Doing It Together: Detection and Incident Response with Your Cloud Provider

The dynamic and ephemeral nature of the cloud can make detecting and responding to cybersecurity incidents challenging, even for professionals with extensive security expertise but little cloud experience. Incident management is an important, and often overlooked, area where the boundary between your responsibilities and your cloud provider's isn't easily drawn. Many incidents require close collaboration with, and support from, the cloud provider to investigate and mitigate them.

While many of the fundamentals of cybersecurity remain the same across on-premises and cloud environments, understanding the key differences is crucial for efficient detection and mitigation of security issues.

What Changes in the Cloud

Whether you’re in the cloud or not, cybersecurity is about safeguarding and preserving your systems and data. And though each incident is unique, standard investigative practices don’t change just because the cloud is involved.

However, there are some significant elements of threat detection and response that do change when your business is working in the cloud, including:

Working in the cloud leads to a reduction in manual IT processes, with less focus on hardware and more on automation and "everything as code." Securing the cloud requires new skills, new tools, and increased collaboration: between Ops and Dev teams, and between a business and its cloud and security partners. Effectively detecting and responding to threats in the cloud is therefore a multi-organization effort, with an increased emphasis on rapid data sharing.

Detecting security threats in the cloud can be a challenge for many reasons, and tried-and-true methods from traditional security may not work as well when applied to the new environment. Telemetry collection methods are likely to change significantly in the cloud: network traffic and endpoint data sources gradually become less important, while application telemetry becomes more so.

Working with your CSP

Governance sprawl is another new challenge of the cloud, requiring an effort to clearly understand and define the areas of overlapping responsibility with the CSP and any other relevant partners. The concept of "shared fate" applies here, as proper cloud security requires a collaborative model for handling risks. Under the more proactive shared fate model, a CSP may provide security guidance to its partners at the deployment stage and make ongoing security recommendations afterward.

A partnership with a CSP means it might be your cloud provider that recognizes an active security incident first, rather than your internal team. Wherever the issue is first identified, it is critical to share the information so that your internal team and your CSP’s security team can work in concert. Your CSP likely has an established process for incident reporting, so familiarizing yourself with how information should be shared can help save valuable time when facing an active incident.

There is a wide array of detection tools available to monitor your systems and data in the cloud, including many from your cloud provider. The earlier you identify an incident the better, and these tools can often provide advance warning of a cybersecurity breach or issue that could cause an outage.

Some of the tools that are available to identify incidents as early as possible include:

Employing tools like these, along with coordination between your organization's security teams and your CSP's incident response team, can help minimize the time that data security issues or malicious intrusions remain undetected.

Once the active threat of an incident is resolved, the focus can turn to remediation. After the incident, a post-mortem analysis shared between you and your CSP can review its causes and identify areas for possible improvement. With shared responsibility or shared fate in the cloud, your organization isn't acting alone when responding to a cybersecurity incident, and with proper coordination, a security incident can be quickly identified and resolved.