the new normal - rackspace solve 2015

The New Normal: Managing the constant stream of new vulnerabilities
Aaron Hackney, Principal Architect, [email protected]
Major Hayden, Principal Architect, [email protected]

Uploaded by major-hayden on 15-Apr-2017

TRANSCRIPT


2014 Was Rough

Heartbleed, April 2014
Sandworm, October 2014
POODLE, October 2014
Shellshock, September 2014

Vulnerabilities Are Now Mainstream News

Source: https://twitter.com/mattblaze/status/573938261325844480

OUR MISSION TODAY: To arm you with a solid strategy to secure your infrastructure efficiently.

Understand Cognitive Bias

“...we respond to the feeling of security and not the reality. Now most of the time, that works. Most of the time, feeling and reality are the same… if our feelings match reality, we make better security trade-offs.”

Bruce Schneier

TEDxPSU, 2010

If I had a dollar to spend on security, I’d spend 99 cents on detection and a penny on prevention.

The Security Life Cycle (diagram: Prevention, Incident Detection, Response)

• Start with common sense prevention
• Principle of least privilege
• Then spend the bulk of your budget on layers of detection
• Assume incidents will happen
• Create a rock-solid response plan
• Take feedback from the response process and invest in prevention

Detection 101: Logging

• Every server, network device, and application generates some type of logs
• Collect your logs in a central location
• Monitor for critical events first
  – Authentication attempts (successful and failed)
  – Service/system restarts
  – Network errors
  – Configuration changes
• Monitoring for events can be cumbersome in busy environments
• Graph your log line counts over time and look for unusual peaks or spikes
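As an added example (not from the slides and not Rackspace's tooling), here is a small Python script that does what the bullets above describe over a handful of constructed syslog-style lines: it tallies the critical event classes the slide lists (authentication attempts, service restarts, network errors, configuration changes) and buckets line counts per minute so that an unusual spike stands out against the median minute. Host names, user names, addresses, process ids and timestamps in the sample are invented.

```python
import re
from collections import Counter
from datetime import datetime
from statistics import median

# Constructed syslog-style sample lines (hosts, users, addresses and timestamps are invented).
SAMPLE_LOGS = [
    "2015-03-10T10:00:05 web01 sshd[1201]: Accepted publickey for deploy from 10.0.0.5 port 51022",
    "2015-03-10T10:00:41 web01 cron[1210]: (root) CMD (/usr/lib/sysstat/sa1 1 1)",
    "2015-03-10T10:01:12 web01 kernel: eth0: link is not ready",
    "2015-03-10T10:01:50 web01 cron[1222]: (root) CMD (run-parts /etc/cron.hourly)",
    "2015-03-10T10:02:03 web01 systemd[1]: Started Apache HTTP Server.",
    "2015-03-10T10:02:30 web01 puppet-agent[1300]: /Stage[main]/Ssh/File[/etc/ssh/sshd_config]/content: content changed",
    "2015-03-10T10:03:07 web01 cron[1333]: (root) CMD (/usr/lib/sysstat/sa1 1 1)",
    "2015-03-10T10:03:59 web01 sshd[1340]: Accepted password for alice from 10.0.0.9 port 50110",
] + [
    # A constructed burst of failed logins inside one minute: the kind of spike the slide says to look for.
    f"2015-03-10T10:04:{sec:02d} web01 sshd[{1400 + sec}]: Failed password for root from 198.51.100.7 port {40000 + sec}"
    for sec in range(0, 40, 5)
]

# Layout assumed for the sample: "timestamp host process[pid]: message"; the [pid] part is
# optional because kernel lines carry none.
LOG_RE = re.compile(r"^(?P<ts>\S+) (?P<host>\S+) (?P<proc>[^\[:]+)(?:\[\d+\])?: (?P<msg>.*)$")

# The four "monitor first" classes from the slide, as message patterns for this sample format.
CRITICAL_EVENTS = {
    "auth_success": re.compile(r"Accepted (?:publickey|password) for"),
    "auth_failure": re.compile(r"Failed password for|authentication failure"),
    "service_restart": re.compile(r"\b(?:Started|Stopped|Stopping|restart(?:ed|ing)?)\b"),
    "network_error": re.compile(r"link is not ready|link down|unreachable"),
    "config_change": re.compile(r"content changed|config(?:uration)? changed"),
}


def parse_line(line):
    """Split one syslog-style line into its fields; return None for lines that do not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    fields = m.groupdict()
    fields["time"] = datetime.strptime(fields["ts"], "%Y-%m-%dT%H:%M:%S")
    return fields


def critical_events(lines):
    """Count how many lines fall into each critical event class."""
    counts = Counter()
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        for name, pattern in CRITICAL_EVENTS.items():
            if pattern.search(rec["msg"]):
                counts[name] += 1
    return counts


def count_per_minute(lines):
    """Bucket log line counts by minute: the series you would graph over time."""
    buckets = Counter()
    for line in lines:
        rec = parse_line(line)
        if rec is not None:
            buckets[rec["time"].strftime("%Y-%m-%dT%H:%M")] += 1
    return dict(buckets)


def find_spikes(buckets, factor=3.0, min_count=5):
    """Flag minutes whose count exceeds both min_count and factor times the median minute.

    The median is the baseline because a single burst does not drag it upward the way
    it would drag a mean; min_count keeps quiet hosts from alerting on two or three lines.
    """
    if not buckets:
        return []
    threshold = max(min_count, factor * median(buckets.values()))
    return sorted(minute for minute, n in buckets.items() if n > threshold)


if __name__ == "__main__":
    for name, n in sorted(critical_events(SAMPLE_LOGS).items()):
        print(f"{name:16s} {n}")
    per_minute = count_per_minute(SAMPLE_LOGS)
    for minute, n in sorted(per_minute.items()):
        print(f"{minute}  {'#' * n}")  # a crude text graph of the line-count series
    print("spikes:", find_spikes(per_minute))
```

On the sample the failed-login burst is the only minute flagged; in a real deployment the same two functions would run over the centrally collected feed, and the per-minute series (or per-host, per-process variants of it) is what you graph, since a human spots a peak on a chart far faster than in a stream of raw lines.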

Integrity Monitoring & Auditing

• Use best practices and hardening standards to set a minimum security spec for your systems
• Monitor for configuration changes with strong change control processes
• Use deployment frameworks, like Ansible, Puppet, or Chef
  – Revision control makes change control easier
  – Easy to audit large amounts of systems quickly
• Network segmentation can be a detection and prevention mechanism
  – Force attackers to be noisy if they choose to cross a network segment
  – Trending via NetFlow analysis may reveal attacks in progress

Community-driven hardening standards for common systems, including Linux, Windows, and Cisco devices. For more information, visit: http://www.cisecurity.org/
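As an added example, not from the slides and not Rackspace's own tooling, here is a small Python file-integrity check in the spirit of the "monitor for configuration changes" bullet above: it records a SHA-256 digest and the permission bits of every file under a directory, then compares a later snapshot against that baseline and reports files that were added, removed, modified, or had their mode changed. The demo builds a throwaway directory of constructed config files rather than touching a real /etc; the file names and contents are invented.

```python
import hashlib
import os
import stat
import tempfile
from pathlib import Path


def snapshot(root):
    """Map each file under root (relative POSIX path) to (sha256 hex digest, permission bits)."""
    root = Path(root)
    result = {}
    for path in sorted(p for p in root.rglob("*") if p.is_file()):
        digest = hashlib.sha256()
        with path.open("rb") as fh:
            for chunk in iter(lambda: fh.read(65536), b""):
                digest.update(chunk)
        mode = stat.S_IMODE(path.stat().st_mode)
        result[path.relative_to(root).as_posix()] = (digest.hexdigest(), mode)
    return result


def diff_snapshots(baseline, current):
    """Compare two snapshots and classify every difference."""
    common = set(baseline) & set(current)
    return {
        "added": sorted(set(current) - set(baseline)),
        "removed": sorted(set(baseline) - set(current)),
        "modified": sorted(p for p in common if baseline[p][0] != current[p][0]),
        "mode_changed": sorted(p for p in common if baseline[p][1] != current[p][1]),
    }


def demo():
    """Build a constructed config tree, baseline it, introduce drift, and return the diff."""
    with tempfile.TemporaryDirectory() as tmp:
        etc = Path(tmp)  # stand-in for a real configuration directory
        (etc / "ssh").mkdir()
        (etc / "ssh" / "sshd_config").write_text("PermitRootLogin no\nPasswordAuthentication no\n")
        (etc / "sudoers").write_text("root ALL=(ALL) ALL\n")
        (etc / "motd").write_text("Authorized use only\n")
        os.chmod(etc / "sudoers", 0o440)
        baseline = snapshot(etc)

        # Constructed drift: a hardening setting is weakened, a cron entry appears,
        # a file disappears, and a sensitive file becomes world-readable.
        (etc / "ssh" / "sshd_config").write_text("PermitRootLogin yes\nPasswordAuthentication no\n")
        (etc / "cron.d").mkdir()
        (etc / "cron.d" / "backup").write_text("0 2 * * * root /usr/local/bin/backup.sh\n")
        (etc / "motd").unlink()
        os.chmod(etc / "sudoers", 0o644)

        return diff_snapshots(baseline, snapshot(etc))


if __name__ == "__main__":
    for kind, paths in demo().items():
        print(f"{kind:13s} {paths}")
```

The baseline would normally be taken right after a deployment framework like Ansible, Puppet, or Chef has converged the host, stored somewhere the host itself cannot rewrite, and compared on a schedule; any difference that does not correspond to a change-control ticket is the signal. Every change flagged by the demo is one a Puppet or Chef run would also have reverted, which is why the slide pairs integrity monitoring with those frameworks.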

Incident Response

Rely on solid processes so that everyone knows their place during an incident

Detect & Analyze
• Gather data from any available sensors, logs, or observations.
• Determine which systems are involved and the severity of the breach.

Contain & Recover
• Bring systems offline or remove network connectivity.
• Provision new systems and carefully restore from clean backups.

Root Cause Analysis
• How could we have prevented the attack or detected it sooner?
• Turn security failures into solid investments in prevention.

Incident Management

• Communicate about an incident using criteria that your employees and customers understand
  – Reduce anxiety with frequent, concise communications
  – Using code names or alert levels may help
  – Example: U.S. Department of Defense’s DEFCON
• Ensure everyone knows what’s happening and what part they play in the incident

After the incident

• “What could we have done to prevent incidents like these?”
• Fishbone diagrams help with larger organizations
• Make a larger number of smaller changes
• Focus on the user experience
  – Then find security improvements that provide good trade-offs

The book you never thought was actually about information security.

Security User Experience (diagram)

Requirements feeding the review process:
• Business and user requirements
• Security, legal and compliance requirements
• Customer requirements

Review Process

Outcomes of the review process:
• Process improvement
• Technology upgrades
• Vendor products
• Communication

Plan for the unknowns

“Reports that say...that something hasn't happened are always interesting to me, because as we know, there are known knowns; there are things that we know that we know. We also know there are known unknowns; that is to say we know there are some things we do not know. But there are also unknown unknowns, the ones we don't know we don't know.”

—Donald Rumsfeld, Former United States Secretary of Defense

Photo source: Wikipedia, Scott Davis, US Army, Public Domain

ONE FANATICAL PLACE | SAN ANTONIO, TX 78218
US SALES: 1-800-961-2888 | US SUPPORT: 1-800-961-4454 | WWW.RACKSPACE.COM
© RACKSPACE LTD. | RACKSPACE® AND FANATICAL SUPPORT® ARE SERVICE MARKS OF RACKSPACE US, INC. REGISTERED IN THE UNITED STATES AND OTHER COUNTRIES. | WWW.RACKSPACE.COM

Thank you