Scala Regex String Extraction

Introduction

— Joe Baker, Manager Software Engineering

From time to time the Engineering, Operations, and Security groups at Threat Stack contribute blog posts that share information on techniques and tools we’ve developed so we can do things faster, more accurately, and with fewer resources. These range from tips for using Scala in the real world, to improving our SOC 2 management process using a home-grown tool called sockembot, to insights into how we manage our on-call rotation using another home-built tool called Deputize (which we’ve since made available as open source).

Today’s post is by Alfredo Perez, one of our software engineers, and focuses on Scala Regex String Extraction.

If there’s anything you’d like to hear about, please Tweet us at @threatstack or contact us directly.

One of my favorite Scala patterns that I’ve learned and used here at Threat Stack is Regex String Extraction with pattern matching. It’s a simple pattern but very powerful for extracting parts of a string and very readable. The power comes from the use of regular expression groups combined with the pattern matching of Scala. Read more “Scala Regex String Extraction”

The Promise of Machine Learning vs. The Reality of Human Assisted Learning

Machine Learning (ML) has been around in one form or another for a long time. Arthur Samuel, started working in the field in 1949 and coined the term in 1959 while working at IBM. Over the years, ML applications have been developed in practically every industry sector.

Recently, we’ve been hearing a lot about “silver bullet” ML-based cybersecurity solutions that can single handedly and automatically enable short-staffed security teams to identify and mitigate every kind of security threat imaginable. Of course, silver bullet solutions are as old as security itself, and by definition, they’re almost always too good to be true. So is the current crop of ML-driven cybersecurity solutions real or hype?

Given that a lot of hype has a few grains of truth in it, let’s use this post to look at the promise, the marketing hype, and the reality — at what ML can do and cannot do in its current state (with a peek at what it might be able to do sometime down the road). (Spoiler Alert: The operative word in this blog’s title is “promise.”) Read more “The Promise of Machine Learning vs. The Reality of Human Assisted Learning”

Threat Stack Successfully Completes Type 2 SOC 2 Examination With Zero Exceptions — Again!

For the second year in a row Threat Stack has achieved Type 2 SOC 2 Compliance in Security and Availability with zero exceptions. We’re justifiably proud of this accomplishment, which underscores our ongoing commitment to rigorous security standards and our ability to maintain them in our company’s technology, processes, and personnel along with the highest level of security and privacy for our customers.

To an outsider, there’s no apparent difference between our 2017 and 2018 results. Threat Stack is Type 2 SOC 2 compliant in Security and Availability. CHECK AND CHECK. But under the hood, there’s a lot more to the story. The differences between the processes we used in 2017 and the way we optimized these in 2018 are significant, as are the differences in the personnel who took part in the two SOC 2 initiatives. So in this post, we’re going to talk about some of the lessons we learned and the changes we made in order to achieve the same results in an even more rigorous and efficient manner. Read more “Threat Stack Successfully Completes Type 2 SOC 2 Examination With Zero Exceptions — Again!”

How to Identify Threats Within Your Docker Containers

Now is a good time to review Threat Stack’s Docker integration in the wake of the recent runc CVE. The headline reporting gets a little hyperbolic, but I still think we should use this as an opportunity to reflect. Containers represent a powerful abstraction for a unit of software. The container abstraction provides some isolation, facilitation, and control, but also some opaqueness. Threat Stack’s solution adds security visibility to your deployment, and our Docker integration provides visibility into your Docker containers.

Threat Stack announced the release of its Docker integration during Amazon’s 2015 re:Invent Conference and has continued to maintain and expand its capabilities in subsequent releases. This feature augments detected host events with Docker information when the Threat Stack agent identifies the event as originating from a container. Augmented information consists of the Docker container ID and the image name. We collect that data with a host-based agent that does not stick some additional agent into each container. Per-container agents would cause performance issues for typically small footprint containers. Our daemon runs in user space and does not hook into the kernel, allowing us to stay lean and lightweight. Let me to explain a bit about how this all works. Read more “How to Identify Threats Within Your Docker Containers”

The Difference Between Security Trick Plays and Security Fundamentals

I like watching great football plays on YouTube, but I especially like watching trick plays where players sell some sort of deception so their opponents take their eyes off the ball. Trick plays make great video clips and can win a football game if deployed at the right moment, but there’s a reason “blocking and tackling” are the fundamental skills, tasks, and roles necessary to function. Trick plays might be able to help a team win a football game, but if you show up without “blocking and tackling,” you’re definitely going to have a bad day. I bring this up because sometimes we confuse the trick plays with the fundamentals, and we do so at our own peril. That does not mean trick plays are bad or not helpful; it just means we can’t forget about the “blocking and tackling.”

These days we hear a lot of hullabaloo about machine learning (ML), and with good reason. However, it’s quickly becoming the “trick play” of security, the flashy new toy that leads people to overlook the “blocking and tackling” fundamentals. Read more “The Difference Between Security Trick Plays and Security Fundamentals”

How to Defend Against the runC Container Vulnerability

Earlier this week security researchers Adam Iwaniuk and Borys Poplawski published details on a vulnerability in runC, the underlying container runtime for Docker, Kubernetes, cri-o, containerd, and other container-dependent programs. The vulnerability, CVE-2019-5736 allows malicious containers to overwrite the host runC binary and gain root-level code execution on the host. This would give attackers the ability to run any command as a root-level user including the ability to create new containers using an attacker-controlled image or attach executables into an existing container that they have write access to.

A patch has been issued for CVE-2019-5736, and all users should update to the latest version of all their container management programs as soon as possible.
Read more “How to Defend Against the runC Container Vulnerability”

Transforming Alert Fatigue Into Proactive Security Management

In a recent study, 72% of CISOs stated that their teams are facing alert fatigue, while 82% of respondents to a Threat Stack survey indicated that alert fatigue is having a negative impact on their organization’s well-being and productivity.

Traditional approaches to managing security alerts have often driven teams into a reactive mode where they’re overwhelmed by huge volumes of noisy alerts or spend far too much time gathering information and digging around in log files. If this proliferation of data is transformed into relevant and actionable intelligence, however, teams can overcome alert fatigue, identify and respond to critical issues in real time, and reduce risk continuously over time.

In this post, we’ll take a look at some best practices on how you can move away from reactive, ad hoc tactics and adopt a structured, proactive approach by making alerts a key element of your overall information security strategy. Read more “Transforming Alert Fatigue Into Proactive Security Management”

Machine Learning, Signatures, Rules, & Behaviors — Tips on Navigating Modern Cloud Security Solutions

Cloud security is one of the most rapidly changing technology landscapes out there. And naturally, the market for security tools is also constantly evolving as stakeholders continue to develop an understanding of how important a mature security posture is to the entire organization — from innovation to sales to ongoing brand and customer success.

Throughout the industry, different security solutions solve different problems for different types of businesses: There is no “one-size-fits-all-cloud-security-silver-bullet.” Being able to cut through the hype, promises, and buzz to figure out which solutions are actually suited to your specific use cases can be a challenge.

So in this post, we’re offering guidance on what some of the broader categories of cloud security solutions do and do not offer, and how they deliver security information and alerts to their end users. In turn, we’ll take a look at using Network IDS tools, using point solutions to build your own security stack, jumping into the emerging world of machine learning (ML), and deploying a comprehensive cloud security platform that not only provides a wide range of security functionality but also integrates security into your existing DevOps workflows and provides a foundation for constantly improving your security maturity. Read more “Machine Learning, Signatures, Rules, & Behaviors — Tips on Navigating Modern Cloud Security Solutions”

21 Developers & Docker Experts Reveal the Biggest Mistakes People Make When Switching to Docker Containers

Containerized environments are increasingly popular, and Docker remains the most popular container solution for developers. But the process of moving from virtual machines to containers is complex. If you’re just getting started with Docker, check out our list of 50 useful Docker tutorials for IT professionals, which includes tutorials for beginners, intermediate users, and advanced Docker pros.

It’s common to make mistakes during the transition from VMs to Docker containers, and it’s important to remember that Docker won’t fix all your problems in the cloud. There are also security issues you need to weigh in order to keep your environment fully secure both during and after the transition. Threat Stack’s Docker integration offers full visibility into your container environment, alerting you to internal and external threats — along with the context needed to understand what happened during a security event so you can take appropriate action.

Aside from failing to implement robust security measures for your containerized environment, people make other common mistakes make when switching to Docker containers. To gain some insight into the most common, we reached out to a panel of Docker experts and asked them to answer this question:

“What’s the biggest mistake people make in switching to Docker containers?”

Read more “21 Developers & Docker Experts Reveal the Biggest Mistakes People Make When Switching to Docker Containers”

Leveraging Threat Stack’s Out-of-the-Box Rulesets and Single View for Managing Multiple AWS Accounts

Increasingly, AWS users are leveraging multiple accounts to manage their infrastructure. While doing so is a recommended best practice that enables users to achieve the highest levels of resource and security isolation and to optimize operational costs, it can also increase the amount of time and effort required for effective administration and remediation.

As a remedy to this problem (and “account sprawl” in general), and as a means of providing more granular alerting and actionable data, Threat Stack has built two key functionalities into its Cloud Security Platform®:

  • The ability to view multiple AWS accounts from one central location: Our unified view reduces admin time and provides significant convenience because end users no longer need to gather information and alerts from multiple accounts. This means you can focus on business issues and not administration!
  • Rulesets that are focused on giving more granular alerting and context to your interactions with the AWS control plane: Our extensive out-of-the-box rulesets give customers increased control plane visibility and more granular tracking of AWS API actions within their accounts, and you still have the flexibility of creating new rules and modifying existing rules (as we have previously documented.)

Read on for more details. Read more “Leveraging Threat Stack’s Out-of-the-Box Rulesets and Single View for Managing Multiple AWS Accounts”