Are You Prepared for Your Next Cloud Incident?

Cloud adoption continues to accelerate and exceed expectations year after year. Gartner expects public cloud services to grow another 21.7% in 2022, and while this is a positive direction for the industry as a whole, it creates a dramatic shift in cybersecurity risks. It also prompts a reevaluation of the solutions required to address those risks. 

The combination of ever-changing emerging technology and extremely fast adoption creates an enormous challenge for security departments trying to keep an organization secure, all the while trying not to be considered naysayers who are slowing down the transition. The challenge is twofold. On one hand, new cloud services are continuously adopted to bring in more technologies that often interconnect with each other (and frequently require substantial privileges, opening a new route for a potential supply chain attack). On the other hand, even existing cloud solutions, which have already been vetted and adopted (and, ideally, also are secured), change at a rapid pace, both at the vendor level and at the adoption level. This makes it nearly impossible for those responsible for security to keep track of all the changes and maintain a high level of security. 

Furthermore, the ease of adoption of cloud services, especially SaaS, alongside an increase in the product-led growth approach (where individual end users champion a product and expand its adoption in an organization), makes it very difficult for organizations to track their entire inventory of cloud resources and their associated risks. The challenge of shadow IT manifests itself more and makes what once was a niche problem a major risk for organizations. 

On top of all these challenges, we are facing an immense shortage of skills. The cybersecurity industry has suffered a skills shortage for years now, with an estimated 2.7 million unfilled positions worldwide. Furthermore, there are far more security practitioners who understand the traditional on-premises security challenges and solutions than those with cloud security expertise. One attempt to alleviate this shortage is trying to convert cloud experts into cloud security experts, but this just presents another angle of that same problem—with cloud expanding so rapidly, experts are in short supply as well.

Unfortunately, the result of all of this is an unprecedented increase in cyberattacks in the cloud, growing even faster than cloud adoption itself. This situation is further intensified by the pandemic-driven transition to remote work. In the first quarter of the pandemic alone, we saw cloud attacks increase 630% (!), and that number has continued to grow ever since. 

Organizations, unsurprisingly, are not prepared for this immense increase in incidents. Many are still building their incident response (IR) practice to begin with; that practice is usually focused on on-premises environments and combines in-house IR for lower-severity incidents with some form of retainer with a large IR firm for higher-severity events. What is almost universally true, even for organizations with a mature IR practice, is that only the traditional on-premises IR capabilities are mature, for both internal and external incident responders.

Unfortunately, what organizations are now discovering is that cloud IR is, in fact, quite different in several key ways: 

  • Cloud attacks are different. There is less focus on malware and host attacks and more focus on the abuse of functionality and cross-resource propagation. Incident responders who are not familiar with cloud-specific attacks will struggle to identify them. 
  • Forensics investigation is quite different in the cloud. Forensics is focused more on tracking activity across cloud resources and applications rather than on host and endpoint forensics. It also relies far more on what the cloud vendors provide than on an organization’s own software and hardware, and it requires different tools and skillsets (and, of course, a solid understanding of cloud security). 
  • Insufficient or missing forensics data may be one of the most difficult challenges. Some of the missing data may be due to limitations imposed by the cloud provider or simply due to short default retention times (often no more than 90 days). In other cases, it may be inherent to the technology—for instance, a Kubernetes pod that was breached cannot be investigated a few days later, when it has already been destroyed as part of ordinary operations. 
  • Extreme interconnectivity. As adoption grows in companies, the cloud becomes increasingly interconnected and it is much more difficult to contain and isolate an incident without shutting down the entire organization.
  • Skills shortages. Incident responders who understand the cloud well and also can deploy IR in those environments are very rare. 

Given these challenges, it’s time to start building readiness for cloud incidents in your organization. Here are five tips for organizations that want to start this journey:

  1. Awareness—The first step is acknowledging and understanding that there is a security gap and that it must be addressed. This includes stakeholders at every level, from top management to the people holding the line in the security operations center. 
  2. Forensics Data Retention—One of the biggest challenges in cloud forensics is the availability of data; therefore, organizations must collect forensics data and retain it for future investigations. 
  3. Cloud-Specific IR Plans, Playbooks and Tabletop Exercises—Many traditional IR plans are unsuitable for a cloud incident. Organizations need to adapt those plans to cover these types of incidents. 
  4. Hire, Train and Exercise—While the shortage of skills is real, there is no alternative to putting in the work to mitigate this problem. You must invest in hiring cloud security experts in parallel with training and drilling your existing staff to become cloud security experts as well. 
  5. Require Cloud IR Expertise—Make sure that your IR partner and the people assigned to you for future incidents really understand cloud IR and can support you in your next major incident. 

Cloud adoption is continuing to increase, as is the innovation that is fueling the shift to these services. Preparing for new challenges and attacks in cloud environments is a critical step for organizations seeking to improve their security posture today and for the future.

Ofer Maor

Ofer Maor is a leading technology expert and entrepreneur with over twenty years of experience in information technology and security. In the past two decades, Ofer has helped successful security companies build and deliver technology innovation and products. His responsibilities have ranged from hands-on technology research, development, networking, IT and (ethical) hacking, through product building, strategy, marketing and sales, all the way to M&A of multiple companies. In his current position at Mitiga, Ofer is reshaping how organizations prepare for and deal with breaches, focusing on the new era of attacks across cloud, multi-cloud and hybrid-cloud environments. In the last few years, Ofer was part of an exciting journey with Synopsys (SNPS) to become the leader in Software Security & Quality through the acquisition and integration of various leading technologies and solutions in this space. This journey offered him a unique point of view into how technologies are built, sold and achieve market domination. Prior to Synopsys, Ofer founded several security technology companies. As Founder and CTO of Seeker, since acquired by Synopsys, Ofer pioneered IAST, the next generation of application security testing technology, currently used by some of the largest organizations in the world to continuously improve their software security. Prior to Seeker, Ofer was the Founder and CTO of Hacktics, a world-leading security services group, later acquired by Ernst & Young. Ofer was previously the leader of Imperva's Application Defense Center research group and has also served as the Chairman of OWASP Israel and on the OWASP Global Membership Committee.