Lacework agentless workload scanning just got a major upgrade. As of August 2023, Lacework customers can now use this feature to gain more visibility over their cloud estate. Agentless workload scanning can now:Support scanning of container images managed by Containerd runtime Be integrated with Google Cloud Scan multiple/secondary volumes on hosts Scan stopped instancesLacework is also rolling out advanced threat detection capabilities. Now, in public preview, customers can reduce the time between alert detection and alert generation for high-confidence events with the platform’s new Near Real-Time Alerting Solution. Visit this Docs page to see a roundup of all the month’s product releases.
Starting in July, customers with Amazon Linux environments can expect more around vulnerability management. The platform can now track Amazon Linux vulnerabilities by CVE IDs, rather than ALAS. Amazon Linux 2023 is also now supported for vulnerability scanning.Customers can benefit from loads of enhancements, now available in Public Preview. These include:MITRE ATT&CK tagging: Now in Lacework alerts, users can see MITRE ATT&CK tags that correspond with the potential threat. Amazon GuardDuty + composite alerts: Users can now enrich the platform’s composite alerts with Amazon GuardDuty data.’ Lacework + Security in Jira integration: Lacework now supports Security in Jira integrations, where you can view, prioritize, and track remediation of vulnerabilities from your active image repositories. Visit this Docs page to see a roundup of all the month’s product releases.
In June, Lacework took steps to make risk management even easier for users.The Lacework Remediate CLI can help users swiftly resolve a wide range of compliance issues within their AWS infrastructures using a set of pre-build remediation templates. These templates assess each alert and provide command-line remediation guidance specific to that feature. Active filters now influence the Open vulnerabilities chart for hosts and containers, and all active filters on the Host and Container Vulnerability pages now propagate to CSV reports.Visit this Docs page to see a roundup of all the month’s product releases.
Hi,Looking for some advice.Basically with-in lacework kubernetes , looking to see which pods & nodes are accessible from internet ( inbound from internet). What i found so far is we can use Resources → Kubernetes → Pod Network → External connections . You can select all columns and download a CSV. There is a similar view for actual nodes as well. Node→ Kubernetes → Node Network → Node External Connections I am not 100% sure if this is accurate. Also this does not tell what ports are open for inbound connections ( some of the ports listed are >65k which seems to be odd as well)Wondering if anyone had figured out the correct way to “Identify Internet accessible nodes and container pods ( inbound from internet)?”. Thanks in advanceAgentLinux 6.6XPlatformUsing Lacework/OperationalizingCloudGCP
First of all, love the new Lacework community. Thank you for building it and the invitation. In my opinion, there is a security flaw in the current implementation of Portal SSO when it interacts with the community. Currently, when the user login to the community page, the user been granted the whole access to the portal page https://portal.lacework.com/app/UserHome The logout functionality appears to have a flaw as it allows users to easily log back in without entering any username or password credentials. This poses a security risk and needs to be addressed.Moreover, an effective example of Single Sign-On implementation can be seen with Okta and Jira. In this case, users are unable to access Okta through the Jira login, ensuring a more secure authentication process. Since the Lackwork portal and/or community page is perpetually logged in, an attacker has the potential to manipulate any settings within the system(e.g. XSS or phishing). This poses a significant security risk as unautho
Another exciting week for Lacework! Here are some of the top stories of the week: TSB Bank selected our platform for multicloud security CEO Jay Parikh joined tech leaders on NYSE's Future in Five We announced our new detection capabilities We released a new episode of the Code to Cloud podcast with Upvest CSO Sebastien Jeanquier @Merritt Baer wrote a guide to help CISOs navigate their first 90 days @juliensobrier wrote a blog explaining how Lacework detects Kubernetes attack techniques We published a new edition of the Code to Cloud Monthly DigestAgentN/APlatformDeploy Lacework/InstallationCloudN/A
I only want to see vulnerabilities for hosts that have been running in last 8 hours in my vulnerability reports. How can I craft my API calls to achieve this? AgentN/APlatformN/ACloudN/A
Risk is a hard thing to quantify at times. But I think having a good understanding of your security risk can elevate the conversation at the executive level. It can tie security problems to business outcomes, which can ultimately help make a stronger security program and get more budget. How do people quantify risk in your organization? AgentN/APlatformUsing Lacework/OperationalizingCloudN/A
The api.lacework.net agent url will retire on October 31, 2023, and will be replaced with agent.lacework.net.Is there a way to have the agent change its own target? Is there a way to get a report on which IP addresses are using the old endpoint before the retirement?AgentN/APlatformUsing Lacework/OperationalizingCloudAWS
How have you and your team leveraged the Lacework API to develop automation that effectively replaced a manual Lacework process within your organization? Please share your success story! AgentN/APlatformUsing Lacework/OperationalizingCloudN/A
Hi everybody:Today Lacework is launching a host of new enhanced threat detection upgrades aimed at improving alert quality and speed, Enhancements include:Improved composite alerts that capture more signals and reduce noise Better threat intelligence that considers Indicators of Compromise (IoC) and severity Faster detections with improvements to mean time to detect (MTTD) and mean time to react (MTTR) Better mapping of treats to industry frameworks like MITRE ATT&CKCheck out our blog post covering the updates here.
This week, Snowflake and Lacework reaffirmed our strategic partnership: Two companies and technologies that can support the volume, velocity, and variety of cloud data. This is our signal that we are committed to securing cloud environments no matter how large they become. Check out the news in the links above! AgentN/APlatformUsing Lacework/OperationalizingCloudN/A
From securing accolades to expanding partnerships, there's a lot going on at Lacework. Here are a few highlights from the week: We topped the charts in the G2 Fall reportsLacework landed in the Leader quadrant across 7 different categories in the G2 Fall Reports.Join us for AWS GameDay in Palo Alto on Sept. 26 We’re getting excited for our upcoming Lacework and AWS GameDay, where you can solve real-world problems in a gamified risk-free environment. Register now to join us! We expanded our partnership with SnowflakeWe recently announced the expansion of our partnership with Snowflake. Through the combined use of our platform and Snowflake's Data Cloud, our customers can now extend the benefits of cloud security data to other areas of their business. AgentN/APlatformDeploy Lacework/InstallationCloudN/A
Welcome to the communityHi everyone 👋🏼! If you’re here it’s because you want to build better cloud security — alongside all your peers. We’re excited to have you and look forward to some great discussions. This is the perfect time to introduce yourself and offer up a fun fact. Don’t be shy — it will help you connect with others, I promise. Happy hunting and happy connecting!
LQL Overviewhttps://docs.lacework.net/lql/restricted/lql-overviewThe Lacework Query Language (LQL) is an SQL-like query language for specifying the selection, filtering, and manipulation of data. Queries let you interactively request information from curated datasources. Queries have a defined structure for authoring detections.LQL enables you to find non-compliant resources or suspicious activity by querying data ingested from cloud providers, Kubernetes, CloudTrail activity logs, and the Lacework agent. Then you can associate queries with policies, which contain rich reporting metadata. LQL Operatorshttps://docs.lacework.net/lql/restricted/lql-operatorsLQL uses conventional SQL notation for arithmetic, comparisons, and logical operations. LQL Functionshttps://docs.lacework.net/lql/restricted/lql-functionsThis topic lists all Lacework Query Language functions alphabetically. Datasource Metadatahttps://docs.lacework.net/lql/restricted/datasource-metadataThis topic lists the datasources
In case you and your team want to explore the existing LQL (Lacework Query Language), the output from lacework query list --json, can be processed with a combination of grep and sed to output a single file that lists all of the Out-Of-The-Box LQL Queries (with the properly formatted LQL). A single file will enable you toCopy and Paste specific LQL queries into a file to run with lacework query run -f <FILENAME>.lql. Search across ALL examples by Data Source Functions Keywords Operators % lacework query list --json | grep "queryId\|queryText" | sed 's/\\n}",/\n }\n/g; s/\\n/\n/g; s/",$//g; s/^ "queryId": "/\n---\nqueryId: /; s/^ "queryText": "/queryText: |-\n /g;' | less -O lacework.query.list.lql---queryId: LW_Global_AWS_CTA_AccessKeyDeletedqueryText: |- { source { CloudTrailRawEvents } filter { EVENT_SOURCE = 'iam.amazonaws.com' and EVENT_NAME = 'DeleteAccessKey' and ERROR_CODE is null } return distinct { INSERT_ID,
Hello, I would like to know if it is possible to track updates / deletion of a Registered Domain in Route 53 through Cloudtrail x Lacework.As this ressource is critical, the alarm must be immediately raised. Thank you for your assistance. Lucas AgentAgentless (Workload Scanning)PlatformTuning Lacework/CustomizationCloudAWS
I would like to run the Lacework agent as a sidecar in my ECS Fargate cluster. I followed the documentation here to add the datacollector sidecar container into my task definition. When the task starts, I can see both my application and the datacollector containers. The datacollector container starts and stops, then my application container starts and runs. Is this expected? AgentLinux 6.6XPlatformDeploy Lacework/InstallationCloudAWS
Hey everyone,I wanted to share something valuable with the community, especially since a few customers have inquired about this recently. We all know the significance of staying a step ahead in the cybersecurity landscape, and this is a step in that direction.LOLDrivers is a well-curated list of Windows drivers that adversaries commonly use to bypass security measures and execute attacks. It has been used quite often by many threat actors: https://cybernews.com/security/bring-your-own-vulnerable-driver-attack/.I've crafted a script that automatically fetches the latest malicious hashes from the LOLDrivers project and builds an LQL rule, which can be seamlessly deployed in your Lacework environment. This script serves as a tool to monitor and detect malicious drivers in real-time within your infrastructure.Here's how you can integrate this into your Lacework setup:1. Get the Script: Grab the script from this link. 2. Deploy the LQL Rule: Use the Lacework CLI with the following command
Looking to get feedback on what types of reports or report data points must uesrs really care about or help them in there work flow.There is lots of data there but what do you really want to see and how would you like to see it AgentN/APlatformUsing Lacework/OperationalizingCloudN/A
If I’m getting a lot of medium-level alerts for things that aren’t that big a deal for our organization, how do I set them to Low or Info? AgentN/APlatformCurrentCloudAWS
AgentN/APlatformCurrentCloudN/A
Details
Better detection for Compromised Credentials and Cloud-Native Ransomware - these are the two initially targeted detection use cases Automatically combines events from many detection sources Provides a single, actionable “story” on cloud activity (vs multiple isolated alerts) Provides improvements in: cross-model detections, leveraging domain knowledge at scale, scaling up detection services, and incorporating user feedbackFind out more here:https://docs.lacework.net/console/introduction-to-composite-alerts AgentN/APlatformUsing Lacework/OperationalizingCloudAWS
Lacework’s CIEM is likely new to you, but for those of us that have used CIEM-like solutions elsewhere, you will immediately note ways to accelerate the march toward Zero Trust and Least Privilege absent those other solutions. Operationalizing CIEMHow often is the first step of operationalizing something to “do nothing, sit back and enjoy.” That is where I like to start discussions of CIEM. Why? Once CIEM is enabled (did you have your CSM, PS, or SE enable it in your GUI with your tenant’s unique organizational GUID?). Thats it ! Lacework automatically moves through configuration and log data to profile all your resources and ownership including net-effective permissions (say goodbye to those spreadsheets). Then, Lacework relies upon an automatic composite alert to fire. These provide high efficacy context signals of privilege escalation and enumeration of anomalies. Why do I start here? Because, most customer risk and IAM managers say they already have Identity and access handled by v
Already have an account? Login
Enter your username or e-mail address. We'll send you an e-mail with instructions to reset your password.
Sorry, we're still checking this file's contents to make sure it's safe to download. Please try again in a few minutes.
Sorry, our virus scanner detected that this file isn't safe to download.
