Speakers: Anton Chuvakin, Senior Security Staff, Google Cloud Office of the CISO
Tell us about your session at Google Cloud Next '22
Anton Chuvakin: Hello this is Anton Chuvakin With a short introduction to our Next 2022 presentation focused on preparing for security and response in the cloud. Now, the main part of the presentation is focusing on five critical similarities between incident response in the cloud and on premise. And of course, five differences. When we talk about security incident response, we covered items like this: You do need to preserve data, you do need to collect data, you do need to apply certain standard investigative techniques. These things do not change between cloud and on premise, Funny enough, Marshall (Heilman) from Mandiant, my co-speaker, mentioned that one of the critical similarities between IR in the cloud and on premise is that, ,wait for it, every incident is different. Every incident is different on premise and every incident is still different in the cloud. Even though infrastructure is of course very similar. We're gonna look at log data, we're gonna look at context data, we're gonna use standard techniques. This doesn't change and frankly, Attackers are largely the same people. However, in addition to similarities, there are critical differences that are useful to highlight in this regard. For example, cloud itself is a very different realm. We're talking about things like ephemeral infrastructure, things that change, dynamic technology and practices. To me, different baselines and norms is one other highlights from the presentation because we are describing how cloud itself is different and how cloud security differs, hence it affects cloud incident response. Now you do need to look at very different context data to understand what actually happened and to back trace the attacker steps. Now, we also mentioned that in the cloud, you are very often reliant on a cloud service provider for some of the data points. You cannot do it alone. You have to solicit the collaboration from your cloud provider and occasionally from an incident response firm as well.