What Is Cloud Investigation? Cyber Terms Explained
Featuring: Tal Mozes, CEO and Co-Founder, Mitiga
So, what is cloud investigation?
Maybe before we dive deep into cloud investigation, let's talk about what the cloud is that we're referring to in cybersecurity, because the cloud has different parts in your organization.
One of them will be the infrastructure, and the usual suspects will be GCP, AWS, and Azure. But also you have a lot of applications like your identity, if it's Okta or Active Directory or anything else. And you also have your productivity. It could be G Suite, it could be Office 365. All of those SaaS applications have high visibility, usually by the security team or the CIO.
But there are a lot of other SaaS applications that are less visible, and they're usually under the control of the business units. And that could be GitHub, GitLab under R&D, Mercator, Salesforce under the GTM teams, and so on. And usually, it's hard to find who's holding the keys to those cloud applications, and the visibility over there is limited, and usually logs are not being collected.
Going back to the original question about cloud investigation: Cloud investigation is the ability or capability to be able to look back into different events and actions that have happened in those different cloud and SaaS environments, not just one day. It could be a year or two years.
Usually, it takes over 220 days on average to find out that you have been breached and to be able to investigate what has happened. It could be investigating a user, or a business process, and this investigation capability is what allows you to investigate through multiple cloud environments at the same time, and to correlate it, in most cases, with a hybrid environment that includes on-prem technologies.
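The cross-environment lookback described above, as an added example that is not part of the interview or any Mitiga product: it normalizes constructed sample records in the shape of three log sources (AWS CloudTrail, the Okta System Log, and the GitHub audit log) into one timeline for a single identity, then checks which of those events would already be gone if log retention were shorter than the 220-day average dwell time. The user name, IP address, and timestamps are constructed.

```python
from datetime import datetime, timedelta, timezone

DWELL_TIME_DAYS = 220  # average time to discover a breach, as quoted in the interview

# Constructed sample records, each in its source's native field layout.
CLOUDTRAIL = [
    {"eventTime": "2023-01-15T08:02:11Z", "eventName": "CreateAccessKey",
     "userIdentity": {"userName": "alice"}, "sourceIPAddress": "198.51.100.7"},
    {"eventTime": "2023-09-02T14:30:00Z", "eventName": "GetObject",
     "userIdentity": {"userName": "alice"}, "sourceIPAddress": "198.51.100.7"},
]
OKTA = [
    {"published": "2023-01-15T07:58:40.000Z", "eventType": "user.session.start",
     "actor": {"alternateId": "alice@example.com"}, "client": {"ipAddress": "198.51.100.7"}},
]
GITHUB_AUDIT = [
    {"@timestamp": 1673770500000, "action": "repo.download_zip",  # ms since epoch
     "actor": "alice", "actor_ip": "198.51.100.7"},
]

def normalize(source, rec):
    """Map one source-specific record to a common schema (ts, source, actor, action, ip)."""
    utc = timezone.utc
    if source == "cloudtrail":
        ts = datetime.strptime(rec["eventTime"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=utc)
        actor, action, ip = rec["userIdentity"]["userName"], rec["eventName"], rec["sourceIPAddress"]
    elif source == "okta":
        ts = datetime.strptime(rec["published"], "%Y-%m-%dT%H:%M:%S.%fZ").replace(tzinfo=utc)
        # Okta identifies users by e-mail; strip the domain to match the other sources.
        actor = rec["actor"]["alternateId"].split("@")[0]
        action, ip = rec["eventType"], rec["client"]["ipAddress"]
    elif source == "github":
        ts = datetime.fromtimestamp(rec["@timestamp"] / 1000, tz=utc)
        actor, action, ip = rec["actor"], rec["action"], rec["actor_ip"]
    else:
        raise ValueError(f"unknown source {source}")
    return {"ts": ts, "source": source, "actor": actor, "action": action, "ip": ip}

def build_timeline(identity, sources):
    """Merge all sources into one chronologically ordered timeline for one identity."""
    events = [normalize(name, rec) for name, recs in sources.items() for rec in recs]
    return sorted((e for e in events if e["actor"] == identity), key=lambda e: e["ts"])

def lost_to_retention(timeline, retention_days, detected_on):
    """Events older than the retention window at detection time are no longer investigable."""
    detected = datetime.strptime(detected_on, "%Y-%m-%d").replace(tzinfo=timezone.utc)
    cutoff = detected - timedelta(days=retention_days)
    return [e for e in timeline if e["ts"] < cutoff]

def retention_covers_dwell_time(retention_days):
    return retention_days >= DWELL_TIME_DAYS
```

With 90-day retention and detection on 2023-09-10, the session start, key creation, and repository download from January are all outside the window, so only the September access remains visible.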
Want to learn how modern enterprises are investigating in the cloud?
Check out Investigation Workbench.