One of the biggest benefits of the Threat Stack Cloud Security Platform® is the deep level of visibility we bring to observing operator behaviors in customers’ cloud runtime environments. We frame this discussion in terms of “security observability,” and it can be distilled into a single question: “If suspicious or risky behaviors occur on one of your servers, what can you see and how quickly can you see it?”
Security observability is here
Reducing this mean-time-to-know metric (MTTK) for Security and DevOps teams to a matter of minutes — as opposed to hours or days spent digging through logs — is when the Threat Stack platform truly shines. With this goal of saving our customers time, and surfacing security risks and threats as quickly and as easily as possible, we designed our rules-based alerting engine as a first-class citizen of the platform.
Due to the breadth and depth of event data that we aggregate, we haven’t made the entirety of these datasets available to customers historically. While real-time, rules-based security alerting is our primary focus, we recognize that many of our customers with sophisticated digital forensics, data analytics, and compliance needs want to get as much data as they can out of our platform.
The [data] is out there
With this release, we will be giving our customers the ability to export all host OS events and file integrity monitoring (FIM) events out of Threat Stack and into their own Amazon S3 buckets. This new feature will make it much easier to get more contextualized data out of Threat Stack.
The format of the data will be no surprise: JSON that’s rich in additional context, just like the event data that’s surfaced when drilling down into Threat Stack alerts. Now, for all event data, even if it never triggers an alert — typically 99% of data in a well-tuned environment — customers will be able to efficiently get bulk exports in regular batches to S3.
Once the data lands in a customer’s S3 bucket, there are abundant use cases for integration:
- Reporting and visualization workflows: Incorporate Threat Stack data into advanced analytics and threat hunting
- Security information and event management tools (SIEM): Aggregate Threat Stack events alongside data from other infrastructure monitoring and orchestration systems
- Cold storage: Persist Threat Stack data long term, in services like Amazon Glacier, to meet advanced compliance requirements
Using the new data portability feature is totally optional. For teams that need this level of detail and long-term data retention, however, the ability to export Threat Stack’s high-fidelity telemetry to S3 will be a simple and efficient way to access large amounts of rich data.
We formally announced this news in a press release, which you can check out for more industry context and expert quotations. Existing Threat Stack customers can also contact their account management teams to learn how they can get started with S3 data portability.
We can’t wait to hear about the new ways customers and partners are deriving value from additional Threat Stack data. Until then!