Updating Forensics for the Cloud

  • Posted on: March 20, 2014
  • Posted in: Cloud, Security
  • Posted by: Mark Nunnikhoven (Vice President, Cloud Research)

I’ve written about how monitoring and incident response change in hybrid and full cloud environments as part of this series on operations. This post is going to touch on the changes facing forensics in cloud environments.

Define:Forensics

Before we dive in, I wanted to highlight that there are two definitions of “forensics” in use today. The more common one means digging into an incident to determine what happened, step by step.

The technical definition (as per Google) is, “scientific tests or techniques used in connection with the detection of crime”. There are a few key words there, but at its core, it’s the same as our first definition with a whole lot more paperwork piled on.

Forensics in the law enforcement/legal sense is the same concept, but it comes with a significantly higher level of rigor around the techniques and documentation. Forensics as a discipline is not like you see it on TV crime dramas. You don’t (usually) get a lab coat, and it takes a lot longer than the 30 seconds of screen time it gets.

For this post, we’re going to address forensics in the common sense… looking into an incident to determine what happened.

Copy That

Step one in a solid forensics procedure is to make a read-only copy of the system you’re investigating. In a traditional environment, you are typically constrained by available hardware or, at the very least, storage space. In the cloud, that’s rarely an issue, so we’re already ahead of the game.

Because we need to work on a read-only copy, we can use the abundance of resources available in the cloud to make forensics a highly parallelized process.

This is a huge boon to the investigation. Combing through a TB of data block by block can be time-consuming. If you’re searching for multiple keywords and artifacts, you can simply run each of these searches in parallel on a duplicate of the original system.

Optimized forensics process in the cloud

This image is licensed BY-NC-SA; please share it! Feel free to link to it directly at http://static.markn.ca/img/blog/optimized-forensic-procedure-in-the-cloud.png.

The flexibility lets you optimize the human portion of the process. It’s a game changer that will greatly decrease the time to resolution for investigations.

Repeatability

Everything in the cloud is based around an API model. During an investigation, you can benefit from this by including the API calls and commands in your report. Now, if your work needs to be repeated (very common in law enforcement and legal contexts), the only thing required is read-only access to the original data.

This continues the trend we’ve seen in monitoring and incident response where leveraging automation and the power of the cloud has immediate security pay-offs.
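A worked example of the two ideas above, added here and not part of the original post: several keyword searches run concurrently over a read-only copy of a disk image, with the copy’s hash and the exact search parameters recorded so the run can be repeated. The image and keywords are constructed; the copy is read block by block with an overlap so an artifact that straddles a block boundary is still found.

```python
import hashlib
from concurrent.futures import ThreadPoolExecutor

BLOCK = 4096  # scan in disk-sized blocks, as you would on a raw image


def image_hash(image: bytes) -> str:
    """SHA-256 of the read-only copy; recorded so a repeat run can verify it works on identical data."""
    return hashlib.sha256(image).hexdigest()


def search_keyword(image: bytes, keyword: bytes) -> list:
    """Return every byte offset of keyword in image, scanning block by block.

    Each block is read with an overlap of len(keyword)-1 bytes, so a hit that
    straddles a block boundary is found from the block it starts in. A hit can
    never start inside the overlap (the chunk is too short to hold it there),
    so nothing is double-counted."""
    hits = []
    overlap = len(keyword) - 1
    for start in range(0, len(image), BLOCK):
        chunk = image[start:start + BLOCK + overlap]
        pos = chunk.find(keyword)
        while pos != -1:
            hits.append(start + pos)
            pos = chunk.find(keyword, pos + 1)
    return hits


def parallel_search(image: bytes, keywords: list, workers: int = 4) -> dict:
    """Run one search per keyword concurrently (one worker per duplicate, in the
    cloud version) and return a report that records the evidence hash and the
    parameters needed to repeat the search."""
    with ThreadPoolExecutor(max_workers=workers) as pool:
        found = list(pool.map(lambda k: search_keyword(image, k), keywords))
    return {
        "evidence_sha256": image_hash(image),
        "block_size": BLOCK,
        "keywords": [k.decode() for k in keywords],
        "hits": {k.decode(): h for k, h in zip(keywords, found)},
    }


# Constructed sample "image": the first artifact starts 3 bytes before the
# end of block 0 and continues into block 1; the second sits inside block 1.
SAMPLE_IMAGE = (b"\x00" * (BLOCK - 3) + b"ssh-rsa AAAA" + b"\x00" * 100
                + b"/etc/shadow" + b"\x00" * 200)

if __name__ == "__main__":
    print(parallel_search(SAMPLE_IMAGE, [b"ssh-rsa", b"/etc/shadow", b"AAAA"]))
```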

What’s Next?

Forensics is a major topic, and we’ve only seen a hint of the impact that hybrid and cloud environments will have on this area of your practice. Please add your thoughts in the comments below or on Twitter (where I’m @marknca).

As a reminder, next week (24-Mar-2014), I’ll be on the west coast at the AWS Summit in San Francisco and then on the east coast at AtlSecCon in Halifax talking about updating security operations to handle hybrid and cloud environments. If you’re attending either of these great events, be sure to stop by and say hello.

Related posts:

  1. Security Operations: The Big Picture
  2. Updating Network Security Monitoring for the Cloud
  3. Updating Security Operations For The Cloud
  4. Updating Incident Response For The Cloud
