Incomplete Thought: Cloud Forensics and IR?

Taking a page from Chris Hoff’s method of posting incomplete thoughts, I found myself wondering why there is so little talk in security circles about performing forensics and incident response in public cloud environments. Do people just not care? Is it just easier to kill the image and spin up a new ‘clean’ image? Is it just too hard? Is there not enough guidance?

What’s up with that?

One comment

  1. It's something I have been saying we need to look at for quite a while. I recently gave a talk at Janet CERT on this issue http://www.slideshare.net/brianhonan/incident-res

    Last year at RSA Europe I also hosted a round table discussion on IR and forensic issues with Cloud Computing and it highlighted a number of key points. It was an interesting roundtable as I had a number of people from different backgrounds, including EU- and US-based law enforcement, so we covered a lot of areas, some of which are included in the above presentation.

    As an industry we have a lot to do in this space as traditional IR will not scale or indeed apply to the cloud. Unfortunately I think it will take a major breach of an organisation using the cloud and a subsequent lack of ability to respond properly before it becomes a mainstream topic.
