Saturday, 25 May 2019

Five Game-Changers for Mid-Market Businesses That Boldly Move to Cloud Calling

ISG report claims that moving to cloud operations saves companies an average of 38% [1]

As a mid-market business leader, one of the most important decisions you make is your approach to digital transformation. A critical part of any digital transformation strategy is the use of cloud technology; particularly cloud communications and collaboration. New cloud delivery of advanced, cognitive collaboration technologies offers the freedom to provide a first-class service experience to customers anywhere on the planet, with rapid, low risk deployment, low up-front costs, and a tightly integrated cloud application workflow model. This can mean the difference between being the agent of change in your industry and watching the market pass you by.

The State of the Cloud Calling Market


Globally, the mid-market cloud PBX segment is just starting to pick up momentum, with analysts projecting a global segment CAGR of 24% through 2022, building on a low current market penetration level estimated at 12%. See Figure 1.

Figure 1 – Cloud Calling Market Penetration and Growth Rates by Segment


New cloud options, like Cisco Webex Calling, are adding the scalability, reliability and security, along with a more sophisticated collaboration feature set that mid-market business requires. The cloud is better able to economically address the multi-site, contact center and mobile connectivity shortcomings of the on-premises options available to mid-market organizations. Equally important is the ability to support a cloud migration strategy that offers seamless operation throughout the time a business requires use of a mixed cloud/on-premises model. Because most mid-market businesses are not ready to go all-in on the cloud in one step, support for a common dial plan, administration and directory model through this transition period is an essential check point to starting a successful cloud migration.

The Performance Gap Between Leaders and Laggards


The urgency for business to take action now comes down to the performance gap between digital transformation leaders and laggards. Digital transformation can dramatically lower costs, enhance agility and enable mid-market organizations to implement technologies and tools that were once only available to large enterprises. Well executed, these strategies are game changers for the mid-market organization. A Harvard Business School study [2] published by Professors Marco Iansiti and Karim Lakhani demonstrated the gap between the top 25% “Digital Leaders” and the bottom 25% “Digital Laggards.” Figure 2 shows a gross margin difference of 18% between the leaders and laggards, and concludes, “Digital Transformation has become the new normal.”

Figure 2 – The digital divide between digital leaders and laggards


Five reasons to implement digital collaboration transformation strategies (Figure 3)


1. Gain large enterprise capabilities without the cost and complexity – Historically, mid-market organizations have been at a disadvantage to larger organizations, due to the high capital cost of implementing sophisticated, complex and expensive IT applications, technologies and infrastructures. Cloud calling, collaboration and contact centers change all this by making advanced tools affordable to the mid-market for the first time.

2. Enhance business agility and reduce operational cost and complexity – Cloud calling and collaboration allow organizations to seamlessly scale users and sites up or down quickly and predictably, with one global solution that can be centrally managed. Precious capital investments are preserved for more strategic business initiatives while operating budgets become more transparent and predictable, without the headaches of managing surprise PBX upgrades and maintenance. And both management and workforce productivity are vastly improved through the use of always-current and accessible cloud collaboration services.

3. Increase workforce mobility, productivity and satisfaction – A key issue for today’s multi-site enterprise and mobile workforce is the complexity and expense of deploying, managing, keeping up-to-date and networking multiple on-premises systems that typically range from new to decades old. Millennial and Gen Z employees expect advanced collaboration tools in the workplace – the same tools that they use in their private lives – and these have a dramatic impact on both recruitment and retention. They expect a seamless, global and feature-rich collaboration experience across any device, network or channel – calling, messaging, team collaboration, video, etc.

4. Strengthen customer journeys and relationships – Most mid-market enterprises must deliver an omni-channel – voice, chat, video, IVR, natural language, bot – customer support experience in their contact centers, inbound/outbound sales and service operations. For many businesses, these solutions are mission critical to their customer relationships and business success. Prior to the cloud, sophisticated contact center solutions that went beyond basic routing and reporting were very expensive and difficult to manage and keep current. The cloud makes the most advanced contact center technologies accessible to businesses of all sizes without the capital investment and operational complexity.

5. Improve business performance and competitiveness – As the Harvard Business School study demonstrates, organizations’ financial performance and business outcomes are vastly improved through strategic digital transformation. Successful transformation projects focus on cost reductions, process improvements, adding organizational agility to respond rapidly to changing environments, and one-to-one, team and customer collaboration.

Up until now, the mid-market segment has been slower to implement cloud collaboration transformation strategies, due to the complexity of their transformation journeys and the lack of maturity in cloud solutions. That limit no longer exists. Webex Calling now allows mid-market customers to replace their PBXs and deploy cloud calling and collaboration with confidence, with a proven enterprise platform that is already serving 29 million business users worldwide. Are you ready to take the next step?

Talk to Cisco.

Figure 3 – Five reasons mid-market organizations must implement cognitive collaboration transformations


Thursday, 23 May 2019

What Your Collaboration Strategy Is Missing


Why your new collaboration technology isn’t catching on as you expected


When organizations want to update their collaboration technologies, IT departments spend weeks, sometimes months, focusing on the right products that will help their company meet their goals. They rigorously check requirements, ensure all the right specs are in place, and carefully configure the new technology before making it available to end users. Everything goes as planned. Yet three months in, management is wondering why no one is using the new technology. Sound familiar?

Most new collaboration investments fail to reach their full potential not because of the technology itself but rather because of how it’s introduced to its end users. People often don’t like change, even if it’s for their own benefit. So, when a new technology is introduced, people tend to stick with what they know and what they are comfortable with. They also might not want to learn new things and can be hard to convince. Or they might not feel compelled to use the new technology if they don’t see their colleagues using it as well.

All these reactions are normal. But the good news is, there are several things you can do to help your teams in the process:

◈ First, involve executives early in using the new technology. Set up some time for them to interact with the technology, then walk them through some best practices so they feel more comfortable using and promoting it.

◈ Second, focus on raising awareness throughout the organization via marketing and communication. Good ideas include:

     ◈ Posters in hallways (clearly visible to support organizational change)
     ◈ Internal forums to help answer questions
     ◈ How-to videos that help users get acquainted or that help solve basic issues
     ◈ Quick reference guides and recorded trainings that help answer “What’s in it for me?”
     ◈ Language specific material so people can learn best in their native language

◈ Finally, set up some hands-on training options before the rollout and some support desks afterwards, so users know that any questions they have will be answered.

Infographics and engaging posters that match your company’s colors and brand guidelines, such as the images above, are two good ways to raise awareness throughout your organization.

Learning how to facilitate a change management approach for your organization is no easy task. However, it is a crucial element in establishing buy-in and usage for your new collaboration technology. The question is, are you willing to champion these kinds of actions for your organization?

Help is here if you need it


If you’re unsure about committing yourself to the extra work, there are other ways you can ensure your organization adapts properly to a new technology change. Cisco offers many different options that could potentially aid you in finding the perfect fit – from basic insights to expert advice and assistance.

One of the most common, initial customer introductions is from Cisco’s Customer Success (CS) team. Here, Customer Success managers help guide you to understand your technology further, based on agreed upon capabilities, licenses, features, services, and bundles. They also help monitor your adoption progress and better measure the impact to your organization.

Another available option is Cisco’s User Solution Empowerment (USE) Adoption services. USE is another, yet less familiar, alternative that can help your employees adopt collaboration technologies with greater speed and effectiveness through a change management approach. With access to customized processes, materials, and techniques from Prosci Certified Change Management Professionals, you can directly influence and improve:

◈ User behavior
◈ Product and technology use
◈ Organizational adoption
◈ Business processes and workflows

Simply introducing a collaboration technology to someone and getting their feedback on how you can help raise awareness is a great way to lower anxiety among those who are unsure about a new technology change.

One of the main differences between CS and USE is that CS is usually complimentary for new customers whereas USE is an add-on service that requires an additional investment. To articulate the difference more easily, let’s look at a quick example of a USE engagement.

A major retail banking customer was experiencing lower-than-expected usage in its Webex Meetings solution. Consequently, it invested in USE Adoption services to better train, educate, and encourage end users to collaborate easily through the technology.

The USE team ended up creating a global training strategy that included:

◈ A detailed marketing & communications plan to create awareness through:

     ◈ Executive sponsorship and communication
     ◈ Digital signage on the company website
     ◈ Company-branded posters throughout hallways and elevators

◈ 25 instructor-led sessions tailored specifically at helping event managers, help desk trainers, and administrative professionals best use Webex Meetings

◈ Multiple training recordings for all users, so users can access learning material at any time

◈ Custom educational reference guides created in four languages (English, Portuguese, Spanish, and French), so users could maximize their learning by understanding best practices in their native language

Through this material, the company was able to reach thousands of employees over seven months. With the necessary resources in place to help them use the technology more, over 1,800 users were trained during that span. Additionally, the company saw a 12-times increase in the number of registered Webex Meetings and active hosts conducting meetings.

What to do next?


As shown above, one of the most fundamental elements of successful adoption is a good change management approach. A proper one includes influential factors such as executive sponsorship, live training, user segmentation, and awareness throughout the organization. Each has its own specific purpose in influencing change, whether it be awareness, social proof, or even physical usage.

Think of ways you can approach executives to get their buy-in. Coffee breaks, for instance, might be an effective method for those who are busy and constantly on-the-go.

If you’re considering improving your adoption rate on your own, consider how you can broaden your approach beyond simple recordings and PDFs. Who has access to influence upper management? Who’s a good teacher and can volunteer to lead hour-long classes? Who can start a forum on the topic to answer questions and spark conversations? Who’s good at marketing? Think through creative ways you can get your teams involved, because without them, users can feel “left on their own” and even frustrated with the new technology. Or they might not understand how important it is to use.

Wednesday, 22 May 2019

How to Get On the Road to Cloud Calling Success

A Road to Somewhere


Taking your business to a cloud calling model can sometimes feel like starting out on a long, cross-country drive without a map, a clear destination or a timeline. There are so many options that it is hard to navigate. That’s why many businesses get lost along the way and lose heart.


It doesn’t have to be that way. Getting your business to a bright cloud communications and collaboration future can be a much more predictable and enjoyable experience.

Elevation Gain


The move to the cloud is picking up pace. Market statistics show global annual growth rates in the 15-20% range, with even higher growth as you move into market segments above 100 users. Leading analysts are predicting as many as 90% of IT leaders will no longer buy new on-premises PBX or unified communications equipment beyond 2021.

The growth in cloud calling is happening for some very clear reasons. Technology innovation cycles are faster for cloud services, which can now deliver a richer feature set that’s more tightly integrated with other important cloud business services, like Office 365, G Suite, Salesforce, and others. Cloud can also offer distinct advantages in scalability, reliability and even security.

Roadblocks


So where’s the difficulty? Well, not all cloud services are alike. Most vendors offer only one pathway to the cloud. These vendors might provide multiple feature packages, but the cloud migration is an all-or-nothing, one-size-fits-all proposition. They aren’t really offering you a pathway that respects your business strategy and any current depreciable investments in licensing, phones and equipment you may have. This creates a major disconnect.

Course Correction


Because Cisco is the leader and pioneer in both on-premises PBX systems, as well as cloud PBX services, we can offer a much more practical, business-friendly transition to the cloud, at any pace that makes sense for your business.

With Cisco, your cloud journey starts with a Cisco partner taking the time to understand your strategy, locations, workforce, communication patterns, and infrastructure. This provides the background to work out a transition timeline and technology path that meets your business objectives and will serve your business well going forward.

Navigation Support


First, it’s important to understand where you want to end up. Will you be moving your entire business to the cloud, or are there certain sites or functions that will continue to use on-premises systems for the foreseeable future? This early discussion of the end-game will help define which Cisco calling platforms will be the best fit for your business future.

Then together we plan your transition by identifying a set of logical phases for cloud adoption. It may be based on sites, regions, workgroups, or any combination thereof. We have found the best transition plan involves a three-step approach defined as cap, surround, migrate.

Cap is where you define the limit for any future spending for on-premises PBX systems. We identify this demarcation point during the pre-planning process.

Surround is where you begin, as soon as possible, to surround your people and processes with rich Webex collaboration capabilities, added to their calling, meetings and team interactions, all delivered from the cloud.

Migrate is where group-by-group, team-by-team, or site-by-site you begin to move your people away from on-premises systems to their new cloud service.

Vehicle Protection (or Predictable Cost)


As you transition your business to the Cisco cloud, we protect your investment with Cisco in a number of ways. Most Cisco IP phones purchased to run on Cisco Unified Communications Manager (UCM) in the past few years become Cisco cloud ready with just a firmware change. Another area of savings: when you purchase your UCM licenses through the Cisco Collaboration Flex Plan, you either pay for UC licenses on a subscription model or receive trade-in credits to apply when you choose to migrate those licenses to the Cisco cloud. Either way, you save money.

Cisco cloud calling platforms make it simple to transition to the cloud, by site or by user, while keeping everybody connected, with common dial plans and directories. Our unique portfolio enables us to deliver an exceptional collaboration experience, with calling, meetings, teams, contact center and devices all intelligently integrated for better performance.

Cisco Webex Calling is a great solution for mid-sized to large enterprises looking for a simple cloud transition. For businesses that require a more customized approach, Cisco Hosted Collaboration Solution (HCS) is an excellent option. And with Cisco you can choose to purchase from any of our qualified cloud channel partners, which include over 600 leading service provider and VAR channel partners around the world.

Safe Arrival


As you can see, Cisco has put in the work and planning that enables you to select a cloud PBX journey designed to serve your specific business needs, rather than try to force you into a one-size-fits-nobody arrangement. You have the freedom to choose your speed, select the technology course that’s right for your business, and the Cisco partner best suited to serve as navigator for your journey. We’ve even made sure you get the most out of your investment in your current calling vehicle (phones and licenses) along the way.

Tuesday, 21 May 2019

Announcing the Availability of the Dual-Rate 10/25G Long Reach Transceiver Module

We’re excited to release a new addition to our portfolio of dual-rate pluggable transceivers: The 10/25G LR (Long Reach) SFP28 transceiver module, also known as SFP-10/25G-LR-S. Here’s some info about the new product that you may be wondering about.

What is the SFP-10/25G-LR-S?


The SFP-10/25G-LR-S is an SFP (Small Form Factor), dual-rate (10GE and 25GE), Long Reach (LR) transceiver for SMF (Single Mode Fiber) applications. The transceiver enables high-speed connectivity between platforms that accept SFP28s at distances of up to 10 km (~6.2 miles) with appropriate software support.


SFP-10/25G-LR Applications


SFP-10/25G-LR transceivers are needed in an assortment of applications including Enterprise, Data Center and Service Provider networks where 25G (and 10G) Ethernet is transmitted over SMF.

For Enterprise applications the SFP-10/25G-LR is used in the Intra-Building Backbone to connect Wiring Closet switches to Distribution switches, and in the Inter-Building Backbone to connect Distribution switches to enterprise core switches and routers.


For Data Center applications the SFP-10/25G-LR is used to connect Top of Rack (ToR), Middle of Row (MoR) or End of Row (EoR) switches to Servers, or to connect ToR, MoR and EoR switches to Leaf switches.


For Service Provider applications the SFP-10/25G-LR is used to connect the Service Provider Edge Routers in their Central Offices to their customers’ routers or Node switches.


Cisco platforms that support the SFP-10/25G-LR-S


The SFP-10/25G-LR-S is supported in a wide variety of Cisco platforms including Catalyst switches, Nexus switches, NCS routers and UCS platforms.


Other 25G transceivers available from Cisco


Cisco has a complete family of 25G transceivers including SMF & MMF (Multi Mode Fiber) transceivers, DAC (Direct Attached Cables) and AOC (Active Optical Cables) for a multitude of applications.


Monday, 20 May 2019

Cisco AMP for Endpoints excelling in AV Comparatives Business Main Test Series

AV-Comparatives has long been the benchmark of third-party testing in the endpoint security space. This year, for the first time ever, AMP for Endpoints participated in AV-Comparatives malware testing. The Business Main Test Series was broken up into two main sections: the Malware Protection Test and the Business Real-World Protection Test.


While the full report will be released in July, AV-Comparatives released a short fact sheet today. Because the test is only partially completed, the results will continue to vary, but Cisco AMP for Endpoints expects to maintain consistently high scores.

Overview


First, let’s give the brief facts behind the Business Main Test Series:

◈ 19 products are participating
◈ All products tested on a Windows 10 RS5 64-bit
◈ All vendors were allowed to configure their products
◈ Cloud and PUA detection activated in all products

Given these parameters, the 19 products will participate in a four-month test culminating in July. At this midpoint, however, the products have participated in the two aforementioned tests.

Malware Protection Test 


In this test, the products were tested with 1,311 different malware samples. Based on criteria defined by AV-Comparatives in their report, the products were given parameters to detect the malware samples.

So far, AMP for Endpoints is one of eight products to have a malware protection rate of 99.8% or higher. In addition to this extremely high detection rate, AMP for Endpoints registered 0 false alarms on common business software.


AV-Comparatives also performed tests on non-business software. This will not affect the final “Approved Business Product” rating they deliver, but the results are notable, as they help to demonstrate how well a product can really delineate between good and bad. Cisco AMP for Endpoints was granted the highest rating of “very low,” which denotes 0-5 false positives on non-business software.

Cisco AMP for Endpoints consistently pledges to deliver elite threat detection, investigation, and response. The 99.8% malware protection rate so far highlights Cisco AMP for Endpoints’ ability to deliver on that pledge. At the same time, the low number of false positives shows that Cisco AMP for Endpoints does not need to bog down IT professionals with useless alerts, allowing them to focus on what’s really important.

Real-World Protection Test


Over the course of two months, the products encountered 389 test cases. Of the 389 test cases, Cisco AMP for Endpoints has blocked all but three while producing ZERO false alarms, resulting in a 99.2% protection rate so far. Cisco AMP for Endpoints is one of only three products to have zero false alarms. Others have already flagged up to 18 false alarms.

Saturday, 18 May 2019

Artificial Intelligence Partner Opportunity

A short time ago I had the opportunity to participate in the AI Partner and Customer events that we had in our Innovation Centers in Paris, London and Berlin. The excitement and interest of both our customers and partners was palpable.


You might have seen some of the headlines in the news around Artificial Intelligence (AI) and Machine Learning (ML) and how, in the US, the European Union and Asia, many countries are increasing their public and private investment in this field. AI is present everywhere nowadays, from a simple semantic search on the internet to some of the latest self-driving vehicles already available in many places. It is expected that by the year 2022 worldwide spending on AI systems will reach 78 billion US dollars and that spending on AI servers will grow from 5 billion to 18 billion US dollars. These figures alone represent a substantial opportunity for Cisco and for our Partners.

Another interesting learning from these events was that, contrary to what most people might think, a larger percentage of Machine Learning deployments are deployed on-premises as opposed to in the cloud. This poses an immediate opportunity for Cisco and our partners in terms of supporting our customers with their initial deployments in their own Data Centers. There are some intrinsic benefits to deploying ML on-premises, among them data gravity integration and application performance, governance and TCO (Total Cost of Ownership), while cloud deployments provide faster deployment and simplicity.

An AI/ML solution requires multidisciplinary skills and deep collaboration between different stakeholders, including Data Scientists and Data Engineers, the CIO and the different business leaders, as well as the IT team. Without all these different teams working together toward a common and joint objective, a successful deployment would be really difficult to realize.

The Cisco AI/ML offering focuses on Full Data Life Cycle, Simplicity, and Manageability and includes:

◈ A full portfolio for all AI/ML computing needs.
◈ Validated solutions with technology partners
◈ Natural extension of existing computing environment

The Cisco AI/ML Architecture includes UCS (Unified Computing Systems) Servers, Cisco Infrastructure Management and Cisco Networking Solutions that power a Virtualization Layer, a Converged Infrastructure for AI and Big Data Clusters which in turn sustain the AI/ML Software platforms which eventually provide the business outcomes that AI delivers. This Architecture helps to bridge the gap between IT and the Data Scientists.

There are some real use-case examples that were highlighted in these AI events which I found quite relevant and that our partners can leverage to initiate the discussion with their customers. Some of them include:

Banking

◈ Customer-Centric Marketing
◈ Product recommendation
◈ Experience personalization
◈ Attrition prediction

Operations

◈ Improve customer experience
◈ Predicting Failures
◈ Automatically Position Spares at Depots
◈ Optimizing Supply Chain and Customer Experience

Auto

◈ Autonomous Vehicle Simulations
◈ Complex simulation modelling
◈ Massive storage requirements
◈ High volume data inputs

AI/ML can also help resolve some of the new technical challenges posed by the Internet of Things, such as:

◈ Harsh environments
◈ Hyper-scale
◈ Randomness and unpredictability
◈ Determinism
◈ Susceptibility to (even subtle) attacks

We can also make use of AI/ML to predict IoT performance, detect subtle attacks, and make the network reactive at scale, as well as for Cognitive and Predictive Analytics.

Friday, 17 May 2019

Practical Ways to Reduce Ransomware Impact: Actions You Can Take Today

During the past year, Cisco Security Incident Response Services has provided emergency incident response services for many customers dealing with incidents that sometimes become a ransomware event. In many cases, we were engaged by the company at the first sign of trouble and were able to help contain the initial incident and reduce the ability of the attacker to shift to a ransomware phase. In other incidents, we were asked to help long after the attackers were in the environment and the systems were already encrypted.

In this blog post, I will share some practical tips that our team uses with our customers to help mitigate the risk of ransomware causing a significant business outage.


Figure 1: Phases of an attack.

If we follow the standard attack lifecycle (Figure 1), the first step that we need to consider is how we would address the initial attack vector. For this blog post, let us assume the initial access vector is email (which we have observed is often the case).

Initial Attack


The first thing to consider is intelligence-based email monitoring and filtering. An example of this would be the Cisco Email Security Appliance (ESA) product which integrates Cisco Talos threat intelligence into an active email inspection platform.


ESA should be deployed to examine email both inbound to and outbound from the organization. This filtering should be tied to an intelligence feed that dynamically adds new known malicious domains, IP addresses, behavioral indicators, signatures, etc.

By itself, this will not fully protect an organization, but without it you expose your users and your environment to preventable email-based attacks. This control should create log events in the security monitoring system. These events should be reviewed regularly by a member of the monitoring team and, if possible, correlated with other events (involving the same time, internal hosts, external IP/domain, and any malware detected). The ability to also review email historically for suspicious attachments or previously unidentified malicious files is helpful for scoping and understanding the scale of the incident, and can be used for hunting if the initial detection somehow fails.

User Actions


Subsequent to the initial malicious email entering an environment, the next obvious question is “did the user open it” or “did the user click the link”? To answer these questions, we require some specific log telemetry from within the environment.


DNS logs, such as those available by using Cisco Umbrella, can be invaluable to identify if a user/IP address/device made a request related to a known suspicious domain or IP address. If there is an active incident, these logs should be examined for any requests associated with the incident. These DNS logs should be part of the overall logging environment, and the events should also be used to block and track requests to known malicious domains. Again, this should be correlated into events of interest for the monitoring team to consider. This helps us understand whether the domain was requested, but does not by itself indicate what the interaction was between the user and the destination.

To gather information on the interaction between the user and the destination, we require logs from a deployed web proxy that captures outbound web requests and their responses. Cisco Web Security Appliance (WSA) is an example of an active web proxy/filtering system, powered by Cisco Talos threat intelligence. These systems can often block or filter known malicious sites (again based on intelligence) and also retain the HTTP transaction between the user’s browser and the destination. That record helps answer what was done on the site, or what the site sent as a response. Note that for HTTPS destinations the proxy only records the request path and response content if it decrypts TLS; otherwise it sees the CONNECT to the host name and little else.

To address the question of “did the user open the file”, we recommend implementing the Windows Sysinternals System Monitor (Sysmon). Its process-creation events record which process started, with what command line, and which parent launched it, so they show, for example, an Office application opening the attachment and any child process it then spawned. Alternatively, many endpoint security tools can answer this question. Be sure to test your tools before an incident, so you know what normal activity looks like before you have to parse alerts under pressure.
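To make the correlation described in this section and in the ESA paragraph above concrete, here is an added example (not Cisco's code and not from the original post) that walks each recipient of a lure email through the stages the logs can prove: delivery from the email gateway, a DNS lookup of the lure domain, the proxy fetch, an Office process starting, and a suspicious child process spawned from it. All four log sources, their field names and every record are constructed stand-ins for ESA, Umbrella, WSA and Sysmon exports, and the mailbox-to-IP mapping is assumed to come from DHCP or logon records:

```python
"""Correlate email-gateway, DNS, web-proxy and Sysmon records for one lure domain.

Added example, not Cisco's code: the four log sources stand in for ESA, Umbrella,
WSA and Sysmon exports, and every record below is constructed. Field names are
assumptions; map them onto whatever your exports actually produce.
"""
from datetime import datetime, timedelta

LURE = "update-portal.example"   # hypothetical domain carried by the phishing mail

# Email gateway: who received a message carrying a URL on the lure domain.
EMAIL_LOG = [
    {"ts": "2019-05-20T13:02:11", "recipient": "jdoe@corp.example", "url_domain": LURE},
    {"ts": "2019-05-20T13:02:13", "recipient": "asmith@corp.example", "url_domain": LURE},
]
# Resolver logs: did the recipient's workstation look the domain up?
DNS_LOG = [
    {"ts": "2019-05-20T13:05:40", "client_ip": "10.20.5.41", "qname": LURE},
    {"ts": "2019-05-20T13:07:02", "client_ip": "10.20.5.77", "qname": "intranet.corp.example"},
]
# Web proxy: what was actually fetched, and what came back.
PROXY_LOG = [
    {"ts": "2019-05-20T13:05:41", "client_ip": "10.20.5.41", "host": LURE,
     "method": "GET", "path": "/invoice.doc", "status": 200, "content_type": "application/msword"},
]
# Sysmon event ID 1 (process create): did an Office app open, and what did it spawn?
SYSMON_LOG = [
    {"ts": "2019-05-20T13:06:05", "client_ip": "10.20.5.41", "event_id": 1, "user": "CORP\\jdoe",
     "image": r"C:\Program Files\Microsoft Office\WINWORD.EXE", "parent_image": r"C:\Windows\explorer.exe"},
    {"ts": "2019-05-20T13:06:09", "client_ip": "10.20.5.41", "event_id": 1, "user": "CORP\\jdoe",
     "image": r"C:\Windows\System32\cmd.exe", "parent_image": r"C:\Program Files\Microsoft Office\WINWORD.EXE"},
]
# Mailbox -> workstation IP at the time; in practice taken from DHCP, VPN or AD logon records.
USER_TO_IP = {"jdoe@corp.example": "10.20.5.41", "asmith@corp.example": "10.20.5.77"}

OFFICE_APPS = ("WINWORD.EXE", "EXCEL.EXE", "POWERPNT.EXE")
SUSPICIOUS_CHILDREN = ("cmd.exe", "powershell.exe", "wscript.exe", "cscript.exe", "mshta.exe", "rundll32.exe")
STAGES = ("delivered", "resolved_domain", "fetched_content", "opened_document", "spawned_child")


def _ts(rec):
    return datetime.fromisoformat(rec["ts"])


def recipient_timeline(mail, window=timedelta(hours=2)):
    """Walk one recipient through the stages the logs can prove, within `window` of delivery."""
    ip = USER_TO_IP.get(mail["recipient"])
    start, end = _ts(mail), _ts(mail) + window

    def mine(rec):
        # Only records from this recipient's workstation, after delivery and inside the window.
        return rec.get("client_ip") == ip and start <= _ts(rec) <= end

    evidence = {"delivered": [mail]}
    evidence["resolved_domain"] = [r for r in DNS_LOG if mine(r) and r["qname"] == mail["url_domain"]]
    evidence["fetched_content"] = [r for r in PROXY_LOG if mine(r) and r["host"] == mail["url_domain"]]
    evidence["opened_document"] = [r for r in SYSMON_LOG if mine(r) and r["event_id"] == 1
                                   and r["image"].upper().endswith(OFFICE_APPS)]
    evidence["spawned_child"] = [r for r in SYSMON_LOG if mine(r) and r["event_id"] == 1
                                 and r["parent_image"].upper().endswith(OFFICE_APPS)
                                 and r["image"].lower().endswith(SUSPICIOUS_CHILDREN)]
    # The furthest stage with evidence is the answer to "did the user click / open it".
    reached = [s for s in STAGES if evidence[s]]
    return {"recipient": mail["recipient"], "ip": ip, "stage": reached[-1],
            "evidence": {s: len(evidence[s]) for s in STAGES}}


def scope_incident(domain):
    """One timeline per recipient of a mail carrying `domain`, worst cases first."""
    rows = [recipient_timeline(m) for m in EMAIL_LOG if m["url_domain"] == domain]
    return sorted(rows, key=lambda r: STAGES.index(r["stage"]), reverse=True)


if __name__ == "__main__":
    for row in scope_incident(LURE):
        print(f'{row["recipient"]:<22} {row["stage"]:<16} {row["evidence"]}')
```

The table it prints is ordered worst-first: the jdoe row reaches spawned_child (Word launched cmd.exe), which is the host the monitoring team should open first, while asmith only received the message and never resolved the domain. The two-hour window and the parent/child process lists are tuning choices, not rules; widen the window for users who read mail later in the day.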

Account Compromise


Following the attack life-cycle, the next phase is account compromise: did the user provide their credentials (for example, when prompted to enter their password to access what appeared to be a legitimate company web page), or did the malware harvest cached account data from the system? This is where we recommend multi-factor authentication (MFA) as the standard for all environments.

We have frequently recommended multi-factor authentication for “high risk” accounts or for “all externally facing services”, but given current attack patterns we recommend it for all Active Directory environments. There can be technical limitations on implementing MFA for some legacy systems, legacy access types, and so on. Those exceptions should be identified and monitored very closely for unexpected activity, or isolated into separate Organizational Units or groups. This allows early detection of misuse and may limit the impact should those systems or credentials be compromised.

Another key consideration is monitoring the system used to manage multi-factor authentication. We have seen attackers attempt to take these systems offline, attempt to access them, or successfully access them and either create one-time-use passcodes or create a new account that was allowed to bypass the multi-factor requirement. These systems must be closely monitored for all access and for any modification of users or groups or creation of one-time-use codes.
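The two previous paragraphs call for an inventory of MFA exceptions and for watching the MFA platform's own audit trail. The following added example (not Cisco's code, and not any MFA vendor's API) does both over constructed data: it splits enabled accounts without MFA into approved exceptions (those sitting in a dedicated exception OU) and unapproved gaps, then raises alerts for bypass-code issuance, accounts set to bypass status, the service going down, and administrative access from outside the admin segment. The OU name, the admin subnet and the audit-event field names are assumptions:

```python
"""Find accounts outside MFA and flag risky changes on the MFA platform itself.

Added example, not Cisco's or any MFA vendor's code. The account inventory,
the exception OU name, the admin subnet and the audit-event shape are all
constructed assumptions; substitute the fields your platform actually exports.
"""
import ipaddress

# Constructed AD inventory. Approved legacy exceptions live in a dedicated OU so
# they can be monitored as a group (hypothetical OU name).
EXCEPTION_OU = "OU=MFA-Exceptions,DC=corp,DC=example"
ACCOUNTS = [
    {"sam": "jdoe",       "dn": "CN=jdoe,OU=Users,DC=corp,DC=example",               "enabled": True,  "mfa_enrolled": True},
    {"sam": "svc-backup", "dn": "CN=svc-backup,OU=MFA-Exceptions,DC=corp,DC=example", "enabled": True,  "mfa_enrolled": False},
    {"sam": "bsmith",     "dn": "CN=bsmith,OU=Users,DC=corp,DC=example",             "enabled": True,  "mfa_enrolled": False},
    {"sam": "oldtemp",    "dn": "CN=oldtemp,OU=Users,DC=corp,DC=example",            "enabled": False, "mfa_enrolled": False},
]


def mfa_gaps(accounts, exception_ou=EXCEPTION_OU):
    """Enabled accounts with no MFA enrolment, split into approved exceptions and unapproved gaps."""
    approved, unapproved = [], []
    for a in accounts:
        if not a["enabled"] or a["mfa_enrolled"]:
            continue  # disabled accounts and enrolled users are not gaps
        bucket = approved if a["dn"].upper().endswith(exception_ou.upper()) else unapproved
        bucket.append(a["sam"])
    return {"approved_exceptions": sorted(approved), "unapproved_gaps": sorted(unapproved)}


# Constructed audit trail from the MFA management console (generic field names).
ADMIN_NET = ipaddress.ip_network("10.9.1.0/24")   # hypothetical admin / jump-box segment
AUDIT = [
    {"ts": "2019-05-21T08:12:03", "actor": "mfa-admin", "action": "admin.login",        "src_ip": "10.9.1.5"},
    {"ts": "2019-05-21T08:13:40", "actor": "mfa-admin", "action": "bypass_code.create", "target": "jdoe", "src_ip": "10.9.1.5"},
    {"ts": "2019-05-21T08:15:02", "actor": "mfa-admin", "action": "user.create",        "target": "svc-sync2", "status": "bypass", "src_ip": "10.9.1.5"},
    {"ts": "2019-05-21T08:20:17", "actor": "helpdesk",  "action": "user.update",        "target": "bsmith", "status": "active", "src_ip": "10.9.1.8"},
    {"ts": "2019-05-21T22:41:55", "actor": "mfa-admin", "action": "admin.login",        "src_ip": "203.0.113.9"},
    {"ts": "2019-05-21T22:42:30", "actor": "system",    "action": "service.health",     "state": "down"},
]


def audit_alerts(events, admin_net=ADMIN_NET):
    """Return (rule, event) pairs for the changes that deserve a monitoring-team review."""
    alerts = []
    for e in events:
        action, src = e["action"], e.get("src_ip")
        if action == "bypass_code.create":
            alerts.append(("bypass_code_issued", e))
        elif action in ("user.create", "user.update") and e.get("status") == "bypass":
            alerts.append(("account_set_to_bypass", e))
        elif action == "service.health" and e.get("state") == "down":
            alerts.append(("mfa_service_down", e))
        # Administrative access is expected only from the admin segment; check it independently.
        if src and action.startswith("admin.") and ipaddress.ip_address(src) not in admin_net:
            alerts.append(("admin_access_outside_admin_net", e))
    return alerts


if __name__ == "__main__":
    print(mfa_gaps(ACCOUNTS))
    for rule, event in audit_alerts(AUDIT):
        print(f'{rule:<32} {event["ts"]} {event["actor"]} {event["action"]}')
```

Every bypass code and every account placed in bypass status is an alert here, not just a statistic, because a single such event is enough to undo MFA for the account concerned; the unapproved-gap list is the one to drive into the exception OU or into enrolment.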

Privilege Escalation


The next phase is privilege escalation. Here we recommend a multi-pronged approach, as there are multiple risks to address. The first risk is a shared local administrator password across multiple devices. This is still a very common practice in many environments, for a number of reasons.

One solution is the Microsoft Local Administrator Password Solution (LAPS), which sets a unique, periodically rotated local administrator password on each domain-joined computer and stores it in Active Directory, where only authorized principals can read it. The second risk is an attacker compromising one of the privileged accounts in the environment. If multi-factor authentication is required on these accounts this should be unlikely, but the accounts must still be monitored for misuse. The privileged groups themselves should also be monitored for modification (users added or removed, or changes to the group’s roles). These are events that should trigger alerts for evaluation by the monitoring team.
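Deploying LAPS is only half the control; the other half is checking that every host is actually enrolled and rotating, and watching the privileged groups. The added example below (not Microsoft's or Cisco's code) reads the LAPS expiry attribute, ms-Mcs-AdmPwdExpirationTime, which Active Directory stores as a Windows FILETIME (100-nanosecond ticks since 1601), and classifies each computer as ok, expired, not enrolled, or pushed beyond the policy interval; it then raises alerts for Windows security events 4728/4732/4756 (member added) and 4729/4733/4757 (member removed) against a privileged-group list. The computer objects, event records and the 30-day policy value are constructed:

```python
"""Audit LAPS coverage and alert on privileged-group membership changes.

Added example, not Microsoft's or Cisco's code. Computer objects and security
events are constructed; the attribute name ms-Mcs-AdmPwdExpirationTime and the
event IDs are the real ones, the host names, values and policy age are made up.
"""
from datetime import datetime, timedelta

FILETIME_EPOCH = datetime(1601, 1, 1)      # Windows FILETIME origin, counted in 100 ns ticks
MAX_PASSWORD_AGE = timedelta(days=30)      # rotation interval configured in LAPS policy (assumed)


def to_filetime(dt):
    """datetime -> FILETIME integer (100 ns ticks since 1601-01-01)."""
    return (dt - FILETIME_EPOCH) // timedelta(microseconds=1) * 10


def from_filetime(ft):
    """FILETIME integer -> datetime."""
    return FILETIME_EPOCH + timedelta(microseconds=ft // 10)


NOW = datetime(2019, 5, 25, 12, 0, 0)
# Constructed directory export: one dict per computer object.
COMPUTERS = [
    {"name": "WS-0541",   "ms-Mcs-AdmPwdExpirationTime": to_filetime(NOW + timedelta(days=12))},
    {"name": "WS-0702",   "ms-Mcs-AdmPwdExpirationTime": to_filetime(NOW - timedelta(days=3))},    # rotation stalled
    {"name": "SRV-FILE1", "ms-Mcs-AdmPwdExpirationTime": None},                                   # never enrolled
    {"name": "SRV-DB2",   "ms-Mcs-AdmPwdExpirationTime": to_filetime(NOW + timedelta(days=400))},  # beyond policy
]


def laps_report(computers, now=NOW, max_age=MAX_PASSWORD_AGE):
    """Classify hosts by what the LAPS expiry attribute says about password rotation."""
    report = {"ok": [], "expired": [], "not_enrolled": [], "beyond_policy": []}
    for c in computers:
        ft = c["ms-Mcs-AdmPwdExpirationTime"]
        if ft is None:
            report["not_enrolled"].append(c["name"])   # no attribute: the host still has the shared password
            continue
        expires = from_filetime(ft)
        if expires < now:
            report["expired"].append(c["name"])        # the client-side extension is not rotating
        elif expires - now > max_age:
            # An expiry far in the future means rotation was pushed out, by mistake or by an attacker.
            report["beyond_policy"].append(c["name"])
        else:
            report["ok"].append(c["name"])
    return report


# Privileged groups whose membership changes should page the monitoring team (extend as needed).
PRIVILEGED_GROUPS = {"Domain Admins", "Enterprise Admins", "Schema Admins", "Administrators",
                     "Account Operators", "Backup Operators", "DnsAdmins"}
# Security event IDs: global (4728/4729), local (4732/4733), universal (4756/4757) group changes.
MEMBER_ADDED = {4728, 4732, 4756}
MEMBER_REMOVED = {4729, 4733, 4757}

# Constructed security-log records carrying the fields those events have.
SECURITY_EVENTS = [
    {"event_id": 4728, "TargetUserName": "Domain Admins",  "MemberName": "CN=bsmith,OU=Users,DC=corp,DC=example",  "SubjectUserName": "jdoe"},
    {"event_id": 4728, "TargetUserName": "Sales",          "MemberName": "CN=ttran,OU=Users,DC=corp,DC=example",   "SubjectUserName": "hr-admin"},
    {"event_id": 4733, "TargetUserName": "Administrators", "MemberName": "CN=svc-old,OU=Svc,DC=corp,DC=example",   "SubjectUserName": "jdoe"},
]


def privileged_group_alerts(events, privileged=PRIVILEGED_GROUPS):
    """(change, group, member, actor) tuples for every add/remove on a privileged group."""
    alerts = []
    for e in events:
        if e["TargetUserName"] not in privileged:
            continue
        if e["event_id"] in MEMBER_ADDED:
            alerts.append(("member_added", e["TargetUserName"], e["MemberName"], e["SubjectUserName"]))
        elif e["event_id"] in MEMBER_REMOVED:
            alerts.append(("member_removed", e["TargetUserName"], e["MemberName"], e["SubjectUserName"]))
    return alerts


if __name__ == "__main__":
    print(laps_report(COMPUTERS))
    for alert in privileged_group_alerts(SECURITY_EVENTS):
        print(alert)
```

Hosts in not_enrolled are the ones still sharing the old password and should be treated as the highest-risk finding; beyond_policy is worth a look because the expiry can be edited directly on the computer object, and LAPS only refuses to honor an over-long expiry if the corresponding policy setting is enabled.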

Lateral Movement


Lateral movement occurs next. To detect and thwart it, we need to reduce the ability of a user account to move freely within the environment without being validated and authorized.

This can be started by reducing internal network access from the standard user segments and VPN devices. Network segmentation can be complex to implement across the entire environment, but it is often achievable to make some small restrictions using virtual LANs (VLANs) to limit which networks can reach critical segments. Privileged or administrator activity should always originate from an approved “jump box” that is hardened and monitored, with access restricted to only the users who require it. Role-based access should also be enforced: not everyone needs access to production, to the code base, or to sensitive data. Access, successful and failed, should be logged and correlated. Reducing the number and type of ports and protocols within the environment may also help to limit the spread of malware or lateral movement that expects specific capabilities, such as the Server Message Block (SMB) protocol.
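Two of the log checks this paragraph implies are easy to state precisely: a privileged account logging on remotely from anywhere other than the jump box, and any account reaching an unusual number of distinct hosts in a short time. The added example below (not Cisco's code) implements both over constructed records shaped like Windows security event 4624 (successful logon), using logon type 3 for network logons such as SMB and WMI and type 10 for RDP. The jump-box subnet, the privileged account list, the five-minute window and the four-host threshold are assumptions to tune for your environment:

```python
"""Flag privileged logons that bypass the jump box, and accounts fanning out across hosts.

Added example, not Cisco's code. Records mimic the fields of Windows security
event 4624 but are constructed; the jump-box subnet, the privileged account
list and the thresholds are assumptions.
"""
import ipaddress
from collections import defaultdict
from datetime import datetime, timedelta

JUMP_BOXES = [ipaddress.ip_network("10.9.1.0/28")]     # hardened admin hosts (hypothetical)
PRIVILEGED = {"CORP\\da-jdoe", "CORP\\svc-deploy"}      # admin accounts (hypothetical)
REMOTE_LOGON_TYPES = {3, 10}                            # 3 = network (SMB, WMI, ...), 10 = RDP

# Constructed 4624 records: domain and TargetUserName merged, IpAddress as seen by the target host.
LOGONS = [
    {"ts": "2019-05-22T09:00:05", "host": "SRV-FILE1", "account": "CORP\\da-jdoe", "logon_type": 10, "src_ip": "10.9.1.4"},
    {"ts": "2019-05-22T09:01:10", "host": "SRV-DB2",   "account": "CORP\\da-jdoe", "logon_type": 3,  "src_ip": "10.20.5.41"},
    {"ts": "2019-05-22T11:30:00", "host": "WS-0101",   "account": "CORP\\asmith",  "logon_type": 3,  "src_ip": "10.20.5.77"},
    {"ts": "2019-05-22T11:30:04", "host": "WS-0102",   "account": "CORP\\asmith",  "logon_type": 3,  "src_ip": "10.20.5.77"},
    {"ts": "2019-05-22T11:30:09", "host": "WS-0103",   "account": "CORP\\asmith",  "logon_type": 3,  "src_ip": "10.20.5.77"},
    {"ts": "2019-05-22T11:30:15", "host": "WS-0104",   "account": "CORP\\asmith",  "logon_type": 3,  "src_ip": "10.20.5.77"},
    {"ts": "2019-05-22T11:30:21", "host": "SRV-FILE1", "account": "CORP\\asmith",  "logon_type": 3,  "src_ip": "10.20.5.77"},
    {"ts": "2019-05-22T14:00:00", "host": "SRV-FILE1", "account": "CORP\\asmith",  "logon_type": 3,  "src_ip": "10.20.5.77"},
]


def _from_jump_box(ip):
    return any(ipaddress.ip_address(ip) in net for net in JUMP_BOXES)


def admin_logons_off_jumpbox(logons, privileged=PRIVILEGED):
    """Privileged remote logons that did not originate from an approved jump box."""
    return [l for l in logons
            if l["account"] in privileged
            and l["logon_type"] in REMOTE_LOGON_TYPES
            and not _from_jump_box(l["src_ip"])]


def fanout(logons, window=timedelta(minutes=5), threshold=4):
    """Accounts that reached at least `threshold` distinct hosts inside any `window`.

    Returns {account: max distinct hosts seen in one window}. A workstation user
    touching many hosts in seconds is the classic signature of an automated spread.
    """
    by_account = defaultdict(list)
    for l in sorted(logons, key=lambda l: l["ts"]):
        by_account[l["account"]].append((datetime.fromisoformat(l["ts"]), l["host"]))
    hits = {}
    for account, seq in by_account.items():
        for i, (t0, _) in enumerate(seq):
            # Sliding window anchored at each logon; hosts reached within `window` of it.
            hosts = {h for t, h in seq[i:] if t - t0 <= window}
            if len(hosts) >= threshold:
                hits[account] = max(len(hosts), hits.get(account, 0))
    return hits


if __name__ == "__main__":
    for l in admin_logons_off_jumpbox(LOGONS):
        print("admin logon off jump box:", l["account"], "->", l["host"], "from", l["src_ip"])
    for account, n in fanout(LOGONS).items():
        print("fan-out:", account, "reached", n, "hosts in one window")
```

In the sample data the domain admin's RDP session from 10.9.1.4 is fine, the network logon to SRV-DB2 from a user VLAN address is not, and asmith's five hosts in 21 seconds is the pattern that port and protocol restrictions (SMB in particular) are meant to make impossible from a standard user segment in the first place.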

Encryption of Data


The ultimate risk of a ransomware attack is in the final phase. This is when the attacker is able to encrypt critical business systems or services, causing a business outage. The impact of this outage varies based on the function of your business, your tolerance (or your customers’ tolerance) for downtime, and many other factors.

For environments with critical services that affect the life and safety of people, we strongly recommend partnering with the disaster recovery and business continuity teams to test existing plans and update them with steps that cover full data center loss via ransomware. Other questions to consider: Are your backups offline and secure from the ransomware? Does your online backup system use the same credentials as your Active Directory environment (if so, a compromised domain administrator can destroy the backups along with the data)? Has your organization practiced what a data restore would look like and how long it would take? Is the necessary hardware (or virtual capacity) available to restore your environment? Are the dependencies and other tactical considerations understood?

Take Action Today


These recommendations will help you improve your ability to detect attacks in the earlier (pre-ransomware) stages and will reduce the overall impact of a ransomware incident. You must take key preventative steps, while also readying your team to act when it strikes. If you feel you need hands-on, expert assistance, consider contacting our team – our incident responders can help you prepare your own team with proactive services and we can work alongside your team during active incidents.