In this article:
- The limits of traditional security tools: Legacy on-premises and point solutions fail to protect dynamic, ephemeral cloud environments, leaving dangerous visibility gaps in detection, response, and forensics.
- A need for unified security: Effective cloud protection requires an integrated, cloud-native platform that unites real-time detection, automated response, forensic investigation, and proactive exposure management, built to operate at cloud speed and scale.
It's no secret that cloud computing creates environments that are fundamentally different from on-premises network architectures and endpoint deployments.
In the cloud, servers, databases and other assets can be spun up or wound down in a matter of minutes. Architectures can be completely restructured in a couple of hours. Web and SaaS applications live online, and the only software that needs updating is the browser used to access them.
So then why do organizations continue to use tools designed for on-prem environments when scanning, analyzing, and securing cloud assets? Why are point solutions applied to different aspects of cloud computing, when the entire cloud or hybrid environment should be viewed holistically?
And how can digital forensics and incident response (DFIR) tools, designed to painstakingly image physical disks, be expected to properly collect evidence from ephemeral cloud assets that may disappear at any moment?
The straight truth is: On-prem scanning, detection, remediation and investigation tools are at best an awkward fit for cloud environments. Meanwhile, the coverage gaps between point solutions, even cloud-native ones, ensure that some data, evidence, misconfigurations and vulnerabilities will fall through the cracks.
The solution is to implement a cloud-based, cloud-native unified solution that brings together continuous monitoring and anomaly detection, rapid response and remediation, instantaneous forensic collection and analysis, and proactive exposure detection and risk reduction.
"Just as security teams once had to evolve beyond basic firewalls and antivirus into network and endpoint detection, response, and forensics," writes Adam Stevens, Senior Director of Product, Cloud at Darktrace in a recent blog post, "cloud security now requires its own next era: one that unifies detection, response, and investigation at the speed and scale of the cloud."
Why point solutions and traditional DFIR don't work for the cloud
In a recent survey commissioned by Darktrace of 300 organizations across the United States and United Kingdom that used public cloud service providers, 89% of respondents said they had suffered damage before they were able to contain and investigate cloud-based breaches.
Eighty-two percent said they used multiple tools when performing forensic investigations on cloud-based threats.
That may be because they're using the wrong tools, argues Darktrace Director of Product Management Paul Bottomley in another blog post.
"Traditional DFIR tools were built for static, on-prem environments, rather than dynamic and highly scalable cloud environments, containing ephemeral workloads that disappear in minutes," Bottomley points out.
"The result," he adds, "is a broken model: alerts are closed without a complete understanding of the threat due to a lack of visibility and control, investigations drag on, and attackers retain the upper hand."
This goes beyond incident response, writes his colleague Stevens.
"Most tools still rely on traditional models of logging, policy enforcement, and posture management," Stevens says, adding that these are "approaches that provide surface-level visibility but lack the depth to detect or investigate active attacks."
That's a near-guarantee that an organization won't be able to keep up with innovative attackers who are "exploiting vulnerabilities, delivering cloud-native exploits, and moving laterally in ways that posture management alone cannot catch fast enough," Stevens adds, even as "SOC teams are left buried in alerts without actionable context."
The difference a unified solution can make
An answer to these problems may be a single cloud-native platform such as Darktrace/CLOUD, Stevens argues.
"What's needed," he writes, "is a unified approach that combines real-time detection and response for active threats with automated investigation and cloud posture management in a single workflow."
The idea, Stevens explains, is to cover all aspects of cloud security, from proactive discovery of misconfigurations and vulnerabilities to reactive threat detection, remediation and forensic analysis — all of which can be augmented by automation and AI.
For example, the Darktrace platform's threat-detection feature promises to spot "enumeration and probing activity post-compromise," "suspicious attempts to gain elevated access" and "crypto mining or spam operations," while the proactive scanning "provides deep visibility into cloud workloads."
Another useful feature among such platforms might be cloud topology mapping, which can be used to create a model of the client's cloud environment. That, in turn, can serve as a baseline against which anomalous behavior can be compared. The model can also be used to trace potential and post-incident attack paths.
AI-based analysis could likewise observe network activity to create a picture of normal behavior so that aberrant actions might more easily stand out.
Tracking down every trace of the intruders
The automated investigation and DFIR aspects of Darktrace's cloud platform can also be obtained as a stand-alone product called Darktrace/Forensic Acquisition & Investigation, which integrates with other providers' SIEM, SOAR and XDR tools as well as Darktrace's own.
An automated cloud-specific DFIR product, once it's triggered by an alert, should be able to quickly capture data from cloud assets before they disappear, and then process and analyze that evidence.
Ideally, it should also work with the Big Three cloud service providers — Amazon Web Services, Google Cloud Platform and Microsoft Azure — as well as Kubernetes and OpenShift containers, SaaS providers such as Microsoft 365, Microsoft Entra ID, and Google Workspace, and hybrid and on-prem environments.
With Darktrace's own automated cloud forensic analysis tool, writes Bottomley, "SOC and DFIR teams no longer have to rely on manual processes, snapshots, or external responders. They can now leverage the scale and elasticity of the cloud to accelerate triage and investigations."
Stevens argues that in total, a unified cloud security platform "delivers a more holistic approach to cloud defense, uniting real-time detection, response, and investigation with proactive risk reduction."
"The result," he adds, "is a single solution that helps security teams stay ahead of attackers while reducing complexity and blind spots."