XYPRO Engineering Team Building – doing the Robot!
February 27 2014
As part of our annual corporate kick-off event, this year the entire engineering team took part in a full-day team building exercise. Taking over all the available space at our Simi Valley headquarters, we were split up into color-coded groups, each of which included members of different parts of the engineering team. Armed with a Lego Mindstorms EV3 kit, each group was presented with a series of tasks (requirements), which consisted of pre-constructed courses on which the robots needed to navigate a maze and move obstacles around the course. The challenge? Design and build a robot that would be able to complete the tasks by the end of the day.
Structured roughly along the lines of our Software Development Life Cycle (SDLC), time was allocated for requirements definition, project planning, design, development and unit testing, QA testing, and deployment.
Things got off to an energetic start, with each team doing a good job of dealing with 600+ Lego pieces, learning the software used to program the robots, and planning out the approach. Would some teams jump straight into robot building, with others spending more time documenting requirements and planning? Each team allocated their tasks well so everyone was kept busy, but what role would planning things out early play? Would those who made that early effort see a payoff later in the day…?
As the day progressed, some very different approaches were becoming apparent, and the teams were realizing that completing all three challenges was going to be difficult, if not impossible. The teams naturally started with challenge #1, which wasn’t necessarily the easiest. Some gentle “guidance” by the mentors to evaluate all the challenges and focus on the easiest one first proved helpful, and soon each team was making solid progress on that challenge.
With 90 minutes to go before “deployment”, each team was given some time to QA their robots on the actual challenge courses. Some teams’ robots completed the challenge on the first try, others needed tweaking, but all had something ready to attempt the challenges. Each team returned to their workshops to complete final tweaks before deployment.
The moment of truth, the “Deployment Phase.” Each team must now present their robot, outline the approach they took to the challenges, and detail what worked (and what didn’t!). Scores were based on how well they worked together as a team, how well they presented their solution, and of course, how well their robots completed the challenges.
Each team gave an entertaining and informative presentation describing their efforts during the day, the approach they’d taken, and the robot they’d designed. Some of the teams that jumped straight into building their robots found that some more time on initial design would’ve been helpful. Each team presented a robot that was able to complete at least one of the challenges, and as such, all should be very proud of their efforts.
This exercise reinforced the importance of planning, particularly when confronted with such a daunting task (600+ pieces! Understanding requirements!!! A new programming environment!! Difficult challenges!!! Ridiculously short timeframes!!!). It also reminded us of the value of working together as a team, which really was the main point.
At the end of the day, the Blue team (or “Team Teal” as they renamed themselves) won, narrowly defeating the Yellow team by only one point! Congratulations to all the teams, on what was a fun and very constructive day. Bring on Kick-Off Challenge 2015!
DBIR 2013 Blog Part III – What does this all mean to me?
December 24 2013
In this blog series, we’ve been discussing the 2013 Verizon DBIR, which includes the following facts:
- 621 confirmed data breaches studied in detail
- 19 contributors, including government agencies, private security organizations and consulting companies
- 44 million records compromised
- The largest and most comprehensive data breach study performed each year
- 75% of attacks were opportunistic (not targeted at a specific individual or company), with the majority of those financially motivated
- 37% of breaches affected financial institutions
In the most recent blog entry of this series we covered some key observations from the report. In this blog we’ll look at what those observations mean to HP NonStop server users, and draw some final conclusions. Note that the full report is available here: http://www.verizonenterprise.com/DBIR/2013/
Key observations from the last blog, with their relevance for NonStop users:
Most Attacks Still Use Basic Techniques
The vast majority of attacks exploited weak or stolen credentials, and were considered “low” or “very low” in difficulty (on the VERIS scale which Verizon uses to categorize breaches).
NonStop relevance: Protect “the basics”: implement strong user authentication; implement (and enforce) password management processes; enforce a policy of minimum required access; ensure there are no shared accounts (especially SUPER); and keep track of all privileged user activity with keystroke logging. These relatively simple steps will ensure that the types of attacks that Verizon observed in over 70% of cases will fail.
14% of breaches were insider attacks
The majority of insiders committing sabotage were former employees using old accounts or backdoors not disabled, and the vast majority of IP theft cases committed by internal people took place within 30 days of announcing their resignation.
NonStop relevance: Ensure your NonStop user provisioning is integrated with your Enterprise Identity Management system, if you have one; that way, as users are decommissioned at the enterprise level, they’re also decommissioned on the NonStop. Integrate your NonStop with a Security Information and Event Management (SIEM) solution, so that any suspicious activity can be viewed at an enterprise level and may be clearer as a result. The “basic” protections above also apply here.
Data at rest is most at risk
66% of breaches involved data at rest in databases and file servers (the rest involved data being processed when it was accessed).
NonStop relevance: Protect your data at rest with encryption or tokenization. Note that Volume Level Encryption (VLE) doesn’t really provide the requisite level of protection: once a user is signed on to the NonStop, their access is governed by standard Guardian/Safeguard rules and the “encryption” is transparent to them. VLE is really best used to protect entire disks from theft.
Types of attack vary depending on industry and region
37% of breaches affected financial institutions, and banks are often subjected to ATM skimming.
NonStop relevance: As many NonStop users are banks or other financial institutions, the findings in this report are particularly relevant. The recommendations should be carefully studied and applied where it makes sense in customers’ environments.
Spotting a breach isn’t always easy, or quick
66% of breaches in the report took months, or even years, to discover. 69% of breaches were spotted by an external party, with 9% being spotted by customers!
NonStop relevance: This is where using a SIEM gives some real benefits. By aggregating all security events across the enterprise and presenting them in a normalized fashion, it can be a lot easier to notice anomalies. It’s critical for NonStop users to gather all NonStop-based security events and forward them to the enterprise SIEM, if one is present, to ensure that any clues from the NonStop regarding a possible breach are included in the analysis.
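The insider and SIEM points above come together when forwarded NonStop logon events are cross-checked against the enterprise leaver list and the shared-account policy. The following is an added example, not XYPRO code or a real NonStop or SIEM format: the pipe-delimited event layout, the user names and the terminal names are constructed, and a real deployment would read the normalized events the SIEM already holds.

```python
"""Flag NonStop logons by decommissioned users and shared-account use."""
from collections import defaultdict
from datetime import datetime

# Constructed sample: normalized NonStop logon events as a SIEM might hold them
# after forwarding. Layout (constructed): timestamp|GROUP.USER|terminal|result
SAMPLE_EVENTS = """\
2013-12-20T08:01:10|PAYROLL.JSMITH|$ZTN0.#PTY0012|OK
2013-12-20T08:05:42|SUPER.SUPER|$ZTN0.#PTY0031|OK
2013-12-20T08:06:03|OPS.ABROWN|$ZTN0.#PTY0007|OK
2013-12-20T09:12:55|SUPER.SUPER|$ZTN0.#PTY0044|OK
2013-12-20T10:30:00|DEV.MGREEN|$ZTN0.#PTY0019|FAILED
"""

# Constructed: users decommissioned in the enterprise identity system, keyed by
# NonStop user name, with the date the account should have been disabled.
LEAVERS = {"PAYROLL.JSMITH": "2013-11-30"}
# Accounts that policy says must not be shared (the SUPER group in particular).
SHARED_ACCOUNTS = {"SUPER.SUPER"}


def parse_events(text):
    """Parse the constructed pipe-delimited layout into dicts."""
    events = []
    for line in text.strip().splitlines():
        ts, user, terminal, result = line.split("|")
        events.append({"ts": datetime.fromisoformat(ts), "user": user,
                       "terminal": terminal, "result": result})
    return events


def find_findings(events, leavers=LEAVERS, shared=SHARED_ACCOUNTS):
    """Return (finding_type, user, detail) tuples for successful logons only."""
    findings = []
    terminals_by_user = defaultdict(set)
    for e in events:
        if e["result"] != "OK":
            continue  # failed logons are handled by separate lockout alerting
        disabled_on = leavers.get(e["user"])
        if disabled_on and e["ts"].date() > datetime.fromisoformat(disabled_on).date():
            # Account still works after the enterprise decommission date.
            findings.append(("LEAVER_LOGON", e["user"], e["terminal"]))
        if e["user"] in shared:
            terminals_by_user[e["user"]].add(e["terminal"])
    for user, terms in terminals_by_user.items():
        if len(terms) > 1:
            # One privileged account used from several terminals is a sign of sharing.
            findings.append(("SHARED_ACCOUNT_MULTI_TERMINAL", user, ",".join(sorted(terms))))
    return findings
```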
As you can see, and as we’ve mentioned in earlier blogs, looking after the security fundamentals is probably the best “bang for your buck” in terms of securing your critical NonStop-based applications and their data. To further underscore this, the PCI DSS v3.0 standard has just been published, and it includes an increased focus on the basics, as hinted at in earlier PCI announcements.
Back In Training – NonStop Technical Bootcamp 2013
December 02 2013
XYPRO has just returned from a very exciting few days in San Jose, attending the second annual NonStop Technical Bootcamp. The event was held at the San Jose Doubletree hotel, as it was last year, although this year the venue was bursting at the seams! It turns out that, whilst the number of vendors and HP representatives was roughly the same as last year, user attendance was up over 200% from last year – a sure sign that the event is going from strength to strength. The majority of new user attendees this year came from the Asia-Pacific/Japan region, but there were attendees from Russia, Japan, Taiwan, Israel, UAE, South Africa, Brazil and more.
There had been rumours of a big announcement coming from HP at this year’s event, and the opening general session was packed, in spite of the Beer Bust the night before (which itself is becoming quite a tradition, and a great way to kick off the week). Randy Meyer, in his new role as VP and General Manager of Integrity Servers, jumped pretty quickly to the big news: that HP has committed to bringing the NonStop to x86 (Intel Xeon) processors. This is A BIG DEAL because, as summarised in many other articles, it removes any possible perception of HP’s lack of commitment to the platform, and any FUD (Fear, Uncertainty, Doubt) around the future of the Itanium processor. For the time being, NonStop will be available with both types of processor, and at some point (one presumes) the Xeon-based line will replace the Itanium one.
At XYPRO, we’re very excited about this announcement, for the same reasons that everyone else is. We’re also looking forward to the project to port our software to this new platform, which, from everything we’ve heard, should be a relatively straightforward exercise.
Both of the main conference days were very busy, with excellent content in the presentations and great traffic past the exhibitor booths – indeed, at times things got pretty crowded in the high traffic areas. There was a rumour going around that next year the event will be in a bigger venue, which will be great.
We took the opportunity to meet one on one with many of our customers – these sessions are always great for getting product feedback, discussing possible enhancements and product direction, and just generally catching up with friendly faces. If for some reason we missed catching up with you, and there’s anything you need to discuss with us, please get in contact with me, or your XYPRO Sales representative, and we’ll line something up.
As the name “Technical Bootcamp” implies, this conference had a major focus on training, and on Sunday XYPRO provided 8 hours of pre-conference training on key NonStop security topics. In the first 4-hour session, “Make the Most of your NonStop Security Bundle”, XYPRO’s Dave Teal explained the fundamentals of Audit and Authentication and all the benefits of the advanced security software included with the OS on HP NonStop servers. Dave described how to easily install, configure, implement and use these valuable solutions and help streamline security audits to meet compliance regulations. In the second 4-hour session, “Everything You Need to Know for PCI Compliance on HP NonStop”, XYPRO’s Rob Lesan went through the whys and hows of meeting and exceeding PCI compliance regulations easily and efficiently while keeping the whole process simple and non-intrusive. Both sessions were jam-packed with NonStop technical experts looking to increase their security knowledge.
XYPRO presented on both the Monday and the Tuesday. Monday’s presentation, “Industry-standard, enterprise-wide Voltage Encryption and Tokenization – no code changes required!” was done in conjunction with Voltage, and was an overview of XYPRO’s new XYGATE Data Protection (XDP) product and Voltage’s SecureData. XDP utilizes intercept technology to seamlessly allow NonStop applications to encrypt or tokenize sensitive data using Voltage’s SecureData product, without any application code changes. Tuesday’s presentation was with another XYPRO partner, NetAuthority, and covered “Stronger User Security with Advances in Multi-Factor Authentication”. The session discussed the growing threat of cybercrime, the various multi-factor authentication solutions that have been deployed to protect online and mobile users, and new technologies like NetAuthority’s DeviceLink product which provides two-factor authentication without the overhead of hardware tokens, one time passwords, or other intrusive technologies. Both presentations were well attended, and had some great Q&A activity at the end (or in the exhibit area after the session).
Visit the Connect website for additional info on the XYPRO presentations and other Bootcamp sessions. The NonStop Innovations blog also has a lot of the bootcamp presentations along with interviews with a number of vendors, so check that out at http://www.nuwave-tech.com/hp-nonstop-innovations.
On Monday evening XYPRO hosted a dinner celebrating their 30th Anniversary. This event was held at The Table, in San Jose, and saw about 65 of XYPRO’s customers, partners and employees getting together to enjoy some fantastic food, great service, and one or two adult beverages in a casual environment.
Once again, a fantastic event, and we’re looking forward to being “Back in Training” in November, next year – hope to see you there!