Last week, the US Securities and Exchange Commission adopted new regulations which require public companies to disclose any material cybersecurity incident to regulators. While the new regulations serve to increase transparency and standardize reporting requirements for businesses, they also place more pressure on security teams to move very quickly after an incident.
The new regulations may prove especially challenging for teams operating in cloud environments, where lack of visibility and manual threat investigation processes already slow down alert response. Below, we’ll outline the major changes introduced by the legislation, assess the major issues teams will face with compliance, and discuss how cloud detection and response technology may be able to help.
What Changed?
On July 26th, the SEC formalized new requirements that public companies disclose “material cybersecurity incidents.” Companies will additionally need to “describe the material aspects of the nature, scope, and timing of the incident,” and also assess the “material impact of the incident on the registrant, including its financial condition and results of operations.”
Importantly, the disclosures will be due only four days after the company determines that an incident is material. This means that when faced with an incident, teams will very quickly need to address two key questions:
Where did the threat come from?
Organizations need to understand the full picture of the incident, and quickly drill down to the root cause of the threat to understand the potential impact. Without understanding the cause of the threat, responders will be unable to contain it.
What is the blast radius of the incident?
When an incident is detected, analysts need to immediately understand the entire scope of the compromise. To determine materiality, security teams need to be able to “zoom out” to assess the full picture of which assets are either known to have been or may have been compromised.
Challenges in Cloud Environments
Answering these two questions can be quite challenging even in traditional environments. Often, legacy threat detection and incident response can take days to weeks for investigation: teams need to significantly accelerate that process to meet the new regulations.
Cloud complexity makes this process even more challenging. In cloud environments, answering simple questions like “who did what” and "what's the impact" can be extremely difficult. Today, triage processes like these, as well as deep forensic investigation, are extremely manual, requiring significant amounts of time spent trying to operationalize traditional SIEM solutions or legacy forensic tools. Analysts frequently struggle to build the context they need to get to the bottom of a threat. Determining the possible actions a particular entity could have taken and which other cloud assets might be affected in a timely manner is nearly impossible without purpose-built tooling.
The new regulations are relatively expansive in what they require. Organizations need to disclose not only that the breach occurred, but also tell the story of how it occurred. Within only four days of a breach being discovered, this story is likely still being pieced together, but organizations need to understand and describe the entire incident to stay compliant.
How Cloud Detection and Response Can Help
Cloud Detection and Response (CDR) automates the incident response process, and capabilities like those that Gartner have labeled Cloud Incident Response Automation (CIRA) allow for significantly accelerated response timelines.
At Gem, incident response readiness functionality ensures that organizations are always prepared with the relevant data they need to respond to a threat. When the inevitable attack happens, Gem’s automatic investigation and response functionality shortcuts manual querying and allows organizations to condense thousands of individual events into a holistic timeline that presents an overall view of the threat.
In a world where companies are on a four-day clock to report material breaches, faster triage and response processes in the cloud become key. This is the outcome that CDR delivers - to learn more, reach out. We'd love to chat.