Assume a Security Breach Will Happen — Then What?

By jarretraim


The security breach at Yahoo, in which 500 million users’ information was stolen, is just the latest in a series of successful high-profile attacks against large organizations.

At Rackspace, we field a lot of questions from our customers when breaches like this occur.

While studying individual attacks adds to our understanding of sophisticated threat actors and how they target large companies, it is more important to focus on how to build security operations capable of defending against these threats.

When building a security operation, we start with the assumption that a breach has occurred, is occurring now and will occur in the future. This assumption means our efforts are focused on detecting the adversary in the environment quickly, then moving to eject it before it can do damage to the business.

Many of the major security breaches of the last several years began with a spear phishing attack against a small set of users to compromise credentials, which were then used to access the organization. The attacker uses that initial access to recon the environment, pivot across the infrastructure, achieve persistence, and then identify and exfiltrate data.

This forces a security operation to focus on behavior analysis and anomaly detection to determine if a user on a system is performing legitimate administrative tasks or is an adversary. While tools can be a good force multiplier here, this process generally requires highly trained and equipped analysts operating in a 24x7x365 capacity.
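The baseline-and-deviation approach described above, as an added illustration rather than Rackspace's own tooling: a per-user baseline of normal source hosts, destination hosts and active hours is learned from a window of authentication events, and later events are scored for deviations (new source host, new destination host, off-hours activity, failures). A second check looks for the lateral-movement pattern the post describes, a single account reaching several never-before-seen hosts within minutes. The log format, the business-hours window and the thresholds are assumptions, and the log lines are constructed for the example.

```python
"""Behavior-baseline anomaly detection over authentication events (added example)."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events, not from any real environment.
# Format: ISO timestamp, user, source host, destination host, result
SAMPLE_LOG = """\
2016-09-20T09:12:03 alice ws-alice srv-web01 SUCCESS
2016-09-20T09:40:11 alice ws-alice srv-web02 SUCCESS
2016-09-21T10:02:45 alice ws-alice srv-web01 SUCCESS
2016-09-21T14:15:09 bob ws-bob srv-db01 SUCCESS
2016-09-22T09:30:00 alice ws-alice srv-web02 SUCCESS
2016-09-22T11:00:12 bob ws-bob srv-db01 SUCCESS
2016-09-22T15:00:01 bob ws-bob srv-db02 SUCCESS
2016-09-23T02:13:40 alice ws-alice srv-web01 SUCCESS
2016-09-23T02:14:05 alice srv-web01 srv-db01 SUCCESS
2016-09-23T02:14:30 alice srv-web01 srv-db02 SUCCESS
2016-09-23T02:15:02 alice srv-web01 srv-file01 SUCCESS
2016-09-23T02:15:40 alice srv-web01 srv-dc01 FAIL
2016-09-23T11:05:00 bob ws-bob srv-db01 SUCCESS
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+) (SUCCESS|FAIL)$")
BUSINESS_HOURS = range(7, 20)          # assumed policy: 07:00-19:59 is normal
BASELINE_UNTIL = datetime(2016, 9, 23)  # events before this form the baseline


def parse_events(text):
    """Parse log lines into dicts; malformed lines are skipped, not fatal."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        ts, user, src, dst, result = m.groups()
        events.append({"ts": datetime.fromisoformat(ts), "user": user,
                       "src": src, "dst": dst, "result": result})
    return events


def build_baseline(events, until):
    """Per-user sets of source hosts, destination hosts and active hours
    learned from successful logons before `until`."""
    base = defaultdict(lambda: {"src": set(), "dst": set(), "hours": set()})
    for e in events:
        if e["ts"] < until and e["result"] == "SUCCESS":
            b = base[e["user"]]
            b["src"].add(e["src"])
            b["dst"].add(e["dst"])
            b["hours"].add(e["ts"].hour)
    return base


def score_event(e, baseline):
    """Count the ways an event deviates from the user's baseline."""
    b = baseline.get(e["user"])
    if b is None:
        return 3, ["user has no baseline"]
    reasons = []
    if e["src"] not in b["src"]:
        reasons.append("new source host")
    if e["dst"] not in b["dst"]:
        reasons.append("new destination host")
    if e["ts"].hour not in BUSINESS_HOURS and e["ts"].hour not in b["hours"]:
        reasons.append("off-hours activity")
    if e["result"] == "FAIL":
        reasons.append("auth failure")
    return len(reasons), reasons


def lateral_movement_bursts(events, baseline, window=timedelta(minutes=5), min_hosts=3):
    """Flag a user who reaches >= min_hosts never-before-seen destinations
    within `window`; one alert per user, anchored at the first such event."""
    by_user = defaultdict(list)
    for e in events:
        b = baseline.get(e["user"])
        if b is None or e["dst"] not in b["dst"]:
            by_user[e["user"]].append(e)
    alerts = []
    for user, evs in by_user.items():
        evs.sort(key=lambda x: x["ts"])
        for i, first in enumerate(evs):
            hosts = {x["dst"] for x in evs[i:] if x["ts"] - first["ts"] <= window}
            if len(hosts) >= min_hosts:
                alerts.append((user, first["ts"], sorted(hosts)))
                break
    return alerts


def detect(text, baseline_until, threshold=2):
    """Return (flagged events, lateral-movement alerts) for the detection window."""
    events = parse_events(text)
    baseline = build_baseline(events, baseline_until)
    recent = [e for e in events if e["ts"] >= baseline_until]
    flagged = []
    for e in recent:
        score, reasons = score_event(e, baseline)
        if score >= threshold:
            flagged.append((e["ts"], e["user"], e["src"], e["dst"], reasons))
    return flagged, lateral_movement_bursts(recent, baseline)


def run_demo():
    return detect(SAMPLE_LOG, BASELINE_UNTIL)


if __name__ == "__main__":
    flagged, bursts = run_demo()
    for f in flagged:
        print("DEVIATION", *f)
    for b in bursts:
        print("LATERAL MOVEMENT", *b)
```

In the sample, alice's first off-hours logon to her usual web server scores only one deviation and stays below the threshold, while the subsequent hops from that server to database, file and domain-controller hosts each score three or more and together trip the burst rule; bob's normal daytime access to his usual database host produces nothing. The point the post makes holds here too: the rules surface candidates, and an analyst still has to decide whether alice is doing late-night maintenance or someone is using her credentials.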

Our managed security team offloads what we call the “block and tackle” of security, tasks like vulnerability management and patching, to other teams in our organization, allowing our security operations team to spend its time in your environment actively hunting for adversaries.

While a focus on detection is important, detecting an attack in the hours-to-days timeframe is only useful if a response can be mounted with the same urgency. At Rackspace, we use agreed-upon, pre-approved actions with customers that allow our security operations teams to immediately respond to an intrusion and remove the attacker from the environment before they are able to recon, pivot and ultimately damage the business.

Finally, this operation requires a deep knowledge of the environment the security operation is protecting. If the security team doesn’t know what technology they are protecting, how that technology is organized into services for the business and how important those services (and the data inside them) are, it will be handicapped in its ability to effectively reduce risk to the organization.

The response to an attack should vary based on the sophistication of the attacker, the likelihood that the tools, tactics and procedures in use will be successful and the value of the target of the attack to the business. An old defense axiom applies to cyber security as much as it does to more physical operations — if you protect everything, you protect nothing.

I have the highest respect for information security professionals. Those of us who do this work know how difficult it is to make and execute security strategy inside organizations. There are few black and white answers, and driving security strategy requires a sophisticated leadership team that understands the threat landscape and the business, paired with a set of high-level security professionals capable of delivering the required operation.

Most organizations lack the resources, in security leadership, headcount and capital, to mount the type of operation capable of detecting and remediating a modern attack. This is why we built Managed Security at Rackspace. We want to help customers think through these tough questions, then build an operation that can reduce risk to their businesses.

Contact Rackspace to find out more about security for your multi-cloud environments, from dedicated infrastructure to AWS and Microsoft Azure.