Regulatory requirements are driving a spike in cloud forensics, says Darktrace

While Darktrace has been focused on its ActiveAI Security Platform, Mike Beck, Global CISO at Darktrace, believes regulatory requirements are driving a spike in demand for cloud forensics among organizations.

Darktrace recently announced a wave of innovations across its ActiveAI Security Platform to protect organizations from increasingly complex, multi-vector and novel attacks. While the innovations provide a new level of understanding across an organization’s digital footprint, the reality is that many businesses, especially in Asia, are still challenged in dealing with modern and evolved threats.

The increased adoption of AI by organizations has added complexity not only to managing cybersecurity but also to managing users, particularly how they handle data and which AI tools they use for work. Darktrace, as one of the early adopters of AI in cybersecurity, positions itself as well placed to help customers improve their security options in this environment.

Currently, the Darktrace ActiveAI Security Platform delivers a proactive approach to cyber resilience across the entire digital estate, from network to cloud to email. It provides pre-emptive visibility into the customer’s security posture, transforms operations with a Cyber AI Analyst, and detects and autonomously responds to threats in real time.

According to Mike Beck, Global CISO at Darktrace, conversations with customers in the US, Europe and Asia are largely focused on how CISOs can get to grips with AI agents, the use of AI in the everyday activities of their business, and foundation models reaching employees, and how that changes the way they think about security.

“For us at Darktrace, we've only ever built cybersecurity on top of machine learning and AI. It's what we started 12 years ago from Cambridge University, and we developed it out. And in those first five years, nobody believed you could use AI in machine learning, and now where we are today, right? I think for us, it's making sure that you can catch novel attacks,” said Beck.

For Beck, what has been proven over the last few years is that signature-based and heuristic-based defences give organizations a very good true-positive signal. But the reality is that attackers, especially at the APT level, can now bypass those defences very easily.

“I think a lot of the reason why our customers are using AI in their stack is to use AI to sniff out attackers hiding in normal activity. So, reusing credentials, reusing identity, being able to live off the land, being able to mimic IT teams, all of those sorts of attacks are really how APTs will play out. If somebody breaks through your outer defences, if they get through the WAF, they get through an identity check, they get through EDR, they conduct an EDR bypass, then they start to try and move laterally and do what they need to do. But they're not going to wave a massive flag to a signature-based attack. They're going to be stealthy,” explained Beck.

As such, Darktrace's innovation focus is spreading across the whole digital estate.

“Most of my conversations are around how the network and cloud are merging. I think that's everything I hear from people I've spoken to: unless you're in a government or defense contractor type of environment, it’s really that network and cloud are merging. And the attacker, if they get a physical point of presence, they're going to go through the O365 workspace; they're going to go into SharePoint, they're going to try and move between those places. So, for us, there's been a lot of R&D focus across the whole platform,” he added.

Beck also pointed out that cloud and email are big-ticket items right now for Darktrace as a lot of customers move to the cloud.

“So, for us, being able to look at the runtime environment, the posture of how DevOps are working in cloud, and being able to spot anomalies at runtime is becoming really important. The reality is that DevOps, they're really fast. Whereas in a traditional network space, IT teams were much more rigid in how they operated; DevOps moves super quick. So that shift as well is playing into the attacker's hands because it's really hard to use a signature-based or a heuristic-based approach in cloud. So, AI becomes far more important in that cloud space to spot how attackers are playing out in the runtime,” said Beck.

The rise in cloud forensics

At the same time, Beck believes that in the last couple of years most governments, financial institutions, manufacturers and healthcare companies have come to understand the importance of how they deal with a threat.

“There are a lot of frameworks nowadays. There are a lot of government frameworks that help kind of set standards and tones. I see CISOs very much aligning to that. For instance, our cloud forensics offering is heavily driven by regulation,” said Beck.

Beck pointed out that cloud forensics was not heavily sought after a year ago, but has suddenly become important because regulators are making it mandatory for organizations to be able to show, during an attack on ephemeral systems, what went up and down, what those systems did and what was lost.
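The requirement described above, reconstructing "what went up and down" after the workloads themselves are gone, can only be met from control-plane and audit logs once an instance has been terminated. The following is an added example, not code from the article or from Darktrace, that rebuilds instance lifecycles from constructed, simplified CloudTrail-style records (the field layout, the 15-minute evidence window and the list of "interesting" actions are assumptions for this illustration) and flags workloads that lived too briefly for any live acquisition to have been possible:

```python
"""Reconstruct ephemeral cloud workload lifecycles from audit-log events.

Added example, not Darktrace's code. Input records are constructed and
flattened: "eventTime"/"eventName" mirror CloudTrail naming, "actor" is the
principal that made the call, and "instanceId" is the target instance for
RunInstances/TerminateInstances or, for other calls, the instance whose role
credentials performed them. Real logs need the fields extracted first.
"""
from datetime import datetime, timedelta, timezone

# Below this lifetime a workload is treated as too short-lived for live
# acquisition; the only evidence left is the log trail (threshold assumed).
EVIDENCE_WINDOW = timedelta(minutes=15)

# Data-plane calls worth listing in the reconstruction (assumed set).
INTERESTING = {"GetObject", "ListBuckets", "GetSecretValue", "AssumeRole"}

# Constructed sample events (not real log data).
SAMPLE_EVENTS = [
    {"eventTime": "2024-05-01T10:00:00Z", "eventName": "RunInstances",
     "actor": "user/ci-deploy", "instanceId": "i-0aaa"},
    {"eventTime": "2024-05-01T10:03:10Z", "eventName": "AssumeRole",
     "actor": "role/build-runner", "instanceId": "i-0aaa"},
    {"eventTime": "2024-05-01T10:04:00Z", "eventName": "ListBuckets",
     "actor": "role/build-runner", "instanceId": "i-0aaa"},
    {"eventTime": "2024-05-01T10:05:30Z", "eventName": "GetObject",
     "actor": "role/build-runner", "instanceId": "i-0aaa",
     "resource": "customer-exports/2024-04.csv"},
    {"eventTime": "2024-05-01T10:07:00Z", "eventName": "TerminateInstances",
     "actor": "role/build-runner", "instanceId": "i-0aaa"},
    {"eventTime": "2024-05-01T09:00:00Z", "eventName": "RunInstances",
     "actor": "user/ci-deploy", "instanceId": "i-0bbb"},
    {"eventTime": "2024-05-01T11:30:00Z", "eventName": "TerminateInstances",
     "actor": "user/ci-deploy", "instanceId": "i-0bbb"},
    {"eventTime": "2024-05-01T11:45:00Z", "eventName": "RunInstances",
     "actor": "user/ci-deploy", "instanceId": "i-0ccc"},
]


def _ts(value):
    """Parse the ISO-8601 UTC timestamps used in the sample records."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def reconstruct(events):
    """Return {instanceId: timeline} built from the events in time order."""
    timelines = {}
    for ev in sorted(events, key=lambda e: _ts(e["eventTime"])):
        t = timelines.setdefault(ev["instanceId"], {
            "launched_at": None, "launched_by": None,
            "terminated_at": None, "terminated_by": None,
            "actions": [], "self_terminated": False,
        })
        name, when = ev["eventName"], _ts(ev["eventTime"])
        if name == "RunInstances":
            t["launched_at"], t["launched_by"] = when, ev["actor"]
        elif name == "TerminateInstances":
            t["terminated_at"], t["terminated_by"] = when, ev["actor"]
            # The instance role tearing down its own host after data access is
            # a pattern that also destroys the host-side evidence.
            t["self_terminated"] = any(a["actor"] == ev["actor"] for a in t["actions"])
        elif name in INTERESTING:
            t["actions"].append({"at": when, "actor": ev["actor"],
                                 "action": name, "resource": ev.get("resource")})
    for t in timelines.values():
        if t["launched_at"] and t["terminated_at"]:
            t["lifetime"] = t["terminated_at"] - t["launched_at"]
        else:
            t["lifetime"] = None  # still running, or launch predates log retention
        t["too_short_for_live_acquisition"] = (
            t["lifetime"] is not None and t["lifetime"] < EVIDENCE_WINDOW)
    return timelines


def report(timelines):
    """Plain-text timeline summary for an incident write-up."""
    lines = []
    for iid, t in sorted(timelines.items()):
        state = "still running" if t["terminated_at"] is None else f"lived {t['lifetime']}"
        flag = " [log-only evidence]" if t["too_short_for_live_acquisition"] else ""
        lines.append(f"{iid}: {state}{flag}; launched by {t['launched_by']}, "
                     f"terminated by {t['terminated_by']}"
                     f"{' (self-terminated)' if t['self_terminated'] else ''}")
        for a in t["actions"]:
            lines.append(f"    {a['at'].isoformat()} {a['actor']} {a['action']} "
                         f"{a['resource'] or ''}".rstrip())
    return "\n".join(lines)


if __name__ == "__main__":
    print(report(reconstruct(SAMPLE_EVENTS)))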

“You need to have cloud forensics now. It's starting to become a standardized component. So I think when you look at how organizations are thinking about how they build those things together, I think a lot of it is coming from the standard set from the top, from regulatory bodies that are becoming much better at thinking about what those threat actors are going to do, how they're going to look at what's been taken, how are they going to do risk assessment on data or processes that have gone down,” explained Beck.

He also sees CISOs very much welcoming this, because it sets the tone, especially when they need to go to board level to get budget. Because the topic is now framed in the context of regulatory requirements and what governing bodies are doing, it becomes a more important conversation with the board.

In September this year, Darktrace unveiled the Darktrace / Forensic Acquisition & Investigation tool, which the company says transforms cloud investigations by capturing, processing and analyzing forensic evidence from cloud workloads instantly, even from time-restricted ephemeral resources. Triggered by a detection from any cloud security tool, the entire process is automated, and Darktrace claims it provides accurate root-cause analysis and deep insight into attacker behaviour in minutes rather than days or weeks.

Cybersecurity in Asia

Echoing Beck’s sentiments is Sumit Bansal, Darktrace’s Asia VP. For Bansal, what is interesting about the Asian region is the level of cyber maturity, which varies both by country and by market segment.

Bansal explained that in conversations with customers he has found that banks and financial services firms have a more mature understanding of what the threats are and how to mitigate them.

“Whereas if you go down to manufacturing and other industries which are not critical, they have less understanding of what the threats are and are probably more tolerant of that if a breach happens. Whereas critical infrastructure industries, like banks, telcos and utilities, are much more aware of what the risks out there are, and there's always something in the news about a breach happening,” said Bansal.

He also pointed out that, from a geopolitical point of view, allies of the UK and US are currently being targeted in this region. Their cyber resilience has therefore been under stress, and that is something Darktrace hopes to address with many of these customers and with government agencies.

“Us being a UK origin company, even the UK High Commission is getting involved and helping us connect with the right people in the critical industries to help them,” said Bansal.

An interesting point Beck also highlighted is that Darktrace holds FedRAMP authorization in the US, which he described as a high level of approval. This means Darktrace products can be sold to the US federal government.

“I think that has changed a lot of our government conversations globally because a lot of companies including UK-based ones, will follow the lead on how the US government is thinking about cyber defence. So that's been useful to us as well on the innovation side, being able to sell into the US government,” he added.