
Security Incident Response in the Cloud: A Few Ideas

This quick blog is essentially a summary of our (joint with Marshall from Mandiant) Google Cloud Next 2022 conference presentation (video) and a pointer to a just-released podcast on the same topic — security incident response (IR) in public cloud.

In our Next presentation, we only had 18.5 minutes to present a few fun and insightful things about security incident response in the cloud.

Here’s what we decided. We focused on three challenges that we observed with organizations preparing for security incident response in the cloud. These are:

  • Skills: Cloud IR requires both solid security incident response skills and equally solid cloud native technologies skills
  • Joint nature: Many (but not all) cloud incidents will involve a CSP, and many will involve a client, a cloud provider and one or more security service providers.
  • Data: In many cases, telemetry, logs, traces data won’t be available or won’t be available via familiar mechanisms.

Next, we decided to focus on critical differences as well as similarities — no less critical — between security incident response on premise and in public cloud.

Now, if you want a one-line summary, the similarities mostly stem from the facts that the threat actors ultimately need to achieve their goals, and that responders need to know the environment to respond well (Duh, no brainer? Perhaps, but it affects how you do IR).

Here are the similarities:

  • Data preservation requirements.
  • Comprehensive understanding of the environment.
  • Standard investigative techniques have not changed.
  • Log data needs to be retained, normalized, and analyzed. Time Zones and time skew must be addressed.
  • Each incident is different.

Similarly, the differences mostly stem from the fact that cloud technology is often different, and operational practices for the teams behind cloud environments are different as well. As a side note, while people want to focus on logs from cloud services and containers, the fact is that cloud environments are simply run differently, and jointly with your cloud provider partner, and that affects IR quite a lot.

Here are the differences:

  • Ephemeral & dynamic nature of the cloud.
  • Deep technical expertise of cloud native services required.
  • Different baseline and norms.
  • Log data retention, understanding, context and volume.
  • Reliant on CSP & customer for relevant data.

Please watch the video and listen to the podcast. By the way, they cover completely different things, and in the podcast specifically, we share some deep secrets of how Google does IR in the cloud …

Security Incident Response in the Cloud: A Few Ideas was originally published in Anton on Security on Medium, where people are continuing the conversation by highlighting and responding to this story.

*** This is a Security Bloggers Network syndicated blog from Stories by Anton Chuvakin on Medium authored by Anton Chuvakin. Read the original post at: https://medium.com/anton-on-security/security-incident-response-in-the-cloud-a-few-ideas-ce38371a5412?source=rss-11065c9e943e------2