Mitigate Infrastructure Vulnerabilities With Datadog Cloud Security Management | Datadog

Authors: Rajat Luthra, Max Gebhardt

Published: November 27, 2023

Cloud environments comprise hundreds of thousands of individual components, from infrastructure-level containers and hosts to access-level user and cloud accounts. With this level of complexity, continuous and end-to-end visibility into your environment is vital for detecting, prioritizing, and fixing vulnerabilities before attackers can take advantage of them.

That’s why we’re excited to announce Vulnerability Management in Datadog Cloud Security Management (CSM), which leverages infrastructure observability and security research insights to continuously scan your containers and hosts for vulnerabilities, so you can detect, prioritize, and manage vulnerabilities across your environment. It uses deep observability context and industry insights to help you remediate the vulnerabilities that matter most to you at a given point in time.

In this post, we’ll show you how CSM Vulnerability Management provides context-based prioritization of vulnerabilities, as well as capabilities that help you triage issues and improve your security posture.

Continually scan your container images and hosts for vulnerabilities

With the sizable number of containers and hosts running in a cloud environment, each operating with different libraries and versions of code, it can be challenging to continually track existing and new vulnerabilities. Identifying them is not enough to keep an environment safe—you also need insights into which vulnerabilities to prioritize. Without this visibility, your security and DevOps teams risk spending time fixing the less urgent issues and overlooking more serious ones.

CSM Vulnerability Management continually scans your container images and hosts for vulnerabilities, surfacing them in the same views that your security and infrastructure teams already use.

The CSM Vulnerability Explorer shows a complete list of vulnerabilities detected across your infrastructure, ordering them based on their severity and offering grouping, filtering, and triaging capabilities so you can investigate, assign, and remediate problems.

CSM Vulnerability Explorer

Get context-based prioritization for more effective remediation

CSM Vulnerability Management prioritizes vulnerabilities by using the Datadog Severity Score. This value factors in the vulnerability’s original severity and its exploitability, along with the usage and criticality of the underlying infrastructure it affects. The Datadog Severity Score is calculated using the Common Vulnerability Scoring System (CVSS). Here’s an example of the Datadog Severity Score breakdown.
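To make the idea of context-based prioritization concrete, here is an added example that is not Datadog's code and does not reproduce the Datadog Severity Score formula. It models the three factor families the paragraph names (CVSS base severity, exploitability, and the usage and criticality of the affected infrastructure) with hypothetical weights and constructed findings, so you can see how context reorders a list that would otherwise be sorted by CVSS alone:

```python
"""Context-based vulnerability prioritization, illustrated.

Added example only: the weights, tag names and the Finding model are
assumptions made for this illustration, not Datadog's Severity Score algorithm.
"""
from dataclasses import dataclass, field


@dataclass
class Finding:
    cve: str                 # vulnerability identifier (placeholder ids in the samples below)
    cvss_base: float         # CVSS base score, 0.0 to 10.0
    exploit_known: bool      # whether a public exploit or known exploitation exists
    host: str                # affected host or container image
    tags: list[str] = field(default_factory=list)   # infrastructure context tags


# Hypothetical context weights; tune these to your own environment.
CONTEXT_BONUS = {
    "env:production": 1.0,
    "exposure:internet": 1.5,
    "data:sensitive": 0.5,
}
EXPLOIT_BONUS = 2.0          # known exploitability raises urgency
IDLE_PENALTY = 3.0           # "usage:idle" means nothing is actually running the asset


def severity_score(f: Finding) -> float:
    """Adjust the CVSS base score with exploitability and infrastructure context.

    The result is clamped to the CVSS range so it stays comparable to base scores.
    """
    score = f.cvss_base
    if f.exploit_known:
        score += EXPLOIT_BONUS
    for tag in f.tags:
        score += CONTEXT_BONUS.get(tag, 0.0)
    if "usage:idle" in f.tags:
        score -= IDLE_PENALTY
    return round(max(0.0, min(10.0, score)), 1)


def prioritize(findings: list[Finding]) -> list[tuple[str, str, float]]:
    """Return (cve, host, score) tuples ordered from most to least urgent.

    Ties on the adjusted score fall back to the raw CVSS base score.
    """
    ranked = sorted(findings, key=lambda f: (severity_score(f), f.cvss_base), reverse=True)
    return [(f.cve, f.host, severity_score(f)) for f in ranked]


# Constructed sample findings; the CVE ids are placeholders, not real advisories.
SAMPLE = [
    Finding("CVE-0000-0001", 9.8, False, "build-runner-3", ["env:staging", "usage:idle"]),
    Finding("CVE-0000-0002", 7.5, True, "api-gateway-1", ["env:production", "exposure:internet"]),
    Finding("CVE-0000-0003", 8.1, False, "db-primary", ["env:production", "data:sensitive"]),
]

if __name__ == "__main__":
    for cve, host, score in prioritize(SAMPLE):
        print(f"{score:4.1f}  {cve}  {host}")
```

Sorted by CVSS alone, the idle staging build runner (9.8) would top the list; once exploitability and context are applied, the internet-facing production gateway with a known exploit moves to the top and the idle asset drops to the bottom, which is the reordering the paragraph describes.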

Datadog Severity breakdown

You can select a particular vulnerability for more details, such as a description of the issue, its severity score, remediation steps, and a list of all affected infrastructure. CSM Vulnerability Management also provides recommended steps for resolving the issue.

You can also view vulnerabilities in your container images on the Container Images page, which shows you the number of vulnerabilities that exist in each container image. Additionally, you can sort any container image by source, image tag, repo digest, and more, as well as view more details by clicking on an image and reviewing the Vulnerabilities tab.

Container Images view

CSM Vulnerabilities Explorer also offers triaging options for managing detected vulnerabilities. You can assign vulnerabilities to individual owners for remediation and tracking, and use the “Status” facet to sort issues based on where they are in the remediation process.

Vulnerabilities list with varying statuses

In addition, you can use the “Teams” grouping to view vulnerabilities by team.

Vulnerabilities list with team selector

Because Datadog CSM is deeply integrated with the rest of the Datadog platform, you can quickly pivot between the Security view and the Infrastructure view. Key information like infrastructure tags and ownership metadata is automatically included, without the need to export and import sensitive data. This gives your DevOps and Security teams seamless, end-to-end visibility into infrastructure vulnerabilities as they work from the same information.

Secure your environment with Datadog Cloud Security Management

Datadog CSM Vulnerability Management is now generally available—check out our documentation to get started, or head to the Vulnerabilities Explorer. You can also check out the CSM documentation for more information about getting started with Datadog Cloud Security Management. If you don’t already have a Datadog account, you can sign up for a 14-day trial today.