Digital forensics in modern cloud environments [Q&A]
Increasingly, applications and infrastructure are moving to the cloud and containers. But although this offers convenience and cost savings, it introduces challenges when security incidents occur.
We spoke to James Campbell, CEO and co-founder of Cado Security to find out about the importance of digital forensics when dealing with cloud system breaches.
BN: What is the biggest challenge organizations face when investigating incidents in the cloud?
JC: The biggest challenges revolve around speed and access. When a cyber incident occurs in the cloud today, security analysts spend countless days using a patchwork of rudimentary tools to collect and process the data needed for a manual investigation. The days or months it takes to collect, process, and analyze data are precious time that a hacker has free rein to inflict damage on companies. Even worse, because of the heavy lift and time required to conduct a proper investigation, incidents often get closed without digging deeper than the surface level presented in a detection platform.
As cloud adoption continues to increase exponentially, security teams are now under extreme pressure to become cloud experts. To complicate matters further, many organizations leverage more than one cloud platform, meaning security analysts need to understand the complexities and intricacies of each. Time, tool, and access limitations coupled with the complexity of the cloud often make it impossible for security teams to investigate the true root cause, scope, and impact of a security incident.
BN: Why is there an increased need to conduct a thorough forensic investigation after a cyberattack?
JC: Simple: conducting a thorough forensics investigation post-breach is critical to identifying the root cause and preventing future breaches. However, due to the heavy lift required to conduct a proper investigation, incidents often get closed without investigating deeper than what’s provided in a traditional detection solution, leaving risk on the table where hackers are slipping through the net.
While low-level system data collected by traditional detection solutions provide security teams with a high-level overview of what happened, a proper investigation requires more. Security analysts need access to 100 percent of the data surrounding a security incident. Further, security experts need to be able to investigate multiple data sources, including disk information, cloud provider logs, memory, and more in a single pane of glass. That’s where digital forensics solutions can help -- providing the context to understand the full breadth of an incident to empower security analysts to make fully informed decisions and identify the root cause.
BN: How does the accelerated adoption of cloud computing change the game when it comes to digital forensics and incident response?
JC: Legacy forensic tools were built decades ago to support on-premise environments, but the problem is that data doesn't live there anymore. It's moving to the cloud at exponential rates, and where data goes, cyber attackers follow. Today, when security teams need to investigate a threat in a modern environment using traditional approaches, it's incredibly complex and time-consuming. Data is collected and processed manually, and security experts are stuck relying on multiple tools and spreadsheets to stitch together an investigation.
To keep up with the accelerated pace of cloud adoption and the uptick in cloud threats, the digital forensics tools of today must drastically reduce the amount of time, resources, and money required to investigate a security incident. By utilizing the power of automation to streamline the most tedious parts of a forensics investigation, including data capture and processing, security teams can quickly and precisely investigate a security incident even when the data required spans multiple cloud platforms, systems, and regions.
BN: What elements of on-prem digital forensics don't translate to conducting investigations in the cloud?
JC: The collection and processing of data are vastly different in cloud environments vs. on-prem. The reason is that the cloud enables speed and scale that simply isn't available in an on-prem world. Previously, the data collection process alone could take hours (even days), as organizations often had to factor in flying someone to the location of the hardware or waiting for it to be shipped.
In addition, forensic investigations often require massive amounts of data, and all of this data needs to be processed and normalized. This often requires extensive time and manual effort, and results in no added value until the processing is complete. At Cado, many organizations we’ve spoken to have shared similar stories -- it can take days or even weeks before an investigation can even begin. In the meantime, the attacker is running around potentially exfiltrating data. That's why when conducting investigations in the cloud, it's imperative that organizations leverage security solutions that enable them to process massive amounts of data captured across countless assets simultaneously.
BN: With the move to cloud, organizations are also relying more and more on containers. Is it possible to conduct forensic investigations on containers given their ephemeral nature?
JC: Absolutely. The challenge with containers is that they spin up and down continuously. If malicious activity occurs between the time one is spun up and down, that data can be lost forever, which is why we've seen attackers take advantage of these environments to cover their tracks.
However, it is possible to conduct forensic investigations despite their ephemeral nature. Cloud-native digital forensics solutions provide the speed and automation required to capture incident data across container environments before it's gone. By integrating forensics into your day-to-day investigation workflow, you can ensure evidence is captured, processed, and preserved as soon as malicious activity is detected. This level of visibility empowers analysts to rapidly understand which assets and data have been compromised without wondering if something was missed.
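The "capture it before it's gone" step for an ephemeral container, as an added example that is not code from the interview, from Cado Security, or from any product. It is a detection-triggered capture hook: when an alert names a container, it archives that container's filesystem, hashes every file, and writes a manifest, so the evidence can still be verified after the container has been torn down and even if the stored archive is later altered. The container filesystem is represented by a plain directory of constructed sample files (in a real pipeline it would come from `docker export <container-id>`), and the detection event is a constructed dict; both are assumptions for this example.

```python
"""Detection-triggered evidence capture and integrity check for a container.

Added example, not code from the interview or from any vendor. The
container filesystem is stood in by a directory (assumption: a real
pipeline would feed it the output of `docker export <container-id>`).
"""
import hashlib
import json
import tarfile
import tempfile
import time
from pathlib import Path

# Constructed sample: what the container's filesystem held when the alert fired.
SAMPLE_FILES = {
    "etc/hostname": b"web-7f3a\n",
    "var/log/app.log": b"2024-01-01T00:00:00Z app started\n",
    "tmp/unexpected.bin": bytes(range(32)),  # an artifact the analyst will want preserved
}
# Constructed detection event, as a detection platform might hand it to the hook.
SAMPLE_EVENT = {"container_id": "ctr-7f3a", "time": "2024-01-01T00:05:00Z"}


def sha256_bytes(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def build_sample_rootfs(base: Path) -> Path:
    """Materialise the constructed files as a directory tree (the stand-in rootfs)."""
    for rel, content in SAMPLE_FILES.items():
        target = base / rel
        target.parent.mkdir(parents=True, exist_ok=True)
        target.write_bytes(content)
    return base


def capture_evidence(rootfs: Path, event: dict, out_dir: Path) -> dict:
    """Archive rootfs, hash every file, and write a manifest. Returns the manifest."""
    out_dir.mkdir(parents=True, exist_ok=True)
    archive = out_dir / f"{event['container_id']}.tar"
    files = {}
    with tarfile.open(archive, "w") as tar:
        for path in sorted(rootfs.rglob("*")):
            if path.is_file():
                rel = path.relative_to(rootfs).as_posix()
                files[rel] = sha256_bytes(path.read_bytes())  # per-file hash, taken at capture time
                tar.add(path, arcname=rel)
    manifest = {
        "container_id": event["container_id"],
        "detection_time": event["time"],
        "captured_at": time.strftime("%Y-%m-%dT%H:%M:%SZ", time.gmtime()),
        "archive": archive.name,
        "archive_sha256": sha256_bytes(archive.read_bytes()),  # whole-archive hash
        "files": files,
    }
    (out_dir / f"{event['container_id']}.manifest.json").write_text(
        json.dumps(manifest, indent=2, sort_keys=True)
    )
    return manifest


def verify_evidence(manifest: dict, out_dir: Path) -> list:
    """Re-hash the stored archive against the manifest.

    Returns the names that no longer match ("archive" for the archive as a
    whole, plus any individual file); an empty list means the evidence is intact.
    """
    problems = []
    archive = out_dir / manifest["archive"]
    if sha256_bytes(archive.read_bytes()) != manifest["archive_sha256"]:
        problems.append("archive")
    seen = set()
    with tarfile.open(archive, "r") as tar:
        for member in tar.getmembers():
            if not member.isfile():
                continue
            data = tar.extractfile(member).read()
            if manifest["files"].get(member.name) != sha256_bytes(data):
                problems.append(member.name)
            seen.add(member.name)
    # Files listed in the manifest but missing from the archive are also a problem.
    problems.extend(sorted(set(manifest["files"]) - seen))
    return problems


def run_demo() -> dict:
    """Capture the sample container, verify it, then show that tampering is detected."""
    base = Path(tempfile.mkdtemp(prefix="evidence-demo-"))
    rootfs = build_sample_rootfs(base / "rootfs")
    out_dir = base / "evidence"
    manifest = capture_evidence(rootfs, SAMPLE_EVENT, out_dir)
    intact = verify_evidence(manifest, out_dir)
    # Simulate someone altering the stored archive after capture: the tar stores
    # file bodies raw, so rewriting the hostname bytes changes that file's content.
    archive = out_dir / manifest["archive"]
    data = bytearray(archive.read_bytes())
    offset = data.find(b"web-7f3a\n")
    data[offset:offset + 8] = b"web-0000"
    archive.write_bytes(bytes(data))
    tampered = verify_evidence(manifest, out_dir)
    return {"file_count": len(manifest["files"]), "intact": intact, "tampered": tampered}


if __name__ == "__main__":
    print(json.dumps(run_demo(), indent=2))
```

The manifest, not the archive, is what the analyst trusts later: store it separately from the archive (or sign it) so that the per-file hashes taken at capture time remain the reference point if the container, and then the copy of its filesystem, are no longer available in their original form.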