It’s 3AM. Do you know what your servers are doing? In this age of increased attacks and highly publicized vulnerabilities, deploying your infrastructure in a secure way is mission critical. In this session, Aaron Hackney and Major Hayden from Rackspace will reveal security strategies to focus your spending and reduce your risk.
The New Normal: Managing the constant stream of new vulnerabilities
1. The New Normal: Managing the constant stream of new vulnerabilities
Aaron Hackney, Principal Architect
aaron.hackney@rackspace.com
Major Hayden, Principal Architect
major.hayden@rackspace.com
3. Vulnerabilities are now mainstream news
www.rackspace.com
Source: https://twitter.com/mattblaze/status/573938261325844480
4. OUR MISSION TODAY:
To arm you with a solid strategy to secure your infrastructure efficiently.
5. Understand cognitive bias
“...we respond to the feeling of security and not the reality. Now most of the time, that works. Most of the time, feeling and reality are the same…if our feelings match reality, we make better security trade-offs.”
Bruce Schneier, TEDxPSU, 2010
Video link: http://www.ted.com/talks/bruce_schneier/transcript?language=en#t-53471
6. “If I had a dollar to spend on security, I’d spend 99 cents on detection and a penny on prevention.”
7. The Security Life Cycle
• Start with common sense prevention
– Principle of least privilege
• Then spend the bulk of your budget on layers of detection
– Assume incidents will happen
• Create a rock-solid response plan
– Take feedback from the response process and invest in prevention
[Diagram: the security life cycle as a loop of Prevention, Detection, Incident and Response]
8. Detection 101: Logging
• Every server, network device, and application generates some type of logs
• Collect your logs in a central location
• Monitor for critical events first
– Authentication attempts (successful and failed)
– Service/system restarts
– Network errors
– Configuration changes
• Monitoring for events can be cumbersome in busy environments
– Graph your log line counts over time and look for unusual peaks or spikes
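The two logging tips on this slide (watch failed authentication first, and graph line counts per time bucket to spot spikes) as an added example, not code from the talk: the log lines are constructed syslog-style samples with hypothetical host and address values, the per-minute volume is compared against the median minute so that one noisy minute cannot hide itself by inflating the baseline.

```python
import re
import statistics
from collections import Counter

# Syslog-style prefix: "Mar 10 03:00:05 web01 sshd[2011]: ..."
SYSLOG_RE = re.compile(r"^(?P<mon>\w{3}) +(?P<day>\d+) (?P<hh>\d\d):(?P<mm>\d\d):\d\d (?P<host>\S+) ")
FAILED_RE = re.compile(r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<ip>\S+)")

def constructed_sample():
    """Constructed sample log: ten quiet minutes, then one minute of password-guessing noise."""
    lines = []
    for minute in range(10):
        ts = f"Mar 10 03:{minute:02d}"
        lines.append(f"{ts}:05 web01 cron[2020]: (root) CMD (run-parts /etc/cron.hourly)")
        lines.append(f"{ts}:31 web01 sshd[2011]: Accepted publickey for deploy from 10.0.0.5 port 51022 ssh2")
        if minute % 3 == 0:
            lines.append(f"{ts}:50 web01 systemd[1]: Started Session 42 of user deploy.")
    for n in range(25):  # 25 failed logins from one (hypothetical) address within a single minute
        lines.append(f"Mar 10 03:10:{n:02d} web01 sshd[30{n:02d}]: Failed password for invalid user admin "
                     f"from 203.0.113.9 port 40122 ssh2")
    return lines

def minute_counts(lines):
    """Count log lines per minute; this is the series the slide suggests graphing over time."""
    counts = Counter()
    for line in lines:
        m = SYSLOG_RE.match(line)
        if m:
            counts[f"{m['mon']} {m['day']} {m['hh']}:{m['mm']}"] += 1
    return counts

def find_spikes(counts, factor=4.0, min_lines=10):
    """Return minutes whose volume exceeds `factor` times the median minute.
    `min_lines` suppresses alerts on near-idle hosts where 2 lines vs 8 is not interesting."""
    if not counts:
        return []
    baseline = statistics.median(counts.values())
    return sorted(k for k, v in counts.items() if v >= min_lines and v > factor * baseline)

def failed_logins(lines):
    """Count failed SSH password attempts per source address (the 'critical events first' rule)."""
    sources = Counter()
    for line in lines:
        m = FAILED_RE.search(line)
        if m:
            sources[m["ip"]] += 1
    return sources
```

Pointing `minute_counts` and `failed_logins` at a real centralized log file replaces the constructed sample; the thresholds in `find_spikes` are starting points to tune against your own baseline.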
9. Integrity Monitoring & Auditing
• Use best practices and hardening standards to set a minimum security spec for your systems
• Monitor for configuration changes with strong change control processes
• Use deployment frameworks, like Ansible, Puppet, or Chef
– Revision control makes change control easier
– Easy to audit large amounts of systems quickly
• Network segmentation can be a detection and prevention mechanism
– Force attackers to be noisy if they choose to cross a network segment
– Trending via NetFlow analysis may reveal attacks in progress
Community-driven hardening standards for common systems, including Linux, Windows, and Cisco devices. For more information, visit: http://www.cisecurity.org/
10. Incident Response
Detect & Analyze: Gather data from any available sensors, logs, or observations. Determine which systems are involved and the severity of the breach.
Contain & Recover: Bring systems offline or remove network connectivity. Provision new systems and carefully restore from clean backups.
Root Cause Analysis: How could we have prevented the attack or detected it sooner? Turn security failures into solid investments in prevention.
• Rely on solid processes so that everyone knows their place during an incident
11. Incident Management
• Communicate about an incident using criteria that your employees and customers understand
– Reduce anxiety with frequent, concise communications
– Using code names or alert levels may help
– Example: U.S. Department of Defense’s DEFCON
• Ensure everyone knows what’s happening and what part they play in the incident
Image source: Wikipedia, USAF Public Domain
12. After the incident
• “What could we have done to prevent incidents like these?”
• Fishbone diagrams help with larger organizations
• Make a larger number of smaller changes
• Focus on the user experience
– Then find security improvements that provide good trade-offs
The book you never thought was actually about information security.
13. Security User Experience
[Diagram: a review process fed by business and user requirements, security, legal and compliance requirements, and customer requirements, producing process improvement, technology upgrades, vendor products, and communication]
14. Plan for the unknowns
“Reports that say...that something hasn't happened are always interesting to me, because as we know, there are known knowns; there are things that we know that we know. We also know there are known unknowns; that is to say we know there are some things we do not know. But there are also unknown unknowns, the ones we don't know we don't know.”
—Donald Rumsfeld, Former United States Secretary of Defense
Photo source: Wikipedia, Scott Davis, US Army Public Domain