Blog
/
Cloud
/
July 31, 2024

CDR is just NDR for the Cloud... Right?

As cloud adoption surges, the need for scalable, cloud-native security is paramount. This blog explores whether Cloud Detection and Response (CDR) is merely Network Detection and Response (NDR) tailored for the cloud, highlighting the unique challenges and essential solutions SOC teams require to secure dynamic cloud environments effectively.
Inside the SOC
Darktrace cyber analysts are world-class experts in threat intelligence, threat hunting and incident response, and provide 24/7 SOC support to thousands of Darktrace customers around the globe. Inside the SOC is exclusively authored by these experts, providing analysis of cyber incidents and threat trends, based on real-world experience in the field.
Written by
Adam Stevens
Director of Product, Cloud Security
Default blog imageDefault blog imageDefault blog imageDefault blog imageDefault blog imageDefault blog image
31
Jul 2024

The need for scalable cloud-native security

The cybersecurity landscape is undergoing a rapid transformation driven by the accelerated adoption of cloud computing, compelling organizations to reevaluate their security strategies. According to Forrester’s Infrastructure Cloud Survey, 2023, cloud decision-makers who are moving to a cloud computing infrastructure estimated they have already moved 39% of their application portfolio to the cloud and intend to move another 53% in the next two years [1].

This explosive growth underscores not only the increased dependency on cloud services, but also the evolving sophistication of cyber threats targeting these platforms, and the critical need for dedicated security measures tailored to cloud infrastructures — thereby making cloud security a pivotal focus for Security Operations Center (SOC) teams.

As organizations increasingly migrate to cloud environments and their reliance on cloud infrastructures deepens, they encounter new security challenges that require reevaluating their security strategies. Traditional measures like Network Detection and Response (NDR) are being reassessed in favor of more dynamic, scalable cloud-native solutions.

However, can we truly say that cloud detection and response (CDR) is fundamentally different? Or is it simply an evolution of NDR tailored for the cloud?

Cloud Detection and Response (CDR) vs Network Detection and Response (NDR)

Cloud Detection and Response (CDR) has emerged as a pivotal technology in the race against threat actors targeting cloud assets. CDR is typically centered around the same foundational principles as NDR. As such, NDR providers are well placed to provide these capabilities within dynamic cloud environments – particularly those providers that are built upon the foundation of understanding your business, its digital footprint, and leveraging that understanding to detect subtle deviations and highlighting anomalies as opposed to pre training or relying on rules and signatures.

However, there are unique challenges within cloud environments that require a wider, richer, context-aware approach.

Why SOC Teams Care

Widespread UseThe shift towards cloud services is no longer a trend but a standard practice across industries. Organizations increasingly rely on cloud infrastructures for essential operations across IaaS, PaaS, and SaaS platforms. According to Gartner, worldwide end-user spending on public cloud services is forecast to grow 20.4% to total $678.8 billion in 2024, up from $563.6 billion in 2023 [2]. This widespread adoption necessitates a security approach that can operate seamlessly across varied cloud environments, addressing both the scalability and the agility that these platforms offer.

Sophisticated AttacksCyber threats have evolved in sophistication, specifically targeting cloud platforms due to their growing prevalence. Attackers exploit the dynamic nature of cloud services, where traditional security measures often fall short. The cloud has emerged as a major target for threat actors who want to control access to, manipulate, and steal that data. This makes cloud resources a bigger target than ever for attackers. According to the IBM Cost of a Data Breach 2023 report, 82% of breaches involved data stored in the cloud [3]. Examples include data breaches initiated through misconfigured storage instances or through the exploitation of incomplete data deletion processes, highlighting the need for cloud-specific security responses.

Dynamic EnvironmentsCloud environments are inherently dynamic, characterized by the rapid provisioning and de-provisioning of resources, this fluidity presents a significant challenge for maintaining continuous security oversight, organizations need to be able to see what individual assets in the cloud look like at any given moment, who or what can access those, but also to be able to detect and respond to changes in real time. Unlike traditional infrastructure, detection and response in the cloud is challenging because of the ephemeral nature of some cloud assets and the velocity and volume of new app deployment – traditional signature-based detections will often struggle to work with such data.

What SOC Teams Need

Centralized VisibilityEffective security management requires a comprehensive, unified view spanning all operational environments including multi-cloud platforms and on-premises datacenters. Furthermore, in today's complex IT landscape, where organizations operate across both on-premises and various cloud environments, the need for centralized visibility becomes paramount. This comprehensive oversight is crucial for detecting anomalies and potential threats in real time, allowing SOC teams to manage security from a single source of truth, despite the dispersed nature of cloud assets and the heterogeneity of on-premises resources. By integrating these views, organizations can ensure a seamless security posture that encompasses all operational environments, enhancing their ability to respond swiftly to incidents and reduce security gaps.

AutomationGiven the vast scale and complexity of cloud operations, automation in detection and response processes is indispensable. Automated security solutions can instantly respond to threats, or adjust permissions across the cloud, enhancing both the efficiency and effectiveness of security measures.

Containment and RemediationThe capability for swift containment and remediation of security incidents is vital to minimize their impact on business operations. Automated response mechanisms that can isolate affected systems, revoke access, or reroute traffic until the threat is neutralized are essential components of modern CDR solutions.

Unpacking the Essentials: What Sets CDR Apart from NDR

While CDR and NDR share similar goals of threat mitigation, the context within cloud environments brings additional complexities:

Who: The identification of user roles and access patterns in cloud environments is crucial for detecting insider threats or compromised accounts. For example, an account behaving irregularly or accessing unusual data points may indicate a security breach.

What: Understanding what resources are deployed in the cloud (such as VMs, containers, and serverless functions) and the types of data they handle helps prioritize security efforts. Protecting data with varying sensitivity levels requires different security protocols.

Where: The geographic distribution of cloud datacenters affects regulatory compliance and data sovereignty. Security measures must consider these factors to ensure that data storage and processing comply with local laws and regulations.

How: Monitoring the configuration and usage of cloud services helps in identifying misconfigurations and anomalous usage patterns, which are common vectors for attacks. Tools that can automatically scan and rectify configurations in real time are particularly valuable in maintaining cloud security.

Key takeaways and benefits of CDR

As cloud adoption continues to surge, the strategic importance of CDR becomes increasingly evident. However, NDR vendors are well-positioned to provide these capabilities, especially those who deeply understand customer environments by learning the pattern of life of resources rather than relying on static rules and signatures.

Cloud environments, at their core, are still comprised of networks for communication. Interactions between cloud resources need to be monitored in real time, and access to these resources needs to be tracked and managed. As the cloud changes dynamically, the understanding and visualization of what is deployed and where needs to be updated quickly. Above all effective and proportional cloud-native response needs to be provided to mitigate threats and avoid business disruption.

Moreover, the ideal solutions will not only monitor network interactions but also bring in cloud contextual awareness. By combining these insights, SOC teams can gain a deeper understanding of permissions, assess risk vulnerabilities, and integrate all these elements into a single, cohesive platform. Importantly, SOC teams need to go beyond detection and response to actively mitigate potential misconfigurations and stay preventative. After all, proactive security is much better than reactive. By leveraging such comprehensive solutions, SOC teams can better equip themselves to tackle the modern cybersecurity landscape, ensuring robust, responsive, and adaptable defenses.

Learn more about Darktrace / CLOUD

Darktrace / CLOUD is intelligent cloud security powered by Self-Learning AI that delivers continuous, context-aware visibility and monitoring of cloud assets to unlock real-time detection and response​,​ and proactive cloud risk management. Read more about our cloud security solution here.

References

[1]  Gartner Forecasts Worldwide Public Cloud End-User Spending to Surpass $675 Billion in 2024

[2]  Public Cloud Market Insights, 2023 | Forrester

[3]  IBM Cost of a Data Breach 2023 Report

Inside the SOC
Darktrace cyber analysts are world-class experts in threat intelligence, threat hunting and incident response, and provide 24/7 SOC support to thousands of Darktrace customers around the globe. Inside the SOC is exclusively authored by these experts, providing analysis of cyber incidents and threat trends, based on real-world experience in the field.
Written by
Adam Stevens
Director of Product, Cloud Security

More in this series

No items found.

Blog

/

Identity

/

July 7, 2025

Top Eight Threats to SaaS Security and How to Combat Them

login screen for mutli factor authentication Default blog imageDefault blog image

The latest on the identity security landscape

Following the mass adoption of remote and hybrid working patterns, more critical data than ever resides in cloud applications – from Salesforce and Google Workspace, to Box, Dropbox, and Microsoft 365.

On average, a single organization uses 130 different Software-as-a-Service (SaaS) applications, and 45% of organizations reported experiencing a cybersecurity incident through a SaaS application in the last year.

As SaaS applications look set to remain an integral part of the digital estate, organizations are being forced to rethink how they protect their users and data in this area.

What is SaaS security?

SaaS security is the protection of cloud applications. It includes securing the apps themselves as well as the user identities that engage with them.

Below are the top eight threats that target SaaS security and user identities.

1.  Account Takeover (ATO)

Attackers gain unauthorized access to a user’s SaaS or cloud account by stealing credentials through phishing, brute-force attacks, or credential stuffing. Once inside, they can exfiltrate data, send malicious emails, or escalate privileges to maintain persistent access.

2. Privilege escalation

Cybercriminals exploit misconfigurations, weak access controls, or vulnerabilities to increase their access privileges within a SaaS or cloud environment. Gaining admin or superuser rights allows attackers to disable security settings, create new accounts, or move laterally across the organization.

3. Lateral movement

Once inside a network or SaaS platform, attackers move between accounts, applications, and cloud workloads to expand their foot- hold. Compromised OAuth tokens, session hijacking, or exploited API connections can enable adversaries to escalate access and exfiltrate sensitive data.

4. Multi-Factor Authentication (MFA) bypass and session hijacking

Threat actors bypass MFA through SIM swapping, push bombing, or exploiting session cookies. By stealing an active authentication session, they can access SaaS environments without needing the original credentials or MFA approval.

5. OAuth token abuse

Attackers exploit OAuth authentication mechanisms by stealing or abusing tokens that grant persistent access to SaaS applications. This allows them to maintain access even if the original user resets their password, making detection and mitigation difficult.

6. Insider threats

Malicious or negligent insiders misuse their legitimate access to SaaS applications or cloud platforms to leak data, alter configurations, or assist external attackers. Over-provisioned accounts and poor access control policies make it easier for insiders to exploit SaaS environments.

7. Application Programming Interface (API)-based attacks

SaaS applications rely on APIs for integration and automation, but attackers exploit insecure endpoints, excessive permissions, and unmonitored API calls to gain unauthorized access. API abuse can lead to data exfiltration, privilege escalation, and service disruption.

8. Business Email Compromise (BEC) via SaaS

Adversaries compromise SaaS-based email platforms (e.g., Microsoft 365 and Google Workspace) to send phishing emails, conduct invoice fraud, or steal sensitive communications. BEC attacks often involve financial fraud or data theft by impersonating executives or suppliers.

BEC heavily uses social engineering techniques, tailoring messages for a specific audience and context. And with the growing use of generative AI by threat actors, BEC is becoming even harder to detect. By adding ingenuity and machine speed, generative AI tools give threat actors the ability to create more personalized, targeted, and convincing attacks at scale.

Protecting against these SaaS threats

Traditionally, security leaders relied on tools that were focused on the attack, reliant on threat intelligence, and confined to a single area of the digital estate.

However, these tools have limitations, and often prove inadequate for contemporary situations, environments, and threats. For example, they may lack advanced threat detection, have limited visibility and scope, and struggle to integrate with other tools and infrastructure, especially cloud platforms.

AI-powered SaaS security stays ahead of the threat landscape

New, more effective approaches involve AI-powered defense solutions that understand the digital business, reveal subtle deviations that indicate cyber-threats, and action autonomous, targeted responses.

[related-resource]

Continue reading
About the author
Carlos Gray
Senior Product Marketing Manager, Email

Blog

/

Proactive Security

/

July 7, 2025

Pre-CVE Threat Detection: 10 Examples Identifying Malicious Activity Prior to Public Disclosure of a Vulnerability

Woman on laptop in officeDefault blog imageDefault blog image

Vulnerabilities are weaknesses in a system that can be exploited by malicious actors to gain unauthorized access or to disrupt normal operations. Common Vulnerabilities and Exposures (or CVEs) are a list of publicly disclosed cybersecurity vulnerabilities that can be tracked and mitigated by the security community.

When a vulnerability is discovered, the standard practice is to report it to the vendor or the responsible organization, allowing them to develop and distribute a patch or fix before the details are made public. This is known as responsible disclosure.

With a record-breaking 40,000 CVEs reported for 2024 and a predicted higher number for 2025 by the Forum for Incident Response and Security Teams (FIRST) [1], anomaly-detection is essential for identifying these potential risks. The gap between exploitation of a zero-day and disclosure of the vulnerability can sometimes be considerable, and retroactively attempting to identify successful exploitation on your network can be challenging, particularly if taking a signature-based approach.

Detecting threats without relying on CVE disclosure

Abnormal behaviors in networks or systems, such as unusual login patterns or data transfers, can indicate attempted cyber-attacks, insider threats, or compromised systems. Since Darktrace does not rely on rules or signatures, it can detect malicious activity that is anomalous even without full context of the specific device or asset in question.

For example, during the Fortinet exploitation late last year, the Darktrace Threat Research team were investigating a different Fortinet vulnerability, namely CVE 2024-23113, for exploitation when Mandiant released a security advisory around CVE 2024-47575, which aligned closely with Darktrace’s findings.

Retrospective analysis like this is used by Darktrace’s threat researchers to better understand detections across the threat landscape and to add additional context.

Below are ten examples from the past year where Darktrace detected malicious activity days or even weeks before a vulnerability was publicly disclosed.

ten examples from the past year where Darktrace detected malicious activity days or even weeks before a vulnerability was publicly disclosed.

Trends in pre-cve exploitation

Often, the disclosure of an exploited vulnerability can be off the back of an incident response investigation related to a compromise by an advanced threat actor using a zero-day. Once the vulnerability is registered and publicly disclosed as having been exploited, it can kick off a race between the attacker and defender: attack vs patch.

Nation-state actors, highly skilled with significant resources, are known to use a range of capabilities to achieve their target, including zero-day use. Often, pre-CVE activity is “low and slow”, last for months with high operational security. After CVE disclosure, the barriers to entry lower, allowing less skilled and less resourced attackers, like some ransomware gangs, to exploit the vulnerability and cause harm. This is why two distinct types of activity are often seen: pre and post disclosure of an exploited vulnerability.

Darktrace saw this consistent story line play out during several of the Fortinet and PAN OS threat actor campaigns highlighted above last year, where nation-state actors were seen exploiting vulnerabilities first, followed by ransomware gangs impacting organizations [2].

The same applies with the recent SAP Netweaver exploitations being tied to a China based threat actor earlier this spring with subsequent ransomware incidents being observed [3].

Autonomous Response

Anomaly-based detection offers the benefit of identifying malicious activity even before a CVE is disclosed; however, security teams still need to quickly contain and isolate the activity.

For example, during the Ivanti chaining exploitation in the early part of 2025, a customer had Darktrace’s Autonomous Response capability enabled on their network. As a result, Darktrace was able to contain the compromise and shut down any ongoing suspicious connectivity by blocking internal connections and enforcing a “pattern of life” on the affected device.

This pre-CVE detection and response by Darktrace occurred 11 days before any public disclosure, demonstrating the value of an anomaly-based approach.

In some cases, customers have even reported that Darktrace stopped malicious exploitation of devices several days before a public disclosure of a vulnerability.

For example, During the ConnectWise exploitation, a customer informed the team that Darktrace had detected malicious software being installed via remote access. Upon further investigation, four servers were found to be impacted, while Autonomous Response had blocked outbound connections and enforced patterns of life on impacted devices.

Conclusion

By continuously analyzing behavioral patterns, systems can spot unusual activities and patterns from users, systems, and networks to detect anomalies that could signify a security breach.

Through ongoing monitoring and learning from these behaviors, anomaly-based security systems can detect threats that traditional signature-based solutions might miss, while also providing detailed insights into threat tactics, techniques, and procedures (TTPs). This type of behavioral intelligence supports pre-CVE detection, allows for a more adaptive security posture, and enables systems to evolve with the ever-changing threat landscape.

Credit to Nathaniel Jones (VP, Security & AI Strategy, Field CISO), Emma Foulger (Global Threat Research Operations Lead), Ryan Traill (Analyst Content Lead)

References and further reading:

  1. https://www.first.org/blog/20250607-Vulnerability-Forecast-for-2025
  2. https://cloud.google.com/blog/topics/threat-intelligence/fortimanager-zero-day-exploitation-cve-2024-47575
  3. https://thehackernews.com/2025/05/china-linked-hackers-exploit-sap-and.html

Related Darktrace blogs:

*Self-reported by customer, confirmed afterwards.

**Updated January 2024 blog now reflects current findings

Continue reading
About the author
Nathaniel Jones
VP, Security & AI Strategy, Field CISO
Your data. Our AI.
Elevate your network security with Darktrace AI