Cloud Security and Cyber Insurance Experts Help Organizations Learn How to Mitigate Cloud and SaaS Threats


Featuring:
Shay Simkin,
Global Head of Howden Cyber

Tal Mozes,
CEO and Co-founder of Mitiga

Shay Simkin:
We really need to define and understand “Where is the border between our security, or what we invest in cybersecurity as a client, and the infrastructure?” And sometimes, because they're so big and because they are, we trust that they have everything. Is that the right presumption from our side?

Tal Mozes:
I think first we need to understand the shared responsibility model with the public cloud vendors, which is what we like to call a “split responsibility model” actually. It's not shared. They are providing us with everything we need in order to defend ourselves properly and detect breaches. But if we don't use it well and we are being breached, this is not their responsibility. This is ours.

So with split responsibility, their responsibility is to provide us with the tools and the means; it’s their responsibility to provide their own infrastructure, security and assurance. It's our responsibility to use it well. To know how to use it, to monitor it, and to respond to incidents that happen on this infrastructure that are not necessarily related to the vendor, but relate to our specific use of their infrastructure.

Shay Simkin:
I'm being asked by a lot of our clients globally, what is best for them? Is it better for them… is it more protected for them to be on the cloud or to keep the systems on-prem? Maybe a hybrid model like we see in some places? I know it's not a white or black question, but what would you say, having been so many years in this industry and having seen so many claims?

Tal Mozes:
I would say that really depends on the specific needs of the specific customer. So the question is not really what is more secure. It is “What are my needs and do I know how to use it? Do I have the right skills? Do I understand the magnitude or the impact of a breach on this infrastructure? What is the risk that I'm taking versus the risk of not using it and continuing to maintain my on-prem infrastructure?” And also, to understand how to provide my employees with the right training to enable them to use it properly.

Shay Simkin:
And can you explain to us a little bit about what “good” cloud security is? You know, we know in our industry, you know, we have the EDR and MFA, and SIEM, SOC, or whatever… and then maybe we look at cloud clients and on-prem clients as if they were the same.

So can you highlight to us what are the important things when you are on cloud as far as security products and the visibility that you are getting as a company from those products that you are seeing on the cloud?

Tal Mozes:
So first of all, it is making sure that we have good posture management for all the cloud infrastructure. Second of all, it is to gain visibility and to know who is accountable for each one of the digital footprints in the cloud. Who is accountable for your AWS or Azure or GCP? Who is accountable for Active Directory? Who is accountable for the different environments like Snowflake or Databricks?

When we talk about security, we want to make sure that we know what to do when our protection or defense lines are failing. One of the challenges, but also an opportunity in the cloud, is that unlike on-prem technology, even if you know how to make sure it's fully protected to the best that you can, and it's being breached, when you want to investigate something, you need to investigate logs.

And those logs could be security logs. It could also be behavioral logs like network traffic for example.

Shay Simkin:
Is it my responsibility to collect the logs or is it the vendor's responsibility? Or is it the shared responsibility?

Tal Mozes:
It's your sole responsibility to be aware of what logs are out there, to collect them and to make good use of those logs. Unfortunately, there's not a lot of knowledge out there; even when you go to a specific vendor and you ask what's in the log, you will not get good answers. This is one of the things that we're doing for our customers. We're helping them to understand what logs they need to collect, and also what's in the logs and how to use it.

You will have an amount of data which is two or three orders of magnitude larger than the data you collected into your Security Operations Center (SOC) before, and that could be very expensive to collect. If you want to collect it, usually into your SIEM, which is connected to your Security Operations Center (SOC) so you can monitor it, you will usually pay per volume of data, and that could cost you millions of dollars per year. If for on-prem you paid 1 ½ million, now for the cloud you'll pay 3, 3 ½ million dollars.

What most organizations will do is A) not collect everything, and B) even if they collect it, not keep it for more than 30, 60 or 90 days usually, because it takes a lot of space to keep the data and also a lot of processing power to process the data, which makes it very, very expensive.

One of the things that we have done is to make this process very simple and very cost efficient so we can collect all this data for our customers into a security data lake we built just for this purpose. It's a proprietary security data lake that can run on any data lake that you already have, like Snowflake or Databricks, and it keeps all this data in one place in a very, very cheap manner.

It's so cheap that we don't even charge our customers per volume because we want to encourage them to send as much data as possible and then there's the logic layer on top of that to make sense of this data as well.

Shay Simkin:
If the client doesn't keep the logs, then you're somewhat lost. And because you said that a lot of the clients don't keep it because of the cost, I think it's a very, very good point that our clients need to understand: when the day of the claim comes, it's going to be very difficult to do a forensic report and therefore move on and remediate the events. So, very interesting point.

Tal Mozes:
Some of those vendors will provide you logs, so if you want to investigate a Business E-mail Compromise (BEC) on Office 365, Microsoft will give you the last seven days of logs very easily, but anything older than that you can still get from them, but the download is very, very slow. They're throttling the download of this data; it's a huge amount of data, and it could take you two to three weeks just to download the data you need to start investigating it.

And then you might figure out you need more data and wait for another week or two, so it will take you over a month only to start the investigation of the breach that happened.

And both you and I know that when there is a breach, speed is everything. And the quicker you can recover, the lower the damage and the cost of the breach.

Shay Simkin:
You know, how can we as clients or brokers or an industry understand if the IR has the expertise to deal with the events on the cloud?

Tal Mozes:
So I think Incident Response (IR) in the cloud is very specific and different from on-prem incident response. I think on-prem is old school. You have a lot of smart people, very skilled, who know how to do the job, and it's easier to work with the right vendors.

When it comes to the cloud, you need to see that they have the right tooling to extract the data from the cloud, that they know how to understand it, and that they understand the specifics of the services that you're using.

They can trace your identity across all those different environments and they have enough experience dealing with cloud incidents before that have not finished with “We cannot investigate because we don't have enough logs.”

Do you know if your team has the right logs to investigate cloud and SaaS breaches seamlessly and quickly? Book a demo with a Mitiga representative to see how cloud and SaaS threat detection, investigation, and response is different from your on-prem strategy and how you can equip your organization with the right tools and expertise.
