Today, straight from Jack’s desk, I confess: I thought I knew CDR front to back (I didn’t).
What I Used to Think About CDR
Cloud Detection and Response (CDR)? Ugh. I’d roll my eyes. “Another acronym,” I’d groan with arrogance to a friend in the industry. They would typically roll their eyes too. Maybe they were rolling their eyes at me. I live in a world where Acronyms are precious to me and when CDR dropped, I thought it was just a cute new term for a “CSPM.” I thought it analyzed public cloud configurations to highlight risks, and then analyzed a few additional signals to determine if something nefarious had happened (not real-time, to be clear).
What I Think About CDR Now–And Why
What makes this all even more embarrassing is that it’s simple. Well, let’s call it elegant. It’s one of those innovations that just makes sense. It pops. It provokes my “why didn’t I think of that,” internal monologue.
I’m the Technology Evangelist at Uptycs. Before that, I had a 27-year career, and spent ten of those years in CISO/CSO roles. When my team decided to do a piece on CDR, I surveyed them to see what they thought CDR meant. I didn’t know if the claims they made were true. So I went down the research rabbit hole.
I’d summarize CDR myself, but Laura, a fellow Up-Shifter, said it perfectly in her blog:
"CDR, or Cloud Detection and Response, is a security approach designed to protect cloud applications and infrastructure by providing visibility, analytics, and threat detection capabilities within cloud environments. CDR tools integrate with various cloud service providers and their native security services to detect and respond to cloud-specific threats and vulnerabilities."
She went further, but this piece is for my fellow CISOs out there on the battlefield, being bombarded by acronyms from all sides. Short and sweet: The problem: Hackers scan the cloud attack surface, looking for weaknesses that are caused by cloud-configuration vulnerabilities. Some of these vulnerabilities are ephemeral, and many CSPMs don’t detect configuration changes immediately. The sans are working, and hackers are breaking in.
The solution: CDRs function just like other detection and response tools. The strategies CDR use are specific to the unique architecture of the public cloud. Some of these techniques include:
Analysis of cloud logs to identify anomalies. Perhaps there was a large transfer of data from an S3 bucket, or someone added several privileged accounts. This could be picked up easily in the cloud logs.
Monitoring for atypical data exfiltration from the endlessly-growing number of proprietary cloud storage solutions.
Enumerating cloud architecture. Often overlooked, and potentially complicated, enumeration is discovery of cloud… stuff. Some examples are, finding data stores, assessing which regions serve production traffic, or even mapping the architecture of the entire cloud.
Correlation with historical CSPM / configuration data to estimate risk with more signal inputs. CDRs go far beyond just configuration data, but configuration data is a common baseline.
Doing weird things (seriously). A great CDR detects behavior through analysis of whatever signals are available in the cloud. And if you’ve built anything in AWS lately, you’ll agree, there are a TON of signals.
It Feels Good to Learn
I was wrong about CDR. But that’s OK. I’m sure I don’t have a perfect understanding of it now. Nor will I ever. But that’s still OK. Because in this industry, this always-changing industry, not only do we get to continuously learn, we have to. It was exciting to learn about CDR in a new light. I always say, “trust, but verify.” This includes my bias and assumptions. Do you know what Uptycs has been up to? Trust, but verify your understanding about Uptycs by taking a tour of our CDR features.
About Uptycs CDR
Threat actors are increasingly becoming cloud security experts, making it crucial for businesses to establish a strong cloud security posture. Uptycs Cloud Detection and Response (CDR) offers a comprehensive solution for organizations looking to bolster their cloud security.
Uptycs CDR addresses key challenges in cloud security by detecting malicious activities within your environment, and alerting the appropriate response teams.
Uptycs CDR not only alerts you to these security threats, but also provides simplified explanations and actionable steps to remediate the issues. By partnering with Uptycs, businesses can ensure a robust cloud security posture without needing in-house expertise, allowing them to focus on their core operations.