With the meteoric growth of cloud computing and its associated scale and agility, automation across all stages of the security lifecycle is central to many security teams’ approach. While “shift left” and DevSecOps approaches have spent lots of time on preventing vulnerabilities from entering the pipeline, and fixing them when they do, security teams have struggled to adequately manage cloud incidents when they do inevitably occur. The complexity of the cloud coupled with the ever-increasing volume of alerts makes it extremely difficult to strike the right balance between diving deep and tackling the next problem. That’s where automation comes in. Leveraging cloud speed and automation can empower security teams to drastically expedite the end-to-end incident response process.
This blog breaks down automated incident response in the cloud. We’ll explore what it is and offer best practices and tools for security teams looking to implement automated incident response in their organization.
Defining Automated Incident Response
Automated Incident Response refers to proactively setting up a pipeline with the goal of automatically identifying and resolving security incidents. At the core, this involves:
- Detection: Identifying potentially malicious activity in the environment.
- Alert Validation: Determining whether the alert is a false positive or a real threat.
- Incident Resolution: Resolving the incident e.g. in the case of recoverable infrastructure such as auto-scaling groups or containers, this can be as simple as terminating the impacted system.
In a security-mature organization, automating incident response will rely on a patchwork of interconnected systems, such as a SOAR (Security Orchestration, Automation and Response) an XDR (Extended Detection and Response) solution, and an incident response platform.
Traditional Incident Response Steps Provide the Necessary Building Blocks
Before applying automation, let's first consider the steps of “classic” incident response.
Identify and Contain the Incident
The first step in any incident response plan is to identify and contain the incident. This is often the most difficult part of the process, as incidents can be difficult to identify. However, there are some common signs of an incident that all organizations should be aware of. These include:
- Anomalous activity on network traffic or devices
- Sudden changes in system or application performance
- Unexplained data loss or corruption
- Security breaches or attempts
Once an incident has been identified, the next step is to contain it. This is done to prevent the incident from spreading and causing further damage while you take the time to fully investigate. Containment can be achieved through a variety of methods, such as disconnecting affected systems from the network, isolating them in a virtual environment, or physically removing them from the premises.
Investigate and Eradicate the Threat
Once the incident has been contained, the next step is to eradicate the threat. However, in order to take steps toward removing the threat, you need to fully understand its scope, impact and root cause. This is often a difficult and time-consuming process, especially in the cloud where capturing, processing and analyzing the data required for an in-depth investigation becomes more complex. However, it is critical to a successful incident response plan.
Recover From the Incident
The final step in any incident response plan is to recover from the incident. This includes restoring any data that was lost or corrupted. It is also important to put measures in place to prevent such an incident from occurring again. This includes reviewing the incident response plan and making changes as needed.
There are a variety of tools and resources available to help organizations craft and implement a robust incident response plan. Below are some of the most popular:
Evaluating Automated Incident Response Solutions
Automated incident response is the process of automatically detecting, investigating and responding to incidents. It is a growing area of security that is being implemented to help organizations drastically reduce their Mean Time to Response (MTTR) and the overall cost to the organization.
Organizations are increasingly turning to automated incident response solutions -- especially those organizations that have migrated to the cloud and wish to take advantage of cloud speed and scale to expedite the end-to-end incident response process. While it may feel familiar to apply traditional incident response solutions and methods to the cloud, this approach will not enable security teams move fast -- and attackers will always remain one step ahead. Alternatively, solutions that were built specifically for incident response in the cloud reduce the amount of manual effort that is required to adequately respond to an incident.
There are a number of automated incident response solutions on the market. Organizations should carefully consider their needs as part of their evaluation and selection process. Some things to consider include:
- Is automation applied to all phases of the incident response process: from data capture to processing and analysis?
- Does the solution seamlessly integrate into my broader security ecosystem and work well with the tools I’ve already invested in (such as my SOAR, CSPM and XDR solutions)?
- Will I be able to analyze multiple data sources in a single screen?
- Is this solution going to empower my team even if they don’t have deep cloud / incident response expertise?
- Will this solution enable our organization to apply an automated incident response process across our entire cloud environment – even container and serverless environments?
At Cado, we’ve built a tool for automating investigation and response in the cloud. You can access a free 14-day trial of the Cado platform to perform your own investigation. For more information on this topic, take a look at our playbook “Ultimate Guide to Incident Response in AWS”.
Cloud Investigations
