Add Security Context to Observability Data With Datadog Cloud Security Management | Datadog

Add security context to observability data with Datadog Cloud Security Management

Authors: Mallory Mooney, Prashant Prahlad

Published: October 19, 2022

Organizations are rapidly migrating their infrastructure to the cloud, enabling them to modernize their applications and deliver more value to their customers. But this transition creates significant security risks that they may be unable to keep pace with. For example, cyber attacks on cloud resources are becoming more sophisticated and prevalent. Additionally, organizations often rely on legacy, disjointed security tools that don’t integrate well with cloud-native infrastructure. This disconnect makes it more difficult for them to trace the path of an attack and collaborate with DevOps to remediate the vulnerability.

To address these problems, we are excited to announce Datadog Cloud Security Management, a unified solution that bridges the gap between security teams and DevOps. Datadog Cloud Security Management brings together data from Datadog Cloud Security Posture Management and Datadog Cloud Workload Security to instantly add security context to the infrastructure that teams already monitor. This means that they can leverage their existing observability data to surface risks, prioritize vulnerabilities, and easily collaborate on mitigating suspicious activity across all of their mission-critical cloud resources.

A unified view for proactive, collaborative investigations

Datadog Cloud Security Management provides teams with key insights into their infrastructure’s vulnerabilities and active threats via a comprehensive Security Overview Page (shown below). DevOps and security teams can use this page to review a high-level summary of security findings, such as active threats and misconfigurations across resource types.

Cloud Security Management Dashboard view

With this information, teams can quickly determine which parts of their infrastructure are most vulnerable. They can also see at a glance how many cloud configurations have failed one of Datadog’s built-in posture management rules, which check configurations against major compliance frameworks and benchmarks.

In addition to providing a high-level summary of misconfigurations, Datadog Cloud Security Management automatically surfaces active threats in an organization’s infrastructure. As shown below, teams can identify risks based on key trends, such as how often they are occurring in an environment.

Cloud Security Management view

This visibility not only allows security teams to monitor the environment for attacks but also to work with DevOps to quickly correlate an active threat with a misconfiguration in an underlying resource. For example, security teams can trace suspicious activity in a container, such as new file creation, back to a misconfiguration in a Kubelet server that allowed anonymous requests.

Comprehensive inventory and risk management

Simple misconfigurations in cloud resources can lead to costly data breaches if they are not identified in time. But finding these vulnerabilities is more difficult when teams do not have an efficient way to track all of their resources’ configurations, especially in large-scale cloud environments. Datadog Cloud Security Management solves this issue by providing insights into who owns specific resources as well as details about their overall security health via the Resource Catalog.

As seen below, the catalog enables teams to assess their environment’s most urgent vulnerabilities and drill down to specific resources for further investigation.

Review security risks for a particular resource with the Resource Catalog

This visibility also gives DevOps complete ownership over their resources. For example, they can proactively monitor the resources they own to determine which ones have failed one of Datadog’s posture management rules and group them by category to assess the scope of their risk.

Review security risks per resource via the Resource Map

This practice has historically been the responsibility of security teams, but Datadog Cloud Security Management enables engineers to proactively monitor for misconfigurations that violate their organization’s compliance benchmarks. If they find an issue, they can remediate it without needing to involve the security team.

Efficient threat detection

Collaboration between security and DevOps teams can be difficult if they use disjointed security and monitoring tools. For example, without enough context, DevOps may not be able to determine if a newly spawned child process for a workload is a part of a larger attack. Conversely, security teams may risk disrupting production workloads by blocking traffic from a legitimate source. On top of that, disparate tools often generate false positive notifications for authorized activity, creating alert fatigue.

Datadog Cloud Security Management improves an organization’s alerting signal-to-noise ratio by using Workload Security Profiles, which create a baseline out of a workload’s typical behavior in order to surface unusual activity. For example, an attacker may attempt to launch a new cron job on a host in order to execute malicious code. Datadog Cloud Security Management can automatically flag this kind of activity as suspicious behavior in the Security Overview Page.

As seen in the example below, security teams can quickly pivot from the overview page to the generated signal in order to view the Security Profile and troubleshoot further.

Review a Security Profile directly within a signal

They can also view more information about the generated profile by clicking the View Security Profile button. The Security Profile view provides deep insights into all the process, file, and network activity associated with the new cron job. As seen below, this information includes a commonality score that indicates whether or not a particular resource, process, or request is part of a typical workflow.

Review the Security Profile and Behavior Commonality Score

If the team can’t confirm that the new cron job is legitimate, they can declare an incident directly from the signal and collaborate with engineers on a solution via Slack. This enables organizations to be sure they are focusing their efforts on legitimate threats rather than wasting time sifting through spurious alerts. Sign up for the private beta of Workload Security Profiles today to get started!
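To make the baselining idea concrete, here is an added illustration (not Datadog's code, and not its actual scoring formula) of a workload behavior profile with a commonality score: the score is assumed to be the fraction of observed instances of a workload that exhibited a given process, file, or network behavior, and events below a threshold are surfaced, so a never-before-seen cron job write scores zero. The events are constructed sample data.

```python
from collections import defaultdict

# Constructed baseline telemetry for one workload: (instance, kind, value).
# Not real data; three instances of the same web service observed over time.
BASELINE_EVENTS = [
    ("web-1", "process", "nginx"),
    ("web-1", "file_write", "/var/log/nginx/access.log"),
    ("web-1", "network", "10.0.0.5:5432"),
    ("web-2", "process", "nginx"),
    ("web-2", "file_write", "/var/log/nginx/access.log"),
    ("web-2", "network", "10.0.0.5:5432"),
    ("web-2", "process", "sh"),  # an operator shell on one instance only
    ("web-3", "process", "nginx"),
    ("web-3", "file_write", "/var/log/nginx/access.log"),
    ("web-3", "network", "10.0.0.5:5432"),
]

def build_profile(events):
    """Map each (kind, value) behavior to the set of instances that showed it."""
    seen = defaultdict(set)
    instances = set()
    for inst, kind, value in events:
        instances.add(inst)
        seen[(kind, value)].add(inst)
    return {"instances": instances, "seen": seen}

def commonality(profile, kind, value):
    """Assumed score: share of baseline instances exhibiting the behavior (0..1)."""
    total = len(profile["instances"])
    if total == 0:
        return 0.0
    return len(profile["seen"].get((kind, value), ())) / total

def score_events(profile, new_events, threshold=0.5):
    """Return (instance, kind, value, score) for behaviors rarer than the threshold."""
    findings = []
    for inst, kind, value in new_events:
        score = commonality(profile, kind, value)
        if score < threshold:
            findings.append((inst, kind, value, score))
    return findings

# Constructed events from a new instance; the cron job write was never seen.
NEW_EVENTS = [
    ("web-4", "process", "nginx"),
    ("web-4", "process", "sh"),
    ("web-4", "file_write", "/etc/cron.d/update"),
    ("web-4", "process", "crontab"),
]

if __name__ == "__main__":
    for finding in score_events(build_profile(BASELINE_EVENTS), NEW_EVENTS):
        print(finding)
```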

Get started with Datadog Cloud Security Management

With Datadog Cloud Security Management, organizations now have complete visibility into the security health of their cloud-native infrastructure. Datadog Cloud Security Management adds instant security context to existing observability data, enabling security teams and DevOps to collaborate on identifying and mitigating the most significant risks in their environment. Check out our documentation to learn more about Datadog Cloud Security Management. If you don’t already have an account, you can sign up today.