Block Attackers in Your Apps and APIs With Datadog Application Security Management | Datadog

Block attackers in your apps and APIs with Datadog Application Security Management

Author: Thomas Sobolik, Technical Content Writer

Last updated: February 15, 2023

Securing modern-day production systems is complex and requires a variety of measures—from secure coding practices and security testing to network protection and vulnerability scanning. Scaling these solutions to keep pace with the speed of development teams can be difficult, resulting in sprawling workflows and disparate sets of tooling. Datadog Application Security Management helps DevOps and security teams centralize and streamline application security, leveraging Datadog’s distributed tracing to track suspicious requests, visualize the full scope of an attack, and show which parts of the code are being targeted.

We’re pleased to announce that this year, Datadog will expand the functionality of ASM with ASM Protect, a new set of capabilities empowering teams to take direct action against attackers—supplementing ASM’s risk management and threat detection. With ASM Protect’s public beta release, you can now block suspicious IP addresses with high confidence directly in Datadog, so you can track, triage, and block potential threats, and then investigate and remediate them, all in a single, unified platform.

In this post, we’ll show you how to use ASM Protect to block attackers in order to thwart or contain a breach, and how to use code-level context to avoid blocking legitimate users.

Block attackers to thwart or contain a breach

ASM’s Security Signals provide detailed, actionable data about ongoing attacks against your application. ASM generates these signals automatically by evaluating your application’s behavior against the platform’s built-in detection rules, which use known patterns of attacker behavior alongside distributed traces and error logs to identify malicious activity in your environment with high accuracy. The combination of security context with distributed trace data—such as the attack type, the flow of affected services, and user metadata (ID, location, etc.)—allows you to accurately track the origin IP addresses of suspicious requests.

ASM Protect now enables you to immediately block any or all of the IPs associated with a signal directly within the Datadog UI—for any duration from one hour to an indefinite block. This IP blocking can slow down attackers, buying your AppSec engineers time to investigate the suspicious requests. It can also help limit the scope of an attempted breach before the impact becomes more widespread.

For example, let’s say your application is targeted by a SQL injection attack. In the screenshot below, we see a Security Signal indicating that multiple SQL injection attempts have triggered a high volume of errors.

ASM signal sidepanel showing attacking IPs

From the signal sidepanel, we can see all 10 IP addresses from which the malicious requests originated. With ASM Protect, you can permanently block or temporarily snooze access for any or all of these IP addresses directly from the sidepanel using the button labeled “Block All Attacker IPs.” With the attackers’ access to your application revoked, your team now has time to limit the attack’s spread and determine what remediating actions to take.

In addition to tracking and blocking malicious requests via ASM’s Security Signals, you can also use the Security View in the APM Service Catalog to monitor for suspicious activity and potential vulnerabilities in your services. In the example below, we can observe a service called auth-dotnet in the Service Catalog, which has received a high volume of suspicious requests labeled as Log4Shell remote code execution (RCE) attempts.

View attacks and track attacker IPs from the Service Catalog

The Service Catalog surfaces the request IPs in the service’s sidepanel, and we can easily pivot directly from this view to ASM to filter request traces by any of the IPs we’re concerned about. We can examine the traces further to learn more about this attacker’s activity—and in the meantime, we can nip this attempted exploit in the bud by quickly blocking the suspicious IP from making any further requests.

Get code-level context to avoid false-positive blocking

ASM helps you better understand the attack and its scope by drilling into detailed traces for each of the requests associated with this signal and visualizing the full attack flow to see how the malicious requests are propagating across your services. This added context gives incident responders the insight they need to confidently block IPs that pose a legitimate threat to your application. Following the SQL injection attack in our previous example, we can drill into traces for the suspected attackers’ requests to investigate the threat.

View forensics from attackers' requests within distributed traces.

As we can see in the screenshot above, the traces surface key information such as the user attribution, request headers, and related logs, so investigators can quickly determine whether malicious users were authenticated, view the content of their requests, and understand how the application responded. By providing actionable insights along with the ability to block the malicious actors, ASM enables you to quickly secure your application with high accuracy and confidence—without context-switching between platforms.

Of course, you may discover that what appeared to be attackers searching for new exploits in your application is in fact a benign security scanner, or legitimate users making malformed or unintentional requests. The ASM Denylist page provides an easy way to manage all currently blocked IP addresses from a consolidated view. The Denylist shows each blocked IP’s request history and lets you immediately unblock a user you’ve determined to be benign—or extend the blocking period for a confirmed attacker.
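As an added illustration of the workflow described in this section and the previous one (a signal lists attacker IPs, “Block All Attacker IPs” adds them to a denylist for a chosen duration, and investigation later leads to an unblock or an extension), here is a small Python model of that logic. It is example code written for this post, not Datadog’s ASM implementation or API: the Request, Signal and Denylist names, the one-hour minimum block, the server-error threshold for raising a signal, and the sample traffic are all assumptions constructed for the example.

```python
# Added example: a model of signal-driven IP blocking with a denylist that
# supports timed blocks, indefinite blocks, extension and unblocking.
# Illustrative only; not Datadog's ASM code or API. All names, thresholds and
# sample data are assumptions constructed for this example.
from __future__ import annotations

from collections import defaultdict
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from typing import Optional

MIN_BLOCK = timedelta(hours=1)  # assumed floor, matching the post's "an hour"


@dataclass(frozen=True)
class Request:
    """One traced request, already tagged by an upstream detection rule."""
    ip: str
    path: str
    status: int
    attack_type: Optional[str] = None  # e.g. "sqli"; None for untagged traffic


@dataclass
class Signal:
    attack_type: str
    attacker_ips: set[str]
    error_count: int


def build_signals(requests: list[Request], min_errors: int = 5) -> list[Signal]:
    """Raise one signal per attack type whose tagged requests caused at least
    `min_errors` server errors (5xx), listing every source IP involved."""
    errors: dict[str, int] = defaultdict(int)
    ips: dict[str, set[str]] = defaultdict(set)
    for r in requests:
        if r.attack_type is None:
            continue
        ips[r.attack_type].add(r.ip)
        if r.status >= 500:
            errors[r.attack_type] += 1
    return [Signal(t, ips[t], errors[t]) for t in sorted(ips) if errors[t] >= min_errors]


@dataclass
class Denylist:
    """Blocked IPs mapped to an expiry time; None means blocked indefinitely."""
    entries: dict[str, Optional[datetime]] = field(default_factory=dict)

    def block(self, ip: str, now: datetime, duration: Optional[timedelta] = None) -> None:
        if duration is not None and duration < MIN_BLOCK:
            raise ValueError("blocks shorter than one hour are not allowed")
        self.entries[ip] = None if duration is None else now + duration

    def block_signal(self, signal: Signal, now: datetime,
                     duration: Optional[timedelta] = None) -> int:
        """'Block All Attacker IPs': block every IP on the signal; returns how many."""
        for ip in signal.attacker_ips:
            self.block(ip, now, duration)
        return len(signal.attacker_ips)

    def unblock(self, ip: str) -> bool:
        """Release an IP found to be benign (e.g. an in-house scanner)."""
        if ip in self.entries:
            del self.entries[ip]
            return True
        return False

    def extend(self, ip: str, now: datetime, duration: Optional[timedelta]) -> None:
        """Extend an existing block from its current expiry; None makes it indefinite."""
        current = self.entries[ip]  # KeyError if the IP is not blocked
        if current is None or duration is None:
            self.entries[ip] = None
        else:
            self.entries[ip] = max(current, now) + duration

    def is_blocked(self, ip: str, now: datetime) -> bool:
        if ip not in self.entries:
            return False
        expiry = self.entries[ip]
        if expiry is not None and expiry <= now:
            del self.entries[ip]  # lazily drop blocks that have expired
            return False
        return True


def filter_requests(denylist: Denylist, requests: list[Request],
                    now: datetime) -> tuple[list[Request], list[Request]]:
    """Split traffic into (allowed, dropped) according to the denylist."""
    allowed: list[Request] = []
    dropped: list[Request] = []
    for r in requests:
        (dropped if denylist.is_blocked(r.ip, now) else allowed).append(r)
    return allowed, dropped


NOW = datetime(2023, 2, 15, 12, 0, tzinfo=timezone.utc)  # constructed timestamp

SAMPLE_REQUESTS = [  # constructed traffic using RFC 5737 documentation addresses
    Request("198.51.100.10", "/login", 500, "sqli"),
    Request("198.51.100.10", "/login", 500, "sqli"),
    Request("198.51.100.11", "/search", 500, "sqli"),
    Request("198.51.100.11", "/search", 500, "sqli"),
    Request("203.0.113.7", "/search", 500, "sqli"),  # later found to be a benign scanner
    Request("203.0.113.7", "/search", 200, "sqli"),
    Request("192.0.2.20", "/health", 200),
    Request("192.0.2.21", "/api/items", 404, "lfi"),  # one tagged request, no errors: no signal
]


def demo() -> dict:
    """Walk the workflow: signal -> block all (one hour) -> investigate -> unblock/extend."""
    signals = build_signals(SAMPLE_REQUESTS)
    denylist = Denylist()
    for s in signals:
        denylist.block_signal(s, NOW, duration=timedelta(hours=1))
    denylist.unblock("203.0.113.7")                 # investigation: benign scanner
    denylist.extend("198.51.100.10", NOW, None)     # confirmed attacker: block indefinitely
    later = NOW + timedelta(hours=2)
    blocked_now = sorted(ip for ip in list(denylist.entries) if denylist.is_blocked(ip, NOW))
    blocked_later = sorted(ip for ip in list(denylist.entries) if denylist.is_blocked(ip, later))
    _, dropped = filter_requests(denylist, SAMPLE_REQUESTS, later)
    return {
        "signals": [(s.attack_type, sorted(s.attacker_ips), s.error_count) for s in signals],
        "blocked_now": blocked_now,
        "blocked_later": blocked_later,
        "dropped_later": len(dropped),
    }


if __name__ == "__main__":
    print(demo())
```

In this model the one-hour snooze on 198.51.100.11 lapses on its own, the indefinite block on 198.51.100.10 keeps dropping its requests two hours later, and the scanner released during investigation is never blocked again; the expired entry is pruned lazily on the next lookup rather than by a background job.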

Manage all your blocked IPs from the Denylist

With the ability to quickly identify suspicious requests, drill into traces and other code-level insights to investigate, and revoke the requesters’ access on demand, ASM enables your teams to stop attackers from accessing your application before they’re able to exploit a critical vulnerability.

Move beyond detection to fight threats

ASM Protect empowers your team members to not only detect and triage threats but also to take immediate action to mitigate attackers’ access to your systems. ASM is built on top of Datadog’s best-of-breed APM platform, so your teams can correlate threat intelligence with robust distributed traces and code-level security insights. Now, using ASM Protect, you can take swift action against potential attackers with a high degree of confidence that the IPs you’re blocking are actual attackers, which reduces the risk that you might damage customer relationships or lose revenue by blocking legitimate users.

ASM Protect is currently available in a public beta, at no additional cost to existing ASM customers. To allow ASM to take action in your services, you must first enable remote configuration. For more information about ASM, see our documentation. Or, if you’re brand new to Datadog, sign up to get started.