Threat Stack Review

Ties together containers, Kubernetes, AWS, and instance monitoring, allowing us to take meaningful action

What is our primary use case?

We have multiple use cases of equal importance:

  • endpoint security
  • cloud platform monitoring
  • orchestration security

How has it helped my organization?

The most important example of how it has improved our organization is that we had a security incident that I can't give you a lot of details around. But about two months ago, an attacker compromised an internet-facing system. We were able to detect, analyze, and remediate that in less than 60 minutes, on a Saturday.

When an attack compromises a system it changes the configuration of that system. Being able to detect that immediately and take action on it in an extremely short period of time is unbelievably valuable and pretty much mandatory.

The rules definitely give us more visibility and control over what's being triggered. We demo a lot of different security tools, especially cloud-specific security tools. So far, Threat Stack is the only one that we have found that ties all the relevant pieces together, so that we can take action in a meaningful way. Every other security tool we've looked at is good at containers, or at Kubernetes, or at AWS, or at instance monitoring. But nobody is good at tying all of those things together, and that's really where Threat Stack shines. They take endpoint security and these new technologies very seriously. That alone differentiates them from just about every other competitor in the market right now.

It has absolutely provided us with the ability to gain actionable insights into our cloud infrastructure. We use it as a configuration monitoring and alerting tool. The fact that we can tie 20 AWS accounts into a single view, or a single pane of glass, and monitor the security configurations of those 20 accounts in one setting, is just huge.

We have also used this solution as part of a SOC 2 audit, two years in a row, and it has saved us drastic amounts of time. Before Threat Stack, collecting endpoint evidence or, for instance, AWS configuration evidence would take a team of three people about a month, in terms of total duration, not total time. Now, we're able to provide that evidence within an hour.

There has been a measurable decrease in the mean time to remediation, by 95 percent. It's a ridiculous level of change; I can't speak highly enough about it. When we had security incidents before, if we detected it - and that's "if" because we didn't have the same level of visibility - the remediation cycles could last weeks. The reason for that was trying to understand what the blast radius of an attack was. It took a long time to figure that out because we were correlating information from multiple tools, trying to link data, and it turned into a big data problem that we had to solve very quickly. Each incident was different, so the data sets were different. It was really hard to set up playbooks to do that quickly. But with Threat Stack, because we have so many different tech verticals already collated in one place, our ability to respond is drastically different than it used to be. It has also cut down the time to investigate potential attacks by the same amount, 95 percent.

What is most valuable?

The endpoint security monitoring and the AWS security monitoring tie all of these things together in a way that lets us make sense of data that, before, wasn't available or tied. For example, if we have a security event on an EC2 instance, we can correlate that to a security event on AWS on the management platform.

The threat detection pieces of it are our most valuable resource, and right behind them is configuration monitoring. Those are the two highest risks to our environment.

In terms of using this solution for container and Kubernetes monitoring, that's a pretty new feature and it's definitely coming along. I think they're very good at it right now, and they keep adding features, so we're pretty happy with that at the moment.

The tuning process is pretty straightforward. Their rule sets are easy to understand. The UI is set up in a way where it's really easy to modify false-positive alerting. It's one of the more low-stress tuning operations I've ever done, compared to other endpoint security products, or ITS-type engines.

What needs improvement?

The solution’s ability to consume alerts and data in third-party tools (via APIs and export into S3 buckets) is moderate. They have some work to do in that area. I'd like to see more on that side. I'd like to see much better reporting. The API does not mimic the features of the UI as far as reporting and pulling data out go. There's a big discrepancy there.

The other thing that would be really great - and I know this is something they might not want to get into as a business, but it's something I'd love to see - would be if we could bring in data from other tools, specifically AWS WAF. If we could bring in data from there, and include that with what they're already collecting, that would be a huge game-changer for us.

Finally, container vulnerability assessment is something they aren't doing right now.

For how long have I used the solution?

One to three years.

What do I think about the stability of the solution?

It has been super-stable; we haven't had any downtime. We've had a couple of instances where agents stopped running, but that was because of interfering processes on an endpoint. They're like snowflakes, very unique circumstances. But stability has never been a problem.

What do I think about the scalability of the solution?

It scales to whatever we want to go to.

How are customer service and technical support?

Tech support is fantastic. We're a very advanced shop. We're not patting ourselves on the back; it's just that we find problems in products that a lot of other customers don't find. When we do have a problem, Threat Stack's response is immediate. They bring all hands on deck. They have even gone as far, in the past, as bringing in their engineering staff, their development staff, to help solve problems in a quick way.

If you previously used a different solution, which one did you use and why did you switch?

We replaced CloudWatch for AWS configuration management with Threat Stack.

How was the initial setup?

The setup was very straightforward. It's built to run in the cloud, so it doesn't require any infrastructure on our side. It's a very simple agent and it's extremely easy to install. Even more importantly, it's wickedly simple to automate the deployment. They put a lot of thought into that when they designed the agent. One of the biggest problems we had with other vendors was that deploying was always a bit of a nightmare. With Threat Stack, it's ridiculously simple.

We were able to deploy to somewhere around 3,700 nodes in less than two weeks. Most of that time was writing the automation. The deployment itself took hours.

We use immutable infrastructure. So our implementation strategy was to include the Threat Stack agent installation into our initial instance configurations.

What was our ROI?

Return on investment with security tools is hard to gauge. It's not unique to us, but for some companies, security is a sales driver and we're definitely one of those companies. Having Threat Stack in place, being able to provide meaningful artifacts to our customers, has definitely shortened sale cycles for us.

Where we had to abstract ten different sets of data to create an artifact for an audit or customer review, we don't have to do that anymore. It's very easy for us to demonstrate our security controls. We've been able to pick up multi-million-dollar accounts from very large technology companies that have extremely strict security requirements because we have this tool in place.

What's my experience with pricing, setup cost, and licensing?

It's too expensive, but I'm always going to say that. It is very expensive compared to some other products. The pricing is definitely high.

Which other solutions did I evaluate?

We did a demo with Twistlock but we never actually implemented it because we had a ton of problems with it. We used OSSEC for a long time, and Trend Micro on a previous iteration. We're so picky about the products we choose. We've demoed polls from Palo Alto, Aqua Security, and a bunch of others. I'm having trouble keeping track of all of them. Threat Stack is the one we keep coming back to.

We've gone with Threat Stack for many reasons. It ties together these multiple technology verticals in one pane of glass, and cross-correlates security across those verticals. That's super-important; I can't overemphasize that. That's a big differentiator, as are the ease of deployment, the ease of management, the reliability, and the support we get. We keep coming back to them because all of our other experiences have had very negative portions to them.

We're paying a lot of money for a product, so we don't want to have to spend more money on infrastructure to support the product. A lot of other vendors require us to build dedicated servers inside our networks. They don't deal well with multi-AWS-account businesses. And the biggest thing is that a lot of products we're seeing in the space are really geared towards enterprises that are going to the cloud for the first time, greenfield-type applications. Threat Stack is flexible enough that it really does well in an environment where a company is already cloud-native. We're a SaaS company, and our demands are very unique to the SaaS world. We've been on the cloud our entire life. Having a tool that can work within that paradigm, and not necessitate greenfielding everything, is super-important.

What other advice do I have?

Build very tight relationships with Threat Stack's sales, engineering, and onboarding teams. That is something that has saved us a good amount of pain. Also, spend a dramatic amount of time going through their documentation; really understand the product before you start deploying it.

We're using a combination of the 1.X and some of the 2.X agents. We're one of their more advanced, self-sufficient customers. We definitely do not buy any of their services.

It's only security and site reliability engineers who use the tool. We have 20 to 25 users. But that's for 3,700 endpoints and it's going to be close to 20,000 containers. Deployment and maintenance of Threat Stack require two people, security engineers. That's only for redundancy. I ran the product for about ten months by myself.

As our infrastructure grows, our usage of Threat Stack will grow with it.

Disclosure: IT Central Station contacted the reviewer to collect the review and to validate authenticity. The reviewer was referred by the vendor, but the review is not subject to editing or approval by the vendor.