More often than not we need to go beyond a single Severity 1 alert to work out what a user (including a potential attacker) was actually doing on a system. Host events in particular show only a small part of the picture, and one alert rarely carries the context you need to make an escalation decision. This blog post explains how to pivot from a single host event, or from a single user-related alert, to the user’s whole session, using the data your intrusion detection system already provides. Read more “How to Track Agent-Based User Activity”
In this post we’ll try to develop an understanding of a typical attacker’s mindset and then show you how companies like yours can use this knowledge to enhance their security posture. Before we dive in, however, let’s ask a basic question: What is a cyber attacker?
A cyber attacker can be any entity — an individual, a group of individuals, a company, etc. — that tries to harm another entity via their cyber infrastructure. Attackers are often portrayed as ruthless entities that go to great lengths and use elaborate resources to attack state-of-the-art company defenses. Defending companies and individuals frequently view these entities as advanced attackers that challenge themselves by trying to break through fortified security controls by attacking them head on. That may be true in a few cases, but most attackers — especially the most seasoned (i.e., the smartest and most successful) — will try to find the path of least resistance and will also try to use the smallest number of resources when attacking. In other words, they use brains rather than brute force to achieve the biggest gain with the least effort. Let’s explore this in more detail below.
Read more “How to Understand Your Attacker’s Mindset”
Cost Savings and Business Benefits Enabled by Threat Stack
When investing in cloud security platforms and services, businesses naturally want to measure ROI beyond the number of deterred attacks. After all, effective cloud security also protects customer data, intellectual property, organizational resources, organizational efficiency, and team productivity, all of which affect your bottom line.
Recently, we asked Forrester Research to do a total economic impact study of Threat Stack. Their findings? Businesses that use the Threat Stack platform and services are saving more than $900,000 over three years due to reduced risk, improved productivity, and lowered hiring costs. The Threat Stack Cloud Security Platform® offers complete security observability across your infrastructure. So not only can you identify intrusions or threats, but you can also identify and change risky behavior to improve your baseline security posture, which leads to a greater ROI over time. In fact, Forrester found that Threat Stack customers had an average ROI of 178% over three years. Read more “The Economic Impact of Threat Stack – A Forrester Research Study”
This post explains how the PCI Security Standards Council has introduced its new PCI Software Security Framework to align PCI with modern software development and deployment practices such as DevOps, microservices, and containers.
Read more “New PCI Standards for New Ways of Building Software”
As we’ve pointed out in a couple of recent blog posts, Machine Learning (ML) has been billed as a savior for short-staffed security teams, a silver bullet that can single-handedly identify and mitigate every security threat automatically. As we usually do with silver bullet solutions, we’ve cautioned readers to distinguish between the hype and the reality. While ML has many strengths and is here to stay, it’s only a part of the solution in the world of cybersecurity, not the solution itself. Human input is still essential to draw meaningful conclusions and define appropriate action.
In today’s post, we’re continuing to advise readers that it’s essential to go below the surface, to distinguish between the hype and reality, when evaluating a cybersecurity solution. Remember: A beautiful package may open up to reveal a beautiful can of worms. Keep your eyes open, investigate below the surface, and avoid nasty surprises. Read more “How to Cut Through Vendor Claims & Marketing Hype When Evaluating New Security Tools”
— Joe Baker, Manager Software Engineering
From time to time the Engineering, Operations, and Security groups at Threat Stack contribute blog posts that share information on techniques and tools we’ve developed so we can do things faster, more accurately, and with fewer resources. These range from tips for using Scala in the real world, to improving our SOC 2 management process using a home-grown tool called sockembot, to insights into how we manage our on-call rotation using another home-built tool called Deputize (which we’ve since made available as open source).
Today’s post is by Alfredo Perez, one of our software engineers, and focuses on Scala Regex String Extraction.
One of my favorite Scala patterns that I’ve learned and used here at Threat Stack is regex string extraction with pattern matching. It’s a simple pattern, but it is very powerful for extracting parts of a string and very readable. The power comes from combining regular expression capture groups with Scala’s pattern matching. Read more “Scala Regex String Extraction”
Machine Learning (ML) has been around in one form or another for a long time. Arthur Samuel started working in the field in 1949 and coined the term in 1959 while working at IBM. Over the years, ML applications have been developed in practically every industry sector.
Recently, we’ve been hearing a lot about “silver bullet” ML-based cybersecurity solutions that can single-handedly and automatically enable short-staffed security teams to identify and mitigate every kind of security threat imaginable. Of course, silver bullet solutions are as old as security itself, and by definition they’re almost always too good to be true. So is the current crop of ML-driven cybersecurity solutions real or hype?
Given that a lot of hype has a few grains of truth in it, let’s use this post to look at the promise, the marketing hype, and the reality — at what ML can do and cannot do in its current state (with a peek at what it might be able to do sometime down the road). (Spoiler Alert: The operative word in this blog’s title is “promise.”) Read more “The Promise of Machine Learning vs. The Reality of Human Assisted Learning”
For the second year in a row Threat Stack has achieved Type 2 SOC 2 Compliance in Security and Availability with zero exceptions. We’re justifiably proud of this accomplishment, which underscores our ongoing commitment to rigorous security standards and our ability to maintain them in our company’s technology, processes, and personnel along with the highest level of security and privacy for our customers.
To an outsider, there’s no apparent difference between our 2017 and 2018 results. Threat Stack is Type 2 SOC 2 compliant in Security and Availability. CHECK AND CHECK. But under the hood, there’s a lot more to the story. The differences between the processes we used in 2017 and the way we optimized these in 2018 are significant, as are the differences in the personnel who took part in the two SOC 2 initiatives. So in this post, we’re going to talk about some of the lessons we learned and the changes we made in order to achieve the same results in an even more rigorous and efficient manner. Read more “Threat Stack Successfully Completes Type 2 SOC 2 Examination With Zero Exceptions — Again!”
Now is a good time to review Threat Stack’s Docker integration in the wake of the recent runc CVE. The headline reporting gets a little hyperbolic, but I still think we should use this as an opportunity to reflect. Containers represent a powerful abstraction for a unit of software. The container abstraction provides some isolation and control and makes deployment easier, but it also hides what runs inside from host-level tooling. Threat Stack’s solution adds security visibility to your deployment, and our Docker integration extends that visibility into your Docker containers.
Threat Stack announced the release of its Docker integration during Amazon’s 2015 re:Invent Conference and has continued to maintain and expand its capabilities in subsequent releases. This feature augments detected host events with Docker information when the Threat Stack agent identifies the event as originating from a container. The added information consists of the Docker container ID and the image name. We collect that data with a single host-based agent rather than by putting an additional agent into each container, since per-container agents would cause performance issues for typically small-footprint containers. Our daemon runs in user space and does not hook into the kernel, which allows us to stay lean and lightweight. Let me explain a bit about how this all works. Read more “How to Identify Threats Within Your Docker Containers”
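The following is an added example, not code from either of the posts above and not a description of how the Threat Stack agent itself works. It takes the Scala regex-extraction pattern from the Scala post and applies it to the container-attribution problem described here: deciding, from user space and without any per-container agent, whether a host event’s process belongs to a Docker container, and if so which one, by reading the process’s /proc/<pid>/cgroup entry (a common technique; Docker names the container’s cgroup after its 64-hex container ID). The object and method names (ContainerAttribution, containerIdFrom, augment) and the sample cgroup lines are constructed for illustration.

```scala
import scala.io.Source
import scala.util.Try

/** Illustrative only: extract a Docker container ID from /proc/<pid>/cgroup content
  * using Scala regex extractors in a pattern match. Sample data below is constructed. */
object ContainerAttribution {

  // In a `match`, a Scala Regex extractor only succeeds if the WHOLE string matches,
  // so these patterns behave as if anchored at both ends.
  // cgroup v1, cgroupfs driver:  "12:memory:/docker/<64 hex>"
  private val CgroupfsDocker = """\d+:[^:]*:/docker/([0-9a-f]{64})""".r
  // cgroup v1 or v2, systemd driver:  "0::/system.slice/docker-<64 hex>.scope"
  private val SystemdDocker  = """\d+:[^:]*:(?:/[^/]+)*/docker-([0-9a-f]{64})\.scope""".r

  /** The container ID named by one cgroup line, or None for a host (non-Docker) process. */
  def containerIdFrom(cgroupLine: String): Option[String] = cgroupLine match {
    case CgroupfsDocker(id) => Some(id)   // capture group 1 is bound to `id`
    case SystemdDocker(id)  => Some(id)
    case _                  => None       // always keep a fallback: no match is not an error
  }

  /** /proc/<pid>/cgroup has one line per hierarchy; any line that names Docker is enough. */
  def containerIdFor(cgroupFile: String): Option[String] =
    cgroupFile.linesIterator.map(containerIdFrom).collectFirst { case Some(id) => id }

  /** Augment a host event with the container ID. Resolving the image name would require
    * asking the Docker daemon (e.g. `docker inspect <id>`), which is not shown here. */
  def augment(event: Map[String, String], cgroupFile: String): Map[String, String] =
    containerIdFor(cgroupFile).fold(event)(id => event + ("docker_container_id" -> id))

  // Constructed samples: two container processes (different cgroup drivers) and one host process.
  val sampleId = "0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef"
  val samples = Seq(
    "cgroupfs" -> s"12:memory:/docker/$sampleId\n11:cpu,cpuacct:/docker/$sampleId\n",
    "systemd"  -> s"0::/system.slice/docker-$sampleId.scope\n",
    "host"     -> "0::/user.slice/user-1000.slice/session-3.scope\n"
  )

  def main(args: Array[String]): Unit = {
    val event = Map("event" -> "exec", "exe" -> "/bin/sh", "pid" -> "4242")
    samples.foreach { case (label, cg) => println(s"$label: ${augment(event, cg)}") }

    // On a Linux host, attribute the JVM itself; this is a no-op on other platforms.
    Try { val src = Source.fromFile("/proc/self/cgroup"); try src.mkString finally src.close() }
      .toOption
      .foreach(cg => println(s"self: ${containerIdFor(cg).getOrElse("not in a Docker container")}"))
  }
}
```

Two points worth remembering when using this pattern: because `match` requires a full-string match, a line with unexpected trailing path components simply falls through to `case _`, so if you want substring matching use `regex.findFirstMatchIn(line)` instead; and the cgroup layout differs between the cgroupfs and systemd drivers and between cgroup v1 and v2, which is why the example carries more than one extractor.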
I like watching great football plays on YouTube, but I especially like watching trick plays where players sell some sort of deception so their opponents take their eyes off the ball. Trick plays make great video clips and can win a football game if deployed at the right moment, but there’s a reason “blocking and tackling” are the fundamental skills, tasks, and roles necessary to function. Trick plays might be able to help a team win a football game, but if you show up without “blocking and tackling,” you’re definitely going to have a bad day. I bring this up because sometimes we confuse the trick plays with the fundamentals, and we do so at our own peril. That does not mean trick plays are bad or not helpful; it just means we can’t forget about the “blocking and tackling.”
These days we hear a lot of hullabaloo about machine learning (ML), and with good reason. However, it’s quickly becoming the “trick play” of security, the flashy new toy that leads people to overlook the “blocking and tackling” fundamentals. Read more “The Difference Between Security Trick Plays and Security Fundamentals”