Lacework FortiCNAPP Reviews

We are covering cloud security posture management and run-time detection as well, so there are two flavors. It is also used for inventory purposes. We are probably using all the capacity of the tool. We have the agents deployed in our environment, and we are also covering all of the cloud environments with the Cloud Security Posture Management version.

First of all, alert reduction is helping us to be focused on other things that matter. The other thing is in regards to visibility. What we found is that Lacework is super easy to deploy in Kubernetes environments and other environments. You can get super quick visibility into what is going on in your environment. Even though it has a behavioral engine, and it takes a couple of hours to consolidate the information and present that to you, it is pretty quick. We have a huge environment, it is great for us.

Lacework saves us a lot of money because in terms of the ingestion of data or in terms of the way AWS, GCP, and other cloud providers are sending logs into Lacework, if we have to ingest the data in our SIEM, for instance, it is going to cost us a lot of money. Having Lacework in the middle, ingesting the data, processing the data, and providing us with the right information is super valuable, at least from a cost perspective. I know every company would like to have all the logs in the SIEM or store them somewhere in their environment, but that is an advantage that I recognize in Lacework. The data is good. We can see the data that we want.

It is good for helping us view our environment from an attacker’s perspective. One of the things that they introduced recently is Attack Path. Previously, we needed to go to two or three places to figure out what was going on in our environment. Even though we had alerts from Lacework that gave us a lot of information, we sometimes needed to go to other places to make sure that we fully understood the context of the data alert. Lacework has introduced Attack Path which helps us a lot to identify the activity from the beginning to the end.

It has the ability to monitor configurations continuously. This capability is important, but we have complementary tools that monitor the configuration of certain files.

We have reduced the alert noise by 60% to 70%. We needed an opportunity to focus on projects and improve our controls elsewhere. We also wanted to focus on improving our detection capabilities because the network is providing a subset of alerts that are helpful, but we also need to think about all those things that we need to do in our environment, such as make a list of some use cases from an attacker's perspective and see if we can catch the event. We have threat intelligence as well. We can see whether we have a particular type of threat in our environment. There is vulnerability management as well. The combination of those factors is what we are currently doing. We can focus on these things.

Lacework helped save time by reducing our manual tasks. Lacework is providing us with comprehensive data or some set of data to see what is going on. In the past, we were doing that manually. We had to go to other places to understand what was going on, so Lacework helped us on that front. That was the most important saving of manual tasks.

It also has helped us to free up existing resources. The number of people that I had initially on the on-call rotation is less because of it. I could take out those people for other projects. That is the huge value that I saw from Lacework. As long as we reduce alerts, we will have time to focus on other things. In terms of human resources, people are more focused on other things.

Lacework has absolutely helped to reduce our organization's breach risk. Our company is super focused on protecting customer data. We are storing data in several cloud providers' object storage. With Lacework, especially with Cloud Security Posture Management, there is a compliance part where we can see how many object storages are exposed to the Internet. Whenever we have any event, we can identify that properly and immediately take action. That is how we reduce the risk in cloud providers. We take customer data super seriously, and we were able to identify all the alerts for the public object storage or for those that we had already but did not know.

Lacework has been helpful for spotting critical weaknesses. The most important thing is our customer data. It has helped us a lot, and it is super valuable.

We use the tool for two main purposes: vulnerability management and monitoring. We utilize it to scan all of our IAC scripts and configurations across our AWS and GCP environments. Additionally, we employ its agent to scan our compute nodes. This covers three main areas: cloud configuration, host systems, and IAC code, all essential for vulnerability management. We primarily focus on monitoring AWS CloudTrail to detect anomalous activities and risky behavior.

I find the cloud configuration compliance scanning mature. It generates a lot of data and supports major frameworks like ISO 27001 or SOC 2, providing reports and datasets. Another feature I appreciate is setting custom alerts for specific events. Additionally, I value the agent-based monitoring and scanning for compute nodes. It gives us deeper insights into our workloads and helps identify vulnerabilities across our deployed assets.

One key aspect of the agent that stands out is its capability to distinguish between active and inactive packages on compute nodes. This feature reduces the number of actionable vulnerabilities by focusing on packages actively running in the environment rather than all installed packages.

I noticed that it was quite noisy, with many alerts about things I wasn't particularly concerned about. However, over time, Lacework's anomaly detection improved by establishing baselines of normal activity. It now alerts us only when there are deviations from these baselines. Integrating with Slack was especially beneficial—I set up a dedicated Slack channel just for Lacework alerts. This allowed me to focus on the alerts that required attention.

We use it for anomaly detection and security compliance.

Lacework has helped us in a couple of areas. The first is that it helps us with compliance and third-party risk assessment. We do a lot of third-party risk assessments for other people that ask us questions about how we monitor our environment and who want to know what our security posture looks like. Lacework gives us the ability to respond favorably to those kinds of questions and we rely on the tool for that a lot. In terms of breach risk assessment, it helps us improve the confidence of third-party risk assessors and stakeholders. When they know that we're using Lacework or some other tool like that to help with anomaly detection and compliance to known standards, that is certainly a big benefit.

With regards to vulnerabilities, we can point to the Lacework reporting for some of that information to demonstrate compliance with NIST 800-53, CIS, and other security standards. It's very helpful from that perspective.

It also helps us from a day-to-day monitoring perspective, to know where we are in time with our security posture and if anything new has come in or something has changed in the environment that warrants some kind of immediate action.

And because it helps us focus on the severity of alerts, it has helped us bring down the number of alerts. If you work on trying to understand the cause of each of the alerts, and you then identify the appropriate actions to clear them, that will help you reduce the number of alerts. We've been able to leverage the tool to help us gain insights into some of the more nuanced challenges and vulnerabilities. 

If you take action on the alerts it's telling you about, it will help save time on manual compliance tasks. Like any tool though, if you're not understanding the alerts in the context of your architecture, and then taking the action needed to clear those alerts, it probably isn't saving you much time. But it is saving me time in helping me understand exactly what those alerts are about. It helps us focus on the right things. I would give it credit there, for sure.

It also helps free up staff a little bit because it doesn't take as many people to keep tabs on the environment as it used to. I don't feel we're spending as much time on that.

The biggest draw was being able to have a report that would tell me if my AWS cloud environment was in compliance or not. So, the biggest use case was that I needed something that I could just plug in, and it would go through all of my resources in AWS and find all those nooks and crannies, every little thing, and tell me if I'm in compliance or not.

It gives me the insight and transparency that I didn't have before. It tells me exactly how compliant I am. It also gives me peace of mind by monitoring behavior within my AWS accounts and then notifying me. It has changed our organization in that we can focus on other pressing items that will help drive sales more, which is what really matters. It eliminates that part of your brain that's always worried about compliance and regulation. 

It does exactly what you expect it to do. It detects user behavior that is not normal. For example, I might test out a new service in AWS, and I'll get a notification from Lacework saying, "Hey, this user with username logged into this service for the first time." It is detecting that already just because we implemented it. It monitors all the users. It monitors what the users typically do. So, anytime a user goes outside of that normal behavior, it notifies me. If you're worried about remote workers or intrusion, it's such a good feature to have.

Its ability to continuously monitor configurations is phenomenal. It's instant. We have it set up. So, it notifies us via Slack as soon as an environment goes out of compliance. It also notifies us as soon as it goes back into compliance. It's instant. This ability to continuously monitor configurations for the organization is critical if that's something that you care about. When you think about how many different configurations or services or how many different ways you can set up AWS, and then you compound that across accounts and different geographies, you would have to hire a massive team to be able to do that manually. You might even need a massive team to maintain that or a different system that's doing that. Installing the Lacework agent and having that monitored by Lacework is a great return on your investment.

It has allowed us to focus on other pressing priorities. Nobody wants to go through compliance and alerts. It provides the ability to reduce that overall and hit SOC 2 Type 2 compliance, incident management, and having all of that taken care of. We're doing less and less of it, and it has enabled us to move faster as an organization.

It has helped us free up existing resources. We also didn't have to hire additional resources.

It has had a major effect on our breach risk assessment. When there is an anomaly detected with a user's behavior, such as a password gets compromised or somebody gains access to a user account, it notifies me right away. It also notifies me right away when a new user is created. It's also a third-party system that is storing these logs. In a worst-case event, if somebody did breach into our system because nobody was paying attention to the alerts for whatever reason, I can go back and look at the logs within Lacework to see exactly what happened. So, I can do a very good postmortem after the fact. It has helped in more ways than I could have thought of in terms of breach detection and also postmortem on any breach.

We use Lacework for cloud security.

The ability to collect the information, analyze it, and then correlate it against the configured policy has helped us. It is easily integrated with security frameworks such as AWS, and CIS benchmarks.

Lacework, by its nature, maintains a low level of noise. Through its intelligent backend data aggregation and correlation, it effectively minimizes less relevant alerts, and instead alert on crucial matters or authentic instances of behavioral risks and concerns. However, what stands out is that having the capability to review configurations empowers us to enact adjustments internally, possibly resulting in a reduction of alerts needing attention.

We use it mostly for compliance and also to get better insight into our security posture as a company.

The biggest benefit is the automation because we are a small team of only six people. We are part of a bank, something like an internal startup company. So while we are a small team, we have to support a lot of users. Having to do all the things that Lacework does for us would require a whole team of people, and probably 24/7. We would need a SOC team to monitor everything, and people who would respond to things continuously and validate the alerts compared to the actual cloud infrastructure. But Lacework does all of that for us. All we have to do is integrate it with our cloud environment and it does 95 percent of the work, so it's quite a cost-effective solution.

And in the last six months, we have been able to reduce alerts by a good 20 percent. The reduced alerts mean our Lacework security policies are more effective and we spend less time reacting to alerts. Obviously, the fewer alerts you have, the less time you have to spend dealing with them. Regardless of what type of alert you receive, you have to acknowledge every single one. So a 20 percent reduction in alerts equals a lot of free time for me to spend on something else.

Lacework is a cloud security platform. We have multiple cloud providers, and we're ingesting the logs from each. About six people at my company use Lacework. 

Lacework provides a good overview of our security posture. We also use the Kubernetes agent because our software is a Kubernetes-based application. The Lacework polygraph offers nice visibility into the workloads on Kubernetes.

There are no applications out there that let you look at the workload in Kubernetes from the cluster to the namespace, pod, and images. From that image, you can see any connections going out. 

We use it mainly for detection and response purposes. We have also started using Lacework as our vulnerability management tool, which is most important for our organization. We don't have any kind of security layer for all our cloud infrastructure so we are using Lacework as a security product for our cloud infrastructure.

When I joined this organization, Lacework was being onboarded. It was in setup mode. If I compare the visibility I have had over those last 10 months with Lacework, with what visibility was like before, I now have complete visibility into my entire infrastructure. If anything happens, Lacework will definitely catch it. That is very efficient and I'm able to react before the attack.

An advantage that Lacework gives us in our environment is that it covers a vast majority of use cases, which helps us to detect things based on severity, and it helps us to have more focus on those issues. For example, last week we had an alert that said that there was an external connection made from an internal server, and our internal servers are not supposed to communicate with the external, because it's behind the VPN and it's behind the firewall. That should not happen, but it was happening. A good detection rule helped us.

In terms of seeing things from an attacker's point of view, a couple of weeks back I received an alert that a user with root permission had logged in and tried to do something he is not supposed to do, which means he didn't have admin permission. I also received an alert about policy changes. I got the user ID and did a reverse lookup in my database to find out who the user was and his department. I reached out to him and I asked him about it, and it turned out he was doing a red team activity and testing Lacework. Red team activity is very difficult to detect, but Lacework did a very good job on that.

And for continuous monitoring, we have created a kind of dashboard, although not a complete dashboard. Lacework has a better dashboard. Our major priority is to look into critical, high, and medium alerts, which we never miss. We continuously monitor for high-priority alerts. It shows us those by default in the Lacework dashboard. That helps in our daily monitoring.

With Lacework, the alert flow has been reduced a little bit, about 6 percent, but attackers never sleep. We have a lot of alerts coming in, day in and day out. It's now Christmas time and this is the perfect time for attackers to try to target an organization because as they know the response team will be outnumbered. In addition, Lacework has reduced the time it takes us in an investigation by 70 to 80 percent because it keeps complete information. That means we don't have to verify where the information came from. Rather, we can use that information in our investigation.

It helps free us up to work on other tasks. We can create custom rules to eliminate false positive alerts. These are the gray areas that we have started exploring and that gives us time to work on other stuff.