RMS Security Breakfast
•Download as PPTX, PDF•
0 likes•682 views
Learn how to overcome security challenges, such as: identity theft, spoofed transactions, DDoS business disruption, criminal extortion and more. You'll learn how a security strategy promotes confidence in the cloud.
Recommended
Recommended
More Related Content
What's hot
What's hot (20)
Viewers also liked
Viewers also liked (13)
Similar to RMS Security Breakfast
Similar to RMS Security Breakfast (20)
More from Rackspace
More from Rackspace (20)
Recently uploaded
Recently uploaded (20)
RMS Security Breakfast
- 3. Increasing and costly security threats • Average cost per data breach to Australian business is $2.5 million • PWC research found 48% increase in reported global security incidents last year versus prior year • McAfee says cost to the global economy from cybercrime is anywhere is $400 - $600 billion per year Source: PWC Global State of Information Security Study 2015, Gartner, MacAfee. Crn.com
- 4. P R O P R I E T A R Y & C O N F I D E N T I A L 4 Top Cloud Challenges 2016 1. Lack of resources/expertise 2. Security 3. Compliance 4. Managing multiple cloud services 5. Managing costs SOURCE: RightScale 2016 State of the Cloud Report
- 5. Brannon Lacey General Manager, Emerging Businesses Leads Digital Marketing and Managed Security business units at Rackspace. Prior to Rackspace, Brannon was a Principle at Samsung Venture Investment Corp and a Manager within the Strategy Practice at Accenture. Brannon holds an MBA from Columbia Business School and duel degrees in Entrepreneurship and Management Information Systems from the University of Arizona. INTRODUCTION
- 6. About Rackspace PORTFOLIO of Hosted Solutions 10 WORLDWIDE Data Centers 6,200 RACKERS DEDICATED :: CLOUD :: HYBRID Annualized RevenueOver $2B 60% 100OF THE WE SERVE FORTUNE® GLOBAL FOOTPRINT Customers in 120 Countries
- 7. Global Reach SERVING BUSINESSES IN 120 COUNTRIES DATA CENTERS: Ashburn, VA Chicago, IL Herndon, VA Grapevine, TX Richardson, TX OFFICES: Amsterdam, Netherlands Hayes,UK Zurich, Switzerland DATA CENTERS: Crawley, UK Slough, UK OFFICES: Quarry Bay, Hong Kong Sydney, Australia Bangalore, India DATA CENTERS: Fo Tan, Hong Kong Erskine Park, Australia OFFICES: Austin, TX Blacksburg, VA Chicago, IL Cincinnati, OH Duluth, GA New York, NY San Antonio, TX San Francisco, CA St. Louis, MO North America EMEA APACLATAM OFFICES: Mexico City, MX
- 8. www.rackspace.com For the World’s Leading CLOUDS We provide FANATICAL SUPPORT® ®
- 9. RACKSPACE® MANAGED CLOUD WORKLOAD / EXPERTISE INFRASTRUCTURE SERVICE Technology Stack Platform Fanatical Support® 24x7x365 DEDICATED HOSTING PRIVATE CLOUD PUBLIC CLOUD HYBRIDCLOUD CLOUD SCALE APPS DATA SERVICES DIGITAL CLOUD OFFICE IT TRANSFORMATION SECURITY SECURITY AND COMPLIANCE ®
- 10. Anatomy of an Attack General Manager, Emerging Business :: @rackspace J A R R E T R A I M
- 11. Jarret Raim Director of Strategy & Engineering Responsible for the development, implementation and support of all customer facing security products and services. Jarret has held several internal security architecture and product management roles at Rackspace to include the creation of Barbican key management product, now part of the official OpenStack ecosystem. Jarret holds Masters and Bachelors degrees in Computer Science from Trinity and Lehigh Universities, respectively. INTRODUCTION
- 12. Advanced Persistent Threat • Advanced – use of sophisticated techniques like malware exploits of vulnerabilities • Persistent – external command and control driven by a threat actor, continuous and varied attacks • Threat – Human based organization with specific goals. Image courtesy of Wikipedia An advanced persistent threat (APT) is a set of stealthy and continuous computer hacking processes, often orchestrated by human(s) targeting a specific entity.
- 13. Anatomy of an Attack • Recon the target • Exploitation of the target, establishing local control • Command established with exploited resources • Recon, pivot and privilege escalation • Data collection and exfiltration
- 14. Anatomy of an Attack • Recon the target • Exploitation of the target, establishing local control • Command established with exploited resources • Recon, pivot and privilege escalation • Data collection and exfiltration
- 15. Phishing
- 17. Spear Phishing Jarret Raim: Recon
- 18. Anatomy of an Attack • Recon the target • Exploitation of the target, establishing local control • Command established with exploited resources • Recon, pivot and privilege escalation • Data collection and exfiltration
- 19. Spear Phishing Jarret Raim: Exploit
- 20. Anatomy of an Attack • Recon the target • Exploitation of the target, establishing local control • Command established with exploited resources • Recon, pivot and privilege escalation • Data collection and exfiltration
- 21. Malware: Poison Ivy • RATs are generally considered ‘low-tech’, but are used as part of APT style attacks • Poison Ivy has been in use for over 8 years, repacking and other techniques allow it to still be effective • Includes key logging, screen capturing, video capturing, file transfers, password theft, system administration, traffic relaying, and more • Primarily seen at financial institutions – an indication of its use in APT Remote Access Tools (RATs) offer unfettered access to compromised machines. They are deceptively simple— attackers can point and click their way through the target’s network to steal data and intellectual property.
- 22. Anatomy of an Attack • Recon the target • Exploitation of the target, establishing local control • Command established with exploited resources • Recon, pivot and privilege escalation • Data collection and exfiltration
- 23. Example Pivot: Target 1. Attacker recons Target and catalogues suppliers using public sources 2. Fazio is compromised through spearfishing, which grants access to Target network 3. Attacker uses default password in BMC to move through network (unconf) 4. Attacker installs POS malware and sets up exfiltration servers 5. Credit Card information is collected and exfiltrated An attacker is said to be ‘pivoting’ when they recon and compromise additional machines after an initial incursion – this is also known as lateral movement Attackers had access to the Target networks for just over 30 days. They were detected, but Target was unable to respond due to limited staffing / tool flood issues
- 24. C U S T O M E R S E C U R I T Y O P E R A T I O N S
- 25. A Security Strategy for the New Normal Building upon the most effective elements of traditional security with a focus on three key areas for uniquely effective protection in today’s threat landscape • Prioritize your data and understand its business value • Abandon the traditional reactive posture triggered by alerts • Enable immediate action to protect data and minimize business impact 3 OUR SECURITY APPROACH Proactive Detection Rapid Response Deep Expertise
- 26. Rackspace Managed Security Operations 5 • Holistic 24x7x365 capability to monitor, alert and respond to security incidents on our customers behalf • Do as much as we can on behalf of our customers and do it quickly: ‣ Minimize impact by replacing graduated response with immediate action ‣ Enabled by preapproved actions • Security best practice and hygiene = Compliance outcomes • All customer interaction and oversight handled by a dedicated Customer Experience Team to ensure: ‣ Quality ‣ Consistency ‣ Reliability Customer Customer Experience Team Customer Security Operations Center Compliance Team
- 27. Know Your Enemy 7 • The APT actor is a PERSON… ‣ Highly sophisticated ‣ Highly motivated ‣ Well-trained ‣ Well-equipped • An APT Actor is backed by… ‣ Powerful nation states ‣ Well-resourced organized crime groups Who is a Advanced Persistent Threat (APT)?
- 28. Technology Alone Will Not Succeed 7 Experienced Security analysts are key for effective protection. Rackspace analysts are: • Highly experienced • Highly motivated • Well-trained • Well-equipped Backed by… • Fanatical Support® • Best-in-breed technology
- 29. 29 Rackspace Managed Security Reduces an APT’s Most Precious Resource: Time RESPOND Swift & Sure • Triage & investigate • Execute cyber response • Respond immediately through pre-approved actions DETECT Automated & Expertise-Driven • Monitor systems & networks • Identify anomalies through proactive cyber hunting REPORT Timely & Risk-Based • Event-driven flash & after-action reporting • Weekly metrics reporting • Monthly cyber-risk reporting DETER Proactive & Predictive • Prepare the battlespace • Understand the threat landscape • Set operational plan & procedure • Understand business risk 29 ACTION AFTERACTION ANTICIPATION AWARENESS SUPPORT REPORT MEASURE
- 30. CYBER HUNTING • What is Cyber Hunting? ‣ Proactive analysis of data ‣ Generic and targeted (focused) hunting • Why do we Hunt? ‣ Catch what is missed by tools • How does Hunting improve security posture? ‣ Earlier detection in the Attacker Life Cycle ‣ Fills gaps in tool visibility
- 31. WHAT DO WE HUNT FOR? • Intel-based Indicators of Compromise (IOCs) ‣ Known bad IP Addresses, Domain Names, Hashes, etc. • Anomaly-Based Indicators of Compromise (IOCs) ‣ Abnormal scheduled tasks ‣ Auto-start programs ‣ Process masquerading ‣ Other anomalous activity • Indicators of Attacks (IOAs) ‣ Attacker Life Cycle (Cyber Kill-Chain) ‣ Behavioral indicators
- 32. Hunting through the Attack Life Cycle Detecting earlier in lifecycle reduces risk of attacker achieving objectives Degrading security posture / health as the attack lifecycle progresses Conduct Background Research Execute Initial Attack Establish Foothold Enable Persistence Conduct Enterprise Recon Move Laterally to New Systems Escalate Privileges Gather and Encrypt Data of Interest Exfiltrate Data From Victim Systems Maintain Persistent Presence OSINT HUMINT SIGINT Spear Phishing & Malware SQL Inject Broser Compromise PWD Guessing RATs Droppers User Creds Service Generation Web Shell / Beaconing Registry Keys / Sticky Keys Disable Security Agents Port / Services Scans Network and Account Enumeration Network Monitoring RDP PSExec Application Exploitation Scheduled Tasks / Jobs PWDump / GSECDump WCE Token Manipulation Account Creation WinRAR XOR Encryption Tools Move Data to Repository Encrypted Containers Custom Apps FTP (If You Let Them) DNS Exfil Citrix SSH / Telnet VPN INTEL GATHERING COMMAND & CONTROL PRIVILEGE ESCALATION INITIAL EXPLOITATION DATA EXFILTRATION
- 33. M A N A G E D S E C U R I T Y O F F E R I N G S
- 34. Challenges to Implementing Effective Security Limited security expertise and resources to adequately protect environment Budget constraints in supporting security initiatives Adoption of security technologies and analytic tools to prevent, identify and respond to advanced attacks Increased adoption of cloud-based IT services Adoption of security technologies and analytic tools to prevent, identify and respond to advanced attacks
- 35. Rackspace Managed Security Deep Expertise. Leading Tech. Advanced Protection. DETECT & RESPOND TO THREATS 24X7X365 Leverage experienced Rackspace security experts to monitor and manage your environment around the clock. LEVERAGE SECURITY EXPERTS ON YOUR IT AND SECURITY TEAM Use Managed Security as a security force multiplier, tailoring support to meet your tactical and strategic security goals. EMPLOY INDUSTRY BEST PRACTICES AND ADVANCED SOLUTIONS Best-of-breed solution partners to provide collective expertise and advanced technology to help protect your Managed Cloud. ADDRESS SECURITY GOALS WHILE LOWERING TCO Managed Security has a significantly lower Total Cost of Ownership (TCO) over comparable internal and external solutions.
- 36. 36 How Is Managed Security Implemented? • Host and Network Protection – Provides advanced host and network protection platforms targeted at zero-day and non-malware attacks as well as traditional compromise tactics. • Security Analytics – Utilizes a leading Security Information and Event Management (SIEM) platform paired with big data analytics platforms to collect and analyze data from the customer environment. • Vulnerability Management – Employs scanning and agent technologies to understand the customer’s environment and uses this data to tailor our Customer Security Operations Center response to threats and attacks in the environment. • Log Management – Rackspace will collect standard operating system logs from the hosts in the environment. During the onboarding process, Rackspace will identify additional data to be collected. All log data is retained for 1 year with additional retention available.
- 37. 37 How is Compliance Assistance Implemented? • Configuration Hardening and Monitoring – Assigns security configuration profiles to hosts based on accepted standards such as those from the Center for Internet Security (CIS), as well as community best practices. Rackspace detects and logs deviations from these profiles in real-time to allow for comprehensive documentation and reduced vulnerability windows. • Patch Monitoring – Provides an understanding of what threats are applicable to an environment including what Common Vulnerabilities and Exposures (CVE) are present. • User Monitoring – Monitors and documents user host access, authentication level and login times to enable customers to demonstrate compliance with access controls. • File Integrity Management – Detects, reports, and documents changes to files on a host based on the customer’s security and compliance requirements.
- 38. Next Steps CONTINUE THE CONVERSATION Speak to a Rackspace Security Specialist READ MORE ONLINE http://www.rackspace.com/security
- 39. Rackspace Compliance Assistance Leverage Rackspace Expertise to Address your Governance, Risk & Compliance (GRC) Goals. ADDRESS COMPLIANCE GOALS Provide monitoring, management, and reporting necessary to help you meet your goals. LEVERAGE SECURITY EXPERTS ON YOUR IT AND GRC TEAMS Add Rackspace expertise to support your team or your existing compliance team resources. EMPLOY INDUSTRY BEST PRACTICES AND ADVANCED SOLUTIONS Use leading technology to support compliance- related monitoring and management. ADDRESS COMPLIANCE GOALS WHILE LOWERING TCO Provide lower Total Cost of Ownership (TCO) over comparable solutions and services.
- 40. RMS Implementation Provides advanced host and network protection platforms targeted at zero-day and non- malware attacks as well as traditional compromise tactics. HOST AND NETWORK PROTECTION
- 41. RMS Implementation Utilizes a leading Security Information and Event Management (SIEM) platform paired with big data analytics platforms to collect and analyze data from the customer environment. SECURITY ANALYTICS
- 42. RMS Implementation Employs scanning and agent technologies to understand the customer’s environment and uses this data to tailor our Customer Security Operations Center response to threats and attacks in the environment. VULNERABILITY MANAGEMENT
- 43. RMS Implementation Rackspace will collect standard operating system logs and work with you to identify additional data that may collected. All log data is retained for one year with additional retention available. LOG MANAGEMENT
- 44. Compliance Assistance Implementation Assigns security configuration profiles to hosts based on accepted standards such as those from the Center for Internet Security (CIS), as well as community best practices. Rackspace detects and logs deviations from these profiles in real-time to allow for comprehensive documentation and reduced vulnerability windows. CONFIGURATION HARDENING AND MONITORING
- 45. Compliance Assistance Implementation Provides an understanding of what threats are applicable to an environment including what Common Vulnerabilities and Exposures (CVE) are present. PATCH MONITORING
- 46. Compliance Assistance Implementation Monitors and documents user host access, authentication level and login times to enable customers to demonstrate compliance with access controls. USER MONITORING
- 47. Compliance Assistance Implementation Detects, reports, and documents changes to files on a host based on the customer’s security and compliance requirements. FILE INTEGRITY MANAGEMENT
Editor's Notes
- 4
- Just a quick look at who we are as a company.
- We currently serve businesses in 120 countries around the world.
- We provide Fanatical Support for the World’s Leading Clouds We support these technology stacks: OpenStack, AWS, Microsoft and VMware. Fanatical Support combines our expertise and our results-obsessed 24/7/365 customer service. In the past few months, we’ve been very busy.
- Here’s a good summary view that shows the expertise we have and the choice we provide. Whatever your workload, we offer a choice of technology stacks and platforms all backed by Fanatical Support. Together that means you get the best fit and the best service. And under it all is our focus on security.
- RSA attack.
- Each day, there seems to be news about a security threat or data breach that is larger or more sensational than the day before. These stories outline real exposure that threatens your customers’ environment, business & personal reputation, and “bottom line”. • The threats are dynamic and ever-present. These threats often occur without warning, can be directed at any part of your business, and come from anywhere in the world. • Damage from malicious parties can range from the theft of confidential & sensitive data to a complete shutdown of your business. The result is not only lost revenue and escalated costs from recovery but only potential liability costs and compliance-related fines.
- Each day, there seems to be news about a security threat or data breach that is larger or more sensational than the day before. These stories outline real exposure that threatens your customers’ environment, business & personal reputation, and “bottom line”. • The threats are dynamic and ever-present. These threats often occur without warning, can be directed at any part of your business, and come from anywhere in the world. • Damage from malicious parties can range from the theft of confidential & sensitive data to a complete shutdown of your business. The result is not only lost revenue and escalated costs from recovery but only potential liability costs and compliance-related fines.
- According to Gartner growth in enterprise demand for Managed Security Service Providers (MSSPs) is driven primarily by four factors: Security staffing and budget constraints (separated into two categories above) –Successfully defending against security threats require specialized expertise and technology. Meeting the need internally is resource intensive and leveraging outside resources is often prohibitively expensive. In addition, security professionals with the necessary expertise are in high-demand and difficult to find and retain. Adoption of security technologies and analytic tools to prevent, identify and respond to advanced attacks – As the threats are dynamic and ever-changing, the tools and methods to address threats must evolve at least as quickly. Increased adoption of cloud-based IT services – Traditional security measures implemented in the Enterprise are typically not sufficient for cloud-based environments. Evolving compliance reporting requirements – Industry and regulatory mandates vary and provide a level of complexity that organizations may struggle to address over and above security concerns.
- MANAGED SECURITY from Rackspace is a security service offering designed to protect customers from advanced cyber threats, such as Advanced Persistent Threats (a network attack in which an unauthorized person gains access to a network and stays there undetected for a long period of time, usually for the primary goal of data theft). This service is backed by a Rackspace 24x7x365 Security Operations Center staffed with security professionals who use tools tailored to the customer, threat profile and environment, leveraging big data analytics to detect unseen threats (zero days) through behavioral and anomaly detection. The value of MANAGED SECURITY can be broken down into four categories: Detect & Respond to Threats – Leverage experienced Rackspace security experts monitor your environment for potential threats from a 24x7x365 security operations center. Rackspace professional response and expert analysis is tailored to your need, from strategic planning for best practice cloud security or tactical day-to-day security monitoring and threat analysis. In addition, MANAGED SECURITY provides a holistic view of security in context of customer’s entire Rackspace hosted environment. Leverage Security Experts – Add security expertise to your IT capabilities to help solidify your security posture. Use MANAGED SECURITY as a “force multiplier” to extend the resources of your existing Security team Employ Best Practices & Advanced Solutions - Leverage leading technology solutions and advanced threat intelligence. Rackspace works with select partners who are security market leaders and innovators, allowing you to take advantage of security best practices enhanced with the collective expertise of Rackspace and its partners. Lower TCO - Provides significantly lower Total Cost of Ownership (TCO) over internally developed security operations centers and comparable managed security service offerings, allowing you to leverage Security expertise that is in high-demand, costly, and difficult to find & retain.
- MANAGED SECURITY from Rackspace is a security service offering designed to protect customers from advanced cyber threats, such as Advanced Persistent Threats (a network attack in which an unauthorized person gains access to a network and stays there undetected for a long period of time, usually for the primary goal of data theft). This service is backed by a Rackspace 24x7x365 Security Operations Center staffed with security professionals who use tools tailored to the customer, threat profile and environment, leveraging big data analytics to detect unseen threats (zero days) through behavioral and anomaly detection. The value of MANAGED SECURITY can be broken down into four categories: Detect & Respond to Threats – Leverage experienced Rackspace security experts monitor your environment for potential threats from a 24x7x365 security operations center. Rackspace professional response and expert analysis is tailored to your need, from strategic planning for best practice cloud security or tactical day-to-day security monitoring and threat analysis. In addition, MANAGED SECURITY provides a holistic view of security in context of customer’s entire Rackspace hosted environment. Leverage Security Experts – Add security expertise to your IT capabilities to help solidify your security posture. Use MANAGED SECURITY as a “force multiplier” to extend the resources of your existing Security team Employ Best Practices & Advanced Solutions - Leverage leading technology solutions and advanced threat intelligence. Rackspace works with select partners who are security market leaders and innovators, allowing you to take advantage of security best practices enhanced with the collective expertise of Rackspace and its partners. Lower TCO - Provides significantly lower Total Cost of Ownership (TCO) over internally developed security operations centers and comparable managed security service offerings, allowing you to leverage Security expertise that is in high-demand, costly, and difficult to find & retain.
- Rackspace Security professionals, based in the 24x7x365 Customer Security Operations Center (CSOC), leverage these market-leading security tools from trusted partners as part of the Managed Security offering.
- Rackspace Security professionals, based in the 24x7x365 Customer Security Operations Center (CSOC), leverage these market-leading security tools from trusted partners as part of the Managed Security offering.
- Rackspace Security professionals, based in the 24x7x365 Customer Security Operations Center (CSOC), leverage these market-leading security tools from trusted partners as part of the Managed Security offering.
- Rackspace Security professionals, based in the 24x7x365 Customer Security Operations Center (CSOC), leverage these market-leading security tools from trusted partners as part of the Managed Security offering.
- Rackspace Security professionals, based in the 24x7x365 Customer Security Operations Center (CSOC), leverage these market-leading security tools from trusted partners as part of the Managed Security offering.
- Rackspace Security professionals, based in the 24x7x365 Customer Security Operations Center (CSOC), leverage these market-leading security tools from trusted partners as part of the Managed Security offering.
- Rackspace Security professionals, based in the 24x7x365 Customer Security Operations Center (CSOC), leverage these market-leading security tools from trusted partners as part of the Managed Security offering.
- Rackspace Security professionals, based in the 24x7x365 Customer Security Operations Center (CSOC), leverage these market-leading security tools from trusted partners as part of the Managed Security offering.