Multi Cloud Data Detection and Response with Cyera

Apr 24, 2023
March 13, 2024
Guy Gertner
When an attack is underway, you don’t wait around to see what additional damage can be done. You take action. 

Unfortunately for many companies, detecting a data breach can take weeks, months, or even years. According to IBM, the average time to detect a breach is 277 days, or roughly 9 months. This delay gives attackers ample time to explore the environment they have gained access to and discover what other valuable data it holds.

It took T-Mobile, the second largest wireless carrier in the United States, over a month to discover that a data breach had occurred. By then, the data of over 37 million customers had been stolen.

Predictably, attackers won’t stop once they’ve stumbled across the initial data trove. They’ll continue exfiltrating data as long as the access remains open. Toyota Motor Corporation discovered that an access key had been publicly available for nearly five years, exposing customer PII during that time.

Introducing Multi Cloud Data Detection and Response

While posture management and prevention are essential focus areas, you’ll also want to be prepared to react, and to do so quickly. Enter multi cloud data detection and response (DDR).

Multi cloud DDR exists to protect against data exposures, configuration changes, non-sanctioned data access, and data exfiltration events as they occur. Any of these events could indicate a data breach.

Early detection is key to minimizing the blast radius of a data breach. Once attackers obtain credentials to get inside, they still need time to find, extract, and monetize data, whether by selling the credentials or the data itself.

Why Multi Cloud DDR matters 

Balancing proactive and reactive approaches 

We combine the best of both worlds, enabling both proactive and reactive approaches.

Data Security Posture Management (DSPM) is about being proactive by identifying vulnerabilities, exposures, and other risks to data across your data landscape. Once you have a complete picture of your data risks, you’re positioned to reduce the attack surface before issues start bubbling up. 

But prevention isn’t always possible. 

Think of a data store that has just been restored from a snapshot. The data store contains sensitive data, but the data is missing encryption. Or sensitive data in a SharePoint, meant only for internal consumption, is shared externally with an unapproved third party or a personal Gmail account. As these events unfold, multi cloud DDR can quickly flag the incident for investigation and remediation.

Expanding the coverage

You can only protect the data that you see. We take a holistic and unified approach to multi cloud DDR. That is why we monitor events across SaaS, IaaS, and PaaS environments.

Cloud platforms are highly scalable, enabling users from virtually anywhere to access their resources, including the vast amounts of sensitive data they store. Consequently, misconfigurations and overly permissive access can expose sensitive data. Multi cloud DDR can flag when a misconfiguration allows public access, or when logging is turned off, which could leave security incidents undetected.

Contextualizing incidents

Multi cloud DDR works by analyzing events generated across cloud environments. On the surface, an event may not tell us much. But this is why data context matters. Context gives us the story behind the event so that we can more accurately determine its risk and reduce noisy alerts. 

Let’s say a data store with diagnostic data becomes widely accessible. Is there risk associated with the increased exposure and should that trigger an alert?

Context about the environment tells us about the data store: it is widely exposed, but it is also owned by the data science lead. We can deduce that data scientists will likely need to run models on this data.

Context about the data tells us that the data is, in fact, synthetic. It was generated to mimic real data without exposing actual customer data, in order to train more accurate AI models.

The context about the owner of the data (data scientist) and representation of data (synthetic data) suggests that the diagnostic data is not high risk. As a result, it shouldn’t trigger an alert. 
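The triage logic described above, as an added example that is not Cyera's code: the raw event says only that a data store became more widely accessible, and the decision to alert is made after joining it with environment context (who owns the store) and data context (what the records actually are). Event fields, roles, classifications and the scoring weights are constructed assumptions for this illustration.

```python
"""Context-aware triage of a data-exposure event (illustrative, not Cyera's code)."""
from dataclasses import dataclass
from typing import FrozenSet, List

@dataclass(frozen=True)
class ExposureEvent:
    store_id: str
    new_audience: str              # "internal", "org_wide" or "public" (assumed values)

@dataclass(frozen=True)
class DataContext:
    classification: str            # e.g. "diagnostic", "pii", "credentials" (assumed)
    is_synthetic: bool             # generated to mimic real data, no real subjects

@dataclass(frozen=True)
class EnvContext:
    owner_role: str                # role of the store's owner
    expected_consumers: FrozenSet[str]  # roles expected to read this store

@dataclass(frozen=True)
class Verdict:
    alert: bool
    severity: str
    reasons: tuple

AUDIENCE_WEIGHT = {"internal": 0, "org_wide": 1, "public": 3}
HIGH_IMPACT = {"pii", "credentials"}

def triage(event: ExposureEvent, data: DataContext, env: EnvContext) -> Verdict:
    reasons: List[str] = []
    # Base score comes from the exposure itself: wider audience, higher score.
    score = AUDIENCE_WEIGHT.get(event.new_audience, 3)
    reasons.append(f"audience widened to {event.new_audience}")

    # Data context: synthetic records carry no real exposure; high-impact
    # classifications raise the stakes.
    if data.is_synthetic:
        score -= 2
        reasons.append("records are synthetic, no real subjects exposed")
    elif data.classification in HIGH_IMPACT:
        score += 2
        reasons.append(f"records classified as {data.classification}")

    # Environment context: a wider-but-internal audience that matches the
    # owner's team is expected use, not an incident. Public access never is.
    if event.new_audience != "public" and env.owner_role in env.expected_consumers:
        score -= 1
        reasons.append(f"owner role '{env.owner_role}' is an expected consumer")

    if score <= 0:
        return Verdict(False, "info", tuple(reasons))
    if score <= 2:
        return Verdict(True, "medium", tuple(reasons))
    return Verdict(True, "high", tuple(reasons))

# Constructed scenarios. The first is the one from the text: diagnostic data
# made org-wide, owned by the data science lead, and synthetic.
SCENARIOS = {
    "synthetic_diagnostics_org_wide": (
        ExposureEvent("diag-lake-01", "org_wide"),
        DataContext("diagnostic", is_synthetic=True),
        EnvContext("data_science_lead", frozenset({"data_science_lead", "ml_engineer"})),
    ),
    "real_diagnostics_org_wide_unknown_owner": (
        ExposureEvent("diag-lake-02", "org_wide"),
        DataContext("diagnostic", is_synthetic=False),
        EnvContext("unknown", frozenset()),
    ),
    "customer_pii_public": (
        ExposureEvent("crm-export", "public"),
        DataContext("pii", is_synthetic=False),
        EnvContext("sales_ops", frozenset({"sales_ops"})),
    ),
}

def run_scenarios() -> dict:
    """Triage every constructed scenario and return the verdicts by name."""
    return {name: triage(*args) for name, args in SCENARIOS.items()}

if __name__ == "__main__":
    for name, verdict in run_scenarios().items():
        flag = "ALERT" if verdict.alert else "suppress"
        print(f"{name}: {flag} ({verdict.severity}) - {'; '.join(verdict.reasons)}")
```

The reasons list travels with the verdict so an analyst can see why an event was suppressed; a suppressed event should still be logged, since the context that made it benign (synthetic data, an expected owner) can change.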

Operationalizing end-to-end detection and response

A growing data landscape correlates with an increase in the tools, processes, and people required to manage it. When siloed tools generate shallow alerts, the resulting noise distracts SOC teams from critical issues. The lack of visibility and communication across people and processes delays mean time to respond (MTTR).

This is why a required capability of multi cloud DDR is interoperability with your existing tech stack.

Credentials are highly sensitive information and should be encrypted. Credentials stored in plaintext are exposed. With an encryption policy in place, multi cloud DDR can flag the moment the policy is violated, alerting on the incident along with the information needed to expedite the investigation.

The workflow can issue a ticket in Jira or pass the alert to a SOAR/SIEM tool, along with information aggregated by Cyera such as a description of the issue, the at-risk data stores, the volume and type of data impacted, the data owner, user access, and more. Once you’ve reviewed the information, you can use the remediation guidance provided by Cyera to quickly resolve the incident.
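The detections described in this section and in "Expanding the coverage" (public access, logging turned off, credentials stored without encryption), as an added example that is not Cyera's code. Each inventory snapshot is a list of constructed data-store records; rules flag violations, and comparing two snapshots emits an alert only when a violation first appears, so a long-standing finding is not re-raised on every scan. The alert payload carries the aggregated context a ticket or SOAR playbook needs. Field names, rule ids and the payload shape are assumptions for this illustration.

```python
"""Policy-driven detection over a data-store inventory (illustrative, not Cyera's code)."""
from dataclasses import dataclass
from typing import Callable, List, Set, Tuple

@dataclass(frozen=True)
class Rule:
    rule_id: str
    severity: str
    description: str
    remediation: str
    violated: Callable[[dict], bool]   # predicate over one store record

# Rule ids and store fields are assumed for this example.
RULES = [
    Rule("PUBLIC_ACCESS", "high",
         "Data store is reachable without authentication",
         "Remove the public grant and restrict access to named principals.",
         lambda s: s["public_access"] and s["record_count"] > 0),
    Rule("LOGGING_DISABLED", "medium",
         "Access logging is disabled, so reads cannot be audited",
         "Re-enable access logging and forward logs to the SIEM.",
         lambda s: not s["logging_enabled"]),
    Rule("PLAINTEXT_CREDENTIALS", "high",
         "Credentials are stored without encryption at rest",
         "Rotate the exposed credentials and enable encryption on the store.",
         lambda s: "credentials" in s["data_types"] and not s["encrypted_at_rest"]),
]

def violations(store: dict) -> List[Rule]:
    """All rules the given store record currently violates."""
    return [r for r in RULES if r.violated(store)]

def build_alert(store: dict, rule: Rule) -> dict:
    """Aggregate the context an analyst or SOAR playbook needs into one payload."""
    return {
        "rule": rule.rule_id,
        "severity": rule.severity,
        "description": rule.description,
        "store_id": store["store_id"],
        "owner": store["owner"],
        "data_types": sorted(store["data_types"]),
        "record_count": store["record_count"],
        "principals_with_access": sorted(store["principals"]),
        "remediation": rule.remediation,
    }

def detect(previous: List[dict], current: List[dict]) -> List[dict]:
    """Alerts for violations present in `current` that were absent in `previous`."""
    seen: Set[Tuple[str, str]] = {
        (s["store_id"], r.rule_id) for s in previous for r in violations(s)
    }
    alerts = []
    for store in current:
        for rule in violations(store):
            if (store["store_id"], rule.rule_id) not in seen:
                alerts.append(build_alert(store, rule))
    # Highest severity first so a ticket queue handles the worst finding first.
    order = {"high": 0, "medium": 1, "low": 2}
    alerts.sort(key=lambda a: (order[a["severity"]], a["store_id"]))
    return alerts

# Constructed snapshots: a credential store restored without encryption, and a
# telemetry store whose logging was already off and whose access was then opened.
BEFORE = [
    {"store_id": "vault-prod", "owner": "platform-team", "public_access": False,
     "logging_enabled": True, "encrypted_at_rest": True, "record_count": 120,
     "data_types": {"credentials"}, "principals": {"svc-deploy", "alice"}},
    {"store_id": "telemetry-raw", "owner": "ds-lead", "public_access": False,
     "logging_enabled": False, "encrypted_at_rest": True, "record_count": 5_000_000,
     "data_types": {"diagnostic"}, "principals": {"ds-team"}},
]
AFTER = [
    {**BEFORE[0], "encrypted_at_rest": False},   # restored from snapshot, encryption lost
    {**BEFORE[1], "public_access": True},        # bucket policy opened to the public
]

def run_example() -> List[dict]:
    """Alerts raised by the BEFORE -> AFTER change."""
    return detect(BEFORE, AFTER)

if __name__ == "__main__":
    for alert in run_example():
        print(alert["severity"].upper(), alert["store_id"], alert["rule"], "-", alert["remediation"])
```

Only two alerts come out of the constructed change: the disabled logging on the telemetry store was already known in the earlier snapshot, so it is not raised again, while the newly public telemetry store and the now-unencrypted credential store are. Each payload already names the owner and the principals with access, which is what lets a workflow route the ticket to the right team.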

Benefits of Multi Cloud DDR

The advantage of multi cloud DDR is its ability to enable you to rapidly identify and respond to incidents:

  • Rapid detection: The ability to quickly identify when an incident occurs is vital to reducing the damage attackers can inflict. When customer data is accidentally moved to a publicly accessible data store, you can move quickly to close off access before outsiders discover the exposed data. 
  • Reduction in false positives: With prioritized alerts, you can focus on the incidents that matter and have actionable context about the risks and blast radius of your sensitive data.
  • Streamlined incident response: Information about the incident and remediation guidance are all available at your fingertips. With a few clicks, a workflow can delegate responsibilities to the right team through the channels they prefer, whether that is Jira or Slack, for example.

Kickoff Multi Cloud DDR with Cyera

Safeguarding data is complex. Data is always moving and changing. The environments housing the data must accommodate the users and services that require access. Those responsible for responding to data incidents cannot afford to wait around until the threat grows.

That is why multi cloud DDR has increasingly become a vital part of the conversation when it comes to formulating your data security strategy. 

Cyera’s data security platform provides deep context on your data, applying correct, continuous controls to assure cyber-resilience and compliance.

Cyera takes a data-centric approach to security, assessing the exposure to your data at rest and in use and applying multiple layers of defense. Because Cyera applies deep data context holistically across your data landscape, we are the only solution that can empower security teams to know where their data is, what exposes it to risk, and take immediate action to remediate exposures and assure compliance without disrupting the business. 

Come see how multi cloud DDR can work for you by scheduling a demo today.