Please find the attached
Topic: The best practices for incident response in the cloud
Read and respond to the two students' discussions below. (5-6 lines would be sufficient.)
#1. Posted by Soundarya
As cyber threats grow in range, organizations have to discover more advanced strategies to protect their increasingly complicated technology environments, such as the cloud. Security teams are now protecting even larger attack surfaces that include more cloud services and applications, including mobile endpoints. Here are some of the risks that most organizations may face when migrating to the cloud; a few among them are stolen credentials, data loss, reduced visibility and control, and so on.
While cloud computing enables agility by empowering users to create, modify, and scale storage, network and compute resources on demand, this often occurs with limited security oversight. When cloud security governance issues do arise, incident response teams often face barriers to quick resolution, which include:
- Privileged Users: In the cloud, multiple users with elevated privileges, coupled with rapid and constant resource change, make it difficult to pinpoint the root cause of an incident. An audit trail that can be correlated with all the configuration changes is necessary to quickly pinpoint the responsible user and the action that led to an incident.
- Alert Fatigue: The rapid pace of change in cloud environments can inundate the security team with alerts. In order for security to keep pace, alerts must support auto-remediation, or integrate with existing incident response tools and DevOps workflows.
- Lack of Context: Without context, alert severity is hard to ascertain, making it tough to prioritize the appropriate response. For example, investigation of an incident involving a database that is receiving suspicious traffic should be prioritized over an incident involving a database that is associated with an open security group but not connected to the internet. Risk severity must be algorithmically quantified by assessing context.
- Dynamic Environment: The ephemeral nature of cloud resources makes it challenging to perform investigations in constantly changing public cloud computing environments. For example, how do you investigate what transpired on a particular IP address two weeks ago, when environments are being spun up and torn down daily, and IP addresses are constantly being re-assigned to various applications? A current or point-in-time snapshot of the environment is required to perform a thorough analysis.
In order to avoid security issues in the cloud, the RedLock CSI team recommended the following security practices:
- Prioritize risks: Large cloud environments can generate thousands of alerts. Ensure you have an automated way to risk-rank resources; for example, an A through F ranking based on the severity and exploitability of risks. Ranking your resources enables your teams to prioritize remediation based on the severity of business risks, violations, and anomalies.
- Assess impact: Once alerts start pouring in, alert fatigue can quickly set in if the security analysts have limited context or visibility into the cloud environments. Ensure that your tools can not only tell you what could potentially go wrong but can actually pinpoint the impact of such misconfigurations.
- Respond rapidly: Rapidly address issues by integrating alerts into your existing workflows for automated remediation and policy orchestration. These could include SIEM tools like Splunk.
- Maintain a Configuration Management Database for the public cloud: Security incident response investigations typically require historical context, which can be challenging to maintain in dynamic cloud computing environments.
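The "Lack of Context" barrier and the "Prioritize risks" practice in the post above both come down to one mechanism: scoring each alert against the context of the resource it fires on, then mapping the score onto an A through F grade. The following is an added illustration written for this response, not code from the post or from RedLock; the context fields (`internet_exposed`, `suspicious_traffic`, `data_sensitivity`), the weighting constants, and the three sample resources are all constructed for the example.

```python
"""Context-aware risk ranking of cloud alerts (constructed example).

Assumed data model (not from the post): each resource carries a few
context flags and a list of findings; each finding has a 0-10 severity
(CVSS-like) and a flag saying whether it is actually exploitable in this
deployment (e.g. an open security group on a host with no public route
is a real misconfiguration but not immediately exploitable).
"""
from dataclasses import dataclass, field
from typing import List, Tuple


@dataclass
class Finding:
    name: str
    severity: float      # 0.0 - 10.0, like a CVSS base score
    exploitable: bool    # reachable by an attacker in this deployment?


@dataclass
class Resource:
    resource_id: str
    kind: str
    internet_exposed: bool
    suspicious_traffic: bool   # anomaly seen in flow logs
    data_sensitivity: int      # 1 = public, 2 = internal, 3 = regulated (PHI, PCI)
    findings: List[Finding] = field(default_factory=list)


def risk_score(r: Resource) -> float:
    """Severity x exploitability of the worst finding, scaled by context."""
    if not r.findings:
        return 0.0
    # A non-exploitable finding still counts, but at a fraction of its severity.
    base = max(f.severity * (1.0 if f.exploitable else 0.3) for f in r.findings)
    # Context multipliers (constructed weights): exposure and observed
    # anomalies raise the score, data sensitivity scales the whole thing.
    ctx = 1.0
    if r.internet_exposed:
        ctx += 0.5
    if r.suspicious_traffic:
        ctx += 1.0
    ctx *= r.data_sensitivity / 2.0
    return min(base * ctx, 10.0)


def grade(score: float) -> str:
    """Map a 0-10 score onto A (lowest risk) through F (critical)."""
    if score >= 8.0:
        return "F"
    if score >= 6.0:
        return "D"
    if score >= 4.0:
        return "C"
    if score >= 2.0:
        return "B"
    return "A"


def triage(resources: List[Resource]) -> List[Tuple[str, str, float]]:
    """Return (resource_id, grade, score) sorted worst-first for the queue."""
    ranked = sorted(resources, key=risk_score, reverse=True)
    return [(r.resource_id, grade(risk_score(r)), round(risk_score(r), 2)) for r in ranked]


# Constructed sample inventory mirroring the post's example: two databases
# with the same open-security-group finding, only one of which is reachable
# and showing suspicious traffic, plus a low-sensitivity public cache.
SAMPLE = [
    Resource("db-internal", "rds", False, False, 3,
             [Finding("open-security-group", 7.5, False)]),
    Resource("db-prod", "rds", True, True, 3,
             [Finding("open-security-group", 7.5, True)]),
    Resource("web-cache", "ec2", True, False, 1,
             [Finding("outdated-tls-config", 6.0, True)]),
]

if __name__ == "__main__":
    for rid, g, s in triage(SAMPLE):
        print(f"{rid:12s} grade={g} score={s}")
```

The point of the example is the ordering it produces: the two databases share an identical finding, yet `db-prod` (reachable and already anomalous) lands at F while `db-internal` sits at B, so an analyst working the queue top-down spends time where the post says it belongs. In a real deployment the context flags would be populated from the cloud provider's configuration and flow-log data rather than hard-coded.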
#2. Posted by Suraj Ramesh
It is very important to get proper assistance and support from the cloud vendors when the application is in development and testing, and especially when it is up and running in production. There are cases when businesses experience that there is no proper interaction or service provided by the cloud vendors when there is a breakdown in any service. There are cases when the business knows about the issue in the patch or service but just cannot fix it because of access issues, as it does not own it. To avoid such situations, below are some important guidelines that businesses should follow in order to be safe during such crashes. One thing that the company can do is to buy the service jointly with the cloud provider.
This helps to increase the communication between the service provider and the business. It makes it clear how to assign the proper IAM roles and responsibilities among the employees. Also, this makes them function as a team. Contact information is shared between the company and the service providers. This helps the business analyse the criticality of the issue, and they know the efficiency of the service provider, so they can calculate how much time it can take to get a fix and have less impact on the business. It is also important to keep track of all the issues that have been fixed to date. Monitoring this information and maintaining the security measures helps to analyse which services and technologies should be in place to overcome such issues.
There should always be a backup plan to implement to deal with crash cases. The effort and cost required to overcome any issue should be calculated. It should be analysed what the best way is to deal with a breakdown of a service: fixing it, or switching to an alternative service or provider. Cloud vendors, to stay at the top for businesses, provide tools which can be used as resources to fix the incident. It is important to have these tools ready to use, as any breakdown or breach of banking data or PHI can cause the business to suffer a heavy penalty and loss. It is also important to have a dedicated support team to deal with such cases. Always keeping track of previous incidents can help to prepare more robust architecture strategies.
Also, the architecture and the services that are employed for the application can be different. A breakdown in that architecture can be in any technology or service. It is important to analyse this so that this information can be used as feedback for the team to let them decide what skill sets the team needs to deal with such cases. It can help you spend your budget wisely on human resources. Also, it is very important to detect the reason for the breakdown. It can be the application that is causing a breakdown in the service. Configuring a special alert system is one thing that a business should work on. Immediate alerts should be integrated into the workflows so that the team can start taking immediate action and prevent the business from major losses.