In any incident response effort, understanding the root cause of a threat through forensic analysis is key to enabling full remediation and recovery. SecOps and IR teams need to be able to gather and analyze forensic artifacts quickly to ensure the threat is fully eradicated. These artifacts, along with a full incident timeline, are pivotal to understanding the incident's root cause and scope, and devising an effective containment and remediation strategy.
However, extracting these artifacts in cloud environments presents a formidable challenge. The ephemeral nature of cloud resources, such as containers and serverless functions, means that crucial evidence can easily disappear before it can be captured. Multi-cloud architectures create further headaches, with each cloud service provider (CSP) offering different mechanisms for snapshot creation and data retrieval. These challenges can take up hours of responders’ time with tedious and error-prone manual processes at exactly the moment when they need to move fast to eradicate a threat.
To help streamline forensic investigation for the cloud and enable it as an automated go-to capability for SecOps teams, we’re excited to release Gem Cloud Forensics, an end-to-end solution for cloud forensics – from snapshot creation and artifact extraction to forensic timeline generation and investigation, plus preservation of forensic evidence for legal proceedings and compliance. Gem Cloud Forensics significantly reduces the time and effort required to perform forensics in the cloud, enabling it to be executed with just a few clicks.
Gem's Innovative Approach to Cloud Forensics – Combining Volume Data with Rich Cloud Telemetry
After hearing about these challenges from many of our users, we developed a suite of cloud forensic capabilities to streamline the extraction and analysis of forensic artifacts, ensuring that critical forensic data is accessible, accurate, and actionable. Our solution is built from the ground up with security operations teams in mind, extending Gem's cloud detection and response (CDR) platform with additional cloud incident response automation (CIRA)Â capabilities. This integration ensures the transition from detection to investigation is both swift and frictionless, eliminating the need for incident responders to juggle multiple tools and interfaces.
Broad Data Depth and Accessibility
In the cloud, forensic analysis requires data from numerous sources – from audit logs to service-level logs, machine/container images, and other artifacts. Gem's platform supports the widest range of forensic data sources in the industry today, combining volume data acquired from machines and containers together with cloud-native telemetry covering the control, data, network, and compute planes (e.g. audit logs, VPC flow logs, k8s logs, data events, database logs, etc.) and findings from cloud-native security tools (AWS GuardDuty, Microsoft Defender for Cloud, Google SCC, etc.) – plus identity provider platforms like Okta, Azure AD, and Google Workspace.
Consider, for example, a crypto mining investigation on Microsoft Azure that involves an AKS cluster running on a virtual machine. To get a full picture of the attack, investigators would need detailed information from the Kubernetes audit logs and the Azure activity logs, as well as visibility into the workload. Our platform provides all of this at the responder’s fingertips, easily surfacing information about the malware executed by an attacker as well as data from the control plane related to the attacker’s identity (be it human or non-human). This depth of data is crucial for uncovering the root cause of an incident and understanding its full scope.
Enhanced Usability and Automation for SecOps Teams
Workflow ease-of-use is at the core of Gem's design philosophy. We understand that the pressure on security operations teams is immense, especially during a critical incident and even more so when this incident occurs in a cloud environment, where attackers can move from initial entry to privilege escalation and impact in just minutes.Â
Our platform abstracts the complexities of the cloud, bridging the cloud expertise gap and empowering analysts of all levels to perform forensic investigations with confidence.
Gem's forensic capabilities, combined with automation workflows and a range of automated containment actions – such as isolating compromised instances and rotating access keys – significantly reduce the Mean Time to Response (MTTR). This automation now extends to ephemeral resources, ensuring that evidence is captured before it vanishes, and allowing security teams to quickly narrow the scope of their investigation and focus their efforts where they’re most needed.Â
Every forensic artifact extracted by Gem is saved in a centralized immutable storage bucket, in order to maintain the chain of custody and prevent evidence tampering. This process follows the DFIR best practices published by every CSP and adheres to strict compliance standards.
Other capabilities such as a unified investigation timeline and entity-based context enable analysts to efficiently navigate evidence and hone in on critical details. Gem also delivers a series of recommendations to incident responders about next steps, including querying users about their actions, isolating compromised instances, creating snapshots for forensic analysis, and much more.
Providing incident responders with these capabilities also means significantly fewer support requests opened for the DevOps and DevSecOps teams, as incident responders can now access all the forensic data they need directly from the Gem platform, without any special permissions and without any risk to critical environments.
A Tailored Solution for Modern Cloud Incident Response
Gem's cloud forensic capabilities are specifically tailored to the needs of modern cloud incident response teams. Our forensics platform provides:Â
Complete forensic data capture from cloud logs to volume snapshots, ensuring your team has all the information it needs to uncover the root cause of an incident
Seamless automation to reduce repetitive, manual tasks, drive down the probability of costly mistakes, and reduce mean time to resolution (MTTR)
Out-of-the-box analysis of forensic data, providing automated forensic timelines to get to the root cause of a threat in minutes instead of hours
Whether it's virtual machines in Azure, Kubernetes clusters in GCP, or serverless architectures in AWS, our platform provides the visibility and tools necessary to conduct thorough investigations. This focus ensures that incident responders are not only prepared to respond to incidents but are also equipped to proactively identify and mitigate potential threats.
By offering a solution that combines depth of data, automation, and ease of use, Gem Security is redefining what is possible in the realm of cloud forensics. Our commitment to innovation ensures that Incident responders have the resources they need to stay ahead of cyber threats, making cloud environments safer and more resilient, and providing the tools and insights necessary for effective incident response in the cloud era.
Want to see it in action? We’d love to connect and show you a live demo of Gem and these new capabilities.
Learn more: