What is our primary use case?
Our primary use case is to validate our AWS configurations, as well as to provide endpoint protection to our hosts in the cloud. Our primary use of the tool is to gain actionable insights into our cloud infrastructure. The dashboard and daily audits of our environments give us a plan of action for items that we may need to remediate going forward, or for new resources which may need a configuration checkup.
How has it helped my organization?
Threat Stack allows us to quickly identify public AWS buckets across a large number of accounts, so we can validate what is within those public buckets and should be publicly accessible. Knowing that no buckets are being created incorrectly is probably a safe thing.
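The kind of bucket audit described above, written out as an added example (this is not Threat Stack's code or the reviewer's): each bucket is classified from its ACL grants, its bucket policy and its Public Access Block settings, in the shape the S3 GetBucketAcl, GetBucketPolicy and GetPublicAccessBlock APIs return, and any effectively public bucket is compared against an allowlist of buckets that are meant to be public. The account ids, bucket names and inventory are constructed sample data; in a real run the inventory would be collected per account with the AWS SDK, which is not shown here.

```python
"""Flag S3 buckets that are effectively public and not on the intended-public list."""
import json

# Canned grantee URIs that make an S3 ACL public.
PUBLIC_GRANTEE_URIS = {
    "http://acs.amazonaws.com/groups/global/AllUsers",
    "http://acs.amazonaws.com/groups/global/AuthenticatedUsers",
}


def acl_is_public(acl):
    """True if any ACL grant goes to the AllUsers or AuthenticatedUsers group."""
    for grant in acl.get("Grants", []):
        grantee = grant.get("Grantee", {})
        if grantee.get("Type") == "Group" and grantee.get("URI") in PUBLIC_GRANTEE_URIS:
            return True
    return False


def _principal_is_wildcard(principal):
    """Match the policy forms that mean 'anyone': "*" or {"AWS": "*"} (possibly in a list)."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        aws = principal.get("AWS")
        return aws == "*" or (isinstance(aws, list) and "*" in aws)
    return False


def policy_is_public(policy_json):
    """True if the bucket policy has an unconditioned Allow for a wildcard principal."""
    if not policy_json:
        return False
    statements = json.loads(policy_json).get("Statement", [])
    if isinstance(statements, dict):  # a single statement may be given bare
        statements = [statements]
    for st in statements:
        if (st.get("Effect") == "Allow" and _principal_is_wildcard(st.get("Principal"))
                and not st.get("Condition")):
            return True
    return False


def public_reasons(bucket):
    """Return why a bucket is effectively public, honouring its Public Access Block.

    IgnorePublicAcls makes S3 disregard public ACL grants; RestrictPublicBuckets
    neutralises a public bucket policy for anonymous callers.
    """
    pab = bucket.get("public_access_block", {})
    reasons = []
    if acl_is_public(bucket.get("acl", {})) and not pab.get("IgnorePublicAcls", False):
        reasons.append("ACL grants access to a global group")
    if policy_is_public(bucket.get("policy_json")) and not pab.get("RestrictPublicBuckets", False):
        reasons.append("bucket policy allows a wildcard principal")
    return reasons


def audit_buckets(buckets, allowlist):
    """Classify every bucket across accounts; flag public ones not in the allowlist."""
    findings = []
    for b in buckets:
        reasons = public_reasons(b)
        if not reasons:
            status = "private"
        elif (b["account"], b["name"]) in allowlist:
            status = "expected-public"
        else:
            status = "UNEXPECTED-PUBLIC"
        findings.append({"account": b["account"], "bucket": b["name"],
                         "status": status, "reasons": reasons})
    return findings


# Constructed sample inventory: hypothetical account ids and bucket names.
ALL_USERS = {"Type": "Group", "URI": "http://acs.amazonaws.com/groups/global/AllUsers"}
WILDCARD_READ_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Principal": "*", "Action": "s3:GetObject",
                   "Resource": "arn:aws:s3:::customer-exports/*"}],
})
SAMPLE_BUCKETS = [
    {"account": "111111111111", "name": "static-site-assets",
     "acl": {"Grants": [{"Grantee": ALL_USERS, "Permission": "READ"}]},
     "policy_json": None, "public_access_block": {}},
    {"account": "222222222222", "name": "customer-exports",
     "acl": {"Grants": []}, "policy_json": WILDCARD_READ_POLICY, "public_access_block": {}},
    {"account": "222222222222", "name": "build-artifacts",
     "acl": {"Grants": [{"Grantee": ALL_USERS, "Permission": "READ"}]}, "policy_json": None,
     "public_access_block": {"BlockPublicAcls": True, "IgnorePublicAcls": True}},
    {"account": "333333333333", "name": "flow-logs",
     "acl": {"Grants": []}, "policy_json": None,
     "public_access_block": {"RestrictPublicBuckets": True}},
]
# Buckets that are meant to be public (the web site's static assets).
INTENDED_PUBLIC = {("111111111111", "static-site-assets")}

if __name__ == "__main__":
    for f in audit_buckets(SAMPLE_BUCKETS, INTENDED_PUBLIC):
        print(f"{f['account']} {f['bucket']:<20} {f['status']:<18} {'; '.join(f['reasons'])}")
```

Running the script lists one expected-public bucket, one unexpected-public bucket (a wildcard policy with no Public Access Block), and two private ones, including a bucket whose public ACL is neutralised by IgnorePublicAcls; the allowlist is what turns a raw "is public" signal into the "should be public" judgement the review describes.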
The ability to reconfigure alert rules allows us to ensure that what we are alerted on is a priority for us.
It provided valuable data in our recent SOC 2 type II audit, where it saved us time.
What is most valuable?
We enjoy the AWS Config audit within Threat Stack. This allows us to quickly score our AWS accounts against known-good configurations, then receive a letter grade which is easy to understand, as well as suggestions for plans to improve those scores and remediate issues.
What needs improvement?
I would like the following:
- Further support of Windows endpoint agents or the introduction of support for Windows endpoint agents.
- The ability to quickly templatize rule sets and share them.
For how long have I used the solution?
One to three years.
What do I think about the stability of the solution?
We've had no issues with the stability or availability of the product.
Deployment and maintenance can be managed by a single party. In our company, we are leveraging somebody in the security team to manage it.
What do I think about the scalability of the solution?
We have not hit any limits within the service. Talking with other customers, I have never run into anyone who has hit any form of service limit within Threat Stack.
We have approximately 12 users, who span security, compliance, privacy, engineering, and development.
We are currently using Threat Stack across more than 20 AWS accounts and are beginning our deployment to several hundred hosts within the AWS system, nearly a thousand.
How are customer service and technical support?
I used the technical support on limited occasions. They were timely and quickly got me to resolution.
How was the initial setup?
The initial deployment was straightforward. It requires a simple key-pair configuration into AWS to gather the information that they need. Their endpoint agent deployment is done via a script provided by Threat Stack.
The initial deployment was done in less than ten minutes.
Our original implementation strategy was to deploy Threat Stack into our production accounts to provide audit information as quickly.
What about the implementation team?
We deployed it ourselves.
What was our ROI?
With Threat Stack, we quickly identified some AWS accounts which had services that would potentially be exposed and were able to remediate them prior to release of products.
We have seen a measurable decrease in the mean time to remediation.
What's my experience with pricing, setup cost, and licensing?
We find the licensing and pricing very easy to understand and a good value for the services provided.
Purchase it as soon as you possibly can because the information it provides you is invaluable.
Which other solutions did I evaluate?
We tried a number of internal AWS tools, but that was all.
We went with Threat Stack because they provide the benchmarking against industry-accepted known-good standards within the cloud. Their continuous audit and monitoring is something that we needed, along with their scoring over time.
What other advice do I have?
The tuning process is easy to use given the preconfigured rule sets which are offered and the flexibility of the API to create more rule sets. It is very easy to silence alerts that you may deem unnecessary in your environment.
It is my understanding that the Threat Stack API is pretty consumable, and if you want to do exports, you may.
We haven't had an incident where we needed to investigate a potential attack.
We will be using this solution for container and Kubernetes monitoring in the future. We do not currently use it for that, but it is one of the primary reasons we selected their endpoint protection, because of their support for containers and specifically Kubernetes.