Solved: Re: Is Dynatrace capable of monitoring Security Vulnerability and DDOS attacks?

bchintapalli · ‎03 Sep 2021

Is Dynatrace capable of monitoring Security Vulnerability and DDOS attacks?

If a hacker access our server in DMZ location?
Any unusual activity can be tracked from an unusual location?

Using features in an unexpected sequence?

Types and amounts of transactions

Using features not typically used etc.

What can dynatrace do if the above anomalies are detected?

Log and alert

Log with no alert

Prevent the activity from moving forward.

AntonioSousa · ‎03 Sep 2021

@bchintapalli

I'm CTO at a Dynatrace partner, and we also work in security projects. I can tell you that despite Dynatrace not specifically having a security offering around the scenarios you mentioned, it can be used in those scenarios. I'm going to reference two cases where we have had such "close" encounters:

In one case, Davis alerted us to a problem in a site with several failures. On close inspection, we figured out that those requests were clearly a security scan. On a more detailed inspection, we figured out that the server had been compromised! This was all done with Dynatrace data alone. Given the RUM data we were able to follow everything the hacker did from his hacking console, that he uploaded to the site. We were also able to pinpoint the backdoors that he left behind, including all the hacking console code. Unfortunately, we didn't have the time to setup Session Replay, as that would give us a video of what the hacker had seen!!! This case is particularly special for us, as in this client we only do Dynatrace; security is done by another company and they were absolutely clueless about what was going on.
In another case, we were asked to track down something that was bringing some site down. In this case we discovered a very big bot that was making so many requests, that it represented more than half of the total requests to the site. It was particularly easy to track it down, and ACL the bot. It then "mutated", but Davis (the AI) tracked it immediately when it came back 🤣 Some more interactions ensued, but eventually the bot left... This is not a typical DDOS, but Dynatrace will certainly catch it!

I would say that most of the questions you make will be alerted by the AI engine, but it will not track it down as a security incident, at least by now. But I expect some of this knowledge being incorporated into Davis in the near future.

Antonio Sousa

gilgi · ‎10 Sep 2021

One of the anomalies that can be looked for are traffic spikes and drops for both services and applications. This means you can turn it on and when there are much more attempts to invoke anything on your services, you will have a problem opened immediately at the service/application level.

If you suspect some entry points have greater chances to be attacked, you can also mark them as key requests and the traffic anomaly detection will be also done for them specifically.

c_schwarzbauer · ‎12 Nov 2021

Right now, Dynatrace Application Security is capable of detecting security vulnerabilities in Java, .NET, Node.js and PHP libraries and Kubernetes. No attacks are detected right out-of-the-box at the moment.

However, as already said by the others, you can already monitor various security-relevant scenarios with the means that Dynatrace gives you right now. In addition to that, we're already working on new features which will help with even more AppSec use cases.

So stay tuned to learn more about those features in the future, e.g. at Dynatrace Perform 2022.

joseph_bannert · ‎17 Jun 2022

With Dynatrace Azure integration you can ingest the metric "IfUnderDDoSAttack", which says if Under DDoS attack or not and has unit Count. Metrics described here https://www.dynatrace.com/support/help/shortlink/azure-public-ip#available-metrics & https://docs.microsoft.com/en-us/azure/ddos-protection/telemetry#metrics.