Security Incident Response in the Cloud: Some Ideas | Techno Glob


This quick blog is essentially a summary of our (joint with Marshall at Mandiant) Google Cloud Next 2022 conference presentation (video) and a pointer to a recently released podcast on the same topic — Security Incident Response (IR) in the Public Cloud.

In our Next presentation, we had only 18.5 minutes to present a few fun and insightful things about security incident response in the cloud.

Here is what we decided. We focused on three challenges we observed with organizations preparing for security incident response in the cloud:

  • Skills: cloud IR requires solid security incident response skills and equally solid cloud-native technology skills.
  • Joint nature: many (but not all) cloud incidents will involve a CSP, and many will involve the client, the cloud provider, and one or more security service providers.
  • Data: in many cases, telemetry, log and trace data will not be available, or will not be available through familiar mechanisms.

Next, we decided to focus on the critical differences, as well as the no less critical similarities, in security incident response between on-premises and public cloud environments.

Now, if you want a one-line summary: the similarities stem mostly from the fact that threat actors still need to achieve their objectives, and responders still need to know the environment in order to respond well (which affects how you do IR).

Here are the similarities:

  • Data protection requirements.
  • A comprehensive understanding of the environment.
  • Standard investigative techniques have not changed.
  • Log data needs to be retained, normalized and analyzed. Time zones and time skew must be addressed.
  • Every event is different.

Similarly, the differences stem mainly from the fact that cloud technologies are often different, and the operational methods of the teams running such environments are also different. As a side note, while people may want to focus on logs from cloud services and containers, the bigger point is that the environment is simply run differently, and jointly with your cloud provider partner, and this has a huge impact on IR.

Here are the differences:

  • Transient and dynamic nature of the cloud.
  • Requires deep technical expertise in cloud-native services.
  • Different baselines and norms.
  • Log data retention, understanding, context and volume.
  • Dependence on the CSP and the customer for relevant data.

Please watch the video and listen to the podcast. By the way, they cover completely different things, and in the podcast especially we share some deep secrets about how Google does IR in the cloud …

Security Incident Response in the Cloud: A Few Ideas was originally published by Anton on Security on Medium, where people are continuing the conversation by highlighting and responding to this story.

*** This is a Security Bloggers Network syndicated blog written by Anton Chuvakin, from Stories by Anton Chuvakin on Medium. Read the original post here: https://medium.com/anton-on-security/security-incident-response-in-the-cloud-a-few-ideas-ce38371a5412?source=rss-11065c9e943e—- -2
