
There is an accepted notion in some corners of cybersecurity that maintains “there is no peacetime.” For many of us, that is a daunting premise — as it discounts extensive CISO efforts to extend multi-year investments in cybersecurity tools, innovation, and resources to address ongoing cyberattacks focused on business services transitioned to cloud and SaaS platforms.  

In cloud- and SaaS-based Incident Response, however, there is an acknowledged “peacetime”: the intervals between real-world breach attempts and the associated organizational investigations. Many IR vendors are front-and-center in helping organizations identify breach attempts and coordinate efficient investigative response activities, but their customers frequently question the value of their annual subscriptions with their contracted provider between firefights.

Organizations relying on large-scale cloud and SaaS investments should rightfully expect their IR vendor to provide a regular program of readiness activities that will assist security teams’ efforts to make their business better prepared to withstand the next cyberattack. In response to these customer expectations, here’s how IR vendors should respond.

Don’t delay forensic data acquisition and storage

Establishing IR peacetime value should actually begin during customer onboarding, with upfront cloud and SaaS log collection using established connectors into de facto sources like AWS, GCP, Azure, MongoDB, Snowflake, Okta, Salesforce, and Slack. Proactive forensic data acquisition reduces the risk, execution time, and downtime associated with standard investigations by enabling cybersecurity teams to commence IR activities immediately after a breach is identified, leveraging securely stored, easily queried forensic data.

Don’t forget — the longer the data storage provided by the vendor, 1,000 days for example, the more successful your future incident response activities.

Establish a shared-responsibility model during onboarding

In addition to proactive data collection, look for IR solutions focused on establishing a shared-responsibility partnership that enables your organization to maximize your vendor’s IR personnel, technology, data, and recommended practices. This model helps organizations minimize critical incidents and quickly return to business as usual. Relying on the continuity of known IR vendor contacts across both investigations and peacetime activities resolves questions about associated third-party staffing availability and delays that can impede both incident response and building cyber resilience.

Expect incident response readiness programs to enhance organizational cyber resilience

Lessons learned from recent, successful IR investigations are great – but why should they be limited to in-house activities? IR vendors should apply threat analysis from real-world cloud and SaaS activity found “in the wild” or in another customer’s account across the entire customer base, including yours. Proactive threat hunts dedicated to your organization’s environment should be provided on a regular cadence, quarterly, for example.

In complementing this focus on proactive threats, your organization’s IR resilience should involve vendor-provided Breach and Readiness Assessment programs that identify gaps and provide recommended-practices guidelines on how best to close them.

Leverage vendor automation to improve your cloud and SaaS IR investigation efficiencies

Hands-on expertise in maximizing your forensic data in successful IR investigations is a strong contributor to minimizing disruptions. So, too, is IR automation that shortens the investigative response process.

Derive more value from your stored forensic data

IR vendors should provide assistance in helping organizations overcome the challenging differences that exist in cloud/SaaS log collection versus an on-premises model by providing recommended-practices aligned with industry standards for forensic investigation, including logging formats, forensic gathering procedures, and default log retention. Customer demands for data lake access and management should apply to the cloud and SaaS forensic baseline, as well — ask IR vendors about their policies for providing direct customer access to collected logs.

LAST UPDATED: April 17, 2024
