As presented on 1/31/2018 at the Cisco NYC Security Open House. These slides describe how a proper Disaster Recovery infrastructure, with automated network integration, can provide fast recovery from ransomware attacks and can improve the security of the production environment.
2. Topics
• Why Disaster-Recovery-as-a-Service (DRaaS) at a security open house?
• How does DRaaS turn into RRaaS (Ransomware-Recovery-as-a-Service)
• How do I use DRaaS to improve production security?
• How do we leverage new technology to automate it?
• How does it all change in a Hybrid IT world?
3. DDoS & Cyberattack - 2017 FUD
• 2017 global ransomware damage exceeded $5B, up from $325M in 2015
• 35% increase in number of attacks per target, Q1 to Q3 2017*
• 55% increase in attacks >10Gbps*
• 20+ reflection vectors with up to 600:1 amplification (CLDAP the newest)
• EternalRed/SambaCry *nix server exploit
• Reaper sleeper botnet: 9 exploits in D-Link, Linksys… (Mirai 2.0)
• DDoS used as a distraction from other intrusions
*Corero DDoS Trends Report 2017
4. Ransom DDoS (RDoS)
Sample extortion e-mail (Armada Collective):
We are Armada Collective.
If you haven't heard of us, use Google. Recently, we have launched some of the largest DDoS attacks in history.
Check this out, for example: https://twitter.com/optucker/status/665470164411023360 (and it was measured while we were DDoS-ing 3 other sites at the same time)
We will start DDoS-ing your network if you don't pay 20 Bitcoins @ 14sJhJTVzQBAhZ4a8o2BCb1LufxoZ7UpAT by Monday
Right now we will start a small 30 minute UDP attack on your site's IP: xx.xx.xx.xx. It will not be hard, just to prove that we are for real Armada Collective. Check your logs.
If you don't pay by Friday, a massive attack will start, the price to stop will increase to 40 BTC and will go up 2 BTC for every hour of attack.
In addition, we will be contacting affected customers to explain why they are down and recommend them to move to OVH. We will do the same on social networks
Our attacks are extremely powerful - sometimes over 1 Tbps.
Prevent it all with just 20 BTC @ 14sJhJTVzQBAhZ4a8o2BCb1LufxoZ7UpAT
Do not reply, we will not read. Pay and we will know it's you. AND YOU WILL NEVER AGAIN HEAR FROM US!
And nobody will ever know you cooperated.
5. Ransomware: Proactive solutions are not enough
Full Cyber & Business Continuity Protection has two halves:
• Proactive: Threat monitoring & mitigation
• Reactive: Disaster Recovery & IT Resiliency Orchestration
10. Webair Disaster-Recovery-as-a-Service
Platforms:
• VMware, Hyper-V
• Physical servers
• Native HCI platforms
• IBM iSeries, AIX, Mainframe (IBM i, Power, z)
• Native storage replication (Nimble, NetApp SnapMirror, EMC, Object)
Features:
• Fully Managed Failover AND Failback
• Fully Managed Quarterly testing with reporting
• 72 hours per month of DR environment usage included
• 30 Day Journal history
• 15-minute RPO SLA, 1-hour RTO SLA (synchronous replication)
• Portal Access with on-demand testing, and spin up
• Application specific failover
• Automated runbook creation, including scripting, network automation, 3rd party APIs
12. Disaster-Recovery-as-an-entry-point
• Recovery infrastructure is often ignored until needed
• Forcing a DR failover event can expose new attack vectors
• DR site security not on-par with production
• MSSP monitoring at recovery site?
• Asset, Vulnerability, Penetration testing of DR site?
14. Improve Production Security
• MSSP full accountability
• Consistent security & technology
• Reference Architecture:
• Replica of production @DR
• SIEM @ DR
• DRaaS API & Automation
• Free Usage of recovery infrastructure
• Enhanced Security:
• Replica for DLP, asset & vulnerability scanning, penetration testing
• Reduce production vulnerability exposure time
• Reduce time to remediation
15. “Usable” Ransomware Recovery
• Application-specific failover & failback
• Is it easier than paying the ransom?
• DRaaS and RRaaS are not about replicating data; they are about the network.
16. DR Network Automation & Exposure
Traditional Methods:
• MPLS, VPN, cross connects
• Internal & external route injection (iBGP/eBGP, static…)
• DNS
• Double-NAT
• L2 stretch…
• More hacks of the same kind
Security Implications:
• All security-related change control must be matched at DR (ACLs…)
• DR site must be considered a standalone “branch office”
• DR site requires feature parity to support security platforms
• A solid/proper security & DR scenario may require major changes to production (re-IP)
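The change-control point above (every ACL change in production must be matched at DR, usually across a re-IP) is exactly the kind of drift that is only discovered during a failover. The following is an added example, not part of the slides or of Webair's tooling: a small Python check that re-addresses a production ACL into the DR address plan and reports rules that are missing or extra at the DR site, flagging the subset that makes DR weaker than production. The rule syntax, the addresses and the 10.1.0.0/16 to 10.9.0.0/16 re-IP mapping are constructed for illustration and do not correspond to any vendor's configuration format.

```python
"""ACL parity check between a production firewall and its DR counterpart.

Constructed example: rule syntax, addresses and the re-IP mapping are
assumptions for illustration, not a real vendor config format.
"""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    action: str   # "permit" or "deny"
    proto: str    # "tcp", "udp", "ip"
    src: str      # CIDR, normalised
    dst: str      # CIDR, normalised
    port: str     # "443", "any", ...


def parse_acl(text):
    """Parse lines of the form 'permit tcp <src> <dst> <port>'; '#' starts a comment."""
    rules = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        action, proto, src, dst, port = line.split()
        # Normalise so that 10.1.2.10 and 10.1.2.10/32 compare equal.
        src = str(ipaddress.ip_network(src, strict=False))
        dst = str(ipaddress.ip_network(dst, strict=False))
        rules.append(Rule(action.lower(), proto.lower(), src, dst, port))
    return rules


def translate_net(cidr, mapping):
    """Re-IP a production prefix into the DR address plan.

    mapping is {prod_cidr: dr_cidr} with equal prefix lengths. Prefixes outside
    the mapping (e.g. 0.0.0.0/0 or external partner networks) are left alone.
    """
    net = ipaddress.ip_network(cidr)
    for prod, dr in mapping.items():
        p, d = ipaddress.ip_network(prod), ipaddress.ip_network(dr)
        if net.subnet_of(p):
            offset = int(net.network_address) - int(p.network_address)
            new_addr = ipaddress.ip_address(int(d.network_address) + offset)
            return str(ipaddress.ip_network(f"{new_addr}/{net.prefixlen}"))
    return cidr


def expected_dr_rules(prod_rules, mapping):
    """What the DR ACL should contain if it mirrors production after re-IP."""
    return [Rule(r.action, r.proto, translate_net(r.src, mapping),
                 translate_net(r.dst, mapping), r.port) for r in prod_rules]


def acl_drift(prod_text, dr_text, mapping):
    """Return (missing_at_dr, extra_at_dr), both in DR address space.

    A missing permit breaks the application at failover; a missing deny or an
    extra permit means the DR site is less restrictive than production.
    """
    want = set(expected_dr_rules(parse_acl(prod_text), mapping))
    have = set(parse_acl(dr_text))
    return want - have, have - want


def weakening(prod_text, dr_text, mapping):
    """Only the drift that makes DR less restrictive than production."""
    missing, extra = acl_drift(prod_text, dr_text, mapping)
    return ({r for r in missing if r.action == "deny"}
            | {r for r in extra if r.action == "permit"})


# Constructed sample configs (hypothetical addresses).
PROD_ACL = """
# production edge firewall
permit tcp 0.0.0.0/0 10.1.2.10/32 443        # public web tier
permit tcp 10.1.2.0/24 10.1.3.20/32 5432     # web -> db
deny   ip  0.0.0.0/0 10.1.3.0/24 any         # nothing else reaches db
permit tcp 203.0.113.0/24 10.1.4.5/32 22     # admin jump host from office
deny   ip  0.0.0.0/0 0.0.0.0/0 any
"""
DR_ACL = """
# DR edge firewall, re-IPed to 10.9.0.0/16
permit tcp 0.0.0.0/0 10.9.2.10/32 443
permit tcp 10.9.2.0/24 10.9.3.20/32 5432
permit tcp 0.0.0.0/0 10.9.4.5/32 22          # drift: ssh open to the world
deny   ip  0.0.0.0/0 0.0.0.0/0 any
"""
REIP = {"10.1.0.0/16": "10.9.0.0/16"}

if __name__ == "__main__":
    missing, extra = acl_drift(PROD_ACL, DR_ACL, REIP)
    for r in sorted(missing, key=str):
        print("MISSING at DR :", r)
    for r in sorted(extra, key=str):
        print("EXTRA at DR   :", r)
    for r in sorted(weakening(PROD_ACL, DR_ACL, REIP), key=str):
        print("WEAKER at DR  :", r)
```

On the sample above the check reports the db-tier deny that was never copied to DR and the SSH rule that was widened from the office prefix to 0.0.0.0/0; both are flagged as weakening. The comparison is set-based, so it ignores rule ordering; for first-match ACLs a production-grade version should also compare the sequence. Running this after every production firewall change, or as part of the quarterly DR test, turns the "DR-site security not on par with production" problem from slide 12 into a measurable item.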
17. DR Networking & Security: A better way
Using Software-Defined Perimeter tools for DRaaS automation
• e.g. AppGate, ScaleFT, NSX
• Enforces Zero-Trust security models across organization
• Abstracts security control from network architecture
• Policy based, global security
• Provides software-defined controller for automation
18. DR Networking & Security: A better way
SDP for Disaster Recovery
• Policy based failover & failback between production/DR
• No traditional network changes required to failover/back
• Network team not required for proper DR configuration
• Security guaranteed to be same at DR site
• Requirement:
• Organization must utilize the SDP software
• DRaaS provider/infrastructure must support
• 1+1 = 3
20. DR Networking & Security: Fabric
Fabric for Disaster Recovery
• Automated capacity increases to recovery site via API
• Follows your infrastructure
• Easy traffic segmentation via multiple VXCs (e.g. a dedicated VXC for replication traffic)
• Dangerous L2 stretch only enabled at recovery time (l2 overlap)
• Part of IT Resilience Orchestration
22. Hybrid IT: New Disruption Opportunities
• Non-traditional Prod/DR
• “Production” in SaaS
• Internet connectivity more important
• Hyperscale on-ramp
• IoT phone-home to SaaS
• Hosted Voice & SIP
• 3rd parties being attacked
• Cohesive Security Policies
24. Direct Access Cloud
• Cloud infrastructure privately connected to customer environments
• Cloud infrastructure which is local, low-latency, data-sovereign
• Predictable performance
• Utilize organization’s existing security policies and devices
• “Air-Gapped” cloud infrastructure
• Single point accountability
• Single network & security integration
• “Workload’s best interest at heart”
• Match Hyperscale counterparts, i.e. AzureStack
26. Webair NY1
• Tier 3 rated, SOC1, SOC2, FISMA, CJIS, HIPAA, PCI-DSS, NYS DFS 500, Open-IX Compliance
• 400 cabinet capacity, up to 8MW power
• 3 generators on-site with 7+ days worth of fuel on-site
• Hyperscale on-ramp on premises (AWS, Azure, Google)
• DDoS monitoring and mitigation on-premises
• Eco-system of managed services on-premises
• Provides native transport services to all NY metro offices and data centers
• Tax-exempt and hydro-electric “green” power allocation from NYPA
• Outside 25 mile NYC “blast zone” with Manhattan Bypass fiber routes
• BCDR seats on-premises
• LIRR train station on-premises
27. THANK YOU
Gartner Notable Vendor
Magic Quadrant Disaster-Recovery-as-a-Service, 2017
Market Guide for IT Resiliency Orchestration, 2017
Hype Cycle for Cloud Security, 2017
Hype Cycle for Business Continuity Management and IT Resilience, 2017