Mitiga Appoints Charlie Thomas as CEO READ THE RELEASE

Mitiga Announces $30M Series B Led by SYN Ventures READ THE NEWS

It isn’t just anti-virus blind spots that hinder cybersecurity team efforts to safeguard organizational assets from threat actors. Veteran incident management analysts will tell you many detection tools also have blind spots that can lead to incomplete investigations and incorrect conclusions.

At the same time, it is unreasonable to expect the guardians at your enterprise gate – XDR and SIEM amongst them – to help continually detect all cyberattacks at all times. As the saying goes, a threat actor need only be successful one time.  

When it comes to visibility, there’s another consideration in the threat detection solution space: many organizations are upgrading their MSSP solutions to MDR models, which leaves some cybersecurity teams in transition.

These detection tools are an important part of today’s cybersecurity ecosystem, but when these solutions fall short, another approach that improves cyber resilience with richer forensic data may be in order.

Combatting Rising Cloud IR Costs

The July 2022 IBM Cost of a Data Breach Report notes that lost business costs associated with a breach are now surpassed by expenditures associated with detection and escalation. In addition, 45% of reported breaches are associated with the cloud. That leaves us with a few related questions:

  • What’s driving those internal detection and escalation costs? The IBM report finds that reactive incident response activities, such as forming an IR team, can run more than $250,000 per breach.  
  • Other factors, including “third party involvement,” also approach that same $250,000 breach expenditure. How do third-party costs related to a cloud incident climb that quickly?
  • Another subject for discussion: How much overlap is factored between IR team formation and third-party involvement, since so many organizations use an IR partner to assist in-house investigation efforts?

Those questions aside, we can share a few of our own notes regarding the costs associated with a breach:  

  • In a standard IR model, investigations are handled as time and materials engagements involving hourly consulting fees.  
  • In this reactive approach, the early stages of cloud and software-as-a-service (SaaS) breach investigations involve downloading logs from cloud service providers (CSPs) and other sources.  
  • So, while the IR retainer may be free, the meter runs fast whenever a breach occurs.

Proactive forensic data management reduces IR complexity, costs

With the IBM Report informing us that cloud breaches in hybrid environments now approach the volume of successful on-premises cyberattacks, some organizations are looking to better prepare themselves to handle the next incident. Since the accepted notion is that every organization will be breached, organizations looking to build cyber resilience “before the next boom hits” are focused on IR elements under their control.  

Atop this list: proactively collecting CSP and SaaS log data before the next incident occurs. However, there is a “catch” with this proactive process: most CSPs only store logs for 90 days, but attackers are typically not identified until months after they have gained access – up to 200 days or longer according to current reporting.  

As a result, it is time for IR vendors to upfront forensic data collection before the time & materials phase of their retainers. For enterprise cybersecurity teams looking to reduce IR complexity and better manage costs when the next cloud or SaaS breach occurs, here are some forensic data management features that assist those efforts:

  • Increase the number of CSP and SaaS log sources being collected – beyond pervasive AWS, Google Cloud, and Microsoft Azure cloud logs, the forensic data baseline should include continuous collection of SaaS audit logs (including those from Microsoft 365, Okta, and Slack, for example)
  • Expand the sources of data collection to include unified data platforms (like MongoDB Atlas) and cloud data warehousing platforms (such as Snowflake)
  • Once forensic data is collected from these CSP and SaaS sources, aggregate, enrich, and organize that data in a manner that promotes proactive investigation to identify potential threat actor activities before the next breach occurs

For more information about how Mitiga’s Incident Readiness & Response solution enhances proactive Forensic Data Acquisition for your organization, visit:  Incident Readiness & Response (IR²).

LAST UPDATED:

August 6, 2024

Don't miss these stories:

The Rising Threat of AI-Enabled Adversaries: Preparing for the Next Wave of Cloud and SaaS Attacks

Learn how adversaries weaponize AI technology and strategies to defend against AI-enabled threats.

Cyber Trends for 2024: What Security Leaders Should be Executing Next

As we hurtle into this new year, it’s already clear that there is an evolving set of cyber risks that organizations will need to contend with successfully to manage threats and grow their organizational resilience in 2024. Below, I’ll outline three of the biggest ones, sharing recommendations and execution checklists that can help enterprises enhance their threat readiness and elevate security postures as the threat landscape continues to evolve.

How to Protect Your Business From the Most Dangerous Cyberthreats

Ransomware attacks are on the rise, and it now more important then ever to be prepared. Be prepared by having an up-to-date incident response plan. Learn more.

Stop Ransomware Attackers From Getting Paid to Play Double-Extortionware Games

In the past, many companies relied on backups to get back to business quickly if they were attacked. Reliable, secure backups separated from the primary environment made it much more difficult for an attacker to access and encrypt them. That long-standing process no longer deters double-extortionware actors — instead, today’s attackers not only encrypt the data but also exfiltrate it.

SEC Cyber Disclosure Rule FAQ: What Leaders are Asking Us

The U.S. Securities and Exchange Commission (SEC) recently implemented a new rule mandating stringent cybersecurity incident reporting and disclosure requirements for public companies.

Log4Shell - identify vulnerable external-facing workloads in AWS

Cloud-based systems should be thoroughly searched for the new Log4j vulnerability (CVE-2021-44228). But this is a daunting task, since you need to search each and every compute instance, from the biggest EC2 instance to the smallest Lambda function. This is where Mitiga can help.