In Part 1 of our cloud security research and guide roundup, we looked at our contributions to helping you manage cloud infrastructure, data, identities, and access. In Part 2, we share our research, insights, and guides from Datadog Security Labs and The Monitor that support the NSA’s cloud mitigation strategies in the following areas:
- DevSecOps practices: Integrate security into existing DevOps workflows
- Threat detection and response: Proactively detect vulnerabilities in the cloud
We’ll also go beyond these common strategies to look at how security plays a role in working with LLMs.
DevSecOps practices
With the migration to the cloud, many organizations are integrating security into their existing development and operations workflows, creating a new DevSecOps discipline. The NSA’s list includes two key strategies for adopting a DevSecOps approach: defending CI/CD environments and using Infrastructure as Code (IaC) to secure deployments. Even with these recommendations, there are still challenges with maintaining secure code, pipelines, and deployments, which we’ve identified in our State of DevSecOps Report and key report findings.
Guides
Because of the challenges associated with integrating security with DevOps, we want to help organizations move in that direction. For example, we’ve developed a tool for assessing your organization’s DevSecOps maturity. We’ve also taken steps to adopt a DevSecOps approach at Datadog and have written several posts on managing the various aspects of it, such as securing code, CI/CD pipelines, and infrastructure:
- Using Datadog for Detection as Code
- Managing an inventory of software components (i.e., Software Bill of Materials)
- Using threat models to secure systems
- Creating security-focused chaos engineering experiments
- Detecting emerging vulnerabilities
Threat detection and response
Considering the size and complexity of cloud environments, it’s challenging to get adequate visibility into activity. As mentioned in the NSA’s strategy list, cloud authentication, audit, and activity logs provide a “source of truth” for threat detection. But even if you collect the appropriate logs, it’s difficult to fine-tune them to filter out the noise and surface legitimate threats.
Research
We’ve dedicated a significant amount of time researching ways to strengthen threat detection as well as discovering common threats and exploits in various cloud environments:
- Datadog threat roundup: top insights for Q4 2024
- An Adventure in Google Cloud threat detection
- Following attackers’ (Cloud)trail in AWS: Methodology and findings in the wild
- Tales from the cloud trenches: Using AWS CloudTrail to identify malicious activity and spot phishing campaigns
- Bypassing CloudTrail in AWS Service Catalog, and other logging research
To take it a step further, we’ve shown how to emulate threats in AWS environments and test detections for your container workloads to ensure the resilience of your threat detection strategies.
Guides
We’ve also written several posts about collecting and interpreting authentication, audit, and activity logs, including:
- Firewall logs
- Azure platform logs
- Key Kubernetes audit logs
- Authentication logs
- AWS CloudTrail logs
- Google Cloud audit logs
- Windows Event logs
Your logs are the foundation for efficient threat detection, but understanding how to turn those logs into valuable signals for cloud SIEMs can be challenging given the volume of logs that a cloud environment can generate. We’ve walked through how you can build sufficient security coverage and ensure that your cloud SIEMs are generating accurate, relevant signals.
These strategies can strengthen threat detection for your organization and ensure that you are generating valuable cloud SIEM signals for your cloud environment and its components.
Beyond the recommendations: AI security
In addition to addressing the common strategies for cloud security, we’ve also looked at where security plays a role in emergent technologies, like AI. For example, in our latest threat finding roundup, our security researchers noted an increase in the number of attempts to target Amazon Bedrock applications.
Guides
This finding highlights the need for understanding how LLMs operate and where they are susceptible to attacks, which we’ve addressed in the following posts:
- Monitor LLM prompt injection attack
- Troubleshooting RAG-based LLMs
- Machine learning model monitoring: best practices
- Instrument LLM chains
As teams become more familiar with how to efficiently monitor LLM applications, they can better prepare for misconfigurations that can lead to vulnerabilities and threats.
Secure your cloud environments with Datadog
In this post, we shared our research, expertise, and insights in several key areas of cloud security, which can help you adhere to the commonly shared strategies from sources like the NSA. To dig into our cloud security research, check out Security Labs, or read our blog and documentation to learn how Datadog’s security platform can help you monitor and secure your cloud environment. If you don’t already have a Datadog account, you can sign up for a free 14-day trial.
