Cybersecurity has been with us for decades, yet it’s still a young and maturing industry, and not surprisingly so. Every enterprise that cybersecurity supports is still moving along its own digital transformation journey. Some are in the early stages, lifting and shifting their on-prem workloads to the cloud. Others are well along the path, taking on new SaaS (Software as a Service) applications and developing their own cloud-native solutions to serve customers better, build efficiency into their operations, and transact with greater ease.

But all those advancements come with cyber risk. Increasingly, enterprises have recognized the new threats posed by operating in cloud and SaaS environments. However, to date, most organizations have focused on the protection aspect of their cloud security: keeping bad actors out. It may be a mindset left over from the on-prem days of establishing a strong perimeter. As cloud and SaaS adoption has risen and the perimeter has dissolved, enterprises must consider not only protection, but also response and resilience for when those protective layers are breached.

Rebalancing Your Cyber Investment Strategy

Today, it’s likely that your organization has a cybersecurity investment strategy that is somewhere in the neighborhood of 90/10, with 90% being spent on prevention and 10% allocated to detection and incident response. At a time when enterprises hold more data than ever in the cloud (and out of their control) and cloud and SaaS attacks continue to increase in frequency and sophistication, it’s an equation that needs some rethinking.

The evolving perspective stems from a growing realization: In modern digital landscapes, cyber attacks are inevitable. Rather than pouring resources into the increasingly elusive goal of complete prevention, the focus is shifting towards minimizing the impact of these unavoidable breaches.

In today’s environment, instead of disproportionately favoring threat prevention, a more balanced allocation that allows for greater investment in detection and response is needed. A 70/30 split is a sensible starting point, but the exact figures will depend on each organization's unique needs and risk profile. Depending on the breadth of your cloud estate and the value it represents for your enterprise, over time that allocation may become 60/40.

It’s important for executive and security teams to come together to understand what cloud and SaaS represent in terms of value, agree on the enterprise’s level of risk tolerance, and plan forward. The goal should be to maximize the impact of cyber investment dollars, while working to protect the value held within the cloud, and your enterprise overall.

Redirecting Cyber Investment to Modern Solutions

As you reallocate investment toward a strategy that elevates incident response and organizational resilience, it’s not only the amount of resources given to these areas that needs to shift. The types of solutions you spend on should be reconsidered too. For example, up to now, IR (incident response) dollars were likely designated for a retainer, so that if a breach happened you had someone on call to address the problem.

However, with the attack landscape moving at cloud speed, it’s not enough to have a team on speed dial after the fact. Enterprises need solutions that enable a proactive incident response approach, so that you are continually gathering and analyzing the data needed for forensic investigation before a breach occurs. It’s also important to gain continuous value from your investment dollars, focusing on methods that strengthen your visibility, hunting capabilities, and compliance during the times when you’re “at peace,” rather than directing your spend in ways that have mostly wartime value.

CIRA Supports Modern Investment Strategies

Cloud Investigation and Response Automation (CIRA) is an emerging set of capabilities designed to support the detection and response needs of modern organizations. There is an obvious benefit of transitioning from the traditional retainer model to a SaaS-based solution that emphasizes continuous monitoring, preparation, and dramatically accelerated response. Leveraging a CIRA platform helps enterprises ensure that they are prepared for inevitable incidents, can respond to them quickly and effectively, and minimize impact. By turning potential crises into manageable occurrences, CIRA isn’t simply a risk mitigation investment, but an operating expense that supports business enablement and organizational resilience.


Last updated: April 23, 2024
