A New World, a New Security Approach

Cyber Operations for the New Normal

The recent explosion of cloud computing services, mobile devices and other new technologies has upended existing security paradigms.

Gone are the days of setting and forgetting the latest tools. New, sophisticated technologies and techniques have enabled our adversaries — be they advanced and persistent or simply malicious and determined — to pick the locks we had stacked around our perimeter.

In response, technology companies and innovators are building new capabilities. Yet attackers continue to find ways into enterprise environments. The sheer number of successful breaches of large, well-resourced companies and government organizations speaks for itself.

Without an effective strategy, a robust plan and the right people to execute it, security teams and the companies they seek to protect will continue to lose.

Meanwhile, the business risk of breaches continues to rise. According to Forbes, the current cost of cyber crime has reached upwards of $500 million — an amount that has quadrupled from 2013 to 2015, and is set to do so again by 2019.

These costs are closely tied to the increasing time between breach and discovery.

The exact length varies, but several recent studies place it between 150–200 days. Many breaches actually go undetected for years. This reality is often difficult to digest, but understanding and accepting it enables security teams to build a strategy to better protect businesses and fight back.

Today’s security programs cannot guarantee that a network won’t be compromised. Instead, the challenge is to understand the threat and implement controls and capabilities that protect data and effectively manage risk.

The concept of “business risk proposition” is well known to business leaders worldwide, and it accurately represents the challenge for today’s security leaders, who can no longer consider security an IT problem.

A New Approach

To address these new realities, Rackspace Managed Security has built a security operation that keeps the most effective elements of a traditional security strategy while focusing on three key areas that make it uniquely effective in today’s threat landscape:

  1. We prioritize your data and understand its value to the business.

The defensive strategies of yesterday focused on the perimeter. Today, we are laser-focused on the data. Rackspace takes an increasingly dynamic and contextualized approach to security, rooted in deep understanding of the data we are protecting and its impact on your business.

Understanding data and its associated business functions points us to the users, systems and data streams that normally interact with it. With a clear, well-informed picture of “normal,” we can tune our tooling, direct our threat intelligence and enable our cyber hunters to actively search for that which is anomalous.

  2. We’ve abandoned the traditional reactive posture triggered by alerts.

Today we begin with the assumption that an attacker has gained access to the network, and our security operations team proactively hunts it down. When we accept that traditional perimeter tooling is unlikely to be effective against an advanced attacker, we must also accept that adversaries may be active on our networks. This isn’t an indication of failure; it merely defines the battleground on which we will detect and defeat the enemy.

Fortunately for us, that battle will be fought on home territory. Cyber hunting missions are designed to identify artifacts and activity which, in isolation, appear benign but which together may indicate an attacker’s presence on the network. Using intelligence to break down an attacker’s TTPs (tactics, techniques and procedures), we can determine exactly what to look for at a granular level. Highly skilled and experienced cyber analysts can then systematically patrol the environment for any evidence that an attacker has been active, which dramatically reduces time-to-detection.

  3. We take immediate action to protect data and minimize business impact.

Too many security operations still practice a monitor-detect strategy, which is reactive in nature. This over-reliance on technology to provide an alert, and the graduated response that follows it, have exacerbated the crippling 150-200 day time-to-detect. When detection finally occurs, it is too far down the kill chain, and the resulting impact to the business is often devastating.

Rackspace Managed Security uses a catalog of preapproved actions allowing for an immediate response. Understanding our environment, knowing our priorities and having a clear appreciation of the weapons in our arsenal are all advantages the attacker does not have. We use these advantages ahead of time to plan, validate and approve the actions we must take to be effective when we identify malicious activity. Starved of time, attackers are much less likely to identify the data they seek or achieve a persistent presence in the environment.
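The three points above (baseline the data, hunt for weak signals that only mean something in combination, respond from a preapproved catalog) can be shown end to end in a few dozen lines. The following is an added example written for this page, not Rackspace code: the event format, the signal weights, the threshold and the action names are all assumptions, and the log records are constructed rather than captured from a real environment.

```python
"""
Added example (not Rackspace code): a minimal data-centric hunt.

1. Build a baseline of which (user, host) pairs normally access a sensitive
   data store, from a window of historical access records.
2. Score weak signals per host: an access outside the baseline, a newly
   registered persistence mechanism, and an outbound connection to a rare
   destination. Each alone looks benign; together they cross a threshold.
3. Map the finding to a preapproved action from a catalog decided in advance.
"""
from collections import defaultdict

# --- constructed sample data (not real telemetry) ---
# (user, host) pairs seen accessing "payroll-db" during the baseline window
HISTORY = [
    ("alice", "hr-ws-01"), ("alice", "hr-ws-01"), ("bob", "hr-ws-02"),
    ("svc-etl", "etl-01"), ("bob", "hr-ws-02"),
]

# Events from the hunt window. Field names are an assumption of this example.
EVENTS = [
    {"type": "data_access", "user": "alice", "host": "hr-ws-01", "store": "payroll-db"},
    {"type": "data_access", "user": "alice", "host": "eng-ws-17", "store": "payroll-db"},
    {"type": "persistence", "host": "eng-ws-17", "detail": "new scheduled task 'Updater'"},
    {"type": "net_conn", "host": "eng-ws-17", "dst": "203.0.113.45", "dst_seen_before": False},
    {"type": "persistence", "host": "hr-ws-02", "detail": "new scheduled task 'Backup'"},
]

# Weights for individual weak signals (assumed values). Each is plausible on its
# own; the threshold is what turns a pile of benign-looking artifacts into a finding.
SIGNAL_WEIGHTS = {
    "access_outside_baseline": 3,  # sensitive store touched from an unusual (user, host)
    "new_persistence": 2,          # scheduled task / service created
    "rare_outbound": 2,            # connection to a destination never seen before
}
THRESHOLD = 5

# Catalog of preapproved actions (hypothetical names): validated ahead of time so
# the analyst does not need sign-off in the middle of an incident.
PREAPPROVED_ACTIONS = {
    "isolate_host": "quarantine host at the network layer and preserve memory",
    "disable_account": "disable the account and revoke active sessions",
    "collect_triage": "pull process, task and connection listings for review",
}


def build_baseline(history):
    """Return the set of (user, host) pairs that normally touch the store."""
    return set(history)


def score_hosts(events, baseline):
    """Attribute weak signals to hosts and sum their weights per host."""
    hosts = defaultdict(lambda: {"score": 0, "signals": [], "users": set()})
    for ev in events:
        h = hosts[ev["host"]]
        if ev["type"] == "data_access":
            h["users"].add(ev["user"])
            if (ev["user"], ev["host"]) not in baseline:
                h["signals"].append("access_outside_baseline")
        elif ev["type"] == "persistence":
            h["signals"].append("new_persistence")
        elif ev["type"] == "net_conn" and not ev["dst_seen_before"]:
            h["signals"].append("rare_outbound")
    for h in hosts.values():
        h["score"] = sum(SIGNAL_WEIGHTS[s] for s in h["signals"])
    return dict(hosts)


def choose_action(signals):
    """Pick the preapproved action that matches the evidence on the host."""
    if "rare_outbound" in signals:            # possible C2 channel: cut it first
        return "isolate_host"
    if "access_outside_baseline" in signals:  # credential misuse without beaconing
        return "disable_account"
    return "collect_triage"


def hunt(events, baseline, threshold=THRESHOLD):
    """Return findings for hosts whose accumulated weak signals cross the threshold."""
    findings = []
    for host, info in score_hosts(events, baseline).items():
        if info["score"] >= threshold:
            findings.append({
                "host": host,
                "score": info["score"],
                "signals": sorted(set(info["signals"])),
                "users": sorted(info["users"]),
                "action": choose_action(info["signals"]),
            })
    return sorted(findings, key=lambda f: -f["score"])


if __name__ == "__main__":
    for f in hunt(EVENTS, build_baseline(HISTORY)):
        print(f"{f['host']}: score={f['score']} signals={f['signals']} "
              f"-> {f['action']}: {PREAPPROVED_ACTIONS[f['action']]}")
```

On the constructed data, hr-ws-02 registers a new scheduled task but nothing else and stays below the threshold, while eng-ws-17 combines an out-of-baseline access to the payroll store, new persistence and a never-seen outbound destination, crosses it, and is mapped straight to host isolation. The point is the structure, not the numbers: the baseline comes from knowing who normally touches the data, the weights come from TTP intelligence, and the action catalog is agreed before the hunt starts.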

Winning on the New Battleground

Delivering a robust and effective security operation in today’s threat landscape is no trivial task, and a shift in thinking is a critical first step. To be effective at managing business risk, security practitioners must become security leaders: not only capable of building a complex security operation and leading the daily fight against attackers, but also of guiding their business units and boardrooms through an increasingly complex decision-making process.

Detecting and responding effectively to today’s attackers means putting the data you are protecting at the heart of the security operation, adopting a proactive approach to detecting anomalous activity on the network and honing the ability to respond swiftly and effectively to malicious activity when it is detected.

Dangerous and sophisticated attacks are a daily challenge for security teams everywhere. An effective security strategy must deploy highly skilled analysts to actively patrol the network, guided by a thorough understanding of the data they protect and its priority to the business. They must also be agile enough to respond appropriately and immediately. Such an operation will make our adversaries’ work more complex, more expensive and more likely to fail.

This is the new normal.

Daniel Clayton served as Senior Director, Rackspace Security Operations. He oversaw all Rackspace global cyber security operations, including the Rackspace Managed Security Customer Security Operations Center and the Internal Security Operations Center. Prior to joining Rackspace, Daniel spent more than two decades with UK and US government intelligence and security services, where he developed and managed intelligence and security operations programs in multiple international locations, including SOCs within the U.S. National Security Agency and the U.K. Government Communications Headquarters.


  1. Daniel, you are spot on with your approach. The unknown threats will continue to increase in both volume and sophistication. When state-developed cyber weapons are released on the web, the urge to try them out by bad actors is impossible to overcome. And each time it is implemented, defensive tactics are observed, and the attackers up the game for the next assault.

    At CyGlass we have been implementing and refining our AI and Machine Learning technologies for over 10 years with clients in the DoD and intelligence communities. Detecting network events, then processing them through an ensemble of algorithms to focus on those areas of real concern is central to our solution. By reducing the noise of thousands of alerts, CyGlass allows the SOC personnel to implement both automated and human remediation plans.

    Keep up the good work, unfortunately it won’t get easier.

