Cybersecurity insights from industry experts.

Doing It Together: Detection and Incident Response with Your Cloud Provider

Detection and incident response in a cloud environment can be a new challenge for security professionals who build their expertise before the cloud, and requires coordination between your organization’s internal teams and your cloud security provider’s security apparatus.

Anton Chuvakin, Security Advisor at Office of the CISO, Google Cloud

November 1, 2023

4 Min Read
a padlock and documents displayed within a cloud.
Source: Techa Tungateja via Alamy Stock Photo

The dynamic and ephemeral nature of the cloud can make detecting and responding to cybersecurity incidents challenging, even for professionals with extensive security expertise yet with little cloud experience. Incident management is an important, and often overlooked, area where your responsibilities and the cloud provider responsibilities aren't easily defined. Many incidents require close collaboration and support from the cloud provider to help investigate and mitigate them.

While many of the fundamentals of cybersecurity remain the same across on-premises and cloud environments, understanding the key differences is crucial for efficient detection and mitigation of security issues. 

What Changes in the Cloud 

Whether you’re in the cloud or not, cybersecurity is about safeguarding and preserving your systems and data. And though each incident is unique, standard investigative practices don’t change just because the cloud is involved.

However, there are some significant elements of threat detection and response that do change when your business is working in the cloud, including:  

  • A need for new skills. Properly detecting and responding to an incident in the cloud requires technical expertise relating to the cloud and cloud-native services.

  • More developer involvement. Incidents in a cloud environment means more interaction between security on one side and DevOps developers on the other.

  • A focus on applications, not infrastructure. Working in the cloud places a greater emphasis on application security than physical infrastructure security and endpoint security.

  • More stakeholders involved. A cybersecurity incident in the cloud will often involve a company’s cloud service provider (CSP) as well as one or more security service providers and/or other partners.

Working in the cloud leads to a reduction in manual IT processes, with less of a focus on hardware and more on automation and "everything as code." Securing the cloud requires new skills and new tools, and increased collaboration between Ops and Dev teams, and between a business and its cloud and security partners.  Effectively detecting and responding to threats in the cloud is therefore a multi-organization effort, with an increased emphasis on rapid data sharing. 

Detecting security threats in the cloud can be a challenge for many reasons, and tried and true methods for traditional security may not work as well when applied to the new environment. Telemetry collection methods are likely to change significantly in the cloud, with a gradually decreasing importance of network traffic and endpoint data sources and increasing application telemetry.

Working with your CSP

Governance sprawl is another new challenge of the cloud, requiring an effort to clearly understand and define areas of overlapping responsibility with the CSP and any other relevant partners. The concept of "shared fate" applies here, as proper cloud security requires a collaborative model for handling risks. Under the more proactive shared fate model, a CSP may provide security guidance to its partners at the deployment stage, as well as making ongoing security recommendations. 

A partnership with a CSP means it might be your cloud provider that recognizes an active security incident first, rather than your internal team. Wherever the issue is first identified, it is critical to share the information so that your internal team and your CSP's security team can work in concert. Your CSP likely has an established process for incident reporting, so familiarizing yourself with how information should be shared can help save valuable time when facing an active incident.

There is a wide array of detection tools available to monitor your systems and data in the cloud, including many from your cloud provider. The earlier you identify an incident the better, and these tools can often provide advance warning of a cybersecurity breach or issue that could cause an outage.

Some of the tools that are available to identify incidents as early as possible include:

  • Network, host, application, and cloud platform logs to flag suspicious activity.

  • Cloud provider analytics to distinguish malicious activity from everyday usage.

  • Threat detection through hypervisor-level instrumentation

Employing tools like these, along with coordination between your organization's security apparatus and your CSP's incident response team, can help minimize the time data security issues or malicious intrusions remain undetected. 

Once the active threat of an incident is resolved, the focus can turn to remediation. Post-incident, a post-mortem analysis shared between you and your CSP can review the causes of an incident and identify areas for possible improvement.  With shared responsibility or shared fate in the cloud, your organization isn't acting alone when responding to a cybersecurity incident — and with proper coordination, a security incident can be quickly identified and resolved. 

Read more Partner Perspectives from Google Cloud

Read more about:

Partner Perspectives

About the Author

Anton Chuvakin

Security Advisor at Office of the CISO, Google Cloud

Dr. Anton Chuvakin works for the Office of the CISO of Google Cloud, where he arrived via Chronicle Security (an Alphabet company) acquisition in July 2019. Before that, Anton was a Research Vice President and Distinguished Analyst at Gartner for Technical Professionals (GTP) Security and Risk Management Strategies team.

Keep up with the latest cybersecurity threats, newly discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

You May Also Like


More Insights