Technology Operations Lead at a computer software company with 11-50 employees
Real User
Apr 2, 2023
Continuously monitors our compliance, and automation eliminates need for team of people
Pros and Cons
  • "The most valuable feature, from a compliance perspective, is the ability to use Lacework as a platform for multiple compliance standards. We have to meet multiple standards like PCI, SOC 2, CIS, and whatever else is out there. The ability to have reports generated, per security standard, is one of the best features for me."
  • "A feature that I have requested from them is the ability to sort alerts and policies based on a security framework. Right now, when you go into alerts, you have hundreds and hundreds of them that you have to manually pick. It would be useful to have categories for CIS Benchmark or SOC 2 and be able to display all the alerts and policies for one security framework."

What is our primary use case?

We use it mostly for compliance and also to get better insight into our security posture as a company.

How has it helped my organization?

The biggest benefit is the automation because we are a small team of only six people. We are part of a bank, something like an internal startup company. So while we are a small team, we have to support a lot of users. Having to do all the things that Lacework does for us would require a whole team of people, and probably 24/7. We would need a SOC team to monitor everything, and people who would respond to things continuously and validate the alerts compared to the actual cloud infrastructure. But Lacework does all of that for us. All we have to do is integrate it with our cloud environment and it does 95 percent of the work, so it's quite a cost-effective solution.

And in the last six months, we have been able to reduce alerts by a good 20 percent. The reduced alerts mean our Lacework security policies are more effective and we spend less time reacting to alerts. Obviously, the fewer alerts you have, the less time you have to spend dealing with them. Regardless of what type of alert you receive, you have to acknowledge every single one. So a 20 percent reduction in alerts equals a lot of free time for me to spend on something else.

What is most valuable?

The most valuable feature, from a compliance perspective, is the ability to use Lacework as a platform for multiple compliance standards. We have to meet multiple standards like PCI, SOC 2, CIS, and whatever else is out there. The ability to have reports generated, per security standard, is one of the best features for me. In the portal, you can go to reports and pick any security framework, any standard, like PCI DSS, for example. It will automatically generate a report on your security posture for your entire infrastructure, based on that security framework, which is really useful. Otherwise, I would have to do all that manually. It has definitely helped save time. 

And one of the reasons we adopted Lacework was the continuous monitoring of our configurations, as well as the ability to adapt and the scalability that it offers. The continuous monitoring is one of the major things that alleviates some of the pressure on our team. It's one of the most useful features. It's essential and, without it, it wouldn't be of much use to us in the context of compliance. It needs to continuously monitor all the changes, and that is what it is doing quite well.

It does so much in terms of security assessments that would require a lot of effort, with multiple other tools that are available on the market, to compensate for what Lacework offers. It does a lot and offers a lot of features packaged into one solution.

We use it in the public cloud, on GCP and Microsoft Azure. That's another aspect that is really good, that you can so easily integrate it into a multi-cloud environment.

What needs improvement?

What they could improve is communicating their changes to customers. Most changes are being communicated through the Lacework portal, whereas I would appreciate it if those changes were communicated through a personalized email, with generous advanced notice, before they actually implemented them. 

For example, to understand the context, last year just before Christmas, when we stopped working during the last two weeks in December, they introduced API changes. When I came back to work in the first week of January, lots of things broke in our CI/CD pipelines because they weren't working with the old API version.

Another thing that I would like, a feature that I have requested from them, is the ability to sort alerts and policies based on a security framework. Right now, when you go into alerts, you have hundreds and hundreds of them that you have to manually pick. It would be useful to have categories for CIS Benchmark or SOC 2 and be able to display all the alerts and policies for one security framework. The filtering of alerts could be improved.

Buyer's Guide
FortiCNAPP
May 2026
Learn what your peers think about FortiCNAPP. Get advice and tips from experienced pros sharing their opinions. Updated: May 2026.
893,311 professionals have used our research since 2012.

For how long have I used the solution?

I've been using Lacework for about six months.

What do I think about the stability of the solution?

It's fairly stable. I've only come across one issue, which was the API problem, but that didn't impact the existing integrations. In terms of stability, it's fairly good. We haven't noticed any issues at all.

What do I think about the scalability of the solution?

It scales very well. We add resources almost on a weekly basis and there's virtually no work required on our side.

We monitor about 150 people with Lacework.

How are customer service and support?

I contacted their support in the first week of January when we had that issue with the API, and that was sorted out fairly quickly. They're very responsive and quite good when it comes to technical help.

We have monthly catch-up meetings. They're quite good in the sense that they offer a lot of advice and suggestions, and they're quite responsive when you need help. They're always happy to help, which I appreciate a lot. Anytime I have doubts about alerts, or have a question, I can contact them. Or, if they proactively have a suggestion for us, they will reach out and we'll just get it sorted. We constantly work on updating our alert and policy strategies.

What was our ROI?

From my perspective, there's an immediate return on investment because, as I mentioned, you would need a team of people to deal with these sorts of things, whereas Lacework does most of the hard labor for you. Just by adopting Lacework as a solution, you eliminate the need for having a team of people. One person can do it.

What other advice do I have?

My advice is that it's very important to understand what you have and where you want to get to. You can use Lacework in many ways, and one of the ways you can use it is to assess the security posture of your infrastructure. If you understand what your security requirements are, you will better understand how to get the most out of Lacework.

Lacework provides insight, to some extent, for viewing our environment from an attacker's perspective, because every alert is broken down into the steps someone took to get to the point where it generated the alert. That way, you get some insight into how someone would approach hacking the infrastructure. But it obviously doesn't offer as much detail as a pen test would.

Because of the way we use Lacework, integrated with public cloud providers, every time we create an environment in the public cloud, we have to create an integration with Lacework. We do that through Terraform, using the principle of infrastructure as code. The maintenance comes in when Lacework makes API changes on their end. If the API changes in such a way that it's not compatible with our code, then we have to update it. But that happens rarely. It has only happened once in the last six months.

Overall, I rate Lacework at 10 out of 10. I've been really happy with it.

Which deployment model are you using for this solution?

Public Cloud
Disclosure: PeerSpot contacted the reviewer to collect the review and to validate authenticity. The reviewer was referred by the vendor, but the review is not subject to editing or approval by the vendor.
PeerSpot user
Robert Croteau - PeerSpot reviewer
Director of Enablement at Avesha
Real User
Dec 20, 2022
It provides a good overview of our security posture
Pros and Cons
  • "The most valuable feature is Lacework's ability to distill all the security and audit logs. I recommend it to my customers. Normally, when I consult for other customers that are getting into the cloud, we use native security tools. It's more of a rule-based engine."
  • "Lacework lacks remediation features, but I believe they're working on that. They're focused on the reporting aspect, but other features need to improve. They're also adding some compliance features, so it's not worth saying they need to get better at it."

What is our primary use case?

Lacework is a cloud security platform. We have multiple cloud providers, and we're ingesting the logs from each. About six people at my company use Lacework. 

How has it helped my organization?

Lacework provides a good overview of our security posture. We also use the Kubernetes agent because our software is a Kubernetes-based application. The Lacework polygraph offers nice visibility into the workloads on Kubernetes.

There are no applications out there that let you look at the workload in Kubernetes from the cluster to the namespace, pod, and images. From that image, you can see any connections going out. 

What is most valuable?

The most valuable feature is Lacework's ability to distill all the security and audit logs. I recommend it to my customers. Normally, when I consult for other customers that are getting into the cloud, we use native security tools. It's more of a rule-based engine. 

They have to go in and put their policies in place. It's hard for them to implement that, especially if they don't have a real security team. The team's policymakers don't do anything. Lacework takes out all the noise and gives them bits of things that actually matter with the application after it learns the behavior.

What needs improvement?

Lacework lacks remediation features, but I believe they're working on that. They're focused on the reporting aspect, but other features need to improve. They're also adding some compliance features, so it's not worth saying they need to get better at it.

Also, they do image scanning for security vulnerabilities. They would have a full cloud security package if they could compete with Snyk or Qualys by providing vulnerability scanning for VMs.

For how long have I used the solution?

I've been affiliated with Lacework for three or four years.

What do I think about the stability of the solution?

I've never experienced an outage or a hangup or even anything in the UI that says, "Still processing, give us a moment." 

What do I think about the scalability of the solution?

I rate Lacework 10 out of 10 for scalability. I haven't run into any scaling issues.

How are customer service and support?

Lacework support is awesome. They get right back to me. The account guys are also super responsive.

Which solution did I use previously and why did I switch?

 I've used all the cloud platforms, including GCP and AWS, so we used CloudWatch and Security Command Center.

How was the initial setup?

Setting up Lacework was straightforward. I've deployed it both ways. I did it manually, which took a little time to go through the documentation. I used Terraform scripts the second time. Deployment took me 15 minutes. It's on the cloud. I'm using Google and AWS. 

What was our ROI?

You get a return from Lacework.

What's my experience with pricing, setup cost, and licensing?

Lacework's price isn't too bad. I would rate it seven out of 10 for affordability.

Which other solutions did I evaluate?

As a consultant, I've seen all the products, and I was working with Lacework when it came out. They only supported AWS at the time, so I didn't what they could do. I recommend Lacework to other customers because I have customers who generate 30,000 alerts daily on GCP. I recommended Lacework, and we ripped out Security Command Center. With Lacework, they were getting maybe 15 alerts instead of 25,000.

What other advice do I have?

I'm a fan, so I rate Lacework 10 out of 10. I recommend implementing it immediately. If you have a security team writing rules and trying to enforce them the old-fashioned way, that's a lot of man-hours. If they were to have a breach, not only the security team would be impacted but also the administrators. They have to go through the logs and parse them to figure out how many things were touched. You have to look through the VMs, load balancers, and other pieces of the infrastructure. You would need to put it in a spreadsheet and write a script to go through it. It's a pain.

With Lacework, it's all there in one fell swoop, and you can go through all the logs. However, if you are a rules-based person, Lacework has the features to do that too. You can add some specific rules that aren't part of the normal CIS benchmarks and stuff that is already in the posture. You're getting scanned across the CIS benchmarks whether or not you implement them. You can also go in there and switch those values around to meet whatever your organizational goals are.

Disclosure: My company does not have a business relationship with this vendor other than being a customer.
PeerSpot user
Infosec Engineer - Lead at a tech vendor with 1,001-5,000 employees
Real User
Dec 29, 2022
Helps us detect things based on severity and to focus on the critical and high-severity issues
Pros and Cons
  • "There are many valuable features that I use in my daily work. The first are alerts and the event dossier that it generates, based on the severity. That is very insightful and helps me to have a security cap in our infrastructure. The second thing I like is the agent-based vulnerability management, which is the most accurate information."
  • "I would like to see a remote access assistance feature. And the threat-hunting platform could be better."

What is our primary use case?

We use it mainly for detection and response purposes. We have also started using Lacework as our vulnerability management tool, which is most important for our organization. We don't have any kind of security layer for all our cloud infrastructure so we are using Lacework as a security product for our cloud infrastructure.

How has it helped my organization?

When I joined this organization, Lacework was being onboarded. It was in setup mode. If I compare the visibility I have had over those last 10 months with Lacework, with what visibility was like before, I now have complete visibility into my entire infrastructure. If anything happens, Lacework will definitely catch it. That is very efficient and I'm able to react before the attack.

An advantage that Lacework gives us in our environment is that it covers a vast majority of use cases, which helps us to detect things based on severity, and it helps us to have more focus on those issues. For example, last week we had an alert that said that there was an external connection made from an internal server, and our internal servers are not supposed to communicate with the external, because it's behind the VPN and it's behind the firewall. That should not happen, but it was happening. A good detection rule helped us.

In terms of seeing things from an attacker's point of view, a couple of weeks back I received an alert that a user with root permission had logged in and tried to do something he is not supposed to do, which means he didn't have admin permission. I also received an alert about policy changes. I got the user ID and did a reverse lookup in my database to find out who the user was and his department. I reached out to him and I asked him about it, and it turned out he was doing a red team activity and testing Lacework. Red team activity is very difficult to detect, but Lacework did a very good job on that.

And for continuous monitoring, we have created a kind of dashboard, although not a complete dashboard. Lacework has a better dashboard. Our major priority is to look into critical, high, and medium alerts, which we never miss. We continuously monitor for high-priority alerts. It shows us those by default in the Lacework dashboard. That helps in our daily monitoring.

With Lacework, the alert flow has been reduced a little bit, about 6 percent, but attackers never sleep. We have a lot of alerts coming in, day in and day out. It's now Christmas time and this is the perfect time for attackers to try to target an organization because, as they know, the response team will be outnumbered. In addition, Lacework has reduced the time it takes us in an investigation by 70 to 80 percent because it keeps complete information. That means we don't have to verify where the information came from. Rather, we can use that information in our investigation.

It helps free us up to work on other tasks. We can create custom rules to eliminate false positive alerts. These are the gray areas that we have started exploring and that gives us time to work on other stuff.

What is most valuable?

There are many valuable features that I use in my daily work. The first are alerts and the event dossier that it generates, based on the severity. That is very insightful and helps me to have a security cap in our infrastructure. 

The second thing I like is the agent-based vulnerability management, which is the most accurate information. It helps us to know what the security gaps or weaknesses are in the systems and to patch them. Finding a critical weak spot is one of the best features, with the agent-based scanner. We can check it out, based on a filter of the host or container, get the vulnerability report for that particular host, and just share it with the DevOps team to patch.

For anomalous activities, Lacework has a good set of rules for detection and it gives super-informative alert information. For example, when an issue is detected that results in an alert, it doesn't just give the details. It also explains clearly what is happening, with "WH" questions. In the alert, if you click on "Why this alert has been detected," there is a clear explanation for it. Next, you can click on, "When," and it gives the time range of the detection time. The next is "What has been impacted?" That kind of accurate information means we don't have to look around or worry about the source of the information or the legitimacy of the alert.

What needs improvement?

I would like to see a remote access assistance feature. And the threat-hunting platform could be better.

For how long have I used the solution?

We have been using Lacework for about 10 months.

What do I think about the stability of the solution?

It's a stable product compared to the initial days that we had it. They are doing much better because they are also conducting frequent webinars on how to use new features whenever an update comes out. 

We haven't faced any issue, like a Google outage, in the last 10 months. It's really good. I do see a little lag but it could be because of my internet connection since I'm working from home.

What do I think about the scalability of the solution?

We use all the cloud environments, Azure, GCP, and AWS, and have deployed Lacework for all three. We have approximately 50 people who use it, on and off.

How are customer service and support?

Even though here and there there are some problems with the solution, whenever we address the issues with the Lacework team, they're always ahead of it in their response and they always are supportive. 

We have a community channel as well. CSP is partnered with us and we have frequent communications with them. We have a conversation with them on a day-to-day basis on a Slack channel. Their technical team is connected all the time. The moment we post a question on that channel, we will get a response within five or 10 minutes. That is a much faster resolution than any other solution that I have used.

How would you rate customer service and support?

Positive

How was the initial setup?

We have a separate DevOps that takes care of Lacework deployment, uploading and installing the agent. My job is to make sure that we have visibility into all our containers and host-based cloud infrastructure. Lacework has a feature called resource that completely shows how many containers or instances are running with Lacework and without Lacework. I just pull that data and give it to the DevOps team. They go in and do the config of hosts that don't have a Lacework agent.

There is some maintenance involved with Lacework, but in most scenarios it isn't a problem. We always want to have visibility into everything, so we need to make sure that things are working fine.

Which other solutions did I evaluate?

There are very few solutions out there for cloud infrastructure. When it comes to physical infrastructure, there are already many tools. But the cloud industry is just beginning. I have worked with a few of the cloud solutions and I found Lacework is the most useful one because it has various categories of alerts.

What other advice do I have?

The security team is the most important part of any organization because they are the people who help protect your organization. For them to protect you, they need better visibility into the environment and infrastructure and certain tools to help do their jobs more easily. As an analyst, I think Lacework is much better.

When an analyst gets an alert, time becomes very crucial. His response time should be 30 minutes. In the first 15 minutes, he should be able to understand what type of attack it is, exactly what is happening, and how to stop it. And he also should come to a method of remediation to stop the attack for the short term. For all these aspects, Lacework is really much better. Any analyst, when working on an alert, will initially have the five questions: why, when, what, how, and where. That's what Lacework provides. These questions are the template for any analyst and with them, it takes me about 15 minutes to understand an alert. In the next 15 minutes, I will work on contacting the team, et cetera. From a time perspective, Lacework is much better.

Give Lacework a try. It's one of the best tools in the market that I have used so far. Except for the RTR response, the rest is fine. It is really doing a pretty good job. It will never disappoint you.

Disclosure: PeerSpot contacted the reviewer to collect the review and to validate authenticity. The reviewer was referred by the vendor, but the review is not subject to editing or approval by the vendor.
PeerSpot user
reviewer2143875 - PeerSpot reviewer
Senior Manager at an educational organization with 10,001+ employees
Real User
Apr 13, 2023
Makes us aware of vulnerabilities and provides a lot of data but it's not easily understood at first look
Pros and Cons
  • "The most valuable aspects are identifying vulnerabilities—things that are out there that we aren't aware of—as well as finding what path of access attackers could use, and being able to see open SSL or S3 buckets and the like."
  • "Lacework has not reduced the number of alerts we get. We've actually had to add resources as a result of using it because the application requires a lot of people to understand it to get the value out of it properly."

What is our primary use case?

We use it for monitoring of security vulnerabilities in the cloud.

How has it helped my organization?

Lacework has given us more information to use. We have more visibility into the whole pie, instead of just pieces. It has also helped us save time when it comes to manual compliance tasks.

It's also given us information on vulnerabilities, made us more aware of them, and helped us to know where to focus.

What is most valuable?

The most valuable aspects are:

  • identifying vulnerabilities, things that are out there that we aren't aware of
  • finding what path of access attackers could use
  • being able to see open SSL or S3 buckets and the like.

For detecting anomalous activities, as well as known threats, it's good. It is definitely a decent platform for doing that. It is also good for helping us see our environment from an attacker’s perspective.

It also does a good job of continuously monitoring configurations. You can set up alerts around that monitoring and know whether or not there have been any kinds of changes. It's good, especially with automation. The way that things are happening in the cloud, there is a need for security teams to see vulnerabilities as they come up and address them as quickly as possible.

What needs improvement?

When it comes to helping us view the environment from an attacker’s perspective, I would like to see more work on their side to make that more descriptive, more usable in that context; to make it more obvious. There are a lot of things within the data that they provide but, unfortunately, it's not easily understood at first look.

It's a decent platform, but it's a little complicated and not very intuitive. They need to make things a little simpler to understand so that we can create actionable items. 

Also, Lacework has not reduced the number of alerts we get. We've actually had to add resources as a result of using it because the application requires a lot of people to understand it to get the value out of it properly.

Another point is that we have found that the scanning of some of our AWS instances is extremely slow and that has been a big challenge in our organization.

For how long have I used the solution?

We've been using Lacework for about a year.

What do I think about the stability of the solution?

It seems to be pretty stable.

How are customer service and support?

I haven't contacted their tech support but, as a customer, we have.

Which solution did I use previously and why did I switch?

We did not have a previous solution.

What was our ROI?

We have not really seen ROI. 

Which other solutions did I evaluate?

We're evaluating other solutions. There is a possibility we will switch from Lacework. 

What other advice do I have?

Evaluate all other options to know what you are looking for, and you should already have a process in place to take findings from a particular platform and put them into actionable changes.

Which deployment model are you using for this solution?

Public Cloud

If public cloud, private cloud, or hybrid cloud, which cloud provider do you use?

Disclosure: PeerSpot contacted the reviewer to collect the review and to validate authenticity. The reviewer was referred by the vendor, but the review is not subject to editing or approval by the vendor.
PeerSpot user
Yuri Livshitz - PeerSpot reviewer
Chief Information Security Officer at a tech services company with 201-500 employees
Real User
Jul 17, 2022
Detects pivotal anomalies faster, easy to install, and the technical support is helpful
Pros and Cons
  • "The best feature, in my opinion, is the ease of use."
  • "The best feature, in my opinion, is the ease of use, as well as some levels of machine learning anomaly detection that they have that can detect pivotal anomalies faster."
  • "Visibility is lacking, and both compliance-related metrics and IAM security control could be improved."
  • "In general, I would not recommend Lacework right now. There are more mature solutions that would be a better fit."

What is our primary use case?

Lacework is a sales platform.

Because Kubernetes had a number of important processes that used EKS, we needed Lacework to protect the cloud environment in general and Kubernetes in particular. We required it to defend both the overall cloud posture and to offer protection. And then our container environment's detecting capabilities.

What is most valuable?

The best feature, in my opinion, is the ease of use. As well as some levels of machine learning anomaly detection that they have that can detect pivotal anomalies faster.

What needs improvement?

Visibility is lacking, and both compliance-related metrics and IAM security control could be improved. This is what Ermetic does. IAM security management controls, as well as detection of deviations and misconfigurations, are critical but not fully developed in Lacework.

There is no data governance or data visibility. It's a little bit different, in the vector of cloud security management, but Lacework does not yet support this.

I would like to see some sort of data mapping or detection. The ability to pinpoint the exact location of data. Something similar to what Flow Security is currently doing. And that is what some other companies are attempting to do with data detection capabilities. Cloud Data Detection.

For how long have I used the solution?

I used Lacework more than 12 months ago. I evaluated it a year and a half ago, I believe, approximately 15 months ago.

I am not sure of the exact version.

It was used in the AWS environment.

What do I think about the stability of the solution?

It appears to be functioning in terms of stability. 

The impression is less that it has a lot of false positives in terms of detection and capability. There are some detections that are not particularly accurate. This is the general perception regarding data models. It needs to be improved.

What do I think about the scalability of the solution?

I didn't notice any scalability or people-related issues because it's not a platform for widespread use. 

If you try to populate a very large environment in Lacework and there is a lot of traffic, you may encounter some difficulties. 

The system may struggle, but users, or operators, are not supposed to seriously disrupt or interfere with the platform.

We didn't experience any problems.

This solution was used by no more than 20 people in our organization.

But it is rarely used. You are supposed to get alerts from it from other places, such as Select PagerDuty.

The SIM system. You are not supposed to use it continuously.

How are customer service and support?

We contacted technical support briefly, but not too much. We contacted them during the initial integration phase, but after that, communication was minimal.

Technical support was fine. I would rate them a four out of five.

Which solution did I use previously and why did I switch?

Several other vendors approached us. Dome9, which Check Point purchased, and Cloud Guard were both used in the past. However, when we decided to relocate, I believe I met some Lacework employees at a conference. And after reviewing the solution, we made the decision to put it to try.

They are starting to use Ermetic.

How was the initial setup?

The initial setup is relatively straightforward.

The deployment was completed in two weeks. You will then have some additional time to configure everything.

What's my experience with pricing, setup cost, and licensing?

We purchase the license here. 

The licensing fee was approximately $80,000 USD, per year.

There may be some discounts available. However, it is a one-time fee with no additional charges.

What other advice do I have?

Currently, it is determined by your capabilities and the size of your environment.

In general, I would not recommend Lacework right now. There are more mature solutions that would be a better fit. 

It is very dependent on the specific environment in which you operate. Lacework isn't necessarily bad; it's just that the more mature solutions on the market have significantly more capabilities. Prisma Cloud, for example, or Rapid7 Clouds, I believe, have more capabilities and support. In the cloud environment, better support and different security use cases are available.

However, it is similar to the situation with automobiles. You are not required to drive a Ferrari. You could buy a simpler car and seat it for your needs. It depends on what you want to accomplish.

I would rate Lacework an eight out of ten.

It has some technical capabilities, which are not bad, but it is currently lacking some technical features. It's also prone to false positives, which I believe is due to an over-reliance on some AI detection models. But the precision of those things isn't always good.

Which deployment model are you using for this solution?

Public Cloud

If public cloud, private cloud, or hybrid cloud, which cloud provider do you use?

Amazon Web Services (AWS)
Disclosure: My company does not have a business relationship with this vendor other than being a customer.
PeerSpot user
Buyer's Guide
Download our free FortiCNAPP Report and get advice and tips from experienced pros sharing their opinions.
Updated: May 2026