There is an accepted notion in some corners of cybersecurity that maintains “there is no peacetime.” For many of us, that is a daunting premise — as it discounts extensive CISO efforts to extend multi-year investments in cybersecurity tools, innovation, and resources to address ongoing cyberattacks focused on business services transitioned to cloud and SaaS platforms.  

In cloud- and SaaS-based Incident Response, however, there is an acknowledged “peacetime”: the intervals between real-world breach attempts and the organizational investigations that follow them. Many IR vendors are front and center in helping organizations identify breach attempts and coordinate efficient investigative response activities, but their customers frequently question the value of their annual subscriptions with their contracted provider between firefights.

Organizations relying on large-scale cloud and SaaS investments should rightfully expect their IR vendor to provide a regular program of readiness activities that will assist security teams’ efforts to make their business better prepared to withstand the next cyberattack. In response to these customer expectations, here’s how IR vendors should respond.

Don’t delay forensic data acquisition and storage

Establishing IR peacetime value should actually begin during customer onboarding, with upfront cloud and SaaS log collection using established connectors into de facto sources like AWS, GCP, Azure, MongoDB, Snowflake, Okta, Salesforce, and Slack. Proactive forensic data acquisition reduces the risk, execution, and downtime associated with standard investigations by enabling cybersecurity teams to commence IR activities immediately after the breach is identified, leveraging securely stored, easily queried forensic data.  

Don’t forget: the longer the data storage provided by the vendor (1,000 days, for example), the more successful your future incident response activities will be.

Establish a shared-responsibility model during onboarding

In addition to proactive data collection, look for IR solutions focused on establishing a shared-responsibility partnership that enables your organization to maximize your vendor’s IR personnel, technology, data, and recommended practices. This model helps organizations minimize critical incidents and quickly return to business as usual. Relying on the continuity of known IR vendor contacts across both investigations and peacetime activities resolves questions about associated third-party staffing availability and delays that can impede both incident response and building cyber resilience.

Expect incident response readiness programs to enhance organizational cyber resilience

Lessons learned from recent, successful IR investigations are great, but why should they be limited to in-house activities? IR vendors should apply real-world cloud and SaaS threat analysis findings, whether found “in the wild” or in another account, across the entire customer base, including yours. Proactive threat hunts dedicated to your organization’s environment should be provided on a regular cadence (quarterly, for example).

To complement this proactive focus on threats, your organization’s IR resilience should involve vendor-provided Breach and Readiness Assessment programs that identify gaps and provide recommended-practice guidelines on how best to close them.

Leverage vendor automation to improve your cloud and SaaS IR investigation efficiencies

Hands-on expertise in making the most of your forensic data during IR investigations is a strong contributor to minimizing disruptions. So, too, is IR automation that shortens the investigative response process.

Derive more value from your stored forensic data

IR vendors should help organizations overcome the challenging differences between cloud/SaaS log collection and an on-premises model by providing recommended practices aligned with industry standards for forensic investigation, including logging formats, forensic gathering procedures, and default log retention. Customer demands for data lake access and management should apply to the cloud and SaaS forensic baseline as well. Ask IR vendors about their policies for providing direct customer access to collected logs.

Last updated: April 17, 2024
