Threat Stack – Let’s Make Network Security Monitoring work.

It’s 2012.  Why is Network Security Monitoring still so hard?

Well, truthfully, there are a lot of legitimate reasons why it’s so hard. There are a lot of factors that go into Network Security Monitoring: understanding TCP/IP traffic, distinguishing real attacks from false positives in events, and once identifying some traffic may be a real incident, figuring out how to respond. However, there’s still a lot of (in my opinion) non-legitimate reasons why people don’t do network security monitoring:

  1. If you go the open source route, it’s difficult to configure and maintain the ecosystem (though projects like SecurityOnion have made a world of difference in this respect).
  2. It’s too hard to maintain sensors rules and keep them up to date.
  3. If you buy one of these “get up and go” security appliances, it’s expensive (Sourcefire’s “entry level” offering (IPSx) starts at 18k!) — and there’s no guarantee you’ll have any easier time installing it!

With Cloud Sight by Threat Stack, our goal is remove some of these pains so at the very least setting up an inexpensive NSM system isn’t a several-day ordeal. If you believe (and we certainly do) there is no “silver bullet” to security, Network Security Monitoring is just a good idea for a well rounded security program — your AV and firewall aren’t going to catch everything. If you have a store full of valuable merchandise, are you going to stop at expensive locks — if you could, wouldn’t you install an “alarm system” that will trigger when something out of the ordinary happens? This is just as true for the data assets at your 100 person business as it is for a 10,000 node enterprise corporation. You might not have a sophisticated security team and a million dollar security budget, but let’s make it easier for your IT guy to get started.

We’re developers who have a history in the security community developing products for network security monitoring. We know how people use and attempt to use these products, and frankly, we know the whole experience should be much better. There are some amazing capabilities already in open source software and tools — we think it’s our duty to make it available to the masses in a way where you don’t need a computer science degree and a deep understanding of compiler output to get up and running.

How does it work?

  1. We provision and deploy a Threat Stack server for you on your own private VPS (e.g., https://<mythreatstackserver>
  2.  You download a prebuilt Threat Stack IDS agent ready to go (it has Suricata + Barnyard + Emerging Threat rules, plus secure TLS certificates for secure communications to your server) OR, download certificates to hook up your existing Snort or Suricata instance and start sending logs to Threat Stack!
  3.  Login to your Threat Stack server and start viewing your events!

Why didn’t you guys use Security Onion?

Good question. Security Onion has a lot of awesome features and for people who want to host/control their own NSM platforms, it’s the premier choice for getting up and running really fast with a really powerful solution (e.g., Sguil). We’re in the process of developing some cool features that would make our platform just as powerful as Sguil for network security monitoring.

What about full packet capture?

We are in the process of developing full packet capture features for our agent.  Stay tuned!

What other features do guys have planned?  

  • Full packet capture agents (with a secure mechanism to query it from your Threat Stack server)
  • HIDS support
  • Partner branding
  • Automatic backups (daily)
  • Easier rules management
  • … Your suggestions!  Supply or vote for them at