Cloud incident response demands cloud native capabilities

Cybersecurity balances business processes, operational controls, and technology but it also entails that those solutions are controlled to properly identify and manage risks on a continuous basis. In today’s business environment security is a fundamentally functional and non-functional requirement and cannot be an afterthought where issues are chased after systems are operational. Delays, financial losses, and damaged brand equity are the fruits borne from failure. That’s why it’s vital that best practices be implemented by companies from the onset of any cloud migration strategy: backed by a robust and real-time capability to plan, investigate, and respond to all security incidents.

Offices have traditionally offered a controlled IT environment and shifting work dynamics have introduced new weaknesses, but good security practices can help make business continuity possible. Talent demands have accelerated the need to understand how employees work and to provide IT resources that fit the environment where they’re used. Some employees are even resigning from their positions if work from home isn’t indefinite; the urgency to migrate, quickly, is all too real. Cloud services support business enablement with many organizations moving away from thick clients (workstations at desks to virtualized services) and migrating their data to multi-tenant servers that have ‘shared responsibility’ models of configuration/security. The level of security and requirements must always be considered before utilizing any new technology.

According to new data, 75% of enterprises are concerned about the security of their cloud assets, data, and systems. With the average breach having the potential to cost businesses millions, it has never been more important to be able to detect, prevent, and resolve incidents as effectively and as quickly as possible. However, the cloud has a unique incident response framework, and migrations aren’t a “lift and shift process”. The cloud services landscape is quickly and ever-evolving, the sophistication of threats is growing: APIs are not secured, and some open-source used in cloud environments are inherently vulnerable when supply change risks aren’t managed.

SMBs and their DevOps/security teams are perpetually having a difficult time keeping up, and threat actors aren’t easing off. They have also observed that too often data is duplicated to insufficiently protected or even unsupervised cloud environments. It’s only natural that developers rush to get things out the door (pulling off all controls) because the pressure to keep businesses running is high and can result in shortcuts: e.g., unsecured S3 data buckets. This leaves the organization exposed to risk and vulnerable to attacks and simple data breaches. cyber incident response (IR) should always be a part of the cloud migration strategy and planning from the start for security teams to effectively meet these new challenges.

Have a Plan for That

Start by planning to factor incident response requirements into the setting up of cloud environments to ensure that your response can be automated and effectively orchestrated. There are three essential domains that must always be taken into consideration for cloud deployments: governance for ensuring regulatory compliance; visibility across multiple (and distrusted) systems, data, and endpoints; and the cloud enabling all roles and stakeholders within an organization to assume an active role within any incident response plan.

A recent McKinsey report states that “The idea is to reduce the complexity of implementation, deployment, and maintenance with components increasingly deployed on the cloud. There would be no on-site installation of a hardware appliance; instead, everything would be pre-integrated and managed through a central console.”

Investigation and Prompt Response

Cloud service providers collect valuable information that can be used for evidence assessment, acquisition, and examination during an incident response, simply by accessing available log files for analysis. They provide valuable, protected, information that will remain out of reach of the attacker, even if the cloud systems or services are attacked and compromised. Log files track the attacker’s digital trail: forensics, the attack timeline, and which systems were targeted.

All major cloud service providers offer such logging capabilities, some in a pay-per-service model, while others offer the service for free. Amazon Web Services (AWS), for example, offers multiple logging capabilities, including audit logging, security monitoring, and application monitoring. Monitoring leads to action.

Hypervisor level control is the cloud equivalent of ‘yanking out the cables’ because it’s possible to build, suspend, or delete systems in the production environment at any time when you have a hypervisor level user account. It also enables users to create snapshots of compromised instances that can be used in evidence collection during incident investigation, thus preserving the chain of custody. An integrated, cloud-based platform accelerates this process as well as overall incident response, which is exactly what the leading market research firms envision.

“The proposition [of a centralized, cloud-based security console] would likely resemble a simple and competitively priced “security-in-a-box” solution. This sort of modular product suite would bundle different products on a cloud-based platform targeted at the needs of the high-maturity customer segment,” McKinsey wrote.

Maintaining a dedicated incident response environment in the cloud achieves this objective, today. This way, when an incident occurs, responders can more easily execute short-term containment actions, such as suspending or segregating systems in production and restore systems and data from backups for reducing the duration of shutdowns and outages.

Cloudification brings with it many operational, cost, and competitive benefits, while addressing the shifting demands of supporting employees who wish to work from home on a permanent basis. It also extends the organization’s attack surface and introduces new vulnerabilities. A cloud-first approach to IR leverages the medium’s capabilities for optimizing investigations and resolutions via a native platform and is key to avoiding the risks that are built into cloud computing. Implementing these best practices will help organizations to optimize their cybersecurity posture, limit risks, and enable smoother migrations to cloud providers in an ever-evolving landscape where threat actors and exploits are becoming increasingly more sophisticated.

ON DEMAND: In this webinar, Regina Lester, Vice President of Security & Safety Operations at Toledo Zoo, will share her insights on implementing security technologies in the entertainment sector and the challenges all organizations face — large and small — when it comes to balancing budget and security.