When it comes to creating a solid SecOps program, an organization must consider people, processes, and technology. It’s not one area that makes a secure program, but a combination of all three working together.
As good as our people are, however, they would not get far without systematic processes backed by powerful tools and integrations. Here at Threat Stack, we use the following tools to ensure that our organization is safe, secure, and operating effectively.
Today, we’re sharing information about some of the top integrations we use at Threat Stack. By using these tools, we’re able to create processes that set our people up for success.
1. Internally Built Orchestration App
To integrate many of our systems, we use an internally built security orchestration, automation, and response (SOAR) app. We created this custom internal app to receive, store, and perform actions on information from different sources (such as AWS, Cloudflare, Threat Stack itself, and others). Alerts from our own Threat Stack monitoring platform are received, and additional context is obtained for each alert by calling the same API our customers can use.
We chose to build our own app because we felt we could take an event-driven framework in a language we all knew and easily extend it to meet our needs, incorporating our internal detection and automated response systems. The decision to build vs. buy is often a difficult one for organizations, so building an orchestration app from scratch is not a choice we would have made if our team or organization looked different.
2. Threat Stack Cloud Security Platform
Yes, we eat our own dog food. We use our own cloud security platform to detect alerts and misconfigurations. By using Threat Stack, we’re able to reduce the risk of breach by detecting security incidents and malicious behavior, ensure compliance, and enable innovation without sacrificing velocity.
3. Graylog
Graylog is a tried-and-true tool at our organization, used by our Operations team for log management. Our Security team adapted the tool for our own purposes, using our SOAR application to push and pull data, including Threat Stack alerts, to and from various systems. SOAR both pushes information into Graylog and pulls Graylog alerts back out; those alerts are sent to tools like Slack and PagerDuty to notify our staff of any potentially anomalous activity. In essence, Graylog is doing double duty as a log management and SIEM tool.
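The pipeline described in the orchestration-app section and here (receive an alert, enrich it via an API call, push it to Graylog, then route what comes back out to Slack or PagerDuty) can be sketched in a few functions. This is an added example, not Threat Stack's own code: the alert field names, the context lookup, and the routing policy are assumptions; the message format is the real GELF 1.1 structure Graylog ingests.

```python
import json
import time
from typing import Callable, List

# Constructed sample alert, shaped loosely like a host-monitoring alert.
# Field names are assumptions, not the Threat Stack API schema.
SAMPLE_ALERT = {
    "id": "alert-0001",
    "title": "Outbound connection from unexpected process",
    "severity": 1,          # assumed scale: 1 = highest, 3 = lowest
    "agent_id": "agent-42",
    "created_at": 1700000000,
}

# Assumed severity -> syslog/GELF level (1 = alert, 4 = warning, 6 = info)
SYSLOG_LEVEL = {1: 1, 2: 4, 3: 6}


def enrich_alert(alert: dict, lookup: Callable[[str], dict]) -> dict:
    """Attach per-agent context (hostname, environment, ...).
    `lookup` stands in for the context API call described in the post."""
    enriched = dict(alert)
    enriched["context"] = lookup(alert["agent_id"])
    return enriched


def to_gelf(alert: dict, source_host: str = "soar-app") -> str:
    """Render an enriched alert as a GELF 1.1 JSON message for Graylog.
    The GELF spec requires custom fields to be prefixed with '_'."""
    msg = {
        "version": "1.1",
        "host": source_host,
        "short_message": alert["title"],
        "timestamp": alert.get("created_at", time.time()),
        "level": SYSLOG_LEVEL.get(alert["severity"], 6),
        "_alert_id": alert["id"],
        "_severity": alert["severity"],
        "_agent_id": alert["agent_id"],
    }
    for key, value in alert.get("context", {}).items():
        msg[f"_ctx_{key}"] = value
    return json.dumps(msg, sort_keys=True)


def route(alert: dict) -> List[str]:
    """Decide where an alert pulled back out of Graylog goes. Assumed policy:
    everything to Slack; top severity or production hosts also page on-call."""
    targets = ["slack"]
    if alert["severity"] == 1 or alert.get("context", {}).get("env") == "production":
        targets.append("pagerduty")
    return targets


def fake_lookup(agent_id: str) -> dict:
    """Stand-in for the context API; returns constructed data."""
    return {"hostname": f"web-{agent_id[-2:]}", "env": "production"}
```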
4. Cloudflare
Most organizations use a DNS provider, WAF, or CDN to ensure that web traffic is flowing properly both to and from their site while filtering out malicious traffic before it makes its way to their servers. At Threat Stack, we use Cloudflare for those purposes. We feed the request logs generated by Cloudflare into our internal orchestration app. By monitoring those logs in Graylog alongside Threat Stack alerts and other data sources, we can discover whether any anomalies in web traffic are a cause for concern.
5. Slack
We use Slack primarily to keep our team members on the same page, in real time, but it’s also a useful tool for aggregating alerts. This integration folds security alerts into the SecOps team’s everyday workflow so issues can be responded to (and remedied) as quickly as possible. These alerts allow our team to be more proactive about security.
6. PagerDuty
PagerDuty is one of the best tools for aggregating information from engineering and IT systems in one place, as it displays operations systems, teams, and data in a single console. It makes managing and responding to incidents in real time much easier. Among other applications, we use PagerDuty to alert security team members in the on-call rotation about their temporary credentials, as well as to manage other security events that need an immediate response.
Integrations at Threat Stack
Threat Stack integrates with a wide array of tools using APIs and Webhooks, allowing SecOps teams to create an environment that works seamlessly to detect events and vulnerabilities. Ultimately, it’s up to individual teams to decide which tools make them most effective, but we find that Threat Stack’s system ensures that we are aware of issues in real time, and that nothing slips through the cracks.