Gregg McCall

Many organizations today are not equipped to defend against traditional cyberattacks, as demonstrated by the ever-increasing number of successful breaches reported daily. The Privacy Rights Clearinghouse’s latest count is 900,875,242 records breached in 5,165 attacks over the past decade, and that is U.S. only.

Even the largest companies appear to be less equipped to deal with more sophisticated cyberattacks, like the latest IoT-based Mirai DDoS attack or the attacks detected months or years after the initial breach, such as the Yahoo and Dropbox attacks.

Inundated by alerts, analysts lack the automated and intelligence-driven processes to home in on attacks across the kill chain, and breaches go undetected far too long. To address this fundamental mismatch, organizations need a new perspective on the way they detect and respond to attacks.

Like police investigations in the real world, every cyber investigation starts with a lead upon which a hypothesis is built. As more evidence is gathered in the field, the case continues to build until investigators can confirm or refute the direction of the investigation. This process is iterative until a conclusion is reached, and it must be thoroughly documented for future reference. This same process needs to be followed when investigating a cyberattack.

Organizations can improve their detection, investigation and response processes and enable analysts to home in on and stop cyberattacks more efficiently with these simple steps.

Automate where it hurts the most

To really make a difference, saving time and resources, you need to automate the time-consuming analysis and investigation stages and not just the response. By automating the collection and analysis of leads across your security infrastructure, you can reduce the number of alerts and confirm real incidents worthy of investigation. Not only will this alleviate alert overload, it sharpens the skill set of less experienced analysts and frees senior analysts to let them focus on the complex, sophisticated attacks where human judgment is required.

Document everything to show the evidence and the rationale

Documentation is essential to presenting the chronology and context of an event, including situational and environmental information, such as initial findings, areas affected and evidence to support the incident storyline. Particularly in automated investigations using machine-based analysis, it is critical to document what decisions were made during the investigation process and why. Visualization tools create representative pictures that “connect the dots,” ensuring that analysts get a complete picture without missing critical details.

This information is important when a complex incident is handed off for manual investigation as well as scenarios where an investigation is passed from one analyst to another. With all evidence fully documented, security teams are better equipped to make decisions, conduct shift handover, and create managerial reports.

Combine the strengths of humans and machines

Machine-based analysis is essential for productivity and allowing professionals to focus their skills on the more complex tasks where human experience and intuition is needed. Machines can be built to simulate the way humans investigate – automatically take a lead and confirm or refute it by gathering intelligence from multiple sensors. Once the machine has collected all the relevant pieces of evidence and automatically pieced them together into an incident, humans can use their judgment to add new leads and evidence to the incident. In a continuous, self-learning process, this new evidence can be fed back into the machine, which applies it to past and future analyses to improve threat detection.

Collect the right information

Savvy attackers use multiple methods and vectors – such as malware, phishing and social engineering – to reach their targets. They study your network topology and find the weak points in your defenses. To address this challenge, your security coverage needs to consider multiple elements including network topology, attack chain and IT assets. Whether your organization has one central site or multiple campuses, you need visibility into traffic coming into each site and among sites using a variety of attack vectors.

In terms of the attack chain, it’s becoming increasingly difficult to detect attacks at the perimeter due to the many ways in. Therefore, you need to be able to identify and verify indicators of compromise across the attack chain through detection of lateral movement and command and control communications. Your IT assets, such as endpoints, servers and files, should also be protected using endpoint analytics and forensics.

Create unified workflows and a seamless investigation workspace

Once all the evidence has been gathered from multiple sensors across your network, it needs to be brought together and presented to the investigator in a coherent and logical manner designed for attack representation. Unified workflows and a single workspace enable analysts to access information from every sensor and perform network and endpoint forensics as needed to build the attack story.

Use machines to model how attackers operate and simulate the way analysts investigate

The key to boosting the efficiency of cyber analysts is to provide them with better insight into raw data to simplify the decision-making process. Start by modeling an attack – the attack surface, the attack components, steps, methods, technology – and how all those might be linked into an attack operation. Then focus on the human investigation workflow so you can mimic it properly and scale it up with accuracy. For example, how to dissect leads into individual pieces of forensic information that can be fused, correlated, triaged and connected into an incident view or how to decide which forensic query option is the best next step at each point in the investigation flow. Then you need to figure out how to interpret and apply the results.
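The lead-confirmation loop described under “Automate where it hurts the most”, “Combine the strengths of humans and machines” and this section, as an added example that is not from the article: a small triage engine over constructed telemetry from three sensors (IDS, web proxy, endpoint agent). Host names, destinations, rule numbers and the two-source confirmation threshold are assumptions made for the example. It takes each IDS lead, pulls every event for that host inside a time window, applies confirm/refute checks, records a timestamped rationale for every decision, hands off to a human only when the evidence is inconclusive, and lets an analyst’s confirmed indicator feed back so that re-running the analysis reclassifies the lead.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass
class Event:
    sensor: str      # "ids", "proxy" or "endpoint"
    ts: datetime
    host: str
    kind: str        # sensor-specific event type
    detail: dict


T0 = datetime(2016, 11, 20, 9, 0, 0)

# Constructed telemetry from three sensors (sample data made up for this example).
TELEMETRY = [
    Event("ids", T0, "ws-042", "c2_beacon", {"dst": "198.51.100.7", "sid": 2001}),
    Event("proxy", T0 - timedelta(minutes=1), "ws-042", "http_connect", {"dst": "198.51.100.7"}),
    Event("endpoint", T0 - timedelta(minutes=3), "ws-042", "process_start",
          {"parent": "WINWORD.EXE", "image": "powershell.exe"}),
    Event("endpoint", T0 - timedelta(minutes=4), "ws-042", "file_write",
          {"path": "C:\\Users\\a\\Downloads\\invoice.docm"}),
    Event("ids", T0 + timedelta(minutes=5), "ws-017", "c2_beacon", {"dst": "203.0.113.9", "sid": 2001}),
    Event("proxy", T0 + timedelta(minutes=4), "ws-017", "http_connect", {"dst": "203.0.113.9"}),
    Event("ids", T0 + timedelta(minutes=9), "ws-101", "c2_beacon", {"dst": "192.0.2.50", "sid": 2001}),
]

# Analyst-maintained intelligence: the automation consults it and analyst feedback updates it.
KNOWN_GOOD_DST = {"192.0.2.50"}   # e.g. an internal update server that trips the beacon rule
KNOWN_BAD_DST = set()

WINDOW = timedelta(minutes=10)
OFFICE_PARENTS = {"WINWORD.EXE", "EXCEL.EXE", "POWERPNT.EXE"}
SCRIPT_HOSTS = {"powershell.exe", "cmd.exe", "wscript.exe", "mshta.exe"}


def related_events(lead, telemetry):
    """Every event from every sensor for the lead's host inside the time window."""
    return [e for e in telemetry
            if e is not lead and e.host == lead.host and abs(e.ts - lead.ts) <= WINDOW]


def investigate(lead, telemetry):
    """Confirm or refute one IDS lead with evidence from the other sensors.

    The returned incident carries a 'rationale' list documenting each decision,
    so an analyst picking up the case later can see why the machine concluded what it did.
    """
    dst = lead.detail.get("dst")
    incident = {"lead": lead, "host": lead.host, "evidence": [lead],
                "corroborating_sensors": set(), "rationale": [], "verdict": None}

    def note(text):
        incident["rationale"].append(f"{lead.ts:%H:%M:%S} {lead.host}: {text}")

    if dst in KNOWN_GOOD_DST:
        note(f"destination {dst} is on the known-good list; lead refuted")
        incident["verdict"] = "refuted"
        return incident
    if dst in KNOWN_BAD_DST:
        note(f"destination {dst} is a known-bad indicator from analyst feedback")
        incident["corroborating_sensors"].add("intel")

    for e in related_events(lead, telemetry):
        if e.sensor == "proxy" and e.kind == "http_connect" and e.detail.get("dst") == dst:
            incident["evidence"].append(e)
            incident["corroborating_sensors"].add("proxy")
            note(f"proxy logged a connection to {dst} at {e.ts:%H:%M:%S}")
        elif (e.sensor == "endpoint" and e.kind == "process_start"
              and e.detail.get("parent") in OFFICE_PARENTS
              and e.detail.get("image") in SCRIPT_HOSTS):
            incident["evidence"].append(e)
            incident["corroborating_sensors"].add("endpoint")
            note(f"{e.detail['parent']} spawned {e.detail['image']} at {e.ts:%H:%M:%S}")
        elif (e.sensor == "endpoint" and e.kind == "file_write"
              and e.detail.get("path", "").lower().endswith((".docm", ".xlsm"))):
            incident["evidence"].append(e)
            incident["corroborating_sensors"].add("endpoint")
            note(f"macro-enabled document written: {e.detail['path']}")

    n = len(incident["corroborating_sensors"])
    if n >= 2:                       # assumed threshold: two independent sources confirm a lead
        incident["verdict"] = "confirmed"
        note(f"{n} independent sources corroborate the lead; incident confirmed")
    elif n == 1:
        incident["verdict"] = "needs_analyst"
        note("only one corroborating source; handing off for human judgment")
    else:
        incident["verdict"] = "unconfirmed"
        note("no corroborating evidence found in the window")
    return incident


def analyst_feedback(indicator):
    """Feed an analyst's confirmed indicator back so re-runs and future analyses use it."""
    KNOWN_BAD_DST.add(indicator)


def triage(telemetry):
    """Run every IDS lead through the automated investigation; returns {host: verdict}."""
    leads = [e for e in telemetry if e.sensor == "ids"]
    return {lead.host: investigate(lead, telemetry)["verdict"] for lead in leads}


if __name__ == "__main__":
    print(triage(TELEMETRY))          # ws-042 confirmed, ws-017 needs_analyst, ws-101 refuted
    analyst_feedback("203.0.113.9")   # analyst confirms the ws-017 destination is hostile
    print(triage(TELEMETRY))          # ws-017 is now confirmed as well
    for line in investigate(TELEMETRY[0], TELEMETRY)["rationale"]:
        print(line)
```

The rationale list is the documentation the article asks for: it survives a shift handover unchanged, and a senior analyst only sees the cases the machine could not settle on its own.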

Holistically applying these principles to design, implementation, data modeling, APIs, user interfaces and other components will result in a purpose-built, mission-centric defense system that makes your analysts more effective and productive.

The time has come for a new approach to cyber defense – let the automated system do the heavy lifting, and then empower your analysts to use their intuition and experience to stop the attacks in their tracks.


Help Net Security

LibTIFF CVE-2016-5652 Heap Buffer Overflow Vulnerability

Bugtraq ID: 93902
Class: Boundary Condition Error
CVE: CVE-2016-5652
Remote: Yes
Local: No
Published: Oct 25 2016 12:00AM
Updated: Nov 20 2016 01:03AM
Credit: Tyler Bohan of Cisco Talos.
Vulnerable: LibTIFF 4.0.6
Not Vulnerable:


SecurityFocus Vulnerabilities

HDF5 CVE-2016-4333 Local Heap Buffer Overflow Vulnerability

Bugtraq ID: 94416
Class: Unknown
CVE: CVE-2016-4333
Remote: No
Local: Yes
Published: Nov 17 2016 12:00AM
Updated: Nov 20 2016 12:12AM
Credit: Cisco Talos.
Vulnerable: HDF5 1.8.16
Not Vulnerable:


SecurityFocus Vulnerabilities

TalkTalk has unveiled a healthy jump in post-tax profits on the same day a 17-year-old boy pleaded guilty to hacking the British telco.

This morning the teenager, who because of his age cannot be named, pleaded guilty at Norwich Youth Court to seven charges under the Computer Misuse Act.

He will be sentenced on 13 December, according to Sky News.

The youth was arrested in November last year by detectives from the Metropolitan Police's Cyber Crime Unit, who obtained a search warrant for his Norwich home.

Meanwhile, TalkTalk boasted that its profits jumped by £22m in the first half of this financial year, up from £11m in the six months ending September 2015 to £33m in the same period this year.

The jump in profits came in spite of the telco shedding 30,000 fixed-line broadband customers between the first half of fiscal year 2016 and H1 FY2017 as it enjoyed a net rise of 94,000 mobile subscribers, giving it a combined total of 4.76 million customers. Perhaps TalkTalk's cheesy telly ads showing a Gogglebox-style family streaming videos on their tablets are working after all.

Chief exec Dido Harding gave London business freesheet City AM a hair-shirt interview this morning, boasting of how the company has improved since the teenage hacker and his alleged accomplices walked off with the personal details and banking information of up to four million customers.

"We also learnt that if you're open and honest with your customers everything works out alright," she said. "They think, in adversity, we tried our damnedest to look after them."

TalkTalk’s revenues dipped by 1.1 per cent to £902m for the half-year, which the firm said was "as expected". It has previously admitted that the major October hack cost it 95,000 customers and around £45m in extra security and service restoration costs. ®



The Register - Security

ICS Cyber Security Conference

Admiral Michael Rogers, Director of the U.S. National Security Agency (NSA) and Commander, U.S. Cyber Command to Keynote SecurityWeek's 2016 ICS Cyber Security Conference on Oct. 25

Security professionals from various industries will gather next week at the 2016 edition of SecurityWeek’s ICS Cyber Security Conference, the longest-running event of its kind. The conference takes place on October 24-27 at the Georgia Tech Hotel & Conference Center in Atlanta, Georgia.

SecurityWeek is honored to host Admiral Michael S. Rogers, Director of the U.S. National Security Agency (NSA) and Commander, U.S. Cyber Command, as our keynote speaker.

The event kicks off on Monday with a series of open and advanced workshops focusing on operational technology (OT), critical infrastructure, SCADA systems, and management. Participants will have the opportunity to learn not only how an organization can be protected against attacks, but also how attackers think and operate when targeting control systems.

Following his keynote on Tuesday, Admiral Rogers will take part in a conversation and questions session with SecurityWeek's Mike Lennon and conference attendees.

On the same day, Yokogawa’s Jeff Melrose will detail drone attacks on industrial sites, and ICS cybersecurity expert Mille Gandelsman will disclose new vulnerabilities in popular SCADA systems.

In addition to an attack demo targeting a Schweitzer SEL-751A feeder protection relay, the day will feature several focused breakout sessions and a panel discussion on risk management and insurance implications.

The third day of the event includes presentations on PLC vulnerabilities, attacks against air-gapped systems, cyberattack readiness exercises, and management issues.

Also on Wednesday, ExxonMobil Chief Engineer Don Bartusiak will detail the company’s initiative to build a next-generation process control architecture. Breakout sessions will focus on risk management, incident response, safety and cybersecurity programs, emerging technologies, and the benefits of outside cybersecurity services in the automation industry.

On the last day of the ICS Cyber Security Conference, attendees will have the opportunity to learn about the implications of the Ukrainian energy hack on the U.S. grid, practical attacks on the oil and gas industries, and how technologies designed for video game development and engineering can be used to simulate cyberattacks and evaluate their impact.

Speakers will also detail the status of ICS in developing countries, the need for physical security, the implications associated with the use of cloud technologies in industrial environments, and the implementation of a publicly accessible database covering critical infrastructure incidents. 

Produced by SecurityWeek, the ICS Cyber Security Conference is the conference where ICS users, ICS vendors, system security providers and government representatives meet to discuss the latest cyber-incidents, analyze their causes and cooperate on solutions. Since its first edition in 2002, the conference has attracted a continually rising interest as both the stakes of critical infrastructure protection and the distinctiveness of securing ICSs become increasingly apparent.


*Additional reporting by Ed Kovacs


For more than 10 years, Mike Lennon has been closely monitoring and analyzing trends in the enterprise IT security space and the threat landscape. In his role at SecurityWeek he oversees the editorial direction of the publication and manages several leading security conferences.



SecurityWeek RSS Feed

ISC patches critical DoS bug in BIND DNS software

The Internet Systems Consortium (ISC) patched two vulnerabilities in domain name system software BIND, one of which was referred to as a "critical error condition" in the software.

BIND is the most commonly deployed DNS server on the internet, translating domain names into IP addresses so that users can access applications and remote servers without having to track IP addresses. BIND is the de facto standard on Linux and other Unix-based machines; a vulnerability in the software affects a large number of servers and applications.


The latest BIND update, versions 9.9.9-P3, 9.10.4-P3, and 9.11.0rc3, patched a denial-of-service flaw (CVE-2016-2776) that could be exploited using specially crafted DNS request packets. The issue was uncovered internally by ISC and affects all servers that can receive request packets from any source, ISC said in its advisory. Affected versions include 9.0.x to 9.8.x, 9.9.0 to 9.9.9-P2, 9.9.3-S1 to 9.9.9-S3, 9.10.0 to 9.10.4-P2, and 9.11.0a1 to 9.11.0rc1.

Users are advised to update their BIND installations to the "patched release most closely related to your current version of BIND," or versions 9.9.9-P3, 9.10.4-P3, and 9.11.0rc3. The fix is also in the BIND 9 Supported Preview edition as version 9.9.9-S5.

"Testing by ISC has uncovered a critical error condition which can occur when a nameserver is constructing a response," said the ISC, which has been maintaining BIND since 2000.

The issue is tied to a defect in the rendering of messages into packets when the nameserver is constructing a response. A specially crafted request can trigger an assertion failure in buffer.c while the server constructs a response to a specific type of query. The exploit would succeed "even if the apparent source address isn't allowed to make queries (i.e. doesn't match 'allow-query')."

The issue was marked high-severity with a 7.8 score on the Common Vulnerability Scoring System because it can be exploited remotely. Red Hat's advisory says the attack doesn't require any authentication, additional privileges, or user interaction to successfully exploit the flaw, so the issue is particularly dangerous.

It's easy to downplay the severity of a denial-of-service flaw in a security advisory, especially when compared against privilege escalation or remote code execution. However, because BIND is central to implementing the DNS protocol on the internet, a vulnerability that could be exploited to knock systems offline would have a wide-reaching impact. A specially crafted query that could crash the name server daemon isn't simply an inconvenience or a minor setback. It could bring portions of the internet to their knees.

ISC has not seen any evidence indicating attackers were aware of or had already exploited the vulnerability, but cautioned that all servers that can receive request packets from any source should be updated. ISC has patched the faults in its distribution, and various Linux distributions, such as Red Hat, are already shipping fixes for their own BIND implementations.
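The first question a practitioner has on reading this is whether a given server falls inside the affected ranges. The following is an added example, not ISC code: it encodes the ranges exactly as the advisory is quoted above and gives BIND version strings an ordering (alpha, beta and rc prereleases, -P patch levels, and the separately numbered -S Supported Preview edition) so they can be compared. The `named -v` sample output is constructed, and the version-string check carries the caveat that follows the block.

```python
import re

# Affected ranges for CVE-2016-2776 as quoted from the ISC advisory above (inclusive).
# "9.8.999" stands in for "any 9.8.x". Versions carrying an -S suffix belong to ISC's
# separately numbered Supported Preview edition and are compared only against the S range.
AFFECTED_RANGES = [
    ("P", "9.0.0", "9.8.999"),
    ("P", "9.9.0", "9.9.9-P2"),
    ("S", "9.9.3-S1", "9.9.9-S3"),
    ("P", "9.10.0", "9.10.4-P2"),
    ("P", "9.11.0a1", "9.11.0rc1"),
]

_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:(a|b|rc)(\d+))?(?:-([PS])(\d+))?$")
_STAGE_RANK = {"a": 0, "b": 1, "rc": 2, None: 3}   # alpha < beta < rc < final release


def parse_version(text):
    """Split a BIND version string into (track, sortable key).

    track is "P" for regular releases and their -P patch levels,
    "S" for the Supported Preview edition.
    """
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised BIND version: {text!r}")
    major, minor, patch, stage, stage_num, track, track_num = m.groups()
    key = (int(major), int(minor), int(patch),
           _STAGE_RANK[stage], int(stage_num or 0), int(track_num or 0))
    return (track or "P"), key


def is_affected(version):
    """True if the version string lies inside one of the advisory's affected ranges."""
    track, key = parse_version(version)
    return any(track == t and parse_version(lo)[1] <= key <= parse_version(hi)[1]
               for t, lo, hi in AFFECTED_RANGES)


def version_from_named(output):
    """Pull the version out of `named -v` output such as 'BIND 9.10.4-P2 <id:...>'."""
    m = re.search(r"\bBIND\s+(\S+)", output)
    if not m:
        raise ValueError("no BIND version found in output")
    return m.group(1)


if __name__ == "__main__":
    sample = "BIND 9.10.4-P2 <id:c2a6e4b>"      # constructed `named -v` output
    v = version_from_named(sample)
    print(v, "affected" if is_affected(v) else "not affected")
    for v in ("9.9.9-P2", "9.9.9-P3", "9.11.0rc1", "9.11.0rc3", "9.9.9-S3", "9.9.9-S5"):
        print(v, is_affected(v))
```

The caveat is the one the Red Hat line above hints at: distributions backport the fix into packages that keep the old upstream version string, so on a packaged BIND the package changelog, not `named -v`, is the record of whether CVE-2016-2776 is fixed. The check above is authoritative only for BIND built from ISC source.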

This BIND update also fixed a previously disclosed medium-severity DoS condition (CVE-2016-2775) in BIND's implementation of the lightweight resolver (lwresd) protocol. The error stems from the fact that a server can terminate if the resolver tries to resolve a query name, which, when combined with a search list, exceeds the maximum allowable length.

"A server which is affected by this defect will terminate with a segmentation fault error, resulting in a denial of service to client programs attempting to resolve names," ISC said in the advisory.

The vulnerability is also "troublesome" for embedded devices running BIND, as remediation involves fixing BIND and updating all the devices with the embedded software. "We will again see organizations scrambling to determine if they use the component, and where," said Mike Pittenger, VP of Security Strategy at Black Duck Software.

Security researcher Pierre Kim has unearthed a bucketload of vulnerabilities affecting the LTE router/portable wireless hotspot D-Link DWR-932. Among these are backdoor accounts, weak default PINs, and hardcoded passwords.

D-Link DWR-932

Kim went searching for them after he previously poked around some Quanta LTE routers and also found a huge number of flaws, and a D-Link DWR-932 user noted that the two router types have many similarities.

In fact, he says that D-Link’s router is based on the Quanta models, and inherited some of the vulnerabilities.

The documented D-Link DWR-932 vulnerabilities affect the latest available firmware. Kim first responsibly disclosed them to the D-Link Security Incident Response Team in June, but after the company said early this month that they don’t have a schedule for a firmware release, he decided to go public with the details about some of the flaws.

In short, the firmware sports:

  • Two backdoor accounts with easy-to-guess passwords that can be used to bypass the HTTP authentication used to manage the router
  • A default, hardcoded Wi-Fi Protected Setup (WPS) PIN, as well as a weak WPS PIN generation algorithm
  • Multiple vulnerabilities in the HTTP daemon
  • Hardcoded remote Firmware Over The Air credentials
  • Lowered security in Universal Plug and Play, and more.

“At best, the vulnerabilities are due to incompetence; at worst, it is a deliberate act of security sabotage from the vendor,” says Kim, and advises users to stop using the device until adequate fixes are provided.

“As the router has a sizable memory (168 MB), a decent CPU and good free space (235 MB) with complete toolkits installed by default (sshd, proxy, tcpdump …), I advise users to trash their routers because it’s trivial for an attacker to use this router as an attack vector (ie: hosting a sniffing tool, LAN hacking, active MiTM tool, spamming zombie),” he noted.

The router is still being sold and used around the world.
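Why a default, hardcoded or predictably generated WPS PIN is so damaging is a property of the protocol rather than of this router, and Kim’s write-up is not reproduced here. The following added example (not Kim’s code, and not D-Link’s PIN generator, which the page does not describe) models the general WPS external-registrar exchange: the PIN’s 8th digit is a checksum of the first seven, and the access point acknowledges the two halves separately, so an online brute force needs at most 11,000 attempts instead of 10^7. The target PIN and the access-point model are constructed for the example.

```python
# General WPS PIN handling (Wi-Fi Simple Configuration); nothing here is D-Link specific.

def wps_checksum(pin7):
    """Checksum digit (the 8th digit) for a 7-digit WPS PIN body."""
    accum, n = 0, pin7
    while n:
        accum += 3 * (n % 10); n //= 10
        accum += n % 10; n //= 10
    return (10 - accum % 10) % 10


def is_valid_pin(pin):
    """An 8-digit PIN whose last digit matches the checksum of the first seven."""
    return len(pin) == 8 and pin.isdigit() and wps_checksum(int(pin[:7])) == int(pin[7])


def search_space():
    """Worst-case attempts for an online attacker: 10^4 for the first half, then 10^3 for the
    second half (its last digit is the checksum), instead of 10^7 for an unsplit 7-digit PIN."""
    return 10 ** 4 + 10 ** 3


def make_access_point(target_pin):
    """Model an AP that, as the real protocol does, verifies the two PIN halves separately
    and answers with a NACK after message M4 or M6 accordingly (constructed stand-in)."""
    if not is_valid_pin(target_pin):
        raise ValueError("target PIN must be a valid 8-digit WPS PIN")

    def try_pin(pin):
        if pin[:4] != target_pin[:4]:
            return "nack_after_m4"    # first half wrong
        if pin[4:] != target_pin[4:]:
            return "nack_after_m6"    # first half right, second half wrong
        return "ok"
    return try_pin


def crack(try_pin):
    """Online brute force that exploits the split verification. Returns (pin, attempts)."""
    attempts = 0
    first_half = None
    for i in range(10 ** 4):
        attempts += 1
        if try_pin(f"{i:04d}0000") != "nack_after_m4":
            first_half = f"{i:04d}"
            break
    if first_half is None:
        return None, attempts
    for j in range(10 ** 3):
        attempts += 1
        body = f"{first_half}{j:03d}"
        candidate = body + str(wps_checksum(int(body)))   # only checksum-valid PINs are tried
        if try_pin(candidate) == "ok":
            return candidate, attempts
    return None, attempts


if __name__ == "__main__":
    target = "12345670"                         # constructed example PIN (valid checksum)
    pin, attempts = crack(make_access_point(target))
    print(pin, "recovered in", attempts, "attempts of at most", search_space())
```

Two things follow for the device above. A hardcoded default PIN needs none of these attempts, and a weak generation algorithm collapses even the 11,000-attempt space to a handful of candidates. Real access points may rate-limit or lock out after failed attempts, which slows the online search but does not change the arithmetic.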


Help Net Security

OVH, one of the world’s largest hosting companies, reported on Thursday that its systems were hit by distributed denial-of-service (DDoS) attacks that reached nearly one terabit per second (Tbps).

Octave Klaba, the founder and CTO of OVH, revealed on Twitter that the company detected a “lot of huge DDoS” in the past days. A screenshot posted by Klaba shows multiple attacks that exceed 100 Gbps, including simultaneous attacks that totaled nearly 1 Tbps. The largest single attack recorded by OVH peaked at 799 Gbps and 93 Mpps.

This is not the only major DDoS attack reported in recent days. Earlier this week, investigative cybercrime journalist Brian Krebs said his blog, KrebsOnSecurity.com, had been targeted in an attack that peaked at 665 Gbps. While it hasn’t been confirmed, some evidence suggests that the attack was carried out in retaliation for a recent blog post exposing the operators of a booter service called vDOS.

The attack was mitigated by Akamai, but the attackers did not give up and Krebs said the company decided to stop providing DDoS protection services. As a result, the journalist has taken his website offline until he finds a new provider.

He pointed out that Akamai had been providing service at no cost. Before this attack, the largest DDoS attack mitigated by the company measured only 336 Gbps.

CloudFlare is confident it can help and it has already offered its services to Krebs. The company’s founder and CEO, Matthew Prince, said they had seen this type of attack before.

Krebs said the attack on his website appears to have been powered almost exclusively by a very large botnet of compromised IoT devices, such as webcams and routers, and no amplification has been used. The expert suggested the same “cannon” has also been tested against OVH and other organizations.

Before the attack that hit Krebs’ website, the largest reported attack, launched by anti-ISIS hackers against BBC websites, peaked at 600 Gbps. However, the magnitude of the attack could not be confirmed.

The largest DDoS attacks recently confirmed by security firms reached 500 Gbps (Arbor Networks) and 470 Gbps (Imperva Incapsula).

Related Reading: "Armada Collective" DDoS Threats Strike Again

Related Reading: Record Number of 100+ Gbps DDoS Attacks Hit in Q1 2016



SecurityWeek RSS Feed

A recent survey from the Cloud Security Alliance and Skyhigh Networks, titled IT Security in the Age of Cloud, showed a significant number of IT and security professionals are having trouble drinking from the proverbial security fire hose, and it just keeps getting more difficult. Nearly a third of the 228 respondents said they ignore network security alerts because there are too many false positives. Twenty-six percent of respondents said they receive more security alerts than they can investigate. These findings alone are not only a breach waiting to happen, but they essentially negate a significant portion of everything that has been done to improve security in the enterprise.

The study also found that 40% of respondents claim there's a lack of actionable intelligence in the network security alerts they do receive. What does that say about the security controls and processes they've invested in to this point? Oddly enough, a majority of respondents (53.7%) said their organizations plan to increase their security budget in the next 12 months. That begs the question: Are they just going to throw more money at the problem? The mantra is to simply invest more money and that will, presumably, fix everything. Unfortunately, information security programs aren't that simple. Quick fixes do not -- and never will -- work. What's needed to minimize these challenges in IT is a fresh look, and perhaps a significant retooling, of how information security is managed.


So how do IT and security pros move forward and get past this disarray with network security alerts? Everyone's situation is unique but there are some common strategies and tactics that can be utilized to gain some semblance of control over the situation. The first part is coming to an agreement on what matters. That is, what types of attacks against which specific systems in the network environment need the attention of IT and security staffs. This might involve enterprise applications in the DMZ combined with firewall and intrusion detection system (IDS) alerts. It might be internal-facing endpoints, perhaps involving DLP and malware protection. Whether it's external or internal, a security information and event management (SIEM) provider, managed security services provider or other entity might be involved. What new, or better, information is needed? Perhaps not enough information is being provided, or at least the right information, to help facilitate good decision-making?

I have found that, by and large, most problems related to network security alerts and the subsequent challenges and oversights are due to a lack of tuning of the security systems in use. Given the time constraints and lack of time management skills, combined with knowledge and training gaps related to products and security events -- what to look for -- many security systems are "set it and forget it." Unless there is continual measurement and subsequent tweaking of firewalls, IDS or intrusion prevention system, SIEM and the like, there's no possible way to achieve measurable improvements. Individual security systems must be treated as a feedback loop -- adjustments for which are then fed into the larger security program.
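The feedback loop the column describes, as an added example that is not the author's: per-rule precision measured from the dispositions analysts recorded, turned into tuning actions, then replayed against the same history to show how much noise a change removes and how much signal it costs. The alert history and rule names are constructed, and the precision and volume thresholds are assumptions to be set per environment.

```python
from collections import Counter

# Constructed alert history of (rule, analyst disposition) pairs; "tp" = true positive,
# "fp" = false positive. Sample data made up for this example.
ALERT_HISTORY = (
    [("ids:2001 C2 beacon", "tp")] * 2 + [("ids:2001 C2 beacon", "fp")] * 38 +
    [("edr:office-spawns-shell", "tp")] * 5 + [("edr:office-spawns-shell", "fp")] * 1 +
    [("fw:port-scan-internal", "fp")] * 200 +
    [("dlp:ssn-pattern", "tp")] * 1 + [("dlp:ssn-pattern", "fp")] * 19
)


def rule_stats(history):
    """Measure each rule: how often it fires and how often an analyst confirmed it."""
    totals, tps = Counter(), Counter()
    for rule, disposition in history:
        totals[rule] += 1
        if disposition == "tp":
            tps[rule] += 1
    return {r: {"total": totals[r], "tp": tps[r], "precision": tps[r] / totals[r]}
            for r in totals}


def recommend(stats, min_precision=0.10, min_volume=10):
    """Turn measured precision into the tuning action for the next pass of the loop
    (thresholds are assumptions; pick them for your own alert volume)."""
    actions = {}
    for rule, s in stats.items():
        if s["total"] < min_volume:
            actions[rule] = "keep (too few alerts to judge)"
        elif s["tp"] == 0:
            actions[rule] = "disable pending review (zero true positives)"
        elif s["precision"] < min_precision:
            actions[rule] = "tune (add exceptions or raise threshold)"
        else:
            actions[rule] = "keep"
    return actions


def replay(history, actions):
    """Re-run the history with disabled rules removed: noise removed versus signal lost."""
    disabled = {r for r, a in actions.items() if a.startswith("disable")}
    kept = [(r, d) for r, d in history if r not in disabled]
    lost_tp = sum(1 for r, d in history if r in disabled and d == "tp")
    return {"alerts_before": len(history), "alerts_after": len(kept),
            "true_positives_lost": lost_tp}


if __name__ == "__main__":
    stats = rule_stats(ALERT_HISTORY)
    actions = recommend(stats)
    for rule, action in actions.items():
        print(f"{rule:28s} {stats[rule]['total']:4d} alerts "
              f"{stats[rule]['precision']:.0%} precision -> {action}")
    print(replay(ALERT_HISTORY, actions))
```

The replay step is what makes this a loop rather than a one-off cleanup: the same measurement runs again after the change, and a rule whose true positives start disappearing is the signal that the tuning went too far.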

There are a lot of moving parts in properly setting and managing network security alerts, but the solution is simple. With user demands for simplicity and convenience, enterprises must set aside time and resources for this ongoing work to make security better. Otherwise, they're going through the motions, which serves to create a false sense of security and sets everyone involved up for failure over the long haul.


This was first published in September 2016


SearchSecurity: Security Wire Daily News

Microsoft has announced several new software licensing bundles, with a focus on productivity and security, along with many new models for large companies and different verticals.

Most long-time IT professionals will tell you that Microsoft’s software licensing schemes for business customers are like so many Facebook users’ relationship status: it’s complicated. We had enough difficulty untangling the intricacies of server, client, and application licenses, CALs, and per-user, per-device, and per-processor licensing models. And then along came the cloud, adding subscription-based licensing to the mix.

To make matters worse, it’s a moving target; just about the time you think you finally have it figured out, they change things on you, and they did it again a few months ago with the introduction of new subscription plans for Windows desktop operating systems. The good news is that customers, at least in some cases, have benefited from ongoing efforts to simplify the licensing process, although whether this will actually save you money depends on your use case.

The most recent change announced in July provides a bundle with both client operating system and cloud productivity services, as well as the Enterprise Mobility + Security (EMS) pack, formerly known as the Enterprise Mobility Suite. “Bundling” is a popular sales model that combines products and services into one often attractively-priced package, so Microsoft’s new bundle includes Windows 10 Enterprise edition, Office 365 and EMS. They’re calling it the Secure Productive Enterprise bundle, and this is a way to simplify licensing for businesses that need these three products/services, all of which work together in today’s security-conscious, highly mobile, collaboration-focused work environment.

Secure Productive Enterprise (SPE) builds on Microsoft’s Enterprise Cloud Suite (ECS), that was introduced in December 2014 as a per-user licensing option through the Microsoft Enterprise Agreement (EA). The SPE bundle will come in two flavors: E3 and E5. The E3 model brings the three products listed above, and the change that is causing much confusion is the name of the Windows version, which is now officially Windows 10 Enterprise E3. This forced many people to think that this is now some sort of subscription-based version of Windows, but essentially this is just a regular Windows 10 Enterprise bundled with Office 365 E3 plan and EMS.

The Secure Productive Enterprise E5 version adds to the equation Microsoft’s new service, Windows Defender Advanced Threat Protection, which uses machine intelligence and the Azure based “intelligent security graph” to increase security levels; we’re preparing a blog post dedicated to this new service, so if you don’t want to miss it, use the form below to subscribe to our blog.

These are only the latest in a series of licensing changes we’ve seen over the last twelve months. We began the year with the news that Windows Server 2016, scheduled for release in late September, would be moving to a per-processor-core licensing model. Many customers weren’t happy with the decision, calling it a “revenue grab” – Microsoft explained it as part of the evolution of Windows Server to support the hybrid cloud.

Enterprises have seen some more licensing changes this summer, and Microsoft has announced additional modifications to enterprise licensing terms coming up in 2017. The first set of changes to Enterprise Agreement (EA) contracts took effect on July 1, and will affect small/mid-sized companies most, as it increased the number of seats qualifying for an EA to 500, up from the previous minimum 250 seats.

Those who no longer fit into the EA parameters aren’t the only ones who’ll be looking for alternatives. There’s more bad news for those companies that currently use a Select Plus agreement: Microsoft has announced that they’re retiring that program, which is a form of “a la carte” software purchasing. The good news is that the Open License program is expected to continue.

Another option is to switch to a Microsoft Products and Services Agreement (MPSA), a program that represents Microsoft’s effort to offer a simpler form of licensing agreement. Microsoft appears to be pushing the MPSA, which does work for those customers who fall into the 250-499 seat range. The MPSA is going to start offering something called Enterprise Advantage, and you might notice that its initials are also EA, so how’s that for confusion? It also has something else in common with the Enterprise Agreement, in that both are contracts of three years’ duration.

Once it becomes available, Microsoft says Enterprise Advantage will provide comparable benefits to the Enterprise Agreement. It will allow organizations to purchase across their entire org under the same agreement, and you’ll have the choice to either purchase company-wide or on a transactional basis. You can purchase whatever you need, whenever you want, without any additional enrollments. You can mix perpetual and subscription software with cloud services, and you can “true up” or “true down” your subscriptions and services when necessary as your business changes. Here is Microsoft’s announcement of the impending availability and features of Enterprise Advantage from the Microsoft Volume Licensing Blog on the TechNet web site.

Later in 2017, there will be two more, specialized offerings for public sector and educational institutions, called Government Advantage and Education Advantage. There are currently volume licensing plans for small, mid-size and large businesses, and there are specialized programs for government, education, health-related and non-profit verticals. Small business licensing includes open licensing programs with the ability to add online services to the agreement, for those who are transitioning to the cloud.

Online services such as Office 365 can be covered by the MPSA, and it provides more flexibility than the more traditional licensing plans. Then there is the Cloud Solution Provider (CSP) agreement, which is for Microsoft partners who sell Microsoft cloud services to customers. Of course, if your IT is based mostly on-premises and your organization is large enough to have 500 or more seats, you can stick with the traditional Enterprise Agreement. However, if your contract is up for renewal, you should compare the cost and benefits of the EA vs. the MPSA to determine which best fits your needs.



GFI Blog