Closing the Gap: How Modern Forensic Platforms Enhance Cloud Security Investigations
Posted: Thursday, Jul 06


While data is migrating to the cloud at unprecedented rates, the number of cloud security incidents is growing rapidly alongside it. In its recent cloud threat report, Palo Alto’s Unit 42 concluded that threat actors have become adept at exploiting common, everyday issues in the cloud. These range from misconfigurations, weak credentials and a lack of authentication to unpatched vulnerabilities and malicious open source software packages. The report revealed, for example, that sensitive data was found in 63% of publicly exposed storage buckets.


Enterprises have also found that their legacy security tools, even those with cloud adoption roadmaps, still face major limitations. Based on a survey conducted by (ISC)², 43% of business respondents observed a higher degree of risk in the cloud, and 24% of organisations experienced a public cloud-related security incident in the past 12 months.


As a result, digital forensics and incident response (DFIR) experts face a lose-lose decision: close an incident without digging deeper than the surface-level view presented in a detection platform, or rely on outdated tools, open source platforms and spreadsheets to stitch together an investigation. Either way, hackers are slipping through the net.


Fortunately, cloud security is rapidly evolving, with modern forensics and incident response platforms that promise the three pillars of speed, visibility, and confidence. Automation is also a core component of these platforms, with the goal of greatly simplifying cloud investigations by streamlining the end-to-end process – from data capture and processing to analysis. This approach allows security analysts to concentrate on what matters most – risk mitigation.


The three pillars – speed, visibility, and confidence – in turn underpin a modern digital forensics and incident response platform that spares security teams from making risk-based decisions with limited context.


Pillar 1 – Speed: Companies migrate to the cloud for the speed, agility and automation it offers. However, cloud security has not followed suit, and manual processes abound. When a cloud incident is detected today, security teams use a patchwork of rudimentary tools to manually collect and process the additional data required for an in-depth investigation. The Unit 42 report found that, on average, security teams take 145 hours (approximately six days) to resolve a security alert, and 60% of organisations take longer than four days to resolve security issues.


With the amount of data that sits in the cloud today, organisations require the ability to automatically capture and process data at cloud speed and scale. Security teams shouldn’t have to worry about coordinating across multiple cloud teams, satisfying access requirements, or the fact that their investigation spans multiple cloud platforms, systems and regions.


Pillar 2 – Visibility: Today, when a cyber-incident occurs, security teams have little choice but to fall back on their endpoint detection and response (EDR) platform; however, EDRs were built to provide real-time visibility for detection purposes, not to perform a deep-dive investigation for incident response. While the visibility an EDR provides may be enough for an analyst to determine whether a deeper investigation is required, it is rarely enough to complete one.


The other problem is ephemeral infrastructure. These resources spin up and down continuously, making it almost impossible for security experts to investigate a breach and understand which assets and data have been compromised. If malicious activity occurs between the time one of these resources is spun up and the time it is torn down, and nothing captures its state in between, that evidence is lost forever.


Hackers are taking advantage of this because it helps them cover their tracks. Containers, for example, have become a top target amongst attackers. With this in mind, it’s critical that security teams are able to automate data acquisition in container environments as soon as malicious activity is detected, so that critical evidence is preserved for the investigation.


The increased adoption of multi-cloud only further complicates incident response. With most organisations leveraging more than one cloud platform, security teams are now tasked with understanding how to secure hundreds of different cloud services and analyse countless different data sources, on top of everything else already on their plate.


Pillar 3 – Confidence: The (ISC)² survey found that, because of the skills and expertise multi-cloud environments demand, three of the four top cloud security challenges relate to having the right talent, along with an in-depth understanding of each cloud platform. Due to the speed at which organisations have migrated data to the cloud, security teams have had no choice but to apply existing technologies, built to support on-premises investigations, to the cloud. However, these traditional approaches make it impossible to move quickly, especially without deep cloud expertise and incident response know-how. This hampers deeper investigations and is exacerbated by the sheer volume of events and incidents security experts have to deal with each day.


Automating the digital forensics journey means security analysts of all levels can conduct thorough investigations more frequently and remediate security incidents with confidence before those incidents are at risk of escalating.



Despite the benefits the cloud can offer, there is still a realistic fear that security incidents in modern cloud environments can be a financial, legal and technical minefield. Today, conducting investigations in the cloud is complex, time-consuming and frustrating. Security teams end up without the time to dig deep enough, increasing the risk that they have missed something significant. Fortunately, modern digital forensics and incident response platforms are finally ready for the challenges multi-cloud environments create.

James Campbell