EP158 Ghostbusters for the Cloud: Who You Gonna Call for Cloud Forensics


Guest:

Topics covered:

  • Could you share a bit about when you get pulled into incidents and what are your goals when you are?
  • How does that change in the cloud? How do you establish a chain of custody and prove it for law enforcement, if needed?
  • What tooling do you rely on for cloud forensics and is that tooling available to "normal people"?
  • How do we at Google know when it's time to call for help, and how should our customers know that it's time?
  • Can I quote Ray Parker Jr and ask, who you gonna call?
  • What's your advice to a security leader on how to "prepare for the inevitable" in this context?
  • Cloud forensics - is it easier or harder than the 1990s classic forensics?

Great podcast, thanks Jason! I agree cloud is more ephemeral for cloud IR.

Questions:

Q1: In cloud what do you consider a security event vs. an incident? Is that different in cloud?

Q2: When it comes to monitoring ML environments, the community struggles for various reasons. There is the NVIDIA Morpheus project on GitHub, but it's still a maturing space when it comes to cloud. What design requirements do you ask from data scientists and engineers building out ML in the cloud that allow you to capture artifacts?

Not sure Jason is reading these, but I can try to answer.

Q1 Frankly, I don't see cloud breaking the "event vs incident" definition, in general. What I observed is a bit more uncertainty on what is considered an incident (e.g. on-premises, a new vulnerability is very rarely an incident, while some cloud teams treat a major vuln as an all-hands-on-deck incident).

Q2 Frankly, this is too long to answer here, perhaps we need a separate podcast episode on this. Got a guest in mind?