Channel: Symantec Connect - Blog Entries

Early Incident Detection using a Layer 8 Sensor Array


I have a calendar alert that goes off at 9:30 AM to “Reach out to Layer 8”, which is a little project I devised for myself. When the reminder fires, I open a file called “Friends.txt” that contains several people’s names, departments and phone numbers. I select a name from the list and give them a call. This is usually a quick chat. I try to keep the conversation below 15 minutes, and we generally discuss overlap in our roles or projects that we have in common or new projects that the other might not have visibility into. I end the call by saying something to the effect of “If you see anything weird, let me know”. This is how I know the status of my Layer 8 sensor array.

I am willing to say that you have these types of contacts in most of the departments in your organization and that you have worked security events with these contacts in the past. I would also say 15 minutes of chat time is nothing when compared to getting hours, if not days, of lead-time on a security event.

Lead-time is crucial to success and an actual human, who just happens to be fully versed in the standard functioning of whatever program/system/process they are assigned to, is the exact person you want to give you a heads up. We all have a series of consoles and reports that are run on regular intervals. This will give us information about what has happened, things from the past. It will also give information or alerts on things or events that are known. What about the unknown, the events which are not pre-defined? How would you go about finding out about these events?

You start by looking at “normal”.

The Network Operation team knows what the standard load is on our network segments. They know what the standard ports and protocols used by the majority of the applications are. They know where Core servers “live.” The SQL DBAs know where the SQL servers are as well. They also know what the transaction logs should look like and they know what instances are housed on each server and what Web servers they connect to. The Web folks know what systems are running what versions of IIS and what versions of Tomcat and Apache. You can see where this is going… They are perfectly versed in what normal looks like and they are perfectly placed to notice when something falls outside of normal.

“But shouldn’t these teams be reporting this information to you as part of your Incident Response Plan?” you ask. The answer is “Yes”. Yes they would, but how much time would be lost before that was the case? How much time would be spent troubleshooting the issue before an alarm is raised? Due-diligence by any team could include cycling services, re-applying patches or service packs. Replacing hardware is not unheard of. All of this takes time. A Layer 8 sensor call could only take a few minutes and your access to security/threat related intelligence is a resource that the other team may not have. You can, and most likely already do, even function as a Layer 8 sensor for them as well, letting them know about vulnerabilities or exploits; the type of information that you are versed in.

So, what is the status of your Layer 8 sensor array? I highly recommend putting one in place.


Enhancements to Policy Based Encryption


A number of enhancements to Policy Based Encryption for Email Security.cloud are now available to improve the ease of use and extend the capabilities of Policy Based Encryption. These enhancements are specific to each encryption service, either PBE-E or PBE-Z.

 

Policy Based Encryption E

  • Outlook Plugin Enhancements – Encrypting from within Outlook is streamlined, and senders now have the ability to set a one-time portal password that recipients can use to pick up their messages without creating an account.
                                       
  • Attempt TLS – When enabled, PBE-E will attempt to use TLS as the first choice to securely deliver messages with no extra effort required by the sender or recipient. If TLS is not supported by the third party recipient’s mail server, push or pull encryption will be used.
     
  • Pickup Portal Enhancements – The pickup portal user interface has been improved for faster navigation, message sorting, and advanced searching. Messages can now be exported to save locally in a variety of formats.

 

Policy Based Encryption Z

  • Encryption Reporting Portal – This new portal allows administrators to view and search for messages that have been encrypted. Administrators can see how a message was encrypted, if it was successfully delivered, and when. Data can also be exported for reporting.

 

Learn more about these features by reading the attached PDF documents.

 

NetBackup Appliances 2.6.0.3 is now available!


I’m extremely happy to announce that NetBackup Appliances 2.6.0.3 is now Generally Available!

NetBackup 2.6.0.3 is the latest update for NetBackup 52xx Appliances and the equivalent Appliance patch release to NetBackup 7.6.0.3.  It can be applied in an upgrade to Appliances running ANY 2.5.x or 2.6.0.x version.

This release includes all 336 fixes included in the NetBackup 7.6.0.3 release, including resolutions for most commonly downloaded EEBs, customer escalations, and critical internally found defects.

The 2.6.0.3 release also contains:

  • Built-in VLAN support
  • Active Directory CLISH configuration
  • Web console usability enhancements

To download 2.6.0.3, please visit the following page:

NetBackup Appliance 2.6.0.3 Release
 http://symantec.com/docs/TECH217250

To check to see if your particular Etrack is resolved in NetBackup Appliances 2.6.0.3, please refer to these Release Notes:

Symantec NetBackup 52xx Appliance Release Notes - Release 2.6.0.3
 http://symantec.com/docs/DOC7458

The documentation pack for this release can be found here:

Complete Symantec NetBackup 52xx Appliance Documentation Set - Release 2.6.0.2
 http://symantec.com/docs/DOC7465

The NetBackup Appliances Late Breaking News can be found here:

NetBackup 5xxx appliance series Late Breaking News
 http://symantec.com/docs/TECH145136

Bookmark the NetBackup Appliances Common Topics page to have these and many more useful links handy:

 http://go.symantec.com/nba

Finally, more information on this release can be found by accessing the NetBackup 7.6.0.3 release announcement, which is also available here on Connect:

 http://www.symantec.com/connect/blogs/netbackup-7603-netbackup-76-maintenance-release-3-now-available

Hacking as a Service: How Much Does it Cost to Hack an Account?

The Underground Economy, Pt. 4

How much does hiring an underground hacker cost these days? Symantec takes a closer look at Hacking as a Service (HaaS), and why the number of hackers has boomed in today's dynamic technology environment.

Win a $200 Amazon Gift Card by finishing the 3-minute survey!

Calling all storage management and business continuity folks to participate in the online influencer and user behavior survey

Calling all storage management and business continuity folks! Here’s your chance to win a $200 Amazon gift card by completing the survey at the link below to enter the drawing. The research survey is to study our users’ online information gathering behavior and should only take about 3-5 minutes to complete. All the qualifying participants* who finish the survey can enter the drawing and get the chance to win a US$200 Amazon gift card.

 

*Qualifying participants: Strategic or functional IT whose job responsibility is related to storage management, application, availability, and business continuity.

 

Please click the link below to begin the survey. Thank you.

http://svy.mk/1m76yFz

 

Note: The survey will close on August 7th 3pm (PST), please finish your response today!

 

 

Quick way to find documents and patches for NetBackup


For some people, it might be a little bit hard to find the documents and patches for NetBackup easily and efficiently. Here is a simple way to find them: just remember the Symantec official web site and a simple navigation link; that's all you need to do.

1. Visit the Symantec official web site: www.symantec.com, scroll down and click "Supported Products A-Z".

1.png

2. In the supported product list, choose the product you want. Scroll down and click "NetBackup Enterprise Server"

2.png

3. Now we've entered into NetBackup Enterprise Server Technical Support web. Here we can find the documents and files, as follows:

3.png

4. Click "Documentation", you'll navigate to the following location, where you'll find the admin guide for each release, and compatibility guide.

4-documents.png

5. Click "Download Files", you'll navigate to the following location, where you can download patch for each release.

4-patch.png

Hope this helps.

Thanks

 

Configure Flexible Storage Sharing using Veritas Operation Manager 6.1


Version 6.1 for VOM (Veritas Operation Manager) has been released recently. This new version brings management capabilities for Cluster File System and Flexible Storage Sharing (FSS) environments. In this blog entry I will highlight how to start using VOM to manage FSS and how to create a new volume.

Before being able to manage FSS it is necessary to upgrade the Managed Host (MH) version in the cluster nodes. The reason is that CFS 6.1 comes with a package that does not include the new capabilities from VOM in order to manage FSS. You can check your MH version by clicking on the Settings icon and then on Hosts. You should see the list of all Cluster Hosts managed through VOM. If the cluster is not currently added to VOM for management then you can click on Add Host and add the nodes. The MH Version column will show the Managed Host version. The cluster brings 6.0 version, but 6.1 is needed in order to be managed by VOM. In a freshly installed or upgraded cluster, the MH version will be 6.0.0.0.

fss1.png

Therefore, the first step to start enjoying the new features is to push MH 6.1 from the VOM server.

In order to push the new package (6.1) make sure that along with your VOM 6.1 deployment, the Managed Host package has been downloaded from http://www.symantec.com/operations-manager

fss2.png

At the VOM console, click on the Settings icon and then on Deployment. Click on Upload Solutions  and select the Veritas_Operations_Manager_Managed_Host_Bundle_6.1.0 that you had previously downloaded from the Symantec site. Once the bundle has been uploaded, click on Base Releases and you will see the vom-6.1.0.0-mh package. Clicking on Applicable Hosts I can clearly see my six nodes where I can install the new package. Select all the nodes pressing the Control key, right click and select Install.

fss19out.png

The Recent Task tab at the bottom can be used to monitor the deployment.

fss3.png

Once the tasks are completed, you can verify that the new MH version is now 6.1.0.0.

fss4.png

The first thing we notice at the new VOM version is that in the Server Perspective there is a new “Storage Clusters” folder. Any cluster that is using Cluster File System (CFS), Cluster Volume Manager (CVM) or Flexible Storage Sharing (FSS) will be grouped in this new folder.

fss5.png

Keep in mind that FSS Capable will only appear for CVM Protocol Version equal to or greater than 130. This is important for any cluster that has been upgraded. Until the CVM Protocol is updated to 130, the cluster will not be FSS capable.

Once we click on one specific Storage Cluster, we will be able to see a tab with the Hosts belonging to that cluster, Disks, the Shared Disk Groups, Volumes and Applications running on the cluster.

Selecting the Disk tab will provide a view of all the storage seen by each of the servers. From VOM we can now select one or various disks and Export them, so they will be visible by the other cluster nodes.

fss6.png

Once the disk has been exported, note that one new icon is being used to show a remote disk.

fss7.png

I can use the Control key to select all the disks I want and with one go make all the disks available to all the cluster nodes. When using FSS, it may be interesting to add the column FSS State to the normal display. On the Properties section for any disk, right click on FSS State and select Show as column.

fss8.png

Once I have exported all the disks for each node, I can go to any of the nodes and take a look at which disks are being seen. The FSS State column will show which ones are locally exported and which ones are remote.

fss9.png

From now on, I can select the disk that I want and create Disk Groups and Volumes. There are several ways to accomplish this. I could for example select all the disks I want using the Control key, right click and select Create Disk Group.

fss10.png

On the wizard I only need to type the Disk Group name:

fss11.png

Here I have an option to provide a Custom Name to each disk selected. I will use this option to provide a more meaningful name to each disk where the prefix with the node name is respected.

fss12.png

Once you are done, click on Next to complete the wizard. You can monitor the Task tab for completion:

fss13.png

The Shared Disk Group tab will show the new Disk Group that has been created:

fss14.png

I can then right click on the Disk Group and select Create Volume. This brings me to a wizard where I can manually select the disks to be used or let Volume Manager choose them for me.

I am going to manually select two disks from two different hosts in order to create a mirrored volume:

fss15.png

I will enable FastResync so if one server is rebooted or down, only the data modified during that period of time is resynchronized.

fss16.png

Finally I can create a File System on that volume. I will mount it as Cluster type in all the available nodes.

fss17.png

Finally I can see the new volume and mount point, and all the systems where the file system is mounted.

fss18.png

This completes this first entry about the exciting new capabilities provided by VOM. I am very excited to see how we are simplifying the configuration and management of shared nothing architectures, and even more excited to see what we will be bringing in the near future.

Building application and storage availability without SAN is becoming easier.

Carlos.-

Turning an Incident Response Plan into a Program


The term incident response means a lot of things to a lot of people. Historically, words like “unpleasant” or “chaotic” come to mind when thinking about the last time many organizations responded to the suspicion of a compromise by external attackers. Today, for most organizations incident response is a part of their security program but is still primarily a reactive premise centered on a plan or policy document that describes how they should handle such an event.

How do you ensure your incident response plan is optimized to handle the demands of an escalating threat landscape? Is a plan enough?

I recently spent some time talking with the Incident Response experts on my team, our partners, and about 80 customers in CISO roundtable events over the past few months. A clear answer surfaced.

An incident response plan is a key building block to success in cyber defense but you can’t stop there.  We must focus on turning our incident response plans into an Incident Response PROGRAM.

But what makes an Incident Response (IR) Program? How do you turn your plan into a program? Consider these recommendations:

  1. Dedicate Project Management Resources. An IR PM is responsible for coordinating all areas of the Incident Response process:

    1. The triage of incoming requests for assistance from the NOC, the Helpdesk, SIEM/MSSP alerts, SecOps, etc.

    2. Coordinating resources and planning

    3. Managing 3rd party vendor engagement and contracting when needed

    4. Driving completion of milestones outlined in your IR process

    5. Managing each incident within a Case Management tool

    6. Sending out status updates and Communications to internal stakeholders

    7. Documenting lessons learned and driving/tracking the learnings into implementation.

    8. Updating IR plans and policies based on new learnings from prior incidents

    9. Escalating changes to project scope or plan to the appropriate IT resource owners and business owners

    10. Proactively disseminating project information to all stakeholders

  2. Implement Case Management. A frightening 80% of CISO Roundtable participants responded they were not using any sort of case management tool. Case Management tools are a critical component of any IR program in order to manage workflows and customize IR processes, coordinate resources, prioritize activities, document and track incidents and activities, retain evidence for litigation purposes, and evaluate the success of an IR plan. Case Management can:

    1. Enable an organization to manage workflows

    2. Coordinate resources

    3. Prioritize activities

    4. Customize IR process to specific scenarios

    5. Document status and maintain a timeline of events

    6. Correlate across incidents, over time, to identify persistence campaigns

    7. Track evidence for litigation needs

    8. Evaluate performance of the IR plan over time

    9. Generate reports for auditors, law enforcement, and management

  3. Conduct and Maintain an Investigation Skills inventory. The heat of an incident is not the time you want to realize that you don’t have the skills you need. Will IR investigations in your environment require SCADA expertise? Mobile platforms? Embedded Systems? IoT devices? It’s highly recommended that you maintain an up-to-date skills assessment of your internal investigation team and place 3rd party vendors on retainer to cover the gaps.

  4. Purchase a Retainer. Consider putting a 3rd party vendor on retainer. This not only helps to back up your own teams in the case of a surge of activity, but can also provide expertise in the case of a data breach that is difficult to maintain internally, such as crisis communication and legal support.

  5. Create and Maintain Incident Playbooks. A playbook is a document with specific guidelines for given scenarios. A playbook defines specific steps to follow unique to DDoS, ATP, malware outbreaks, web server compromise, and so on.

  6. Understand Business Context of Systems and Applications. As part of an investigation, it may be required to take systems and applications offline for analysis. When investigating a system for potential compromise, considering the business impact and knowing what confidential data is known to be stored on, or passed through, the system is critical. Leverage Data Loss Prevention solutions to map out the important data flows in your organization.

  7. Cross-Organizational Buy-in. Success in IR often requires cross-functional buy-in from both IT owners of an array of systems and the business owner of the data in those systems. Don’t wait until an incident to engage key stakeholders and obtain their buy-in on how your IR plan would be implemented.

  8. Practice, practice, practice! Just like Disaster Recovery plans, IR plans need to be tested. This can be as simple as regular table top exercises or as thorough as use of “cyber range” solutions that simulate attack scenarios. 

  9. Create and Maintain an Incident Response Plan. Though we are discussing the need to evolve your plan into a program, this doesn’t mean to downplay the need for a plan. Plans define and document things like internal stakeholders, vendor and support contact lists required to ensure success of the program.

A plan is a key enabler but it’s ultimately a statement of intent. Success comes only in consistent execution of the plan in a way that’s orchestrated, measurable, repeatable, and optimized. Focus on turning your plan into a program. Though I have worked with some customers who have many of these recommendations implemented, I haven’t come across an organization yet with all of them. Most have very few of these in place.

Which one are you?

-----

Clint M. Sand is responsible for global service delivery of Symantec’s emerging cyber security services such as Incident Response. Read more posts by Clint on Symantec Connect and follow him on Twitter and LinkedIn to stay informed of new posts. Learn more about Symantec’s Incident Response service at go.symantec.com/incidentresponse.  


Alongside eBay, Adidas and NIKE, Symantec Joins 70+ Businesses in Oregon in a State-Wide Call to Action on Climate Change


Climate change has continued to become a central focus of business leaders worldwide.  The US Environmental Protection Agency (EPA) recently released its proposed new emissions target for power plants, calling on emissions reductions of 30% (from 2005 levels) by 2030. US President Obama emphasized the reality and importance of climate change in his State of the Union address. And a recent report Risky Business highlights climate change risks for businesses, as well as the costs faced if we continue with business as usual. The report, authored by Former U.S. Treasury Secretary and Goldman Sachs CEO Hank Paulson, former New York Mayor Michael Bloomberg and hedge-fund manager/philanthropist Thomas Steyer states “our findings show that, if we continue on our current path, many regions of the US face the prospect of serious economic effects from climate change.”

On July 15th, Symantec once again emphasized its commitment to combatting climate change and supporting climate change policy. Alongside over 70 businesses including eBay, Adidas, Moda Health, NIKE, and more, Symantec signed the Oregon Business Climate Declaration calling for state action on climate change.

The declaration states:

“There is a clear and present need for action on climate to protect our region’s natural assets, its vibrant communities and its growing economy. We business leaders of the Pacific Northwest endorse the Climate Declaration because we support using energy efficiently, investing in cleaner fuels, advancing renewable energy, and reducing greenhouse gas emissions.

Starting today, right here, the Pacific Northwest can lead the way. We can create a healthy climate and a strong, more resilient economy, by fostering innovation, advancing public health, spurring economic development through job creation and speeding technological advancement throughout our region.”

The declaration was highlighted by various media outlets including the Portland Business Journal in an article titled “Which Oregon companies have joined the latest fight against climate change?”.

At Symantec, we are convinced that a strong, international coalition of governments, businesses, and civil society organizations is required to effectively address climate challenges. We therefore encourage others to follow the lead of the Climate Declaration signatories and sign the Declaration – whether at the national and/or state level - to acknowledge the importance of climate change impacts on our business and society, and show your support for developing innovative solutions that protect our planet while enabling continued economic growth.

The Oregon Climate Declaration is a companion to the national Climate Declaration launched in 2013 by CERES and BICEP, and also supported by Symantec. To read more about our commitment to climate change visit this article highlighting the one-year anniversary of the national Climate Declaration, as well as our Corporate Responsibility Report that outlines our environmental strategy and approach to mitigating our impacts on climate change. 

 

Cecily Joseph is Symantec’s Vice President of Corporate Responsibility and Chief Diversity Officer.

July 2014: Most Popular Content in the Storage and Clustering Community


What Point Hotfixes are installed?


In my last post, I described the advances made with the cumulative hotfix installer and where you can find the related installation and versioning information on Enterprise Vault servers. This has prompted the question from a community member of ‘What about the old days, pre-CHFs, how do I find out what hotfixes were installed then?’

In earlier releases, hotfix installation was a manual effort by an administrator who would receive a set of binaries that needed changing on a server and instructions to back-up the corresponding files that were to be replaced, then physically overwrite those files with the new ones. As this was simply a copy / replace effort at the file system level, there are no corresponding registry changes or installation log files available on the server to later interrogate for hotfix details. Many companies would track server changes within their own change control workflow, but equally others may just edit and forget, so how can they identify the presence or not of such a point hotfix?

Well, you can still confirm what hotfixes are installed on Enterprise Vault servers prior to 10.0.4, but it is a less scientific approach that requires manual review of the File Version details of the binaries that make-up Enterprise Vault. Here is an example from a 9.0.2 system:

  • Check the regkey HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\KVS\Enterprise Vault\Install\Version to determine the build number of the current installed major version or service pack on this server, as this regkey does still exist in older versions

Install_regkey.jpg

For my 9.0.2 example, the build number of that release is 9.0.2.1061

  • Open the …\Enterprise Vault program directory in Windows Explorer
  • Add ‘File Version’ to the displayed columns, by right clicking on the column headers and selecting ‘More…’, then enabling the ‘File Version’ header

Add_FileVersion.jpg

  • Sort the folder contents by File Version, and scroll down to the end of the files listed with the major / service pack build number identified in Step 1. If any additional files are listed after this with a File Version of x.x.x.yyyy, then this indicates the presence of hotfixes on the server as they are files from a build that occurred after the major / service pack release

Sortby_FileVersion.jpg

So, in my 9.0.2 example above, there appear to be three different build binaries installed, which will usually correspond to three installed hotfixes – one file from build 9.0.2.1175, two files from 9.0.2.1180 and one from 9.0.2.1181

As I mentioned though, this is not a particularly scientific approach for a number of reasons. Firstly, the Enterprise Vault program directory will contain a number of files that do not fit the standard build number File Version pattern, as:

  1. Our full build number versioning is only applied to EXEs and DLLs that we produce; there will be many other file types (such as *.config, *.sql, *.txt etc) with no File Version to differentiate on
  2. The directory will also contain some interop DLLs with a File Version of x.x.x.0 that does not include the actual specific build number, e.g. 9.0.2.0, so if new versions of these files were distributed in a hotfix, they will also not appear with a different File Version
  3. There are other third party libraries that we use also present which will have their own versioning standards

In addition to this, some Enterprise Vault and third party binaries reside in sub directories of the primary program folder and could also have been changed by a point hotfix.

To cater for these scenarios, there is an additional check that can be made on your server:

  • Check the regkey HKEY_LOCAL_MACHINE\SOFTWARE\KVS\Enterprise Vault\Install\InstallationDate (for 32 bit installs) or HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\KVS\Enterprise Vault\Install\InstallationDate (for 64 bit installs) to determine when the current major version or service pack was installed on this server
  • Open the …\Enterprise Vault program directory in Windows Explorer
  • In the Search box in Windows Explorer, enter the following criteria
datemodified:>InstallationDate AND kind:-Folder AND Name:-*.txt AND Name:-*.log AND Name:-*.InstallLog AND Name:-*.InstallState AND Name:-Vault.msc AND Name:-EvAzStore_Svc.xml

where InstallationDate is the mm/dd/yyyy hh:nn:ss representation of the value in the registry

These search criteria should return all files in the Enterprise Vault program directory and its sub directories that have been modified after the major version / service pack was installed, but filter out any folders, text files, log files, the VAC msc and EV authorization store which all regularly get updated during normal EV processing. So, in short, these criteria will hopefully provide a different, but corresponding, view on binary files that have been changed since installation, most likely due to a hotfix deployment, including any files that have changed in sub directories as well.

In my 9.0.2 example, this search returned the following results:

search_updated_files.jpg

The results revealed a number of additional file changes in the Converters sub directory to third party libraries, which looking at their ‘Date Modified’ appear to have been deployed at the same time as the change to install the 9.0.2.1175 version of EVConverterSandbox.exe, so most likely were a part of that specific hotfix.

With the two methods above then, you can get a clear view of what has changed on your EV server since the original installation of the major / service pack version, and from that, determine the build number of any new binaries which will correspond to point or even cumulative hotfix installations. That may well be enough if you are simply trying to compare the installation state of two servers and confirm if both have the same hotfixes installed.
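
Both checks can be scripted so the result is repeatable across servers. The PowerShell below is an added example, not part of the original post or any Symantec tooling; the -ProgramDir and -InstalledAt parameters are names chosen here, and it assumes the Version and InstallationDate registry values parse as a four-part build number and a date. It goes slightly beyond the first method by also checking File Versions in sub directories.

```powershell
# Added example (not Symantec code): lists Enterprise Vault files that look like
# point-hotfix replacements, using the two checks described in the post.
param(
    # Assumption: full path of the Enterprise Vault program directory (elided in the post).
    [Parameter(Mandatory = $true)] [string] $ProgramDir,
    # Optional override for when the registry InstallationDate cannot be parsed.
    [datetime] $InstalledAt
)

# Install keys named in the post: Wow6432Node for 64 bit installs, native for 32 bit.
$installKey = @(
    'HKLM:\SOFTWARE\Wow6432Node\KVS\Enterprise Vault\Install',
    'HKLM:\SOFTWARE\KVS\Enterprise Vault\Install'
) | Where-Object { Test-Path -LiteralPath $_ } | Select-Object -First 1
if (-not $installKey) { throw 'Enterprise Vault Install registry key not found.' }
$install = Get-ItemProperty -LiteralPath $installKey

# Assumption: the Version value is a four-part build string such as 9.0.2.1061.
$baseline = [version]$install.Version

if (-not $PSBoundParameters.ContainsKey('InstalledAt')) {
    # Assumption: the stored InstallationDate parses as a date in the current culture.
    try { $InstalledAt = [datetime]::Parse([string]$install.InstallationDate) }
    catch { throw "Cannot parse InstallationDate '$($install.InstallationDate)'; pass -InstalledAt." }
}

# Files the post filters out because normal EV processing rewrites them.
$noise = '*.txt', '*.log', '*.InstallLog', '*.InstallState', 'Vault.msc', 'EvAzStore_Svc.xml'

$findings = foreach ($file in Get-ChildItem -LiteralPath $ProgramDir -Recurse -File) {
    # Build a comparable version from the numeric parts; files with no version
    # resource (config, sql, text) come out as 0.0.0.0.
    $vi = $file.VersionInfo
    $fileVersion = New-Object System.Version -ArgumentList `
        $vi.FileMajorPart, $vi.FileMinorPart, $vi.FileBuildPart, $vi.FilePrivatePart

    # Check 1: same major / service pack release, but a later build than the baseline.
    # Interop DLLs (x.x.x.0) and third party libraries never match this pattern.
    $laterBuild = $fileVersion.Major -eq $baseline.Major -and
                  $fileVersion.Minor -eq $baseline.Minor -and
                  $fileVersion.Build -eq $baseline.Build -and
                  $fileVersion.Revision -gt $baseline.Revision

    # Check 2: modified after the release was installed, ignoring the noisy files.
    # This is what catches interop DLLs, third party libraries and unversioned files.
    $isNoise = [bool]($noise | Where-Object { $file.Name -like $_ })
    $changedSinceInstall = ($file.LastWriteTime -gt $InstalledAt) -and -not $isNoise

    if ($laterBuild -or $changedSinceInstall) {
        [pscustomobject]@{
            Path                = $file.FullName
            FileVersion         = $fileVersion
            LastWriteTime       = $file.LastWriteTime
            LaterBuild          = $laterBuild
            ChangedSinceInstall = $changedSinceInstall
        }
    }
}

# Emit objects (not formatted text) so the result can be exported or compared.
$findings | Sort-Object LastWriteTime, Path
```

Piping the output to Export-Csv on each server gives two files that can be compared to confirm whether both servers carry the same hotfixes.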

However, in the case of point hotfixes where you have no registry keys or installation files to correlate results with, the final piece of this ‘science’ project that may be necessary is to relate the new binaries and their build number to the original point hotfix package itself, just in case you need to get it again. On this front a simple google search on ‘BinaryName AND “BuildNumber”’ should suffice. For example:

google_hotfix1.jpg

quickly gets me to the original source for the point hotfix, and confirmation that this hotfix did indeed include an update to EVConverterSandbox.exe and a number of third party files in the Converters folder. And if google does not provide the answer, our Support team no doubt can. 

So, I hope that helps you understand the binary configuration of your Enterprise Vault servers and, if the need arises, how to determine a server’s hotfix state. It is a somewhat painful process, I know, and one of the reasons for introducing the cumulative hotfix installer in 10.0.4 was to ensure that hotfix distribution and identification could be a more automated, transparent and auditable process moving forward, so we encourage all of our customers to try and upgrade to the latest versions as soon as possible to benefit from such product enhancements.

Risks Lurking in the Quantified Self: Tracking, Monitoring, and Wearable Technology


Users of self-tracking generate countless pieces of personal information through apps and devices. Is this data protected from the risk of leakage?

Asprox URLViewer delivers porn adverts

1.2 billion stolen login details put a spotlight on the broken password system


Russian cybercrime group stole user names and passwords from 420,000 sites. Perhaps it’s time to move on from the password.

1.2 Billion Stolen Credentials Call the Password System into Question


A group of Russian cybercriminals stole user names and passwords from 420,000 sites. Perhaps it is time to stop using passwords.


Beyond the Nigerian Prince: Modern 419 Scams

The Underground Economy, Pt. 5

Email scams that prey on people's sympathies are often called "419 Scams", and have continued to be an easy and inexpensive way for cyber criminals to make money. We take a deeper dive into the social engineering of these scams, and give advice on how to fight back.

Hacking for Bitcoins

The Underground Economy, Pt. 6

While Bitcoins have been a popular cryptocurrency used to protect user identity in various transactions, hackers have found ways to exploit it, through mining (laundering), ransomware and theft. We look at how cyber criminals are using this digital currency to get rich.

AllSeen and All-Embracing Alliance for Symantec


Symantec is now a Community Member of the AllSeen Alliance open source consortium, a collective effort to address fundamental use cases, in order to hasten the adoption and availability of the Internet of Things.

Epidigitalogy: Digital Disease Control

Continuously Surveying for Digital Diseases.

In today's threat landscape we stand to learn from 160 years of disease research to better prepare our security professionals to discover and prevent digital diseases. In this multipart blog, I propose some ideas from the field of epidemiology and how they can be applied to the security realm.

Espionage Tool Targets Governments and Diplomats: Turla
