Recently, I met with many industry analysts, customers, and press at Gartner Symposium/ITxpo. In numerous conversations, I was asked about the organizational implications of changing company culture and how this relates to digital business transformation. As you create a culture of agility (see previous blog), what organizational changes will a more aware, informed, and responsive culture imply (and necessitate)?

To begin, your approach to talent will be more dynamic. You will need to change how you acquire, manage, and retain the types of people required to succeed. Today, this talent isn’t found through traditional channels. Recently, Procter & Gamble received nearly 1 million applications for just 2000 positions. This resume overload is already causing many companies to embrace new models for talent acquisition that depend upon platforms and machine intelligence.

After making the best hire, digitization involves transforming how talent is allocated, a particularly difficult challenge for companies with large distributed workforces. Innovators are leveraging analytics and artificial intelligence (AI) to better understand what each person can contribute and how best to team them with others to quickly and effectively solve specific business challenges.

An agile culture also fundamentally changes what it means to be a manager. Rather than overseeing the work of part- and full-time company employees, digital managers must orchestrate a regularly changing mix of contributors who come together as needed. This requires the ability to manage different types of workers, including contractors and vendors with varying skill sets for shorter durations, often tapping into pools of human and technological capital from elsewhere in the business.

Externally, being agile means you will have greater visibility into your company’s supply chain, as well as better situational awareness about the things that impact it. This involves connecting, processing, and analyzing distributed data where it is generated, which Cisco is helping companies do with our Edge Analytics Fabric. With greater intelligence from these capabilities, your traditional supply chain will evolve into a flexible, orchestrated, and more automated ecosystem of companies that can come together and part ways as needed, increasingly on an opportunity-by-opportunity basis.

All of these changes must be underpinned by agile business processes that enable companies to execute faster, even adapting to real-time events and context shifts. In short, agility isn’t just a software development or supply chain discipline—it needs to permeate your resources, business processes, and operating model. As you develop an agile culture, your company will begin to experience the real benefit of digitization—fundamentally changing how you deliver value to customers.

This is only possible when management welcomes and prioritizes change. In my next blog, I will expand on this issue of embracing change and introduce a key transformation concept I call “actionable accountability.”

Keywords: agile, culture, partner, ecosystem, business process, organization, silos, cross-functional, talent, management, collaboration, digital business transformation, hyperawareness, informed decision-making, fast execution

Authors

Kevin Bandy

No Longer with Cisco

This post was authored by Nick Biasini

Over the last six months the exploit kit landscape has seen some major changes. These changes began with Nuclear ceasing operations in April/May and arrests in Russia coinciding with the end of Angler in June. Recently, Neutrino has been added to the list of exploit kits that have stopped being actively used in 2016. What remains is a group of smaller exploit kits vying for pole position in an industry that continues to generate millions of dollars from payloads such as ransomware and banking trojans.

It’s now time to turn to another exploit kit that is active on the landscape, Sundown. The Sundown exploit kit has previously been part of a second tier of exploit kits that includes Magnitude and Sweet Orange. These kits successfully compromise users, but typically are not accompanied with the advanced techniques and wide-spread use of the other major exploit kits. It’s not to say these kits aren’t significant threats, but from a potential victim perspective they historically do not have the reach associated with other EKs from before such as Angler or RIG.

Authors

Talos Group

Talos Security Intelligence & Research Group

If you thought that the internet has come to dominate our lives, you should see what’s coming next. More web users and devices, faster broadband speeds and the continuing explosion of video are all contributing to global digital transformation. What’s more, everything from cities to cars is becoming networked, as the internet of things takes shape.

How Can Service Providers Make the Most of Their Network Infrastructure?

In June, Cisco’s VNI Global IP Traffic Forecast, 2015-2020 predicted that by 2020, there will be 26.3 billion networked devices and connections across the world (up from 16.3 billion in 2015), and that IP video will represent 82 percent of global traffic by 2020, up from 70 percent in 2015.

In the midst of this revolution, it’s easy to forget that the virtual world is rooted in physical infrastructure. But service providers can be cruelly reminded of this by the pressure to keep up with ever-increasing speed and capacity demands on their networks.

Updating network equipment can be expensive and impractical. But today, IT infrastructure is increasingly being made available as a service, enabling businesses to move beyond the limitations of their physical network architecture and design virtual programmable networks to suit their purposes.

At Cisco, we are leading the way in helping service providers bridge the gap between networks and apps, enabling them to thrive in a digital world.


The Programmable Revolution: A Springboard for Innovation

In a competitive market where connectivity is taken for granted, service providers need to make sure that they are offering the best possible value.

A network whose virtual ‘brain’ is at arm’s length from its physical ‘muscles’ can help you do this because it is both simpler to operate, and more flexible, meaning that businesses can provide a better service at a reduced cost.

One service provider developing this approach is the Qatari company Ooredoo, which has agreed to create a relationship with Cisco to set a roadmap for network function virtualisation (NFV) and deliver virtual managed services to the Qatar market. Ooredoo will be trialling Cisco’s Cloud VPN, part of our Virtual Managed Service portfolio, which offers secure business connectivity and routing for site-to-site, remote access, and internet gateway applications.

Technology pioneered by Cisco, like segment routing, enables businesses to distribute their data more efficiently, managing its flow like the conductor of an orchestra directs music. Programmable networks can also be automated to a large extent, significantly cutting down operational costs.

The ability to better handle high traffic is a key advantage of programmable networks – but it’s not the only one. They can also empower service providers to increase their revenue through custom options and new business models. Areas getting a lot of attention right now are the delivery of OTT services such as internet TV and cloud storage, as well as services related to the Internet of Things, like in-car networks for the automotive industry.

The Door to the Future is Open

The future is collaborative – which is why we build our technology using open APIs. This means that different components can communicate easily with each other, and networks can be restructured and adapted to reflect changing conditions and new challenges.

Equally, we want to equip other organisations with the skills and tools to make the most of the digital revolution. Our DevNet programme provides developers with the resources to build innovative, network-enabled apps, and our Digital Network Architecture community within this is a place for developers, architects and operators to come together, learn and share ideas.

We’re leading this community through our commitment to open standards. Because when it comes down to it, innovation is about human as well as digital networks.

KEY TAKEAWAYS

  • More web users and devices, faster broadband speeds and the continuing explosion of video are all contributing to global digital transformation.
  • In the midst of this revolution, it’s easy to forget that the virtual world is rooted in physical infrastructure. But service providers can be cruelly reminded of this by the pressure to keep up with the speed and capacity demands on their networks.
  • Updating equipment can be challenging and sometimes costly. But a network made available as a service enables businesses to move beyond the limitations of their physical architecture, and design virtual programmable networks to suit their purposes.
  • A network whose virtual ‘brain’ is at arm’s length from its physical ‘muscles’ is simpler to operate and can be automated, enabling businesses to cut down operational costs.
  • Programmable networks can also empower service providers to increase their revenue through developing new products and business models.
  • If you want to learn more: visit our Evolved Programmable Network page.

Authors

Christian Thomas

Head of Pre-sales engineering

Global Service Provider, Cisco France

Hi again! You may have heard by now that Cisco’s Hyperconverged Infrastructure – Cisco HyperFlex Systems – has been engineered on Cisco UCS, and in this blog I will share what it means to you. In a nutshell, engineering HyperFlex on UCS not only allows you to extend existing tools and skillsets to hyperconvergence, but also provides the platform to create the most adaptive and flexible hyperconverged solution in the market.

Cost Efficiency

Cisco HyperFlex provides the unique ability to truly scale resources independently. When you need to scale just compute, for example in non-persistent VDI deployments, you can simply add UCS blades or racks that join the hyperconverged resources as compute-only nodes. This is done with our IOvisor, a VIB that provides a network file system (NFS) mount point to vSphere, effectively adding these servers to the unified pool of available resources. You don’t have to pay the high cost of disks and software in additional nodes, significantly lowering your overall TCO by truly adapting resources to the needs of your specific environment.

Convenience and Flexibility

One of the benefits of running on the same UCS platform is that you can leverage existing assets in your datacenter. Continuing the example of expanding the hyperconverged cluster, you can take an existing UCS B200, C220 or C240 and add it as a compute-only node. Once the VIB is deployed, these compute-only nodes become part of the joint pool.

Dynamic Resource Utilization

Another key aspect of this model is the ability to shift these resources across Hyperconverged (HCI) and converged or traditional infrastructure. The compute-only nodes can be used to support the hyperconverged cluster, and based on seasonal or daily application demands they can also be shifted to support your traditional infrastructure, providing true cloud-like agility across your datacenter.

Leverage Existing Skillset

Too often hyperconverged solutions don’t play well within your datacenter, requiring separate management paradigms dedicated to hyperconverged clusters. By engineering HyperFlex on UCS we allow you to extend the popular UCS Manager policy management to HyperFlex clusters. Both deployment and expansion processes leverage UCS service profiles, streamline daily operations and increase overall infrastructure consistency and reliability across the datacenter. HyperFlex nodes are managed like any other UCS server in your datacenter.

Authors

Gil Haberman

Product Manager

HyperFlex Product Marketing

Back in April, I wrote a blog post about the new version of the Common Vulnerability Scoring System (CVSS). The changes made for CVSSv3 addressed some of the challenges that existed in CVSSv2. For example, CVSSv3 analyzes the scope of a vulnerability and identifies the privileges an attacker needs to exploit it. The CVSSv3 enhancements allow vendors to better analyze security vulnerability impact. The changes in CVSSv3 also help our customers more easily determine the urgency with which they need to respond to vulnerabilities.

In my previous blog post, I shared the details of a study that analyzed the differences between CVSSv2 and CVSSv3 scores using scores provided by the National Vulnerability Database (NVD). I have continued to monitor the way vulnerabilities are scored using the new version of CVSS because Cisco will soon begin supporting the new version. In my previous study, back in April, I analyzed 745 vulnerabilities. I recently expanded the data set, and this new analysis includes a total of 3862 vulnerabilities. I kept the scores and data vendor-neutral and used only NVD’s CVSSv2 and CVSSv3 scores.

CVSSv3 Metrics

If you are not familiar with the CVSS metrics, you can read the CVSSv3 specification at FIRST’s website: https://www.first.org/cvss/specification-document. You can also use the CVSSv3 calculator: https://www.first.org/cvss/calculator/3.0

FIRST has also published several examples of CVSSv2 vs. CVSSv3 scores at: https://www.first.org/cvss/examples

I have included screenshots of the Base, Temporal, and Environmental metrics from FIRST below for your reference.

Figure 1 – CVSSv3 Base Metrics

Figure 2 – CVSSv3 Temporal Metrics

Figure 3 – CVSSv3 Environmental Metrics

Study Results

The total number of vulnerabilities studied was 3862. These were vulnerabilities disclosed from January 1, 2016 through October 6, 2016, and the source of the data is NVD.

The average base score increased from 6.5 (CVSSv2) to 7.4 (CVSSv3). This is illustrated in Figure 4.

Figure 4 – Average Base Score

Cisco adopted a Security Impact Rating (SIR) in 2015, which uses basically the same scale as the CVSSv3 qualitative severity rating scale. This was done to help organizations properly assess and prioritize their vulnerability management processes.

Figures 5 and 6 include high-level statistics for the qualitative severity differences between CVSSv2 and CVSSv3 scores for the vulnerabilities assessed in this study.

Figure 5 – Qualitative Metrics Change

Figure 6 – CVSSv2 vs. CVSSv3 Qualitative Metrics Distribution

There were several vulnerabilities whose base score decreased from a higher to a lower QM category when scored with CVSSv3. The following table depicts vulnerabilities for which the QM category increased (not just the score) when going from CVSSv2 to CVSSv3.

Table 1

However, there were far more vulnerabilities whose CVSSv2 base score increased when scored with CVSSv3.

Table 2

Seventy-four percent (74%) of the vulnerabilities that scored Low in CVSSv2 increased to Medium when scored with CVSSv3.

Figure 7 – Low to Medium Change

The following table summarizes the top 3 Common Weakness Enumeration (CWE) categories of the vulnerabilities that increased from Low to Medium when scored with CVSSv3.

Table 3

Forty-four percent (44%) of the vulnerabilities that scored Medium in CVSSv2 increased to High when scored with CVSSv3.

Figure 8 – Medium to High Change

The following table summarizes the top 3 CWEs of the vulnerabilities that increased from Medium to High when scored with CVSSv3.

Table 4

Twenty-eight percent (28%) of the vulnerabilities that scored High in CVSSv2 increased to Critical when scored with CVSSv3.

Figure 9 – High to Critical Change

The following table summarizes the top 3 CWEs of the vulnerabilities that increased from High to Critical when scored with CVSSv3.

Table 5

Why Should I Care?

One thousand seventy-seven (1077) vulnerabilities moved from Low or Medium to High or Critical. That is a 52% increase in High or Critical vulnerabilities.

As stated in our Security Vulnerability Policy in all of our security advisories:

“Cisco will provide an evaluation of the base vulnerability score, and in some instances, will provide a temporal vulnerability score. End users are encouraged to compute the environmental score based on their network parameters. The combination of all three scores should be considered the final score, which represents a moment in time and is tailored to a specific environment. Organizations are advised to use this final score to prioritize responses in their own environments. In addition, Cisco uses the Security Impact Rating (SIR) as a way to categorize vulnerability severity in a simpler manner. The SIR is based on the CVSS base score, adjusted by PSIRT to account for Cisco-specific variables, and will be included in every Cisco Security Advisory.”

Cisco takes a comprehensive approach to security and trust. Transparency and accountability in vulnerability management through Cisco’s Product Security Incident Response Team (PSIRT) is one of our core principles. This is why I want to share these results with you in anticipation of Cisco PSIRT using CVSSv3 in the first half of 2017.

Authors

Omar Santos

Distinguished Engineer

Cisco Product Security Incident Response Team (PSIRT) Security Research and Operations

World Savings Day was established in 1924 to promote the value of thrift. Representatives of 29 countries wanted to bring to mind the idea of savings and its relevance to both the individual and the economy.

Today, the focus of the banks that organize World Savings Day is on the “unbanked,” the more than 2.5 billion people who lack access to formal financial services. Most of these individuals are living close to or below the poverty line. And without access to the banking services many of us take for granted, the unbanked are not able to reach their full potential.

Without a savings account, it can be difficult to save for unplanned expenses like repairing your home. Without health insurance, your family is at risk if one of you gets sick. Without the ability to take out a loan, you can’t start a new business that will enable you to become economically self-sufficient.

Financial inclusion is an approach to help all people become financially independent and economically self-sufficient. This is achieved by providing access to affordable and relevant financial products and services. Financial inclusion helps underserved people increase their productivity, incomes, and resilience to withstand the unexpected. They become able to provide food, housing, and healthcare for their families as well as invest in education for their children.

Consider Thomas Bugembe who lives in Uganda. Thomas is committed to serving the children in his community. Ten years ago, he made his vision of building Maryhill Junior School real: two small rooms on a rented plot of land and just under 40 students. Opportunity International, a global non-profit organization, provides financial services and training to people like Thomas.

Over the years, Thomas has taken out multiple loans to expand Maryhill, availing himself of the school improvement loans and other educational support services offered by Opportunity International. The school now has kindergarten classes, an assembly hall, clean running water, and electricity. Today, Thomas’ school serves 356 students from K-7, many of whom live on campus. Thomas’ efforts also have created new jobs in his community: the school now employs 14 teachers and seven caregivers. Thomas hopes to add computers and a library in the near future.

With help, the unbanked can lift themselves out of poverty and contribute to the growth and vibrancy of their communities. However, many of the most vulnerable people live in rural and remote areas, making it difficult to reach them. In addition, many financial institutions are not able to handle large numbers of small transactions in a sustainable manner.

To overcome these challenges, organizations like Opportunity International are turning to digitization. Digitization connects people, processes, and things intelligently. For example, mobile banking enables organizations to scale and reach more people like Thomas living in rural and remote communities, and provide the types of services that can best serve them. Digitization also gives us access to more data that we can use to make better decisions and so derive more benefit from the digital revolution.

Digitization will play an important role in reaching the unbanked. Accelerating Financial Inclusion with Digitization: Bringing an End to Extreme Poverty shares Cisco’s point of view for how technology can bring the world together to make the vision of ending extreme poverty a reality.

Will you join us?

Discover more at csr.cisco.com and follow us on Twitter @CiscoCSR

Authors

Tae Yoo

No Longer with Cisco

The software market has changed radically over the last three or four years. So have software license models. Big Data, cloud and mobile have forced changes. One of the most significant is the sunsetting of the long-standing standard: the perpetual license.

Perpetual licenses redirect scarce resources, both yours and the vendor’s, into negotiating pricing, with no value generated. They increase business risk, force you to pay for functionality that may not be consumed for another few years, and divert money targeted at new initiatives.

Hybrid cloud has rapidly become the deployment model of choice to achieve speed and agility. Approximately 73% of organizations worldwide are investigating or deploying it. What is needed is a new license model that mirrors the consumption model for hybrid cloud.

NOW AVAILABLE! Subscription licenses for Cisco ONE Enterprise Cloud Suite. Watch this video to learn more:

https://youtu.be/Xv3y8MzhnZE

Authors

Joann Starke

No Longer with Cisco

As we wrap up National Cybersecurity Awareness Month in the U.S., cybersecurity continues to be a top-of-mind issue for business, government and consumers alike. In February 2016, President Obama announced a Cybersecurity National Action Plan to improve the United States’ cybersecurity posture. The non-partisan Commission on Enhancing National Cybersecurity was created and charged with making recommendations for actions that can be taken over the next decade to strengthen cybersecurity in both the U.S. public and private sectors.

The Commission has conducted a series of public forums in which they invited business, academic and government leaders to address cybersecurity issues. I was honored to be invited to provide testimony at a recent public meeting of the Commission. I focused my testimony on cybersecurity not as a standalone issue, but as an element of an intertwined platform of collaboration, function and security—a comprehensive security strategy.

A comprehensive security strategy demands an architecture that designs, deploys and monitors the right security in the right place at the right time. The key to doing so lies in addressing security across the value chain: the end-to-end lifecycle for hardware, software or services that deliver value.

I offered the Commission three foundational elements we apply at Cisco to build our value chain security strategy:

  • Retain a third-party value chain member’s flexibility to deploy the right physical security, operational security and security technology, in the right stage of its own ecosystem. This allows for the proprietary innovation that our ecosystem members bring to the table.
  • Apply a risk-based approach to the deployment of value chain security in order to ensure economic and operational viability. Namely, evade the pitfall of perfection being the enemy of progress.
  • Avoid proliferation of certification or accreditation schemes or guidelines. Leveraging those already in place should allow swifter implementation, broader adoption and further security enhancement. These include standards such as ISO 27001 “Information Security Management,” ISO 27036 Part 3 “ICT Supply Chain Security,” ISO 20243 “Mitigating Maliciously Tainted and Counterfeit Information & Communications Products,” and NIST SP 800-161 “Supply Chain Risk Management Practices” among others.


These foundational elements allow an enterprise (public or private) to build a flexible security architecture for the value chain. Layering physical and operational security with security technology and development can allow value chain members to effectively collaborate and drive comprehensive security. Inclusion of value chain security across the third-party ecosystem can serve to increase assurances of cybersecurity within the context of the broader security strategy programs of business and government alike.

In a connected world that demands a comprehensive approach to security, a public-private partnership is an essential element for our collective success. The Commission has completed its public hearings and is anticipated to make its recommendations to the President on December 1, 2016. Full statements of those invited to testify are available on the NIST site.

To learn more about Cisco’s Value Chain Security Program, visit http://www.cisco.com/c/en/us/about/trust-transparency-center/built-in-security/value-chain-security.html.

Join the National Cyber Security Month conversation on Twitter @CiscoSecurity #CyberAware.

Authors

Edna Conway

Chief Security Officer

Chief Security Officer, Global Value Chain

Another Halloween is upon us, and jack o’lanterns, ghosts, and diabolical clowns are springing up everywhere. October is also National Cybersecurity Month—another reminder that the world can be a frightening place, with sophisticated new attacks on a regular basis.

Source: Nationalcybersecurityinstitute.org

The 2016 Cisco Annual Security Report reports that the industrial sector has some of the lowest quality security infrastructure in use. Out on the factory floor, you may be working with a security Frankenstructure and aging industrial control systems that lack protection against modern threats. Clusters of machines can be islands of vulnerability, and opening up connections on the plant floor across more sites creates even more opportunities for something to creep in.

And the potential for problems continues to grow as more people, processes, and things get connected on the IoT. Gartner estimates that there will be over 20 billion connected things by 2020. More IoT connections mean more potential targets and vulnerabilities.

Ed Featherston’s article IoT and #Big Data – Who Owns All the Data? reminds us that it’s not easy to safeguard the massive flood of high-velocity data that passes through increasingly connected systems.

We recommend a set of approaches to keep your factory safe in the frightening world we live in:

  1. Create, educate, and enforce security policies
  2. Lock down your factory with defense-in-depth security
  3. Strengthen your first line of defense with physical security
  4. Control who is on the network with device profiling
  5. Use industry best practices, such as the ISA IEC 62443 standard, to set up zones and design schemas to segment and isolate your sub-systems
  6. Reduce Capex (and Opex) with remote security solutions
  7. Implement strong firewall and intrusion prevention, secure remote access (RA) solutions, and email and web security

Don’t be the victim that wanders out into the woods with a failing flashlight to investigate a weird noise. Start with a strategic approach that looks beyond securing devices and focuses on end-to-end security. This buyer’s guide can help you select a vendor to keep you and your factory safe from things that go bump in the night: Buyer’s Guide: 10 Questions to Ask Your Industrial Control Cybersecurity Vendor.

Creating an agile and secure platform helps you beat the fear factor and support growth and innovation. For more information, see how one manufacturer upgraded their security to block against thousands of threats daily.

Authors

Scot Wlodarczak

No Longer with Cisco