Detect, Prioritize, and Fix Exploitable Infrastructure Vulnerabilities With Datadog Cloud Security Management | Datadog

Detect, prioritize, and fix exploitable infrastructure vulnerabilities with Datadog Cloud Security Management

Author Cyril Bouchiat
Author Rajat Luthra

Last updated: 12月 4, 2024

Running an efficient vulnerability management program has become increasingly challenging as deployment pace accelerates, technologies diversify, and ephemeral resources multiply. This makes it harder for organizations to keep up with vulnerabilities, improve their security posture, and meet compliance standards like SOC 2, PCI, HIPAA, and FedRAMP. DevOps and security teams often find themselves overwhelmed, spending days fixing non-exploitable issues while lacking visibility into the exploitable and zero-day vulnerabilities that legitimately threaten their production environments.

From CI/CD pipelines to live production resources, Datadog Cloud Security Management (CSM) continuously scans your containers, hosts, and serverless functions for vulnerabilities. CSM Vulnerability Management employs runtime observability to help teams prioritize and remediate exploitable vulnerabilities within their daily workflows, making Datadog the single pane of glass for both infrastructure and security teams.

In this post, we’ll discuss how Cloud Security Management can help you:

Continuously scan resources for vulnerabilities

With the sizable number of containers and hosts running in a cloud environment, each operating with different packages and versions, it can be challenging to continually track existing and new vulnerabilities. Many vulnerability management programs miss the full picture by focusing only on the build phase and neglecting vulnerabilities in production. With updates being constantly pushed to production and critical CVEs emerging daily, effective vulnerability management requires continuous detection—from CI/CD pipelines to live environments—to obtain the full picture.

CSM Vulnerability Management provides complete end-to-end visibility by continuously scanning hosts, host images, container images, and serverless functions for vulnerabilities across live production resources, container registries, and CI/CD pipelines, using either Agentless scanning or the Datadog Agent. Because you can’t protect what you can’t see, Datadog provides a real-time inventory of your container images, host images, hosts, serverless, and infrastructure packages, so you can globally review your coverage and identify vulnerable assets.

CSM Vulnerability Explorer Container Image Catalog.

The CSM Vulnerability Explorer provides a centralized view as a starting point so you can deep-dive into vulnerabilities across your entire infrastructure. Each team can filter and investigate vulnerabilities affecting their hosts and container images using infrastructure tags for deeper visibility.

CSM Vulnerability Explorer Container Image Catalog.

Prioritize exploitable vulnerabilities with runtime observability context

CSM Vulnerability Management helps you prioritize exploitable vulnerabilities first, fast-tracking their remediation while keeping teams’ velocity up. This also helps security teams assess the blast radius of a critical emerging vulnerability in seconds.

Datadog assigns exploitable vulnerabilities a Datadog Severity Score, which combines the vulnerability’s Common Vulnerability Scoring System (CVSS) base severity with several risk factors, including:

  • Availability of a fix
  • Public exposure
  • Access to sensitive data
  • Elevated permissions
  • Environment sensitivity, focusing on production
  • Exploit availability, according to sources like CISA, KEV, NIST, and ExploitDB
  • Threat intelligence, such as EPSS

Combining these factors helps you accurately identify the top 5 percent of exploitable critical vulnerabilities, so your team can remain productive while addressing highest risk.

Datadog Severity breakdown.

You can select a particular vulnerability to access more details, such as a description of the issue, its severity score, and a list of affected infrastructure. CSM Vulnerability Management also provides recommended steps for resolving the issue.

You can also quickly identify the teams, resources, and packages with the most exploitable vulnerabilities, helping you prioritize your remediation efforts.

Container Images view by team.

CSM also offers triaging options for managing detected vulnerabilities. You can assign vulnerabilities to individual owners for remediation and tracking, and use the “Status” facet to sort issues based on where they are in the remediation process.

Vulnerabilities list with varying statuses.

Take impactful actions to remediate multiple vulnerabilities in minutes

CSM significantly reduces time to remediation with guided, one-click remediation steps, empowering DevOps engineers to resolve multiple exploitable vulnerabilities in minutes. CSM pinpoints which container base image, container layer, or host image introduces vulnerabilities and recommends the image or package version you should upgrade to in order to remediate most issues at once.

To remediate even faster, CSM uses deployment context to identify hosts deployed in the same autoscaling group that are using the same image. In the example below, CSM recommends upgrading the host image for an autoscaling group, enabling you to fix 975 vulnerabilities across all affected hosts at once. Fixes can be deployed with a single click, using auto-generated PRs through Infrastructure-as-Code.

Vulnerabilities list with varying statuses

Scale your vulnerability management with automated operations and reporting

With CSM, you can steer your vulnerability management program towards autopilot by automating most tasks and using out-of-the-box reporting.

CSM uses Automation Pipelines to automate the vulnerability remediation process while helping you meet the requirements of the most demanding compliance frameworks.

Automation Pipelines supports:

  • Auto-creation of Jira tickets for DevOps teams
  • Alerts in Slack, Microsoft Teams, or your preferred collaboration tool
  • Enforcement of SLAs to remediate vulnerabilities on time
  • Webhooks for further custom automations

CSM Automation Pipelines is now in Preview—to sign up, fill out this form.

CSM Vulnerability Explorer Automation Pipelines.

CSM also offers an out-of-the-box dashboard that makes it easy to track the progress of your vulnerability management program and report to stakeholders.

CSM Vulnerability Explorer OOTB dashboard.

All vulnerabilities, software bills of materials (SBOMs), and coverage data are accessible via our public API, allowing you to easily integrate CSM Vulnerability Management in your existing flows.

Secure your environment with Datadog Cloud Security Management

Using runtime observability, Cloud Security Management enables you to secure your infrastructure by detecting, prioritizing, and providing tools to efficiently remediate the most critical exploitable vulnerabilities throughout your pipelines and production environment. To learn more about using Datadog CSM, check out the CSM documentation. If you don’t already have a Datadog account, you can try CSM by signing up for a 14-day today.