Data Detection & Response (DDR): From Noise to Signal to Solution

An often-heard concern in cybersecurity is the amount of tools a single organization has to manage to protect its environment from malicious actors, both internal and external. The environments cybersecurity professionals need to secure have grown a lot more complex over the years, as we have adopted new architectural principles and hybrid and multi-cloud infrastructures in the race for a competitive edge. This has led to the emergence of many specialized security tools to specifically address this multitude of systems. According to Ponemon Institute’s Cyber Resilient Organization Report 2020, the average number of security solutions and technologies used by enterprises is 45, and people struggle to get the signal from the noise all these separate tools generate. 

Not only does this increase the toil on our security teams, as they are inundated with alarms from every angle and are left to figure out an appropriate response, but it is also highly ineffective, as according to the Ponemon Institute's 2023 Cost of a Data Breach Report, only one-third of companies discovered the data breach through their own security teams, highlighting a need for better threat detection. 67% of breaches were reported by a benign third party or by the attackers themselves. 

In the world of data security specifically, we see an ever-increasing number of data locations, across on-premises, SaaS applications, and multiple public clouds. Gaining visibility and understanding the security posture of all those different islands of data is becoming a superhuman problem, as each location's specific data security capabilities are being weighed against the productivity needs of the business and the eagerness of employees to move fast. 

To address this, Rubrik recently acquired Data Security Posture Management (DSPM) leader Laminar, which focuses on providing data security for a cloud-first world. The concept of DDR (Detection and Response) was recently introduced in the Laminar platform to help security and IT teams move past the noise, clearly see the signal, and respond immediately to data security threats. DDR, brings real-time monitoring, detection, and response to the field of DSPM.
 

Laminar’s DDR capabilities detect data breaches as they occur by identifying anomalous data access and suspicious behavior – alerting you on data exfiltration, unusual third-party access, insider threats, accidental data leaks, data misuse, and other threats, and allowing you to respond immediately to those threats. The response part can be automated, which is key in addressing the noise of potential incidents, so you can prevent the relevant incidents from turning into data breaches. This response can be in the Laminar platform itself, via native tools within cloud stores, or by automating mitigation workflows for your incident response tools, including via SOAR, SIEM, or ITSM platforms.

The solution in action.

Laminar Data Threat Alerts trigger a critical priority alert on the basis of suspicious activity in your environment. What is important to point out is that you did not have to tell Laminar what behavior to look out for, or what constitutes expected versus malicious activity. The system automatically determines this using behavioral analytics. 

The event timeline shows how the suspicious user has maneuvered themselves through your data estate, allowing you to easily validate the findings. 

If you are inclined to leverage existing tools and processes for remediation, you can (automatically) create a ticket in an external system, like Jira in the example below, so the appropriate action can be taken immediately. Alternatively, you can leverage Laminar itself to remove access for that user account (there are integrations with Okta and other IDPs). 

Furthermore, you can easily determine the potential blast radius of this threat by looking at the data access governance details of the user and additional context in terms of data accessible by this particular user, so you can take appropriate and necessary action.  Conversely, you can determine which users have access to sensitive data to proactively increase their security posture.

While DSPM empowers you to increase the security posture of your distributed data estate, DDR allows you to respond to real-time data threats with appropriate action immediately. The combination of both capabilities makes the Laminar solution a perfect companion, and indeed enabler on your multi-cloud data security journey.