Cloud environments today continue to grow in size and complexity, which increases the demand for improved security coverage in order to protect an organization’s assets, data, and reputation. This growth has also created significant and complex challenges in identifying insider or external threats, compromised accounts, and anomalous behavior across environments. Many organizations adopt SIEM solutions to detect, investigate, and respond to these threats, but determining which security risks to prioritize remains challenging. Datadog Cloud SIEM addresses this issue by introducing essential context and correlation across user attributes, paired with a heuristic risk score to prioritize investigations.
Datadog Cloud SIEM Risk-based Insights and AWS Entity Analytics are now available in Preview and incorporate behavioral and environmental context into security risk insights. These capabilities correlate Cloud SIEM signal context with insights from Datadog Cloud Security Management (CSM), such as misconfigurations, identity risks, and configuration risk attributes to escalate potential threats. Users can view a heuristic score associated with each entity, which is generated by an opinionated risk model. Combined, Risk-based Insights and AWS Entity Analytics help security teams streamline and increase their investigative efficiency.
In this post, we’ll walk through how Datadog Cloud SIEM Risk-based Insights and AWS Entity Analytics help security teams:
- Prioritize and focus on the highest alerts and risks
- Correlate activity with misconfigurations and identity risks in AWS and reduce signal volume
Start investigations with Risk-based Insights
SIEMs that centralize third-party security data from complex IT environments can generate a high volume of alerts. This makes it challenging for security analysts to focus on the most pressing risks and understand where to begin investigating.
We’ll explore how Risk-based Insights can help security teams increase investigation efficiency across a wide variety of attacks. Let’s say you are a security analyst investigating a possible attack in your AWS environment. You can start with the Entities Explorer and review an ordered list of risky entities, along with each corresponding aggregated risk score. The Datadog Cloud SIEM Entity Risk Score takes into account a number of variables but heavily weighs the associated signals and how long they have been an imminent threat. The risk score is also categorized into severity thresholds in order to provide a general understanding of threats in your environment.
By leveraging Datadog’s advanced alerting mechanisms and risk prioritization frameworks, security teams can swiftly identify these potential threats amidst the noise of numerous benign activities. This targeted approach allows them to focus on high-risk insights, which enhances their ability to respond promptly and effectively to real threats. This capability ultimately reduces investigation time and effort.
Get deeper context with AWS Entity Analytics
In today’s monitoring landscape, SIEM solutions often lack seamless integration with observability and security platforms. In order to conduct efficient investigations, it’s essential that these solutions provide adequate context and correlation across user attributes and their entity models. Let’s continue exploring more about a particular entity to show how Datadog Cloud SIEM accomplishes this.
After navigating to the Entities Explorer, you can use simple filters or the search bar to drill down into entity attributes. Once you find the entity you need to investigate, you can select it to open the Entity Side Panel, which provides additional metadata, such as its Entity Risk Score, risk change, and entity type. You can also view existing, correlated signals in order to get a better understanding of associated misconfigurations and identity risks.
With this information, you have better context to understand what happened and determine next steps based on the risk score. For example, you can quickly take action by creating a case to collaborate across cross-functional teams and investigate further—you can either assign the selected signals to yourself or escalate and reassign them to teammates.
Alternatively, if you’ve determined that the entity is not a risk, you can close the signals and review the automatically adjusted risk score.
Increase investigation efficiency with Datadog Risk-based Insights and AWS Entity Analytics
In today’s complex security landscape, efficient threat detection and response are paramount. Our risk-score prioritization system ensures that the most severe threats are addressed promptly, while AWS Entity Analytics offers deeper insights into misconfigurations and identity risks. This dual approach creates higher fidelity stories of threats, which drives a reduction in alert and signal volume and enhances overall investigative efficiency. To get started, you can check out our documentation or sign up for the Preview. If you don’t already have a Datadog account, you can sign up for a 14-day free trial.