Available for: Cloud Security Management | Application Security Management
Security Inbox provides a consolidated, actionable list of your most important security findings. It automatically contextualizes and correlates insights from Datadog security products across vulnerabilities, signals, misconfigurations, and identity risks into a unified, prioritized view of actions to take to strengthen your environment.
Types of findings in Security Inbox
The findings that appear in Security Inbox are generated from Application Security Management (ASM) and Cloud Security Management (CSM). By default, these include the following types of findings:
- A curated set of misconfigurations for CSM Misconfigurations, compiled by Datadog Security Research.
- A curated set of identity risks for CSM Identity Risks, compiled by Datadog Security Research.
- Application library vulnerabilities for Software Composition Analysis (SCA). All high and critical application library vulnerabilities on production services under attack appear in the inbox.
- Application code vulnerabilities for Code Security vulnerabilities. All high and critical application code vulnerabilities appear in the inbox.
- Attack Paths. An attack path outlines a series of interconnected misconfigurations, container image, host, and application vulnerabilities that malicious actors could leverage to gain unauthorized access, escalate privileges, or compromise sensitive data in your cloud environment. All attack paths are listed in Security Inbox by default.
Security Inbox also takes the following detected risks into consideration when determining which findings appear in the inbox:
- Public accessibility: Publicly exposed resources carry elevated risk, especially if they contain vulnerabilities or misconfigurations. To learn more, see How Datadog Determines if Resources are Publicly Accessible.
- Privileged access: Resources with privileged access carry elevated risk as they grant elevated permissions that can expand the attack surface.
- Under attack: Resources that are seeing suspicious security activity carry elevated risks. Resources are flagged as “Under Attack” if a security signal has been detected on the resource in the last 15 days.
- Exploit available: Vulnerabilities with public exploits available carry elevated risks. The availability of a public exploit is verified with different exploit databases, such as cisa.gov, exploit-db.com, and nvd.nist.gov.
- In production: Vulnerabilities in production environments carry elevated risks. The environment is computed from the env and environment tags.
How Security Inbox prioritization works
Security Inbox ranks issues by considering the severity of a finding first, followed by the number of correlated risks, and then the number of impacted resources and services.
- Severity (Critical, High, Medium, and Low): Severity is determined by the Datadog Security Scoring Framework for cloud misconfigurations and identity risks, and by CVSS 3.1 for vulnerabilities.
- Number of detected risks: When two findings have the same severity, the one with a greater number of detected risks is given higher priority.
- Number of impacted resources and services: If two findings share both the same severity and the same number of detected risks, the finding that impacts a greater number of resources and services is prioritized higher.
Note: The type of finding, detected risk, or impacted resource does not influence prioritization.
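As an added illustration (not Datadog's code), the detected-risk list and the three ranking keys above can be modelled as a multi-key sort over findings. The sample findings, the "now" timestamp and the set of tag values treated as production are constructed assumptions for this example.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone

SEVERITY_RANK = {"critical": 4, "high": 3, "medium": 2, "low": 1}
UNDER_ATTACK_WINDOW = timedelta(days=15)   # "Under Attack" = signal on the resource in the last 15 days
PROD_ENVS = {"prod", "production"}         # assumed env/environment tag values meaning "in production"

@dataclass
class Finding:
    name: str
    severity: str
    public: bool = False                    # publicly accessible resource
    privileged: bool = False                # resource holds privileged access
    exploit_available: bool = False         # public exploit known for the vulnerability
    last_signal: "datetime | None" = None   # most recent security signal on the resource
    tags: dict = field(default_factory=dict)
    impacted: int = 1                       # number of impacted resources and services

def detected_risks(f, now):
    """Labels from the page's detected-risk list that apply to this finding."""
    env = (f.tags.get("env") or f.tags.get("environment") or "").lower()
    checks = [
        ("public accessibility", f.public),
        ("privileged access", f.privileged),
        ("under attack", f.last_signal is not None and now - f.last_signal <= UNDER_ATTACK_WINDOW),
        ("exploit available", f.exploit_available),
        ("in production", env in PROD_ENVS),
    ]
    return [label for label, hit in checks if hit]

def prioritize(findings, now):
    """Rank by severity, then number of detected risks, then impacted count (all descending)."""
    return sorted(
        findings,
        key=lambda f: (SEVERITY_RANK[f.severity.lower()], len(detected_risks(f, now)), f.impacted),
        reverse=True,
    )

def sample_ranking():
    """Constructed sample findings; returns their names in inbox order."""
    now = datetime(2024, 6, 1, tzinfo=timezone.utc)  # constructed reference time
    findings = [
        Finding("s3-bucket-public", "critical", public=True, impacted=1),
        Finding("log4shell-on-api", "high", public=True, exploit_available=True, last_signal=now - timedelta(days=10), tags={"env": "prod"}, impacted=3),
        Finding("old-openssl", "high", exploit_available=True, tags={"environment": "production"}, impacted=5),
        Finding("stale-iam-key", "high", privileged=True, last_signal=now - timedelta(days=20), tags={"env": "staging"}, impacted=2),
        Finding("debug-endpoint", "high", public=True, impacted=1),
    ]
    return [f.name for f in prioritize(findings, now)]
```

The single critical finding leads regardless of its one risk; among the high findings the risk count decides, and the 20-day-old signal on stale-iam-key no longer counts as "under attack", so only its impacted count lifts it above debug-endpoint.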
Use the security context map to identify and mitigate vulnerabilities
The security context map for Attack Paths provides a comprehensive view to help identify and address potential breach points. It effectively maps interconnected misconfigurations, permission gaps, and vulnerabilities that attackers might exploit.
Key features include:
- Risk assessment: The map enables security teams to assess the broader impact of vulnerabilities and misconfigurations. This includes evaluating whether security policies—such as access paths and permissions—need updating, and understanding the compliance implications of exposure, particularly when sensitive data is at risk within the blast radius.
- Actionable context for immediate response: The map includes service ownership information and other relevant context, allowing teams to make informed, real-time decisions. Teams can take action directly from the map by running integrated workflows, sharing security issue links, and accessing the AWS console view of resources for efficient remediation, all without switching tools.
Customize Security Inbox to highlight crucial issues
Join the Preview!
Vulnerability Pipeline is in Preview. To enroll in the Preview for Add to Security Inbox rules, click Request Access.
Vulnerability Pipeline enables you to configure rules that customize your Security Inbox, allowing you to highlight issues that are critical to your organization. By setting up these automated rules, you can streamline the management of newly discovered vulnerabilities, enhancing triage and remediation efforts at scale. Leveraging both the Vulnerability Pipeline and Add to Security Inbox rules, you can optimize your security operations in the following ways:
- Resurface issues not captured by default: Highlight issues that might be missed by default or custom detection rules, ensuring no critical issue is overlooked.
- Strengthen compliance and address key system concerns: Address concerns affecting regulatory compliance or important business systems, regardless of severity.
- Prioritize current risks: Focus on immediate threats, such as identity risks after an incident or industry-wide vulnerabilities.
For more information, see Vulnerability Pipeline and Add to Security Inbox Rules.