RingCentral Mitigated Security False Positives Across Hundreds of AWS Accounts

TL;DR
Goals & challenges
  1. Adhering to a strict customer SLA while maintaining compliance across over 100 AWS accounts.
  2. Experiencing too many false positives from cloud security solutions.
  3. Cross-account dependencies required manual investigations. 
  4. Managing asset inventory across all environments.
The solution
  1. Implemented Stream for complete real-time inventory and compliance enforcement.
  2. Customized guardrails to mitigate violations as they occur.
  3. Revealed configuration changes impact.
Results
  1. Advanced alerting and investigation capabilities across 100+ AWS accounts under a unified dashboard. 
  2. Achieved real-time compliance controls and streamlined auditing processes.
  3. Eliminated false-positives alerts and saved engineering and SecOps time.  
  4. Reduced cloud security license cost by 25%.

The customer

RingCentral is a leading global provider of cloud-based business communications and collaboration solutions that seamlessly combine phone, messaging, video meetings, and contact center. RingCentral empowers customers with AI-powered conversation intelligence that unlocks insights from their interaction data to accelerate business outcomes. With decades of expertise in reliable and secure cloud communications, RingCentral has earned the trust of millions of customers and thousands of partners worldwide.

RingCentral delivers a unique synchronized communication experience between regular phone calls, video and chat communication for millions of customers. To deliver strict SLAs to their customers, RingCentral relies on AWS and GCP, in addition to their modern data centers that account for most of their infrastructure. AWS provides the flexibility and scalability they need to deliver the best customer experiences.

Tracking the changes across 100+ AWS accounts consumed precious engineering time.

Before working with Stream Security, the SecOps team's challenge was pinpointing specific changes in their complex infrastructure. Reviewing and investigating cross-account dependencies had become a labor-intensive task. With multiple S3 buckets spread across different accounts and zones, they manually analyzed each account separately. 

The team struggled to address tasks such as:

  • Mapping Virtual Private Clouds (VPCs) with its accounts and services.
  • Navigating the complexities of access management cross-sections.
  • Manage the inventory of their keep-growing AWS accounts.
“We developed an internal tool to keep an inventory of our growing AWS accounts, but we couldn’t track the who, when and what for changes. We needed a solution to find specific changes in our vast cloud stack – resembling finding a needle in the haystack.”
Petr Zuzanov
SecOps Architect at RingCentral

77% of cloud alerts turned out to be false positives

RingCentral adopted the Stream platform, leveraging its CloudTwin capabilities and gaining real-time visibility into AWS inventory, compliance violations, and traffic flow logs.

During the PoC, the RingCentral team quickly recognized that Stream provided context-aware insights. 

The RingCentral SecOps team is responsible for security and compliance, for which they need to demonstrate compliance with PCI DSS, ISO 27000, SOC 2, and High Trust, along with frequent internal and external audits. Stream's platform assesses potential security issues, focusing on relevant ones to streamline prioritization. The team was surprised that their actual compliance levels stood at 80%, significantly contrasting the 11% reported by other tools. The team investigated this gap and found that the low compliance rate reported by other tools resulted from false positives. 

Before Stream, RingCentral had to assign engineers to investigate the insights from legacy tools and, regretfully, to discover that the vast majority are false positives. 

Stream provides out-of-the-box support for 23 compliance frameworks addressing all our required compliance, making the compliance process constantly measurable and efficient.  

Stream's context-aware alerts provided actionable insights, and the teams now use a single solution for configuration review and traffic investigation. Compliance alerts are triggered instantly when a change violates it, allowing RingCentral to maintain a compliant environment continuously and significantly reduce the effort of the audit preparation phase. In addition to security gaps, Stream’s platform has revealed we can improve cost best-practices and suggested enhancements that proved fascinating for the FinOps team, streamlining cross-team collaboration.

“Getting all Cloud SecOps analytics on a single solution in real time is hugely beneficial for our team. Context-aware architectural standards help keep our team on top of compliance on a daily basis, with actionable results.”
Petr Zuzanov
SecOps Architect at RingCentral

A framework for innovation

CloudTwin's real-time capabilities serve not only as a time-saving solution but also as a trigger for innovation. RingCentral has started proactively engaging with the model and conducting advanced queries based on IPs, tags, and identities. This strategic approach empowers the team to investigate any suspicious behavior within the environment in real time, enabling them to eliminate the activities of malicious actors. By enriching posture-aware insights with data from VPC flow logs and IAM activities, a new framework for investigation capabilities has emerged, elevating the ability to investigate and eliminate potential threats.

 “Stream’s platform is extremely powerful not only for investigating the current posture, but also for understanding historical changes and configuration states for our AWS environment. Seeing our posture alongside VPC flow logs accelerates investigations and shows us all the context we need in one place.”
Petr Zuzanov
SecOps Architect at RingCentral

RingCentral was impressed with the quick time to value and expertise demonstrated by the Stream team. During the Proof of Concept (PoC), Stream's context-aware insights surpassed native tools, providing additional verification of findings and saving engineering time. The Stream team's responsiveness and continuous development of new capabilities strengthened the partnership.

“The Stream team is very responsive and has been a great partner, Stream develops new capabilities very quickly and continues to expand their capabilities. We’ve reproduced superior results compared to our previous solutions without customization.”
Petr Zuzanov
SecOps Architect at RingCentral

Future Plans:

RingCentral plans to expand Stream usage to optimize internal processes and extend into Azure and Google Cloud once available.