Infosec Engineer - Lead at a tech vendor with 1,001-5,000 employees
Real User
Helps us detect things based on severity and to focus on the critical and high-severity issues
Pros and Cons
  • "There are many valuable features that I use in my daily work. The first are alerts and the event dossier that it generates, based on the severity. That is very insightful and helps me to have a security cap in our infrastructure. The second thing I like is the agent-based vulnerability management, which is the most accurate information."
  • "I would like to see a remote access assistance feature. And the threat-hunting platform could be better."

What is our primary use case?

We use it mainly for detection and response purposes. We have also started using Lacework as our vulnerability management tool, which is most important for our organization. We don't have any kind of security layer for all our cloud infrastructure so we are using Lacework as a security product for our cloud infrastructure.

How has it helped my organization?

When I joined this organization, Lacework was being onboarded. It was in setup mode. If I compare the visibility I have had over these last 10 months with Lacework with what visibility was like before, I now have complete visibility into my entire infrastructure. If anything happens, Lacework will definitely catch it. That is very efficient and I'm able to react before the attack.

An advantage that Lacework gives us in our environment is that it covers a vast majority of use cases, which helps us to detect things based on severity, and it helps us to have more focus on those issues. For example, last week we had an alert that said that there was an external connection made from an internal server, and our internal servers are not supposed to communicate with the external, because it's behind the VPN and it's behind the firewall. That should not happen, but it was happening. A good detection rule helped us.

In terms of seeing things from an attacker's point of view, a couple of weeks back I received an alert that a user with root permission had logged in and tried to do something he is not supposed to do, which means he didn't have admin permission. I also received an alert about policy changes. I got the user ID and did a reverse lookup in my database to find out who the user was and his department. I reached out to him and I asked him about it, and it turned out he was doing a red team activity and testing Lacework. Red team activity is very difficult to detect, but Lacework did a very good job on that.

And for continuous monitoring, we have created a kind of dashboard, although not a complete dashboard. Lacework has a better dashboard. Our major priority is to look into critical, high, and medium alerts, which we never miss. We continuously monitor for high-priority alerts. It shows us those by default in the Lacework dashboard. That helps in our daily monitoring.

With Lacework, the alert flow has been reduced a little bit, about 6 percent, but attackers never sleep. We have a lot of alerts coming in, day in and day out. It's now Christmas time and this is the perfect time for attackers to try to target an organization because they know the response team will be outnumbered. In addition, Lacework has reduced the time it takes us in an investigation by 70 to 80 percent because it keeps complete information. That means we don't have to verify where the information came from. Rather, we can use that information in our investigation.

It helps free us up to work on other tasks. We can create custom rules to eliminate false positive alerts. These are the gray areas that we have started exploring and that gives us time to work on other stuff.

What is most valuable?

There are many valuable features that I use in my daily work. The first are alerts and the event dossier that it generates, based on the severity. That is very insightful and helps me to have a security cap in our infrastructure.

The second thing I like is the agent-based vulnerability management, which is the most accurate information. It helps us to know what the security gaps or weaknesses are in the systems and to patch them. Finding a critical weak spot is one of the best features, with the agent-based scanner. We can check it out, based on a filter of the host or container, get the vulnerability report for that particular host, and just share it with the DevOps team to patch.

For anomalous activities, Lacework has a good set of rules for detection and it gives super-informative alert information. For example, when an issue is detected that results in an alert, it doesn't just give the details. It also explains clearly what is happening, with "WH" questions. In the alert, if you click on "Why this alert has been detected," there is a clear explanation for it. Next, you can click on, "When," and it gives the time range of the detection time. The next is "What has been impacted?" That kind of accurate information means we don't have to look around or worry about the source of the information or the legitimacy of the alert.

What needs improvement?

I would like to see a remote access assistance feature. And the threat-hunting platform could be better.


For how long have I used the solution?

We have been using Lacework for about 10 months.

What do I think about the stability of the solution?

It's a stable product compared to the initial days that we had it. They are doing much better because they are also conducting frequent webinars on how to use new features whenever an update comes out.

We haven't faced any issue, like a Google outage, in the last 10 months. It's really good. I do see a little lag but it could be because of my internet connection since I'm working from home.

What do I think about the scalability of the solution?

We use all the cloud environments, Azure, GCP, and AWS, and have deployed Lacework for all three. We have approximately 50 people who use it, on and off.

How are customer service and support?

Even though here and there there are some problems with the solution, whenever we address the issues with the Lacework team, they're always ahead of it in their response and they are always supportive.

We have a community channel as well. CSP is partnered with us and we have frequent communications with them. We have a conversation with them on a day-to-day basis on a Slack channel. Their technical team is connected all the time. The moment we post a question on that channel, we will get a response within five or 10 minutes. That is a much faster resolution than any other solution that I have used.

How would you rate customer service and support?

Positive

How was the initial setup?

We have a separate DevOps team that takes care of Lacework deployment, uploading and installing the agent. My job is to make sure that we have visibility into all our containers and host-based cloud infrastructure. Lacework has a feature called resource that completely shows how many containers or instances are running with Lacework and without Lacework. I just pull that data and give it to the DevOps team. They go in and do the config of hosts that don't have a Lacework agent.

There is some maintenance involved with Lacework, but in most scenarios it isn't a problem. We always want to have visibility into everything, so we need to make sure that things are working fine.

Which other solutions did I evaluate?

There are very few solutions out there for cloud infrastructure. When it comes to physical infrastructure, there are already many tools. But the cloud industry is just beginning. I have worked with a few of the cloud solutions and I found Lacework is the most useful one because it has various categories of alerts.

What other advice do I have?

The security team is the most important part of any organization because they are the people who help protect your organization. For them to protect you, they need better visibility into the environment and infrastructure and certain tools to help do their jobs more easily. As an analyst, I think Lacework is much better.

When an analyst gets an alert, time becomes very crucial. His response time should be 30 minutes. In the first 15 minutes, he should be able to understand what type of attack it is, exactly what is happening, and how to stop it. And he also should come to a method of remediation to stop the attack for the short term. For all these aspects, Lacework is really much better. Any analyst, when working on an alert, will initially have the five questions: why, when, what, how, and where. That's what Lacework provides. These questions are the template for any analyst and with them, it takes me about 15 minutes to understand an alert. In the next 15 minutes, I will work on contacting the team, et cetera. From a time perspective, Lacework is much better.

Give Lacework a try. It's one of the best tools in the market that I have used so far. Except for the RTR response, the rest is fine. It is really doing a pretty good job. It will never disappoint you.

Disclosure: PeerSpot contacted the reviewer to collect the review and to validate authenticity. The reviewer was referred by the vendor, but the review is not subject to editing or approval by the vendor.