Data Detection and Response (DDR)


Data Detection & Response (DDR) refers to how organizations detect threats against their data and respond to them. Having clear processes for triaging and acting on these detections is critical for stopping exfiltration of sensitive data before it completes and for keeping the organization's data secure.

DDR provides continuous monitoring of activity logs (e.g. AWS CloudTrail) to identify new or emerging threats to your data. It alerts on suspicious activity (unusual accesses, atypical volume or data-movement activity, first-time accesses, new third-party accesses, etc.) that may require further investigation, giving early warning of a possible data breach or inadvertent disclosure. These requirements can be met by tools that monitor data events through the logs the cloud vendor provides within the customer's own cloud account. One caveat: such a tool only sees what the provider records, so object-level data events (for example S3 GetObject/PutObject in CloudTrail, which are not logged by default) must be enabled for the data stores you want covered. DDR complements Data Security Posture Management (DSPM), which finds and classifies sensitive data, by providing near real-time alerting on suspect or malicious activity against it, so that sensitive data is both located and watched.
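To make the detection side concrete, here is an added example (not code from the original page or from any vendor's product) that runs three DDR-style rules over constructed CloudTrail-shaped S3 data events: first-time access by a principal to a bucket, access from an account other than the one that owns the trail (a third party), and a daily byte volume far above a baseline median. The records, account IDs, principals and the 10x threshold are all constructed assumptions; the field names (eventTime, userIdentity.arn, userIdentity.accountId, recipientAccountId, requestParameters.bucketName, additionalEventData.bytesTransferredOut) follow the real CloudTrail S3 data-event schema.

```python
"""Toy DDR detection pass over constructed AWS CloudTrail S3 data events.

Added example. The events, accounts and thresholds below are constructed
assumptions for illustration, not real logs or any vendor's defaults.
"""
from collections import defaultdict
from statistics import median

OWN_ACCOUNT = "111111111111"   # assumption: the account whose trail we read
VOLUME_FACTOR = 10             # assumption: alert above 10x the baseline median


def ev(time, name, principal, account, bucket, bytes_out=0):
    """Build a minimal CloudTrail S3 data-event record (constructed sample)."""
    return {
        "eventTime": time,
        "eventSource": "s3.amazonaws.com",
        "eventName": name,
        "userIdentity": {"arn": principal, "accountId": account},
        "recipientAccountId": OWN_ACCOUNT,
        "requestParameters": {"bucketName": bucket},
        "additionalEventData": {"bytesTransferredOut": bytes_out},
    }


# Constructed principals: an in-account ETL role, an in-account developer,
# and a user from an unrelated (third-party) AWS account.
ETL = "arn:aws:sts::111111111111:assumed-role/etl/session"
DEV = "arn:aws:iam::111111111111:user/dev"
VENDOR = "arn:aws:iam::999999999999:user/bi-vendor"

# Constructed baseline window: three normal days of the ETL role reading
# pii-exports (~50 MB/day) plus a developer touching a public bucket.
BASELINE = [
    ev("2024-05-01T02:00:00Z", "GetObject", ETL, OWN_ACCOUNT, "pii-exports", 50_000_000),
    ev("2024-05-02T02:00:00Z", "GetObject", ETL, OWN_ACCOUNT, "pii-exports", 55_000_000),
    ev("2024-05-03T02:00:00Z", "GetObject", ETL, OWN_ACCOUNT, "pii-exports", 48_000_000),
    ev("2024-05-03T10:00:00Z", "GetObject", DEV, OWN_ACCOUNT, "public-assets", 10_000),
]

# Constructed monitored day: the ETL role bulk-pulls 900 MB, the developer
# reads pii-exports for the first time, and a third-party account reads it.
TODAY = [
    ev("2024-05-04T02:00:00Z", "GetObject", ETL, OWN_ACCOUNT, "pii-exports", 52_000_000),
    ev("2024-05-04T02:40:00Z", "GetObject", ETL, OWN_ACCOUNT, "pii-exports", 900_000_000),
    ev("2024-05-04T11:12:00Z", "GetObject", DEV, OWN_ACCOUNT, "pii-exports", 5_000),
    ev("2024-05-04T13:00:00Z", "GetObject", VENDOR, "999999999999", "pii-exports", 3_000),
]


def _pair(e):
    return (e["userIdentity"]["arn"], e["requestParameters"]["bucketName"])


def _day(e):
    return e["eventTime"][:10]          # ISO-8601 date prefix, e.g. 2024-05-04


def _bytes(e):
    return e.get("additionalEventData", {}).get("bytesTransferredOut", 0)


def build_baseline(events):
    """Median daily bytes out per (principal, bucket) over the baseline window."""
    daily = defaultdict(int)
    for e in events:
        daily[(_pair(e), _day(e))] += _bytes(e)
    per_pair = defaultdict(list)
    for (pair, _day_key), total in daily.items():
        per_pair[pair].append(total)
    return {pair: median(totals) for pair, totals in per_pair.items()}


def detect(baseline_events, window_events):
    """Run three DDR-style rules over the window and return a list of alerts."""
    baseline = build_baseline(baseline_events)
    alerts, flagged_new, window_daily = [], set(), defaultdict(int)
    for e in window_events:
        pair = _pair(e)
        principal, bucket = pair
        # Rule 1: caller's account is not the account that owns the trail.
        if e["userIdentity"]["accountId"] != e["recipientAccountId"]:
            alerts.append({"rule": "third_party_access", "principal": principal, "bucket": bucket})
        # Rule 2: this principal never touched this bucket during the baseline.
        if pair not in baseline and pair not in flagged_new:
            flagged_new.add(pair)
            alerts.append({"rule": "first_time_access", "principal": principal, "bucket": bucket})
        window_daily[(pair, _day(e))] += _bytes(e)
    # Rule 3: a day's bytes out for a known pair dwarfs its baseline median.
    for (pair, day), total in window_daily.items():
        typical = baseline.get(pair)
        if typical and total > VOLUME_FACTOR * typical:
            alerts.append({"rule": "volume_anomaly", "principal": pair[0],
                           "bucket": pair[1], "day": day, "bytes": total})
    return alerts


if __name__ == "__main__":
    for a in detect(BASELINE, TODAY):
        print(a)
```

In a real deployment the baseline would be learned over weeks rather than three records, and the volume rule would also need a floor for pairs with no history (the developer's first-time read is small here, but a first-time 900 MB pull would only trigger rule 2). The point is that all three signals come from log fields the provider already emits; no agent on the data store is required.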

Differences Between Data Detection and Response (DDR) and Cloud Detection and Response (CDR)

Monitored environment
  CDR: Cloud assets and infrastructure
  DDR: Data repositories within the cloud environment

Threat detection method
  CDR: Log analysis, anomaly detection, machine learning
  DDR: Data-aware detection rules and behavioral analysis based on data access

Presence requirement
  CDR: Typically agentless; may place agents on cloud resources
  DDR: Typically agentless; collects from various log and data sources, not limited to endpoints

Example vendors
  CDR: Wiz, Rapid7 InsightIDR, FireEye Helix
  DDR: Sentra DDR, Exabeam, Securonix, LogRhythm

A successful solution lets organizations detect incidents earlier, preventing catastrophic data loss or at least limiting its impact. Forwarding DDR alerts to Security Information and Event Management (SIEM) and Security Orchestration, Automation and Response (SOAR) tools helps mitigate "notification overload": security teams can correlate data alerts with the rest of their telemetry and handle everything in a single queue rather than watching one more console.
