Your organization may well have already realized the efficiency gains and reduced overhead that cloud migration promises, whether that move was designed as a phased model involving discrete workloads or services, a larger-scale transition, or a strategy that mixes cloud providers across multiple geographies.
For organizations of any size or sector, these cloud transitions also present game-changing challenges for IT and security leadership (CSOs and CISOs, for example) and for their personnel (including Cybersecurity, Incident Response, Security, and Network Operations). As a baseline tactical response, since the attack surface now includes cloud-based workloads, teams across IT need improved visibility into that surface so they can monitor service quality as well as exposure. As a result, more frequent scanning of the overall attack surface (cloud services included) may be in order. However, a recent ESG survey tells us the majority of IT teams are missing the mark: only 52% of organizations polled committed to scanning their external attack surface more often than once a week.
Conversely, even where your organization has a mature cloud modernization strategy, containing a cloud breach remains time-consuming. IBM's Cost of a Data Breach Report 2021 notes that even organizations with advanced cloud modernization strategies took 59 days to contain a cloud breach, although that was 77 days faster than organizations still in the formative stages of cloud transformation.
Moving beyond traditional incident response practices in the cloud
Beyond the same-day responsiveness an effective Incident Response effort requires, the near-limitless cloud-based threat surface has made it harder for traditional vendors to deliver effective solutions to impacted customers.
Traditional IR vendors face distinct challenges with cloud-based cyber-attacks, including:
- A lack of cloud-specific IR subject matter expertise
- A reactive engagement model that does not proactively ready the customer in advance of a near-inevitable breach attempt
- Time-consuming data access and cloud log collection processes that needlessly delay the investigation phase. Depending on the incident, these vendors may also be unable to collect logs that reach far enough back in time for a conclusive forensic investigation.
In ransomware attacks with 48-hour response windows, such approaches leave customers in an untenable position: too little time to start the investigation or assess the criticality of the targeted data, which can push the decision toward paying the ransom.
As a result, essential elements of incident readiness planning and rapid response must include:
- Readiness activities that deliver value before a breach, including situational awareness, breach readiness assessment, and data acquisition
- The industry’s fastest cloud IR response approach
- Continuous, proactive breach investigation
9 ways incident response is different in the cloud
Global organizations must rethink their IR processes for today's cloud-heavy service environments, based on the following differences from traditional on-premises approaches:
- Business processes are increasingly SaaS-based
- Increased dependence on cloud infrastructure, with less IT oversight, may weaken organizational security posture and raise the likelihood of a breach
- SaaS integrations expose third-party risks
- Complexities of cloud technologies foster new risks
- Cloud Service Providers (CSPs) own the data needed by incident response teams
- CSP data retention of 30-180 days is too short for effective breach investigations
- Cloud breaches involve unique tactics, techniques, and procedures (TTPs) that differ from those used in on-premises attacks
- Threat containment is far more complicated
- Security solutions do not provide required visibility
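The retention gap in the list above (and the back-in-time log collection problem noted under the challenges traditional IR vendors face) is something a team can check before any incident. The following is an added example written for this page, not Mitiga's code or tooling. It models a small inventory of cloud log sources, compares each source's retention window with an estimated attacker dwell time, and shows which sources would already be unable to reach the initial-access date, with and without proactive forwarding to a store the organization controls. The source names, the 200-day dwell estimate, the detection date and the 30- and 180-day retention values are constructed for illustration (they sit inside the 30-180 day range the page cites); the 90-day window for CloudTrail event history matches AWS's documented default.

```python
from dataclasses import dataclass, replace
from datetime import date, timedelta

# Constructed scenario values for the example (not from the page or any real incident).
DETECTED_ON = date(2021, 9, 15)   # day the breach was detected
DWELL_DAYS = 200                  # estimated days the attacker was present before detection


@dataclass(frozen=True)
class LogSource:
    """One log source an IR team would need during a cloud investigation."""
    name: str
    csp_retention_days: int          # how long the provider keeps it by default
    archive_retention_days: int = 0  # our own long-term copy; 0 = not forwarded anywhere


def default_sources():
    """Constructed inventory. CloudTrail event history is 90 days by AWS default;
    the identity-provider and SaaS values are illustrative placeholders."""
    return [
        LogSource("aws_cloudtrail_event_history", 90),
        LogSource("idp_signin_logs", 30),
        LogSource("saas_audit_log", 180),
    ]


def earliest_available(src, today):
    """Oldest event date still retrievable from either the CSP or our own archive."""
    keep = max(src.csp_retention_days, src.archive_retention_days)
    return today - timedelta(days=keep)


def coverage_report(sources, detected_on, dwell_days):
    """For a breach detected on `detected_on` after an estimated `dwell_days` of
    attacker presence, report per source whether its logs still reach back to the
    estimated initial-access date, and how many days of evidence are already gone."""
    initial_access = detected_on - timedelta(days=dwell_days)
    report = {}
    for src in sources:
        earliest = earliest_available(src, detected_on)
        report[src.name] = {
            "earliest_event": earliest,
            "covers_initial_access": earliest <= initial_access,
            "missing_days": max(0, (earliest - initial_access).days),
        }
    return initial_access, report


def sources_needing_forwarding(sources, expected_dwell_days):
    """Readiness check: sources whose longest retention is shorter than the dwell
    time we plan for. These are the ones to start archiving before a breach."""
    return [
        s.name for s in sources
        if max(s.csp_retention_days, s.archive_retention_days) < expected_dwell_days
    ]


def with_forwarding(sources, archive_days):
    """Model proactive data acquisition: every source forwarded to a store we control
    and kept for `archive_days`."""
    return [replace(s, archive_retention_days=archive_days) for s in sources]


if __name__ == "__main__":
    scenarios = (
        ("CSP defaults only", default_sources()),
        ("with 400-day archive", with_forwarding(default_sources(), 400)),
    )
    for label, srcs in scenarios:
        initial_access, rep = coverage_report(srcs, DETECTED_ON, DWELL_DAYS)
        print(f"{label}: estimated initial access {initial_access}")
        for name, r in rep.items():
            status = "ok" if r["covers_initial_access"] else f"missing {r['missing_days']} days"
            print(f"  {name:30} earliest {r['earliest_event']}  {status}")
        print("  forward now:", sources_needing_forwarding(srcs, DWELL_DAYS) or "nothing")
```

With the constructed values, every source falls short under CSP defaults alone (CloudTrail event history loses the first 110 days of the intrusion, the sign-in logs 170, the SaaS audit log 20), and all three are covered once they are forwarded to a 400-day archive. The dwell estimate is the input to get right: size it from the longest dwell time you are prepared to investigate, not from what the CSP happens to keep.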
As a result, when you weigh today's expanded cloud-based Incident Response landscape and which IR vendors are truly equipped to offer you solutions, here is an important differentiator: Mitiga's solutions were born cloud-ready rather than being a transition from an on-premises engagement model. Additionally, proactive breach investigation provides value before an incident occurs, lowers the impact of cyber breaches, and optimizes readiness for cloud and hybrid incidents.
Learn more about Mitiga’s Cloud IR differentiators in 9 Fundamental Ways Incident Response is Different in the Cloud