Similar to traditional information technology (IT) environments, adversaries are using cloud environments as entry points to infect, harm, and disrupt business operations. Threat actors know that critical data may be duplicated to poorly protected or unsupervised cloud environments. So, what should you do if you discover a cyber breach is taking place by way of or within your cloud environments? It’s important to recognize that tackling cloud incidents is different from addressing those within traditional IT environments. Here are five ways that your organization can address cybersecurity incidents in the cloud:
No. 1: Understand the differences between your cloud and traditional environments. Implementing security measures to protect your cloud environments and their sensitive data will only get you so far. Remember that what you monitor in a cloud environment is different from what you monitor in traditional, on-premises environments. In the cloud, you’ll need to focus more on applications, application programming interfaces (APIs), and user roles. Furthermore, consider all the actions that incident responders need to take to successfully do their job within a cloud environment. You’ll need to ensure they have visibility and proper access, or they’ll be unable to find, fix, and ultimately eradicate infections.
No. 2: Make cloud an integral part of your incident response. Threats to the cloud will persist, and incident responders will need to evolve to keep pace with the rapidly evolving landscape. Keep incident response in mind when building cloud environments, remembering that reactive incident response doesn’t work in the cloud. Your DevOps and cloud architecture teams should consider incident response requirements as they set up cloud environments so that response is automated and coordinated.
No. 3: Don’t underestimate the pre-work. Cloud moves at warp speed; everything happens much too fast for reactive incident response to begin only when an alert comes in. Thinking about how you should approach incident response in the cloud before an event happens will drastically close the gap in response time, potentially going from days to seconds. The right infrastructure and tools need to be in place first, including the ability to see into your environments. We suggest periodically doing configuration checks and routine compromise assessments as good cloud security hygiene practices.
No. 4: Coordinate with other enterprise teams. Look for gaps in responsibilities, or even across geographies, and identify the hurdles that stand in the way of a more coordinated response effort. Take your cloud architecture team, for example. Incident response may not be a priority for them, yet they may own certain controls that your incident responders need to access or understand better. Breaking down traditional team silos and establishing collaborative relationships between traditionally disparate groups will improve your cloud security posture. If you know who to call and how to work together, all key players can act faster and more effectively.
No. 5: Get to know your service providers. Just as you should understand the roles and responsibilities of your internal teams, you should understand what your service providers are responsible for during an event. Don’t assume your vendors will handle everything for you. Cloud service providers typically have incident response teams. Carefully read the service agreement and know who—your team or the provider’s—is available for each aspect of a response. It’s important to find out exactly what they’ll alert you about and how they’ll support your team. By building a relationship with these critical points of contact, you can save valuable time during an event.
Using the cloud has many benefits, but it also brings increased risks. Without proper configuration, your internal responders might not have the visibility, tools, or access they need to dig into an incident and resolve it. By considering the cloud’s unique and complex challenges alongside those of traditional environments—like proper configuration, visibility and access rights, and alert reporting—companies will benefit from a coordinated incident response effort, avoiding costly interruptions and data exposure.