Fortinet Lacework FortiCNAPP

We use the tool for two main purposes: vulnerability management and monitoring. We utilize it to scan all of our IAC scripts and configurations across our AWS and GCP environments. Additionally, we employ its agent to scan our compute nodes. This covers three main areas: cloud configuration, host systems, and IAC code, all essential for vulnerability management. We primarily focus on monitoring AWS CloudTrail to detect anomalous activities and risky behavior.

I find the cloud configuration compliance scanning mature. It generates a lot of data and supports major frameworks like ISO 27001 or SOC 2, providing reports and datasets. Another feature I appreciate is setting custom alerts for specific events. Additionally, I value the agent-based monitoring and scanning for compute nodes. It gives us deeper insights into our workloads and helps identify vulnerabilities across our deployed assets.

One key aspect of the agent that stands out is its capability to distinguish between active and inactive packages on compute nodes. This feature reduces the number of actionable vulnerabilities by focusing on packages actively running in the environment rather than all installed packages.

I noticed that it was quite noisy, with many alerts about things I wasn't particularly concerned about. However, over time, Lacework's anomaly detection improved by establishing baselines of normal activity. It now alerts us only when there are deviations from these baselines. Integrating with Slack was especially beneficial—I set up a dedicated Slack channel just for Lacework alerts. This allowed me to focus on the alerts that required attention.

The solution lacks a cohesive data model, making extracting the necessary data from the platform challenging. It uses its own LQL query language, and each database across different layers and modules is structured differently, complicating correlation efforts. Consequently, I had to create extensive custom reports outside Lacework because their default dashboards didn't communicate risk metrics. They're addressing these issues by redesigning their tools, including introducing the dashboard, which is a step closer to actionable insights but still needs refinement.

Regarding reporting features, the ability to create granular custom alerts remains limited. For instance, I could only filter alerts by source or type rather than selecting alerts based on specific IDs. This lack of granularity in alert management and reporting customization is a notable drawback.

I have been using the product for one and a half years. 

The solution is scalable. I rate it a nine out of ten. 

One thing I appreciated about Lacework was the support I received from their team. I regularly met with them to provide feedback on what worked well and what didn't in their modules. They took my feedback seriously, often implementing it into features, hotfixes, and interface changes. Part of the reason for this was my clear and detailed communication style.

While some customers might say, "This sucks," I made sure to explain exactly why and how I would suggest fixing it. This approach was well-received by their product managers, who valued my input. As a premium customer, I have access to account managers. Its support is very good. 

Sometimes, the support process was quite slow. While they acknowledged my tickets promptly, resolving issues could take weeks as they liaised back and forth with engineering to diagnose and determine solutions. However, the support I received from my account management and technical account management teams was very good. 

Neutral

Lacework's advantage is its ability to differentiate between active and inactive packages through the agent. Most other CNAPP solutions don't offer this capability, and competitors like Wiz don't implement it as effectively.

I've used several other platforms, such as Wiz and Prisma, and they all cover similar functionalities, such as scanning for misconfigurations in the cloud against compliance standards, monitoring IAM configurations for risks, logging and anomaly detection, host-based vulnerability scanning, and IAC code scanning. Wiz offers better reporting and ease of data extraction from datasets.

Lacework, on the other hand, is generally more cost-effective and becomes user-friendly once you're accustomed to its UI conventions. However, extracting specific data from Lacework can sometimes be challenging.

The product is very straightforward to deploy across an entire AWS or GCP organization. They offer automation via Terraform and CloudFormation templates, which allow deployment across all accounts with the appropriate permissions. As for Azure, I'm unsure about its compatibility.

You can expect ROI from vulnerability management. 

My smaller deployments cost around 200,000 a year, which is probably not as expensive as Wiz.

I rate the overall product a seven out of ten.