What is Cloud Detection and Response?

Cloud detection and response (CDR) solutions provide security professionals with the comprehensive visibility they need to detect, investigate, and mitigate threats in the cloud by continuously collecting, normalizing and analyzing large volumes of state and activity data from SaaS and cloud services.

Existing cloud security solutions such as Cloud Access Security Brokers (CASBs) provide preventive security controls. They help to protect against data loss and exfiltration and malware exposure by blocking access as and when they occur. CASBs act as mediators between an organization’s infrastructure and the cloud services used by the organization, examining all traffic going to and from the cloud. But preventive controls are not enough.

Even with the best preventive security solutions in place, attackers can still penetrate defenses and gain access to cloud assets. This is because attackers are successfully masquerading as users and service accounts, utilizing legitimate access to resources in the cloud services through a variety of techniques such as credential stuffing, social engineering, spear phishing and brute force password guessing. Account compromise and insider threat are on the rise, yet the data needed for security professionals to hunt and investigate these attacks breaks down as the attacker, and company data, move from the endpoint to the cloud.

Cloud detection and response solutions give security teams ongoing consolidated visibility into activity in their cloud environments, augmented with rich user context. With this continuous visibility, security teams can mitigate identity risk early, as well as detect, investigate and respond to threats such as account compromise and malicious insider activity. CDRs continuously collect, record, normalize and enrich data about service configurations, accounts, privileges, and activity from SaaS, PaaS and IaaS cloud services. CDRs bring a new capability to the cloud security stack.

Security professionals, threat hunters, and security operations center (SOC) teams can use the consolidated activity stream to uncover access patterns that reveal new threats or indicate compromise. In addition, CDRs also have machine learning-powered analytics to automate detection of anomalous or dangerous activity and to uncover misconfigurations and identity risk. Going beyond prevention, these Cloud detection and response capabilities help security teams of all sizes identify threats and investigate incidents preemptively.

Cloud Detection and Response Capabilities

  1. Consolidated Visibility: Cloud detection and response solutions provide continuous and consolidated visibility into who has access to what in the different cloud services, and what users are doing across these services. CDRs provide an inventory of accounts, access, and privileges, as well as a view of activity. In the world of multiple SaaS applications and cloud services, this entails aggregating state and activity information, normalizing the data based on an understanding of the identity and authorization models of the different services, resolving accounts to identities, and enriching the data with threat intelligence and context (locations, devices, browsers, etc.) This visibility enables security teams to detect risks and threats, proactive hunt for emerging security issues, and to investigate and respond to incidents quickly.
  2. Automated Detections Built on Rules and Analytics: CDRs analyze vast amounts of data across different cloud services to identify patterns that signal risk and threats. The problem with modern cloud environments is that threats are drowned in a sea of irrelevance. By alerting on policy violations and risky behavior informed by machine learning analytics and rules, CDRs help SOCs distill the signal from the noise so they can prioritize their efforts. 
  3. Detection Extended to Risk Monitoring: Best-in-class CDRs go beyond detection capabilities to identify signs of a weak security posture, such as unused and stale privileges and poorly configured services. With these  insights, security administrators are able to continuously enforce a robust security posture and preempt attacks from happening.