Welcome!

Release Management Authors: David H Deans, Liz McMillan, Jnan Dash, Lori MacVittie, Gilad Parann-Nissany

Related Topics: @CloudExpo, Agile Computing, Cloud Security

@CloudExpo: Article

The Impact of the Cloud on Digital Forensics - Part 2

Looking at potential tools that can contribute to the cloud security perimeter

As mentioned in  Part 1 of this article, one of my functions is to research current and up and coming solutions within the technology realm, particularly that of distributed computing and cloud computing.

It is a strong possibility that malicious users will eventually identify and exploit potential flaws within the cloud computing model. CSPs, in their pursuit to secure market share may have underestimated the possibilities of attack and misuse of their cloud resources by a malicious user or users.

The likelihood that the creation, storage, processing and distribution of illicit material will present major legal issues, is also a grave reality [4]

Digital Forensic Examiners also know that any effective forensic system has to have an effective means of monitoring and collecting a wide range of data as; there is no directive which states what may be pertinent to any one case a priori.

With regard to possibility of insider attacks, collecting data at the entry points of a network will not contribute to tracing insider attacks.

When our admin director signed me up to attend the webinar, The Case for Network Forensics - from Solera Networks a few weeks ago; to be honest I thought that it would be a variation of some tools already in use by another start-up.

The synopsis of this webinar had me recall a paper I read a while ago by a Gartner consultant [5] which stated, "Cloud services are especially difficult to investigate, because logging and data for multiple customers may be co-located and may also be spread across an ever-changing set of hosts and data centres," then, I figured it was only a matter of time before a start-up proved this statement wrong.

Enter Solera's discussion on network forensics. One takeaway was that the core nature of this product is that it is like a Security camera - and it records everything.

Ok I thought, digital forensics examiners typically have vast amounts of data to sift through in a traditional system anyway; how will this company's tools expedite the sorting and analysis to output what we need that is specific to an investigation within the cloud; which will be accepted in a court of law?

Also digital evidence by itself can be extremely fragile, in that it can be altered, damaged, or destroyed by improper handling or examination. As forensic examiners we know how critical it is to ensure that precautions are taken to document, collect, preserve and examine evidence. As you know any failure in this process can render a case inadmissible in court.

I took my questions to Peter Schlampp VP Marketing and Product Management and Alan Hall Director Marketing [6] from Solera, who provided insight as follows.

Within the cloud Solera's tools does not use a typical custom silicate, but rather will see packets as they are seeing it as if on a traditional system NIC.  Integrated into a cloud service providers environments this system claims to ensure that the customer are the only one seeing aspects of their data and no one else.

Of course I wondered about the VM managers at the cloud service provider (CSP) who manages the VMs at this point, as they can see customers' data.

The response, I received was as follows: Data tracks on the customer view, will be that of who interacted with their system in the cloud and what types of connections came in to the system hosted in the cloud. In other words it records traffic between virtual host on a physical host.

The system also has an integration with Sourcefire's defense center, although I haven't conducted a PEN-TEST in over a year, I still keep updated on current processes and technologies within the IT Security - Pen-Testing world; knowing that SNORT is utilized, was an immediate plus for me.

In the event of an incident, an investigator can drill down to event level which shows the frame of traffic; an alert from a Sourcefire event will then go directly to a Solera networks device.

Data provided from this can provide answers to: How did the connection get initiated? How do you know what happened afterwards? And for a host that was compromised one can potentially follow paths.

Despite this I still express some concerns with regard to levels of assurance for data held within the cloud amongst others. In order to get objective feedback, I approached one of my mentors Mark Pollitt for his sage input. Although he expressed his concern regarding the Solera's pitch of "network forensics for amateurs," he did state that "anything that will make analysis easier and capable of being done (even just as triage) by less skilled operators is very useful."

Whilst not an endorsement, it put my mind at ease in the sense that: the company had a vision which was on track with regard to a direction for virtualization, the cloud and forensic examination.

As a technologist there is nothing like more data and case study results to satisfy my reserve, so I presented these concerns to Schlampp and Hall, who responded with food for thought as follows:

Advanced Solera Networks network forensics technology now gives the ability to make data more understandable to a common individual. Packet detail is now rendered as web pages, emails, IMs, MS Office docs, etc. That means we can utilize support staff that can interpret this "human visible" or "human readable" data and clearly understand that the data obviously contain information we don't want leaked from our organization. With the advances Solera Networks makes, users have more front line incident response personnel that can determine if the appropriate triage requires escalation to those limited personnel that possess the in-depth skills. Those skills, combined with a complete forensics record from Solera Networks appliances, can uncover exactly what happened and more importantly, help determine the proper course of action and do so quickly to close the gap in response time between incident and remediation.

In a perfect world, effective network forensics requires the ability to "capture it all, all of the time." When we don't know what we don't know, capturing it all is the only way to ensure we have the complete data to interrogate and create the accurate story of what happened. However, what we end up with in practical use is usually something short of "everything."

We have to factor in things like amount of storage at our disposal, how fast our networks are running, what data or systems we have determined as most valuable in our organization, data protection regulations, etc. Accounting for these and other factors, Solera Networks has real-time network forensics technology that lets you make choices on what to capture - all data on every segment; selective segments of data based on port, specific applications, protocols, IP addresses, etc.; or, even get as granular as analyzing every packet for specific information like a hex pattern and only retaining those packets.

Selective capture requires a trade-off between creating more manageable "haystacks of data" and "missing the needle" altogether because it is in a different haystack of data that we didn't have the foresight to capture. Because of Solera Networks approach network forensics technology has evolved to the point where we can stick with one haystack and have the tools to find the exact needle in near real-time.

With any new product only time can tell the benefits it will provide. With regard to digital forensics and the drive to adopt cloud computing systems, any tool that will improve results, reduce false positives and give an investigator data that is relevant, factual and which can be presented and accepted in a court of law will be valued. I believe that these tools combined with a system such as that of ForNet [7] could chart a part for forensics investigations within the cloud ecosystem.

Accordingly ForNet :"helps with the postmortem of any security incident including insider attacks. It can also store potential evidence for months, which is much longer than any existing solution. With an integration of its XML based query routing protocols, coalescing of synopses, and a user interface, an analyst can locate evidence relating to an incident efficiently and transparently."

References

1.Politt MM. Six blind men from Indostan. Digital forensics research workshop (DFRWS); 2004.

2.Digital Forensics:Defining a Research Agenda -Nance,Hay Bishop 2009;978-0-7695-3450-3/09 IEEE

4. Cloud Computing Storms: Biggs, Vidalis; IJICR Vol 1, Issue 1, March 2010

5. GARTNER. 2008. Tough questions: Gartner tallies up seven cloud-computing security risks.

6.Peter Schlampp VP Marketing and Product Management,Alan Hall Director Marketing - Solera Networks

7.ForNet: A Distributed Forensic Network, Kulesh Shanmugasundaram - Project ForNet NYU Polytechnic University.

More Stories By Jon Shende

Jon RG Shende is an executive with over 18 years of industry experience. He commenced his career, in the medical arena, then moved into the Oil and Gas environment where he was introduced to SCADA and network technologies,also becoming certified in Industrial Pump and Valve repairs. Jon gained global experience over his career working within several verticals to include pharma, medical sales and marketing services as well as within the technology services environment, eventually becoming the youngest VP of an international enterprise. He is a graduate of the University of Oxford, holds a Masters certificate in Business Administration, as well as an MSc in IT Security, specializing in Computer Crime and Forensics with a thesis on security in the Cloud. Jon, well versed with the technology startup and mid sized venture ecosystems, has contributed at the C and Senior Director level for former clients. As an IT Security Executive, Jon has experience with Virtualization,Strategy, Governance,Risk Management, Continuity and Compliance. He was an early adopter of web-services, web-based tools and successfully beta tested a remote assistance and support software for a major telecom. Within the realm of sales, marketing and business development, Jon earned commendations for turnaround strategies within the services and pharma industry. For one pharma contract he was responsibe for bringing low performing districts up to number 1 rankings for consecutive quarters; as well as outperforming quotas from 125% up to 314%. Part of this was achieved by working closely with sales and marketing teams to ensure message and product placement were on point. Professionally he is a Fellow of the BCS Chartered Institute for IT, an HITRUST Certified CSF Practitioner and holds the CITP and CRISC certifications.Jon Shende currently works as a Senior Director for a CSP. A recognised thought Leader, Jon has been invited to speak for the SANs Institute, has spoken at Cloud Expo in New York as well as sat on a panel at Cloud Expo Santa Clara, and has been an Ernst and Young CPE conference speaker. His personal blog is located at http://jonshende.blogspot.com/view/magazine "We are what we repeatedly do. Excellence, therefore, is not an act, but a habit."

Comments (0)

Share your thoughts on this story.

Add your comment
You must be signed in to add a comment. Sign-in | Register

In accordance with our Comment Policy, we encourage comments that are on topic, relevant and to-the-point. We will remove comments that include profanity, personal attacks, racial slurs, threats of violence, or other inappropriate material that violates our Terms and Conditions, and will block users who make repeated violations. We ask all readers to expect diversity of opinion and to treat one another with dignity and respect.


@ThingsExpo Stories
In order to meet the rapidly changing demands of today’s customers, companies are continually forced to redefine their business strategies in order to meet these needs, stay relevant and continue to see profitable growth. IoT deployment and development is integral in this transformation, and today businesses are increasingly seeing the value of investing their resources into IoT deployments. These technologies are able increase ROI through projects such as connecting supply chains or enabling sm...
SYS-CON Events announced today that Progress, a global leader in application development, has been named “Bronze Sponsor” of SYS-CON's 20th International Cloud Expo®, which will take place on June 6-8, 2017, at the Javits Center in New York City, NY. Enterprises today are rapidly adopting the cloud, while continuing to retain business-critical/sensitive data inside the firewall. This is creating two separate data silos – one inside the firewall and the other outside the firewall. Cloud ISVs ofte...
DevOps is often described as a combination of technology and culture. Without both, DevOps isn't complete. However, applying the culture to outdated technology is a recipe for disaster; as response times grow and connections between teams are delayed by technology, the culture will die. A Nutanix Enterprise Cloud has many benefits that provide the needed base for a true DevOps paradigm.
SYS-CON Events announced today that DivvyCloud will exhibit at SYS-CON's 20th International Cloud Expo®, which will take place on June 6-8, 2017, at the Javits Center in New York City, NY. DivvyCloud software enables organizations to achieve their cloud computing goals by simplifying and automating security, compliance and cost optimization of public and private cloud infrastructure. Using DivvyCloud, customers can leverage programmatic Bots to identify and remediate common cloud problems in rea...
SYS-CON Events announced today that Outscale, a global pure play Infrastructure as a Service provider and strategic partner of Dassault Systèmes, will exhibit at SYS-CON's 20th International Cloud Expo®, which will take place on June 6-8, 2017, at the Javits Center in New York City, NY. Founded in 2010, Outscale simplifies infrastructure complexities and boosts the business agility of its customers. Outscale delivers a secure, reliable and industrial strength solution for its customers, which in...
SYS-CON Events announced today that Cloudistics, an on-premises cloud computing company, has been named “Bronze Sponsor” of SYS-CON's 20th International Cloud Expo®, which will take place on June 6-8, 2017, at the Javits Center in New York City, NY. Cloudistics delivers a complete public cloud experience with composable on-premises infrastructures to medium and large enterprises. Its software-defined technology natively converges network, storage, compute, virtualization, and management into a ...
New competitors, disruptive technologies, and growing expectations are pushing every business to both adopt and deliver new digital services. This ‘Digital Transformation’ demands rapid delivery and continuous iteration of new competitive services via multiple channels, which in turn demands new service delivery techniques – including DevOps. In this power panel at @DevOpsSummit 20th Cloud Expo, moderated by DevOps Conference Co-Chair Andi Mann, panelists will examine how DevOps helps to meet th...
SYS-CON Events announced today that A&I Solutions has been named “Bronze Sponsor” of SYS-CON's 20th International Cloud Expo®, which will take place on June 6-8, 2017, at the Javits Center in New York City, NY. Founded in 1999, A&I Solutions is a leading information technology (IT) software and services provider focusing on best-in-class enterprise solutions. By partnering with industry leaders in technology, A&I assures customers high performance levels across all IT environments including: mai...
Every successful software product evolves from an idea to an enterprise system. Notably, the same way is passed by the product owner's company. In his session at 20th Cloud Expo, Oleg Lola, CEO of MobiDev, will provide a generalized overview of the evolution of a software product, the product owner, the needs that arise at various stages of this process, and the value brought by a software development partner to the product owner as a response to these needs.
Most technology leaders, contemporary and from the hardware era, are reshaping their businesses to do software in the hope of capturing value in IoT. Although IoT is relatively new in the market, it has already gone through many promotional terms such as IoE, IoX, SDX, Edge/Fog, Mist Compute, etc. Ultimately, irrespective of the name, it is about deriving value from independent software assets participating in an ecosystem as one comprehensive solution.
SYS-CON Events announced today that EARP will exhibit at SYS-CON's 20th International Cloud Expo®, which will take place on June 6-8, 2017, at the Javits Center in New York City, NY. "We are a software house, so we perfectly understand challenges that other software houses face in their projects. We can augment a team, that will work with the same standards and processes as our partners' internal teams. Our teams will deliver the same quality within the required time and budget just as our partn...
SYS-CON Events announced today that delaPlex will exhibit at SYS-CON's @ThingsExpo, which will take place on June 6-8, 2017, at the Javits Center in New York City, NY. delaPlex pioneered Software Development as a Service (SDaaS), which provides scalable resources to build, test, and deploy software. It’s a fast and more reliable way to develop a new product or expand your in-house team.
SYS-CON Events announced today that Tappest will exhibit MooseFS at SYS-CON's 20th International Cloud Expo®, which will take place on June 6-8, 2017, at the Javits Center in New York City, NY. MooseFS is a breakthrough concept in the storage industry. It allows you to secure stored data with either duplication or erasure coding using any server. The newest – 4.0 version of the software enables users to maintain the redundancy level with even 50% less hard drive space required. The software func...
In his keynote at @ThingsExpo, Chris Matthieu, Director of IoT Engineering at Citrix and co-founder and CTO of Octoblu, focused on building an IoT platform and company. He provided a behind-the-scenes look at Octoblu’s platform, business, and pivots along the way (including the Citrix acquisition of Octoblu).
SYS-CON Events announced today that Systena America will exhibit at SYS-CON's 20th International Cloud Expo®, which will take place on June 6-8, 2017, at the Javits Center in New York City, NY. Systena Group has been in business for various software development and verification in Japan, US, ASEAN, and China by utilizing the knowledge we gained from all types of device development for various industries including smartphones (Android/iOS), wireless communication, security technology and IoT serv...
SYS-CON Events announced today that Outscale will exhibit at SYS-CON's 20th International Cloud Expo®, which will take place on June 6-8, 2017, at the Javits Center in New York City, NY. Outscale's technology makes an automated and adaptable Cloud available to businesses, supporting them in the most complex IT projects while controlling their operational aspects. You boost your IT infrastructure's reactivity, with request responses that only take a few seconds.
DevOps at Cloud Expo – being held October 31 - November 2, 2017, at the Santa Clara Convention Center in Santa Clara, CA – announces that its Call for Papers is open. Born out of proven success in agile development, cloud computing, and process automation, DevOps is a macro trend you cannot afford to miss. From showcase success stories from early adopters and web-scale businesses, DevOps is expanding to organizations of all sizes, including the world's largest enterprises – and delivering real r...
SYS-CON Events announced today that delaPlex will exhibit at SYS-CON's @CloudExpo, which will take place on June 6-8, 2017, at the Javits Center in New York City, NY. delaPlex pioneered Software Development as a Service (SDaaS), which provides scalable resources to build, test, and deploy software. It’s a fast and more reliable way to develop a new product or expand your in-house team.
Five years ago development was seen as a dead-end career, now it’s anything but – with an explosion in mobile and IoT initiatives increasing the demand for skilled engineers. But apart from having a ready supply of great coders, what constitutes true ‘DevOps Royalty’? It’ll be the ability to craft resilient architectures, supportability, security everywhere across the software lifecycle. In his keynote at @DevOpsSummit at 20th Cloud Expo, Jeffrey Scheaffer, GM and SVP, Continuous Delivery Busine...
SYS-CON Events announced today that CollabNet, a global leader in enterprise software development, release automation and DevOps solutions, will be a Bronze Sponsor of SYS-CON's 20th International Cloud Expo®, taking place from June 6-8, 2017, at the Javits Center in New York City, NY. CollabNet offers a broad range of solutions with the mission of helping modern organizations deliver quality software at speed. The company’s latest innovation, the DevOps Lifecycle Manager (DLM), supports Value S...