Cloud Incident Preparedness and Cloud Incident Response
What does it mean to be prepared for a Cloud Incident?
Greetings from Cloud Security Podcast!
Firstly, thank you to everyone who came and said hello and spent time with us at KubeCon EU 2024, which, if you can believe it, was the largest KubeCon + CloudNativeCon to date, with 12,000 onsite attendees.
Our team has been attending the last few KubeCons and it's been incredible to watch this community grow. With the acceleration of AI in 2023 and 2024, Kubernetes and containers are even more top of mind, so it's no wonder the community and the conference keep growing. One of the folks we interviewed, Liz Rice, who has attended most KubeCons to date, shared that she is seeing more end users than contributors and maintainers at these conferences, which is an interesting sign of maturity in this industry.
We had a bunch of fun and some incredible chats, and we are looking forward to sharing those interviews with you very soon. Make sure you are subscribed to our socials and keep an eye on these newsletters to know when the episodes are dropping!
Next up! Our team is headed to AWS Summit London in April 2024, and we will be at BSidesSF and RSA in June 2024. If you are attending any of these events, definitely hit us up. We have some fun things planned as usual and some great conversations lined up, so expect a lot of cloud security and AI security goodness coming your way!
But before all of that, we are happy to report that our host, Ashish Rajan, will be presenting at QCon London on A Zero Trust Future for Applications: Practical Implementation and Pitfalls. If you are in London and attending the event, do check it out.
Cloud Security Podcast Mar 24 Wrap Up
This month we covered some really intriguing topics, from being prepared for a cloud incident, to incident response in the cloud, to dissecting the security of AI-generated code.
Are You Truly Ready to Respond to a Cloud Incident?
In this episode we spoke to Ariel Parnes, Co-Founder at Mitiga (who also happened to be nominated this week for the RSA Innovation Sandbox; congratulations!). We tackled a critical question: how prepared is your organization to detect, investigate, and respond to cloud security incidents?
Defining Cloud Incident Preparedness
It's all about reducing the impact when (not if) an attack happens
Prevention focuses on probability, preparedness focuses on minimizing damage
Two main factors: visibility into logs/telemetry and the ability to extract attack storylines
The CSPM Misconception
Cloud Security Posture Management (CSPM) is NOT preparedness
CSPM identifies misconfigurations/risks, but doesn't cover incident response
"CSPM starts where incident preparedness ends" - prepare for both!
Do You Need a Security Data Lake?
As cloud ops mature, invest in data platforms for detection & response
CSPM alone isn't enough once your crown jewels live in the cloud
Having the right data is key for effective investigations
Showing Security ROI to Leaders
Metric 1: Time to detect, investigate & respond (the faster, the better)
Metric 2: Coverage of different attack detections (MITRE ATT&CK)
Use these metrics to quantify risk reduction and incident cost savings
Where to Start?
Run a cloud-focused tabletop exercise (with architects!)
Assess visibility/log coverage for cloud incident response
Build a readiness plan to close the gaps identified
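The "assess visibility/log coverage" step is the one people tend to hand-wave, so here is what a first pass can look like in code. This is an added example written for the newsletter, not code from the episode or from Mitiga: it scores a CloudTrail trail description against a small readiness checklist. The dict mirrors the shape of the AWS CLI's `cloudtrail describe-trails` and `get-event-selectors` output merged together, but every value in it is constructed, and the six checks are this example's own list, not a vendor's.

```python
"""Added example (not from the newsletter or from Mitiga): score cloud log
coverage for incident response against a CloudTrail-style trail description.
All trail values below are constructed; the checklist is this example's own."""
from dataclasses import dataclass, field

# Constructed sample: a trail as an ops team might have left it.
SAMPLE_TRAIL = {
    "Name": "org-trail",
    "IsMultiRegionTrail": False,
    "IncludeGlobalServiceEvents": True,
    "LogFileValidationEnabled": False,
    "KmsKeyId": None,
    "EventSelectors": [
        {"ReadWriteType": "WriteOnly", "IncludeManagementEvents": True,
         "DataResources": []},
    ],
}

# The same trail after a readiness plan closed the gaps (also constructed).
HARDENED_TRAIL = {
    **SAMPLE_TRAIL,
    "IsMultiRegionTrail": True,
    "LogFileValidationEnabled": True,
    "KmsKeyId": "arn:aws:kms:us-east-1:111122223333:key/EXAMPLE-KEY-ID",
    "EventSelectors": [
        {"ReadWriteType": "All", "IncludeManagementEvents": True,
         "DataResources": [{"Type": "AWS::S3::Object",
                            "Values": ["arn:aws:s3:::crown-jewels-bucket/"]}]},
    ],
}


@dataclass
class ReadinessReport:
    checks: int = 0
    gaps: list = field(default_factory=list)

    @property
    def score(self) -> float:
        """Fraction of checks passed; 1.0 means no visibility gap was found."""
        return 1.0 if self.checks == 0 else 1 - len(self.gaps) / self.checks


def assess_trail(trail: dict) -> ReadinessReport:
    """Run the checklist; every failed check is a gap for the readiness plan."""
    report = ReadinessReport()

    def check(ok: bool, gap: str) -> None:
        report.checks += 1
        if not ok:
            report.gaps.append(gap)

    selectors = trail.get("EventSelectors", [])
    check(bool(trail.get("IsMultiRegionTrail")),
          "single-region trail: attacker activity in other regions is invisible")
    check(bool(trail.get("IncludeGlobalServiceEvents")),
          "global service events (IAM, STS) not captured")
    check(bool(trail.get("LogFileValidationEnabled")),
          "log file validation off: tampering with stored logs goes unnoticed")
    check(bool(trail.get("KmsKeyId")),
          "log files not encrypted with a customer-managed KMS key")
    check(any(s.get("IncludeManagementEvents") and s.get("ReadWriteType") == "All"
              for s in selectors),
          "read-only management events (Describe*/List*/Get*) not logged: "
          "reconnaissance is invisible")
    check(any(s.get("DataResources") for s in selectors),
          "no data events: S3 object access and similar data-plane calls are not logged")
    return report


if __name__ == "__main__":
    for label, trail in (("before", SAMPLE_TRAIL), ("after", HARDENED_TRAIL)):
        r = assess_trail(trail)
        print(f"{label}: score {r.score:.2f}, {len(r.gaps)} gap(s)")
        for g in r.gaps:
            print("  -", g)
```

The trail is only one source; a real assessment extends the same checklist to VPC Flow Logs, GuardDuty findings, Kubernetes audit logs and application logs, and to how long each is retained, because an attack storyline that started 120 days ago cannot be extracted from 90 days of logs.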
The Rise of AI Coding Assistants: GitHub Copilot Unveiled
This is a conversation we had with Joseph Katsioloudes, who works at the GitHub Security Lab, at NDC Oslo 2024 about GitHub Copilot, Microsoft's AI coding assistant. If you work with code in any capacity, especially AI-generated code, this will definitely pique your interest!
What is GitHub Copilot?
An AI pair programmer that lives in your code editor
Provides code suggestions/auto-complete based on context
Can also generate code via comments or chat interface
Security Use Cases!
GitHub Copilot isn't just for developers. Security professionals can leverage it for tasks like:
Generating penetration testing scripts and payloads
Identifying potential attack surfaces in open source projects
Creating fuzz strings for security testing
Exploring code bases more efficiently
Should You Trust AI-Generated Code?
The resounding answer: nope! Well, at least not blindly.
Treat Copilot's suggestions like code from anyone else
Human review and security testing are still crucial
Copilot is a co-pilot, not a self-driving car! You're still in control
Data Privacy Considerations
For business and enterprise licenses, no data is retained from GitHub Copilot usage. For individual licenses:
You can opt-in or out of sharing analytics
Prompts are securely transmitted but not stored
Standard privacy practices apply, just like other products
Threat Hunting in the Cloud Wilderness
Threat hunting and incident response in the cloud can sometimes feel like the Wild West. We had the pleasure of speaking to Andrew Tabona, Head of Cyber Threat Management & Incident Response at a Fortune 500 company, about how to tackle these in the cloud!
Threat Detection 101
Detecting anomalies that indicate potential threats
Analyzing patterns like suspicious IPs, dormant keys, reconnaissance activities
Going beyond traditional detection to handle cloud's scale & complexity
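To make the "suspicious IPs, dormant keys, reconnaissance" bullet concrete, here is an added example written for the newsletter (not code from the episode or the guest): the three patterns as detection rules run over constructed CloudTrail-style records, plus the ATT&CK coverage metric from the Mitiga episode earlier in this issue, computed from the rules' technique tags. Field names mirror CloudTrail; the key IDs, IP ranges, thresholds and the list of techniques of concern are all assumptions.

```python
"""Added example, not code from the newsletter or its guests: three cloud
detection patterns (dormant key suddenly used, activity from an untrusted
network, reconnaissance burst) over constructed CloudTrail-style records, plus
an ATT&CK coverage metric. Thresholds, IDs and IPs are assumptions."""
from collections import defaultdict
from datetime import datetime, timedelta
import ipaddress

# Assumed tuning knobs for the three rules.
DORMANT_DAYS = 90
RECON_WINDOW = timedelta(minutes=10)
RECON_THRESHOLD = 5          # distinct discovery calls inside one window
RECON_EVENTS = {"GetCallerIdentity", "ListBuckets", "ListUsers", "ListRoles",
                "DescribeInstances", "DescribeSecurityGroups", "ListSecrets"}
TRUSTED_NETS = [ipaddress.ip_network("203.0.113.0/24")]   # assumed corporate egress
# Each rule mapped to the ATT&CK technique it gives coverage for.
RULES = {"dormant_key": "T1078.004", "untrusted_ip": "T1078.004", "recon_burst": "T1580"}
# Assumed list of techniques the team wants detections for (coverage metric).
TECHNIQUES_OF_CONCERN = {"T1078.004", "T1580", "T1526", "T1552.005"}


def _ev(ts, name, ip, key):
    """Build a minimal CloudTrail-shaped record (constructed data)."""
    return {"eventTime": ts, "eventName": name, "sourceIPAddress": ip,
            "userIdentity": {"accessKeyId": key}}


# Constructed sample: Alice's key is idle for months, then used from an unknown
# IP for a burst of discovery calls; Bob's key behaves normally.
EVENTS = [
    _ev("2024-01-02T09:00:00Z", "PutObject", "203.0.113.10", "AKIAEXAMPLE0000ALICE"),
    _ev("2024-04-15T13:55:00Z", "PutObject", "203.0.113.22", "AKIAEXAMPLE00000BOB0"),
    _ev("2024-04-15T14:00:00Z", "GetCallerIdentity", "198.51.100.7", "AKIAEXAMPLE0000ALICE"),
    _ev("2024-04-15T14:01:00Z", "ListBuckets", "198.51.100.7", "AKIAEXAMPLE0000ALICE"),
    _ev("2024-04-15T14:02:00Z", "ListUsers", "198.51.100.7", "AKIAEXAMPLE0000ALICE"),
    _ev("2024-04-15T14:03:00Z", "ListRoles", "198.51.100.7", "AKIAEXAMPLE0000ALICE"),
    _ev("2024-04-15T14:04:00Z", "DescribeInstances", "198.51.100.7", "AKIAEXAMPLE0000ALICE"),
    _ev("2024-04-15T14:06:00Z", "ListSecrets", "198.51.100.7", "AKIAEXAMPLE0000ALICE"),
]


def _parse_time(ts: str) -> datetime:
    return datetime.fromisoformat(ts.replace("Z", "+00:00"))


def _is_trusted(src: str) -> bool:
    # Calls AWS services make on a principal's behalf carry a hostname, not an IP.
    if src.endswith(".amazonaws.com"):
        return True
    return any(ipaddress.ip_address(src) in net for net in TRUSTED_NETS)


def detect(events):
    """Return one finding per rule hit, deduplicated so a burst yields one alert."""
    findings = []
    last_seen = {}                 # access key -> time of its previous use
    seen_ips = set()               # (key, ip) pairs already alerted on
    recon = defaultdict(list)      # key -> [(time, eventName)] inside the window
    recon_alerted = set()
    for e in sorted(events, key=lambda e: e["eventTime"]):
        t, name = _parse_time(e["eventTime"]), e["eventName"]
        key, src = e["userIdentity"]["accessKeyId"], e["sourceIPAddress"]

        # Rule 1: a credential silent for DORMANT_DAYS is suddenly used again.
        if key in last_seen and (t - last_seen[key]) >= timedelta(days=DORMANT_DAYS):
            findings.append({"rule": "dormant_key", "technique": RULES["dormant_key"],
                             "key": key, "eventTime": e["eventTime"],
                             "idle_days": (t - last_seen[key]).days})
        last_seen[key] = t

        # Rule 2: activity from outside the networks this tenant is expected to use.
        if not _is_trusted(src) and (key, src) not in seen_ips:
            seen_ips.add((key, src))
            findings.append({"rule": "untrusted_ip", "technique": RULES["untrusted_ip"],
                             "key": key, "eventTime": e["eventTime"], "ip": src})

        # Rule 3: many distinct discovery calls by one key inside a short window.
        if name in RECON_EVENTS:
            window = [(ts, n) for ts, n in recon[key] if t - ts <= RECON_WINDOW]
            window.append((t, name))
            recon[key] = window
            distinct = {n for _, n in window}
            if len(distinct) >= RECON_THRESHOLD and key not in recon_alerted:
                recon_alerted.add(key)
                findings.append({"rule": "recon_burst", "technique": RULES["recon_burst"],
                                 "key": key, "eventTime": e["eventTime"],
                                 "calls": sorted(distinct)})
    return findings


def technique_coverage(rules=RULES, concern=TECHNIQUES_OF_CONCERN) -> float:
    """Share of the techniques we care about that at least one rule claims to detect."""
    return len(set(rules.values()) & concern) / len(concern)


if __name__ == "__main__":
    for f in detect(EVENTS):
        print(f)
    print(f"ATT&CK coverage: {technique_coverage():.0%}")
```

Two design points worth copying: the rules need read-side management events (GetCallerIdentity, List*, Describe*) to be logged at all, which is exactly the coverage gap a write-only trail leaves, and the coverage metric is only honest if every rule's technique tag is backed by a test that actually triggers it.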
Why Cloud IR is a Different Beast
Log sources & formats vary across cloud providers
Distributed artifacts across regions/services complicates forensics
Traditional incident response plans need cloud-specific adaptations
Silver Linings of Cloud IR
Faster recovery via infrastructure as code & redeployment
Abundant telemetry to paint the attack narrative, if you know where to look
More efficient IR processes & automation potential
CSPM Ain't Enough for Cloud Detection
Cloud Security Posture Management tools are not real-time threat detection
You still need dedicated detection & response capabilities
But CSPM + CDR (cloud detection and response) can be a powerhouse combo for cloud security
Where to Start with Cloud Detection
Get relevant parties involved: CloudSec, Engineers, Intel, Red Teams
Identify log sources, context needed for high-fidelity detection
Start small, learn, and scale detection use cases over time
Building Security Buy-In
Get support from senior leaders - it trickles down
Build relationships & involve stakeholders early
Share cloud threat intel to spark realization of risks
Cloud IR Team Access
Aim for read-only access across cloud environments
Implement break-glass/just-in-time model for advanced privileges
Maintain auditing of who accessed what & why
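The read-only baseline and the just-in-time elevation live in IAM; the third bullet, auditing who used the elevated path and why, is what the trail has to answer after the fact. As an added example written for the newsletter (not code from the episode or the guest), here is a small audit over constructed CloudTrail-style AssumeRole records for a break-glass role. The role ARN, the session-name convention `<caller>-INC-<ticket>` and the incident register are assumptions.

```python
"""Added example, not code from the newsletter or its guests: audit break-glass
role use over constructed CloudTrail-style AssumeRole records. The role ARN,
the session-name convention and the incident register are assumptions."""
import re

BREAK_GLASS_ROLE = "arn:aws:iam::111122223333:role/ir-break-glass"   # assumed role
OPEN_INCIDENTS = {"INC-2041"}          # assumed ticket register at audit time
# Convention assumed here: the session name must be "<caller>-INC-<ticket>", so the
# "why" is recorded in CloudTrail itself and not only in somebody's chat history.
SESSION_RE = re.compile(r"^(?P<user>[a-z][a-z0-9.]*)-(?P<ticket>INC-\d+)$")


def _assume(ts, user, session_name, role=BREAK_GLASS_ROLE):
    """Minimal CloudTrail-shaped AssumeRole record (constructed data)."""
    return {"eventTime": ts, "eventName": "AssumeRole",
            "userIdentity": {"arn": f"arn:aws:iam::111122223333:user/{user}"},
            "requestParameters": {"roleArn": role, "roleSessionName": session_name}}


RECORDS = [
    _assume("2024-04-15T14:10:00Z", "alice", "alice-INC-2041"),     # legitimate
    _assume("2024-04-15T15:30:00Z", "bob", "bob-INC-1999"),         # ticket not open
    _assume("2024-04-16T02:12:00Z", "carol", "debug"),              # no ticket recorded
    _assume("2024-04-16T02:15:00Z", "dave", "alice-INC-2041"),      # someone else's name
    _assume("2024-04-16T03:00:00Z", "erin", "erin-deploy",
            role="arn:aws:iam::111122223333:role/ci-deploy"),       # not the IR role
]


def audit_break_glass(records, open_incidents=OPEN_INCIDENTS):
    """Return (caller, eventTime, reason) for each break-glass use that fails policy."""
    violations = []
    for r in records:
        if (r["eventName"] != "AssumeRole"
                or r["requestParameters"]["roleArn"] != BREAK_GLASS_ROLE):
            continue
        caller = r["userIdentity"]["arn"].rsplit("/", 1)[-1]
        m = SESSION_RE.match(r["requestParameters"]["roleSessionName"])
        if not m:
            reason = "session name carries no incident ticket"
        elif m["user"] != caller:
            reason = f"session name claims {m['user']} but the caller is {caller}"
        elif m["ticket"] not in open_incidents:
            reason = f"{m['ticket']} was not an open incident"
        else:
            continue
        violations.append((caller, r["eventTime"], reason))
    return violations


if __name__ == "__main__":
    for caller, when, why in audit_break_glass(RECORDS):
        print(f"{when} {caller}: {why}")
```

Run this on a schedule against the trail, not just during a post-mortem: an elevation with no ticket at 02:12 is either a responder who skipped the process or an attacker who found the break-glass path, and both deserve a question the same morning.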
First Steps for Cloud IR
Define a RACI: who does what during an incident, and who owns containment?
Outline processes to gather context, logs, forensic data
Start with one cloud, then replicate processes to others
If cloud threats & incidents are keeping you up at night, you won't want to miss this candid discussion with a pro who has been there and done that!
Cloud Security Training from Practitioners!
Want to learn more about cloud security, or know someone who wants to? We've got you!
If you have been following our journey for a while, you will know that one of the big reasons we started Cloud Security Podcast was to make cloud security knowledge accessible to anyone wanting to learn it.
Have you joined our FREE Monthly Cloud Security Bootcamp yet? There are also paid online and corporate trainings available for those looking to hit their cloud security goals this year!
Are you liking this new format newsletter? What can we do better? What else would you like to see here?
Our newsletter is on a path of self-improvement and reinvention. Ashish and I have challenged ourselves to bring you even more value as we continue to evolve it each week, and we would love to hear from you on how we can make this newsletter even more awesome for you (on that note, thank you for subscribing!).
Hope you are enjoying the new-look Cloud Security Newsletter; there's plenty more to come.
Peace!
Was this forwarded to you? You can sign up here if this was helpful for you.
Want to sponsor the next newsletter edition? Let's make it happen.
Have a topic or idea in cloud security or AI cybersecurity to share? Submit it here.
Need cloud security or AI security training or expertise? Let's connect.