Best Practices for Improving Cloud Incident Response in 2021
According to a recent report, 75% of enterprises are concerned about the security of their cloud assets, data, and systems. With the average global cost of a data breach coming in at $3.86 million, it has never been more important to be able to detect, prevent, and resolve incidents as effectively and as quickly as possible.
But doing so can be very challenging. The cloud landscape is evolving rapidly, threats are growing more sophisticated, APIs are frequently left unsecured, and the open-source components used in cloud environments carry vulnerabilities of their own.
This makes it difficult for DevSecOps, DevOps, and security teams to keep up, and threat actors have taken notice. They have also observed that too often data is duplicated to insufficiently protected or even unsupervised cloud environments. This leaves the organization exposed to risk and vulnerable to attacks.
To overcome this challenge, improve incident response, and bolster the organization’s security posture, teams must embrace a cloud-first security mindset when planning incident response processes, investigating incidents, and responding to them.
Let’s take a closer look at the key pillars of this cloud-first mindset.
1. Planning
“Migrating systems to the cloud is not a lift-and-shift process – which also applies to the incident response process. Cloud is a different realm altogether, and expectedly, cloud incident response is too.” (Cloud Security Alliance)
Incident response should be part of the cloud migration strategy and planning from the outset. Otherwise, the response pattern will follow a reactive vs. a proactive path, which leads to delayed resolutions, financial loss, and potential damage to brand equity.
Accordingly, incident response requirements must be factored in when cloud environments are set up, so that response can be automated and effectively orchestrated.
Three domains in which cloud security differs strongly from on-prem, and which must be taken into consideration during the cloud planning phase, are:
- Governance for assuring regulatory compliance
- Visibility across multiple and distributed systems, data, and endpoints
- Shared responsibility, with cloud as an enabler for all roles and stakeholders in the organization
2. Investigation
Leveraging the operational log files provided by the cloud service provider, for example, gives users insight not only into service operations but also into security incidents.
When investigating an incident, these logs provide valuable information that remains out of reach of the attacker. Even if the cloud systems or services are attacked and compromised, the log files are protected and therefore cannot be deleted.
Logs also help responders identify the IP address of the attacker, the attack timeline, and which systems were targeted.
Note that all major cloud service providers offer such logging capabilities, some in a pay-per-service model, while others offer the service for free. Amazon Web Services (AWS), for example, offers multiple logging capabilities, including CloudTrail for audit logging, GuardDuty for security monitoring, and CloudWatch for application monitoring.
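As an added illustration of the three uses just listed (attacker IP, attack timeline, targeted systems), the following script parses CloudTrail-style records into a time-ordered timeline and groups the services touched by each source IP. It is example code written for this article, not tooling from AWS or the original author; the records are constructed sample data with invented values. Because CloudTrail exposes calls such as StopLogging and DeleteTrail that weaken the audit trail, the script also flags those as tampering indicators worth escalating.

```python
import json
from collections import defaultdict
from datetime import datetime

# Constructed sample CloudTrail records (not from any real account). Field names
# follow the CloudTrail record layout; every value is invented for illustration.
SAMPLE_CLOUDTRAIL = json.dumps({"Records": [
    {"eventTime": "2021-03-01T10:02:11Z", "eventSource": "iam.amazonaws.com",
     "eventName": "ListUsers", "sourceIPAddress": "198.51.100.23",
     "userIdentity": {"userName": "ci-deploy"}, "requestParameters": None},
    {"eventTime": "2021-03-01T10:05:40Z", "eventSource": "ec2.amazonaws.com",
     "eventName": "RunInstances", "sourceIPAddress": "198.51.100.23",
     "userIdentity": {"userName": "ci-deploy"},
     "requestParameters": {"instanceType": "p3.16xlarge"}},
    {"eventTime": "2021-03-01T10:07:02Z", "eventSource": "cloudtrail.amazonaws.com",
     "eventName": "StopLogging", "sourceIPAddress": "198.51.100.23",
     "userIdentity": {"userName": "ci-deploy"},
     "requestParameters": {"name": "org-trail"}},
    {"eventTime": "2021-03-01T09:58:00Z", "eventSource": "s3.amazonaws.com",
     "eventName": "GetObject", "sourceIPAddress": "10.0.4.17",
     "userIdentity": {"userName": "backup-svc"},
     "requestParameters": {"bucketName": "reports"}},
]})

# CloudTrail API calls that stop or alter audit logging. Seeing one of these
# during an incident is a strong tampering signal and should be escalated.
LOG_TAMPERING = {"StopLogging", "DeleteTrail", "UpdateTrail", "PutEventSelectors"}

def build_timeline(raw_json):
    """Return (timeline, per_ip): events sorted by eventTime, and a map from
    each source IP to the set of AWS services it called."""
    records = json.loads(raw_json)["Records"]
    timeline = sorted(records, key=lambda r: datetime.strptime(r["eventTime"], "%Y-%m-%dT%H:%M:%SZ"))
    per_ip = defaultdict(set)
    for r in timeline:
        per_ip[r["sourceIPAddress"]].add(r["eventSource"].split(".")[0])
    return timeline, dict(per_ip)

def tampering_events(timeline):
    """Events in the timeline that attempt to stop or alter the audit trail."""
    return [r for r in timeline if r["eventName"] in LOG_TAMPERING]

if __name__ == "__main__":
    tl, ips = build_timeline(SAMPLE_CLOUDTRAIL)
    for r in tl:
        print(r["eventTime"], r["sourceIPAddress"], r["userIdentity"]["userName"], r["eventName"])
    print("services per source IP:", ips)
    print("log tampering:", [r["eventName"] for r in tampering_events(tl)])
```

On real data, point the same functions at the records in a downloaded CloudTrail log file; the per-IP grouping quickly separates routine internal activity from an unfamiliar external address.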
Hypervisor-level control
Another feature of cloud computing that can aid in the response effort is hypervisor-level control. A cloud environment is comprised of virtual machines (VMs), and the hypervisor is the software that controls these VMs. When users have a hypervisor-level account, they can build, suspend, or delete systems in the production environment at any time.
In the case of an incident, having hypervisor-level control also enables them to create snapshots of compromised instances that can be used in evidence collection during incident investigation.
3. Response & containment
With the goal of accelerating cloud incident response, it is recommended to maintain a dedicated incident response environment in the cloud. This way, when an incident occurs, responders can more easily execute short-term containment actions, such as suspending or segregating systems in production, and restore systems and data from backups to reduce the duration of shutdowns and outages.
Meeting the cloud-first IR mandate
Cloudification brings with it many operational, cost, and competitive benefits. At the same time, it also extends the organization’s attack surface and introduces new vulnerabilities. The key to avoiding the risk and bolstering IR capabilities is to adopt a cloud-first approach to planning IR and to leverage the capabilities built into cloud computing for optimizing investigations and resolutions.