Security & Identity

Cloud CISO Perspectives: How CISOs can work with cloud providers to improve incident response

September 27, 2024
Phil Venables

VP, TI Security & CISO, Google Cloud

Vinod D’Souza

Head of Manufacturing and Industry, Office of the CISO, Google Cloud

Welcome to the second Cloud CISO Perspectives for September 2024. Today, Google Cloud’s Vinod D’Souza and Chris Cornillie examine the vital role that CISOs play in working with cloud providers to improve their organization’s incident preparedness.

As with all Cloud CISO Perspectives, the contents of this newsletter are posted to the Google Cloud blog. If you’re reading this on the website and you’d like to receive the email version, you can subscribe here.

--Phil Venables, VP, TI Security & CISO, Google Cloud

How CISOs can partner with their cloud provider to boost incident preparedness

By Vinod D’Souza, Office of the CISO, and Chris Cornillie, Government Affairs and Public Policy

This summer, a massive global IT outage that impacted many vital industries, including airports and public transportation, hospitals and medical clinics, financial services, and news media, reminded us of the challenges that chief information security officers have faced for years. The risks posed by the complexity of the IT and cyber-physical systems that underpin the modern economy underline the need to make these systems more resilient.

Even for organizations that were unaffected, these events can put CISOs in the hot seat to field questions from executives and board members on measures taken to strengthen their organization’s readiness to respond and recover quickly. The industry is witnessing an unprecedented top-down focus on cyber resilience and incident preparedness. One of the key questions CISOs should be prepared to answer is about the role of cloud providers in incident management.

While it’s impossible to completely eliminate the risk that complex systems will sometimes fail, it is possible to mitigate adverse impacts to your organization with proper planning. That’s why Google Cloud adheres to a set of principles known collectively as site reliability engineering, or SRE, to design systems with failsafes and redundancies to ensure functionality in the face of cascading failures. It’s why we put rigorous emphasis on secure-by-design software and why we perform regular disaster-recovery tests at local, regional, and global scale.

Guided by our belief in shared fate, Google Cloud strives to be a trusted partner and advisor to our customers, including providing resources to build resilient applications and delivering break-glass support during an incident. While Google Cloud’s own tools and operating systems were not impacted by the faulty driver update behind this summer’s outage, our customer support and incident management teams spent days working to restore a number of customer systems whose virtual machines had been impacted.

Based on Google Cloud and Mandiant experiences supporting customers during incidents, and on our participation in countless tabletop exercises with customers and partners, there are a number of ways customers can tap into their cloud providers’ expertise and scale to limit the blast radius of incidents and get back up and running faster.

Embrace shared fate

We believe strongly in the shared fate model and in taking a more active stake in customers’ security outcomes. Cloud customers come in all shapes, sizes, and levels of expertise. That’s why we’re committed to providing resources that let customers apply SRE principles to build resilient-by-default applications, including secure configurations, deployable blueprints, architecture frameworks, policy hierarchies, and high-assurance attestations of controls.

Learners of all skill levels can tap into our online courses, certificate programs, and workshops delivered by Google Cloud experts. Defenders can take advantage of access to advanced security features, such as attack path simulation and AI-augmented security. We also offer our Risk Protection Program, which brings risk management via automation, guidance, and access to cyber insurance designed exclusively for Google Cloud customers.

Practice, practice, practice

Regular testing of disaster recovery systems and incident response playbooks is critical to identifying and addressing gaps in planning. Testing is also essential to building cohesion among cross-functional teams and building relationships with external stakeholders.

You don't want to wait for an incident to be the first time you run a given playbook or meet your industry or law enforcement counterparts. Partnering with Google Cloud and Mandiant to run tabletop exercises or crisis communications drills can help organizations enhance their strategic readiness to face real threats.

Further, participating in multi-stakeholder exercises organized by government agencies, such as the biennial Cyber Storm exercise organized by the U.S. Cybersecurity and Infrastructure Security Agency, can offer staff exposure to a wider range of public sector and industry stakeholders.

Leverage the terms of your SLA

Service level agreements, or SLAs, are a key tool customers can use to evaluate cloud providers’ performance and hold them accountable for meeting predefined service level objectives. However, our experience has been that customers’ understanding of cloud SLAs varies widely.

Security teams can’t afford to wait until an incident happens to review their SLA for the first time. It’s essential to understand what types of support the cloud provider will cover during an outage or incident, and what it won’t. That way customers can expedite requests for customer support resources or compensation.

Misaligned expectations regarding a cloud provider’s incident management responsibilities under an SLA can cost customers at a time when every second counts. Tabletop exercises are fantastic opportunities to pressure-test SLAs and identify potential gaps in advance.

Set up customer account-recovery processes and out-of-band communication channels

Organizations should take steps to prevent a scenario in which they find themselves completely locked out of their cloud accounts, whether as the result of an accident, outage, or malicious activity. Google Cloud offers best practices and guidelines to assist customers in achieving their security and compliance goals as they deploy workloads on its platform. Refer to the Google Cloud security best practices center for detailed guidance and recommendations.

Any elevated permissions should be short-lived, lest they become an attractive target for attackers. In addition, customer administrators should work with their Google Cloud account team to establish an out-of-band communication channel, such as a private Slack channel or Google Chat space, for emergency communications in the event the customer suspects a threat actor has gained network access and is monitoring official channels, such as email.
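The two controls above, short-lived elevated grants and a recovery path that cannot be locked out, can both be checked from the project IAM policy. The script below is an added example for this post, not Google Cloud tooling: it reads a policy in the JSON shape that `gcloud projects get-iam-policy PROJECT --format=json` returns, parses the time-bound IAM condition on each privileged binding, and reports standing grants, lapsed grants that were never cleaned up, and grants whose expiry is too far out, while confirming that a designated break-glass identity still holds roles/owner. The role list, the eight-hour window, the break-glass identity and the sample policy are this example’s own assumptions and constructed data, not Google recommendations.

```python
"""Audit a Google Cloud IAM policy for standing elevated grants and for a
working break-glass path.

Added example for this newsletter, not Google Cloud's own tooling. It reads a
project IAM policy in the JSON shape that
`gcloud projects get-iam-policy PROJECT --format=json` returns and reports:
  * elevated bindings with no time-bound IAM condition (standing privilege),
  * elevated bindings whose condition has already lapsed but was never removed,
  * elevated bindings whose expiry lies more than MAX_GRANT_HOURS away,
  * whether a designated break-glass identity still holds roles/owner.
PRIVILEGED_ROLES, MAX_GRANT_HOURS, BREAK_GLASS and SAMPLE_POLICY are this
example's assumptions and constructed data, not Google recommendations.
"""
import json
import re
import sys
from datetime import datetime, timedelta, timezone

PRIVILEGED_ROLES = {"roles/owner", "roles/editor", "roles/iam.securityAdmin"}
MAX_GRANT_HOURS = 8                                   # assumption
BREAK_GLASS = {"user:breakglass@example.com"}         # assumption

# IAM conditions are CEL expressions; a time-bound grant looks like
#   request.time < timestamp("2024-09-27T20:00:00Z")
_EXPIRY_RE = re.compile(r'request\.time\s*<\s*timestamp\("([^"]+)"\)')


def grant_expiry(condition):
    """Expiry encoded in a binding's IAM condition, or None if it has none."""
    if not condition:
        return None
    m = _EXPIRY_RE.search(condition.get("expression", ""))
    if not m:
        return None
    # CEL timestamps are RFC 3339; fromisoformat wants +00:00 rather than Z.
    return datetime.fromisoformat(m.group(1).replace("Z", "+00:00"))


def audit_policy(policy, now, max_hours=MAX_GRANT_HOURS):
    """Return (findings, break_glass_ok). findings is a list of
    (member, role, reason) tuples for elevated grants that are not short-lived."""
    findings = []
    break_glass_ok = False
    for binding in policy.get("bindings", []):
        role = binding["role"]
        if role not in PRIVILEGED_ROLES:
            continue
        expiry = grant_expiry(binding.get("condition"))
        for member in binding["members"]:
            if member in BREAK_GLASS:
                # Designated break-glass identity: a standing owner grant is
                # intended here, so record that the recovery path exists.
                if role == "roles/owner" and expiry is None:
                    break_glass_ok = True
                continue
            if expiry is None:
                findings.append((member, role, "standing grant: no expiry condition"))
            elif expiry <= now:
                findings.append((member, role, "lapsed grant still present in policy"))
            elif expiry - now > timedelta(hours=max_hours):
                findings.append((member, role,
                                 f"expiry {expiry.isoformat()} exceeds {max_hours}h window"))
    return findings, break_glass_ok


# Constructed sample policy (not from any real project).
SAMPLE_POLICY = {
    "bindings": [
        {"role": "roles/owner", "members": ["user:breakglass@example.com"]},
        {"role": "roles/owner", "members": ["user:carol@example.com"]},
        {"role": "roles/editor", "members": ["user:alice@example.com"],
         "condition": {"title": "incident-4711",
                       "expression": 'request.time < timestamp("2024-09-27T20:00:00Z")'}},
        {"role": "roles/editor", "members": ["group:platform-admins@example.com"],
         "condition": {"title": "quarterly-access",
                       "expression": 'request.time < timestamp("2024-12-31T00:00:00Z")'}},
        {"role": "roles/viewer", "members": ["user:bob@example.com"]},
    ]
}

if __name__ == "__main__":
    # Usage: python audit_iam.py [policy.json]; with no argument the sample runs.
    if len(sys.argv) > 1:
        with open(sys.argv[1]) as f:
            policy = json.load(f)
    else:
        policy = SAMPLE_POLICY
    findings, ok = audit_policy(policy, datetime.now(timezone.utc))
    for member, role, reason in findings:
        print(f"FINDING {member} {role}: {reason}")
    print("break-glass owner present:", ok)
```

Run against the sample at 14:00 UTC on 27 September 2024, the audit flags carol’s standing owner grant and the platform-admins grant that runs to year end, accepts alice’s six-hour incident grant, and reports that the break-glass owner is still in place. Running it on a schedule, and again after every incident, catches both failure modes the section describes: privilege that never expired, and a recovery account someone quietly removed.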

Harness threat intelligence for preparedness and response

CISOs are increasingly tapping into cyber threat intelligence to stay a step ahead of threats, whether that’s guiding investments in new controls, shaping incident response planning around specific threats, or gaining visibility into active campaigns. During an active incident, intelligence into the threat actor’s techniques and motivations can give incident responders a decisive advantage.

In addition, customers should engage their sectoral information sharing and analysis centers (ISACs), allowing them to plug into information exchanges with industry peers and government agencies, while preserving privacy and confidentiality. Google Cloud is proud to be a threat intelligence partner to multiple ISACs.

Have the cavalry on speed dial

While cloud providers can support customers in restoring access to their environments or activate backups, cloud providers generally lack the visibility and access to customer environments needed to perform customer incident response and remediation at scale. The kinds of SRE skills and expertise cloud providers specialize in may not be well-suited to the kind of hand-to-hand combat an organization may need to extricate a threat actor from their network.

That’s why many organizations opt to retain an incident response specialist ahead of time, which can save crucial hours in the event of an incident. With solutions such as Mandiant Retainer, customers can even retain consulting and incident response services as part of their contract with Google Cloud.

Make Google part of your security team

To learn more about how you can prepare a resilient strategy to respond to cybersecurity incidents, please see our CISO Insights hub and contact us at Ask Office of the CISO.

In case you missed it

Here are the latest updates, products, services, and resources from our security teams so far this month:

  • Activating your defender's advantage at mWISE ‘24: To stay ahead of evolving threats, security experts convened at mWISE ‘24 to tap into a vital but underutilized tool to strengthen their defenses: collaboration. Read more.
  • We can safeguard lives by building cyber-resilient healthcare. Here’s how: Healthcare CISOs face the complex challenge of evolving regulations, embracing collaboration, and using modern technology. We address all three in this Q&A. Read more.
  • CEOs often must secure their personal email on their own. Here’s how: Your personal email is a trove of family photos, shopping confirmations, and "password reset" links. It’s also a frontier for cyberattacks. Here’s how to protect it. Read more.
  • Google named a Leader in the IDC MarketScape: Worldwide SIEM for Enterprise 2024 Vendor Assessment: Google has been named a Leader in the IDC MarketScape: Worldwide SIEM for Enterprise 2024 Vendor Assessment, a recognition of our significant investments. Read more.
  • Introducing a new way to prevent account takeovers with certificate-based access: To help protect your organization from credential theft and accidental credential loss, we’re excited to announce the general availability of certificate-based access in our Identity and Access Management portfolio. Read more.
  • New CIEM support in Security Command Center can help reduce risk: To make identities easier to deal with, we’ve added new multicloud capabilities to Cloud Infrastructure Entitlement Management into Security Command Center. Here’s how it can help. Read more.
  • How to use automatic password rotation: Password rotation is a best practice that can be cumbersome and disruptive. Automation can help ease that burden, and we now offer a generic design to automate password rotation on Google Cloud. Read more.

Please visit the Google Cloud blog for more security stories published this month.

Threat Intelligence news

  • Mitigating the North Korean IT worker threat: Mandiant has tracked IT workers operating on behalf of the Democratic People's Republic of Korea (DPRK) since 2022. In this report, we examine the current state of the DPRK's efforts to obtain employment as IT workers and shed light on their operational tactics. Read more.
  • LummaC2: Obfuscation through indirect control flow: Mandiant researchers explore a control flow obfuscation technique employed by recent LummaC2 stealer samples to thwart analysis tools and stifle reverse engineering efforts. Read more.
  • Iran’s hidden hand in Middle Eastern networks: UNC1860 is a persistent and opportunistic Iranian state-sponsored threat actor that is likely affiliated with Iran’s Ministry of Intelligence and Security (MOIS). The group maintains a collection of specialized tooling and passive backdoors that Mandiant believes supports several objectives in the government and telecommunications space throughout the Middle East. Read more.
  • UNC2970 backdoor deployment uses trojanized PDF reader: UNC2970, a North Korean-affiliated cyber espionage group, relies on legitimate job description content to target victims employed in U.S. critical infrastructure verticals. The job description is delivered to the victim in a password-protected ZIP archive containing an encrypted PDF file and a modified version of an open-source PDF viewer application. Read more.
  • Announcing the 11th annual Flare-On Challenge: When it's pumpkin spice season, that means it's also Flare-On Challenge season. This reverse-engineering contest draws thousands of players and is the foremost single-player CTF-style challenge for current and aspiring reverse engineers. Read more.

Please visit the Google Cloud blog for more threat intelligence stories published this month.

Now hear this: Google Cloud Security and Mandiant podcasts

  • Why aren't more defenders winning? How to gain the Defender’s Advantage: Why do so few defenders actually realize their Defender’s Advantage? Dan Nutting, Cyber Defense manager, Google Cloud, joins host Anton Chuvakin to discuss the new edition of the Defender’s Advantage ebook and the importance of leading with intelligence in cyber defense. Listen here.
  • Sew your own: The value of security data fabric: You need security data fabric, says Josh Liburdi, staff security engineer, Brex. From what gets better when you deploy it, to how it can help data tooling, Anton goes security fashionista to explore one potential future for cybersecurity. Listen here.

To have our Cloud CISO Perspectives post delivered twice a month to your inbox, sign up for our newsletter. We’ll be back in two weeks with more security-related updates from Google Cloud.
