A Year in the Life of Threat Stack’s Cloud Security Platform®

Before we get too far into 2017, we want to take a final look back at 2016 — specifically at some of the great enhancements we made to Threat Stack’s Cloud Security Platform®.

In the security world, 2016 was filled with major incidents, including massive data breaches, nation-state cyber interference, crippling DDoS attacks, and increased numbers of ransomware incidents — along with all the less glamorous, day-to-day security threats that had the potential to impact every cloud-based business in existence. So much for the bad news!

At Threat Stack, 2016 was the year we transformed our best-of-breed Host Intrusion Detection System into the industry’s first cloud-native, end-to-end Cloud Security Platform to deliver a unified view into workloads, infrastructure monitoring, vulnerability management, threat intelligence, and compliance reporting.

Throughout the year, we made numerous enhancements (including incident management integrations with Slack, PagerDuty, and VictorOps) that provide better data, increased automation, streamlined workflows, and decreased response times. While all of these enhancements have come about because they add value to the platform, the following three give end users the greatest power to audit, monitor, investigate, and remediate within their cloud environments, and so we felt a brief summary (or introduction if you’re new to Threat Stack) was in order:

  • AWS Configuration Auditing – The ability to baseline your AWS configurations against industry best practices.
  • Vulnerability Monitoring – The ability to detect and view all vulnerable software packages in your environment in one place.
  • Threat Intelligence – The ability to monitor your hosts for connections to and from known bad IP addresses.

AWS Configuration Auditing

Configuration Auditing enables Threat Stack users who are operating in AWS to implement AWS security best practices by automatically auditing current environments and providing an immediate, concise report of configurations that are non-compliant with best practices. Threat Stack then offers steps to remediate the issues and make the AWS environment more secure.

Whether the user is an Operations Engineer being tasked with handling more security demands or a seasoned Security professional who wants better insights into their AWS environment, Configuration Auditing immediately and easily enables them to:

  • Assess the current state of their security posture
  • Compare this baseline against security best practices (including CIS AWS Foundations Benchmark)
  • Identify and prioritize steps for remediation
  • Set up recurring scans and use these to maintain or improve their security posture over time

Vulnerability Monitoring

Our friends at Veracode reported that “more than half of all breaches involve web applications — yet less than 10 percent of organizations ensure all critical applications are reviewed for security before and during production.” That’s why automated vulnerability monitoring is so important: it enables security teams to examine package information in real time to determine whether vulnerable packages exist and if so, where they’re located.

When implemented at the host level, automated monitoring means vulnerabilities can be identified and fixed at every step of the application lifecycle and can protect an organization’s most visible attack surfaces — its website and its applications. This can drastically decrease the attack surface so breaches are less likely to occur, ensuring that intellectual property is protected and invisible to attackers.

Leveraging all two million CVEs from the National Vulnerability Database, Threat Stack ensures that every package in every host is analyzed against each CVE at the end of the day that the CVE is released. This means Threat Stack not only catches vulnerabilities in just-released packages, it can also detect vulnerabilities in packages that were released many years ago. On top of correlating CVEs with package information, Threat Stack also correlates results with information from security advisory pages published by each operating system vendor.

By pulling in data from many sources and normalizing it, Threat Stack provides users with refined vulnerability data that can be used for making effective decisions.
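The correlation step described above, as an added illustration rather than Threat Stack's own code: installed package versions are checked against an upstream (NVD-style) fixed-in version, and then against the OS vendor's advisory, which often records a backported fix in a distro build whose upstream version number still looks vulnerable. All package names, versions, advisory entries and CVE ids below are constructed placeholders.

```python
import re

def version_key(v: str) -> tuple:
    """Comparable key for distro-style versions such as '1.0.2g-1ubuntu4.6':
    numeric runs become ints, alphabetic runs stay strings, tagged so they never collide."""
    parts = re.findall(r"\d+|[A-Za-z]+", v)
    return tuple((0, int(p)) if p.isdigit() else (1, p) for p in parts)

# Constructed inventory of what a host agent reported (name -> installed version).
INSTALLED = {
    "openssl": "1.0.2g-1ubuntu4.6",
    "bash": "4.3-14ubuntu1.2",
    "nginx": "1.10.0-0ubuntu0.16.04.4",
}

# Constructed NVD-style feed; the CVE ids are placeholders, not real entries.
CVE_FEED = [
    {"id": "CVE-0000-0001", "package": "openssl", "fixed_in": "1.0.2h"},
    {"id": "CVE-0000-0002", "package": "bash", "fixed_in": "4.4"},
    {"id": "CVE-0000-0003", "package": "nginx", "fixed_in": "1.10.1"},
]

# Constructed OS-vendor advisory data: the distro build that carries a backported
# fix for each placeholder CVE. Distros often patch without bumping the upstream
# version, so an upstream-only comparison over-reports.
VENDOR_ADVISORIES = {
    "CVE-0000-0001": {"openssl": "1.0.2g-1ubuntu4.6"},
    "CVE-0000-0003": {"nginx": "1.10.0-0ubuntu0.16.04.5"},
}

def find_vulnerable(installed, cve_feed, vendor_advisories):
    """Return (package, version, cve_id) for every installed package that is
    still affected after both the upstream range and the vendor advisory apply."""
    findings = []
    for cve in cve_feed:
        pkg = cve["package"]
        if pkg not in installed:
            continue
        ver = installed[pkg]
        # Step 1: upstream check, anything older than fixed_in is affected.
        if version_key(ver) >= version_key(cve["fixed_in"]):
            continue
        # Step 2: the vendor advisory wins if the installed build already carries the backport.
        backport = vendor_advisories.get(cve["id"], {}).get(pkg)
        if backport is not None and version_key(ver) >= version_key(backport):
            continue
        findings.append((pkg, ver, cve["id"]))
    return findings
```

With the constructed data, openssl is cleared by the vendor backport, bash is reported because no advisory covers it, and nginx is reported because the installed build predates the backported fix.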

Threat Intelligence

When it comes to threat intelligence, it’s essential to monitor workload communication with bad hosts. To determine when their workloads are talking to active APT command and control servers (a.k.a. the bad guys), the security operations team needs to be monitoring for:

  • Outbound connections to a known botnet
  • Outbound connections to a known command and control server

If the security operations team is running a number of third-party services, each connecting to its own backend, there is no practical way to control or monitor the Command and Control stage of the Cyber Kill Chain without manually comparing the IP addresses the cloud environment connects to against known bad IP lists.

This is where Threat Stack’s Cloud Security Platform® comes in, gathering threat intelligence directly from workload communication with bad hosts and alerting the ops and security teams so they can take action before attackers go to town, so to speak. The Threat Stack Cloud Security Platform® automates the process of letting the security team:

  • Know when workloads are communicating to known bad hosts
  • Receive granular alerts about who servers are talking to

It collects every accept and connect from every host; each time one is detected, it compares the remote IP against the several million IPs (and growing) on the bad IP list, which is curated and continuously updated from the top commercial and open sources to provide the most accurate threat intelligence.

This always-on approach to threat intelligence monitoring helps Threat Stack users quickly determine when a threat is present. To streamline the process, users can create threat intelligence-based alerts that provide visibility into the complete Kill Chain, including Command and Control.
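The accept/connect matching described in this section, written out as an added example (not Threat Stack's implementation): the bad-IP feed is indexed once, then each host event's remote address is looked up and an alert is produced with the direction and feed category. The feed entries use RFC 5737 documentation ranges and the host events are constructed; none of them are real indicators.

```python
import ipaddress

# Constructed bad-IP feed using RFC 5737 documentation ranges, not real indicators.
BAD_IP_FEED = {"198.51.100.23": "botnet", "203.0.113.0/24": "command_and_control"}

def build_index(feed):
    """Index the feed once: single IPs go in a dict (O(1), scales to millions),
    CIDR blocks in a short list that is scanned linearly."""
    exact, networks = {}, []
    for entry, label in feed.items():
        if "/" in entry:
            networks.append((ipaddress.ip_network(entry, strict=False), label))
        else:
            exact[ipaddress.ip_address(entry)] = label
    return exact, networks

def lookup(index, ip):
    """Return the feed label for ip, or None if it is not listed."""
    exact, networks = index
    addr = ipaddress.ip_address(ip)
    if addr in exact:
        return exact[addr]
    for net, label in networks:
        if addr in net:
            return label
    return None

# Constructed host-agent records: (host, syscall, remote_ip, remote_port).
# connect() is outbound, accept() is inbound; the remote side is what is checked.
EVENTS = [
    ("web-1", "connect", "192.0.2.10", 443),     # ordinary outbound, not listed
    ("web-1", "connect", "203.0.113.77", 6667),  # outbound into the C2 range
    ("db-1", "accept", "198.51.100.23", 22),     # inbound from a listed botnet node
    ("db-1", "connect", "10.0.1.5", 5432),       # internal traffic, not listed
]

def alerts_for(events, index):
    """One alert per event whose remote IP is on the bad-IP list."""
    alerts = []
    for host, syscall, remote_ip, port in events:
        label = lookup(index, remote_ip)
        if label is None:
            continue
        alerts.append({"host": host, "category": label, "remote": f"{remote_ip}:{port}",
                       "direction": "outbound" if syscall == "connect" else "inbound"})
    return alerts
```

Running `alerts_for(EVENTS, build_index(BAD_IP_FEED))` yields two alerts: the outbound connect into the C2 range and the inbound accept from the listed botnet node.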

A Final Word . . .

Throughout 2016 we continued to evolve the Threat Stack Cloud Security Platform® so it delivers immediate and long-term value to companies of all sizes and maturity levels regardless of whether they are just starting out in the cloud or are looking to strengthen their existing cloud security.

As we enter 2017, we are continuing to add to Threat Stack’s breadth, depth, and usability based on our ongoing research and the valuable feedback provided by our customers and partners alike. Stay tuned for updates.