Detect and respond to threats across hybrid cloud environments.
Cloud detection and response (CDR) is the process of security experts building out systems that detect and respond to potential threats across ephemeral hybrid environments that include both on-premises and cloud systems.
Due to the hybrid nature of this type of environment – the new normal in today’s digital transformation-minded world – both the private and public-facing assets that exist on this dynamic infrastructure can be incredibly challenging to secure.
Indeed, Forrester’s Comprehensive Guide to Cloud Detection and Response says “detection and response on cloud infrastructure differs from traditional infrastructure in fundamental ways that make it challenging for security operations teams.”
In a separate Forrester article, Principal Analysts Allie Mellen, Andras Cser, and Jeff Pollard explain how cloud detection and response is split into three detection surfaces:
Cloud detection and response works by prioritizing action on alerts that derive from various runtime resources and cloud service providers (CSPs) to enable faster intelligence and risk analysis.
The ideal state of an effective CDR solution would be to consolidate all runtime threat detections by obtaining better security context. Those findings could then be associated with affected cloud resources and their properties. This type of context-driven risk management provides deep visibility into every layer of a cloud environment to help prioritize risk and determine likelihood of exploitation.
As developers are tasked with leveraging the greater efficiencies offered by cloud environments, workloads will be spun up at an ever greater pace. Taking a more holistic approach to runtime security in the cloud will – among other things – necessitate shifting security left and forming a true DevSecOps organization. Beware of a potential increase in friction between teams as security becomes more tightly integrated into software processes.
It then becomes critical to implement a dynamic CDR solution when operating at that scale in and across cloud environments. This type of solution should be able to:
Capabilities should also include consolidating native and third-party runtime threat detections – as well as enrichment functions mentioned above – to enable faster detection and analysis of potential threats.
Cloud infrastructure is particularly dynamic. Between constantly changing virtual assets and the complexity of cloud configurations, it can quickly become prohibitive for an unprepared organization to pinpoint and respond to threats effectively.
Additionally, the vast amount of data generated can obscure malicious activities, necessitating advanced monitoring and analysis tools. Therefore, as more businesses move IT infrastructure and development operations into a cloud, multi-cloud, or hybrid environment, it becomes paramount for security organizations to be able to detect potential threats before they can cause real damage. Let’s take a look at some of the benefits of an effective CDR solution.
This may seem like a catch-all cybersecurity term, but it’s important to reiterate the point that, as an organization moves to cloud-based operations, its risks increase sharply almost immediately.
An effective CDR solution should be able to grant improved visibility and control with capabilities like continuous discovery of container images and cloud-deployed workloads as well as the resources that helped launch those workloads. CDR can help to quickly reduce the risks that can come from just one of these moving parts not functioning correctly and potentially creating new network security vulnerabilities.
Infrastructure-as-Code (IaC) security is incredibly important as crucial customer-facing workloads are moved to cloud environments and deployed at an ever-faster rate. A CDR solution should be able to automatically scan and detect anomalies in IaC templates.
This will help remediate misconfigurations and policy violations by using a consistent set of security checks throughout the continuous integration/continuous delivery (CI/CD) pipeline.
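As an added illustration of the consistent IaC checks described above (example code, not from the page or from InsightCloudSec), the block below runs a small policy set over a constructed, CloudFormation-like template and gates the build on high-severity findings; the resource types, property names and severities are assumptions.

```python
# Added example, not code from the page or InsightCloudSec: a minimal IaC
# policy check for a CI/CD job. Resource types and template are constructed.
import json

TEMPLATE = json.loads("""
{"Resources": {
  "DataBucket": {"Type": "Storage::Bucket",
                 "Properties": {"PublicAccess": true, "Encryption": false}},
  "AdminSG": {"Type": "Network::SecurityGroup",
              "Properties": {"Ingress": [{"Port": 22, "Cidr": "0.0.0.0/0"},
                                         {"Port": 443, "Cidr": "10.0.0.0/8"}]}},
  "DbVolume": {"Type": "Storage::Volume", "Properties": {"Encrypted": true}}
}}
""")

def check_bucket(name, props):
    findings = []
    if props.get("PublicAccess"):
        findings.append((name, "HIGH", "bucket allows public access"))
    if not props.get("Encryption"):
        findings.append((name, "MEDIUM", "bucket not encrypted at rest"))
    return findings

def check_security_group(name, props):
    # Flag administrative ports reachable from any address.
    open_cidrs = ("0.0.0.0/0", "::/0")
    return [(name, "HIGH", f"port {r['Port']} open to the internet")
            for r in props.get("Ingress", [])
            if r.get("Cidr") in open_cidrs and r.get("Port") in (22, 3389)]

def check_volume(name, props):
    return [] if props.get("Encrypted") else [(name, "MEDIUM", "volume unencrypted")]

# One consistent policy set, applied identically at every pipeline stage.
CHECKS = {"Storage::Bucket": check_bucket,
          "Network::SecurityGroup": check_security_group,
          "Storage::Volume": check_volume}

def scan(template):
    """Return (resource, severity, message) findings for every known type."""
    findings = []
    for name, res in template.get("Resources", {}).items():
        check = CHECKS.get(res.get("Type"))
        if check:
            findings.extend(check(name, res.get("Properties", {})))
    return findings

def passes_gate(findings, fail_on=("HIGH",)):
    """False when the build should be blocked on a finding in fail_on."""
    return not any(sev in fail_on for _, sev, _ in findings)
```

The same `scan` can run at commit time and again before deploy, so a template that passes one stage cannot drift past the next.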
From standard components to newer and evolving aspects of a cloud security platform, let's cover some key capabilities a modern CDR solution should include to effectively protect workloads as they run.
This CDR capability should be able to present a user with a complete view of runtime threat detections from multiple customer resources and CSPs. This cloud-native application protection platform (CNAPP) capability enables faster intelligence analysis, risk detection, and remediation prioritization.
Another key component of a CDR solution is one that is critical to the future of a security operations center (SOC): learning the tactics, techniques, and procedures (TTPs) leveraged by threat actors so that the organization doesn't become a regular target of the same attackers. The automated process of learning those TTPs and signatures over time is a nice lead-in to the next capability.
Leveraging AI to detect cloud anomalies is becoming more widespread by the minute. It’s no longer optional to have AI as part of a security arsenal – it’s a must.
AI-assisted cloud anomaly detection can accelerate the effectiveness of a SOC by automatically searching for behavioral anomalies and quickly prioritizing potential risks based on historical data. False-positive alerts can typically be reduced by focusing on detecting malicious activity without relying on specific pre-configured attack indicators.
An AI engine of this type can also consider the context of suspicious activity, taking into account recent actions by the same principal and automatically adapting to changes in overall activity profiles and the cloud environment.
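To make the behavioural approach above concrete, here is an added example (not code from the page or from InsightCloudSec) of a per-principal baseline scored over constructed, CloudTrail-like audit events: it rewards novelty in action, region and hour, escalates when the same principal has recently alerted, and folds benign-looking events back into the baseline; the weights, window and threshold are assumptions.

```python
# Added example, not code from the page or InsightCloudSec: a per-principal
# behavioural baseline over constructed, CloudTrail-like audit events. The
# scoring weights, the window size and the threshold are illustrative.
from collections import defaultdict, deque
from datetime import datetime

# Constructed history used to learn each principal's normal behaviour.
HISTORY = [
    ("ci-deployer", "UpdateFunction", "us-east-1", "2024-03-01T10:05:00"),
    ("ci-deployer", "UpdateFunction", "us-east-1", "2024-03-02T11:15:00"),
    ("ci-deployer", "GetObject", "us-east-1", "2024-03-02T11:16:00"),
    ("analyst", "GetObject", "eu-west-1", "2024-03-01T09:30:00"),
]
# Constructed new events: a routine deploy, then the deployer credential used
# from a new region at 03:00 for discovery and data access.
NEW_EVENTS = [
    ("ci-deployer", "UpdateFunction", "us-east-1", "2024-03-03T10:30:00"),
    ("ci-deployer", "ListBuckets", "ap-southeast-1", "2024-03-03T03:10:00"),
    ("ci-deployer", "GetObject", "ap-southeast-1", "2024-03-03T03:11:00"),
    ("analyst", "GetObject", "eu-west-1", "2024-03-03T09:45:00"),
]

class PrincipalBaseline:
    def __init__(self, threshold=3, window=5):
        self.actions, self.regions, self.hours = (defaultdict(set) for _ in range(3))
        self.recent = defaultdict(lambda: deque(maxlen=window))  # prior scores
        self.threshold = threshold

    def learn(self, principal, action, region, ts):
        self.actions[principal].add(action)
        self.regions[principal].add(region)
        self.hours[principal].add(datetime.fromisoformat(ts).hour)

    def score(self, principal, action, region, ts):
        """Novelty score; events below the threshold are folded into the baseline."""
        s = 0
        s += 1 if action not in self.actions[principal] else 0
        s += 2 if region not in self.regions[principal] else 0
        s += 1 if datetime.fromisoformat(ts).hour not in self.hours[principal] else 0
        # Context: each recent alert from the same principal raises the score.
        s += sum(1 for prev in self.recent[principal] if prev >= self.threshold)
        self.recent[principal].append(s)
        if s < self.threshold:
            self.learn(principal, action, region, ts)  # adapt to benign drift
        return s

def run_demo():
    """Learn from HISTORY, then score NEW_EVENTS in order."""
    baseline = PrincipalBaseline()
    for event in HISTORY:
        baseline.learn(*event)
    return [baseline.score(*event) for event in NEW_EVENTS]
```

The third event would score only 3 on its own; the prior alert from the same principal pushes it to 4, which is the contextual escalation the paragraph describes.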
A CDR service is one in which a provider of cybersecurity services partners with a customer to perform a portion of or the bulk of that customer's cloud security needs. A provider of this type can reasonably be expected to provide the following services:
As people and devices hop onto and off a network, relationships between these assets constantly change. And in that ephemeral state, new vulnerabilities can quickly be created – and exploited.
That’s why a CDR service provider should be able to leverage all of its powerful capabilities to create effective network detection and response (NDR) protocols that protect the integrity of a hybrid network by monitoring real-time user and entity behavior analytics (UEBA).