Gartner recently released its latest Hype Cycle report on Workload and Network Security, authored by Charlie Winckless and Feng Gao.
This year, for the first time, Cloud Investigation and Response Automation (CIRA) was included on the Hype Cycle. So what is it about CIRA that has the industry talking? At Gem, we believe CIRA’s inclusion is a strong indication of an emerging market need. Gem was recognized as a Sample Vendor for CIRA in the report. Below, we outline the main capabilities of CIRA technology and discuss why they are needed today.
Why The Market Needs CIRA Tooling
The cloud has introduced significant new complexities into the threat detection, investigation, and response workflow.
Cloud Detection Engineering is Time-Consuming, Manual and Partial
In the cloud, security data volumes are significantly higher than in traditional environments. The cloud generates abundant telemetry, and storing and processing all of it can be extremely costly for teams today.
Plus, the cloud not only generates more data, but also more complex data. Cloud threat modeling also requires new skills, as attacker tactics, techniques, and procedures (TTPs) in the cloud differ substantially from those in traditional environments. Detection engineering for cloud environments requires deep domain-specific knowledge that is in very short supply.
The result is that security operations teams today often spend too much time building detection rules manually, only to wind up with partial threat coverage.
Modern malware and data breaches in cloud environments are often fileless and operate either solely in memory without leaving any trace on disk, or via APIs or integrated SaaS offerings, making it increasingly difficult or impossible to properly investigate with traditional forensic methods and tooling.
Gartner, Emerging Tech: Security — Cloud Investigation and Response Automation Offers Transformation Opportunities, Lawrence Pingree & Mark Wah, June 5, 2023
Threat Investigation is Too Slow
When teams do receive alerts in the cloud, they often struggle to respond. Tools today generate extremely noisy, low-fidelity alerts, and teams struggle to prioritize which threats really matter.
Plus, cloud alerts are often contextless: when security operators need a deeper picture of an emerging threat, they often have nowhere to go other than querying raw logs in a SIEM or a generic query tool like Amazon Athena.
Forensic Analysis is Too Difficult
When the worst inevitably happens, forensic analysis of cloud resources is extremely challenging. Regulations often require that forensic evidence be preserved, yet cloud resources are frequently ephemeral and critical data can easily be lost: an autoscaled instance that is terminated takes its memory, and typically its root disk, with it unless a snapshot was taken first. Even if all the relevant data is available, extracting forensic artifacts and piecing together timelines is extremely manual and time-consuming.
Key CIRA Capabilities
CIRA is designed to address these problems. CIRA tools automate much of the manual work that’s involved in responding to cloud-native threats today, and help to bridge the cloud knowledge gap with purpose-built tooling.
CIRA enables security operations teams to eliminate or significantly reduce the time they spend on detection engineering. CIRA technologies detect threats based on data from cloud-native sources, including telemetry such as AWS CloudTrail, Azure NSG flow logs, and GCP Cloud Audit Logs.
CIRA tools fuse this telemetry with information gathered from cloud service provider APIs and numerous integrations, including identity providers, ticketing systems, and more. CIRA tools build detections on top of this enriched data and deliver comprehensive cloud threat coverage to teams out of the box.
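To make the preceding two paragraphs concrete, here is a small, added illustration of what "detection on top of cloud-native telemetry, fused with identity context" looks like in practice. It is example code written for this article, not Gem’s product logic or anything from the Gartner report. The CloudTrail-style events, the identity-provider directory and the service-account list are all constructed inline for the example; only the CloudTrail field names (eventName, userIdentity, sourceIPAddress, additionalEventData.MFAUsed, responseElements.accessKey.accessKeyId) are real. Three of the rules are stateless, and the fourth is stateful: it remembers an access key created by CreateAccessKey and flags use of that key from a different IP within an hour, which a single-event rule cannot express.

```python
import json
from datetime import datetime, timedelta

# Constructed CloudTrail-style records (abridged to the fields the rules read).
SAMPLE_EVENTS = [
    {"eventID": "e1", "eventTime": "2023-08-01T10:00:00Z", "eventName": "ConsoleLogin",
     "userIdentity": {"type": "IAMUser", "userName": "alice"},
     "sourceIPAddress": "203.0.113.10", "additionalEventData": {"MFAUsed": "Yes"}},
    {"eventID": "e2", "eventTime": "2023-08-01T10:03:00Z", "eventName": "ConsoleLogin",
     "userIdentity": {"type": "IAMUser", "userName": "bob"},
     "sourceIPAddress": "203.0.113.20", "additionalEventData": {"MFAUsed": "No"}},
    {"eventID": "e3", "eventTime": "2023-08-01T10:05:00Z", "eventName": "CreateAccessKey",
     "userIdentity": {"type": "IAMUser", "userName": "bob"},
     "sourceIPAddress": "203.0.113.20",
     "responseElements": {"accessKey": {"accessKeyId": "AKIAEXAMPLEBOB1", "userName": "bob"}}},
    {"eventID": "e4", "eventTime": "2023-08-01T10:12:00Z", "eventName": "ListBuckets",
     "userIdentity": {"type": "IAMUser", "userName": "bob", "accessKeyId": "AKIAEXAMPLEBOB1"},
     "sourceIPAddress": "198.51.100.7"},
    {"eventID": "e5", "eventTime": "2023-08-01T10:20:00Z", "eventName": "GetCallerIdentity",
     "userIdentity": {"type": "Root"}, "sourceIPAddress": "198.51.100.9"},
    {"eventID": "e6", "eventTime": "2023-08-01T10:25:00Z", "eventName": "DescribeInstances",
     "userIdentity": {"type": "IAMUser", "userName": "svc-deploy"}, "sourceIPAddress": "10.0.0.5"},
    {"eventID": "e7", "eventTime": "2023-08-01T10:30:00Z", "eventName": "GetSecretValue",
     "userIdentity": {"type": "IAMUser", "userName": "mallory"}, "sourceIPAddress": "198.51.100.9"},
]

# Constructed identity context: users the identity provider knows about, plus IAM
# users that are expected to exist outside the IdP (service accounts). Hypothetical.
IDP_DIRECTORY = {"alice", "bob"}
SERVICE_ACCOUNTS = {"svc-deploy"}

# How long after creation a new access key is treated as "fresh" by the stateful rule.
NEW_KEY_WINDOW = timedelta(hours=1)


def parse_time(value):
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ")


def finding(rule, event, **details):
    ident = event["userIdentity"]
    return {"rule": rule, "event_id": event["eventID"],
            "principal": ident.get("userName", ident["type"]),
            "source_ip": event["sourceIPAddress"], **details}


def run_detections(events, idp_directory, service_accounts):
    """Apply stateless and stateful rules to time-ordered events; return a list of findings."""
    findings = []
    new_keys = {}  # accessKeyId -> (creation time, IP that created it)
    for ev in sorted(events, key=lambda e: parse_time(e["eventTime"])):
        ident = ev["userIdentity"]
        name = ident.get("userName")

        # Rule 1: any use of the root account is worth a look.
        if ident["type"] == "Root":
            findings.append(finding("root_activity", ev))

        # Rule 2: console login without MFA (CloudTrail records MFAUsed on ConsoleLogin).
        if ev["eventName"] == "ConsoleLogin" and ev.get("additionalEventData", {}).get("MFAUsed") != "Yes":
            findings.append(finding("console_login_without_mfa", ev))

        # Rule 3: identity fusion. An IAM user the IdP has never heard of, and that is not
        # a sanctioned service account, is either shadow IT or attacker persistence.
        if ident["type"] == "IAMUser" and name not in idp_directory and name not in service_accounts:
            findings.append(finding("unknown_identity", ev))

        # Rule 4 (stateful): remember freshly created keys, then flag early use from another IP.
        if ev["eventName"] == "CreateAccessKey":
            key_id = ev["responseElements"]["accessKey"]["accessKeyId"]
            new_keys[key_id] = (parse_time(ev["eventTime"]), ev["sourceIPAddress"])
        used_key = ident.get("accessKeyId")
        if used_key in new_keys:
            created_at, creator_ip = new_keys[used_key]
            age = parse_time(ev["eventTime"]) - created_at
            if age <= NEW_KEY_WINDOW and ev["sourceIPAddress"] != creator_ip:
                findings.append(finding("new_access_key_used_from_new_ip", ev, key_id=used_key,
                                        creator_ip=creator_ip,
                                        minutes_since_creation=int(age.total_seconds() // 60)))
    return findings


if __name__ == "__main__":
    for f in run_detections(SAMPLE_EVENTS, IDP_DIRECTORY, SERVICE_ACCOUNTS):
        print(json.dumps(f))
```

Run as-is, the script emits four findings (e2, e4, e5, e7) and stays quiet on alice’s MFA login, bob’s key creation itself and the sanctioned service account. The point of rule 3 is the one the article makes about fusion: the CloudTrail record alone cannot tell you whether "mallory" is legitimate; only the identity-provider directory can. A real detection pipeline would also have to handle the ordering problem (CloudTrail delivery is delayed and not strictly ordered), which the sort on eventTime glosses over here.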
When alerts do trigger, CIRA technology enables significantly faster investigation and response. To investigate threats in the cloud, security teams need to pivot into a purpose-built product that provides the context they need. This is a key differentiator between CIRA tools and CSPM or other cloud security products that were not built for the SOC: without an integrated investigation interface, those tools struggle to deliver the efficient response teams need.
Critically, CIRA platforms provide all these capabilities for a multi-cloud environment. This enables security teams adopting CIRA tools to solve cloud-native threat detection and response use cases once, rather than struggle to build separate solutions for each of the major cloud providers.
How Gem Delivers CIRA Outcomes for Teams Today
Gem provides all the key capabilities that teams need to respond to cloud threats faster today. Gem provides out-of-the-box threat coverage to eliminate manual detection engineering, layering proprietary detection rules for hundreds of TTPs with behavioral analytics that lower noise and increase alert fidelity. When alerts trigger, Gem provides all the response and forensics tools that teams need to investigate.
Gem’s CIRA functionality is delivered as part of a broader Cloud Detection and Response (CDR) platform, and Gem’s solution goes beyond the capabilities identified as part of CIRA. For example, Gem provides teams with continuous, comprehensive incident response readiness assessments, enabling security operations teams to ensure that they always have the visibility they need to respond when threats occur.
Users considering a CIRA capability should: Favor SIEM/SOAR, CSPM, CDR or XDR platforms that offer a roadmap for multicloud CIRA capabilities without requiring the purchase of a third-party solution
Gartner, Hype Cycle for Workload and Network Security, 2023. Charlie Winckless & Feng Gao, July 31, 2023
Gem also goes beyond forensics, with cloud-native containment capabilities that let teams stop threats before they become breaches. Gem containment provides built-in actions to gather more information from users, isolate endpoints, or take forensic snapshots, all through the cloud control plane. This significantly accelerates alert triage and investigation before a full-fledged forensic investigation takes place.
As the hype around CIRA continues to increase, we’re proud that Gartner has included Gem as a Sample Vendor in the Gartner Hype Cycle for Workload and Network Security. As enterprises continue to move more workloads to cloud, we anticipate that the need for CIRA tooling will only grow. If you’re interested in learning more, we’d love to chat - reach out to us or book a demo here.
Gartner, Emerging Tech: Security — Cloud Investigation and Response Automation Offers Transformation Opportunities, 5 June 2023. Gartner, Hype Cycle for Workload and Network Security, 2023, Charlie Winckless & Feng Gao, July 31, 2023. Gartner and Hype Cycle are registered trademarks of Gartner, Inc. and/or its affiliates in the U.S. and internationally and are used herein with permission. All rights reserved. Gartner does not endorse any vendor, product or service depicted in its research publications, and does not advise technology users to select only those vendors with the highest ratings or other designation. Gartner research publications consist of the opinions of Gartner’s research organization and should not be construed as statements of fact. Gartner disclaims all warranties, expressed or implied, with respect to this research, including any warranties of merchantability or fitness for a particular purpose.