
Best practices for incident response in the age of cloud

Rishi Bhargava, co-founder and VP, Demisto | Sept. 5, 2016
Having an incident response platform can help internal and external teams collaborate, track incident response processes and automate key security tasks

This vendor-written tech primer has been edited by Network World to eliminate product promotion, but readers should note it will likely favor the submitter’s approach.

Most CISOs receive a rude awakening when they encounter their first major security issue in the cloud. If they identify a critical vulnerability that requires a patch, they may not be authorized to modify the cloud provider's pre-packaged stack. And because the customer does not own the underlying network, network-level details that are critical to investigating an incident may simply be unavailable to them.

An incident response plan will not prevent a major security issue in the cloud, but it is what lets a CISO handle one, so it must exist before the first incident. Here is how to build one:

1.  Establish a joint response plan with the cloud provider. Ideally before you move to the cloud, establish a joint response process with the provider. Responsibilities and roles should be clearly defined, and contact information for primary and secondary contacts should be exchanged. Obtain a detailed explanation of what triggers the provider's incident response and how the provider will manage different kinds of issues.

2.  Evaluate the monitoring controls and security measures that are in place in the cloud. To respond effectively to security issues in cloud infrastructure, you need to understand what monitoring and security measures the cloud provider has in place and what access you have to those tools and their data. If you find they are insufficient, look for ways to deploy supplemental controls of your own.

3.  Build a recovery plan. Decide whether recovery will be necessary in the event of a provider outage. Create a recovery plan that defines whether to use an alternate provider or internal assets as well as a procedure to collect and move data.

4.  Evaluate forensic tools for cloud infrastructure. Find out what tools are available from the cloud provider or from other sources for conducting forensics in case of an incident. If the incident involves personally identifiable information (PII), it can quickly turn into a legal and compliance matter, so having appropriate tools for forensics and evidence tracking, with a defensible chain of custody, is essential.

Handling an incident in the cloud

Many incident response steps are similar whether you are dealing with the cloud or a local installation. However, there are some additional steps you may need to take in the case of a cloud incident:

  • Contact your provider's incident response team immediately, and be persistent in your communications. If the provider's team cannot be reached, do everything you can on your end to contain the incident, such as restricting network connections to the cloud service and revoking user access and credentials for the service in question.
  • If the incident cannot be controlled or contained, prepare to move to an alternate service or set up an internal server.
  • The cloud lets you defer full identification and eradication until production is restored: in most cases you can bring up a fresh instance immediately. Do not terminate the compromised instance to do so. Isolate it and snapshot its volumes first, because it is your primary evidence, and make sure the replacement does not redeploy the same configuration that was compromised.
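As an added example (not code from the article or from Demisto), here is the containment half of that procedure written as a playbook against an AWS-style API. It assumes the `ec2` and `iam` objects expose the boto3 client methods named in the code (`describe_instances`, `modify_instance_attribute`, `create_snapshot`, `create_tags`, `list_access_keys`, `update_access_key`); the `FakeEC2` and `FakeIAM` classes, the instance `i-0abc`, the `sg-quarantine` group, the volumes and the user `deploy-bot` are constructed so the demo runs offline. With real credentials you would pass `boto3.client("ec2")` and `boto3.client("iam")` in their place.

```python
# Added containment playbook (assumed AWS-style API; boto3 method names and
# argument shapes, but no boto3 import, so it runs offline against the fakes below).
from datetime import datetime, timezone


def contain_instance(ec2, iam, instance_id, quarantine_sg, suspect_users, incident_id):
    """Isolate a compromised instance, preserve evidence, revoke credentials.

    Order matters: cut connectivity first, lock the instance against deletion,
    snapshot its disks, then deactivate suspect keys. Returns the action log.
    """
    actions = []
    instance = ec2.describe_instances(InstanceIds=[instance_id])["Reservations"][0]["Instances"][0]
    original_sgs = [g["GroupId"] for g in instance["SecurityGroups"]]

    # 1. Isolate: swap every security group for one with no inbound/outbound rules.
    #    The instance keeps running, so memory and process state survive for forensics.
    ec2.modify_instance_attribute(InstanceId=instance_id, Groups=[quarantine_sg])
    actions.append(("isolate", instance_id, quarantine_sg))

    # 2. Protect evidence: block API termination by anyone, including automation.
    ec2.modify_instance_attribute(InstanceId=instance_id, DisableApiTermination={"Value": True})
    actions.append(("termination_protection", instance_id, True))

    # 3. Tag with the incident ID and the original groups so the instance can be
    #    traced and, if it is cleared, restored to service.
    ec2.create_tags(Resources=[instance_id], Tags=[
        {"Key": "incident", "Value": incident_id},
        {"Key": "original_security_groups", "Value": ",".join(original_sgs)},
    ])

    # 4. Preserve: point-in-time snapshot of every attached volume.
    stamp = datetime.now(timezone.utc).strftime("%Y%m%dT%H%M%SZ")
    for mapping in instance.get("BlockDeviceMappings", []):
        vol = mapping["Ebs"]["VolumeId"]
        snap = ec2.create_snapshot(VolumeId=vol, Description=f"{incident_id} {instance_id} {vol} {stamp}")
        actions.append(("snapshot", vol, snap["SnapshotId"]))

    # 5. Revoke: set active keys of suspect users to Inactive rather than deleting them,
    #    so a mistaken revocation is reversible and key IDs remain for log correlation.
    for user in suspect_users:
        for key in iam.list_access_keys(UserName=user)["AccessKeyMetadata"]:
            if key["Status"] == "Active":
                iam.update_access_key(UserName=user, AccessKeyId=key["AccessKeyId"], Status="Inactive")
                actions.append(("revoke_key", user, key["AccessKeyId"]))
    return actions


class FakeEC2:
    """Constructed in-memory stand-in for boto3's EC2 client (offline demo only)."""
    def __init__(self, instances):
        self.instances, self.snapshots, self.tags, self._n = instances, {}, {}, 0

    def describe_instances(self, InstanceIds):
        return {"Reservations": [{"Instances": [self.instances[i] for i in InstanceIds]}]}

    def modify_instance_attribute(self, InstanceId, Groups=None, DisableApiTermination=None):
        inst = self.instances[InstanceId]
        if Groups is not None:
            inst["SecurityGroups"] = [{"GroupId": g} for g in Groups]
        if DisableApiTermination is not None:
            inst["DisableApiTermination"] = DisableApiTermination["Value"]
        return {}

    def create_snapshot(self, VolumeId, Description):
        self._n += 1
        sid = f"snap-{self._n:04d}"
        self.snapshots[sid] = {"VolumeId": VolumeId, "Description": Description}
        return {"SnapshotId": sid}

    def create_tags(self, Resources, Tags):
        for r in Resources:
            self.tags.setdefault(r, {}).update({t["Key"]: t["Value"] for t in Tags})
        return {}


class FakeIAM:
    """Constructed in-memory stand-in for boto3's IAM client (offline demo only)."""
    def __init__(self, keys):
        self.keys = keys  # user name -> list of {"AccessKeyId", "Status"}

    def list_access_keys(self, UserName):
        return {"AccessKeyMetadata": [dict(k) for k in self.keys.get(UserName, [])]}

    def update_access_key(self, UserName, AccessKeyId, Status):
        for k in self.keys[UserName]:
            if k["AccessKeyId"] == AccessKeyId:
                k["Status"] = Status
        return {}


def demo():
    """Run the playbook against constructed sample data; returns (ec2, iam, actions)."""
    ec2 = FakeEC2({"i-0abc": {
        "SecurityGroups": [{"GroupId": "sg-web"}, {"GroupId": "sg-ssh"}],
        "BlockDeviceMappings": [{"Ebs": {"VolumeId": "vol-root"}}, {"Ebs": {"VolumeId": "vol-data"}}],
    }})
    iam = FakeIAM({"deploy-bot": [{"AccessKeyId": "AKIAEXAMPLE1", "Status": "Active"},
                                  {"AccessKeyId": "AKIAEXAMPLE2", "Status": "Inactive"}]})
    actions = contain_instance(ec2, iam, "i-0abc", "sg-quarantine", ["deploy-bot"], "IR-2016-001")
    return ec2, iam, actions


if __name__ == "__main__":
    for action in demo()[2]:
        print(*action)
```

Note the order and what is deliberately not done: the instance is isolated by security group rather than stopped or terminated, so memory and process state remain for a forensic tool; termination protection is switched on before any automation can race it; and keys are set to Inactive rather than deleted, so a wrong call is reversible and the key ID stays available for correlating the provider's audit logs. Bringing up the replacement instance is a separate step that runs after this, never instead of it.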

