A Security Solutions Leader in its Own Right, Lookout Relies on Uptycs for Workstation and AWS Infrastructure Security

“We’ve gotten a significant ROI on our Uptycs investment by playing to its strengths: the single data model and backend analytics.” Grant Kahn, Director, Security Intelligence Engineering
Company: Lookout
Champion: Grant Kahn, Director, Security Intelligence Engineering
Cloud environment: AWS
Workstation environment: macOS and Windows
Lookout Protects All Kinds of Endpoints and Cloud Interfaces

Lookout is an endpoint-to-cloud security company that is purpose-built for the intersection of enterprise and personal data. The company safeguards data across devices, apps, networks, and clouds through a unified, cloud-native security platform. Lookout is trusted by enterprises of all sizes, government agencies, and millions of consumers to protect sensitive data. The company has won numerous awards for its innovative products, including making the Forbes Cloud 100 List for several consecutive years.

Mobile device protection is Lookout’s genesis. The app collects data from the device and submits it to a cloud-based engine. There it performs dynamic and static analysis based on threat research and machine learning to determine if other apps on the device pose a security risk.

Enterprises can log in to view the threat information about their device fleet, interacting with mobile device management and system center configuration manager tools to extend their capabilities. Lookout recently acquired a company that provides secure service edge, taking the company into the market of protecting all kinds of endpoints and cloud interfaces.

Lookout’s secure web gateway includes an agent that sits on desktops and laptops to route traffic to the nearest point of presence. This agent uses embedded osquery to do posture checking of the devices. Familiarity with osquery has been helpful to Lookout’s security engineering team in exploiting Uptycs’ capabilities to the fullest extent.

Lookout Gets Significant ROI From Uptycs

Having joined Lookout three-plus years ago, Grant Kahn brings an extensive security background to his role as its security intelligence engineering director. His team performs a variety of infrastructure, cloud, and application security functions.

Used mostly for compliance, Uptycs was already operational when Kahn arrived at Lookout. However, it was underutilized. “Since then, we’ve realized significant ROI on our Uptycs investment,” he says. “It’s feeding us useful intelligence on both our production and user endpoints.”

For production systems, Uptycs is the behavior-based antimalware story. “The same alerts can be categorized as either normal user endpoint background noise or as extremely concerning if they occur on production systems—and vice versa,” says Kahn. “We worked to get our asset groupings right, so we’ve got the right information coming at the right time. And we’ve been able to cut down on noise.”

“We went from having Uptycs for compliance only to making it one of the most powerful tools in our security arsenal.” Grant Kahn, Director, Security Intelligence Engineering

Deep Asset Inventory and Service Categorization Are Essential

How Lookout performs its core functions makes asset categorization quite complicated. Kahn explains, “Our dynamic analysis infrastructure reaches into suspicious places, downloads things then takes them apart to see what they are. That’s normal and acceptable behavior. But if my Mac is touching a known bad place I want to know about that.”

The company’s application architecture is based on microservices, and the teams responsible for these services are autonomous. Kahn says that when an alert requiring follow-up occurs, his team needs to know precisely which of the services teams to talk to. This is managed internally through AWS metadata tags. Every AWS service has a tag, and every instance has a tag that identifies what service it is. The AWS metadata tags are essentially the source of truth about Lookout’s infrastructure.

“We’re able to create matching asset groups in Uptycs, to which we can apply our backend and all the things we want to do based on our nomenclature,” says Kahn. “We worked closely with Uptycs’ customer support to get this working exactly the way we want.”

“We get great service from Uptycs and have productive meetings with them. In my long career, I don’t think I’ve ever had a better vendor relationship.” Grant Kahn, Director, Security Intelligence Engineering

Kahn gives an example of the power of using AWS asset tagging in Uptycs and other Lookout systems. “Before Uptycs, if we learned that EC2 instance 29.68.47.82 is doing a potentially bad thing, it would take a long time to figure out what that action is. I had to take that IP over to the AWS console, figure out what it was, who owned it, where it sat, whether I care about it or not, and then figure out if it was doing what it was supposed to be doing.

“With Uptycs, my service tag on the instance informs me right away. I look and see it’s just this instance that’s part of, say, a policy engine service doing X, Y, and Z. If it shouldn’t be doing that, I can jump right on it. This offers a whole new range of capabilities and security operational efficiencies for us.”

“The service tags are part of our IRT’s runbook. That team can look up who’s on call for that service and tell them what to look at for an incident. We’ve been able to create runbooks that help the IRT fulfill some of the functions of a SOC. That was the final step in fitting the Uptycs information stream into the broader Lookout security monitoring information stream.”

Uptycs Improves How Lookout’s ELK-based SIEM Functions Meet FedRAMP Requirements

Lookout is under a FedRAMP requirement to have a single pane of glass for security event monitoring. The company uses an ELK-based SIEM for this purpose. But Kahn says it’s difficult to use and expensive when handling large data volumes. “Its query infrastructure and indexing, and even just generally creating an alert, are a hassle with ELK,” he explains.

“Instead, the security team feeds the data to Uptycs, where it does the analysis, then sends the highly filtered results to ELK. This way, we don’t have to store the enormous volume of data twice, and we get the best analysis from Uptycs.”

“Uptycs is super deep in terms of the kind of information it provides, and it’s relatively easy to pivot through it all.” Grant Kahn, Director, Security Intelligence Engineering

Kahn says they’re looking at using Uptycs for AWS CloudTrail logs instead of having ELK do it. This is because Uptycs is more feature-rich and faster in its ability to analyze data and generate alerts. Only the filtered results will then be fed into ELK, thus satisfying FedRAMP’s ‘single pane of glass’ requirement.

“When we feed that data through Uptycs, we extract actual intelligence out of it,” says Kahn. “We can offload all of that from the very expensive, per-cluster ELK licenses, shut down all that storage and the processing nodes, and get all the intelligence we need out of Uptycs—with just the cream going over to ELK. Eventually, we’ll be able to decommission some of the ELK resources and save considerable expense by doing even more in Uptycs.”
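The tag-driven triage Kahn describes (resolve the instance behind an alert to its service tag and on-call owner, let the asset group decide whether the behaviour is expected) and the "only the cream goes to ELK" filtering above, as one added illustration that is not Lookout's or Uptycs' code. The inventory, tag names, on-call roster, IP addresses and severity rules are all constructed sample data.

```python
# Added illustration (not Lookout's or Uptycs' code): enrich a raw alert with the
# instance's AWS tags so the asset group decides severity and the service tag
# names the on-call owner, then keep only non-expected results for the SIEM.
# Inventory, roster, tag names and the severity rules are constructed sample data.

# Constructed inventory keyed by source IP (all values hypothetical)
INVENTORY = {
    "10.0.1.12": {"Name": "policy-engine-a", "service": "policy-engine", "env": "production"},
    "10.0.7.40": {"Name": "dyn-analysis-3", "service": "dynamic-analysis", "env": "production"},
    "192.168.5.9": {"Name": "analyst-macbook", "asset_group": "user-endpoint"},
}

# Constructed on-call roster keyed by the service tag
ON_CALL = {"policy-engine": "policy-team-oncall", "dynamic-analysis": "threat-research-oncall"}

# Constructed rules: the same detection maps to a different severity per asset group.
# A sandbox reaching known-bad hosts is expected; the same thing from a laptop is not.
SEVERITY = {
    ("known_bad_egress", "dynamic-analysis"): "expected",
    ("known_bad_egress", "user-endpoint"): "high",
    ("known_bad_egress", "production"): "critical",
    ("new_listening_port", "user-endpoint"): "low",
    ("new_listening_port", "production"): "high",
}


def triage(alert: dict) -> dict:
    """Attach instance, service, asset group, owner and severity to a {rule, src_ip} alert."""
    tags = INVENTORY.get(alert["src_ip"], {})
    service = tags.get("service")
    group = service or tags.get("asset_group", "unknown")
    env = tags.get("env", group)
    # Most specific rule first (per service), then per environment, else queue for review
    severity = SEVERITY.get((alert["rule"], group), SEVERITY.get((alert["rule"], env), "review"))
    return {
        **alert,
        "instance": tags.get("Name"),
        "service": service,
        "asset_group": group,
        "severity": severity,
        "owner": ON_CALL.get(service, "security-oncall"),
    }


def forward_to_siem(alerts: list) -> list:
    """Keep only alerts that still need action; expected behaviour never reaches the SIEM."""
    return [a for a in map(triage, alerts) if a["severity"] != "expected"]
```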

Because of FedRAMP requirements, Lookout doesn’t use the Uptycs SaaS for data analysis. Instead, it has deployed a dedicated Uptycs instance directly into an AWS account that Lookout controls, maintains, and monitors. Uptycs engineers update this in-account system to keep it aligned with the SaaS version.

Lookout now has a level of visibility across its AWS estate it didn’t previously enjoy. “We had CloudWatch and other information from AWS, but Uptycs gives us a single data model and query ability that’s very powerful,” says Kahn. “The Uptycs analytics backend just takes all that data and makes it accessible and useful.”

Security challenges:
  • How to use asset groupings to qualify the basis of a security alert
  • Fit into the existing infrastructure for the incident response team’s (IRT) process regarding alert responses according to specific services
  • Reduce cost and increase effectiveness of the ELK-based SIEM in analyzing data while generating meaningful alerts
Uptycs security results:
  • Uptycs supports Lookout’s nomenclature for asset groups, which helps pinpoint specific alerts
  • The Uptycs information stream fits into the IRT’s monitoring nomenclature, reducing the time it takes to respond to incidents
  • Large amounts of data and analytics processing power are offloaded from the ELK SIEM to Uptycs, resulting in a faster mean time to respond (MTTR) and a dramatic reduction in SIEM costs

See Uptycs in action

Find and remove critical risks in your modern attack surface - cloud, containers, and endpoints - all from a single UI and data model. Let our team of experts show you how.