Let’s pretend that there is a market that does not actually exist yet and call it Cloud Detection and Response (CDR). Note that defining markets is no longer part of my job description; I’m just doing it for fun here (yes, people find the strangest things enjoyable!).
Let’s define CDR as a type of security tool that is primarily focused on detecting, confirming, and investigating suspicious activities and other security problems in a variety of public cloud environments, including but not limited to IaaS, PaaS, and SaaS. As you can see, I lifted some concepts from the first version of my EDR definition in order to make useful connections between the two. However, contrary to popular belief, the cloud is not simply somebody else’s computer:
The Questions Are:
Does it exist?
Should there even be a market for it?
Should there at least be a technology space for it? (Not every technology space is a market: anti-spam is clearly still a thing, yet there is no separate anti-spam tool market.)
Naturally, the answers to all of life’s tough questions can be found in a Twitter poll… so here is the relevant one:
One of the responses in particular jumped out at me: “there needs to be a CDR function, because the public cloud has enough distinct deployment and collection differences from on-prem.” In my opinion, this is the most compelling argument in favor of the existence of CDR, whether as a market or as a technical capability. Now, let’s think about it some more, especially using what I learned at RSA 2022.
First, I’m willing to wager that nobody would dispute the need for threat detection in public cloud environments, or the need to investigate incidents there. So the problems are real, and as a result there is a requirement.
Second, a hypothetical CDR tool would need to perform its own threat detection, give analysts the ability to triage and prioritize alerts, support incident investigation workflows, and most likely automate at least some of the response. However, there are already technologies capable of doing all of these things, albeit perhaps not simultaneously and not with a particular emphasis on the cloud. Naturally, a SIEM, whether cloud-native or not, can do cloud threat detection based on the logs provided by cloud providers, as well as alert triage and investigations. A SOAR can automate response. In a similar vein, broad cloud security vendors (including all those CWPPs and CNAPPs) claim that they will “protect your cloud,” which frequently includes threat detection.
So, Do We Need A CDR Or Not? I Can See Three Options:
Option 1: CDR should be a real thing, either as a technology or as a market. The cloud is a new arena for threat detection, so existing tools and approaches are not appropriate, and we need new technologies that work well in the cloud.
Option 2: CDR should be recognized as a technology, but not treated as a separate market. CDR capabilities will be delivered by cloud providers as well as by broad cloud security vendors. There is no question that we need new technology capabilities, but they do not need their own market.
Option 3: CDR should not exist; the problem is genuine, but it is solved elsewhere. The cloud is just another telemetry source, and pre-existing technologies and vendors, together with the cloud service providers, will take care of the problem.
In addition, while I was at RSA 2022, I looked at companies such as Cado and Mitiga, among others, and noted that a focus on incident response in the cloud does call for tools that are genuinely different (BTW, a podcast on how we do it here is coming soon). The “R” in CDR is likely the trickiest part to solve, because SIEM and SOAR are of limited use in this context, and traditional forensics tools and EDRs can only be used on virtual machines (and only to an extent even there). Yet the “R” is perhaps the most important part of CDR. In my opinion, this gives CDR further justification.
Lastly, here is my forecast: I am going with Option 2. I believe that in the future we will have “CDR technology,” a toolset optimized for D&R in the public cloud (built by both cloud providers and standalone vendors), but we probably won’t have a separate market for it, because we already have enough long acronyms that start with “C.” What leads me to believe that? Performing cloud D&R tasks using a) pre-cloud technologies and/or b) cloud tools that are not focused on D&R will be annoying enough for a sufficient number of people that they will demand the formation of a new category, if not an entirely new market.
Agree/Disagree?
P.S. I first came across the term CDR in Sift Security’s messaging around 2017; the term was NOT coined by me. And here is a quick rundown of current uses of the term: (example, example for SaaS, example via NDR, example via MDR, example via a broad cloud security stack, etc.)