Arraya Insights

by

One of the big announcements from Day 1 of Microsoft Ignite 2017 lost a little steam due to an accidental leak a couple of weeks ago. Some Office 365 admins were greeted with a message  announcing that, in a year, Skype for Business (SfB) Online would be absorbed into Microsoft Teams. The suddenness of the announcement had many admins scrambling and concerned, with little info coming from Microsoft. Well, yesterday Microsoft finally opened up about the future of Skype for Business Server, Skype for Business Online and Microsoft Teams.

First, and probably most importantly, at no time was a date given for the demise of any version of Skype for Business. In fact, quite the opposite was shared with attendees. Both products will continue to exist and features will continue to be added for the foreseeable future. A new version of Skype for Business Server was even announced for the second half of 2018. Microsoft made it clear that if you have an investment in an on-prem solution, you should not be concerned.

No features of Skype for Business Online are being removed or forced over to Microsoft Teams. It will continue to live on as long as is needed. In the meantime, more “Skype-Like” features are being added to Teams.

Microsoft Teams was announced as the “hero” application for Office 365 communications. The vision for Teams is that it is the core communications center for all Office 365 users, regardless of the communication medium in use. While this announcement is clearly important as a shift in how Office 365 will be used in the future, the more important announcement was around the backend architecture of the Teams Voice, Chat, Video and Meetings. A brand-new architecture is in place that is based on native Skype, leaving the legacy Lync architecture that runs SfB. This will improve meeting quality as the platform is already a proven communications channel.

The downside of this new architecture, though, is that it does not have all the call routing and management capabilities of SfB. Microsoft demonstrated voice and video calls initiated from Teams (not using Skype for Business), and the ability to add PSTN users into conference calls. The calls have basic features like hold and transfer, but no advanced PBX features.

Within an organization, you can selectively move people from SfB to Teams and they will still be able to communicate with one another as they always have. The SfB users may have some limitations when communicating to Teams, but that shouldn’t be a surprise. Migrating users is a simple process, done from inside a new Office 365 Admin console that is being rolled out to tenants now.

If you have an investment in SfB hardware, such as phones and room systems, don’t worry. These systems will remain compatible with the Teams environment. In addition, new systems will be coming that will have more Teams-specific features.

So, this is all great, right? But is it the correct path for your company? Great question and one that doesn’t have just one answer. First, you need to look at the features you use and require for voice and video and see if those features are part of Teams. If they aren’t, it is obviously too soon for you to switch. If you’re doing basic telephony and meetings and don’t have regulatory requirements (more on that shortly), then Teams might be a good switch for you.

If you have regulatory or corporate policy needs, now may not be the time for you. During the presentation, it was kind of snuck in that diverse data centers is coming to Teams next year, which means it isn’t here now. That may be a deciding factor for some when it comes to moving core communications to the platform. In addition, there still does not seem to be an answer to chat archiving in Teams. Nothing was mentioned during the presentations on this topic, and after discussing it with a few Microsoft engineers afterward, there were no solutions offered. If you require your IM chats to be archived today, then you will want to hold off on Teams.

To summarize how I took the information, it was not an announcement of the death of Skype for Business, but an announcement of new features in Teams, and Microsoft continues to push the adoption of what is becoming their flagship tool in Office 365. Eventually the two products will become one, but there is no date circled on the calendar. As one Microsoft engineer described it to me, think of it as two paths that today are miles apart from one another, but are slowly converging. Someday they will become one, but that day is not anytime soon.

If you are interested in learning more about Teams and how it might benefit your environment, contact Arraya for a conversation around collaboration and communication.

by

Arraya Insights Radio

Episode 1: Security Strikes Back: Balancing Convenience and Privacy

Host: Thomas York (Arraya’s Director, Quality and Operational Excellence)

Guests: Tom Clerici (Arraya’s Director, Cyber Security) and Matt Sekol (Arraya’s Director, Microsoft and Cloud)

In our debut episode, the Arraya Insights Radio crew analyze the latest trends and news stories impacting cyber security, including the ongoing disaster at Equifax, the changes that could soon be coming to the regulatory environment, and the challenges of securing an increasingly mobile workforce. Later, they turn their cyber security expertise to a galaxy far, far away …

Theme Music: “I Don’t Remember (Yesterday)” by Hygh Risque
Further Reading:

Click HERE to register for Arraya’s upcoming security forum, Identifying, Monitoring, and Analyzing Security Threats, presented by Tom Clerici. This free, full morning event will feature multiple presentations designed to help IT professionals thrive in today’s increasingly harsh security climate.

 

by

IT investments should start with a problem, not a product. All too often in business, that process gets reversed. Companies fall in love with a set of features or the promise of an innovative, disruptive solution and rush to sign on the dotted line. Next thing they know, that exciting new piece of hardware is gathering dust in the corner of their data center, or a new software license is fading into obscurity – at least until the time comes to renew it.

When businesses put products ahead of problems, inevitably it’s going to lead to some tough conversations about those solutions later on. Questions such as “What goals do we want this solution to help us accomplish?” and “How exactly is it going to do that?” will need to be answered. These are conversations that should have taken place months earlier, but were lost in the lure of innovation. If the answers to those questions never materialize, it could prove to be a damaging blow for IT and for the company itself.

At Arraya, our goal is to do everything possible to avoid seeing organizations end up in that situation. This motivates us to work to get to know our customers, their environments, and their needs. By doing that, we’re better able to guide them toward IT solutions that aren’t just new and flashy, but that make business sense.

Making the most out of IT investments

Whether we’re involved from the start of a project or are asked to come in later and help right the ship during a situation like the one described above, Arraya is ready to help. We’ve spent almost two decades empowering organizations to get the most out of their IT investments. Once we get involved, we will:

  • Serve as a bridge between all sides of the business.
    IT decisions impact every part of an organization’s structure and so they can’t be made in isolation. During initial discovery sessions, our team will gather information on the processes and demands of individual departments. That information will be funneled back to an organization’s IT team and used to plot the best technological path forward for the company.
  • Conduct demos and product workshops for any department, IT or otherwise.
    We do this to illustrate how a solution can be used to bring a department’s goals into reach. Additionally, Arraya will facilitate in-person training sessions for anyone who needs them. By continuing to work with users and admins alike, we will make certain they feel comfortable using a solution and that they can do so securely.
  • Acknowledge that organizational initiatives are ever-changing.
    As a result, the technology that supports those initiatives must be ready to do the same. That’s why Arraya’s team will always be available to conduct health checks and assessments. Should adjustments need to be made to realign a solution with a business need, Arraya will be there to assist with executing those changes.

Are you concerned that you might not be getting the most out of your IT investments? Arraya can jump in at any point. We can help you find solutions that address your organization’s needs, optimize your existing IT environment, or help facilitate user buy-in through instructional sessions and training. All you have to do to schedule a meeting is head to www.arrayasolutions.com/contact-us/ and you’ll be able to open up a line of dialogue with us.

by

Nobody was surprised when it was announced this weekend that the chief information officer and chief security officer were both out at Equifax. We all knew that was going to happen because those two roles always get terminated after a major breach. Clearly, it’s always the CIO and CSO’s fault, right…or is it? I’ve never worked with Equifax and I have no idea what happened at Equifax prior to this breach, but what I do know is that in many of the companies I talk to, the business is just as much to blame as IT for major security holes. How much responsibility does the non-technical leadership team have for an organization’s security posture? It’s an interesting question because, in the midst of everything going on at Equifax, they aren’t calling the CIO or CSO to testify in front of Congress. The CEO is going to testify, and pretty soon that’s who everyone is going to blame if these kinds of catastrophic breaches continue.

The Great Disconnect Between IT and the Business

There is a misconception in many organizations that IT owns security and it’s solely their job to keep the bad guys out. That approach is fundamentally flawed and gives executive leadership an easy pass to blame the CIO and CISO when a breach happens. I’m not going to say IT doesn’t get some blame here, in fact they deserve a lot of blame. IT owns the administration and management of core infrastructure and systems and is primarily responsible for identifying risks and mitigations. However, the last time I checked just about everyone uses technology today. The first thing most employees do when they get to the office is log into a computer. In essence, EVERYONE is a part of the IT department. It’s the business though that owns the checkbook, risk management, priority list, and corporate strategy. The business dictates what they need to be profitable and should be driving IT toward technology that empowers operations. As such, it’s the business’ responsibility to get involved, hold IT accountable for finding risks, understand the gaps, and appropriately resource security initiatives that are critical to protecting sensitive information.

That’s not typically what happens though, is it? Think about your own organization. How many times have you heard someone on the executive team publicly talk about commitment to security and then privately pitch a fit because they had to wait an extra 60 seconds for their PC to boot up on Monday morning after installing security patches? Better yet, how many executives get to bypass multifactor authentication, have local admin right on their laptops, and are exempt from web filtering? To them these are inconveniences that they don’t have time for. They are also the same people that don’t have time to attend security meetings or allocate resources to security solutions. Breaches like the one at Equifax are going to force changes at the CEO level.

People are Looking to the Board and Senior Leadership for Accountability

All too often I see the IT department out on a ledge fighting for money and staff to secure the business channels that are too busy to bother with it. I get it – security is expensive, complicated, inconvenient, and boring. It’s also intangible in that you can’t see the value until there’s a major problem, so it’s easy to ignore or procrastinate. Passing the buck to IT is the easiest way out.  Unfortunately, we live in a world now where ignoring security can put you out of business so, like it or not, the business must care. These breaches have become so public that CEOs can no longer hide behind the complexity of IT for not knowing they are at risk. It’s the executive team’s responsibility to understand the risk and costs to remediate it, which in many cases will require not just money, but culture change.

That doesn’t mean IT is off the hook.  You can’t expect CEOs to be the technology experts. That’s IT’s job. The CEO does need to hold IT more accountable, though. Is the IT department reporting on existing weaknesses and strategies to strengthen them? Are they providing the business with metrics on the effectiveness of the information security program? Do they move security initiatives forward? If the answer to any of these questions is no, then it’s time to replace them with people that can. The discipline is too complex to put “average players” into positions that can literally destroy your business. The CEOs need to get involved. They certainly read revenue/profit reports, audit reports, sales trends, and legal requests. If they’re not treating security the same way, then they are just as accountable as the CIO or CISO when there’s a breach. Politicians, regulators, and law enforcement are taking note of the issues. They are now looking to executive leaders to get engaged. My advice is for business leaders to get involved now, or be prepared to face the music later.

Continue the cyber security conversation with Tom on 9/28 at Arraya’s forum: Identifying, Monitoring, and Analyzing Security Threats. This free, full morning event will feature multiple presentations designed to help IT professionals thrive in today’s increasingly harsh security climate.  

by

Shortly after college, I joined a gym. It wasn’t that I was overweight, it just seemed like something I should do – a healthy lifestyle change. The gym assigned me a personalized coach in the first session to build a quick exercise plan. I took the guidance, but didn’t really get anywhere. After a few months, the membership became a drain with no benefits.

As I hit my 30s, it was clear something had to be done. I started out on the elliptical and then moved to the treadmill. Eventually, I started running outside and now I’m signed up for the 10 mile section of the Rocky Run in November.

When I think about the annual ritual of gym memberships and the promise of getting in shape against the reality of busy schedules and motivation, I think about Office 365. Office 365 has so much promise to make your company more productive, giving your employees ways to work on their terms. An interesting phenomenon occurs after the first entry workload, typically email, is completed.

Office 365 becomes a gym that you never go to. You drive by, check out the happy people working out and see all that equipment and think, “What would I even do with all that?”

Commodity IT Services

There are some workloads IT can control beyond email, but even these can be daunting to roll out. It doesn’t have to be that way. Let’s look at the commodity services that can provide business value, but be delivered through IT.

First up is the hardest one, Office Pro Plus. Why is this the hardest? Office Pro Plus stalls in organizations for two main reasons – legacy compatibility and perceived training issues. The reality is that legacy compatibility represents a real security risk. Take steps to update those add-ins or applications.

For training, Office Pro Plus isn’t as complex as you think. These tools aren’t the most widely used in the world because they are difficult. If your users get stuck, there is a handy little idea icon that calls for you to “Tell me what you want to do.” It couldn’t be easier to find legacy (or new) functionality.

Next up is Skype for Business Online. Now that Office Pro Plus is taken care of, make some basic decisions as to what you want to do. Most customers start with chat, audio, video and desktop sharing. You might need a network assessment, but this is something you can pilot in IT and monitor. The other decision you need to make is to either federate with the outside world or just to pick some strategic domains to federate with.

The first productivity boost your company will notice with Skype is a lower volume of email and a faster time to decision.

Lastly, OneDrive for Business can be a huge productivity boon, especially since you’ve deployed Office Pro Plus already. The hardest decision here is to figure out if you want to allow external sharing. Some content sharing guidelines and tips should probably be instituted.

Congratulations, you’ve laid the workout foundation and started getting value back from your membership.

Business Driven Services

The repetition of these commodity services is akin to your baseline workout. Sure, you’re in better shape, but you’ve plateaued. To get more out of your membership, it’s time to start doing more and changing it up. You can’t go it alone though.

For the remaining services, IT must swallow its pride and check with the business.

SharePoint and Yammer particularly require the business. Don’t fall into piloting the platforms with IT. If IT doesn’t have a business need, the pilot for both will fall flat.

Instead, try reaching out to the business about how employees collaborate on documents, find expertise across the organization, broadcast announcements and other business workflows inside of email that can be pulled out into more effective platforms.

Instead of starting with IT, start with business units and pilot. You will find it will take a life of its own. IT’s job afterwards is to limit sprawl and ensure security.

Accelerate Adoption with a Partner

Just like with a gym membership, the way to get the most out of it is with an expert to guide you through what will work for you.

Office 365 represents just as much of a cultural shift as a technological one. The tools can jumpstart your business’ productivity and efficiency, but it can be like boiling the ocean if you don’t know where to start.

At Arraya Solutions, we are your productivity experts. With several solutions in place, we can ensure that you are getting the most out of the solution. For getting you going with email migrations, no one can help you better. We’ve moved hundreds of thousands of mailboxes into Office 365. A great post-migration step is to bring your business leaders and heaviest technology users to our monthly hands on lab. They will be able to explore the solutions and are encouraged to think of ideas on improving business processes.

We can come to you as well. Simply schedule a personalized session, but make sure to bring business leaders to get the most value.

From implementation to managing Office 365 monthly and being that trusted advisor to keep you fit, Arraya Solutions can help. Reach out to our team today before Office 365 turns into a gym membership!

by

The news broke fast and furious at VMworld last month, keeping the members of the Arraya team in attendance plenty busy as they attempted to experience (and document) everything that took place. While their efforts were admirable – check out their coverage HERE and HERE – there’s still plenty of stories to dive in more deeply to as we move forward from VMworld.

One area we’d like to expand on concerns Dell EMC. Now, while VMworld 2017 was undoubtedly VMware’s show, Dell EMC had a productive week in its own right. At the conference, Dell EMC and VMware came together to announce several new product integrations and enhancements. These changes should give businesses some much-needed additional support as they pursue their digital transformation agendas.

Let’s take a look at five of the biggest announcements as well as the ways in which they seem poised to make an impact:

  • VxRail gets a modern makeover – VxRail 4.5, the latest version of Dell EMC and VMware’s jointly engineered and VSAN-powered hyperconverged infrastructure appliance, is set for a September release date. This release features automation and lifecycle management capabilities, making it easier for IT to administer to the newest VMware technologies, including vSphere 6.5 update 1 among others. In addition, VxRail 4.5 incorporates at-rest data encryption for VSAN to enhance the data center’s security posture.
  • A more scalable, efficient VxRack – VxRack is a hyperconverged solution featuring Cloud Foundation that brings together everything a business needs to launch its own private cloud. It’s scalable so that it can continue to meet the data center needs of growing organizations. Further adding to its flexibility are dozens of new Dell EMC PowerEdge configurations that give organizations more choices and access to higher-capacity storage options.
  • Hybrid clouds for any need – Organizations whose interest in the cloud is more hybrid than private have several new options to explore. Dell EMC Enterprise Hybrid Cloud (EHC) and Dell EMC Native Hybrid Cloud (NHC) each seek to provide a turnkey, low risk pathway to the cloud. EHC loops in Azure for additional public cloud options and adds greater scalability and availability to VxRail deployments. NHC also promises greater VxRail availability while offering developers an advanced application toolbox.
  • Greater peace of mind comes to virtual environments – VMware-based data centers will now be able to leverage Dell EMC solutions to increase transparency and data security without adding management overhead. At VMworld, the tech giants announced Dell EMC’s Data Protection portfolio would be natively integrated with VMware technology. This will allow organizations to use automated data protection and governance strategies, provide greater access to self-service for application owners, and execute more efficient backup and recoveries. As a result, the door will be open for businesses looking to expand their virtualized environment without overwhelming IT.
  • Ready-built cloud and hyperconverged solutions – Customers interested in a simple yet secure way to take advantage of hyperconverged or the hybrid cloud may want to consider Dell EMC and VMware’s joint portfolio of Ready Solutions. These solutions let organizations choose from a completely pre-built solution or take a customizable starting architecture in their own direction before empowering IT to take on more deployment and lifecycle management responsibility. VMware Ready Systems from Dell EMC makes it easy and safe to launch hybrid cloud solutions on a hyperconverged base, while Dell EMC vSAN Ready Nodes allow businesses greater control over HCI stacks while offering sizeable CapEx benefits.

Where can the VMworld conversation go next?

Want to carry on the conversation regarding any of these items – or VMworld in general? Arraya’s team is ready to discuss with you the announcements that stand to make the most difference for your business. Reach out to us today by visiting: https://www.arrayasolutions.com//contact-us/.

We can also be found on social media: LinkedIn, Twitter, and Facebook. You can use any or all of those platforms to comment on our posts, keep up with our latest company news and industry insights, and be the first to know about the exclusive IT learning opportunities we provide.

by

There’s really no nice way to say it, what happened at Equifax last week was the biggest failure to safeguard public data to date. Yahoo had more records compromised, but those weren’t nearly as sensitive.  Furthermore, Equifax’s response has been characterized by Brian Krebs, a leading security expert, as a “dumpster fire.” Krebs goes on to write: “I cannot recall a previous data breach in which the breached company’s public outreach and response has been so haphazard and ill-conceived as the one coming right now.” This is pretty much as bad as a data breach can get in the financial services industry. Equifax literally stores every piece of a person’s online identity, including:

  • Social Security Number
  • Driver’s License Number
  • Date of Birth, Address and Phone Number
  • Bank Account and Credit Cards (with balances)
  • Loan Numbers, Creditors, and Debt Amounts

Except for maybe your health records, what could be more important to protect? Now that info is out there and the real question becomes what will the response be? In my opinion, we’ll see one of two outcomes emerge.

Lack of Accountability Influences Companies to Stop Caring Altogether

I don’t think this outcome will be the case, but it’s certainly worth exploring. The Equifax response can be described as woeful at best, and if they aren’t held adequately accountable this will become the standard for other financial institutions entrusted with sensitive public data.

Equifax stock dropped 13% after the breach was announced. That may sound bad initially, but if that’s the only repercussion, is it enough to really affect change? It really seems to be more of a nuisance to Equifax than a genuine concern. Let’s start with the six weeks that passed between breach identification and notification to the public. SIX WEEKS! Why even bother at that point? You have to assume that data is already published and sold on the dark web. It also doesn’t look very good that three top executives sold off huge chunks of company stock right after the breach was identified but before it was made public. They claim they didn’t know, but it’s extremely suspicious. Then, to make matters worse, their offer to compensate those affected is one year of free access to their credit protection services…credit protection services from the same company that just lost data! It’s not only an insult, but can be used as a database to solicit more revenue from this service after the free first year expires. This hardly looks like stiff, culture changing punishment.

What’s a consumer to do? When Target and Home Depot were breached, customers could use their feet and go to a competitor to punish them. When a ransomware attack takes a company down, that company is directly impacted by the loss of system availability. In this case, there’s little if anything that can be done. Consumers can’t have their personal information removed from Equifax’s database and, unless the government imposes fines or puts them out of business, what’s the real impact to Equifax? If unchallenged, this will become the new norm. Why would other financial institutions protect their data if they know they can just pay for credit protection and be done with it? That could be a lot cheaper and easier than investing in a real security program. It’s a terrible precedent and for the sake of everyone I hope it’s not the end result.

Overregulation and Strict Compliance Force Painful, Expensive Accountability

This one’s not much better, but it’s the more likely outcome if you ask me. Entities like the Consumer Financial Protection Board, NY Department of Financial Services, and Federal Trade Commission could be on the march to make an example of Equifax and rightfully so. I’m usually not an advocate for more oversight, but someone’s got to be held accountable here and there aren’t a lot of options at the consumer’s disposal other than filing a class action law suit. One doesn’t have to look much further than the housing market to see how this ends – painfully intrusive compliance audits that force companies to put controls in place or risk losing their ability to stay in business.

Politicians have already started to pounce and that usually doesn’t bode well for companies on the receiving end. Below are just a couple of examples:

  • Massachusetts Senator Elizabeth Warren – “It’s outrageous that @Equifax – a company whose one job is to collect consumer information – failed to safeguard data for 143M Americans.”
  • New York Attorney General Eric Schneiderman – “My office intends to get to the bottom of how and why this massive hack occurred.”
  • Colorado Representative Diana DeGette – “As a country we need to craft new means to keep thieves and hackers from obtaining and using personal information. Simply compensating consumers whose data has been hacked with a year of monitoring is not going to be enough”.
  • Virginia Senator Mark Warner – “The #EquifaxBreach raises serious questions about #Cybersecurity that Congress must address head on and soon”.

There’s already some cyber security regulation in place, but I think this breach is going to be the straw that breaks the camel’s back in terms of punishment and accountability. You can’t force executives to care about protecting this information, but you can hit them where it hurts – their bank accounts. This is where I think we finally land, and if it doesn’t happen at the federal level, anticipate it happening at the state level like it already has in New York. That’s right, up to 50 different security checklists and larger corporations can anticipate each state to act on it with 50 different onsite inspections. If security seems expensive now, just wait until it’s necessary to hire a full legal team just to interpret the different laws. Unfortunately, that’s almost a certainty now.

I wouldn’t be surprised if some heavy fines are levied against Equifax that force this conversation in each and every board room. Will this actually make us more secure? Maybe, maybe not, but it’s probably where the industry is headed. Prepare now or be crippled by lengthy, expensive, time-consuming checklists along with the fines that accompany non-compliance later.

Continue the cyber security conversation with Tom on 9/28 at Arraya’s forum: Identifying, Monitoring, and Analyzing Security Threats. This free, full morning event will feature multiple presentations designed to help IT professionals thrive in today’s increasingly harsh security climate.  

 

by

There’s a positive moment at the top of Cisco’s 2017 Midyear Cybersecurity Report, one which acknowledges the advances security pros have made regarding preventing and recovering from attacks. Unfortunately – and predictably – this new report isn’t all pats on the back. Instead, the conversation shifts to a number of trends observed by Cisco, each of which is working to undermine security pros’ best efforts. Before any lasting progress can be made, it seems security teams will have to find a way to account for each.

Let’s take a closer look at five of the top trends highlighted by Cisco’s researchers – and outline how cybersecurity pros can respond.

1. The rise of ‘more sinister’ motivations

Businesses have had to come to terms with the notion that cyber criminals may attempt to break in to their systems and hold data for ransom. After all, last year ransomware became a billion dollar industry for those operating on the wrong side of the law.

However, Cisco’s researchers see things taking a far darker turn with the rise of what they’re calling Destruction of Service (DeOS) attacks. While June’s Petya outbreak was initially categorized as a global ransomware scheme, it was soon discovered for what it really was: a highly sophisticated effort to lock up files and throw away the key. How exactly these assaults play out will depend on the attacker, but the basic idea is to severely and permanently disable an affected network. Besides the Petya example, another style of DeOS attack is one used in conjunction with an actual ransomware attack to disable an organization’s backups, forcing compliance with attacker demands.

However they unfold, Cisco sees this strategy as something organizations will need to keep a closer eye on. This includes leveraging a combination of solutions designed to stop threats at the door and supporting that initiative with backups either stored in the cloud or air-gapped to remain out of attacker’s clutches.

2. A low-tech approach more profitable than ransomware

As already mentioned, ransomware had a big year in 2016. Yet, it was a different attack vector which proved more profitable. Worse news:  It’s easier for criminals to execute.

Business Email Compromise (BEC) has netted attackers an average of $1.7 billion per year from October 2013 to December 2016, surpassing even ransomware’s impressive yearly haul. This strategy targets financial teams, leveraging social engineering to initiate fraudulent wire transfers. Malicious actors only need a spoofed email address that appears to belong to a high-ranking company official, and a bank account to pull this con off. All they have to do is pose as a company official, demand a wire transfer, often on a tight timeline, and wait. It’s just that simple.

From a defense perspective, stopping BEC comes down to educating employees on spotting spoofed emails. For example, things like a .net account instead of the correct .com. Additionally, organizations can prevent successful BEC attacks by having a clear multistep approval process in place for all wire transfers. This will clear up the confusion attackers rely on. Finding the time for these training sessions is a must do.

3. Wolves disguised as everyday file extensions

As far as distributing malware, attackers have their preferred methods. In terms of file extensions, it’s not surprising to see a pair of business workhorses leading the way. By far, attackers’ method of choice was .zip files, which racked up just shy of 200,000 encounters. Coming in a distant second was .doc files, which numbered at over 72,000 instances. Additionally, .xls made the top five, featured in over 16,000 instances.

The lesson in this is end users need to expect risky files to be camouflaged. As such, before they open anything, users need to consider a few things. They should look for red flags such as unexpected or slightly altered email accounts. They should consider whether a request is coming totally out of left field. They should look to the message itself for misspellings or awkward phrasing. All of these context clues can keep users from clicking on a potentially dangerous attachment.

4. The dark side of the Internet of Things

Organizations are only just beginning to scratch the surface of what they can achieve through the Internet of Things (IoT) – however the fear is that so are cyber criminals. Last year saw the emergence of IoT botnets as a true Distributed Denial of Service (DDoS) attack vector. Not one but three major assaults had their origins in IoT botnets, targeting a security blogger, a hosting company, and a DNS service provider respectively. These attacks leveraged the full might of their “zombie army” of infected and commandeered IoT devices to push the attacks over the 1TBps threshold.

These attacks are particularly appealing to malicious actors for a number of reasons, including the fact that they:

  • can be set up quickly – sometimes in under an hour
  • grow exponentially – botnets of more than 100,000 infected devices can be spun up in 24 hours
  • are hard to detect – the code only lingers on a device until it is restarted

Defending against IoT botnets is a tough proposition. One option available to organizations is to explore network segmentation as a way of way of managing the flood of traffic churned up during a DDoS attack in order to prevent a total outage.

5. Misconceptions surrounding PUAs

Potentially Unwanted Applications (PUAs) may appear to be nothing more than nuisance-ware, which explains why they’re so often overlooked, according to Cisco’s report. In reality, these applications may be spyware in disguise. Such applications are far from innocuous, giving attackers an eye inside the corporate network, swiping data, and leaving the door open for increased malware infections and other risks.

One of cyber crooks’ methods of deploying their hidden spyware comes in the form of browser extensions. Once downloaded by an unsuspecting user seeking to boost productivity, these extensions can serve as a launching point for cyber attacks. Organizations can protect themselves by adhering to security hygiene basics. Staying up-to-date on patching, requiring users to stick to secure, trusted browsers, and incorporating a defense in depth approach to security can go a long way toward keeping data safe.

Putting the Midyear Cybersecurity Report into action

Want to continue the conversation around the lessons contained in Cisco’s Midyear Cybersecurity Report? Arraya’s Cyber Security team is ready to share their expertise on how organizations can apply these lessons and more to improve their overall security posture. Our team can be reached by visiting: https://www.arrayasolutions.com//contact-us/.

You can also meet the members of our team at our upcoming security forum, Identifying, Monitoring, and Analyzing Security Threats. This event will take place on September 28th at The Hub in Conshohocken, PA and will feature multiple presentations from Arraya’s security experts, all geared toward providing attendees with practical ways to gain insight into the top threats faced by their organization – and how to respond. Attendance is free, however, registration is required and seats are limited. Reserve your spot today here.

Feel free to leave any questions or comments you have regarding this or any of our blogs on our social media pages: LinkedIn, Twitter, and Facebook. While you’re there, follow us to stay in the loop with our latest industry insights, unique learning opportunities, and company news.

by

Data center transformation isn’t just a buzz-phrase nor is it merely a to-do list box to be checked off once and forgotten about. Instead, it’s a continuous process, one which IT must remain vigilant for new ways to apply. Finding these fresh approaches can prove difficult, particularly for time-strapped technology departments. However, with the help of a partner like Arraya Solutions, these opportunities can be more easily spotted.

Arraya’s strategy for furthering the cause of data center transformation includes offering multiple VMware-based software-defined data center assessments. Organizations of all sizes and industries can leverage one or more of these assessments to uncover new places where data center transformation can take hold. Here’s a quick overview of these assessments and what business can expect from each:

  • Virtual Network Assessment – This roughly three-day-long assessment looks at the various ways traffic traverses the corporate network. Its chief concern is shedding light on security vulnerabilities within these traffic flow patterns while also providing IT teams with ways to address those concerns through additional visibility and microsegmentation.
  • Hybrid Cloud Assessment – In just four hours, this assessment can detail an effective organizational cloud strategy. It does this by providing estimates on the cost of housing selected workloads in the cloud versus keeping them on premises. Additionally, it can show businesses how to optimize their cloud strategy to ensure it fits designated budgetary goals.
  • vSphere Optimization Assessment – Over the course of anywhere from one to four weeks, the vSphere Optimization Assessment will dig in to an organization’s existing virtualized environment. The length of the assessment varies depending on a business’s goals as well as the size of its virtualized environment. Upon its conclusion, participants will receive a customized report documenting the ways in which they can improve the capacity, performance, and efficiency of their virtual machines.
  • vSAN Assessment – The goal of this three-day assessment is storage modernization. It analyzes existing virtual machines and determines whether or not their designated workloads are enough to require an all-flash arrangement or if a hybrid configuration would be sufficient. Additionally, this assessment can also suggest hardware upgrades needed to support these recommendations. Participants can come away from this assessment with a more advanced storage environment and CapEx/OpEx savings.

Discover the next phase of data center transformation

Taken singly or together, these assessments can provide a clear path forward for organizations looking to further the cause of data center transformation. Arraya’s expert Data Center team stands ready to perform any or all of the above assessments at no cost. Once the assessment is finished, our team is also available to help organizations map out and execute the next phases of their data center transformation strategy.

Interested in one or more of the above assessments? There’s never been a better time to take part. In addition to the practical benefits of participating, VMware – in conjunction with Intel – is sweetening the deal. The companies are offering a free golf driver or a drone to those who complete any of these assessments. This offer will last for a limited time so, as far as signing up goes, the sooner the better. Contact Arraya Solutions by visiting www.arrayasolutions.com/contact-us/ to schedule your assessment and secure either of those special offers.

Also, feel free to leave us a comment on this or any of our blog posts by checking us out on social media. We can be found on LinkedIn, Twitter, and Facebook. While there, be sure to follow us to be the first to know about our latest industry insights, unique learning opportunities, and company news.

by

On Monday August 28th, the 180-day transitional period for compliance with the New York Department of Financial Services Cyber Security Law came to an end. This means that covered entities are now required to be in compliance with elements of the law unless otherwise specified. The date is significant because companies affected by the law have been given time to comply with it and now auditors can begin checking for compliance and levying penalties.

Why the NY DFS Law is Different

In some of my previous blog posts, I’ve talked about security compliance, different regulations, and strategies for compliance. I’ve been through many audits in the past. In the interest of full transparency, it’s been my experience that most cyber security audits are pretty generic. If you’re following basic security hygiene practices, know what you’re talking about, and can make a case as to how your controls meet the auditor’s intent, then the audit typically goes smoothly. There are usually some recommendations and takeaways but nothing earth shattering or business crippling.

Then there’s the state of New York. I’ve gone through audits with this group before when there wasn’t even a defined checklist and it was a week-long event. Unlike most vendor due diligence checklists or existing state guidelines with generic requirements, the NY DFS law calls out specific controls that you must have in place. As of Monday the 28th, the following controls are now legally mandated:

  • Established policy across 14 specific security categories like customer privacy, system availability, inventory/device management, data governance, and much more
  • Limitations on access privileges
  • Qualified cybersecurity personnel and intelligence
  • Third party service provider security policy
  • An incident response plan

These are mostly non-technical requirements; however those timelines are fast approaching. Companies will soon be required to implement multifactor authentication for remote access, detect cybersecurity events, and encrypt data at rest and in transit and much more. These may sound like simple tasks, but many organizations simply do not have these controls implemented. The more impactful requirement for this law takes effect on February 15, 2018.  By this date, companies must submit in writing to the Superintendent a statement “certifying that the Covered Entity is in compliance with the requirements set forth.” In other words, security is no longer IT’s problem. This certification holds the “Senior Officer(s)” responsible for complying with the law. For many organizations, this is a significant deviation from how security is typically perceived and managed.

What’s Next?

It’s my opinion this is just the beginning of the emergence of cyber security regulations. I anticipate more states, federal agencies, and regulatory authorities prescribing similarly defined requirements across all industries with specific technical controls. Finance has already adopted multiple security regulations like the NY DFS Law. Healthcare is already on its way toward mandating adoption of the NIST Cyber Security Framework, if it decides to follow guidance from the U.S. Dept of Health and Human Services Healthcare Cyber Security Task Force Report. Given the number and scale of attacks over the last year, it’s impossible to think these concerns from regulators will go away. Most likely they’ll only get more complex and sophisticated.

If you’d like to hear more about the latest in cyber security defense initiatives as well as threats, join me on 9/28 for Identifying, Monitoring, and Analyzing Security Threats, a free, morning-long event packed with sessions dedicated to those very topics. We can also carry on the conversation one-on-one. If you’d rather get something scheduled sooner, visit https://www.arrayasolutions.com//contact-us/ to make that happen.