Welcome to the Sentinel Blog!
We are proud to feature a carefully curated collection of articles and other content related to the most important technology topics of today and beyond. Our posts are composed and edited by Sentinel’s ALWAYS ENGAGED team of solutions architects, engineers, project managers and other subject matter experts.
Security Advisory: Microsoft Confirms New Exchange Zero-Day Vulnerabilities
The Fortis Threat Intelligence Team has been monitoring the emerging news of active exploitation of two new Microsoft Exchange zero-day vulnerabilities. A write-up of these vulnerabilities was initially published by Vietnamese cybersecurity company GTSC. The vulnerabilities were initially reported to the Zero Day Initiative (ZDI) and assigned ZDI-CAN-18333 and ZDI-CAN-18802. Microsoft released a public statement on 9/30/22 confirming these reports and identifying the vulnerabilities as an exploit chain consisting of an authenticated server-side request forgery (SSRF) and a remote code execution (RCE) vulnerability, which have been assigned CVE-2022-41040 and CVE-2022-41082 respectively. The Fortis team has been actively threat hunting since 9/29/22 and has taken steps to add indicators of compromise to block lists in its MSSP tenant spaces.
There is currently no fix available, but Microsoft has released mitigation guidance and states that it is working on an accelerated timeline. On-premises and hybrid Exchange environments are the only environments affected. Microsoft Exchange Online customers do not need to take any action at this time.
The Fortis team recommends following the mitigation advice provided by Microsoft for on-premises and hybrid Exchange servers and performing the hunting and mitigation steps outlined in the Next Steps section below. This is a developing situation; read on for additional details.
The GTSC team has reported in its blog post that they observed ProxyShell-formatted exploit requests within IIS logs and found evidence of command execution within other log sources. Their blue team also reported that other customers are experiencing a similar problem. The blog then goes on to mention that their red team was able to perform remote code execution but that they will not yet be releasing the technical details of the vulnerability. Review of reporting from others in the security and intelligence community has not revealed any proof-of-concept scripts or additional details on tooling.
Microsoft has stated that authenticated access to a vulnerable server is required to exploit either one of these new vulnerabilities. Per the Microsoft report, “CVE-2022-41040 can enable an authenticated attacker to remotely trigger CVE-2022-41082.”
There are reports of limited, targeted attacks exploiting these vulnerabilities, some of which have been used to drop the “China Chopper” webshell. While GTSC suspects attribution to a Chinese activity group, the Fortis Threat Intelligence team will not comment on these assessments at this time.
Fortis ActiveDefense Detection Coverage
After reviewing the available blog post released by GTSC as well as community intelligence, the Fortis ActiveDefense platform has comprehensive coverage for the behavioral indicators and MITRE ATT&CK mapping provided by GTSC. Due to the perceived similarity with the ProxyShell vulnerability, native vendor coverage for similar detections and post-exploitation activity has matured since ProxyShell’s initial release in 2021. Fortis customers utilizing Microsoft Defender for Endpoint or Microsoft Defender Antivirus should be advised that both solutions currently detect post-exploitation activity from these vulnerabilities. Specific Trend Micro solutions also currently have detection coverage for this activity.
The Fortis by Sentinel SOC team is also performing around-the-clock dedicated threat hunting for the indicators provided by GTSC. If any suspicious activity around these indicators of compromise is found, a SOC analyst will be in touch. We have also been performing proactive blocking of reported indicators of compromise within our managed MSSP tenant spaces as of 9/29/22 to protect our customers during this developing situation.
GTSC has provided two methods for checking your environment to determine whether an Exchange server has been compromised: a PowerShell script and a scanner hosted on GitHub. There are also two Azure Sentinel hunting queries available to hunt for both the SSRF and the RCE activity associated with these vulnerabilities. We recommend reviewing these methods and performing the appropriate detection steps in your environment to discover any compromised hosts. The Microsoft communication contains detailed mitigation steps, and the GTSC blog post also provides its own mitigation measures under the Temporary Containment Measures heading. Please see the links provided below for full details.
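The hunting step above is a log review: GTSC's indicator is the ProxyShell-shaped request in IIS logs. The script below is an added example written for this post, not GTSC's script or Microsoft's tooling. It parses IIS W3C logs using the `#Fields:` header (so column order does not have to be hard-coded), URL-decodes the stem and query before matching (an encoded `%40` would otherwise slip past a plain `@` check), and groups hits by client IP, separating attempts that the server answered with HTTP 200 from those it rejected. The matching pattern is an assumption modeled on the request shape that Microsoft's published URL Rewrite mitigation targets; tune it against the indicators in the GTSC post. The log lines are constructed for the example.

```python
"""Hunt IIS W3C logs for ProxyShell-formatted requests (added example)."""
import re
from urllib.parse import unquote

# Assumption: the autodiscover.json / '@' / powershell shape that Microsoft's
# URL Rewrite mitigation keys on is a good enough hunting filter. Tune as needed.
PROXYSHELL_RE = re.compile(r"autodiscover\.json.*@.*powershell", re.IGNORECASE)

# Constructed sample log (not a real capture). IIS writes one space-separated
# record per line and names the columns in a "#Fields:" header.
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 10.0
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status sc-substatus sc-win32-status time-taken
2022-09-29 10:15:01 10.0.0.5 GET /owa/ - 443 - 203.0.113.10 Mozilla/5.0 200 0 0 12
2022-09-29 10:15:07 10.0.0.5 POST /autodiscover/autodiscover.json @example.com/powershell/ 443 - 203.0.113.10 Mozilla/5.0 200 0 0 305
2022-09-29 10:16:07 10.0.0.5 POST /autodiscover/autodiscover.json %40example.com/powershell/ 443 - 203.0.113.11 Mozilla/5.0 200 0 0 580
2022-09-29 10:17:00 10.0.0.5 POST /autodiscover/autodiscover.json @example.com/powershell/ 443 - 203.0.113.12 Mozilla/5.0 401 1 0 8
2022-09-29 10:18:00 10.0.0.5 GET /ecp/ - 443 alice 198.51.100.7 Mozilla/5.0 200 0 0 40
"""


def parse_w3c(text):
    """Yield one dict per record, naming columns from the #Fields header."""
    fields = None
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if not line or line.startswith("#"):
            continue
        if fields is None:
            raise ValueError("log record seen before a #Fields header")
        parts = line.split()
        if len(parts) != len(fields):
            continue  # truncated or malformed record; skip rather than misalign columns
        yield dict(zip(fields, parts))


def find_proxyshell_requests(text):
    """Return every record whose decoded stem+query matches the ProxyShell shape."""
    hits = []
    for rec in parse_w3c(text):
        uri = rec["cs-uri-stem"] + "?" + rec["cs-uri-query"]
        if PROXYSHELL_RE.search(unquote(uri)):  # decode first: '%40' == '@'
            hits.append(rec)
    return hits


def summarize(hits):
    """Group hits by client IP and flag whether the server ever answered 200."""
    by_ip = {}
    for rec in hits:
        entry = by_ip.setdefault(rec["c-ip"], {"count": 0, "succeeded": False})
        entry["count"] += 1
        if rec["sc-status"] == "200":
            entry["succeeded"] = True
    return by_ip


if __name__ == "__main__":
    for ip, info in summarize(find_proxyshell_requests(SAMPLE_LOG)).items():
        verdict = "HTTP 200 seen, investigate the host" if info["succeeded"] else "rejected attempt(s) only"
        print(f"{ip}: {info['count']} matching request(s); {verdict}")
```

A 200 response only means the request reached the Exchange back end, not that the chain succeeded, so a hit should send the analyst to the other log sources the GTSC post names (Exchange and PowerShell logs) and to the indicators of compromise listed there.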
Additional indicators of compromise are available in the GTSC blog post. We recommend adding these to blocklists in your environment as appropriate. The Fortis team will continue vigilantly threat hunting and monitoring the situation and will advise customers of developments as they are received and vetted by the Threat Intelligence team.
Additional Recommendations and Best Practices
Aging Exchange vulnerabilities continue to be a popular vector for attack as many Exchange servers remain unpatched following the initial exploitation of the ProxyShell vulnerability in 2021. We recommend ensuring that your environment remains patched and appropriately hardened against attacks targeted at Exchange vulnerabilities and ensuring that a comprehensive vulnerability scanning solution is in place to proactively identify vulnerable assets in your environment.
As the number of cyberattacks continues to increase at an exponential level, the Fortis team remains vigilant in our mission to stop breaches before they occur. We are fighting for you with 24x7x365 monitoring of your environment through our Security Operations Center (SOC), Incident Response, and Threat Intelligence teams to help lower the time to detect and respond to active threats. Our Incident Response team is always ready to engage at (844) 297-4853.
References and Additional Reading:
Supply Chain Issues Accelerate Cloud Adoption
The beginning of the COVID-19 pandemic resulted in lockdowns around the globe. While many jobs were able to either temporarily or permanently operate in a remote capacity, a lot of manufacturing and factory positions did not have that capability. When those factories shut down for weeks or months at a time, essential parts and equipment were not rolling off of assembly lines and shipped out to customers worldwide. This marked the start of supply chain issues that have yet to be resolved more than two-and-a-half years later.
While supply chain issues have affected the availability of many goods from your local retail outlets, they have also resulted in a number of challenges for major technology vendors. Cisco, Microsoft, and Dell Technologies (and many others) have all been dealing with chip shortages and other things that create weeks- or months-long delays for customers. A vast majority of physical, on-premises IT solutions are manufactured and shipped from China, which continues to take extraordinary precautions in the pandemic by instituting sporadic lockdowns when virus cases rise above certain thresholds. Exceptionally busy shipping routes and a lack of available transportation have also contributed to delays, along with the military conflict between Russia and Ukraine. These are all puzzle pieces the world is frantically trying to put back together so life and business can largely return to normal.
One perhaps unintended consequence of the IT equipment supply chain delays is an acceleration of cloud adoption and migration by many organizations. Unlike physical equipment, cloud solutions can be purchased and deployed into an environment in a matter of hours or days, depending on size and scope requirements. That ease and scalability have been selling points for cloud solutions since they first became available, however now they have the added benefit of enabling businesses to avoid costly or strategic delays involved with implementation. Rather than wait months for a critical part to arrive, organizations are simply shifting that piece of their environment into the cloud so it can get deployed and become operational according to their own timeline. An increase in cloud adoption and usage has always been expected, but projections suggested it would take much longer to reach its current level. The primary motivating factor appears to be directly related to supply chain delays.
Sentinel has certainly noticed the sharp uptick in cloud adoption among our customers. We are proud to offer both AWS and Azure cloud solutions and services to help elevate your business with innovative features and robust security to keep critical pieces of your environment safe. Sentinel CloudSelect® includes the unique capabilities that we call Select, Connect, and Protect. You can Select the cloud solution you would like to deploy, choose how it Connects to your environment, then add security features from Fortis by Sentinel to Protect it against attackers. There are a wealth of customizable combinations ready to handle the unique requirements of your organization. Please contact us if you would like to learn more about our cloud offerings.
CRN also recently published a news story on how supply chain issues are driving cloud adoption, which you can read at this link if interested.
The Challenges of IoMT and Healthcare Security
By now, most of us own smart devices of some kind. Whether you use a voice-activated home assistant like an Amazon Echo or have a thermostat that can be controlled from your phone, there are all different kinds of appliances capable of connecting to the internet and activating features designed to make your life better or easier. When it comes to business, many of the smart, Internet of Things (IoT) devices focus on providing advanced data/analytics to help make more informed decisions. For example, they can automate processes to help improve productivity and lower costs. As organizations begin to incorporate more and more IoT devices in their environments, they also create new challenges in terms of scalability, resource requirements, and security.
Nowhere has this been more prevalent than in the healthcare industry. Usage of IoT devices in medical settings continues to accelerate at a rapid pace, with a recent study by Emergen Research projecting the healthcare industry will spend more than $160 billion on smart devices by 2027. These IoMT (or Internet of Medical Things) elements are intended to not only help doctors and nurses with daily tasks, but can also improve patient care and comfort. Not only can a smartboard provide information about a patient’s medications and allergies, but it can also provide live information about a patient’s condition, including heart rate, blood pressure, glucose levels, and oxygen levels. If a level moves above or below a designated threshold, the nurse on duty can automatically receive a notification on a tablet or other device and take action as necessary. Outcomes tend to be better for all involved thanks to IoMT devices, so it’s no wonder many healthcare institutions are investing heavily in the technology space.
Yet when you rely on such a large number of IoMT devices (some of the most advanced hospital rooms have 20+) in life-or-death situations, you’re adding a lot of extra endpoints onto your network, each with their own unique structures and vulnerabilities. Keeping them, along with the entire medical facility, secure in such a high-stakes industry can be a monumental task, especially when you factor in regular maintenance, updates, and patching. The good news for patients is that their individual risk is quite small, as bad actors tend to target primary hospital operations, using improperly secured devices as an entry point into the network where they can then elevate access to larger machines, systems, and data that can be encrypted and held for ransom.
In one recent event, malware was discovered on a device designed to deliver precise doses of medicine to a patient. The malware was included as part of a patch provided by the vendor, and was only found because the hospital runs extensive testing on all of its devices for several days before returning them to use. Given that many medical facilities don’t have the time, IT staff, or surplus of equipment to pull devices out of service and test them for a week, this is not a standard practice. If the malware-infected device had been placed back in a patient room, it could have easily spread to other devices and corrupted the entire network.
Healthcare IT teams have hundreds of devices to monitor and maintain, made by vendors of varying size and quality. Not every device includes access to operating systems, patches, and security testing either, meaning the vendors themselves or an outside managed services provider such as Sentinel takes on the responsibility of updates and maintenance. This can provide some relief to already overworked IT teams, however it also leaves them in the dark on certain devices when it comes to security testing and general usage or placement within the environment. Plus, some IoMT devices don’t have the ability to be patched or can’t be easily replaced if they break and need to be temporarily taken offline. Often a vulnerability will be discovered for a device within days or weeks of release and hospitals will continue to use it for years out of necessity, keeping a close eye and fingers crossed it never winds up exploited.
The U.S. Food and Drug Administration (FDA) regulates medical devices, and shares responsibilities in fighting cybersecurity risks in today’s ever-changing environments. Last year, the FDA began working on changes to the guidance for approving IoMT devices. They want to ensure all new devices have the capability and architecture to support updates and patching, and that this can be done in a timely fashion. The FDA also seeks to ensure customers remain informed of any cybersecurity vulnerabilities that developers discover in their IoMT devices, along with instructions related to patching or at least minimizing the risks posed by those vulnerabilities.
So what can hospitals and other healthcare facilities do today to help protect their IoMT devices along with the rest of their IT environment? There are three primary, rather obvious things to consider.
First, maintain a strong focus on network security. The basics. Know all of the elements/endpoints on your network and how they fit together, develop a routine of regular maintenance/updates/patching, deploy the right security products to provide the best possible coverage, and monitor network activity for any anomalies or suspicious behavior. This is good advice for organizations of all types, but particularly healthcare given the extensive number of devices and endpoints that increase an attack surface area. Sentinel offers 24x7x365 endpoint/device monitoring through our Network Operations Center as well as 24x7x365 security monitoring through our Security Operations Center so you can maximize the uptime and protection of your entire infrastructure.
Secondly, operate from a zero-trust security architecture. Assume all users on your network, along with their devices, are not implicitly trusted and must continually validate at every stage of a digital interaction. Yes, this requires more gatekeeping with logins, passwords, and multi-factor authentication to access different areas of your environment. It also means properly segmenting your network, which can be a difficult but worthwhile pursuit as it significantly lowers the risk of exploitation by any vulnerable users or devices. Sentinel offers a FREE Zero Trust Security Workshop that examines your organization’s position related to the zero trust framework and provides guidance on how to harden your position in alignment with that model.
Many healthcare institutions keep everything connected on a single domain or subdomain in order to keep costs and complexity to a minimum. Some don’t even encrypt sensitive data during transfers or other changes. Microsegmentation creates a lot more pieces that can be difficult and expensive to maintain, but it also isolates critical devices from the rest of the network and can give vendors easy remote access for faster updates/patching. This is particularly helpful when your IT team doesn’t have control over the security of certain devices and requires the vendor or a contracted managed services provider to step in and fix any vulnerabilities. Just remember that even though the IT department may not be able to control every single device on the network, it can implement plenty of other large-scale security measures to keep things as safe as possible.
Lastly, an important way to keep healthcare environments secure is to invest in the right technology and talent. Obviously budgeting creates a whole other set of challenges, particularly as the healthcare system has been so overwhelmed since the start of the pandemic. Asking for more money to hire IT staff and purchase security solutions/services is nearly impossible for many healthcare institutions. But honestly, the costs associated with developing and deploying a proper security strategy end up paying off in the long run. This is particularly true if it helps you avoid a major security breach and/or ransomware attack that could result in hundreds of thousands of dollars (or more) spent to remedy the situation. Sentinel offers managed services and support services for your healthcare environment that can help remove some of the burden from your overworked/understaffed IT team. We handle the maintenance, patching, and updates on covered devices, and remain always available in the event of an outage or other technical issues that may arise. Sentinel also has a Virtual Chief Information Security Officer (vCISO) service that enables your organization to have a certified expert available at a fraction of the cost of a full-time hire who works with you to develop and implement a smart security strategy tailored to your environment. Contact us to learn more!
For their part, IoMT device manufacturers are learning from their customers. Many new devices are being built with scalability in mind, so coverage can grow as a healthcare network or system does. They also understand institutions often keep devices in use for years after a vulnerability has been discovered, so the focus has shifted to ensuring new devices are as secure as possible when they hit the market, then maintaining that protection when new features and updates are installed. A lot of maintenance and patches are handled through the cloud as well these days, improving accessibility and reducing risk. While prices for a majority of IoMT devices have risen in recent years, the hope is that these modifications will significantly extend their lifespan and usability to more than make up for the higher cost.
Did you know Sentinel has a dedicated National Healthcare Innovations team? They are responsible for providing our healthcare customers with guidance, solutions, services, and support surrounding technology initiatives. The goal is to ensure all healthcare institutions have the best possible tools to deliver the highest quality patient care with a particular focus on easing the burdens faced by doctors, nurses, and other key medical staff. If you are interested in learning more about the latest developments and new IoMT devices or would simply like some additional help with the development and implementation of your healthcare IT initiatives, please contact Sentinel today for more information!
Security Advisory: Cisco Reports Corporate Network Breach
Cisco Security Incident Response and Cisco Talos released information on 8/10/22 regarding a security incident that occurred within the Cisco corporate network that was identified in late May of 2022. Cisco determined that although files from the incident were published to the dark web on 8/10/22, they feel confident the incident was isolated to the Cisco corporate network and does not impact any Cisco products or services, sensitive customer data or employee information, Cisco intellectual property, or supply chain operations. Although no ransomware was deployed during this incident, the Talos team indicates that the TTPs used were consistent with “pre-ransomware activity.” As of version 1.0 of their communication release, Cisco has stated that no customer or partner action is required for Cisco products or services. Please read on for additional details.
Incident and Activity Group Details
Cisco shared that initial access was achieved through an event chain including a compromised Google account with cached Cisco credentials in the browser as well as successful voice phishing (vishing) and MFA fatigue which allowed the adversary to gain access to the Cisco VPN under the context of the target user. The attacker then continued to escalate privileges and drop well-known security tools such as Cobalt Strike, Mimikatz, Impacket, PowerSploit, and additional backdoor accounts to gain persistence in the environment. The Talos team observed tooling being staged in the Public user profile on affected systems and believes that the C2 infrastructure used was customized to this attack.
The Talos team reports that the actor continued to escalate privileges and pivot through the environment using living-off-the-land techniques that abuse trusted Windows utilities, eventually obtaining privileged domain controller access. Credentials were then dumped using ntdsutil.exe via PowerShell and exfiltrated over SMB. Additional attempts were made to enumerate the environment and extract credentials with other well-known methods such as adfind, secretsdump, MiniDump, and extracting the SAM database.
The actor is reported to have made efforts to conceal forensic artifacts by clearing Windows event logs and removing local admin accounts that they had created. They also modified firewall configurations to enable and utilize Remote Desktop Protocol (RDP) access and installed common remote support tools.
Cisco reports that the threat actor continued to attempt to access the environment after eviction, specifically focusing on previously compromised accounts, attempting to exploit weak password hygiene, and using newly registered domains that referenced the Cisco organization. The adversary also made spear phishing attempts during this time. The Talos team assessed that this activity is associated with an initial access broker tied to both UNC2447 and Lapsus$. For additional technical details and a list of IOCs, please refer to the Talos blog linked at the end of this release.
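The post-compromise behaviors above (ntdsutil launched from PowerShell, tooling staged in the Public user profile, firewall changes to enable RDP, event logs cleared, attacker-created accounts removed) are the kind of activity the Additional Recommendations section's command line auditing and log collection advice is meant to surface. The code below is an added example for this post, not Cisco's, Talos's or the Fortis platform's detection logic. It runs a small rule set over constructed Windows Security events (process creation 4688, log cleared 1102, account deleted 4726) that have been flattened into dictionaries, tags each hit with the MITRE ATT&CK technique it maps to, and then groups hits per host so that several techniques on one machine stand out as a chain rather than isolated noise. The event records, hostnames and account names are constructed; the technique IDs are ATT&CK's.

```python
"""Rule-based triage of Windows Security events for the TTPs described above (added example)."""
import re
from collections import defaultdict

# Constructed sample events (not data from the Cisco incident). Each dict
# flattens the fields of one Windows Security event record.
SAMPLE_EVENTS = [
    {"id": 4688, "host": "WS01", "user": "CORP\\jdoe", "parent": "C:\\Windows\\explorer.exe",
     "image": "C:\\Program Files\\Microsoft Office\\root\\Office16\\OUTLOOK.EXE", "cmdline": "OUTLOOK.EXE"},
    {"id": 4688, "host": "DC01", "user": "CORP\\svc_backup",
     "parent": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
     "image": "C:\\Windows\\System32\\ntdsutil.exe",
     "cmdline": 'ntdsutil.exe "ac i ntds" "ifm" "create full C:\\Users\\Public\\ifm" q q'},
    {"id": 4688, "host": "WS01", "user": "CORP\\jdoe", "parent": "C:\\Windows\\System32\\cmd.exe",
     "image": "C:\\Windows\\System32\\netsh.exe",
     "cmdline": 'netsh advfirewall firewall set rule group="remote desktop" new enable=yes'},
    {"id": 4688, "host": "WS01", "user": "CORP\\jdoe", "parent": "C:\\Windows\\System32\\cmd.exe",
     "image": "C:\\Users\\Public\\tools\\svchost.exe", "cmdline": "svchost.exe -k netsvcs"},
    {"id": 1102, "host": "WS01", "user": "WS01\\tmpadmin"},
    {"id": 4726, "host": "WS01", "user": "WS01\\tmpadmin", "target": "WS01\\tmpadmin"},
]


def _image(e):
    return e.get("image", "").lower()


# Each rule: (ATT&CK technique, description, predicate over one event).
RULES = [
    ("T1003.003", "NTDS credential dump via ntdsutil",
     lambda e: e["id"] == 4688 and _image(e).endswith("ntdsutil.exe")
     and re.search(r"\bifm\b|create\s+full", e.get("cmdline", ""), re.I) is not None),
    ("T1562.004", "Host firewall modified to allow Remote Desktop",
     lambda e: e["id"] == 4688 and _image(e).endswith("netsh.exe")
     and re.search(r"advfirewall.*(remote desktop|3389).*enable=yes", e.get("cmdline", ""), re.I) is not None),
    ("T1074.001", "Executable launched from the Public user profile",
     lambda e: e["id"] == 4688 and _image(e).startswith("c:\\users\\public\\")),
    ("T1070.001", "Security event log cleared",
     lambda e: e["id"] == 1102),
    ("T1070", "Local account deleted (possible cleanup of an attacker-created admin)",
     lambda e: e["id"] == 4726),
]


def detect(events):
    """Return one alert per (event, rule) match, in event order."""
    alerts = []
    for e in events:
        for technique, desc, pred in RULES:
            if pred(e):
                alerts.append({
                    "host": e["host"], "user": e.get("user", ""), "technique": technique,
                    "description": desc,
                    # Parent process matters here: the post describes ntdsutil being driven from PowerShell.
                    "parent": e.get("parent", ""),
                })
    return alerts


def triage(alerts):
    """Group alerts per host; two or more distinct techniques on one host is treated as a chain."""
    per_host = defaultdict(set)
    for a in alerts:
        per_host[a["host"]].add(a["technique"])
    return {host: {"techniques": sorted(t), "chained": len(t) >= 2} for host, t in per_host.items()}


if __name__ == "__main__":
    found = detect(SAMPLE_EVENTS)
    for a in found:
        print(f"{a['host']} {a['technique']} {a['description']} (user={a['user']}, parent={a['parent']})")
    for host, info in triage(found).items():
        print(f"{host}: {len(info['techniques'])} technique(s), chained={info['chained']}")
```

The per-host grouping is the useful part: a single firewall change or account deletion is routine administration on many networks, but the same host showing a Public-profile binary, an RDP firewall change and a cleared Security log within one window is the pattern the Talos write-up describes and is worth an analyst's time. The ntdsutil rule fires on its own because a full NTDS export is rarely legitimate outside of scheduled domain controller backups.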
Fortis ActiveDefense Detection Coverage
Based on the tactics and techniques listed in the Talos blog, the Fortis ActiveDefense platform maintained comprehensive coverage throughout the MITRE ATT&CK phases provided in the blog. The Cisco CSIRT team also indicated they have updated their security products with intelligence gained from observing the bad actor’s techniques and shared Indicators of Compromise (IOCs) via the Talos blog. The Fortis by Sentinel SOC team is also performing dedicated threat hunting for this specific communication. If any suspicious activity around these indicators of compromise is found, a SOC analyst will be in touch.
The Fortis Threat Intelligence team is working diligently to review the IOCs and artifacts provided by the Talos team and implement any new detections to assist in identifying threats associated with this activity. The Fortis team will continue to monitor Cisco communication for updates – especially those that may affect Cisco partners or customers.
Additional Recommendations and Best Practices
Given Cisco’s unique visibility into this activity as a security product owner, the company has provided a number of recommendations. High on the list is comprehensive user education to assist in thwarting social engineering attacks such as those used in this incident. Further recommendations include proper network segmentation, remote endpoint posture checking, comprehensive log collection to avoid visibility gaps, maintaining periodically tested offline backups, and command line auditing to gain visibility into suspicious activity involving trusted utilities.
As the number of cyberattacks continues to increase at an exponential level, the Fortis by Sentinel team remains vigilant in our mission to stop breaches before they occur. We are fighting for you with 24x7x365 monitoring of your environment through our Security Operations Center (SOC), Incident Response, and Threat Intelligence teams to help lower the time to detect and respond to active threats. Our Incident Response team is always ready to engage at (844) 297-4853. Visit fortisbysentinel.com for more information.
References and Additional Reading
Cisco Event Response Release
Cisco Live! 2022: Major Announcements
2022 marked the first full-fledged, in-person Cisco Live! conference in over two years. Sentinel was thrilled to be back among other Cisco partners and customers out in Las Vegas for the event last month, which was packed with educational seminars, information sessions, major announcements, keynote speeches, and fun social activities. A special thank you to everyone who showed up to Sentinel’s Cisco Live! Happy Hour, stopped by the Sentinel booth, or just generally spent some time chatting with any members of the Sentinel team. It was wonderful connecting and re-connecting with so many folks, and we hope to keep the lines of communication open in the coming weeks and months.
While there was so much to learn and experience at this year’s Cisco Live! (as there is every year), perhaps the most important part of the annual conference is the many announcements revealed by Cisco. These are always introductions or previews of new technology solutions, or significant changes/upgrades to current ones. We care deeply about these details because they affect our customers and their IT environments. In our mission to help you remain Always Leading, every change or innovation can further elevate your presence and enable you to build a stronger foundation for growth. Cisco made several major announcements at their conference this year, and we’re excited to share some of those highlights to make sure you’re aware of what’s coming down the pipeline.
Cloud Management for Cisco Catalyst
If your organization is using Catalyst network switches, wireless controllers, and/or wireless access points, you’ll soon be able to monitor and manage them through the cloud-based Cisco Meraki dashboard. This enables you to connect to your network from anywhere and see everything. You’ll be able to receive insights into your network, including every connected client and port-level configuration. That means more information about traffic flow, plus the ability to identify, isolate, and resolve issues with troubleshooting tools. The simplicity of the Meraki Cloud should make it easier than ever to operate your existing Catalyst switches!
Speaking of switches and the cloud, Cisco is taking its popular Nexus data center switches and transforming the brand into a Software as a Service (SaaS) offering. The data center used to be the epicenter of all things IT for an organization. As new technologies have emerged over time, assets are now spread across the public cloud, colocation centers, SaaS, and more spaces. This has created challenges in ensuring availability, security, and performance throughout all of these platforms, services, and endpoints. Powered by Intersight, Nexus Cloud aims to make it easier than ever to deploy, manage, and operate your cloud network. This next generation of Nexus is poised to deliver world-class programmability, performance, and power efficiency to unify and innovate your network under a single platform.
ThousandEyes WAN Insights
The internet has become more important than ever to organizations, as many employees continue to work remotely, utilize cloud-based applications, and collaborate with co-workers on a regular basis without any losses in productivity. This increased reliance on the internet means applications and networks need to deliver a great user experience with minimal disruption. Cisco’s Predictive Network Vision aims to create a new level of performance by helping organizations anticipate certain application and network issues before they occur. ThousandEyes WAN Insights is a key step in making this a reality. It extends internet visibility into SD-WAN health, allowing for a closer look at your top applications, specific user experiences, and how those experiences can be improved by studying past behaviors. WAN Insights provides recommendations to fine-tune your SD-WAN deployment and take a proactive rather than reactive approach to minimize problems before they start and increase overall user satisfaction.
Cisco+ Secure Connect Now
Secure Access Service Edge (SASE) is a cloud-based network infrastructure model built around a combination of network and security services. The goal is to ensure your organization’s devices and users can securely access critical systems and applications at any time from anywhere. As the popularity of SASE continues to increase, Cisco has released Cisco+ Secure Connect Now, which is a simple and unified turnkey SASE solution. The goal is to deliver an incredibly smooth and powerful user experience that takes very little effort to seamlessly and securely connect to branches, things, and applications. It is essentially an out-of-the-box SASE solution that’s easy to deploy and manage so organizations can lower costs, reduce complexity, facilitate digital business, as well as improve worker efficiency and productivity. All while using Zero Trust Network Access (ZTNA) to keep security threats off the corporate network.
AppDynamics Cloud
Cisco AppDynamics is a leading provider of Observability and Application Performance Monitoring technology. With the announcement of AppDynamics Cloud, Cisco intends to deliver an exceptional digital experience by correlating telemetry data from across any sized cloud environment. It utilizes cloud-native observability to remediate application performance issues with business context and insight-driven actions. In short, it continually optimizes cloud applications in order to optimize both business outcomes and customer experiences. Intelligent operations can help detect and resolve any performance issues before they can impact an organization. The platform enables collaboration across teams to make it easier for them to achieve common objectives and performance goals. AppDynamics Cloud pulls in metrics, logs, events, and more from your network, databases, storage, containers, security, and other cloud services to make it easier to understand your entire IT stack all the way to the end user. From there, your organization can take informed actions to lower costs, maximize revenue, and ensure users and organizational data remain secure.
Bluescape for Webex
Cisco announced numerous enhancements that will be coming to the Webex application in the coming months. One of those includes a partnership with Bluescape, a virtual workspace app capable of enhancing collaboration during virtual meetings. Bluescape for Webex allows remote and/or hybrid teams to share documents, images, video, and other files in a more secure canvas. There are also whiteboard, draw, and diagram tools available to make it easier to include fresh ideas and comments. Such features, so common at traditional offices, have now been adapted to more easily include those working from home or in other locations. The goal is to deliver a powerful and more dynamic alternative to screen sharing.
Webex Calling Local Survivability
While on the topic of Webex, one of the biggest reasons many organizations have been hesitant to move their phone system into the cloud has been a concern over how to stay connected in the event of an internet outage. The healthcare industry in particular often deals with life or death situations on a daily basis and cannot sacrifice even a moment of unavailability from their phone system. So Cisco has added local survivability to its Webex Calling solution to help ensure there is always a router or desk phone fallback available for those moments when your network may have failed. By being less reliant on internet connectivity, industries that require highly dependable communications services can feel much safer about migrating their phone system into the cloud.
Panoptica and Calisti
Panoptica and Calisti are two new additions to Cisco’s suite of API-first solutions and tools. They are designed to provide faster application development cycles, and enable organizations to achieve the sort of modern application connectivity, security, and observability that results in high quality digital experiences. These tools make it easier to manage and secure distributed application architectures so developers can programmatically discover, connect, secure, and observe APIs, applications, and workloads throughout their cloud journey.
Panoptica enables developers and engineers to incorporate cloud-native security during the application development process. It has the ability to scale across multiple clusters with an agentless architecture, integrates with CI/CD tools and language frameworks across multiple clouds, and provides a single interface for comprehensive container, serverless, API, service mesh, and Kubernetes security.
Calisti simplifies connectivity, lifecycle management, and security for microservices in complex, multi-cloud environments. It’s an enterprise-ready Istio platform that makes it easier for application teams to focus on application logic, and for site reliability engineers to control and scale services, de-risk upgrades, find root causes, and monitor service-level objectives.
Panoptica and Calisti are available for free.
Last but not least, if you’re looking to engage in learning and training for a particular technology certification, role, or solution, Cisco has introduced a new platform to achieve those goals called Cisco U. Its purpose is to construct a custom learning program based around the individual user’s preferences and skill level. The process begins with assessments and goal setting to best determine your specific needs. AI-driven recommendations and personalized feedback are then provided so users can map out the strongest path toward growing their skills and achieving more with them. That means targeting only the courses and content relevant to your goals in order to reduce repetitive learning and complete things faster. There are solution-based learning paths centered on Cisco and related technologies, as well as project-based learning paths centered on specific topics. Cisco U. includes both Cisco learning content as well as training from select third-party providers.
As you can see, there are plenty of exciting new technologies and developments that have either just been released or are in the pipeline for Cisco later this year. At Sentinel we are staying on top of all the latest innovations, and are eager to share more information about them in the coming weeks, months, and years. In the meantime if you would like to know more, please don’t hesitate to contact us and we will get the conversation started!
A Closer Look at SASE
What is SASE?
SASE stands for Secure Access Service Edge. It is a cloud-based network infrastructure model built around a combination of network and security services. The goal is to ensure your organization's devices and users can securely access critical systems and applications at any time from anywhere. Gartner predicts that 40% of enterprises will have established a strategy around SASE by 2024, up from only 1% in 2018. That estimate may end up being conservative, since a vast majority of this shift is being driven by an increase in cloud consumption, the adoption of multi-cloud environments, as well as the acceleration of hybrid/remote workers since the start of the pandemic.
SD-WAN plays a primary role in a SASE model. It offers an incredible return on investment (ROI) and excellent customer experience when it comes to consuming cloud applications. As traffic patterns move away from the private data center and into cloud data centers and Software as a Service (SaaS) platforms, the edge becomes more complex and requires a solution like SD-WAN to intelligently route traffic in the right direction. This helps hybrid and remote workers access the same services and applications as on-premises employees, creating a seamless experience no matter the location.
What has driven the recent surge in popularity of SASE?
A lot of people think that SASE is just SD-WAN because you are optimizing your circuits, optimizing your connectivity, developing a next-generation network, and shifting away from legacy technologies such as DMVPN, MPLS, and hard-wired internet access. But beyond those things, SASE includes a number of security elements and other smart features. When the pandemic hit and the workforce suddenly went remote, many organizations had to open up VPN technologies, extend AnyConnect licenses, and find new ways to keep users safe while they were scattered all over the place. In some cases businesses had a next-generation firewall that only protected on-premises workers, so they needed to find a way to extend that coverage. Identity and access, multi-factor authentication, and URL filtering have all received a major boost these last couple of years. Technologies such as Cisco Umbrella, SD-WAN, and Viptela have also been migrated to the cloud so they're accessible no matter where employees are located, really driving the conversation and rapid adoption of SASE today.
What are some Cisco offerings related to SASE?
Cisco’s SASE model breaks things down into three pieces: networking, security, and observability. In networking, they are the largest SD-WAN provider on the market, with solutions that include Meraki and Viptela. It makes them a leader in the Gartner Magic Quadrant. In security they've taken Umbrella, which was originally just for DNS security, and developed it into a full security stack in the cloud. That has been incredibly successful for them as well. Cisco's somewhat recent acquisition of ThousandEyes helped put that last piece of observability in place. If you have multiple circuits going to multiple locations, ThousandEyes provides visibility to help you determine which circuit is best for which application to improve both the speed and quality of user experiences.
While the pandemic and remote work have certainly escalated the adoption of SASE, so has the movement of large portions of organizational infrastructure into the cloud alongside SaaS solutions. It makes no sense to have a user VPN into your network and then hairpin straight back out into a SaaS solution. While most SaaS applications have built-in security, that's certainly not their primary focus, so organizations are smart to place their security stack in front of all that to ensure the user remains protected whether they're on-premises, at home, or in a cafe somewhere. All that is to say Cisco feels very well positioned in the SASE space, and Gartner agrees.
What is Sentinel's SASE Workshop, and what does it include?
Sentinel's SASE Workshop is available free of charge, and only takes about 90 minutes to complete. Members of the Sentinel team sit down with your organization and begin by gathering information about your IT environment. Once we understand what technology and systems comprise your environment, the goal is to figure out how to leverage cloud services to improve application performance, user performance, and overall security. While cost savings may play a large role in determining what you're ultimately able to do, it's also essential to understand the many benefits and ROI that can be achieved through committing to a SASE model.
As an example, not too long ago a large internet provider had a system-wide outage. Certain Sentinel customers that had a true SASE model running with Cisco Viptela and SaaS-based applications like Duo and Salesforce didn't experience the outage at all. We were monitoring the health of their SaaS-based applications and immediately re-routed them to a different service provider once it became clear they were unreachable through the carrier's primary link. Customers still using legacy technologies such as DMVPN were left without service for hours, costing time, money, and productivity. So not only can SASE lower costs, but it can really improve the user experience as well.
When it comes to security posture, a lot of organizations will just check off boxes. They'll deploy a next-generation firewall, some Cisco Adaptive Security Appliance (ASA) software, or Firepower Threat Defense (FTD) and think these solutions will handle their needs and keep their environment safe. Some organizations refuse to use tools like SSL decryption out of concern for how it would impact the performance of their current, on-premises firewall. But if you can move to an expandable cloud-based firewall or Secure Internet Gateway (SIG), you can apply SSL decryption rules on that traffic in the cloud without the need for a much bigger on-premises firewall for your users. The same rules apply to every user no matter their location.
So the SASE Workshop details how Sentinel can help improve your security, along with other deliverables and outcomes that can benefit your organization. You may need to look at your monthly costs and do an ROI evaluation to explore the possibility of implementing dual divergent internet circuits and SD-WAN. Typically it takes organizations an average of 4-6 months to achieve a complete ROI on that, where legacy circuits such as MPLS or point-to-point T1s are converted over to direct internet fiber circuits with Viptela as an overlay. We can conduct these kinds of evaluations as part of the SASE Workshop as well.
One other key part the Sentinel team can cover in the SASE Workshop is: Where do I begin? There are so many different components to consider when adopting a SASE model, and it all depends on the strategy you develop in accordance with a timeline. For example, you may want to have a full SASE solution ready to go in three years, but right now your first priority might be to upgrade your routers. If you're not ready for cloud security right away, focus on making sure any new routers purchased can actually work within a SASE environment. Perhaps you're good on the edge, but need to upgrade your firewalls or centralize your security. If the vision is to get to the SASE model, you need to determine where you can take a step in the right direction and then make sure you're continually on the path established by your roadmap. Sentinel's SASE Workshop can help figure out where you are, what investments you've made, what you're ready for, what the next step might be, what some short-term goals are that you can set, and then we'll work with you to build a plan and make it a reality.
If you’re interested in learning more about SASE and/or Sentinel’s SASE Workshop, please contact us or reach out to your Sentinel account manager.
Contact Center Modernization
by Adam Bertram, Sentinel National Director of Enterprise Architecture and Innovation
Webex Contact Center is Cisco’s Contact Center as a Service platform that provides not only traditional channels such as voice, chat, and email, but also a suite of digital channels that allows your customers to connect with your organization using their preferred communication method. The Contact Center, also known as the Customer Experience Center, has evolved into one of the most important interaction points an organization has with its customers, partners, and internal users. This creates new opportunities for organizations to improve customer satisfaction by leveraging technologies that Webex Contact Center can bring to the table such as machine learning and AI, self-service bots and integrations, and contextual interaction history.
Many organizations still use premises-based contact center solutions, but may be considering migration to a cloud contact center as a way to modernize their customers’ experiences. This piece will explore the benefits a cloud contact center can bring to your organization, along with what to consider when making the transition.
There are typically three primary motivating factors that cause organizations to consider moving to a cloud-based contact center.
First and foremost among them is that their current premises-based contact center solution has reached end of support and/or end of life, is up for a maintenance contract renewal, or is in desperate need of an update/upgrade. Sometimes an organization will fall behind and miss/skip multiple updates, making it increasingly difficult to get back to the most recent version. The question becomes whether it’s worth the time and expense to continue investing in frequent maintenance and updates from a third-party provider to keep an outdated/no longer supported premise system running, or if it would be better and easier to eliminate those responsibilities by moving into the cloud.
The second factor frequently cited as a reason to invest in a cloud-based contact center comes from a shift in operational focus. It’s basically the desire to get out of running a phone system and contact center system in order to focus more on improving the customer experience. Physical contact centers are often the lifelines of organizations, but require physical servers, voice gateways, virtual machines, PSTN circuits, third-party applications, wallboard apps, and the many other components that all must be regularly maintained. Shifting to an operational, as-a-service cloud contact center model puts significantly less strain on your resources and team, so they can redirect their focus to business goals and initiatives rather than simply keeping the lights on.
It's also worth mentioning that moving to a cloud contact center changes the cost model from an annual capital expenditure (CapEx) to a monthly operational expenditure (OpEx). Some industries that get funding on an annual basis may not be able to use an OpEx cost model. A big driver with OpEx is the flexibility to expand and grow without needing to worry about all of those physical components that come with an on-premises system. There’s nothing worse than needing to account for 20% or 30% growth on a premises-based system and then having a trickle-down effect where you worry whether things such as the voice gateway and server sizes are big enough to accommodate the expansion.
The third and final factor motivating organizations to switch to a cloud contact center is the limited feature set of their premises-based system. Premises-based contact centers tend to be really focused around the voice channel. A lot of the feature set and capabilities are built around voice interaction and not so much the digital interactions. Many Sentinel customers use Cisco Contact Center Express for their premises system, which does have the ability to add chat and email inside of the foundational product. If you want to expand beyond that, though, you’d probably have to add some third-party products, which again creates challenges with sizing all of the different components within the environment to account for that. Cisco and others that have cloud-based contact center platforms are limiting new investments in premises-based solutions. Most are still maintaining and supporting them in a keep-it-going type of mode for now, but all the new features and capabilities are being deployed to cloud contact center platforms.
Your customers, members, or patients (whatever a contact is to your organization) are demanding a better experience. They want you to engage with them using their preferred channels and not necessarily the ones you offer. Oftentimes it’s not voice. Very few people these days enjoy engaging or waiting on the phone to talk to somebody unless they absolutely have to. They’d rather reach out through chat or even SMS if it’s available.
On the other side of the coin, the finite feature set offered by a cloud-based contact center also creates a better agent and supervisor experience for internal employees. If agents are productive and have an easy-to-use contact center platform, that will factor into their interactions with customers, members, or patients. By considering both the internal and external experiences when modernizing your contact center, it can create a better overall sense of satisfaction for all users.
A cloud contact center offers a number of remarkable benefits.
Flexibility. It goes without saying, cloud contact center was born native in the cloud, making it easy to support agents no matter where they are provided there’s an internet connection and a web browser. You can’t get much simpler than that. You could even support them on a mobile device if you needed to in a pinch. That flexibility just hasn’t been there for premises-based solutions.
At the start of the pandemic, a lot of organizations with premises-based contact centers really struggled to adapt as their agents went remote, whereas those with cloud contact centers were either already allowing agents to work remotely or made the adjustment pretty easily. A lot of the premises-based contact centers require complex VPN setups for those agents to work from home, so flexibility in a cloud contact center certainly makes things very compelling. You can support that remote and hybrid work straight out of the box, you can do it securely, and don’t need to work with other cumbersome technologies such as VPN that not only add costs but also complexity to the end agents’ stations. You can also grow and expand a cloud contact center platform without any concerns about the platform itself. It’s built to be evergreen, it’s built to be elastic, and from that standpoint you don’t have to worry about other infrastructure components that may prevent you from doing that today.
A digital-first approach. Cisco has been investing heavily in going beyond the standard voice, chat, and email channels and adding in features such as virtual agents and self-service interactions via an IVR, bot, or SMS. These technologies are getting sophisticated to the point where sometimes it’s difficult to tell whether you’re interfacing with a real human agent or if it’s actually machine learning/AI. The more those get fine tuned into your organization and the questions your customers are commonly asking, the better that experience can be, which translates to offloading a lot of that burden from your expensive agents in live interaction.
It’s next to impossible in most cases to have true omnichannel agents where they’re handling voice calls but also responding to chats, emails, and social media. Self-service is important to help improve operational efficiencies. This means going beyond the bots to add something like SMS as a channel, which is a common one many organizations are ignoring today. They’ve done maybe a little bit of web chat, but SMS is a next generation channel a lot of customers are demanding.
Then there’s social media and being able to capture your social footprint. It enables you to see real-time feedback and bring negative comments into the contact center so they can be responded to in a timely fashion. It’s less about adding every channel under the sun and more about your overall interaction footprint for customers to engage with you. Do you have a way to address some of these other ancillary channels that go beyond voice? All it takes is one rant or tweet to go viral, so being able to have the company officially respond to that and then engage separately in a more customer-centric space can make an incredible difference.
Visual Flow Designer. When it comes to editing and improving moves, adds, and changes to your workflows, a lot of times those are scripts using thick proprietary editors that are very much tuned to an engineer. One thing Cisco has spent a lot of time developing with Webex Contact Center is the visual flow designer. It’s very much a “drag and drop,” “low code, no code” type of interface, so you can lower the barrier for customers to make their own changes. That’s really the end goal: to make that interface intuitive, easy to use, and less intimidating to a non-technical business user such as a supervisor who needs to handle some minor moves, adds, and changes.
If you have complex workflows and a lot of things going on then you’re probably not going to have your contact center manager go in and make changes, but for regular adjustments like tweaking a threshold or variables or something that alters the way calls are routed, you can get that non-technical person into that interface without needing to involve a technical resource to make those moves, adds, and changes.
Reporting and Analytics. You can’t have a contact center without reporting. One key component of many cloud contact centers is that they include both a reporting and an analytics engine. A lot of legacy, premises-based solutions focus primarily on the reporting of metrics: what’s my service level, how many abandoned calls do I have, how many calls are in queue, what’s my talk time and my ready time, and so on. These are somewhat static metrics and can be very one-dimensional in nature. By cross-analyzing all the ways customers interact with your contact center and comparing that to agent activity, you can start to measure that data against different business metrics. Basically you can provide some analysis on your static reporting and tie it to things that are more meaningful to the business as you make decisions.
The metrics will say if you’re meeting your service level agreement (SLA) or not, but what needs to happen if you’re not meeting those numbers? Maybe if you have deeper insights into where you’re failing by breaking down that SLA into certain components or areas where an agent may be struggling, then you can tactically work on improving interactions. Or maybe there’s an issue with chat where a bot is giving a wrong result or creating frustrations that escalate to a live agent. Those are definitely areas where analytics can provide actual insight.
Cisco has done wonders for cloud contact centers with their new analyzer tool. If you’re currently using an on-premises version of Cisco Contact Center Express (UCCX), they also include UCCX reports in the analyzer to help aid in the transition from the old standard reporting to understanding the terminology and some newer metrics available in Webex Contact Center.
Experience Management. Cisco recently acquired CloudCherry, which was widely known in the IT industry as an analytics company. They have survey capabilities in the platform tied to Net Promoter Scores (NPS) and Customer Satisfaction Scores (CSAT) to measure different areas of the contact center and provide insights. For most organizations, especially ones with a premises-based contact center, the measurement of customer experience tends to be a blind spot.
Webex Experience Management, as CloudCherry is now known inside the Webex portfolio, enables organizations to start measuring and analyzing the customer journey through various surveying options. You can standardize to different industry metrics such as NPS and generate data that is contextual and actionable. Contact center agents can not only access a customer’s interaction history and what channels they used each time, but because of surveys following those interactions there’s also NPS data, satisfaction data, and sentiment data available which may factor into their approach. If a customer has had a very unpleasant experience, the agent may talk to them differently or offer a special discount or something. Organizations don’t often realize how much that data and analytics can affect the overall agent experience and how they interact with each customer.
Integrations. Webex Contact Center was born in the cloud and is built on a modernized, web-based framework, so it goes without saying there is a fair amount of integration capability with the platform. Cisco uses the connectors model for integrating with popular line of business applications such as Salesforce, Microsoft Dynamics, and ServiceNow. They also have system connector options. Any line of business application today, whether it be Salesforce or maybe an electronic medical records (EMR) system if you’re in the healthcare space, includes a REST-based API. It’s a way for users to interface with these systems through a standards-based technology. Custom connectors within Webex Contact Center enable organizations to interface with just about any platform. As a Cisco partner, Sentinel can not only provide service expertise, but also help customers interface Webex Contact Center with other line of business applications that don’t have an out-of-the-box connector already built.
Webex Contact Center offers a lot of different benefits and features for organizations ready to shift those operations into the cloud. If your organization is interested in transitioning to a cloud contact center, Sentinel offers a no-cost Contact Center Modernization Workshop. Over the course of 90-120 minutes our team takes a close look at several contact center areas where there are opportunities for your organization to make changes and improvements to the experience. After the workshop we provide a report with key next step recommendations to start the transition. If you are interested in learning more about Webex Contact Center or any of the topics explored in this piece, please reach out to a Sentinel representative or contact us. We are happy to talk about your current contact center and where the pain points are so you can start finding ways to make improvements.
Identity and Access Management with AWS
Amazon Web Services (AWS) Identity & Access Management (IAM) plays a critical role in the success of all AWS features. AWS IAM enables administrators to granularly control who can perform what actions with any AWS features and under what conditions. Sentinel Technologies and Fortis by Sentinel are always working to provide the best possible security for our customers, which includes the ability to utilize critical services like AWS IAM within their own cloud environments.
AWS IAM offers a number of different customizable options that enable organizations to remain secure while growing their presence in the public cloud. Administrators can take advantage of settings that allow them to:
+ Configure IAM roles for explicit authorization and delegation models
+ Establish single sign-on (SSO) with your organization’s existing identity providers
+ Develop policies to restrict and/or limit authorization based on conditions such as multi-factor authentication (MFA) or the location of the user
+ Set up baselines to restrict access to regions and services not in use
+ Maintain up-to-date posture by analyzing existing authorizations
These are just a few ways AWS IAM can help increase your protection and instill confidence with your current and future public cloud investments.
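As an added illustration of the MFA, location, and region conditions listed above (this is example code written for this page, not Sentinel's or AWS's own), the block below embeds a constructed IAM policy and a deliberately small local evaluator that shows how its statements combine. The condition keys aws:MultiFactorAuthPresent, aws:RequestedRegion and aws:SourceIp are real IAM global condition keys; the statement names, region list and the 203.0.113.0/24 address range are placeholders. The evaluator models only the IAM rules the example needs (an explicit Deny always beats an Allow, everything not allowed is denied, Action/NotAction wildcards, three condition operators) and ignores Resource; it is a teaching aid, not a replacement for the IAM policy simulator.

```python
"""Added example (not Sentinel's or AWS's code): IAM conditions for MFA,
source address and region, plus a toy evaluator showing how they combine."""
import fnmatch
import ipaddress
import json

# Constructed policy. 203.0.113.0/24 is a documentation range used as a placeholder
# for a corporate egress network; the region list is likewise a placeholder.
POLICY_JSON = """
{
  "Version": "2012-10-17",
  "Statement": [
    {"Sid": "AllowBaseline", "Effect": "Allow",
     "Action": ["ec2:*", "s3:*"], "Resource": "*"},
    {"Sid": "DenyWithoutMFA", "Effect": "Deny",
     "NotAction": ["iam:ChangePassword", "sts:GetSessionToken"], "Resource": "*",
     "Condition": {"BoolIfExists": {"aws:MultiFactorAuthPresent": "false"}}},
    {"Sid": "DenyUnusedRegions", "Effect": "Deny",
     "NotAction": ["iam:*", "sts:*", "cloudfront:*", "route53:*"], "Resource": "*",
     "Condition": {"StringNotEquals": {"aws:RequestedRegion": ["us-east-1", "us-east-2"]}}},
    {"Sid": "DenyOutsideCorpNetwork", "Effect": "Deny",
     "Action": "*", "Resource": "*",
     "Condition": {"NotIpAddress": {"aws:SourceIp": "203.0.113.0/24"}}}
  ]
}
"""
POLICY = json.loads(POLICY_JSON)


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _statement_applies(stmt, action):
    """Action/NotAction matching with IAM-style '*' wildcards (Resource is ignored here)."""
    if "Action" in stmt:
        return any(fnmatch.fnmatchcase(action, p) for p in _as_list(stmt["Action"]))
    return not any(fnmatch.fnmatchcase(action, p) for p in _as_list(stmt["NotAction"]))


def _condition_true(cond, ctx):
    """True when every clause matches the request context.

    Only BoolIfExists, StringNotEquals and NotIpAddress are modelled. BoolIfExists
    treats a missing key as a match: requests signed with long-term access keys
    carry no aws:MultiFactorAuthPresent key at all, so this is what makes the
    MFA deny cover them. The other two operators require the key to be present.
    """
    for op, pairs in cond.items():
        for key, expected in pairs.items():
            if op == "BoolIfExists":
                if key in ctx and ctx[key].lower() != str(expected).lower():
                    return False
            elif op == "StringNotEquals":
                if ctx[key] in _as_list(expected):
                    return False
            elif op == "NotIpAddress":
                src = ipaddress.ip_address(ctx[key])
                if any(src in ipaddress.ip_network(c) for c in _as_list(expected)):
                    return False
            else:
                raise NotImplementedError(op)
    return True


def evaluate(policy, action, ctx):
    """Return ('Deny', sid), ('Allow', sid) or ('Deny', 'implicit') for one request."""
    allowed_by = None
    for stmt in policy["Statement"]:
        if not _statement_applies(stmt, action):
            continue
        if not _condition_true(stmt.get("Condition", {}), ctx):
            continue
        if stmt["Effect"] == "Deny":
            return "Deny", stmt["Sid"]  # an explicit Deny always wins
        allowed_by = allowed_by or stmt["Sid"]
    return ("Allow", allowed_by) if allowed_by else ("Deny", "implicit")


if __name__ == "__main__":
    console = {"aws:MultiFactorAuthPresent": "true",
               "aws:RequestedRegion": "us-east-1", "aws:SourceIp": "203.0.113.5"}
    print(evaluate(POLICY, "ec2:RunInstances", console))
    print(evaluate(POLICY, "ec2:RunInstances", {**console, "aws:RequestedRegion": "eu-west-1"}))
    # Access-key request: no MFA key in the context, so the BoolIfExists deny applies.
    print(evaluate(POLICY, "s3:ListAllMyBuckets",
                   {"aws:RequestedRegion": "us-east-1", "aws:SourceIp": "203.0.113.5"}))
```

Two design points worth noting when adapting this to a real account. The region statement uses NotAction to exempt global services (IAM, STS, CloudFront, Route 53) so the baseline does not lock administrators out of identity management itself. The source-address deny is the blunt form of a "location" condition: because it applies to every action, it also blocks calls that AWS services make on a user's behalf and traffic arriving through VPC endpoints, so in practice it is paired with additional context keys (for example aws:ViaAWSService) or scoped to specific actions before it is attached to anyone.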
Cooper’s Hawk Winery & Restaurants has locations all over the United States that offer a modern casual dining experience in an upscale setting that includes handcrafted wines, a Napa-style tasting room, and an artisanal market. They were eager to improve the operations and security of their AWS use cases, and worked closely with Sentinel throughout that process. Sentinel used AWS IAM to strengthen the protection of critical public cloud assets and streamline day-to-day operations within all Cooper’s Hawk AWS instances.
Securing AWS environments can be challenging, with a multitude of services and solutions available that offer different types of protection. Sentinel brings knowledge on how to take advantage of these services to achieve the best visibility and security for your specific AWS environment. For example, AWS GuardDuty can extend the security capabilities of AWS to identify and monitor anomalous or potentially malicious activities across multiple AWS resource types, including IAM access keys.
If you are interested in learning more about AWS IAM or any other AWS products, please contact us or reach out to your Sentinel Account Manager.
A Closer Look at AWS Route 53
Sentinel Technologies focuses on providing valuable solutions to our customers that optimize their technology environments. Recently Sentinel has helped several customers with the consolidation and simplification of their public domain name system (DNS) resolver functionality utilizing Amazon Web Services (AWS) Route 53. Organizations often have multiple domain names to facilitate access to their services. Each domain name must be registered and includes records that need to be maintained. For example, Sentinel has registered the sentinel.com domain and there are a number of additional records associated with it. Route 53 handles user requests to an organization’s infrastructure elements running both inside and outside of the AWS cloud.
ECHO Joint Agreement provides special education services to a cooperative of 17 school districts for approximately 1,000 students. Sentinel worked with ECHO to facilitate the consolidation and migration of multiple resolver and registrar services to AWS Route 53. It created a simplified experience for the ongoing management of their public DNS functions and enabled them to take advantage of numerous integrations with other AWS products.
AWS Route 53 is a foundational component for all other AWS products. It’s such an essential AWS product that Amazon makes every effort to ensure it remains 100% available as part of the service level agreement (SLA). Route 53 is also a fantastic way to integrate with other AWS products for additional benefits. Static web pages can be hosted in Simple Storage Service (S3) and secured with included Transport Layer Security (TLS) certificates through the CloudFront Content Delivery Network (CDN). Dynamic web services like WordPress can be hosted in the AWS Virtual Private Server (VPS) product Lightsail.
The AWS product catalog is so large it can initially be quite daunting to work through and identify applicable products with valuable benefits, but the rewards for doing so are worth the effort. As an AWS Consulting Services Partner, Sentinel focuses on building innovative and beneficial solutions for customers that leverage these products. Route 53 is an excellent product with a low barrier of entry that can help all types of organizations achieve more and improve the operation of their IT environment.
If you are interested in learning more about AWS Route 53 or other AWS products, please contact us or reach out to your Sentinel Account Manager.
International Agencies Release Joint Cybersecurity Advisory for Global Ransomware Threats
by Ellen McCullough, Fortis Cyber Security Analyst
The FBI, CISA, ACSC, and NCSC-UK have released a joint cybersecurity advisory that addresses the continually increasing globalized threat of ransomware. They report that over 87% of the critical infrastructure sectors in the United States have been targeted by these attacks. Targeted sectors include Emergency Services, Food and Agriculture, Government, and IT sectors among others. Over the course of 2021 and into 2022, these attacks have continued to evolve, and the advisory mentions some notable trends in recent incidents.
After incidents that were categorized as "big game hunting" resulted in heavy government scrutiny and major penalties, ransomware groups have shifted tactics somewhat to target smaller victims in an effort to evade high profile federal investigations. The threat actors have also employed double and triple extortion by not only encrypting the victims' networks but also threatening to publish stolen data online, disrupt network availability, and/or disclose the incident to key stakeholders. These tactics are used in an effort to increase the chances that the victim will pay the ransom.
The initial access vectors that continue to be observed are phishing, exploitation of Remote Desktop Protocol (RDP) through weak configurations or stolen credentials, and exploitation of unpatched vulnerabilities. The advisory states that these remained the top three initial infection vectors in 2021.
The impact of these attacks has increased through the adversaries' targeting of cloud infrastructure, the software supply chain, managed service providers, industrial processes, and strategic timing such as initiating attacks on holidays or weekends.
Recommended mitigations to reduce the risk of a successful attack include patching diligence, password requirements and implementation of multifactor authentication (MFA), user security and awareness training, secured and monitored RDP use, and adequately securing and monitoring Linux and cloud environments. Further mitigations to limit the ability of adversaries to perform lateral movement and network enumeration include network segmentation, end-to-end encryption, least privilege and time-based access for privileged users, use of network monitoring and documentation of external remote connections, disabling and constraining unused scripting and command line utilities, and maintaining encrypted offline backups.
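The RDP access vector described above and the recommendation to monitor RDP use point to one concrete check a SOC can run: a burst of failed RemoteInteractive logons from a single source followed by a success from that same source. The script below is an added example, not part of the advisory or of Sentinel's tooling; it runs that check over constructed Windows Security events flattened to one line each, and the line format, field names and threshold are assumptions.

```python
import re
from collections import defaultdict

# Constructed sample of Windows Security events, flattened one per line (not real log data).
# EventID 4625 = failed logon, 4624 = successful logon; LogonType 10 = RemoteInteractive (RDP).
SAMPLE_EVENTS = """\
2022-02-10T02:14:01 EventID=4625 LogonType=10 TargetUser=admin SourceIP=203.0.113.7
2022-02-10T02:14:03 EventID=4625 LogonType=10 TargetUser=admin SourceIP=203.0.113.7
2022-02-10T02:14:05 EventID=4625 LogonType=10 TargetUser=administrator SourceIP=203.0.113.7
2022-02-10T02:14:08 EventID=4625 LogonType=10 TargetUser=backup SourceIP=203.0.113.7
2022-02-10T02:14:10 EventID=4625 LogonType=10 TargetUser=svc_sql SourceIP=203.0.113.7
2022-02-10T02:14:15 EventID=4624 LogonType=10 TargetUser=svc_sql SourceIP=203.0.113.7
2022-02-10T02:20:00 EventID=4624 LogonType=10 TargetUser=jsmith SourceIP=10.0.0.25
2022-02-10T02:21:00 EventID=4625 LogonType=3 TargetUser=jsmith SourceIP=10.0.0.25
"""

EVENT_RE = re.compile(r"^(?P<ts>\S+) EventID=(?P<id>\d+) LogonType=(?P<lt>\d+) "
                      r"TargetUser=(?P<user>\S+) SourceIP=(?P<ip>\S+)$")

def parse_events(text):
    """Parse the flattened events, silently skipping lines that do not match the shape."""
    return [m.groupdict() for m in map(EVENT_RE.match, text.splitlines()) if m]

def find_rdp_password_guessing(text, threshold=5):
    """Flag source IPs with >= threshold failed RDP logons, and note any RDP success
    from the same source after the last failure (guessing followed by success)."""
    by_ip = defaultdict(lambda: {"4625": [], "4624": []})
    for ev in parse_events(text):
        # Only RemoteInteractive (RDP) logons matter here; network (type 3) noise is ignored.
        if ev["lt"] == "10" and ev["id"] in ("4625", "4624"):
            by_ip[ev["ip"]][ev["id"]].append(ev)
    findings = {}
    for ip, evs in by_ip.items():
        fails = evs["4625"]
        if len(fails) < threshold:
            continue
        last_fail = fails[-1]["ts"]   # ISO-8601 timestamps compare correctly as strings
        later = [s["user"] for s in evs["4624"] if s["ts"] > last_fail]
        findings[ip] = {"failed_attempts": len(fails),
                        "distinct_users": sorted({f["user"] for f in fails}),
                        "success_after_failures": later}
    return findings
```

A source that appears with a non-empty success_after_failures list is the one to triage first, since it matches the stolen-or-guessed-credential pattern the advisory describes rather than plain scanning noise.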
As the number of cyberattacks continues to increase at an exponential level, the Fortis by Sentinel team remains vigilant in our mission to stop breaches before they occur. We are fighting for you with 24x7x365 monitoring of your environment through our Security Operations Center (SOC), Incident Response, and Threat Intelligence teams to help lower the time to detect and respond to active threats. Our Incident Response team is always ready to engage at (844) 297-4853. Please contact us if you would like to learn more about how Fortis by Sentinel can help protect your organization from all types of cyber threats.
For more detailed information on the technical details of this advisory and recommended mitigations relating to the rising trend of ransomware, as well as external references, please view the joint cybersecurity advisory in its entirety at the government IC3 website.
