Wiz
All articles

What is Cloud Detection and Response (CDR)?

Cloud detection and response is the process of identifying and mitigating security threats or incidents in cloud environments through monitoring, analysis, and automated or manual actions.

Greg Zemlin
5 min read

What is cloud detection and response?

Cloud detection and response (CDR) is the new standard for fast identification, analysis, and response to potential cloud security threats. CDR can also be referred to as cloud-native detection and response (CNDR) or cloud threat detection and response (CTDR).

CDR focuses specifically on cloud environments, setting it apart apart from other detection and response approaches. While CDR shares some of the features of workload-focused endpoint detection and response (EDR), network detection and response (NDR), and extended detection and response (XDR), it comes with many more features tailored to the cloud.

Through threat detection and analysis, CDR provides deep visibility into complex cloud and multi-cloud environments, services, APIs, and every type of workload. This includes VMs, containers, and serverless, along with cloud networking, storage nodes, Kubernetes clusters, and much more.

Why you need cloud detection and response

Organizations face an overwhelming number of vulnerabilities in the cloud due to misconfigurations and lack of visibility across complex environments, with many interconnected applications, short-lived cloud assets, and a changing identity access layer. In addition, IT teams managing these environments may lack the necessary cloud security expertise.

And while there is no shortage of detection and security tools on the market, they fail to provide the deep visibility needed to identify and remediate threats in cloud environments. Wiz data reveals that enterprises have, on average, 200 critical cloud issues that could cause a breach if exploited.

Leading security experts understand that the unique complexity of the cloud necessitates cloud-specific D&R solutions. Following a poll he conducted on the need for CDR, Google Cloud security advisor Anton Chuvankin cited the following comment as the strongest argument in favor: “Public cloud has enough special deployment and collection differences from on-prem that there has to be a CDR function.

In short, cloud-native resources are dynamic, complex, and highly distributed in ways that render other D&R solutions ineffective. Of many examples, containers and Kubernetes clusters—where scalability and deployment parameters change fast and often—demonstrate where traditional D&R solutions fall short. The dynamic nature of the cloud explains why traditional security solutions struggle to keep track of security configurations and reduce false alerts.

Reducing alert fatigue

Alerts are key for determining threat prioritization and where to focus remediation efforts. However, many of the available solutions come with a high rate of false positives, with SOC teams spending an average of 32% of their time on false incident investigations and validations.

Cloud detection and response solutions can prioritize alerts based on criticality while eliminating false positives. By providing full transparency and visibility into complex cloud environments, CDR solutions analyze alert severity based on business data and workload priorities to proactively identify lateral movement attacks via context-aware security intelligence.

Quick threat analysis and remediation

Manual threat analysis across cloud configurations, network exposures, identity access technologies, and other cloud architecture aspects is far too time consuming. CDR triggers automated actions such as quarantining workloads, delivering network-access control adaptability, creating asset- and network-isolation zones, or using approved images to rebuild workloads.

How does CDR work?

CDR offers continuous in-depth analysis of configurations, services, and assets to determine the best threat response.These solutions are either agent based (agents installed on workloads) or agentless (the snapshot-scanning approach) for data collection from block storage and retrieval of cloud configuration metadata contained within APIs. An effective CDR solution should be able to:

  • Identify complex exposure chains and lateral movement paths that lead to primary assets (e.g., administrator identities or intellectual property (IP)/personal identifiable information (PII)). An optimal CDR solution will use a single GUI integrated with a continually updated database. This database gathers all cloud environment changes to enable accurate identification of exploitable cross-account pathways and even cross-cloud threats.

  • Simulate potential network exposures discovered via the continuously updated cross-cloud environment database to provide deeper levels of risk validation. Using evidence such as response content and status code supports granular attack-vector identification.

  • Detect cloud events through monitoring and detection rules that are constantly informed by the cross-cloud and pathways threat database, thereby providing malware scans with custom threat-intelligence feeds. This capability should be bolstered by continuous monitoring for attacks across cloud services and accurate, prioritized alerting capabilities.

  • Respond using cloud-threat identification and containment via auto-remediation or by notifying security teams. Security events should be collected and prioritized from workloads at scale. This should include workload protection across VMs, containers, and serverless for cloud-specific attack pattern detection. Examples include IAM, cloud API, or other threat-vector manipulation points.

The ideal CDR solution incorporates these aspects into an end-to-end cloud security platform that can be tailored to any cloud ecosystem.

wiz blog

Intro to forensics in the cloud: A container was compromised. What’s next?

Learn what tools and data sources you need to use in cloud forensics investigation and how they come into practice in a real-life example.

Read more

Features to look for in a cloud detection and response solution

Every business has its unique cloud strategy, ecosystem, and priorities. Together with the dynamic nature of complex cloud environments, this requires an automated CDR tool capable of meeting today’s needs—and tomorrow’s:

  • Real-time monitoring and detection across the entire cloud ecosystem. The ability to detect known/unknown threats and suspicious activity, including remote-code execution, malware, cryptomining, lateral movement, privilege escalation, and container escape is essential.

A CDR tool should collect cloud events and alerts via integrations with services like AWS CloudTrail, Azure Activity Logs, GCP Cloud Audit Logs

  • End-to-end visibility for threat correlation across real-time signals, cloud activity, and audit logs to uncover attacker movement in the cloud and drive rapid response and threat remediation.

An visualization of how CDR can give you end-to-end visibility into an attack path

  • Out-of-the-box detection for the latest attacks and complex environments, including applications, servers, networking services, runtime cloud, VMs, serverless, containers, Kubernetes clusters, and APIs, among other cloud-environment architecture components. In addition, heuristics-based rule sets should provide transparent and consistent identification of threats.

Example detection of a data exfiltration attempt

  • Attacker simulations that analyze external-environment exposure points (e.g., applications and APIs from outside the cloud environment) to provide a deeper understanding of an attacker's behavior. Simulations can validate port- and IP-address exposure status based on current network configurations or API misconfigurations that allow unauthenticated requests or secret/sensitive data exposure.

A CDR tool can give you an understanding of an attacker's behavior by analyzing external exposure of applications from the outside

  • Integration with existing tools, systems, and environments: A vendor-neutral CDR solution that seamlessly integrates across all CSPs and multi-cloud environments, including systems, CI/CD pipelines, and security tools within the ecosystem. This allows for streamlined data collection; reduces infrastructure complexity; ensures continuity; and helps maintain a consistent, gap-free, infrastructure-wide security posture.

As an essential foundation for a comprehensive cloud security strategy, a CDR solution should constantly and easily adapt to each organization’s cloud ecosystem and the changing threat landscape.

How to Build a Strategic Cloud Security Program

Download this guide to learn how to prioritize cloud security with your C-Suite.

Download Now

Can your organization perform forensics at scale for workloads?

Performing cloud threat forensics at scale is a massive undertaking, and it starts with a full understanding of your current cloud strategy and the need to adapt over time to meet new business and market needs. This is a direct result of the business outcome and operational adjustments as well as the growing data and workloads of an evolving cloud ecosystem. A CDR solution must be capable of accommodating dynamic cloud environments, new threat vectors, and changing security strategies.

Wiz offers an intuitive CDR solution that enables complex processes and threat forensics at scale to keep your cloud environment secure. 

Wiz CDR enables us to not only see where there’s a threat, but also to understand how worried we should be about it – this feature is all about effective prioritization.

Igor Tsyganskiy, President & CTO, Bridgewater Associates

Learn how you can correlate threats across real-time signals and cloud activity in a single platform by scheduling a personalized demo today.

See Your Cloud Activities Come to Life

Schedule a demo to learn how Wiz can detect and analyze threats in context so that you can prioritize, investigate, and respond quickly to the right risks.

Get a demo

Cloud detection and response FAQs

Continue reading

Credential Stuffing Explained

Wiz Experts Team

Credential stuffing is a type of cyberattack where automated tools are used to repeatedly inject stolen username/password combinations into various services to gain access to legitimate users’ accounts in addition to those that were originally breached.

Container Orchestration

Nicolas Ehrman

Container orchestration involves organizing groups of containers that make up an application, managing their deployment, scaling, networking, and their availability to ensure they're running optimally.

Native Azure Security Tools

Wiz Experts Team

This blog explores the significance of security in Azure environments and provides an overview of native as well as third-party security tools available to improve an organization’s Azure security stance.

Cross-site scripting

Wiz Experts Team

Cross-site scripting (XSS) is a vulnerability where hackers insert malicious scripts inside web applications with the aim of executing them in a user’s browser.