As financial services companies, such as banks, hedge funds, and stock exchanges, move to the cloud, sensitive data often unintentionally moves with them. To help avoid costly breaches and address governance, risk, and compliance (GRC) requirements such as PCI-DSS, GDPR, and SOC 2, these organizations may need to identify where in the cloud sensitive data can leak and be able to redact it at scale.

On April 19, 2024, Datadog’s US5 website (app.us5.datadoghq.com) started experiencing elevated error rates, though they were low enough that most of our users didn’t notice them. For the next few days, we worked around the clock responding to multiple episodes of this mysterious attack, which gradually unfolded as we investigated. We also implemented several measures to reduce the impact on our customers.

In November 2023, Datadog announced the launch of Security Inbox, a solution that equips security and engineering teams with valuable insights for mitigating security risks. Security Inbox takes the guesswork out of addressing the most pressing security risks by automatically organizing them into an actionable list for remediation. As of today, Security Inbox has already served thousands of security and engineering teams, giving them the right context at the right time for protecting their environments.

Akamai is a cloud content delivery and security platform that helps organizations secure their applications, APIs, network access, and credentials that workforces and customers use every day. Akamai Zero Trust provides enhanced security for users, devices, and data across an organization by securing access to the corporate network, SaaS applications, email, and other resources.

Snowflake is a fully managed data platform that enables users to store, process, and analyze large volumes of data across their cloud environments. Recently, Datadog’s Security Research Team posted a threat hunting guide to help defenders ensure the security of their Snowflake instances.

APIs can be vulnerable to a wide variety of attacks, such as poor inventory management and access controls, making them a primary target for attackers. Server-side request forgery (SSRF) is one type of attack that has become more prominent with the rising use of public clouds. This is primarily due to new development practices like using Instance Metadata Services (IMDS) to access valuable information about deployed instances, such as credentials.

Cloud security teams are faced with an ever-increasing number of challenges. Attackers are focusing on more cloud-native attacks than ever. Meanwhile, the number of cloud service offerings—and by extension, the number of misconfigurations in them—is only growing. And there is always the risk that a sophisticated adversary could abuse a vulnerability in a cloud service provider to target cloud customers.

Cloud environments today continue to grow in size and complexity, which increases the demand for improved security coverage in order to protect an organization’s assets, data, and reputation. This growth has also created significant and complex challenges in identifying insider or external threats, compromised accounts, and anomalous behavior across environments.

Every security engineer has experienced this issue: after spending a lot of time creating a new SIEM alert to catch malicious behavior, you deploy it, only to find there are over 100 service accounts triggering false positives. Your SIEM is suddenly flooded with false alerts, and your team is overwhelmed as a result. You then spend hours or even days investigating these alerts and fixing your detection rule, hoping it will work better next time.

With the alarming number of data breaches and vulnerabilities today, security is now a primary concern for organizations and their customers, but knowing how to efficiently develop and scale secure applications is still a problem. Tackling this challenge requires considering the potential security risks of a new feature or service much earlier in the development cycle, an idea that is foundational to the Secure by Design approach.