Your incident management process is greatly impacted by the tools you have available to carry it out. Technology should be your friend when it comes to gaining visibility and obtaining contextual data. You need tools to send alerts when issues arise, as well as track activity for compliance reporting purposes.
So, how do you choose the right incident management tools for your organization’s use cases?
Understand Your Needs
First, you need to take a step back and understand what your needs look like. This means getting your arms around what the biggest threats to your organization are, how they come in, and what your options for defense are.
It may help to make a list of your most common use cases and identify areas where you already have appropriate tooling vs. areas where it’s time to invest in more or better solutions. Not sure where to start? Our Cloud Security Playbook can help you conceptualize and map out your organization’s cloud security strategy.
Build a Clear Incident Response Process
Next, you will want to map out your incident response process. Doing this can help you figure out how tools need to be connected to each other and whether you have the technology and personnel you need to adequately respond to specific security incidents. As we explained in this earlier post, the key aspects of this process that you want to focus on include:
- Alert Management: What happens when an alert comes in?
- Operations Tool Integration: How are operations tools connected to incident response processes?
- Audit Trails: Do you have full visibility into actions taken and results achieved, for both internal and external reporting?
Of course, no technology exists in a vacuum these days. You can’t just pick a piece of software and set it up alongside the rest of your stack. Tools need to fit together, and they need to add up to something greater than the sum of their parts. (For additional information on selecting and integrating appropriate technology, see A Blueprint for Selecting Security Technologies Inside the Cloud.) So when it comes to incident management and reporting, you need to look at what’s going on not just on the security side of the house, but with DevOps as well.
Development and Operations teams have their own sets of tools that they use to execute their day-to-day tasks. From an Operations perspective, these may include tools such as:
- PagerDuty for event intelligence and response orchestration
- VictorOps for on-call management and incident notifications
- Slack for chat ops and team communication
Development tools may include configuration management and infrastructure automation tools such as:
To make sure your security processes are as efficient and successful as possible, you want to make sure that any security tools you introduce are tightly integrated with tools like these that DevOps is already using. Two examples of how this should play out are discussed below.
Monitoring and Alerting
To catch security incidents early and accurately, you need to have behavior-based monitoring set up. This will allow you to:
- Identify untrusted system modifications
- Catch threats that signatures miss
- Immediately detect anomalous user, process, or file activity
This way, as soon as something goes wrong from a security perspective, teams will receive an alert. Let’s say one of your developers pushes a new update to production, and your security monitoring tool detects a known vulnerability (or CVE). With a continuous security monitoring tool like Threat Stack Cloud Security Platform®, the vulnerability would be flagged immediately, and the alert sent directly into whichever DevOps tools your team already has in place. For us, it’s PagerDuty. This way, the development team is in-the-know about the issue, and security can begin triaging and then resolving it.
Security should enable continuous deployment — and not be a roadblock. The key to achieving this is choosing incident management and reporting tools like Threat Stack that are purpose-built for teams running in the cloud and that are compatible and complementary with the tools they already use. This helps teams centralize tools and correlate data from across their cloud environment.
Of course, beyond dealing with incidents as they arise, your team likely needs to produce artifacts that can be used for event review and compliance purposes. That means your incident management tools should have reporting features built in.
Depending on your exact compliance requirements, here are some of the areas you may need to report on:
- Date, time, and severity of incidents
- Verification that appropriate controls and processes are in place at all times
- How that data is being stored and transmitted securely
- Documentation of incident management processes
Specifically from an incident management perspective, you need reporting that will allow you to review and document security incidents as they happen. With Threat Stack, all Severity 1 alerts (high severity) are automatically stored for one year and can be retrieved at any time. This way teams can:
- Ensure that internal controls and processes are met
- Receive scheduled daily reports
- Be prepared for audits
With the appropriate incident management tools aligned to your compliance needs, your company will be able to meet HIPAA, PCI DSS, SOC 2, ISO 27001, and SOX 404 regulations.
Wrapping Up . . .
When it comes to security, it can often be daunting to choose the “right” tools for your unique organization. Boiling it down to what will work well with the DevOps tools you already have can be a good way to get started. From there, you can get serious about your requirements, specifically for monitoring, alerting, and compliance — areas that no organization can ignore in today’s business climate. Always choose tools that integrate easily with your current solutions and enable you to meet business and security goals seamlessly and on time.
To learn more about best practices for cloud security, download a free copy of our recently published Cloud Security Use Cases Playbook.