Detect & Respond Functions

  • Detect: Continuously monitor to identify potential cybersecurity events before they reach their full potential impact. This includes practices such as threat detection and alerting on suspicious activity.
  • Respond: Take action once a threat is detected. This involves analyzing, containing, and eradicating threats.

Application, Cloud, and Workload Detection & Response

Modern attacks in cloud environments often span multiple layers: initial compromise at the application layer, pivot to the workload layer, and then access or exfiltration at the cloud layer. As a result, new categories of detection and response have emerged:

  • Application Detection & Response (ADR): Focuses on detecting and blocking exploits at the application layer. ADR is critical for runtime protection but is still a new and evolving field with limited vendor support.
  • Cloud Detection & Response (CDR): Correlates telemetry from containers and cloud resources to provide workload-to-cloud attack visibility. CDR tools may lack deep application context.
  • Cloud Application Detection & Response (CADR): An emerging approach that aims to provide integrated detection and response across application, workload, and cloud layers, correlating events and alerts to provide actionable context for security operations teams.
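
The cross-layer correlation described above, sketched as an added example (not code from any vendor or from this page): alerts from the three layers are joined on pod name, then on the cloud identity the pod runs as. The alert fields, sample data, and 15-minute window are assumptions made for illustration.

```python
from datetime import datetime, timedelta

STAGES = ("application", "workload", "cloud")  # order of the attack path described above
WINDOW = timedelta(minutes=15)                 # assumed correlation window

# Constructed alerts, not real telemetry. Assumed fields: "pod" is set by the
# application and workload sensors, "identity" by the workload and cloud sensors.
ALERTS = [
    {"ts": "2025-01-10T10:00:05", "layer": "application", "pod": "checkout-7d9f",
     "identity": None, "signal": "unexpected code path in request handler"},
    {"ts": "2025-01-10T10:01:40", "layer": "workload", "pod": "checkout-7d9f",
     "identity": "role/checkout-sa", "signal": "shell spawned by web process"},
    {"ts": "2025-01-10T10:04:12", "layer": "cloud", "pod": None,
     "identity": "role/checkout-sa", "signal": "bulk object reads from storage"},
    {"ts": "2025-01-10T10:02:00", "layer": "workload", "pod": "batch-11aa",
     "identity": "role/batch-sa", "signal": "package manager run in container"},
    {"ts": "2025-01-10T13:30:00", "layer": "cloud", "pod": None,
     "identity": "role/batch-sa", "signal": "new access key created"},
]

def _t(alert):
    return datetime.fromisoformat(alert["ts"])

def correlate(alerts, window=WINDOW):
    """Return chains app -> workload -> cloud joined on pod, then on identity."""
    by_layer = {s: sorted((a for a in alerts if a["layer"] == s), key=_t) for s in STAGES}
    chains = []
    for app in by_layer["application"]:
        for wl in by_layer["workload"]:
            # application and workload alerts share the pod name
            if wl["pod"] != app["pod"] or not (_t(app) <= _t(wl) <= _t(app) + window):
                continue
            for cl in by_layer["cloud"]:
                # workload and cloud alerts share the identity the pod runs as
                if cl["identity"] == wl["identity"] and _t(wl) <= _t(cl) <= _t(app) + window:
                    chains.append([app, wl, cl])
    return chains

def uncorrelated(alerts, chains):
    """Alerts left as single-layer findings, still to be triaged on their own."""
    used = {id(a) for chain in chains for a in chain}
    return [a for a in alerts if id(a) not in used]

if __name__ == "__main__":
    for chain in correlate(ALERTS):
        print(" -> ".join(f'{a["layer"]}: {a["signal"]}' for a in chain))
```

The two `batch-11aa` alerts stay uncorrelated: no application-layer alert starts a chain for that pod, so they remain single-layer findings.
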

Limitations:

  • Most current security tools, including CNAPPs, do not provide complete visibility across all layers, making it difficult to detect and respond to complex, multi-stage attacks.
  • Application security features (such as SAST, DAST, and code analysis) are often treated as superficial add-ons in broader cloud security platforms.

Key trends:

  • The future of cloud security will depend on making alerts actionable by providing full attack context, enabling security teams to respond quickly and effectively to cloud incidents.
  • Key emerging vendors in the CADR space include ARMO, Sweet, Upwind, Oligo, Operant, and Raven.

Copyright © 2025 Deepblue Consulting – All rights reserved.