Having an incident response platform can help internal and external teams collaborate, track incident response processes and automate key security tasks.
Most CISOs get a rude awakening when they encounter their first major security issue in the cloud. If they identify a critical vulnerability that requires a patch, they may not have the authorization to change the cloud provider's pre-packaged stack. And if the customer does not own the network, there may be no way to access details that are critical to investigating an incident.
To be prepared for a major security issue in the cloud, CISOs must have an incident response plan. Here is how to build one:
1. Establish a joint response plan with the cloud provider. If you have not yet moved to the cloud, the most practical first step is to establish a joint response process with the provider before you do. Responsibilities and roles should be clearly defined, and contact information for primary and secondary contacts should be exchanged. Obtain a detailed explanation of what triggers the provider's incident response and how the provider will handle different kinds of issues.
2. Evaluate the monitoring controls and security measures in place in the cloud. For an effective response to security issues related to cloud infrastructure, it is important to understand what monitoring and security measures the cloud provider has in place and what access you have to those tools, for example whether the provider's logs can be exported into your own monitoring. If you find them insufficient, look for ways to deploy a supplemental control of your own.
3. Build a recovery plan. Decide whether recovery will be necessary in the event of a provider outage. Create a recovery plan that defines whether to fail over to an alternate provider or to internal assets, as well as a procedure to collect and move data.
4. Evaluate forensic tools for cloud infrastructure. Find out what tools are available from the cloud provider or from other sources for conducting forensics in case of an incident. If the incident involves PII, it may turn into a legal and compliance challenge, so having appropriate tools for forensics and evidence tracking (including a documented chain of custody) is essential.
Handling an incident in the cloud
Many incident response
steps are similar whether you are dealing with the cloud or a local
installation. However, there are some additional steps you may need to take in
the case of a cloud incident:
· Contact your provider's incident response team immediately, and be persistent in your communications. If the provider's team cannot be reached, do everything you can on your end to contain the incident, such as controlling connections to the cloud service and revoking user access to the cloud service in question.
· If the incident cannot be controlled or contained, prepare to move to an alternate service or set up an internal server.
· The cloud lets you defer identification and eradication until the crisis has passed. In most cases, you can restore production immediately by instantiating a new instance from a known-good image; keep the compromised instance isolated (or snapshot it) rather than deleting it, so the evidence is still there when you come back to investigate.
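The containment sequence described above, as an added example that is not code from the original post. It runs a short runbook against an in-memory stand-in for a cloud provider SDK (the real calls would be the provider's own, for example in boto3); the quarantine security group, instance, volume and access-key names are constructed sample data, and the ordering (isolate, preserve evidence, revoke credentials, then restore) is the point it demonstrates.

```python
"""Cloud containment runbook against a mock provider.

Added example, not from the original post. MockCloud is an assumed
abstraction standing in for a real cloud SDK; all identifiers are
constructed sample data.
"""
from dataclasses import dataclass, field
from typing import Dict, List


@dataclass
class Instance:
    instance_id: str
    image_id: str
    security_groups: List[str]
    volumes: List[str]
    state: str = "running"


@dataclass
class MockCloud:
    """Stand-in for a provider SDK; records every mutating call in order."""
    instances: Dict[str, Instance] = field(default_factory=dict)
    access_keys: Dict[str, str] = field(default_factory=dict)  # key id -> status
    snapshots: List[str] = field(default_factory=list)
    audit: List[str] = field(default_factory=list)

    def set_security_groups(self, instance_id: str, groups: List[str]) -> None:
        self.instances[instance_id].security_groups = list(groups)
        self.audit.append(f"isolate {instance_id} -> {groups}")

    def snapshot(self, volume_id: str) -> str:
        snap = f"snap-{volume_id}"
        self.snapshots.append(snap)
        self.audit.append(f"snapshot {volume_id} -> {snap}")
        return snap

    def deactivate_key(self, key_id: str) -> None:
        self.access_keys[key_id] = "Inactive"
        self.audit.append(f"deactivate {key_id}")

    def run_instance(self, image_id: str, groups: List[str]) -> str:
        new_id = f"i-new-{len(self.instances)}"
        self.instances[new_id] = Instance(new_id, image_id, list(groups), [])
        self.audit.append(f"launch {new_id} from {image_id}")
        return new_id


# Assumed: a security group with no inbound or outbound rules.
QUARANTINE_SG = "sg-quarantine"


def contain(cloud: MockCloud, instance_id: str, suspect_keys: List[str],
            known_good_image: str, prod_groups: List[str]) -> dict:
    """Contain a compromised instance without destroying evidence.

    Order matters: cut the attacker's network path first, preserve
    evidence before anything is rebuilt, revoke the credentials they may
    hold, and only then restore service on a fresh instance.
    """
    inst = cloud.instances[instance_id]
    # 1. Isolate, but keep the instance running so memory and disk survive.
    cloud.set_security_groups(instance_id, [QUARANTINE_SG])
    # 2. Preserve evidence before any rebuild.
    evidence = [cloud.snapshot(v) for v in inst.volumes]
    # 3. Revoke credentials the attacker may be using.
    for key in suspect_keys:
        cloud.deactivate_key(key)
    # 4. Restore production from a known-good image; eradication on the
    #    quarantined instance can wait until the crisis has passed.
    replacement = cloud.run_instance(known_good_image, prod_groups)
    return {"quarantined": instance_id, "evidence": evidence,
            "revoked": list(suspect_keys), "replacement": replacement}


def sample_cloud() -> MockCloud:
    """Constructed sample environment: one web server, two access keys."""
    return MockCloud(
        instances={"i-web-1": Instance("i-web-1", "ami-golden", ["sg-web"],
                                       ["vol-root", "vol-data"])},
        access_keys={"AKIA-WEBAPP": "Active", "AKIA-ADMIN": "Active"},
    )


if __name__ == "__main__":
    cloud = sample_cloud()
    print(contain(cloud, "i-web-1", ["AKIA-WEBAPP"], "ami-golden", ["sg-web"]))
    print("\n".join(cloud.audit))
```

The audit list is what you hand to the provider's response team and to legal afterwards: a timestamped version of it is the start of your chain of custody.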
Best practices for incident response in the cloud
One critical issue that many enterprises face is the lack of talent with the right skills to manage security. It is difficult to find the right candidates, and if you do locate them, you can expect to pay top salaries. By the end of 2024, the Bureau of Labor Statistics expects information security analyst jobs to grow 18%, and salaries are already averaging well into six figures.
However, there are
some steps that you can take to bring new employees up to speed quickly or
enhance the skills of existing employees:
· Promote collaboration to help junior analysts benefit from the experience of senior analysts. As a bonus, collaborative efforts may reveal duplicate work that can be eliminated.
· Create playbooks that prescribe standard procedures for responding to incidents. Naturally, you cannot write a guide for every potential situation, but playbooks are valuable guides and excellent training material. Just remember to keep playbooks updated, a task that can often be partly automated.
· Speaking of automation, many tasks can be automated, especially if they are repetitive and routine. Mundane tasks take up an unjustifiable amount of time, and automating them frees your staff for more important work.
· Foster situational awareness from both the historical and the real-time point of view. An effective analysis of past incidents helps you make better decisions about current ones.
· Analyze incidents and create a database to determine the types of problems encountered, the skills needed to address them, the frequency of each type of incident, and other facts. This analysis helps you identify weaknesses and decide where to bolster security.
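An incident database of the kind described in the last bullet, as an added example that is not part of the original post. It uses SQLite so it runs offline; the schema, the incident categories, the skill tags and the five incident records are constructed sample data, not real incidents.

```python
"""Minimal incident database and the analyses the bullet above asks for.

Added example, not from the original post. Schema, categories, skills and
records are constructed sample data.
"""
import sqlite3
from typing import Dict, List, Tuple

SCHEMA = """
CREATE TABLE incident (
    id INTEGER PRIMARY KEY,
    opened TEXT NOT NULL,               -- ISO-8601, UTC
    contained TEXT NOT NULL,
    category TEXT NOT NULL,             -- assumed taxonomy
    provider_involved INTEGER NOT NULL, -- 1 if the cloud provider's IR team was engaged
    root_cause TEXT
);
CREATE TABLE incident_skill (
    incident_id INTEGER NOT NULL REFERENCES incident(id),
    skill TEXT NOT NULL
);
"""

# Constructed sample records (not real incidents).
INCIDENTS = [
    (1, "2024-03-02T08:00:00", "2024-03-02T09:30:00", "credential-leak", 0, "key committed to public repo"),
    (2, "2024-03-10T14:00:00", "2024-03-10T14:20:00", "misconfig", 0, "storage bucket made public"),
    (3, "2024-04-01T22:00:00", "2024-04-02T01:00:00", "credential-leak", 1, "phished console login"),
    (4, "2024-04-15T10:00:00", "2024-04-15T10:45:00", "malware", 1, "cryptominer on web instance"),
    (5, "2024-05-03T09:00:00", "2024-05-03T09:10:00", "misconfig", 0, "security group open to 0.0.0.0/0"),
]
SKILLS = [
    (1, "iam"), (1, "git"), (2, "iam"), (2, "storage"), (3, "iam"),
    (3, "forensics"), (4, "forensics"), (4, "endpoint"), (5, "storage"),
]


def build_db() -> sqlite3.Connection:
    """Create an in-memory database and load the sample records."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    conn.executemany("INSERT INTO incident VALUES (?, ?, ?, ?, ?, ?)", INCIDENTS)
    conn.executemany("INSERT INTO incident_skill VALUES (?, ?)", SKILLS)
    conn.commit()
    return conn


def frequency_by_category(conn: sqlite3.Connection) -> Dict[str, int]:
    """How often each type of incident occurs."""
    rows = conn.execute(
        "SELECT category, COUNT(*) FROM incident GROUP BY category").fetchall()
    return dict(rows)


def mean_containment_minutes(conn: sqlite3.Connection) -> Dict[str, float]:
    """Average time from opening to containment, per category.

    strftime('%s') yields integer epoch seconds, so the arithmetic is exact.
    """
    rows = conn.execute(
        "SELECT category, "
        "AVG((strftime('%s', contained) - strftime('%s', opened)) / 60.0) "
        "FROM incident GROUP BY category").fetchall()
    return dict(rows)


def skill_demand(conn: sqlite3.Connection) -> List[Tuple[str, int]]:
    """Which skills incidents have required, most demanded first."""
    return conn.execute(
        "SELECT skill, COUNT(*) AS n FROM incident_skill "
        "GROUP BY skill ORDER BY n DESC, skill ASC").fetchall()


def provider_dependency(conn: sqlite3.Connection) -> Dict[str, float]:
    """Share of incidents per category where the provider had to be engaged."""
    rows = conn.execute(
        "SELECT category, AVG(provider_involved) FROM incident GROUP BY category"
    ).fetchall()
    return dict(rows)


if __name__ == "__main__":
    db = build_db()
    print(frequency_by_category(db))
    print(mean_containment_minutes(db))
    print(skill_demand(db))
    print(provider_dependency(db))
```

Even on five constructed records the queries show the kind of decision the bullet is after: credential leaks are both the most frequent category and the slowest to contain, and IAM is the skill most often needed, which is where training and automation effort should go first.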
Like most security best practices for cloud applications, incident response is a shared responsibility. Planning ahead is critical to make sure you have the right contacts, tools and processes in place. An incident response platform that enables collaboration between internal and external teams, tracks incident response processes and automates key security tasks is essential in a crisis to contain issues quickly and respond effectively.