Cloud environments comprise hundreds of thousands of individual components, from infrastructure-level containers and hosts to access-level user and cloud accounts. With this level of complexity, it’s important to establish and maintain end-to-end visibility into your environment for many reasons—not least among them to efficiently identify, prioritize, and mitigate security threats.
Datadog Cloud Security Management (CSM) offers comprehensive visibility, real-time threat detection, and continuous configuration audits across your entire cloud infrastructure. With Datadog CSM’s unified platform, your security and DevOps teams have shared context for quickly identifying and resolving security risks. Because observability telemetry sits alongside security data, teams get the context they need to see the full impact of a threat: they can trace its end-to-end attack flow and identify the owner of the resource where the threat was triggered.
We’re excited to announce the public beta of two new cloud security capabilities within CSM: Datadog Cloud Infrastructure Entitlement Management (CIEM) and CSM Vulnerability Management. Datadog CIEM enables you to identify and address identity risks in your IAM configurations before a threat actor can exploit them. CSM Vulnerability Management leverages infrastructure observability and security research insights to continuously scan your containers and hosts for vulnerabilities, providing context-based insights into which threats need to be prioritized.
In this post, we’ll show you how:
- Datadog CIEM enables you to secure your infrastructure from IAM-based attacks
- CSM Vulnerability Management detects and helps you address infrastructure vulnerabilities
Identity and access management (IAM) systems authenticate and authorize access to your environment, but their mismanagement is one of the leading causes of breaches and insider threats today. Engineering teams must provision identities and permissions rapidly to keep pace with infrastructure growth, and the number of non-human (machine) identities per human identity grows with it. Over-broad and stale permissions accumulate along the way, which makes it difficult to keep IAM configurations current and to protect your environment against IAM-based attacks.
Datadog CIEM enables you to efficiently identify and address identity risks, such as permissions gaps (permissions that are granted but never used) and administrative privileges, and reduce the blast radius of a compromised identity. It accomplishes this by leveraging your environment’s current IAM configuration and resource usage, along with the latest industry best practices and attack vectors, to automatically detect and prioritize identity risks, including the following:
- IAM user or role has a large permissions gap, administrative privileges, or access to a large number of resources
- IAM role with administrative privileges has a cross-account trust relationship (a principal in another AWS account can assume it)
- IAM group has access to a large number of resources
Datadog’s internal security team routinely updates the list of identity risks that Datadog CIEM detects so that our users can remain proactive in their defenses as new identity-based risks are identified.
Using Datadog CIEM, you can methodically review individual at-risk resources and their associated identity risks. Or, you can address one identity risk at a time by grouping all resources (e.g., users, roles, groups, policies) that carry that risk, as seen in the following screenshot.
For every identified risk, Datadog CIEM provides a detailed description of the issue and suggested remediation steps. In the following screenshot, Datadog CIEM has identified several IAM roles with unused permissions. The workload does not need these permissions, but if the role’s credentials are ever compromised, a threat actor can use them to reach services and resources the role should never have been able to touch.
Datadog CIEM also provides advanced insights for each identified risk, giving you additional context for understanding its scope. For example, the following screenshot lists all provisioned permissions for an IAM role that Datadog CIEM has flagged for unused permissions.
In this example, you can see that several permissions have not been used in the last 15 days. In these cases, you may want to remove the permissions that are no longer necessary for that role. Roles should be assigned permissions based on the principle of least privilege, which recommends granting only the set of permissions that are needed to accomplish a specific task. Before removing a permission, confirm that it is not required by something that simply did not run inside the window, such as a monthly batch job or a disaster-recovery runbook; a 15-day window of usage data cannot distinguish “never needed” from “not needed recently.” If you find that a role doesn’t need a particular permission, you can navigate directly to your AWS console from this view by clicking the “Fix in AWS” button and following the suggested remediation steps.
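The following is an added example, not Datadog’s code or the CIEM detection logic. It implements the three role-level checks described above (administrative privileges, a cross-account trust relationship, and a permissions gap against a 15-day usage window) over constructed IAM role records and produces a tightened policy with the unused actions removed. The `LastUsed` map stands in for IAM last-accessed data; in a real account you would populate it from IAM Access Advisor (`generate-service-last-accessed-details`), which only reports action-level detail for some services. The role names, account IDs, and timestamps are all invented.

```python
"""Added example, not Datadog's code: run the identity-risk checks described
above (administrative privileges, cross-account trust, permissions gap) on
constructed IAM role data and produce a tightened, least-privilege policy."""
from datetime import datetime, timedelta, timezone
import re

WINDOW_DAYS = 15  # the unused-permission window shown in the screenshot above
NOW = datetime(2023, 8, 15, tzinfo=timezone.utc)  # fixed clock so results are reproducible
_ACCOUNT_RE = re.compile(r"^(?:arn:aws:iam::)?(\d{12})(?::.*)?$")  # root/user/role ARN or bare account ID

def _as_list(value):
    """IAM policy fields may be a string or a list; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]

def has_admin_privileges(policy_doc):
    """True if an unconditional Allow statement grants every action on every resource."""
    for stmt in _as_list(policy_doc.get("Statement")):
        if stmt.get("Effect") != "Allow" or "Condition" in stmt:
            continue
        wildcard_action = any(a in ("*", "*:*") for a in _as_list(stmt.get("Action")))
        if wildcard_action and "*" in _as_list(stmt.get("Resource")):
            return True
    return False

def cross_account_principals(trust_doc, own_account_id):
    """AWS principals allowed to assume the role that live outside own_account_id ('*' = anyone)."""
    found = []
    for stmt in _as_list(trust_doc.get("Statement")):
        if stmt.get("Effect") != "Allow" or "sts:AssumeRole" not in _as_list(stmt.get("Action")):
            continue
        principal = stmt.get("Principal", {})
        aws_principals = ["*"] if principal == "*" else _as_list(principal.get("AWS"))
        for p in aws_principals:
            m = _ACCOUNT_RE.match(p)
            if p == "*" or (m and m.group(1) != own_account_id):
                found.append(p)
    return found

def permissions_gap(policy_doc, last_used, now=NOW, window_days=WINDOW_DAYS):
    """Granted actions not used inside the window; never-used actions count as unused.
    Wildcards such as "*" are reported as-is: they must be replaced with explicit actions."""
    cutoff = now - timedelta(days=window_days)
    granted = set()
    for stmt in _as_list(policy_doc.get("Statement")):
        if stmt.get("Effect") == "Allow":
            granted.update(_as_list(stmt.get("Action")))
    return sorted(a for a in granted if last_used.get(a) is None or last_used[a] < cutoff)

def tightened_policy(policy_doc, unused):
    """Copy of the policy with the unused actions removed; Allow statements left empty are dropped."""
    drop = set(unused)
    statements = []
    for stmt in _as_list(policy_doc.get("Statement")):
        if stmt.get("Effect") != "Allow":
            statements.append(dict(stmt))  # Deny statements are kept untouched
            continue
        keep = [a for a in _as_list(stmt.get("Action")) if a not in drop]
        if keep:
            statements.append({**stmt, "Action": keep})
    return {"Version": policy_doc.get("Version", "2012-10-17"), "Statement": statements}

def assess_role(role, now=NOW):
    """Run all three checks on one role record and return the findings."""
    policy = role["PolicyDocument"]
    unused = permissions_gap(policy, role["LastUsed"], now)
    return {
        "role": role["RoleName"],
        "admin": has_admin_privileges(policy),
        "cross_account_trust": cross_account_principals(role["AssumeRolePolicyDocument"], role["AccountId"]),
        "unused_actions": unused,
        "tightened_policy": tightened_policy(policy, unused),
    }

# Constructed sample roles (invented names, account IDs and timestamps). "LastUsed" stands in
# for IAM last-accessed data; None means the action has never been used.
ADMIN_ROLE = {
    "RoleName": "ops-admin", "AccountId": "111111111111",
    "AssumeRolePolicyDocument": {"Version": "2012-10-17", "Statement": [
        {"Effect": "Allow", "Principal": {"AWS": "arn:aws:iam::222222222222:root"},
         "Action": "sts:AssumeRole"}]},
    "PolicyDocument": {"Version": "2012-10-17", "Statement": [
        {"Effect": "Allow", "Action": "*", "Resource": "*"}]},
    "LastUsed": {},
}
DEPLOY_ROLE = {
    "RoleName": "deploy-role", "AccountId": "111111111111",
    "AssumeRolePolicyDocument": {"Version": "2012-10-17", "Statement": [
        {"Effect": "Allow", "Principal": {"Service": "ec2.amazonaws.com"},
         "Action": "sts:AssumeRole"}]},
    "PolicyDocument": {"Version": "2012-10-17", "Statement": [
        {"Effect": "Allow", "Resource": "*",
         "Action": ["s3:GetObject", "s3:PutObject", "iam:PassRole", "ec2:TerminateInstances"]}]},
    "LastUsed": {"s3:GetObject": NOW - timedelta(days=2), "s3:PutObject": NOW - timedelta(days=40),
                 "iam:PassRole": None, "ec2:TerminateInstances": NOW - timedelta(days=1)},
}
```

Running `assess_role(ADMIN_ROLE)` flags both administrative privileges and a trust relationship with account `222222222222`; the combination is the risk listed above, since anyone who can assume the role from the other account inherits full control. `assess_role(DEPLOY_ROLE)` reports `iam:PassRole` (never used) and `s3:PutObject` (last used 40 days ago) as the permissions gap and returns a policy that keeps only `s3:GetObject` and `ec2:TerminateInstances`. The checks deliberately treat `Condition` keys conservatively and ignore resource-level scoping; a production implementation would also evaluate group memberships, inline policies, and permission boundaries.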
With the sizable number of containers and hosts running in a cloud environment, each running its own mix of libraries and software versions, it is challenging to keep track of existing and newly disclosed vulnerabilities. Identifying them is not enough to keep an environment safe; you also need to know which vulnerabilities to fix first. Without that visibility, your security and DevOps teams risk spending time on less urgent issues while overlooking more serious ones.
CSM Vulnerability Management continually scans your container images and hosts for vulnerabilities, surfacing them in the same views that your teams already use. For example, they can use the Container Images view to see a list of all container images and their vulnerabilities that Datadog has identified, as shown below.
Container image and host vulnerabilities are also surfaced in the CSM Vulnerabilities view, enabling your teams to quickly pivot from a particular resource to a list of all associated vulnerabilities.
CSM Vulnerability Management prioritizes vulnerabilities using the Datadog Severity Score. This value combines the vulnerability’s original Common Vulnerability Scoring System (CVSS) score and evidence of its exploitability with context from your own environment, such as how heavily the affected infrastructure is used and how business-critical it is, so that the same CVE can rank differently on an internet-facing production service than on an idle development host.
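To make the idea of a context-aware score concrete, here is an added example, not Datadog’s Severity Score or its formula. It ranks constructed container-image findings by a hypothetical priority that scales the CVSS base score by whether an exploit is known and by the environment and exposure tags of the image’s workload, then groups the result by CVE with the affected images and owning teams. The multipliers, image names, tags, and CVE identifiers (`CVE-0000-000x`) are all invented placeholders.

```python
"""Added example, not Datadog's Severity Score: a simple context-aware priority
for container-image vulnerability findings that combines the CVSS base score,
exploit availability and the exposure/environment of the image's workload."""
from collections import defaultdict

# Hypothetical weights: the shape of the model matters here, not the numbers.
EXPLOIT_MULT = {True: 1.5, False: 1.0}
EXPOSURE_MULT = {"internet-facing": 1.2, "internal": 1.0}
ENV_MULT = {"prod": 1.0, "staging": 0.6, "dev": 0.3}

def priority(cvss_base, exploit_known, tags):
    """Contextual priority on a 0-10 scale: CVSS scaled by exploit status and workload exposure."""
    score = cvss_base * EXPLOIT_MULT[exploit_known] * EXPOSURE_MULT[tags["exposure"]] * ENV_MULT[tags["env"]]
    return round(min(score, 10.0), 1)

def severity_label(score):
    """Bucket a priority score into the usual four bands."""
    if score >= 9.0:
        return "critical"
    if score >= 7.0:
        return "high"
    if score >= 4.0:
        return "medium"
    return "low"

def rank_findings(findings, image_tags):
    """Group findings by CVE; a CVE's priority is that of its worst-placed affected image."""
    by_cve = defaultdict(lambda: {"priority": 0.0, "affected_images": set(), "owners": set()})
    for f in findings:
        tags = image_tags[f["image"]]
        entry = by_cve[f["cve"]]
        entry["priority"] = max(entry["priority"], priority(f["cvss_base"], f["exploit_known"], tags))
        entry["affected_images"].add(f["image"])
        entry["owners"].add(tags["team"])  # ownership metadata travels with the image tags
    ranked = [{"cve": cve, "priority": e["priority"], "severity": severity_label(e["priority"]),
               "affected_images": sorted(e["affected_images"]), "owners": sorted(e["owners"])}
              for cve, e in by_cve.items()]
    return sorted(ranked, key=lambda r: (-r["priority"], r["cve"]))

# Constructed data: image tags (environment, exposure, owning team) and scanner findings.
# The CVE identifiers are placeholders, not real vulnerabilities.
IMAGE_TAGS = {
    "web/api:1.4.2": {"env": "prod", "exposure": "internet-facing", "team": "payments"},
    "batch/etl:3.0.0": {"env": "dev", "exposure": "internal", "team": "data"},
    "internal/tools:2.1": {"env": "prod", "exposure": "internal", "team": "platform"},
}
FINDINGS = [
    {"image": "web/api:1.4.2", "cve": "CVE-0000-0001", "cvss_base": 9.8, "exploit_known": True},
    {"image": "batch/etl:3.0.0", "cve": "CVE-0000-0001", "cvss_base": 9.8, "exploit_known": True},
    {"image": "web/api:1.4.2", "cve": "CVE-0000-0002", "cvss_base": 7.5, "exploit_known": False},
    {"image": "internal/tools:2.1", "cve": "CVE-0000-0003", "cvss_base": 6.4, "exploit_known": True},
    {"image": "batch/etl:3.0.0", "cve": "CVE-0000-0004", "cvss_base": 5.3, "exploit_known": False},
]

if __name__ == "__main__":
    for r in rank_findings(FINDINGS, IMAGE_TAGS):
        print(f'{r["priority"]:4.1f} {r["severity"]:8s} {r["cve"]}  '
              f'images={r["affected_images"]} owners={r["owners"]}')
```

The ordering is what a contextual score buys you: `CVE-0000-0003`, with a medium CVSS base score of 6.4, outranks `CVE-0000-0002` (7.5) because an exploit is known and the affected image runs in production, while the same `CVE-0000-0001` that tops the list on the internet-facing API scores only 4.4 on the development ETL image. Taking the maximum across images per CVE keeps the ranking conservative; the per-image scores are still available if you want to fix the exposed copy first.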
You can select a particular vulnerability for more details, including a description of the issue, its severity score, the recommended steps for resolving it, and a list of all affected container images.
Because Datadog CSM is deeply integrated with the rest of the Datadog platform, you can quickly pivot back to the Container Images view for more details about all of the container images that are affected by a particular vulnerability. Key information such as infrastructure tags and ownership metadata is included automatically, so there is no need to import additional, potentially sensitive, data. This gives your DevOps and security teams seamless end-to-end visibility into infrastructure vulnerabilities.
Datadog CIEM and CSM Vulnerability Management are now available in public beta—check out their documentation to get started. You can also check out the CSM documentation for more information about getting started with Datadog Cloud Security Management. If you don’t already have a Datadog account, you can sign up for a free 14-day trial today.