Deprecating Support for TLS 1.0 / 1.1 – Improving Encryption Strength and your Security Posture

TLS Background

Transport Layer Security or TLS provides privacy and data integrity for applications communicating over the Internet. It can be used in many Internet services today such as VPN, Email Exchange, and most commonly, Web Services (HTTPS). There have been 2 released versions of Secure Sockets Layer (SSL) and 4 versions of TLS spanning the last 25 years of security advancements. Each successive release addresses security vulnerabilities or weaknesses in a prior release:

SSLv2 documented in RFC 6176, released in 1995
SSLv3 documented in RFC 6101, released in 1996
TLS1.0 documented in RFC 2246, released in 1999
TLS1.1 documented in RFC 4346, released in 2006
TLS1.2 documented in RFC 5246, released in 2008
TLS1.3 documented in RFC 8446, released in 2018

Current TLS Support

Our mission within Cisco Umbrella has always been to provide powerful security solutions that are easy to deploy and simple to manage. To maintain the simplicity for our customers and provide for the most backwards compatibility for those running legacy or unpatched operating systems, Cisco Umbrella has previously chosen to continue supporting all TLS Protocols 1.0 or later, deprecating only specific weak / insecure ciphers.

What’s Changing?

Cisco Umbrella will deprecate support for all TLS / SSL versions prior to version 1.2 on March 31st, 2020. After this date customers will be unable to connect without leveraging a TLS1.2 compatible client.

Why change now?

There are a few compelling events that caused us to re-evaluate our risk evaluation of TLS1.0 / 1.1.

1 – Apple, Google, Microsoft, and Mozilla announced in October of 2018 that they will deprecate support for TLS1.1 and prior within their browsers, forcing all TLS communications to be TLS1.2 or higher on March 31st, 2020.

2 – As of June 2018, the Payment Card Industry Security Standards Council (PCI-SSC) officially began enforcement of a new policy requiring any sites certified under PCI-DSS to deprecate TLS1.0 and any SSLv2/v3 configurations. While they will allow TLS1.1, there is a strong recommendation to implement only TLS1.2 and later protocols.

3 – As of 2014, the National Institute of Standards and Technology (NIST) formalized policy 800-52 which requires US Government Agencies to adopt TLS1.2 and deprecate use of TLS1.1 and before.

Upon re-evaluation of the associated risks and certification landscape, Cisco determined that now is the time to complete deprecations for anything prior to TLS1.2.

Source:
https://umbrella.cisco.com/blog/2019/09/06/deprecating-support-for-tls-1-0-1-1-improving-encryption-strength-and-your-security-posture/

Mid-Year Update: 2019 SonicWall Cyber Threat Report

It’s almost cliché at this point, but the cyber arms race — and respective cybersecurity controls and technology — moves at an alarming pace.

For this reason, SonicWall Capture Labs threat researchers never stop investigating, analyzing and exploring new threat trends, tactics, strategies and attacks. They publish most of their findings — the data they can share publicly, anyway — in the annual SonicWall Cyber Threat Report.

But to ensure the industry and public are able to stay abreast of the quickly shifting threat landscape, the team offers a complementary mid-year update to the 2019 SonicWall Cyber Threat Report. Download the exclusive report to explore the stories, behaviors and trends that are shaping 2019 — as they are happening.

Malware volume dips in first half

In 2018, global malware volume hit a record-breaking 10.52 billion attacks, the most ever recorded by SonicWall Capture Labs threat researchers.

Fortunately, during the first six months of 2019, that trend slowed — at least somewhat. SonicWall recorded 4.8 billion* malware attacks, a 20% drop compared to the same time period last year.

Ransomware rising

Did you think ransomware was an outdated tactic? The latest 2019 data proves otherwise. Despite overall declines in malware volume, ransomware continues to pay dividends for cybercriminals.

All told, global ransomware volume reached 110.9 million for the first half of 2019, a 15% year-to-date increase. The exclusive mid-year update outlines which countries followed this trend and which were victimized by an increase in ransomware attacks.

Attacks against non-standard ports still a concern

As defined in the full 2019 SonicWall Cyber Threat Report, a ‘non-standard’ port means a service running on a port other than its default assignment, usually as defined by the IANA port numbers registry.

For the first half of 2019, 13% of all malware attacks came via non-standard ports, a slight dip due to below-normal activity in January (8%) and February (11%).

Encrypted threats intensify

In 2018, SonicWall logged more than 2.8 million encrypted threats, which was already a 27% jump over the previous year. Through the first six months of 2019, SonicWall has registered a 76% year-to-date increase.

Machine learning, multi-engine sandboxes evolving to ‘must-have’ security

So far in 2019, the multi-engine SonicWall Capture Advanced Threat Protection (ATP) cloud sandbox has exposed 194,171 new malware variants — a pace of 1,078 new variant discoveries each day of the year.

IoT malware volume doubled YTD

The speed and ferocity in which IoT devices are being compromised to deliver malware payloads is alarming. In the first half of 2019, SonicWall Capture Labs threat researchers have already recorded 13.5 million IoT attacks, which outpaces the first two quarters of last year.

Bitcoin run keeping cryptojacking in play

Late 2018 data showed cryptojacking on the decline. But with the surging values of both bitcoin and Monero, cryptojacking rebounded in 2019. Cryptojacking volume hit 52.7 million for the first six months of the year.

How do cybercurrency prices influence cryptojacking volume? The exclusive mid-year update looks deeper into the numbers.

Source
https://blog.sonicwall.com/en-us/2019/07/mid-year-update-2019-sonicwall-cyber-threat-report/

WiFi Protection in Public Places

WiFi Internet has added much convenience to our daily lives, with its easy accessibility in public places such as restaurants, hotels, and cafes; malls, parks, and even in airplanes, where we can connect online for faster transactions and communication. Like any online technology, however, it’s vulnerable to hacker abuse, posing potential threats to you and your mobile devices.

Public WiFi hotspots in particular are unsecure, easily hacked by cybercriminals. Some ways you can be hacked when connected to public WiFi include (MUO, Bates, 10/3/16):

The hacker can get between you and the WiFi hotspot when hooked to the network, to perform man-in-the-middle attacks and spy on your connection.
The hacker can “spoof” the legitimate WiFi, creating an “evil twin” that you log onto without noticing it’s a fake—which again, lets them spy on your data in transit.
A hacker can “sniff” the packets on the unencrypted network you’re attached to, reading it with software like WireShark, for identity clues they can analyze and use against you later.
They can also “hijack” a session in real-time, reading the cookies sent to your device during a session, to gain access to private accounts you’re logged into. This is typically known as “sidejacking.”
Finally, they can “shoulder-surf,” simply watching you over your shoulder, to view your screens and track your keystrokes. In crowded places, it’s easy for hackers to “eavesdrop” on your connection.

Ways you can protect yourself when using public WiFi include (Wired, Nield, 8/5/18):

Connect only to more trusted public networks, like Starbucks, rather than any random public WiFi that shows up in your WiFi connection settings, as in a shopping mall or park.
Connect only to websites that show HTTPS, not just HTTP, which means the data transmission between the site and you is encrypted.
Don’t provide too much personal data, such as email addresses and phone numbers, if the WiFi network requires it to connect. Better to not connect than risk unwanted ads or even identity theft.
Don’t do public file or print sharing over public WiFi networks. This is even more true of financial transactions: banking on unsecured WiFi networks is an invitation to hackers to steal your data in transit.
Use a Virtual Private Network (VPN) on your mobile device, so you can be certain your data is encrypted to and from your mobile device.

The last piece of advice should probably be your first line of defense. Trend Micro WiFi Protection, for example, protects your devices from online threats by providing just such a VPN. It safeguards your private information when using public hotspots by automatically turning on when the device connects to an unsecured WiFi network. This ensures total anonymity from public servers and hides your data from hacker inspection by encrypting your data over the network. Trend Micro WiFi Protection also includes built-in web threat protection that protects you from online frauds and scams that can come your way via malicious links—and notifies you if there are any WiFi security issues on the network itself. You’ll be happy to also know that Trend Micro WiFi Protection does not affect your WiFi speed as it connects to its local or regional secured server.

Stay safe on public WiFi! Trend Micro WiFi Protection is available for PC, Mac, Android and iOSdevices.

Source
https://blog.trendmicro.com/wifi-protection-in-public-places/

Set up Chrome Browser Cloud Management

Enroll cloud-managed Chrome Browsers

Next: 3. Set policies for enrolled Chrome Browsers

After you have access to your Google Admin console, here's how to enroll the devices where you want to manage Chrome Browsers. You'll then be able to enforce policies for any users who open Chrome Browser on an enrolled device.

Step 1: Generate enrollment token

In your Google Admin console (at admin.google.com)...
Go to Device management.
(Optional) To add browsers in the top-level organization in your domain, keep Include all organizational units selected. Alternatively, you can generate a token that will enroll browsers directly to a specific organizational unit by selecting it in the left navigation before moving on to the next step. For more information, see Add an organization unit.
At the bottom, click Add to generate an enrollment token.
In the box, click Copy to copy the enrollment token.

Step 2: Enroll browsers with the enrollment token

Enroll browsers on Windows

Option 1: Use the Group Policy Management Editor

Under HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Google\Chrome, set CloudManagementEnrollmentToken to the generated token you copied above.

Clear the current enrollment if one exists using:
-HKEY_LOCAL_MACHINE\SOFTWARE\Google\Chrome\Enrollment

(Optional) By default, if enrollment fails (for example if the enrollment token is invalid or revoked), Chrome will start in an unmanaged state. If you instead want to prevent Chrome browser from starting if enrollment fails, set CloudManagementEnrollmentMandatory under HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Google\Chrome to true

Notes:

The token must be set at a local machine level. It won't work at the user level.
If the machines you are enrolling are imaged from the same Windows source, make sure that you have used Microsoft's System Preparation tool (Sysprep) so that each enrolled machine has a unique identifier.

Option 2: Download the reg file

Click Download .reg file. The downloaded .reg file automatically adds the token and clears the current enrollment when run.

When you use the reg file, Chrome browser will still respect the CloudManagementEnrollmentMandatory policy in Option 1, blocking launch if enrollment fails. See the note above if you're enrolling machines imaged from the same Windows source.

Enroll browsers on Mac

Option 1: Use a policy

Push the token to your browser as a policy named CloudManagementEnrollmentToken. Setting policies on Mac devices requires the Apple Profile Manager.

Note: If you choose to manually set policies, be aware that Mac OS will delete the policy files on every sign-in. Learn more about setting up policies on Mac in the Quick Start Guide and help center.

Option 2: Use a text file

Push the token in a text file called CloudManagementEnrollmentToken, under /Library/Google/Chrome/. This file must only contain the token and be encoded as a .txt file, but should not have the .txt filename extension.

(Optional) By default, if enrollment fails (for example if the enrollment token is invalid or revoked), Chrome will start in an unmanaged state. If you instead want to prevent Chrome browser from starting if enrollment fails, create a file called CloudManagementEnrollmentOptions under /Library/Google/Chrome/ with the text Mandatory (case sensitive). This file must be encoded as a .txt file, but should not have the .txt filename extension.

If a token is pushed using both methods above, Chrome will use the value present in the policy and ignore the file. The token is stored in a directory under the home directory on the user's Mac. Each Mac OS user must enroll separately.

Enroll browsers on Linux machines

The token can be pushed by creating a text file called enrollment_token, under /etc/opt/chrome/policies/enrollment. This file must only contain the token and nothing else.

(Optional) By default, if enrollment fails (for example if the enrollment token is invalid or revoked), Chrome will start in an unmanaged state. If you instead want to prevent Chrome browser from starting if enrollment fails, create a file called CloudManagementEnrollmentOptions under /etc/opt/chrome/policies/enrollment/ with the text Mandatory (case sensitive). This file must be encoded as a .txt file, but should not have the .txt filename extension.

Step 3: Launch Chrome Browser and confirm enrollment

After setting the enrollment token using one of the methods in Step 2, quit Chrome Browser (if it's open) and launch Chrome Browser on the managed device.
Sign in to the Google Admin console (admin.google.com).
Go to Device management Chrome management Managed browsers. All browsers that have been launched with your enrollment token will appear in the browser list.
(Optional) To see additional details, click a machine's name.

Notes:

If you have multiple installations of Chrome Browser on a single device, they will show up in the browser list as a single managed browser.
Enrollment tokens are only used during enrollment. After enrollment, they can be revoked in the Admin console. However, enrolled browsers will still be registered.
On Windows, only system installations are supported because Chrome Browser requires admin privileges to register.

Just after registering, not many fields are populated. You need to enable browser reporting to access detailed reporting information. For more information, see Step 4: Enable Chrome Browser reporting.

Unenroll and re-enroll devices

To remove policies and to unenroll a device in Chrome Browser Cloud Management, delete both the enrollment token and the device token.

To re-enroll a device, delete the device token while leaving the enrollment token in place. The device token was created by Chrome during the initial enrollment. Make sure not to revoke the enrollment token. If you accidentally delete the enrollment token, create a new one.

Note: Unenrolling browsers from Chrome Browser Cloud Management doesn't delete the data that's already uploaded to the Google Admin console. To delete uploaded data, delete the corresponding device from the Admin console.

Questions

When are enrollment tokens used?

Enrollment tokens are only used during enrollment. They can be revoked after enrollment and enrolled browsers will still be registered.

Does this token enrollment process require admin privileges on Windows?

Yes. On Windows, only system installations are supported.

What gets uploaded during the enrollment process?

During the enrollment process, Chrome Browser uploads the following information:

Enrollment token
Device ID
Machine name
OS platform
OS version

Why don't I see a Chrome management section in my Admin console?

If you have the legacy free edition of G Suite, Chrome management isn't currently available in your Admin console. Support for legacy free edition will be rolled out in the future.

source:
https://support.google.com/chrome/a/answer/9301891?hl=en

OpenDns setup on IOS 11 devices

This Knowledge Base article will show you how to set up your IOS device in order to use OpenDNS.

Note:

These instructions only work for Wi-Fi connections because iOS does not allow you to change the DNS servers when connected to cellular networks. Also, the changes are network specific, so you'll need to change the DNS servers every time you connect to a new wireless network. The good news is that iOS remembers the settings, so you won't have to repeat these changes whenever you reconnect to a known network.

Also, this works the same on all iOS devices.

Changing your IOS device DNS settings:

From the IOS device home screen, tap Settings.
Tap Wi-Fi, ensure it is enabled and your wireless network is connected.
Click the symbol next to your wireless network, as shown below.
The screen shown below appears. Tap the Configure DNS field.
Ensure Manual is selected and delete the current DNS servers by tapping on the symbol.
Tap Add Server and enter OpenDNS resolvers 208.67.222.222. Repeat this process to add another DNS server as follows 208.67.220.220, as shown below.
Tap Save to exit the menu.

That's it! You've updated your IOS device DNS servers!

source:
https://support.opendns.com/hc/en-us/articles/228008947-IOS-11-Configuration-for-OpenDNS

Attackers Use Legacy IMAP Protocol to Bypass Multifactor Authentication in Cloud Accounts, Leading to Internal Phishing and BEC

Threats to cloud-based applications have been growing, and passwords — the traditional method used to secure accounts — are often no longer enough to protect users from the dangers that they potentially face. The need for more comprehensive security in cloud-based applications has led to vendors offering multifactor authentication (MFA) as an integral feature of their products and services. By using MFA, users limit the risk that an attacker will gain control of their accounts by spreading authentication across multiple devices.

However, while MFA provides an additional layer of security for protecting account access, it’s not a fool-proof feature. For example, a recent study from Proofpoint examined brute-force attacks against user accounts in major cloud services. The attacks reportedly took advantage of legacy email protocols, phishing, and credential dumps to bypass MFA.

Notably, attackers were able to abuse legacy protocols — most commonly the IMAP authentication protocol — to bypass even multifactor authentication. The study noted that the IMAP protocol can be abused under certain situations, such as when users employ third-party email clients that do not have modern authentication support. IMAP abuse can also be performed in two other cases: when the targets do not implement applications passwords and when it is done against shared email accounts where IMAP is not blocked and/or MFA cannot be used. The report also said these attacks can often go undetected, instead looking like failed logins rather than external attempts. Threat actors use these accounts as entry points into the system, after which lateral movement is carried out via internal phishing and BEC to expand their reach within the organization.

The six-month study saw over 72 percent of cloud tenants being targeted at least once by attackers, while 40 percent had at least one compromised account within their system. Even more concerning, 15 out of every 10,000 active user accounts were successfully breached. Hijacked servers and routers were used as the main attack platforms, with the network devices gaining access to approximately one new tenant every 2.5 days during a 50-day period.

Roughly 60 percent of the tenants involved in the study that were using Microsoft Office 365 and G Suite were targeted with the password-spraying attacks via IMAP, and 25 percent fell victim to a successful breach.

As more companies across industries adopt cloud-based services, it’s expected that cybercriminals will go after accounts for cloud-based platforms. Once an account has been compromised, whether through hacking or brute force, the account could be used to communicate with executives and their staff. Internal BEC emails could trick the targets into transferring funds and personal or corporate data or downloading malicious files. Compromised email accounts, for example, had been found replying to email threads to deliver malware. These BEC attempts can be difficult to detect given that they come from legitimate (though compromised) email accounts.

A feature such as MFA is only one part of an effective multilayered security implementation. Organizations looking to boost their security can start with these best practices:

Passwords still have a role to play as a component of multifactor authentication. Ensure that users have passwords that are strong and regularly changed to stay protected from brute-force attacks. This could mean includes using at least 12 characters with a mix of upper and lowercase letters, numbers, and special characters. Ask users to avoid common or easily-guessable passwords or passwords that show obvious information such as names or birthdates.
Educate employees on how to identify phishing attacks. Common indicators that an email is a phishing attempt include suspicious-looking email addresses and the presence of misspellings and typographical errors.
Furthermore, attackers often try to make their phishing attempts as convincing as possible. Thus, users should avoid giving out personal and company information unless they are absolutely certain that the person or group they are communicating with is legitimate.

Given that cybercriminals use compromised accounts and internal BEC emails, organizations should also consider the use of security solutions designed to combat the growing threat. Trend Micro’s existing BEC protection uses AI, including expert rules and machine learning to analyze email behavior and intention. The new and innovative Writing Style DNA technology goes further by using machine learning to recognize the DNA of an executive’s writing style based on past written emails. Designed for high-profile users who are prone to being spoofed, Writing Style DNA technology can detect forged emails when the writing style of an email does not match that of the supposed sender. The technology is used by Trend Micro™ Cloud App Security™ and ScanMail™ Suite for Microsoft® Exchange™ solutions to cross-match the email content’s writing style to the sender’s by taking into account the following criteria: capital letters, short words, punctuation marks, function words, word repeats, distinct words, sentence length, and blank lines, among 7,000 other writing characteristics.

Source
https://www.trendmicro.com/vinfo/us/security/news/cybercrime-and-digital-threats/attackers-use-legacy-imap-protocol-to-bypass-multifactor-authentication-in-cloud-accounts-leading-to-internal-phishing-and-bec

Easier Wi-Fi Planning, Security and Management from the Cloud

Wi-Fi access is ubiquitous, but it’s not always easy to plan, deploy, secure and manage, especially for distributed businesses and enterprises.

SonicWall believes there’s an easier approach. Our product teams have revamped our Wi-Fi management solutions with innovation at its foundation. Top-of-mind during the entire process, our focus was on evolving our Wi-Fi technology in four key areas: security, performance, simplicity and intuitiveness.

On paper, those sound obvious. But we wanted to be sure the execution matched the vision — to remove all the complexity without impacting the end-user experience. The outcome of this effort is four new SonicWall wireless solutions:

SonicWall WiFi Cloud Manager
SonicWall SonicWave 200 Series Wireless Access Points
SonicWiFi Mobile App
SonicWall WiFi Planner

Intuitive wireless management for the next era

One of the constant nightmares for network admins is an unmanageable network. As your network expands, policies change and threats increase, it is often difficult to keep pace.

Discovering an outage only after it has happened — or malware after it has creeped into your network — is disastrous. SonicWall arms you with the right tool to gain insights into your network to keep pace with changing network requirements.

SonicWall WiFi Cloud Manager is an intuitive, scalable and centralized Wi-Fi network management system suitable for networks of any size. With simplified management, wireless analytics is richer and easily accessible from anywhere with an internet connection. The cloud-based management solution is designed to be user-friendly and resilient while simplifying access, control and troubleshooting capabilities.

With a fresh UI, WiFi Cloud Manager can be accessed via SonicWall Capture Security Center to deliver powerful features and simplified onboarding via the cloud from a single pane of glass. Centralized visibility and control over SonicWall’s wired and wireless networking hardware reduces complexity and the need for costly overlay management systems. It also can be deployed across multiple regions for greater network visibility into disturbed enterprises.

For network admins on the go, SonicWall introduces SonicWiFi mobile app to set up and monitor your network. Easily onboard your APs and setup mesh with this app. It is available on iOS and Android.

Advanced wireless security — with or without a firewall

Organizations, big and small, need secure wireless solutions for extending connectivity to employees, customers and guests. The new SonicWave 200 series wireless access points deliver enterprise-level performance and security with the range and reliability of 802.11ac Wave 2 technology at an affordable price.

Built on industry-leading next-gen security, these APs features a dedicated third radio for security scanning. In fact, advanced security features like Content Filtering Service (CFS) and the Capture Advanced Threat Protection (ATP) sandbox service can be performed on the AP itself, enabling organizations to mitigate cyberattacks even where firewalls aren’t deployed.

_{SonicWave 200 access points are available in three options, including 231c for indoor, 231o for outdoor and 224w for wall-mount requirements.}

Manage dozens or even thousands of SonicWave wireless access points from anywhere you have an internet connection via the cloud or through the firewalls, providing you ultimate flexibility.

The SonicWall WiFi Cloud Manager provides you a single-pane-of-glass view of your entire wireless network. SonicWave access points also support SonicWall Zero-Touch Deployment, which allows the access points to be automatically identified and registered. SonicWiFi mobile app also lets you set up, manage and keep track of your network.

SonicWave access points leverage mesh technology to negate complexity from wireless expansion, especially at remote or distributed locations. Mesh networks are easy to set up, effortless to expand, and require fewer cables and less manpower to deploy, reducing installation costs. The new push-and-snap mounting bracket further adds to the ease of installation.

Easily plan, deploy your wireless networks

IT administrators often hear complaints about unreliable Wi-Fi connectivity leading to poor user experiences. This is mostly because Wi-Fi networks are not designed correctly to begin with. AP placements could be wrong, there may be radio frequency barriers or there simply isn’t enough capacity and coverage.

SonicWall WiFi Planner is a simple, easy-to-use, advanced wireless site survey tool that enables you to optimally design and deploy a wireless network for enhanced wireless user experience.

This tool lets you customize your settings per your surroundings and requirements to obtain maximum coverage with the fewest number of access points. You can prevent interference in your deployment on a best-effort basis through auto-channel assignment.

With a cloud-based UI, you also have the flexibility to collaborate with global teams. It is ideal for new access point deployments or to ensure excellent coverage in your wireless network. Available at no added cost, SonicWall WiFi Planner is accessible through WiFi Cloud Manager.
Together, these products deliver a powerful wireless solution, paving way for the next era of wireless security. Welcome to the future of wireless security.

Source
https://blog.sonicwall.com/en-us/2019/02/easier-wi-fi-planning-security-management-from-the-cloud/

Migration Tools for the Azure Hybrid Cloud

While the hybrid cloud offers a number of benefits, moving to the hybrid cloud isn’t the easiest of tasks. To get there, you need to perform an analysis of the workloads and services that you are considering moving to the hybrid cloud to ensure that they are suitable candidates for running in the cloud.

Next, you need to perform an initial cost analysis. Cost saving is one of the main benefits of moving to the hybrid cloud. However, accurately estimating the cost savings can be difficult. Sometimes you may not really know the real costs until you actually make the move. Finally, you need a way to move all or select parts of your on-premise workloads into the cloud. Fortunately, if you’re considering a move to the Azure hybrid cloud then Microsoft provides several tools that can help you with the different aspects of your hybrid cloud migration. Let’s take a closer look at some of Microsoft’s most important hybrid cloud migration tools.

Cloud Migration Assessment

Accessing your current environment is the first step in moving to the hybrid cloud and Microsoft Assessment and Planning toolkit (MAPs) can help you discover the servers across your IT environment. MAPs can automatically collect data and analyze your on-premise system hardware configuration. MAPs primarily uses WMI to collect information from Windows and Linux based servers as well as Hyper-V and VMware environments. When it’s finished it generates an Inventory Results Report that can be opened in Excel and passed on to other tools.

Estimating Costs

Understanding the impact of a move to the cloud is vital for both your company’s operational efficiencies as well as its bottom line. Cost is often the number one factor that will prompt businesses to move into the cloud. To help evaluate the costs of moving to Azure Microsoft provides their Azure Total Cost of Ownership Calculator (TCO Calculator). The TCO Calculator is a web-based tool that prompts you to enter the details of your on-premise server infrastructure. First, you tell it your workloads and their details like the type of servers they are running on. Next, you enter the details of your on-premises database and storage infrastructure. Finally, you supply the amount of network bandwidth you are currently consuming. The results of your MAPs analysis can be feed into the TCO Calculator.

Azure Hybrid Use Benefit

Another tool that can help in your hybrid cloud migration is the Azure Hybrid Use Benefit. The Azure Hybrid Use Benefit allows customers with Software Assurance to run Windows VMs on Azure at a reduced rate potentially providing significant cost savings. Azure Hybrid Use Benefit can be used with Windows Server Datacenter and Standard edition licenses that are covered by Software Assurance or Windows Server Subscriptions. Windows Server Datacenter Edition customers can use licenses both on-premises and in Azure. Windows Server Standard Edition customers can assign the Azure Hybrid Use Benefit for licenses on Azure. However, if they do they cannot use the Standard Edition license on-premise. While the actual savings depends on the Azure usage and size and type of VMs, one example Microsoft touts is that for every 100 Window Server licenses you can run up to 200 virtual machines with a potential savings of over $300,000 a year (based on the D3-V2 VM size).

Azure Migrate Service

The Azure Migrate service is a paid Azure service that assesses migrating on-premise VMware workloads to Azure. The Azure Migrate service can only work with on-premises VMware VMs. The VMware VMs must be managed by vCenter Server. To use the Azure Migrate service you must install a local virtual collector appliance that analyzes on-premises VMware VMs. The service performs performance-based sizing as well as cost estimates for moving the VMs to Azure. If you want to analyze Hyper-VMs or physical servers you need to use the Azure Site Recovery Deployment Planner for Hyper-V. The Azure Migrate service has a free 180 day trial period.

Azure Site Recovery and Azure Database Migration

While its main purpose is disaster recovery, Azure Site Recovery (ASR) is can also be used to migrate VMs to Azure. ASR is a paid service and it can migrate a number of different systems types to Azure including VMs on AWS, VMware, Hyper-V or physical servers. You can configure ASR to take advantage of your Azure Hybrid Use Benefit with PowerShell. If you want to migrate databases then you can use the Azure Database Migration Service which is also a paid service that can migrate SQL Server, Amazon RDS SQL and Oracle to Azure SQL Database.

Source
https://www.petri.com/migration-tools-for-the-azure-hybrid-cloud