My colleagues Andras Cser, Jeff Pollard, and I recently published new research on a hot topic: cloud detection and response. In our report, The Comprehensive Guide to Cloud Detection and Response, we define cloud detection and response as:
Detect and respond to cyberattacks across the detection planes at the cloud control plane, data plane, and management plane. This includes one or more cloud-native tools that prioritize security analyst expertise for high-quality detection, full investigation, and rapid, effective response to cloud attacks.
This definition is important for several reasons. First, it points out that cloud D&R products are not a single tool or service. Many tools integrate cloud D&R as part of their work, but the vast majority of them started on the posture side, with configuration and vulnerability management.
Cloud detection and response is not a market category; it is a feature of existing cloud tools, including cloud workload security (comprising cloud security posture management, cloud infrastructure entitlement management, cloud workload protection, container security, infrastructure-as-code scanning, and other solutions).
Cloud detection and response is divided into three detection planes:
Control plane. The control plane provides the functionality used to create, read, update, delete, and list (CRUDL) resources. Cloud detection and response at this plane relies on the tools provided by the cloud infrastructure service provider in IaaS or PaaS. Detections at this plane come from built-in tools like Amazon GuardDuty, Microsoft Defender for Cloud, and Google Cloud Security Command Center, or from detection engineering on AWS CloudTrail, Microsoft Azure, or Google Cloud audit logs.
Data plane. The data plane provides the core functionality of the service. It is what the end user actually manages. Detections at this plane come from a workload deployed on a cloud service, such as an operating system, virtual machine, container, or data store, and are gathered via logs or through tools like cloud workload security.
Management plane. The management plane provides the higher-level aspects of data and configuration. It is what is actually managed within a third-party application (such as a SaaS application). Detections at this plane come from third-party applications, such as commonly used enterprise tools like Duo Security, GitLab, Microsoft 365, Okta, or Salesforce.
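As an added example, not code from the report or the original post: a small Python routine that tags constructed events with their detection plane according to the telemetry source they came from (a CloudTrail record, a VM auth log line, an Okta system log entry) and then applies one plane-specific detection rule to each. The feed names, field layouts, and rule names are assumptions chosen for illustration.

```python
from typing import Dict, List, Optional

# Constructed sample events (not real telemetry; reserved example account id/IP).
SAMPLE_EVENTS: List[Dict] = [
    {"source": "aws.cloudtrail", "eventName": "StopLogging",
     "userIdentity": {"arn": "arn:aws:iam::123456789012:user/alice"}},
    {"source": "aws.cloudtrail", "eventName": "DescribeInstances",
     "userIdentity": {"arn": "arn:aws:iam::123456789012:user/bob"}},
    {"source": "vm.auth_log", "host": "web-01",
     "message": "Accepted publickey for root from 203.0.113.5 port 51514"},
    {"source": "okta.system_log", "eventType": "user.session.start"},
    {"source": "okta.system_log", "eventType": "user.mfa.factor.deactivate"},
]

# The plane is a property of the telemetry source: provider audit logs are
# control plane, workload logs are data plane, SaaS logs are management plane.
PLANE_BY_SOURCE = {"aws.cloudtrail": "control", "vm.auth_log": "data",
                   "okta.system_log": "management"}

def plane_of(event: Dict) -> str:
    return PLANE_BY_SOURCE.get(event.get("source", ""), "unknown")

def control_plane_rule(e: Dict) -> Optional[str]:
    # Stopping or deleting a trail removes control-plane visibility.
    if e.get("eventName") in ("StopLogging", "DeleteTrail"):
        return "cloudtrail_logging_disabled"
    return None

def data_plane_rule(e: Dict) -> Optional[str]:
    msg = e.get("message", "")
    if msg.startswith("Accepted") and " for root " in msg:
        return "interactive_root_ssh_login"
    return None

def management_plane_rule(e: Dict) -> Optional[str]:
    if e.get("eventType") == "user.mfa.factor.deactivate":
        return "mfa_factor_removed"
    return None

RULES = {"control": control_plane_rule, "data": data_plane_rule,
         "management": management_plane_rule}

def run_detections(events: List[Dict]) -> List[Dict]:
    # Tag each event with its plane, then apply that plane's rule.
    findings = []
    for e in events:
        plane = plane_of(e)
        name = RULES[plane](e) if plane in RULES else None
        if name:
            findings.append({"plane": plane, "finding": name, "source": e["source"]})
    return findings
```

Routing by source first, and only then applying a rule, is what keeps the response options honest: a control-plane finding can be answered with provider-level actions, while a data-plane finding needs access to the workload itself.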
This framework helps security professionals determine what control they have based on the type of cloud service they are consuming. Each plane exposes a different detection surface, offers a different level of visibility, and permits different response actions. Without this perspective, it can be difficult to categorize detection techniques and response activities appropriately.
We cover more details in the full report, which Forrester customers can read here. Forrester customers can also chat with Andras, Jeff, or me via an inquiry or mentoring session.