What is our primary use case?
It is a daily visibility and alerting tool for both general security as well as SOX compliance. We use it to monitor privilege escalation, access to our AWS environment, EC2 instances, spotting of EC2 instances, etc., as well as vulnerability and patch management.
We have the standard threat visibility dashboard and alerting platform and we also have their assisted service they launched mid last year, a monthly threat evaluation/vulnerability assessment which they send.
How has it helped my organization?
The capacity to respond to evidence requests from the SOX auditors has significantly improved because of this tool.
It has also provided us with the ability to gain actionable insight into our cloud infrastructure. We have a long list. The vulnerability and patch-management components allow us to see what our most severe and actionable items are for platform OS, our EC2 instances, our golden images. We're able to see what instances have the greatest need for assessment and remediation and we move down the list on those. Over time, that's going to substantially improve our overall security structure.
We're also seeing the ability to respond to things in real time, particularly Sev 1 Alerts. We don't have any delay. We get the alert, we can immediately jump in. We use Threat Stack to do some forensics on it, figure out what's actually going on, and resolve the situation very quickly. Fortunately, we've not had any true penetrations, but we've had things that have happened and we've been able to alert on those and make adjustments.
It's given us another 50 percent in terms of the time it takes for us to be aware of something. Threat Stack is a great tool for that because it makes you aware more quickly, as opposed to CloudWatch or CloudTrail. The time-to-awareness is significantly decreased because it's an alerting platform. By comparison, it's arduous to write rules that really apply well in CloudTrail or CloudWatch.
In terms of the time needed to investigate potential attacks, the data that's available in the single pane of glass probably knocks half the time off because we don't have to jump over to AWS. We've got it all there.
What is most valuable?
It has been quite helpful to have the daily alerts coming to my email, as well as the Sev 1 Alerts. Anything that pops a Sev 1 comes directly to my email. Most recently we started getting those monthly evaluations and that's definitely helped us with our overall security stack, as far as how we're dealing with things in AWS. The dailies have been most helpful. We just went through a SOX audit and those were pivotal.
We're using it on container to see when activity involving executables happens, and that's great. We're not using a Kubernetes at this stage.
As far as alerts go, we can write our own rules. I continue to tweak rules, modify rules, etc. That's a big deal for us so that we're getting relevant information, but not miss other information. It is fairly easy to tune. The ability to fine-tune rules and write new rules is very straightforward. It doesn't take much learning at all.
What needs improvement?
It certainly has a lot of capabilities and we're not using much of what it can do. That's something that, as we mature as an organization, we'll expand into.
The one thing that we know they're working on, but we don't have through the tool, is the application layer. As we move to a serverless environment, with AWS Fargate or direct Lambda, that's where Threat Stack does not have the capacity to provide feed. Those are areas that it's blind to now, so that's the biggest area for improvement. They're currently looking at changing that with an acquisition, but as it stands right now, that's the only spot that I consider weak.
For how long have I used the solution?
One to three years.
What do I think about the stability of the solution?
The stability of Threat Stack has been very good. I've had no impact from it being down when I needed it.
What do I think about the scalability of the solution?
The issue for us was understanding how the scalability works, because we do have these bursts during Black Friday when we go about 30 or 40 average EC2 instances to several hundred. Once we figured out how to manage that, we found it scales brilliantly.
How are customer service and technical support?
Their technical support is very good. I have found them to be extremely responsive and accurate. They've been excellent to work with.
Which solution did I use previously and why did I switch?
I believe the only thing the company used before Threat Stack was the incumbent AWS logging: CloudWatch, CloudThreat, CloudTrail. The switch was made for the ability to have a single pane of glass to view all of the aggregate log information.
How was the initial setup?
I was not part of the initial setup. I was secondary to that. It was already installed when I was hired. I helped configure and flush it out for full use. But it had already been installed and the primary Sarbanes-Oxley rules had been built.
My interaction with it was easy, but I would assume the setup was fairly straightforward because nobody came warning me that this was a complex tool.
My strategy was to take it from a purely compliance-alerting and rule tool and turn it into a more security-centric tool. I implemented additional rules that were specific to actual security threats and created actionable lists on those. We needed to start paying more attention to the vulnerability-management piece.
What was our ROI?
The ease of audit tracking for Sarbanes-Oxley audit was a dramatic change from last year. That's a key win. I don't know that it paid for itself there, but it certainly contributed to paying for itself there.
What's my experience with pricing, setup cost, and licensing?
Pricing seems to be in line with the market structure. It's fine. There's not a problem with it. It seems to fit well within the current pricing structures that are out there.
What other advice do I have?
One of things that was dropped here that I picked up and have been running with is that Threat Stack should be implemented and comprehensively applied to security for security's sake, as well as for compliance. It was initially bought here as a compliance tool to help with Sarbanes-Oxley. So a lot of the security stuff was ignored. If you are is looking at Threat Stack, you need to look at it as the comprehensive solution that it is. It can certainly be used very effectively for compliance elements. But it has excellent security elements.
We have a software security architect who utilizes it. I utilize it as the Director of Information Security. And our CIO utilizes it just for oversight to see what's going on. He doesn't have a lot of interaction with it. So we have two functional, active users of the tool. As far as maintenance goes, it's really the two of us. We do involve another member of the infrastructure team, an infrastructure developer, if we deploy agents to new EC2 instances that are not already golden-imaged with the instance, or we update images, or update the agents on the instances.
Regarding the capacity that Threat Stack has, we're probably using half of it. The goal is to certainly implement many other elements into Threat Stack and then cross-feed the Threat Stack data itself into other tools like SIEM for the enterprise side, so that we get correlation. The plan is to continue to maximize Threat Stack as our AWS primary visibility tool.
I would rate the product at seven out of ten. If they can solve that application layer side of it, it would take them up to a very solid nine.