- 필수 기능
- 시작하기
- Glossary
- 표준 속성
- Guides
- Agent
- 통합
- 개방형텔레메트리
- 개발자
- Administrator's Guide
- API
- Datadog Mobile App
- CoScreen
- Cloudcraft
- 앱 내
- 서비스 관리
- 인프라스트럭처
- 애플리케이션 성능
- APM
- Continuous Profiler
- 스팬 시각화
- 데이터 스트림 모니터링
- 데이터 작업 모니터링
- 디지털 경험
- 소프트웨어 제공
- 보안
- AI Observability
- 로그 관리
- 관리
Accurate severity scores help security teams understand the risks that vulnerabilities pose to their environment. This guide explains how Cloud Security Management (CSM) uses different measures of severity to calculate the scores.
CSM Misconfigurations, CSM Identity Risks, and Security Inbox misconfigurations use the CSM severity scoring framework to determine the severity of a finding. The framework compares the likelihood that an adversary would take advantage of a misconfiguration to the risk posed to your environment. By weighting both of these aspects, findings can be prioritized more accurately by real-world risks. The matrices below show how a misconfiguration’s severity score is computed based on its likelihood of abuse and impact.
The likelihood component is made up of two subcomponents:
The attack vector is determined by the following criteria:
Attack Vector | Definition |
---|---|
Required Privileges | Requires specific privileges or access to abuse. |
Vulnerability | Requires a vulnerable component to abuse, such as a software vulnerability on a compute instance or a leaked password or access key. |
No Authorization | Requires no authorization or authentication to abuse. |
Accessibility is determined by the following criteria:
Accessibility | Definition |
---|---|
Private | The vulnerable component or resource is in a private network. |
Public | The vulnerable component or resource is accessible from the internet. |
Together, the attack vector and accessibility determine the Likelihood score:
Attack Vector | Accessibility | |
---|---|---|
Private | Public | |
Required Privileges | Improbable | Possible |
Vulnerability | Possible | Probable |
No Authorization | Probable | Highly Probable |
The impact component is how damaging the exploitation of the misconfiguration would be to the environment.
Impact | Definition |
---|---|
Low | This misconfiguration is related to security hardening, hygiene, resource metadata, or industry best practice configurations. By itself, this misconfiguration represents little to no impact to the environment. |
Medium | Abusing this misconfiguration results in an impact to the confidentiality, integrity, or availability of the vulnerable component or its directly associated resources. |
High | Abusing this misconfiguration results in an impact to the confidentiality, integrity, or availability of the vulnerable component and impacts a significant number of other resources. For example, an identity with the S3FullAccess policy attached. |
Critical | Abusing this misconfiguration results in complete control of all resources in the account. For example, an identity with the AdministratorAccess policy attached. |
The likelihood and impact components are used to compute the overall severity score for a misconfiguration.
Likelihood | Impact | |||
---|---|---|---|---|
Low | Medium | High | Critical | |
Improbable | Low | Low | Medium | Medium |
Possible | Low | Medium | High | High |
Probable | Medium | High | High | Critical |
Highly Probable | Medium | High | Critical | Critical |
To explain how the framework is used here are a few examples.
The detection rule for SNS Topic should have access restrictions set for subscription checks if the SNS topic has a resource-based policy that contains a Principal
of *
, and an Action
with the sns:Subscribe
permission. This combination gives anyone the ability to subscribe to the SNS topic and receive its notifications.
Using the CSM severity scoring framework, the rule would be scored as follows:
*
. This wildcard grants anyone the ability to act on the resource. No authentication or authorization is required to exploit the misconfiguration.The detection rule for EC2 instances should enforce IMDSv2 checks if an EC2 instance is using the Instance Metadata Service Version 1 (IMDSv1), which is vulnerable to common web application attacks. If exploited, an adversary can obtain access to the IAM credentials stored in the IMDS and use them to access resources in the AWS account.
Using the CSM severity scoring framework, the rule would be scored as follows:
CSM Vulnerabilities uses Common Vulnerability Scoring System version 3.1 (CVSS 3.1) to determine a base score for a vulnerability. It then modifies the base score to take into account the following: