Crystal Morin, Senior Cybersecurity Strategist at Sysdig, explains how defenders can secure cloud-native environments and adapt to an increasingly complex digital battlefield. Morin brings over a decade of intelligence and defense experience, spanning the U.S. Air Force and Utah Air National Guard.
She advocates real-time detection and reiterates that operating with an ‘assume breach’ mindset would help defenders stay proactive. With each cyber incident, security teams must refine their tools, processes, and playbooks to improve speed and resilience.
Morin aptly sums it up: the goal of AI is to free defenders so they can focus on higher-value, human-driven decisions.
Discover how real-time visibility, automation, and an “assume breach” mindset redefine cloud defense.
Vishwa: Modern attacks unfold in minutes while enterprise defenses still react in hours. How can organizations realistically close this speed gap to prevent small intrusions from escalating into full cloud breaches?
Crystal: Cloud workloads are ephemeral and autonomous, meaning there is only a small window for security teams to detect activity and respond before a threat moves or disappears with their data.
Operating with an “assume breach” mindset helps keep defenders alert and proactive. It also means that organizations must monitor and detect at runtime, in real time.
The 555 Benchmark for Cloud Detection and Response is based on real cloud attacks analyzed by the Sysdig Threat Research Team. It encourages defenders to stay ahead of threats and minimize the potential blast radius by moving from detection and triage to response in 10 minutes or less.
Unfortunately for teams operating in days or hours, their data is likely long gone. Manual hand-offs from alert and ticket to analysis and response introduce dangerous delays.
Closing the human latency gap requires integrated real-time security tooling and automation – or at least semi-automated processes – to accelerate security actions.
Vishwa: Many cloud security platforms fail to match the pace of today’s threats. What structural or architectural limitations keep detection and response cycles so far behind attacker speed?
Crystal: Legacy processes like static vulnerability scanning, as well as periodic log aggregation, asset discovery, and misconfiguration checks, are useful but insufficient when working with cloud-native speeds. IOC-based and centralized detection analytics must evolve into behavioral detections that identify attacks as data is processed and moved.
Siloed data between tools adds roadblocks as well. Today’s cloud-native environments require integrated security stacks. Data must also be correlated in real time for cloud-native visibility, which requires runtime monitoring.
Ultimately, modern security is a team sport that requires timely collaboration across developer, security, operations, and executive teams.
Vishwa: Data breaches often start small and then widen as new data exposure is uncovered days later. What specific incident-response practices or technologies can compress this window and stop escalation early?
Crystal: With an “assume breach” mindset and the right proactive strategies, organizations can shrink the blast radius before an attack even happens. Businesses should build, maintain, and rehearse well-defined incident playbooks for common techniques, like credential abuse, lateral movement, and resource consumption.
Tabletop drills also don't have to be time-consuming to help teams establish the tempo required for incident response in the cloud.
It’s also crucial for teams to leverage automation and AI wherever possible to help speed up triage and context enrichment, and to initiate containment or isolation.
Vishwa: Faster detection often depends on automated triage. Are AI-driven or real-time behavioral analytics tools now capable of matching attacker velocity? How should enterprises decide where to integrate them?
Crystal: Attackers can spin up hundreds of cryptomining instances in a very small window, and real-time behavioral detections can equip teams to detect that change at speed. AI-driven detection has become increasingly capable, and some tools can even reduce noise and surface priorities more effectively than the manual analysis and triage process.
For example, customers using our agentic AI analyst, Sysdig Sage, have reduced their mean time to respond by 76%. With that said, AI is only as powerful as the data on which it’s built. That needs to be a key consideration when choosing where and how to integrate AI-driven processes, and which AI tools to use.
There’s ample application for these AI tools where manual processes are tedious, employees are limited or burning out, or there are bottlenecks. The goal for AI, as I see it, is to free people up to focus on high-value requirements.
Vishwa: From an organizational standpoint, what cultural and operational factors most influence how quickly an organization can detect, contain, and respond to security incidents?
Crystal: The way that organizations approach risk prioritization, continuous improvement, and collaboration is central to improving the speed of threat detection and response.
Organizations that prioritize finding and fixing the risks that matter most for their operations and security accelerate remediation and contain potential damage. Likewise, every incident should lead teams to refine their tools, processes, and playbooks so they can maximize efficiency and speed.
Also, organizations that encourage security collaboration and share priorities move faster and respond more effectively when it matters most.
After all, security is a responsibility that falls on everyone’s shoulders – not just the security team’s.
Vishwa: Many cloud protection tools still run on outdated monitoring schedules. From your firsthand observations, why do these legacy models persist? What practical steps can accelerate modernization?
Crystal: Legacy tools persist because they are comfortable and familiar. Organizations often see changing a tech stack as a more challenging endeavor than it's worth, so they choose to build their cloud security programs around existing tools. Budget, staffing, and skill limitations can also contribute to a board's or executives’ perceived risk of modernization.
To accelerate modernization, organizations should put the reins in the hands of technical leaders who can properly prioritize risks, adopt the right tools, and establish measurable targets based on benchmarks.
These benchmarks can all be lifted and shifted over a phased transition plan, too. It’s incumbent upon those technical leaders, however, to build influence and trust across their organization so they can influence change.
Vishwa: Between those first two minutes and the two-hour mark, what chain of detection, escalation, and containment actions typically occurs? What additional insights or trends has Sysdig uncovered in that response window?
Crystal: An attack typically looks something like this: Initial access and reconnaissance, privilege escalation, lateral movement and additional reconnaissance, then exploitation.
Successful defenders must be able to detect anomalous behavior in seconds within identities, workloads, networks, and the like. They need to be able to immediately triage and investigate data while simultaneously doing initial containment.
Once a threat or exploited vulnerability is identified, remediation must happen quickly. And afterward, teams should conduct a post-mortem feedback loop to improve processes and tooling. Attackers operate at cloud speed, often completing their objectives in under 10 minutes.
Those at the two-hour mark are chasing down the damage that’s already been done. With real-time visibility, automated response, AI-driven insights, and cross-team collaboration, organizations can stop threats before they escalate.