of what is on your organization’s network and what exactly that network even looks like. This process should be repeated for every network within a given location and across all applicable locations (if your organization is made up of multiple branch or satellite offices that will feed into the SIEM). You’ll also want to explain the purpose of each network, e.g., this one supports our WiFi connectivity, this one connects our IoT devices, etc.

Again, an Excel workbook can be created to track all of this information. You can document the types of devices your organization is currently using, such as web/mail servers, database servers and core/large firewalls. You can also mark down how many of each of these devices inhabit a network as well as offer an estimate on the solution’s usage levels. Note: It’s important to include SaaS platforms such as Office 365 in this document as well as other security solutions a SIEM will monitor. These solutions are all part of your organization’s technology footprint and should be recorded as such.

With the Project Scope document, the core idea is to start with a bird’s eye view of your network and to begin recording what you see.

Document #3: Detailed Technology Inventory

The last tool we’ll cover in this post is the more granular Detailed Technology Inventory document. This is meant to flesh out the initial fly-by of the Project Scope document. It’s where you’ll want to include things like product version numbers, basic IP addresses, host names, etc. The goal is to get into as much detail and be as exact as possible. At a higher level, it’s OK to be marginally off and go with rough estimates. In this document, you’ll really want to accurately map out your company’s technology landscape.      

In the Detailed Technology Inventory, you’ll want to break down assets by type. So, for example, you’ll want to list out all of your Linux servers. Then, you’ll want to note things like the host name, the operating system, that server’s role in the network, etc. for each of those servers. This should be repeated throughout the environment to provide a photographic account of the technologies your organization utilizes.   

This process can be invaluable later on as you work to bring a SIEM online. The resulting document can be used to determine things like how many firewall rules need to be made or if you have the correct amount of licensing. In turn, that information can act as milestones during rollout, allowing those working on the project to see just how far they’ve come and how much they have left to do.  

It’s worth pointing out that the technology inventory can be completed in pieces, over the course of multiple passes. Trying to tackle it all at once, right before an implementation is set to begin, is a recipe for delays or errors. Furthermore, those that have an asset management system in place can use it to gather much of the data required for this document. In lieu of an asset management system, internal vulnerability scan data can also be used to similar effect. Regardless of how it’s initially created, the inventory should also be a living file, one that is updated over time.
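One way to put the three documents to work together, as an added example that is not Arraya's tooling: the script below loads constructed CSV exports of the People Inventory, Project Scope and Detailed Technology Inventory and reports scoped disciplines with no named contact, device types whose detailed count differs from the scoped count, and detail rows with missing fields. All column names and sample rows are assumptions made for illustration.

```python
import csv
import io
from collections import Counter

# Constructed sample exports of the three workbooks; column names are assumptions.
PEOPLE_CSV = """discipline,contact,email
Network,Pat Rivera,pat.rivera@example.com
Firewalls,Pat Rivera,pat.rivera@example.com
Linux servers,,
Office 365,Sam Okafor,sam.okafor@example.com
"""

SCOPE_CSV = """location,network,purpose,device_type,discipline,count
HQ,corp-lan,User workstations and servers,Linux server,Linux servers,3
HQ,corp-lan,User workstations and servers,Core firewall,Firewalls,2
HQ,guest-wifi,Guest WiFi,Wireless controller,Network,1
Cloud,saas,Email and collaboration,Office 365 tenant,Office 365,1
"""

DETAIL_CSV = """device_type,host_name,ip_address,os_or_version,role
Linux server,web01,10.0.10.11,Ubuntu 18.04,Web server
Linux server,db01,10.0.10.21,RHEL 7.8,Database server
Core firewall,fw-hq-1,10.0.0.1,9.1.3,Perimeter firewall
Core firewall,fw-hq-2,10.0.0.2,,Perimeter firewall
Office 365 tenant,example.onmicrosoft.com,,n/a,SaaS log source
"""

# Fields every detailed row must carry (IP is optional, SaaS sources have none).
REQUIRED_DETAIL_FIELDS = ("host_name", "os_or_version", "role")


def load(text):
    """Parse one CSV export into a list of dict rows."""
    return list(csv.DictReader(io.StringIO(text)))


def reconcile(people_csv, scope_csv, detail_csv):
    """Cross-check the three inventories and return the gaps between them."""
    people, scope, detail = load(people_csv), load(scope_csv), load(detail_csv)

    # Every discipline that appears in scope needs a named point of contact.
    staffed = {r["discipline"] for r in people if r["contact"].strip()}
    missing_contacts = sorted({r["discipline"] for r in scope} - staffed)

    # Scope holds rough counts per device type; the detailed inventory
    # should eventually list exactly that many assets.
    scoped = Counter()
    for r in scope:
        scoped[r["device_type"]] += int(r["count"])
    detailed = Counter(r["device_type"] for r in detail)
    count_gaps = {
        dt: {"scoped": scoped[dt], "detailed": detailed[dt]}
        for dt in sorted(set(scoped) | set(detailed))
        if scoped[dt] != detailed[dt]
    }

    # Detail rows that still lack a required field.
    incomplete = [
        r["host_name"] or "(unnamed)"
        for r in detail
        if any(not r[f].strip() for f in REQUIRED_DETAIL_FIELDS)
    ]

    return {
        "missing_contacts": missing_contacts,
        "count_gaps": count_gaps,
        "incomplete_rows": incomplete,
        "documented": sum(detailed.values()),
        "scoped_total": sum(scoped.values()),
    }


if __name__ == "__main__":
    report = reconcile(PEOPLE_CSV, SCOPE_CSV, DETAIL_CSV)
    print("Disciplines without a contact:", report["missing_contacts"])
    for device_type, gap in report["count_gaps"].items():
        print(f"{device_type}: scoped {gap['scoped']}, documented {gap['detailed']}")
    print("Rows missing required fields:", report["incomplete_rows"])
    print(f"Milestone: {report['documented']}/{report['scoped_total']} assets documented")
```

Rerunning the check after each inventory pass gives the milestone view described above: the documented-versus-scoped count shows how much of the environment is ready to be onboarded.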

Next Steps: What else you need to know before powering on your SIEM

Interested in learning more about how to get your SIEM implementation off on the right foot? Or, do you want to begin the process of modernizing your organization’s cyber security posture? The Arraya Cyber Team can help. Our experts can provide the strategic insights and hands-on expertise needed to help you assess where you stand, where you want to be and to map out a way to close the gap between the two positions. 

Visit https://www.arrayasolutions.com//contact-us/ to connect with our team now.


July 30, 2020 by Arraya Insights

How to Address Security Compliance Shortfalls Using the CIS Top 20 (Part 2: Foundational Controls)

Security and compliance may not be one and the same, however, the Center for Internet Security (CIS) Top 20 Controls can substantially help organizations achieve both. Strict adherence to CIS’s nearly two dozen cyber security best practices can help organizations ready their defenses for the worst today’s cyber criminals can muster. Additionally, the controls can act as guardrails, keeping followers on the straight and narrow toward staying compliant with hot-button statutes such as GDPR and the California Consumer Privacy Act.

In a blog post from earlier this summer, we detailed the points covered under the first six, or basic level, CIS controls. With the help of experts from the Arraya Cyber Team (ACT), we also outlined some ways in which organizations could begin putting the basic CIS controls to work for them. There’s plenty more to cover and learn from regarding CIS’s guidelines. Let’s move on to controls 7-16, or as they’re also known: the Foundational CIS Controls.  

CIS Control #7: Email and Web Browser Protections

What it means: Cyber crooks love email and web browsers. Their targets use these tools throughout the day so opportunity isn’t an issue. All they have to do is trick a user into engaging with a malicious webpage or email, and they’ve gotten exceptionally good at both. A single stray click from an unsuspecting user can open a ton of doors to attackers.

Where to start: Users can’t engage with what they can’t access and Domain Name System (DNS) filtering tools can essentially wall off known malicious sites. Furthermore, be sure teams are only using the latest and most up to date version of organization-approved email clients and browsers. Doing so makes life easier on IT teams by minimizing the variables they need to support while making life harder on hackers by taking away easily-exploitable known vulnerabilities. This forces them to contend with cutting edge security features.

CIS Control #8: Malware Defenses

What it means: Modern malware can take many forms, making it particularly challenging to defend against. Sometimes it’s designed to lock down systems for ransom, while other times its motivations are more destructive. Some strains prefer stealth, while others seek to facilitate their goals by launching a direct assault on defensive tools. Potential entry points are just as diverse, ranging from email, malicious websites, compromised devices and more. 

Where to start: Knowledge and experience are both important tools in the fight against malware. Organizations must prioritize keeping their anti-malware solutions updated. This ensures these solutions are prepared to sniff out the latest threats by continuously drawing on up-to-date vendor insights regarding threat signatures, behavior, etc. An often overlooked baseline step? Flash drives, external hard drives and other forms of removable media should be subject to an anti-malware scan as soon as they’re connected to a network device. They should also be blocked from auto-running any type of content. These steps can cut off another favorite attack vector.  

CIS Control #9: Limitation and Control of Network Ports, Protocols, and Services  

What it means: Junkware isn’t just a nuisance, it can be a legitimate cyber security hazard. New software solutions often come prepacked with a variety of secondary functions and tools, frequently of dubious value. What’s worse is that these freeloaders may be set to activate themselves while leaving both user and admin alike in the dark. Unfortunately, cyber criminals are all-too-aware of these and other, similar backdoors (poorly configured web servers, faulty email servers, etc.) and are more than happy to exploit them.   

Where to start: Firewalls and port-filtering tools can help reduce unwanted traffic moving across the corporate network. These tools can be set to automatically reject any traffic not signed off on by administrators. This can help seal up backdoors, whether they stem from misconfigurations or were opened up in the wake of some other, more important, solution. Port-scanning tools can also be used to catalog expected traffic and identify any unwelcome surprises.
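The host-side version of that catalog check, as an added example that is not from the original post: the script parses constructed `ss -tuln` output from one server and compares the listening sockets against an administrator-approved baseline. The sample output and the approved list are assumptions made for illustration.

```python
# Constructed sample of `ss -tuln` output from one host (not real data).
SS_OUTPUT = """\
Netid State  Recv-Q Send-Q Local Address:Port  Peer Address:Port
tcp   LISTEN 0      128          0.0.0.0:22         0.0.0.0:*
tcp   LISTEN 0      511          0.0.0.0:443        0.0.0.0:*
tcp   LISTEN 0      80         127.0.0.1:3306       0.0.0.0:*
tcp   LISTEN 0      5            0.0.0.0:23         0.0.0.0:*
udp   UNCONN 0      0            0.0.0.0:161        0.0.0.0:*
tcp   LISTEN 0      128             [::]:22            [::]:*
"""

# Services administrators have signed off on for this host role (assumed baseline).
APPROVED = {("tcp", 22), ("tcp", 443), ("tcp", 3306), ("udp", 123)}


def parse_listeners(ss_text):
    """Return (protocol, bind_address, port) for each listening socket."""
    listeners = []
    for line in ss_text.splitlines()[1:]:  # skip the header row
        fields = line.split()
        if len(fields) < 5:
            continue
        proto, local = fields[0], fields[4]
        # rpartition keeps bracketed IPv6 addresses such as [::] intact.
        addr, _, port = local.rpartition(":")
        if port.isdigit():
            listeners.append((proto, addr, int(port)))
    return listeners


def compare_to_baseline(listeners, approved):
    """Split observations into unexpected listeners and approved-but-absent services."""
    observed = {(proto, port) for proto, _, port in listeners}
    unexpected = sorted(l for l in listeners if (l[0], l[2]) not in approved)
    missing = sorted(approved - observed)
    return unexpected, missing


if __name__ == "__main__":
    unexpected, missing = compare_to_baseline(parse_listeners(SS_OUTPUT), APPROVED)
    for proto, addr, port in unexpected:
        print(f"UNEXPECTED {proto}/{port} bound to {addr}: close it or get it approved")
    for proto, port in missing:
        print(f"MISSING    {proto}/{port} is approved but nothing is listening")
```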

CIS Control #10: Data Recovery Capabilities   

What it means: A cyber security incident can leave data inaccessible or potentially compromised in some way. Organizations need to be able to return to their pre-incident state quickly and efficiently. Furthermore, they must be confident that things are exactly as they were previously and that the threat has been effectively contained and vanquished.     

Where to start: Full, system-wide backups need to be scheduled to take place on a regular basis. These should include all parts of an organization’s mission critical data and environment. Backups should be executed automatically, relieving time-strapped admins from having to find time in their already-packed workdays. These backups should also be directed to diverse homes, e.g., both online and off, to ensure continued accessibility across a range of possible worst case scenarios. Lastly, wherever they live, backups should be encrypted at rest and in motion to add an extra layer of security.     

CIS Control #11: Secure Configuration for Network Devices, Such as Firewalls, Routers, and Switches

What it means: Firewalls, routers and switches are all foundational parts of the organizational network. The out-of-box configuration for these solutions isn’t typically meant to emphasize security. Instead, the focus is usually on making them as admin-friendly as possible. This leads to things like weak default passwords, open ports, and support for outdated technologies – all factors that can make network technology vulnerable to attack.

Where to start: Working alongside a subject matter expert can make sure that devices are configured in a way that emphasizes security as well as usability right out of box. As optimal configurations evolve over time, admins – or a managed services partner – must be ready to regularly review and reset if necessary. This includes deploying the latest patches and security updates.   

CIS Control #12: Boundary Defense

What it means: Cyber attacks often start at the network edge, targeting internet-connected laptops and workstations. Once they’ve managed to establish that initial network foothold, attackers may then begin burrowing deeper, in pursuit of high-value targets. Attackers may also pivot, turning their attention instead to a compromised organization’s business partners. Say, for example, an impacted organization is a key vendor for a much larger corporation. In this instance, cyber crooks may begin looking for ways to leverage the breached vendor against the more desirable target.

Where to start: It sounds simple enough, however, organizations need to understand just where their network borders lie. It’s impossible to defend what isn’t defined. An inventory should be created and kept updated in order to bring an organization’s boundaries into sharp relief. Additionally, organizations will need a way to closely monitor and restrict the flow of traffic across their borders. This can be done by blocking any and all unauthorized TCP or UDP traffic to ensure the only data coming and going from a network is meant to be doing so.

CIS Control #13: Data Protection  

What it means: To put it mildly, data is everywhere in some organizations. In worst case scenarios, sensitive data may be stored right alongside publicly available information. Anyone, from any level of the organization, may be able to access that critically important data, even if it’s something that should fall well beyond their paygrade. Loose, or even non-existent, data protection policies can not only allow cyber criminals to gain access to sensitive data, but empower them to take that data with them when they decide to pull up stakes.

Where to start: As is so often the case, it helps for an organization to know what sensitive data it is storing, where it lives, and even who has access to it. Cataloging these items will make it far easier for an organization to begin properly defending its mission critical information. Any sensitive data not regularly accessed via the network should be moved off it, into a more secure residence. Doing so won’t interrupt anyone’s regular work functions and it can help prevent the wrong people from stumbling upon that data. Finally, encryption should be part of every organization’s approach to data storage, including on mobile devices.

CIS Control #14: Controlled Access Based on the Need to Know

What it means: It sounds simple enough but access to critical data or systems shouldn’t be issued in blanket fashion. Instead, it should be doled out on a case-by-case basis, specifically to those whose job functions depend upon that level of access. The same basic idea is true for the entry points and devices used to gain access to a key resource.    

Where to start: Admins need to audit data and resource access across their organizations. Care should be taken to remove access privileges to a data set or a technology from those for whom it is not an essential part of their job. Access control lists can be used to define who and what devices are able to reach file shares, specific applications, or any other part of the network that doesn’t benefit from having a universal audience.

CIS Control #15: Wireless Access Control

What it means: Wireless access has become almost indispensable to the average workday. At the same time, it can also be a significant cyber security liability. By their very nature, wireless routers can be exploited by cyber criminals to gain access to a company’s data without ever setting foot in a building. Additionally, business travelers leveraging, say, a company laptop connected to airport Wi-Fi, can bring home a souvenir in the form of a nasty malware infection. Once reconnected to the corporate network, that malware can wreak havoc.

Where to start: Not all wireless-connectable devices are equal, nor should they be treated as such. Instead, a separate, untrusted wireless network should be created for devices that fall outside of an organization’s strict security controls, e.g., personal smart phones or tablets. Company-issued and managed devices like laptops should be allowed to inhabit their own wireless network. Tight controls should be developed and enforced restricting what can be accessed via that untrusted network. Additionally, encryption standards should always be applied to data on the corporate network, whether it’s on the go or at rest.

CIS Control #16: Account Monitoring and Control

What it means: Contractors and employees may come and go but their user accounts? Sometimes those tend to linger. Dormant user accounts are very appealing for hackers as they can add an air of false credibility to their nefarious movements while providing a nice entry point to a system. This attack style isn’t only exploitable by outsiders looking in. Those who were once inside – like say a recently terminated employee or a contractor whose contract just ended – may also seek to re-access their still-active old accounts for their own gain.

Where to start: Admins should take an inventory of the user accounts currently inhabiting their network. Any that can’t be tied to a specific, active user or a clear business purpose should be disabled to prevent any malicious takeovers. From there, accounts should be set to automatically deactivate after a predetermined period of inactivity. Workstations should also be set to lock themselves if they sit unused for a given length of time. All of these steps can reduce opportunities for attackers.
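The account inventory described above, as an added example that is not from the original post: the script reads a constructed account export and flags enabled accounts that have no active owner or business purpose, or that have been idle longer than a chosen threshold. The column names, the 90-day threshold and the sample rows are assumptions made for illustration.

```python
import csv
import io
from datetime import date

# Constructed directory export; column names and rows are assumptions.
ACCOUNTS_CSV = """username,owner_status,business_purpose,enabled,last_logon
jdoe,active,,true,2020-07-28
contractor7,terminated,,true,2020-03-02
svc_backup,,Nightly backup job,true,2020-07-29
tmp_test,,,true,
asmith,active,,true,2020-04-15
oldadmin,terminated,,false,2019-11-01
"""

MAX_IDLE_DAYS = 90  # assumed policy: deactivate after 90 days without a logon


def audit_accounts(accounts_csv, today, max_idle_days=MAX_IDLE_DAYS):
    """Return (username, reason) for every enabled account that should be disabled."""
    findings = []
    for row in csv.DictReader(io.StringIO(accounts_csv)):
        if row["enabled"].strip().lower() != "true":
            continue  # already disabled, nothing to take over

        has_owner = row["owner_status"].strip().lower() == "active"
        has_purpose = bool(row["business_purpose"].strip())
        if not has_owner and not has_purpose:
            # Cannot be tied to an active user or a clear business purpose.
            findings.append((row["username"], "orphaned"))
            continue

        last_logon = row["last_logon"].strip()
        if not last_logon:
            # Never used: treat the same as exceeding the idle threshold.
            findings.append((row["username"], "inactive (never logged on)"))
            continue

        idle_days = (today - date.fromisoformat(last_logon)).days
        if idle_days > max_idle_days:
            findings.append((row["username"], f"inactive ({idle_days} days)"))
    return findings


if __name__ == "__main__":
    # A fixed review date keeps the constructed sample reproducible.
    for username, reason in audit_accounts(ACCOUNTS_CSV, date(2020, 7, 30)):
        print(f"disable {username}: {reason}")
```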

Next Steps: Security through compliance – Leveraging the CIS Top 20 Controls

We’ve now covered 16 of the CIS Top 20 Controls. Our next post will look at the final four, or as CIS refers to them, the organizational level controls. Want a more in-depth discussion of the CIS Top 20 Controls and how they can help your organization refine its security posture? Need an assist with diving into another framework you can use to help your organization begin or further its compliance journey? Arraya’s Cyber Team can help. Our experts can not only walk you through these various compliance frameworks, but they can help you accurately interpret them to your unique use case.

Visit https://www.arrayasolutions.com//contact-us/ to connect with our team.

