Data breaches and unauthorized data access pose significant business threats – the importance of proactive security measures cannot be overstated. One way to accomplish this is by having an alert system for access to sensitive data. Given the large volume of data that organizations collect, it is difficult, first of all, to locate sensitive data and, second, to control access to this data. Failing to complete either of these tasks leaves the organization open to both security and compliance risks.
A solution to this problem is to provide real-time alerts whenever specific access to sensitive data occurs. It is even more important that this alert is automated, reducing the likelihood of human error and reducing the burden on data engineering and DevOps teams. The integration between Satori and Datadog creates this robust mechanism and significantly bolsters data security.
What is Datadog?
Data-driven organizations across many industries and sectors use Datadog to gain insight into the performance and health of their digital infrastructure. Datadog collects and aggregates data from various sources, including servers, containers, applications, and cloud providers. This allows users to visualize and analyze metrics, logs, and traces in a centralized and intuitive dashboard. This unified view provides visibility into the entire technology stack, empowering teams to detect and resolve issues quickly, improve system performance, and ensure a seamless end-user experience. However, one area that is particularly challenging for Datadog is storing and managing the individual SQL queries that are run against a large and disparate set of data sources from a large number of data clients.
Datadog is easily integrated with popular cloud platforms such as Amazon Web Services (AWS), Microsoft Azure, and Google Cloud Platform (GCP), as well as numerous other tools and services. Datadog provides real-time monitoring and customizable alerting through email, SMS, chat applications, and collaboration tools.
Satori’s Proactive Auditing & Monitoring
Satori enables organizations to take a proactive approach to sensitive data access. Satori’s open-source Universal Data Permissions Scanner scans all data stores and reports where sensitive data is located and who can access it. This capability ensures that organizations always know where all of their sensitive data is located.
Satori centralizes access logs and enriches them with metadata about identity and security policies, providing detailed information about sensitive data access that organizations can use to create customizable reports and identify behavior anomalies.
Making the Best Use of Your Audit Data
Combining Satori’s detailed access logs with Datadog’s real-time alerts provides organizations with enhanced security and compliance; organizations can now receive real-time alerts of specific access to sensitive data.
Real-time alerts regarding specific access to sensitive data are crucial for ensuring the privacy and security of that data. Satori empowers organizations to set up precise and customizable triggers that notify security teams when specific access patterns or events occur: in particular, unauthorized attempts to access sensitive databases, unauthorized data exfiltration, unusual data access activities, or any access that violates defined security policies or compliance regulations.
Satori sets up a customizable trigger that tags any unauthorized data access or queries. If any unauthorized access occurs, this trips the “Datadog Specific” access log and sends an alert directly to the Datadog admin. This empowers the security team to take immediate action.
Satori enhances the auditing and monitoring capabilities of Datadog by sending Satori audit data downstream into your Datadog account. The ultimate outcome is a Datadog event line item for each Satori audit record you have chosen to export.
The ability to learn where and when sensitive data queries occur, and to get a real-time notification, gives organizations comprehensive visibility and control over their data. This reduces the potential security and compliance consequences, enabling the organization to take proactive measures to protect sensitive data.
Specific Use Cases
The integration between Satori and Datadog is particularly useful to answer three use cases:
- Detecting bad actors connecting to sensitive data in near-real time.
- Correlating bad actors connecting to sensitive data with other events that occur in Datadog.
- Correlating SQL queries connecting to sensitive data with general performance issues observed in Datadog.
- “Satori always logs SQL queries as Satori Audit entries”
The first and most important observation we can make is that, as a byproduct of the above list, Satori always logs every single query as an audit entry in the Satori platform. Failures, successes, blockages, access… all of it. Who, what, where, when, and even why. It is this valuable audit data that we want to send to Datadog.
- “You don’t have to send all Satori Audit data to another system”
Satori does such a great job showing SQL audit data using our built-in reporting and dashboards that in production you don’t even have to consider sending this data outside of Satori. However, there may be situations related to compliance/regulatory requirements that require this, or you may want some of the Satori audit data integrated into your SIEM data topology. For this, we recommend a partial export of Satori audit data using the Satori REST API.
- “Don’t kitchen-sink copy your audit data around your network; instead, make meaningful integrations based upon meaningful business decisions”
A good business use case for sending Satori audit data to Datadog is real-time alerting on specific access to specific pieces of sensitive data. Otherwise you are just junking up your environment with multiple copies of the same massive data sets.
Satori Integration with Datadog: Real-Time Data Access Alerts
There are a variety of ways to integrate Satori and Datadog. A typical integration requires a very small amount of API code to connect the Satori API and Datadog API.
In the following example we use AWS Lambda and Python, but you could replace this with any cloud provider and any modern programming language that works with REST APIs. To follow along you will need:
- A Satori account where you, as an admin, can create new datastores, security policies, and masking profiles, and use the Satori REST API.
- If you don’t have an account, you can use our free test drive, which includes several sample data sets.
- A Datadog account and the ability to create a Datadog API key and application key.
Example: Satori and Datadog Integration
While Satori audit data is “eventful” in nature, it is not associated with any one machine or server but rather with an end user, using a data client or BI tool and connecting to some data source using SQL. Therefore, we use the Datadog Events API for this example.
We create the integration using AWS Lambda and Python using the following gist:
However, there are a few key points to consider:
- This is a small, stateless integration solution. We are reading from Satori via Rest API, and writing to Datadog via Rest API.
- We filter “the last 1 day” (line 23)
- We filter for Satori Classifiers of type “custom_classifier” (line 26). This classifier was already created in Satori and already tagged on some data using the Satori Data Inventory.
- We create a customized Datadog message (lines 83-104)
In this example, the integration runs on a timer: data is polled from Satori on a periodic basis and sent to Datadog.
As a side note and out of convenience, we also leverage a particular Lambda layer for Python that AWS provides, “AWSDataWrangler” (learn more about this AWS integration here):
We set our AWS EventBridge poll interval to every 15 minutes, for internal purposes. Since the Python code retrieves one day of Satori audit data per run, we need to reconcile the two periods, or the same entries will be pulled repeatedly. There are three options:
- change the Python code to retrieve 15 minutes of Satori audit data;
- change the AWS EventBridge periodicity to 1 day;
- change these periods however you see fit.
Here is what a sample event might look like inside Datadog:
- Running in the Lambda function, the Python code retrieves any Satori audit entry containing a specific Satori Classifier called “custom_classifier.”
- A warning alert, which we defined in the Python code as “WARNING! SENSITIVE QUERY RUN BY: …”, is sent to Datadog.
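The filter-and-forward logic described above, as an added example that is not the gist from the post or Satori’s own code. It keeps the audit records as plain dicts so it runs offline: the Satori field names and the `SAMPLE_AUDIT` records are constructed assumptions, the Datadog Events API endpoint and `DD-API-KEY` header are real, and the window filter implements the first of the three reconciliation options (a 15-minute window matching the EventBridge interval) so that polling more often than the pull period does not re-alert on old rows.

```python
import json
import urllib.request
from datetime import datetime, timedelta, timezone

DATADOG_EVENTS_URL = "https://api.datadoghq.com/api/v1/events"  # Datadog Events API v1
TARGET_CLASSIFIER = "custom_classifier"  # classifier tagged via the Satori Data Inventory
WINDOW = timedelta(minutes=15)  # matches the EventBridge poll interval
SAMPLE_NOW = datetime(2024, 1, 1, 12, 10, tzinfo=timezone.utc)  # constructed poll time

# Constructed sample audit records; field names are assumptions, not Satori's real schema.
SAMPLE_AUDIT = [
    {"id": "a1", "timestamp": "2024-01-01T12:05:00Z", "user": "alice@example.com",
     "datastore": "pg-prod", "query": "select email from customers", "classifiers": ["custom_classifier"]},
    {"id": "a2", "timestamp": "2024-01-01T12:07:00Z", "user": "bob@example.com",
     "datastore": "pg-prod", "query": "select 1", "classifiers": []},  # not tagged: ignored
    {"id": "a3", "timestamp": "2024-01-01T09:00:00Z", "user": "carol@example.com",
     "datastore": "snowflake", "query": "select ssn from people", "classifiers": ["custom_classifier"]},  # stale
]

def parse_ts(value):
    return datetime.fromisoformat(value.replace("Z", "+00:00"))

def select_sensitive(records, classifier, now, window):
    """Keep records tagged with the classifier and inside the poll window, so a
    1-day Satori pull polled every 15 minutes does not re-alert on old rows."""
    cutoff = now - window
    return [r for r in records
            if classifier in r.get("classifiers", []) and parse_ts(r["timestamp"]) > cutoff]

def to_datadog_event(record):
    """Build a Datadog Events API payload; the title mirrors the post's warning text."""
    return {
        "title": f"WARNING! SENSITIVE QUERY RUN BY: {record['user']}",
        "text": f"datastore={record['datastore']}\nquery={record['query']}",
        "alert_type": "warning",
        "aggregation_key": f"satori-audit-{record['id']}",  # same key lets Datadog group repeats
        "date_happened": int(parse_ts(record["timestamp"]).timestamp()),
        "tags": ["source:satori", f"classifier:{TARGET_CLASSIFIER}"],
    }

def post_event(event, api_key):
    req = urllib.request.Request(DATADOG_EVENTS_URL, data=json.dumps(event).encode(),
                                 headers={"Content-Type": "application/json", "DD-API-KEY": api_key})
    with urllib.request.urlopen(req) as resp:
        return resp.status

def lambda_handler(event=None, context=None, records=SAMPLE_AUDIT, now=None, api_key=None):
    """AWS Lambda entry point: filter the pulled audit records and forward each hit (dry run without a key)."""
    now = now or datetime.now(timezone.utc)
    events = [to_datadog_event(r) for r in select_sensitive(records, TARGET_CLASSIFIER, now, WINDOW)]
    for e in events if api_key else []:
        post_event(e, api_key)
    return events
```

In a real deployment `records` would come from the Satori REST API pull and `api_key` from the Lambda environment; with `SAMPLE_AUDIT` only the first record produces an event.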
This integration lets you use Datadog’s excellent reporting and “saved views” features, as well as correlate Satori audit events with other activities recorded in Datadog.
Some possible alerts and questions the integration can help answer are:
- Did a bad actor attempt to pull down a large email list? If so, when, from where, and by whom?
- Are there SQL queries impacting our database performance?
There are countless opportunities to integrate Satori’s valuable audit data with the rest of your SIEM ecosystem!
The integration between Satori’s Data Security Platform and Datadog with a combination of audit data and real-time alerting provides a proactive and dynamic data security strategy. It empowers organizations to identify and mitigate security risks swiftly, safeguarding sensitive data and maintaining the trust of customers and stakeholders.
To learn more, book a consulting call with one of our experts.