What is Cloud Incident Response? Cyber Terms Explained

Featuring: Tal Mozes, CEO & Co-Founder, Mitiga

Cloud incident response, process-wise, is not very different from regular incident response, which is the process we follow once we realize we have been breached. We need to start investigating what has happened, what the impact is, when it happened, and what we need in order to return to business as usual as soon as possible.

The problem in the cloud, unlike with on-prem technologies, is that we rely on a lot of logs and system settings that we can query, and a lot of that data might not be accessible to us for those investigations. When we talk about old-school on-prem incident response, usually we can take images from endpoints, we can find logs from operating systems, and so on.

But again, when we go to the cloud, if we didn't make sure in advance that we have the right data and keep it, in most scenarios we won't be able to recreate that data, and we won't have the complete picture to do the investigation and to do a thorough and productive incident response.

So, for some of the SaaS applications that we might have in our organization, we won't have logs at all. For some of them, we might be able to ask for those logs. For example, say you are running on Office 365 (not necessarily Office 365; it could be G Suite) and you're investigating a business email compromise, which is very common.

With all Office 365 applications, they only give you the logs from seven days back. But if you just discovered that it happened, I don't know, 10 months ago, and you would like to download those logs from Microsoft, Microsoft will throttle the download, and you might wait several weeks to download the right logs so you can start the investigation, and that will slow you down.

Therefore, keeping all those logs in advance and defining the right logs to have, and also capturing the security configuration and settings for cloud accounts and subscriptions that might not exist anymore by the time you start the investigation, is key to having an effective and quick incident response.
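The proactive log and configuration capture described above, as an added example that is not part of the original video and not Mitiga's product code: a PowerShell script that exports the Microsoft 365 unified audit log to local storage in daily chunks, pages through large result sets with a session ID, retries when the service throttles, and snapshots the tenant's organization configuration alongside it. It assumes the ExchangeOnlineManagement module is installed and the signed-in account holds an audit-log reader role; the output folder, the number of days pulled, and the retry settings are illustrative assumptions.

```powershell
# Added example, not from the video or from Mitiga: keep your own copy of the
# Microsoft 365 unified audit log and tenant settings before you need them.
# Assumptions: ExchangeOnlineManagement module is installed; the account has
# the View-Only Audit Logs (or Audit Logs) role; paths and windows are illustrative.
param(
    [int]$DaysBack = 7,                    # assumption: how many past days to export per run
    [string]$OutDir = ".\m365-audit-export", # assumption: local retention folder
    [int]$MaxRetries = 5                   # assumption: retries per page when throttled
)

Import-Module ExchangeOnlineManagement
Connect-ExchangeOnline -ShowBanner:$false

New-Item -ItemType Directory -Path $OutDir -Force | Out-Null

# 1. Snapshot tenant-level configuration that may be changed or deleted later.
$configFile = Join-Path $OutDir ("org-config-" + (Get-Date -Format "yyyy-MM-dd") + ".json")
Get-OrganizationConfig | ConvertTo-Json -Depth 5 | Set-Content -Path $configFile

# 2. Export the unified audit log one UTC day at a time.
$end   = (Get-Date).ToUniversalTime().Date
$start = $end.AddDays(-$DaysBack)

for ($day = $start; $day -lt $end; $day = $day.AddDays(1)) {
    # A unique SessionId lets the service hand back the full set page by page.
    $sessionId = "export-" + $day.ToString("yyyyMMdd") + "-" + [guid]::NewGuid()
    $file  = Join-Path $OutDir ($day.ToString("yyyy-MM-dd") + ".jsonl")
    $total = 0

    do {
        $page = $null
        $attempt = 0
        # Retry with increasing back-off if the service throttles the request.
        while ($null -eq $page -and $attempt -lt $MaxRetries) {
            try {
                $page = @(Search-UnifiedAuditLog -StartDate $day -EndDate $day.AddDays(1) `
                    -SessionId $sessionId -SessionCommand ReturnLargeSet -ResultSize 5000)
            } catch {
                $attempt++
                $delay = [math]::Pow(2, $attempt) * 5
                Write-Warning ("{0}: request failed ({1}); retrying in {2}s" -f `
                    $day.ToString("yyyy-MM-dd"), $_.Exception.Message, $delay)
                Start-Sleep -Seconds $delay
            }
        }
        if ($null -eq $page) { throw "Gave up on $($day.ToString('yyyy-MM-dd')) after $MaxRetries retries" }

        if ($page.Count -gt 0) {
            # AuditData is already a JSON document per record; store one per line
            # so the file can be loaded into any log tool during an investigation.
            $page | ForEach-Object { $_.AuditData } | Add-Content -Path $file
            $total += $page.Count
        }
    } while ($page.Count -gt 0)

    Write-Host ("{0}: {1} records saved to {2}" -f $day.ToString("yyyy-MM-dd"), $total, $file)
}

Disconnect-ExchangeOnline -Confirm:$false
```

Run this on a schedule (daily is enough to stay well inside the retention window) and copy the output folder to immutable or versioned storage that the tenant administrators cannot silently alter; the value of the export during an incident comes from it already existing, complete, when the investigation starts.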
