Incident Response Is Changing
The enterprise security market has seen fast incorporation of more and more cloud, Internet of Things (IoT), and mobile devices into enterprise security environments, which traditionally abound with servers, workstations, and networking and security devices. In this context, enterprises are faced with decentralized services and products from a variety of service providers and device vendors. As a result, security issues cannot be contained in a controllable scope as they used to, and more weak points are exposing enterprises to an array of potential threats. This is especially true of hybrid environments.
So what is hybrid? In the context of cybersecurity, hybrid is defined as a mix of on-premises and cloud resources, that is, devices in an enterprise’s IT environment plus a cloud environment, which work collaboratively to meet business needs.
Following are examples of incident response (IR) policy changes made to adapt to hybrid environments:
- Traditional IT environments change slowly and are therefore relatively stable. In hybrid environments, traditional devices also show their presence in clouds, which change at a faster pace. Therefore, IR in such an environment should also be faster.
- In a traditional environment, logs are sent from security information and event management (SIEM) software to the security operations center (SOC) before IR is performed. A hybrid environment will involve more external logs, whose reliability and availability are hard to ensure.
- Traditional environments have operational technology (OT) behind firewalls. Hybrid environments, however, are characterized by a blurred divide between OT and IT, which interconnect and interact with each other in a variety of ways.
- Technical support teams of hybrid environments should work in a way more akin to cloud product development teams.
While the hybrid model is more efficient, it brings more security risks to IR. What’s worse, experience in handling IR in pure IT environments cannot be directly reused in hybrid environments. It is a sad fact that efficiency and security cannot coexist. Enterprises have to find a balance between the two according to actual conditions. New risks accompanying hybrid environments include the following:
- A user needs to deal with more device vendors.
- Increasing OT connections expose organizations to more risks of attack.
- There are an increasing number of professional systems in OT environments, but related experts are lacking in number.
- A cloud environment changes at a fast pace, and so do the platform and services. This makes it rather difficult for users to keep themselves updated about the latest status of various systems and services.
- No unified cloud service maintenance model or tool is currently available.
What Challenges Do Hybrid Environments Bring to IR?
When clouds are involved, traditional security devices need to be adapted to specific cloud environments. Thus, security capabilities should shift from heavy reliance on hardware platforms to a close connection to clouds. This means that technical support teams responsible for IR should work more closely with development teams, which is a real challenge for both.
At the same time, hacker groups are becoming more interested in cloud-related vulnerabilities. Therefore, cloud environments with improper protection are more vulnerable to security threats.
Threats in the cloud include:
- API abuse
- Availability attacks like DDoS
- Poor identity control
- Use of poor or default policies and configurations
- Exposure of assets
As for API abuse, API developers often prioritize efficiency and functionality, giving little regard to security. An API developer seldom considers what will happen when the same API is repeatedly called for malicious purposes, which usually amounts to an API DoS attack, and so adds no related protection. More often than not, APIs do not require order numbers to be unique when called and do not authenticate the calling application, making it possible to exfiltrate data.
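The three gaps described above (no authentication of the calling application, no throttling of repeated calls, no uniqueness check on order numbers) can be modelled in a few dozen lines. The following is an added example, not code from the original post or from NSFOCUS: a framework-free stand-in for an order API with the weak handler next to a hardened one. The credential store, the `X-Client-Id` / `X-Api-Key` headers, the `OrderService` class and all sample values are hypothetical and constructed for the example.

```python
# Added example (not from the original post): a minimal model of an "order" API
# showing the weak design beside the checks that close it. All names and sample
# values (API_KEYS, OrderService, the X-Client-Id / X-Api-Key headers) are hypothetical.
import hmac
from collections import deque

# Constructed sample credential store: client id -> shared secret (placeholder values).
API_KEYS = {"app-alpha": "placeholder-secret-alpha"}


class SlidingWindowLimiter:
    """Allow at most `limit` calls per `window` seconds for each client."""

    def __init__(self, limit, window):
        self.limit = limit
        self.window = window
        self.calls = {}  # client id -> deque of call timestamps

    def allow(self, client, now):
        q = self.calls.setdefault(client, deque())
        # Drop timestamps that have fallen out of the window.
        while q and now - q[0] >= self.window:
            q.popleft()
        if len(q) >= self.limit:
            return False
        q.append(now)
        return True


class OrderService:
    def __init__(self, limit=5, window=60.0):
        self.limiter = SlidingWindowLimiter(limit, window)
        self.orders = {}  # order number -> order record(s)

    def handle_unprotected(self, request):
        """The weak design: every call is accepted, so repeated calls with the same
        order number are all processed and any caller at all can submit orders."""
        order_no = request["body"]["order_no"]
        self.orders.setdefault(order_no, []).append(request["body"])
        return 200, {"processed": len(self.orders[order_no])}

    def handle(self, request, now):
        """Hardened handler: authenticate the calling application, throttle repeated
        calls per client, and reject a second use of the same order number."""
        headers = request["headers"]
        client = headers.get("X-Client-Id", "")
        presented = headers.get("X-Api-Key", "")
        expected = API_KEYS.get(client)
        # Constant-time comparison of the presented key against the stored secret.
        if expected is None or not hmac.compare_digest(expected, presented):
            return 401, {"error": "unauthenticated"}
        if not self.limiter.allow(client, now):
            return 429, {"error": "rate limited"}
        order_no = request["body"]["order_no"]
        if order_no in self.orders:
            return 409, {"error": "duplicate order number"}
        self.orders[order_no] = dict(request["body"], client=client)
        return 201, {"order_no": order_no}


def make_request(order_no, client=None, key=None):
    """Build a constructed request; omit client/key to model an unauthenticated caller."""
    headers = {}
    if client is not None:
        headers["X-Client-Id"] = client
    if key is not None:
        headers["X-Api-Key"] = key
    return {"headers": headers, "body": {"order_no": order_no, "amount": 10}}


def demo():
    """Replay the same constructed traffic against both handlers; return the status codes."""
    good = ("app-alpha", "placeholder-secret-alpha")
    weak = OrderService()
    weak_codes = [weak.handle_unprotected(make_request("A-1"))[0] for _ in range(10)]

    hardened = OrderService(limit=5, window=60.0)
    codes = []
    codes.append(hardened.handle(make_request("A-1"), now=0.0)[0])                   # no credentials
    codes.append(hardened.handle(make_request("A-1", "app-alpha", "wrong"), now=0.0)[0])
    codes.append(hardened.handle(make_request("A-1", *good), now=1.0)[0])            # first order
    codes.append(hardened.handle(make_request("A-1", *good), now=2.0)[0])            # replayed order number
    for i in range(2, 7):  # five more distinct orders inside the same minute
        codes.append(hardened.handle(make_request(f"A-{i}", *good), now=3.0 + i)[0])
    return weak_codes, codes


if __name__ == "__main__":
    print(demo())
```

Replaying ten identical requests against the weak handler yields ten `200` responses and ten processed copies of one order; against the hardened handler the same traffic produces `401` for missing or wrong credentials, `201` once, `409` for the replayed order number, and `429` once the per-client window is exhausted. In a real deployment the limiter state and the order index would live in shared storage rather than in process memory.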
IR is mainly performed manually in traditional IT environments, but manual IR is unrealistic in ever-changing cloud environments, as an alert may already be stale by the time technical support personnel begin to respond after being notified of an event. A typical example is a DoS attack on a gaming website, where a local anti-DDoS device works at full capacity and a cloud cleaning center is required to step in. If the cloud cleaning center responded tens of minutes or even hours later, gaming users would be long gone. A cloud cleaning center should be able to respond within minutes or even seconds.
How Should We Cope With the Challenges to IR?
To enhance IR efficiency while maintaining new service level agreements (SLAs) for hybrid environments, we should adopt the following key IR improvement measures:
- Access control
IR-related roles in cloud environments include the on-premises technical support team, cloud-related technical support team, operations service team, development team, and partner’s team. These teams should be given distinct access rights, with clear boundaries between different roles.
- Dynamic resources
The scalability of cloud resources can be leveraged to dynamically scale security policies and technologies. Security policies should be designed in a visualized manner, and users should decide whether to visualize or adopt particular policies.
- Timely update of TTPs (tactics, techniques and procedures)
TTPs include SOPs, SLAs, and tools. In terms of IR, people are most important because experienced personnel can change a manual process to an automatic one by reference to best practices.
- SOP and automation of DevOps integration
A full pipeline should be implemented for deployment of devices and applications in a cloud environment. Besides, tools should be constantly improved in automation and intelligence.
- Continuous improvement
As cloud users’ business keeps changing, the development of cloud services and applications should also be continuously improved.
IR capabilities represent the operational capacity and require joint support from effective hybrid solutions, extensive skillsets, standardization capability, and development capability, as well as the personnel training system, standardization system, and continuous improvement system. Only with all these in place can we cope with challenges resulting from constant changes in the security sphere and customers’ business. The key to IR is rapidity. Without it, all other capabilities would be void. As the saying goes, when the hide wears out, the fur will go, too.
In response to the increasing demand for hybrid security services in international markets, NSFOCUS proposes a hybrid “Cloud in a Box” solution that links on-premises resources to cloud resources. This solution enables fast IR: response begins only seconds after an incident is spotted, and security teams can handle and mitigate the incident within minutes.
Recently, the “Cloud in a Box” solution won the “2019 Global Excellence” award issued by Silicon Valley Communications and was listed in its Info Security Products Guide. Silicon Valley Communications is a world-renowned information security research and consulting agency. Its publication Info Security Products Guide provides authoritative guidance to end users in understanding of optional solutions and protection of their digital resources from security threats.