In the rush to the cloud, infosec professionals struggle to translate their existing security capabilities, controls, and processes to the new environment. One of the last processes they adapt? Incident response, said Dave Shackleford, as he kicked-off his 2019 CyberCrime Symposium presentation. A primary reason, he said, is they can’t get the same real-time visibility into events that they could in their traditional environments.
Still, because organizational leaders and users continue to push forward with cloud moves — often with little knowledge of what’s involved — CISOs “better have a plan for when things go wrong,” said Shackleford, principal consultant, Voodoo Security, and long-time SANS Institute instructor.
According to SANS Institute’s 2019 Cloud Security survey, authored by Shackleford, 52% of respondents cited their inability to respond to incidents within their public cloud apps and data as a major concern, while 51% cited a lack of visibility into where their data’s processed. As major concerns, these rank among the top five.
There’s no question infosec pros face real challenges as they look to update IR processes for the cloud, including difficulties correlating events across environments, acquiring evidence, and accessing logs. The good news, said Shackleford, is that “they can adapt some of their IR practices and workflows to cloud-based environments.” To that end, he spent his session outlining ways attendees could improve IR capabilities for the cloud, based on the standard phases in the NIST 800 61R2 model.
People Problems Persist
Ten years ago, when Shackleford started teaching cloud courses for SANS Institute, high-profile security incidents included cases where CSPs were slow to detect large botnets operating on their systems. Today, users cause the vast majority of security incidents. “We’re our own worst enemy,” said Shackleford.
A good example: Despite a boatload of AWS protection tools and warning pop-ups, developers increasingly expose S3 buckets containing sensitive data to the public, mostly through configuration errors.
In the 2019 SANS survey, cloud visibility and IR worries were topped only by concerns over unauthorized outsider access, cited by 56% of respondents. Though only 19% have seen this concern become a reality, Shackleford said attacks on cloud resources have surged in recent years.
Unauthorized access anxieties, therefore, seem justified, as they’re inextricably connected to respondent concerns involving user errors. These included users misconfiguring interfaces and APIs; spinning-up containers and other components too rapidly to apply security controls; and failing to develop cloud security skills. While SOC teams naturally worry about breaches that result in data exfiltration, it’s also common for outsiders to piggyback on legitimate accounts so they can use resources on the account-holder’s dime.
For those respondents that did suffer breaches, account hijacking was the leading threat type. “Cloud security incidents are still largely caused by users, cyber-actors, and other people,” said Shackleford. “It’s the classic problem we've all been dealing with for some time.”
Matters of Trust
Meanwhile, fears over cloud personnel breaches have dropped, suggesting trust is increasing as the cloud matures. That’s promising, as the first phase of IR adaptation, according to Shackleford, involves collaborating with CSPs to understand their IR capabilities, data-sharing responsibilities, and other key details. IR phases — and recommendations for handling them in the cloud — include the following:
Preparation phase: Gather information from CSPs.
Even with cloud contracts in place, CISOs may need to regroup to get answers to some critical questions. It’s a simpler matter to gather such information from the “Big Three” CSPs — AWS, Microsoft, and Google — than from the numerous smaller SaaS providers that organizations typically use.
Shackleford said security heads should determine if CSPs have security SLAs, skilled IR staff, and law enforcement contacts; what IR processes they have in place; and how they monitor network traffic. While the large IaaS providers can answer such questions, “you’ll get some deer-in-the-headlights looks from small providers,” said Shackleford. “But, until the security industry pushes hard for answers on provider controls and capabilities, the situation’s not likely to improve.”
Another vendor issue impacting infosec teams is DFIR tool incompatibility. They’ll need to know when — or if — vendors will upgrade their on-prem product sets to facilitate capture in the cloud.
Preparation phase: Create a separate cloud IR team.
For evidence integrity and better security overall, said Shackleford, “isolate cloud IR teams in every way possible.” Provide them with a dedicated, restricted-access account for cloud security interactions and evidence acquisition. “If cloud-IR teams piggyback on existing production accounts, they can’t extricate their data without creating a mess,” he said.
Further, take advantage of isolation capabilities in, say, AWS or Azure. Then lock down these accounts, apply multi-factor authentication, and use a write-once storage model to protect logs and evidence.
Finally, he said, hold a game day for cloud IR teams at least once a quarter. Set-up specific security scenarios—an exposed S3 bucket, a newly spun-up rogue instance—and have them work the problem.
Detection and Analysis Phase
The good news here, said Shackleford, is that the major CSPs have developed APIs that enable connectivity to SIEMs and similar SOC products. Though vendors offer a range of SECaaS products, including event-management-as-a-service, he advised attendees to take advantage of their SOC’s existing tools and workflows and correlate on-prem and cloud events in-house.
The big CSPs offer native capabilities for collecting database activity, storage access, perimeter network, management portal, and orchestration logs, to name a few. By setting-up API connectors, SOCs can stream these logs into a cloud-based collection mechanism, compress them in a file, and import it for correlation.
Retrieving logs from SaaS providers, however, isn’t so easy. While some will agree to share, many won’t, and even when they do, that data may come in the form of a downloadable zip file delivered over a period of hours. “That’s hardly real-time incident monitoring and detection,” said Shackleford. CASBs and other SECaaS providers can help, though it means additional spending.
Containment and Response Phase
Among the most valuable tools for responding to potential compromises in cloud environments are triggers. SOCs can apply a metadata tag to any asset they want to track—servers, databases, new builds—and receive notifications when something changes. They can then move the system to a quarantined VPC, where the dedicated cloud team can monitor it or take corrective measures.
And remember: “It’s not all gloom and doom,” said Shackleford. While it key that CISOs understand their CSP IR capabilities, “many organizations are going to get stronger security from CSPs than they can create themselves.”
This is the fifth in our series of posts presenting key takeaways from our 2019 CyberCrime Symposium, held Oct. 17-18. The program — Cloud Security — featured an incredible line-up of speakers. If you couldn’t get a seat at the event or want a refresher on various sessions, don’t miss upcoming installments.