Because yes, you can automate incident response in the cloud, as Jeroen Vandeleur, Service Line Manager for cyber architecture and cloud security at NVISO, proves in his presentation. That is, provided you enable the available means in the cloud to log and centralize the necessary information, “this is part of the shared responsibility regarding security in the cloud!” Otherwise, you will have no idea about the means, the motive and the opportunity of the cyber criminal. “It would be like a murder case, without a body.”
Common mistakes concern traffic filtering and logging, enabling default logging, the retention period of log data, access management, host configuration and identification of the resource owner – “6 challenges when doing incident response in the cloud.” Both MS Azure and Amazon AWS provide basic and advanced security features, “so make use of what is available,” with Jeroen Vandeleur providing a concise comparison of both offerings.
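To make the six challenges concrete, here is an added posture check (example code, not NVISO's or the speaker's) that walks a provider-neutral description of a cloud account and reports, per challenge, what would leave a responder without evidence. The `Account` fields, the 365-day retention threshold and the two sample accounts are assumptions constructed for illustration; in practice the values would be pulled from the provider's configuration APIs.

```python
"""Posture check for the six cloud IR challenges named in the talk.

Added example, not the speaker's or NVISO's code. The Account model and
the thresholds are constructed assumptions; map them onto whatever your
provider exposes (CloudTrail/Activity Log, flow logs, IAM policies, tags).
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional

MIN_RETENTION_DAYS = 365          # assumed policy value, not from the talk
CHALLENGES = ("traffic_filtering", "default_logging", "retention",
              "access_management", "host_configuration", "resource_owner")


@dataclass
class Account:
    audit_logging_enabled: bool                 # control-plane audit trail
    flow_logging_enabled: bool                  # VPC / NSG flow logs
    log_retention_days: int
    central_log_destination: Optional[str]      # None = logs stay per account
    inbound_rules: List[dict] = field(default_factory=list)   # {"port": int, "source": cidr}
    mfa_enforced_for_admins: bool = False
    hosts_with_agent: int = 0                   # hosts shipping logs / running EDR
    hosts_total: int = 0
    resources: List[dict] = field(default_factory=list)       # {"id": str, "tags": {...}}


def assess(account: Account) -> Dict[str, List[str]]:
    """Return one list of findings per challenge; an empty list means it passes."""
    findings: Dict[str, List[str]] = {c: [] for c in CHALLENGES}

    # 1. traffic filtering / logging: world-open non-web ports and missing flow logs
    for rule in account.inbound_rules:
        if rule.get("source") == "0.0.0.0/0" and rule.get("port") not in (80, 443):
            findings["traffic_filtering"].append(f"port {rule['port']} open to the internet")
    if not account.flow_logging_enabled:
        findings["traffic_filtering"].append("network flow logging disabled")

    # 2. default logging: audit trail on, and centralised so an attacker cannot erase it
    if not account.audit_logging_enabled:
        findings["default_logging"].append("control-plane audit logging disabled")
    if account.central_log_destination is None:
        findings["default_logging"].append("logs not forwarded to a central destination")

    # 3. retention: evidence must still exist when the incident is discovered
    if account.log_retention_days < MIN_RETENTION_DAYS:
        findings["retention"].append(
            f"retention {account.log_retention_days}d below {MIN_RETENTION_DAYS}d")

    # 4. access management
    if not account.mfa_enforced_for_admins:
        findings["access_management"].append("MFA not enforced for administrative roles")

    # 5. host configuration: every host must be visible to the SOC
    missing = account.hosts_total - account.hosts_with_agent
    if missing > 0:
        findings["host_configuration"].append(f"{missing} host(s) without logging/EDR agent")

    # 6. resource owner: nobody to call at 3 a.m. if the tag is missing
    for res in account.resources:
        if not res.get("tags", {}).get("owner"):
            findings["resource_owner"].append(f"{res['id']} has no owner tag")
    return findings


def failed_challenges(account: Account) -> List[str]:
    return [c for c, items in assess(account).items() if items]


# Constructed sample accounts: one that fails every challenge, one that passes.
WEAK_ACCOUNT = Account(
    audit_logging_enabled=False, flow_logging_enabled=True, log_retention_days=30,
    central_log_destination=None, inbound_rules=[{"port": 22, "source": "0.0.0.0/0"}],
    mfa_enforced_for_admins=False, hosts_with_agent=8, hosts_total=10,
    resources=[{"id": "vm-01", "tags": {}}, {"id": "vm-02", "tags": {"owner": "team-a"}}])

HARDENED_ACCOUNT = Account(
    audit_logging_enabled=True, flow_logging_enabled=True, log_retention_days=400,
    central_log_destination="central-siem", inbound_rules=[{"port": 443, "source": "0.0.0.0/0"}],
    mfa_enforced_for_admins=True, hosts_with_agent=10, hosts_total=10,
    resources=[{"id": "vm-01", "tags": {"owner": "team-a"}}])

if __name__ == "__main__":
    for name, acct in (("weak", WEAK_ACCOUNT), ("hardened", HARDENED_ACCOUNT)):
        print(name, "->", failed_challenges(acct) or "all six challenges pass")
```

The check deliberately separates "logging enabled" from "logging centralised": per-account logs that an intruder with account access can delete do not satisfy the shared-responsibility point made in the talk.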
The ultimate proof of the pudding is showing how to actually automate incident response handling in a SOC. NVISO has an agile and flexible approach, based on the military ‘observe, orient, decide, act’ principle (OODA). Jeroen Vandeleur provided an example of how to script response rules, based on an internal incident case, finishing with an extensive demo (with a reference to where the script code can be found).
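The demo script itself is not reproduced in this recap, so the following is an added illustration (not the webinar's code) of what scripting response rules along the OODA loop looks like: observe normalises raw audit events, orient enriches them with context and a severity, decide picks a playbook action, and act executes it. The event shapes, the corporate network range, the asset owner table and the playbook rules are all constructed assumptions; the act step is a dry run that records actions instead of calling a provider API.

```python
"""OODA-style response automation over cloud audit events.

Added example, not the script shown in the webinar. Events, context and
playbook are constructed for illustration. A real deployment would read
events from the central log store and call the provider API in act().
"""
import ipaddress
from dataclasses import dataclass
from typing import Dict, Iterable, Iterator, List

# Constructed context for the orient step (TEST-NET-3 documentation range).
CORP_NETWORKS = [ipaddress.ip_network("203.0.113.0/24")]
ASSET_OWNERS = {"sg-app-prod": "payments-team", "sg-sandbox": "qa-team"}
PROD_ASSETS = {"sg-app-prod"}
# Assumed event types; the Azure name mirrors the resource-provider operation format.
WORLD_OPEN_EVENTS = ("AuthorizeSecurityGroupIngress",
                     "Microsoft.Network/networkSecurityGroups/securityRules/write")


@dataclass
class Incident:
    event: dict
    severity: str
    context: dict


@dataclass
class Action:
    kind: str        # "notify", "ticket", "revert_rule" or "disable_key"
    target: str
    reason: str


def observe(raw_events: Iterable[dict]) -> Iterator[dict]:
    """OBSERVE: map AWS-shaped and Azure-shaped records onto one schema."""
    for e in raw_events:
        yield {
            "type": e.get("eventName") or e.get("operationName"),
            "actor": e.get("userIdentity", {}).get("userName") or e.get("caller"),
            "ip": e.get("sourceIPAddress") or e.get("callerIpAddress"),
            "target": e.get("target"),
            "params": e.get("requestParameters", {}),
        }


def orient(event: dict) -> Incident:
    """ORIENT: add what the SOC knows (source network, owner, criticality) and rate it."""
    ip = ipaddress.ip_address(event["ip"])
    ctx = {
        "internal_source": any(ip in net for net in CORP_NETWORKS),
        "owner": ASSET_OWNERS.get(event["target"], "unknown"),
        "production": event["target"] in PROD_ASSETS,
    }
    opens_world = event["params"].get("cidr") == "0.0.0.0/0"
    if event["type"] in WORLD_OPEN_EVENTS and opens_world:
        severity = "high" if ctx["production"] else "medium"
    elif event["type"] == "CreateAccessKey" and not ctx["internal_source"]:
        severity = "high"
    else:
        severity = "low"
    return Incident(event, severity, ctx)


# DECIDE: ordered playbook, first matching rule wins (constructed rules).
PLAYBOOK = [
    (lambda i: i.severity == "high" and i.event["type"] == "CreateAccessKey",
     lambda i: Action("disable_key", i.event["actor"], "key created from outside corp network")),
    (lambda i: i.severity == "high" and i.context["production"],
     lambda i: Action("revert_rule", i.event["target"], "world-open rule on production asset")),
    (lambda i: i.severity == "medium",
     lambda i: Action("ticket", i.context["owner"], "world-open rule on non-production asset")),
]


def decide(incident: Incident) -> Action:
    for matches, build in PLAYBOOK:
        if matches(incident):
            return build(incident)
    return Action("notify", incident.context["owner"], "low severity, informational")


def act(action: Action, executed: List[Action]) -> Action:
    """ACT: dry-run executor; swap in provider API calls here."""
    executed.append(action)
    return action


def run_ooda(raw_events: Iterable[dict]) -> List[Action]:
    executed: List[Action] = []
    for ev in observe(raw_events):
        act(decide(orient(ev)), executed)
    return executed


# Constructed sample events: AWS-shaped, Azure-shaped, an external key creation, a benign read.
SAMPLE_EVENTS = [
    {"eventName": "AuthorizeSecurityGroupIngress", "userIdentity": {"userName": "alice"},
     "sourceIPAddress": "203.0.113.10", "target": "sg-app-prod",
     "requestParameters": {"cidr": "0.0.0.0/0", "port": 22}},
    {"operationName": WORLD_OPEN_EVENTS[1], "caller": "bob", "callerIpAddress": "203.0.113.11",
     "target": "sg-sandbox", "requestParameters": {"cidr": "0.0.0.0/0", "port": 3389}},
    {"eventName": "CreateAccessKey", "userIdentity": {"userName": "carol"},
     "sourceIPAddress": "198.51.100.7", "target": "iam-user-carol", "requestParameters": {}},
    {"eventName": "DescribeInstances", "userIdentity": {"userName": "alice"},
     "sourceIPAddress": "203.0.113.10", "target": "sg-app-prod", "requestParameters": {}},
]

if __name__ == "__main__":
    for action in run_ooda(SAMPLE_EVENTS):
        print(f"{action.kind:12} {action.target:16} {action.reason}")
```

Keeping the four steps as separate functions is what makes the rules testable: the orient and decide stages can be replayed against historical events from the central log store before any action is wired to a live API.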
This webinar was the final session in the Cloud Security experience-sharing event, with grateful appreciation expressed to Jeroen Vandeleur as the driving force behind this event.