Don’t Believe Incident Response is Different in the Cloud? Let Us Count the 9 Ways


Your organization may well have already realized the improved technological efficiencies and reduced overhead promises of cloud migration — regardless of whether that move was designed as a phased model involving discrete workloads or services, a larger-scale transition, or a strategy based on using a mix of cloud providers across multiple geographies.

For organizations of any size or sector, these cloud transitions also present game-changing challenges for IT Operations leadership (CSOs and CISOs, for example) and personnel (including Cybersecurity, Incident Response,Security, and Network Operations). In terms of a baseline tactical response, since the attack surface now includes cloud-based workloads, cross-IT teams benefit from improved visibility that allows them to monitor service quality. As a result, more-frequent scanning of the overall attack surface environment (including cloud services) may be in order. However, a recent ESG Survey tells us the majority of IT teams are missing the mark — only 52% of organizations polled were committed to scanning their external attack surface beyond a once-weekly interval.

Conversely, while your organization may have a mature cloud modernization strategy, securing a cloud breach remains time-consuming. The IBM Data Breach Report 2021 notes that even those organizations with advanced cloud modernization strategies took 59 days to contain a cloud breach – with that timeframe measuring 77 days faster than those in formative cloud transformation.

Moving beyond traditional incident response practices in the cloud

Beyond the same-day responsiveness required for an effective Incident Response effort, the near-limitless cloud-based threat surface has further challenged traditional vendor efforts to deliver effective solutions to impacted customers.

Traditional IR vendors face distinct challenges with cloud-based cyber-attacks, including:

  • Lacking cloud-specific IR subject matter expertise
  • Working in a reactive model, without proactively readying their customer in advance of a near-inevitable breach attempt
  • Using time-consuming data access and cloud log collection processes that unnecessarily delay the investigation phase. Depending on the incident, these vendors may also have trouble collecting logs that yield sufficient back-in-time data necessary for conclusive forensics investigation.

In ransomware attacks with 48-hour response windows, such approaches leave customers in an untenable position – insufficient time to start the investigation or assess the criticality of the targeted data, which can lead to a decision to pay the ransom.

As a result, essential elements of incident readiness planning and rapid response must include:

  • Readiness activities offering value in advance of a breach, including situational awareness, breach readiness assessment, and data acquisition
  • The industry’s fastest cloud IR response approach
  • Continuous, proactive breach investigation

9 ways incident response is different in the cloud

Global organizations must rethink their IR processes in today’s cloud-heavy service environments based on the following differentiators as compared to traditional on-premises approaches:

  1. Business processes are increasingly SaaS-based
  2. Increased dependence in cloud infrastructure, with less IT oversight, may impact organizational security postures and raise the likelihood of a breach
  3. SaaS integrations expose third-party risks
  4. Complexities of cloud technologies foster new risks
  5. Cloud Service Providers (CSPs) own the data needed by incident response teams
  6. CSP data retention of 30-180 days is insufficient for effective breach investigations
  7. Cloud breaches involve unique techniques, tactics, and procedures (TTPs) that differ from those used in on-premises attacks
  8. Threat containment is far more complicated
  9. Security solutions do not provide required visibility

As a result, in considering today’s expanded cloud-based Incident Response landscape and those IR vendors truly equipped to offer potential solutions to you, here’s an important differentiator: Mitiga’s solutions were born cloud-ready and not a mere transition from an on-premises engagement model. Additionally, proactive breach investigation provides value before an incident occurs and lowers the impact of cyber breaches, while optimizing readiness for cloud and hybrid incidents. ​

Learn more about Mitiga’s Cloud IR differentiators in  9 Fundamental Ways Incident Response is Different in the Cloud

Don't miss these stories:

Want to see the future of IR for cloud and SaaS? Request a demo of IR2