Incident Detection and Response in the Cloud

Written by Lior Zatlavi, Senior Cloud Security Architect, Ermetic.

Cloud technology is not the future of business. Not anymore; now it’s the present. Businesses born today are often cloud-native, and older businesses are migrating their workloads to the cloud, looking for agility and efficiency.

This has some implications for security, now that everyone can access the cookie jar. On-premise systems kept a tight lid on that jar, with a separation of powers between IT in charge of the equipment—the hardware and operating systems—and development staff supplying their code. As cloud services replace those on-premise data centers, these tasks are now distributed across the cloud infrastructure.

This distributed architecture changes a lot of the ways we handle Incident Detection and Response (IDR). Incidents in the cloud are different in nature and the challenges they pose for defenders are also different than those they grew used to working with on-premise systems.

Unlike data centers, cloud infrastructures are dynamic and always changing. With thousands of configuration settings that need to be managed, many things can go wrong. Misconfigurations and vulnerabilities can arise as a result, and being online, attackers only need to scan the Internet looking for those vulnerabilities to find an attack point.

While the adversaries can exploit various attack vectors, effective protection depends on identity, the most important layer of protection in the post-perimeter world. That’s because attackers are often just a permission away from having the access to manipulate pretty much whatever they want.

These factors all contribute to spark the growth of data breaches and incidents in the cloud, while also making it more difficult to secure those workloads. In the event of a breach, a defender in an on-premise system can take the server apart for forensic investigation; the company has all the data. Without physical access to servers, defenders in a cloud-based system don't always have control over what kind of data they will have access to or if what they are looking for even exists. They must depend on the cloud vendor holding the data to remediate problems, perform forensic analysis, and other tasks.

Defenders are also outnumbered. The shortage of cybersecurity talent is more than a talking point, it’s a reality. The cloud is still a relatively new technology, not quite 20 years old, so there are few people who have extensive experience. Companies that want to hire defenders for cloud infrastructure, have to compete not only with other enterprises, but with vendors and other organizations. There are not enough experts who understand cloud security, especially across multiple clouds such as AWS, Azure and Google.

Fortunately, for all the challenges, the cloud also offers some solutions. There are controls in the cloud environment that didn’t exist in on-premise systems; everything is data that can be processed to extract intelligence, and recovery can be extremely fast -- just run a script and you have new infrastructure.

So how can cloud-based organizations leverage their environment to face these new IDR challenges? A few best practices can help.

• Asset Management: The foundation of a good incident response plan is a well designed cybersecurity strategy, which at its core provides deep visibility into the environment. Know what you need to protect and monitor, and how to respond. What are the critical assets in your environment and what are the potential attack vectors for them? What could be the blast radius from a breach in a certain point? This requires a continuous, autonomous process, to keep pace with quickly changing environments.
• Prevention: The easiest security incidents to respond to are those that are prevented. Therefore, routinely perform "assessment projects" across the infrastructure to address low hanging issues such as eliminating the use of static credentials or removing unnecessary public internet access. These projects not only reduce risk exposures, they also provide visibility into cloud infrastructure and help forge relationships with relevant stakeholders.
• Least Privilege: It’s almost a cliché that identity is the new perimeter, but it’s true. Managing identity and permissions is more complicated in the cloud and it’s easy to get them wrong. Having the ability to set the right kind of permissions for identities is the backbone for containing the scale of attacks, since excessive permissions enable adversaries to move laterally. While much of the focus is placed on permissions for human accounts, machine identities are just as important, if not more important, to protect. Matching the right access permissions with user accounts, whether human or machine, is central to maintaining a good security posture.
• Relationships: Tightening security controls can result in some pushback; it carries costs and can inconvenience some users. Nevertheless having a security strategy which is clear and easy to articulate, and building relationships with other stakeholders can help. For example, building relationships with the R&D organization will help in the event of an incident. You can’t build relationships while putting out fires.
• Playbook: Build a playbook that contains the scenarios the organization is prepared to respond to and provide details on the role of every stakeholder. The playbook has to be verified and coordinated with all stakeholders, and also tested in war game exercises which should be logged and archived for access later.

The cloud offers the capabilities needed for quick recovery from security incidents, if you have a well designed and tested recovery plan. This includes having the backups, data and other resources available in order to meet time to recovery goals.

About the Author

Lior Zatlavi is Senior Cloud Security Architect at Ermetic. He has more than 15 years of experience in cybersecurity, working for the Israeli government and with the elite cybersecurity unit of the Israel Defense Forces (IDF). Lior is a Certified Information Systems Security Professional (CISSP), has a Master of Science in Electrical Engineering from Tel Aviv University, and a Bachelor of Science in Applied Mathematics from Bar Ilan University.