Cloud Security Podcast by Google

EP103 Security Incident Response and Public Cloud - Exploring with Mandiant

24 min • 9 January 2023

Guest:  

  • Nader Zaveri, Senior Manager of IR and Remediation at Mandiant, now part of Google Cloud

Topics:

  • Could we start with a story of a cloud incident response (IR) failure and where things went wrong? 
  • What should that team have done to get it right? 
  • Are there skills that matter more in cloud incidents than they do for on-prem incidents? Are there on-prem instincts that will lead incident responders astray in cloud?
  • What 3 things does an IR team leader need to do to prepare their team for IR in the cloud?
  • Are there on-premise tools that can stay on prem and not join us in the cloud?
  • What processes should we leave behind? Keep with us?
  • What logs and context should we prepare for cloud IR? What access should we have behind “break glass”?
  • While doing IR, what things should we look at in the cloud logs (which logs, also?) to expedite the investigation?

Resources:
