What is cloud detection and response?

Cloud detection and response (CDR) is similar to managed detection and response (MDR) and extended detection and response (XDR) services, both of which rapidly detect, analyze, investigate, and actively respond to threats. Cloud detection and response monitors activity in the cloud environment, and identifies threats and suspicious activities in real time, including remote code execution, malware, crypto-mining, lateral movement, privilege escalation, and container escape. CDR is often included in managed detection and response (MDR) solutions.

Why are CDR solutions needed?

Online attackers see value in sneaking into cloud environments, given that enterprises place valuable data there. Attackers can gain access to login credentials, increasing the likelihood of cloud infrastructure incidents. Many MDR solutions primarily focus on endpoint protection and security information and event management (SIEM) with secondary focus on other surfaces, leaving SecOps teams to secure cloud workloads and infrastructure on their own.

In addition to the sharp uptick in cloud threats, the prevalence of multi-cloud and multi-platform cloud environments creates bigger workloads for security teams. Not every company has the expertise needed to properly manage cloud security. Given the deluge of alerts cloud providers often generate and send to SOC teams, it’s easy to get overwhelmed, fall behind, and potentially miss an important alert.

How does CDR work?

A cloud detection and response solution uses several technologies to identify, analyze, and respond to threats in cloud environments, including the following:

Cloud security platforms

The platforms provide central dashboards for the management of security across cloud services and environments. They also often offer features like threat detection, security configuration management, and incident response orchestration.

Cloud access security brokers (CASBs)

CASBs are intermediaries between users and cloud service providers, monitoring and controlling access to cloud applications. They improve visibility into cloud usage, enforce security policies, and detect anomalies or suspicious activities.

Security information and event management (SIEM)

A SIEM system captures data and alerts from numerous security tools and IT systems. Operators can define complex logic to correlate and alert in response to events relevant to their organization. Keep in mind that an organization might not need a SIEM, particularly if other existing tools or partnerships are handling these tasks. For example, if the business has no regulatory requirements and limited log sources, it may not be necessary to invest in a SIEM.

User and entity behavior analytics (UEBA)

UEBA tools analyze user and entity behavior across cloud environments to detect abnormal or risky activities. By creating baselines of normal behavior, UEBA tools can identify deviations that may indicate security threats.

Cloud-specific threat intelligence feeds

These data feeds are tailored for cloud environments and provide valuable insights into emerging threats, vulnerabilities, and attack techniques targeting cloud services and infrastructure.

API security

Many cloud environments rely on APIs for integration and automation. API security solutions help ensure the security of API communications, protecting against API abuse, injection attacks, and unauthorized access.

Incident response automation

Automation tools streamline incident responses by automatically detecting, analyzing, and remediating security incidents in the cloud. This process helps reduce response times and minimizes the impact of security breaches.

Compliance and governance tools

Compliance management and governance solutions help organizations ensure that their cloud deployments adhere to industry regulations and internal security policies. They provide visibility into compliance status, automate audit processes, and enforce security controls.

How to choose a CDR provider

Ask cloud detection and response providers these questions:

Can the provider close your skills and knowledge gaps?

Why ask it? Cloud platforms are constantly changing and evolving, making it difficult to be proficient across multiple cloud environments. Also, your CDR team should know how to avoid errors and proactively suggest fixes. For example, requiring peer review on change requests is an excellent way to reduce the likelihood of mistakes happening, especially when it comes to policy changes.

Can your provider audit the differences across cloud providers?

Why ask it? Combing through audit logs can feel like learning a different language as you move from cloud environment to cloud environment. Auditing coverage reflects the service’s maturity, indicating skilled CDR providers. Providers should be able to advise customers on enabling and configuring necessary logs, distinguishing between those managed by the customer and the cloud provider.

Can your provider act quickly when new clouds and platforms are needed?

Why ask it? Say the business started with one cloud platform and finally organized all users and groups and also defined policies for least privilege. Suddenly the VP of engineering wants to add a second cloud platform with a slightly different business use case and slightly different business requirements. Now the onsite security team must manage identity and access management (IAM) in Amazon Web Services (AWS) and IAM in Google Cloud. The services are similar, but all of the role names are different and extend slightly different levels of privilege. This should be an easy task for an experienced CDR provider.

How does the CDR provider handle data overload?

Why ask it? Literally trillions of logs are now generated across multiple cloud environments. The big questions are: What does the provider do with the logs? And how do they decide what’s important? Even if you put the logs into a centralized SIEM system, the security team still has to wrestle with too many audit logs in different schemas. That’s where the CDR provider can provide expert help.