Just What is “Proactive Forensic Data Acquisition” Anyway?

By

It isn’t just anti-virus blind spots that hinder cybersecurity team efforts to safeguard organizational assets from threat actors. Veteran incident management analysts will tell you many detection tools also have blind spots that can lead to incomplete investigations and incorrect conclusions.

At the same time, it is unreasonable to expect the guardians at your enterprise gate – XDR and SIEM amongst them – to help continually detect all cyberattacks at all times. As the saying goes, a threat actor need only be successful one time.  

When it comes to visibility, there’s another consideration in the threat detection solution space: many organizations are upgrading their MSSP solutions to MDR models, which leaves some cybersecurity teams in transition.

These detection tools are an important part of today’s cybersecurity ecosystem, but when these solutions fall short, another approach that improves cyber resilience with richer forensic data may be in order.

Combatting Rising Cloud IR Costs

The July 2022 IBM Cost of a Data Breach Report notes that lost business costs associated with a breach are now surpassed by expenditures associated with detection and escalation. In addition, 45% of reported breaches are associated with the cloud. That leaves us with a few related questions:

  • What’s driving those internal detection and escalation costs? The IBM report finds that reactive incident response activities, such as forming an IR team, can run more than $250,000 per breach.  
  • Other factors, including “third party involvement,” also approach that same $250,000 breach expenditure. How do third-party costs related to a cloud incident climb that quickly?
  • Another subject for discussion: How much overlap is factored between IR team formation and third-party involvement, since so many organizations use an IR partner to assist in-house investigation efforts?

Those questions aside, we can share a few of our own notes regarding the costs associated with a breach:  

  • In a standard IR model, investigations are handled as time and materials engagements involving hourly consulting fees.  
  • In this reactive approach, the early stages of cloud and software-as-a-service (SaaS) breach investigations involve downloading logs from cloud service providers (CSPs) and other sources.  
  • So, while the IR retainer may be free, the meter runs fast whenever a breach occurs.

Proactive forensic data management reduces IR complexity, costs

With the IBM Report informing us that cloud breaches in hybrid environments now approach the volume of successful on-premises cyberattacks, some organizations are looking to better prepare themselves to handle the next incident. Since the accepted notion is that every organization will be breached, organizations looking to build cyber resilience “before the next boom hits” are focused on IR elements under their control.  

Atop this list: proactively collecting CSP and SaaS log data before the next incident occurs. However, there is a “catch” with this proactive process: most CSPs only store logs for 90 days, but attackers are typically not identified until months after they have gained access – up to 200 days or longer according to current reporting.  

As a result, it is time for IR vendors to upfront forensic data collection before the time & materials phase of their retainers. For enterprise cybersecurity teams looking to reduce IR complexity and better manage costs when the next cloud or SaaS breach occurs, here are some forensic data management features that assist those efforts:

  • Increase the number of CSP and SaaS log sources being collected – beyond pervasive AWS, Google Cloud, and Microsoft Azure cloud logs, the forensic data baseline should include continuous collection of SaaS audit logs (including those from Microsoft 365, Okta, and Slack, for example)
  • Expand the sources of data collection to include unified data platforms (like MongoDB Atlas) and cloud data warehousing platforms (such as Snowflake)
  • Once forensic data is collected from these CSP and SaaS sources, aggregate, enrich, and organize that data in a manner that promotes proactive investigation to identify potential threat actor activities before the next breach occurs

For more information about how Mitiga’s Incident Readiness & Response solution enhances proactive Forensic Data Acquisition for your organization, visit:  Incident Readiness & Response (IR²).

5 Ways to Reduce the Threat Posed by Cloud Aware Ransomware

Don't miss these stories:

Want to stay up to date on the latest Mitiga news and research? Subscribe to our blog!