Forensics or fauxrensics? What to look for in cloud forensics and incident response [Q&A]
The rapid deployment of cloud resources has led to misconfigurations and security risks, leaving security teams scrambling to adapt and secure their businesses following migrations away from traditional on-premises environments.
Despite successfully enhancing prevention and detection in the cloud, organizations now face a significant challenge in assessing the true scope and impact of issues that do arise.
The problem is compounded by resources spread across multiple cloud providers and by the adoption of container and serverless technologies, so organizations need a better way to investigate and respond to incidents in cloud environments.
We talked to James Campbell, CEO and co-founder of Cado Security, about what cloud incident response solutions can offer and about the key capabilities organizations should look for when evaluating cloud forensics and incident response tooling.
BN: Why is it so difficult to identify effective cloud forensics and incident response solutions?
JC: As organizations increasingly embrace cloud technologies, the need for forensics and incident response capabilities has become increasingly prevalent. Cloud technologies and associated threats are constantly evolving, requiring continuous adaptation and enhancement of incident response capabilities and playbooks.
In response, many security teams are seeking to move away from homegrown solutions and open-source tools, opting instead for more effective cloud forensics capabilities. However, in a market saturated with buzzwords and hype, distinguishing genuine cloud forensics from what I like to call 'fauxrensics' can be challenging. By this, I mean those solutions that don't provide the all-important capabilities that organizations really need for a cloud forensics and incident response solution to be effective.
BN: What are the key capabilities that enterprises should consider when evaluating a cloud forensics solution?
JC: There are several key capabilities that organizations should prioritize when seeking out cloud forensics solutions. I'll look to run through three of these here.
1. Depth of data
There's a common misconception that cloud forensics solely entails log analysis. However, this is inaccurate. Effective cloud forensics demands access to comprehensive datasets that go beyond traditional log data sources. While logs offer valuable insights, investigations require a deeper understanding of information derived from various sources such as disk, network, and memory within the cloud infrastructure. For instance, full disk analysis complements log analysis by providing essential context for pinpointing the root cause and scope of an incident. Therefore, a holistic approach that incorporates diverse data sources is essential for robust cloud forensics.
2. Chain of custody
This is crucial, especially in legal proceedings, to guarantee the integrity of data throughout an investigation. However, in complex, multi-cloud environments, preserving unaltered copies of forensic evidence securely is easier said than done. When assessing a cloud forensics platform, it's vital to ensure that any solution can autonomously manage and maintain the chain of custody in the background, recording and safeguarding evidence without human intervention.
3. Automated collection and isolation
The speed at which security teams can identify the root cause and scope of malicious activities often makes the difference in minimizing potential impacts. With this in mind, automating forensics data collection and system isolation becomes imperative to curb the spread and limit further damage during investigations. To make this possible, cloud forensics platforms must be able to natively integrate with incident management tools and/or provide built-in product automation rules.
BN: How important is it that these platforms are easy to use?
JC: It is incredibly important. Security teams shouldn't require deep cloud or incident response knowledge to perform forensic investigations of cloud resources. They already have enough on their plate.
We need to see a step change in solutions. In my experience as an incident responder, traditional forensics tools and approaches have made investigation and response overly tedious and complex. For this reason, modern forensics platforms must prioritize usability and leverage automation to drastically simplify the end-to-end incident response process.
BN: What features can help to improve the user experience?
JC: There are several that spring to mind. Primarily, analysts should be able to get the deep context they need at the click of a button. Here, data enrichment and usability features such as incident dashboards, a single timeline view, saved search, and faceted search can all be extremely useful in improving platform navigation and helping to identify key insights at speed.
Further, additional features can also be included to improve functionality and the user experience.
Cross-cloud support, for example, can ensure that these platforms work effectively even when an incident spans multiple cloud service providers. Not only can these additions aid advanced analysts in achieving greater efficiency, but they can also support novice analysts, enabling them to undertake more complex investigations.
BN: Why is being proactive in relation to incident response essential?
JC: Realising that you lack access to crucial data essential for comprehending an incident during a crisis is a professional nightmare. Without it, responding swiftly becomes an uphill battle. It's like being lost in a maze without a map.
Keeping a finger on the pulse of evolving cloud threats is therefore vital in ensuring that you can avoid finding yourself in such a tricky situation.
Having the ability to continuously assess your incident response program enables you to rapidly identify and mitigate any gaps that could prevent the organization from being able to effectively respond to potential threats.
Effective cloud forensics and incident response solutions will empower security teams to be proactive, providing the means to identify their shortcomings before they come face to face with an incident.
Therefore, when evaluating or comparing platforms, it is vitally important to look out for those that can run readiness checks and highlight readiness trends over time. They should also be able to identify issues that could stifle investigations, highlight appropriate configurations, ensure correct logging and data decryption capabilities are in place, and verify that permissions are aligned with best practices.
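The readiness checks described above (logging in place, evidence stores that survive, decryption possible, responder permissions sufficient but not excessive) can be written as a data-driven report over an inventory of the account's configuration, with a score that can be tracked run over run to show the trend. The checker below is an added example, not a product feature and not code from the interview. The inventory, the responder role name, the key names and the 90-day retention minimum are assumptions made for the illustration; the field names mirror the AWS CloudTrail, VPC, S3, IAM and KMS API responses they stand in for, but the values are constructed.

```python
import copy
from dataclasses import dataclass

# Constructed inventory standing in for what a readiness check would pull from the
# provider's APIs. Field names mirror the AWS responses; every value is made up.
SAMPLE_INVENTORY = {
    "trails": [{"Name": "org-trail", "IsMultiRegionTrail": True, "IsLogging": True,
                "LogFileValidationEnabled": False}],
    "vpcs": {"vpc-0a1": {"flow_logs": True}, "vpc-0b2": {"flow_logs": False}},
    "buckets": {"audit-logs": {"versioning": "Enabled", "retention_days": 30},
                "evidence": {"versioning": "Suspended", "retention_days": 365}},
    "responder_role": {"Arn": "arn:aws:iam::111111111111:role/forensic-responder",
                       "Allow": ["ec2:DescribeInstances", "ec2:CreateSnapshot",
                                 "ec2:ModifyInstanceAttribute", "s3:PutObject"]},
    "kms_keys": {"ebs-default": {"decrypt_principals": ["arn:aws:iam::111111111111:role/backup"]}},
}

# What the responder role needs to snapshot a volume, quarantine an instance and
# read encrypted data (assumed minimum set for this example).
REQUIRED_RESPONDER_ACTIONS = {"ec2:DescribeInstances", "ec2:DescribeVolumes", "ec2:CreateSnapshot",
                              "ec2:ModifyInstanceAttribute", "kms:Decrypt", "s3:PutObject"}
MIN_LOG_RETENTION_DAYS = 90   # assumed policy minimum, not a figure from the interview


@dataclass
class Finding:
    check: str
    passed: bool
    detail: str


def readiness_report(inv: dict) -> list[Finding]:
    f = []
    # Logging: a multi-region trail that is actually delivering, with log file validation on.
    f.append(Finding("cloudtrail.multi_region_logging",
                     any(t["IsLogging"] and t["IsMultiRegionTrail"] for t in inv["trails"]),
                     "no active multi-region trail"))
    for t in inv["trails"]:
        f.append(Finding(f"cloudtrail.{t['Name']}.log_file_validation", t["LogFileValidationEnabled"],
                         "log file validation off: log integrity cannot be proven"))
    for vpc, cfg in inv["vpcs"].items():
        f.append(Finding(f"vpc.{vpc}.flow_logs", cfg["flow_logs"], "no flow logs: network scope unknown"))
    # Evidence and log stores must resist deletion and outlive the investigation.
    for name, b in inv["buckets"].items():
        f.append(Finding(f"s3.{name}.versioning", b["versioning"] == "Enabled", "versioning not enabled"))
        f.append(Finding(f"s3.{name}.retention", b["retention_days"] >= MIN_LOG_RETENTION_DAYS,
                         f"retention below {MIN_LOG_RETENTION_DAYS} days"))
    # Permissions: enough to collect and isolate, but no wildcard grants.
    role = inv["responder_role"]
    allowed = set(role["Allow"])
    missing = sorted(REQUIRED_RESPONDER_ACTIONS - allowed)
    f.append(Finding("iam.responder.required_actions", not missing, f"missing {missing}"))
    f.append(Finding("iam.responder.least_privilege", not any("*" in a for a in allowed),
                     "wildcard action granted to responder role"))
    # Decryption: the responder must be able to read encrypted volumes and snapshots.
    for key, k in inv["kms_keys"].items():
        f.append(Finding(f"kms.{key}.responder_can_decrypt", role["Arn"] in k["decrypt_principals"],
                         "responder role cannot decrypt with this key"))
    return f


def failed_checks(inv: dict) -> list[str]:
    return [x.check for x in readiness_report(inv) if not x.passed]


def readiness_score(inv: dict) -> float:
    """Fraction of checks passing; record this per run to see the readiness trend over time."""
    report = readiness_report(inv)
    return round(sum(x.passed for x in report) / len(report), 2)


def remediated(inv: dict) -> dict:
    """Return a copy with every gap above closed, i.e. the state after the fixes are applied."""
    out = copy.deepcopy(inv)
    for t in out["trails"]:
        t["LogFileValidationEnabled"] = True
    for cfg in out["vpcs"].values():
        cfg["flow_logs"] = True
    for b in out["buckets"].values():
        b["versioning"] = "Enabled"
        b["retention_days"] = max(b["retention_days"], MIN_LOG_RETENTION_DAYS)
    out["responder_role"]["Allow"] = sorted(REQUIRED_RESPONDER_ACTIONS)
    for k in out["kms_keys"].values():
        k["decrypt_principals"].append(out["responder_role"]["Arn"])
    return out


if __name__ == "__main__":
    for label, inv in (("before", SAMPLE_INVENTORY), ("after", remediated(SAMPLE_INVENTORY))):
        print(label, readiness_score(inv), failed_checks(inv))
```

On the sample inventory six of eleven checks fail, which is the point of running this before an incident rather than during one: the missing kms:Decrypt grant and the 30-day log retention are the kind of gap that is cheap to fix today and unrecoverable once the data you needed has aged out.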
BN: What would your parting advice be to companies considering cloud forensics tools?
JC: If you're not sure, then don't settle. Cut through the marketing and sales hype. Now, more than ever before, it's imperative for organizations to embrace real cloud forensics rather than 'fauxrensics' solutions. If such a product is unable to tick each of these critical boxes -- whether that's leveraging deep data far beyond log analysis or offering features that dramatically enhance the analyst experience -- then it is likely that there is a better alternative out there.