It isn’t just anti-virus blind spots that hinder cybersecurity team efforts to safeguard organizational assets from threat actors. Veteran incident management analysts will tell you many detection tools also have blind spots that can lead to incomplete investigations and incorrect conclusions.

At the same time, it is unreasonable to expect the guardians at your enterprise gate – XDR and SIEM amongst them – to help continually detect all cyberattacks at all times. As the saying goes, a threat actor need only be successful one time.  

When it comes to visibility, there’s another consideration in the threat detection solution space: many organizations are upgrading their MSSP solutions to MDR models, which leaves some cybersecurity teams in transition.

These detection tools are an important part of today’s cybersecurity ecosystem, but when these solutions fall short, another approach that improves cyber resilience with richer forensic data may be in order.

Combatting Rising Cloud IR Costs

The July 2022 IBM Cost of a Data Breach Report notes that lost business costs associated with a breach are now surpassed by expenditures associated with detection and escalation. In addition, 45% of reported breaches are associated with the cloud. That leaves us with a few related questions:

  • What’s driving those internal detection and escalation costs? The IBM report finds that reactive incident response activities, such as forming an IR team, can run more than $250,000 per breach.  
  • Other factors, including “third party involvement,” also approach that same $250,000 breach expenditure. How do third-party costs related to a cloud incident climb that quickly?
  • Another subject for discussion: How much overlap is factored between IR team formation and third-party involvement, since so many organizations use an IR partner to assist in-house investigation efforts?

Those questions aside, we can share a few of our own notes regarding the costs associated with a breach:  

  • In a standard IR model, investigations are handled as time and materials engagements involving hourly consulting fees.  
  • In this reactive approach, the early stages of cloud and software-as-a-service (SaaS) breach investigations involve downloading logs from cloud service providers (CSPs) and other sources.  
  • So, while the IR retainer may be free, the meter runs fast whenever a breach occurs.

Proactive forensic data management reduces IR complexity, costs

With the IBM Report informing us that cloud breaches in hybrid environments now approach the volume of successful on-premises cyberattacks, some organizations are looking to better prepare themselves to handle the next incident. Since the accepted notion is that every organization will be breached, organizations looking to build cyber resilience “before the next boom hits” are focused on IR elements under their control.  

Atop this list: proactively collecting CSP and SaaS log data before the next incident occurs. However, there is a “catch” with this proactive process: most CSPs only store logs for 90 days, but attackers are typically not identified until months after they have gained access – up to 200 days or longer according to current reporting.  

As a result, it is time for IR vendors to upfront forensic data collection before the time & materials phase of their retainers. For enterprise cybersecurity teams looking to reduce IR complexity and better manage costs when the next cloud or SaaS breach occurs, here are some forensic data management features that assist those efforts:

  • Increase the number of CSP and SaaS log sources being collected – beyond pervasive AWS, Google Cloud, and Microsoft Azure cloud logs, the forensic data baseline should include continuous collection of SaaS audit logs (including those from Microsoft 365, Okta, and Slack, for example)
  • Expand the sources of data collection to include unified data platforms (like MongoDB Atlas) and cloud data warehousing platforms (such as Snowflake)
  • Once forensic data is collected from these CSP and SaaS sources, aggregate, enrich, and organize that data in a manner that promotes proactive investigation to identify potential threat actor activities before the next breach occurs

For more information about how Mitiga’s Incident Readiness & Response solution enhances proactive Forensic Data Acquisition for your organization, visit:  Incident Readiness & Response (IR²).

LAST UPDATED:

August 6, 2024

Don't miss these stories:

From Breach Response to Platform Powerhouse: Ofer Maor on Building Mitiga for Cloud, SaaS, and Identity Security

Solutions Platform Helios AI Cloud Security Data Lake Cloud Threat Detection Investigation and Response Readiness (TDIR) Cloud Detection and Response (CDR) Cloud Investigation and Response Automation (CIRA) Investigation Workbench Managed Services Managed Cloud Detection and Response (C-MDR) Cloud Managed Threat Hunting Cloud and SaaS Incident Response Resources Blog Mitiga Labs Resource Library Incident Response Glossary Company About Us Team Careers Contact Us In the News Home » Blog Main BLOG From Breach Response to Platform Powerhouse: Ofer Maor on Building Mitiga for Cloud, SaaS, and Identity Security In this premiere episode of Mitiga Mic, Mitiga’s Co-founder and CTO Ofer Maor joins host Brian Contos to share the journey behind Mitiga’s creation—and how it became the first purpose-built platform for cloud, SaaS, and identity detection and response. Ofer discusses why traditional incident response falls short in modern environments, how Mitiga built its platform from real-world service experience, and the crucial role of automation and AI in modern SOC operations.

Helios AI: Why Cloud Security Needs Intelligent Automation Now

Mitiga launches Helios AI, an intelligent cloud security solution that automates threat detection and response. Its first feature, AI Insights, cuts through noise, speeds up analysis, and boosts SecOps efficiency.

Hackers in Aisle 5: What DragonForce Taught Us About Zero Trust

In a chilling reminder that humans remain the weakest component in cybersecurity, multiple UK retailers have fallen victim to a sophisticated orchestrated cyber-attack by the hacking group known as DragonForce. But this breach was not successful using a zero-day application vulnerability or a complex attack chain. It was built on trust, manipulation, and a cleverly deceptive phone call.

No One Mourns the Wicked: Your Guide to a Successful Salesforce Threat Hunt

Salesforce is a cloud-based platform widely used by organizations to manage customer relationships, sales pipelines, and core business processes.

Tag Your Way In: New Privilege Escalation Technique in GCP

GCP offers fine-grained access control using Identity and access management (IAM) Conditions, allowing organizations to restrict permissions based on context like request time, resource type and resource tags.

Who Touched My GCP Project? Understanding the Principal Part in Cloud Audit Logs – Part 2

This second part of the blog series continues the path to understanding principals and identities in Google Cloud Platform (GCP) Audit Logs. Part one introduced core concepts around GCP logging, the different identity types, service accounts, authentication methods, and impersonation.