Does the World Need Cloud Detection and Response (CDR)?

Let’s play a game and define a hypothetical market called Cloud Detection and Response (CDR). Note that it is no longer my job to define markets, so I am doing it for fun here (yes, people find the weirdest things to be fun!).

So, let’s define CDR as a type of security tool primarily focused on detecting, confirming and investigating suspicious activities and other security problems in various public cloud environments, including, but not limited to, IaaS, PaaS and SaaS. As you can see, I borrowed some ideas from my original EDR definition so that some useful similarities come out. But, no, the cloud is not just somebody else’s computer 🙂

Now, the questions:

  • Does it exist?
  • Should it exist as a market?
  • Should it exist as a technology space? (Not every technology space is a market: anti-spam is clearly still a thing, yet there is obviously no anti-spam tool market.)

Naturally, all hard problems in life are solved with a Twitter poll… so here is the relevant one:

CDR poll by Anton

Among all the responses, one stood out to me: “public cloud has enough special deployment and collection differences from on-prem that there has to be a CDR function.” This to me represents the strongest logic in favor of CDR existence, whether as a market or a technical capability. Now let’s think about it a bit more, especially using my RSA 2022 experiences.

First, I bet nobody would contest that we need to detect threats in public cloud environments and we need to investigate incidents there. So the problems are real, hence there is a need.

Second, a hypothetical CDR tool will need to do its own threat detection, enable analysts to triage alerts, support incident investigation workflows and probably do some response automation too. However, there are already tools that do all these things, though perhaps not all at once and not focused on the cloud. Naturally, a SIEM (cloud-native or otherwise) can do cloud threat detection off cloud provider logs and support alert triage and investigations. A SOAR may automate responses. Similarly, broad cloud security vendors (all those CWPPs and CNAPPs) promise to “secure your cloud,” and that often includes detecting threats.
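To make the “detection off cloud provider logs plus triage” part concrete, here is an added example (mine, not from the post or any vendor) that runs two defender-side rules over constructed CloudTrail-style events and groups the resulting alerts by source IP for triage. The event shapes follow public CloudTrail field names; the account number, IPs and trail name are made up.

```python
# Constructed CloudTrail-style events (sample input, not real telemetry).
SAMPLE_EVENTS = [
    {"eventTime": "2022-06-10T08:01:00Z", "eventSource": "signin.amazonaws.com",
     "eventName": "ConsoleLogin", "sourceIPAddress": "203.0.113.10",
     "userIdentity": {"type": "Root", "arn": "arn:aws:iam::111122223333:root"},
     "additionalEventData": {"MFAUsed": "No"},
     "responseElements": {"ConsoleLogin": "Success"}},
    {"eventTime": "2022-06-10T08:03:12Z", "eventSource": "cloudtrail.amazonaws.com",
     "eventName": "StopLogging", "sourceIPAddress": "203.0.113.10",
     "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::111122223333:user/ops"},
     "requestParameters": {"name": "org-trail"}},
    {"eventTime": "2022-06-10T08:05:40Z", "eventSource": "s3.amazonaws.com",
     "eventName": "GetObject", "sourceIPAddress": "198.51.100.7",
     "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::111122223333:user/app"}},
]

def rule_root_login_without_mfa(e):
    """Successful root console login with MFA not used: a classic cloud-only signal."""
    if (e.get("eventName") == "ConsoleLogin"
            and e.get("userIdentity", {}).get("type") == "Root"
            and e.get("additionalEventData", {}).get("MFAUsed") == "No"
            and e.get("responseElements", {}).get("ConsoleLogin") == "Success"):
        return "high", "root console login without MFA"
    return None

def rule_audit_trail_tampering(e):
    """Changes to the audit trail itself; there is no on-prem analogue of this API call."""
    if (e.get("eventSource") == "cloudtrail.amazonaws.com"
            and e.get("eventName") in {"StopLogging", "DeleteTrail", "UpdateTrail"}):
        return "high", "audit trail changed: " + e["eventName"]
    return None

RULES = [rule_root_login_without_mfa, rule_audit_trail_tampering]

def detect(events):
    """Apply every rule to every event; return normalized alerts."""
    alerts = []
    for e in events:
        for rule in RULES:
            hit = rule(e)
            if hit:
                alerts.append({"severity": hit[0], "title": hit[1], "time": e["eventTime"],
                               "actor": e["userIdentity"]["arn"],
                               "source_ip": e["sourceIPAddress"]})
    return alerts

def triage_by_source_ip(alerts):
    """First triage pivot: which alerts share an origin IP and should be one case."""
    groups = {}
    for a in alerts:
        groups.setdefault(a["source_ip"], []).append(a["title"])
    return groups
```

Running `triage_by_source_ip(detect(SAMPLE_EVENTS))` puts both hits under the same IP, which is exactly the kind of correlation that turns two alerts into one investigation.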

So, do we need a CDR or not?! Three roads I see:

  1. CDR should exist as a technology and/or market: Cloud is a new realm for threat detection and so old tools/approaches are not ideal; so we need new tools that work well in this new realm.
  2. CDR should exist as a technology, but not as a separate market: Sure, we need new technical capabilities, but cloud providers and broad cloud security vendors will deliver CDR capabilities.
  3. CDR should not exist, the problem is real, but it is solved elsewhere: Cloud is just a telemetry source, and existing tools and vendors — and cloud providers — will take care of this.

Furthermore, at RSA 2022, I looked at vendors like Cado and Mitiga (among others) and noticed that a focus on incident response in the cloud does call for tools that are different enough (BTW, a podcast on how we do it here is coming soon). The “R” of CDR is perhaps the harder nut to crack, as SIEM and SOAR are of limited value here, and traditional forensics tools and EDRs only work on virtual machines (to the extent they do). To me, this provides additional motivation for CDR.

Finally, my prediction: I am voting Choice 2: we will probably have “CDR technology,” a tool set optimized for D&R in public cloud (built by both cloud providers and standalone vendors), but perhaps won’t have a separate market (we have enough long acronyms starting with “C” already...). Why do I think so? I think doing cloud D&R with a) pre-cloud tools and/or b) cloud tools not focused on D&R would be irritating enough for enough people to necessitate a new category creation, if not a whole new market.

Agree/disagree?

P.S. I first saw the term CDR in Sift Security messaging around 2017. I did NOT invent the term. And here is a quick review of who uses the term now (example, example for SaaS, example via NDR, example via MDR, example via a broad cloud security stack, etc.).

Does the World Need Cloud Detection and Response (CDR)? was originally published in Anton on Security on Medium, where people are continuing the conversation by highlighting and responding to this story.

*** This is a Security Bloggers Network syndicated blog from Stories by Anton Chuvakin on Medium authored by Anton Chuvakin. Read the original post at: https://medium.com/anton-on-security/does-the-world-need-cloud-detection-and-response-cdr-ea184e6df9f3?source=rss-11065c9e943e------2