Threat Stack Review

It is a cost-effective choice versus other solutions on the market but has some features that do not work as expected


What is our primary use case?

The primary use case of Threat Stack is file integrity monitoring. If any change happens at the file level on the net server, then it should send us a report back.

How has it helped my organization?

Threat Stack is a pretty easy tool because of its integration with AWS instances and everything; that's easy. So you build up a Threat Stack server, it goes to your AWS instances one at a time, and then later on, if a new instance gets added or removed, it will keep an eye on that. It acts as a traditional IPS, so when it is introduced for the first time, that data is the normal state.

In addition, you can do all the integration, and the ticketing becomes very easy, because command is a security orchestration tool.

What is most valuable?

The configuration part was pretty easy, because once you have an agent, you start getting the alerts. That is the one thing. Then obviously, like any other SIEM tool, whether it is an install or a cloud-based architecture, it comes down to the kind of alerts which you are getting. For example, if I have to suppress any specific alert in Splunk, then I have to be very well versed with the Splunk Processing Language, SPL, or I have to go to the CIM and then change it.

In addition, Threat Stack has connectivity. A good example is Docker containers and AWS. This is one of the major things which makes it one of the prime tools for cloud security companies.

What needs improvement?

Firstly, it shoots back a lot of alerts. Secondly, there are some drawbacks which we have found. Sometimes, they say that the server is down and up, but it is not coming up. This happens repeatedly. Thirdly, the solution should have hash calculation.

In addition, from a security point of view, they go to the file level. That's pretty nice. But they are running completely on AWS instances and Linux boxes most of the time, so a file can be modified, but what is happening at the process level? That should be the thing on which we should shoot alerts, not on the basis of files.

What do I think about the stability of the solution?

Yes, there is an issue with stability. There is a search lag in the GUI (graphical user interface).

What do I think about the scalability of the solution?

It is scalable. It deploys easily with curl and yum.

How was the initial setup?

Installation is easy. But there must be a good understanding of Linux.

What's my experience with pricing, setup cost, and licensing?

It is a cost-effective choice versus other solutions on the market.

Which other solutions did I evaluate?

We considered McAfee and Trend Micro, but we chose this instead.

What other advice do I have?

An important feature of this solution is monitoring. Specifically, container monitoring.

Disclosure: I am a real user, and this review is based on my own experience and opinions.
1 Comment

SkylerCain (Top 10, Real User):

I have not noticed any of my ThreatStack agents going up and down. Have you upgraded to the latest version of the agent and/or reinstalled on those instances? Was it specific to certain instances or was it random? Also do you utilize their SecOps program as I found that to be super helpful in tweaking and adjusting the alerts as I am not as experienced nor have the time to manage the alerts.
