Why is CIRA (Gartner) all the Hype for Cloud Incident Response?

With the rapid shift of systems to the cloud across all sectors, over 60% of corporate data is now stored in the cloud. The appeal of migrating to the cloud is clear – greater speed, agility, flexibility, cost savings, and more. But with increased adoption also comes increased risk of cyber attacks and breaches. Further, leveraging the cloud introduces new security challenges, especially when it comes to forensics and incident response. Cloud Investigation and Response Automation (CIRA) is the solution to allow security teams to keep up with the rapidly evolving cloud threat landscape and ensure timely risk mitigation.

Cloud Investigation and Response Automation (CIRA) Explained      

Cloud Investigation and Response Automation (CIRA) is an emerging category within cloud security. CIRA technologies enable security teams to automate the collection and analysis of forensic data in cloud environments to expedite response. The category was first coined by Gartner® earlier this year in an Emerging Tech Report: Security — Cloud Investigation and Response Automation Offers Transformation Opportunities and most recently included in the latest Hype Cycle for Workload and Network Security, in which Cado Security was named a sample vendor. 

The rapidly evolving attack methods observed in cloud environments coupled with the growing number and scope of regulatory requirements has increased urgency among organizations to adopt a modern approach to incident response. CIRA technologies deliver key capabilities to enable organizations to thoroughly understand and respond to cloud risk. Core capabilities of CIRA technologies include:

• Forensic data collection and analysis across multi-cloud environments
• Ability to preserve evidence acquired across dynamic and ephemeral resources such as containers 
• Seamless investigation of various data sources acquired from both cloud resources and logs
• Automated remediation actions to enable rapid response

Why is the Implementation of CIRA so Important?

There are three key reasons why implementing CIRA for incident response is critical to ensure proper security measures are extended to cloud environments. 

The Cloud is Complex and Dynamic

The cloud introduces a new level of complexity that security teams haven't dealt with when performing forensics and incident response in traditional on-premises environments. Because of this, organizations are now increasingly demanding a new approach (and technologies) for incident response in the cloud. Cloud VMs, containers and serverless functions can be difficult or impossible to access and investigate in the event of a security incident. Worse, critical evidence can simply disappear before security teams are even ready to take a closer look. Further, the volume of data in the cloud and the number of services and data sources further exasperates the cyber security skills gap, leaving organizations vulnerable to greater risk and increased response times. 

Growing Scope and Number of Reporting Regulations

New and existing reporting regulations create a significant challenge for CISOs. For example, new legislation from the SEC states that publicly traded companies will soon have a four day time limit to disclose breaches they suffer to the SEC. These disclosures are then made public by the SEC. Further, in the EU, GDPR has long since had a 72 hour reporting requirement for data breaches – either to your customer if you’re processing their data or to a Data Processing Authority (DPA). There is also the aspect of collecting evidence in such a way that it is admissible in court and useful to law enforcement, data must be collected and stored in such a way that its full chain of custody can be accounted for. Without the right tools all of this can be very complicated.  

Cloud Threats are on the Rise 

Development teams aren't the only ones moving to the cloud. Threat actors have also matured their tools and techniques to take advantage of new blindspots in cloud environments. The recent Microsoft compromise by Chinese threat actors is a good example of how far reaching and damaging cloud attacks can be. At Cado, we’ve observed a number of novel cloud-based threat techniques such as Denonia, the first publicly-known case of malware specifically designed to execute in an AWS Lambda environment.  While the first sample was fairly innocuous in that it only runs crypto-mining software, it demonstrates how attackers are using advanced cloud-specific knowledge to exploit complex cloud infrastructure. By applying traditional forensics methods and approaches to the cloud, security teams are struggling to keep up with attackers.

How Cado Delivers CIRA 

The Cado Platform was specifically designed to empower organizations to effectively manage the unique challenges of cloud environments in the context of incident response. Cado delivers CIRA by leveraging the scale and speed of the cloud to automate as much of the incident response workflow as possible – from data capture and processing to root cause analysis and attack containment. The platform enables security teams to gain immediate access to forensic-level data in multi-cloud, container, and serverless environments. Evidence items extracted from cloud-provider logs, disk, memory and more, are processed in parallel to drastically reduce time to investigation. The platform was built to empower security analysts of all levels by automatically highlighting the most important events related to an incident including its root cause, scope and impact. Cado also supports remediation actions so that organisations can quickly contain active attacks. 

 With Cado’s CIRA capabilities security teams can: 

• Automate the end-to-end incident investigation and response process – from processing the alert, to collecting and preserving the evidence, analyzing the data, containing the threat and limiting its impact.
• Prepare comprehensively for an incident, setting up accesses, automation rules, and integrations with third party systems (like incident management platforms, XDR, SOAR, CNAPP, and SIEM) to make sure they have a robust, comprehensive and defensible process and architecture.
• Test the organization's preparedness and understand its risk posture, knowing where your gaps are and where they need to invest to reduce exposure.

Interested in learning more? Contact our team to see a demo. 

Gartner does not endorse any vendor, product or service depicted in its research publications, and does not advise technology users to select only those vendors with the highest ratings or other designation. Gartner research publications consist of the opinions of Gartner’s research organization and should not be construed as statements of fact. Gartner disclaims all warranties, expressed or implied, with respect to this research, including any warranties of merchantability or fitness for a particular purpose.