Tag Archives: chain

SAP Ariba Discovery now open to all buyers and suppliers

To help mitigate massive disruptions to the global supply chain, SAP is making it easier for buyers and suppliers to connect by providing free access to SAP Ariba Discovery.

The move was announced in conjunction with SAP Ariba Live, an annual conference that was recast as a virtual conference Wednesday due to the ongoing coronavirus pandemic.


SAP Ariba Discovery is a service that enables buyers and suppliers to connect on the SAP Ariba Network, which currently includes 4 million suppliers. Buyers have always been able to join the network for free, but suppliers must pay fees after they have made connections with buyers on the network. The supplier fees are being waived until at least June 30, 2020, at which point the situation will be reevaluated and the free access may be extended, said Chris Haydon, president of the SAP procurement solutions area.

The move was made to help alleviate global supply chain disruption because of the coronavirus outbreak crisis, Haydon said.

As the COVID-19 outbreak unfolded, SAP saw SAP Ariba Discovery as a useful tool that enables buyers to find supply sources, regardless of whether they were an existing SAP Ariba customer, Haydon said.

SAP Discovery Server enables buyers and suppliers to connect on the Ariba Network.

“We wanted to remove the barriers by making it free to any supplier for the next 90 days,” he said. “In many ways, it’s a custom-built tool for this dynamic sourcing of demand, and given the times we’re in, we just thought it was the right thing to do.”

The move was a positive step in a time of crisis, said Predrag Jakovljevic, principal industry analyst with Technology Evaluation Centers, a Montreal-based enterprise technology analysis firm.


“Opening up the [SAP Ariba Discovery] to all suppliers and buyers without any fees charged by Ariba Network is a nice gesture to help companies navigate during these trying times of disruption,” Jakovljevic said. “If your usual suppliers are unable to help you today, there might be some in regions still not — or less — affected by coronavirus, who are also begging for some business.”

Simple, intelligent procurement UI

At the virtual SAP Ariba Live conference, which happened in the form of a series of video presentations, SAP demonstrated the integrated procurement environment that it calls “intelligent spend management.”

SAP Ariba, SAP Fieldglass and S/4HANA operational procurement are now integrated under a single UI that runs on top of the HANA database, and is connected through SAP Cloud Platform.

The idea is to provide a simpler, common user experience, but intelligent spend management goes further than that, Haydon said.

“Intelligent spend management is a forward-looking way to think about procurement. It’s about using technology that focuses its power on the tasks that can and should be automated or eliminated so you can focus on the aspects of business that can and should have human expertise,” he said. “We need to get beyond focusing only on creating simple screens and UIs and, instead, power procurement to succeed amongst today’s known disruptions and the unknown disruptions of tomorrow.”

This integration of procurement applications and embedding of intelligence could make SAP stronger in the areas of direct procurement and sourcing by integrating data from S/4HANA ERP such as bills of materials (BOMs), routing and manufacturing planning into the process, Jakovljevic said.

“One thing to watch about all that integration with S/4HANA is whether [SAP Ariba] is becoming serious about direct procurement and sourcing, which is much more complicated than buying the office staples,” he said. “Ariba has always been strong in the indirect materials space and perhaps is now getting serious about catching up with the likes of Jaggaer or SourceDay.”


StorMagic SvSAN helps Sheetz hyper-converge at the edge

Convenience store chain Sheetz is bringing hyper-convergence to the edge at its 600 stores to consolidate devices and make them easier to manage, with the help of StorMagic SvSAN software.

Sheetz, based in Altoona, Pa., is a chain of convenience and gasoline stores in Pennsylvania, West Virginia, Maryland, Virginia, Ohio and North Carolina. Each store requires several point-of-sale applications to conduct business.

Gary Sliver, director of infrastructure at Sheetz, and Scott Robertson, universal endpoint unit manager at the chain, said they have installed SvSAN software on about one-quarter of the company’s sites. Sheetz’s IT team began installing StorMagic SvSAN hyper-converged infrastructure (HCI) software in its stores in October 2018. The project coincided with Sheetz’s move to a new kitchen management software system.

Sliver and Robertson said they hope to have all the stores running SvSAN by the end of 2020. Their goal is to condense seven individual devices at each site to a two-node Dell server appliance running SvSAN software and VMware hypervisors.

Move motivated by IT support, space restrictions

StorMagic SvSAN replaces the servers running Sheetz’s kitchen management applications, its in-store orchestration, credit card processing and loyalty program systems, and storage at each retail store.

Sliver said Sheetz had two important reasons for the upgrade: His team wanted to make it easier to support IT, while eliminating space restrictions at the edge.


“Primarily, we wanted to reduce the number of physical devices and the support and maintenance administration associated with those,” Sliver said. “We also wanted to put a platform in place that would allow us to grow and innovate. Frankly, we’re just running out of space in the rack with new applications and services that require compute and storage. So, we’re able to take these seven physical devices and condense them into two small form rack-mounted servers. That gives us the potential to add additional applications and servers without having to go in there and add physical devices to the store.”

Sheetz’s IT team can manage the HCI appliances remotely from headquarters. Retail employees in the stores don’t have to manage any devices, and the central IT team doesn’t have to travel to the retail sites as frequently for support.

Sliver said he considered going hyper-converged for years, and the systems upgrade in the stores presented the perfect opportunity.

“We’ve been looking at virtualizing the physical devices in the rack,” he said. “We were going out and touching all 600 stores with this upgrade, so we had the opportunity to leverage that initiative and realize economies of scale. It also allows us to quickly virtualize devices and save some money there.”

After deciding to hyper-converge on the edge, Sheetz considered several HCI options. Sliver said he looked at traditional HCI players VMware and Nutanix, as well as a few appliances designed specifically for retail sites.

U.K.-based StorMagic is less known than other HCI vendors, but its technology and support impressed the Sheetz team. StorMagic developed SvSAN as an edge product rather than altering a product designed for data centers.

StorMagic SvSAN requires only 1 GB of RAM, 512 MB of storage for its boot device and a 20 GB journal drive. It can work over a 1 Gb Ethernet network.

“The technology itself was fairly easy compared to other HCI providers,” Sliver said of StorMagic. “We also can run up to 1,000 nodes on the single witness. To me, that’s their secret sauce. The other thing is their organization. They were very responsive during the RFP review, and that has continued throughout our implementation.”

After the installation

Robertson said Sheetz can get SvSAN up and running quickly in its stores.

“What separated StorMagic was, when we did a lab test, they did everything they said their product could do,” Robertson said. “Our time frame from lab to pilot was short.”

Sliver said so far, StorMagic SvSAN “has been extremely stable. It has done everything we’ve expected it to do.”

Robertson said SvSAN HCI makes it much easier to solve problems in the field. The IT team can spin up a new virtual machine in the data center instead of having to dispatch a technician to install a new physical device at the store.

“From a management standpoint, with any kind of break/fix situation, we no longer have to send out a technician to the site to swap out physical hardware,” Robertson said. “If we notice there’s any sort of abnormality in a system, we can spin up [a new virtual machine] in a half hour. So, it’s just returned to service much quicker.”


Pentagon CMMC program to vet contractor cybersecurity

The U.S. Department of Defense is aiming to secure its supply chain with the cybersecurity maturity model certification, or CMMC program, which will vet potential third-party contractors.

Ellen Lord, the undersecretary of defense for acquisition and sustainment, said at a news conference at the Pentagon that the CMMC program “will measure technical capabilities and process maturity” for organizations in the running for new defense contracts.

Although the full details of the CMMC program won’t be made public until January, Lord described it as a five-tier framework in which each level of certification is specifically designed based on how critical the work of the contractor would be. The CMMC program is scheduled to be fully implemented by June 2020.

Dan Fallon, senior director of public sector systems engineers at Nutanix, said programs like CMMC “create or enhance standard practices and responsibilities around cybersecurity are essential to improving security posture.”

“It is great to see the DOD engaged in a strategic, comprehensive, and measured approach to ensuring the security of the products and vendors with whom they work,” Fallon told SearchSecurity. “Furthermore, the Department’s concerted effort in sourcing input from the private sector in developing these standards is a strong indication of its understanding that even with additional cybersecurity policy, overall security will always remain a shared responsibility between vendors and government agencies. After all, there is no one silver bullet to make an agency invulnerable to attack.”

Theresa Payton, president and CEO of Fortalice Solutions and former White House CIO, said the CMMC program “is a good next step to improve supply chain security for the DOD through its contractors and sub-contractors.” 

“In the wake of data breaches where the weakest link was a contractor, these are important next steps,” Payton told SearchSecurity via email. She added that if she “were to prioritize security elements for every contractor and subcontractor to meet it would be: 1. ensure that all data at rest and in transit and at points of consumption are encrypted; 2. have a regular review process of user access controls and authorizations to include third party applications and system to system interactions that are tested; 3. create kill switches that can be flipped if there is a suspected intrusion; 4. ongoing training and awareness.”

The full details of the CMMC program requirements won’t be known until next month, but Lord did promise the expectations, measurements and metrics used will be “crystal clear,” and audits of potential contractors will be done by a third party that should be chosen by next month as well.

Additionally, Lord said at the Ronald Reagan National Defense Forum in Simi Valley, Calif., earlier this week that the DOD expects the weakest links in the supply chain to be the lower-tier, smaller companies that may not be able to afford to meet the requirements. As such, the DOD is planning ways to ensure smaller contractors can meet a basic level of cybersecurity via “broader certifications” that will be detailed more in the next three months.

Payton said she was “encouraged to see that the DOD specifically noted that it will help smaller contractors to meet requirements.”

“This will encourage many to embark on this endeavor,” Payton said. “A rising tide lifts all boats so if the DOD would extend free software, tools, and tips and techniques to their supply chain they will naturally lift the security of the DOD ecosystem.”

Government contractor risks

The history of cybersecurity risks and third-party contractors can be traced back years. The most famous example was whistleblower Edward Snowden, a contractor for Booz Allen, who stole and leaked information about NSA phone metadata tracking practices in 2013.

In 2015, a breach of the Office of Personnel Management affected millions and the ensuing investigation found that the threat actors gained access to systems in part by using credentials stolen from government contractors.

The DOD had two issues in 2017 linked to contractors. In August, an AWS S3 bucket containing unclassified data from the DOD was discovered to be publicly accessible due to misconfiguration by Booz Allen Hamilton. In November, another S3 bucket containing DOD data, this one built by contractor VendorX, was discovered to be exposed.

Payton said there’s a simple reason why these past issues didn’t lead to faster action by the government.

“There is a fundamental disconnect between the rate at which technology evolves and the rate at which bureaucracy reacts. What we’re dealing with here is a failure of systems,” Payton said. “It’s never too late to learn from past mistakes, but ultimately, we need real-time solutions not just to today’s obstacles and threats but to tomorrow’s as well.” 


Procurement transformation a main focus at CPO Rising Summit

BOSTON — Corporate procurement and supply chain operations must undergo a modern digital transformation, or the companies will be left behind.

This procurement transformation will be driven by real-time processes and next-generation technologies that allow procurement professionals to see what’s ahead and react immediately to any changes in the conditions, according to Tom Linton, chief procurement officer and supply chain officer for Flex, a company that designs and builds intelligent devices for a variety of industries.

Linton spoke at the CPO Rising Summit, a conference for procurement and supply chain professionals sponsored by the research firm Ardent Partners.

“We have to operate in real time and have systems and business processes that operate in real time, because the velocity of the business is going to continue to get faster,” Linton said. “Everything, whether you’re looking at technology or medicine or information systems, is moving faster. If we can’t communicate or conduct business in real time, we actually consider ourselves failing or falling behind.”

Every generation of every product today is smarter than the one that came before, Linton explained, and the average generational change is just nine months. Procurement needs to keep up with this increase in intelligence and start to take advantage of the new opportunities.

“How do we operate in an age of intelligence?” Linton asked. “How do we operate in a world which is not about the internet of things, because the things themselves are getting more intelligence? How do you develop a system of intelligence in procurement that helps us identify where we are in this progression?”

Visualization helps show where you’re going

One way to do this is through visualization, where information is presented in more digestible ways for procurement.

“What if everything you need to know about your business is available to you in the same time that you can open Uber on your smartphone?” Linton asked.

Flex built a procurement environment, called Flex Pulse, which uses a 100-foot wall of interactive monitors that display up to 58 applications that tell what’s going on with purchases and transactions in real time, according to Linton.

“The idea with Flex Pulse is to take that data and actually make it actionable,” Linton said. “It’s not doing anything truly different; it’s just taking information and restructuring it to make it more digestible for the users.”

The need for the procurement transformation to get up to speed was echoed at a subsequent expert panel.

Need to build trust in transactions

Mike Palackdharry, president and CEO of Aquiire, a Cincinnati-based B2B purchasing and supply chain process technology company, said real-time and next-generation technologies will drive the transformation.

“Things like blockchain, machine learning, AI and natural language processing are all about increasing the speed, the transparency and the trust within the supply chain. And all of that is about real time and how we create communications between buyers and sellers in real time, where we can trust the transaction and the accuracy of the data,” Palackdharry said.

The ultimate goal will be to provide systems that guide buyers to where the organization wants them to go.

“It’s about how you use all of this real-time information that you’re gathering to guide your users to the items that you want them to buy,” said Paul Blake, technology product marketing leader for GEP, a provider of procurement technology in Clark, N.J. “It’s not just about cost savings; it’s about all the value you can bring into the supply chain and how we guide the users to those items.”

Procurement software will need to be fully functional to allow users to do everything they need to do, but underlying complexity must fall under a simple user experience, according to Blake.

“Increasingly, because of our changing expectations and innovations in technology, it has to be able to be used in the same way as all the other technologies around us,” Blake said. “The user experience, ease of use, seamless and formless interface with the technology is a major driving force in what’s going to deliver value in the future. It’s simplicity and complexity represented in the single whole — difficult to achieve, but that’s where I see it going today.”

The future is now — maybe

However, Blake cautioned the procurement transformation may not happen in the immediate future.


“In the 1990s, there were major corporations that said, ‘We think we need software that helps us to buy stuff more effectively.’ And today, there are still corporations saying the same thing,” Blake said. “There’s enormous inertia in the corporate world toward adopting new technologies, not because there isn’t the will to do something or the technology isn’t there, but because it’s extremely difficult to change. If you have a supertanker of a mammoth corporation, you need 100 miles to slow down and change direction.”

The procurement transformation is interesting and has potential, but real time may not be quite ready for the real world of procurement today, according to conference attendee Lynn Meltzer, director of sourcing for Staples, the office supply retailer based in Framingham, Mass.

Staples transitioned from a largely paper- and spreadsheet-based procurement system to Coupa, a cloud-based procurement SaaS platform, in the past year, Meltzer said.

“If you are just now getting a procure-to-pay system and you’re working to pull in your processes and your data and get there, then the timeline is highly compressed from where you are today to what they’re saying about the next 10 years,” she said. “It doesn’t mean that it can’t happen; you’ve just got to show the value and senior management fully buys in.”

It will be important to define the next step on the procurement transformation journey, said Jaime Steele, Staples’ senior director of procurement operations, and that probably won’t involve advanced AI or blockchain yet.

“The next step, not only for us but in the procurement industry, is that you’ve got to punch this out to every system and company next,” Steele said. “So, the realistic next step might be a simple chatbot, and nobody has done that well yet, so you need to solve the more basic things first.”

Meltzer agreed that certain basic things need to be taken care of before procurement organizations can use technology like blockchains.

“When you think about blockchain, you can’t move yourself to that until you figure how you can get that into a place where a robot can grab it or AI can figure out how to make some kind of decision on it,” she said. “I think those are some of the things that need to get sorted through, and it’s going to take a little bit of time. I would probably put it in five to 10 years, but I don’t see full automation getting in there anytime soon.”

CCleaner malware spread via supply chain attack

Researchers discovered a popular system maintenance tool was the victim of a supply chain attack that put potentially millions of users at risk of downloading a malicious update.

CCleaner is a tool designed to help consumers perform basic PC maintenance functions like removing cached files, browsing data and defragmenting hard drives. CCleaner is made by Piriform Ltd., a UK-based software maker that was acquired by antivirus company Avast Software in July. The compromised update of the tool was first discovered by Israeli endpoint security firm Morphisec following an investigation that began on Sept. 11th, but the company claims it began blocking the CCleaner malware at customer sites on Aug. 20th.

“A backdoor transplanted into a security product through its production chain presents a new unseen threat level which poses a great risk and shakes customers’ trust,” wrote Michael Gorelik, vice president of research and development at Morphisec, in a blog post. “As such, we immediately, as part of our responsible disclosure policy, contacted Avast and shared all the information required for them to resolve the issue promptly. Customers’ safety is our top concern.”

The CCleaner malware gathered information about systems and transmitted it to a command and control (C&C) server; it was reportedly downloaded by users for close to one month from August 15 to September 12, according to Morphisec. However, Avast noted that the CCleaner malware was limited to running on 32-bit systems and would only run if the affected user profile had administrator privileges.

Avast said CCleaner claims to have more than 2 billion downloads and adds new users at a rate of 5 million per week, but because only the 32-bit and cloud versions of CCleaner were compromised, the company estimated just 2.27 million users were affected.

Impact of the CCleaner malware

A team of researchers at Cisco Talos, which included Edmund Brumaghin, threat researcher, Ross Gibb, senior information security analyst, Warren Mercer, technical leader, Matthew Molyett, research engineer, and Craig Williams, senior technical leader, discovered and analyzed the CCleaner malware soon after Morphisec. According to the Cisco Talos team, Avast unwittingly distributed legitimate signed versions of CCleaner and CCleaner Cloud which “contained a multi-stage malware payload that rode on top of the installation.”

“This is a prime example of the extent that attackers are willing to go through in their attempt to distribute malware to organizations and individuals around the world. By exploiting the trust relationship between software vendors and the users of their software, attackers can benefit from users’ inherent trust in the files and web servers used to distribute updates,” Talos researchers wrote in their analysis. “In many organizations data received from commonly software vendors rarely receives the same level of scrutiny as that which is applied to what is perceived as untrusted sources. Attackers have shown that they are willing to leverage this trust to distribute malware while remaining undetected.”


James Maude, senior security engineer for Avecto, a privilege management software maker, said it was especially concerning that the CCleaner malware included the official code signature from Avast.

“Given that CCleaner is designed to be installed by a user with admin rights, and the malware was not only embedded within it but also signed by the developer’s own code signing certificate (giving it a high level of trust), this is pretty dangerous,” Maude told SearchSecurity via email. “This means that the malware, and therefore the attacker, would have complete control of the system and the ability to access almost anything they wanted. What makes this attack particularly worrying is the volume of downloads this software receives, leaving a huge number of users exposed.”

Itsik Mantin, director of security research at security software company Imperva, said the CCleaner malware incident shows “there’s not much users can do when the vendor gets infected.”

“This hack creates a new reality where users need to assume that their desktops, laptops and smartphones are infected, which has been the reality for security officers at organizations in the last years,” Mantin told SearchSecurity. “For organizations, this does not really matter as security officers are accustomed to the reality that they should always assume the attackers are in, are looking for ways to spread the infection within the organization and are searching for business sensitive data to steal or corrupt.”

Avast response to the CCleaner malware incident

Vince Steckler, CEO of Avast Software, and Ondřej Vlček, executive vice president and general manager of the consumer business unit, released a statement saying the company remediated the issue within 72 hours of becoming aware of the problem by releasing a clean update without the malware. They also stated that Avast worked with law enforcement to shut down the CCleaner malware C&C server on Sept. 15th.

The Avast execs downplayed their company’s involvement by saying they “strongly suspect that Piriform was being targeted while they were operating as a standalone company, prior to the Avast acquisition,” and that the compromise “may have started on July 3rd,” two weeks before Avast’s acquisition of Piriform was complete. Avast also claimed the compromised update took four weeks to discover due to “the sophistication of the attack.”

Avast asserted users “should upgrade even though they are not at risk as the malware has been disabled on the server side,” and claimed it was unnecessary to follow the suggestions by Talos and other experts to restore systems to a date before Aug. 15, 2017, to ensure removal of the CCleaner malware.

“Based on the analysis of this data, we believe that the second stage payload never activated, i.e. the only malicious code present on customer machines was the one embedded in the ccleaner.exe binary,” Steckler and Vlček wrote. “Therefore, we consider restoring the affected machines to the pre-August 15 state unnecessary. By similar logic, security companies are not usually advising customers to reformat their machines after a remote code execution vulnerability is identified on their computer.”

Supply chain attacks

Experts said the CCleaner malware incident should be a reminder of the dangers of supply chain attacks.

Marco Cova, senior security researcher at malware protection vendor Lastline, said the recent NotPetya attacks were another case of a supply chain attack “where an otherwise trusted software vendor gets compromised and the update mechanism of the programs they distribute is leveraged to distribute malware.”

“This is sort of a holy grail for malware authors because they can efficiently distribute their malware, hide it in a trusted channel, and reach a potentially large number of users,” Cova told SearchSecurity. “It appears that the build process of CCleaner itself was compromised: that is, attackers had access to the infrastructure used to build the software itself. This is very troublesome because it indicates that attackers were able to control a critical piece of the infrastructure used by the vendor.”

Jonathan Cran, vice president of product at Bugcrowd, told SearchSecurity the CCleaner malware issue appeared to be “less of a traditional supply chain attack and more of a case of poor vendor security. Given that the affected installer was signed as a verified safe binary by Piriform, this indicates that they didn’t realize at the time of release and that the corporate network of Piriform was likely compromised.”

Justin Fier, director for cyber intelligence and analysis at threat detection company Darktrace, said this “should come as yet another wake-up call that corporations must have visibility into how their suppliers interact with their systems, as well as a real-time assessment of their suppliers’ cyber risk.”

“The risk that companies inherit from their suppliers is a pervasive problem for cybersecurity. Quite simply, companies with a supply chain cannot avoid compromises — supply chain breaches are inevitable,” Fier told SearchSecurity. “The assessment of potential supply chain partners is often a rushed process in terms of evaluating their cyber security level, and is rarely as in-depth as it should be. While we can’t change the security posture of our supply chains, we can have a transparent relationship when it comes to cyber risk.”