Written by AJ Yawn, Principal, Coalfire
Cloud computing is growing rapidly,
and according to multiple research studies, this growth is not expected to slow
over the next five years. The rise in cloud computing is due to the cost
savings, scalability, elasticity, and security
of the cloud, specifically when leveraging the major cloud service providers
(CSPs) such as Amazon Web Services, Microsoft Azure, and Google Cloud. It is widely
understood that within cloud deployments there is a shared responsibility model
with respect to security. The CSPs are responsible for the security of the cloud, while the customer is
responsible for the security in the
cloud. This model is a resource and cost benefit: organizations need not
dedicate their own resources to securing the physical aspect of where their
data lives. When thinking of cloud security, organizations often focus only on
the security tools and technologies they will have to bring into their
environment, and overlook the security tools that already exist within the cloud. This
is a common, and costly, oversight as companies move to and operate in
the cloud.
The major CSPs offer a suite of
security services that were built and designed specifically to perform security
functions in their environment. Taking advantage of these tools can assist organizations
with security incident response (IR) programs in the cloud. Information security
incidents often result in reputational damage, financial losses, and/or a loss
of system functionality. Because threats and attack vectors are growing rapidly,
organizations must prepare to respond to incidents in real time. Detecting common
attack vectors and common misconfigurations that could potentially lead to an
incident is a critical aspect of the IR process. Effective IR is not only vital
to the security of any organization, it is also a critical process evaluated during
the following compliance assessments: FedRAMP, SOC & SSAE 18, ISO, HITRUST, PCI-DSS,
among others.
The National Institute of Standards and Technology (NIST) Special Publication
800-61, "Computer Security Incident Handling Guide," describes four
key phases of the IR handling process:
1. Preparation
2. Detection and Analysis
3. Containment, Eradication, and Recovery
4. Post-Incident Activity
Security
services and tools embedded in the CSPs' offerings can be leveraged within these
four phases to automate the IR process for common security events. While the
first and last phases are out of the scope of this article, they should be
considered and implemented when developing IR plans.
The second phase, Detection and Analysis,
can be accomplished via the logging, monitoring, and alerting tools built and
designed by the CSPs. The detection phase is vital because your security team
cannot respond to events or set up automation to block events without visibility
into them. CSPs have developed native tools in their platforms to provide
visibility into security event data, assisting with the detection phase; this
should be considered when building out your security IR program. Once your
security team has the needed security event data, you can incorporate event-driven
security and automation into the IR program.
The next phase in NIST's IR
process, Containment, Eradication, and Recovery, is where event-driven security
and automation come into play. You can use the detection and analysis tools
from phase 2 to trigger automated actions to contain, eradicate, and recover
from a security event or incident. Automated tools will remove the incident
from the environment and restore the impacted resources to the intended state
prior to the incident occurring.
Automation is an enabling and
efficient technology, and using the native tools designed to assist
organizations with the specific cloud provider technology is a great way to incorporate
automation into your security program. A great example of this is using tools
to detect whether users accessing your cloud environment authenticated via multi-factor
authentication (MFA) or whether they made any changes that removed the
configuration requiring MFA. This rule could detect any users that bypassed MFA
and automatically place them into a restricted group that either locks out
their account or limits their access. This is one example of how event-driven
security and automation work together when events trigger automated actions to
prevent security events or incidents.
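The detection-then-containment flow described in the two phases above, applied to the MFA example, as an added illustration that is not Coalfire's code and not a CSP-supplied tool. The input records are constructed to resemble AWS CloudTrail events (a `ConsoleLogin` event carries `additionalEventData.MFAUsed`; IAM policy-removal events carry the policy name or ARN in `requestParameters`). The MFA-enforcing policy name `RequireMFA`, the `Quarantined` group, and the `executor` hook are assumptions for the example; in a real deployment the executor would wrap the provider's IAM API.

```python
"""Event-driven MFA-bypass detection with an automated containment action.

Added example for the article; not Coalfire code and not an AWS tool. Events are
constructed in the shape of CloudTrail records. The policy name "RequireMFA",
the "Quarantined" group and the executor hook are assumptions.
"""
import json

# Assumed name of the IAM policy that enforces MFA; a real deployment would read
# the actual policy name or ARN from its own configuration.
MFA_POLICY_NAME = "RequireMFA"
QUARANTINE_GROUP = "Quarantined"  # assumed restricted group with deny-all access

# Constructed sample events (abbreviated CloudTrail shape).
SAMPLE_EVENTS = [
    {"eventName": "ConsoleLogin", "userIdentity": {"userName": "alice"},
     "additionalEventData": {"MFAUsed": "Yes"},
     "responseElements": {"ConsoleLogin": "Success"}},
    {"eventName": "ConsoleLogin", "userIdentity": {"userName": "bob"},
     "additionalEventData": {"MFAUsed": "No"},
     "responseElements": {"ConsoleLogin": "Success"}},
    {"eventName": "ConsoleLogin", "userIdentity": {"userName": "mallory"},
     "additionalEventData": {"MFAUsed": "No"},
     "responseElements": {"ConsoleLogin": "Failure"}},
    {"eventName": "DeleteUserPolicy", "userIdentity": {"userName": "carol"},
     "requestParameters": {"userName": "carol", "policyName": "RequireMFA"}},
    {"eventName": "DeleteUserPolicy", "userIdentity": {"userName": "dave"},
     "requestParameters": {"userName": "dave", "policyName": "S3ReadOnly"}},
]

POLICY_REMOVAL_EVENTS = ("DeleteUserPolicy", "DetachUserPolicy",
                         "DeleteGroupPolicy", "DetachGroupPolicy")


def classify(event):
    """Detection phase: return a finding name for an MFA-bypass event, else None."""
    name = event.get("eventName")
    if name == "ConsoleLogin":
        mfa_used = event.get("additionalEventData", {}).get("MFAUsed")
        succeeded = event.get("responseElements", {}).get("ConsoleLogin") == "Success"
        # Only a successful login without MFA is a bypass; failures are noise here.
        if succeeded and mfa_used != "Yes":
            return "console-login-without-mfa"
    elif name in POLICY_REMOVAL_EVENTS:
        params = event.get("requestParameters", {})
        policy = params.get("policyName") or params.get("policyArn", "")
        if MFA_POLICY_NAME in policy:
            return "mfa-policy-removed"
    return None


def plan_actions(events, group=QUARANTINE_GROUP):
    """Containment phase: map findings to de-duplicated actions on the acting user."""
    actions, seen = [], set()
    for event in events:
        finding = classify(event)
        if finding is None:
            continue
        actor = event.get("userIdentity", {}).get("userName", "<unknown>")
        if (actor, group) in seen:
            continue
        seen.add((actor, group))
        actions.append({"action": "add_user_to_group", "user": actor,
                        "group": group, "reason": finding})
    return actions


def apply_actions(actions, executor=None):
    """Hand each action to `executor`; with no executor the action is only logged."""
    results = []
    for act in actions:
        if executor is None:
            print(json.dumps(act))
            results.append(True)
        else:
            results.append(executor(act))
    return results


if __name__ == "__main__":
    apply_actions(plan_actions(SAMPLE_EVENTS))
```

Running the script logs two containment actions: `bob` for a successful console login without MFA, and `carol` for removing the MFA-enforcing policy; `alice` (MFA used), `mallory` (login failed) and `dave` (unrelated policy) produce no action. Quarantining the actor rather than the target of a policy change matters: the account that removed the MFA requirement is the one that has demonstrated the ability to weaken controls.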
Understanding how to automate responses
to security events within the cloud begins with being aware of the services
offered by the CSP(s) you choose. These tools will be vital in developing an
event-driven security model that incorporates automation to contain, eradicate,
and recover from security events.
## About the Author
AJ Yawn, Principal, Coalfire
AJ Yawn is a Principal in Coalfire’s SOC practice. He manages 30+ SOC engagements per year helping a wide variety of SMBs and Fortune 500 companies improve their security posture. At Coalfire he has had extensive experience conducting security assessments for service providers across various industries including SaaS, IaaS, cloud service providers, datacenter providers, healthcare, payment card industry, and managed service providers. Prior to joining Coalfire, AJ spent over five years as an active duty Communications Officer in the United States Army, earning the rank of Captain. AJ graduated from Georgetown University with a M.S. in Technology Management and from Florida State University with a B.S. in Social Science. AJ possesses over 10 industry recognized IT certifications including the AWS Certified Solutions Architect-Associate, CISSP and PMP.