How to Make SecOps Work in the Real World

Smart organizations already know that running securely is key to success in today’s competitive landscape. So why isn’t security table stakes in 2018?

Unfortunately, there seems to be a disconnect between what organizations want when it comes to security, and what they’re actually able to put into practice. In Threat Stack’s recent report, Bridging the Gap Between SecOps Intent and Reality, we found that 85% of organizations believe bridging the gap and employing SecOps best practices is an important goal, yet just 35% say that SecOps is a completely or mostly established practice at their organizations, and 18% say it’s not established at all.

It’s clear that the challenge is how to make SecOps work in the real world. Whether you’re challenged by a security talent shortage, siloing between teams, out-of-date skills, or major rifts in perception, it is possible to better integrate SecOps using the right strategy.

To help you apply security best practices to your organization, let’s take a look at four concrete ways that teams can begin to close the SecOps chasm. Read more “How to Make SecOps Work in the Real World”

Are You Ready for GDPR Compliance? Here’s a Checklist.

The European Union’s General Data Protection Regulation (GDPR) is going into effect in just two months — on May 25, 2018. Yet a recent Forrester report indicates that only about 30% of companies say they’re ready to comply, and at least some of those firms are actually overstating their readiness.

If you haven’t completed your preparations or you’re not confident about your status, we’ve created the following checklist to help your organization prepare for the upcoming changes. We hope you find it useful. Read more “Are You Ready for GDPR Compliance? Here’s a Checklist.”

Threat Stack Introduces Rapid Baselining — Transforming Data Into Actionable Intelligence

One of the biggest challenges with alert-based IDS solutions is handling the sheer volume of alerts that can be generated on a daily basis. Teams need a way to navigate this data so they can quickly and effectively hone in on the critical details that indicate anomalous activity and tune alerts that are unique to their environment — thereby ensuring ongoing protection against threats and continuously enhancing their organization’s security posture.

At Threat Stack, we have always made sure that customers are seeing the most important security alerts so they can run efficient workflows. To strengthen that capability, we have just introduced Rapid Baselining — a new feature that groups alerts based on the associated rule. By leveraging the metadata within the alerts, we add deeper intelligence to the alert information. Read more “Threat Stack Introduces Rapid Baselining — Transforming Data Into Actionable Intelligence”

Upcoming Webinar — Good, Fast, or Secure? Why DevOps Means You Don’t Have to Choose

Live Tuesday, March 27 at 1:00 p.m. EST

Click here to register.

Overview

Common wisdom holds that, when it comes to software releases, you can only have two of: good, fast, or secure. But we don’t agree at all. When DevOps is implemented thoughtfully and holistically — and when security is brought into the process early — it’s entirely possible to release high-quality, secure code as quickly as the market demands.

In this webinar, we’ll walk you through exactly how Threat Stack has avoided sacrificing security on the altar of speed and share best practices to help you achieve the holy trinity of good, fast, secure code at your organization. Read more “Upcoming Webinar — Good, Fast, or Secure? Why DevOps Means You Don’t Have to Choose”

How Threat Stack Does DevOps — Series Overview

Pete Cheslock, Threat Stack’s Senior Director of Operations, has just published a four-part blog series that gives deep insights into his experience “doing DevOps” at a variety of companies — in particular, his highly successful experience building DevOps practices into the fabric of Threat Stack virtually from day one.

We encourage you to read the entire series: It’s loaded with great accounts of what works and doesn’t work in real-life environments  — there’s nothing academic about Pete’s approach — and also offers up lots of practical advice you can draw on if you’re trying to figure out the best way to implement DevOps in your organization. But before you dive in, we thought we’d offer up a reader’s digest version to get you going. Read more “How Threat Stack Does DevOps — Series Overview”

The Best Cloud Security Conferences to Attend in 2018 and Beyond

Securing any cloud infrastructure is a big job. You have to be constantly up to date when it comes to skills, tools, and technology, as well as the vulnerabilities and threats that crop up continuously. When it comes to security, being stagnant isn’t an option. A good cloud security professional only remains top notch by staying on top of the latest cloud security trends, emerging threats, and best practices.

That’s where cloud security conferences come in, bringing together top experts, cloud security thought leaders, and industry professionals to share tips, tricks, and tactics for bolstering cloud security in the modern landscape.

With the spring conference season kicking off,  we’ve rounded up 50 cloud security conferences you should attend in 2018, grouped by quarter so you can easily plan your schedule for the remainder of the year:

Read more “The Best Cloud Security Conferences to Attend in 2018 and Beyond”

How Threat Stack Does DevOps (Part IV): Making Engineers Accountable

Early on at Threat Stack, we focused on giving engineers the tools and ownership over their applications that would empower them to deploy and manage their applications in a safe way without causing customer downtime or other issues. As a small, but rapidly growing company, this is necessary for survival. For most of the last four years, Threat Stack has only had a two- to three-person operations team. With a such a small team, we understand that we can’t have our hands on everything that happens in production. It just doesn’t scale, especially given how difficult it can be to hire engineers is this competitive market.

In this post, we’ll take a look at how you can better scale your organization by employing the DevOps best practice of giving engineers fundamental responsibility for their code. Read more “How Threat Stack Does DevOps (Part IV): Making Engineers Accountable”

How to Integrate Security Into a DevOps World

Introduction

by Pete Cheslock, Senior Director Operations, Threat Stack

Today we’re pleased to have Franklin Mosley, Senior Application Security Engineer at PagerDuty, contribute to our blog.

Drawing on his extensive experience as an information security professional, Franklin takes a detailed look at the how’s and why’s of integrating security into a DevOps environment, and provides great tips on how you can start making the transition to a DevOps culture at your organization.


I have been in security for many years, so I have heard many of my colleagues complain that developers and operations have little regard for security. But my perspective is a little different: I used to be a software engineer, so I understand the challenges faced in getting software developed and deployed. To that end, I want to share some of my experiences in this post, and hopefully pass along some valuable tips on how to effectively integrate security into your DevOps world. Read more “How to Integrate Security Into a DevOps World”

How Threat Stack Does DevOps (Part III): Measuring and Optimizing System Health

One of the most important things that any company can do to benefit from DevOps is define and implement useful, actionable metrics for visibility into business operations.

This is already standard practice in most areas of the average organization. KPIs drive sales and marketing teams, finance groups, and even HR. Yet, at many companies, having metrics for the application that brings in the money is an afterthought — or is not prioritized at all.

In this post, we’ll take an in-depth look at why application and infrastructure metrics should be baked into your engineering organization as early as possible, how to do it, and what tools can enable your success around this key area of DevOps. Read more “How Threat Stack Does DevOps (Part III): Measuring and Optimizing System Health”

How to Achieve Type 2 SOC 2 With Zero Exceptions — Webinar Recap

SOC 2 compliance is one of the most common customer use cases we come across at Threat Stack. Developed by the American Institute of CPAs (AICPA), the framework is designed for service providers storing customer data in the cloud, and SaaS companies among others often turn to us as they begin to feel overwhelmed by the requirements.

Having undergone a Type 2 SOC 2 examination ourselves, Threat Stack’s Vice President of Technical Operations Pete Cheslock, and Senior Infrastructure Security Engineer Pat Cable, gathered for a webinar recently to discuss exactly what we did to achieve SOC 2 compliance with zero exceptions. Read the recap below, or listen to the full webinar here. Read more “How to Achieve Type 2 SOC 2 With Zero Exceptions — Webinar Recap”