Cloud Security Operations for Modern Threats


How is your Cloud Incident Preparedness? Is your CSPM enough? Ashish spoke to Ariel Parnes, Co-Founder and COO at Mitiga, about the concept of "Assume Breach" and its importance in developing a proactive cloud security framework. If you are looking to understand the nuances of cloud incident response and being prepared for it, the effectiveness of current tools, and the future of cloud security operations strategy, then this episode is for you.

Questions asked:
00:00 Introduction
02:46 A bit about Ariel Parnes
04:02 Cybersecurity in the world of Cloud
06:07 What is Cloud Incident Preparedness?
08:40 Reality of Cloud Incident Preparedness
11:16 Does a CSPM help with Incident Preparedness?
13:54 Should logs be sent to SIEM?
15:59 What's a good starting point for Incident Preparedness?
18:31 Gaining deep visibility in your cloud environment
19:50 Do you need a Security Data Lake?
25:56 Demonstrating ROI for Security Operations
28:28 Importance of Human Factor in Security Operations
30:51 Low Hanging fruits to strengthen cloud operations
32:31 The Fun Questions

Ariel Parnes: [00:00:00] The attacks in the cloud look differently. They behave differently. Criminals behave differently when they leverage cloud. They don't necessarily need to follow the techniques, tactics, and procedures that they used to follow in the on-prem environments. So CSPM is not a security lake. CSPM collects and analyzes data, but for a specific purpose, for identifying gaps.

By showing coverage and by showing time to respond. You can create a formula or a way to present ROI in your investment in security operations in a way that resonates with the concerns of the boards and management nowadays in the industry. My strong recommendation is to conduct a tabletop exercise with focus on cloud.

Ashish Rajan: Are you thinking about building a security operations program in your cloud, but thinking of just is CSPM enough? Or is the idea that CSPM is just the prevention tool, not the detection tool. We've been talking about the fact that CSPM has been solving a lot of problems like finding what my broken window [00:01:00] looks like, or if I even have a broken window in my cloud environment.

However, for incident response, you probably need something more than that. And I'm grateful. We had a conversation with Ariel from Mitiga. He was talking to us about the way you can improve your security operation in the cloud, the things you require and why SIEM is just not the only thing you need for a cloud incident to be investigated from a forensic perspective, from containerizing perspective, from responding perspective.

We were talking about the whole readiness, that is specifically cloud incident readiness. How are you prepared for responding to an incident, detecting an incident, and containerizing the incident in the cloud and be able to do from forensic analysis on this. All that and a lot more in this conversation with Ariel.

And I'm so glad we had this conversation because we were able to talk about things like where does it make sense to have a data lake? What kind of information is required? For us to progress in improving, say, just the security operations in the cloud overall. As always, if you enjoyed this episode and know someone who is working on building some improvement in their security operations program, I would definitely love it if you [00:02:00] can share this episode with them.

But if you're here for the second or third time listening or watching, definitely give us a follow, subscribe on YouTube if that's where you're watching this. But if you're on iTunes or Spotify, definitely give us a review or rating. It lets the algorithm know that you enjoyed the content. It lets us know that you enjoyed the content and you want us to create more of these kind of conversations around the same topic because let me be honest, incident response in the cloud is not spoken about enough. So there's a lot more incident response conversation coming on Cloud Security Podcast throughout 2024. So watch out world, incident response in the world of cloud is going to get a lot more attention on Cloud Security Podcast which is the biggest community of cloud security people on the internet. With that said, thank you so much for your time. I hope you enjoyed this episode and I will see you next one. Peace.

Hello and welcome to another episode of Cloud Security Podcast. Today I have Ariel and we're talking about something interesting.

Something that I have felt we haven't spoken about enough. But before I dive into the whole incident response and the readiness behind incident response, Ariel, could you share a bit about yourself and your cybersecurity journey, man?

Ariel Parnes: Yeah, of course. Hi, Ashish. Great to be here. Thank you for having me here.

My background in cybersecurity [00:03:00] starts back about 25 years ago when I started my military service back in Israel in the Israel Defense Force. I joined a unit named 8200. Back then, it wasn't a very famous unit. Today, it's quite famous. This is a cyber elite unit in the IDF. And I had the privilege to serve there for 23 years.

Started as a security operator and retired as a colonel. And for most of the years, I've been dealing with operations, cyber operations, offensive cyber operations. My opponents were security operators. So I moved to the other side now. And through the years, I needed to build this expertise of understanding how security operators work, what their strengths are, what their gaps are: capabilities, blind spots.

So I can go unnoticed or my team can go unnoticed when they're operating against this security operator. Bringing these insights into the industry nowadays.

Ashish Rajan: I always feel like investigation and responding to this investigation, like fundamental skillset, like most people would already be aware of. How has that changed in [00:04:00] the world of cloud?

Ariel Parnes: Yeah, I think several aspects of change when we think about the shift to the cloud and security operations, the first kind of obvious change is that we are adopting new technologies and in order to provide security operations solutions or security operation activities, we need to acquire this new knowledge of new technologies, cloud computing, infrastructures, platforms, SaaS, terms that people were not necessarily used to.

So a new technology is one of the things, one of the factors that are influencing here in this change. The second one is the variety and complexity. As we move to the cloud, I believe that while we are getting, a lot of benefits from the shift, the complexity and variety increases which poses a risk to security operators.

Third one is the introduction of a new concept. And this is fundamental. The move to the cloud introduced a new concept of shared responsibility. Now for security operators or security people in general, [00:05:00] the shared responsibility is quite a tricky concept, right? What does it mean that I'm sharing responsibility with Amazon, with Azure, or Microsoft, with Salesforce, you name it?

What does it mean? At the end, if something happens, is it going to be me fired or them? So what does it mean to share responsibility? This is new for practitioners, and didn't exist back then in the traditional on-prem environments. So a new concept that introduces new challenges and the last one is the fact that not only the technology is changing for us as defenders or users, but also for the attackers and the attacks in the cloud look differently.

They behave differently. Criminals behave differently when they leverage cloud. They don't necessarily need to follow the techniques, tactics and procedures that they used to follow in the on-prem environments, they can either implement them differently or add new TTPs and it means that the anatomy of an attack is different nowadays.

So the anatomy of an attack, new technology for us [00:06:00] that we need to adopt, a new concept of shared responsibility. And the fact that there is inherent variety and complexity in this new world.

Ashish Rajan: That definitely explains some of the security gaps we have. I guess just as we kind of transition from on premise to the world of cloud as well.

We started the conversation by talking about cloud incident preparedness. How do you define cloud incident preparedness? And as much as a mouthful, it is for a lot of people. I'm curious to at least simplify for people, because I think we talk about incident response. We talk about incident preparedness.

But what is cloud incident preparedness?

Ariel Parnes: Yeah, I think when we talk about incident preparedness or readiness, we can use both conceptually. It is a metric or set of metrics that allow us as defenders to assess how ready we are to respond rapidly when a malicious activity happens. Now, let's talk about the overall world of security.

There is on one side the effort to prevent cyber attacks from happening. And this is very important. And we're all invested in that. You assume that eventually [00:07:00] some of these attacks can be successful. Then you start thinking about the detection, investigation, response readiness, or incident preparedness, which means how efficient or how ready you are to efficiently identify, investigate, remediate, contain, remediate and respond. The more you are ready, the more you will respond efficiently and effectively, the minimum, the less the impact will be. And so while with prevention you're focused on reducing the probability of an attack to happen, with a response you're focusing on reducing the impact.

So preparedness is actually how effective you are in reducing the impact of a cyber attack when it happens, and then the question is, how do you measure preparedness? And there are different aspects of it. I think when it comes to the cloud, the two main factors for defining preparedness, the first one is visibility.

And what do I mean by visibility? So when it comes to responding to an incident, the first thing that you need to do is understand what happened or what is [00:08:00] happening, where it is happening when, and so you can make your decisions with regards to containment to remediation, et cetera, et cetera.

In order to understand what happens, you need to have the forensic data, the telemetry, the logs, so that they can look and extract the story. The logs are the places, so to say, where the footprints of the attack, the traces of the attack are. So you need to have these traces of the attack in order to detect and investigate and respond.

And readiness or preparedness means that you are well positioned in the fact that you, in the sense that you have the data to investigate. So one of the components of preparedness is, do you have the right data in place?

Ashish Rajan: Otherwise, where do you even start if you don't even have the data to begin with? I love how you explained that, how people go down the path of just understanding , am I prepared for this? Can I detect it? Can I contain it? Can I respond to it? Each one of those components are pointless without the actual data being there in the first place. We start talking about hey, we've transitioned on from on-premise to the world of cloud. Is this easier to [00:09:00] do in the cloud world than compared to an on-premise world?

Ariel Parnes: So actually when we think about the readiness in the sense of having the right data in the on-prem environment, generally speaking you are the owner of your domain. You are the owner of your data center. The data that you need for an investigation, if it is generated, if it is there, so it's just a question of how quickly you can get access to that data.

This is not the case in cloud. And this is why the preparedness is so important. It's fundamentally different when it comes to cloud and SaaS environments. Because the telemetry, here is back to the shared responsibility concept. The telemetry that is generated, where the footprints or the traces of the attack are, when the attack happens, is not yours.

It is provided or generated by Microsoft in their environment, Office 365. In their logs or Azure or Amazon or Google or you name it, if you don't do certain things in advance, you do not have the data available when you need [00:10:00] it for investigation or for detection and a hunt. And, we have encountered more than a few cases where attacks happen in certain environments.

Investigators were deployed to conduct investigation, they realized that the data is not there and if during a crisis, you try to retrieve this data from the vendor, it's almost impossible. Either they're not storing it, or you need to go through a process of procurement, or they can't provide it in real time.

And so this is why preparedness is substantially different when it comes to cloud because of the shared responsibility.

Ashish Rajan: Would you say the shared responsibility is also, for lack of a better word, to what you said about there might be delay in how quickly you get the log from an incident as well?

Whatever the delay is based on the shared responsibility, even having an understanding of that. As a program for building incident response that goes a long way because your point about preparedness, Oh, I had the right skill set in the team, but you're still relying on your cloud service provider to give you the [00:11:00] information at the right time so we can make the right call.

The reason I say that is because most people would rely on a CSPM for this. They will look at, Oh, my CSPM was looking after my entire network, my entire cloud footprint. Shouldn't that solve the incident preparedness problem, like the, at least the preparation part.

Ariel Parnes: I think it doesn't. And I think there is a misconception in the industry with regards to what CSPM is supposed to do.

There are more than a few companies that are providing great products for CSPM. But what CSPM conceptually is supposed to do, and it does, is identifying the gaps in your posture, or in other words, understanding what could happen if a malicious actor would try to attempt to break into your system.

What could happen? Or, sometimes I use the allegory of, do you have an open window in your home or office, or is the lock broken? And so basically CSPM is focused on identifying these open windows, these broken locks or non-existent locks or keys out there, which maps to can something bad happen to [00:12:00] you, and then it is important to fix these holes or gaps so that you reduce the probability of an attack to happen.

This is what CSPM does for that purpose, they collect that data, but they collect security data focused on this specific problem, which is posture. But conceptually, when this is completed, there is still, an approach that says, okay, cyber attacks are inevitable. Assume breach. And then the question is, what do you do not to answer the question, whether something malicious could happen, but rather whether something did happen.

And if so, how, when, what happened? Exactly. This is a separate problem. This is not CSPM. This is where now Gartner in the cloud, Gartner calls this CIRA, Cloud Investigation Response Automation. CIRA starts where CSPM ends. So you do everything that you need to do to find the gaps in your posture.

You fix them, constantly fix them. But then when you need to detect, respond, and investigate, you need to collect a different type of data. You need to process it [00:13:00] differently. You need to store for, larger amount of timeframes. You need to investigate, you need to respond. It's a different problem and CSPM doesn't solve that.

Ashish Rajan: And do you find that, I think it is a problem being the fact that we are looking at CSPM as a tool to not just detect that there is a hole, there's a window open, but also we're trying to investigate that as well. And it's not an investigation tool. Is that what you're trying to say with CSPM?

Ariel Parnes: Yeah. And I don't think that they even, CSPM tries to fix it, to address this pain.

This is not an investigation tool. CSPM is a great tool to identifying and fixing posture gaps, which is, I would say, a phase number one in your cloud security maturity. Phase number one or zero is, okay, let's make sure that all my controls are in place and that I have anything open.

Now, this is not enough because eventually you're going to be breached. In order to have the full stack, you need to have the CIRA solution, the Cloud Investigation Response solution.

Ashish Rajan: So you can actually investigate end to end. Because the way I see that was traditionally people would use [00:14:00] a CSPM to make the call for, okay, I'm going to find out all my windows are open or if my door is broken or whatever and quickly fix that.

But the reality also is that a lot of people send logs to a SIEM provider. They don't really technically, you still store them in the cloud, but you are pushing it outside of the cloud to a SIEM provider to investigate. So there's almost like doubling up of that work for lack of a better word. Is the approach to sending logs to SIEM for cloud, is that wrong then?

Ariel Parnes: I think moving to SIEM or focusing on SIEM is not the right approach for cloud forensic or cloud detection investigation. And the main reason is that the original architecture of the SIEM wasn't necessarily designed for investigation, even in the on-prem day. If you go to a forensic investigator, like the veterans of the industry, they never use a SIEM for an investigation.

When you need to go deep into the data, they go to the sources of the data, not through the SIEM. And so the SIEM basically was designed for triage and alerts near real time or real time [00:15:00] of on-prem telemetry. And now, expanded to cloud. The problem is that when it comes to cloud, the amount of data of telemetry that is generated is significantly bigger, larger than it is in on-prem. If you want to have the right visibility and you want to see all this data and collect it and also store it for a long period of time so it can go back in the history because we all know that several attacks take time to detect and to investigate.

If you're going to go back, so you need to store a huge amount of data. This is where SIEM doesn't scale up, or it does scale up, but you need to pay a lot of money to store that. And so organizations are stuck. And what they basically do is some of them, they're investing a lot of money to store. And even then they're not storing all the data.

They need to make tough decisions. Most of them are making tough decisions with regards to what data they are storing and for how long, which means lower visibility. Which means lower preparedness for an incident.

Ashish Rajan: Most people look at SIEM [00:16:00] provider like, people do Splunk certification and a lot of that, assuming that, oh, my SOC team needs to be Splunk certified so they can do all these magical things with the Splunk logs.

But to what you said, whenever there's an incident, technically there's only so much you can do with the logs. You have to go back to the source and identify what's truly happening over there. So maybe a question then is, if SIEM is not good enough, then what's a good starting point?

Ariel Parnes: Yeah when I go back to the challenge of SIEM, I'm not saying that, it's not the right approach to invest in having a capable security team that knows how to operate with SIEM. But I want to say, if we look at the challenge of investigating, which is basically looking at a lot of data and figuring out what happened, there are different levels of depth that you can go to.

You can conduct certain levels of or certain phases of the investigation with your SIEM on one end, and it may be good enough for certain phases of the detection response, but you need to go deeper into either the source of the data or cross correlate with a lot of data or go back [00:17:00] in history and correlate with historic data.

This is where you need significantly more capabilities, closer to data scientist capabilities or data engineering and science capabilities. And this is where the gap exists between what SIEM provides, in terms of the ability to investigate, and the other extreme, which is having a security team full of data scientists, which is great, but not feasible. There is a gap there that needs to be closed by providing solutions that can go in the middle and close this gap between the initial level and the expertise level. And this is one of the challenges that I think we are facing nowadays in the industry.

Ashish Rajan: I definitely understand the part of our deeper cloud visibility, because I guess a SIEM can only take you so far in terms of logging information.

And then there is an added context of you need to know what a service in Azure, Google Cloud, or whatever the cloud is to even understand the context of, is this a severe risk or, is it SEV1 or SEV2 or SEV3, whatever this is. I guess [00:18:00] the question I'm coming from, and I'm a hundred percent with you, that SIEM has that gap of, it will not give you a deep cloud visibility.

And then there is the other gap of that yes, you may have a SOC team, which may not be skilled enough to bridge that gap as well. Where do you think is a good starting point if there is a gap that is already in between that? I have a team of experts who probably know something about SIEM and something about investigation.

I have a SIEM, which doesn't give me deep cloud visibility. How are you seeing people approach that gap at this point?

Ariel Parnes: I can share the way we at Mitiga, and I personally think that this gap needs to be addressed. The first component of this gap is having a security data lake, not necessarily replacing your SIEM, but having a security data lake where you can store.

And there is a lot of depth in the word store, but basically collect and store data from your cloud sources, telemetry logs and forensic data so that you can store it for a long period of time. So you can use it. So the first component of it is: make sure that you [00:19:00] have or build or prepare a forensic data lake or security data lake.

You still have your SIEM, maybe some of the data that you're storing in your SIEM, you can move it to that security data lake. You can save some costs in your SIEM, but you need both. Then the next step is integrating between these two and having this middle solution where you can continue to investigate using your SIEM, but get the full visibility, flexibility, and depth that a data lake provides. And for that you need an interim solution, which is for Mitiga an expert tool integrated with SIEM that works on top of the forensic data lake and allows users to investigate deeper, to go deeper into the data without having the full expertise of data science and all that, where you can't really build this expertise in every single company.

Ashish Rajan: Maybe it's worthwhile noting that companies like Netflix and others already hire for data scientists in their organization in the cybersecurity team because of the same thing that you called out that [00:20:00] a lot of people are looking at the fact that we need more deeper information than just what the logs may provide.

You need a bit more timeline or whatever else. And that's technically a data scientist. That's not a security person. That's already very evident, I would say, at this point in time. But would you say, if you already have a CSPM, shouldn't that kind of be a start? I feel like that could be a data lake or a detection part as well.

Or is it, is a CSPM missing something? Do I still need another data security lake?

Ariel Parnes: Yeah. So CSPM is not a security lake. CSPM collects and analyzes data, but for a specific purpose: for identifying gaps, for identifying the open windows and the posture gaps that we talked about and we mentioned previously, and this is the purpose of the solution.

This is why this data is being collected and the problem in the industry nowadays is that there is no generic security data lake solution out there. There are many reasons why, but there is no generic security data lake solution there. There is data that is being stored by CSPMs for their purposes.

And now, solutions like Mitiga [00:21:00] and others are building a security data lake for the purpose of detection investigation response, which is again, different than the posture management. I think that in the future, maybe we will see some convergence there between these two areas because, they operate together nowadays, there is no single solution and then the best thing that you can do is to have integration between these two. So constantly, making sure that these two part sides of your program are integrated in terms of processes, people, and also technology.

Ashish Rajan: I think something interesting you said in that is the fact that the intent behind the data being stored in your CSPM is the intent is more prevention.

Whereas your security data lake would be more for, Hey, I want to respond to an incident. I need a deeper cloud visibility instead of just looking at how many broken windows do I have or is my broken window was picked up over there? But I love the way you answered it, which also makes me think that some of the people who are probably watching or listening to this, does everyone need a security data lake?

Or is it at a certain [00:22:00] maturity? I feel like a single small startup company might be an overkill, but I don't know where do you stand cause obviously you mentioned you have your personal preference for how the gap should be filled. At what stage should someone consider a secure data lake?

Ariel Parnes: I don't have a specific formula for calculating it's the right time, but I would say it's a matter of maturity. The transition to the cloud, obviously the first need is to make sure that your posture is correct. And this is why the CSPM industry has evolved so much. But I think as soon as organizations start having a significant presence in the cloud.

And as soon as their business relies on cloud operationally, and as soon as the crown jewels are in the cloud, you need to address the question of what happens when the inevitable cyber attack happens. This is an approach, you can always say, okay, I'm going to invest 100 percent of my resources in preventing a cyber attack from happening.

But we are, veterans of the industry, we know that this is impossible. And so immediately when there is a level of maturity, when the [00:23:00] security team say, okay, now I need to make sure that I have a reasonable solution for responding, detecting and responding, not just preventing. This is where the question of having a security data lake starts to be relevant or security data lake for detection and response.

Ashish Rajan: So a security data lake for detection response cause you know how a lot of people at this point in time are not just in one cloud service provider, there are multiple cloud service providers these days. It's almost like uncommon to hear someone who's just using one cloud service provider.

Having a secure data lake, if it's available or not with the complexity of multiple cloud service providers does it make it easier or is it more like the same reason why a lot of people got their CSPM to start multiple cloud service providers at one point in time?

It was just initially AWS and no, like we want AWS, Azure; same with data lake as well. Do you find that task be also easier if we have multiple clouds and trying to manage incident response across the board?

Ariel Parnes: So I want to dive into what it means to have a security data lake, because we are talking about that.

But there is more than just the idea or the [00:24:00] concept of storage. When we talk about security data lake for the context of detection, investigation response, it is about understanding the information that the cloud vendors, be it infrastructure, platform or SaaS applications, generate and being able to understand how to use it for investigation.

So the security data lake is just the output of this kind of effort in understanding what data is needed, how this data tells the story, how can I get the data? How do I parse it and pre process it so that it will be useful when I need to detect and investigate? And how do I store it in a cost effective cost efficient way?

This is the depth behind the word security data lake, when I use it at least. Now, to your question, if I need to just be the expert of one type of cloud, or one type of source of data, let's say that I want to have a security data lake, and have all the forensic data for my Office 365. [00:25:00] So Office 365 has, I don't remember, three or four different sources of data.

All the trace logs and some other sources of data. So I need to be the expert of this, how these logs look, and how to collect them, and how to store them, and pre-process them. By the way, once I do that, Microsoft can easily change the way that telemetry looks, and I need to continue doing that.

So there is a huge effort. Now, if I wanna do that for Office 365 and Google Workspace, then the effort is bigger. And if I wanna do that, and for Salesforce and for Google, for GCP and Azure and AWS. The more I need to cover, the more I need the expertise in the logs. The more I need the research, the more I need to build the ability to collect the data, pre process it and store it.

So the simple answer to your question is yes, it's definitely more complicated or less complicated if I only focus on one specific cloud provider or application or platform.

Ashish Rajan: And to your point about the fact that Microsoft or Google or [00:26:00] even Amazon for that matter can decide to change the way the logging is done, goes back to what you were saying about the data security, is the output of what you want to be able to investigate rather than, Hey, I have collected all my logs in one location.

I'm glad you called it out because most people, and I'm sure I'm guilty of this as well in the past as well, when I hear data security, like I'm just thinking, Before my logs going to SIEM? They're not going to a data security lake. Why am I having both of them? But to your point, it's not, it's more for a deeper understanding, deeper visibility of it.

Based on what we have spoken about from a data security perspective to do security operations better in the cloud for leaders or VPs, directors who are listening to this conversation.

Yep. You sold me the idea that I can do security operations in the cloud better. What would be a good way to show ROI to the leaders for why is there a need for this, at least for me to even revisit this conversation?

Ariel Parnes: I think that there are two ways we focus on. Two ways to quantify the value of a solid security operation program.

The first and trivial one is time to respond, or, if we [00:27:00] go to the full flow, time to detect, investigate and respond. And this is very trivial, if it wasn't until a few months ago, thanks to the SEC and new rules that demand a certain period of time for us to report on cyber breaches, it is clear now.

The time is of the essence when something happens. As time goes by, the damage increases, the cost of the breach increases. And there are many researchers out there with figures and facts about the cost of a breach. So it's easy to find the multipliers.

And so the first metric would be time to respond. How quickly can I detect, investigate, and respond? And associating this time to risk and cost. So the faster you do that, the higher the ROI is going to be on your investment, because the damage of the incident is reduced, and more so again with the new regulation.

The other metric is the coverage. So if the first metric was how fast I can detect and respond, the other one is [00:28:00] how broad is my coverage or my ability to identify different types of attacks. One of the metrics that we use, and it's very common out there, is the MITRE ATT&CK framework as a tool to communicate coverage.

And so by showing coverage and by showing time to respond, you can create a formula or a way to present ROI in your investment in security operations, in a way that resonates with the concerns of the boards and management nowadays in the industry.

Ashish Rajan: I think we've been focusing on the tool side for some time, obviously, on the SIEM and security data lake and how to build security operation.

I feel like there's a skills part to it as well. People are listening in from our perspective, what you called out, that mean time to respond, mean time to detect. And just understand the landscape of how broad this thing is. It requires a certain kind of, I'm curious how much of the human element needs to be considered into this as well from a team perspective.

And because the goal here from at least based on our conversation so far is to overall improve how security operations is done in the [00:29:00] cloud. How important is the human factor here as well?

Ariel Parnes: Yeah, I think the human factor in cloud security is super important. It was always important in the industry.

We all live in this constant feeling that there is a gap in security skill sets out there or in personnel, but when it comes to the cloud, it's even more significant. And the reason is that cloud is new, so we don't have veterans in cloud security as we do in other areas of security, and even for us in Mitiga, when I need to hire investigators, there are only a few investigators that have the expertise or experience in the cloud, whereas there are many security experts with years of experience in on-prem. So the human factor is extremely important when it comes to cloud security operations. This is why we specifically in Mitiga realized that it's not enough to provide a product, because even if your product is great, there is always a need for someone to operate or use this product.

And this is where we are meeting the bottleneck in [00:30:00] the industry. And we decided, this is our decision, to provide not only a product, but also the human expertise to our customers. So our customers can use our product, but also if they need support in terms of SMEs, experts in the domain, they can press a button and get this layer of services on top of it.

I think the industry is going to that direction. I think there is no other way to close this gap. It's very hard for so many companies to hire cloud experts, it's easier for companies like Mitiga or others, we focus on that. And so security analysts that want to focus and want to do that for a living they're happy to be doing that in a company like Mitiga.

And this is where we try to find this combination of a product and a service to provide this comprehensive solution and augment the abilities of our customers with people as well.

Ashish Rajan: Awesome. And I've got one more question just to final one on this, because we've been focusing on how to improve the overall security operations in the cloud for people [00:31:00] who have listened in and watched this so far, are there any low hanging fruits that people can start building on or use to strengthen their cloud capabilities, maybe as an action point as they walk away from this conversation?

Ariel Parnes: I can give three bullets, but the first one is significantly more, I would say, easy to implement and valuable, cost effective: it is the tabletop exercise.

Organizations usually conduct tabletop exercises every once in a while. Tabletop is a very cost effective tool to raise awareness, identify gaps and trigger improvement plans. My strong recommendation is to conduct a tabletop exercise with focus on cloud, with injects or events that are related to the cloud. Also, I recommend bringing the cloud architects to the tabletop exercise. If you do these two things, I've seen that tens of times. If you do these two things, you conduct a tabletop exercise, you make sure that you generate an incident, an imaginary incident related to your cloud, and you bring the cloud [00:32:00] architect to the table, you will immediately be able to identify your main gaps, which will lead to the other two recommendations of mine, which require some more effort. The first one, assessing your visibility, is understanding what data you're collecting, how valuable this data is to detect, investigate and respond. This is the second bullet. And the third bullet is to build a readiness plan as a result of the visibility assessment and as a result of what you found in your tabletop exercise focused on cloud.

Ashish Rajan: Awesome. I love it. So that's most of the technical questions I had. I've got three non technical questions. First one being, what do you spend most time on when you're not working on improving the security operations in cloud world problems?

Ariel Parnes: I can talk about several things that I do in my spare time, but my real passion is music. Oh, I'm a musician. I played saxophone. I used to play the trumpet and other instruments. Oh, wow. Multiple instruments from a very young age. I was always surrounded by [00:33:00] instruments and playing.

And I've been lucky enough to play with great musicians around the world. Nowadays I'm so busy with cloud detection, investigation, response. I only have a limited time to invest in this passion of mine, but this is part of who I am. I'm also a musician. Wow.

Ashish Rajan: So saxophone, trumpet, what else do you play?

Ariel Parnes: I play the keyboard, sometimes guitar. Guitar was the first instrument I played.

Ashish Rajan: Okay. Four instruments. I need to find some inspiration for you. I think the only thing I have in response is, like, what, a harmonica someone gifted me. Oh, you've been there as well. Oh, okay. I need to up my game next time, Ariel.

All right. The second question then, what is something that you're proud of, but it's not on your social media?

Ariel Parnes: My family. Definitely. By far. My daughters, my wife. I'm so proud of them. I don't share that in social media, but I am extremely proud of who they are and who we are as a family.

Ashish Rajan: Awesome. I'll make sure I get this clip to your daughters as well, so they can actually see their dad talking about this.

All right. Final question. What is your favorite cuisine or restaurant that you can share with us?

Ariel Parnes: Oh, [00:34:00] Wow. You know what? I love every type of food, but since I was born in Argentina, I always go back to my origins with Argentinian food, specifically the asado, if you know what it is, which is the meat, the Argentinian meat.

It's an Argentinian barbecue. And it is not just about the food. It's about the memory. And my first 12 years growing up in Argentina.

Ashish Rajan: Wow. I was looking at the pictures over there. That looks pretty I'm going to try and find a hotel or a restaurant in London.

Ariel Parnes: Unless you are a vegetarian, which doesn't work in Argentina.

Ashish Rajan: Yeah, fair. Maybe you can have pineapple, I'm sure they'll be able to find an option for that as well. But Ariel, this is an awesome conversation. Thank you so much for coming on the show. Where can people find and connect with you after this to talk more about the whole security operations in the cloud world?

Ariel Parnes: So we can do that through my LinkedIn, through our website, mitiga.io, and social media, easy to connect. Ashish, thank you very much for this conversation. I really enjoyed that.

Ashish Rajan: Thank you for listening or watching this episode of Cloud Security Podcast. We have been running for the past five [00:35:00] years, so I'm sure we haven't covered everything cloud security yet. And if there's a particular cloud security topic that we can cover for you in an interview format on Cloud Security Podcast, or make a training video on tutorials on Cloud Security Bootcamp, definitely reach out to us on info at cloudsecuritypodcast.tv. By the way, if you're interested in AI and cybersecurity, as many cybersecurity leaders are, you might be interested in our sister podcast, which I run with former CSO of Robinhood, Caleb Sima, where we talk about everything AI and cybersecurity. How can organizations deal with cybersecurity on AI systems, AI platforms, whatever AI has to bring next as an evolution of ChatGPT, and everything else continues.

If you have any other suggestions, definitely drop them on info at CloudSecurityPodcast.tv. I'll drop that in the description and the show notes as well so you can reach out to us easily. Otherwise, I will see you in the next episode. Peace.
