Golden Time

In the Army, we defined “Golden Time” not only as the period around sunrise or sunset, but also as the time when the watch changes shift, or when one unit replaces another.

“Golden Time” was always a time when increased vigilance and readiness were imperative because most attacks occur during this time.  

Typically, sunrise and sunset are the times of day when people – whether in the military or in civilian life – tend to be less alert. Such a lapse in alertness can easily happen when one army force replaces another.  

The departing force’s duties and responsibilities are transitioning a new force. They’re tired and ready to leave. The replacements are still getting used to the base; learning more about their new duties and schedules; and can be less attuned to potential danger. Fortunately, experienced command and planning units prepare and execute meticulously to make sure each force turnover happens efficiently, vigilantly, and with the least amount risk.

Risks During Transitions to the Cloud

Similar scenarios play out for many of today’s businesses during digital transformation and in particular, during the transition to the cloud.  

In cloud transitions, the goal is move business processes from an on-premises environment to a cloud-based environment. Inevitably, as the transition progresses, some business processes are fully transferred while others are still in flux. It’s during this period of the turnover that incident response playbooks are no longer relevant.  Reality has changed.  The new environment doesn’t reflect the one the playbook was written for, and the threats to the new digital footprint are not addressed.  

Also, while it is the case that most of the company’s IT/security resources are proficient with the on-prem environment, they most likely will not yet fully understand the new technology within IaaS, PaaS and SaaS, making it very hard to respond efficiently to incidents.  

Additionally, while in transition teams might not have the right event logs connected to the SIEM and/or understand how to correlate between the events to monitor suspicious activity. And given that there will be a lot of duplicated business process on-prem and on-cloud for a period of time, it will be complicated to understand if a breach happened and impossible to track lateral movement as any breach could start on-prem and move to the cloud and vice versa.  

This is the ‘best’ time for attackers to make a move against an organization. Most organizations transitioning to the cloud do it over a year or more, leaving a lot of opportunities for adversaries to act.

What should you do?

Times like cloud transition require extra caution and precise tracking of business processes that are migrating to the cloud. It is necessary to validate if a process still exists on-prem or not. Care must be taken to ensure security settings don’t open new holes and breaches. Information (logs) being saved and monitored must be validated for completeness, so that when something happens, there is enough to run an investigation. Training and evaluation is essential to ensure that cloud security and hybrid incident response skills are present in the organization and among suppliers. This is vital now more than ever before since it is very hard to hire new resources with cloud security knowledge.  

What are the top five new security challenges in cloud environments?

LAST UPDATED:

May 3, 2024

Don't miss these stories:

From Breach Response to Platform Powerhouse: Ofer Maor on Building Mitiga for Cloud, SaaS, and Identity Security

Solutions Platform Helios AI Cloud Security Data Lake Cloud Threat Detection Investigation and Response Readiness (TDIR) Cloud Detection and Response (CDR) Cloud Investigation and Response Automation (CIRA) Investigation Workbench Managed Services Managed Cloud Detection and Response (C-MDR) Cloud Managed Threat Hunting Cloud and SaaS Incident Response Resources Blog Mitiga Labs Resource Library Incident Response Glossary Company About Us Team Careers Contact Us In the News Home » Blog Main BLOG From Breach Response to Platform Powerhouse: Ofer Maor on Building Mitiga for Cloud, SaaS, and Identity Security In this premiere episode of Mitiga Mic, Mitiga’s Co-founder and CTO Ofer Maor joins host Brian Contos to share the journey behind Mitiga’s creation—and how it became the first purpose-built platform for cloud, SaaS, and identity detection and response. Ofer discusses why traditional incident response falls short in modern environments, how Mitiga built its platform from real-world service experience, and the crucial role of automation and AI in modern SOC operations.

Helios AI: Why Cloud Security Needs Intelligent Automation Now

Mitiga launches Helios AI, an intelligent cloud security solution that automates threat detection and response. Its first feature, AI Insights, cuts through noise, speeds up analysis, and boosts SecOps efficiency.

Hackers in Aisle 5: What DragonForce Taught Us About Zero Trust

In a chilling reminder that humans remain the weakest component in cybersecurity, multiple UK retailers have fallen victim to a sophisticated orchestrated cyber-attack by the hacking group known as DragonForce. But this breach was not successful using a zero-day application vulnerability or a complex attack chain. It was built on trust, manipulation, and a cleverly deceptive phone call.

No One Mourns the Wicked: Your Guide to a Successful Salesforce Threat Hunt

Salesforce is a cloud-based platform widely used by organizations to manage customer relationships, sales pipelines, and core business processes.

Tag Your Way In: New Privilege Escalation Technique in GCP

GCP offers fine-grained access control using Identity and access management (IAM) Conditions, allowing organizations to restrict permissions based on context like request time, resource type and resource tags.

Who Touched My GCP Project? Understanding the Principal Part in Cloud Audit Logs – Part 2

This second part of the blog series continues the path to understanding principals and identities in Google Cloud Platform (GCP) Audit Logs. Part one introduced core concepts around GCP logging, the different identity types, service accounts, authentication methods, and impersonation.