The Monitor

Mitigate identity risks and infrastructure vulnerabilities with Datadog Cloud Security

Rajat Luthra

Deep Desai

Mallory Mooney

Cloud environments comprise hundreds of thousands of individual components, from infrastructure-level containers and hosts to access-level user and cloud accounts. With this level of complexity, it's important to establish and maintain end-to-end visibility into your environment for many reasons—not least among them to efficiently identify, prioritize, and mitigate security threats.

Datadog Cloud Security offers comprehensive visibility, real-time threat detection, and continuous configuration audits across your entire cloud infrastructure. With Datadog Cloud Security's unified platform, your security and DevOps teams have shared context for quickly identifying and resolving security risks. Equipped with observability telemetry alongside security data, teams have access to rich contextual information that gives the full picture of the impact of a threat by tracing its end-to-end attack flow and identifying the owner of the resource where the threat was triggered.

We're excited to announce two new capabilities within Cloud Security: Cloud Security Identity Risks and Cloud Security Vulnerabilities. Cloud Security Identity Risks enables you to identify and address identity risks in your IAM configurations before a threat actor can exploit them. Cloud Security Vulnerabilities leverages infrastructure observability and security research insights to continuously scan your containers and hosts for vulnerabilities, providing context-based insights into which threats need to be prioritized.

In this post, we'll show you how to use these capabilities to secure your infrastructure from IAM-based attacks and to protect your environment from infrastructure vulnerabilities.

Secure your infrastructure from IAM-based attacks

Identity and access management (IAM) systems are necessary for authenticating and authorizing access to your environment. However, their mismanagement is one of the leading causes of breaches and insider threats today. Engineering teams must rapidly provision identities and permissions to keep pace with infrastructure growth—consequently, the ratio of non-human or machine identities to every human identity also increases at a substantial rate. This complexity makes it difficult to keep IAM configurations up to date and protect your environment against IAM-based attacks.

Leverage identity best practices and security research recommendations

Cloud Security Identity Risks enables you to efficiently identify and address identity risks, such as permission gaps and administrative privileges, and reduce their impact radius. It accomplishes this by leveraging your environment's current IAM configuration and resource usage—along with the latest industry best practices and attack vectors—to automatically detect and prioritize identity risks, including the following:

  • IAM user or role has a large permissions gap, administrative privileges, or access to a large number of resources
  • IAM role with administrative privileges has a cross-account trust relationship
  • IAM group has access to a large number of resources

Datadog's internal security team routinely updates the list of identity risks that Cloud Security Identity Risks detects so that our users can remain proactive in their defenses as new identity-based risks are identified.

Prioritize work based on identity risks or at-risk resources

Using Cloud Security Identity Risks, you can methodically review individual at-risk resources and their associated identity risks. Or, you can address one identity risk at a time by grouping all resources (e.g., users, roles, groups, policies) that carry that risk, as seen in the following screenshot.

List of Identity Risks in Datadog Cloud Security

Get better insights to efficiently mitigate every identity risk

For every identified risk, Cloud Security Identity Risks provides a detailed description of the issue and suggested remediation steps. In the following screenshot, Cloud Security Identity Risks has identified several IAM roles with unused permissions, which a threat actor can leverage to gain access to your services and resources.

Detailed view of an Identity Risk in Datadog Cloud Security

Cloud Security Identity Risks also provides advanced insights for each identified risk, providing you with additional context for understanding its scope. For example, the following screenshot shows a list of all provisioned permissions for an IAM role that Cloud Security Identity Risks has identified as unused.

Detailed view of an Identity Risk in Datadog Cloud Security

In this example, you can see that several permissions have not been used in the last 15 days. In these cases, you may want to remove the permissions that are no longer necessary for that role. Roles should be assigned permissions based on the principle of least privilege, which recommends granting only the set of permissions that are needed to accomplish a specific task. If you find that a role doesn't need a particular permission, you can navigate directly to your AWS console from this view by clicking the "Fix in AWS" button and following the suggested remediation steps.
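As an added example (not Datadog's code or detection logic), the following Python checks one IAM role for the risks listed earlier: a permissions gap (granted actions not used within the 15-day window), administrative privileges, and an administrative role with a cross-account trust relationship. The role data, account IDs, and action names are constructed, and the two rules it applies (an action unused for more than 15 days is part of the gap; a full wildcard grant counts as administrative) are assumptions for illustration.

```python
"""Check an IAM role for the identity risks listed above: a permission gap,
administrative privileges, and an admin role trusting another account.
Constructed sample data; this is not Datadog's detection logic."""

ADMIN_ACTIONS = {"*", "*:*"}      # full wildcard grants count as administrative (assumption)
OWN_ACCOUNT = "111111111111"      # hypothetical account that owns the role

def unused_permissions(granted, days_since_use, window_days=15):
    """Granted actions not exercised within window_days; never-used actions count too."""
    return sorted(a for a in granted
                  if days_since_use.get(a, window_days + 1) > window_days)

def foreign_principals(trust_policy, own_account=OWN_ACCOUNT):
    """AWS principals in Allow statements of the trust policy that live outside own_account."""
    found = []
    for stmt in trust_policy.get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue
        aws = stmt.get("Principal", {}).get("AWS", [])
        for p in ([aws] if isinstance(aws, str) else aws):
            parts = p.split(":")   # arn:partition:iam::<account-id>:<resource>
            if p == "*" or (len(parts) >= 5 and parts[4] != own_account):
                found.append(p)
    return found

def assess_role(role, own_account=OWN_ACCOUNT):
    """Return the identity-risk findings for one role as a dict."""
    granted = role["granted"]
    admin = any(a in ADMIN_ACTIONS for a in granted)
    foreign = foreign_principals(role["trust_policy"], own_account)
    return {
        "unused": unused_permissions(granted, role["days_since_use"]),
        "admin": admin,
        "foreign_principals": foreign,
        "admin_cross_account": admin and bool(foreign),   # the combined risk from the list above
    }

# Constructed sample: a deploy role that picked up a wildcard grant and a foreign trust.
SAMPLE_ROLE = {
    "granted": ["s3:GetObject", "s3:PutObject", "iam:PassRole", "*"],
    "days_since_use": {"s3:GetObject": 2, "s3:PutObject": 40},
    "trust_policy": {"Statement": [{"Effect": "Allow", "Action": "sts:AssumeRole",
                     "Principal": {"AWS": "arn:aws:iam::222222222222:root"}}]},
}
```

Feeding real data in means mapping your IAM policy documents onto the `granted` list and a last-accessed source onto `days_since_use`; the `unused` list is the set of permissions to consider removing under least privilege.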

Protect your environment from infrastructure vulnerabilities

With the sizable number of containers and hosts running in a cloud environment, each operating with varying libraries and versions of code, it can be challenging to continually keep track of existing and new vulnerabilities. Identifying them is not enough to keep an environment safe—you also need insights into which vulnerabilities to prioritize. Without this visibility, your security and DevOps teams risk spending time fixing the less urgent issues and overlooking more serious ones.

Continually scan your container images and hosts for vulnerabilities

Cloud Security Vulnerabilities continually scans your container images and hosts for vulnerabilities, surfacing them in the same views that your teams already use. For example, they can use the Container Images view to see a list of all container images and their vulnerabilities that Datadog has identified, as shown below.

List of container vulnerabilities

Container image and host vulnerabilities are also surfaced in the Cloud Security Vulnerabilities view, enabling your teams to quickly pivot from a particular resource to a list of all associated vulnerabilities.

Get context-based prioritization for easier remediation

Cloud Security Vulnerabilities prioritizes vulnerabilities by using the Datadog Severity Score. This value factors in information like the vulnerability's original Common Vulnerability Scoring System (CVSS) score and its exploitability, along with the usage or business criticality of your underlying infrastructure.

You can select a particular vulnerability for more details, such as a description of the issue, its severity score, recommended remediation steps, and a list of all affected container images.

Cloud Security Vulnerabilities detailed view

Because Datadog Cloud Security is deeply integrated with the rest of the Datadog platform, you can quickly pivot back to the Container Images view for more details about all of the container images that are affected by a particular vulnerability. Key information like infrastructure tags and ownership metadata are automatically included, without the need for importing additional—potentially sensitive—data. This provides your DevOps and security teams with seamless end-to-end visibility into infrastructure vulnerabilities.
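As an added example of the context-based prioritization described above (not Datadog's code, and not the Datadog Severity Score formula, which the post does not publish), the following Python ranks constructed vulnerabilities by combining the CVSS base score with exploitability and with the tags and ownership of the affected container images. The images, tags, team names, and CVE IDs are constructed placeholders, and the weights are assumptions chosen only to show that a lower-CVSS finding on an exploitable, internet-facing production image can outrank a higher-CVSS finding on a staging image.

```python
"""Rank constructed container-image vulnerabilities by deployment context,
not by CVSS alone. The scoring rule is illustrative and is not the Datadog
Severity Score; images, tags, and CVE ids are constructed placeholders."""

# Constructed inventory: image -> infrastructure tags and ownership metadata
IMAGES = {
    "registry/api:1.4": {"env": "prod", "internet_facing": True, "team": "payments"},
    "registry/batch:0.9": {"env": "staging", "internet_facing": False, "team": "data"},
}

# Constructed findings; the CVE ids are placeholders, not real identifiers
VULNS = [
    {"id": "CVE-XXXX-0001", "cvss": 9.8, "exploit_available": False,
     "images": ["registry/batch:0.9"]},
    {"id": "CVE-XXXX-0002", "cvss": 7.5, "exploit_available": True,
     "images": ["registry/api:1.4"]},
    {"id": "CVE-XXXX-0003", "cvss": 7.5, "exploit_available": True,
     "images": ["registry/batch:0.9"]},
]

def context_bump(tags):
    """Extra weight for where the image runs (hypothetical weights)."""
    bump = 0.0
    if tags.get("env") == "prod":
        bump += 2.0
    if tags.get("internet_facing"):
        bump += 1.0
    return bump

def priority_score(vuln, images=IMAGES):
    """CVSS base, plus exploitability, plus the worst context of any affected image."""
    score = vuln["cvss"]
    if vuln["exploit_available"]:
        score += 2.0
    score += max(context_bump(images[i]) for i in vuln["images"])
    return score

def rank(vulns=VULNS, images=IMAGES):
    """Return (id, score, owning teams) ordered from most to least urgent."""
    rows = []
    for v in vulns:
        owners = sorted({images[i]["team"] for i in v["images"]})
        rows.append((v["id"], priority_score(v, images), owners))
    return sorted(rows, key=lambda r: r[1], reverse=True)
```

The owning team travels with each row, which is the ownership pivot the post describes: the ranked list already says who should fix what first.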

Secure your environment with Datadog Cloud Security

Cloud Security Identity Risks and Cloud Security Vulnerabilities are now available; check out their documentation to get started, and see the Cloud Security documentation for more information about getting started with Datadog Cloud Security as a whole. If you don't already have a Datadog account, you can sign up today.
