Welcome to the Sentinel Blog!
We are proud to feature a carefully curated collection of articles and other content related to the most important technology topics of today and beyond. Our posts are composed and edited by Sentinel’s ALWAYS ENGAGED team of solutions architects, engineers, project managers and other subject matter experts.
The Insight Podcast, Episode 1: Security Trends and Zero Trust
The world of IT is complex, ever-evolving, and often challenging to navigate. Sentinel hopes to provide a little clarity and guidance for your organization's IT journey with The Insight Podcast! Whether you're interested in learning more about some of the latest enterprise technology innovations and trends or are simply seeking advice on the best solutions and services for a specific industry, the experts at Sentinel want to help your business achieve more and remain Always Leading!
The inaugural episode of The Insight Podcast features a conversation between Sentinel’s Chief Technology Officer Robert Keblusek and Sentinel’s National Director of Enterprise Architecture and Innovation Mark Combs. They discuss some of the current security challenges organizations are facing during the current pandemic, as well as outline the importance of Zero Trust.
Listen and subscribe to full episodes of The Insight Podcast via your favorite streaming service. New episodes will be posted every two weeks. Watch the full video from Episode 1 on the Sentinel YouTube channel. Here is an excerpt:
Do you think working from home during this pandemic will change the future outlook for businesses as they eventually return to the office?
Robert Keblusek (RK): I think it will, because what we’re seeing is a lot of our customers, ourselves included, have been surprisingly productive with the mobile workforce. So I do think it’s going to change the way that people think about working from home and productivity, along with how we secure it.
When we look at malware and phishing, just looking at our own reporting on our Umbrella dashboard, we were seeing about a 2x increase in malware and about a 3x increase in phishing. It changes week to week. Mark gets the same reports that I do, and we watch the trends. There’s definitely a change in activity. We saw some increases, especially at the start of this, and also through our incident response team. We had a number of concurrent activities going on and saw increased activity across the board, so our incident response activity was much higher.
I think that with people being mobile, you get off the network. Historically a lot of people have put a lot of technology and controls on the network, but have not paid enough attention to what happens when they’re off the network. How do we secure people when they’re out at Panera Bread? Just working mobile under normal conditions, how do we secure that? How do we enforce policy? How do we do URL filtering? How do we see that reporting? I think that has been under-purchased or under-considered, as well as the standards that go around that. Mark, I know you have been doing a lot of POCs and having a lot of conversations around these technologies.
Mark Combs (MC): In my opinion the risk has always been there, especially during COVID and other things. It’s not that the risk wasn’t there before, I think it’s just been brought to light a little bit. When you went from having 25% of your remote workforce at home to now 100%, I think people are paying a little closer attention to that. So they’re starting to see that uptick in different types of threats, which have always been there. I think that might be the silver lining in all this.
The biggest question I ask when talking to customers about security risks, evaluations, or strategies is, “How are you protecting your users or corporate assets now that they’re remote?” Everybody’s got a next-gen firewall, everybody’s got their on-premises security appliances or whatever they’re doing, but the user’s not there anymore – the users are remote. So how are we extending that, whether it’s on cloud, SD access, things like that? It’s extending that coverage to the user base.
Do you see organizations focused more on employee security training?
RK: We are seeing more conversations occurring. I have the luxury of seeing a lot of the orders come through too, and that’s an area that Dr. Mike Strnad and our Advisory team work on pretty closely from the security awareness. We’ve definitely had a lot more conversations around that, and business continuity. I would say that a lot of them are starting right now, following the initial urgency to work from home. At first it was about getting everybody connected.
Now people are circling back and asking how they can tighten things up. They’re realizing that they’re dealing with more attacks, and maybe have a few less protections in place than originally thought. That rush to work from home also increased people’s awareness of the risk. The risk was always there when people were working remote, they’re just not as security aware so their security IQ isn’t as high as it needs to be. It was minimal activity in many cases in the past, but that’s increased dramatically very quickly, and brought the awareness to the surface.
Can you tell us more about Sentinel’s Zero Trust Workshop?
MC: Zero Trust is not a product. It’s a framework. It’s a methodology. I can’t sell you “zero trust” per se. Our workshop has become really hot. On a Zero Trust Workshop, we go in with the mindset that we trust no one. I may like you, but I don’t necessarily trust you. It’s really a comprehensive review of customers’ applications, their networks, and their workforce.
You’ll hear a lot about the three pillars: the workforce, the workload, and the workplace. We’re really focusing on those areas and trying to get an idea of who’s accessing your workloads. Are your workloads in the cloud? Are you working from a hybrid network? Customers have workloads in the cloud, and they extend their VPNs into the cloud. How are the workloads being accessed? Bob mentioned business continuity. How are you backing up those workloads? We have a lot of customers with incident response and ransomware events that spread to their backups. Are your backups air gapped? How are your users accessing your network now that they’re remote? Most customers will tell me they provide access through VPN, which gets us into passwords and authentications and credentials. Do you know who is accessing your network remotely? A lot of times, the answer is no. If I ask nine out of ten customers if they require VPN to access their networks, they’ll tell me yes, but then they can’t tell me who is logged in through VPN at the moment.
Then the final piece is the workplace. Even though much of the workforce is currently remote, they’re still part of the workplace extended over VPN connectivity. What devices are they using to access the network? Are they non-corporate devices? That’s really what the workshop framework is. We dig deep into all areas of Zero Trust methodology and framework to try to poke holes or identify gaps within a customer’s security infrastructure.
RK: We have certainly seen an uptick of people buying licensing for VPNs or standing up VPNs on the fly because they never purchased enough to handle this type of a situation. But I’m finding too that working from home, I only have to access a VPN for a couple of specific applications – mostly legacy stuff. At this point Sentinel is over half SaaS applications. Even though we have CloudSelect, our own hosting centers, and sell AWS and Azure IaaS, it seems to me like less and less people have a need to VPN into the corporate data center in order to access an application because so many things have moved to SaaS. Are you seeing that in the Zero Trust Workshops too, Mark?
MC: Yeah, absolutely. That’s a good point. I was just working with a customer the other day who needed to secure their VPN and add two-factor authentication and all sorts of things, and only a small percentage of their workforce was accessing their environment over VPN. Everybody else used some type of VDI or virtual desktop solution. So I asked them why they needed VPN. If you can get rid of VPN, then you can get rid of insecure access and insecure passwords and maybe move those things to a cloud. When you start to ask those kinds of questions, it raises a lot of eyebrows and customers start to think about if they really need VPN access. So yeah, I am definitely starting to see a shift toward a VPN-less connectivity type of thing.
If you are interested in learning more about Sentinel’s FREE Zero Trust Workshop, please contact us.
Staying Secure at Home
As many organizations and workers continue to adjust the way they conduct business in the wake of the COVID-19 pandemic, security needs to remain a top priority. While it’s important to ensure everyone at your company has access to the resources required to perform their jobs on a daily basis, more often than not compromises get made in the name of convenience and the need to rapidly expand coverage to the entire workforce. Cyber criminals know this, and are trying harder than ever right now to find the weak spots in your defenses. Once they find a way in, they attack with phishing attempts, malware, ransomware, and other dangerous tools aimed at disrupting your business by stealing, deleting, or encrypting critical data. Breaches can result in a significant loss of time, money, productivity, and business reputation.
Sentinel’s Advisory Services team wants to offer a brief reminder of a couple ways you can engage with us to help ensure your employees and organization remain safe and secure while working remotely during this unprecedented time. These solutions can be deployed quickly and in a remote capacity, so you can harden your security posture while staying home and maintaining social distancing requirements.
Remote Worker Penetration Testing
Sentinel’s Remote Access PEN Test challenges an organization’s security posture from a remote worker perspective. Our expert penetration testers take on the role of one of your remote workers in order to uncover your areas of risk and help with hardening your systems as quickly as possible. We approach your systems from the standpoint of a compromised endpoint with access to your VPN, and will identify and exploit any visible holes within your security infrastructure. This will test your protection, detection, and response to a cyber threat entering your enterprise from a home worker and moving laterally to monetize the attack or steal your data. This is done without disruption and in parallel to your workers’ continued productivity.
Sentinel experts, armed with first-hand experience in your network, will provide immediate recommendations for preventing an attack. These recommendations include practical actions to swiftly secure your mobile workforce, often leveraging currently available no cost protection and detection technologies. The results will help your organization establish a preventative security approach and continued work from home productivity with a much lower risk of data exfiltration, destruction, and/or successful ransomware attack.
Compromise Assessment
Sentinel’s Compromise Assessment evaluates an organization’s security posture to determine if a breach has occurred or is actively occurring. Sentinel can determine when, where, and how a compromise occurred, and provide tactical recommendations for preventing another attack. By integrating artificial intelligence into tools and processes, Sentinel experts secure environments while swiftly identifying a compromise, resulting in a preventative security approach.
A Sentinel Compromise Assessment utilizes a methodology for identifying environmental risks, security incidents, and ongoing threat actor activity in a network environment.
The assessment identifies ongoing compromises and uncovers the malicious access and usage of the environment. The goal is to detect and stop any active security incidents quickly and quietly. The assessment is composed of three phases — with each phase more targeted — and addresses core problems such as:
+Network host and application configuration
+User account activity
+Malware and persistence mechanisms
+Command and control activity
+Data exfiltration and sabotage
Beyond these two solutions, Sentinel can also perform security assessments, vulnerability assessments, and IT security governance alignments. Additional security solutions including two-factor authentication, email security, VPN security, endpoint security, Security Operations Center (SOC) monitoring, plus managed detection and response are available and can be quickly deployed as needed. Please contact us for more information. Our COVID-19 Support Offerings page includes information on other non-security solutions that may be useful during this time, including remote connectivity, collaboration, and compute tools.
Sentinel Responds to COVID-19 Technology Challenges
As the world faces an unprecedented crisis with the COVID-19 pandemic, Sentinel wants to help ensure our customers are equipped with the proper tools to manage the many challenges associated with maintaining strong employee communication and productivity in any scenario. Today’s technology enables organizations of all types to stay connected, collaborative, and secure across platforms and locations, so you can continue to conduct business with minimal or no disruption. While many companies already have things like remote and mobile work capabilities deployed within their environments, not all systems are designed to scale out rapidly in an emergency or can handle the demands of an entire mobile workforce. If you’re at all concerned about your organization’s ability to properly function from an operational standpoint during a pandemic or other major crisis situation, or are simply interested in enhancing the work from home experience for your employees, please contact Sentinel for more information on solutions or upgrades for your business.
Here are some of Sentinel’s offerings that may help during these difficult times:
Pandemic Continuity of Operations Plan
Continuity plans serve as guides for maintaining essential business functions and services during a viral outbreak or pandemic. This plan neither replaces nor supersedes any currently approved continuity plan, but can function as a supplement to any existing continuity plan. It supplements the traditional, all-hazards continuity planning by addressing additional considerations, challenges, and elements specific to the dynamic nature of a pandemic.
Based on our tailored engagements, Sentinel offers a Pandemic Continuity of Operations Plan to help our customers quickly initiate and develop a comprehensive recovery strategy. Sentinel can also provide the guidance around IT systems readiness, collaboration tools, cloud services, and other critical IT services in support of your organization’s plan.
Remote Productivity Express Plan
Most organizations have a mobile working strategy in place, but few have the tools and capacity to handle extreme mobility demands. If the number of employees working remote instantly jumps to 100%, new challenges may emerge. Your plan (if one exists) might not execute properly, the technology required might not be available, or your system might not be able to handle all the remote workers. Security is also a major concern, as organizations often lower defenses for expediency. This may be normal and expected, but bad actors will take advantage of any opportunity to compromise your environment.
Sentinel’s productivity express services can help deliver agility for your organization and its employees. Our rapid mobility workshop features a gap analysis to determine your immediate needs, identify ideal solutions, and map to vendor promotions so you can get productive quickly.
High Capacity and Specialized Collaboration
Collaboration among branches, partners, and remote co-workers is nothing new. Solutions range from simple voice or chat to fully immersive video rooms that make people worlds apart feel like they're two feet away. However, when all your employees are trying to collaborate from home at the same time, you quickly discover the limitations of your existing capabilities. Sentinel can help with agile cloud-based offerings that can be deployed quickly for real-time communications, advanced content collaboration, and video capabilities for individuals/groups.
Sentinel offers innovative collaboration solutions for organizations of all sizes. We work with our partners to provide advanced collaboration capabilities through pay-as-you-go or extended trials of solutions from industry leaders such as Amazon Chime, Cisco WebEx, and Microsoft Teams. Sentinel's digitization experts will help align your needs with the right solution for your team. Our aim is to keep your business productive, communicating within and between organizations, and collaborating with everyone, from anywhere.
Some industries face unique collaboration challenges. Along with person-to-person and business-to-business voice, video, IM, and other collaboration essentials, additional tools are required for events, distance learning, and even telemedicine. Some solutions such as telemedicine at healthcare facilities and eLearning in K-12 schools have been available for years but have lacked proper funding and adoption. Sentinel can provide the design, implementation, and support services combined with solutions from our partners to increase your capacity and capabilities in a matter of days if required.
Connect From Anywhere
During a crisis, it is important that all workers have the ability to immediately access critical applications from anywhere. Your current capabilities may only require an expansion of capacity for internet and VPN, or your situation might be more complicated and require services such as emergency virtual desktops. If your organization doesn't have a mobile workforce plan, company-issued laptops, and regular mobility testing for all workers, you may encounter challenges when working remotely. Sentinel wants to help ensure your employees can connect and compute quickly and securely from anywhere during critical situations.
Sentinel has the proven ability to assist customers with mobile devices and laptop imaging as well as delivering on demand, public cloud-based virtual desktop services from our partners at Amazon and Microsoft. Traditional VDI solutions require large hardware purchases, long design cycles, and on-site installation, which can take months or years in addition to being quite costly. Sentinel’s cloud compute now services connect you with an architect to engineer a solution for your network and users. We have quick turnaround plans able to deliver compute on demand (VDI) services in a few weeks or less. These proof of concept services for cloud virtual compute can support nearly every device your users have, and include trial periods of up to 90 days.
Stay Secure Everywhere
While the health of your workers remains a top priority, don't forget about the health of your systems. Your organization needs to consider cyber security when rushing to provide remote capabilities for a large portion of your staff in short timeframes. Sentinel provides solutions across all areas of the NIST cyber security framework. Our Advisory consultants can assist in creating a “work from home” security policy. Protection, detection, and response are provided via technologies from Sentinel’s partnerships with global security leaders. Also, in the unfortunate event that your organization experiences a security breach, Sentinel Incident Response Services stand ready to help you recover critical assets to minimize both business loss and damage to your reputation.
Sentinel cyber security experts stand ready to assist you in defining a mobile cyber security strategy now. Leverage our experts and proven experience in creating a mobile strategy to support your work from home initiatives to meet immediate challenges and your long-term mobile workforce needs.
If you are interested in learning more about any of the solutions outlined above, please contact Sentinel for additional information. We hope that you stay safe and healthy during this unprecedented and difficult time, and look forward to assisting with your technology needs today and in the future.
Sentinel Helps A Financial Institution Achieve Dividends With Customer Care Technology
A financial institution was having issues with their aging and scrambled Cisco customer contact center platform. Their dated Cisco collaboration environment had been in place for well over a decade. Over that time, the customer had worked with multiple vendors/partners on a variety of tasks, including upgrades, additions, and process changes. The revolving door of management, team members, and partners also created a situation where critical information about the system as well as key operational details were not passed along to the next people to take over those roles.
The organization was also struggling to define attainable and measurable business objectives in order to address concerns about customer satisfaction and improve efficiencies surrounding customer interactions.
Sentinel decided to work with the customer to address their system issues in a proactive and holistic manner, rather than waiting for individual problems to arise and handling them one by one. This would enable the business units to focus their energy on clearly defining the objectives of the organization and mapping them to the appropriate features and technologies. We recommended Sentinel’s Advisory Services to help.
Sentinel’s Advisory Services engaged with the customer through a workshop format. Key members of management and staff gathered in a non-technical environment to assess all of the relevant items, topics, and issues, then assigned them each a priority level based on importance, relevance, and measurability. They defined goals and objectives, made a list of all the elements required to complete them, and established a solutions summary with detailed recommendations and next steps.
This was a multi-phased methodology that ensured the goals developed for management were “specific, measurable, achievable, relevant, and time-bound”. The strategic plan encompassed functional requirements, solution costs, action/activity timelines, and their expected impact.
The key goals included (but weren’t limited to):
+Address the growing number of customers asking for multiple ways/platforms to interact with the organization (omni-channel)
+Establish self-service capabilities for customers
+Reduce call abandonment rate
+Develop more accurate activity awareness metrics
+Improve reporting and data collection
+Provide the administration with change capabilities outside of IT
+Strengthen call capacity management
+Install call recording features and other capabilities
+Use agent skills routing to improve service call quality and efficiency
The organization faced a number of different challenges and roadblocks while working toward their goals, such as:
+Additional Employee Training
+Lack of Support
+Securing the Proper Budget/Funding
+Incompatible Policies and Processes
+Convincing Employees to Accept New Methods/Systemic Changes
+Under Staffing and Deficient Skillsets
Once the customer’s business goals and objectives were clearly defined, Sentinel provided solutions to address, fix, change, remediate, delete, add, and track activity using metrics. Solutions included a reduction in configuration complexities, native feature configurations, and new products, as well as customizations for scripting, reporting, and training.
Through the collaboration workshop created by Sentinel’s Advisory Services for this customer’s situation, we were able to not only save their current investment, but build upon it. Their faith and comfort grew as they learned new skills and became reacquainted with the refreshed systems in their environment. It helped them to gain a better perspective and understand how their own business processes map to the technology.
The customer’s systems were essentially “cleaned up” and realigned according to industry best practices and configurations. These routing efficiencies and standardizations improved performance and gave administrators a better understanding of the tools and solutions within their corporate environment.
The customer also gained a stronger understanding of metrics and reporting, which enabled them to gather and track data for historical significance and the measurement of key performance indicators.
About Sentinel Collaboration Advisory Services™
There are two methods by which Sentinel will engage in an advisory effort: “strategic” and “tactical”.
The strategic assessment approach aligns organizational goals and objectives with technology recommendations. Sentinel will meet with key organization stakeholders to gain insight into current challenges as well as future initiatives. This process will provide guidance for the analysis and recommendation phases of the engagement. Sentinel will gather information about the current technology area (e.g. collaboration): infrastructure, topology, devices, and configuration, and review it for technical best practice adherence and alignment with organizational goals. A prioritized list of recommendations will be presented to the organization and linked to the key initiatives defined in the prior phases.
The tactical assessment approach does not consider overall organizational goals and objectives and is meant to serve as a focused “immediate fix” set of recommendations. Sentinel will gather information about the current technology area (e.g. collaboration): infrastructure, topology, devices, and configuration, and review it for technical best practice. A prioritized list of recommendations will be presented to the organization for review.
The goals of these assessments are to provide comprehensive analysis and an objective review of the current implementation, along with insights into any future changes that should be made.
Sentinel Uses AWS to Develop a Cisco Jabber Messenger Migration Tool
When you are faced with complex business challenges, public cloud providers can offer a number of different paths to a solution. These solutions frequently need to be tailored to your organization's specific use case, but can also focus on required features alone to provide faster if less elegant resolutions to your issues.
Sentinel recently utilized multiple AWS cloud services to demonstrate these possibilities. In this particular case, the business needed to migrate the contacts from hundreds of Cisco Jabber Messenger users to On-Premises Jabber services before the legacy messenger service was deprecated. This was phase one in a multi-phase migration to Cisco's WebEx Teams platform. Utilizing the application programming interfaces of both platforms, the Sentinel team developed a solution that provided a seamless user experience throughout the migration. Here are the technical details surrounding how we built the architecture and arranged the configuration.
The user interface for the tool was a single page web application, written in Angular. The "web server" was an S3 bucket with HTTP access enabled. Although there was no direct communication between the client and the server, CloudFront was used to provide a friendly HTTPS point of access. After the single page application was loaded by the client, all further I/O was through API Gateway.
The application prompts used a wizard-style approach to walk users through the migration process. The first step was for each user to enter their WebEx credentials, which were passed to the API Gateway (backed by a Lambda function). The Lambda function returned either a failure to authenticate or a list of contacts from WebEx. The next step was to enter Sentinel credentials for the IMP server, which were also passed to the API Gateway and a Lambda function. Once again, the Lambda function returned either a failure or a list of contacts.
With regard to the Lambda implementation, it is worth noting that there was a bug that prevented the IMP API from providing a list of contacts (the API result was successful but the list was always empty). To work around this problem, the Lambda functions created a Jabber-like client, then connected to WebEx and IMP using the native protocol (XMPP), allowing it to get a full contact list that way. A client was created dynamically in each Lambda invocation and destroyed when the Lambda function exited.
The single page web application then performed a "diff" between the two contact lists, calculating the changes that were needed – contact additions or modifications needed to put the IMP server in sync with WebEx. As the next step in the wizard process, the SPA sent the desired changes to another Lambda function (via API Gateway), which connected to Sentinel's IMP server and made the necessary changes.
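The roster "diff" step described above, as an added JavaScript example (the language of the single page application) that is not Sentinel's tool code. The contact schema (jid, displayName, groups) and the case-insensitive JID comparison are assumptions; it goes slightly beyond the post by also reporting IMP-only contacts that are left untouched and by including a pure apply step to verify that the computed plan is complete:

```javascript
// Added example, not code from the Sentinel migration tool: the roster "diff"
// step of the wizard. WebEx is the source of truth; the result lists contacts to
// add to IMP and existing IMP contacts whose fields must change. Contacts that
// exist only on IMP are reported but left alone, matching the post, which
// describes additions and modifications only. The contact schema
// (jid, displayName, groups) is an assumption; the post does not give one.

// Constructed sample rosters, as the two Lambda functions might return them.
const WEBEX_CONTACTS = [
  { jid: "alice@example.com", displayName: "Alice Adams", groups: ["Engineering"] },
  { jid: "bob@example.com",   displayName: "Bob Brown",   groups: ["Sales", "Leads"] },
  { jid: "carol@example.com", displayName: "Carol Chen",  groups: ["Engineering"] },
];
const IMP_CONTACTS = [
  { jid: "alice@example.com", displayName: "Alice Adams", groups: ["Engineering"] },
  { jid: "Bob@Example.com",   displayName: "Bobby",       groups: ["Sales"] },
  { jid: "dave@example.com",  displayName: "Dave Diaz",   groups: [] },
];

// Bare JIDs are compared after lower-casing (XMPP addresses are case-mapped), and
// a resource suffix such as "/desktop" is dropped so one person is not counted
// twice. Treating the whole address as case-insensitive is the choice made here.
function normalizeJid(jid) {
  return jid.split("/")[0].trim().toLowerCase();
}

// Canonical form of a contact so two entries can be compared field by field.
function canonical(contact) {
  return {
    jid: normalizeJid(contact.jid),
    displayName: (contact.displayName || "").trim(),
    groups: [...new Set((contact.groups || []).map((g) => g.trim()))].sort(),
  };
}

function sameGroups(a, b) {
  return a.length === b.length && a.every((g, i) => g === b[i]);
}

// Returns { add, modify, untouched }. Each `modify` entry carries the normalized
// jid plus only the fields that differ, which is all the apply step needs.
function diffRosters(source, target) {
  const targetByJid = new Map(target.map((c) => [normalizeJid(c.jid), canonical(c)]));
  const add = [];
  const modify = [];
  const seen = new Set();

  for (const raw of source) {
    const want = canonical(raw);
    seen.add(want.jid);
    const have = targetByJid.get(want.jid);
    if (!have) {
      add.push(want);
      continue;
    }
    const changes = {};
    if (want.displayName !== have.displayName) changes.displayName = want.displayName;
    if (!sameGroups(want.groups, have.groups)) changes.groups = want.groups;
    if (Object.keys(changes).length > 0) modify.push({ jid: want.jid, changes });
  }

  const untouched = [...targetByJid.keys()].filter((jid) => !seen.has(jid));
  return { add, modify, untouched };
}

// Pure model of what the third Lambda does to the IMP roster. Used to check the
// plan is complete: applying it and diffing again must yield no further changes.
function applyChanges(target, { add, modify }) {
  const result = new Map(target.map((c) => [normalizeJid(c.jid), canonical(c)]));
  for (const c of add) result.set(c.jid, c);
  for (const { jid, changes } of modify) result.set(jid, { ...result.get(jid), ...changes });
  return [...result.values()];
}

const plan = diffRosters(WEBEX_CONTACTS, IMP_CONTACTS);
console.log(JSON.stringify(plan, null, 2));
```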
As for visibility, API Gateway and all Lambda functions used X-Ray to view the interaction between AWS services. Real-time service activity was stored in CloudWatch via log groups, and a log of all user activity was stored in DynamoDB programmatically. The DynamoDB table allowed for identification of users that had not yet performed authentication or attempted to use invalid credentials, along with other useful information to aid in user troubleshooting. It also had a table to track outages (such as if WebEx or Sentinel's IMP server were unavailable) so that email notifications could be sent (and then suppressed for a time period).
AWS services that were leveraged in building this solution:
+ S3 – web server and location of web files
+ API Gateway – provided an HTTPS REST API endpoint for the single page app communication
+ Lambda – provided the logic for the REST API
+ CloudFront – provided HTTPS termination for the REST API
+ Route 53 – provided an alias to the S3 bucket so that users had a friendly name that ended in "sentinel.com"
+ CloudWatch – location of logs for Lambda functions
+ X-Ray – tracing was enabled for the API Gateway and all Lambda functions, providing end-to-end visibility
+ DynamoDB – tables for user activity logs and service state tracking
If you are interested in learning more about AWS and how it can be used to develop tools and applications for your organization, please contact Sentinel for additional information.
Sentinel's Spring 2020 Event Calendar
While it’s not technically spring quite yet, the weather is starting to warm up and so is Sentinel’s event calendar! We love hosting events, because it gives us an excuse to interact with our customers and talk about some of the great new innovations and technologies designed to enhance and protect the workplace. There are a few exciting things happening over the coming weeks and months across all Sentinel locations, so take a look at the summaries below and register to attend if you’re in the area or interested in learning more!
March 5 – Incident Response and Steak to Go
Here’s a great opportunity to learn a bit more about the latest incident response solutions and techniques from the experts at Cylance, while also taking home a delicious meal. Sentinel’s Denver office will be hosting a special workshop at Elway’s on Thursday, March 5th, where you’ll get an in-depth look at tools that assist in preventing, detecting, and responding to security incidents. That includes CylanceOPTICS, which pushes all detection and response decisions down to the endpoint, thereby eliminating response latency and preventing threats from becoming widespread across the entire enterprise. Light appetizers and drinks will also be served, and on the way out the door those in attendance will get a boxed up delicious steak dinner to enjoy at home.
March 6 – School Safety Program Webinar
In case you weren’t already aware, the Michigan State Police have created a $10 million statewide competitive grant program designed to fund security improvements at K-12 schools. This money can be used for purchases such as new security cameras, panic buttons, or mass notification systems designed to keep students, teachers, and other staff aware of incidents and potentially dangerous situations. We’ll be hosting a webinar on Friday, March 6th to detail the School Safety Program and highlight how Sentinel can help throughout the process, from writing a strong grant proposal to the purchase and deployment of new security technology throughout your environment.
March 17 – Enhanced 911 Webinar
A new law passed by the State of Michigan last year significantly tightens the Enhanced 911 (E911) requirements for organizations operating multi-line telephone systems (MLTS) or private branch exchange (PBX) phone systems. Once the new law goes into effect in the coming months, enterprise organizations will need to provide 911 dispatchers with detailed caller and location information so they can ensure first responders reach emergency situations as fast as possible. Sentinel will be hosting a highly informative webinar on Tuesday, March 17th with the experts from E911 provider RedSky, who will detail the new regulations and offer solutions to help organizations achieve compliance in a timely fashion.
April 2 – Security and Sunglasses
Sentinel customers in Wisconsin have the opportunity to learn about the latest security solutions and trends when we host a fun event with Cisco at the Sunglass Hut location in Mayfair Mall on Thursday, April 2nd. Experts will be on hand for some friendly discussions about the security challenges many organizations are facing today, and the best steps to take so your company can properly defend itself against even the most sophisticated attacks. This is also a great opportunity to network, meet some of the Sentinel team, enjoy some light appetizers and drinks, plus check out some cool sunglasses!
We’ve got plenty more events currently being planned for later this year, and are excited to share them with you as they are announced. If you’re curious about any Sentinel events that might be happening in your area, please keep an eye on our Events page for the latest updates!
Sentinel Loves Technology
At Sentinel, technology is our specialty and our passion. After more than 35 years of working in and evolving with the IT industry, we’re still as in love with it as we were on day one – maybe even more so. We also love our customers. Sentinel wouldn’t exist without them! In honor of Valentine’s Day this week, we asked some staff members to share what sparks their passion for technology. Here are some of their answers, which ranged from funny to profound to deeply personal.
“My favorite thing about technology is that there’s always something fresh and exciting happening. Whether it’s a brand new solution or a major upgrade to an old one, I’m never bored and remain eager to see where things will go next.”
-Geoff, Solutions Architect
“The diversity in tech is pretty incredible. There are more products out there than ever before, and every one is built to fill a particular need. And because Sentinel has so many offerings I feel like I’m never at a loss for things to talk about with customers, from advisory to cloud to security to staffing to storage, and on and on and on…”
-Chris, Sales Executive
“The people who work in tech are certainly a special breed. I mean that in the best way! I’ve met some life-long friends because of this job, some of them co-workers, some of them partners, and some of them customers. So many great people at this company and in this industry in general.”
-Mike, Sales Executive
“I love technology because I’m always learning something new. People rely on me for my expertise, and if I’m not keeping up with trends and innovations or exploring unfamiliar ideas I start to get restless. To put it another way, IT keeps me sane.”
-Tim, Solutions Architect
“I’m a natural helper. That’s my thing. Tech gives me the opportunity to help people all the time by providing them with solutions and services that can improve their efficiency, better connect with others, and protect them from cyber attacks. It’s both personally and professionally fulfilling.”
-Bill, Sr. Sales Executive
“Innovation! It’s a real thrill to be at the forefront of things, where you can share a brand new concept or solution with someone before most people have ever heard of it. Then you watch that thing change the IT industry or revolutionize the way that business is done. That’s a whole lot of fun.”
-Robbie, Sales Executive
“I love working in the IT industry, mostly because of the acronyms. I save an average of five to ten minutes a day saying things like "IBR" instead of Install Base Report, for example. That gives me more time with my Total Gym. And as Chuck Norris told me in an infomercial at 5AM this morning, the Total Gym can give me great physical results if I just dedicate five to ten minutes a day to various workouts.”
-Kevin, Customer Renewals
“Sentinel’s customers are the absolute best! Yes I realize this is absolutely pandering, but it’s also the truth. Their passion for technology inspires and motivates me on a daily basis. I love tech because they love tech, simple as that.”
-John, Director of Sales
Kari's Law and Enhanced 911
When an emergency occurs, it is essential to act quickly and communicate clearly with first responders. Even the most minor of delays could mean the difference between life and death. New technologies such as mass notification systems and federal legislation such as Kari’s Law aim to minimize the chance of critical issues or errors during emergency situations.
A new federal regulation known as Kari’s Law requires all organizations implementing a new multi-line telephone system (MLTS) or private branch exchange (PBX) phone system to enable direct 911 calling without first needing to dial an extra prefix to establish an outside line. For example, most enterprise businesses have phone systems where users have to press “9” (or some other code on the keypad) to get a dial tone before entering a standard area code and number. This new law means a user can dial 911 in an emergency situation and not have to worry about any other prefixes or digits, resulting in faster response times and less confusion about how to obtain help. Kari’s Law goes into effect on February 16, 2020.
The primary purpose of Enhanced 911 (E911) technology is to provide more detailed caller information to dispatchers so they can ensure first responders reach emergency situations as fast as possible. When a person calls 911, their callback number and precise location are automatically provided to the operator. This can be particularly helpful in situations where a connection gets lost or callers have trouble verbally communicating their location due to a medical emergency, handicap, dangerous situation, unfamiliarity with their surroundings, or foreign language barrier.
Many organizations that use MLTS or PBX phone systems are also large enough in size to make it difficult for emergency dispatchers to identify exactly where a 911 call is coming from. This is particularly true for businesses located within high rises or building complexes, which often share a phone system and might only display the most basic details to dispatchers such as a street address and corporate phone number without a floor/building number or the caller’s direct extension.
The specific regulations and compliance requirements for E911 vary by state, but Sentinel can help your organization provide detailed caller and location information to emergency services if it is available in your area.
Emergency Mass Notification Systems
Beyond these 911 regulations, Sentinel also wants to make it easier for organizations and schools to notify the proper personnel when an emergency occurs. Mass notification systems can send alerts to designated staff, management, security guards, or those in the building with medical training so they are immediately informed of a dangerous or emergency situation. These notification systems can be triggered through a number of different methods and devices, including when 911 is dialed from a building phone. Alerts are provided to specified people via text, email, desktop pop-up or phone, and can incorporate a feature that enables them to connect and listen to an in-progress 911 call to gain a better understanding of the situation for a more effective response.
If you are interested in learning more about mass notification systems and how they can help your organization meet emergency services compliance requirements, please contact Sentinel for additional information.
Sentinel Helps A Utility Company Restore Their Environment Following An Attack
A utility company was having issues with business workflows and production that were impacting their business connectivity. After reviewing the current state of their network, Sentinel determined that unauthorized user(s) were accessing their system via a Citrix server. This could have occurred due to stolen credentials or a brute force login attack. This type of attack not only results in unauthorized access to data, apps, and other resources, but also serves as an entry point for further attacks.
The unauthorized access impacted the company’s current backups along with an encrypted SQL server. The attacker then executed malware to disable servers and encrypt file structures.
The utility company required assistance to determine the current state of their network, to stop and remediate the current attack, and to implement additional security measures that would help identify and prevent unauthorized access to their network via Citrix or any other method moving forward. Sentinel’s incident response team provided assistance to disable the unauthorized access to the company’s network and worked to remediate the environment to a state before the attack occurred based on the customer’s backups.
It was determined that attacker(s) gained remote access to the customer’s network via a Citrix server, then used credentials from three different domain admin accounts to access other portions of the environment. The attacker(s) deleted disk-to-disk backups, disabled terminal servers, encrypted SQL servers, and executed malware, all of which significantly impacted business workflow and production. Also during Sentinel’s network security review, it was discovered that several unauthorized remote logins to the company’s Veeam proxy server had occurred via the server administrator account and were used to access the backups and network.
Resolution / Remediation
Sentinel assisted with many areas of the incident response, including providing security recommendations, securing the environment, and contributing to restorative activities.
Sentinel’s Cyber Security Engineers (SCSE) started the process by disabling the affected Citrix server and all domain admin accounts, as well as blacklisting all .exe file types in Cisco AMP (Advanced Malware Protection) to prevent the current situation from becoming worse. The current state of the network was reviewed to determine if there were additional areas where the attacker(s) would be able to reenter the network. It was discovered that the Veeam proxy server had unauthorized administrator accounts for remote logins that granted access to the backups and to the company network. SCSE disabled all VPN access until new protection methods were in place to combat the unauthorized access to the network.
Once the network was secured and infected servers / workstations cleared of any viruses / malware, SCSE started the remediation of the damaged and compromised systems. SCSE discovered the only tape backups that had not been deleted were a couple of weeks old. SCSE rebuilt the Veeam proxy server since the server was compromised during the attack. Once the Veeam proxy server rebuild had been completed, the remaining compromised or damaged servers were restored using the available backup files.
SCSE deployed Cisco AMP for Endpoint on every server to help block / prevent malware at the point of entry. Cisco AMP was also deployed to gain visibility into file and executable-level activity so malware could be removed at this level.
SCSE deployed additional security measures throughout the customer’s environment to significantly improve protection, detection, and recovery capabilities.
SCSE started by working with the company’s IT team to harden the password requirements and reset all user passwords to meet these requirements. This provided an additional level of security, so in the event of another brute force attack these more complex passwords would be tougher and take much longer to crack.
SCSE also implemented Cisco Duo for multi-factor authentication. Duo requires users to confirm their identities before granting them access to corporate applications. Controls allow the company to make application access decisions based on the user’s identity and the trustworthiness of their device(s) rather than the networks from where access originates.
Cisco Identity Services Engine (ISE) was also deployed by the SCSE to provide identity-based access control for switches, wireless, and VPN connections. The additional layer of security created by ISE enabled the organization to better determine which corporate-issued or approved outside devices should have the ability to log in to the company’s private network and which ones should be restricted to the guest-only public Internet. SCSE also implemented additional ASA firewall rules to harden access to and from the Internet.
SCSE implemented Sentinel’s Backup as a Service (BaaS) to provide air-gapped backups through Veeam. Sentinel’s BaaS enables organizations to efficiently protect, locate, and recover critical data across all types of environments and platforms so they can return to business quickly and with minimal disruption following a data loss event. Sentinel’s Security Operations Center (SOC) was also deployed to provide security monitoring and strategic security guidance. Sentinel’s 24x7x365 SOC keeps a close eye on the company’s critical infrastructure elements to ensure their sensitive data and applications remain protected and satisfy performance metrics.
The SCSE team was able to determine the state of the network during the attack and identify the penetration points used by the attacker(s). Sentinel engineers were able to disable the rogue access within the network and begin the remediation. Restoration was completed using the remaining stable backups as necessary, along with any additional updates required to secure the network. SCSE implemented multiple solutions designed to enhance the security within the network and VPN access. The final portion enabled off-site, air-gapped backups to add an extra layer of security and allow for faster and easier restoration should the network become compromised again at some point in the future.
About Sentinel SecuritySelect™
Sentinel’s SecuritySelect™ offerings are designed to handle today’s complex business and IT landscape, closely engaging with your organization to develop and implement a comprehensive security strategy suited to your company’s unique needs. Our SecuritySelect™ portfolio includes:
+Assessment and Prevention
+Security as a Service (SECaaS) via Sentinel CloudSelect™
+Security Operations Center (SOC) 24x7x365 Monitoring
+Identity Access & Endpoint Security
+Network & Perimeter Security
If you are interested in learning more about Sentinel SecuritySelect™ and how we can help protect your environment, please contact us for additional information.
Excerpt: Managing Certificates With Windows Certificate Manager and PowerShell
By Michael Soule, Sentinel Strategic Solutions Advisor
Recently, Sentinel Strategic Solutions Advisor Michael Soule wrote a lengthy, in-depth tutorial for the IT site Adam the Automator surrounding the challenges involved with managing certificates through Microsoft Windows. It is more technical than what we typically feature on this blog and may not be easy for some people to understand, but we wanted to share an edited excerpt from it anyway in case anyone is interested in learning more. If this interests you, the full tutorial can be read here.
If you're a Windows system administrator, you might have been forced to work with certificates. Working with certificates in Windows is typically one of those extra hats a sysadmin has to take on. Certificates are notoriously complex and hard to understand, but my hope is that by the time you're done reading you'll realize that certificates aren't that scary in Windows!
Within Windows, all certificates exist in logical storage locations referred to as certificate stores. Certificate stores are "buckets" where Windows keeps all certificates that are currently installed, and a certificate can be in more than one store.
Unfortunately, certificate stores are not the most intuitive concept with which to work. Each store is located in the Windows Registry and on the file system. When working with a certificate in a store, you are interfacing with the logical store, not directly modifying the registry or file system. This abstraction lets you work with a single object while Windows takes care of how to represent that object on disk.
“You'll sometimes see certificate stores referred to as physical or logical stores. Physical stores reference the actual file system or registry location where the registry key(s) and/or file(s) are stored. Logical stores are dynamic references that reference one or more physical stores. Logical stores are much easier to work with than physical stores for most common use cases.”
Windows stores certificates in two different contexts: a user context and a computer context. A certificate is placed in one of these two contexts depending on whether the certificate should be used by a single user, multiple users, or the computer itself.
If you intend for a certificate to be used by a single user, then a user certificate store is ideal. This is the common use case for certificate-based authentication processes such as wired IEEE 802.1x.
User certificates are located within the current user's profile and are only logically mapped within that user's context. User certificates are "mapped" and are unique for each user, even on the same systems.
If a certificate will be used by all users on a computer or a system process, it should be placed inside of a store in the computer context. For example, if a certificate will be used on a web server to encrypt communication for all clients, placing a certificate in a store in the computer context would be ideal.
You'll see that a computer's certificate store is logically mapped for all user contexts. This allows for certificates in a computer certificate store to be used by all users, depending on the permissions configured for the private key.
Computer certificates are located in the Local Machine Registry hives and the Program Data folder. User certificates are located in the Current User Registry hives and the App Data folder.
PowerShell vs. the Windows Security Certificate Manager
Since certificates can be managed a few different ways in Windows, which one do you choose? Should you go the GUI (MMC) route or command-line with PowerShell?
First, consider the lifecycle of a certificate. If you only intend to install or remove a single certificate once, consider using the MMC. But if you're managing multiple certificates or find yourself performing the same task over and over again, the command-line route may be the way to go. Even if you don't know how to write PowerShell scripts, it'd be worth learning if you have many different certificates to manage.
Let's first take a look at how to discover the certificates installed on Windows using both the Certificate Manager and PowerShell.
Using the Windows Certificate Manager
To view certificates with the MMC, open the Certificate Manager by opening your Start menu and typing certmgr.msc. This will bring up the Windows Certificates MMC. This initial view provides an overview of all the logical stores, displayed in the left window.
There are many attributes of a certificate you can see when viewing them with the MMC, but in practice you will usually want to select specific certificates.
The easiest way to accomplish this is by referencing the certificate's Serial Number or Thumbprint value. If the certificate was signed by a certificate authority (CA), it will have a serial number assigned when issued. The Thumbprint is a hash of the certificate that is calculated every time the certificate is viewed.
One important feature to point out is embedded private keys. Certificates in Windows can also have a corresponding private key. These private keys are stored in corresponding physical stores as encrypted files.
To quickly distinguish a certificate with and without a corresponding private key, look at the certificate icon. In the MMC, if the icon simply looks like a piece of paper with a ribbon, there is no corresponding private key. If a certificate does have a private key, you will see a key in the MMC icon, and you will see a key at the bottom of the General tab when you open the certificate.
As with the MMC, you can view and manage certificates with PowerShell as well. Let's first inspect certificates in their physical stores (the registry and file system).
By Physical Store
Using the Get-ChildItem PowerShell cmdlet, you can enumerate all of the keys and values inside of the parent HKCU:\Software\Microsoft\SystemCertificates\CA\Certificates\ registry key path.
Each entry you see in the Registry hive is named for the Thumbprint of a trusted CA's certificate, with the certificate itself held in the corresponding property.
Another common store is the Personal store. Your certificates for this store are located on the file system rather than the Registry.
By Logical Store
Since working with certificates in their physical paths is uncommon, you will be working with the logical stores for the rest of the examples.
PowerShell can access Windows logical stores using the Cert: PSDrive. The Cert: PSDrive maps certificates to the physical stores much like the MMC does.
Unfortunately, the MMC and the Cert: PSDrive do not label the logical stores the same way.
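The physical and logical views the excerpt walks through, side by side, as an added PowerShell example that is not part of the tutorial or Sentinel's own code: it assumes a Windows host with the built-in Cert: provider and the SystemCertificates registry paths, and the function names and the MMC-label table are mine.

```powershell
# Added example: not code from the original tutorial or from Sentinel. Assumes Windows
# PowerShell 5.1 or PowerShell 7 on Windows, where the built-in Cert: provider and the
# SystemCertificates registry paths exist. Function names and the label table are my own.

# The MMC and the Cert: PSDrive label the same logical stores differently.
$StoreLabels = @{
    'My'   = 'Personal'
    'Root' = 'Trusted Root Certification Authorities'
    'CA'   = 'Intermediate Certification Authorities'
}

function Get-PhysicalStoreThumbprints {
    # Physical view: under SystemCertificates each subkey is named for the SHA-1 thumbprint
    # of one certificate. CurrentUser stores live under HKCU, LocalMachine stores under HKLM.
    # (Per the excerpt, the CurrentUser Personal store keeps its certificates on the file
    # system, so this registry lookup is meaningful for the CA and Root stores and for
    # LocalMachine stores.)
    param(
        [ValidateSet('CurrentUser', 'LocalMachine')][string]$Context,
        [string]$Store
    )
    $hive = if ($Context -eq 'CurrentUser') { 'HKCU:' } else { 'HKLM:' }
    $path = "$hive\Software\Microsoft\SystemCertificates\$Store\Certificates"
    Get-ChildItem -Path $path -ErrorAction SilentlyContinue |
        Select-Object -ExpandProperty PSChildName
}

function Get-LogicalStoreReport {
    # Logical view: the same store through Cert:, annotated with its MMC label, whether a
    # private key is present (the key icon in the MMC) and whether the physical registry
    # entry for that thumbprint was found.
    param(
        [ValidateSet('CurrentUser', 'LocalMachine')][string]$Context,
        [string]$Store
    )
    $physical = @(Get-PhysicalStoreThumbprints -Context $Context -Store $Store)
    Get-ChildItem -Path "Cert:\$Context\$Store" | ForEach-Object {
        [pscustomobject]@{
            Context       = $Context
            MmcLabel      = $StoreLabels[$Store]
            Subject       = $_.Subject
            Thumbprint    = $_.Thumbprint
            SerialNumber  = $_.SerialNumber
            HasPrivateKey = $_.HasPrivateKey
            NotAfter      = $_.NotAfter
            InRegistry    = ($physical -contains $_.Thumbprint)
        }
    }
}

function Find-CertificateByThumbprint {
    # Thumbprints are unique per certificate, which makes them the reliable selector across
    # every store; the search is recursive so the caller need not know which store holds it.
    param([string]$Thumbprint)
    $wanted = ($Thumbprint -replace '\s', '').ToUpperInvariant()
    Get-ChildItem -Path Cert:\ -Recurse -ErrorAction SilentlyContinue |
        Where-Object { $_.PSIsContainer -eq $false -and $_.Thumbprint -eq $wanted }
}

# Usage 1: the intermediate CA store seen both ways (matches the HKCU path in the excerpt).
Get-LogicalStoreReport -Context CurrentUser -Store CA |
    Format-Table MmcLabel, Subject, Thumbprint, InRegistry -AutoSize

# Usage 2: machine-context certificates that carry a private key and expire within 30 days,
# the ones a web server or 802.1x supplicant will stop working without.
Get-LogicalStoreReport -Context LocalMachine -Store My |
    Where-Object { $_.HasPrivateKey -and $_.NotAfter -lt (Get-Date).AddDays(30) } |
    Format-Table Subject, Thumbprint, NotAfter -AutoSize
```

Reading the LocalMachine stores through the registry path needs only read access, but the private keys behind HasPrivateKey are governed by their own ACLs, so a certificate can be visible here and still be unusable by the account running the script.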
If you are interested in reading the complete tutorial, along with examples, screenshots, and graphics, please click here. As evidenced by this excerpt, Sentinel can help your organization manage its certificates, or aid in demystifying the process so your IT team can handle it without much trouble. Please contact us if you would like additional information.