When agile cyber-attackers don’t stop, but pivot  

When he first joined this leading financial services provider, it was clear to the CISO that email security needed to be a top priority. The organization provides transfer services to millions of consumers via a network of thousands of agent locations across the US. Those agents are connected to hundreds of thousands of global payers to complete consumer transfers, ranging from leading financial institutions to small local businesses.

With this vast network of agents and payers, the provider relies on email as its primary communications channel. Transmitting billions of dollars every year, the organization is a prime target for cyber criminals looking to steal credentials, financial assets, and sensitive data.

Vulnerable to attacks with gaps in email security and visibility

The CISO discovered that employees were under constant attack by phishing emails impersonating his company’s own executives. The business email compromise (BEC) attacks were designed to deceive employees into sharing credentials or clicking on malicious links.

Upon discovering that their Microsoft 365 tenant lacked secure configuration, the CISO implemented necessary changes to strengthen the service, including enabling authentication controls. While his efforts significantly reduced BEC attacks, cyber criminals changed their tactics, sending employees malicious phishing emails from seemingly valid email accounts from trusted domains like Google and Yahoo. The emails passed through the organization’s native email filters without detection.

The CISO also sought to strengthen defenses against third-party supply chain attacks that could originate with any of the hundreds of thousands of third-party agents and payers the company works with around the world. While the larger institutions typically have sophisticated email security strategies in place, the smaller businesses may lack the cybersecurity expertise needed to effectively secure and manage their data, putting the organization at risk.

While the CISO knew the company was vulnerable to phishing and third-party threats, he didn’t have visibility across the flow of email. Without access to key metrics and valuable data, he couldn’t get the crucial insights needed to quickly identify possible threats and adjust security protocols.  

Skilled analysts bogged down with low-level tasks

Like many enterprise organizations, this leading financial services provider relied on a crew of highly skilled analysts to respond to alerts and analyze and triage emails most of their workday. “That shouldn’t be how we operate,” said the CISO. “My role and the role of my staff should be to focus on more strategic projects, support the business, and work on important new product development.”

Balancing user experience with mitigating threats

Enabling greater email security measures without negatively impacting the business, user experience, and customer satisfaction was a daunting challenge the CISO and his security team faced. Imposing restrictions that are too stringent could restrict communication, delay the delivery of important messages, or block legitimate emails – potentially slowing down money transfers, frustrating customers, affecting employee productivity, and impacting revenue. However, maintaining controls that are too permissive could result in serious outcomes like data theft, financial fraud, operational disruption, compliance penalties, and customer attrition.  

Self-Learning AI is a game changer

After conducting a thorough POC with several modern security solution providers, this global financial services provider chose the Darktrace / EMAIL an AI-driven email security platform. The CISO said they chose the solution for two key reasons:

First, Darktrace / EMAIL offers modern capabilities

• Self-Learning AI uses business data to recognize anomalies in communication patterns and user behavior to stop known and unknown threats
• Secures the organization’s entire mailflow across all inbound, outbound, and lateral email
• Protects against account takeover attacks by identifying subtle anomalies in cloud SaaS
• Catches sophisticated threats like impersonations, session token misuse, adversary-in-the-middle attacks, credential theft, and data exfiltration

Second, they pointed to Darktrace’s experience, innovation, and expertise

• Deep cybersecurity and industry knowledge
• Demonstrated customers successes worldwide
• At the forefront of innovation and research, establishing new thresholds in cybersecurity, with technology advances backed by over 200 patents and pending applications

Moreover, and most importantly, this organization trusted Darktrace to deliver on its promises.  And according to the CISO, that’s just what happened.

Significantly reduced phishing threats and business risk

Since implementing Darktrace / EMAIL, the threat posed by BEC attacks has dropped sharply. “Phishing is not an issue that concerns me anymore. I estimate we are now identifying and blocking more than 85% of threats our previous solution was missing,” said the CISO. The biggest factor contributing to this success? The power of AI.

With Darktrace / EMAIL, this leadingglobal financial services provider is identifying and blocking more than 85% ofthe phishing email threats its previous solution missed.

AI wasn’t originally on the financial service provider’s list of criteria. But after seeing AI in action and understanding its potential to vastly scale their detection and response capabilities–without adding headcount, the CISO determined AI wasn’t an option but an imperative. “AI is essential when it comes to email security, it’s an absolute necessity,” he said.  

Darktrace / EMAIL’s Self-Learning AI is uniquely powerful because it learns the content and context of every internal and external user and can spot the subtle differences in behavioral patterns that point to possible social engineering attacks. Through patented behavioral anomaly detection, Darktrace / EMAIL continuously learns about the organization’s business and users, based on its own operations and data, adjusting security protocols accordingly.  

For example, when clients are transferring large amounts of money, they are required to send photos of their driver’s licenses and passports via email to the organization for verification – accounting for a large percentage of its’ inbound email. Darktrace / EMAIL recognizes that it’s normal for customers to send this sensitive information, and it also knows that it’s not normal for that same sensitive information to leave the organization via outbound mail. In addition, Darktrace identifies patterns in user behavior, including who employees communicate with and what kind of information they share. When user behavior falls outside of established norms, such as an email sent from the CFO to employees the CEO would not typically communicate with, Darktrace can take the appropriate action to remove the threat.  

“After the implementation, we gave the solution two weeks to ingest our data and learn the specifics of our business. After that, it was perfect, just amazing,” said the CISO.  

Boosted team productivity and elevated value to the business

With Darktrace / EMAIL, the organization has successfully scaled its detection and response efforts without scaling personnel. The security team has reduced the number of emails requiring manual investigation by 90%. And because analysts now have the benefit of Darktrace / EMAIL’s analytics and reporting, the investigation process is much easier and faster. “The impact of this solution on my team has been very positive,” said the CISO. “Darktrace / EMAIL essentially manages itself, freeing up time for our skilled analysts–and for myself–to focus on more important projects.”  

The security team has scaled its detection and response efforts without scaling personnel,reducing the number of emails it manually investigates by 90%

Increased visibility delivers business-critical insights

You can’t control what you can’t see, and with zero visibility into critical data and metrics, this financial services provider was at a serious disadvantage. That has all changed. “Something that I love about Darktrace / EMAIL is the visibility that it provides into key metrics from a single dashboard. We can now understand the behavior of our email flow and data traffic and can make insight-driven decisions to continuously optimize our email security. It’s awesome,” said the CISO.  

An efficient user interface also improves productivity and reduces mean time to action by enabling teams to easily visualize key data points and quickly evaluate what actions need to be taken. Darktrace / EMAIL was developed with that experience in mind, allowing users to access data and take quick action without having to constantly log into the solution.

Keeping the business focused on cybersecurity

The leadership of this global organization takes information security very seriously, understanding that cyber-attacks aren’t just an IT problem but a business problem. When it came to evaluating Darktrace, the CISO said numerous stakeholders were involved including C-level executives, infrastructure, and IT, which operates separately from information security. The CISO initially identified the need, conducted the market research, engaged the target vendors, and then brought the other decision makers into the process for the solution evaluation and final decision. “Our IT group, infrastructure team, CTO and CEO are all involved when it comes to making major cybersecurity investments. We always try to make these decisions jointly to ensure we are taking everything into consideration.”

The organization has reached a higher level of maturity when it comes to email cybersecurity. The ability to automate routine email detection and investigation tasks has both strengthened the organization’s cyber resilience and enabled the CISO and his team to contribute more to the business. His advice for other IT leaders facing the same email security and visibility challenges he once experienced: “For those companies that need greater insight and control over their email but have limited resources and people, AI is the answer.”  

Secure Your Inbox with Cutting-Edge AI Email Protection

Discover the most advanced cloud-native AI email security solution to protect your domain and brand while preventing phishing, novel social engineering, business email compromise, account takeover, and data loss.

• Gain up to 13 days of earlier threat detection and maximize ROI on your current email security
• Experience 20-25% more threat blocking power with Darktrace / EMAIL
• Stop the 58% of threats bypassing traditional email security

‍

The rapid adoption of cloud technologies has brought significant security challenges for organizations of all sizes. According to recent studies, over 70% of enterprises now operate in hybrid or multi-cloud environments, with 93% employing a multi-cloud strategy^[1]. This complexity requires robust security tools, but opinions vary on the best deployment method—agent-based, agentless, or a combination of both.

Agent-based and agentless cloud security approaches offer distinct benefits and limitations, and organizations often make deployment choices based on their unique needs depending on the function of the specific assets covered, the types of data stored, and cloud architecture, such as hybrid or multi-cloud deployments.

For example, agentless solutions are increasingly favored for their ease of deployment and ability to provide broad visibility across dynamic cloud environments. These are especially useful for DevOps teams, with 64% of organizations citing faster deployment as a key reason for adopting agentless tools^[2].

On the other hand, agent-based solutions remain the preferred choice for environments requiring deep monitoring and granular control, such as securing sensitive high-value workloads in industries like finance and healthcare. In fact, over 50% of enterprises with critical infrastructure report relying on agent-based solutions for their advanced protection capabilities^[3].

As the debate continues, many organizations are turning to combined approaches, leveraging the strengths of both agent-based and agentless tools to address the full spectrum of their security needs for comprehensive coverage. Understanding the capabilities and limitations of these methods is critical to building an effective cloud security strategy that adapts to evolving threats and complex infrastructures.

Agent-based cloud security

Agent-based security solutions involve deploying software agents on each device or system that needs protection. Agent-based solutions are great choices when you need in-depth monitoring and protection capabilities. They are ideal for organizations that require deep security controls and real-time active response, particularly in hybrid and on-premises environments.

Key advantages include:

1. Real-time monitoring and protection: Agents detect and block threats like malware, ransomware, and anomalous behaviors in real time, providing ongoing protection and enforcing compliance by continuously monitoring workload activities.  Agents enable full control over workloads for active response such as blocking IP addresses, killing processes, disabling accounts, and isolating infected systems from the network, stopping lateral movement.

2. Deep visibility for hybrid environments: Agent-based approaches allow for full visibility across on-premises, hybrid, and multi-cloud environments by deploying agents on physical and virtual machines. Agents offer detailed insights into system behavior, including processes, files, memory, network connections, and more, detecting subtle anomalies that might indicate security threats. Host-based monitoring tracks vulnerabilities at the system and application level, including unpatched software, rogue processes, and unauthorized network activity.

3. Comprehensive coverage: Agents are very effective in hybrid environments (cloud and on-premises), as they can be installed on both physical and virtual machines.  Agents can function independently on each host device onto which they are installed, which is especially helpful for endpoints that may operate outside of constant network connectivity.

Challenges:

1. Resource-intensive: Agents can consume CPU, memory, and network resources, which may affect performance, especially in environments with large numbers of workloads or ephemeral resources.

2. Challenging in dynamic environments: Managing hundreds or thousands of agents in highly dynamic or ephemeral environments (e.g., containers, serverless functions) can be complex and labor-intensive.

3. Slower deployment: Requires agent installation on each workload or instance, which can be time-consuming, particularly in large or complex environments.  

Agentless cloud security

Agentless security does not require software agents to be installed on each device. Instead, it uses cloud infrastructure and APIs to perform security checks. Agentless solutions are highly scalable with minimal impact on performance, and ideal for cloud-native and highly dynamic environments like serverless and containerized. These solutions are great choices for your cloud-native and multi-cloud environments where rapid deployment, scalability, and minimal impact on performance are critical, but response actions can be handled through external tools or manual processes.

Key advantages include:

1. Scalability and ease of deployment: Because agentless security doesn’t require installation on each individual device, it is much easier to deploy and can quickly scale across a vast number of cloud assets. This approach is ideal for environments where resources are frequently created and destroyed (e.g., serverless, containerized workloads), as there is no need for agent installation or maintenance.

2. Reduced system overhead: Without the need to run local agents, agentless security minimizes the impact on system performance. This is crucial in high-performance environments.

3. Broad visibility: Agentless security connects via API to cloud service providers, offering near-instant visibility and threat detection. It provides a comprehensive view of your cloud environment, making it easier to manage and secure large and complex infrastructures.

Challenges

1. Infrastructure-level monitoring: Agentless solutions rely on cloud service provider logs and API calls, meaning that detection might not be as immediate as agent-based solutions. They collect configuration data and logs, focusing on infrastructure misconfigurations, identity risks, exposed resources, and network traffic, but lack visibility and access to detailed, system-level information such as running processes and host-level vulnerabilities.

2. Cloud-focused: Primarily for cloud environments, although some tools may integrate with on-premises systems through API-based data gathering. For organizations with hybrid cloud environments, this approach fragments visibility and security, leading to blind spots and increasing security risk.

3. Passive remediation: Typically provides alerts and recommendations, but lacks deep control over workloads, requiring manual intervention or orchestration tools (e.g., SOAR platforms) to execute responses. Some agentless tools trigger automated responses via cloud provider APIs (e.g., revoking permissions, adjusting security groups), but with limited scope.

Combined agent-based and agentless approaches

A combined approach leverages the strengths of both agent-based and agentless security for complete coverage. This hybrid strategy helps security teams achieve comprehensive coverage by:

• Using agent-based solutions for deep, real-time protection and detailed monitoring of critical systems or sensitive workloads.
• Employing agentless solutions for fast deployment, broader visibility, and easier scalability across all cloud assets, which is particularly useful in dynamic cloud environments where workloads frequently change.

The combined approach has distinct practical applications. For example, imagine a financial services company that deals with sensitive transactions. Its security team might use agent-based security for critical databases to ensure stringent protections are in place. Meanwhile, agentless solutions could be ideal for less critical, transient workloads in the cloud, where rapid scalability and minimal performance impact are priorities. With different data types and infrastructures, the combined approach is best.

Best of both worlds: The benefits of a combined approach

The combined approach not only maximizes security efficacy but also aligns with diverse operational needs. This means that all parts of the cloud environment are secured according to their risk profile and functional requirements. Agent-based deployment provides in-depth monitoring and active protection against threats, suitable for environments requiring tight security controls, such as financial services or healthcare data processing systems. Agentless deployment complements agents by offering broader visibility and easier scalability across diverse and dynamic cloud environments, ideal for rapidly changing cloud resources.

There are three major benefits from combining agent-based and agentless approaches.

1. Building a holistic security posture: By integrating both agent-based and agentless technologies, organizations can ensure that all parts of their cloud environments are covered—from persistent, high-risk endpoints to transient cloud resources. This comprehensive coverage is crucial for detecting and responding to threats promptly and effectively.

2. Reducing overhead while boosting scalability: Agentless systems require no software installation on each device, reducing overhead and eliminating the need to update and maintain agents on a large number of endpoints. This makes it easier to scale security as the organization grows or as the cloud environment changes.

3. Applying targeted protection where needed: Agent-based solutions can be deployed on selected assets that handle sensitive information or are critical to business operations, thus providing focused protection without incurring the costs and complexity of universal deployment.

Use cases for a combined approach

A combined approach gives security teams the flexibility to deploy agent-based and agentless solutions based on the specific security requirements of different assets and environments. As a result, organizations can optimize their security expenditures and operational efforts, allowing for greater adaptability in cloud security use cases.

Let’s take a look at how this could practically play out. In the combined approach, agent-based security can perform the following:

1. Deep monitoring and real-time protection:

• Workload threat detection: Agent-based solutions monitor individual workloads for suspicious activity, such as unauthorized file changes or unusual resource usage, providing high granularity for detecting threats within critical cloud applications.
• Behavioral analysis of applications: By deploying agents on virtual machines or containers, organizations can monitor behavior patterns and flag anomalies indicative of insider threats, lateral movement, or Advanced Persistent Threats (APTs).
• Protecting high-sensitivity environments: Agents provide continuous monitoring and advanced threat protection for environments processing sensitive data, such as payment processing systems or healthcare records, leveraging capabilities like memory protection and file integrity monitoring.

2. Cloud asset protection:

• Securing critical infrastructure: Agent-based deployments are ideal for assets like databases or storage systems that require real-time defense against exploits and ransomware.
• Advanced packet inspection: For high-value assets, agents offer deep packet inspection and in-depth logging to detect stealthy attacks such as data exfiltration.
• Customizable threat response: Agents allow for tailored security rules and automated responses at the workload level, such as shutting down compromised instances or quarantining infected files.

At the same time, agentless cloud security provides complementary benefits such as:

1. Broad visibility and compliance:‍

• Asset discovery and management: Agentless systems can quickly scan the entire cloud environment to identify and inventory all assets, a crucial capability for maintaining compliance with regulations like GDPR or HIPAA, which require up-to-date records of data locations and usage.
• Regulatory compliance auditing and configuration management: Quickly identify gaps in compliance frameworks like PCI DSS or SOC 2 by scanning configurations, permissions, and audit trails without installing agents. Using APIs to check configurations across cloud services ensures that all instances comply with organizational and regulatory standards, an essential aspect for maintaining security hygiene and compliance.
• Shadow IT Detection: Detect and map unauthorized cloud services or assets that are spun up without security oversight, ensuring full inventory coverage.

2. Rapid environmental assessment:

• Vulnerability assessment of new deployments: In environments where new code is frequently deployed, agentless security can quickly assess new instances, containers, or workloads in CI/CD pipelines for vulnerabilities and misconfigurations, enabling secure deployments at DevOps speed.
• Misconfiguration alerts: Detect and alert on common cloud configuration issues, such as exposed storage buckets or overly permissive IAM roles, across cloud providers like AWS, Azure, and GCP.
• Policy enforcement: Validate that new resources adhere to established security baselines and organizational policies, preventing security drift during rapid cloud scaling.

Combining agent-based and agentless approaches in cloud security not only maximizes the protective capabilities, but also offers flexibility, efficiency, and comprehensive coverage tailored to the diverse and evolving needs of modern cloud environments. This integrated strategy ensures that organizations can protect their assets more effectively while also adapting quickly to new threats and regulatory requirements.

Darktrace offers complementary and flexible deployment options for holistic cloud security

Powered by multilayered AI, Darktrace / CLOUD is a Cloud Detection and Response (CDR) solution that is agentless by default, with optional lightweight, host-based server agents for enhanced real-time actioning and deep inspection. As such, it can deploy in cloud environments in minutes and provide unified visibility and security across hybrid, multi-cloud environments.

With any deployment method, Darktrace supports multi-tenant, hybrid, and serverless cloud environments. Its Self-Learning AI learns the normal behavior across architectures, assets, and users to identify unusual activity that may indicate a threat. With this approach, Darktrace / CLOUD quickly disarms threats, whether they are known, unknown, or completely novel. It then accelerates the investigation process and responds to threats at machine speed.

Learn more about how Darktrace / CLOUD secures multi and hybrid cloud environments in the Solution Brief.

References:

1. Flexera 2023 State of the Cloud Report

2. ESG Research 2023 Report on Cloud-Native Security

3. Gartner, Market Guide for Cloud Workload Protection Platforms, 2023