HKCERT on challenges and responses in cloud incident handling

Benard Kan, senior consultant, Hong Kong Computer Emergency Response Team Coordination Centre

Last month the Hong Kong Computer Emergency Response Team Coordination Centre (HKCERT) received about 33 reports of WannaCry attacks and 500 enquiries about the ransomware.

Security incident handling is an integral part of security management and has become ever more important over the past few years, said Benard Kan, senior consultant at HKCERT.

At last month's Cloud Expo Asia 2017 in Hong Kong, Kan discussed the challenges of, and responses to, handling cloud incidents across the phases of the incident-handling process: preparation, detection, analysis, containment, eradication and recovery, as well as post-incident activities.

Hand in hand with cloud incident handling, organizations should also pay attention to how control and responsibilities are typically apportioned between a cloud customer and its cloud service provider (CSP). In terms of the basic cloud stack of infrastructure-as-a-service, platform-as-a-service and software-as-a-service, the customer's control and responsibilities are greatest at the IaaS layer and shrink as one moves up the stack to SaaS, while the CSP's grow correspondingly. In an incident this matters directly: what the customer can observe, preserve and contain on its own depends on which layer it controls, and everything else has to come from the CSP.

Cloud characteristics: angels and devils

Cloud computing is often prized for the many kinds of flexibility it offers. Kan noted, however, that these same cloud characteristics can work against incident handling.

For example, the on-demand, self-service nature of the cloud delivery model can make incident handling difficult if the resources and capabilities that handlers need are not provided for in the service level agreement (SLA) or exposed through the management interface.

Concerning resource pooling, Kan suggested that incident-handling methods and tools must be able to deal with the core technologies that enable pooling, such as virtualization.

Finally, the dynamics of elasticity may complicate incident analysis, though elasticity can also serve as a means to contain attacks, Kan noted.

"To adapt incident handling to cloud computing environments, cloud customers must clarify their requirements, while CSPs must strive to support these requirements and mirror them in the SLAs," Kan said.

Detecting cloud incidents

Detection is the discovery of the indicators of possible security incidents.

Timely detection of security incidents depends on systematic event monitoring: feeding in all the relevant existing event sources (e.g., OS and application log files) and adding security-specific event sources where necessary. In a cloud deployment this typically means collecting from both the customer-controlled layers and whatever the CSP exposes, because an incident that spans layers may only become visible once the sources are viewed together.
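To make the point about combining event sources concrete, here is an added example that is not part of the article or of HKCERT's material. It normalizes two constructed log extracts, an OS authentication log (sshd) and an application login log, into one event stream and runs a single detection rule over the merged timeline: several failed logins from one source address followed, within a short window, by a successful login from the same address. In the constructed data the failures sit mostly in the application log and the eventual success is an SSH login in the OS log, so neither source on its own trips the rule. The log formats, hostnames, usernames and IP addresses are all invented for the example; the thresholds are assumptions, not recommendations.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample data (not real logs). Timestamps are ISO-8601 for simplicity.
OS_AUTH_LOG = """\
2017-06-12T10:00:01 host1 sshd[2110]: Failed password for invalid user admin from 203.0.113.7 port 51001 ssh2
2017-06-12T10:04:30 host1 sshd[2150]: Accepted password for deploy from 203.0.113.7 port 51044 ssh2
2017-06-12T10:05:00 host1 sshd[2151]: Accepted publickey for ops from 198.51.100.20 port 40122 ssh2
"""

APP_LOG = """\
2017-06-12T10:01:10 app login_failed user=deploy src=203.0.113.7
2017-06-12T10:01:12 app login_failed user=deploy src=203.0.113.7
2017-06-12T10:01:15 app login_failed user=deploy src=203.0.113.7
2017-06-12T10:02:00 app login_failed user=ops src=198.51.100.20
2017-06-12T10:02:40 app login_ok user=bob src=192.0.2.9
"""

# Parsers for the two (assumed) line formats above.
SSHD_RE = re.compile(
    r"^(?P<ts>\S+) \S+ sshd\[\d+\]: (?P<result>Failed|Accepted) \S+ for "
    r"(?:invalid user )?(?P<user>\S+) from (?P<src>\S+)"
)
APP_RE = re.compile(
    r"^(?P<ts>\S+) app (?P<result>login_failed|login_ok) user=(?P<user>\S+) src=(?P<src>\S+)"
)


def _event(ts, source, user, src, outcome):
    # Common event record shared by all sources, so rules need not know the origin.
    return {"ts": datetime.fromisoformat(ts), "source": source,
            "user": user, "src": src, "outcome": outcome}


def parse_os_auth(text):
    """Normalize sshd lines into the common event record."""
    events = []
    for line in text.splitlines():
        m = SSHD_RE.match(line)
        if m:
            outcome = "success" if m["result"] == "Accepted" else "failure"
            events.append(_event(m["ts"], "os", m["user"], m["src"], outcome))
    return events


def parse_app(text):
    """Normalize application login lines into the common event record."""
    events = []
    for line in text.splitlines():
        m = APP_RE.match(line)
        if m:
            outcome = "success" if m["result"] == "login_ok" else "failure"
            events.append(_event(m["ts"], "app", m["user"], m["src"], outcome))
    return events


def detect_bruteforce_then_success(events, threshold=3, window=timedelta(minutes=5)):
    """Alert when a source address logs >= threshold failures (from any source)
    and then a success within `window`, regardless of which log the success is in."""
    failures = defaultdict(list)  # src address -> timestamps of failures seen so far
    alerts = []
    for e in sorted(events, key=lambda e: e["ts"]):
        if e["outcome"] == "failure":
            failures[e["src"]].append(e["ts"])
            continue
        recent = [t for t in failures[e["src"]] if e["ts"] - t <= window]
        if len(recent) >= threshold:
            alerts.append({"src": e["src"], "user": e["user"], "failures": len(recent),
                           "success_in": e["source"], "ts": e["ts"].isoformat()})
    return alerts


def run_combined():
    """Rule over the merged OS + application stream (the configuration the text argues for)."""
    return detect_bruteforce_then_success(parse_os_auth(OS_AUTH_LOG) + parse_app(APP_LOG))


def run_os_only():
    return detect_bruteforce_then_success(parse_os_auth(OS_AUTH_LOG))


def run_app_only():
    return detect_bruteforce_then_success(parse_app(APP_LOG))


if __name__ == "__main__":
    print("combined:", run_combined())   # one alert for 203.0.113.7
    print("os only:", run_os_only())     # []
    print("app only:", run_app_only())   # []
```

The rule deliberately counts failures from any source against one success from any source; a real deployment would add a source of truth for address normalization (proxies, NAT) and tune the window and threshold to its own traffic, but the structural lesson stands: the alert only fires once both logs are in the same timeline.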