What is data detection and response (DDR)?

Unlike other data loss prevention (DLP) tools that monitor network infrastructure and endpoints for signs of suspicious activity, DDR tools focus on the data itself, tracking data movement and activity.

Designed as a proactive approach to cloud security, DDR detects cyberthreats to data that is at rest or in motion in real time. It also automates the response to cyberattacks so that data breaches, ransomware attacks and other attempted exfiltrations can be contained as they happen.

DDR solutions are important because they help address the vulnerabilities of cloud data distributed across multiple platforms, applications, data stores and software as a service (SaaS) environments.

The open and interconnected nature of cloud computing can place sensitive information such as customer data, personally identifiable information (PII) and financial data at risk.

The IBM Cost of a Data Breach Report found that 40% of data breaches involve data stored across multiple environments. Data stolen from public clouds incurred the highest average breach cost at USD 5.17 million.

With data privacy regulations expanding and global data breach costs at an all-time high, effective cloud data security strategies are a business imperative.

Security solutions such as endpoint detection and response (EDR), extended detection and response (XDR) and firewalls protect against data threats at the network and device levels. However, because network perimeters are often porous in cloud-connected networks, these security measures provide limited protection when data travels or exists simultaneously across multiple systems.

In contrast, DDR operates beyond network perimeters. It monitors and protects the data itself regardless of location.

Using data discovery and data classification, DDR pinpoints the location of sensitive data. DDR then tracks the data's movement and usage across multicloud environments.

Advanced analytics and anomaly detection capabilities enable DDR tools to identify malicious data activity or user behavior. For example, unauthorized access, massive downloads of information, late-night data transfers or an IP address from an unusual location might signal a cyberattack.

DDR is typically deployed as one part of a data security posture management (DSPM) system. DSPM provides a centralized view of potential threats across an organization’s cloud environments. DDR provides real-time data protection to detect and respond to those threats.

Organizations might also integrate DDR with other security tools such as cloud security posture management (CSPM); security orchestration, automation and response (SOAR); security information and event management (SIEM) and risk management solutions.

There are four primary components to a data detection and response solution:

Data exfiltration is the unauthorized transfer of information from an organization’s internal systems. For example, an employee might attempt to download intellectual property or trade secrets before leaving the company for a competitor. Or a cybercriminal might steal personal data that can be used to commit credit card fraud.

DDR prevents exfiltration by monitoring and detecting suspicious data activity in real time. Its automated response functionality can block malicious data downloads before they happen and alert security teams to take further action.

Insider threats can be difficult to detect because they originate with an organization’s authorized users, such as employees, contractors and business partners. Sometimes, legitimate credentials can be stolen and used by cybercriminals.

The longer an insider threat goes undetected, the greater the damage that can be inflicted through stealing or manipulating data for malicious purposes.

DDR offers an advantage for detecting insider threats faster than traditional solutions. Instead of detecting data theft after it takes place, it can spot the early warning signs of insider threats. Through behavioral analytics and anomaly detection, DDR identifies suspicious behavior from authorized users, triggers security alerts and responds to threats before or as they happen.

Ransomware is malware that encrypts an organization’s sensitive data and holds it hostage until a ransom is paid. It is one of the most common forms of malicious software and can cost affected organizations millions of dollars. According to the Cost of a Data Breach Report, ransomware attacks cost organizations USD 4.91 million on average.

DDR can mitigate ransomware attacks by monitoring and identifying anomalies in data access and data activity in real time.

For example, it can detect the unexpected encryption of large volumes of information, which often signals a ransomware attack. DDR can then automatically isolate the affected system to contain the attack and alert security teams to take further action.

Organizations are under pressure to comply with data protection regulations such as the Payment Card Industry Data Security Standard (PCI-DSS) and the General Data Protection Regulation (GDPR). Noncompliance with these mandates can bring fines, sanctions and damage to brand reputation.

DDR helps organizations manage data compliance by continuously monitoring data, performing data audits and tracking access logs. This functionality helps organizations map their data protection capabilities to regulatory requirements. Any gaps in protection or possible violations can be quickly addressed and corrected.