In advance of our upcoming webinar on “How to Prepare for and Recover from Attacks in Hybrid Enterprise Environments,” Lauren Bellero spoke with the presenters, Macie Thompson, CISSP, Director of Delta Risk’s Incident Response team, and Chris Murphy, CISSP, Director of Solution Architecture Managed Security Services. The team discussed some of the common misconceptions about security in hybrid environments, and how to prepare for the unexpected when you have a mix of on-premise and cloud solutions.
Q: I’d like to get your thoughts on preparing for and responding to threats and attacks in the cloud, versus on-premise environments. What are some of the differences and similarities you’re seeing? Does a hybrid environment require different approaches and tools?
Macie: The process is the same. The differences are where and how you’re getting your information or artifacts needed to determine the root cause of an incident, and what your options are when it comes to recovery. For example, take phishing in an Office 365 environment – if someone clicks a bad link and an email account is compromised, Microsoft is very good about notifying you of a login from an unusual IP address. That means you can catch the compromise very quickly.
If audit logging is turned on, you may even be able to see exactly what that attacker accessed or changed while logged in. If not, you could be stuck assuming all contents of the inbox were compromised. There are a lot of capabilities in the cloud that can improve response time, but you need to know what’s available and, in some cases, whether those things need to be enabled or not. If the same thing happens in an on-premise environment (email servers on-site) then that data will be pulled from different sources. Maybe you keep logs in a SIEM or maybe you haven’t been keeping detailed logs, but you should be able to find Exchange logs on the local device.
Some companies use a combination of Office 365 and on-premise services. What’s important is knowing where your data is, and where artifacts from different types of compromise can be found in your environment. In both scenarios, if an account is compromised, the password should be reset, or the account should be disabled and a new one should be created. It depends on your organization’s policy.
For larger scale incidents like ransomware, you’ll see similar differences in where you gather your log information for analysis. Also, you may have very different options for recovering from an incident. Systems in the cloud or virtual devices could take anywhere from a few minutes to an hour or two to spin up a new device from a known-good copy. If the compromise is major in an on-premise device, it may take hours to rebuild a device and restore it from backups, assuming those weren’t also wiped out.
Q: What are some common mistakes you come across with incident response planning, especially in hybrid environments?
Macie: Exposure is a problem I’ve seen in all types of environments. If you don’t know what devices or services you have exposed to the publicly-accessible Internet, you can’t secure them from attacks. Also, internal exposures can be a problem in hybrid environments. Sometimes organizations set up their web services in the cloud but unintentionally put a device on their internal network, instead of a DMZ-type of space. This can create pivot points to devices that contain privileged or confidential data.
Another problem we’ve seen is that organizations are unaware of available auditing or logging for their cloud environments. It’s important they know about those capabilities so they can be included for analysis during incident response.
Chris: When it comes to cloud, many organizations leave control for configuration and securing data in the hands of DevOps, versus on-premise networks which are almost exclusively the responsibility of your security team and IT staff. Network people don’t know what cloud people are doing. Communication is so important! Address this as part of the incident response planning – assume people are not talking. Build in processes and checklists to facilitate this. Include the people doing things in the cloud in your planning and processes. This is where a centralized security incident management platform that pulls in data from multiple sources – including logs from on-premise and cloud apps – can help expose holes and vulnerabilities, all in one view.
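The two points above, Macie's example of catching a compromised mailbox through a sign-in from an unusual IP address and then scoping it from audit logs (or assuming the whole inbox is exposed when auditing was off), and Chris's point that on-premise and cloud logs are most useful when pulled into one view, can be shown together in a small script. The following Python example is added here; it is not code from Delta Risk or the webinar. The sign-in records, audit records, the on-premise log line format, the field names and the per-user IP baseline are all constructed for the example and do not reproduce Microsoft's or any vendor's real schema.

```python
"""Normalize constructed cloud and on-prem sign-in events into one view,
flag logins from IPs a user has never used before, and scope the exposure
from audit records when auditing was enabled.

Every field name, sample record and log format here is constructed for this
example; none of it is Microsoft's or any vendor's real schema.
"""
from datetime import datetime, timezone
import re

# Constructed Office 365-style sign-in records (hypothetical field names).
CLOUD_SIGNINS = [
    {"user": "alice@example.com", "ip": "203.0.113.10",
     "time": "2019-03-04T08:02:00Z", "result": "Success"},
    {"user": "alice@example.com", "ip": "198.51.100.77",
     "time": "2019-03-04T11:40:00Z", "result": "Success"},
]

# Constructed mailbox audit records; only available if audit logging was on.
CLOUD_AUDIT = [
    {"user": "alice@example.com", "ip": "198.51.100.77",
     "time": "2019-03-04T11:41:00Z", "op": "MailItemsAccessed"},
    {"user": "alice@example.com", "ip": "198.51.100.77",
     "time": "2019-03-04T11:43:00Z", "op": "New-InboxRule"},
]

# Constructed on-prem Exchange-style text log lines (hypothetical format).
ONPREM_LINES = [
    "2019-03-04 08:05:13 OWA LOGON user=bob@example.com client=192.0.2.25 status=ok",
    "2019-03-04 13:17:02 OWA LOGON user=bob@example.com client=203.0.113.200 status=ok",
]

# Constructed baseline: IPs each user has signed in from over the last 30 days.
BASELINE = {
    "alice@example.com": {"203.0.113.10"},
    "bob@example.com": {"192.0.2.25"},
}

ONPREM_RE = re.compile(r"^(\S+ \S+) OWA LOGON user=(\S+) client=(\S+) status=(\w+)$")


def _utc(text, fmt):
    """Parse a timestamp string as UTC so events from both sources compare."""
    return datetime.strptime(text, fmt).replace(tzinfo=timezone.utc)


def normalize_cloud(rec):
    """Map a cloud sign-in record onto the shared schema."""
    return {"source": "o365", "user": rec["user"].lower(), "ip": rec["ip"],
            "time": _utc(rec["time"], "%Y-%m-%dT%H:%M:%SZ"),
            "success": rec["result"] == "Success"}


def normalize_onprem(line):
    """Parse an on-prem text log line onto the same schema; None if it does not match."""
    m = ONPREM_RE.match(line)
    if not m:
        return None
    ts, user, ip, status = m.groups()
    return {"source": "exchange-onprem", "user": user.lower(), "ip": ip,
            "time": _utc(ts, "%Y-%m-%d %H:%M:%S"), "success": status == "ok"}


def collect_events(cloud_records, onprem_lines):
    """One time-ordered list of sign-ins, regardless of where they were logged."""
    events = [normalize_cloud(r) for r in cloud_records]
    events += [e for e in map(normalize_onprem, onprem_lines) if e]
    return sorted(events, key=lambda e: e["time"])


def flag_unusual_logins(events, baseline):
    """Successful sign-ins from an IP the user has no recent history with."""
    return [e for e in events
            if e["success"] and e["ip"] not in baseline.get(e["user"], set())]


def scope_compromise(flagged, audit_records, audit_enabled):
    """Per flagged sign-in: the audited mailbox operations from that IP after the
    login. Without audit logging the whole mailbox has to be assumed exposed;
    for on-prem sign-ins the server-side Exchange logs are the source instead."""
    scope = {}
    for e in flagged:
        key = (e["user"], e["ip"])
        if e["source"] != "o365":
            scope[key] = "review Exchange logs on the on-prem server"
        elif not audit_enabled:
            scope[key] = "assume entire mailbox exposed"
        else:
            scope[key] = [a["op"] for a in audit_records
                          if a["user"].lower() == e["user"] and a["ip"] == e["ip"]
                          and _utc(a["time"], "%Y-%m-%dT%H:%M:%SZ") >= e["time"]]
    return scope


if __name__ == "__main__":
    flagged = flag_unusual_logins(collect_events(CLOUD_SIGNINS, ONPREM_LINES), BASELINE)
    for key, result in scope_compromise(flagged, CLOUD_AUDIT, audit_enabled=True).items():
        print(key, "->", result)
```

The baseline dictionary stands in for whatever history your SIEM or the cloud provider's own anomaly detection keeps; the point of the example is that once both log sources are normalized, the same flagging and scoping logic applies to a cloud mailbox and an on-premise one, and the only thing that changes is where the artifacts come from.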
Q: Any final thoughts on what the future holds for organizations dealing with security in hybrid environments?
Chris: It’s not getting any easier. There are more things to worry about, more data and more compliance challenges. This makes the case for tools and capabilities beyond what you get with native applications and platforms. Those have some security capabilities, but they weren’t built with security in mind. They also don’t play well with other platforms when it comes to seeing alerts and prioritizing them.
Incident response planning and testing are important to a strong and proactive security posture, and today’s hybrid environments present new challenges. In addition to answering the question, “Am I prepared for an attack?”, organizations need to consider their cloud applications and infrastructure. Organizations that don’t want to be caught off-guard should carefully review their incident response plans and processes to be sure that they include this.
For more on this topic, register now for “How to Prepare for and Recover from Attacks in Hybrid Enterprise Environments.”