Many organizations need to find another gear when it comes to zero-day vulnerabilities, according to a patching expert.
This week saw a huge Microsoft Patch Tuesday, with Microsoft releasing 14 patches, including four that fixed critical vulnerabilities. Sometimes those critical vulnerabilities can involve zero-days, which are vulnerabilities that are already being used in attacks before the vendor releases patches. The more usual order is that attackers develop exploits after a vendor issues a patch.
"With Microsoft Patch Tuesday, we see most people strive for 90 percent of their security patches applied within a week and a half. For zero days, it's a totally different story," says Rob Juncker, vice president of engineering at LANDesk Software. Juncker came to LANDesk via that company's acquisition of VMware's Shavlik unit.
According to Juncker, organizations need a separate process for updating systems threatened by zero-day vulnerabilities, one that moves faster than the process they use for regular vulnerability patches.
"As soon as we release [a zero-day] patch, someone will pick up that patch, test it the next day and do some basic surface testing. After that's done they start pushing it out to critical systems, with awareness of how you would handle breakage. They take a little more risk on the upgrade with that testing," says Juncker. But he says that risk is balanced by the fact that attackers are already exploiting the vulnerability.
In the October Patch Tuesday, Microsoft patched three zero-day vulnerabilities. This month's patch collection was less severe, with just one zero-day, and even that one was somewhat loaded with caveats.
"The most important bulletin MS14-064 addresses a current zero-day vulnerability -- CVE-2014-6352 in the Windows OLE packager for Vista and newer OS versions," wrote Qualys CTO Wolfgang Kandek in a commentary about the November Patch Tuesday. "Attackers have been abusing the vulnerability to gain code execution by sending PowerPoint files to their targets. Microsoft had previously acknowledged the vulnerability in security advisory KB3010060 and offered a work-around using EMET and a temporary patch in the form of a FixIt. This is the final fix for OLE Packager (Microsoft had patched the same software in October already with MS14-060) that should address all known exploit vectors."
Juncker cautions that organizations need to be aware of how many more zero-day vulnerabilities are being discovered these days than in the recent past. He also warns against the outdated idea that Microsoft's systems are the most vulnerable, and therefore that keeping up with Microsoft patches equates with being generally up to date.
"I think a lot of us focus on Microsoft products," Juncker says. "That's where a lot of the exploits used to be. Now they lead out with Java, they lead out with Adobe. The operating system isn't enough anymore. Make sure that you have a patch process that emphasizes not just servers, but make sure you get the endpoints."
Posted by Scott Bekker on November 12, 2014 at 4:36 PM
Longtime Microsoft channel executive Josh Waldo has joined Nintex as vice president of channel strategy and channel programs.
Nintex is a Bellevue, Wash.-based workflow automation platform provider. "With his passion for partners and extensive management and technology industry expertise, Josh is well-qualified to drive our channel marketing strategy and programs and help our channel partners experience success within the new cloud environment," Nintex CEO John Burton said in a statement.
Waldo was most recently senior director of cloud partner strategy in the Microsoft Worldwide Partner Group, where he was responsible for developing programs to help partners sell Microsoft's public cloud services.
According to Nintex's statement, Waldo's charter includes drawing new partners into its current stable of more than 1,000 partners and service providers worldwide.
Posted by Scott Bekker on November 12, 2014 at 4:36 PM
The drumbeat over the end of support for Windows Server 2003 is getting louder and more insistent.
On Monday, US-CERT issued an alert titled "Microsoft Ending Support for Windows Server 2003 Operating System" to warn subscribers about the risk that the deadline next summer represents for organizations' security postures.
US-CERT is part of the U.S. Department of Homeland Security, and CERT stands for Computer Emergency Readiness Team.
Much as it ended support for Windows XP on April 8, 2014, Microsoft will stop supporting Windows Server 2003 on July 14, 2015. At that time, Microsoft will no longer provide free security patches for newly discovered vulnerabilities, assisted technical support for the product or software updates.
"Using unsupported software may increase the risks of viruses and other security threats," CERT warns in the alert. "Negative consequences could include loss of confidentiality, integrity and or availability of data, system resources and business assets."
US-CERT's recommendations include looking for software vendors and service providers who offer assistance in migrating from Windows Server 2003 to a supported operating system or a cloud-based service.
The advisory follows recent announcements by several major partners, including Insight Enterprises, that they are rolling out major Windows Server 2003 migration initiatives.
Posted by Scott Bekker on November 10, 2014 at 11:47 AM
Six months after the end of support for Windows XP, the user base is finally responding.
Operating system market share figures released over the weekend by Net Applications show the kind of dramatic month-over-month drop in Windows XP's share that seemed like it should have come right around the end of support on April 8, 2014.
Windows XP fell from 23.87 percent of worldwide operating system usage in September to 17.18 percent in October. That 6.7 percentage point drop is a bigger decline in one month than the operating system's usage had fallen previously in the entire year. Windows XP was at 29.3 percent in January and had only fallen 5.43 percentage points through September. That period covered the April support deadline, and Microsoft had loudly and regularly been warning organizations, partners and users that the OS would be completely unpatched against newly discovered vulnerabilities and was therefore a serious security risk.
Windows 8 appears to be the prime beneficiary of users abandoning Windows XP. While Windows 7 gained about a third of a percentage point of share from September to October to top 53 percent share, and Mac OS platforms picked up about three-quarters of a point to edge over 7 percent, the real gainer was the combination of Windows 8 and Windows 8.1.
Windows 8/8.1 jumped 4.54 percentage points to reach 16.8 percent usage, good for second-most-used operating system version after Windows 7.
Net Applications puts together its rankings based on data collected from the browsers of site visitors to a network of clients that includes more than 40,000 websites worldwide.
Posted by Scott Bekker on November 03, 2014 at 10:54 AM
Microsoft's elite hosting program quadrupled to 100 partners in the year since its launch, with new partners fueling a 40 percent expansion in the number of service provider datacenters and contributing to a 20 percent boost in customers.
Microsoft unveiled the new enrollment number for the Cloud OS Program as part of its TechEd Europe 2014 event in Barcelona.
The Cloud OS Network consists of service providers that offer hybrid cloud solutions encompassing private clouds, service provider clouds and Microsoft Azure. The network, rolled out in October 2013, is an effort to build an elite community of partners around the Cloud OS that Microsoft rolled out in September 2012.
Cloud OS Network partners are an elite group among Microsoft's tens of thousands of hosting partners, rarer even than the 2,500 partners in the Gold Hosting Competency.
"When you look at the Cloud OS Network, you're looking really at the premier service provider player. The datacenter is their business," said Marco Limena, vice president of Hosting Service Providers at Microsoft.
While the 75 new service provider partners are a big addition in terms of raw enrollment numbers, their contribution to the overall datacenter and customer footprint is incremental compared with the two dozen large service providers Microsoft launched with a year ago.
With the first 25 Cloud OS Network partners, Microsoft claimed 425 datacenters and more than 3 million customers. Now, with 100 partners, those numbers slide up to 600 datacenters and 3.7 million customers.
Meanwhile, Microsoft's overall hosting business has been growing strongly since Microsoft redefined its previously core Windows Server operating system as only one component of a Cloud OS that also includes Azure and service provider clouds.
"We've had 11 consecutive quarters of double-digit growth," Limena said. "The overall ecosystem has 26,000 hosting partners. We added 5,000 in the past 12 months."
That broader ecosystem is getting interesting, as well. "The definition of a channel partner and a customer is really blurry," Limena explained. "When I look at the 26,000 partners, we are looking at a very diverse and agile ecosystem of players. Many of them are the traditional Web hosters that have been with us for a long time or the Exchange hosters who have been with us for a long time. But more and more in recent times, we are adding players like solutions integrators, ISVs or enterprise companies that see hosting not as their business but as more of a means to an end. For example, some enterprises are using hosting to extend capabilities to the supply chain."
Limena promises more activity in the coming months in this strategic area for Microsoft. We'll keep you posted on the news.
Update: In the original version of this blog entry, I implied via an indirect quote that Marco Limena said Cloud OS Network partners are a step above Gold Hosting Competency partners. That assertion was mine, not Marco's, and incorrectly compared two related, but not directly comparable, partner groups.
Posted by Scott Bekker on October 29, 2014 at 3:31 PM
Fresh off a recent round of investment, channel-focused Office 365 migration project automation specialist SkyKick is expanding its management team to accelerate North American growth and drive into new markets internationally.
The Seattle-based startup and a 2013 Microsoft Partner of the Year winner is adding three senior executives -- Steve Bonilla as COO, Peter Labes as vice president of business development and Eric Jewett as vice president of international operations. The executive additions, being announced Monday, follow a $3 million round of private equity and angel investor funding announced in late July.
"We have a strong bench around product development," said Todd Schwartz, co-CEO of SkyKick, in an interview. "By adding some industry veterans, this will help us in some areas that up until this point we haven't invested in."
Bonilla most recently was COO at Spiraledge and also held senior positions at Accenture and Digital Impact. "What we thought was very important as we build this company for the long term is we wanted to hire a COO with hardcore operational experience and experience in building companies from small to big," Schwartz said.
SkyKick picked up Labes and Jewett from Microsoft, where SkyKick co-founders Schwartz and co-CEO Evan Richman came from.
Labes was most recently senior cloud strategy lead for the Microsoft U.S. SMB Channel Group. Richman said Labes' experience with building the Office 365 business through the U.S. channel and previous channel-based business development experience with Sage Software make him a strong fit for SkyKick's ongoing channel-centric ambitions.
"There's a lot of change happening in the channel as the cloud is coming. [He's going to help] us work with those different partners and continue to support the channel in the best way possible," Richman said.
Jewett had several international roles at Microsoft, including worldwide director for Microsoft Azure Enterprise Sales Strategy, senior director of Microsoft Azure for Western Europe and worldwide director of Windows Server and Virtualization Marketing.
SkyKick's international strategy is to build the business first in other English speaking countries, like the United Kingdom, Australia and New Zealand, and branch out from there, Schwartz and Richman said.
The executive expansion reflects overall employee growth at SkyKick. When announcing the $3 million in new funding over the summer, SkyKick unveiled plans to double the company's headcount from 40 people to 80 employees over the next year.
Schwartz says SkyKick's buildout is only beginning. "Only 7 percent of SMBs have moved to the cloud over the last three years. We're still very much in the early days. This is only year three of probably a 10-to-15-year journey."
Posted by Scott Bekker on October 20, 2014 at 5:29 AM
Wireless standard upgrades often meet with a collective yawn by customers. If the wireless network is getting the job done, a speed increase often won't do enough to improve performance to justify the cost.
But Jamie Stark, senior product manager with Microsoft Lync, is evangelizing a recent wireless standard as a big opportunity to dramatically improve unified communications performance on mobile networks.
The opportunity, which for partners extends beyond those who specialize in Lync, is related to the new 802.11ac wireless standard. The standard was approved in January, and it turbocharges wireless bandwidth to single-link throughput of at least 500MBps.
"The promise of mobility with Lync is really strong. Customers think, 'Not only can I save a lot of money, not having this really extensive wired plant would be great,'" Stark told me. He says expense savings could go as far as removing a standard requirement to have air conditioning on every floor's equipment closet to keep existing switches for old telephone handsets cool.
"If I have a cell phone, tablet and a workstation with a headset, I don't need to be tethered down by a wire," Stark said.
An obstacle has been wireless bandwidth. "If a dozen people are in the conference room looking at a Lync meeting, it's easy to saturate an access point," Stark said.
The 802.11ac equipment removes the bandwidth barrier affecting current traffic levels. "It's absolutely an opportunity now. 802.11ac is now to the point in the market where folks are going to be buying that," Stark said. "The single biggest thing that I bring up to every one of the customers that I talk to is around Wi-Fi."
For more on emerging opportunities around Lync, see the recent RCP Partner Guide to Microsoft Lync here (registration required).
Posted by Scott Bekker on October 07, 2014 at 11:31 AM
The rumors over the weekend were correct, and Hewlett-Packard revealed Monday morning that it will split into two roughly equal-sized entities -- Hewlett-Packard Enterprise and HP Inc.
The move creates two massive new, if familiar, players in the tech industry -- Hewlett-Packard Enterprise's annual revenues for a recently concluded period would have been $58 billion, HP Inc.'s $57 billion. The new arrangement has implications across the IT industry, including for the many Microsoft partners who are also HP partners. Here are a few of the main takeaways that are visible at first blush.
A New Poster Child for Spinoffs
The IT industry commonly veers between two business poles -- mergers and acquisitions or spinoffs and sell-offs. Big events give us a shorthand to understand trends and HP's new decision is one of the biggest. As a symbol of old Silicon Valley, the PC industry, the printer industry or the new cloud+services world, HP's decision will become a major data point in all kinds of discussions about whether spinning off business divisions makes sense.
HP Chairman, CEO and President Meg Whitman was touting a strategy of "One HP" -- in other words, not splitting up -- recently enough that she needed to do some tap dancing about it on Monday morning in a call for investment analysts.
"Let me be clear, One HP was the right approach. During the fix-and-rebuild phase of our turnaround plan, we used the strength found in being together to become stronger throughout. But of course, the marketplace never stands still, and in our industry today more than ever, you have to compete harder and faster every single day. Being nimble is the only path to winning," Whitman said.
Already, HP's move is resparking conversations about EMC and VMware, as well as renewing calls for Microsoft to look into breaking up. Whether HP's spinoff is a success or a failure, it is high-profile enough that it will become shorthand for one or the other.
A Star Is Born
Dion Weisler earned a level of industry renown with his elevation to the position of HP's executive vice president of Printing and Personal Systems Group in the summer of 2013. But the Australian-born tech industry veteran, who joined HP in January 2012, goes from being well-known by tech industry insiders to the type of business superstar who appears on CNBC with his elevation to CEO of the newly formed independent company, HP Inc.
According to Weisler's bio from the HP site, prior to his EVP role, he was senior vice president and managing director of Printing and Personal Systems for the Asia Pacific and Japan regions. He came to HP from Lenovo, where his top role was vice president and COO of Lenovo's Product and Mobile Internet Digital Home groups. He also worked at Telstra Corp., an Australian telecommunications company, and spent 11 years at Acer.
In a statement, Whitman gave this assessment of Weisler's performance as EVP, a job that precisely parallels what he'll be working on as CEO of HP Inc.: "Since assuming responsibility for the Printing and Personal Systems Group, Dion and his leadership team have done an excellent job of building our relationships with customers and channel partners, segmenting the market and driving product innovation."
Whitman Bets on Hewlett-Packard Enterprise?
Is Meg Whitman tipping her hand as to which of the two businesses has more potential?
"The board and the management are convinced that by separating HP into two new, independent companies, we will be able to accelerate the performance of both more rapidly than we could as currently configured," Whitman explained on the investor call.
Whitman will serve as CEO of Hewlett-Packard Enterprise, while serving as non-executive chairman for HP Inc.
She's chosen to focus her day-to-day attention on the business that moves forward with HP's lines of servers, storage, networking, services, software, cloud and converged systems. That's as opposed to the business built on notebooks, desktops, mobility, printing, managed print services and graphics.
Whitman will be the executive on the side of the business with larger expected profit margins and the side that includes the booming cloud market. That said, both businesses currently carry similar operating margins, according to a slide deck for investment analysts (10.2 percent for Hewlett-Packard Enterprise and 9.4 percent for HP Inc.).
More Layoffs Coming
HP has always done things in a big way because of its scale. While Microsoft makes headlines for layoffs in the 18,000-employee range, HP was already committed to laying off between 45,000 and 50,000 people.
During the call about the spinoff, an HP slide revealed that "incremental opportunities for reductions have been identified...independent of the separation transaction." The latest figure is that the entity once known as HP has need of 55,000 fewer employees. The elimination of 5,000 or 10,000 people from the payroll beyond the company's previous guidance means additional money for R&D and sales, according to an HP slide.
The layoffs and other job eliminations are proceeding, with about 36,000 jobs already eliminated. Expect uncertainty and trepidation from HP contacts until they're certain what the other 19,000 eliminated jobs will be.
Spotlight on Future Products
HP executives provided hints on Monday about what product lines they're most excited about for future growth.
On the Hewlett-Packard Enterprise side, it's Apollo, Gen 9 and Moonshot servers, the 3PAR storage platform, the HP OneView management platform and the HP Helion Cloud. For HP Inc., mobility is an area where the company is looking to gain traction, while the spinoff is also looking to build a business in 3-D printing.
HP Financial Services
There wasn't a lot of detail about partners on Monday, but one area where channel partners did get mentioned involved financing. Going forward, both companies appear to view HP Financial Services as a strategic capability for partners and customers.
"By leveraging its HP Financial Services capability, the company will be well positioned to create unique technology deployment models for customers and partners based on their specific business needs," the company said in a statement about the Hewlett-Packard Enterprise side. "Additionally, the company intends for HP Financial Services to continue to provide financing and business model innovation for customers and partners of HP Inc."
Posted by Scott Bekker on October 06, 2014 at 12:56 PM
The security professional's toolbox is fairly mature, with ethical hackers commonly using familiar and powerful tools such as Metasploit, Nmap, Wireshark and dozens of others, many of them conveniently wrapped up for free in the security-focused Kali Linux distribution.
Still, in the fast-moving field of IT security, new threats and tools are constantly emerging. In a standing-room-only session at Interop New York this week, David Rhoades of Maven Security Consulting recommended five up-and-coming tools that can help penetration testers do their jobs better.
Rhoades' presentation followed one on vulnerability management by John P. Pironti, president of IP Architects LLC, in which Pironti noted that two of the most significant classes of vulnerabilities remain cross-site scripting and SQL injection. Addressing the cross-site scripting problem is a relatively new tool called XSScrapy by security researcher Dan McInerney, Rhoades noted. XSScrapy's description on GitHub reads: "Fast, thorough, XSS spider. Give it a URL and it'll test every link it finds for cross-site scripting vulnerabilities."
Gauntlt is designed for devops. The team behind it aimed to help make development of new code more secure by creating a tool that makes checking for vulnerabilities repeatable, reliable, reviewable, rapid and resilient with a reduced attack surface. The tool launches other attack tools at a target and reports the results.
One of the Gauntlt developers, Mani Tadayon, described it as the opposite of static code analysis in a presentation announcing the tool in 2012. "We're looking at the system as, kind of, not a black box but a grey box. We're looking at the running instance. The difficulty with code analysis is like, what is it? Is it Java, is it Ruby? Is it this framework? That framework?" Tadayon said. "[With Gauntlt] it's like, we don't [need to] know what's going on inside your app."
Another relatively recently released platform for performing security tests on Web applications is Minion from the Mozilla Project (the team behind the Firefox browser).
A USB hack presented by SR Labs at BlackHat 2014 in August and called BadUSB introduced a new form of malware that reprograms the controller chips inside USB devices. "USB sticks, as an example, can be reprogrammed to spoof various other device types in order to take control of a computer, exfiltrate data, or spy on the user," SR Labs explained in a description of the session.
Finally, Rhoades pointed his audience to Kali Linux Nexus NetHunter. Developed by Offensive Security, the company behind Kali Linux, and Kali community member "BinkyBear," NetHunter takes the idea of a penetration platform and essentially puts that particular hell on wheels.
NetHunter is designed as an open source penetration testing platform for an Android OS tablet (Nexus 10), mini-tablet (Nexus 7) or smartphone (Nexus 5). Some of the tools include wireless 802.11 frame injection, one-click MANA Evil Access Point setups, HID keyboard and even BadUSB-based "man-in-the-middle" attacks.
Posted by Scott Bekker on October 02, 2014 at 9:44 AM
Kaseya this week issued another core platform release and this month will open a beta program for some additional functionality.
"With 8, we have shifted the focus to security," said Yogesh Gupta, CEO of Kaseya, in a telephone interview.
Release 8, which became generally available on Tuesday, is the latest of Kaseya's regularly scheduled releases. Since joining the MSP remote monitoring and management (RMM) and IT systems management tool vendor in the summer of 2013, Gupta has kept Kaseya to a development cycle built around releases every January, May and September.
The Kaseya 8 release comes on the heels of the company's acquisition of Scorpion Software, a security company focused on two-factor authentication, password management and single sign-on.
For now MSPs and other customers looking to use the Scorpion technology alongside the core Release 8 must license AuthAnvil separately. Integration is scheduled for a future release. Nonetheless, Kaseya is simultaneously shipping new releases of all three AuthAnvil products -- Single Sign On, Two-Factor Authentication and Password Server.
A major new security feature in Kaseya's core management platform comes in an enhancement to Kaseya Remote Control. The component now allows administrators to work privately on remote servers and workstations so that people near the target machine can't see what is being done.
Other new features include the ability for administrators to isolate and view individual Terminal Server sessions, improvements to Office 365 management and tighter integration between the main dashboard and Kaseya Traverse Service Level Management.
The beta launching this month is for integrated enterprise mobile management (EMM). The design goal for Kaseya's EMM is combined mobile device management and bring your own device features within Kaseya's core management platform.
According to Kaseya's roadmap, the company intends to be able to roll the EMM functionality into Release 9 of the platform in January 2015.
Posted by Scott Bekker on September 30, 2014 at 11:18 AM
Hitting a delivery date promised in July, Microsoft on Monday launched three new cloud competencies for partners.
At the same time, Microsoft drastically reduced the number of customers a partner is required to have to achieve the SMB competency's silver tier, and announced improvements to Pinpoint, the partner directory for customers.
The three new competencies that went live on Monday were Small and Midmarket Cloud Solutions, Cloud Productivity and Cloud Platform. They are the first cloud-specific competencies Microsoft has launched in the Microsoft Partner Network (MPN).
Gavriella Schuster, general manager of the Microsoft Worldwide Partner Group, announced a change to the SMB competency in a blog post.
"Based on insight and input from the partner community, we have determined that the appropriate threshold for the Small and Midmarket Cloud Solutions competency is 10 new customers over the last 12 months, down from the 15 customer limit we announced in July. The other eligibility components remain the same at 150 net new seats and three customer references," Schuster wrote.
Schuster also said an updated Pinpoint directory was going live on Monday and that Microsoft had released new materials to help partners optimize their Pinpoint listings. According to a Microsoft spokesperson, changes include better access and more tailored search.
Posted by Scott Bekker on September 29, 2014 at 1:13 PM
Details are starting to emerge about Cloud Solution Provider (CSP), a promising partner program that Microsoft previewed at its Worldwide Partner Conference (WPC) in July.
The CSP program is designed to accommodate the requests by partners to be able to bundle Microsoft services and own the customer billing, a requirement that was partly but not fully addressed with the Office 365 Open program.
"Partners in this [Cloud Solution Provider] program will be able to directly provision customer subscriptions and provide one monthly bill for both Partner and Microsoft services. They will also directly manage their customer subscriptions with in-product tools in the Partner Admin Center and own the technical support relationship," wrote John Case, corporate vice president of Microsoft Office, in a blog entry announcing the program on July 14.
Calling CSP "a true cloud reseller program" during a WPC keynote that same day, Case also said the program would create opportunities for distributors, MSPs, ISVs and hosting providers. Those are very different types of partners, however, and as Microsoft begins to sign up partners and get feedback, the CSP is evolving.
In a blog post Wednesday, Gavriella Schuster, general manager of the Microsoft Worldwide Partner Group, revealed that CSP will now have two levels, and she provided a loose rollout schedule.
"After speaking with partners of all types and sizes, we've made the decision to roll out the CSP with two business model options for partners to participate. In the first business model, partners will sell Microsoft Cloud Services directly to customers (1-Tier). These are partners that typically have existing broad market reach, a 24/7 technical support relationship with their customers as well as direct ownership of the billing -- a feature that was the most requested from partners," Schuster wrote. "The second business model consists of resellers who sell Microsoft Cloud Services through distribution partners (2-Tier)."
Over the summer, Case said the program would be rolled out to select partners in 48 countries. Schuster said onboarding for the 1-Tier is happening now, but implied that the main rollout would happen after the full documentation of partner requirements is posted to the Partner Portal in mid-October.
Partners interested in the 2-Tier will need to wait a little longer. "We expect most partners to participate through the 2-Tier model, and we'll have more information to share about that program later this calendar year," Schuster said.
By product, Microsoft has said CSP would start with Office 365 and Windows Intune, and Microsoft Azure, Dynamics CRM Online and other products will follow.
The CSP is in addition to three new cloud competencies that Microsoft planned to take live next week.
Posted by Scott Bekker on September 24, 2014 at 12:15 PM