Challenges with Scaling Threat Detection Workflows

Identifying fraudulent and malicious activity is crucial when it comes to meeting service level objectives. At PedidosYa, the security team encountered a new challenge when the company introduced free food vouchers for new users. Users were creating several accounts from different IP addresses in order to receive multiple vouchers, but this behavior was difficult to pinpoint and prevent at scale. The team’s threat detection workflow at the time involved manually creating firewall detection rules for every domain they operate, which was grueling, time-consuming, and required lots of maintenance. And as fraudulent activity increased, it became impossible to create individual rules for every IP address that needed to be blocked. This process led to a month-long delay in detection, which gave the malicious actors enough time to achieve their goal.

“ In the last week we identified 37,000 unique users. We would not have been able to detect this fraudulent activity in real time in such an effective manner without Datadog Security Monitoring.”

Santiago Rosenblatt
Head of Information Security, PedidosYa

PedidosYa’s Requirements for a Real-Time Security Monitoring Solution

The security team at PedidosYa realized they needed to speed up and automate security detection and analysis in order to prevent fraudulent activity. So, they started looking for a flexible security solution that detects outliers, automates detection rules, and gives quick visibility into the user’s security posture.

PedidosYa ultimately selected Datadog because it offers customizable, out-of-the-box threat detection rules that facilitate comprehensive security analysis of malicious patterns across the entire tech stack. To do so Delivery Hero was able to integrate the Datadog Cloud SIEM with AWS CloudFront, and correlate the access log data to the application logs from their AWS EC2 instances to detect the malicious activity. These flexible detection rules identify a wide range of attacker techniques in real time and are mapped to the MITRE ATT&CK framework. And because Datadog Security Monitoring is fully integrated with the rest of the Datadog platform, users can correlate a potential threat with relevant application and infrastructure monitoring data in order to quickly triage security alerts.

Additionally, Datadog’s extensive tagging system allows users to group security signals in logical ways, such as by service, region, or IP address. For example, users can view high-level metric data for a particular security signal, and then use tags to zero in on a security group or region. These tags can also be used to create graphs based on filtered or aggregated metrics. This ability to group and visualize security data streamlines the threat detection process for complex systems, such as the one at PedidosYa.

Datadog Security Monitoring is part of the Datadog Cloud Security Platform, which protects an organization’s production environment with a full-stack offering providing threat detection, posture management, workload security, and application security. Security Monitoring also comes equipped with expert-built, out-of-the-box dashboards that provide overviews of all security-related data. The IP address overview dashboard is particularly useful for troubleshooting malicious activity patterns like the one identified at PedidosYa, as it enables users to correlate IP addresses with security signals, events, and a variety of log types in a single pane of glass.

Security at PedidosYa Today

Datadog played an important role in securing PedidosYa by detecting outliers and malicious patterns in real time. The security team was able to create customized rules in our simple rules editor—without using a query language. These rules require minimal setup and maintenance, and they also apply to all of PedidosYa’s domains automatically, which has dramatically accelerated their workflow.

Datadog’s tagging system has also enabled the PedidosYa team to filter and group security signals by specific attributes, such as a URL path. This ensures that PedidosYa is able to identify which user accounts could be connected to a brute force attack or fraudulent activity—and to block the associated IP addresses at the same time. They are then able to triage the security signal to the owner of the service, who can investigate further.

“ Datadog’s remediation includes blocking offensive IPs and fraudulent users at the edge, and with the help of Datadog Security Monitoring, we have been able to create more effective detection rules that automate the process and catch malicious activity.”

Santiago Rosenblatt
Head of Information Security, PedidosYa

By using Datadog, PedidosYa eliminated the month-long detection delay that was hampering their efforts to curb fraudulent activity in their large-scale system. After implementing Datadog Security Monitoring, PedidosYa’s Head of Information Security, Santiago Rosenblat, said, “Datadog was a complete upgrade from our previous security tools. We are able to work with DevOps now in a unified monitoring and security platform.” Single users can no longer create multiple accounts in order to redeem multiple free food vouchers, and PedidosYa is able to focus on what matters most.