Design Goals of Cloud Response - Security Pillar

Although the general processes and mechanisms of incident response, such as those defined in the NIST SP 800-61 Computer Security Incident Handling Guide, remain true, we encourage you to evaluate these specific design goals that are relevant to responding to security incidents in a cloud environment:

  • Establish response objectives: Work with your stakeholders, legal counsel, and organizational leadership to determine the goal of responding to an incident. Some common goals include containing and mitigating the issue, recovering the affected resources, preserving data for forensics, and attribution.

  • Document plans: Create plans to help you respond to, communicate during, and recover from an incident.

  • Respond using the cloud: Implement your response patterns where the event and data occur.

  • Know what you have and what you need: Preserve logs, snapshots, and other evidence by copying them to a centralized security cloud account. Use tags, metadata, and mechanisms that enforce retention policies. For example, you might choose to use the Linux dd command or a Windows equivalent to make a complete copy of the data for investigative purposes.

  • Use redeployment mechanisms: If a security anomaly can be attributed to a misconfiguration, the remediation might be as simple as removing the variance by redeploying the resources with the proper configuration. When possible, make your response mechanisms safe to execute more than once and in environments in an unknown state.

  • Automate where possible: As you see issues or incidents repeat, build mechanisms that programmatically triage and respond to common situations. Use human responses for unique, new, and sensitive incidents.

  • Choose scalable solutions: Strive to match the scalability of your organization's approach to cloud computing, and reduce the time between detection and response.

  • Learn and improve your process: When you identify gaps in your process, tools, or people, implement plans to fix them. Simulations are safe methods to find gaps and improve processes.

In AWS, there are a number of different approaches you can use when addressing incident response. The following section describes how to use these approaches:

  • Educate your security operations and incident response staff about cloud technologies and how your organization intends to use them.

  • Prepare your incident response team to detect and respond to incidents in the cloud, enable detective capabilities, and ensure appropriate access to the necessary tools and cloud services. Additionally, prepare the necessary runbooks, both manual and automated, to ensure reliable and consistent responses. Work with other teams to establish expected baseline operations, and use that knowledge to identify deviations from those normal operations.

  • Simulate both expected and unexpected security events within your cloud environment to understand the effectiveness of your preparation.

  • Iterate on the outcome of your simulation to improve the scale of your response posture, reduce time to value, and further reduce risk.
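The design goals above ask for response mechanisms that are safe to run more than once, automated handling of repeat situations, and human handling of unique or sensitive ones, with runbooks prepared in advance. The following added example (illustration only, not AWS code) shows one way to wire those three ideas together: findings are routed to an automated runbook only when a runbook exists for that finding type and the resource is not tagged sensitive; each runbook reports whether it changed anything, so re-running it on an already-remediated resource is a no-op. The finding format, finding type names, runbook names, tag values, and the in-memory resource state standing in for a cloud API are all constructed assumptions.

```python
"""Triage constructed security findings into an idempotent automated runbook
or a human queue. Added illustration, not AWS code; the finding format,
runbook names, tags and the in-memory resource state are assumptions."""
from dataclasses import dataclass, field

# Constructed stand-in for resource state a real runbook would change via an API.
STATE = {
    "sg-0abc": {"ingress": [{"port": 22, "cidr": "0.0.0.0/0"},
                            {"port": 443, "cidr": "10.0.0.0/8"}]},
    "bucket-logs": {"public": True},
}


def close_world_open_ssh(resource_id):
    """Runbook: drop port-22 rules open to 0.0.0.0/0. Reports 'changed' only
    when a rule was actually removed, so repeated runs are harmless."""
    sg = STATE[resource_id]
    before = len(sg["ingress"])
    sg["ingress"] = [r for r in sg["ingress"]
                     if not (r["port"] == 22 and r["cidr"] == "0.0.0.0/0")]
    return "changed" if len(sg["ingress"]) != before else "already-compliant"


def block_public_bucket(resource_id):
    """Runbook: turn off public access on a storage bucket, idempotently."""
    bucket = STATE[resource_id]
    if not bucket["public"]:
        return "already-compliant"
    bucket["public"] = False
    return "changed"


# Only well-understood, repeatable finding types get an automated runbook.
RUNBOOKS = {
    "OpenSSHToWorld": close_world_open_ssh,
    "PublicBucket": block_public_bucket,
}

# Resources carrying these tags always go to a human, even when a runbook exists.
SENSITIVE_TAGS = {"pci", "hr-data"}


@dataclass
class Finding:
    finding_type: str
    resource_id: str
    tags: set = field(default_factory=set)


def triage(finding):
    """Return ('auto', runbook_result) or ('human', reason)."""
    if finding.tags & SENSITIVE_TAGS:
        return ("human", "sensitive resource")
    runbook = RUNBOOKS.get(finding.finding_type)
    if runbook is None:
        return ("human", "no runbook for " + finding.finding_type)
    if finding.resource_id not in STATE:
        return ("human", "unknown resource " + finding.resource_id)
    return ("auto", runbook(finding.resource_id))


def process(findings):
    """Triage a batch and return one (finding_type, resource_id, route, detail) row per finding."""
    return [(f.finding_type, f.resource_id) + triage(f) for f in findings]


if __name__ == "__main__":
    batch = [  # constructed findings
        Finding("OpenSSHToWorld", "sg-0abc"),
        Finding("OpenSSHToWorld", "sg-0abc"),            # duplicate: should be a no-op
        Finding("PublicBucket", "bucket-logs", {"pci"}),  # sensitive: goes to a person
        Finding("CredentialExfiltration", "sg-0abc"),     # no runbook: goes to a person
    ]
    for row in process(batch):
        print(row)
```

The split between RUNBOOKS and the human queue is the policy decision the text describes; the "already-compliant" return is what makes the automation safe to trigger from a noisy detector or a replayed event.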