Upcoming Threat Stack / PagerDuty Webinar: 52% of Companies Sacrifice Cybersecurity for Speed

by    •   February 28, 2018
posted in Business Insights

Live Thursday, March 1 at 1:00 p.m. EST (18:00:00 UTC)

Click here to register.

Overview

A recent Threat Stack survey finds that over 50% of companies admit to cutting back on security measures to meet a business deadline or objective. As long as companies are willing to sacrifice security to gain speed, the long-held dream of marrying DevOps and security won’t come true.

Who & What

Join this webinar to hear Pete Cheslock, Threat Stack Senior Director of Operations, and Franklin Mosley, PagerDuty Senior Application Security Engineer, discuss the current status of SecOps along with critical gaps and obstacles.

Here are a few of the survey findings:

  • 68% of companies say their CEO demands that DevOps and security teams do nothing to slow the business down
  • 57% percent say their Operations team pushes back on security best practices
  • 44% of developers aren’t trained to code securely

When

  • Live Thursday, March 1 at 1:00 p.m.EST (18:00:00 UTC)

How to Get Your SaaS Company SOC 2 Compliant With Minimal Headaches

by    •   February 27, 2018
posted in Compliance & Customer Requirements

SOC 2, which was developed by the American Institute of CPAs (AICPA), is specifically designed for service providers storing customer data in the cloud, which means that it applies to nearly every SaaS company operating today.

So, what is SOC 2 exactly? While the framework is a technical audit, it goes above and beyond this to require that companies establish and follow strict information security policies and procedures. The criteria for developing these policies and procedures is based on five “trust service principles” to ensure:

  • Security
  • Availability
  • Processing integrity
  • Confidentiality
  • Privacy of customer data

Compliance can be evaluated by independent auditors who assess a company’s ability to comply with these five principles.

SOC 2 is one of the more common requirements that SaaS companies must meet, but that doesn’t make compliance any simpler or dealing with an audit any less exacting. In this post we have laid out the most important requirements and the steps you should take to become compliant quickly in order to stay out of trouble with auditors and compete in a crowded SaaS market. Read more “How to Get Your SaaS Company SOC 2 Compliant With Minimal Headaches”

GDPR: What is the Right to Erasure?

by    •   February 23, 2018
posted in Compliance & Customer Requirements

Introduction

— by David Weinstein, Senior Security Engineer, Threat Stack

The other week, Chris Lippert, Privacy Technical Lead at Schellman & Company, LLC., wrote an excellent blog post that explores overlaps and differences between GDPR and other frameworks, including ISO/IEC 27000, NIST, and PCI, as well as ways organizations can start to bridge the gaps to achieve alignment with GDPR.

In this post, Frank Kyazze, Senior Associate at Schellman, zeroes in on one of the questions that sit at the heart of the GDPR: “What is the Right to Erasure?” In this highly informative article, Frank explains some of the rights of data holders, responsibilities of data controllers, and best practices for effectively responding to requests for erasure. Read more “GDPR: What is the Right to Erasure?”

New eBook: 5 Ways to Strengthen Your SaaS Security & Build Customer Loyalty

by    •   February 22, 2018
posted in Cloud Security Planning, How To Strengthen Security

The SaaS subscription model can make churn an unavoidable issue because there’s nothing to prevent customers from cutting ties with one provider and moving to another.

As a security or operations professional at a SaaS company, you know you have to address trust and loyalty at the platform level so your customers experience optimal performance. You also know you have to deal with the unique security requirements associated with your SaaS infrastructure. The good news is, if you take steps to ensure platform stability, performance, and data security, you’ll be well-positioned to attract prospects and build long-term customer trust.

To help you get there, our new eBook — 5 Ways to Strengthen Your SaaS Security & Build Customer Loyalty — offers practical advice and specific steps you can take to avoid operational pitfalls, secure your SaaS business, and give customers the assurances they need to stay loyal to your service. Read more “New eBook: 5 Ways to Strengthen Your SaaS Security & Build Customer Loyalty”

Meltdown & Spectre: How to Secure Your SaaS Environment From Unknown Threats

by    •   February 22, 2018
posted in Business Insights, How To Strengthen Security

As a SaaS provider, securing your environment from known threats is one thing, but how about the unknown? That’s a different story altogether, and it’s exactly why the security community is so worked up over Meltdown and Spectre. With so much to learn about the newly discovered vulnerabilities and the threats they pose, many have been sent into a bit of a tailspin. But, before you give in to the panic, we’ve laid out specific steps below that can help you mitigate the risks in order to keep your data and that of your customers secure. Read more “Meltdown & Spectre: How to Secure Your SaaS Environment From Unknown Threats”

Strategies for Measuring and Monitoring the Cloud Like a Boss — Webinar Recap

by    •   February 21, 2018
posted in Cloud Security Planning, How To Strengthen Security

As you’re probably well aware by now, security is different in the cloud. The good news, of course, is that running in the cloud offers more visibility than ever before. It’s now possible to gain a bird’s-eye view of your entire environment, something that was unimaginable with on-premise data centers.

In partnership with Dark Reading, Threat Stack’s VP of Product, Chris Ford, got together in a recent webinar to discuss measurement and monitoring in the realm of cloud security with Rich Mogull, CEO and Analyst at Securosis. You can read the recap below or view the entire webinar here. Read more “Strategies for Measuring and Monitoring the Cloud Like a Boss — Webinar Recap”

T-72 Hours to Report a Breach – Are You GDPR Ready? – Webinar Recap

by    •   February 20, 2018
posted in Compliance & Customer Requirements

The GDPR deadline is looming large. With fewer than 100 days until May 25, many U.S. companies are still unsure what their responsibilities are under GDPR and what steps they need to take to meet new requirements.

To help you prepare, Threat Stack product marketing manager Hank Schless got together with Paul-Johan Jean, GDPR legal consultant at Sphaerist Advisory to give a high level-summary of GDPR responsibilities for U.S. companies in a recent webinar. You can either stream the archived webinar right now, or read the recap below. Read more “T-72 Hours to Report a Breach – Are You GDPR Ready? – Webinar Recap”

Threat Stack Successfully Completes Type 2 SOC 2 Examination

by    •   February 20, 2018
posted in Compliance & Customer Requirements

Threat Stack is proud to announce that we have successfully completed a Type 2 SOC 2 examination for the Security and Availability principles with Schellman & Co for our intrusion detection platform and Oversight Managed Service.

This accomplishment is especially exciting for the Threat Stack team because we were able to pass our first SOC 2 examination with zero exceptions — without having taken the organization through any similar experiences before — underscoring our commitment to maintaining rigorous security standards in our company’s technology, processes, and personnel along with the highest level of security and privacy for our customers.

In this post, we want to share highlights of Threat Stack’s SOC 2 journey — why we chose this standard, the process we followed, and our commitment to our customers. In upcoming posts we’ll provide more detailed specifics as our customers go through similar journeys. Read more “Threat Stack Successfully Completes Type 2 SOC 2 Examination”

GDPR vs. Existing Frameworks: Overlaps, Differences, and Filling the Gaps

by    •   February 13, 2018
posted in Compliance & Customer Requirements

Introduction

— by Pat Cable, Senior Infrastructure Security Engineer, Threat Stack

From time to time Threat Stack invites industry experts to share our blog space, and in today’s post, Chris Lippert, Privacy Technical Lead at Schellman & Company, LLC., takes a look at the General Data Protection Regulation (GDPR), a topic that is on everyone’s mind, whether they’re prepared for it or not.

In this post, Chris explores what’s unique about the GDPR, how it overlaps with existing frameworks including ISO/IEC 27000, NIST, and PCI, and points to how you can leverage your current controls to meet many of the security considerations for personal data under Article 32, as well as other requirements of the GDPR, such as data protection policies or vendor management.

Without further ado, here are Chris’ insights into GDPR. Read more “GDPR vs. Existing Frameworks: Overlaps, Differences, and Filling the Gaps”

How We Integrated Rust Into Threat Stack’s Operations Workflow

by    •   February 12, 2018
posted in Development

Note: The following post is related to Sensu, a monitoring tool for internal infrastructure health and alerting. If you use Sensu (https://sensuapp.org/) for internal monitoring of your own infrastructure health, this could be useful for you. However, this tool does not integrate with Threat Stack services and is not intended or supported for any such use case. It is a tool that we use internally, and we have released this with the intention that it may be helpful to the wider open source community.

Tooling is an integral part of operations at Threat Stack. On the Operations team, our job is to enable both ourselves and the Development team to work more effectively. When I started at Threat Stack almost a year ago, my role primarily centered on improving our tooling to create more granular control over our environment. My first project was creating “shush,” an operations tool for temporarily silencing monitoring checks in Sensu during maintenance. Up to that point, we had had less granularity in our check silencing capabilities for routine maintenance. While we could silence groups of checks and checks coming from a particular node, we were not able to silence single checks or a subset of checks on these hosts. After we discussed the requirements for this tool, I ultimately suggested that it be written in Rust.

In this post I describe our experience integrating Rust and also cover the benefits of using Rust in an operations workflow both technically and from a human factors perspective. Read more “How We Integrated Rust Into Threat Stack’s Operations Workflow”