Success Story: Enhancing Security for Sleepme’s IoT platform with Defiance Digital


Executive Summary


Challenges

  • Bolster security practice for lean team without in-house DevOps engineers

  • Solve visibility challenges to protect customer data in IoT platform

  • Develop compliance plan to meet future business needs

Solutions

  • Connected with Defiance Digital, who brought in Lacework to fill security gaps

  • Used newfound visibility to solve logging issues, lowering bill by 20-25%

  • Simplified compliance process by consolidating numerous tools into a single platform

Results

  • Enabled small security team to easily monitor environment and follow up on critical alerts

  • Increased visibility for IoT application stack with cross-organizational product development

  • Prepared for SOC 2 compliance by harnessing modern tools through Lacework and Defiance




“Lacework and Defiance have helped us instill trust in our customers, and ensure that we’re doing everything we can to keep their data and smart devices as secure as possible.”

-Matthew Burkhard, Director of Engineering, Sleepme

“Lacework and Defiance Digital brought in several high-level engineers to work through the details, point out exactly where in our configuration things were going wrong, and help us come to a resolution that lowered our AWS bill by 20 to 25%.”

-Matthew Burkhard, Director of Engineering, Sleepme


About Sleepme

Sleepme is a sleep coaching site and the parent company of the revolutionary sleep science brand Chilisleep®, known for its award-winning sleep solutions including ChiliPAD™ and OOLER® products. The company began with the core mission of thermal regulation for mattresses, with internet of things (IoT)-connected products that allow users to improve sleep quality by setting schedules and adjusting temperatures throughout the night. Now, they’re expanding into the realm of holistic sleep improvement. Upcoming offerings include sleep coaching, supplements, and a best-in-class sleep tracking device.


Trey Robinson, the Chief Technology Officer, has played a large part in Sleepme’s expansion. Over his three years with the company, his team has expanded from zero engineers to upwards of 23. Also working diligently to grow Sleepme’s capabilities is Matthew Burkhard, Director of Engineering for the Wellness Platform. His responsibilities include overseeing the platform’s IoT-connected back end, as well as additional software-focused services that Sleepme plans to offer in the near future.


For their cloud environment, Sleepme uses Amazon Web Services (AWS), including almost all of the AWS IoT stack. “We have a pretty complex multi-account structure that has a management overhead account, in addition to product verticals for the IoT cloud work,” Burkhard details. “We also have web and mobile apps that have their own back ends. And then we’ve got two separate accounts for archiving all the logs in one aggregated spot to ensure that it’s in a read-only, mutable state so no one can go in and mess with those logs.” For help securing their accounts, and AWS application programming interface (API) logging in particular, the Sleepme team sought out a cloud security solution.



Challenges

Robinson had a key goal of helping his lean team bolster their security practice. “When you’re a product-focused company with a limited hiring capacity, you tend to hire engineers and product folks that are focused on core product development,” recalls Robinson. “You know security is important, but you can’t hire an in-house security expert yet.” Adds Robinson, “Since we have a small team, proactive monitoring and alerting was really essential. We hired excellent engineers and felt confident in our security posture, but we didn’t have someone working full-time to make sure that we’re always on top of our security.”


To strengthen Sleepme’s security discipline as they expanded, Robinson connected with Defiance Digital, a boutique managed services provider. Charlie Gautreaux, Defiance’s Managing Director, remembers, “When Sleepme came to us, they were in the middle of building their IoT platform, which housed sensitive customer information. They didn’t have a CISO or a security team, but they knew they needed to focus on security.” Despite the resourcefulness of Sleepme’s DevOps team, Robinson still recognized the importance of a specialized security practice. As Robinson recalls, “We talked to Defiance and realized that they understood what tools and techniques on the market would provide the most value without slowing us down.”


From the start, Defiance aimed to help Sleepme with visibility. “You can’t manage what you can’t see,” notes Gautreaux. “They needed strong visibility into their landscape from a security perspective, so that was the starting point.” Sleepme was making excellent use of AWS logging capabilities, including CloudTrail, but, Gautreaux says, “it’s very difficult to make sense of that logging data without some type of tooling on top. To solve that visibility problem, they came to us as a trusted partner to help set that up and make sure they’re shifting security left.” Additionally, Sleepme asked Defiance to assist with their compliance goals. “Although they didn’t have a compliance requirement yet, they wanted to prepare for audits down the road,” explains Gautreaux.



The Defiance Solution


Thanks to a strong partnership between Lacework and Defiance, Sleepme found the security solution they needed. At Defiance, Gautreaux states, “We offer everything from cloud management at the core infrastructure level all the way up through automation, observability, and security.” For companies like Sleepme who seek out security guidance in particular, Gautreaux says, “Our managed security offering couples our in-house technical expertise with a platform or product, and Lacework is our strategic go-to partner for cloud security. The relationship has been working really well.”


Robinson agrees that these partnerships have been integral for Sleepme. “We brought Defiance in ahead of our launch to help us enact improvements. Now that we’re live in production, they help us audit the work we’ve done,” he explains. Together, Defiance and Lacework have also helped troubleshoot and speed up solutions. For instance, when the Sleepme team ran into logging issues, Burkhard recalls, “Lacework and Defiance Digital brought in several high-level engineers to work through the details, point out exactly where in our configuration things were going wrong, and help us come to a resolution that lowered our AWS bill by 20 to 25%.”


Prior to implementing the Lacework Polygraph® Data Platform, Sleepme was looking into a number of disparate solutions. “All of these tools require integration, they require a lot of care and love, and they don’t surface all the relevant information in the timely, careful way that Lacework does,” says Gautreaux. “The cohesive nature of the Platform itself was really critical. We did a trial of Lacework, and when Sleepme saw how it could meet all their needs, they chose to adopt it right away.” Since this adoption, Lacework and Defiance have worked in tandem to deliver comprehensive managed security for Sleepme. “We work to continuously improve Sleepme’s cloud security posture both through technology and through their processes, including their application delivery and IaC pipelines,” Gautreaux notes.



Results


Increasing consumer health data and IoT security

Given all the sensitive customer data that Sleepme handles, it’s essential to build in security right from the beginning. So far, the Platform has provided deep visibility to help Sleepme meet their goals. “With Lacework, when we set up a new container, process, or tool, we can get an early look at it earlier in the deployment process,” notes Robinson. “We want to catch everything before we head into production, and Lacework gives us this visibility as we build out new capabilities.” Burkhard reiterates, “Considering our ambitions to become more involved with health data and smart products, our ability to do this foundational work puts us ahead of the game. Lacework and Defiance have helped us instill trust in our customers, and ensure that we’re doing everything we can to keep their data and smart devices as secure as possible.” Gautreaux echoes this confidence in protecting customer data. “Lacework gives Sleepme the assurance that their customer information is being handled properly in the IoT platform itself for the sleep tracker data,” he adds.


Though IoT poses a unique challenge, Defiance and Lacework have paired up to ensure that Sleepme is prepared for anything that comes their way. “We had to prioritize visibility because IoT is not your typical application stack. It’s a very transient data platform, where the data moves around until it reaches a back-end data source,” explains Gautreaux. “Sleepme relies on Lacework to ensure that all the data transfers are happening securely, that the data itself is being handled securely and written in the correct place, and that we’re properly using and configuring the AWS services.” Compared with a traditional stack, IoT consists of billions of tiny pieces of information. “Actually scanning that much information is not possible,” Gautreaux says. “So you need a cloud security posture management (CSPM) that knows what it’s doing, what it’s looking at, and for what purpose.” To better process all this data, Lacework and AWS joined forces, bringing in their respective product development teams to make progress for both platforms. “The strong partnership between Lacework, AWS, Sleepme, and Defiance moved the ball forward in terms of product development for IoT security,” Gautreaux states.


Reducing alerts

So far, Lacework has had a major impact on Sleepme’s alert reduction. “When you’re a small team without dedicated DevOps security engineers, you just don’t have the time to look into every issue yourself,” states Robinson. “Lacework helps with proactive communication by allowing us to monitor and follow up on the alerts that it surfaces. It tells us when there’s a new behavior, or when someone logs into a new region.” Since setting up Lacework, Burkhard says, “We have really seen the power of Lacework in its anomaly detection engine and alert reduction capabilities. Because of this, we were able to tackle the critical and high ones immediately instead of spending time sorting through tons of useless alerts.”


Lacework has also allowed Sleepme to track their continuous improvement. “When we started, we had a Lacework score of 65 or 70,” recalls Burkhard. “Working with the Defiance team, we took a handful of actions, like shutting down public S3 access and fixing some Cognito tool settings, and others, and now we’re consistently in the range of 95 to 100. This goes to show that the work we initially did with Defiance to enhance our architecture put us in a solid spot.”



Creating a compliance strategy

With Lacework, Sleepme was able to start working toward SOC 2 compliance. “We’re dealing with IoT products that are in people’s homes, so the last thing we want is any product vulnerability,” explains Robinson. “We wanted to do a gap analysis, so we had Defiance run an audit, and they brought in Lacework to help us proactively start our compliance journey.”


While Sleepme hasn’t yet achieved SOC 2 compliance, they are working steadily toward it. “Being SOC 2 compliant will be crucial for Sleepme in the future as we start to roll out our Software as a Service (SaaS) offering,” Robinson says. “It will be important for clients and board members to see that we’re compliant. We’re planning to use Lacework to help close that gap before the end of this year.” Since this will be the Sleepme team’s first time going through this process, Robinson notes, “Defiance and Lacework will show us the modern tools and techniques we can leverage to achieve compliance faster.”


From Defiance’s perspective, Lacework helps streamline the compliance services they give to clients like Sleepme. “We offer compliance as a managed service, and we use Lacework on the back end,” Gautreaux explains. “With Lacework, we have the assurance that an organization’s security posture is continuously being looked at. To do the same thing with other technologies, it takes at least five different tools, which gets expensive and arduous to manage.” The single-platform approach from Lacework means that Defiance can enable Sleepme to simplify while staying secure.




About Sleepme

Sleepme Inc. is a sleep technology brand revolutionizing the way the world sleeps. Through decades of learning and experience as well as an extensive patent portfolio, Sleepme’s purpose is to make sleep easy, achievable, and a positive part of everyone’s health.