noodls browser compatibility check

The security settings of your browser are blocking the execution of scripts.

To use noodls, javascript support must be enabled. Please change your browser's security settings to enable javascript.

If you have changed your browser's security settings, you can click here.

related announcements

News

Olympus America Inc.

Olympus Launches New POWERSEAL™ Sealer/Divider 5mm Devices, Extends[...]
City of Pompano Beach, FL

Pompano Caribbean Fest
Pennsylvania Department of Banking[...]

September Consumer Financial Protection Events Announced

Finance

Datadog Inc.

08/26/2024 | News release | Distributed by Public on 08/26/2024 07:25

How Datadog Security Inbox prioritizes security risks

tips / security / appsec / csm

In November 2023, Datadog announced the launch of Security Inbox, a solution that equips security and engineering teams with valuable insights for mitigating security risks. Security Inbox takes the guesswork out of addressing the most pressing security risks by automatically organizing them into an actionable list for remediation. As of today, Security Inbox has already served thousands of security and engineering teams, giving them the right context at the right time for protecting their environments.

Not all security risks are created equal, and some attack attempts only generate noise. With the significant volume of logs, signals, and alerts that security and observability platforms generate in cloud environments, teams often risk losing time on investigating benign issues while serious security risks threaten their applications. That's why timely, accurate, and context-rich data is critical for mitigating issues efficiently.

In this post, we'll look at how Datadog Security Inbox cuts through the noise to help your teams:

A multi-tiered system for prioritizing security risks

Security Inbox significantly improves the quality of investigations by factoring in an organization's unique environment. This means that it brings focus to the most pressing issues by looking at their impact on an environment and the likelihood that an attacker can take advantage of a vulnerability or misconfiguration.

To accomplish this, Security Inbox looks at several different types of findings, which are generated by either Datadog Application Security Management (ASM) or Cloud Security Management (CSM). ASM findings cover vulnerabilities from application and third-party libraries while CSM findings look at misconfigurations, identity risks, attack paths, and infrastructure vulnerabilities. Together, they provide the breadth and depth of coverage necessary to mitigate the security risks that have the greatest impact on your environments. To ensure accuracy, Datadog has dedicated security research and engineering teams that continuously monitor and curate findings as well as assess threats.

In the following screenshot, you can see a list of findings that Security Inbox surfaced. Each finding is prioritized based on three key factors: severity level, followed by the number of correlated risks, and then the number of impacted resources or services.

Analyze severity levels for each finding

Datadog assigns each finding with either a Critical, High, Medium, or Low severity level, and these levels are determined by two scoring systems. For application and infrastructure vulnerabilities, Security Inbox uses the Common Vulnerability Scoring System (CVSS) 3.1 standard. For misconfigurations, identity risks, and attack paths, Security Inbox uses the Datadog Security Scoring Framework, which looks at the likelihood of an attacker taking advantage of the identified risk and its impact on your environment if exploited.

The breakdown of these components is illustrated in the following Severity Scoring matrix:

Likelihood	Impact
Low	Medium	High	Critical
Improbable	Low	Low	Medium	Medium
Possible	Low	Medium	High	High
Probable	Medium	High	High	Critical
Highly Probable	Medium	High	Critical	Critical

To better understand how the matrix assigns severity levels to issues, let's look at the first example in the following list of findings for attack paths:

Security Inbox discovered that a publicly accessible application running on a privileged Kubernetes node had one or more exploitable vulnerabilities. Because the application is publicly accessible and has a vulnerability, the likelihood of exploitation is "probable." Additionally, because the privileged access gives it a "critical" impact on the environment, Security Inbox assigned the finding with a CRITICAL severity level. You can view these factors in context with your infrastructure by selecting the finding, as seen below:

For other examples of how the matrix assigns severity levels to findings, you can check out our documentation.

Review correlated risks for additional severity context

Security Inbox also takes several detected risks into consideration when prioritizing a finding, such as whether a resource or application is running in production. This added context enables Security Inbox to more accurately assess a finding's overall risk to your environment, so you can see which issues require immediate attention.

Let's look at how Security Inbox considers risk factors for an application library vulnerability and how they influence a finding's overall severity score and level. As seen below, the finding has a base CVSS score of 9.8 but a final Datadog Severity Score of 7.4:

Factors like "exploit not available" and "low exploitation probability," the latter of which is calculated using the Exploit Prediction Scoring System (EPSS), lowers the overall score and severity level. You can also review a particular finding's final Datadog Severity Score breakdown using the National Vulnerability Database CVSS Calculator for a better understanding of how the standard assesses vulnerabilities.

Security Inbox takes these scores into account when prioritizing them. For example, if two findings have the same severity level, then the finding with the most correlated risks will be prioritized first.

Understand the impact of an issue

The final aspect of Security Inbox's prioritization system looks at how many resources are affected by a finding. For example, if two findings have the same severity level and number of correlated risks, then Security Inbox will place a higher priority on the finding that affects more resources. You can see how this system works for the following list of attack path findings:

In this example, the top three findings also have the same number of correlated risks. But since the first finding impacts eight resources instead of two, Security Inbox makes it a higher priority.

Focus on the most critical risks with Security Inbox

Security Inbox automatically prioritizes and alerts on risks based on a curated, multi-tiered ranking system that enables you to focus on the most pressing issues. Check out our documentation to learn more about Security Inbox's capabilities, or navigate to your Security Inbox to get started. If you don't already have a Datadog account, you can sign up for a free 14-day trial.

Sharing and Personal Tools

Please select the service you want to use: