Event Driven Security in the Cloud: Where Do I Start?

Written by AJ Yawn, Principal, Coalfire

Cloud computing is growing rapidly, and according to multiple research studies, this growth is not expected to slow over the next five years. The rise in cloud computing is due to the cost savings, scalability, elasticity, and security of the cloud, specifically when leveraging the major cloud service providers (CSPs) such as Amazon Web Services, Microsoft Azure, and Google Cloud. It is widely understood that within cloud deployments there is a shared responsibility model with respect to security. The CSPs are responsible for the security of the cloud, while the customer is responsible for the security in the cloud. This model is a resource and cost benefit: organizations need not dedicate their own resources to securing the physical aspect of where their data lives. When thinking of cloud security, organizations often focus only on the security tools and technologies they will have to bring into their environment, not the security tools that already exist within the cloud. This is a common, and costly, oversight as companies move to and operate in the cloud.

The major CSPs offer a suite of security services that were built and designed specifically to perform security functions in their environment. Taking advantage of these tools can assist organizations with security incident response (IR) programs in the cloud. Information security incidents often result in reputational damage, financial losses, and/or a loss of system functionality. Because threats and attack vectors are growing rapidly, organizations must prepare to respond to incidents in real time. Detecting common attack vectors and common misconfigurations that could potentially lead to an incident is a critical aspect of the IR process. Effective IR is not only vital to the security of any organization, it is also a critical process evaluated during the following compliance assessments: FedRAMP, SOC & SSAE 18, ISO, HITRUST, PCI-DSS, among others.

The National Institute of Standards and Technology (NIST) Special Publication 800-61, "Computer Security Incident Handling Guide," describes four key phases of the IR handling process:

1. Preparation
2. Detection and Analysis
3. Containment, Eradication, and Recovery
4. Post-Incident Activity

Security services and tools embedded in the CSPs' offerings can be leveraged within these four phases to automate the IR process for common security events. While the first and last phases are out of the scope of this article, they should be considered and implemented when developing IR plans.

The second phase, Detection and Analysis, can be accomplished via the logging, monitoring, and alerting tools built and designed by the CSPs. The detection phase is vital because your security team cannot respond to events or set up automation to block events without visibility to them. CSPs have developed native tools in their platforms to provide visibility to security event data, assisting with the detection phase; this should be considered when building out your security IR program. Once your security team has the needed security event data, you can incorporate event-driven security and automation into the IR program.

The next phase in NIST's IR process, Containment, Eradication, and Recovery, is where event-driven security and automation come into play. You can use the detection and analysis tools from phase 2 to trigger automated actions to contain, eradicate, and recover from a security event or incident. Automated tools will remove the incident from the environment and restore the impacted resources to the intended state prior to the incident occurring.

Automation is an enabling and efficient technology, and using the native tools designed to assist organizations with the specific cloud provider technology is a great way to incorporate automation into your security program. A great example of this is using tools to detect whether users accessing your cloud environment authenticated via multi-factor authentication (MFA) or whether they made any changes that removed the configuration requiring MFA. This rule could detect any users that bypassed MFA and automatically place them into a restricted group that either locks out their account or limits their access. This is one example of how event-driven security and automation work together when events trigger automated actions to prevent security events or incidents.
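As an added illustration of that MFA rule on AWS (this is not code from the article, Coalfire, or AWS), the handler below classifies CloudTrail records arriving through an EventBridge rule and moves the IAM user involved into a restricted group; the group name `RestrictedUsers`, the `StubIam` client used for local testing, and the policy of treating a missing `mfaAuthenticated` attribute as "no MFA" are assumptions for this example.

```python
"""Classify CloudTrail records (as delivered by EventBridge) for MFA
problems and quarantine the IAM user involved. Added example, not code
from the article or AWS; the group name and stub client are constructed."""
from typing import Optional

QUARANTINE_GROUP = "RestrictedUsers"  # constructed for this example
# Real IAM action names that remove an MFA device from a user
MFA_WEAKENING_CALLS = {"DeactivateMFADevice", "DeleteVirtualMFADevice"}

def classify(event: dict) -> Optional[str]:
    """Return a finding label, or None when the record is benign."""
    detail = event.get("detail", {})
    identity = detail.get("userIdentity", {})
    if identity.get("type") != "IAMUser":
        return None  # roles and root are out of scope in this example
    attrs = identity.get("sessionContext", {}).get("attributes", {})
    # A missing attribute (e.g. a bare access-key call) counts as no MFA;
    # tune this to your own policy.
    if attrs.get("mfaAuthenticated", "false") != "true":
        return "no-mfa-session"
    if detail.get("eventName") in MFA_WEAKENING_CALLS:
        return "mfa-removed"
    return None

def respond(event: dict, iam) -> Optional[str]:
    """Containment: add the user to the restricted group. `iam` is anything
    with add_user_to_group(GroupName=, UserName=): a boto3 IAM client in
    production, StubIam below in tests."""
    finding = classify(event)
    if finding is None:
        return None
    user = event["detail"]["userIdentity"]["userName"]
    iam.add_user_to_group(GroupName=QUARANTINE_GROUP, UserName=user)
    return f"{finding}: {user} added to {QUARANTINE_GROUP}"

def handler(event, context, iam=None):
    """Lambda entry point for an EventBridge rule on CloudTrail API calls."""
    if iam is None:
        import boto3  # lazy import so the module loads without boto3
        iam = boto3.client("iam")
    return respond(event, iam)

class StubIam:
    """Records calls instead of touching AWS (for local tests)."""
    def __init__(self):
        self.calls = []
    def add_user_to_group(self, **kwargs):
        self.calls.append(kwargs)
```

The `RestrictedUsers` group would carry a deny-all or read-only policy so that membership alone limits the account until an analyst reviews the finding.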

Understanding how to automate responses to security events within the cloud begins with being aware of the services offered by the CSP(s) you choose. These tools will be vital in developing an event-driven security model that incorporates automation to contain, eradicate, and recover from security events.


About the Author

AJ Yawn, Principal, Coalfire

AJ Yawn is a Principal in Coalfire’s SOC practice. He manages 30+ SOC engagements per year helping a wide variety of SMBs and Fortune 500 companies improve their security posture. At Coalfire he has had extensive experience conducting security assessments for service providers across various industries including SaaS, IaaS, cloud service providers, datacenter providers, healthcare, payment card industry, and managed service providers. Prior to joining Coalfire, AJ spent over five years as an active duty Communications Officer in the United States Army, earning the rank of Captain. AJ graduated from Georgetown University with a M.S. in Technology Management and from Florida State University with a B.S. in Social Science. AJ possesses over 10 industry recognized IT certifications including the AWS Certified Solutions Architect-Associate, CISSP and PMP.

Published Friday, January 04, 2019 8:00 AM by David Marshall