Learn how to overcome security challenges, such as: identity theft, spoofed transactions, DDoS business disruption, criminal extortion and more. You'll learn how a security strategy promotes confidence in the cloud.
3. Increasing and costly security threats
• Average cost per data breach to an Australian business is $2.5 million
• PwC research found a 48% increase in reported global security incidents last year versus the prior year
• McAfee estimates the cost of cybercrime to the global economy at anywhere from $400 to $600 billion per year
Source: PwC Global State of Information Security Study 2015, Gartner, McAfee, Crn.com
4. Top Cloud Challenges 2016
1. Lack of resources/expertise
2. Security
3. Compliance
4. Managing multiple cloud services
5. Managing costs
SOURCE: RightScale 2016 State of the Cloud Report
PROPRIETARY & CONFIDENTIAL
5. Brannon Lacey
General Manager, Emerging Businesses
Leads the Digital Marketing and Managed Security business units at Rackspace.
Prior to Rackspace, Brannon was a Principal at Samsung Venture Investment Corp and a Manager within the Strategy Practice at Accenture.
Brannon holds an MBA from Columbia Business School and dual degrees in Entrepreneurship and Management Information Systems from the University of Arizona.
INTRODUCTION
6. About Rackspace
Portfolio of hosted solutions: DEDICATED :: CLOUD :: HYBRID
10 worldwide data centers
6,200 Rackers
Annualized revenue over $2B
We serve 60% of the Fortune® 100
Global footprint: customers in 120 countries
7. Global Reach
SERVING BUSINESSES IN 120 COUNTRIES
North America
DATA CENTERS: Ashburn, VA; Chicago, IL; Herndon, VA; Grapevine, TX; Richardson, TX
OFFICES: Austin, TX; Blacksburg, VA; Chicago, IL; Cincinnati, OH; Duluth, GA; New York, NY; San Antonio, TX; San Francisco, CA; St. Louis, MO
EMEA
DATA CENTERS: Crawley, UK; Slough, UK
OFFICES: Amsterdam, Netherlands; Hayes, UK; Zurich, Switzerland
APAC
DATA CENTERS: Fo Tan, Hong Kong; Erskine Park, Australia
OFFICES: Quarry Bay, Hong Kong; Sydney, Australia; Bangalore, India
LATAM
OFFICES: Mexico City, MX
9. RACKSPACE® MANAGED CLOUD
WORKLOAD / EXPERTISE: Cloud Scale Apps, Data Services, Digital, Cloud Office, IT Transformation, Security
INFRASTRUCTURE SERVICE: Dedicated Hosting, Private Cloud, Public Cloud, Hybrid Cloud
Technology Stack / Platform, backed by Fanatical Support® 24x7x365
SECURITY AND COMPLIANCE
10. Anatomy of an Attack
General Manager, Emerging Business :: @rackspace
JARRET RAIM
11. Jarret Raim
Director of Strategy & Engineering
Responsible for the development, implementation and
support of all customer facing security products and
services.
Jarret has held several internal security architecture
and product management roles at Rackspace to
include the creation of Barbican key management
product, now part of the official OpenStack
ecosystem.
Jarret holds Masters and Bachelors degrees in
Computer Science from Trinity and Lehigh
Universities, respectively.
INTRODUCTION
12. Advanced Persistent Threat
• Advanced – use of sophisticated techniques, such as custom malware and exploits of vulnerabilities
• Persistent – external command and control driven by a threat actor; continuous and varied attacks
• Threat – a human-based organization with specific goals
Image courtesy of Wikipedia
An advanced persistent threat (APT) is a set of stealthy and continuous computer hacking processes, often orchestrated by human(s) targeting a specific entity.
13. Anatomy of an Attack
• Recon the target
• Exploitation of the target, establishing local control
• Command established with exploited resources
• Recon, pivot and privilege escalation
• Data collection and exfiltration
21. Malware: Poison Ivy
• RATs are generally considered 'low-tech', but they are used as part of APT-style attacks
• Poison Ivy has been in use for over 8 years; repacking and other evasion techniques allow it to remain effective
• Includes key logging, screen capturing, video capturing, file transfers, password theft, system administration, traffic relaying, and more
• Primarily seen at financial institutions – an indication of its use in APT campaigns
Remote Access Tools (RATs) offer unfettered access to compromised machines. They are deceptively simple: attackers can point and click their way through the target's network to steal data and intellectual property.
23. Example Pivot: Target
1. Attacker recons Target and catalogues its suppliers using public sources
2. Fazio is compromised through spear phishing, which grants access to the Target network
3. Attacker uses a default password in BMC software to move through the network (unconfirmed)
4. Attacker installs POS malware and sets up exfiltration servers
5. Credit card information is collected and exfiltrated
An attacker is said to be 'pivoting' when they recon and compromise additional machines after an initial incursion; this is also known as lateral movement.
Attackers had access to the Target networks for just over 30 days. Their activity was detected, but Target was unable to respond in time because of limited staffing and the flood of alerts from its tools.
24. CUSTOMER SECURITY OPERATIONS
25. A Security Strategy for the New Normal
Building upon the most effective elements of traditional security with a focus on three key areas for uniquely effective protection in today's threat landscape:
• Prioritize your data and understand its business value
• Abandon the traditional reactive posture triggered by alerts
• Enable immediate action to protect data and minimize business impact
OUR SECURITY APPROACH: Proactive Detection, Rapid Response, Deep Expertise
26. Rackspace Managed Security Operations
• Holistic 24x7x365 capability to monitor, alert and respond to security incidents on our customers' behalf
• Do as much as we can on behalf of our customers, and do it quickly:
‣ Minimize impact by replacing graduated response with immediate action
‣ Enabled by pre-approved actions
• Security best practice and hygiene = compliance outcomes
• All customer interaction and oversight handled by a dedicated Customer Experience Team to ensure:
‣ Quality
‣ Consistency
‣ Reliability
[Diagram: Customer, Customer Experience Team, Customer Security Operations Center, Compliance Team]
27. Know Your Enemy
What is an Advanced Persistent Threat (APT)?
• The APT actor is a PERSON…
‣ Highly sophisticated
‣ Highly motivated
‣ Well-trained
‣ Well-equipped
• An APT actor is backed by…
‣ Powerful nation states
‣ Well-resourced organized crime groups
28. Technology Alone Will Not Succeed
Experienced security analysts are key for effective protection. Rackspace analysts are:
• Highly experienced
• Highly motivated
• Well-trained
• Well-equipped
Backed by…
• Fanatical Support®
• Best-in-breed technology
29. Rackspace Managed Security Reduces an APT's Most Precious Resource: Time
DETER – Proactive & Predictive
• Prepare the battlespace
• Understand the threat landscape
• Set operational plan & procedure
• Understand business risk
DETECT – Automated & Expertise-Driven
• Monitor systems & networks
• Identify anomalies through proactive cyber hunting
RESPOND – Swift & Sure
• Triage & investigate
• Execute cyber response
• Respond immediately through pre-approved actions
REPORT – Timely & Risk-Based
• Event-driven flash & after-action reporting
• Weekly metrics reporting
• Monthly cyber-risk reporting
[Cycle diagram: Awareness, Anticipation, Action, After-action; Support, Report, Measure]
30. CYBER HUNTING
• What is Cyber Hunting?
‣ Proactive analysis of data
‣ Generic and targeted (focused) hunting
• Why do we Hunt?
‣ Catch what is missed by tools
• How does Hunting improve security
posture?
‣ Earlier detection in the
Attacker Life Cycle
‣ Fills gaps in tool visibility
31. WHAT DO WE HUNT FOR?
• Intel-based Indicators of Compromise
(IOCs)
‣ Known bad IP Addresses, Domain
Names, Hashes, etc.
• Anomaly-Based Indicators of
Compromise (IOCs)
‣ Abnormal scheduled tasks
‣ Auto-start programs
‣ Process masquerading
‣ Other anomalous activity
• Indicators of Attacks (IOAs)
‣ Attacker Life Cycle (Cyber Kill-Chain)
‣ Behavioral indicators
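The two IOC classes above, intel-based and anomaly-based, as working hunt logic. This is an added example and is not part of the original deck or of Rackspace's tooling: the process snapshot, connections, file hashes, scheduled tasks, autoruns and the indicator feed are all constructed for illustration (the IPs come from documentation ranges), and the rules it applies (a core system binary name running outside System32, svchost.exe not parented by services.exe, persistence entries in user-writable paths or running encoded PowerShell) are assumed baselines a hunter would tune per environment.

```python
"""Hunt pass over a constructed host snapshot: intel-based IOCs (known-bad
IPs, domains, file hashes) and anomaly-based IOCs (process masquerading,
suspicious scheduled tasks and autostarts).

Added example, not Rackspace code. All indicators, paths and process data
below are constructed; the intel entries use documentation/reserved ranges."""
import ntpath

# Constructed intel feed. Assumption: a real feed would come from a TIP/SIEM.
INTEL_IOCS = {
    "ip": {"203.0.113.45", "198.51.100.7"},
    "domain": {"update-cdn.example", "c2.invalid"},
    "sha256": {"0" * 63 + "1"},
}

# Where core Windows binaries legitimately live (assumption: default install).
SYSTEM_DIRS = {r"c:\windows\system32", r"c:\windows\syswow64"}
SYSTEM_BINARIES = {"svchost.exe", "lsass.exe", "csrss.exe", "services.exe", "winlogon.exe"}
# User-writable locations that persistence entries rarely point at legitimately.
SUSPICIOUS_DIRS = ("\\temp\\", "\\users\\public\\", "\\programdata\\")


def hunt_intel(connections, file_hashes):
    """Match network connections and file hashes against the intel feed."""
    hits = []
    for pid, remote_ip, remote_domain in connections:
        if remote_ip in INTEL_IOCS["ip"]:
            hits.append(("ip", remote_ip, f"pid {pid}"))
        if remote_domain and remote_domain.lower() in INTEL_IOCS["domain"]:
            hits.append(("domain", remote_domain, f"pid {pid}"))
    for path, digest in file_hashes.items():
        if digest.lower() in INTEL_IOCS["sha256"]:
            hits.append(("sha256", digest, path))
    return hits


def hunt_masquerading(processes):
    """Flag core system binary names running from the wrong directory or under
    the wrong parent (on a healthy host svchost.exe is spawned by services.exe)."""
    hits = []
    for pid, image_path, parent_name in processes:
        directory, name = ntpath.split(image_path)
        name = name.lower()
        if name in SYSTEM_BINARIES and directory.lower() not in SYSTEM_DIRS:
            hits.append(("masquerade_path", image_path, f"pid {pid}"))
        if name == "svchost.exe" and parent_name.lower() != "services.exe":
            hits.append(("masquerade_parent", image_path, f"pid {pid} parent {parent_name}"))
    return hits


def hunt_persistence(scheduled_tasks, autoruns):
    """Flag tasks/autoruns pointing at user-writable paths or encoded PowerShell."""
    hits = []
    for task_name, command in scheduled_tasks:
        cmd = command.lower()
        from_suspicious_dir = any(d in cmd for d in SUSPICIOUS_DIRS)
        encoded_powershell = "powershell" in cmd and ("-enc" in cmd or "hidden" in cmd)
        if from_suspicious_dir or encoded_powershell:
            hits.append(("task", task_name, command))
    for key, command in autoruns:
        if any(d in command.lower() for d in SUSPICIOUS_DIRS):
            hits.append(("autorun", key, command))
    return hits


# Constructed snapshot of one host: (pid, image path, parent process name).
PROCESSES = [
    (4, r"C:\Windows\System32\services.exe", "wininit.exe"),
    (812, r"C:\Windows\System32\svchost.exe", "services.exe"),
    (2204, r"C:\Windows\System32\lsass.exe", "wininit.exe"),
    (3316, r"C:\Users\Public\svchost.exe", "explorer.exe"),
]
CONNECTIONS = [  # (pid, remote ip, resolved domain or None)
    (812, "192.0.2.10", "wsus.corp.example"),
    (3316, "203.0.113.45", "update-cdn.example"),
]
FILE_HASHES = {r"C:\Users\Public\svchost.exe": "0" * 63 + "1"}
SCHEDULED_TASKS = [
    (r"\Microsoft\Windows\Defrag\ScheduledDefrag", r"C:\Windows\System32\defrag.exe -c"),
    (r"\Updater", "powershell.exe -WindowStyle Hidden -enc QQBBAEEA"),
]
AUTORUNS = [
    (r"HKLM\Software\Microsoft\Windows\CurrentVersion\Run\SecurityHealth",
     r"C:\Windows\System32\SecurityHealthSystray.exe"),
    (r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\Updater",
     r"C:\Users\bob\AppData\Local\Temp\upd.exe"),
]


def run_hunt():
    """Full hunt over the snapshot; returns a list of (kind, value, context)."""
    return (hunt_intel(CONNECTIONS, FILE_HASHES)
            + hunt_masquerading(PROCESSES)
            + hunt_persistence(SCHEDULED_TASKS, AUTORUNS))


if __name__ == "__main__":
    for kind, value, context in run_hunt():
        print(f"[{kind}] {value}  ({context})")
```

The same process (pid 3316) trips three independent checks, an intel hash match, a path anomaly and a parent anomaly; that convergence is what makes a hunt lead worth triaging even when each single indicator could be a false positive on its own.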
32. Hunting through the Attack Life Cycle
Detecting earlier in the lifecycle reduces the risk of the attacker achieving their objectives; security posture / health degrades as the attack lifecycle progresses.
Phases: INTEL GATHERING → INITIAL EXPLOITATION → COMMAND & CONTROL → PRIVILEGE ESCALATION → DATA EXFILTRATION
Stages and typical techniques:
• Conduct Background Research: OSINT, HUMINT, SIGINT
• Execute Initial Attack: spear phishing & malware, SQL injection, browser compromise, password guessing
• Establish Foothold: RATs, droppers, user credentials, service generation
• Enable Persistence: web shell / beaconing, registry keys / sticky keys, disable security agents
• Conduct Enterprise Recon: port / service scans, network and account enumeration, network monitoring
• Move Laterally to New Systems: RDP, PsExec, application exploitation, scheduled tasks / jobs
• Escalate Privileges: PWDump / gsecdump, WCE, token manipulation, account creation
• Gather and Encrypt Data of Interest: WinRAR, XOR encryption tools, move data to repository, encrypted containers
• Exfiltrate Data from Victim Systems: custom apps, FTP (if you let them), DNS exfil
• Maintain Persistent Presence: Citrix, SSH / Telnet, VPN
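Of the exfiltration techniques listed above, DNS exfil is the one that leaves a clean signal in logs a SOC usually already collects, so here is hunt logic for it over a constructed BIND-style query log. This is an added example, not from the original deck or Rackspace tooling; the log format, the thresholds (query count, unique-subdomain ratio, first-label length, entropy) and the two-label registered-domain assumption are all illustrative and would be tuned to a real resolver and environment.

```python
"""Hunting for DNS exfiltration in resolver query logs.

Added example, not from the original deck. The log format below is a
constructed BIND-style query log (assumption), and the thresholds are
illustrative starting points a hunter would tune to their environment."""
import math
import re
from collections import defaultdict

# Constructed sample: one host tunnelling encoded data through subdomains of
# evil.example, plus ordinary corporate and CDN lookups for contrast.
SAMPLE_LOG = """\
client 10.1.2.3#51234: query: www.corp.example IN A
client 10.1.2.3#51235: query: mail.corp.example IN A
client 10.1.2.3#51236: query: www.corp.example IN A
client 10.1.2.3#51237: query: sso.corp.example IN A
client 10.1.2.3#51238: query: mail.corp.example IN A
client 10.1.2.3#51239: query: www.corp.example IN AAAA
client 10.1.2.3#51240: query: mfrggzdfmztwq2lknnwg23tpobyxe43uov3ho6dzpi.x.evil.example IN TXT
client 10.1.2.3#51241: query: nbswy3dpfqqhg2dfnrwcaylmmfzxi2lsmuqhezlt.x.evil.example IN TXT
client 10.1.2.3#51242: query: ifbeg3dpmvzgc3tdmuqgc3tdmuqhezlsmvxhi4tz.x.evil.example IN TXT
client 10.1.2.3#51243: query: onswy3dpmvxhiidlmv4sa2lomzxxe3lbmmqgc3dm.x.evil.example IN TXT
client 10.1.2.3#51244: query: ovzgk4tdmfzwkidtmuqgg33nmfxgiidpmzzwq3dt.x.evil.example IN TXT
client 10.1.2.3#51245: query: pfxw4idnmvyhe2ldmvzsa2dfnrwg6idxn5zgyzbn.x.evil.example IN TXT
client 10.1.2.9#40001: query: img1.cdn.example IN A
client 10.1.2.9#40002: query: img2.cdn.example IN A
client 10.1.2.9#40003: query: img3.cdn.example IN A
client 10.1.2.9#40004: query: img4.cdn.example IN A
client 10.1.2.9#40005: query: img5.cdn.example IN A
"""

QUERY_RE = re.compile(r"client (?P<src>[\d.]+)#\d+: query: (?P<qname>\S+) IN (?P<qtype>\w+)")


def shannon_entropy(s):
    """Bits per character; encoded payloads score higher than real words."""
    if not s:
        return 0.0
    freq = defaultdict(int)
    for ch in s:
        freq[ch] += 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in freq.values())


def split_name(qname):
    """Return (subdomain, registered_domain). Assumption: the registered domain
    is the last two labels; a real deployment would use the public suffix list."""
    labels = qname.rstrip(".").lower().split(".")
    if len(labels) <= 2:
        return "", ".".join(labels)
    return ".".join(labels[:-2]), ".".join(labels[-2:])


def parse_log(text):
    """Yield {src, qname, qtype} dicts for every line that matches the format."""
    for line in text.splitlines():
        m = QUERY_RE.search(line)
        if m:
            yield m.groupdict()


def hunt_dns_exfil(text, min_queries=5, min_unique_ratio=0.8,
                   min_label_len=30, min_entropy=3.5):
    """Return [(src, domain, stats)] for (client, domain) pairs whose query
    pattern looks like data being tunnelled out in subdomain labels: many
    queries, almost all to distinct subdomains, with long or high-entropy
    leading labels. Unique-but-short names (CDN hostnames) are left alone."""
    groups = defaultdict(list)
    for q in parse_log(text):
        sub, dom = split_name(q["qname"])
        groups[(q["src"], dom)].append((sub, q["qtype"]))
    flagged = []
    for (src, dom), entries in groups.items():
        subs = [s for s, _ in entries]
        first_labels = [s.split(".")[0] for s in subs if s]
        if len(entries) < min_queries or not first_labels:
            continue
        stats = {
            "queries": len(entries),
            "unique_ratio": len(set(subs)) / len(entries),
            "avg_label_len": sum(map(len, first_labels)) / len(first_labels),
            "avg_entropy": sum(map(shannon_entropy, first_labels)) / len(first_labels),
            "txt_queries": sum(1 for _, t in entries if t == "TXT"),
        }
        looks_encoded = (stats["avg_label_len"] >= min_label_len
                         or stats["avg_entropy"] >= min_entropy)
        if stats["unique_ratio"] >= min_unique_ratio and looks_encoded:
            flagged.append((src, dom, stats))
    return flagged


if __name__ == "__main__":
    for src, dom, st in hunt_dns_exfil(SAMPLE_LOG):
        print(f"{src} -> {dom}: {st}")
```

Only the 10.1.2.3 → evil.example pair is flagged: the corp.example lookups repeat the same few hostnames, and the cdn.example lookups are all unique but too short and too low-entropy to be carrying data. In production the same statistics are usually computed per client per hour so that a slow, low-volume tunnel still crosses the query-count threshold.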
33. MANAGED SECURITY OFFERINGS
34. Challenges to Implementing Effective Security
• Limited security expertise and resources to adequately protect the environment
• Budget constraints in supporting security initiatives
• Adoption of security technologies and analytic tools to prevent, identify and respond to advanced attacks
• Increased adoption of cloud-based IT services
• Evolving compliance reporting requirements
35. Rackspace Managed Security
Deep Expertise. Leading Tech. Advanced Protection.
• DETECT & RESPOND TO THREATS 24X7X365: Leverage experienced Rackspace security experts to monitor and manage your environment around the clock.
• LEVERAGE SECURITY EXPERTS ON YOUR IT AND SECURITY TEAM: Use Managed Security as a security force multiplier, tailoring support to meet your tactical and strategic security goals.
• EMPLOY INDUSTRY BEST PRACTICES AND ADVANCED SOLUTIONS: Best-of-breed solution partners provide collective expertise and advanced technology to help protect your Managed Cloud.
• ADDRESS SECURITY GOALS WHILE LOWERING TCO: Managed Security has a significantly lower Total Cost of Ownership (TCO) over comparable internal and external solutions.
36. How Is Managed Security Implemented?
• Host and Network Protection – Provides advanced host and network protection platforms targeted at zero-day and non-malware attacks as well as traditional compromise tactics.
• Security Analytics – Utilizes a leading Security Information and Event Management (SIEM) platform paired with big data analytics platforms to collect and analyze data from the customer environment.
• Vulnerability Management – Employs scanning and agent technologies to understand the customer's environment and uses this data to tailor our Customer Security Operations Center response to threats and attacks in the environment.
• Log Management – Rackspace will collect standard operating system logs from the hosts in the environment. During the onboarding process, Rackspace will identify additional data to be collected. All log data is retained for 1 year with additional retention available.
37. How is Compliance Assistance Implemented?
• Configuration Hardening and Monitoring – Assigns security configuration profiles to hosts based on accepted standards such as those from the Center for Internet Security (CIS), as well as community best practices. Rackspace detects and logs deviations from these profiles in real time to allow for comprehensive documentation and reduced vulnerability windows.
• Patch Monitoring – Provides an understanding of what threats are applicable to an environment, including what Common Vulnerabilities and Exposures (CVE) are present.
• User Monitoring – Monitors and documents user host access, authentication level and login times to enable customers to demonstrate compliance with access controls.
• File Integrity Management – Detects, reports, and documents changes to files on a host based on the customer's security and compliance requirements.
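Configuration Hardening and Monitoring and File Integrity Management are both comparisons of an expected state against the observed state of a host, so one added example covers both: a baseline of file hashes compared against a later snapshot, and a parsed sshd_config checked against a CIS-style profile. This is illustrative code, not Rackspace's tooling; the profile values are an assumed subset of sshd settings, and the host tree, its files and the simulated changes are constructed in a temporary directory so the example runs anywhere.

```python
"""Configuration-profile monitoring and file integrity monitoring in one pass.

Added example, not Rackspace tooling. The hardening profile is an assumed,
illustrative subset of sshd settings in CIS style, and the host tree is
built in a temporary directory so the example runs on any machine."""
import hashlib
import os
import tempfile

# Assumed hardening profile: expected sshd_config values (illustrative subset).
SSHD_PROFILE = {
    "PermitRootLogin": "no",
    "PasswordAuthentication": "no",
    "X11Forwarding": "no",
    "MaxAuthTries": "4",
}


def sha256_file(path):
    """Stream a file through SHA-256 so large binaries do not load into memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def hash_tree(root):
    """Snapshot: {relative_path: sha256} for every regular file under root."""
    snapshot = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            snapshot[rel] = sha256_file(full)
    return snapshot


def diff_baseline(old, new):
    """Integrity drift between two snapshots: what appeared, vanished, changed."""
    return {
        "added": sorted(set(new) - set(old)),
        "removed": sorted(set(old) - set(new)),
        "modified": sorted(p for p in set(old) & set(new) if old[p] != new[p]),
    }


def parse_sshd_config(text):
    """Minimal 'Key value' parser; comments and blank lines are ignored."""
    settings = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        key, _, value = line.partition(" ")
        settings[key] = value.strip()
    return settings


def check_profile(settings, profile):
    """Return [(key, expected, actual)] for every deviation; a missing key
    counts as a deviation (actual is None) rather than silently passing."""
    return [(k, v, settings.get(k)) for k, v in profile.items() if settings.get(k) != v]


def demo():
    """Build a constructed host tree, baseline it, then simulate drift."""
    with tempfile.TemporaryDirectory() as root:
        cfg = os.path.join(root, "etc", "ssh", "sshd_config")
        os.makedirs(os.path.dirname(cfg))
        os.makedirs(os.path.join(root, "bin"))
        os.makedirs(os.path.join(root, "tmp"))
        with open(cfg, "w") as f:
            f.write("Port 22\nPermitRootLogin no\nPasswordAuthentication yes\n"
                    "X11Forwarding no\nMaxAuthTries 4\n")
        with open(os.path.join(root, "bin", "old_tool"), "w") as f:
            f.write("#!/bin/sh\necho old\n")
        baseline = hash_tree(root)

        # Simulated changes: a weakened setting, a new file in a temp
        # directory, and a binary removed.
        with open(cfg, "w") as f:
            f.write("Port 22\nPermitRootLogin yes\nPasswordAuthentication yes\n"
                    "X11Forwarding no\nMaxAuthTries 4\n")
        with open(os.path.join(root, "tmp", "dropper.sh"), "w") as f:
            f.write("#!/bin/sh\necho dropped\n")
        os.remove(os.path.join(root, "bin", "old_tool"))

        drift = diff_baseline(baseline, hash_tree(root))
        with open(cfg) as f:
            deviations = check_profile(parse_sshd_config(f.read()), SSHD_PROFILE)
    return drift, deviations


if __name__ == "__main__":
    drift, deviations = demo()
    print("integrity drift:", drift)
    print("profile deviations:", deviations)
```

The two checks are complementary: the hash diff says that sshd_config changed, the profile check says what changed and whether it matters (PermitRootLogin went from no to yes, and PasswordAuthentication was already out of profile before the change). The FIM result alone would be a ticket; the profile deviation is the evidence a compliance report needs.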
39. Rackspace Compliance Assistance
Leverage Rackspace Expertise to Address your Governance, Risk & Compliance (GRC) Goals.
• ADDRESS COMPLIANCE GOALS: Provide the monitoring, management, and reporting necessary to help you meet your goals.
• LEVERAGE SECURITY EXPERTS ON YOUR IT AND GRC TEAMS: Add Rackspace expertise to support your team or your existing compliance team resources.
• EMPLOY INDUSTRY BEST PRACTICES AND ADVANCED SOLUTIONS: Use leading technology to support compliance-related monitoring and management.
• ADDRESS COMPLIANCE GOALS WHILE LOWERING TCO: Provide lower Total Cost of Ownership (TCO) over comparable solutions and services.
We currently serve businesses in 120 countries around the world.
We provide Fanatical Support for the World’s Leading Clouds
We support these technology stacks: OpenStack, AWS, Microsoft and VMware.
Fanatical Support combines our expertise and our results-obsessed 24/7/365 customer service.
In the past few months, we’ve been very busy.
Here’s a good summary view that shows the expertise we have and the choice we provide.
Whatever your workload, we offer a choice of technology stacks and platforms all backed by Fanatical Support.
Together that means you get the best fit and the best service.
And under it all is our focus on security.
RSA attack.
Each day, there seems to be news about a security threat or data breach that is larger or more sensational than the day before. These stories outline real exposure that threatens your customers' environment, business and personal reputation, and "bottom line".
• The threats are dynamic and ever-present. They often occur without warning, can be directed at any part of your business, and come from anywhere in the world.
• Damage from malicious parties can range from the theft of confidential and sensitive data to a complete shutdown of your business. The result is not only lost revenue and escalated recovery costs but also potential liability costs and compliance-related fines.
According to Gartner, growth in enterprise demand for Managed Security Service Providers (MSSPs) is driven primarily by four factors:
Security staffing and budget constraints (separated into two categories above) – Successfully defending against security threats requires specialized expertise and technology. Meeting the need internally is resource intensive, and leveraging outside resources is often prohibitively expensive. In addition, security professionals with the necessary expertise are in high demand and difficult to find and retain.
Adoption of security technologies and analytic tools to prevent, identify and respond to advanced attacks – As the threats are dynamic and ever-changing, the tools and methods to address them must evolve at least as quickly.
Increased adoption of cloud-based IT services – Traditional security measures implemented in the enterprise are typically not sufficient for cloud-based environments.
Evolving compliance reporting requirements – Industry and regulatory mandates vary and add a level of complexity that organizations may struggle to address over and above security concerns.
MANAGED SECURITY from Rackspace is a security service offering designed to protect customers from advanced cyber threats, such as Advanced Persistent Threats (a network attack in which an unauthorized person gains access to a network and stays there undetected for a long period of time, usually with the primary goal of data theft). This service is backed by a Rackspace 24x7x365 Security Operations Center staffed with security professionals who use tools tailored to the customer, threat profile and environment, leveraging big data analytics to detect unseen threats (zero days) through behavioral and anomaly detection. The value of MANAGED SECURITY can be broken down into four categories:
Detect & Respond to Threats – Leverage experienced Rackspace security experts to monitor your environment for potential threats from a 24x7x365 security operations center. Rackspace professional response and expert analysis is tailored to your needs, from strategic planning for best-practice cloud security to tactical day-to-day security monitoring and threat analysis. In addition, MANAGED SECURITY provides a holistic view of security in the context of the customer's entire Rackspace-hosted environment.
Leverage Security Experts – Add security expertise to your IT capabilities to help solidify your security posture. Use MANAGED SECURITY as a "force multiplier" to extend the resources of your existing security team.
Employ Best Practices & Advanced Solutions – Leverage leading technology solutions and advanced threat intelligence. Rackspace works with select partners who are security market leaders and innovators, allowing you to take advantage of security best practices enhanced with the collective expertise of Rackspace and its partners.
Lower TCO – Provides significantly lower Total Cost of Ownership (TCO) over internally developed security operations centers and comparable managed security service offerings, allowing you to leverage security expertise that is in high demand, costly, and difficult to find and retain.
Rackspace Security professionals, based in the 24x7x365 Customer Security Operations Center (CSOC), leverage these market-leading security tools from trusted partners as part of the Managed Security offering.