Continuous Cloud Security Incident Response | Lacework

Cloud Security Incident Response: Continuous vs. Emergency Approaches


July 19, 2019

Continuous monitoring and behavior analysis are essential to identifying vulnerabilities that exist within an organization’s environment. The monitoring solution should be able to identify anomalies for every activity happening within a cloud environment by baselining, and then analyzing, the actions of applications, networks, users, and all the different types of resources being used. By doing it this way, as opposed to relying solely on rules and signatures, you’ll be better equipped to identify behavioral abnormalities that indicate a vulnerability.

As soon as an infrastructure monitoring tool detects an error in the system that runs counter to normalized behavior or a glitch that could potentially break the system, an alert is created. From that point, every second lost in remediating the issue increases the chances of a security incident. The remediation workflow (creating a ticket, assigning remediation to the responsible team, and making sure that the proper action is taken to resolve the issue) becomes the biggest challenge in the race against time. This is where leveraging automation and executing planned incident response actions become key.

Emergency response, on the other hand, takes place when an incident has already occurred. The response is reactive in this case. Priorities and actions taken will be different. In both cases, a fast response is vital.

Fortunately, today’s organizations are aware of the threats that attempt to penetrate their cloud infrastructure and are taking measures to prevent and prepare for what seems to be inevitable. By using this guide and following these best practices you will learn how to reduce the time to anomaly detection and time to remediation of exploitable vulnerabilities across all cloud and virtualized services.

Cloud security is different: traditional scanning tools are ineffective, legacy security tools can’t support the API control plane, Agile and DevOps make security harder, and changes to workload and account configurations are constant. The inherent flexibility of the cloud means that organizations may adapt their cloud infrastructure configuration on a daily or even hourly basis to address changing needs. This fast pace of change and a dramatic increase in the people involved in configuration changes require that organizations monitor the security of their cloud continuously through automation.

Security is everyone’s responsibility. Introducing a culture of security company-wide can only work to strengthen your defenses, improve your resilience, and prevent incidents from occurring in the first place. With the increase in continuous software delivery, there is an opportunity for us to improve the quality of software throughout each stage of development and delivery. Continuous monitoring allows us to conduct security assessments along the way, rather than at the end of a long development cycle when necessary changes can cause expensive delays.

However, the best practice involves much more than automated testing — continuous security monitoring needs to take place before, during, and after development and deployment.

Security incident response in the cloud is also vastly different from the traditional approach in Network Operations Centers (NOCs) and data centers. Software that runs in the cloud relies on connections to multiple services to give and receive information. Oftentimes these services are integrated with other SaaS solutions to complete the business workflows involving other business units, including sales and marketing. The more people who have access to your cloud environment, the harder it is to identify who is responsible once a security vulnerability is discovered. Continuous monitoring, analysis, and alerting on events and behaviors are crucial for well-orchestrated incident response to reduce MTTR (Mean Time To Resolve).
