Secure Your Infrastructure in Real Time With Datadog Runtime Security | Datadog

Secure your infrastructure in real time with Datadog Runtime Security

Author Nick Davis
Author Jonathan Epstein

Published: November 23, 2020

From containerized workloads to microservice architectures, developers are rapidly adopting new technology that allows organizations to scale their products at unprecedented rates. To make sense of these complex deployments, many teams are abstracting applications away from the environments in which they run. Because of this trade-off, developers and security teams lose the access to the unified context from infrastructure to application needed to fully secure their services. Complementing log-based security monitoring with a solution that can provide infrastructure-based threat detection allows teams to focus on threats holistically, without any gaps that might arise using only one or the other.

Datadog’s Runtime Security (now in beta) detects threats to your production workloads in real time, as a part of your broader observability platform. Complementing Datadog Security and Compliance monitoring, Datadog Runtime Security monitors file and process activity across your environment, meaning that it can detect threats to your infrastructure (like AWS EC2 instances) and workloads (like Kubernetes clusters) in real time at the kernel level, helping catch infrastructure-based attacks before they propagate into downstream logabble events.

Runtime Security uses the unified Datadog Agent, so if you’re already using Datadog to monitor your environment, there’s no need to provision additional resources or introduce new agents. And, as a part of the Datadog platform, you can easily combine real-time threat detection with metrics, logs, traces, and other telemetry from over 450 technologies so that you can see the full context surrounding a potential attack on your workloads, letting you quickly investigate and respond to active threats in your cloud environment.

Datadog Runtime Security seamlessly integrates with your integrated cloud services.

Find threats deep in your infrastructure

Runtime Security monitors every system call made by your Linux hosts and combines those calls with metadata such as tags from across your containers, instances, and Kubernetes clusters. Datadog analyzes this rich dataset against out-of-the-box Detection Rules, which detect potential malicious activity. This makes it ideally suited for catching threats that exist on your cloud instances and containers. Runtime Security Detection Rules look for malicious activity such as the presence of a web shell in your system, or an attacker leveraging system processes to gain persistence in your production environment. And, because Runtime Security is integrated with Datadog’s other security and monitoring tools, you can follow attacks from their inception to determine the source of the problem and take the proper steps to stop them—even if an attacker has attempted to cover their tracks.

For example, consider a web shell exploitation in your application. A web shell is an attack that exploits a vulnerability in application code to gain an interactive shell within the underlying host or container. Web shells are notoriously hard to catch using application logs alone. Maybe the API call in question is not instrumented properly, or the attacker obfuscates their command so that it’s difficult (or impossible) to spot with the human eye. Datadog Runtime Security detects web shells by monitoring process executions in your workloads for suspicious and malicious actions. In other words, Runtime Security can detect the web shell as soon as your web server spawns a malicious process usually leveraged by attackers, such as bash or curl.

Inspect Security Signals to determine root causes

Whenever Datadog ingests data that matches a Detection Rule, it creates a Security Signal that contains system-level information, such as the context of a file change, the path of the executable, the full process tree, and the workload context of the host or container on which the action was performed, like container mount paths, image IDs, and hostnames.

Security Signals contain a wide range of information on the detected threat.

Signals map the MITRE ATT&CK tactic and technique detected and offer tips on how to triage and resolve it. In our web shell example, the resulting Security Signal includes all of the information you need to investigate this activity, including parent/child relationships, command-line arguments, and more. You can use these details to determine which process implemented the remote code execution, gain visibility by correlating across the application’s logs, traces, and system metrics, and, finally, take the proper steps to make sure that the attacker no longer has access to your computing resources.

The Security Signals Explorer aggregates all of your signals so you can easily triage them and inspect their underlying factors like related events and active processes.

The Security Signals Explorer lets you view the signals generated in-context with other threats in your environment.

And, in order to keep all of your teammates in the loop and make sure you’re tackling threats as soon as possible, you can edit any Detection Rule to send threat notifications across popular collaboration tools like Slack and Jira, or send notifications directly to email.

Investigate and respond faster with cross-stack correlation

Datadog’s out-of-the-box Runtime Security dashboard provides a full-picture perspective on the security posture of your workloads and lets you visually track Security Signals across their life cycle. The dashboard comes with visualizations of key metrics like the rate at which signals based on Runtime Security threats have been created and the IDs of the host instances or containers that have most frequently been the target of runtime attacks. Once you find a useful visualization, you can zoom in on its specifics and quickly pivot to any related logs, traces, and processes. You can also easily customize the dashboard with visualizations of application usage metrics, such as user logins and API invocation rates.

The Datadog Runtime Security dashboard gives you a top-down view of your security alerts.

You can also use Datadog’s Log Explorer to track runtime events in-line with all of your other application and infrastructure logging, giving you a full timeline of activity across the entire stack. Datadog automatically correlates all runtime events with their associated workloads, letting you explore relationships between application logs and runtime events with the click of a button.

The Security Signals Explorer lets you view the signals generated in-context with other threats in your environment.

Start securing your infrastructure in real time

Datadog Runtime Security expands your security reach and closes the gaps between application testing, compliance configurations, and network perimeter monitoring. If you’re already a Datadog customer, you can start using the Runtime Security beta now. Otherwise, get started today with a .