CSA CCSK – Handling Security Incidents with CSP

1. CSP Incident Response and Security Notification

Hello friends. Welcome to this lecture on CSP incident response and security notification. In this lecture we'll study what is required when an incident happens in the cloud, because breaches happen on premise and in the cloud alike. So in that case, what should the reaction be? What do we need to check at the CSP end: do they have any kind of incident response plan, and how do they notify the customer? These are the questions a security professional should have in mind and the organization should brainstorm. It is pretty obvious that incidents can happen, and do happen, at the CSP end.

The latest example is the Capital One breach; we all know that breach happened. When such a scenario occurs, or a breach happens, it comes as a very awkward and unfortunate surprise if the enterprise's incident response planning is not appropriate or they don't have any knowledge of it. When our data is with the cloud, we also need to understand what kind of things we need to check at the CSP end. So here we need two approaches: we need to check incident response at the cloud provider and then at the organization end.

In this case, both things would be required: the organization's incident response plan and the CSP's incident response plan. But since in the cloud the data is hosted at the CSP end, we should have a complete and thorough understanding of their incident response plan as well. So we need to verify two things: the incident response plan, and the notification process when such a breach happens, who will notify and in what time they will notify. For the incident response plan, we need to check: does the CSP have a security incident response plan? Does it specify how to detect and respond to such incidents? Do they have a clear bifurcation of responsibilities in the plan? Can the customer review a copy? Have you got the copy? So try to get a copy.

What is their incident response plan? Can the customer discuss it with the CSP after reviewing it? Again, like we discussed in the CSA, maintaining a good relationship with the CSP and with the representative you interact with matters. If you have a good relationship, it is a good opportunity to go ahead and discuss such things freely with the CSP and have your queries resolved. Similarly, for the notification of a security incident when a breach has happened, customers need to check with the CSP which communication channel will be used to notify customers: will it be email, a phone call, or a message?

Customers should have clarity on all these things. Depending on the seriousness and the threshold of the incident, who will be liable? Will the CSP or the customer notify the law enforcement or the authorities which need to be notified? Let's say there is a breach related to EU citizens' data, which is regulated under the GDPR: then who will notify the regulatory authorities that such and such a breach has happened, the customer or the CSP? All these things should be clearly mentioned in the contract as well, like we discussed in the earlier lecture. Who will take possession of the computing equipment used to store or process data, let's say when there is a legal hold? How will possession of those things be managed in case of eDiscovery? We'll learn the concept of eDiscovery in our legal section.

So these are the two things we need to check when we look at the incident response plan and security notification of a cloud service provider: have a clear understanding of how they have defined roles and responsibilities, how the organization will be notified, who will notify the law enforcement agencies, all these things. As a customer, as an organization, we need to check these so that there is no confusion when an incident or a breach happens. So this is it, friends, in this lecture. Thank you for watching this lecture. Meet you in the next lecture.

2. Incident Response Process in the Cloud

Hello friends. Welcome to this lecture on the incident response process in the cloud. In the last lecture we studied how the CSP manages their incident response plan, whether the customer has got a copy, and how the CSP will handle notification. In this lecture we'll study the incident response process in the cloud, because we know that incidents can happen, and are happening, in the cloud, like the Capital One example we discussed.

So how do we handle such scenarios? Do we have the incident plan ready? In a traditional environment the organization owns the infrastructure and everything is under our control. But in a cloud environment we already know that it is the CSP who is handling our data. Depending on the service model, customers have access to different types of data; in some cases you may not have access to the metadata and are completely dependent on the CSP, and data is scattered across different countries. So the idea here is that we need to check whether the organization's, or the customer's, incident plan is ready. To prepare an incident plan or incident response process, we need to have a good discussion with our on-premise incident response team and then prepare a plan.

We need to understand how they have categorized the incidents and how they will handle the priority of incidents. We should have clarity and prepare roles and responsibilities, contact numbers and backup contact numbers for when such an incident happens, what communication channels will be used to declare that this incident has happened, how they have categorized the incident response process and how they have categorized events and incidents. We need to have a solid understanding of that. We also need to make sure that the CSP's roles and responsibilities are clear: what responsibilities are at the CSP end and what responsibilities need to be maintained by the organization or the customer when such an incident happens. So the division of responsibilities should also be very clear.

Maintain the contact details for all those people. And for the incident response plan, what all is required? Incident response is good when we have good logging of everything we are monitoring: we are using the different tools for monitoring, we have done application-level monitoring and OS-level monitoring depending on the service model we are using, IaaS, PaaS or SaaS, because in each model we have different permissions.

So do as much logging and monitoring as you can. In that case you can monitor what has happened, and it will be easy for you to correlate. Make sure that you are logging all the API calls. In AWS there is a service called AWS CloudTrail, which basically logs all the API calls: what is happening, if someone has changed the firewall rules, someone changed a security group or someone created a load balancer. All those API calls are logged there. In Azure also we have Azure Monitor and all those services. So make sure that the customer is well familiar with all these services and is using them, that everything is being logged, and that some kind of correlation tool or SIEM tool like Splunk is there to correlate if any such incident happens. And last but not least, we need to make sure that all this is documented and mentioned in the SLA along with the penalties.
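As an added example (not from the lecture), the kind of correlation a SIEM would do over CloudTrail records: constructed CloudTrail-style events are scanned for the network-exposure API calls the lecture names (security group changes, load balancer creation) and grouped by IAM principal and source IP. The event field names are CloudTrail's; the records, account number and list of sensitive calls are constructed assumptions for the example.

```python
import json
from collections import defaultdict

# Constructed CloudTrail-style records (not real log data); only the fields
# the example needs are present. 111122223333 is a placeholder account id.
SAMPLE_EVENTS = [
    {"eventTime": "2024-05-01T02:14:07Z", "eventSource": "ec2.amazonaws.com",
     "eventName": "AuthorizeSecurityGroupIngress", "sourceIPAddress": "198.51.100.7",
     "userIdentity": {"arn": "arn:aws:iam::111122223333:user/alice"}},
    {"eventTime": "2024-05-01T02:15:30Z", "eventSource": "elasticloadbalancing.amazonaws.com",
     "eventName": "CreateLoadBalancer", "sourceIPAddress": "198.51.100.7",
     "userIdentity": {"arn": "arn:aws:iam::111122223333:user/alice"}},
    {"eventTime": "2024-05-01T09:00:00Z", "eventSource": "s3.amazonaws.com",
     "eventName": "GetObject", "sourceIPAddress": "203.0.113.5",
     "userIdentity": {"arn": "arn:aws:iam::111122223333:user/bob"}},
]

# API calls that change network exposure and are worth alerting on
# (assumed list for the example; tune it to your environment).
SENSITIVE_CALLS = {
    "AuthorizeSecurityGroupIngress", "AuthorizeSecurityGroupEgress",
    "RevokeSecurityGroupIngress", "CreateSecurityGroup", "CreateLoadBalancer",
}

def flag_sensitive(events):
    """Return the events whose eventName is a network-exposure change."""
    return [e for e in events if e.get("eventName") in SENSITIVE_CALLS]

def correlate_by_principal(events):
    """Group flagged events by (IAM principal ARN, source IP), each group in
    eventTime order, so a burst of changes from one identity reads as one
    story rather than isolated log lines."""
    groups = defaultdict(list)
    for e in sorted(flag_sensitive(events), key=lambda e: e["eventTime"]):
        key = (e["userIdentity"]["arn"], e["sourceIPAddress"])
        groups[key].append(e["eventName"])
    return dict(groups)

def load_cloudtrail(raw_json):
    """CloudTrail log files wrap their events in {"Records": [...]}."""
    return json.loads(raw_json)["Records"]

if __name__ == "__main__":
    for (arn, ip), names in correlate_by_principal(SAMPLE_EVENTS).items():
        print(f"{arn} from {ip}: {', '.join(names)}")
```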

Because if such an incident happens and there is a failure from the cloud service provider's side, it needs to be clearly mentioned what penalties would apply and what kind of compensation there would be. This needs to be documented because, remember, if nothing is documented, it is the responsibility of the customer only. That is a very important point we need to understand, because in the cloud we need to understand the contracts, the SLAs and all those things, including the privacy level agreement. So this is it, friends, on the incident response process in the cloud. Thank you for watching this lecture. Meet you in the next lecture. Thank you.

3. Access to Logs and CSP Support

Hello, friends. Welcome to this lecture on access to logs and CSP support. In the incident handling lectures we said that we should have monitoring enabled and should understand the notification process. All this is possible only if we have access to the logs for doing the forensic investigation and the CSP supports us. So what all do we need to take care of? Let's study in this lecture what an organization or customer needs to check, at a high level, in a cloud environment. This is not a complete list.

One can brainstorm within the organization, but just to kickstart the process, one can take care of the following things or take them as an initial checklist. In a cloud environment a customer organization needs to think about how they can get time-synchronized audit logs, meaning the audit logs are timestamped against a synchronized clock.

Without the timestamp there is no point in having logs, because you will not be able to correlate when that incident happened; for the forensic investigation, and for presenting that particular evidence in a court, you need the timestamp of what event happened at what time. So that is required. The other thing is we need to check and understand how the logs are created and where they are stored, because in the cloud we have already understood that data is dispersed across a number of availability zones and regions. So that was one point we need to understand.
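Added example, not part of the lecture: why time-synchronized, timezone-aware timestamps matter for correlation. Constructed log lines from two sources (CloudTrail-style lines in UTC and an application log written with a +05:30 local offset) are normalized to UTC, lines without a usable timestamp are rejected, and events from both sources are placed on one timeline so a security-group change can be matched against nearby application events. The log lines and their formats are assumed for the example.

```python
from datetime import datetime, timezone, timedelta

# Constructed log lines (not real data). The cloud audit source writes UTC
# with a trailing "Z"; the application log writes local time at +05:30.
CLOUDTRAIL_LINES = [
    "2024-05-01T02:14:07Z ec2 AuthorizeSecurityGroupIngress sg-0abc1234",
    "2024-05-01T02:40:00Z ec2 RunInstances i-0def5678",
]
APP_LINES = [
    "2024-05-01T07:44:30+05:30 auth login_failed user=svc-backup src=198.51.100.7",
    "2024-05-01T07:45:10+05:30 auth login_ok user=svc-backup src=198.51.100.7",
    "no-timestamp auth something_happened",  # cannot be placed on a timeline
]

def to_utc(stamp):
    """Parse an ISO-8601 timestamp and return it in UTC. Unparseable or
    naive (offset-less) timestamps return None: without a known offset the
    event cannot be ordered against other sources."""
    try:
        ts = datetime.fromisoformat(stamp.replace("Z", "+00:00"))
    except ValueError:
        return None
    return None if ts.tzinfo is None else ts.astimezone(timezone.utc)

def parse_line(line, source):
    """Split 'timestamp rest' into (utc_time, source, message) or None."""
    stamp, _, rest = line.partition(" ")
    ts = to_utc(stamp)
    return None if ts is None else (ts, source, rest)

def build_timeline(*named_sources):
    """named_sources: (source_name, [lines]) pairs -> one UTC-ordered list;
    lines without a usable timestamp are dropped."""
    events = []
    for name, lines in named_sources:
        events.extend(e for e in (parse_line(l, name) for l in lines) if e)
    return sorted(events, key=lambda e: e[0])

def events_within(timeline, anchor_stamp, window_minutes=5):
    """All events, from any source, within +/- window of the anchor time."""
    anchor, window = to_utc(anchor_stamp), timedelta(minutes=window_minutes)
    return [e for e in timeline if abs(e[0] - anchor) <= window]

if __name__ == "__main__":
    tl = build_timeline(("cloudtrail", CLOUDTRAIL_LINES), ("app", APP_LINES))
    for ts, src, msg in events_within(tl, "2024-05-01T02:14:07Z"):
        print(ts.isoformat(), src, msg)
```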

The other is we need to have a clear understanding of to what extent the CSP, the cloud service provider, will support the customer or organization if such an incident happens, and to what extent they'll be able to provide the logs. In the different models, IaaS, PaaS and SaaS, the responsibilities of the CSP and the customer differ, and the customer has access to only certain data. For example, in the case of SaaS, if some incident has happened, who will provide the metadata, that is, the data about the data? In the case of PaaS there are different responsibilities. So from a customer perspective it should be very clear to what extent the cloud service provider supports you when such an unauthorized disclosure of data has happened, and what kind of model the CSP follows.

When such an incident happens, let's say during the night, and that evidence or those documents need to be seized, or we need the data as soon as possible, what is the availability of the CSP? All those things we need to take care of. And last but not least, like we discussed for incidents, all such things need to be mentioned in the SLA and contract along with the penalty.

Here also we need to clearly mention the support model, who will notify the law enforcement agencies, and what happens with the metadata. Each and everything should be mentioned in the contract, and as discussed it also needs to be clearly discussed. Brainstorm with your legal entities about the cloud deployment, how the data is stored, how the keys are managed and what the different concerns are. Only then will it help you to prepare a solid contract with the service provider. So these are the points which we need to take care of. So this is it, friends, in this lecture. Thank you for watching this lecture. Meet you in the next lecture.