Welcome to the Sentinel Blog!
We are proud to feature a carefully curated collection of articles and other content related to the most important technology topics of today and beyond. Our posts are composed and edited by Sentinel’s ALWAYS ENGAGED team of solutions architects, engineers, project managers and other subject matter experts.
Security Advisory: Cisco Reports Corporate Network Breach
Cisco Security Incident Response and Cisco Talos released information on 8/10/22 regarding a security incident that occurred within the Cisco corporate network that was identified in late May of 2022. Cisco determined that although files from the incident were published to the dark web on 8/10/22, they feel confident the incident was isolated to the Cisco corporate network and does not impact any Cisco products or services, sensitive customer data or employee information, Cisco intellectual property, or supply chain operations. Although no ransomware was deployed during this incident, the Talos team indicates that the TTPs used were consistent with “pre-ransomware activity.” As of version 1.0 of their communication release, Cisco has stated that no customer or partner action is required for Cisco products or services. Please read on for additional details.
Incident and Activity Group Details
Cisco shared that initial access was achieved through an event chain including a compromised personal Google account with cached Cisco credentials in the browser, followed by successful voice phishing (vishing) and MFA fatigue, which allowed the adversary to gain access to the Cisco VPN under the context of the target user. The attacker then continued to escalate privileges, dropped well-known offensive tools such as Cobalt Strike, Mimikatz, Impacket, and PowerSploit, and created additional backdoor accounts to gain persistence in the environment. The Talos team observed tooling being staged in the Public user profile on affected systems and believes that the C2 infrastructure used was customized to this attack.
The Talos team reports the actor continued to escalate privileges and pivot through the environment using living-off-the-land techniques that abuse trusted Windows utilities, eventually obtaining privileged domain controller access. Credentials were then dumped using ntdsutil.exe via PowerShell and exfiltrated over SMB. Additional attempts were made to enumerate the environment and extract credentials with other well-known methods such as adfind, secretsdump, MiniDump, and extracting the SAM database.
The actor is reported to have made efforts to conceal forensic artifacts by clearing Windows event logs and removing local admin accounts that they had created. They also modified firewall configurations to enable and utilize Remote Desktop Protocol (RDP) access and installed common remote support tools.
Cisco reports the threat actor continued to attempt to access the environment after eviction, specifically focusing on previously compromised accounts, attempting to exploit weak password hygiene, and using newly registered domains that referenced the Cisco organization. The adversary also made spear phishing attempts during this time. The Talos team assessed that this activity is associated with an initial access broker tied to both UNC2447 and Lapsus$. For additional technical details and a list of IOCs, please refer to the Talos blog linked at the end of this release.
Fortis ActiveDefense Detection Coverage
Based on the tactics and techniques listed in the Talos blog, the Fortis ActiveDefense platform maintained comprehensive coverage throughout the MITRE ATT&CK phases provided in the blog. The Cisco CSIRT team also indicated they have updated their security products with intelligence gained from observing the bad actor’s techniques and shared Indicators of Compromise (IOCs) via the Talos blog. The Fortis by Sentinel SOC team is also performing dedicated threat hunting for this specific communication. If any suspicious activity around these indicators of compromise is found, a SOC analyst will be in touch.
The Fortis Threat Intelligence team is working diligently to review the IOCs and artifacts provided by the Talos team and implement any new detections to assist in identifying threats associated with this activity. The Fortis team will continue to monitor Cisco communications for updates – especially those that may affect Cisco partners or customers.
Additional Recommendations and Best Practices
Given Cisco’s unique visibility into this activity as a security product owner, they have provided a number of recommendations. High on the list is the recommendation for comprehensive user education to assist in thwarting social engineering attacks such as those used in this incident. Further recommendations include proper network segmentation, remote endpoint posture checking, comprehensive log collection to avoid visibility gaps, maintaining periodically tested offline backups, and command line auditing to gain visibility into suspicious activity involving trusted utilities.
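As an added illustration of the command line auditing and log collection recommendations above (example code written for this post, not Cisco’s, Talos’s or Fortis’s detection logic), the following Python sketch applies a handful of rules to constructed Windows Security-style event records covering the behaviours the advisory describes: an ntdsutil-based NTDS extraction, tooling run from the Public user profile, a firewall change enabling RDP, a local account created and then removed, and the Security log being cleared. The event IDs, field names and the sample timeline are assumptions modelled loosely on Windows auditing; none of the values are indicators from the Talos report.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Tuple

@dataclass
class Event:
    """Minimal stand-in for a Windows Security event (constructed, not real log output)."""
    event_id: int            # assumed IDs: 4688 process creation, 1102 audit log cleared,
                             # 4720 account created, 4726 account deleted
    host: str
    user: str
    parent: str = ""         # parent process image (4688)
    image: str = ""          # new process image path (4688)
    cmdline: str = ""        # full command line (4688); only present if command line auditing is on
    target: str = ""         # account name (4720/4726)

# Patterns derived from the behaviours described in the advisory above.
NTDS_DUMP = re.compile(r"\bntdsutil(\.exe)?\b.*\bifm\b.*\bcreate\b", re.IGNORECASE)
SAM_SAVE = re.compile(r"\breg(\.exe)?\s+save\s+hklm\\sam\b", re.IGNORECASE)
RDP_FW = re.compile(r"\bnetsh\b.*\badvfirewall\b.*\benable=yes\b", re.IGNORECASE)
PUBLIC_PROFILE = re.compile(r"\\users\\public\\", re.IGNORECASE)

Finding = Tuple[str, str, str]   # (rule name, host, detail)

def check_process_event(ev: Event) -> List[Finding]:
    """Rules that need the command line of a process-creation event."""
    out: List[Finding] = []
    if NTDS_DUMP.search(ev.cmdline):
        # ntdsutil "ifm" snapshots NTDS.dit; the parent tells you whether a script launched it
        out.append(("ntds_ifm_dump", ev.host, f"parent={ev.parent}"))
    if SAM_SAVE.search(ev.cmdline):
        out.append(("sam_hive_export", ev.host, ev.cmdline))
    if RDP_FW.search(ev.cmdline) and ("3389" in ev.cmdline or "remote desktop" in ev.cmdline.lower()):
        out.append(("rdp_enabled_via_firewall_change", ev.host, ev.cmdline))
    if PUBLIC_PROFILE.search(ev.image):
        out.append(("execution_from_public_profile", ev.host, ev.image))
    return out

def analyse(events: List[Event]) -> List[Finding]:
    """Walk a time-ordered event list and return every rule hit."""
    findings: List[Finding] = []
    created: Dict[Tuple[str, str], str] = {}   # (host, account) -> creator, pairs 4720 with a later 4726
    for ev in events:
        if ev.event_id == 4688:
            findings.extend(check_process_event(ev))
        elif ev.event_id == 1102:
            findings.append(("security_log_cleared", ev.host, f"cleared by {ev.user}"))
        elif ev.event_id == 4720:
            created[(ev.host, ev.target.lower())] = ev.user
        elif ev.event_id == 4726 and (ev.host, ev.target.lower()) in created:
            findings.append(("short_lived_local_account", ev.host, f"{ev.target} created then deleted"))
    return findings

# Constructed sample timeline (hypothetical hosts and users, not from the Talos report).
SAMPLE_EVENTS = [
    Event(4688, "DC01", "corp\\jdoe", parent="powershell.exe",
          image="C:\\Windows\\System32\\ntdsutil.exe",
          cmdline='ntdsutil.exe "ac i ntds" "ifm" "create full C:\\Users\\Public\\dump" q q'),
    Event(4688, "WS07", "corp\\jdoe", parent="cmd.exe",
          image="C:\\Users\\Public\\svc.exe", cmdline="svc.exe -k"),
    Event(4688, "WS07", "corp\\jdoe", parent="cmd.exe",
          image="C:\\Windows\\System32\\netsh.exe",
          cmdline='netsh advfirewall firewall set rule group="remote desktop" new enable=yes'),
    Event(4720, "WS07", "corp\\jdoe", target="z"),
    Event(4688, "WS07", "z", parent="explorer.exe",
          image="C:\\Windows\\System32\\notepad.exe", cmdline="notepad.exe"),
    Event(4726, "WS07", "corp\\jdoe", target="z"),
    Event(1102, "WS07", "corp\\jdoe"),
]

if __name__ == "__main__":
    for rule, host, detail in analyse(SAMPLE_EVENTS):
        print(f"[{rule}] {host}: {detail}")
```

Two of the five rules (ntds_ifm_dump and rdp_enabled_via_firewall_change) only fire when the command line is recorded, which is exactly the visibility gap the command line auditing recommendation closes; the short-lived account rule is the only one that needs state across events, and a real pipeline would also add a time window.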
As the number of cyberattacks continues to increase at an exponential level, the Fortis by Sentinel team remains vigilant in our mission to stop breaches before they occur. We are fighting for you with 24x7x365 monitoring of your environment through our Security Operations Center (SOC), Incident Response, and Threat Intelligence teams to help lower the time to detect and respond to active threats. Our Incident Response team is always ready to engage at (844) 297-4853. Visit fortisbysentinel.com for more information.
References and Additional Reading
Cisco Event Response Release
Cisco Live! 2022: Major Announcements
2022 marked the first full-fledged, in-person Cisco Live! conference in over two years. Sentinel was thrilled to be back among other Cisco partners and customers out in Las Vegas for the event last month, which was packed with educational seminars, information sessions, major announcements, keynote speeches, and fun social activities. A special thank you to everyone who showed up to Sentinel’s Cisco Live! Happy Hour, stopped by the Sentinel booth, or just generally spent some time chatting with any members of the Sentinel team. It was wonderful connecting and re-connecting with so many folks, and we hope to keep the lines of communication open in the coming weeks and months.
While there was so much to learn and experience at this year’s Cisco Live! (as there is every year), perhaps the most important part of the annual conference is the many announcements revealed by Cisco. These are always introductions or previews of new technology solutions, or significant changes/upgrades to current ones. We care deeply about these details because they affect our customers and their IT environments. In our mission to help you remain Always Leading, every change or innovation can further elevate your presence and enable you to build a stronger foundation for growth. Cisco made several major announcements at their conference this year, and we’re excited to share some of those highlights to make sure you’re aware of what’s coming down the pipeline.
Cloud Management for Cisco Catalyst
If your organization is using Catalyst network switches, wireless controllers, and/or wireless access points, you’ll soon be able to monitor and manage them through the cloud-based Cisco Meraki dashboard. This enables you to connect to your network from anywhere and see everything. You’ll be able to receive insights into your network, including every connected client and port-level configuration. That means more information about traffic flow, plus the ability to identify, isolate, and resolve issues with troubleshooting tools. The simplicity of the Meraki Cloud should make it easier than ever to operate your existing Catalyst switches!
Speaking of switches and the cloud, Cisco is taking its popular Nexus data center switches and transforming the brand into a Software as a Service (SaaS) offering. The data center used to be the epicenter of all things IT for an organization. As time has passed and new technologies have emerged, assets are now spread across the public cloud, colocation centers, SaaS, and more spaces. This has created challenges in ensuring availability, security, and performance across all of these platforms, services, and endpoints. Powered by Intersight, Nexus Cloud aims to make it easier than ever to deploy, manage, and operate your cloud network. This next generation of Nexus is poised to deliver world-class programmability, performance, and power efficiency to unify and innovate your network under a single platform.
ThousandEyes WAN Insights
The internet has become more important than ever to organizations, as many employees continue to work remotely, utilize cloud-based applications, and collaborate with co-workers on a regular basis without any losses in productivity. This increased reliance on the internet means applications and networks need to deliver a great user experience with minimal disruption. Cisco’s Predictive Network Vision aims to create a new level of performance by helping organizations anticipate certain application and network issues before they occur. ThousandEyes WAN Insights is a key step in making this a reality. It extends internet visibility into SD-WAN health, allowing for a closer look at your top applications, specific user experiences, and how those experiences can be improved by studying past behaviors. WAN Insights provides recommendations to fine-tune your SD-WAN deployment and take a proactive rather than reactive approach, minimizing problems before they start and increasing overall user satisfaction.
Cisco+ Secure Connect Now
Secure Access Service Edge (SASE) is a cloud-based network infrastructure model built around a combination of network and security services. The goal is to ensure your organization’s devices and users can securely access critical systems and applications at any time from anywhere. As the popularity of SASE continues to increase, Cisco has released Cisco+ Secure Connect Now, which is a simple and unified turnkey SASE solution. The goal is to deliver an incredibly smooth and powerful user experience that takes very little effort to seamlessly and securely connect to branches, things, and applications. It is essentially an out-of-the-box SASE solution that’s easy to deploy and manage so organizations can lower costs, reduce complexity, facilitate digital business, and improve worker efficiency and productivity, all while using Zero Trust Network Access (ZTNA) to keep security threats off the corporate network.
Cisco AppDynamics is a leading provider of Observability and Application Performance Monitoring technology. With the announcement of AppDynamics Cloud, Cisco intends to deliver an exceptional digital experience by correlating telemetry data from across a cloud environment of any size. It utilizes cloud-native observability to remediate application performance issues with business context and insight-driven actions. In short, it continually optimizes cloud applications in order to improve both business outcomes and customer experiences. Intelligent operations can help detect and resolve any performance issues before they can impact an organization. The platform enables collaboration across teams to make it easier for them to achieve common objectives and performance goals. AppDynamics Cloud pulls in metrics, logs, events, and more from your network, databases, storage, containers, security, and other cloud services to make it easier to understand your entire IT stack all the way to the end user. From there, your organization can take informed actions to lower costs, maximize revenue, and ensure users and organizational data remain secure.
Bluescape for Webex
Cisco announced numerous enhancements that will be coming to the Webex application in the coming months. One of those includes a partnership with Bluescape, a virtual workspace app capable of enhancing collaboration during virtual meetings. Bluescape for Webex allows remote and/or hybrid teams to share documents, images, video, and other files in a more secure canvas. There are also whiteboard, draw, and diagram tools available to make it easier to include fresh ideas and comments. Such features, so common at traditional offices, have now been adapted to more easily include those working from home or in other locations. The goal is to deliver a powerful and more dynamic alternative to screen sharing.
Webex Calling Local Survivability
While on the topic of Webex, one of the biggest reasons many organizations have been hesitant to move their phone system into the cloud has been a concern over how to stay connected in the event of an internet outage. The healthcare industry in particular often deals with life or death situations on a daily basis and cannot sacrifice even a moment of unavailability from their phone system. So Cisco has added local survivability to its Webex Calling solution to help ensure there is always a router or desk phone fallback available for those moments when your network may have failed. By being less reliant on internet connectivity, industries that require highly dependable communications services can feel much safer about migrating their phone system into the cloud.
Panoptica and Calisti
Panoptica and Calisti are two new additions to Cisco’s suite of API-first solutions and tools. They are designed to provide faster application development cycles, and enable organizations to achieve the sort of modern application connectivity, security, and observability that results in high quality digital experiences. These tools make it easier to manage and secure distributed application architectures so developers can programmatically discover, connect, secure, and observe APIs, applications, and workloads throughout their cloud journey.
Panoptica enables developers and engineers to incorporate cloud-native security during the application development process. It has the ability to scale across multiple clusters with an agentless architecture, integrates with CI/CD tools and language frameworks across multiple clouds, and provides a single interface for comprehensive container, serverless, API, service mesh, and Kubernetes security.
Calisti simplifies connectivity, lifecycle management, and security for microservices in complex, multi-cloud environments. It’s an enterprise-ready Istio platform that makes it easier for application teams to focus on application logic, and for site reliability engineers to control and scale services, de-risk upgrades, find root causes, and monitor service-level objectives.
Panoptica and Calisti are available for free.
Last but not least, if you’re looking to engage in learning and training for a particular technology certification, role, or solution, Cisco has introduced a new platform to achieve those goals called Cisco U. Its purpose is to construct a custom learning program based around the individual user’s preferences and skill level. The process begins with assessments and goal setting to best determine your specific needs. AI-driven recommendations and personalized feedback are then provided so users can map out the strongest path toward growing their skills and achieving more with them. That means targeting only the courses and content relevant to your goals in order to reduce repetitive learning and complete things faster. There are solution-based learning paths centered on Cisco and related technologies, as well as project-based learning paths centered on specific topics. Cisco U. includes both Cisco learning content as well as training from select third-party providers.
As you can see, there are plenty of exciting new technologies and developments that have either just been released or are in the pipeline for Cisco later this year. At Sentinel we are staying on top of all the latest innovations, and are eager to share more information about them in the coming weeks, months, and years. In the meantime if you would like to know more, please don’t hesitate to contact us and we will get the conversation started!
A Closer Look at SASE
What is SASE?
SASE stands for Secure Access Service Edge. It is a cloud-based network infrastructure model built around a combination of network and security services. The goal is to ensure your organization's devices and users can securely access critical systems and applications at any time from anywhere. Gartner predicts that 40% of enterprises will have established a strategy around SASE by 2024, up from only 1% in 2018. That estimate may end up being conservative, since a vast majority of this shift is being driven by an increase in cloud consumption, the adoption of multi-cloud environments, as well as the acceleration of hybrid/remote workers since the start of the pandemic.
SD-WAN plays a primary role in a SASE model. It offers an incredible return on investment (ROI) and excellent customer experience when it comes to consuming cloud applications. As traffic patterns move away from the private data center and into cloud data centers and Software as a Service (SaaS) platforms, the edge becomes more complex and requires a solution like SD-WAN to intelligently route traffic in the right direction. This helps hybrid and remote workers access the same services and applications as on-premises employees, creating a seamless experience no matter the location.
What has driven the recent surge in popularity of SASE?
A lot of people think that SASE is just SD-WAN because you are optimizing your circuits, optimizing your connectivity, developing a next-generation network, and shifting away from legacy technologies such as DMVPN, MPLS, and hard-wired internet access. But beyond those things, SASE includes a number of security elements and other smart features. When the pandemic hit and the workforce suddenly went remote, many organizations had to open up VPN technologies, extend AnyConnect licenses, and find new ways to keep users safe while they were scattered all over the place. In some cases businesses had a next-generation firewall that only protected on-premises workers, so they needed to find a way to extend that coverage. Identity and access, multi-factor authentication, and URL filtering have all received a major boost these last couple of years. Technologies such as Cisco Umbrella, SD-WAN, and Viptela have also been migrated to the cloud so they're accessible no matter where employees are located, really driving the conversation and rapid adoption of SASE today.
What are some Cisco offerings related to SASE?
Cisco’s SASE model breaks things down into three pieces: networking, security, and observability. In networking, they are the largest SD-WAN provider on the market, with solutions that include Meraki and Viptela. It makes them a leader in the Gartner Magic Quadrant. In security they've taken Umbrella, which was originally just for DNS security, and developed it into a full security stack in the cloud. That has been incredibly successful for them as well. Cisco's somewhat recent acquisition of ThousandEyes helped put that last piece of observability in place. If you have multiple circuits going to multiple locations, ThousandEyes provides visibility to help you determine which circuit is best for which application to improve both the speed and quality of user experiences.
While the pandemic and remote work have certainly escalated the adoption of SASE, so have more organizations moving large portions of their infrastructure into the cloud along with SaaS solutions. It makes no sense to have a user VPN into your network and then hairpin straight back out into a SaaS solution. While most SaaS applications have built-in security, that's certainly not their primary focus, so organizations are smart to place their security stack in front of all that to ensure the user remains protected no matter if they're on-premises, at home, or in a cafe somewhere. All that is to say Cisco feels very well positioned in the SASE space, and Gartner agrees.
What is Sentinel's SASE Workshop, and what does it include?
Sentinel's SASE Workshop is available free of charge, and only takes about 90 minutes to complete. Members of the Sentinel team sit down with your organization and begin by gathering information about your IT environment. Once we understand what technology and systems comprise your environment, the goal is to figure out how to leverage cloud services to improve application performance, user performance, and overall security. While cost savings may play a large role in determining what you're ultimately able to do, it's also essential to understand the many benefits and ROI that can be achieved through committing to a SASE model.
As an example, not too long ago a large internet provider had a system-wide outage. Certain Sentinel customers that had a true SASE model running with Cisco Viptela and SaaS-based applications like Duo and Salesforce didn't experience the outage at all. We were monitoring the health of their SaaS-based applications and immediately re-routed them to a different service provider once it became clear they were unreachable through the carrier's primary link. Customers still using legacy technologies such as DMVPN were left without service for hours, costing time, money, and productivity. So not only can SASE lower costs, but it can really improve the user experience as well.
When it comes to security posture, a lot of organizations will just check off boxes. They'll deploy a next-generation firewall, some Cisco Adaptive Security Appliance (ASA) software, or Firepower Threat Defense (FTD) and think these solutions will handle their needs and keep their environment safe. Some organizations refuse to use tools like SSL decryption out of concern for how it would impact the performance of their current, on-premises firewall. But if you can move to an expandable cloud-based firewall or Secure Internet Gateway (SIG), you can apply SSL decryption rules on that traffic in the cloud without the need for a much bigger on-premises firewall for your users. The same rules apply to every user no matter their location.
So the SASE Workshop details how Sentinel can help improve your security, along with other deliverables and outcomes that can benefit your organization. You may need to look at your monthly costs and do an ROI evaluation to explore the possibility of implementing dual divergent internet circuits and SD-WAN. Typically it takes organizations an average of 4-6 months to achieve a complete ROI on that, where legacy circuits such as MPLS or point-to-point T1s are converted over to direct internet fiber circuits with Viptela as an overlay. We can conduct these kinds of evaluations as part of the SASE Workshop as well.
One other key part the Sentinel team can cover in the SASE Workshop is: Where do I begin? There are so many different components to consider when adopting a SASE model, and it all depends on the strategy you develop in accordance with a timeline. For example, you may want to have a full SASE solution ready to go in three years, but right now your first priority might be to upgrade your routers. If you're not ready for cloud security right away, focus on making sure any new routers purchased can actually work within a SASE environment. Perhaps you're good on the edge, but need to upgrade your firewalls or centralize your security. If the vision is to get to the SASE model, you need to determine where you can take a step in the right direction and then make sure you're continually on the path established by your roadmap. Sentinel's SASE Workshop can help figure out where you are, what investments you've made, what you're ready for, what the next step might be, what some short-term goals are that you can set, and then we'll work with you to build a plan and make it a reality.
If you’re interested in learning more about SASE and/or Sentinel’s SASE Workshop, please contact us or reach out to your Sentinel account manager.
Contact Center Modernization
by Adam Bertram, Sentinel National Director of Enterprise Architecture and Innovation
Webex Contact Center is Cisco’s Contact Center as a Service platform that provides not only traditional channels such as voice, chat, and email, but also a suite of digital channels that allows your customers to connect with your organization using their preferred communication method. The Contact Center, also known as the Customer Experience Center, has evolved into one of the most important interaction points an organization has with its customers, partners, and internal users. This creates new opportunities for organizations to improve customer satisfaction by leveraging technologies that Webex Contact Center can bring to the table such as machine learning and AI, self-service bots and integrations, and contextual interaction history.
Many organizations still use premises-based contact center solutions, but may be considering migration to a cloud contact center as a way to modernize their customers’ experiences. This piece will explore the benefits a cloud contact center can bring to your organization, along with what to consider when making the transition.
There are typically three primary motivating factors that cause organizations to consider moving to a cloud-based contact center.
First and foremost among them is that their current premises-based contact center solution has reached end of support and/or end of life, is up for a maintenance contract renewal, or is in desperate need of an update/upgrade. Sometimes an organization will fall behind and miss/skip multiple updates, making it increasingly difficult to get back to the most recent version. The question becomes whether it’s worth the time and expense to continue investing in frequent maintenance and updates from a third-party provider to keep an outdated/no longer supported premise system running, or if it would be better and easier to eliminate those responsibilities by moving into the cloud.
The second factor frequently cited as a reason to invest in a cloud-based contact center comes from a shift in operational focus. It’s basically the desire to get out of running a phone system and contact center system in order to focus more on improving the customer experience. Physical contact centers are often the lifelines of organizations, but require physical servers, voice gateways, virtual machines, PSTN circuits, third-party applications, wallboard apps, and the many other components that all must be regularly maintained. Shifting to an operational, as-a-service cloud contact center model puts significantly less strain on your resources and team, so they can redirect their focus to business goals and initiatives rather than simply keeping the lights on.
It's also worth mentioning that moving to a cloud contact center changes the cost model from an annual capital expenditure (CapEx) to a monthly operational expenditure (OpEx). Some industries that get funding on an annual basis may not be able to use an OpEx cost model. A big driver with OpEx is the flexibility to expand and grow without needing to worry about all of those physical components that come with an on-premises system. There’s nothing worse than needing to account for 20% or 30% growth on a premises-based system and then having a trickle-down effect where you then worry if things such as the voice gateway and server sizes are big enough to accommodate the expansion.
The third and final factor motivating organizations to switch to a cloud contact center is the limited feature set of their existing platform. Premises-based contact centers tend to be really focused around the voice channel. A lot of the feature set and capabilities are built around voice interaction and not so much the digital interactions. Many Sentinel customers use Cisco Contact Center Express for their premises system, which does have the ability to add chat and email inside of the foundational product. If you want to expand beyond that though, you’d probably have to add some third-party products, which again creates challenges with sizing all of the different components within the environment to account for that. Cisco and others that have cloud-based contact center platforms are limiting new investments in premises-based solutions. Most are still maintaining and supporting them in a keep-it-going type of mode for now, but all the new features and capabilities are being deployed to cloud contact center platforms.
Your customers, members, or patients – whatever a contact is to your organization – are demanding a better experience. They want you to engage with them using their preferred channels and not necessarily the ones you offer. Oftentimes it’s not voice. Very few people these days enjoy engaging or waiting on the phone to talk to somebody unless they absolutely have to. They’d rather reach out through chat or even SMS if it’s available.
On the other side of the coin, the finite feature set offered by a cloud-based contact center also creates a better agent and supervisor experience for internal employees. If agents are productive and have an easy-to-use contact center platform, that will factor into their interactions with customers, members, or patients. By considering both the internal and external experiences when modernizing your contact center, it can create a better overall sense of satisfaction for all users.
A cloud contact center offers a number of remarkable benefits.
Flexibility. It goes without saying that a cloud contact center was born in the cloud, making it easy to support agents no matter where they are, provided there’s an internet connection and a web browser. You can’t get much simpler than that. You could even support them on a mobile device if you needed to in a pinch. That flexibility just hasn’t been there for premises-based solutions.
At the start of the pandemic, a lot of organizations with premises-based contact centers really struggled to adapt as their agents went remote, whereas those with cloud contact centers were either already allowing agents to work remotely or made the adjustment pretty easily. A lot of the premises-based contact centers require complex VPN setups for those agents to work from home, so flexibility in a cloud contact center certainly makes things very compelling. You can support that remote and hybrid work straight out of the box, you can do it securely, and don’t need to work with other cumbersome technologies such as VPN that not only add costs but also complexity to the end agents’ stations. You can also grow and expand a cloud contact center platform without any concerns about the platform itself. It’s built to be evergreen, it’s built to be elastic, and from that standpoint you don’t have to worry about other infrastructure components that may prevent you from doing that today.
A digital-first approach. Cisco has been investing heavily in going beyond the standard voice, chat, and email channels and adding in features such as virtual agents and self-service interactions via an IVR, bot, or SMS. These technologies are getting sophisticated to the point where sometimes it’s difficult to tell whether you’re interfacing with a real human agent or if it’s actually machine learning/AI. The more those get fine tuned into your organization and the questions your customers are commonly asking, the better that experience can be, which translates to offloading a lot of that burden from your expensive agents in live interaction.
It’s next to impossible in most cases to have true omnichannel agents where they’re handling voice calls but also responding to chats, emails, and social media. Self-service is important to help improve operational efficiencies. This means going beyond the bots to add something like SMS as a channel, which is a common one many organizations are ignoring today. They’ve done maybe a little bit of web chat, but SMS is a next generation channel a lot of customers are demanding.
Then there’s social media and being able to capture your social footprint. It enables you to see real-time feedback and bring negative comments into the contact center so they can be responded to in a timely fashion. It’s less about adding every channel under the sun and more about your overall interaction footprint for customers to engage with you. Do you have a way to address some of these other ancillary channels that go beyond voice? All it takes is one rant or tweet to go viral, so being able to have the company officially respond to that and then engage separately in a more customer-centric space can make an incredible difference.
Visual Flow Designer. When it comes to editing and improving moves, adds, and changes to your workflows, a lot of times those are scripts using thick proprietary editors that are very much tuned to an engineer. One thing Cisco has spent a lot of time developing with Webex Contact Center is the visual flow designer. It’s very much a “drag and drop,” meant to be a “low code, no code” type of interface so you can lower the barrier for customers to make their own changes. That’s really the end goal: to try and make that interface intuitive, easy to use, and less intimidating to a non-technical business user such as a supervisor that needs to handle some minor moves, adds, and changes.
If you have complex workflows and a lot of things going on then you’re probably not going to have your contact center manager go in and make changes, but for regular adjustments like tweaking a threshold or variables or something that alters the way calls are routed, you can get that non-technical person into that interface without needing to involve a technical resource to make those moves, adds, and changes.
Reporting and Analytics. You can’t have a contact center without reporting. One key component of many cloud contact centers is that they include both a reporting and analytics engine. A lot of legacy, premises-based solutions focus primarily on the reporting of metrics. What’s my service level, what’s my abandoned calls, how many calls are in queue, what’s my talk time and my ready time – those sorts of things. These are somewhat static metrics and can be very one-dimensional in nature. By being able to cross-analyze all the ways customers are interacting with your contact center and comparing that to agent activity, you can start to measure that data against different business metrics. Basically you can provide some analysis on your static reporting and tie it to things that are more meaningful to the business as you make decisions.
The metrics will say if you’re meeting your service level agreement (SLA) or not, but what needs to happen if you’re not meeting those numbers? Maybe if you have deeper insights into where you’re failing by breaking down that SLA into certain components or areas where an agent may be struggling, then you can tactically work on improving interactions. Or maybe there’s an issue with chat where a bot is giving a wrong result or creating frustrations that escalate to a live agent. Those are definitely areas where analytics can provide actual insight.
Cisco has done wonders for cloud contact centers with their new analyzer tool. If you’re currently using an on-premises version of Cisco Contact Center Express (UCCX), they also include UCCX reports in the analyzer to help with the transition from the old standard reporting to understanding the terminology and some newer metrics available in Webex Contact Center.
Experience Management. Cisco recently made an acquisition of CloudCherry, which was widely known in the IT industry as an analytics company. They have survey capabilities in the platform tied to Net Promoter Scores (NPS) and Customer Satisfaction Scores (CSAT) to measure different areas of the contact center and provide insights. For most organizations, especially ones with a premises-based contact center, the measurement of customer experience tends to be a blind spot.
Webex Experience Management, as CloudCherry is now known inside the Webex portfolio, enables organizations to start measuring and analyzing the customer journey through various surveying options. You can standardize to different industry metrics such as NPS and generate data that is contextual and actionable. Contact center agents can not only access a customer’s interaction history and what channels they used each time, but because of surveys following those interactions there’s also NPS data, satisfaction data, and sentiment data available which may factor into their approach. If a customer has had a very unpleasant experience, the agent may talk to them differently or offer a special discount or something. Organizations don’t often realize how much that data and analytics can affect the overall agent experience and how they interact with each customer.
Integrations. Webex Contact Center was born in the cloud and is very much a modernized, web-based framework that the platform is built upon, so it goes without saying there is a fair amount of integration capability with the platform. Cisco uses the connectors model for integrating with popular line of business applications such as Salesforce, Microsoft Dynamics, and ServiceNow. They also have system connector options. Any line of business application today, whether it be Salesforce or maybe an electronic medical records (EMR) system if you’re in the healthcare space, includes a REST-based API. It’s a way for users to interface with these systems through a standards-based technology. Custom connectors within Webex Contact Center enable organizations to interface with just about any platform. As a Cisco partner, Sentinel can not only provide service expertise, but also help customers interface Webex Contact Center with other line of business applications that don’t have an out-of-the-box connector already built.
Webex Contact Center offers a lot of different benefits and features for organizations ready to shift those operations into the cloud. If your organization is interested in transitioning to a cloud contact center, Sentinel offers a no-cost Contact Center Modernization Workshop. Over the course of 90-120 minutes our team takes a close look at several contact center areas where there are opportunities for your organization to make changes and improvements to the experience. After the workshop we provide a report with key next step recommendations to start the transition. If you are interested in learning more about Webex Contact Center or any of the topics explored in this piece, please reach out to a Sentinel representative or contact us. We are happy to talk about your current contact center and where the pain points are so you can start finding ways to make improvements.
Identity and Access Management with AWS
Amazon Web Services (AWS) Identity & Access Management (IAM) plays a critical role in the success of all AWS features. AWS IAM enables administrators to granularly control who can perform what actions with any AWS features and under what conditions. Sentinel Technologies and Fortis by Sentinel are always working to provide the best possible security for our customers, which includes the ability to utilize critical services like AWS IAM within their own cloud environments.
AWS IAM offers a number of different customizable options that enable organizations to remain secure while growing their presence in the public cloud. Administrators can take advantage of settings that allow you to:
+ Configure IAM roles for explicit authorization and delegation models
+ Establish single sign-on (SSO) with your organization’s existing identity providers
+ Develop policies to restrict and/or limit authorization based on conditions such as multi-factor authentication (MFA) or the location of the user
+ Set up baselines to restrict access to regions and services not in use
+ Maintain up-to-date posture by analyzing existing authorizations
These are just a few ways AWS IAM can help increase your protection and instill confidence with your current and future public cloud investments.
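The MFA and region controls in the list above, written out as an IAM deny policy (an added example, not Sentinel's or AWS's code). `baseline_deny_policy()` builds the policy document; `is_denied()` is a deliberately small model of how IAM applies Deny statements with Bool / BoolIfExists / StringNotEquals conditions, included to show why the MFA check must use BoolIfExists rather than Bool. The region list, the request contexts and the simplified evaluator are assumptions for illustration; the evaluator ignores Allow statements, resources and principals and is not IAM's real engine.

```python
"""Baseline deny policy: require MFA and restrict calls to regions in use."""
import fnmatch
import json
from typing import Dict, List, Optional

# Global services report a fixed region (often us-east-1) in aws:RequestedRegion,
# so they are carved out of the region restriction with NotAction. Assumed list.
GLOBAL_SERVICE_ACTIONS = ["iam:*", "sts:*", "cloudfront:*", "route53:*", "support:*"]


def baseline_deny_policy(allowed_regions: List[str], mfa_if_exists: bool = True) -> dict:
    """Return a policy denying non-MFA requests and calls to regions not in use."""
    # With plain "Bool", a request whose context lacks aws:MultiFactorAuthPresent
    # (typical for long-term access keys) does not match and is NOT denied.
    # BoolIfExists also matches when the key is absent, which is the intent.
    mfa_operator = "BoolIfExists" if mfa_if_exists else "Bool"
    return {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Sid": "DenyWithoutMFA",
                "Effect": "Deny",
                # Production policies carve out the IAM self-service actions a user
                # needs to enrol an MFA device; omitted here to keep the example short.
                "Action": "*",
                "Resource": "*",
                "Condition": {mfa_operator: {"aws:MultiFactorAuthPresent": "false"}},
            },
            {
                "Sid": "DenyUnusedRegions",
                "Effect": "Deny",
                "NotAction": GLOBAL_SERVICE_ACTIONS,
                "Resource": "*",
                "Condition": {"StringNotEquals": {"aws:RequestedRegion": allowed_regions}},
            },
        ],
    }


def _matches_any(patterns, action: str) -> bool:
    """IAM action patterns are case-insensitive globs such as 'iam:*' or '*'."""
    patterns = [patterns] if isinstance(patterns, str) else patterns
    return any(fnmatch.fnmatchcase(action.lower(), p.lower()) for p in patterns)


def _statement_covers(stmt: dict, action: str) -> bool:
    if "Action" in stmt:
        return _matches_any(stmt["Action"], action)
    return not _matches_any(stmt["NotAction"], action)


def _conditions_match(cond: dict, context: Dict[str, str]) -> bool:
    """All operators and keys in a Condition block must match (logical AND)."""
    for operator, pairs in cond.items():
        for key, expected in pairs.items():
            values = expected if isinstance(expected, list) else [expected]
            present = key in context
            actual = str(context.get(key, "")).lower()
            if operator == "Bool":
                ok = present and actual == values[0].lower()
            elif operator == "BoolIfExists":
                ok = (not present) or actual == values[0].lower()
            elif operator == "StringEquals":
                ok = present and context[key] in values
            elif operator == "StringNotEquals":
                ok = present and context[key] not in values
            else:
                raise NotImplementedError(f"operator {operator} not modelled")
            if not ok:
                return False
    return True


def is_denied(policy: dict, action: str, context: Dict[str, str]) -> Optional[str]:
    """Return the Sid of the first Deny statement that matches, or None."""
    for stmt in policy["Statement"]:
        if stmt["Effect"] != "Deny" or not _statement_covers(stmt, action):
            continue
        if _conditions_match(stmt.get("Condition", {}), context):
            return stmt["Sid"]
    return None


if __name__ == "__main__":
    policy = baseline_deny_policy(["us-east-2", "us-west-2"])
    print(json.dumps(policy, indent=2))
    # Constructed request contexts: a console session with MFA, then a long-term
    # access key whose context carries no aws:MultiFactorAuthPresent at all.
    mfa_session = {"aws:MultiFactorAuthPresent": "true", "aws:RequestedRegion": "us-east-2"}
    access_key = {"aws:RequestedRegion": "us-east-2"}
    print(is_denied(policy, "s3:GetObject", mfa_session))  # None
    print(is_denied(policy, "s3:GetObject", access_key))   # DenyWithoutMFA
```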
Cooper’s Hawk Winery & Restaurants have locations all over the United States that offer a modern casual dining experience in an upscale setting that includes handcrafted wines, a Napa-style tasting room, and artisanal market. They were eager to improve the operations and security of their AWS use cases, and worked closely with Sentinel throughout that process. Sentinel used AWS IAM to strengthen the protection of critical public cloud assets and streamline day-to-day operations within all Cooper’s Hawk AWS instances.
Securing AWS environments can be challenging, with a multitude of services and solutions available that offer different types of protection. Sentinel brings knowledge on how to take advantage of these services to achieve the best visibility and security for your specific AWS environment. For example, AWS GuardDuty can extend the security capabilities of AWS to identify and monitor anomalous or potentially malicious activities across multiple AWS resource types, including IAM access keys.
If you are interested in learning more about AWS IAM or any other AWS products, please contact us or reach out to your Sentinel Account Manager.
A Closer Look at AWS Route 53
Sentinel Technologies focuses on providing valuable solutions to our customers that optimize their technology environments. Recently Sentinel has helped several customers with the consolidation and simplification of their public domain name system (DNS) resolver functionality utilizing Amazon Web Services (AWS) Route 53. Organizations often have multiple domain names to facilitate access to their services. Each domain name must be registered and includes records that need to be maintained. For example, Sentinel has registered the sentinel.com domain and there are a number of additional records associated with it. Route 53 handles user requests to an organization’s infrastructure elements running both inside and outside of the AWS cloud.
ECHO Joint Agreement provides special education services to a cooperative of 17 school districts for approximately 1,000 students. Sentinel worked with ECHO to facilitate the consolidation and migration of multiple resolver and registrar services to AWS Route 53. It created a simplified experience for the ongoing management of their public DNS functions and enabled them to take advantage of numerous integrations with other AWS products.
AWS Route 53 is a foundational component for all other AWS products. It’s such an essential AWS product that Amazon makes every effort to ensure it remains 100% available as part of the service level agreement (SLA). Route 53 is also a fantastic way to integrate with other AWS products for additional benefits. Static web pages can be hosted in Simple Storage Service (S3) and secured with included Transport Layer Security (TLS) certificates through the CloudFront Content Delivery Network (CDN). Dynamic web services like WordPress can be hosted in the AWS Virtual Private Server (VPS) product Lightsail.
The AWS product catalog is so large it can initially be quite daunting to work through and identify applicable products with valuable benefits, but the rewards for doing so are worth the effort. As an AWS Consulting Services Partner, Sentinel focuses on building innovative and beneficial solutions for customers that leverage these products. Route 53 is an excellent product with a low barrier of entry that can help all types of organizations achieve more and improve the operation of their IT environment.
If you are interested in learning more about AWS Route 53 or other AWS products, please contact us or reach out to your Sentinel Account Manager.
International Agencies Release Joint Cybersecurity Advisory for Global Ransomware Threats
by Ellen McCullough, Fortis Cyber Security Analyst
The FBI, CISA, ACSC, and NCSC-UK have released a joint cybersecurity advisory that addresses the continually increasing globalized threat of ransomware. They report that over 87% of the critical infrastructure sectors in the United States have been targeted by these attacks. Targeted sectors include Emergency Services, Food and Agriculture, Government, and IT sectors among others. Over the course of 2021 and into 2022, these attacks have continued to evolve, and the advisory mentions some notable trends in recent incidents.
After incidents that were categorized as "big game hunting" resulted in heavy government scrutiny and major penalties, ransomware groups have shifted tactics somewhat to target smaller victims in an effort to evade high profile federal investigations. The threat actors have also employed double and triple extortion by not only encrypting the victims' networks but also threatening to publish stolen data online, disrupt network availability, and/or disclose the incident to key stakeholders. These tactics are used in an effort to increase the chances that the victim will pay the ransom.
Some of the tactics that continue to be observed use primary access vectors like phishing, the exploitation of Remote Desktop Protocol (RDP) via weak configurations or stolen credentials, and taking advantage of unpatched vulnerabilities. The advisory states these vectors remained the top three initial infection vectors in 2021.
The impact of these attacks has increased through the adversaries' targeting of cloud infrastructure, the software supply chain, managed service providers, industrial processes, and strategic timing such as initiating attacks on holidays or weekends.
Recommended mitigations to reduce the risk of a successful attack include patching diligence, password requirements and implementation of multifactor authentication (MFA), user security and awareness training, secured and monitored RDP use, and adequately securing and monitoring Linux and cloud environments. Further mitigations to limit the ability of adversaries to perform lateral movement and network enumeration include network segmentation, end-to-end encryption, least privilege and time-based access for privileged users, use of network monitoring and documentation of external remote connections, disabling and constraining unused scripting and command line utilities, and maintaining encrypted offline backups.
As the number of cyberattacks continues to increase at an exponential level, the Fortis by Sentinel team remains vigilant in our mission to stop breaches before they occur. We are fighting for you with 24x7x365 monitoring of your environment through our Security Operations Center (SOC), Incident Response, and Threat Intelligence teams to help lower the time to detect and respond to active threats. Our Incident Response team is always ready to engage at (844) 297-4853. Please contact us if you would like to learn more about how Fortis by Sentinel can help protect your organization from all types of cyber threats.
For the full technical details of this advisory and its recommended mitigations relating to the rising trend of ransomware, as well as external references, please view the joint cybersecurity advisory in its entirety at the government IC3 website.
Fortis Log4j CVE-2021-44228 Communication Release
The Fortis Security, Incident Response, and Threat Intelligence teams have been tracking activity related to the recently exploited Log4j remote code execution (RCE) vulnerability, also known as Log4Shell. Since this vulnerability came to light one week ago, the Fortis team has been diligently and aggressively both threat hunting in our customers' environments as well as developing and implementing new detection signatures to alert on possible malicious scanning and/or post-exploitation activity based on known indicators of compromise.
Although there are scattered reports of APT groups, ransomware groups, and threat actors beginning to use this vulnerability as an initial access vector for dropping second-stage payloads and potentially deploying ransomware, the majority of exploitation activity that has been seen since initial exploits is related to installation of cryptocurrency miners and use by the Mirai and other botnets.
The instances of ransomware and post-exploitation activity that have been observed have primarily been reported to involve the Khonsari ransomware family, dropping of Cobalt Strike beacons, and the use and sale of this vulnerability by access brokers. Several sources have reported activity beginning to emerge that is being attributed to known APT groups and threat actors in China and Iran as well as potentially North Korea and Turkey. Most notable of these groups are Iran-based APT 35 (aka Charming Kitten or Phosphorus) and China-based HAFNIUM, who are best known for their exploitation of Microsoft Exchange servers early in 2021.
This vulnerability in Log4j is being leveraged as an initial access vector, an early phase in what is known as the cyber kill chain. This stage comes after the first two stages of reconnaissance and resource development and before execution, persistence, and privilege escalation. It is projected that brokered or directly obtained access to environments will be used by these threat actors in either the short or long term, as threat actors have been known to lie quiet in a compromised environment for extended periods of time before actively deploying ransomware or mass exploitation.
Official mitigation advice has been updated to include mitigating the implications of the new CVE-2021-45046, which was discovered after the 2.15.0 patch was released. This new CVE has recently been upgraded to a CVSS score of 9.0. Currently, this CVE has only been demonstrated in macOS environments. A third vulnerability, CVE-2021-45105 (CVSS 7.5), was also released; it addresses the risk of denial-of-service conditions due to the possibility of infinite recursion.
Apache currently recommends updating to version 2.17.0 as this addresses all three known CVEs for Log4j. Several previous mitigation recommendations have now been deprecated by the Apache team due to the fact that they leave additional attack vectors open versus completely remediating the vulnerability. The current recommendation for safe and comprehensive mitigation is to update to the most recent safe version (2.17.0 as of 12/20/2021) or remove the JndiLookup class from the log4j-core jar. Please review the "Older (discredited) mitigation measures" headings in the attached Apache link for additional technical details.
Overall recommendations remain to prioritize asset inventory, isolation of vulnerable assets and aggressive patching for this vulnerability to limit the attack surface. Continue working with third-party vendors to apply recommended patches for their products as well as encouraging end users to apply approved and recommended updates. Additional recommendations include limiting outbound connections to trusted destinations and monitoring for suspicious or unapproved outbound traffic, including LDAP connections, from either inside the network or the DMZ. These outbound connections to listening IPs may result in redirects to IPs that host second-stage payloads to be delivered to the target.
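The asset-inventory and JndiLookup-removal recommendations above, as an added example (not Fortis or Apache code). It locates log4j-core jars by the Maven `pom.properties` they embed, reads the version, flags jars older than 2.17.0 that still contain `JndiLookup.class`, and rewrites the jar without that class, which is what Apache's `zip -q -d log4j-core-*.jar org/apache/logging/log4j/core/lookup/JndiLookup.class` does. The sample jar is constructed in a temp directory with placeholder bytes, not real class files; nested jars inside WARs or uber-jars are out of scope here.

```python
"""Inventory and fallback mitigation for CVE-2021-44228 in log4j-core jars."""
import os
import re
import tempfile
import zipfile
from pathlib import Path
from typing import Dict, Iterator, Optional

JNDI_LOOKUP_CLASS = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
POM_PROPERTIES = "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties"
FIXED_VERSION = (2, 17, 0)  # first release addressing all three CVEs named above


def parse_version(text: str) -> tuple:
    """'2.14.1' -> (2, 14, 1); a qualifier such as '-rc1' ends the numeric part."""
    parts = []
    for piece in text.strip().split("."):
        match = re.match(r"\d+", piece)
        if not match:
            break
        parts.append(int(match.group()))
    return tuple(parts)


def log4j_core_version(jar_path) -> Optional[str]:
    """Read version= from the Maven properties that log4j-core ships in the jar."""
    with zipfile.ZipFile(jar_path) as jar:
        if POM_PROPERTIES not in jar.namelist():
            return None
        for line in jar.read(POM_PROPERTIES).decode("utf-8", "replace").splitlines():
            if line.startswith("version="):
                return line.split("=", 1)[1].strip()
    return None


def has_jndi_lookup(jar_path) -> bool:
    with zipfile.ZipFile(jar_path) as jar:
        return JNDI_LOOKUP_CLASS in jar.namelist()


def assess_jar(jar_path) -> Dict[str, object]:
    """Upgrading to 2.17.0 is the fix; stripping JndiLookup is the fallback."""
    version = log4j_core_version(jar_path)
    outdated = version is not None and parse_version(version) < FIXED_VERSION
    jndi = has_jndi_lookup(jar_path)
    return {"path": str(jar_path), "version": version,
            "jndi_lookup_present": jndi, "needs_action": outdated and jndi}


def strip_jndi_lookup(jar_path) -> bool:
    """Rewrite the jar without JndiLookup.class; True if the class was removed."""
    jar_path = Path(jar_path)
    if not has_jndi_lookup(jar_path):
        return False
    tmp_path = jar_path.with_suffix(jar_path.suffix + ".tmp")
    with zipfile.ZipFile(jar_path) as src, zipfile.ZipFile(tmp_path, "w") as dst:
        for info in src.infolist():
            if info.filename != JNDI_LOOKUP_CLASS:
                dst.writestr(info, src.read(info.filename))  # keeps per-entry metadata
    os.replace(tmp_path, jar_path)  # atomic swap so a failed rewrite leaves the original
    return True


def find_log4j_core_jars(root) -> Iterator[Path]:
    """Walk a tree and yield jars that carry log4j-core's pom.properties."""
    for path in Path(root).rglob("*.jar"):
        if zipfile.is_zipfile(path):
            with zipfile.ZipFile(path) as jar:
                if POM_PROPERTIES in jar.namelist():
                    yield path


def build_sample_jar(path, version: str = "2.14.1") -> Path:
    """Constructed stand-in for a log4j-core jar; entries hold placeholder bytes."""
    path = Path(path)
    with zipfile.ZipFile(path, "w", zipfile.ZIP_DEFLATED) as jar:
        jar.writestr(POM_PROPERTIES, f"version={version}\ngroupId=org.apache.logging.log4j\n"
                                     "artifactId=log4j-core\n")
        jar.writestr(JNDI_LOOKUP_CLASS, b"\xca\xfe\xba\xbe placeholder")
        jar.writestr("org/apache/logging/log4j/core/Logger.class", b"\xca\xfe\xba\xbe placeholder")
    return path


def demo() -> Dict[str, object]:
    """Build a constructed vulnerable jar, assess it, strip JndiLookup, re-assess."""
    workdir = Path(tempfile.mkdtemp(prefix="log4j-demo-"))
    jar = build_sample_jar(workdir / "log4j-core-2.14.1.jar", "2.14.1")
    found = [p.name for p in find_log4j_core_jars(workdir)]
    before = assess_jar(jar)
    removed = strip_jndi_lookup(jar)
    removed_again = strip_jndi_lookup(jar)  # idempotent: nothing left to remove
    after = assess_jar(jar)
    with zipfile.ZipFile(jar) as z:
        remaining = sorted(z.namelist())
    return {"found": found, "before": before, "removed": removed,
            "removed_again": removed_again, "after": after, "remaining": remaining}


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```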
The primary activity observed by the Fortis team has been mass scanning, with some attempts at data exfiltration based on specially crafted commands. Many vendors were able to quickly identify malicious IP addresses and domains and add them to threat feeds and block lists almost immediately thanks to the mobilization of the entire security community. A large volume of data has been collected both by the Fortis team and the security research community to assist in building actionable detections for this activity. However, the ease with which this vulnerability is tested and exploited complicates these indicators, rendering many of them low fidelity or benign. Nonetheless, the Fortis team has implemented alerting based on current intelligence and all current updated signatures released by vendors. Additionally, the team has put in place proprietary behavior-based alerts for products that we ingest for our customers including EDR tools, firewalls, Fortis IDS sensors, and DNS-based alerting.
As the number of cyberattacks continues to increase at an exponential level, the Fortis team remains vigilant in our mission to stop breaches before they occur. We are fighting for you with 24x7x365 monitoring of your environment through our Security Operations Center (SOC), Incident Response, and Threat Intelligence teams to help lower the time to detect and respond to active threats. Our Incident Response team is always ready to engage at (844) 297-4853.
Highlights from AWS re:Invent 2021
Like many things in 2020, the AWS re:Invent conference was not an in-person event. Still in the middle of a pandemic, the choice was made to put all of the sessions, workshops, and keynotes online so people could attend virtually. As the number of infections declined and life began to return to some semblance of normalcy earlier this year, organizers decided that re:Invent could also return to convention centers provided a number of safety measures were in place to protect attendees. First, overall capacity was limited to only about 20,000 people total, compared to 2019 when more than 60,000 were in attendance. Second, there were vaccine and mask requirements to ensure everyone had multiple levels of protection from potential infection when gathered closely together indoors in large groups. Lastly, those uncomfortable with the health restrictions still had the option of streaming certain events and sessions from home. That said, a few members of the Sentinel team chose to make the trip to Las Vegas for the five-day event from November 29th through December 3rd. They listened to speeches, participated in interactive sessions, spent some time networking, and even held a special happy hour for Sentinel partners and customers. A great time was had by all. Here's a short summary of the experience, complete with some important news and takeaways from the 2021 AWS re:Invent conference.
The first thing AWS was proud to note at this year's re:Invent conference was their accelerating level of success. The company earned around $12 billion in revenue back in 2016, and as more organizations continue to invest in the cloud that amount has increased at a significant rate. They are currently on track to generate more than $65 billion in 2021, and anticipate reaching a trillion dollars of revenue per year at some point in the next decade. Part of this growth has to do with their constant expansion of cloud services, as they continue to design and acquire new applications capable of giving customers more features based on their specific industry or unique needs. AWS believes partnerships play an essential role in future expansion, which is why they currently have more than 100,000 partners worldwide and continue to add more on a daily basis. Sentinel is proud to be one of those partners, as the innovation and expansive catalog of AWS aligns well with the needs of our customers, enabling them to remain Always Leading.
One of the main things AWS was trying to emphasize at re:Invent in a keynote speech from VP and CTO Werner Vogels was that they are focused on building primitive cloud solutions and not frameworks. Basically the goal is to avoid appealing to every possible customer and instead allowing partners such as Sentinel to build their own solutions using AWS as a starting point. This enables organizations to work closely with Sentinel to adopt cloud services in ways that make the most sense for their business, rather than simply buying into a pre-defined package that might not fit exactly what they need. AWS cloud solutions can be paired with Sentinel services and our highly knowledgeable team of experts to create unique opportunities that keep our customers secure and enable them to accelerate their migration into the cloud. The momentum continues to grow as new services are added daily.
Speaking of new services, there were a number of exciting announcements made at re:Invent that highlighted the diversity and scalability of the AWS portfolio. While many are undoubtedly aware of 5G as a level of connectivity for their devices, AWS has started to preview Private 5G, a new managed service that enables organizations to set up and scale private 5G mobile networks inside of facilities in a matter of days instead of months. Customers can specify where they want to build a mobile network and the network capacity needed for their devices, and AWS will then deliver and maintain the small cell radio units, servers, 5G core, along with other software and modules required to set up a private 5G network and connect devices. This would essentially eliminate the need for a switching refresh and other common network components used by most businesses. There are no up-front fees or per-device costs associated with AWS Private 5G, as customers only pay for network capacity and data consumption.
The Sustainability Pillar for the AWS Well-Architected Framework marks a big and important addition to their portfolio. It's designed to help organizations learn, measure, and improve their workloads using environmental best practices for cloud computing. As part of this pillar, organizations answer questions aimed at evaluating the design, architecture, and implementation of their workloads in order to reduce energy consumption and improve efficiency. While AWS is responsible for the sustainability OF the cloud, customers are responsible for sustainability IN the cloud. Customers can reduce associated energy usage by up to 80% by implementing sustainability practices within the AWS cloud compared to a more standard on premises deployment.
Amazon Inspector is a service used by organizations of all sizes to automate security assessment and management at scale. Amazon Inspector helps organizations meet security and compliance requirements for workloads deployed to AWS, scanning for unintended network exposure, software vulnerabilities, and deviations from application security best practice. The original Inspector was released in 2015, and since then vulnerability management for organizations has changed considerably. While new features have been added over the years, there were still a number of requirements that were a bit lacking. AWS re:Invent announced a new and improved version of Amazon Inspector, capable of enabling frictionless deployment at scale, support for an expanded set of resource types needing assessment, and a critical need to detect and remediate at speed. There are continual, automated assessment scans, automated resource discovery, support for container-based workloads, improved risk scoring, along with integration into other tools such as AWS Organizations, Amazon EventBridge, and AWS Security Hub.
If your organization uses AWS Backup or was considering shifting some of your data to AWS Backup, things just got a bit easier with some big announcements at re:Invent. AWS Backup is a fully managed, policy-based service that lets you centralize and automate the backup and restore of your applications spanning across 12 different AWS services. Unfortunately, those dozen AWS services did not include Amazon Simple Storage Service (S3)...until now. Many AWS customers had requested centralized protection and provable compliance for application data stored in S3 alongside other AWS services for storage, compute, and databases. That has become available, allowing customers to centrally manage application backups, easily restore data, and improve overall backup compliance. AWS Backup support was also announced for VMware with a new capability that enables customers to centralize and automate data protection of virtual machines (VMs) running on VMware on premises and VMware Cloud on AWS. Customers can now use a single, centrally managed policy in AWS Backup to protect these VMware environments together with the 12 AWS compute, storage, and database services already supported by AWS Backup. AWS Backup can then be used to restore VMware workloads to on-premises data centers and VMware Cloud on AWS.
These are just a few of the major announcements and highlights from this year's AWS re:Invent conference. There are many more exciting things on the horizon for the AWS cloud platform, and Sentinel is excited to share them with you to show the many ways they can improve your organization. We were thrilled to see so many of our customers also come out to our happy hour event during the conference, and had some great discussions related to security, governance, multi-account management, identity, Terraform, mainframe, machine learning, and S3. Please feel free to contact us to either start or continue the discussion of how we can help enhance and protect your business through innovative technology!
Sentinel's Holiday Gift Guide 2021
Season’s greetings! As always, your friends at Sentinel would like to wish you a happy and healthy holiday season, filled with all sorts of fun and delights. Some of that may include gift giving or a gift exchange, which is also historically one of the more challenging things to figure out during this time of year. There are so many gift options out there, and so many people to buy for, each with their own individual preferences. Given that Sentinel specializes in IT solutions and services for all types of organizations, we’d like to take a moment to kick up our feet and share some interesting and worthwhile items for the technology lover in your life. The five items included as part of this year’s Holiday Gift Guide are not sold by Sentinel, nor have we been paid to promote them. They are simply a few tech-related products we believe that you or someone you know might enjoy.
Worky Home Office [$150]
Still working from home, but miss your office accessories? The folks at Worky have created a portable solution that allows you to have some of the comforts of the office no matter where you’re working from. Their portable workspace comes in a suitcase-like box that opens to reveal a whiteboard, LED light for video conferencing, stationary supply organizer, file and accessory organizer, a 4-port power strip, and a spot to place/store your laptop. It’s perfect for those who don’t have a proper desk at home, or need to get some work done on the road.
Doorbell cameras have become quite popular over the last few years, as they enable you to see who’s at your front door without ever having to actually open it. Smart locks have also gained some major attention for their ability to unlock doors using your smartphone or voice assistant. Naturally then, Lockly decided to combine these advanced tools into a single device. You can install their Vision Doorbell Camera Smart Lock onto the front door of your home or office, and take advantage of all the features it provides. When someone rings your doorbell, an alert is sent to your smartphone that enables you to activate the camera and see who is outside. You can have a conversation with the person at your door through the device as well. As for the smart lock capabilities, it has a fingerprint scanner and hack-proof keypad, both of which can be used to unlock your door or grant someone limited or one-time access. You can also lock or unlock the door yourself using a smartphone app or voice command to another smart device.
SanDisk iXpand Flash Drive Luxe [$40-75]
Getting files and media back and forth from your smartphone to a laptop or tablet can be challenging, especially if the devices aren’t compatible with one another. It’s not always as simple as using AirDrop or Bluetooth to connect and transfer things wirelessly. That’s why SanDisk created the iXpand Flash Drive. It’s a storage drive that comes in multiple capacities, and includes both a USB-C and Lightning port so you can plug it into whatever devices you’re using at the moment. Say you have a PDF file stored on your work laptop. You can load it onto this iXpand flash drive via USB, then access and open the file later at home on your iPhone via the Lightning port. This isn’t revolutionary technology, just an advancement that improves accessibility and portability between different types of devices.
Whether you’re trying to avoid COVID-19 or just general allergies, breathing in clean air can help keep you healthy. There are plenty of air purifiers available on the market today; unfortunately most tend to be large and quite expensive. LG’s PuriCare Mini Portable Air Purifier may not be the cheapest air purifier you can find, but it won’t break the bank and has the added benefit of being lightweight and very portable. Weighing only 1.2 pounds, it is certified to remove 99% of 0.3-micron ultra-fine dust particles from the air, which can contain viruses, disease, and harmful substances such as heavy metals. The device also connects to your smartphone via Bluetooth, enabling users to control air flow, obtain filter information, check real-time air conditions, and monitor battery life.
Many of us can’t get through the morning without a hot cup of coffee (or three), though how you get that shot of caffeine can vary depending on your personal preferences. For those with more “traditional” sensibilities, there’s nothing quite like a standard coffee maker set to brew a full pot at the start of your day. While the results are always the same (and largely dependent on the type/strength of coffee you brew), the path to that first cup has finally started to change with the times. Hamilton Beach now offers a “smart” coffee maker, capable of adding remote operations and schedule functions to your brewing process so it’s easier and more convenient to make. It connects via smartphone app or Amazon Echo device, so you can ask your smart speaker to start brewing, change the brew strength, or turn off the coffee maker. You can even program routines to schedule a brew at a specific time each day, and come up with unique command phrases to launch specific operations in an even simpler fashion. This is an ideal gift for someone who likes waking up to the smell of freshly brewed coffee, or would prefer to start the brewing process with a simple command without ever having to get out of bed.
