If you want to take the turmoil out of cloud-based cybersecurity forensics, consider these 13 hard-won lessons:
- Remember the first rule of coding: write self-documenting code and create documentation on its proper usage.
- A public-facing SFTP server will accommodate customer uploads once the SFTP engine is tuned, but your choice of VM size dramatically influences the maximum throughput and I/O. On upload, hash the file automatically, log the event, notify an analyst, and copy the file into engagement-specific object storage as a read-only, evidentiary copy; hash the copy as well so you can prove it is byte-identical to what arrived. Then take the pipeline further and automatically process artifacts into a format readily suitable for analyst consumption.
- Note that by default, rerunning a template deployment will not alter existing resources, including VMs; do not rely on a rerun to push a changed setting to a VM that already exists.
- Write your scripts assuming they will run multiple times. If you append text to a file unconditionally, every rerun adds the same entries again; check whether the entry is already present before writing it.
- Write error-checking routines so that unexpected inputs or failed API calls stop the script with a clear message instead of leaving a half-built environment.
- Log each function call and its outcome, but never write secrets (keys, tokens, passwords, connection strings) into the log.
- Over time, use the cloud console only as a way to learn how to produce the same result in code. Strive for 99 percent automated deployment.
- When you support multiple cloud vendors, write a vendor-specific function for each operation (for example, granting object-storage permissions, building a VM, or allocating a public IP) so that your main code stays generic.
- Regularly check in your code to keep a revision history. GitHub is the most popular host, and end users of the IaC can simply "git pull" to receive all updates.
- Keep in mind that Azure AD can accommodate your IAM needs across operating systems, but enforce multi-factor authentication on all accounts.
- Like Chef and Puppet for system management, Salt can perform post-provisioning setup and ongoing maintenance for Windows® and Linux™.
- Native cloud services can apply regular patch updates and report patch status through graphical dashboards.
- See tip 1: your deployment admins need one level of documentation detail; analysts need a second.
With management support and ongoing care from cloud developers, your IR team can grow an extensible forensics platform that fits the modern age.
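The intake pipeline from tip 2, worked through as an added example (this is not code from the original post): hash each upload on arrival, write a read-only evidentiary copy named by its digest, re-hash the copy to prove it is byte-identical, and append a chain-of-custody record. A local directory stands in for engagement-specific object storage and a JSON-lines manifest stands in for the logging and notification service; both are assumptions made here so the script runs offline without cloud credentials. The guard against re-ingesting an identical file also applies tip 4.

```python
"""Evidence intake for the SFTP landing area described in tip 2.
Added example, not the original post's code. A local directory stands in for
engagement-specific object storage and a JSON-lines manifest stands in for the
logging/notification service, so the script runs offline with no cloud credentials."""
import hashlib
import json
import os
import shutil
import stat
import time
from pathlib import Path

CHUNK = 1024 * 1024  # hash 1 MiB at a time so a multi-GB image is never loaded whole

def sha256_of(path):
    """Stream the file through SHA-256 and return the hex digest."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(CHUNK), b""):
            h.update(chunk)
    return h.hexdigest()

def intake(upload, evidence_root, engagement, notify=None):
    """Preserve one upload and append its chain-of-custody record to the manifest.

    Hash the upload, copy it into the engagement store under a digest-prefixed
    name, make the copy read-only, re-hash the copy to prove it is byte-identical,
    then log. A second run on an identical file only logs a 'duplicate' entry, so
    the intake is safe to rerun (tip 4).
    """
    store = evidence_root / engagement
    store.mkdir(parents=True, exist_ok=True)
    digest = sha256_of(upload)
    dest = store / f"{digest}_{upload.name}"
    record = {
        "time": time.strftime("%Y-%m-%dT%H:%M:%SZ", time.gmtime()),
        "engagement": engagement,
        "original_name": upload.name,
        "size": upload.stat().st_size,
        "sha256": digest,
        "evidence_path": str(dest),
    }
    if dest.exists():
        record["status"] = "duplicate"
    else:
        shutil.copy2(upload, dest)
        os.chmod(dest, stat.S_IRUSR | stat.S_IRGRP | stat.S_IROTH)  # 0o444: nobody edits evidence in place
        copied = sha256_of(dest)
        if copied != digest:
            dest.unlink()
            raise RuntimeError(f"copy of {upload.name} does not verify: {copied} != {digest}")
        record["status"] = "stored"
    with (store / "manifest.jsonl").open("a", encoding="utf-8") as log:
        log.write(json.dumps(record) + "\n")
    if notify:  # e.g. post to the analyst channel; here the caller supplies the hook
        notify(record)
    return record

def process_uploads(upload_dir, evidence_root, engagement, notify=None):
    """Ingest every regular file in the landing directory, oldest first."""
    files = sorted((p for p in upload_dir.iterdir() if p.is_file()), key=lambda p: p.stat().st_mtime)
    return [intake(p, evidence_root, engagement, notify) for p in files]

def verify_manifest(evidence_root, engagement):
    """Re-hash every stored copy; return the manifest records that no longer match."""
    bad = []
    with (evidence_root / engagement / "manifest.jsonl").open(encoding="utf-8") as log:
        for line in log:
            rec = json.loads(line)
            if rec["status"] == "stored" and sha256_of(Path(rec["evidence_path"])) != rec["sha256"]:
                bad.append(rec)
    return bad
```

Run process_uploads against the SFTP landing directory from a scheduler or a file-system watcher, and run verify_manifest before an analyst relies on a copy: a record it returns means the evidentiary copy has changed since intake and must not be used. Naming the copy by its digest makes duplicate uploads harmless and lets two analysts confirm they are looking at the same bytes.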
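Tips 3 through 6 and 8 in one runnable script, as an added example that is not the post's own code: the configuration append is guarded so a rerun is a no-op, every vendor call goes through an error check that fails loudly, the log sink masks secret values before they are written, and the main flow is vendor-neutral while the adapter functions (azure_ops, aws_ops) hold the vendor-specific calls. The two SDKs are replaced by constructed in-memory fakes (FakeAzure, FakeAws) with deliberately different response shapes; their class and method names, response fields and IP addresses are assumptions made for the example, not any vendor's real API.

```python
"""Idempotent, error-checked, vendor-neutral provisioning helpers (tips 4, 5, 6 and 8).
Added example, not the original post's code. The cloud SDKs are replaced by two
in-memory fakes with deliberately different response shapes so the script runs
offline and the per-vendor adapter functions have something real to normalise."""
import logging
import re
from pathlib import Path

log = logging.getLogger("deploy")
SECRET_RE = re.compile(r"(?i)\b(token|password|secret|key)=([^\s,;]+)")

class RedactingHandler(logging.Handler):
    """Tip 6: keep the log lines, but mask any secret=value pair before it is written."""
    def __init__(self):
        super().__init__()
        self.lines = []
        self.setFormatter(logging.Formatter("%(levelname)s %(message)s"))
        log.addHandler(self)
        log.setLevel(logging.INFO)

    def emit(self, record):
        self.lines.append(SECRET_RE.sub(r"\1=<redacted>", self.format(record)))

def ensure_line(path, line):
    """Tip 4: append `line` only if it is absent, so a rerun does not duplicate it."""
    if path.exists() and line in path.read_text(encoding="utf-8").splitlines():
        return False
    with path.open("a", encoding="utf-8") as f:
        f.write(line + "\n")
    return True

class DeploymentError(RuntimeError):
    pass

def checked(call, what):
    """Tip 5: run one normalised vendor call; raise on an exception or a non-ok status."""
    try:
        resp = call()
    except Exception as exc:
        log.error("%s raised %r", what, exc)
        raise DeploymentError(f"{what} failed: {exc}") from exc
    if resp.get("status") != "ok":
        log.error("%s failed: %s", what, resp.get("error"))
        raise DeploymentError(f"{what} failed: {resp.get('error')}")
    log.info("%s ok", what)
    return resp

class FakeAzure:  # constructed stand-in for an ARM-style SDK (not the real API)
    def __init__(self):
        self.vms = {}

    def create_or_update_vm(self, name, size):
        self.vms.setdefault(name, size)  # tip 3: an existing VM is left untouched on rerun
        return {"provisioningState": "Succeeded"}

    def create_public_ip(self, name):
        if name not in self.vms:
            return {"provisioningState": "Failed", "error": f"VM {name} not found"}
        return {"provisioningState": "Succeeded", "ipAddress": "203.0.113.10"}

class FakeAws:  # constructed stand-in for an EC2-style SDK (not the real API)
    def __init__(self):
        self.instances = {}

    def run_instances(self, name, size):
        self.instances.setdefault(name, size)
        return {"Instances": [{"State": {"Name": "running"}}]}

    def allocate_address(self, name):
        if name not in self.instances:
            raise LookupError(f"instance {name} not found")
        return {"PublicIp": "198.51.100.20"}

def azure_ops(api):
    """Tip 8: vendor-specific functions, each normalised to {'status', 'ip', 'error'}."""
    def norm(r):
        ok = r["provisioningState"] == "Succeeded"
        return {"status": "ok" if ok else "error", "ip": r.get("ipAddress"), "error": r.get("error")}
    return {"build_vm": lambda n, s: norm(api.create_or_update_vm(n, s)),
            "public_ip": lambda n: norm(api.create_public_ip(n))}

def aws_ops(api):
    def build_vm(n, s):
        state = api.run_instances(n, s)["Instances"][0]["State"]["Name"]
        return {"status": "ok" if state == "running" else "error", "error": state}
    # A LookupError raised by the SDK is converted into DeploymentError by checked().
    return {"build_vm": build_vm,
            "public_ip": lambda n: {"status": "ok", "ip": api.allocate_address(n)["PublicIp"]}}

VENDORS = {"azure": azure_ops(FakeAzure()), "aws": aws_ops(FakeAws())}

def deploy_analyst_vm(vendor, name, size, hosts_file, api_token):
    """Generic main flow: nothing here knows which SDK sits behind VENDORS[vendor]."""
    ops = VENDORS[vendor]
    log.info("deploy %s on %s token=%s", name, vendor, api_token)  # value is masked by RedactingHandler
    checked(lambda: ops["build_vm"](name, size), f"{vendor}.build_vm({name})")
    ip = checked(lambda: ops["public_ip"](name), f"{vendor}.public_ip({name})")["ip"]
    return {"vm": name, "ip": ip, "hosts_updated": ensure_line(hosts_file, f"{ip} {name}")}
```

Swapping a fake for the real SDK changes only azure_ops or aws_ops; deploy_analyst_vm, checked and ensure_line stay as they are. The redaction regex is deliberately simple; extend it to the secret formats your own scripts actually log, and prefer passing secrets as arguments that are never interpolated into a message at all.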
Need additional information? Contact a member of our CIFR team 24/7/365 by phone 888-RISK-411 or email CIFR.firstname.lastname@example.org.
Accenture is a leading global professional services company, providing a broad range of services and solutions in strategy, consulting, digital, technology and operations. Combining unmatched experience and specialized skills across more than 40 industries and all business functions – underpinned by the world’s largest delivery network – Accenture works at the intersection of business and technology to help clients improve their performance and create sustainable value for their stakeholders. With more than 425,000 people serving clients in more than 120 countries, Accenture drives innovation to improve the way the world works and lives. Visit us at www.accenture.com.
Accenture Security helps organizations build resilience from the inside out, so they can confidently focus on innovation and growth. Leveraging its global network of cybersecurity labs, deep industry understanding across client value chains and services that span the security lifecycle, Accenture helps organizations protect their valuable assets, end-to-end. With services that include strategy and risk management, cyber defense, digital identity, application security and managed security, Accenture enables businesses around the world to defend against known sophisticated threats, and the unknown. Follow us @AccentureSecure on Twitter or visit us at www.accenture.com/security.
Accenture, the Accenture logo, and other trademarks, service marks, and designs are registered or unregistered trademarks of Accenture and its subsidiaries in the United States and in foreign countries. All trademarks are properties of their respective owners. All materials are intended for the original recipient only. The reproduction and distribution of this material is forbidden without express written permission from Accenture. The opinions, statements, and assessments in this report are solely those of the individual author(s) and do not constitute legal advice, nor do they necessarily reflect the views of Accenture, its subsidiaries, or affiliates. Given the inherent nature of threat intelligence, the content contained in this report is based on information gathered and understood at the time of its creation. It is subject to change. Accenture provides the information on an “as-is” basis without representation or warranty and accepts no liability for any action or failure to act taken in response to the information contained or referenced in this report.
This document makes descriptive reference to trademarks that may be owned by others. The use of such trademarks herein is not an assertion of ownership of such trademarks by Accenture and is not intended to represent or imply the existence of an association between Accenture and the lawful owners of such trademarks.
This document is produced by consultants at Accenture as general guidance. It is not intended to provide specific advice on your circumstances. If you require advice or further details on any matters referred to, please contact your Accenture representative. The opinions, statements, and assessments in this report are solely those of the individual author(s) and do not constitute legal advice, nor do they necessarily reflect the views of Accenture, its subsidiaries, or affiliates.
Copyright © 2020 Accenture. All rights reserved. Accenture and its logo are trademarks of Accenture.
Want cloud-based forensics with less turmoil? Here are the top tech tips.
The first of this three-part blog series about how to implement and get the most from cloud-based cybersecurity forensics