It isn’t just anti-virus blind spots that hinder cybersecurity team efforts to safeguard organizational assets from threat actors. Veteran incident management analysts will tell you many detection tools also have blind spots that can lead to incomplete investigations and incorrect conclusions.

At the same time, it is unreasonable to expect the tools guarding the enterprise perimeter, XDR and SIEM among them, to detect every attack every time. As the saying goes, the defender has to be right every time; a threat actor need only be right once.

Visibility brings another consideration in the threat detection space: many organizations are moving from a managed security service provider (MSSP) arrangement to a managed detection and response (MDR) model, which leaves some cybersecurity teams in transition, with neither provider holding a complete picture during the handover.

These detection tools are an important part of today's cybersecurity ecosystem, but where they fall short, a complementary approach that builds cyber resilience on richer forensic data may be in order.

Combatting Rising Cloud IR Costs

The July 2022 IBM Cost of a Data Breach Report notes that expenditures associated with detection and escalation now surpass the lost-business costs of a breach. In addition, 45% of reported breaches were cloud-based. That leaves us with a few related questions:

  • What's driving those internal detection and escalation costs? The IBM report finds that reactive incident response activities, such as forming an IR team after the fact, can run more than $250,000 per breach.  
  • Other factors, including "third party involvement," also approach that same $250,000 per-breach figure. How do third-party costs related to a cloud incident climb that quickly?
  • Another subject for discussion: how much overlap exists between IR team formation and third-party involvement, since so many organizations use an IR partner to assist in-house investigation efforts?

Those questions aside, we can share a few of our own notes regarding the costs associated with a breach:  

  • In a standard IR model, investigations are handled as time and materials engagements billed at hourly consulting rates.  
  • In this reactive approach, the early stages of cloud and software-as-a-service (SaaS) breach investigations are spent requesting and downloading logs from cloud service providers (CSPs) and other sources before any analysis can begin.  
  • So, while the IR retainer itself may be free, the meter runs fast from the moment a breach occurs.

Proactive forensic data management reduces IR complexity, costs

With the IBM report showing that nearly half of breaches now involve cloud environments, some organizations are looking to better prepare themselves to handle the next incident. Since the accepted notion is that every organization will be breached, organizations looking to build cyber resilience "before the next boom hits" are focused on the IR elements under their control.  

Atop this list: proactively collecting CSP and SaaS log data before the next incident occurs. There is a catch, though: most providers retain logs for a limited window by default. AWS CloudTrail Event history and the Azure Activity Log, for example, keep roughly 90 days unless you configure a trail or diagnostic setting that exports to storage you control, Google Cloud's _Default log bucket keeps 30 days, and SaaS audit log retention varies by product and licensing tier. Attackers, meanwhile, are typically not identified until months after they gain access, around 200 days or longer according to current reporting. If the evidence is not being copied out continuously, the earliest days of attacker activity have already been rotated away by the time the incident is discovered.  

As a result, it is time for IR vendors to front-load forensic data collection ahead of the time and materials phase of their retainers. For enterprise cybersecurity teams looking to reduce IR complexity and better manage costs when the next cloud or SaaS breach occurs, here are some forensic data management features that assist those efforts:

  • Increase the number of CSP and SaaS log sources being collected: beyond the ubiquitous AWS, Google Cloud, and Microsoft Azure logs (CloudTrail, Cloud Audit Logs, and the Activity and Entra sign-in logs), the forensic data baseline should include continuous collection of SaaS audit logs (from Microsoft 365, Okta, and Slack, for example)
  • Expand data collection to include unified data platforms (such as MongoDB Atlas) and cloud data warehousing platforms (such as Snowflake), since that is where the data attackers want to exfiltrate actually lives
  • Once forensic data is collected from these CSP and SaaS sources, aggregate it in storage under your own retention policy, then normalize and enrich it into a common schema so that identities, IP addresses, and actions can be correlated across sources and investigated proactively, rather than assembled from scratch after the next breach
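As an added example (not Mitiga's code, and not part of the original post), the following Python script shows what the last two points look like in practice: records from three sources with different shapes (an AWS CloudTrail record, an Okta System Log entry, and a Microsoft 365 unified audit log entry) are normalized into one schema, sorted into a single timeline, and checked against a provider retention window to show which events would no longer be retrievable from the provider on the day the incident is detected. All three records are constructed samples with only the fields the script uses; the 90-day window, the detection date and the `example.com` identities are assumptions for the illustration.

```python
"""Normalize constructed CSP/SaaS audit records into one schema and flag which
would already have aged out of a provider's retention window at detection time.
Added example; not the original page's or Mitiga's code."""
from __future__ import annotations

import json
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# Constructed sample records (not real log data). Field names follow each
# source's public format, reduced to the fields used below.
SAMPLE_RECORDS = {
    "aws_cloudtrail": [{
        "eventTime": "2024-01-15T08:12:33Z",
        "eventName": "GetSecretValue",
        "eventSource": "secretsmanager.amazonaws.com",
        "sourceIPAddress": "203.0.113.10",
        "userIdentity": {"arn": "arn:aws:iam::123456789012:user/ci-deploy"},
        "requestParameters": {"secretId": "prod/db/password"},
    }],
    "okta_system_log": [{
        "published": "2024-03-02T14:05:11.000Z",
        "eventType": "user.session.start",
        "actor": {"alternateId": "alice@example.com"},
        "client": {"ipAddress": "198.51.100.7"},
        "target": [{"displayName": "Okta Dashboard"}],
    }],
    "m365_unified_audit": [{
        "CreationTime": "2024-05-20T09:40:00",  # M365 emits naive UTC timestamps
        "Operation": "MailItemsAccessed",
        "UserId": "bob@example.com",
        "ClientIP": "192.0.2.44",
        "ObjectId": "Mailbox/bob@example.com",
    }],
}

# Assumed detection date and retention window for the illustration.
DETECTION_TIME = datetime(2024, 6, 30, tzinfo=timezone.utc)
DEFAULT_RETENTION_DAYS = 90


@dataclass
class Event:
    """Common schema every source is mapped onto."""
    source: str
    timestamp: datetime
    actor: str
    action: str
    source_ip: str | None
    target: str
    raw: dict


def _utc(ts: str) -> datetime:
    """Parse ISO-8601 with a trailing Z or no zone; treat naive values as UTC."""
    dt = datetime.fromisoformat(ts.replace("Z", "+00:00"))
    return dt if dt.tzinfo else dt.replace(tzinfo=timezone.utc)


def parse_cloudtrail(r: dict) -> Event:
    return Event("aws_cloudtrail", _utc(r["eventTime"]),
                 r.get("userIdentity", {}).get("arn", "unknown"),
                 r["eventName"], r.get("sourceIPAddress"),
                 json.dumps(r.get("requestParameters", {}), sort_keys=True), r)


def parse_okta(r: dict) -> Event:
    targets = ", ".join(t.get("displayName", "") for t in r.get("target") or [])
    return Event("okta_system_log", _utc(r["published"]),
                 r.get("actor", {}).get("alternateId", "unknown"),
                 r["eventType"], (r.get("client") or {}).get("ipAddress"), targets, r)


def parse_m365(r: dict) -> Event:
    return Event("m365_unified_audit", _utc(r["CreationTime"]),
                 r.get("UserId", "unknown"), r["Operation"],
                 r.get("ClientIP"), r.get("ObjectId", ""), r)


PARSERS = {"aws_cloudtrail": parse_cloudtrail,
           "okta_system_log": parse_okta,
           "m365_unified_audit": parse_m365}


def normalize(records_by_source: dict[str, list[dict]]) -> list[Event]:
    """Map every record through its source parser and return one sorted timeline."""
    events: list[Event] = []
    for source, records in records_by_source.items():
        parser = PARSERS[source]  # KeyError on purpose: an unknown source must not be silently dropped
        events.extend(parser(r) for r in records)
    return sorted(events, key=lambda e: e.timestamp)


def aged_out(events: list[Event], detection_time: datetime,
             retention_days: int = DEFAULT_RETENTION_DAYS) -> list[Event]:
    """Events older than the retention window at detection time: gone unless copied out earlier."""
    cutoff = detection_time - timedelta(days=retention_days)
    return [e for e in events if e.timestamp < cutoff]


def retention_report(records_by_source: dict[str, list[dict]], detection_time: datetime,
                     retention_days: int = DEFAULT_RETENTION_DAYS) -> dict:
    events = normalize(records_by_source)
    lost = aged_out(events, detection_time, retention_days)
    return {
        "total_events": len(events),
        "unrecoverable_from_provider": [e.source for e in lost],
        "timeline": [{"time": e.timestamp.isoformat(), "source": e.source,
                      "actor": e.actor, "action": e.action, "ip": e.source_ip}
                     for e in events],
    }


if __name__ == "__main__":
    print(json.dumps(retention_report(SAMPLE_RECORDS, DETECTION_TIME), indent=2))
```

With the assumed detection date of 30 June 2024 and a 90-day window, the CloudTrail and Okta events (January and March) fall outside the cutoff of 1 April and would have to come from a copy you made earlier, while the May Microsoft 365 event is still retrievable. The point of the common schema is the correlation it enables: once actor, action, IP and timestamp share field names, one query across the combined store answers "what else did this identity or address touch" without a per-source format in the way.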

For more information about how Mitiga’s Incident Readiness & Response solution enhances proactive Forensic Data Acquisition for your organization, visit:  Incident Readiness & Response (IR²).

LAST UPDATED: August 6, 2024
