What is cloud detection and response (CDR)?
Cloud detection and response (CDR) is an emerging strategy focused on securing cloud environments. CDR monitors for and responds to threats to those environments, whether they run on large service providers, such as Microsoft, Google or AWS, or on smaller clouds, such as those offered by Vultr and DigitalOcean.
The primary goal of CDR is to provide a deep understanding of a cloud environment and to detect threats within it. Products and services offered by CDR vendors aim to give users answers to questions such as the following:
- Which application programming interfaces (APIs) are being used, and by whom?
- Is the multi-cloud environment healthy from a security perspective?
- What security baseline applies to each workload type, from containers to virtual machines (VMs) to serverless functions?
Cloud computing can involve everything from endpoints to fully operational networks to large infrastructure -- even private cloud and hybrid infrastructure. Securing resources across such a vast attack surface is difficult. And, because cloud resources are created, changed and destroyed far more often than traditional IT assets, detection must be continuous rather than periodic.
CDR fits within the broader category of threat detection and response tools. It combines the thought processes behind extended detection and response (XDR), network detection and response (NDR) and endpoint detection and response (EDR).
These potential points of overlap with XDR, NDR and EDR, as well as cloud security tooling available elsewhere, have led some in the security industry to question whether CDR ought to be a distinct product category. Analysts at Forrester Research, for example, consider CDR to be a feature found within other cloud tools, such as cloud workload protection platforms, cloud infrastructure entitlement management, container security and the like.
The value of cloud detection and response tools
Cloud computing has changed how and where organizations run workloads. As a result, security teams must pay more attention to threat detection and related activities that aren't as closely tied to their on-premises resources as in the past. It is increasingly important to make cloud security management a priority.
CDR could be looked at as being similar to NDR, which views a network holistically and asks, "Does this traffic look normal?" CDR looks at a cloud environment and asks, "Does this environment conform to best practices?"
The goal for any CDR tool is to help answer important questions, including the following:
- Who has access? One of the easiest mistakes to make in any cloud-based environment is to give a user or a group too much access. With on-premises environments, you usually needed a virtual private network to reach servers from outside the local area network. Now, many cloud-hosted servers carry public Internet Protocol (IP) addresses. Valid credentials are still required to access them, but the network boundary no longer limits who can attempt to authenticate, which makes server access much easier for legitimate users and attackers alike.
- Is there room for privilege escalation? This question is especially relevant in the container and Kubernetes realm. Say, for example, you have a Kubernetes pod that runs as root in a privileged container. If the service account whose token is mounted in that pod is bound to cluster-admin, then compromising the pod compromises the node it runs on and the entire Kubernetes cluster.
- Can an attacker use one form of authorization or authentication to access another workload? Let's say you create an identity and access management (IAM) role. The role exists to manage VMs, but during tests, you also attach a policy for serverless workloads and never remove it. Consequently, if someone compromises a principal that can assume that role, multiple cloud-based services are compromised at once. In the cloud, it is especially important to think about the principle of least privilege, privilege creep and additional tactics to bolster defense in depth.
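The two privilege questions above (a root pod whose service account is bound to cluster-admin, and a VM-management IAM role that also carries serverless permissions) can both be checked from inventory data a CDR tool already collects. The following is an added example written for this article, not code from any CDR product: two small posture checks over a constructed IAM policy document and a constructed Kubernetes pod manifest plus ClusterRoleBinding, all embedded inline as plain dicts in the shape the cloud APIs return. The role name `vm-admin`, the service account `deployer` and the `build` namespace are assumptions for the sample data. Resource and Condition elements of the IAM policy are ignored, so this is a coarse "which services can this role reach" check rather than a full policy evaluator.

```python
"""Added example: posture checks for privilege creep (IAM) and pod privilege
escalation (Kubernetes). Sample inputs below are constructed for this example."""
import fnmatch


def _as_list(value):
    """IAM allows Action/Statement to be a string or a list; normalise to a list."""
    return value if isinstance(value, list) else [value]


def services_granted(policy):
    """Return {service: set(actions)} effectively allowed by an IAM policy.

    Explicit Deny always wins in IAM, so denied patterns are removed from the
    Allow set. Wildcards are kept verbatim: 'ec2:*' means the whole EC2 service,
    and a bare '*' means every service. Resource/Condition are ignored (coarse check).
    """
    allowed, denied = {}, []
    for stmt in _as_list(policy["Statement"]):
        actions = _as_list(stmt.get("Action", []))
        if stmt["Effect"] == "Deny":
            denied.extend(actions)
            continue
        for action in actions:
            service = "*" if action == "*" else action.split(":", 1)[0]
            allowed.setdefault(service, set()).add(action)
    # IAM action names are case-insensitive, so compare lower-cased.
    for service in list(allowed):
        allowed[service] = {
            a for a in allowed[service]
            if not any(fnmatch.fnmatchcase(a.lower(), d.lower()) for d in denied)
        }
        if not allowed[service]:
            del allowed[service]
    return allowed


def cross_service_findings(role_name, policy, intended_services):
    """Flag grants outside the role's declared purpose and service-wide wildcards."""
    findings = []
    for service, actions in services_granted(policy).items():
        if service == "*":
            findings.append(f"{role_name}: grants '*' (every service)")
        elif service not in intended_services:
            findings.append(f"{role_name}: reaches unintended service {service} via {sorted(actions)}")
        if any(a.endswith(":*") for a in actions):
            findings.append(f"{role_name}: service-wide wildcard grant {service}:*")
    return findings


def pod_escalation_findings(pod, cluster_role_bindings):
    """Flag privileged/root containers and a mounted SA token bound to cluster-admin."""
    spec = pod["spec"]
    namespace = pod["metadata"].get("namespace", "default")
    sa_name = spec.get("serviceAccountName", "default")
    pod_sc = spec.get("securityContext", {})
    findings = []
    for container in spec["containers"]:
        sc = container.get("securityContext", {})
        run_as_user = sc.get("runAsUser", pod_sc.get("runAsUser"))
        run_as_non_root = sc.get("runAsNonRoot", pod_sc.get("runAsNonRoot"))
        if sc.get("privileged"):
            findings.append(f"container {container['name']} is privileged (node escape possible)")
        # runAsUser unset means the image default, which is frequently root.
        if run_as_user in (None, 0) and not run_as_non_root:
            findings.append(f"container {container['name']} runs as root (or image default UID)")
    if spec.get("automountServiceAccountToken", True):  # Kubernetes mounts the token by default
        for crb in cluster_role_bindings:
            if crb["roleRef"]["name"] != "cluster-admin":
                continue
            for subject in crb.get("subjects", []):
                if (subject.get("kind") == "ServiceAccount" and subject.get("name") == sa_name
                        and subject.get("namespace", "default") == namespace):
                    findings.append(f"SA token {namespace}/{sa_name} mounted in pod is bound to cluster-admin")
    return findings


# --- Constructed sample data (not real infrastructure) -----------------------
SAMPLE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": ["ec2:*"], "Resource": "*"},
        # Left over from testing: the VM role was also given serverless rights.
        {"Effect": "Allow", "Action": ["lambda:CreateFunction", "lambda:InvokeFunction",
                                       "lambda:UpdateFunctionCode"], "Resource": "*"},
        {"Effect": "Deny", "Action": "lambda:UpdateFunction*", "Resource": "*"},
    ],
}
SAMPLE_BINDINGS = [{
    "kind": "ClusterRoleBinding", "metadata": {"name": "deployer-admin"},
    "roleRef": {"kind": "ClusterRole", "name": "cluster-admin"},
    "subjects": [{"kind": "ServiceAccount", "name": "deployer", "namespace": "build"}],
}]
RISKY_POD = {
    "kind": "Pod", "metadata": {"name": "ci-runner", "namespace": "build"},
    "spec": {"serviceAccountName": "deployer",
             "containers": [{"name": "runner", "image": "example/runner:1.0",
                             "securityContext": {"privileged": True}}]},
}
HARDENED_POD = {  # same workload with the escalation paths closed
    "kind": "Pod", "metadata": {"name": "ci-runner", "namespace": "build"},
    "spec": {"serviceAccountName": "deployer", "automountServiceAccountToken": False,
             "containers": [{"name": "runner", "image": "example/runner:1.0",
                             "securityContext": {"privileged": False, "runAsNonRoot": True,
                                                 "runAsUser": 1000}}]},
}

if __name__ == "__main__":
    for f in cross_service_findings("vm-admin", SAMPLE_POLICY, {"ec2"}):
        print("IAM:", f)
    for f in pod_escalation_findings(RISKY_POD, SAMPLE_BINDINGS):
        print("K8S:", f)
    print("hardened pod findings:", pod_escalation_findings(HARDENED_POD, SAMPLE_BINDINGS))
```

Against the sample data the IAM check reports both the `ec2:*` wildcard and the unintended reach into Lambda (the denied `UpdateFunctionCode` is correctly dropped), and the pod check reports three escalation paths for the risky manifest and none for the hardened one. A real CDR tool would run the same logic against the live IAM and Kubernetes APIs rather than inline dicts, and would treat the findings as detections to alert on, not just a posture report.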
Best practices for choosing a cloud detection and response tool
Certain features and best practices are important in your evaluation of a CDR tool.
First, ensure that the CDR is compatible with a multi-cloud environment. Even if you use just one cloud service now, you may well add one or more providers later, and you want your CDR tool to handle that without a rip-and-replace.
The second is to know which sources a vendor uses to gather information about security threats. For example, with Kubernetes, the Center for Internet Security Benchmarks for Kubernetes, National Vulnerability Database, Mitre and a few other sources provide important security guidance. Still, that doesn't mean all Kubernetes security tools call upon all those databases. When considering a CDR tool, make sure it uses the back-end databases that align with your organization's security concerns and priorities.
Also, determine whether you want to select a CDR product that's open source or one you pay for. This might have a lot to do with budget considerations.
Examples of open source tools are Aqua Security Trivy, CloudSploit by Aqua, CloudMapper, OSSEC and Open Vulnerability Assessment Scanner. For paid enterprise tools, examples include CrowdStrike Falcon, Darktrace/Cloud and Microsoft Defender for Cloud.