Powerful Lacework alerting overhaul helps teams act faster, together

Editorial Lacework

August 9, 2022

Is your cybersecurity technology making your job harder or easier?

A June 2022 study revealed that 70% of organizations struggle to keep up with the growing number of security alerts. This should come as no surprise. Cloud migration has only increased alert volume to exponential levels, especially for organizations using legacy rules- and signature-based security solutions that weren’t built for the cloud.

This overwhelming alert quantity works at the expense of security quality. Per IDC, each alert takes 30 minutes on average to investigate, with false positives taking even longer. If practitioners are spending their bandwidth investigating false positives, that leaves less time for the alerts that actually matter.

Today, at Lacework, we’re doubling down on our commitment to safer cloud environments and more efficient teams with the announcement of some major alerting upgrades. We are excited to announce a complete user experience overhaul to our alerting capabilities, which will be available to new and existing Lacework customers in the months ahead. As a part of this overhaul, users will notice:

  • Interactive alerting capabilities: Teams can more easily organize alerts, view tags, filter to see a set of specific alerts, change alert statuses, and add comments to better collaborate with other teams inside of the platform.
  • New bi-directional Jira integration: When an alert is updated in the Lacework user interface or in an associated Jira ticket, the alert is synced between the two platforms. This integration is configured via a simple, one-time setup.
  • Automated alert grouping: Similar alerts are grouped together by various criteria to give the complete picture of what happened, helping organizations understand where to focus and how to make better decisions.

With behavior-based threat detection built for the cloud, Lacework customers already report a 100:1 alert reduction, as compared to legacy security solutions. And now, with these upgrades, teams can better prioritize, investigate, and track the status of all incoming alerts.

Less alert noise with more actionable context

Every day, global security practitioners use our platform — the Lacework Polygraph® Data Platform — to make their jobs easier. With our platform, teams experience 80% faster security investigations and a 90% reduction in manual efforts, in addition to the 100:1 alert reduction referenced above.

With this latest release, Lacework wanted to take these positive results a step further to make security operations even more efficient. For example, though our platform provides far fewer alerts than traditional security solutions, users needed a simpler way to prioritize these alerts, manage the alert lifecycle, and seamlessly collaborate on alerts across teams and tools.

Here’s a closer look at how each of these three upgrades gives users more context to make better decisions.

Take action on the alert within the alert

The hallmark of today’s announcement is the introduction of interactive alerts, which have several facets.

  • Immediate insights: Within the alert itself, teams can get a deep dive on the resources that caused the alert and any associated details. For example, if a user sees a vulnerability-related alert, they can double-click to get more information about the impacted resources.
  • Advanced filtering: Organizations can now view, sort, and search based on status, severity, categories (anomaly, compliance, vulnerability, policy tags, etc.), and much more. Filter configurations can also be saved for later reference.
  • Alert comments / dialogue: Users can now leave comments within the alerts themselves to prioritize and track alerts and to better collaborate with other teams across the organization.
  • Change alert status: Teams can now assign statuses to alerts to help organize and respond. When closing an alert, users can also record a reason for closing. For example, if an alert is a false positive, users can designate it as such, and the platform learns from that designation and applies it to similar alerts going forward. Finally, alert queues can be filtered by status, so teams can focus on priorities rather than backlog items.

Here’s a brief snapshot of these interactive alerts, within the actual platform.

[Screenshot: Alerting Blockers]

Keep alerts consistent, across platforms

Nearly half of the Lacework customer base takes advantage of our off-the-shelf Jira integration. Through this integration, events flagged within the Lacework platform can automatically open tickets within the Jira workflow management platform, helping teams organize, prioritize, and delegate security needs.

Prior to today’s release, the two platforms did not communicate every status update to each other. For example, if a user closed an alert ticket in Jira, the corresponding alert would not show as closed on our platform. Now the integration is bi-directional, meaning the two platforms sync with each other regularly: if a change is made within a Jira ticket, that change is reflected in Lacework, and vice versa.

This step removes some manual, tedious lift from security practitioners and will accelerate issue resolution. It also helps avoid a situation where security teams are noticing discrepancies between the two platforms and are forced to spend time discerning which platform is telling the truth.

Automatically discover similar alerts

When it comes to acting fast on alerts, context is key. And with our platform, users will never see alerts in isolation. One key differentiator for our Polygraph platform is the rich context that the platform provides around every alert, including grouping any other alerts that carry similar characteristics.

Through our related alerts feature, alerts are grouped around common entities, such as a shared IP address, host name, alert time, or object. Within our interactive alerts window, users can easily find all of these related alerts for further investigation.

This way, alerts that were likely caused by the same event can be investigated and remediated together rather than one at a time, once again saving time and energy for security teams.
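To make the idea of entity-based grouping concrete, here is an added Python example; it is not Lacework's code and does not describe how the Polygraph platform implements related alerts. It links alerts that share an IP address, host name or object value and were raised within a 30-minute window of each other, then reports which entities tie each group together. The alert fields, the window size and the sample alerts are all assumptions constructed for the example.

```python
"""Illustrative alert correlation: group alerts that share an entity within a time window.

Not Lacework's implementation; an added example with constructed sample data.
"""
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Constructed sample alerts (assumed schema: id, ISO-8601 time, and optional entity fields).
ALERTS = [
    {"id": "A1", "time": "2022-08-09T10:00:00", "ip": "203.0.113.5", "host": "web-1", "object": None},
    {"id": "A2", "time": "2022-08-09T10:10:00", "ip": "203.0.113.5", "host": "web-2", "object": None},
    {"id": "A3", "time": "2022-08-09T10:20:00", "ip": None, "host": "web-2", "object": "s3://bucket-x"},
    {"id": "A4", "time": "2022-08-09T14:00:00", "ip": "203.0.113.5", "host": "web-1", "object": None},
    {"id": "A5", "time": "2022-08-09T10:05:00", "ip": None, "host": "db-1", "object": "/etc/shadow"},
    {"id": "A6", "time": "2022-08-09T14:15:00", "ip": None, "host": "web-1", "object": "s3://bucket-y"},
]

ENTITY_KEYS = ("ip", "host", "object")   # assumed entity fields used for linking
WINDOW = timedelta(minutes=30)           # assumed "same alert time" tolerance


def parse_time(value):
    """Parse the alert's ISO-8601 timestamp."""
    return datetime.fromisoformat(value)


class DisjointSet:
    """Union-find so that A1~A2 and A2~A3 transitively place A1, A2, A3 in one group."""

    def __init__(self, items):
        self.parent = {item: item for item in items}

    def find(self, x):
        while self.parent[x] != x:
            self.parent[x] = self.parent[self.parent[x]]  # path halving
            x = self.parent[x]
        return x

    def union(self, a, b):
        ra, rb = self.find(a), self.find(b)
        if ra != rb:
            self.parent[rb] = ra


def group_alerts(alerts, window=WINDOW, keys=ENTITY_KEYS):
    """Return alert-id groups; two alerts are linked when they share an entity value
    and the time gap to the previous alert on that entity is within the window.
    Linking consecutive alerts per entity lets a sustained burst chain together,
    while a lone recurrence hours later starts a fresh group."""
    ds = DisjointSet([a["id"] for a in alerts])
    by_entity = defaultdict(list)
    for alert in alerts:
        for key in keys:
            if alert.get(key):
                by_entity[(key, alert[key])].append(alert)
    for members in by_entity.values():
        members.sort(key=lambda a: parse_time(a["time"]))
        for prev, cur in zip(members, members[1:]):
            if parse_time(cur["time"]) - parse_time(prev["time"]) <= window:
                ds.union(prev["id"], cur["id"])
    groups = defaultdict(list)
    for alert in alerts:
        groups[ds.find(alert["id"])].append(alert["id"])
    return sorted(sorted(g) for g in groups.values())


def shared_entities(alerts, group_ids, keys=ENTITY_KEYS):
    """List the (field, value) pairs that at least two alerts in the group have in common,
    i.e. the context an analyst would want to see next to the grouped alerts."""
    counts = Counter()
    for alert in alerts:
        if alert["id"] in group_ids:
            for key in keys:
                if alert.get(key):
                    counts[(key, alert[key])] += 1
    return sorted(entity for entity, n in counts.items() if n >= 2)


if __name__ == "__main__":
    for group in group_alerts(ALERTS):
        print(group, "linked by", shared_entities(ALERTS, set(group)))
```

Running it shows A1, A2 and A3 chained through the shared source IP and then the shared host, A4 and A6 grouped by host in the afternoon burst, and A5 left on its own. The window keeps an unrelated recurrence of the same IP four hours later from being swept into the morning group, which is the kind of false linkage that would otherwise make a grouped remediation overreach.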

Cloud security made simple with Lacework

All these exciting upgrades being announced today are currently in the Beta phase, with General Availability (GA) planned in the coming months. These features will be available to new and existing customers who use both our agentless and agent-based offerings.

As mentioned above, Lacework is committed to taking the pain out of cybersecurity, especially for modern cloud environments defined by change. Lots of responsibility rides on the shoulders of cybersecurity teams. As cyber attacks and threats grow more sophisticated, your cybersecurity tools should be working for you — not against you.

So, back to the question — is your cybersecurity technology making your job harder or easier? At Lacework, we are committed to the latter. And these alert upgrades are just one more step in that direction.