
Lacework Overview

Lacework delivers cloud-native infrastructure compliance and security monitoring for DevOps teams, workloads, and cloud containers.

Compliance Reporting

Compliance identifies any configuration best practice violations that exist in your environment and notifies you through your chosen method. The compliance portion helps you understand configurations and audit controls so you deploy cloud resources using best practices. Lacework continuously and automatically monitors your environment so you do not need to create or edit policies or algorithms.

After you integrate your cloud provider(s), Lacework scans the environment for account security risks and misconfigurations. It does this by making read-only (SecurityAudit) API calls to read the configuration of every resource and validating each control against CIS benchmarks and Lacework-defined best practices. Misconfigured items are then reported so you can resolve them.

For example, an AWS account may contain misconfigured IAM entities, S3 buckets, and security groups. The CIS AWS Foundations Benchmark prescribes best practices for security groups, EC2 instances, IAM roles, and other resources, and Lacework displays any violations in the Lacework console's AWS compliance report and compliance dossier. A dossier contains detailed, in-context data that you can use for security auditing and remediation. Lacework can retain this data for up to 180 days.
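To make concrete what "validating each control against CIS best practices" looks like, the following is an added example (not Lacework's code) that evaluates three CIS-style checks against constructed data shaped like the boto3 responses for describe_security_groups, get_public_access_block and get_account_summary: no security group may admit SSH or RDP from the whole internet, every S3 bucket must have all four Block Public Access settings on, and the root account must have MFA and no access keys. The control ids, resource names and values are all constructed for the illustration.

```python
"""CIS-style configuration checks over constructed AWS API responses.

Added example, not Lacework's code. The input dicts mimic the shape of
boto3's describe_security_groups, get_public_access_block and
get_account_summary responses; all values are constructed.
"""
from typing import Dict, List, Tuple

ADMIN_PORTS = (22, 3389)          # SSH and RDP: the remote-admin ports the CIS control singles out
ANY_V4, ANY_V6 = "0.0.0.0/0", "::/0"
PAB_FLAGS = ("BlockPublicAcls", "IgnorePublicAcls",
             "BlockPublicPolicy", "RestrictPublicBuckets")
Finding = Tuple[str, str, str]    # (control id, resource, detail); ids are ours, not CIS numbering

# Constructed sample data shaped like the boto3 responses (no real account involved).
SECURITY_GROUPS: List[Dict] = [
    {"GroupId": "sg-0a1b2c3d", "GroupName": "web", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []}]},
    {"GroupId": "sg-0e4f5a6b", "GroupName": "bastion", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []},
        {"IpProtocol": "-1",                       # all traffic, but only from the VPC
         "IpRanges": [{"CidrIp": "10.0.0.0/8"}], "Ipv6Ranges": []}]},
]
PUBLIC_ACCESS_BLOCKS: Dict[str, Dict[str, bool]] = {
    "logs-prod": dict.fromkeys(PAB_FLAGS, True),
    "website-assets": {"BlockPublicAcls": True, "IgnorePublicAcls": False,
                       "BlockPublicPolicy": False, "RestrictPublicBuckets": False},
}
ACCOUNT_SUMMARY = {"AccountMFAEnabled": 0, "AccountAccessKeysPresent": 1}


def rule_is_open_to_world(rule: Dict) -> bool:
    v4 = any(r.get("CidrIp") == ANY_V4 for r in rule.get("IpRanges", []))
    v6 = any(r.get("CidrIpv6") == ANY_V6 for r in rule.get("Ipv6Ranges", []))
    return v4 or v6


def rule_covers_port(rule: Dict, port: int) -> bool:
    proto = rule.get("IpProtocol")
    if proto == "-1":                 # "all traffic" rules carry no port range
        return True
    if proto not in ("tcp", "6"):
        return False
    return rule.get("FromPort", 0) <= port <= rule.get("ToPort", 65535)


def check_security_groups(groups: List[Dict]) -> List[Finding]:
    """Flag any group that admits SSH or RDP from anywhere on the internet."""
    findings = []
    for sg in groups:
        for port in ADMIN_PORTS:
            if any(rule_is_open_to_world(r) and rule_covers_port(r, port)
                   for r in sg.get("IpPermissions", [])):
                findings.append(("SG-ADMIN-PORT-OPEN", sg["GroupId"],
                                 f"tcp/{port} reachable from 0.0.0.0/0 or ::/0"))
    return findings


def check_s3_public_access(blocks: Dict[str, Dict[str, bool]]) -> List[Finding]:
    """Every bucket should have all four Block Public Access settings enabled."""
    findings = []
    for bucket, cfg in blocks.items():
        missing = [flag for flag in PAB_FLAGS if not cfg.get(flag, False)]
        if missing:
            findings.append(("S3-PUBLIC-ACCESS-BLOCK", bucket,
                             "not enabled: " + ", ".join(missing)))
    return findings


def check_root_account(summary: Dict[str, int]) -> List[Finding]:
    """Root must have MFA and must not have long-lived access keys."""
    findings = []
    if summary.get("AccountMFAEnabled") != 1:
        findings.append(("IAM-ROOT-MFA", "root", "MFA is not enabled for the root account"))
    if summary.get("AccountAccessKeysPresent", 0) != 0:
        findings.append(("IAM-ROOT-ACCESS-KEY", "root", "root account has active access keys"))
    return findings


def run_all() -> List[Finding]:
    return (check_security_groups(SECURITY_GROUPS)
            + check_s3_public_access(PUBLIC_ACCESS_BLOCKS)
            + check_root_account(ACCOUNT_SUMMARY))


if __name__ == "__main__":
    for control, resource, detail in run_all():
        print(f"{control:24} {resource:16} {detail}")
```

Against the constructed data this yields four findings: the bastion group exposing tcp/22 to the world, the website-assets bucket with three Block Public Access flags off, and two root-account findings. Note that the "all traffic" rule on the bastion group is not flagged because it is scoped to 10.0.0.0/8; a real scanner must evaluate the CIDR and the port range together, not either alone.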

Additionally, Lacework ingests AWS CloudTrail, Azure Activity Log, and GCP Audit Log events and streams them to the Lacework data warehouse to build a baseline of normal behavior, which is updated hourly. From this baseline, Lacework provides detailed, in-context alerts for anomalous behavior by comparing each hour to the previous one. Anomaly detection uses machine learning to determine, for example, whether a user account accessed a specific resource for the first time, logged in from a new region, or created a new user. Lacework displays any anomalies in the Lacework console CloudTrail dossier.
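The three example anomalies above (first access to a service, a new region, creation of a user) all reduce to comparing the current hour against what the baseline has already seen for that principal. The following is an added example, not Lacework's code, that runs that comparison over a handful of constructed CloudTrail-style records. The records are a flattened subset of real CloudTrail fields, the user names are invented, and the baseline here treats everything seen in earlier hours as normal, which simplifies the hourly baselining the page describes.

```python
"""First-seen anomaly detection over constructed CloudTrail records.

Added example, not Lacework's code. Each record is a flattened subset of
real CloudTrail fields (eventTime, userIdentity.userName, eventSource,
eventName, awsRegion) and the data is constructed. The baseline treats
everything seen in earlier hours as normal, a simplification of the
hourly baselining the page describes.
"""
from collections import defaultdict
from datetime import datetime
from typing import Dict, List, Set, Tuple

Alert = Tuple[str, str, str]   # (alert type, user, detail)

# IAM actions that change who can act in the account: alert on these regardless of baseline.
PRIVILEGE_EVENTS = {"CreateUser", "CreateAccessKey", "CreateLoginProfile", "AttachUserPolicy"}

EVENTS: List[Dict[str, str]] = [
    # 09:00 hour, which becomes the baseline for the 10:00 hour
    {"eventTime": "2020-10-05T09:02:11Z", "userName": "alice", "eventSource": "s3.amazonaws.com",
     "eventName": "GetObject", "awsRegion": "us-east-1"},
    {"eventTime": "2020-10-05T09:15:40Z", "userName": "alice", "eventSource": "ec2.amazonaws.com",
     "eventName": "DescribeInstances", "awsRegion": "us-east-1"},
    {"eventTime": "2020-10-05T09:20:05Z", "userName": "bob", "eventSource": "iam.amazonaws.com",
     "eventName": "ListUsers", "awsRegion": "us-east-1"},
    # 10:00 hour: one normal event, then a new region, a new user, and a new service
    {"eventTime": "2020-10-05T10:03:30Z", "userName": "alice", "eventSource": "s3.amazonaws.com",
     "eventName": "GetObject", "awsRegion": "us-east-1"},
    {"eventTime": "2020-10-05T10:11:52Z", "userName": "alice", "eventSource": "ec2.amazonaws.com",
     "eventName": "RunInstances", "awsRegion": "ap-southeast-2"},
    {"eventTime": "2020-10-05T10:18:07Z", "userName": "bob", "eventSource": "iam.amazonaws.com",
     "eventName": "CreateUser", "awsRegion": "us-east-1"},
    {"eventTime": "2020-10-05T10:25:19Z", "userName": "alice", "eventSource": "kms.amazonaws.com",
     "eventName": "Decrypt", "awsRegion": "us-east-1"},
]


def hour_of(event: Dict[str, str]) -> datetime:
    """Truncate the CloudTrail timestamp to the hour it falls in."""
    ts = datetime.strptime(event["eventTime"], "%Y-%m-%dT%H:%M:%SZ")
    return ts.replace(minute=0, second=0)


def build_baseline(events: List[Dict[str, str]], before: datetime):
    """Per-user regions and services seen in any hour strictly before `before`."""
    regions: Dict[str, Set[str]] = defaultdict(set)
    services: Dict[str, Set[str]] = defaultdict(set)
    for e in events:
        if hour_of(e) < before:
            regions[e["userName"]].add(e["awsRegion"])
            services[e["userName"]].add(e["eventSource"])
    return regions, services


def detect(events: List[Dict[str, str]], hour: datetime) -> List[Alert]:
    """Alerts for one hour: first-seen region or service per user, plus IAM privilege changes."""
    regions, services = build_baseline(events, hour)
    alerts: List[Alert] = []
    for e in events:
        if hour_of(e) != hour:
            continue
        user = e["userName"]
        candidates: List[Alert] = []
        if e["awsRegion"] not in regions[user]:        # unknown user => empty set => fires
            candidates.append(("NEW_REGION", user, e["awsRegion"]))
        if e["eventSource"] not in services[user]:
            candidates.append(("NEW_SERVICE", user, e["eventSource"]))
        if e["eventName"] in PRIVILEGE_EVENTS:
            candidates.append(("IAM_CHANGE", user, e["eventName"]))
        for alert in candidates:                       # one alert per (type, user, detail) per hour
            if alert not in alerts:
                alerts.append(alert)
    return alerts


def run_example(hour: int = 10) -> List[Alert]:
    """Evaluate one hour of the constructed day (2020-10-05)."""
    return detect(EVENTS, datetime(2020, 10, 5, hour))


if __name__ == "__main__":
    for kind, user, detail in run_example():
        print(f"{kind:12} {user:8} {detail}")
```

For the 10:00 hour this produces exactly three alerts: alice in ap-southeast-2, bob's CreateUser, and alice's first use of KMS; her routine S3 read is silent because the baseline already contains it. Running the same logic on the 09:00 hour, before any baseline exists, flags every event, which is why a behavioral baseline needs a warm-up period before its alerts are meaningful.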

Lacework's CloudTrail, Activity Log, and Audit Log scanning also uses policy-based detection with Lacework-defined policies. These predefined policies are visible in the Lacework console, and you can enable or disable them as needed. The console also lets you suppress AWS behavior anomaly policies for particular resources, so you can tune alerts to focus on specific assets.

Workload Security

The workload portion provides process-aware threat and intrusion detection for your cloud environment and notifies you of any events through your chosen method.

After you install the Lacework agent on hosts, the agent collects select metadata from those hosts and streams it to the Lacework data warehouse to build a baseline of normal behavior, which is updated hourly. From this baseline, Lacework provides detailed, in-context alerts for anomalous behavior by comparing each hour to the previous one. Anomaly detection uses machine learning to determine, for example, whether a machine sends data to an IP address it has never contacted before, or whether a user logs in from an IP address that has not been seen before.

Workload security also uses policy-based detection. Two policy types are available: Lacework-defined default policies and custom policies. Custom policies are ones you create to check for unwanted behavior specific to your environment, for example the use of Telnet. You can enable or disable policies as needed. The Lacework console also lets you suppress host behavior anomaly policies for particular hosts, so you can tune alerts to focus on specific assets.
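The two preceding paragraphs describe two mechanisms that run side by side on host telemetry: a behavioral baseline (a machine contacting an IP it has never contacted before) and policies that can be enabled, disabled, or suppressed per host (the Telnet example). The following added example, which is not Lacework's code or policy format, runs both over a constructed list of process starts and outbound connections. The Policy structure, the policy names, the host names and the "known destination" baseline are assumptions made for this illustration; the IP addresses are from documentation ranges.

```python
"""Policy-based host detection with enable/disable and per-host suppression.

Added example, not Lacework's code or policy format. Host telemetry is a
constructed list of process starts and outbound connections; the Policy
structure, policy names, host names and the "known destination" baseline
are all assumptions made for this illustration.
"""
from dataclasses import dataclass, field, replace
from typing import Callable, Dict, Iterable, List, Set, Tuple

Event = Tuple[int, str, str, str]   # (hour, host, kind, value): kind "proc" -> exe path, "conn" -> "ip:port"
Alert = Tuple[str, str, str]        # (policy name, host, value)

EVENTS: List[Event] = [
    (9,  "web-01",   "conn", "10.0.1.5:5432"),
    (9,  "web-01",   "proc", "/usr/sbin/nginx"),
    (9,  "build-02", "conn", "198.51.100.20:443"),
    (9,  "jump-03",  "conn", "10.0.2.9:22"),
    (10, "web-01",   "conn", "10.0.1.5:5432"),
    (10, "web-01",   "conn", "203.0.113.7:443"),     # web-01 has never talked to this IP
    (10, "build-02", "proc", "/usr/bin/telnet"),
    (10, "build-02", "conn", "10.0.2.9:23"),
    (10, "jump-03",  "conn", "10.0.2.9:23"),          # legacy telnet from the jump host, known and tolerated
]


@dataclass
class Policy:
    name: str
    source: str                                       # "lacework" (default policy) or "custom"
    matches: Callable[[Event, Set[str]], bool]
    enabled: bool = True
    suppressed_hosts: Set[str] = field(default_factory=set)


def known_destinations(events: Iterable[Event], host: str, before_hour: int) -> Set[str]:
    """IPs this host connected to in any hour before `before_hour` (the behavioral baseline)."""
    return {value.rsplit(":", 1)[0] for h, hst, kind, value in events
            if hst == host and kind == "conn" and h < before_hour}


def new_outbound_destination(ev: Event, known: Set[str]) -> bool:
    """Default-style anomaly policy: the destination IP is not in the host's baseline."""
    _, _, kind, value = ev
    return kind == "conn" and value.rsplit(":", 1)[0] not in known


def telnet_use(ev: Event, _known: Set[str]) -> bool:
    """Custom policy from the page's example: a telnet binary ran, or something connected to tcp/23."""
    _, _, kind, value = ev
    return (kind == "proc" and value.endswith("/telnet")) or (kind == "conn" and value.endswith(":23"))


POLICIES: List[Policy] = [
    Policy("lacework:new_outbound_destination", "lacework", new_outbound_destination),
    # suppressed on the one host where telnet is expected, so it keeps firing everywhere else
    Policy("custom:telnet_use", "custom", telnet_use, suppressed_hosts={"jump-03"}),
]


def evaluate(events: List[Event], policies: List[Policy], hour: int) -> List[Alert]:
    """Run every enabled policy over one hour of events, honoring per-host suppression."""
    baselines: Dict[str, Set[str]] = {}
    alerts: List[Alert] = []
    for ev in events:
        h, host, _, value = ev
        if h != hour:
            continue
        if host not in baselines:
            baselines[host] = known_destinations(events, host, hour)
        for p in policies:
            if not p.enabled or host in p.suppressed_hosts:
                continue
            if p.matches(ev, baselines[host]):
                alert = (p.name, host, value)
                if alert not in alerts:
                    alerts.append(alert)
    return alerts


def run_example(hour: int = 10, disabled: Iterable[str] = ()) -> List[Alert]:
    """Evaluate the sample hour with the named policies switched off."""
    off = set(disabled)
    active = [replace(p, enabled=p.name not in off) for p in POLICIES]
    return evaluate(EVENTS, active, hour)


if __name__ == "__main__":
    for name, host, value in run_example():
        print(f"{name:36} {host:10} {value}")
```

For the 10:00 hour this yields four alerts: web-01's connection to an unseen IP, and three on build-02 (the telnet process, the connection to tcp/23 as both a new destination and a telnet policy hit). jump-03's telnet session produces nothing: its destination is in the baseline and the custom policy is suppressed for that host. Disabling the custom policy leaves only the two baseline anomalies, which is the difference between tuning by policy (global) and tuning by suppression (per asset).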

With threat feeds from ReversingLabs, Lacework can detect known-malicious IP addresses, malicious file hashes, and crypto-mining activity, and alerts you on any indicators of compromise (IOCs). Lacework displays anomalies in the Lacework console host dossiers, which present activity in the following contexts: applications, files (file integrity monitoring, FIM), machines, networks, processes, and users.

Container Security

Lacework can scan a container image before it is deployed, identify vulnerabilities in the software packages managed by the image's operating-system package manager, and report them. This lets you identify and act on software vulnerabilities in your container images and manage that risk proactively. In addition, Lacework automatically correlates assessed images with the containers running in your monitored environment, so you have continuous visibility into your software vulnerability risk.

After you integrate a container registry with Lacework, Lacework discovers all container images in the registry's repositories, scans them for software packages with known vulnerabilities, and reports the results. For each image found, Lacework also reports how many containers built from that image are currently running in your workload. The Lacework console also displays anomalies in the container dossiers, which present activity in the container and Kubernetes contexts.
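The assessment described above has two halves: matching each image's OS package versions against a vulnerability database, and joining the results to the running-container inventory so that an image running in twenty pods outranks one that is merely sitting in the registry. The following added example is not Lacework's scanner. The image package lists, the advisory "database" (placeholder EXAMPLE-* identifiers, deliberately not real CVEs), the registry references and the running-container inventory are all constructed, and the version comparison is a simplified numeric-token ordering rather than the distro's own comparator.

```python
"""Image package vulnerability assessment correlated with running containers.

Added example, not Lacework's scanner. Image package lists, the advisory
"database" (placeholder EXAMPLE-* identifiers, not real CVEs) and the
running-container inventory are all constructed. The version comparison
is a simplified numeric-token ordering; real scanners use the distro's
own version comparator (dpkg/rpm semantics).
"""
import re
from collections import Counter
from typing import Dict, List, Tuple

Finding = Tuple[str, str, str, str, str]  # (advisory id, package, installed, fixed in, severity)

IMAGES: Dict[str, Dict] = {
    "sha256:aaaa": {"ref": "registry.example.com/app/api:1.4.2",
                    "packages": {"openssl": "1.1.1d-0+deb10u3", "libc6": "2.28-10", "curl": "7.64.0-4"}},
    "sha256:bbbb": {"ref": "registry.example.com/app/worker:0.9.0",
                    "packages": {"openssl": "1.1.1d-0+deb10u6", "libc6": "2.28-10"}},
    "sha256:cccc": {"ref": "registry.example.com/app/legacy:0.1.0",
                    "packages": {"curl": "7.64.0-3"}},
}
# Constructed advisories: a package is affected when its version sorts below "fixed".
ADVISORIES: List[Dict[str, str]] = [
    {"id": "EXAMPLE-2020-0001", "package": "openssl", "fixed": "1.1.1d-0+deb10u5", "severity": "High"},
    {"id": "EXAMPLE-2020-0002", "package": "curl", "fixed": "7.64.0-5", "severity": "Medium"},
]
# Constructed inventory of running containers, keyed to the image digest they were started from.
# sha256:cccc is in the registry but is not running anywhere.
RUNNING: List[Tuple[str, str]] = [("c-1", "sha256:aaaa"), ("c-2", "sha256:aaaa"), ("c-3", "sha256:bbbb")]


def version_key(version: str) -> List[int]:
    """Simplified comparator: order by the numeric runs in the version string."""
    return [int(t) for t in re.findall(r"\d+", version)]


def is_vulnerable(installed: str, fixed: str) -> bool:
    return version_key(installed) < version_key(fixed)


def scan_image(packages: Dict[str, str], advisories: List[Dict[str, str]]) -> List[Finding]:
    """Match every advisory against the image's installed package versions."""
    findings: List[Finding] = []
    for adv in advisories:
        installed = packages.get(adv["package"])
        if installed is not None and is_vulnerable(installed, adv["fixed"]):
            findings.append((adv["id"], adv["package"], installed, adv["fixed"], adv["severity"]))
    return findings


def assess(images: Dict[str, Dict], advisories: List[Dict[str, str]],
           running: List[Tuple[str, str]]) -> Dict[str, Dict]:
    """Scan every registry image and join the result to how many containers run it."""
    in_use = Counter(digest for _, digest in running)
    return {digest: {"ref": img["ref"],
                     "findings": scan_image(img["packages"], advisories),
                     "running": in_use[digest]}
            for digest, img in images.items()}


def prioritize(report: Dict[str, Dict]) -> List[str]:
    """Vulnerable images ordered by exposure: most running containers first, then most findings."""
    vulnerable = [d for d, r in report.items() if r["findings"]]
    return sorted(vulnerable, key=lambda d: (-report[d]["running"], -len(report[d]["findings"]), d))


def run_example() -> Dict[str, Dict]:
    return assess(IMAGES, ADVISORIES, RUNNING)


if __name__ == "__main__":
    report = run_example()
    for digest in prioritize(report):
        r = report[digest]
        print(f"{r['ref']}  running={r['running']}")
        for adv_id, pkg, installed, fixed, sev in r["findings"]:
            print(f"  {sev:7} {adv_id}  {pkg} {installed} (fixed in {fixed})")
```

On the constructed data the api image carries both advisories and runs in two containers, so it tops the list; the legacy image is vulnerable but idle, and the worker image is clean because its openssl is already at the fixed version. The correlation step is what turns a registry-wide list of findings into something an on-call engineer can act on in order.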