Cloud Incident Preparedness and Cloud Incident Response

What does it mean to be prepared for a Cloud Incident?

Greetings from Cloud Security Podcast!

Firstly, thank you to everyone who came to say hello and spent time with us at KubeCon EU 2024, which, believe it or not, was the largest KubeCon + CloudNativeCon conference to date, with 12,000 onsite attendees.

Our team has attended the last few KubeCons, and it's been incredible to see this community grow. With the acceleration of AI in 2023 and 2024, Kubernetes and containers are even more top of mind for people, so it's no wonder that this community and conference are growing. Also, one of the folks we interviewed, Liz Rice, who has attended most KubeCons to date, shared that she is seeing more end users than contributors and maintainers at these conferences, which is an interesting sign of maturity in this industry.

We had a bunch of fun and some incredible chats, and we are looking forward to sharing those interviews with you very soon. Make sure you are subscribed to our socials and keep an eye on these newsletters to know when the episodes are dropping!

Next up! Our team is headed to AWS Summit in London in April 2024, and we will be at BSidesSF and RSA in June 2024. If you are attending any of these events, definitely hit us up. We have some fun things planned as usual and some great conversations lined up, so expect a lot of Cloud Security and AI Security goodness coming your way!

But before all of that, we are happy to report that our host, Ashish Rajan, will be presenting at QCon London on "A Zero Trust Future for Applications: Practical Implementation and Pitfalls". If you are in London and attending the event, do check it out.

What's ahead in this newsletter…

  • Are You Truly Ready to Respond to a Cloud Incident?

    • Defining Cloud Incident Preparedness

    • The CSPM Misconception

    • Showing Security ROI to Leaders

  • The Rise of AI Coding Assistants: GitHub Copilot Unveiled

    • Security Use Cases

    • Should You Trust AI-Generated Code?

    • Data Privacy Considerations

  • Threat Hunting in the Cloud Wilderness

    • Threat Detection 101

    • Why Cloud IR is a Different Beast

    • CSPM Ain't Enough for Cloud Detection

    • Building Security Buy-In

Cloud Security Podcast Mar 24 Wrap Up

This month we covered some really intriguing topics, everything from being prepared for a Cloud Incident to Incident Response in Cloud to dissecting the world of AI Generated Code Security.


⚠️ Are You Truly Ready to Respond to a Cloud Incident? ⚠️

In this episode we spoke to Ariel Parnes, Co-Founder at Mitiga (who also happened to have been nominated this week for the RSA Innovation Sandbox. Congratulations!). We tackled a critical question: How prepared is your organization to detect, investigate, and respond to cloud security incidents?

Defining Cloud Incident Preparedness 🔑

  • It's all about reducing the impact when (not if) an attack happens

  • Prevention focuses on probability, preparedness focuses on minimizing damage

  • Two main factors: visibility into logs/telemetry and the ability to extract attack storylines

The CSPM Misconception 🤔

  • Cloud Security Posture Management (CSPM) is NOT preparedness

  • CSPM identifies misconfigurations/risks, but doesn't cover incident response

  • "CSPM starts where incident preparedness ends" - prepare for both!

Do You Need a Security Data Lake? 💧

  • As cloud ops mature, invest in data platforms for detection & response

  • CSPM alone isn't enough once your crown jewels live in the cloud

  • Having the right data is key for effective investigations

Showing Security ROI to Leaders 💰

  • Metric 1: Time to detect, investigate & respond (the faster, the better)

  • Metric 2: Coverage of different attack detections (MITRE ATT&CK)

  • Use these metrics to quantify risk reduction and incident cost savings

Where to Start? 💡

✅ Run a cloud-focused tabletop exercise (with architects!)
✅ Assess visibility/log coverage for cloud incident response
✅ Build a readiness plan to close the gaps identified


🤖 The Rise of AI Coding Assistants: GitHub Copilot Unveiled 🤖

This is a conversation we had at NDC Oslo 2024 with Joseph Katsioloudes, who works at the GitHub Security Lab, about GitHub Copilot, Microsoft's AI coding assistant. If you're working with code in any capacity, especially AI-generated code, this will definitely pique your interest!

What is GitHub Copilot?

  • An AI pair programmer that lives in your code editor 💻

  • Provides code suggestions/auto-complete based on context

  • Can also generate code via comments or chat interface

Security Use Cases!

GitHub Copilot isn't just for developers. Security professionals can leverage it for tasks like:

✅ Generating penetration testing scripts and payloads
✅ Identifying potential attack surfaces in open source projects
✅ Creating fuzz strings for security testing
✅ Exploring code bases more efficiently

Should You Trust AI-Generated Code? 🤨

The resounding answer: Nope! Well, at least not blindly.

  • Treat Copilot's suggestions like code from anyone else

  • Human review and security testing are still crucial

  • Copilot is a co-pilot, not a self-driving car! You're still in control

Data Privacy Considerations 🔒

For businesses/enterprises, no data is retained from GitHub Copilot usage. But for individual licenses:

  • You can opt in or out of sharing analytics

  • Prompts are securely transmitted but not stored

  • Standard privacy practices apply, just like other products


Threat Hunting in the Cloud Wilderness 🌩️

Doing Threat Hunting and Incident Response in the Cloud can sometimes feel like being in the Wild Wild West. We had the pleasure of speaking to Andrew Tabona, Head of Cyber Threat Management & Incident Response at a Fortune 500 company, about how to tackle these things in the Cloud!

Threat Detection 101

  • Detecting anomalies that indicate potential threats 👺

  • Analyzing patterns like suspicious IPs, dormant keys, reconnaissance activities

  • Going beyond traditional detection to handle cloud's scale & complexity
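
As an added illustration (not from the podcast or the newsletter), the sketch below hunts for the three patterns listed above over a handful of constructed, provider-neutral log events. The event fields, thresholds, key names and IP allowlist are all assumptions made for the example.

```python
from collections import defaultdict
from datetime import datetime, timedelta

DORMANT_AFTER = timedelta(days=90)      # assumed dormancy threshold
RECON_WINDOW = timedelta(minutes=10)    # assumed burst window
RECON_MIN_ACTIONS = 4                   # distinct read-only calls that count as a burst
RECON_PREFIXES = ("List", "Describe", "Get")  # assumed naming of enumeration calls

# Constructed baseline: when each key was last used before the log window.
BASELINE = {"KEY-BUILD": "2024-03-01T08:00:00", "KEY-OLD": "2023-09-14T11:30:00"}
KNOWN_IPS = {"198.51.100.10"}           # constructed allowlist (documentation range)

# Constructed events in a provider-neutral shape (hypothetical field names).
EVENTS = [
    {"time": "2024-03-20T09:00:00", "key": "KEY-BUILD", "ip": "198.51.100.10", "action": "PutObject"},
    {"time": "2024-03-20T02:14:05", "key": "KEY-OLD", "ip": "203.0.113.77", "action": "ListUsers"},
    {"time": "2024-03-20T02:14:40", "key": "KEY-OLD", "ip": "203.0.113.77", "action": "ListRoles"},
    {"time": "2024-03-20T02:15:10", "key": "KEY-OLD", "ip": "203.0.113.77", "action": "DescribeInstances"},
    {"time": "2024-03-20T02:16:30", "key": "KEY-OLD", "ip": "203.0.113.77", "action": "GetAccountSummary"},
]

def hunt(events, baseline, known_ips):
    """Return sorted (rule, key, time) findings for the three patterns."""
    last_seen = {k: datetime.fromisoformat(v) for k, v in baseline.items()}
    reads = defaultdict(list)           # key -> [(time, action)] inside the window
    findings, flagged_ip, flagged_recon = set(), set(), set()
    for ev in sorted(events, key=lambda e: e["time"]):
        t, key = datetime.fromisoformat(ev["time"]), ev["key"]
        prev = last_seen.get(key)
        # Dormant key: first use after a long silence.
        if prev is not None and t - prev >= DORMANT_AFTER:
            findings.add(("dormant_key_reuse", key, ev["time"]))
        last_seen[key] = t
        # Suspicious IP: source not on the allowlist (reported once per key/IP pair).
        if ev["ip"] not in known_ips and (key, ev["ip"]) not in flagged_ip:
            flagged_ip.add((key, ev["ip"]))
            findings.add(("unknown_source_ip", key, ev["time"]))
        # Reconnaissance: many distinct enumeration calls in a short window.
        if ev["action"].startswith(RECON_PREFIXES):
            reads[key] = [(ts, a) for ts, a in reads[key] if t - ts <= RECON_WINDOW]
            reads[key].append((t, ev["action"]))
            distinct = {a for _, a in reads[key]}
            if len(distinct) >= RECON_MIN_ACTIONS and key not in flagged_recon:
                flagged_recon.add(key)
                findings.add(("recon_burst", key, ev["time"]))
    return sorted(findings)

if __name__ == "__main__":
    for finding in hunt(EVENTS, BASELINE, KNOWN_IPS):
        print(finding)
```

Each rule alone is noisy; the value for an investigation comes from the same key tripping all three within minutes, which is the kind of attack storyline the telemetry is meant to surface.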

Why Cloud IR is a Different Beast

  • Log sources & formats vary across cloud providers

  • Distributed artifacts across regions/services complicate forensics

  • Traditional incident response plans need cloud-specific adaptations

Silver Linings of Cloud IR

✨ Faster recovery via infrastructure as code & redeployment
✨ Abundant telemetry to paint attack narrative if you know where to look
✨ More Efficient IR processes & automation potential

CSPM Ain't Enough for Cloud Detection

  • Cloud Security Posture Management tools ≠ real-time threat detection

  • You still need dedicated detection & response capabilities

  • But CSPM + CDR can be a 💥 powerhouse combo for cloud security

Where to Start with Cloud Detection

  • Get relevant parties involved: CloudSec, Engineers, Intel, Red Teams

  • Identify log sources, context needed for high-fidelity detection

  • Start small, learn, and scale detection use cases over time

Building Security Buy-In

  • Get support from senior leaders - it trickles down

  • Build relationships & involve stakeholders early

  • Share cloud threat intel to spark realization of risks

Cloud IR Team Access

  • Aim for read-only access across cloud environments

  • Implement break-glass/just-in-time model for advanced privileges

  • Maintain auditing of who accessed what & why

First Steps for Cloud IR

  • Define RACI: Who does what during an incident? Containment?

  • Outline processes to gather context, logs, forensic data

  • Start with one cloud, then replicate processes to others

If cloud threats & incidents are keeping you up at night, you won't want to miss this candid discussion with a pro who has been there and done that!

Cloud Security Training from Practitioners!

Want to learn more about Cloud Security, or know someone who wants to? We've got you!

If you have been following our journey for a while, you would know that one of the big reasons we started Cloud Security Podcast was to make cloud security knowledge accessible for anyone wanting to learn it.

Have you joined our FREE Monthly Cloud Security Bootcamp yet? There are paid online and corporate trainings available for those looking to hit their Cloud Security goals this year!

Are you liking this new format newsletter? What can we do better? What else would you like to see here?

Our newsletter is on a path of self-improvement and reinvention. Ashish and I have challenged ourselves to bring you even more value as we continue to evolve this each week, and we would love to hear from you 📢 as to how we can make this newsletter even more awesome for you. (On that note, thank you for subscribing 💙)

Hope you are enjoying this new-look Cloud Security Newsletter; there's plenty more to come.

Peace!
