How Datadog Security Inbox Prioritizes Security Risks | Datadog

How Datadog Security Inbox prioritizes security risks

Author Jean-Claude Kuo
Author Mallory Mooney

Published: August 26, 2024

In November 2023, Datadog announced the launch of Security Inbox, a solution that equips security and engineering teams with valuable insights for mitigating security risks. Security Inbox takes the guesswork out of addressing the most pressing security risks by automatically organizing them into an actionable list for remediation. As of today, Security Inbox has already served thousands of security and engineering teams, giving them the right context at the right time for protecting their environments.

Not all security risks are created equal, and some attack attempts only generate noise. With the significant volume of logs, signals, and alerts that security and observability platforms generate in cloud environments, teams often risk losing time on investigating benign issues while serious security risks threaten their applications. That’s why timely, accurate, and context-rich data is critical for mitigating issues efficiently.

In this post, we’ll look at how Datadog Security Inbox cuts through the noise to help your teams:

A multi-tiered system for prioritizing security risks

Security Inbox significantly improves the quality of investigations by factoring in an organization’s unique environment. This means that it brings focus to the most pressing issues by looking at their impact on an environment and the likelihood that an attacker can take advantage of a vulnerability or misconfiguration.

To accomplish this, Security Inbox looks at several different types of findings, which are generated by either Datadog Application Security Management (ASM) or Cloud Security Management (CSM). ASM findings cover vulnerabilities from application and third-party libraries while CSM findings look at misconfigurations, identity risks, attack paths, and infrastructure vulnerabilities. Together, they provide the breadth and depth of coverage necessary to mitigate the security risks that have the greatest impact on your environments. To ensure accuracy, Datadog has dedicated security research and engineering teams that continuously monitor and curate findings as well as assess threats.

In the following screenshot, you can see a list of findings that Security Inbox surfaced. Each finding is prioritized based on three key factors: severity level, followed by the number of correlated risks, and then the number of impacted resources or services.

Datadog Security Inbox prioritizes the most pressing issues

Analyze severity levels for each finding

Datadog assigns each finding with either a Critical, High, Medium, or Low severity level, and these levels are determined by two scoring systems. For application and infrastructure vulnerabilities, Security Inbox uses the Common Vulnerability Scoring System (CVSS) 3.1 standard. For misconfigurations, identity risks, and attack paths, Security Inbox uses the Datadog Security Scoring Framework, which looks at the likelihood of an attacker taking advantage of the identified risk and its impact on your environment if exploited.

The breakdown of these components is illustrated in the following Severity Scoring matrix:

LikelihoodImpact
LowMediumHighCritical
ImprobableLowLowMediumMedium
PossibleLowMediumHighHigh
ProbableMediumHighHighCritical
Highly ProbableMediumHighCriticalCritical

To better understand how the matrix assigns severity levels to issues, let’s look at the first example in the following list of findings for attack paths:

Datadog Security Inbox prioritizes attack paths

Security Inbox discovered that a publicly accessible application running on a privileged Kubernetes node had one or more exploitable vulnerabilities. Because the application is publicly accessible and has a vulnerability, the likelihood of exploitation is “probable.” Additionally, because the privileged access gives it a “critical” impact on the environment, Security Inbox assigned the finding with a CRITICAL severity level. You can view these factors in context with your infrastructure by selecting the finding, as seen below:

Datadog Security Inbox provides insights into the attack path

For other examples of how the matrix assigns severity levels to findings, you can check out our documentation.

Review correlated risks for additional severity context

Security Inbox also takes several detected risks into consideration when prioritizing a finding, such as whether a resource or application is running in production. This added context enables Security Inbox to more accurately assess a finding’s overall risk to your environment, so you can see which issues require immediate attention.

Let’s look at how Security Inbox considers risk factors for an application library vulnerability and how they influence a finding’s overall severity score and level. As seen below, the finding has a base CVSS score of 9.8 but a final Datadog Severity Score of 7.4:

Datadog Security Inbox severity score breakdown

Factors like “exploit not available” and “low exploitation probability,” the latter of which is calculated using the Exploit Prediction Scoring System (EPSS), lowers the overall score and severity level. You can also review a particular finding’s final Datadog Severity Score breakdown using the National Vulnerability Database CVSS Calculator for a better understanding of how the standard assesses vulnerabilities.

Security Inbox takes these scores into account when prioritizing them. For example, if two findings have the same severity level, then the finding with the most correlated risks will be prioritized first.

Understand the impact of an issue

The final aspect of Security Inbox’s prioritization system looks at how many resources are affected by a finding. For example, if two findings have the same severity level and number of correlated risks, then Security Inbox will place a higher priority on the finding that affects more resources. You can see how this system works for the following list of attack path findings:

Datadog Security Inbox looks at the most impacted resources

In this example, the top three findings also have the same number of correlated risks. But since the first finding impacts eight resources instead of two, Security Inbox makes it a higher priority.

Focus on the most critical risks with Security Inbox

Security Inbox automatically prioritizes and alerts on risks based on a curated, multi-tiered ranking system that enables you to focus on the most pressing issues. Check out our documentation to learn more about Security Inbox’s capabilities, or navigate to your Security Inbox to get started. If you don’t already have a Datadog account, you can sign up for a .