Why the Implementation of CIRA is So Important for Incident Response

Originally published by Mitiga.

Written by Tal Mozes.

Incident response for cloud and SaaS (Software as a Service) requires new capabilities. Gartner® has released its recent report entitled “Emerging Tech: Security — Cloud Investigation and Response Automation Offers Transformation Opportunities.” The report shares the Critical Insights and Impacts for Cloud Investigation and Response Automation and offers recommendations for product leaders interested in emerging technologies in data forensics and incident response.

If you’re a security leader these days, you’re probably wrestling with the question of how to ensure that your team is enabled to respond and recover in the cloud as effectively as they do on prem. Because while you’ve likely spent a good deal of time, energy, and budget on the prevention side of your cloud security strategy, you may not yet have all the solutions you need in place to effectively manage cloud breaches.

But what gaps does CIRA (Cloud Investigation and Response Automation) solve in a cybersecurity landscape that is already filled with novel solutions? There are several important ones, actually.

4 Gaps CIRA Helps Enterprises Overcome

1. Filling in skills and experience gaps in cloud and SaaS incident response (IR)

Many IR and security teams are adept and seasoned in responding to breaches on-premises. They have the procedures and controls in place. However, far fewer know how to look for and respond to the ever-broadening variety of cloud and SaaS exploits that exist . So, when a breach happens, they may not be prepared to respond at the same level. This cloud IR knowledge—for better or worse will develop over time. But for now, augmenting your team’s cloud IR capabilities is one way CIRA solutions fill a crucial need.

2. Assuring the right cloud and SaaS investigation telemetry is collected

Even when mature organizations already have the right people in place and are blessed with the specialized talent needed to investigate your cloud and SaaS breaches, or even if they have the right vendor that truly understand breaches in SaaS and Cloud environments, they may not know whether they're continually gathering the needed data to fuel comprehensive investigations. The cloud is dynamic and ever changing. The velocity is huge. It’s hard for a security team tasked with so many other responsibilities to keep up with the cloud’s pace. This collection and analysis of those cloud forensics is another area where CIRA solutions can provide immense support.

3. Making sure your IR solutions are effective for cloud

Once you have the right telemetry and you have capable people, and you have the practices—how do you test your solutions? Do you know if when you put everything together, it works? If you took the same tools and methodologies that you add on prem, how are those practices holding up to cloud and SaaS incidents? Should you even conduct your practices at the same frequency that you do on prem? All of these are questions that you do not want to find answers to after a breach. There is too much at stake in today’s cloud- and SaaS-driven enterprise. This is another place where CIRA fills a gap. The technology and tools are designed fit-for-purpose, to ensure teams are enabled specifically for the needs and realities of cloud breaches.

4. Taming the challenges of SaaS

In modern enterprises, it’s a rare thing to have all SaaS apps managed by central IT. On the contrary, it’s much more typical that business units across the enterprise are often spinning up and managing their own SaaS applications—from Workday in HR to SaaS based CRM, marketing automation or collaboration tools like Salesforce or box.com or Marketo in marketing or sales units. Establishing the needed visibility and enforcing controls becomes an issue. And so does compliance. Because while enterprises can, and do, try to make policies for their SaaS—how do you as a security leader make sure that those policies are being followed?

If there's one thing worse than not having a policy, it is having a policy, not complying with it. Many big organizations have already faced hard lessons on this topic and know this first-hand. CIRA makes sure that while you're working to manage expansive SaaS environment and getting better and thinking of how together if anything happens, you will be ready to respond, and be able to recover. It doesn't replace securing it and applying policies, but it gives you much more visibility and some peace of mind knowing that you are doing something to manage those SaaS-based risks.