Data detection and response (DDR) is a cybersecurity technology that monitors and protects data in any format and location across on-premises, cloud and multicloud environments.
Unlike other data loss prevention (DLP) tools that monitor network infrastructure and endpoints for signs of suspicious activity, DDR tools focus on the data itself, tracking data movement and activity.
Designed as a proactive approach to cloud security, DDR detects cyberthreats to data that is at rest or in motion in real time. It also automates the response to cyberattacks so that data breaches, ransomware attacks and other attempted exfiltrations can be contained as they happen.
DDR solutions are important because they help address the vulnerabilities of cloud data distributed across multiple platforms, applications, data stores and software as a service (SaaS) environments.
The open and interconnected nature of cloud computing can place sensitive information such as customer data, personally identifiable information (PII) and financial data at risk.
The IBM Cost of a Data Breach Report found that 40% of data breaches involve data stored across multiple environments. Data stolen from public clouds incurred the highest average breach cost at USD 5.17 million.
With data privacy regulations expanding and global data breach costs at an all-time high, effective cloud data security strategies are a business imperative.
Security solutions such as endpoint detection and response (EDR), extended detection and response (XDR) and firewalls protect against data threats at the network and device levels. However, because network perimeters are often porous in cloud-connected networks, these security measures provide limited protection when data travels or exists simultaneously across multiple systems.
In contrast, DDR operates beyond network perimeters. It monitors and protects the data itself regardless of location.
Using data discovery and data classification, DDR pinpoints the location of sensitive data. DDR then tracks the data's movement and usage across multicloud environments.
Advanced analytics and anomaly detection capabilities enable DDR tools to identify malicious data activity or user behavior. For example, unauthorized access, massive downloads of information, late-night data transfers or an IP address from an unusual location might signal a cyberattack.
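The discovery and classification step described above can be illustrated with a small scanner. The following is an added example, not code from IBM or from any DDR product: it walks a set of constructed data stores, matches a few simple PII patterns, validates candidate card numbers with the Luhn check so that arbitrary digit runs are not counted, and ranks each store by a sensitivity label. Store names, records, detector patterns and the weights are all assumed values for the illustration.

```python
import re

# Constructed sample data stores and records (not real customer data). The card
# number under crm-db is the well-known synthetic Visa test number; the one under
# analytics-bucket looks like a card but fails the Luhn check, so it is not one.
SAMPLE_RECORDS = {
    "crm-db.customers": ["alice@example.com", "Order #4471 shipped", "4111 1111 1111 1111"],
    "analytics-bucket/events.csv": ["page_view", "session=abc123", "1234 5678 9012 3456"],
    "hr-share/payroll.xlsx": ["bob@example.org", "123-45-6789", "salary band 4"],
    "public-site/assets": ["logo.png", "Welcome!"],
}

# Detector patterns. Deliberately simple; a production classifier adds context
# checks (column names, surrounding keywords) on top of the regexes.
PATTERNS = {
    "email": re.compile(r"\b[\w.+-]+@[\w-]+\.[\w.-]+\b"),
    "ssn": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
    "card": re.compile(r"\b(?:\d[ -]?){13,19}\b"),
}
# Weights rank stores by sensitivity (assumed values, not a legal classification).
WEIGHTS = {"email": 1, "ssn": 3, "card": 3}


def luhn_valid(digits: str) -> bool:
    """Luhn mod-10 check: rejects digit runs that merely look like card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:                       # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def classify(records):
    """Return, per data store, the PII kinds found, a score and a sensitivity label."""
    report = {}
    for store, values in records.items():
        kinds = set()
        for value in values:
            for kind, pattern in PATTERNS.items():
                for match in pattern.finditer(value):
                    if kind == "card" and not luhn_valid(re.sub(r"\D", "", match.group())):
                        continue             # numeric noise, not a card number
                    kinds.add(kind)
        score = sum(WEIGHTS[k] for k in kinds)
        label = "restricted" if score >= 3 else "internal" if score else "public"
        report[store] = {"kinds": sorted(kinds), "score": score, "label": label}
    return report


def sensitive_stores(report):
    """The stores a DDR tool would track most closely, most sensitive first."""
    ranked = sorted(report.items(), key=lambda kv: -kv[1]["score"])
    return [store for store, r in ranked if r["score"] > 0]


if __name__ == "__main__":
    for store, r in classify(SAMPLE_RECORDS).items():
        print(f"{store:30} {r['label']:10} {r['kinds']}")
```

The Luhn step is the part worth copying: without it, any analytics dump full of numeric identifiers gets labelled as card data and the monitoring that follows is spent on false positives.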
DDR is typically deployed as one part of a data security posture management (DSPM) system. DSPM provides a centralized view of potential threats across an organization’s cloud environments. DDR provides real-time data protection to detect and respond to those threats.
Organizations might also integrate DDR with other security tools such as cloud security posture management (CSPM); security orchestration, automation and response (SOAR); security information and event management (SIEM) and risk management solutions.
There are four primary components to a data detection and response solution: continuous data monitoring, threat detection, alert generation and incident response.
DDR performs real-time, continuous monitoring of data activity logs to identify and isolate security incidents as they happen.
As it tracks data flows and interactions across multiple cloud platforms, DDR relies on data lineage to monitor potential threats. Data lineage shows the origin, path, destination and transformation of different types of data. This information helps DDR determine when and if sensitive data might be at risk—for example, if data moves to an unexpected system or is altered in an unexpected way.
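The lineage reasoning in the paragraph above (origin, path, destination, transformation) can be made concrete as a label-propagation walk over a lineage graph. This is an added example, not from IBM's page or any product: it carries a sensitivity label along each edge, lets transformations such as tokenization or aggregation lower the label by one level while a plain copy preserves it, and reports every system that ends up holding data above the level it is approved for. The systems, edges, approval policy and downgrade rules are constructed assumptions.

```python
from collections import defaultdict, deque

LEVELS = ["public", "internal", "restricted"]

# Constructed lineage edges: (source, destination, transformation).
LINEAGE = [
    ("crm-db.customers", "etl-staging", "copy"),
    ("etl-staging", "warehouse.fact_orders", "tokenize"),
    ("warehouse.fact_orders", "bi-dashboard", "aggregate"),
    ("etl-staging", "dev-sandbox", "copy"),        # raw data copied to a dev system
    ("crm-db.customers", "partner-sftp", "copy"),  # raw data copied to an external drop
]
# Labels known at the origin (from discovery/classification).
ORIGIN_LABELS = {"crm-db.customers": "restricted"}
# Highest label each system is approved to hold (assumed policy).
APPROVED = {
    "crm-db.customers": "restricted", "etl-staging": "restricted",
    "warehouse.fact_orders": "internal", "bi-dashboard": "public",
    "dev-sandbox": "internal", "partner-sftp": "internal",
}
# How many levels a transformation lowers the label (assumed: copy keeps it,
# tokenizing or aggregating removes one level of sensitivity).
DOWNGRADE = {"copy": 0, "tokenize": 1, "aggregate": 1}


def propagate(lineage, origin_labels):
    """Breadth-first walk that carries the effective label to every reachable node."""
    edges = defaultdict(list)
    for src, dst, transform in lineage:
        edges[src].append((dst, transform))
    labels = dict(origin_labels)
    queue = deque(origin_labels)
    while queue:
        node = queue.popleft()
        level = LEVELS.index(labels[node])
        for dst, transform in edges[node]:
            new_level = max(0, level - DOWNGRADE[transform])
            # keep the most sensitive label when several paths reach one node;
            # re-queue only on an increase, so cycles terminate
            if dst not in labels or LEVELS.index(labels[dst]) < new_level:
                labels[dst] = LEVELS[new_level]
                queue.append(dst)
    return labels


def find_violations(labels, approved):
    """Systems holding data more sensitive than they are approved for."""
    return sorted(
        (node, label, approved.get(node, "public"))
        for node, label in labels.items()
        if LEVELS.index(label) > LEVELS.index(approved.get(node, "public"))
    )


if __name__ == "__main__":
    effective = propagate(LINEAGE, ORIGIN_LABELS)
    for node, label, allowed in find_violations(effective, APPROVED):
        print(f"{node}: holds {label} data, approved for {allowed}")
```

A system missing from the approval policy is treated as approved for public data only, which is the safe default: an unknown destination for restricted data is exactly the case the paragraph above calls out.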
As a DDR tool monitors data, it applies machine learning and behavioral analytics to detect aberrations from baseline activities. For example, an unusual data access request, a large download of sensitive information or a spike in user activity might signal a risk.
This threat detection grows more accurate over time as DDR learns to recognize increasingly subtle deviations from normal patterns and behaviors.
When a potential breach or anomaly is detected, DDR triggers an alert to notify the appropriate security teams. Alert generation occurs on a priority basis so personnel are not overwhelmed with excessive notifications or false positives. Typically, only threats to sensitive data trigger an alert, so teams can quickly investigate and remediate the issue.
Incident response is the final component of data detection and response. DDR’s automated response capabilities can take immediate action to contain data breaches. These actions can include isolating affected systems, suspending network traffic and blocking user permissions.
DDR can also generate in-depth incident reports to help teams understand the causes of data breaches so they can update security policies accordingly.
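The four components above (monitoring, detection against a baseline, prioritized alerting and automated response) fit together as one pipeline. The following is an added example, not IBM's or any vendor's code: it builds a per-user baseline from a constructed week of access logs, scores new events on three of the signals the text names (bulk transfer, off-hours access, access from a country the user has never used), multiplies by the sensitivity of the data touched so that only sensitive data produces alerts, and maps the result to a response action. Users, stores, timestamps, thresholds and the store labels are all assumptions.

```python
import statistics
from collections import defaultdict
from datetime import datetime

# Assumed classification of the stores in the log (would come from discovery).
STORE_LABELS = {"crm-db.customers": "restricted", "public-site/assets": "public"}
SENSITIVITY = {"public": 0, "internal": 1, "restricted": 2}
OFF_HOURS = (22, 6)   # assumed: 22:00 to 06:00 is outside normal working hours

# Constructed one-week baseline: (timestamp, user, store, bytes, country)
BASELINE = [
    ("2024-05-0%d 10:15" % d, "alice", "crm-db.customers", 2_000_000 + d * 100_000, "DE")
    for d in range(1, 8)
] + [
    ("2024-05-0%d 14:30" % d, "bob", "public-site/assets", 500_000, "US")
    for d in range(1, 8)
]

# Constructed events to evaluate against that baseline.
EVENTS = [
    ("2024-05-08 11:00", "alice", "crm-db.customers", 2_400_000, "DE"),   # routine access
    ("2024-05-08 02:10", "alice", "crm-db.customers", 48_000_000, "BR"),  # bulk, off-hours, new country
    ("2024-05-08 03:00", "bob", "public-site/assets", 9_000_000, "US"),   # odd, but public data
]


def build_baseline(log):
    """Per-user mean/stdev of bytes per access, plus the countries the user has used."""
    per_user = defaultdict(lambda: {"bytes": [], "countries": set()})
    for _, user, _, nbytes, country in log:
        per_user[user]["bytes"].append(nbytes)
        per_user[user]["countries"].add(country)
    return {
        user: {"mean": statistics.mean(v["bytes"]),
               "stdev": statistics.pstdev(v["bytes"]),
               "countries": v["countries"]}
        for user, v in per_user.items()
    }


def evaluate(event, baseline):
    """Score one access event: number of anomaly signals times sensitivity of the data."""
    ts, user, store, nbytes, country = event
    hour = datetime.strptime(ts, "%Y-%m-%d %H:%M").hour
    # an unseen user has no history, so every signal below fires for them
    b = baseline.get(user, {"mean": 0, "stdev": 0, "countries": set()})
    signals = []
    # 3-sigma plus a 5x-mean floor so a flat baseline (stdev 0) does not flag every small change
    if nbytes > b["mean"] + 3 * b["stdev"] and nbytes > 5 * b["mean"]:
        signals.append("bulk_transfer")
    if hour >= OFF_HOURS[0] or hour < OFF_HOURS[1]:
        signals.append("off_hours")
    if country not in b["countries"]:
        signals.append("new_country")
    sensitivity = SENSITIVITY[STORE_LABELS.get(store, "internal")]
    severity = len(signals) * sensitivity
    if severity >= 4:
        action = "block_user_and_alert"   # automated containment, then a human reviews
    elif severity >= 2:
        action = "alert"
    else:
        action = "log"                    # kept for audit; nobody is paged
    return {"user": user, "store": store, "signals": signals,
            "severity": severity, "action": action}


def triage(events, baseline):
    return [evaluate(e, baseline) for e in events]


if __name__ == "__main__":
    for verdict in triage(EVENTS, build_baseline(BASELINE)):
        print(verdict)
```

Note the third event: two signals fire for bob, but because the store is public the severity is zero and the event is only logged, which is the alert-prioritization behaviour the text describes. Whether that is the right trade-off depends on the organization; the point is that sensitivity is an explicit factor in the score rather than an afterthought.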
Data exfiltration is the unauthorized transfer of information from an organization’s internal systems. For example, an employee might attempt to download intellectual property or trade secrets before leaving the company for a competitor. Or a cybercriminal might steal personal data that can be used to commit credit card fraud.
DDR prevents exfiltration by monitoring and detecting suspicious data activity in real time. Its automated response functionality can block malicious data downloads before they happen and alert security teams to take further action.
Insider threats can be difficult to detect because they originate with an organization’s authorized users, such as employees, contractors and business partners. Sometimes, legitimate credentials can be stolen and used by cybercriminals.
The longer an insider threat goes undetected, the greater the damage that can be inflicted through stealing or manipulating data for malicious purposes.
DDR offers an advantage for detecting insider threats faster than traditional solutions. Instead of detecting data theft after it takes place, it can spot the early warning signs of insider threats. Through behavioral analytics and anomaly detection, DDR identifies suspicious behavior from authorized users, triggers security alerts and responds to threats before or as they happen.
Ransomware is malware that encrypts an organization’s sensitive data and holds it hostage until a ransom is paid. It is one of the most common forms of malicious software and can cost affected organizations millions of dollars. According to the Cost of a Data Breach Report, ransomware attacks cost organizations USD 4.91 million on average.
DDR can mitigate ransomware attacks by monitoring and identifying anomalies in data access and data activity in real time.
For example, it can detect the unexpected encryption of large volumes of information, which often signals a ransomware attack. DDR can then automatically isolate the affected system to contain the attack and alert security teams to take further action.
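"Unexpected encryption of large volumes of information" can be turned into a measurable signal. The following is an added example, not from IBM's page or any DDR product: it groups constructed file-write events by host, process and time window, and flags a window in which one process rewrites many files whose new content has near-maximal Shannon entropy (a property of encrypted or compressed output) or whose extensions have changed. A bulk but plaintext rewrite by a backup agent passes, so the example also shows why file count alone is not enough. Hosts, process names, paths, window size and thresholds are assumptions.

```python
import math
from collections import defaultdict

WINDOW_SECONDS = 60   # assumed aggregation window
MIN_FILES = 20        # assumed: fewer modifications than this is ordinary user activity
HIGH_ENTROPY = 7.0    # bits per byte; encrypted or compressed data sits near 8.0

# Constructed file-write events: (time_s, host, process, path, old_ext, new_ext, content)
PLAIN = b"Quarterly revenue summary for the EMEA region, draft for review. " * 4
RANDOM_LIKE = bytes(range(256))   # every byte value once: entropy is exactly 8 bits/byte
EVENTS = (
    # a backup agent rewriting 30 documents: bulk, but plaintext and same extension
    [(t, "fs-01", "backup-agent", f"/srv/finance/report_{t}.docx", "docx", "docx", PLAIN)
     for t in range(0, 30)]
    # an unknown process rewriting 25 documents as high-entropy .locked files
    + [(t, "fs-01", "unknown-proc", f"/srv/finance/report_{t - 30}.docx", "docx", "locked", RANDOM_LIKE)
       for t in range(30, 55)]
    # a user saving one file
    + [(100, "ws-07", "winword", "/home/dana/notes.docx", "docx", "docx", PLAIN)]
)


def shannon_entropy(data: bytes) -> float:
    """Bits per byte of the content; ciphertext is close to 8, English text around 4."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def detect(events):
    """Aggregate writes per (host, process, window) and flag encryption-like bursts."""
    groups = defaultdict(list)
    for ev in events:
        t, host, proc = ev[0], ev[1], ev[2]
        groups[(host, proc, t // WINDOW_SECONDS)].append(ev)
    verdicts = []
    for (host, proc, window), evs in groups.items():
        n = len(evs)
        ext_changed = sum(1 for e in evs if e[4] != e[5]) / n
        high_entropy = sum(1 for e in evs if shannon_entropy(e[6]) >= HIGH_ENTROPY) / n
        suspicious = n >= MIN_FILES and (high_entropy >= 0.8 or ext_changed >= 0.8)
        verdicts.append({
            "host": host, "process": proc, "window": window, "files": n,
            "ext_change_ratio": round(ext_changed, 2),
            "high_entropy_ratio": round(high_entropy, 2),
            "verdict": "suspected_ransomware" if suspicious else "normal",
            # containment first, then the alert goes to the security team
            "action": f"isolate_host:{host}" if suspicious else "none",
        })
    return verdicts


if __name__ == "__main__":
    for v in detect(EVENTS):
        print(v)
```

The entropy test is what separates the backup agent from the suspect process here; a real deployment would add the other indicators the text implies, such as the process being new to the host or the writes hitting shares across many users, before isolating a system automatically.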
Organizations are under pressure to comply with data protection regulations such as the Payment Card Industry Data Security Standard (PCI DSS) and the General Data Protection Regulation (GDPR). Noncompliance with these mandates can bring fines, sanctions and damage to brand reputation.
DDR helps organizations manage data compliance by continuously monitoring data, performing data audits and tracking access logs. This functionality helps organizations map their data protection capabilities to regulatory requirements. Any gaps in protection or possible violations can be quickly addressed and corrected.