How to Prioritize Security Tasks When You Have Limited Resources

Many organizations have limited resources (time, personnel, and money) for IT, and oftentimes only a small portion of that is devoted to security. Given the limited resources available to create and execute a best practice security plan, you will need to face up to these constraints and prioritize security tasks.

But how, exactly, should you go about strategically prioritizing your security needs? How can you determine which aspects need to be addressed first and which can be dealt with later? After all, aren’t they all important? Read more “How to Prioritize Security Tasks When You Have Limited Resources”

Configuration Auditing Adds Single View for Multiple AWS Accounts

Continuing our commitment to improving the user experience, we are announcing the most recent enhancement to AWS Configuration Auditingthe ability to view multiple AWS accounts from one central location. 

Note:

  • If you are a current customer, this feature will be updated automatically.

  • If you’re not yet a Threat Stack customer, the links at the bottom of this post will give you excellent insights into the capabilities of Threat Stack’s AWS Configuration Auditing.

Read more “Configuration Auditing Adds Single View for Multiple AWS Accounts”

Why You Don’t Need to Code to Run Secure on AWS

Amazon Web Services, the ubiquitous cloud infrastructure provider, has made it increasingly easy for businesses to move to the cloud and take advantage of the scalability, flexibility, and cost savings this approach offers. For some businesses that are contemplating the move to AWS, you may be wondering whether it’s necessary to have a team of developers who can help to ensure that you are capable of running securely on AWS.

The short answer is: You don’t need to start from scratch when it comes to security, and you don’t need  to have extensive coding resources in-house to run securely on AWS. With the right tools at your disposal, you can quickly measure compliance with  your unique security policy and adapt to changes in your environment as needed.

Here’s what you need to know to run securely on AWS, with or without a legion of development resources at your disposal.

Read more “Why You Don’t Need to Code to Run Secure on AWS”

73% of Companies Have Critical AWS Security Misconfigurations

Threat Stack Delivers Wake Up Call

Wide open SSH and infrequent software updates among top risks identified in the majority of cloud-based environments

How effective are your AWS security configurations? And how do you know for sure?

In a recent eye-opening study, Threat Stack found that 73% of companies have at least one critical security misconfiguration, such as remote SSH open to the entire internet. By “critical”, we mean configuration lapses that enable an attacker to gain access directly to private services or the AWS console, or that could be used to mask criminal activity from monitoring technologies.

If we caught your attention with that opening statistic, please read on. Read more “73% of Companies Have Critical AWS Security Misconfigurations”

Write Your Own AWS Configuration Auditing Rules With Threat Stack’s Guided Rules Editor

Today Threat Stack is excited to announce a powerful and easy-to-use new feature of the  AWS Configuration Auditing capabilities — the Guided Rules Editor for AWS Configuration Auditing. With the Guided Rules Editor, available in the Threat Stack Audit Plan,  users can quickly tailor AWS Configuration Auditing rulesets to their organization’s specific security policies and adapt to changes in their environment.
Read more “Write Your Own AWS Configuration Auditing Rules With Threat Stack’s Guided Rules Editor”

Demonstrating PCI Compliance Using Threat Stack

PCI Security Standards are technical and operational requirements set by the PCI Security Standards Council to protect cardholder data. Threat Stack customers frequently ask us how Threat Stack can help them comply with these two sets of requirements:

  • Requirement 10: Track and monitor all access to network resources and cardholder data (in other words, determine the who, what, where, and when)

  • Requirement 11: Regularly test security systems and processes (in order to continuously monitor and test security controls)

The good news is that the following Threat Stack features can provide significant benefits to customers who need to satisfy PCI Compliance Requirements 10 and 11:

  • Configuration Auditing
  • Vulnerability Scanning
  • Rules monitoring file integrity, logins, network access, and threat intelligence activity

In the remainder of this post, we’ll demonstrate how these can help you meet your PCI compliance and security goals. Read more “Demonstrating PCI Compliance Using Threat Stack”

A Year in the Life of Threat Stack’s Cloud Security Platform®

Before we get too far into 2017, we want to take a final look back at 2016 — specifically at some of the great enhancements we made to Threat Stack’s Cloud Security Platform®.

In the security world, 2016 was filled with major incidents, including massive data breaches, nation-state cyber interference, crippling DDoS attacks, and increased numbers of ransomware incidents — along with all the less glamorous, day-to-day security threats that had the potential to impact every cloud-based business in existence. So much for the bad news!

At Threat Stack, 2016 was the year we transformed our best-of-breed Host Intrusion Detection System into the industry’s first cloud-native, end-to-end Cloud Security Platform to deliver a unified view into workloads, infrastructure monitoring, vulnerability management, threat intelligence, and compliance reporting. Read more “A Year in the Life of Threat Stack’s Cloud Security Platform®”

Adopt a Cloud Security Maturity Model to Guide Your Journey in the Cloud

Moving to and scaling in the cloud — especially for those who came from on-premise environments — can not only be overwhelming, but confusing, too. With new services available to your organization, policies to adhere to, and users and systems to secure, where should you begin?

Many of us at Threat Stack, including myself, have worked with on-premise environments at other organizations. So we understand the experience of being overwhelmed and confused when it comes to getting started securing your cloud or hybrid environment. The good news is that we have some real experts and great customers who have helped us identify best practices for transitioning to and scaling in a cloud environment, and we want to share those with you! 

We use a Cloud Maturity Model as a starting point. Essentially, it lays out the stages and activities companies should follow to mature their cloud environment — but we believe secure cloud computing needs to play a bigger part. As such, the Threat Stack team agreed it was time to develop a Cloud Security Maturity Model to help companies understand, step by step, how to implement and scale security as they grow in the cloud.
Read more “Adopt a Cloud Security Maturity Model to Guide Your Journey in the Cloud”

Threat Stack Broadens Cloud Security Platform With New Configuration Auditing

How securely configured is my AWS environment? Have I checked all the right boxes? Have I locked all my doors and windows?

With the release of AWS Configuration Auditing — a major new feature of the Threat Stack Cloud Security Platform® (CSP) — Threat Stack is the only cloud security monitoring platform that enables customers to assure that their AWS environment is configured to policy and from there, implement continuous security monitoring, alerting, and investigation at any stage in their company’s cloud maturity lifecycle.

Configuration Auditing enables Threat Stack customers operating in AWS to implement AWS security best practices by automatically auditing current environments and providing an immediate, concise report of configurations that are non-compliant with best practices. Threat Stack then offers steps to remediate the issues and make the AWS environment more secure.
Read more “Threat Stack Broadens Cloud Security Platform With New Configuration Auditing”