Threat Stack Blog and Cloud Security News


Threat Stack Alerts Now Available in Slack

by Venkat Pothamsetty Mar 9, 2016 12:19:02 AM

When it comes to leveraging modern infrastructure to run fast in the cloud, there simply isn’t room for inefficient processes and siloed workflows. That’s why many of today’s fast growing businesses leverage alerting for intelligent and valuable insights into security issues. But the very best way to leverage the deep insights alerts give to security and ops teams is by integrating them into existing workflows to increase efficiencies and visibility into the issues that matter most.

We’re excited to announce today that Threat Stack now integrates with Slack, the leading app for real-time messaging, archiving and search for modern teams. The integration is aimed to streamline security and Ops team workflows so you can get out of the weeds and back to responding to issues to continuously improve your security posture. As Slack power users ourselves, we’re especially excited about this new integration.

Reinventing Security and Operations Workflows in the Cloud

Threat Stack’s Slack integration automates the entire security alerting and response process by delivering prioritized alerts directly into a single platform (Slack), so you can seamlessly view and respond to real threats the instant they happen.

How does it work? The Threat Stack Cloud Security Platform:

  1. Analyzes the entire stream of security-related events automatically.
  2. Baselines this data using benchmarks of “normal” behavior to suppress known actions and highlight abnormal activity.
  3. Alerts you in Slack in near real-time of high-severity alerts within the cloud environment (infrastructure, workloads, services).

If you’re employing the “trust but verify” DevOps model, here it is in action! 

Delivering High-Impact Threat Stack Alerts in Slack

Now, we all know Slack channels can get noisy. That’s why we designed Threat Stack to deliver the most important alerts to you in Slack only after they’ve been analyzed and intelligently baselined in Threat Stack. That means you’ll only see Severity 1 and 2 alerts — no extra noise, no false positives. When Threat Stack pings you on Slack, you know it matters.

Severity 1 and 2 alerts include:

  • Abnormal user behavior (e.g. insider threats)
  • Abnormal process behavior (e.g. new process behavior)
  • Abnormal network behavior (e.g. connections to new and bad IPs)
  • File tracking and copying of files
  • Abnormal infrastructure and CloudTrail activity

[Screenshot: a Threat Stack alert delivered to a Slack channel]

Integrating Threat Stack’s Slack Alerts With Existing Teams and Workflows

Workflows are only as effective as the people involved in them, and with our Slack integration, your teams can select exactly who will be on the channel. We recommend including your entire Ops team as well as a few key developers; essentially those who need to be aware of issues and can act on them fast.

This allows the Ops team to regularly monitor the channel for high severity alerts while providing the necessary developer stakeholders visibility into the security impact of application, workload and service deployments, access and updates.

When a Severity 1 or 2 alert flows into the channel, the first team member who sees it can ping the person responsible for that activity so they can respond and take action fast.

Even better, the workflow and conversation thread won’t stay locked up in Slack, forever lost in the abyss of daily communications. The Slack integration ties in tightly with Threat Stack’s audit trail capabilities, meaning you will have a complete audit trail captured in Threat Stack. And if you’re on Slack’s Plus plan, you can easily archive these conversations (for audit and compliance purposes) and match them to alerts in Threat Stack to provide valuable context.

Other Workflows Threat Stack Covers in Slack Include:

  • Pinning Alerts: If someone cannot respond to an issue immediately, users can pin the item to the channel for viewing later.
  • Dismissing Alerts: Because alerts are reviewed in real time, you won’t have to dismiss every alert each time you log in, as you would in traditional workflows.
  • New Pattern and Rule Identification: Leveraging Slack’s collaborative nature, team-based monitoring helps find new normal and abnormal patterns to add to the Threat Stack alert and suppression patterns.

Deepening Alert Context

One reason we love dogfooding our new features internally is that it can inspire new use cases. Specifically, we noticed that our own team members started pre- and post-announcing alerts. By pre-announcing to the channel an activity that will generate an alert (e.g. an accidental login failure), the team can better determine if and when an alert is a real threat or not.

Here’s a great example:

[Screenshot: a pre-announced alert in the Slack channel]

By post-announcing, team members can comment on why an alert took place or take responsibility for an action to determine the best course of action.

Here’s an example:

[Screenshot: a post-announced alert in the Slack channel]
Leveraging the benefits of Slack’s real-time communication, customers will find they’re also able to gain deeper context on alerts than they would through traditional alerting workflows.


Getting Started with Threat Stack’s Slack Integration

On the cloud, security is everyone’s responsibility, and because Threat Stack’s Slack integration drives security into existing workflows, it improves the speed at which teams can streamline security monitoring and response into a single notification system.

Existing customers can get started by simply providing their webhook API and alert severity preferences in the Threat Stack dashboard, and new customers can get started here:


Get Threat Stack’s Slack Integration with a free trial! 
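As an added example (not Threat Stack’s own integration code), here is the severity gate described above and the webhook delivery from the getting-started step, in Python. The alert field names, the `build_slack_payloads` / `post_to_slack` helpers and the sample alerts are assumptions constructed for illustration; the payload shape is Slack’s incoming-webhook `text` / `attachments` format.

```python
import json
import urllib.request

# Constructed sample alerts in an assumed shape (field names are not Threat Stack's
# documented schema); severity 1 is the most urgent.
SAMPLE_ALERTS = [
    {"id": "a1", "severity": 1, "title": "Abnormal process: unexpected child of www-data", "agent": "web-01"},
    {"id": "a2", "severity": 3, "title": "Package upgrade on build host", "agent": "ci-02"},
    {"id": "a3", "severity": 2, "title": "CloudTrail: IAM policy attached", "agent": "aws"},
    {"id": "a4", "title": "Record with no severity field", "agent": "db-01"},
]


def build_slack_payloads(alerts, max_severity=2):
    """One Slack webhook payload per alert at or above the cut-off; a missing or
    non-integer severity is treated as 1 so a malformed record is surfaced, not dropped."""
    payloads = []
    for alert in alerts:
        sev = alert.get("severity")
        if not isinstance(sev, int):
            sev = 1  # fail closed: unknown severity is shown, not hidden
        if sev > max_severity:
            continue  # lower-severity noise never reaches the channel
        payloads.append({
            "text": f"[SEV{sev}] {alert.get('title', '(no title)')}",
            "attachments": [{
                "color": "danger" if sev == 1 else "warning",
                "fields": [
                    {"title": "Agent", "value": alert.get("agent", "unknown"), "short": True},
                    {"title": "Alert ID", "value": alert.get("id", "unknown"), "short": True},
                ],
            }],
        })
    return payloads


def post_to_slack(webhook_url, payload, timeout=10):
    """POST one payload to a Slack incoming webhook; returns the HTTP status code."""
    req = urllib.request.Request(webhook_url, data=json.dumps(payload).encode(),
                                 headers={"Content-Type": "application/json"})
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return resp.status


if __name__ == "__main__":  # dry run: print what would be posted, no network call
    for p in build_slack_payloads(SAMPLE_ALERTS):
        print(json.dumps(p))
```

Point `post_to_slack` at the webhook URL configured in the Threat Stack dashboard and call it for each payload; the dry run above only prints them.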


Topics: DevOps, SecDevOps, Integrations, Operational Efficiency, ChatOps, Slack

Written by Venkat Pothamsetty

As Vice President of Products & Customer Advocacy, Venkat Pothamsetty is responsible for technology innovation and strategic alignment with customer business requirements. Venkat previously led products for two startups, Tollgrade and Industrial Defender, and was a major part of the successful exits for both companies. As Products Lead, Pothamsetty took several products from prototypes to successful mainstream products and, in many cases, defined market categories. Pothamsetty has also led services, pre-sales, solutions, and architecture teams at Cisco and Accenture.
