Forensics or fauxrensics? What you should pay attention to in cloud forensics and incident response (Q&A)

The rapid deployment of cloud resources has led to misconfigurations and security risks. Security teams are now challenged to adapt and secure their organizations after migrating from traditional on-premises environments.

Despite successful improvements in prevention and detection in the cloud, companies today face a major challenge in assessing the true extent and impact of emerging problems.

The problems are further exacerbated by the distribution of resources across multiple cloud providers and the adoption of container and serverless technologies. Therefore, organizations need a better solution to overcome the hurdles associated with investigation and response in cloud environments.

We spoke to James Campbell, CEO and co-founder of Cado Security, about the potential and capabilities of cloud solutions for incident response management and highlighted the key features that organizations should consider when evaluating cloud forensics and incident response solutions.

BN: Why is it so difficult to find effective cloud forensics and incident response solutions?

JC: As organizations increasingly use cloud technologies, the need for forensics and incident response capabilities has become increasingly important. Cloud technologies and the threats associated with them are constantly evolving, requiring continuous adaptation and improvement of incident response capabilities and playbooks.

In response, many security teams are looking to move away from homegrown solutions and open source tools and instead opt for more effective cloud forensics capabilities. However, in a market full of buzzwords and hype, it can be difficult to distinguish true cloud forensics from what I like to call “faux forensics.” By this, I mean those solutions that don’t provide the important features that organizations really need for a cloud forensics and incident response solution to be effective.

BN: What key features should companies consider when evaluating a cloud forensics solution?

JC: There are several key capabilities that organizations should prioritize when looking for cloud forensics solutions. I’ll go through three of them here.

1. Data depth

There is a common misconception that cloud forensics only involves log analysis. However, this is not true. Effective cloud forensics requires access to comprehensive data sets that go beyond traditional log data sources. While logs provide valuable insights, investigations require a deeper understanding of information from various sources such as disks, networks, and storage within the cloud infrastructure. For example, a full disk analysis complements log analysis by providing essential context to determine the root cause and scope of an incident. Therefore, a holistic approach that incorporates various data sources is essential for robust cloud forensics.

2. Chain of evidence

This is especially critical in legal proceedings to ensure the integrity of data during an investigation. However, in complex multi-cloud environments, keeping unaltered copies of forensic evidence safe is easier said than done. When evaluating a cloud forensics platform, it is important to ensure that any solution can manage and maintain the chain of evidence autonomously in the background, recording and securing evidence without human intervention.

3. Automated detection and isolation

The speed with which security teams can determine the root cause and scope of malicious activity often helps minimize potential impact. With this in mind, automating forensic data collection and system isolation is essential to contain the spread and limit further damage during investigations. To enable this, cloud forensics platforms must be able to integrate natively with incident management tools and/or provide built-in product automation rules.
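The chain-of-evidence point above (item 2) comes down to two mechanical guarantees: every acquired artifact is fingerprinted at the moment of collection, and every custody event is recorded in a log that cannot be quietly edited afterwards. The following Python, an added example that is not part of the interview or of any Cado Security product, shows the minimal version of both: a SHA-256 digest per evidence item plus a hash-chained custody ledger, with verification routines that flag a tampered artifact or a rewritten ledger entry. The evidence IDs, actor names, timestamps and byte contents are constructed placeholders.

```python
"""Evidence manifest with a hash-chained custody ledger (added example).

Assumptions (not from the interview): evidence is already in memory as
bytes, actors are identified by simple names, and timestamps are supplied
by the caller so the ledger is reproducible.
"""
import hashlib
import json
from dataclasses import dataclass, field
from typing import Dict, List, Optional

GENESIS = "0" * 64  # prev_hash of the first ledger entry


def sha256_hex(data: bytes) -> str:
    """Fingerprint of an evidence item or a serialized ledger entry."""
    return hashlib.sha256(data).hexdigest()


def _canonical(entry: dict) -> bytes:
    """Deterministic serialization so the same entry always hashes the same."""
    return json.dumps(entry, sort_keys=True, separators=(",", ":")).encode()


@dataclass
class CustodyLedger:
    """Append-only list of custody events; each entry commits to the previous."""
    entries: List[dict] = field(default_factory=list)

    def append(self, action: str, actor: str, evidence_id: str,
               digest: str, ts: str) -> dict:
        prev = self.entries[-1]["entry_hash"] if self.entries else GENESIS
        entry = {
            "seq": len(self.entries), "ts": ts, "action": action,
            "actor": actor, "evidence_id": evidence_id, "digest": digest,
            "prev_hash": prev,
        }
        entry["entry_hash"] = sha256_hex(_canonical(entry))
        self.entries.append(entry)
        return entry

    def verify(self) -> bool:
        """True only if every entry's hash and back-link are intact."""
        prev = GENESIS
        for i, e in enumerate(self.entries):
            if e["seq"] != i or e["prev_hash"] != prev:
                return False
            body = {k: v for k, v in e.items() if k != "entry_hash"}
            if sha256_hex(_canonical(body)) != e["entry_hash"]:
                return False
            prev = e["entry_hash"]
        return True


def acquire(ledger: CustodyLedger, store: Dict[str, bytes], evidence_id: str,
            data: bytes, actor: str, ts: str) -> str:
    """Record an acquisition: digest computed before the bytes are stored."""
    digest = sha256_hex(data)
    store[evidence_id] = bytes(data)
    ledger.append("acquire", actor, evidence_id, digest, ts)
    return digest


def verify_evidence(ledger: CustodyLedger, store: Dict[str, bytes]) -> Dict[str, bool]:
    """Compare each stored item with the digest recorded at acquisition."""
    acquired = {e["evidence_id"]: e["digest"]
                for e in ledger.entries if e["action"] == "acquire"}
    return {eid: eid in store and sha256_hex(store[eid]) == d
            for eid, d in acquired.items()}


def demo() -> Dict[str, object]:
    """Acquire two constructed artifacts, then show both tamper checks firing."""
    ledger, store = CustodyLedger(), {}
    acquire(ledger, store, "vol-example-001", b"constructed disk image bytes",
            "analyst-a", "2024-01-01T00:00:00+00:00")
    acquire(ledger, store, "cloudtrail-example.json", b'{"eventName":"constructed"}',
            "analyst-a", "2024-01-01T00:05:00+00:00")
    ledger.append("transfer", "analyst-a", "vol-example-001",
                  ledger.entries[0]["digest"], "2024-01-01T01:00:00+00:00")
    clean = ledger.verify() and all(verify_evidence(ledger, store).values())

    store["vol-example-001"] = b"altered after acquisition"   # artifact tampered
    artifact_ok = verify_evidence(ledger, store)["vol-example-001"]

    ledger.entries[2]["actor"] = "someone-else"                # ledger rewritten
    ledger_ok = ledger.verify()
    return {"clean": clean, "artifact_ok": artifact_ok, "ledger_ok": ledger_ok}


if __name__ == "__main__":
    print(demo())  # {'clean': True, 'artifact_ok': False, 'ledger_ok': False}
```

The ledger only proves that nothing changed since an entry was written; it does not prove the entry was written by who it says. In practice the entry hashes are anchored somewhere the analyst cannot edit (a write-once object store, a signed timestamp, a separate account), which is exactly the "without human intervention" property the answer above asks a platform to provide.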

BN: How important is it that these platforms are easy to use?

JC: It’s incredibly important. Security teams shouldn’t need extensive knowledge of cloud or incident response to perform forensic investigations of cloud resources. They already have enough on their plate.

We need to see a fundamental shift in solutions. In my experience as an incident responder, traditional forensics tools and approaches have made investigation and response overly tedious and complex. This is why modern forensics platforms must prioritize ease of use and leverage automation to dramatically simplify the end-to-end incident response process.

BN: What features can help improve the user experience?

JC: I can think of several. First and foremost, analysts should be able to get the detailed context they need at the click of a button. This is where data enrichment and usability features like incident dashboards, a unified timeline view, saved searches, and faceted search can be extremely useful to improve platform navigation and help quickly uncover key insights.

In addition, additional features can also be integrated to improve functionality and user experience.

For example, cross-cloud support can ensure that these platforms continue to function effectively even when an incident affects multiple cloud service providers. These additions can not only help advanced analysts work more efficiently, but also help novice analysts conduct more complex investigations.

BN: Why is it important to be proactive in responding to incidents?

JC: Realizing during a crisis that you don’t have access to critical data that is essential to understanding an incident is a professional nightmare. Without that data, a quick response becomes a losing battle. It’s like getting lost in a maze without a map.

That’s why it’s important that you stay up to date with the evolution of new cloud threats to ensure that you don’t end up in such a tricky situation.

The ability to continuously evaluate your incident response program allows you to quickly identify and close gaps that could prevent your organization from effectively responding to potential threats.

Effective cloud forensics and incident response solutions enable security teams to act proactively and identify their weaknesses before they are faced with an incident.

Therefore, when evaluating or comparing platforms, it is critical to look for vendors that can perform readiness audits and demonstrate readiness trends over time. They should also be able to identify issues that may hinder investigations, highlight appropriate configurations, ensure proper logging and data decryption capabilities are in place, and verify that permissions are in line with best practices.

BN: What would be your final advice to companies considering cloud forensics tools?

JC: If you’re not sure, don’t settle. Cut through the marketing and sales hype. Today, it’s more important than ever for organizations to use true cloud forensics instead of “fauxrensics” solutions. If such a product doesn’t meet all of these critical criteria – whether it’s leveraging deep data well beyond log analysis or offering features that dramatically improve the analyst experience – then there’s probably a better alternative.

Photo credit: Momius/depositphotos.com