Fortinet Lacework FortiCNAPP

We use the tool for two main purposes: vulnerability management and monitoring. We utilize it to scan all of our IAC scripts and configurations across our AWS and GCP environments. Additionally, we employ its agent to scan our compute nodes. This covers three main areas: cloud configuration, host systems, and IAC code, all essential for vulnerability management. We primarily focus on monitoring AWS CloudTrail to detect anomalous activities and risky behavior.

I find the cloud configuration compliance scanning mature. It generates a lot of data and supports major frameworks like ISO 27001 or SOC 2, providing reports and datasets. Another feature I appreciate is setting custom alerts for specific events. Additionally, I value the agent-based monitoring and scanning for compute nodes. It gives us deeper insights into our workloads and helps identify vulnerabilities across our deployed assets.

One key aspect of the agent that stands out is its capability to distinguish between active and inactive packages on compute nodes. This feature reduces the number of actionable vulnerabilities by focusing on packages actively running in the environment rather than all installed packages.

I noticed that it was quite noisy, with many alerts about things I wasn't particularly concerned about. However, over time, Lacework's anomaly detection improved by establishing baselines of normal activity. It now alerts us only when there are deviations from these baselines. Integrating with Slack was especially beneficial—I set up a dedicated Slack channel just for Lacework alerts. This allowed me to focus on the alerts that required attention.

The solution lacks a cohesive data model, making extracting the necessary data from the platform challenging. It uses its own LQL query language, and each database across different layers and modules is structured differently, complicating correlation efforts. Consequently, I had to create extensive custom reports outside Lacework because their default dashboards didn't communicate risk metrics. They're addressing these issues by redesigning their tools, including introducing the dashboard, which is a step closer to actionable insights but still needs refinement.

Regarding reporting features, the ability to create granular custom alerts remains limited. For instance, I could only filter alerts by source or type rather than selecting alerts based on specific IDs. This lack of granularity in alert management and reporting customization is a notable drawback.

I have been using the product for one and a half years. 

The solution is scalable. I rate it a nine out of ten. 

One thing I appreciated about Lacework was the support I received from their team. I regularly met with them to provide feedback on what worked well and what didn't in their modules. They took my feedback seriously, often implementing it into features, hotfixes, and interface changes. Part of the reason for this was my clear and detailed communication style.

While some customers might say, "This sucks," I made sure to explain exactly why and how I would suggest fixing it. This approach was well-received by their product managers, who valued my input. As a premium customer, I have access to account managers. Its support is very good. 

Sometimes, the support process was quite slow. While they acknowledged my tickets promptly, resolving issues could take weeks as they liaised back and forth with engineering to diagnose and determine solutions. However, the support I received from my account management and technical account management teams was very good. 

Neutral

Lacework's advantage is its ability to differentiate between active and inactive packages through the agent. Most other CNAPP solutions don't offer this capability, and competitors like Wiz don't implement it as effectively.

I've used several other platforms, such as Wiz and Prisma, and they all cover similar functionalities, such as scanning for misconfigurations in the cloud against compliance standards, monitoring IAM configurations for risks, logging and anomaly detection, host-based vulnerability scanning, and IAC code scanning. Wiz offers better reporting and ease of data extraction from datasets.

Lacework, on the other hand, is generally more cost-effective and becomes user-friendly once you're accustomed to its UI conventions. However, extracting specific data from Lacework can sometimes be challenging.

The product is very straightforward to deploy across an entire AWS or GCP organization. They offer automation via Terraform and CloudFormation templates, which allow deployment across all accounts with the appropriate permissions. As for Azure, I'm unsure about its compatibility.

You can expect ROI from vulnerability management. 

My smaller deployments cost around 200,000 a year, which is probably not as expensive as Wiz.

I rate the overall product a seven out of ten. 

We are covering cloud security posture management and run-time detection as well, so there are two flavors. It is also used for inventory purposes. We are probably using all the capacity of the tool. We have the agents deployed in our environment, and we are also covering all of the cloud environments with the Cloud Security Posture Management version.

First of all, alert reduction is helping us to be focused on other things that matter. The other thing is in regards to visibility. What we found is that Lacework is super easy to deploy in Kubernetes environments and other environments. You can get super quick visibility into what is going on in your environment. Even though it has a behavioral engine, and it takes a couple of hours to consolidate the information and present that to you, it is pretty quick. We have a huge environment, it is great for us.

Lacework saves us a lot of money because in terms of the ingestion of data or in terms of the way AWS, GCP, and other cloud providers are sending logs into Lacework, if we have to ingest the data in our SIEM, for instance, it is going to cost us a lot of money. Having Lacework in the middle, ingesting the data, processing the data, and providing us with the right information is super valuable, at least from a cost perspective. I know every company would like to have all the logs in the SIEM or store them somewhere in their environment, but that is an advantage that I recognize in Lacework. The data is good. We can see the data that we want.

It is good for helping us view our environment from an attacker’s perspective. One of the things that they introduced recently is Attack Path. Previously, we needed to go to two or three places to figure out what was going on in our environment. Even though we had alerts from Lacework that gave us a lot of information, we sometimes needed to go to other places to make sure that we fully understood the context of the data alert. Lacework has introduced Attack Path which helps us a lot to identify the activity from the beginning to the end.

It has the ability to monitor configurations continuously. This capability is important, but we have complementary tools that monitor the configuration of certain files.

We have reduced the alert noise by 60% to 70%. We needed an opportunity to focus on projects and improve our controls elsewhere. We also wanted to focus on improving our detection capabilities because the network is providing a subset of alerts that are helpful, but we also need to think about all those things that we need to do in our environment, such as make a list of some use cases from an attacker's perspective and see if we can catch the event. We have threat intelligence as well. We can see whether we have a particular type of threat in our environment. There is vulnerability management as well. The combination of those factors is what we are currently doing. We can focus on these things.

Lacework helped save time by reducing our manual tasks. Lacework is providing us with comprehensive data or some set of data to see what is going on. In the past, we were doing that manually. We had to go to other places to understand what was going on, so Lacework helped us on that front. That was the most important saving of manual tasks.

It also has helped us to free up existing resources. The number of people that I had initially on the on-call rotation is less because of it. I could take out those people for other projects. That is the huge value that I saw from Lacework. As long as we reduce alerts, we will have time to focus on other things. In terms of human resources, people are more focused on other things.

Lacework has absolutely helped to reduce our organization's breach risk. Our company is super focused on protecting customer data. We are storing data in several cloud providers' object storage. With Lacework, especially with Cloud Security Posture Management, there is a compliance part where we can see how many object storages are exposed to the Internet. Whenever we have any event, we can identify that properly and immediately take action. That is how we reduce the risk in cloud providers. We take customer data super seriously, and we were able to identify all the alerts for the public object storage or for those that we had already but did not know.

Lacework has been helpful for spotting critical weaknesses. The most important thing is our customer data. It has helped us a lot, and it is super valuable.

Lacework is helping a lot in reducing the noise of the alerts. Usually, whenever you have a tool in place, you have a lot of noise in terms of alerts, but the time for an engineer to look into those alerts is limited. Lacework is helping us to consolidate the information that we are getting from the agents and other sources. We are able to focus only on the things that matter, which is the most valuable thing for us. It saves time, and for investigations, we have the right context to take action. 

Its integrations with third-party SIEMs can be better. That is one of the things that we discussed with them. We have integrations, for instance, with Splunk. The data that we are receiving in Splunk is huge, and it is valid because Lacework has a bunch of data that they can provide to you. However, to be able to import the data and create alerts, we needed to do some work, so integration is one of the things that they can improve. 

For container security, how they scan images and how they provide results is something that they need to continue improving in terms of visibility. We already have visibility to several artifacts, but they can take that to the next level and see what else they can do. There can be better integrations with CI/CD pipelines. There can be improvements in terms of how we can take action or how we can report from the number of inventories they are providing to us.

I have been using Lacework for about four years.

It is stable. We sometimes experienced slowness when the objects were loading in the console, but it was related to something internal. Overall, it is good.

It is scalable. We have multiple locations. We have about 10 data centers on-premises. We have deployed agents in all of them. We also have cloud providers such as AWS, GCP, Azure, and OCI. It is a pretty big environment with more than 8,000 assets to monitor, more than 45 cloud provider accounts, and about 10 on-prem data centers. It is only used by the security team. There are 10 to 15 people.

Their technical support is good. We have a Slack channel. We have monthly meetings. We have a dedicated customer success manager. He is taking care of all of the tickets that we are creating. We have probably opened five cases so far, and they were able to resolve them all. It might not have been at the pace that we were expecting, but in the end, they are supportive. I would rate them an eight out of ten.

Positive

We have used a lot of solutions. We had Sysdig. We had something from Rapid7. We had Prisma Cloud as well. Lacework stands out in reducing the alert noise, having the right context for investigations, and saving time. That was the main driver for us to switch to Lacework.

If I have to compare Lacework with other tools, it covers the basis, but from the detection perspective, when you combine different portions of the data that you are receiving and create a comprehensive alert for your analysis, that is the advantage that we have from Lacework against others. That is great because we are only focused on the things that we need to fix.

It is a cloud solution. I was involved in its deployment from the beginning. I started with the definitions of the success criteria that I was going to use with the team. I had the team implement it, and I was supervising. I was practically aware of every single aspect of this work.

Its initial deployment was super straightforward. It was super easy. It also depends on how your infrastructure is managed. In our case, it was easy to deploy the agents. For the entire environment, it took us four days. There were three to four people involved.

In terms of maintenance, from our side, only the agents need to be maintained. It requires us to download the new version of the agent and deploy it. Cloud Security Posture Management does not require any maintenance from our side. They are doing that by themselves.

We have seen an ROI. It has been three to four years since we have been using the tool. If we had gone to another tool in the past, we would have been spending a lot of money and resources as well.

It is slightly expensive. It depends on how big your environment is, but it is expensive. Right now, we are spending a lot of money. We have covered all of the cloud providers and most of our colocation facilities as well, so we cannot complain, but it is slightly expensive. It is not super expensive.

To those evaluating this solution, I would advise identifying the requirements of the company and having a clear understanding of the success criteria and the use cases that they want to cover. After that, they can do a PoC. Identify the right number of systems that you want to go over the cloud environments and then move to production. Take Lacework's support for production deployment. It is important.

I would rate Lacework a nine out of ten.