Cloud incident response: Frameworks and best practices – TechTarget

Incident response planning and the development of incident handling procedures are core to any effective information security program. As enterprise cloud use becomes more ubiquitous, it's more important than ever to include the cloud in the incident response process.

Incident response, in general, encompasses plans, processes and controls that help organizations prepare for, detect, analyze and recover from an incident.

Cloud incident response is no different. Organizations still need plans, procedures and controls that facilitate incident detection and response actions. The infrastructure, however, has changed. Many organizations use cloud service providers (CSPs) for private and public cloud deployments, as well as a variety of SaaS, IaaS and PaaS systems. How cloud incident response is done, therefore, has some unique differences.

Cloud deployments operate under the shared responsibility model, which means some assets and services in the cloud are wholly or partially managed by the CSP. If an organization experiences an intrusion in a SaaS application, for example, its incident response efforts may stall because investigation capabilities are limited and the provider exposes little visibility or telemetry related to events and indicators of compromise. In a more diverse IaaS environment, by contrast, many objects and assets are under the customer's control and are largely the customer's responsibility to monitor and investigate.

Another difference is that many of the security tools and controls teams rely on in on-premises data centers are not always a good fit for cloud environments. Some are incompatible, for example, or have implementation or performance challenges. Others are not attuned to cloud API calls and cloud operating models, so they cannot place attacks and intrusion indicators in context: in the cloud, the control-plane API log is often the primary evidence source, and detection logic has to be written against it.
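The point about API-aware detection is easier to see in code. The following is an added example, not code from the TechTarget article or from any vendor product: it runs a handful of detection rules over CloudTrail-shaped records (console login without MFA, an access key created for a different user than the caller, audit-trail tampering, and a burst of AccessDenied responses from one principal). The events are constructed sample data whose field names follow AWS CloudTrail; the user names, IP addresses and trail name are made up.

```python
"""Detect cloud-intrusion indicators in CloudTrail-style API event records.

Added example; not code from the TechTarget article or from any vendor tool.
The records below are constructed sample events shaped like AWS CloudTrail
entries (field names follow CloudTrail; user names, IPs and trail names are
made up). Feed real events in as a list of dicts.
"""
import json
from collections import Counter


def _denied(n, ip="198.51.100.7"):
    """Constructed burst of AccessDenied calls from one assumed role (enumeration)."""
    return [
        {"eventTime": f"2024-03-01T10:1{i}:00Z", "eventSource": "s3.amazonaws.com",
         "eventName": "ListBuckets", "sourceIPAddress": ip, "errorCode": "AccessDenied",
         "userIdentity": {"type": "AssumedRole", "userName": "ci-runner"}}
        for i in range(n)
    ]


SAMPLE_EVENTS = [
    # Successful console login with no MFA.
    {"eventTime": "2024-03-01T10:00:01Z", "eventSource": "signin.amazonaws.com",
     "eventName": "ConsoleLogin", "sourceIPAddress": "203.0.113.10",
     "userIdentity": {"type": "IAMUser", "userName": "alice"},
     "additionalEventData": {"MFAUsed": "No"},
     "responseElements": {"ConsoleLogin": "Success"}},
    # Benign: login with MFA.
    {"eventTime": "2024-03-01T10:00:30Z", "eventSource": "signin.amazonaws.com",
     "eventName": "ConsoleLogin", "sourceIPAddress": "203.0.113.55",
     "userIdentity": {"type": "IAMUser", "userName": "bob"},
     "additionalEventData": {"MFAUsed": "Yes"},
     "responseElements": {"ConsoleLogin": "Success"}},
    # alice mints an access key for a *different* user: persistence.
    {"eventTime": "2024-03-01T10:02:14Z", "eventSource": "iam.amazonaws.com",
     "eventName": "CreateAccessKey", "sourceIPAddress": "203.0.113.10",
     "userIdentity": {"type": "IAMUser", "userName": "alice"},
     "requestParameters": {"userName": "backup-svc"}},
    # alice switches the audit trail off: defense evasion.
    {"eventTime": "2024-03-01T10:03:40Z", "eventSource": "cloudtrail.amazonaws.com",
     "eventName": "StopLogging", "sourceIPAddress": "203.0.113.10",
     "userIdentity": {"type": "IAMUser", "userName": "alice"},
     "requestParameters": {"name": "org-trail"}},
    # Benign read call.
    {"eventTime": "2024-03-01T10:05:00Z", "eventSource": "ec2.amazonaws.com",
     "eventName": "DescribeInstances", "sourceIPAddress": "203.0.113.55",
     "userIdentity": {"type": "IAMUser", "userName": "bob"}},
] + _denied(5)

# API calls that blind the responder; a successful one is an indicator on its own.
LOG_TAMPERING = {"StopLogging", "DeleteTrail", "UpdateTrail", "PutEventSelectors", "DeleteFlowLogs"}
DENIED_CODES = {"AccessDenied", "Client.UnauthorizedOperation"}


def principal(ev):
    """Stable label for the calling identity, e.g. 'IAMUser/alice'."""
    ident = ev.get("userIdentity", {})
    return f'{ident.get("type", "?")}/{ident.get("userName") or ident.get("arn", "?")}'


def detect(events, denied_threshold=5):
    """Return a list of findings; each carries the rule, the principal and the event time."""
    findings = []
    denied = Counter()  # AccessDenied count per principal
    for ev in events:
        who, name, when = principal(ev), ev.get("eventName"), ev.get("eventTime")
        extra = ev.get("additionalEventData") or {}
        resp = ev.get("responseElements") or {}
        params = ev.get("requestParameters") or {}

        if name == "ConsoleLogin" and resp.get("ConsoleLogin") == "Success" and extra.get("MFAUsed") == "No":
            findings.append({"rule": "console-login-without-mfa", "principal": who, "time": when,
                             "ip": ev.get("sourceIPAddress")})

        caller = ev.get("userIdentity", {}).get("userName")
        if name == "CreateAccessKey" and params.get("userName") and params["userName"] != caller:
            findings.append({"rule": "cross-user-access-key", "principal": who, "time": when,
                             "target": params["userName"]})

        if name in LOG_TAMPERING and not ev.get("errorCode"):
            findings.append({"rule": "trail-logging-tampered", "principal": who, "time": when, "detail": name})

        if ev.get("errorCode") in DENIED_CODES:
            denied[who] += 1
            if denied[who] == denied_threshold:  # fire once per principal, not once per call
                findings.append({"rule": "access-denied-burst", "principal": who, "time": when,
                                 "count": denied_threshold})
    return findings


if __name__ == "__main__":
    for finding in detect(SAMPLE_EVENTS):
        print(json.dumps(finding))
```

Run against the sample data this reports four findings and ignores the two benign records. The rules key on CloudTrail-specific fields (`userIdentity`, `additionalEventData.MFAUsed`, `errorCode`) that a host- or network-centric on-premises tool never sees, which is the gap the paragraph above describes; thresholds and the list of tampering calls are starting points to tune per environment.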

A third difference is that the entire cloud fabric is software-defined, so more emphasis falls on cloud-native services as guardrails and as critical elements of the incident response workflow, with automation and orchestration taking the primary role: containment steps that would be manual in a data center (isolating a host, snapshotting a disk) are API calls in the cloud and can be scripted into a runbook. Finally, new costs can arise from cloud log and event generation, as well as from cloud security services.
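As an added illustration of that automation point (this is example code, not from the TechTarget article or any CSP tooling), the runbook below contains a compromised EC2 instance in the order a responder wants: tag the asset for the case, snapshot its volumes, protect it from termination, and only then swap its security groups for a quarantine group. It is written against the boto3 EC2 client calls `describe_instances`, `create_tags`, `create_snapshot` and `modify_instance_attribute`; the `FakeEC2` class is a constructed in-memory stand-in so the runbook runs offline, and the instance, volume, security-group and case IDs are made up.

```python
"""Automated containment runbook for a compromised EC2 instance.

Added example; not code from the TechTarget article or from AWS. The runbook
targets the boto3 EC2 client API. FakeEC2 is a constructed stand-in so the
runbook can be exercised offline; all IDs below are made up. With a real
client: contain_instance(boto3.client("ec2"), "i-...", "sg-...", "IR-1234").
"""
from datetime import datetime, timezone


class FakeEC2:
    """Minimal in-memory imitation of the boto3 EC2 client methods the runbook uses."""

    def __init__(self, instance_id, volume_ids, group_ids):
        self.instances = {instance_id: {
            "InstanceId": instance_id,
            "BlockDeviceMappings": [{"DeviceName": f"/dev/xvd{chr(97 + i)}", "Ebs": {"VolumeId": v}}
                                    for i, v in enumerate(volume_ids)],
            "SecurityGroups": [{"GroupId": g} for g in group_ids],
            "Tags": []}}
        self.snapshots = []
        self.calls = []  # ordered record of API calls, used to verify the runbook's sequencing

    def describe_instances(self, InstanceIds):
        self.calls.append("describe_instances")
        return {"Reservations": [{"Instances": [self.instances[i] for i in InstanceIds]}]}

    def create_tags(self, Resources, Tags):
        self.calls.append("create_tags")
        for r in Resources:
            self.instances[r]["Tags"].extend(Tags)
        return {}

    def create_snapshot(self, VolumeId, Description):
        self.calls.append("create_snapshot")
        snap = {"SnapshotId": f"snap-{len(self.snapshots):08x}", "VolumeId": VolumeId,
                "Description": Description}
        self.snapshots.append(snap)
        return snap

    def modify_instance_attribute(self, InstanceId, **kwargs):
        self.calls.append("modify_instance_attribute")
        inst = self.instances[InstanceId]
        if "Groups" in kwargs:
            inst["SecurityGroups"] = [{"GroupId": g} for g in kwargs["Groups"]]
        if "DisableApiTermination" in kwargs:
            inst["DisableApiTermination"] = kwargs["DisableApiTermination"]["Value"]
        return {}


def contain_instance(ec2, instance_id, quarantine_sg, case_id):
    """Preserve evidence first, then isolate. Returns a record for the case file."""
    inst = ec2.describe_instances(InstanceIds=[instance_id])["Reservations"][0]["Instances"][0]
    started = datetime.now(timezone.utc).isoformat()

    # 1. Tag the asset so nobody "cleans it up" while the investigation runs.
    ec2.create_tags(Resources=[instance_id], Tags=[
        {"Key": "ir:case", "Value": case_id},
        {"Key": "ir:status", "Value": "quarantined"},
    ])
    # 2. Snapshot every attached volume BEFORE changing anything the attacker can observe.
    snapshot_ids = []
    for mapping in inst.get("BlockDeviceMappings", []):
        vol = mapping.get("Ebs", {}).get("VolumeId")
        if vol:
            snap = ec2.create_snapshot(VolumeId=vol, Description=f"{case_id} evidence {instance_id} {vol}")
            snapshot_ids.append(snap["SnapshotId"])
    # 3. Block termination; volatile state on the instance is still of interest.
    ec2.modify_instance_attribute(InstanceId=instance_id, DisableApiTermination={"Value": True})
    # 4. Network isolation: replace all security groups with the quarantine group
    #    (assumed to exist in the same VPC and to admit only the forensic collector).
    original_sgs = [g["GroupId"] for g in inst.get("SecurityGroups", [])]
    ec2.modify_instance_attribute(InstanceId=instance_id, Groups=[quarantine_sg])

    return {"case_id": case_id, "instance_id": instance_id, "started": started,
            "snapshots": snapshot_ids, "original_security_groups": original_sgs,
            "quarantine_security_group": quarantine_sg}


if __name__ == "__main__":
    fake = FakeEC2("i-0123456789abcdef0", ["vol-0aaa", "vol-0bbb"], ["sg-web", "sg-ssh"])
    print(contain_instance(fake, "i-0123456789abcdef0", "sg-quarantine", "IR-1234"))
    print(fake.calls)
```

The returned record (original security groups, snapshot IDs, start time) is what lets the action be reversed and documented later. Two caveats the code comments only hint at: EBS snapshots are crash-consistent, not a memory image, so capture memory separately if the playbook needs it, and the quarantine security group has to be created in advance in each VPC, since the runbook cannot isolate an instance with a group that does not exist there.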

The benefits of building a cloud incident response function are many, especially as growth in cloud deployments continues. The worst time to figure out how to respond to an incident is during an incident, so preparation is key. Having a sound cloud incident response strategy in place ensures teams can quickly and effectively respond to security incidents, which, in turn, means the following:

The top challenges of cloud incident response include the following:

Incident response frameworks from NIST, ISO and SANS Institute, while not cloud-specific, are often used by organizations to create an incident response plan.

The Cloud Security Alliance offers a cloud-specific framework, which outlines the following four key phases:

The following best practices should be considered when building and executing cloud incident response strategies:

Dave Shackleford is founder and principal consultant with Voodoo Security; a SANS analyst, instructor and course author; and GIAC technical director.

Continue reading here:
Cloud incident response: Frameworks and best practices - TechTarget
