Home
»
Blog Main
August 1, 2022

Just What is “Proactive Forensic Data Acquisition” Anyway?

By

It isn’t just anti-virus blind spots that hinder cybersecurity team efforts to safeguard organizational assets from threat actors. Veteran incident management analysts will tell you many detection tools also have blind spots that can lead to incomplete investigations and incorrect conclusions.

At the same time, it is unreasonable to expect the guardians at your enterprise gate – XDR and SIEM amongst them – to help continually detect all cyberattacks at all times. As the saying goes, a threat actor need only be successful one time.  

When it comes to visibility, there’s another consideration in the threat detection solution space: many organizations are upgrading their MSSP solutions to MDR models, which leaves some cybersecurity teams in transition.

These detection tools are an important part of today’s cybersecurity ecosystem, but when these solutions fall short, another approach that improves cyber resilience with richer forensic data may be in order.

Combatting Rising Cloud IR Costs

The July 2022 IBM Cost of a Data Breach Report notes that lost business costs associated with a breach are now surpassed by expenditures associated with detection and escalation. In addition, 45% of reported breaches are associated with the cloud. That leaves us with a few related questions:

  • What’s driving those internal detection and escalation costs? The IBM report finds that reactive incident response activities, such as forming an IR team, can run more than $250,000 per breach.  
  • Other factors, including “third party involvement,” also approach that same $250,000 breach expenditure. How do third-party costs related to a cloud incident climb that quickly?
  • Another subject for discussion: How much overlap is factored between IR team formation and third-party involvement, since so many organizations use an IR partner to assist in-house investigation efforts?

Those questions aside, we can share a few of our own notes regarding the costs associated with a breach:  

  • In a standard IR model, investigations are handled as time and materials engagements involving hourly consulting fees.  
  • In this reactive approach, the early stages of cloud and software-as-a-service (SaaS) breach investigations involve downloading logs from cloud service providers (CSPs) and other sources.  
  • So, while the IR retainer may be free, the meter runs fast whenever a breach occurs.

Proactive forensic data management reduces IR complexity, costs

With the IBM Report informing us that cloud breaches in hybrid environments now approach the volume of successful on-premises cyberattacks, some organizations are looking to better prepare themselves to handle the next incident. Since the accepted notion is that every organization will be breached, organizations looking to build cyber resilience “before the next boom hits” are focused on IR elements under their control.  

Atop this list: proactively collecting CSP and SaaS log data before the next incident occurs. However, there is a “catch” with this proactive process: most CSPs only store logs for 90 days, but attackers are typically not identified until months after they have gained access – up to 200 days or longer according to current reporting.  

As a result, it is time for IR vendors to upfront forensic data collection before the time & materials phase of their retainers. For enterprise cybersecurity teams looking to reduce IR complexity and better manage costs when the next cloud or SaaS breach occurs, here are some forensic data management features that assist those efforts:

  • Increase the number of CSP and SaaS log sources being collected – beyond pervasive AWS, Google Cloud, and Microsoft Azure cloud logs, the forensic data baseline should include continuous collection of SaaS audit logs (including those from Microsoft 365, Okta, and Slack, for example)
  • Expand the sources of data collection to include unified data platforms (like MongoDB Atlas) and cloud data warehousing platforms (such as Snowflake)
  • Once forensic data is collected from these CSP and SaaS sources, aggregate, enrich, and organize that data in a manner that promotes proactive investigation to identify potential threat actor activities before the next breach occurs

For more information about how Mitiga’s Incident Readiness & Response solution enhances proactive Forensic Data Acquisition for your organization, visit:  Incident Readiness & Response (IR²).

5 Ways to Reduce the Threat Posed by Cloud Aware Ransomware

Don't miss these stories:

Mitiga at the 34th Annual FIRST Conference 2022

Thank you for joining Mitiga at the 34th Annual FIRST Conference 2022, which took place June 26 to July 1, 2022 in Dublin, Ireland

10 Recommendations for Your Organization to Increase Readiness Following the Okta Breach

Okta, an industry leader in identity and access management, was breached and the potential impact for the industry may be very high. Here are 10 actionable recommendations you can use to increase your breach readiness.

Cyber Week Israel 2022

Thank you for visiting Mitiga at Cyber Week, an expert-driven content and high-level networking in Israel, the high tech industry's Start Up Nation!

Want to see the future of IR for cloud and SaaS? Request a demo of IR2
SOLUTIONSBLOGABOUTworking at mitigaCONTACT
Copyright ©️ Mitiga Security Inc. All rights reserved | Terms of Use | Privacy Policy