At Threat Stack, we have two high-level goals when it comes to product development. First, we want to continue to build a powerful, cloud-based security platform with all the features users need to keep their cloud environment protected as they scale. And second, we want to create a platform that’s easy to use and customize, so users can move as fast as possible and also strengthen their organization’s security.
In the first part of 2016 we put a large effort into the first goal, increasing the breadth and depth of our feature set, including vulnerability assessment, more powerful investigative tools, etc. Recently we have focused heavily on the second goal, streamlining workflows in three areas of our Cloud Security Platform:
- Host Intrusion Detection (HIDS) Rules Management
- Management of Servers protected by Threat Stack
- Software Vulnerability Assessment and Management
In this post, I’ll discuss how users can customize HIDS using the streamlined rules management functionality. In a follow-up post, I will talk about streamlined workflows that are now available for server management and software vulnerability assessment and management.
HIDS Rules Management Workflows
One of the first features new customers encounter in Threat Stack is Host Intrusion Detection (HIDS). As part of our workflow streamlining effort, we looked at how to get new customers ramped up as quickly as possible generating HIDS alerts and then customizing them to their environment.
When a new user begins a Threat Stack trial, the first thing they do is deploy the Threat Stack agent on a server and begin observing alerts on the behaviors of that server. To enable this, we provide a Base Rule Set (default rules) that catches specific behaviors.
The next step is for users to become familiar with these base rules and then customize them to their specific environment. To make this easier, we redesigned the main rules management page so the first thing they see is an alphabetized list of all the rules, which they can scroll through and become familiar with.
Many users go on to tailor the default rules to further filter out normal behavior so they can focus on the suspicious behaviors they need to know about or take action on. To make this easier and faster, we’ve developed two helpful new tools: Rule Cloning and Test Filter.
- Rule cloning: Default rules can now be cloned, along with rule suppressions. New users can start with default Threat Stack rules and then easily copy and modify them to match the behavior of their environment. This enables quicker differentiation between behaviors that are normal and those that need to be escalated.
- Test filter: After working with many of our users and watching them go through the rule creation process, we learned that they needed an instant way to confirm that their rule behaves as expected before it is implemented, and therefore we created the Test Filter.
As users become more familiar with Threat Stack capabilities, they often want to expand their use of File Integrity Monitoring (FIM) to protect keys, files with sensitive data, etc. To make it easier to create and manage file integrity rules, we located everything needed to create a rule on one page. The user simply specifies the file paths to be tracked and the behaviors to be alerted on (e.g., open, modify, delete) to keep those key files protected.
We boiled the process of creating a FIM rule down to four easy steps:
- Give your rule a name. It can be anything that will help you identify it later.
- Specify the text you want to appear in the alert title. You can even include variables. For example, the alert title could be "[filename] was modified by [command]".
- Specify the file paths you want to monitor.
- Specify the events you want to be alerted on, such as when the file gets opened, modified, or deleted.
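The four steps above, combined with the Test Filter idea of checking a rule before it goes live, can be modeled as follows. This is an added example, not Threat Stack code: the `FimRule` class, its field names, the suppression set and the sample events are hypothetical and constructed here, and do not reflect the product's rule syntax.

```python
import fnmatch
from dataclasses import dataclass, field


@dataclass
class FimRule:
    name: str        # step 1: a name that identifies the rule later
    title: str       # step 2: alert title template with [variables]
    paths: list      # step 3: file path patterns to monitor
    events: set      # step 4: event types that should raise an alert
    # Hypothetical suppression: commands known to touch these files legitimately.
    suppress_commands: set = field(default_factory=set)

    def matches(self, ev):
        if ev["event"] not in self.events:
            return False
        # Note: fnmatch's "*" also matches "/", so patterns span directories.
        if not any(fnmatch.fnmatchcase(ev["filename"], p) for p in self.paths):
            return False
        return ev["command"] not in self.suppress_commands

    def render_title(self, ev):
        out = self.title
        for key in ("filename", "command"):
            out = out.replace(f"[{key}]", str(ev[key]))
        return out


def dry_run(rule, sample_events):
    """Return the alert titles the rule would raise for recorded events."""
    return [rule.render_title(ev) for ev in sample_events if rule.matches(ev)]


# Constructed sample events, standing in for recent host activity.
SAMPLE_EVENTS = [
    {"filename": "/etc/ssh/sshd_config", "event": "modify", "command": "vim"},
    {"filename": "/etc/ssh/sshd_config", "event": "modify", "command": "puppet"},
    {"filename": "/home/deploy/.ssh/authorized_keys", "event": "open", "command": "sshd"},
    {"filename": "/home/deploy/.ssh/authorized_keys", "event": "modify", "command": "bash"},
    {"filename": "/var/log/syslog", "event": "modify", "command": "rsyslogd"},
]

RULE = FimRule(
    name="SSH config and key changes",
    title="[filename] was modified by [command]",
    paths=["/etc/ssh/*", "/home/*/.ssh/authorized_keys"],
    events={"modify"},
    suppress_commands={"puppet"},  # configuration management is expected here
)

if __name__ == "__main__":
    for alert_title in dry_run(RULE, SAMPLE_EVENTS):
        print(alert_title)
```

Running the rule over recorded events before enabling it shows both what it would alert on and what the suppression hides, which is the point at which an overly broad suppression is cheapest to catch.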
The workflow enhancements we’ve made to the Threat Stack Cloud Security Platform strengthen our focus on giving organizations the tools they need to easily customize and prioritize what matters the most in their environments. They make it easier to operate and customize Threat Stack, and as a result, users tend to increase their commitment to the platform. This, in turn, improves the “fit” between the Cloud Security Platform and each user’s environment, increases agility and operational velocity, and improves the organization’s overall security posture.
Stay tuned for Part 2 for a discussion of the streamlined workflows that are now available for Server Management and Software Vulnerability Assessment and Management.