Even in the era of Slack and Skype, email remains the key communication linchpin for business. But where companies use email is changing.
In July 2017, Microsoft said, for the first time, its cloud-based Office 365 collaboration platform brought in more revenue than traditional Office licensing. In October 2017, Microsoft said it had 120 million commercial subscribers using its cloud service.
This trend toward the cloud is reflected by the heavy presence of Office 365 tutorials in this compilation of the most popular tips of 2017 on SearchExchange. More businesses are interested in moving from a legacy on-premises server system to the cloud — or at least a new version of Exchange.
The following top-rated Office 365 tutorials range from why a business would use an Office 365 hybrid setup to why a backup policy is essential in Office 365.
5. Don’t wait to make an Office 365 backup policy
Microsoft does not have a built-in backup offering for Office 365, so admins have to create a policy to make sure the business doesn’t lose its data.
Admins should work down a checklist to ensure email is protected if problems arise:
- Create specific plans for retention and archives.
- See if there are regulations for data retention.
- Test backup procedures in Office 365 backup providers, such as Veeam and Backupify.
- Add alerts for Office 365 backups.
4. What it takes to convert distribution groups into Office 365 Groups
Before the business moves from its on-premises email system to Office 365, admins must look at what’s involved to turn distribution groups into Office 365 Groups. The latter is a collaborative service that gives access to shared resources, such as a mailbox, calendar, document library, team site and planner.
Microsoft provides conversion scripts to ease the switch, but they might not work in every instance. Many of our Office 365 tutorials cover these types of migration issues. This tip explains some of the other obstacles administrators encounter with Office 365 Groups and ways around them.
3. Considerations before a switch to Office 365
While Office 365 has the perk of lifting some work off IT’s shoulders, it does have some downsides. A move to the cloud means the business will lose some control over the service. For example, if Office 365 goes down, there isn’t much an admin can do if it’s a problem on Microsoft’s end.
Businesses also need to keep a careful eye on what exactly they need from licensing, or they could end up paying far more than they should. And while it’s tempting to immediately adopt every new feature that rolls out of Redmond, Wash., the organization should plan ahead to determine training for both the end user and IT department to be sure the company gets the most out of the platform.
2. When a hybrid deployment is the right choice
A clean break from a legacy on-premises version of Exchange Server to the cloud sounds ideal, but it’s not always possible due to regulations and technical issues. In those instances, a hybrid deployment can offer some benefits of the cloud, while some mailboxes remain in the data center. Many of our Office 365 tutorials assist businesses that require a hybrid model to contend with certain requirements, such as the need to keep certain applications on premises.
1. A closer look at Exchange 2016 hardware
While Microsoft gives hardware requirements for Exchange Server 2016, its guidelines don’t always mesh with reality. For example, Microsoft says companies can install Exchange Server 2016 on a 30 GB system partition. But to support the OS and updates, businesses need at least 100 GB for the system partition.
A change from an older version of Exchange to Exchange 2016 might ease the burden on the storage system, but increase demands on the CPU. This tip explains some of the adjustments that might be required before an upgrade.
Identity management is a pain point for many companies and individuals, but blockchain could help solve some of the challenges.
When banking, traveling, providing proof of age or accessing corporate data, individuals must prove their identity. But it can be difficult for users to keep track of all the different pieces of identification they must present to do so. ShoCard, a software provider in Cupertino, Calif., aims to eliminate the need for multiple forms of identification, usernames and passwords, and give users more control through the use of its blockchain identity management tool.
“Since it is your data, really, you have the right to hold it, to operate it as you wish,” said Alexander Novoselov, the head of innovation at Creditinfo Group, a ShoCard customer headquartered in Iceland.
How blockchain identity management works
ShoCard offers an identity management tool that uses a blockchain-based digital verification and authentication process. Blockchain is a type of database that is secured using cryptography and encryption key techniques. A user’s identity information is stored on the blockchain against a hashed version of what’s called the public key. Each user also has a private key, which allows them to safeguard their personal data and prove to those with whom they share the data that it belongs only to the person sharing it.
The idea with blockchain identity management is to store and encrypt data on users’ mobile devices, rather than in a central database. Since credentials are stored on the device, an attacker would have to hack phone by phone and wouldn’t be able to compromise many identities at once.
Although the mass appeal of blockchain identity management remains to be seen, there is potential in very strict compliance-oriented fields, said Eric Klein, director of mobile software at VDC Research in Natick, Mass.
“They are definitely unique in the market for doing something that hadn’t occurred to me as a means of enhancing your security,” Klein said.
Customers can use ShoCard software development kits to integrate the technology into their mobile applications and servers. The client app then prompts users to take pictures of their valid government IDs, and ShoCard extracts the personal information. The user then sets up a passcode or fingerprint verification as an added security measure. When a user decides to share the data with a third party, the information is placed in an encrypted container on the blockchain, which no one — including ShoCard — can access, except the party with whom the user is sharing it.
Blockchain pays off
Creditinfo adopted ShoCard for a few of its customers. It needed to allow customers to not only have control over their own credit data, but also be able to securely transfer data between different countries, Novoselov said.
For example, if a person from India goes to a U.S. bank and tries to get a credit card, it brings complications. Creditinfo cannot share data from India in the U.S. because of a difference in privacy laws between the two countries. Creditinfo needed a tool to allow people to bring their credit histories with them anywhere.
Customers can now download the Creditinfo app, which incorporates ShoCard technology via the vendor’s software development kit, and securely access and share their credit score data on their mobile devices.
“This is a new way of bringing confidence that the data is in safe hands,” Novoselov said.
Based on this same blockchain identity management technology, ShoCard also offers ShoBadge, an app that allows employees to hold their encrypted ID information on their mobile devices. Unlike with ShoCard, customers don’t have to write any code; instead, they just use the app directly.
ShoBadge allows employees to access all of their corporate apps by authenticating through the app, rather than requiring different logins to different applications or devices. It also allows them to securely share their identities at the workplace — with human resources, for example. There is no longer a central database at the company where all the users’ sensitive personal information is stored. Thus, employees bring their own identity, and there is no username and password management in the hands of a third party.
The identity management market remains fragmented, with some existing vendors who have the benefit of being in the game for a long time, Klein said. But this does not mean that all customers have decided on which technology to adopt, which is why a new company like ShoCard has been attracting some pretty serious venture funding, he said.
“There are people betting on other technologies maybe surpassing what we have today,” he added. “Integrating sophisticated blockchain capabilities as a path certainly has potential.”
IoT is fast becoming a key strategy for companies of all sizes, as they strive to get closer to their customers and offer great product experiences—all while reducing operational expenditures. Until now, however, it’s been a major hurdle to gain the skills needed to build and manage connected solutions. This obstacle has been further compounded by concerns about security, scalability, and difficulties finding an IoT solution that has built-in best practices gained from years of experience in the sector.
This is why today we are pleased to launch the public preview of Microsoft IoT Central to address these barriers. Microsoft IoT Central is the first true highly scalable IoT software-as-a-service (SaaS) solution that offers built-in support for IoT best practices and world-class security along with the reliability, regional availability, and global scale of the Microsoft Azure cloud. Microsoft IoT Central allows companies worldwide to build production-grade IoT applications in hours—without having to manage all the necessary back-end infrastructure or learn new skills. In short, Microsoft IoT Central enables everyone to benefit from IoT.
IoT Solutions without the hassle
Microsoft IoT Central takes the hassle out of creating an IoT solution by eliminating the complexities of initial setup as well as the management burden and operational overhead of a typical IoT project. That means you can bring your connected product vision to life faster while staying focused on your customers and products. The end-to-end IoT SaaS solution equips you to harness the “digital feedback loop” to draw better insights from your data and convert them into intelligent actions that result in better products and experiences for your customers.
By reducing the time, skills, and investment required to develop a robust enterprise-grade IoT solution, Microsoft IoT Central also sets you up to quickly reap the powerful business benefits of IoT. You can get started quickly, connecting devices in seconds and moving from concept to production in hours. The complete IoT solution lets you seamlessly scale from a few to millions of connected devices as your IoT needs grow. Moreover, it removes guesswork thanks to simple and comprehensive pricing that makes it easier for you to plan your IoT investments and achieve your IoT goals.
On the security front, Microsoft IoT Central leverages industry-leading privacy standards and technologies to help ensure your data is only accessible to the right people in your organization. With IoT privacy features such as role-based access and integration with Azure Active Directory permissions, you stay in control of your information.
From years of working in the commercial space, we understand organizations’ need to take advantage of existing applications and data to glean richer insights, integrate business workflows, and take more effective actions. So, in the coming months, Microsoft IoT Central will also be able to integrate with customers’ existing business systems—such as Microsoft Dynamics 365, SAP, and Salesforce—to accelerate more proactive sales, service, and marketing.
Several customers have already started building solutions for their businesses with Microsoft IoT Central. Here’s what they have to say:
- “Small-scale IoT use cases are rare, even though they can have profound social impact. Why? Because each use case has unique needs that in turn require special sensor configurations and secure provisioning to the cloud before the solution can even be turned on. Arrow has simplified this process by bringing together Microsoft’s IoT Central platform and Libelium’s Plug & Sense IoT Toolkits, which help small, medium, and even large businesses get their IoT projects up and running sooner. Microsoft’s IoT Central solution helped us pilot in weeks, at minimal cost, a public school environmental monitoring solution that would have taken a year to develop from scratch. School and government officials can now monitor and improve the safety of public spaces without the cost and duration of typical IoT projects.” – Jeff Reed, PhD, VP Microsoft Global Alliance at Arrow Electronics
- “Mesh Systems is passionate about the work Microsoft is doing with the release of Microsoft IoT Central. We recognize how Microsoft IoT Central accelerates projects that need entry-level simplicity while also being extendable to meet more complex requirements. We value this level of SaaS offering from Microsoft because it allows us to focus on identifying and iterating on the application business transformation, which is critical across the IoT market.” – Uri Kluk, CTO, Mesh Systems
- “With Microsoft IoT Central and partner VISEO, we created and deployed IoT solutions quickly, securely, and at scale—with the reach and resources of the global Azure cloud platform. The solution we implemented enables us to collect telemetry data on thousands of our devices. We are now able to do predictive maintenance and ensure our firmware is always up to date—critical advantages in the health field. With this data, we are better able to serve our market and adapt our service to the needs of our customers.” – Philippe Angotta, Director of Customer Relations, LPG
- “Patterson Companies believes there is an opportunity to realize significant improvement in dental device fix/repair service-level outcomes for its customers via an IoT Remote Monitoring & Diagnostics solution. The OEMs that manufacture dental devices are actively implementing and enhancing their IoT capabilities to provide ongoing performance data from devices connected at the dental office. Microsoft IoT Central provides a highly configurable and intuitive solution to define the criteria needed to monitor and diagnose any variety of connected devices. This in turn equips Patterson service technicians with current and past performance data, allowing them to transition from a reactive stance to one that is proactive and results in higher levels of customer satisfaction.” – Nate Hill, Principal Architect, Patterson Dental
- “The Umbra Group is excited to work with Microsoft IoT Central and Microsoft Dynamics 365 Finance & Operations to monitor performance and health of our systems in ways we never have been able to do before. These new tools enable us to integrate commercial, supply chain, production, and product data from the time an order is placed all the way through to serving up insights for how and when to service a device. Umbra expects to see tremendous benefits during product development and testing by being able to see and act on real-time performance data regardless of location. Our customers will be thrilled to be able to have maintenance activities performed during scheduled machine down time instead of experiencing interruptions in service, since machine conditions will now be predictable.” – David Manzanares, Vice President of Engineering, Umbra Group
- “Digital transformation will drive mass-scale growth of the IoT market. Scalable, secure, reliable, and pay-per-use solutions are needed to handle these volumes efficiently. ICT Group has a strong focus on the Industrial IoT market, and Microsoft IoT Central offers us the ability to create insights and add real business value. ICT Group has been involved in the development of Microsoft IoT Central from the start. Microsoft IoT Central has enabled us to gather more valuable insights to inform how we manage our products with this digital feedback loop.” – Aart Wegink, Director Digital Transformation, ICT Group, The Netherlands
Microsoft is leading the way in IoT innovation, and we are committed to introducing new features at a rapid pace so customers can quickly and continually reap benefits and stay ahead of the game. As a true IoT SaaS solution, Microsoft IoT Central gives customers automatic access to new features as they’re released. It also frees customers from updating the underlying hardware.
Azure IoT Hub Device Provisioning Service now available
To further simplify IoT, we are also announcing the availability of Azure IoT Hub Device Provisioning Service. Azure IoT Hub Device Provisioning Service enables zero-touch device provisioning and configuration of millions of devices to Azure IoT Hub in a secure and scalable manner. Device Provisioning Service adds important capabilities that, together with Azure IoT Hub device management, help customers easily manage all stages of the IoT device lifecycle.
For a deeper look into the features of Microsoft IoT Central, check out the new Microsoft IoT Central website and demo, and start your free trial today. Also, for a deeper dive be sure to see our blog post, “Microsoft IoT Central delivers low-code way to build IoT solutions fast.”
This week and next, private companies and sub-nationals are joining governments from around the world in Bonn, Germany for the 23rd Conference of the Parties to the United Nations Framework Convention on Climate Change, or COP23. At the event, participants aim to solidify plans to help achieve the collective carbon-reduction targets outlined in Paris two years ago.
Microsoft is proud to be participating in the event. During this past week, Microsoft representatives have joined in discussions to share our experiences and insights as to how technology can be deployed to help reduce energy demands, curb emissions and accelerate climate solutions. As COP23 enters the second week, we look forward to hosting demos at our booth and participating in panel discussions with world leaders.
We believe that technology can and must play a role in addressing climate change and advancing resiliency, and to that end, Microsoft is excited to share that our technology is helping achieve these aims by powering COP23 itself. We will be providing Skype and Skype Broadcast services throughout the conference that will enable international delegations, who are unable to travel to this important global event, to use our technology to participate in the various activities at COP23.
And, in addition, Microsoft is a sponsor of the Hack4Climate hackathon, the world’s first blockchain hackathon to fight climate change. The hackathon will be powered by Blockchain as a Service on Microsoft Azure. Our commitment to advancing and accelerating the global dialogue on sustainability is also taking shape at this week’s GreenBuild International Conference and Expo in Boston, where we announced a commitment to pursue LEED Gold certification for our entire portfolio of owned datacenters under the U.S. Green Building Council’s LEED volume program. This builds on Microsoft’s ongoing work to green our own datacenters and creates a standardized set of design and performance criteria to serve as a “blueprint” to certify greener, more efficient datacenters industry wide.
At an event this week in Lisbon, at Planet:Tech, I shared our view on how AI can be applied to areas of biodiversity, climate change, agriculture and water. I was also fortunate enough to spend time meeting with both startups and large multi-national corporations, who are investing to create new approaches to managing the planet’s resources in a more sustainable way.
As we approach the two-year anniversary of the Paris climate accord, it is exciting to see progress happening on sustainability. The pace of innovation and investment continues to accelerate, and I can’t help but be optimistic about the opportunities that lie ahead. From Boston to Lisbon to Bonn, startups, governments, NGOs and corporations are working together to address some of the critical environmental challenges we all face.
If you are attending COP23 this year, I invite you to stop by our digital transformation booth inside the U.N. delegation hall to learn more about how Microsoft’s technology and services can help people and organizations achieve their own environmental goals. In addition, a listing of Microsoft’s public panel engagements in Bonn is provided below, and you can follow us on Twitter @Microsoft_Green for daily updates throughout the conference.
- “Transforming Carbon and Energy Markets through Advanced Technology” at 10:00 CET at the U.S. Climate Pavilion
- “The Economic Case for Climate Action” at 13:00 CET at the U.S. Climate Pavilion
- “What Actions Can Companies Take to Reduce Vulnerability and Enhance Resilience in the Communities along their Supply Chain?” at 11:30 CET at the Kameha Grand Hotel, sponsored by BSR
- “The United Nations System, Industry 4.0 and Its Potential for Climate Solutions” at 13:15 CET
- “Paradigm Shifts in the Boardroom – Corporate Face of Energy Transformation” at 14:45 CET at the Deutsche Post DHL Tower
- “U.S. Businesses Leading on Climate” at 16:00 CET at the U.S. Climate Pavilion, sponsored by C2ES
- “Innovation and Entrepreneurship for Transformative Climate Solutions” at 10:00 at the World Conference Center
- “U.S. Business Showcase Session 6: We Are All In This Together” at 15:45 CET at the U.S. Climate Pavilion
Companies outsource functions of security operations centers. But most agree that management of strategic activities — security planning, alignment to the business, performance assessments — should stay in-house.
Are companies that have information security operations centers (SOCs) less likely to get breached? That data is hard to come by. Target did not respond to automated warnings about suspicious activity during its 2013 breach. The SOC manager left the retailer in October. The breach occurred in November and was publicly acknowledged by Target on December 19, 2013, after Brian Krebs reported it on his Krebs on Security blog. According to reports by Bloomberg Businessweek and others, alerts issued by FireEye malware detection were noted by Target’s security staff in India but then ignored by the SOC team in the United States.
Today, the retail company runs a 24/7 Cyber Fusion Center at its Northern Campus in Brooklyn Park, Minnesota. A recent job posting for an event analyst noted that the future SOC team member would work with the company’s Cyber Threat Intelligence team and participate in “cyber hunt activities” as needed, in addition to security information and event management, log management and a host of other duties to assess and detect cyberthreats in the retailer’s global operations.
In this issue, technology journalist Steve Zurier looks at information security operations centers and reports on tools integration, future automation and SOC team staffing — in May, he covered the role of threat hunters in modern SOCs. What is it going to take to improve SOC capabilities going forward? A 2017 SANS Institute report found that lack of visibility is a major problem, especially detection of unknown threats. Of the 309 IT professionals surveyed worldwide, 61% indicated that their security operations were centralized, but only 32% reported close integration between the SOC team and network operations center. Better information sharing and automation of SOC performance metrics — 69% of those surveyed who compile metrics said they must do a lot of the data collection and analysis manually — could help take security operations to the “next level,” according to SANS.
Vulnerability management and patch management are also getting increased scrutiny at many organizations after the Equifax breach and global ransomware attacks that some speculate could have been avoided. CISO James Ringold looks at risk-based vulnerability management strategies and explains why investing in this process is worth consideration.
Two security leaders who moved to the private sector after working on cybersecurity initiatives in Washington, D.C., during the Obama administration are also profiled this month: Phyllis Schneck, managing director of Promontory Financial Group, now an IBM company, and Alissa Johnson, the CISO at Xerox.
“I learned that there really isn’t a lot of difference between there and here,” Johnson said. “Xerox has no nuclear secrets, but hackers are still attacking us and trying to get data using the same tools and technology.”
It’s no surprise implementing DevOps is tricky. What is surprising is the growing number of companies turning to artificial intelligence to help make things go more smoothly.
Just in the last few weeks, startup Harness.io began offering a continuous delivery as a service platform for developers that uses machine learning to monitor an application and roll it back as necessary. And another new company, Applitools, is also offering an AI-powered, cloud-based approach for test automation.
In other words, it’s the bots to the rescue.
Torsten Volk, managing research director for hybrid cloud, software-designed data center, machine learning and cognitive computing at Enterprise Management Associates, based in Boulder, Colo., said when implementing DevOps, the hurdles to an average developer pushing out code are quite challenging, and using AI and machine learning could simplify things dramatically. Volk, who will speak at the DevOps Enterprise Summit 2017 in San Francisco on DevOps in the enterprise, said it’s time to streamline the process — something he calls “intent-based DevOps.”
“If a developer has a task, a developer should receive a workspace that is dedicated to that task,” Volk explained. “Right now, a developer doesn’t have a realistic environment where he can test something or try to experiment with scalability. You want to put the intent of that application into the workspace the developer is using to speed up the process.”
That way of implementing DevOps means using machine learning, which can be quickly trained in an organization’s best practices, to speed things along and give the developer the necessary help and tools. “If you can do that, you eliminate the worries,” Volk said.
Automation and implementing DevOps
That’s certainly the intent with Harness, which in fact was named for the concept of a safety harness, said founder and CEO Jyoti Bansal. Harness is aimed at an area nearly every company struggles with when implementing DevOps: automation.
“There are two problems that happen when people are trying to automate,” Bansal explained. “The first is how do you automate. You create tons and tons of scripts, but they’re unmanageable and not maintainable. And the second part is, once you do something, the code is so complicated, it’s hard to verify. The goal of Harness is to solve those two problems: Make automation easy and verification really, really easy.”
Harness tackles this problem by first allowing automation scripts to be created using a simple drag-and-drop GUI. Bansal claimed this approach takes a three- to six-month scripting job and whittles it down to 30 minutes. Once the automation is complete, when implementing DevOps, it’s vital to continue to ensure it’s working, and that’s where the AI piece comes in.
“We use machine learning that knows what is normal, so it knows when something is not working,” he said. “Are we seeing more errors or deviations? We’re building that safety net in, so developers can move as fast as they want to. And if they fail, Harness is there to catch them.”
Applitools for implementing DevOps
AI is also the cornerstone of the Applitools offering, which was designed to make visual testing so fast it could be a reliable piece of a continuous delivery effort when implementing DevOps, said Gil Sever, co-founder and CEO. “At a high level, we make sure that an app looks right on different devices,” he said.
At the heart of the process is a new AI-powered technology that can break down a computer or mobile screen just like the human eye does, Sever said, and can then very rapidly spot any problems. “And if it finds a problem, it can decide, like a human, if that’s something an actual human would notice or not. And if not, it doesn’t flag it,” Sever said.
When implementing DevOps, Applitools can be used for production testing tasks, including regression testing and cross-browser testing. And it can even be used to monitor transactions. “We’re able to compare the number of steps done visually with what we’ve seen on hundreds of other apps,” Sever said. “If there is something unusual, like it takes more steps than usual or is done in a different way, it will signal the team that made the app so they know there is something different and less efficient.”
According to Volk, the power of AI really does come down to efficiency. “People need to see that it sounds like science fiction, but most of it can be done today. The reason why it’s not done is that everyone is so bogged down with keeping the lights on.”
There are no guarantees when it comes to infosec technology, but more companies today are exploring the concept of a cyber warranty for their products.
One such security vendor, SentinelOne Inc., has established itself as one of the pioneers in the burgeoning cyber warranty market. Last year, the company established a ransomware warranty on its Endpoint Protection Platform (EPP) worth up to $1 million. If a customer using EPP to defend against ransomware gets infected with WannaCry or another ransomware variant, SentinelOne cuts a very expensive check to the company.
Jeremiah Grossman, chief of security strategy at SentinelOne, talked with SearchSecurity at Black Hat 2017 about the company’s threat protection guarantee and where it stands today. He also talked about the challenges of developing a cyber warranty, as well as the benefits of having one, and how it compares to the growing cyberinsurance market. Here is part one of the conversation with Grossman.
How does EPP work, and why did you decide to develop a cyber warranty for it?
Jeremiah Grossman: SentinelOne, as Gartner classifies this space, is next-generation endpoint protection. The way we deploy it is we put an agent at all the endpoints. You control it via the cloud, and we stop malware from infecting you.
Our secret sauce is that we have machine learning and behavioral analysis; if something looks malicious, rather than being identified by known signatures as malicious, we can stop it.
I was brought into the company for two reasons. One was to focus on ransomware. I was looking at it three or four years ago because all the stars aligned for this to be the next billion-dollar cybercrime market.
And second, when we enter in such a crowded space … you have to differentiate between 60 other players all saying their products work and the rest don’t. So we differentiated by designing a product warranty; our ransomware warranty is built around [SentinelOne EPP] because I have a special skill set having done that many times before.
So, at this time last year, I gave a presentation at Black Hat. There were four vendors that had a warranty; now, there are 18.
A cyber warranty must have been a hard sell at first. What was that conversation like?
Grossman: Everybody said I was crazy. Everybody said, ‘No one will ever do that.’ But when you work out the math and all of the objections, you can do it. I really do generally encourage every other vendor, including our competitors, to do it, and I’ll teach them how, if they like.
You need to do two things. You need to know statistically how well your product works. For example, our product, in terms of ransomware, has a less than 1% failure rate over a given year.
You’ve got to model your losses. In the event that you fail, what’s the loss? And then you have to reinsure it. That’s the critical part.
Reinsurance on a security product warranty ends up being, in my experience, $20,000 to $25,000 or less per year, not per customer, for a lot of customers. When you get over all the excuses, you can do this. I wouldn’t have come to SentinelOne unless they gave me the opportunity to design a warranty, which is the first ever of its kind in this space.
Now, it’s all well and good to offer a warranty, but what happens when you [undergo] trial by fire? The bottom line is, this year, there were no claims and no payouts, even in context of WannaCry and NotPetya. We had two large-scale ransomware outbreaks that were viral in nature. In each one, I lost a week in my life, but imagine our incentives — we have millions in liability outstanding, and we have to get on this outbreak right now. Customers like that.
We had no reports of infection, no claims and no payouts in each case. When you have a product that works, you’ll be okay. You might suffer anxiety, but the customers will be good.
It sounds stressful, but at the same time, you must be thinking if you can get through these ransomware outbreaks, then that’s going to do wonders for the appeal of your cyber warranty.
Grossman: The appeal is cool from a dollars-and-cents standpoint. First, it gives the customer a sense of confidence that you’re not just selling them a line. We’re putting our money where our mouth is. The customers don’t want to get hacked and we really, really don’t want them to get hacked.
And the second thing is a $1 million warranty is a good token gesture, but when the average losses on a breach for the midscale are between $3 million and $7 million, then that warranty has to go up. It’s not like we drew this line at $1 million and we’re done now; we’re going to increase the things we trigger on — not just ransomware, the level of payouts and what we pay out on. So we’ll do v2 of our warranty.
How hard was it to figure out those thresholds and limits for what triggers the warranty?
Grossman: Those are really hard numbers to get. We do it like cyberinsurance does it. There are hard costs and there are soft costs. Hard costs will be downtime, incident response, fines, legal fees and things like that.
No one covers the soft costs, like reputation [damage]. Cyberinsurance doesn’t, and we don’t either. No one really knows how to measure soft costs.
That seems like something customers are going to ask for.
Grossman: They can ask all they want. I’ll give you two ends of that conversation. Let’s say Target had a breach, and their stock takes a momentary loss, and then they recover. Everybody’s stock recovers.
The other side of that is that there’s a term called indirect hard loss. Let’s use Target as an example again; even though the company has been made whole, you can take a statistical average of a customer that transacts, let’s say, $100 a year at Target. The customer that got hacked [at] Target isn’t going to go away, but maybe they transact $50 a year going forward instead of $100.
So that $50 is your indirect hard loss. That’s the one everybody has to calculate, but you can only calculate it internally if you know the numbers. And that’s going to be a hard cost to even equate to reputational damage. We don’t have those numbers in the industry right now.
And you haven’t had any claims and any payouts?
Grossman: None that I’m aware of. I helped design about half the warranties, so I’m familiar with them. And it’s kind of a biased sampling for two reasons.
One is only the companies that have really, really good products are going to offer a warranty. And two, the warranties have only been around a year or two, and sales haven’t fully ramped up yet, so the sample size is still relatively small.
Have you had customers try to wiggle out of the parameters of the warranty and say things like ‘Well, I didn’t get hit by ransomware, but I had this happen’?
Grossman: No. Maybe it will happen if we have double or triple the number of customers. But the terms are pretty specific. There’s not a lot of equivocation.
In cyberinsurance, they have that happen all the time. There was a case — I don’t remember the company name — where the victim had cyberinsurance. There was a spear phishing attack and [the threat actor] said, ‘I am the CFO, please wire money to this Chinese bank account.’
The money got sent, and the company wanted to make a cyberinsurance claim, but the carrier said, ‘No,’ on the basis that that wasn’t a hack. That’s social engineering. That’s not security. Those are the kinds of conversations that happen.
Phishing and social engineering attacks are pretty common. Do they present a loophole, then, for cyberinsurance?
Grossman: I don’t know if it’s a loophole. A lot of times, attackers use phishing to plant malware. But this case was just an attacker pretending to be somebody else. There was no malware.
If the policy said, ‘We’ll cover that kind of social engineering attack,’ then great, it’s covered. But, in this case, it didn’t. The policy was protecting against a breach.
Stay tuned for part two of the interview with Jeremiah Grossman of SentinelOne.
Social good software leader Blackbaud bets big on Microsoft Azure as the two companies plan to go deeper on integrations, innovation and sector leadership to scale global good
BALTIMORE — Oct. 18, 2017 — As part of bbcon 2017, Blackbaud (Nasdaq: BLKB), the world’s leading cloud software company powering social good, and Microsoft Corp. (Nasdaq: MSFT), plan to expand their partnership in support of their mutual goals to digitally transform the nonprofit sector.
The nonprofit sector represents the third largest workforce behind retail and manufacturing in the United States with approximately 3 million organizations globally. Blackbaud, the largest vertical cloud software provider in the space, announced its intention to fully power its social good-optimized cloud, Blackbaud SKY™, with Microsoft Azure. The two companies highlighted a three-point commitment to collaboration for the good of the global nonprofit community. This announcement comes just days after Microsoft launched its new Tech for Social Impact Group, which is dedicated to accelerating technology adoption and digital transformation with the nonprofit industry to deliver greater impact on the world’s most critical social issues.
“This newly expanded partnership between Microsoft and Blackbaud will allow both companies to better meet the unique technology challenges nonprofits face,” said Justin Spelhaug, general manager of Microsoft Tech for Social Impact. “By combining Microsoft’s cloud platforms and expertise with Blackbaud’s leading industry solutions, we will create new opportunities for digital transformation to empower nonprofits to make an even bigger impact on the world.”
“The nonprofit community plays a vital role in the health of the entire social economy, and we’ve been working for more than three decades to help these inspiring organizations achieve big, bold mission outcomes,” said Mike Gianoni, president and CEO of Blackbaud. “For nearly that long we’ve also been a Microsoft partner, and we’re incredibly enthusiastic about forging new ground together as we tackle some of the most pressing issues nonprofits face. Both companies couldn’t be more committed to this space, so the nonprofit community should expect great things from this expanded partnership.”
The newly expanded partnership between Microsoft and Blackbaud will focus on three key areas:
Deeper integration between Microsoft and Blackbaud solutions, with Blackbaud’s cloud platform for social good, Blackbaud SKY, powered by Microsoft Azure
Blackbaud has been developing on the Microsoft stack for over three decades. As a leading Global ISV Partner, Blackbaud is already one of Microsoft’s top Azure-based providers. Today, Blackbaud announced its intention to fully power Blackbaud SKY™, its high-performance cloud exclusively designed for the social good community, in Microsoft’s Azure environment.
“Blackbaud’s expanded Azure commitment will be one of the most significant partner bets on Microsoft’s hyperscale cloud, and the most significant to transform the social good space,” Spelhaug said. “We often highlight the engineering work behind Blackbaud SKY™, because it demonstrates the power of Microsoft Azure and the kind of forward-looking innovation and leadership that the nonprofit sector greatly needs.”
Details of the investment are not publicly available but the companies plan to share more about the partnership in coming months. Blackbaud also announced its plans to become a CSP (Cloud Solution Provider) partner for the Microsoft platform, simplifying the purchase, provisioning and management of Blackbaud and Microsoft cloud offerings. For nonprofits that want the security, power and flexibility of the cloud plus the services and support of a trusted solution provider that deeply understands their unique needs, Blackbaud will be able to deliver both Microsoft and Blackbaud solutions through a unified purchase experience.
A commitment to pursuing best-in-class nonprofit cloud solutions that bring together the best of both companies’ innovation for a performance-enhanced experience for nonprofits — from funding, to mission operations, to program delivery
Blackbaud and Microsoft plan to pursue innovative ways to fully harness the power, security and reliability of Microsoft’s Azure-Powered solutions (e.g., Office 365, Dynamics) and Blackbaud’s industry-leading, outcome-focused solutions that cater specifically to the unique workflow and operating model needs of nonprofits — all with the goal of improving nonprofit performance across the entire mission lifecycle.
This includes exploring how both companies’ respective cloud artificial intelligence (AI) and analytics innovations can be leveraged in new ways to drive even greater sector impact.
“There is massive opportunity to empower the nonprofit community through creative tech innovation,” said Kevin McDearis, chief products officer at Blackbaud. “Every 1 percent improvement in fundraising effectiveness makes $2.8 billion available for frontline program work. This is just one example of the type of impact Blackbaud focuses on with our workflows and embedded intelligence, and we couldn’t be more thrilled to team up with Microsoft to push into new areas of innovation that move the sector forward, faster.”
Joint sector leadership initiatives that make innovation, research and best practices more accessible to nonprofits around the world
Nonprofits are addressing some of the world’s most complicated issues. As shared value companies, Microsoft and Blackbaud share a commitment to helping nonprofits meet those needs. Microsoft is globally known for its unmatched philanthropic reach and impact. And Blackbaud, which exclusively builds software for social good, invests more in R&D and best-practice-driven research for global good than any technology provider. Both companies were among just 56 companies named to the Fortune 2017 Change the World list.
Together, Microsoft and Blackbaud intend to partner on initiatives that make innovation more accessible for nonprofits large and small, while also exploring ways the companies’ data assets, community outreach and sector leadership can be synergistically and responsibly applied to improve the effectiveness and impact of the entire nonprofit community.
Microsoft and Blackbaud will share further details in the coming months. Learn more about Microsoft’s Technology for Social Impact Group here. Visit www.Blackbaud.com for more on Blackbaud.
Blackbaud (NASDAQ: BLKB) is the world’s leading cloud software company powering social good. Serving the entire social good community—nonprofits, foundations, corporations, education institutions, healthcare institutions and individual change agents—Blackbaud connects and empowers organizations to increase their impact through software, services, expertise, and data intelligence. The Blackbaud portfolio is tailored to the unique needs of vertical markets, with solutions for fundraising and CRM, marketing, advocacy, peer-to-peer fundraising, corporate social responsibility, school management, ticketing, grantmaking, financial management, payment processing, and analytics. Serving the industry for more than three decades, Blackbaud is headquartered in Charleston, South Carolina and has operations in the United States, Australia, Canada and the United Kingdom. For more information, visit www.blackbaud.com.
Microsoft (Nasdaq “MSFT” @microsoft) is the leading platform and productivity company for the mobile-first, cloud-first world, and its mission is to empower every person and every organization on the planet to achieve more.
Microsoft Media Relations, WE Communications for Microsoft, (425) 638-7777, firstname.lastname@example.org
Nicole McGougan, Public Relations Manager for Blackbaud, (843) 654-3307, email@example.com
Calling on tech companies that offer encrypted services to deploy those services using “responsible encryption,” Deputy Attorney General Rod Rosenstein picked up the anti-encryption baton from former FBI Director James Comey.
Rosenstein’s comments at the United States Naval Academy Tuesday echoed Comey’s position on the use of encryption by criminals and others to evade law enforcement or national security agencies. In an attempt to rebrand the debate around “going dark,” Rosenstein urged tech companies to deploy what he called “responsible encryption,” or encryption that can be bypassed by the tech company in order to provide law enforcement agencies access to encrypted data subject to a court order.
“Responsible encryption can involve effective, secure encryption that allows access only with judicial authorization,” Rosenstein said, adding that it was not necessary for the government to mandate any particular key management or escrow service, but rather for individual companies to deploy encryption or encrypted services in a way that supports a “lawful access” to encrypted data on demand by law enforcement or national security agencies.
“Look, it’s real simple. Encryption is good for our national security; it’s good for our economy. We should be strengthening encryption, not weakening it. And it’s technically impossible to have strong encryption with any kind of backdoor,” said Rep. Will Hurd (R-Texas), when asked about Rosenstein’s proposal for responsible encryption at The Atlantic’s Cyber Frontier event in Washington, D.C.
“This is a conversation we’re going to be involved in forever,” Hurd said. “You can protect our digital infrastructure, chase bad guys and protect our civil liberties all at the same time. It’s hard, but we can do it. And our civil liberties are not burdens — they’re the things that make our country great. So, you can call it whatever you want, but make sure you have strong encryption.”
Unlike previous calls from the Department of Justice to curb secure, end-to-end encryption and put government-accessible backdoors on all data, Rosenstein suggested tech companies that offer encrypted communications services incorporate the ability to access encrypted data in response to court orders.
Rosenstein concluded by saying, “There is no constitutional right to sell warrant-proof encryption. If our society chooses to let businesses sell technologies that shield evidence even from court orders, it should be a fully informed decision.”
In other news
- The latest company to accidentally expose data in an Amazon Web Services Simple Storage Service bucket is Accenture, a global management consulting and professional services giant — and cloud service provider. Chris Vickery, cyber-risk analyst for UpGuard Inc., a cybersecurity company based in Mountain View, Calif., reported the exposure in a blog post. “Accenture, one of the world’s largest corporate consulting and management firms, left at least four cloud-based storage servers unsecured and publicly downloadable, exposing secret API data, authentication credentials, certificates, decryption keys, customer information, and more data that could have been used to attack both Accenture and its clients,” Vickery wrote. “The servers’ contents appear to be the software for the corporation’s enterprise cloud offering, Accenture Cloud Platform, a ‘multi-cloud management platform’ used by Accenture’s customers, which ‘include 94 of the Fortune Global 100 and more than three-quarters of the Fortune Global 500’ — raising the possibility that, if valid, exposed Accenture data could have been used for critical secondary attacks against these clients.”
- The Federal Deposit Insurance Corporation (FDIC) suffered as many as 54 data breaches of personal information from the start of 2015 to the end of 2016, according to an audit by the FDIC Office of Inspector General (OIG). The FDIC, a government agency formed in the wake of the Great Depression to protect bank customers, insures all deposits at participating banks up to at least $250,000. To accomplish its mission, the FDIC collects large amounts of data, including personally identifiable information about bank customers. The audit report, which included in-depth reviews of some of the reported FDIC data breaches, states that the FDIC OIG “initiated this audit in response to concerns raised by the Chairman of the Senate Committee on Banking, Housing, and Urban Affairs regarding a series of data breaches reported by the FDIC in late 2015 and early 2016. Many of these data breaches involved PII.”
- Trustwave’s SpiderLabs researchers reported a sophisticated hybrid cyberattack against banks netted thieves as much as $40 million. According to the report, the scam involved people opening bank accounts, while also breaking into the banks’ computer systems to manipulate overdraft limits on those accounts, and then having other people withdraw large amounts from ATMs abroad. While the attacks described in the SpiderLabs report were mostly against banks in post-Soviet states, the researchers warned the techniques would spread. “Currently, the attacks are localized to the Eastern European and Russian regions. However, in cybercrime, this area is often the canary in the mineshaft for upcoming threats to other parts of the world.” SpiderLabs warned: “All global financial institutions should consider this threat seriously and take steps to mitigate it.”
- Rapid7 reported a SQL injection vulnerability in the SmartVista end-to-end banking payment software offered by Switzerland-based BPC Banking Technologies. Rapid7 first notified BPC of the vulnerability in May and, after receiving no response from BPC, notified the U.S. CERT Coordination Center in July. Rapid7 recommended SmartVista users contact BPC support directly for assistance, but in the meantime, users should limit access to the SmartVista management interface as much as possible. The security vendor also recommended performing regular audits of successful and failed logins and using web application firewalls to prevent SQL injection attacks.