With new vulnerabilities surfacing daily, businesses need a solid strategy and internal plans to deal with them. This vendor-neutral talk helps people discover the things they need to do to get their house in order before considering costly technology purchases.
The New Normal - Rackspace Solve 2015
1. The New Normal
Managing the constant stream of new vulnerabilities
Aaron Hackney, Principal Architect
aaron.hackney@rackspace.com
Major Hayden, Principal Architect
major.hayden@rackspace.com
3. Vulnerabilities Are Now Mainstream News
Source: https://twitter.com/mattblaze/status/573938261325844480
4. OUR MISSION TODAY:
To arm you with a solid strategy to secure your infrastructure efficiently.
5. Understand Cognitive Bias
“...we respond to the feeling of security and not the reality. Now most of the time, that works. Most of the time, feeling and reality are the same…if our feelings match reality, we make better security trade-offs.”
Bruce Schneier, TEDxPSU, 2010
6. If I had a dollar to spend on security, I’d spend 99 cents on detection and a penny on prevention.
7. The Security Life Cycle
• Start with common sense prevention
• Principle of least privilege
• Then spend the bulk of your budget on layers of detection
• Assume incidents will happen
• Create a rock-solid response plan
• Take feedback from the response process and invest in prevention
[Diagram: a cycle of Prevention, Detection, and Incident Response]
8. Detection 101: Logging
• Every server, network device, and application generates some type of logs
• Collect your logs in a central location
• Monitor for critical events first
– Authentication attempts (successful and failed)
– Service/system restarts
– Network errors
– Configuration changes
• Monitoring for events can be cumbersome in busy environments
• Graph your log line counts over time and look for unusual peaks or spikes
9. Integrity Monitoring & Auditing
• Use best practices and hardening standards to set a minimum security spec for your systems
• Monitor for configuration changes with strong change control processes
• Use deployment frameworks, like Ansible, Puppet, or Chef
– Revision control makes change control easier
– Easy to audit large numbers of systems quickly
• Network segmentation can be a detection and prevention mechanism
– Force attackers to be noisy if they choose to cross a network segment
– Trending via NetFlow analysis may reveal attacks in progress
Community-driven hardening standards for common systems, including Linux, Windows, and Cisco devices. For more information, visit: http://www.cisecurity.org/
10. Incident Response
Rely on solid processes so that everyone knows their place during an incident.
Detect & Analyze
• Gather data from any available sensors, logs, or observations.
• Determine which systems are involved and the severity of the breach.
Contain & Recover
• Bring systems offline or remove network connectivity.
• Provision new systems and carefully restore from clean backups.
Root Cause Analysis
• How could we have prevented the attack or detected it sooner?
• Turn security failures into solid investments in prevention.
11. Incident Management
• Communicate about an incident using criteria that your employees and customers understand
– Reduce anxiety with frequent, concise communications
– Using code names or alert levels may help
– Example: U.S. Department of Defense’s DEFCON
• Ensure everyone knows what’s happening and what part they play in the incident
12. After the incident
• “What could we have done to prevent incidents like these?”
• Fishbone diagrams help with larger organizations
• Make a larger number of smaller changes
• Focus on the user experience
– Then find security improvements that provide good trade-offs
Caption: The book you never thought was actually about information security.
13. Security User Experience
[Diagram: a Review Process with inputs (business and user requirements; security, legal and compliance requirements; customer requirements) and outputs (process improvement, technology upgrades, vendor products, communication)]
14. Plan for the unknowns
“Reports that say...that something hasn't happened are always interesting to me, because as we know, there are known knowns; there are things that we know that we know. We also know there are known unknowns; that is to say we know there are some things we do not know. But there are also unknown unknowns, the ones we don't know we don't know.”
—Donald Rumsfeld, Former United States Secretary of Defense
Photo source: Wikipedia, Scott Davis, US Army, Public Domain