BruCON 0x0B has ended
Friday, October 11 • 14:00 - 15:00
Incident response in the cloud: foggy with a ray of sunshine


Over the past few years we have seen organizations move part of, or even their entire, infrastructure to the cloud. With on-premise infrastructure it used to be clear that security had to be taken care of by the organization itself. With cloud infrastructure there is considerable confusion about who takes care of which security controls. This confusion has led to several painful incident response cases where we were called in only to discover we had hardly any data to work with. In general, we observe three common problems with incident response in the cloud:

1. Lack of knowledge about the different logging options within cloud environments. What is enabled by default and what is not?
2. Increased response times due to the lack of visibility and security knowledge about the cloud environments.
3. Lack of resources available to respond to incidents: most organizations lack the people and tools needed to respond in a timely manner.

This presentation consists of three key parts highlighting incident response challenges in the cloud, but also how we can purposely use what cloud providers offer to improve our security operations.

The first section gives some key examples of what went wrong during incidents in cloud environments and lists the main challenges we face as an incident response team when investigating security incidents in depth.

The second section gives an overview of the critical logs that are required to do incident response. These logs and settings are mapped onto the two main cloud providers, Amazon AWS and Microsoft Azure. This will allow you to understand which logs are there by default and which logs should be activated for incident response and forensic investigations.

The third section introduces automated response by walking through a use case in which a system gets infected and serverless code is executed to protect other systems and enable advanced analytics on the compromised system. This example is based on Microsoft Azure Security Center and Logic Apps to enforce actions when a specific alert is triggered.

Jeroen Vandeleur

Jeroen is the security architecture team lead and incident manager at NVISO where he specializes in security architecture, cloud security, and continuous security monitoring. By using his pragmatic and analytical skills, Jeroen assists clients in solving day-to-day security issues...

Friday October 11, 2019 14:00 - 15:00 CEST
01. Westvleteren University