Enable incident response across Amazon Web Services (AWS), Microsoft Azure, and Google Cloud environments
While the public cloud enables agility by empowering users to create, modify, and scale storage, network and compute resources on-demand, this often occurs without any security oversight. As a result, security teams lack the context necessary to respond quickly when incidents occur. The following are barriers to effective incident response in public cloud environments:
Without context, the severity of an alert is hard to ascertain, which makes it difficult to prioritize response. For example, investigation of an incident involving a database that is receiving suspicious traffic should be prioritized over an incident involving a database that is merely associated with an open security group. Risk severity must be quantified algorithmically by assessing context.
The ephemeral nature of cloud resources makes it challenging to perform investigations in constantly changing public cloud environments. A current or point-in-time snapshot of the environment is required to perform a thorough analysis.
In the cloud, multiple users hold elevated privileges, and changes to resources occur rapidly and constantly, which makes it difficult to pinpoint the root cause of an incident. An audit trail is necessary to quickly identify the responsible user and the action that led to an incident.
The rapid pace of change in cloud environments can inundate the security team with alerts. For security to keep pace, alerts must support auto-remediation or integrate with existing incident response tools and DevOps workflows.
The RedLock Cloud 360™ platform provides the necessary context on risks by using AI to correlate disparate data sets including resource configurations, user activities, network traffic, host vulnerabilities/activities, and threat intelligence. This contextual understanding of the cloud environment reduces incident response time from weeks or months to seconds.
Similar to a credit score, the RedLock Cloud 360 platform computes risk scores for every cloud resource based on the severity of business risks, violations, and anomalies. This enables you to prioritize remediation for the riskiest resources first.
The RedLock Cloud 360 platform’s graph analytics enables quick investigations of current or past issues and analysis of downstream impact. For example, you can search for all databases that were receiving traffic from suspicious IP addresses last month and subsequently drill down on each resource to determine which other resources are connected to it.
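The context-based prioritization and the graph drill-down described above, as an added illustration that is not RedLock's own code or scoring algorithm: it correlates a constructed resource inventory, network flows and a threat-intelligence list (all hypothetical values) into a per-resource risk score, ranks alerts so that a database receiving suspicious traffic outranks one that only has an open security group, and then walks the connection graph from a resource to find everything linked to it.

```python
"""Added illustration (not RedLock's algorithm): correlate config, flows and
threat intel into a risk score, then drill down the connection graph."""
from collections import deque

# Constructed inventory (hypothetical resource ids and addresses).
RESOURCES = {
    "db-1": {"type": "database", "open_security_group": False},
    "db-2": {"type": "database", "open_security_group": True},
    "app-1": {"type": "instance", "open_security_group": False},
}
FLOWS = [("203.0.113.7", "db-1"), ("10.0.1.5", "db-2"), ("10.0.1.5", "app-1")]
THREAT_INTEL = {"203.0.113.7"}             # constructed suspicious source
CONNECTIONS = {"app-1": ["db-1", "db-2"]}  # observed resource-to-resource links

# Illustrative weights: suspicious inbound traffic outranks a bare
# misconfiguration, matching the prioritisation described in the text.
WEIGHT_SUSPICIOUS_TRAFFIC = 70
WEIGHT_OPEN_SECURITY_GROUP = 30

def suspicious_sources(resource_id):
    """Threat-listed addresses seen sending traffic to the resource."""
    return {src for src, dst in FLOWS if dst == resource_id and src in THREAT_INTEL}

def risk_score(resource_id):
    """Combine configuration state with observed traffic into one score."""
    score = WEIGHT_OPEN_SECURITY_GROUP if RESOURCES[resource_id]["open_security_group"] else 0
    return score + (WEIGHT_SUSPICIOUS_TRAFFIC if suspicious_sources(resource_id) else 0)

def prioritized_alerts():
    """Resource ids ordered from riskiest to least risky."""
    return sorted(RESOURCES, key=risk_score, reverse=True)

def databases_with_suspicious_traffic():
    """The search from the text: databases receiving threat-listed traffic."""
    return sorted(r for r, meta in RESOURCES.items()
                  if meta["type"] == "database" and suspicious_sources(r))

def connected_resources(resource_id):
    """Drill down: every resource reachable over links in either direction."""
    neighbors = {r: set() for r in RESOURCES}
    for src, dsts in CONNECTIONS.items():
        for dst in dsts:
            neighbors[src].add(dst)
            neighbors[dst].add(src)
    seen, queue = {resource_id}, deque([resource_id])
    while queue:
        for n in neighbors[queue.popleft()] - seen:
            seen.add(n)
            queue.append(n)
    return sorted(seen - {resource_id})
```

With this data the ranking is db-1 (suspicious traffic), then db-2 (open security group), then app-1, and drilling down from db-1 reaches app-1 and, through it, db-2.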
The platform provides you with a DVR-like capability to view time-serialized activity for any given resource. You can review the history of changes for a resource and better understand the root cause of an incident, past or present.
The RedLock Cloud 360 platform enables you to quickly respond to an issue based on contextual alerts. You can perform auto-remediation, orchestrate policy, or send alerts via email or to third-party tools such as Slack, Demisto, and Splunk.