Towards incident handling in the cloud: challenges and approaches

Security incident handling, an integral part of security management, covers the detection and analysis of security incidents as well as the subsequent response (i.e., containment, eradication, and recovery). Existing processes and methods for incident handling are geared towards infrastructures and operational models that cloud computing will increasingly render outdated. This paper examines how the changes introduced by cloud computing influence the incident handling process. It identifies problems that cloud customers encounter in each of the incident handling steps and provides possible approaches together with the corresponding challenges. The identified approaches offer guidance for cloud customers and cloud service providers towards effective incident handling in the cloud; the identified challenges may serve as a basis for a research agenda in cloud incident handling.
