Review: Protecting multi-cloud environments with Threat Stack

Because it's intended for use in environments that require constant uptime, Threat Stack simply concentrates on the detection aspect of cybersecurity, alerting admins when suspicious activity is spotted.

[Image: Statue of Atlas against a blue sky and large white clouds. Credit: Milos Duskic / Alex Machado (CC0)]

With a large number of organizations moving their data and applications to the cloud, there is an acute need for a platform designed to natively detect malicious activity occurring there without hindering the underlying network or the business functions that rely on it. The Threat Stack Cloud Security Platform was made to fill that need.

At first glance, Threat Stack may seem a lot like security programs designed to protect traditional hardware. There is even a colorful dashboard showing things like the percentage of the network that is protected by Threat Stack agents and security events ranked by severity. This makes the platform look a bit like a security information and event manager (SIEM) designed to work in the cloud, but most similarities end there.

[Screenshot: Threat Stack Dashboard. Credit: John Breeden II / IDG]

The Threat Stack dashboard shows suspicious events occurring in your cloud instances, ranked by severity.

As deep as Threat Stack goes on detection, there is no ability to stop suspicious activity, quarantine clients or anything like that, which is intentional because it is designed to be deployed to protect things like ecommerce applications in the cloud that might process millions of dollars in business every hour. The idea is that anything that could disrupt operations might bring a multimillion-dollar operation to a halt, so Threat Stack takes no chances and simply concentrates on the detection aspect of cybersecurity. That may seem counterintuitive compared with most security mindsets, but it’s attractive in environments that require constant uptime, no matter what.

The platform can be installed in any cloud environment, including public, private, community, hybrid, and container based. It also works in multi-cloud environments. It is compatible with every major cloud provider. We even placed it at the core of a Docker environment, and every container spawned from there had an agent go live at creation.

[Screenshot: Threat Stack Inventory. Credit: John Breeden II / IDG]

The main interface for Threat Stack shows every cloud-based asset within the organization regardless of the type of cloud it resides in. This can include Docker and other container instances.

Although it can operate in an agentless state as a sort of security overwatch program, it's most powerful when agents are deployed directly into each cloud instance. Users have a variety of choices for deploying the agents. It can be done by hand on each instance that needs to be protected, or the agents can be made a part of the image file that loads when each new cloud service is spun up. In our testing, agents took less than 10 seconds from installation to connect with the Threat Stack platform and start reporting on their cloud's activities. The main dashboard shows a running total of what percentage of the clouds, across all instances, are protected by a Threat Stack agent.

[Screenshot: Threat Stack Install. Credit: John Breeden / IDG]

There are multiple ways to install the Threat Stack agents, including manually or as part of your standard cloud instance configuration.

Pricing for Threat Stack is based on runtime. For example, if an organization used a single agent on a single cloud-based server, they would be charged for between 720 and 730 hours of runtime each month, assuming the server was constantly active. There is also on-demand pricing that gives pretty much unlimited usage, and which would certainly be a better option to support larger deployments.

Once the agent is installed, users can load behavior-based rules for it to keep an eye on. The platform comes with a large set of best-practice type rules. We chose one for the payment card industry (PCI) and began protecting the cloud instances accordingly in the demo environment. All of the rules can be configured, modified, removed or added to as needed.

[Screenshot: Threat Stack Rules. Credit: John Breeden II / IDG]

Threat Stack comes with a lot of pre-defined rules for different industries and security levels. All of them can be customized, or users can create their own.

The agents work by first examining all of the cloud's user call functions. In this way they will know, for example, if users have escalated their privileges, or attempt to do things like change configuration or hidden files, run a shell program or spin up a new service. None of that alone would be proof positive of malicious intent, but there is little danger in pointing it out, since Threat Stack takes no overt action to halt things; it only makes admins aware.

Agents can also look for workloads and data loss. Here they look for things like large data downloads, or data moving out of protected areas or into less secure housing.

[Screenshot: Threat Stack privilege escalation alert. Credit: John Breeden II / IDG]

Here, Threat Stack shows how it detected a privilege escalation event which may be the start of a threat activation.

The one possible negative to this approach of reporting everything is that when first installed, Threat Stack can, and probably will, generate a lot of alerts that aren’t malicious. These are not false positives as the alerted activity is happening, but probably by authorized users or developers acting within their job responsibilities. Admins can easily whitelist particular types of behaviors or exempt users from having the platform report on them for certain actions. Threat Stack officials say they work with every new client for about a week to help them push through that period of multiple alerts. Once configured for their environment, the program may only generate a few alerts a day.

Alerts are ranked based on severity. So if a user is exhibiting multiple bad behaviors, that one might filter up to the critical list. Certain behaviors like unauthorized data exfiltration might also cause a priority alert. The idea is that Threat Stack is catching these bad behaviors extremely early in the cyber kill chain, and that the program is accurate because most of the authorized behaviors that look suspicious are defined to the program during that initial week of installation. By jumping in very quickly, cybersecurity teams can respond to problems before they escalate.
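To make the behavior-rule, exemption and severity-ranking mechanics described above concrete, here is an added illustration (my own code, not Threat Stack's agent or its rule format) that runs a handful of constructed host audit events through simplified rules, suppresses one exempted user/rule pair the way the whitelisting step would, and ranks users by accumulated severity; the event schema, rule names and thresholds are assumptions for the example.

```python
from collections import defaultdict

# Constructed, simplified host audit events (hypothetical schema, not Threat Stack's own).
SAMPLE_EVENTS = [
    {"user": "deploy",  "exe": "/usr/bin/sudo",  "argv": ["systemctl", "restart", "app"], "path": ""},
    {"user": "svc-web", "exe": "/usr/bin/sudo",  "argv": ["su", "-"],                    "path": ""},
    {"user": "svc-web", "exe": "/bin/sh",        "argv": ["-c", "id"],                   "path": ""},
    {"user": "svc-web", "exe": "/usr/bin/vi",    "argv": [],                             "path": "/etc/ssh/sshd_config"},
    {"user": "bob",     "exe": "/usr/bin/touch", "argv": [],                             "path": "/tmp/.cache-x"},
]

# Behavior rules in the spirit of the review: each names a suspicious action and a base severity.
RULES = {
    "privilege_escalation": (3, lambda e: e["exe"].endswith(("/sudo", "/su"))),
    "shell_spawned":        (2, lambda e: e["exe"].endswith(("/sh", "/bash"))),
    "config_file_modified": (2, lambda e: e["path"].startswith("/etc/")),
    "hidden_file_touched":  (1, lambda e: e["path"].rsplit("/", 1)[-1].startswith(".")),
}

# Exemptions tune out expected activity (the "whitelist" tuning period): (user, rule) pairs.
EXEMPTIONS = {("deploy", "privilege_escalation")}


def rank_users(alerts):
    """Aggregate per user; several distinct bad behaviors lift a user to 'critical'."""
    score, rules_hit = defaultdict(int), defaultdict(set)
    for a in alerts:
        score[a["user"]] += a["severity"]
        rules_hit[a["user"]].add(a["rule"])
    ranked = {}
    for user, s in score.items():
        level = "critical" if len(rules_hit[user]) >= 2 or s >= 5 else "high" if s >= 3 else "medium"
        ranked[user] = {"score": s, "level": level}
    # Highest accumulated severity floats to the top of the list, as on the dashboard.
    return dict(sorted(ranked.items(), key=lambda kv: -kv[1]["score"]))


def evaluate(events, rules=RULES, exemptions=EXEMPTIONS):
    """Return (alerts, per-user ranking). Detection only: nothing is blocked or quarantined."""
    alerts = []
    for e in events:
        for name, (sev, match) in rules.items():
            if match(e) and (e["user"], name) not in exemptions:
                alerts.append({"user": e["user"], "rule": name, "severity": sev})
    return alerts, rank_users(alerts)


if __name__ == "__main__":
    found, ranking = evaluate(SAMPLE_EVENTS)
    for a in found:
        print(a)
    print(ranking)
```

With the sample above, the exempted deploy user produces no alert, while svc-web trips three distinct rules and is ranked critical.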

This makes up for the fact that Threat Stack is not taking any actions other than detecting and alerting, though that does require a dedicated cybersecurity team who can respond at any time. Threat Stack has its own management console, but can also report to most major SIEM programs. In either case, taking the warnings from the platform seriously, especially in the case of priority alerts, is paramount to a good defense.

Not only does Threat Stack bring security for multi-cloud environments together into one place, it also works without any chance of disrupting the business or ecommerce applications running in those clouds. It would make for a good security component in an environment where uptime is the primary concern, but that also needs some form of protection running in tandem.

Copyright © 2018 IDG Communications, Inc.
