From containerized workloads to microservice architectures, developers are rapidly adopting new technology that allows organizations to scale their products at unprecedented rates. To make sense of these complex deployments, many teams are abstracting applications away from the environments in which they run. Because of this trade-off, developers and security teams lose the access to the unified context from infrastructure to application needed to fully secure their services. Complementing log-based security monitoring with a solution that can provide infrastructure-based threat detection allows teams to focus on threats holistically, without any gaps that might arise using only one or the other.
Datadog’s Runtime Security (now in beta) detects threats to your production workloads in real time, as a part of your broader observability platform. Complementing Datadog Security and Compliance monitoring, Datadog Runtime Security monitors file and process activity across your environment, meaning that it can detect threats to your infrastructure (like AWS EC2 instances) and workloads (like Kubernetes clusters) in real time at the kernel level, helping catch infrastructure-based attacks before they propagate into downstream logabble events.
Runtime Security uses the unified Datadog Agent, so if you’re already using Datadog to monitor your environment, there’s no need to provision additional resources or introduce new agents. And, as a part of the Datadog platform, you can easily combine real-time threat detection with metrics, logs, traces, and other telemetry from over 450 technologies so that you can see the full context surrounding a potential attack on your workloads, letting you quickly investigate and respond to active threats in your cloud environment.
Runtime Security monitors every system call made by your Linux hosts and combines those calls with metadata such as tags from across your containers, instances, and Kubernetes clusters. Datadog analyzes this rich dataset against out-of-the-box Detection Rules, which detect potential malicious activity. This makes it ideally suited for catching threats that exist on your cloud instances and containers. Runtime Security Detection Rules look for malicious activity such as the presence of a web shell in your system, or an attacker leveraging system processes to gain persistence in your production environment. And, because Runtime Security is integrated with Datadog’s other security and monitoring tools, you can follow attacks from their inception to determine the source of the problem and take the proper steps to stop them—even if an attacker has attempted to cover their tracks.
For example, consider a web shell exploitation in your application. A web shell is an attack that exploits a vulnerability in application code to gain an interactive shell within the underlying host or container. Web shells are notoriously hard to catch using application logs alone. Maybe the API call in question is not instrumented properly, or the attacker obfuscates their command so that it’s difficult (or impossible) to spot with the human eye. Datadog Runtime Security detects web shells by monitoring process executions in your workloads for suspicious and malicious actions. In other words, Runtime Security can detect the web shell as soon as your web server spawns a malicious process usually leveraged by attackers, such as
Whenever Datadog ingests data that matches a Detection Rule, it creates a Security Signal that contains system-level information, such as the context of a file change, the path of the executable, the full process tree, and the workload context of the host or container on which the action was performed, like container mount paths, image IDs, and hostnames.
Signals map the MITRE ATT&CK tactic and technique detected and offer tips on how to triage and resolve it. In our web shell example, the resulting Security Signal includes all of the information you need to investigate this activity, including parent/child relationships, command-line arguments, and more. You can use these details to determine which process implemented the remote code execution, gain visibility by correlating across the application’s logs, traces, and system metrics, and, finally, take the proper steps to make sure that the attacker no longer has access to your computing resources.
The Security Signals Explorer aggregates all of your signals so you can easily triage them and inspect their underlying factors like related events and active processes.
And, in order to keep all of your teammates in the loop and make sure you’re tackling threats as soon as possible, you can edit any Detection Rule to send threat notifications across popular collaboration tools like Slack and Jira, or send notifications directly to email.
Datadog’s out-of-the-box Runtime Security dashboard provides a full-picture perspective on the security posture of your workloads and lets you visually track Security Signals across their life cycle. The dashboard comes with visualizations of key metrics like the rate at which signals based on Runtime Security threats have been created and the IDs of the host instances or containers that have most frequently been the target of runtime attacks. Once you find a useful visualization, you can zoom in on its specifics and quickly pivot to any related logs, traces, and processes. You can also easily customize the dashboard with visualizations of application usage metrics, such as user logins and API invocation rates.
You can also use Datadog’s Log Explorer to track runtime events in-line with all of your other application and infrastructure logging, giving you a full timeline of activity across the entire stack. Datadog automatically correlates all runtime events with their associated workloads, letting you explore relationships between application logs and runtime events with the click of a button.
Datadog Runtime Security expands your security reach and closes the gaps between application testing, compliance configurations, and network perimeter monitoring. If you’re already a Datadog customer, you can start using the Runtime Security beta now. Otherwise, get started today with a 14-day free trial.