Let’s play a game and define a hypothetical market called Cloud Detection and Response (CDR). Note that it is no longer my job to define markets, so I am doing it for fun here (yes, people find the weirdest things to be fun!)
So, let’s define CDR as a type of security tool primarily focused on detecting, confirming and investigating suspicious activities and other security problems in various public cloud environments, including, but not limited to, IaaS, PaaS and SaaS. As you can see, I stole some ideas from my original EDR definition so that some useful similarities come out. But, no, the cloud is not just somebody else’s computer 🙂
Now, the questions:
Naturally, all hard problems in life are solved with a Twitter poll… so here is the relevant one:
Among all the responses, one stood out to me: “public cloud has enough special deployment and collection differences from on-prem that there has to be a CDR function.” This to me represents the strongest logic in favor of CDR existence, whether as a market or a technical capability. Now let’s think about it a bit more, especially using my RSA 2022 experiences.
First, I bet nobody would contest that we need to detect threats in public cloud environments and we need to investigate incidents there. So the problems are real, hence there is a need.
Second, a hypothetical CDR tool will need to do its own threat detection, enable the analysts to triage alerts, support incident investigative workflows and probably do some response automation too. However, there are already tools that do all these things, but perhaps not all at once and not focused on the cloud. Naturally, a SIEM (cloud-native or otherwise) can do cloud threat detection off cloud provider logs, support alert triage and investigations. A SOAR may automate responses. Similarly, broad cloud security vendors (all those CWPPs and CNAPPs) promise to “secure your cloud” and that often includes detecting threats.
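To make the “D” part of that list concrete, here is an added example (not code from the original post, and not any vendor’s product) of the kind of detection a SIEM or a CDR tool would run over cloud provider audit logs: a few rules applied to newline-delimited audit events, with findings grouped by identity to support triage. The events are constructed for this example; their field names follow CloudTrail-style conventions, but the users, IPs and timestamps are made up.

```python
import json
from collections import Counter

# Constructed CloudTrail-style audit records, one JSON object per line, in the
# shape a SIEM receives them from the cloud provider. Not real data; a
# deliberately malformed line is included to exercise the parser.
SAMPLE_LOG_LINES = [
    json.dumps({"eventTime": "2022-06-10T12:00:01Z", "eventSource": "cloudtrail.amazonaws.com",
                "eventName": "StopLogging", "userIdentity": {"type": "IAMUser", "userName": "alice"},
                "sourceIPAddress": "198.51.100.7"}),
    json.dumps({"eventTime": "2022-06-10T12:00:05Z", "eventSource": "ec2.amazonaws.com",
                "eventName": "DescribeInstances", "userIdentity": {"type": "IAMUser", "userName": "alice"},
                "sourceIPAddress": "198.51.100.7"}),
    json.dumps({"eventTime": "2022-06-10T12:01:10Z", "eventSource": "signin.amazonaws.com",
                "eventName": "ConsoleLogin", "userIdentity": {"type": "IAMUser", "userName": "bob"},
                "responseElements": {"ConsoleLogin": "Success"},
                "additionalEventData": {"MFAUsed": "No"}, "sourceIPAddress": "203.0.113.20"}),
    json.dumps({"eventTime": "2022-06-10T12:02:00Z", "eventSource": "signin.amazonaws.com",
                "eventName": "ConsoleLogin", "userIdentity": {"type": "IAMUser", "userName": "carol"},
                "responseElements": {"ConsoleLogin": "Success"},
                "additionalEventData": {"MFAUsed": "Yes"}, "sourceIPAddress": "203.0.113.21"}),
    json.dumps({"eventTime": "2022-06-10T12:03:30Z", "eventSource": "iam.amazonaws.com",
                "eventName": "CreateUser", "userIdentity": {"type": "Root"},
                "sourceIPAddress": "203.0.113.9"}),
    json.dumps({"eventTime": "2022-06-10T12:04:00Z", "eventSource": "cloudtrail.amazonaws.com",
                "eventName": "DeleteTrail", "userIdentity": {"type": "IAMUser", "userName": "alice"},
                "sourceIPAddress": "198.51.100.7"}),
    "this line is not JSON and must be skipped, not crash the pipeline",
]


def identity_of(event):
    """Normalize the acting identity so findings can be grouped for triage."""
    ident = event.get("userIdentity", {})
    if ident.get("type") == "Root":
        return "root"
    return ident.get("userName") or ident.get("arn") or "unknown"


def rule_logging_tamper(event):
    """The audit trail itself is stopped, deleted or reconfigured."""
    return (event.get("eventSource") == "cloudtrail.amazonaws.com"
            and event.get("eventName") in {"StopLogging", "DeleteTrail", "UpdateTrail"})


def rule_console_login_without_mfa(event):
    """Successful console sign-in where the MFA flag is explicitly 'No'."""
    return (event.get("eventName") == "ConsoleLogin"
            and event.get("responseElements", {}).get("ConsoleLogin") == "Success"
            and event.get("additionalEventData", {}).get("MFAUsed") == "No")


def rule_root_api_activity(event):
    """Any API call (other than the sign-in itself) made as the root identity."""
    return identity_of(event) == "root" and event.get("eventName") != "ConsoleLogin"


# (rule name, predicate, severity) -- the rule set a CDR tool would ship and tune.
RULES = [
    ("cloudtrail_logging_tampered", rule_logging_tamper, "high"),
    ("console_login_without_mfa", rule_console_login_without_mfa, "medium"),
    ("root_api_activity", rule_root_api_activity, "high"),
]


def detect(lines):
    """Run every rule over every parseable event.

    Returns (findings, malformed_count); findings preserve log order.
    """
    findings, malformed = [], 0
    for line in lines:
        try:
            event = json.loads(line)
        except json.JSONDecodeError:
            malformed += 1
            continue
        for name, predicate, severity in RULES:
            if predicate(event):
                findings.append({
                    "rule": name, "severity": severity,
                    "identity": identity_of(event), "eventName": event.get("eventName"),
                    "eventTime": event.get("eventTime"), "sourceIP": event.get("sourceIPAddress"),
                })
    return findings, malformed


def triage_by_identity(findings):
    """Rank identities by number of findings (ties broken by name) for analyst triage."""
    counts = Counter(f["identity"] for f in findings)
    return sorted(counts.items(), key=lambda kv: (-kv[1], kv[0]))


if __name__ == "__main__":
    found, skipped = detect(SAMPLE_LOG_LINES)
    for f in found:
        print(f"[{f['severity']}] {f['rule']}: {f['identity']} {f['eventName']} at {f['eventTime']}")
    print("skipped malformed lines:", skipped)
    print("triage order:", triage_by_identity(found))
```

The point of the example is less the three rules than the shape of the pipeline: the detection logic is entirely driven by what the cloud provider chooses to log, the identity model is the provider’s (IAM users, roles, root) rather than a host’s, and the “response” a tool can offer from here is whatever the provider’s control plane exposes, which is exactly the deployment and collection difference the poll response above points at.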
So, do we need a CDR or not?! Three roads I see:
Furthermore, at RSA 2022, I looked at vendors like Cado and Mitiga (among others) and I noticed that a focus on incident response in the cloud does call for tools that are different enough (BTW, a podcast on how we do it here is coming soon). The “R” of CDR is perhaps the harder nut to crack, as SIEM and SOAR are of limited value here, and traditional forensics tools and EDRs only work on virtual machines (to the extent they do). To me, this provides additional motivation for CDR.
Finally, my prediction: I am voting Choice 2: we will probably have “CDR technology,” a tool set optimized for D&R in public cloud (built by both cloud providers and standalone vendors), but perhaps won’t have a separate market (we have enough long acronyms starting with “C” already….). Why do I think so? I think doing cloud D&R with a) pre-cloud tools and/or b) cloud tools not focused on D&R would be irritating enough for enough people to necessitate a new category creation, if not a whole new market.
Agree/disagree?
P.S. I first saw the term CDR in Sift Security messaging around 2017. I did NOT invent the term. And here is a quick review of who uses the term now (example, example for SaaS, example via NDR, example via MDR, example via a broad cloud security stack, etc.)
Does the World Need Cloud Detection and Response (CDR)? was originally published in Anton on Security on Medium, where people are continuing the conversation by highlighting and responding to this story.
*** This is a Security Bloggers Network syndicated blog from Stories by Anton Chuvakin on Medium authored by Anton Chuvakin. Read the original post at: https://medium.com/anton-on-security/does-the-world-need-cloud-detection-and-response-cdr-ea184e6df9f3?source=rss-11065c9e943e------2