Threat Stack January Update

At Threat Stack, we’ve started the new year off with a bang by getting straight to work on many exciting new features that we can’t wait to share with you! No more eggnog, traveling to the in-laws’ house, or singing carols — our heads are down making our flagship product, Cloud Sight, better than ever.

Performance & Speed

This past month we worked tirelessly to make the task of tracking, auditing, and displaying forensic information for an organization even easier and faster than before.

To see an overview of how this now works, take a peek at this screencast demonstrating a vulnerable cloud deployment. As you saw (you watched the screencast, right?!), multiple systems were compromised because of poor user and password management. Just like Superman, Cloud Sight swept in and reconstructed a full timeline of events — from the introduction of a new user right down to the nitty-gritty details of the rootkit installed after the compromise.

Cutting-Edge Dashboard Visualization

We’re also excited to announce that the Cloud Sight analytics dashboard is now available! This feature provides an overview of activity across your organization for any given time period (the default window is 24 hours, but this is configurable).

One-Click Access to Login Activity

Want a quick overview of what your users are doing and where they are logging in from? With our new analytics dashboard and login tracking, you can now get a bird’s-eye view of account activity across your infrastructure.

Seamless View of User Sessions

Each login entry is now linked to an audit history of commands that were run by a user. But we didn’t stop there — you can also follow a user’s session through any account transition. For example, if a user changes credentials (e.g., `sudo su`), we will display the history of commands run under the new identity within a single window.

From here, you can click on individual commands to view detailed information on that specific process, such as network connections, file events (if applicable), and more.

Pretty sweet, right?! (By the way, you first need to upgrade the agent to v1.0.8 to take advantage of these features — it’s quick, we promise.)

Unified Process & Network History

We worked several long nights (and chugged lots of caffeine-related products) to also give you the ability to visualize all of your new process and network activity across your entire organization — right from the dashboard:

[Screenshot: process and network activity on the dashboard]

Effortless File Integrity Monitoring

We’ve made it possible for you to now determine (in seconds) the files a process may have modified, created, or accessed.

With Cloud Sight’s new file integrity monitoring capabilities, we associate file activity with process activity for you, right in the “Process Detail” page.

Improved Search For Processes

Using Cloud Sight’s search interface, you can query for a specific filename (below shows filename like ‘authorized_keys’). From the search results, click on the ‘View Process Details’ eyeball, which then displays detailed information about the process that accessed, created, deleted, or modified the file. It’s like a surveillance camera on all of your servers!

[Screenshot: process search results]

Meaningful Visualizations For Statistical Information

Many of the Cloud Sight widgets now include an option to display statistical information visually (your manager will love this!).

Compact Agents and Alerts

[Screenshot: compact agents and alerts]

Other Changes:

  • Performance optimizations and extended filtering & logging for the Threat Stack audit and file monitoring services.
  • Fixes for issues where process arguments were not being tracked with the process.
  • Disabled email alerts by default. We quickly realized that this was too much of an annoyance — so we wiped them away.
  • Removed potentially noisy alert rules which were also enabled by default.
  • Agent install or upgrade will enable pam_loginuid if not already enabled.

Interested? Join our beta today