cloud incident response

Guest:

• Arie Zilberstein, CEO and Co-Founder at Gem Security

Topics: 

• How does Cloud Detection and Response (CDR) differ from traditional, on-premises detection and response?

• What are the key challenges of cloud detection and response?

• Often we lift and shift our teams to Cloud, and not always for bad reasons, so  what’s your advice on how to teach the old dogs new tricks: “on-premise-trained” D&R teams and cloud D&R?

• What is this new CIRA thing that Gartner just cooked up?  Should CIRA exist as a separate market or technology or is this just a slice of CDR or even SIEM perhaps?

• What do you tell people who say that “SIEM is their CDR”?

• What are the key roles and responsibilities of the CDR team? How is the cloud D&R process related to DevOps and cloud-style IT processes?

 Resources:

• Video version of this episode

• Cloud breaches databases

• EP98 How to Cloud IR or Why Attackers Become Cloud Native Faster?

• EP103 Security Incident Response and Public Cloud - Exploring with Mandiant

• EP76 Powering Secure SaaS … But Not with CASB? Cloud Detection and Response?

• 9 Megatrends drive cloud adoption—and improve security for all

• “Emerging Tech: Security — Cloud Investigation and Response Automation (CIRA) Offers Transformation Opportunities” (Gartner access required)

• “Does the World Need Cloud Detection and Response (CDR)?” blog

Guest:  

• Nader Zaveri, Senior Manager of IR and Remediation at Mandiant, now part of Google Cloud

Topics:

• Could we start with a story of a cloud incident response (IR) failure and where things went wrong? 
• What should that team have done to get it right? 
• Are there skills that matter more in cloud incidents than they do for on-prem incidents? Are there on-prem instincts that will lead incident responders astray in cloud?
• What 3 things an IR team leader needs to do to prepare his team for IR in the cloud?
• Are there on-premise tools that can stay on prem and not join us in the cloud?
• What processes should we leave behind? Keep with us?
• What logs and context should we prepare for cloud IR?  What access should we have behind “break glass”?
• While doing IR, what things should we look at in the cloud logs (which logs, also?) to expedite the investigation?

Resources:

• “How to Cloud IR or Why Attackers Become Cloud Native Faster?” (ep98)
• “How to prepare for detection & response in the cloud” Google Cloud Next 2022 presentation
• “Security Incident Response in the Cloud: A Few Ideas” blog
• GCP Cloud Logging
• “Security at Scale: Logging in AWS” paper
• “AWS Security Incident Response Whitepaper” paper

Guests:

• Matt Linton, Chaos Specialist @ Google
• John Stone, Chaos Coordinator @ Office of the CISO, Google Cloud

Topics:

• Let’s talk about security incident response in the cloud.  Back in 2014 when I [Anton] first touched on this, the #1 challenge was getting the data to investigate as cloud providers had few logs available. What are the top 2022 cloud incident response challenges?
• Does cloud change the definition of a security incident? Is “exposed storage bucket” an incident? Is vulnerability an incident in the cloud?
• What should I have in my incident response plans for the cloud? Should I have a separate cloud IR plan?
• What is our advice on running incident response jointly with a CSP like us?
• How would 3rd party firms (like, well, Mandiant) work with a client and a CSP during an investigation?
• We all read the Threat Horizons reports, but can you remind us of the common causes for cloud incidents we observed recently? What goals do the attackers typically pursue there?

Resources:

• “Building Secure and Reliable Systems” book (especially ch 14-16, and ch17)
• Google Cybersecurity Action Team Threat Horizons Report #4 Is Out! (#3, #2, #1)
• “Incident Plan vs Incident Planning?” blog (2013)