Incident Response Comes to the Cloud: 3 Reasons to Choose an IaaS Solution
SHON W. HARRIS
Information security professionals have been hesitant to embrace a paradigm shift in Digital Forensics/Incident Response (DFIR) of moving their data breach detection and response technologies from on-premises to the cloud. But in the past year, that hesitation has subsided as emerging technology solutions have raised the bar considerably on what information security professionals can achieve by moving their DFIR workloads to the cloud.
A year ago, one in two professionals cited concerns about access to the underlying information needed for forensic examination from a cloud solution, 43% pointed to a lack of understanding as to what information from the cloud provider is required for analysis and 40% were hesitant about multi-tenancy, according to survey results presented by the SANS Institute at the 2018 RSA Conference.
That resistance from information security teams has started to fade. In particular, a growing number of middle-market U.S. companies have discovered that cloud-based DFIR platforms enable them to deploy a highly available and elastic solution that can be spun up quickly, ingest a large volume of collected data for analysis, store that data in a secure repository, and then shut down upon completion of the DFIR without making a major investment in technology infrastructure.
Indeed, the SANS 2019 Incident Response Survey released in July reported “crucial improvements” in DFIR were made by organizations over the course of the past year. These improvements have been supported by the migration of DFIR workloads to the cloud.
There are a few technology approaches to enable IR in the cloud, but the strategy that offers the ability to maximize both efficiency and performance is to adopt an Infrastructure as a Service (IaaS) solution.
There are three advantages to an IaaS solution for conducting IR in the cloud:
- Nearly unlimited data storageA data breach response and investigation can require the collection and storage of massive amounts of data from networks and endpoints. Migrating your DFIR workloads from an on-premises solution to an IaaS solution provides virtually unlimited data storage capacity on an as-needed basis, which is both faster to deploy and less expensive to obtain.
- Scalable compute powerInformation security incidents create a tremendous amount of pressure on team members to ingest, process and index a huge volume of data as quickly as possible so the breach can be isolated and analyzed. A cloud-based IaaS solution enables the IR team to increase the compute power needed to meet this demand much faster than they otherwise could with their existing internal resources.
- Accelerate incident analysisAn IaaS solution for IR allows digital investigators to use the same forensics tool in the analysis of collected data from endpoints in both the on-premises and cloud-based IT environments. This is a crucial efficiency benefit that enables teams to accelerate their IR because they can rely on a single tool for all collection, ingestion and data analysis, as opposed to switching from one product to another across both IT environments.
AccessData has been an industry leader in the migration of digital forensics investigations and incident response to cloud-based platforms. In October 2017, AccessData became the first digital forensics software product available to users in a cloud environment with the debut of AD Lab on Amazon Web Services®. Then earlier this year, we introduced a new version of AD Enterprise, our software for managing internal forensic investigations and post-breach analysis, which included first-to-market integration with cybersecurity platforms to automate the early stages of data collection.
AD Enterprise is a powerful tool for post-breach analysis, offering live data preview at the endpoint. It can be deployed in the cloud quickly and securely, which is an attractive option for many organizations that need a tool for post-breach analysis but lack the time and resources to spin up their own IR technology infrastructure when they’re in the chaos of a cyber incident. AD Enterprise can be up and running within a matter of hours.
This is not just about efficiency, it’s also a crucial risk management consideration. It takes bad actors just minutes to compromise an organization. And once they’re in, our research found that more than 30% of attackers can get data out within a matter of hours, minutes or even seconds, while 67% need days to exfiltrate your data. Timing is absolutely crucial and every hour that passes could make the difference between a successful lockdown and a major breach.
AccessData’s digital forensics IaaS offerings have been tested, approved and are ready to be deployed by customers on either the Amazon Web Services or Microsoft® Azure® cloud platforms. Our cloud-based solutions have been used to fully process and index as much as 7 TB of data in 24 hours, spin up large numbers of processing engines to ingest large data sets quickly and efficiently, and access as much data storage as needed at an affordable price. Moreover, all client data that is processed or stored with our IaaS offerings is protected behind a robust multi-factor authentication system with multiple layers of encryption and is secured by a design taking advantage of many technologies offered through the AWS and Azure ecosystems. All data is encrypted while in transit or at rest, 24/7/365.
Incident Response is moving to the cloud. An IaaS solution can provide more robust data storage, scalable computing power for ingesting and processing data, and faster incident analysis. This not only reduces up-front capital investments but also mitigates risk on the IR team during a time of great organizational stress.
Shon W. Harris has worked in Information Technology for nearly 20 years, and is the principal cloud architect for AccessData’s Cloud offerings. He lives in Utah where when not working with his head in the clouds, you will probably find him in the mountains exploring, or on the golf course slicing away.