Stackarmour

Incident Response at scale with DevSecOps

stackArmor was invited to present at the FBI Infragard Maryland Cybersecurity Conference on January 24, 2019 and talk about DevSecOps for Incident response. This blog post summarizes our presentation.

Organizations are continuing to adopt cloud services at a rapid pace due to the convenience and rapid innovation possible at scale. Market research firm Forrester states that nearly 60% of North American enterprises now rely on public cloud platforms, five times the percentage that did just five years ago.  And Gartner has projected for the worldwide public cloud services market to grow 17.3 percent in 2019 to total $206.2 billion, up from $175.8 billion in 2018. Clearly, cloud adoption is occurring at a rapid pace. So are the risks and challenges in managing these environments. Managing cloud environments at scale requires the extensive use of automation – DevSecOps is a rapidly emerging practice driven by the need for compliance driven organizations to incorporate security practices into the DevOps pipeline. First let us begin by defining what is DevSecOps.

Defining DevSecOps

DevSecOps is the practice of integrating security functions into a cloud platform based software development and operations lifecycle. DevSecOps involves creating a ‘Security as Code’ culture with maximum focus on automation to allow for scale and efficiency. As more cloud platforms are being adopted by Government and Commercial entities, Incident Response procedures and techniques must keep pace with these changes. Automation is critical!

Incident Response

There is an increasing focus on incidence response and reporting – DFARS 7012; HIPAA and many other regulatory standards require the ability to rapidly respond to incidents and report them in a timely manner. It is also important to capture all data surrounding the incident to allow for proper investigation. The snippet below provides an overview of cybersecurity incident reporting requirements for DOD contractors as part of the DFARS clause 252.204-7012.

(c)  Cyber incident reporting requirement.

            (1)  When the Contractor discovers a cyber incident that affects a covered contractor information system or the covered defense information residing therein, or that affects the contractor’s ability to perform the requirements of the contract that are designated as operationally critical support and identified in the contract, the Contractor shall—

                    (i)  Conduct a review for evidence of compromise of covered defense information, including, but not limited to, identifying compromised computers, servers, specific data, and user accounts. This review shall also include analyzing covered contractor information system(s) that were part of the cyber incident, as well as other information systems on the Contractor’s network(s), that may have been accessed as a result of the incident in order to identify compromised covered defense information, or that affect the Contractor’s ability to provide operationally critical support; and

Cloud environments are dynamic. Auto-scaling and automation of various management services causes instances to be spun up and then shut-down in minutes. The ability react quickly and capture data, analyze and react is difficult to do through traditional manual means.

Incident Response with DevSecOps

There are 4 key steps to incident handling based on the NIST SP 800-61 R2 special publication on incident management. Key steps include rapid detection and analysis as well as post-incident activity. The basic premise is to have an effective continuous monitoring and alerting system. FedRAMP accredited cloud platforms like AWS offer extensive monitoring and alerting services like GuardDuty, Config, Cloudtrail and Security Hub. As soon as an incident is detected, an automated response is triggered. Assuming an example where the IAM user credentials are compromised. This event is detected and the organization is alerted using Amazon Guardduty. The following automated incident response is triggered:

1. The event triggers a Lambda function that executes response to disable user account and lock access.

2. Take snapshots of all instances, and disks associated with the account.

3. Copy data to durable storage (s3) and set object lock so that data can’t be changed.

Clearly, in order to respond rapidly to security incidents, automation is critical. DevSecOps can help provide the automation to help meet new compliance and security requirements.

Learn more about DOD and DFARS requirements