Cloud Detection and Response
Incident Response
Definition
A security capability focused on detecting and responding to threats across cloud infrastructure by correlating cloud-native logs, API events, and control plane activity to identify attacks, misconfigurations, and lateral movement.
Technical Details
CDR platforms ingest cloud-native telemetry — AWS CloudTrail, Azure Activity Log, GCP Cloud Audit Logs, Kubernetes audit logs — and apply behavioral analytics, threat intelligence, and graph-based correlation to detect attacks such as IAM privilege escalation, data exfiltration, cryptomining, and the cloud-specific TTPs catalogued in the MITRE ATT&CK Cloud matrix. CDR complements EDR by covering the cloud control plane that traditional endpoint tools miss.
Practical Usage
Security operations teams should ensure cloud audit logging is enabled across all accounts and regions, and feed logs into a CDR or SIEM platform with cloud-specific detection rules. Key detections include: impossible travel in API calls, new IAM admin role assignments, unusual data egress to external storage, and cryptocurrency mining workload behavior.
Examples
- CDR platform detects an AWS access key used from two geographically impossible locations within minutes, triggering automatic key revocation.
- Kubernetes audit log analysis identifies a service account performing unexpected API calls to the secrets endpoint, indicating post-compromise enumeration.
- A cloud security platform correlates an S3 bucket policy change with a subsequent mass GetObject operation, detecting an exfiltration incident.
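The following is an added example, not code from the original page or from any CDR vendor. It implements three of the detections named above under Practical Usage and in the Examples list as plain Python over CloudTrail-shaped records: impossible travel per access key, attachment of the AdministratorAccess managed policy, and an S3 bucket policy change followed by a burst of GetObject reads. The records, the access key ID, the bucket name, and the IP-to-coordinate table are all constructed sample data (documentation-range IPs with made-up coordinates standing in for a GeoIP lookup); the speed, window, and count thresholds are assumptions a team would tune to its own environment.

```python
"""Cloud control-plane detections over constructed CloudTrail-style records."""
import math
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Constructed stand-in for a GeoIP service: documentation-range IPs, made-up coordinates.
GEO = {
    "203.0.113.10": (40.71, -74.01),   # roughly New York
    "198.51.100.20": (52.52, 13.41),   # roughly Berlin
}
EARTH_RADIUS_KM = 6371.0
ADMIN_POLICY_SUFFIX = ":policy/AdministratorAccess"
ATTACH_EVENTS = {"AttachUserPolicy", "AttachRolePolicy", "AttachGroupPolicy"}


def _rec(t, name, source, ip, key, params=None):
    """Build a minimal CloudTrail-shaped record (constructed sample, not real data)."""
    return {"eventTime": t, "eventName": name, "eventSource": source,
            "sourceIPAddress": ip, "userIdentity": {"accessKeyId": key},
            "requestParameters": params or {}}


# Constructed timeline: one key used from two continents five minutes apart, then an
# admin policy attachment, a bucket policy change, and 60 GetObject reads in one minute.
SAMPLE_EVENTS = [
    _rec("2024-05-01T10:00:00Z", "ListBuckets", "s3.amazonaws.com", "203.0.113.10", "AKIAEXAMPLE0001"),
    _rec("2024-05-01T10:05:00Z", "DescribeInstances", "ec2.amazonaws.com", "198.51.100.20", "AKIAEXAMPLE0001"),
    _rec("2024-05-01T10:07:00Z", "AttachUserPolicy", "iam.amazonaws.com", "198.51.100.20", "AKIAEXAMPLE0001",
         {"userName": "build-bot", "policyArn": "arn:aws:iam::aws:policy/AdministratorAccess"}),
    _rec("2024-05-01T10:10:00Z", "PutBucketPolicy", "s3.amazonaws.com", "198.51.100.20", "AKIAEXAMPLE0001",
         {"bucketName": "acme-reports"}),
] + [
    _rec(f"2024-05-01T10:11:{i:02d}Z", "GetObject", "s3.amazonaws.com", "198.51.100.20", "AKIAEXAMPLE0001",
         {"bucketName": "acme-reports", "key": f"report-{i}.csv"})
    for i in range(60)
]


def _ts(event):
    """Parse the CloudTrail eventTime field (UTC, 'Z' suffix)."""
    return datetime.strptime(event["eventTime"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def haversine_km(a, b):
    """Great-circle distance in km between two (lat, lon) pairs in degrees."""
    lat1, lon1, lat2, lon2 = map(math.radians, (*a, *b))
    h = math.sin((lat2 - lat1) / 2) ** 2 + math.cos(lat1) * math.cos(lat2) * math.sin((lon2 - lon1) / 2) ** 2
    return 2 * EARTH_RADIUS_KM * math.asin(math.sqrt(h))


def detect_impossible_travel(events, max_speed_kmh=900.0):
    """Flag consecutive API calls by one access key whose implied travel speed is implausible."""
    by_key = defaultdict(list)
    for e in events:
        by_key[e["userIdentity"].get("accessKeyId")].append(e)
    alerts = []
    for key, evs in by_key.items():
        evs.sort(key=_ts)
        for prev, cur in zip(evs, evs[1:]):
            if prev["sourceIPAddress"] == cur["sourceIPAddress"]:
                continue
            ga, gb = GEO.get(prev["sourceIPAddress"]), GEO.get(cur["sourceIPAddress"])
            if ga is None or gb is None:
                continue  # unknown geolocation: cannot judge, skip rather than guess
            hours = max((_ts(cur) - _ts(prev)).total_seconds() / 3600, 1 / 3600)
            speed = haversine_km(ga, gb) / hours
            if speed > max_speed_kmh:
                alerts.append({"access_key": key, "from_ip": prev["sourceIPAddress"],
                               "to_ip": cur["sourceIPAddress"], "speed_kmh": round(speed)})
    return alerts


def detect_admin_policy_attachment(events):
    """Flag any attachment of the AWS-managed AdministratorAccess policy to a principal."""
    alerts = []
    for e in events:
        p = e["requestParameters"]
        if e["eventName"] in ATTACH_EVENTS and p.get("policyArn", "").endswith(ADMIN_POLICY_SUFFIX):
            target = p.get("userName") or p.get("roleName") or p.get("groupName")
            alerts.append({"event": e["eventName"], "target": target, "source_ip": e["sourceIPAddress"]})
    return alerts


def detect_policy_change_then_mass_read(events, window=timedelta(minutes=30), threshold=50):
    """Correlate a PutBucketPolicy with a burst of GetObject data events on the same bucket."""
    alerts = []
    for change in (e for e in events if e["eventName"] == "PutBucketPolicy"):
        bucket, t0 = change["requestParameters"].get("bucketName"), _ts(change)
        reads = sum(1 for e in events if e["eventName"] == "GetObject"
                    and e["requestParameters"].get("bucketName") == bucket
                    and t0 < _ts(e) <= t0 + window)
        if reads >= threshold:
            alerts.append({"bucket": bucket, "policy_change_at": change["eventTime"], "get_object_count": reads})
    return alerts


def run_detections(events):
    """Run all three detections and return their alerts keyed by detection name."""
    return {"impossible_travel": detect_impossible_travel(events),
            "admin_policy_attachment": detect_admin_policy_attachment(events),
            "policy_change_then_mass_read": detect_policy_change_then_mass_read(events)}


if __name__ == "__main__":
    for name, hits in run_detections(SAMPLE_EVENTS).items():
        print(name, hits)
```

In production the record source is the CloudTrail log stream (including S3 data events, which must be enabled separately for GetObject to appear at all), the GeoIP table is a real lookup service, and each alert would feed the response step the page describes, such as revoking the key or reverting the bucket policy.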