RSAC 2024 Innovation Sandbox | Mitiga: A New Generation of Cloud and SaaS Incident Response Solutions

April 29, 2024 | NSFOCUS

The RSA Conference 2024 is set to kick off on May 6. Known as the “Oscars of Cybersecurity”, the RSAC Innovation Sandbox contest has become a benchmark for innovation in the cybersecurity industry.

Figure 1: Top 10 Finalists for the RSAC 2024 Innovation Sandbox Contest

Today let’s get to know the company Mitiga.

Company Introduction

Mitiga was established in 2019 and is headquartered in New York, USA. It provides Cloud Investigation and Response Automation (CIRA) solutions. In March 2023, Mitiga closed a $45 million Series A funding round led by ClearSky Security, with participation from Samsung Next, Blackstone, Atlantic Bridge, and DNX. The round valued Mitiga at over $100 million [1,2].

Mitiga has brought together experts from cybersecurity, software development, and the military. The team currently consists of approximately 50-100 people [3]. Mitiga has three co-founders [4], shown in Figure 2.

Figure 2: Mitiga Co-founders (Left: Ariel Parnes, Middle: Ofer Maor, Right: Tal Mozes)

Ariel Parnes is a retired colonel who served for over twenty years in the Israel Defense Forces’ Unit 8200. He has extensive expertise in offensive and defensive cyber operations, intelligence, and information technology, and is a recipient of the Israel Defense Award [5]. Ariel Parnes currently serves as Mitiga’s Chief Operating Officer.

Ofer Maor has over twenty years of experience in information security, spanning technical research, product development, and go-to-market, and has been involved in the sale, merger, and acquisition of several companies. He has served as founder and Chief Technology Officer of Seeker, founder and Chief Technology Officer of Hacktics, leader of the Imperva Application Defense Center research group, chairman of OWASP Israel, and a member of the OWASP Global Membership Committee [6]. Ofer Maor currently serves as Mitiga’s Chief Technology Officer.

Tal Mozes was a partner at Ernst & Young. He co-founded two successful cybersecurity companies: Hacktics, which was acquired by Ernst & Young, and Seeker Security, an automated application security testing tool, which was acquired by Synopsys [7]. Tal Mozes currently serves as Mitiga’s Chief Executive Officer.

Background

The Security Operations Center (SOC) has long been the focal point of corporate security. It combines people, processes, and technology to monitor endpoints, servers, databases, network applications, websites, and other systems around the clock, detect potential threats in real time, and prevent, analyze, and respond to cybersecurity incidents, improving the company’s security posture and keeping core business operations secure [8].

With the rapid growth of cloud computing, more and more enterprises are investing in cloud and SaaS and running their core business workloads there. The adoption of cloud and SaaS has transformed enterprise information system architecture, and the traditional SOC model no longer fits enterprises built on cloud and SaaS. The main reasons are [9]:

  • Reduced visibility and control over corporate assets

The introduction of IaaS, PaaS, and SaaS has blurred the enterprise network boundary, making it difficult for the SOC team to maintain a comprehensive and accurate picture of corporate assets and their exposure.

  • SSO concentrates risk

Multiple SaaS platforms are reached through the same single sign-on mechanism, so one compromised identity or session can open access to all of them, which enlarges the effective attack surface. Investigating and responding to an incident that spans several cloud and SaaS platforms, each with its own log format and retention, is a pain point for traditional SOCs.

  • Difficulty in adapting to a highly dynamic infrastructure

Resources in Kubernetes are short-lived: pods start and stop quickly, and once a pod is gone its logs and filesystem state go with it unless they were shipped elsewhere beforehand. This severely hampers investigation, forensics, and incident response.

  • Difficulty in managing high-value data on SaaS

SaaS platform logs may themselves contain sensitive data, and traditional SOC tooling and Data Loss Prevention (DLP) platforms usually cannot handle this type of data well.

Solution Introduction

Mitiga’s Cloud Investigation and Response Automation (CIRA) solution is built around the IR2 platform, which consists of three parts: a Cloud Security Data Lake, Cloud Threat Hunting, and a Cloud Investigation Workbench. Figure 3 shows the workflow of this solution.

First, the IR2 platform collects data in an agentless manner, pulling logs, configuration data, and other records from different cloud and SaaS vendors through their interfaces. After collection, the platform cleans and transforms the multi-source, heterogeneous data, builds an event query index, and loads the result into the Cloud Security Data Lake. Once loaded, the Cloud Attack Scenario Analysis Engine performs threat analysis on the event data in the data lake to support threat hunting and incident response. In addition, Mitiga’s own experts can assist the SOC team with incident analysis, investigation, and response [9,10,11].

Figure 3: Mitiga Integrated Solution

Cloud Security Data Lake

The Cloud Security Data Lake is built on the Databricks service and uses the interfaces provided by different cloud and SaaS vendors to collect logs and configuration data across clouds and platforms. This data is referred to as “investigation data,” and it is the core data analyzed in Mitiga’s solution. The Cloud Security Data Lake normalizes and formats the multi-source, heterogeneous investigation data so that data from multiple platforms can be analyzed and managed in one place.

Figure 4: Mitiga Cloud Security Data Lake

Cloud Threat Hunting

Mitiga analyzes the IOAs (Indicators of Attack) of security incidents worldwide to build a threat scenario analysis engine and a cloud attack scenario database, and supports four modes of threat hunting:

  • Continuous

Continuously monitor the enterprise for threats and surface potential threats in the cloud and SaaS environment.

  • Event-driven

Track publicly reported security incidents, extract their characteristics, and check whether the same risks or exposures exist within the enterprise.

  • Policy

Use Mitiga’s own cloud attack scenario database to match threat events that may be occurring within the enterprise.

  • Customized

Customized threat hunting based on enterprise characteristics, such as data assets, infrastructure, and security requirements.

Figure 5: Mitiga Cloud Threat Hunting

Cloud Investigation Workbench

The Cloud Investigation Workbench aggregates events by their metadata (the activity performed, the resource accessed, the authorization outcome, and so on), contextual information, and user identity to generate a timeline for the incident. The timeline simplifies the SOC team’s analysis of and response to threat events and helps scope their blast radius.

Figure 6: Mitiga Cloud Investigation Workbench
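To make the data lake normalization and the workbench timeline concrete, here is an added example that is not Mitiga’s code (the IR2 platform’s internal schema and scenario rules are not public). It normalizes constructed records from two sources, AWS CloudTrail and the Okta System Log, into one schema, builds a per-principal timeline, and runs a single assumed attack-scenario rule over it: a successful SSO login followed within an hour by a sensitive cloud API call from a different source IP. The record layouts are simplified, the sensitive-action list is an assumption, and the correlation relies on the SSO session name carrying the user’s email address, which is common but not universal.

```python
"""Agentless-style cloud/SaaS investigation in miniature: normalize records
from two sources into one schema, build a per-principal timeline, then run a
single attack-scenario rule over that timeline."""
import json
from datetime import datetime, timedelta

# Constructed sample records (NOT real logs). Field names follow the public
# AWS CloudTrail and Okta System Log layouts but are simplified for the example.
RAW_EVENTS = [
    ("okta", json.dumps({
        "published": "2024-04-29T08:00:00.000Z", "eventType": "user.session.start",
        "actor": {"alternateId": "alice@example.com"},
        "client": {"ipAddress": "203.0.113.7"}, "outcome": {"result": "SUCCESS"}})),
    ("aws", json.dumps({
        "eventTime": "2024-04-29T08:12:30Z", "eventSource": "secretsmanager.amazonaws.com",
        "eventName": "GetSecretValue", "sourceIPAddress": "198.51.100.9",
        "userIdentity": {"arn": "arn:aws:sts::111122223333:assumed-role/SSO-Admin/alice@example.com"},
        "requestParameters": {"secretId": "prod/db-password"}})),
    ("okta", json.dumps({
        "published": "2024-04-29T09:00:00.000Z", "eventType": "user.session.start",
        "actor": {"alternateId": "carol@example.com"},
        "client": {"ipAddress": "192.0.2.10"}, "outcome": {"result": "SUCCESS"}})),
    ("aws", json.dumps({
        "eventTime": "2024-04-29T09:05:00Z", "eventSource": "s3.amazonaws.com",
        "eventName": "ListBuckets", "sourceIPAddress": "192.0.2.10",
        "userIdentity": {"arn": "arn:aws:sts::111122223333:assumed-role/SSO-ReadOnly/carol@example.com"},
        "requestParameters": None})),
    ("okta", json.dumps({
        "published": "2024-04-29T10:05:00.000Z", "eventType": "user.session.start",
        "actor": {"alternateId": "bob@example.com"},
        "client": {"ipAddress": "198.51.100.9"}, "outcome": {"result": "FAILURE"}})),
]

# Cloud API calls the scenario rule treats as credential/secret access (assumed list).
SENSITIVE_ACTIONS = {"GetSecretValue", "CreateAccessKey", "PutBucketPolicy", "AssumeRole"}


def parse_ts(value):
    """Both sources emit ISO-8601 UTC with a trailing Z; return an aware datetime."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def normalize(source, raw):
    """Map one vendor record onto the common investigation schema."""
    rec = json.loads(raw)
    if source == "aws":
        arn = rec["userIdentity"]["arn"]
        params = rec.get("requestParameters") or {}
        return {"ts": parse_ts(rec["eventTime"]), "source": "aws",
                # For SSO-assumed roles the session name is the user's email,
                # which is what lets an AWS call line up with an Okta login.
                "principal": arn.rsplit("/", 1)[-1], "action": rec["eventName"],
                "resource": params.get("secretId", rec["eventSource"]),
                "src_ip": rec["sourceIPAddress"],
                "outcome": "FAILURE" if "errorCode" in rec else "SUCCESS"}
    if source == "okta":
        return {"ts": parse_ts(rec["published"]), "source": "okta",
                "principal": rec["actor"]["alternateId"], "action": rec["eventType"],
                "resource": "okta", "src_ip": rec["client"]["ipAddress"],
                "outcome": rec["outcome"]["result"]}
    raise ValueError(f"unsupported source: {source}")


def build_timeline(raw_events):
    """Normalize everything, sort by time, and group by principal."""
    events = sorted((normalize(s, r) for s, r in raw_events), key=lambda e: e["ts"])
    timeline = {}
    for e in events:
        timeline.setdefault(e["principal"], []).append(e)
    return timeline


def hunt_session_token_reuse(timeline, window=timedelta(hours=1)):
    """Scenario: a successful SSO login is followed within `window` by a
    sensitive cloud API call from a DIFFERENT source IP. A same-IP sequence
    is ordinary admin work; a cross-IP one suggests the session or the
    derived cloud credentials were replayed from somewhere else."""
    matches = []
    for principal, events in timeline.items():
        logins = [e for e in events if e["source"] == "okta"
                  and e["action"] == "user.session.start" and e["outcome"] == "SUCCESS"]
        for login in logins:
            for e in events:
                if (e["source"] == "aws" and e["action"] in SENSITIVE_ACTIONS
                        and login["ts"] <= e["ts"] <= login["ts"] + window
                        and e["src_ip"] != login["src_ip"]):
                    matches.append({"principal": principal, "action": e["action"],
                                    "resource": e["resource"], "login_ip": login["src_ip"],
                                    "api_ip": e["src_ip"],
                                    "minutes_after_login": (e["ts"] - login["ts"]).total_seconds() / 60})
    return matches


if __name__ == "__main__":
    tl = build_timeline(RAW_EVENTS)
    for principal, events in tl.items():
        print(principal)
        for e in events:
            print(f"  {e['ts'].isoformat()}  {e['source']:<4} {e['action']:<22} {e['src_ip']:<14} {e['outcome']}")
    for m in hunt_session_token_reuse(tl):
        print("SCENARIO MATCH:", m)
```

Run as-is, the timeline shows three principals and the rule flags only alice: her Okta login came from 203.0.113.7, but the GetSecretValue call 12.5 minutes later came from 198.51.100.9. Carol’s same-IP ListBuckets and Bob’s failed login are not flagged. The point of normalizing first is that the rule is written once against the common schema rather than once per vendor log format; the caveat is that the correlation is only as good as the identity mapping, and an IAM user whose name differs from their SSO identity would never be joined.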

Competitor Comparison

In addition to Mitiga, many security vendors have extended SOC capabilities to the cloud or SaaS. Below are two representative vendors and their products or solutions.

Palo Alto Networks’ Cortex platform is a cloud detection and response platform. By deploying lightweight agents, Cortex integrates analysis of cloud hosts, cloud traffic, and audit logs, giving the SOC team end-to-end incident investigation and response and threat hunting across the whole estate [12].

Fortinet’s FortiSIEM is a Security Information and Event Management platform that provides enterprise asset analysis, log analysis, compliance checking, and threat hunting through lightweight agents. In addition, FortiSIEM offers generative AI-assisted incident detection and response that can be applied to on-premises, multi-cloud, and hybrid environments [13].

Compared with these platforms, Mitiga’s IR2 platform helps enterprises run lightweight and efficient security operations in an agentless, non-intrusive manner. The platform also has the following three distinct advantages:

  • Unified processing of multi-source, heterogeneous event data without deploying agents.
  • A concise and efficient process for handling and responding to threat events.
  • A rich cloud attack scenario database and diverse threat hunting mechanisms.

However, we believe that there may be areas for improvement in Mitiga’s IR2 platform:

  • Because it is agentless and works from logs and configuration pulled through vendor APIs, it cannot see process-level activity inside a host or container the way an agent can, so its runtime security coverage is weaker. An “agentless + lightweight agent” approach would let the SOC team cover both.
  • With the rapid development of AI technologies such as large language models, Mitiga would do well to bring these techniques into the SOC platform to help enterprises achieve more intelligent security operations.

Conclusion

In the past, corporate security focused on preventive technologies that resist threats through perimeter protection. With the rapid growth of cloud computing, however, the corporate network boundary has become increasingly blurred, and perimeter prevention alone can no longer cope with the complexity of cloud and SaaS threats. The focus of enterprises should therefore shift towards security operations and response.

Additionally, as workloads move to the cloud, traditional security technologies should evolve to fit cloud characteristics and become more efficient and more intelligent. Only by innovating on traditional security technologies can we address the emerging threats in complex, multi-factor environments.

Reference links:

[1] https://techcrunch.com/2023/03/14/mitiga-raises-45m-for-cloud-security/

[2] https://www.prnewswire.com/news-releases/mitiga-named-rsa-conference-2024-innovation-sandbox-finalist-302105726.html

[3] https://www.linkedin.com/company/mitiga-io

[4] https://www.mitiga.io

[5] https://www.linkedin.com/in/arielparnes/

[6] https://www.linkedin.com/in/ofermaor/

[7] https://www.linkedin.com/in/talmozes/

[8] https://info.support.huawei.com/info-finder/encyclopedia/zh/SOC.html

[9] https://go.mitiga.io/Supercharging_Cloud.html

[10] https://www.mitiga.io/solutions/cloud-threat-detection-investigation-response-automation-platform

[11] https://www.mitiga.io/mitiga-ir2-platform-description

[12] https://www.paloaltonetworks.com/cortex/cloud-detection-and-response

[13] https://www.fortinet.com/cn/products/siem/fortisiem
