Host Based Intrusion Detection

Threat Stack's host based intrusion detection system (HIDS) contextualizes security data from deep within the operating system and combines it with security telemetry from across your cloud infrastructure.


The Threat Stack Approach

Quickly Discover Risky User Behavior

Our host based intrusion detection system (HIDS) monitors all user or group modifications to help you catch privilege escalations, attempts by unapproved sudo users, abnormal login or user access attempts, and other risky activity.

System and File Integrity Monitoring

We watch for abnormal process events and other activity that could indicate malware or other dangerous command and control activity. We also monitor and alert on risky activities associated with critical or sensitive files, such as when files are opened, copied, moved, created, or modified in a way that appears suspicious.

Detect Known and Unknown Threats

Threat Stack's host based intrusion detection combines the machine learning engine of ThreatML and pre-built rules to detect known risks at massive scale and quickly uncover unknown anomalies across cloud workloads — so you can respond to threats faster.

Network Activity Monitoring

Our host based intrusion detection system (HIDS) can identify changes to application services such as web servers, database server binds, or proxy nodes, as well as other critical system service changes.

See How to Evaluate an ML-Based Cloud Security Solution

To be effective, ML models must account for an organization’s entire attack surface and collect data from every layer of the cloud infrastructure stack.

The Building Blocks for a Strong Host Based Intrusion Detection System

Rapid Agent Deployment to Hosts or as Containers

Threat Stack offers multiple deployment options, so you can add host based intrusion detection without slowing DevOps velocity. Get up and running in minutes, with no additional infrastructure, via the following methods:

  • Bake it into your machine images
  • Use deployment scripts for Chef, Puppet, Ansible, or SaltStack
  • Run it within its own Docker container
  • Deploy it containerized, by including it in a Kubernetes DaemonSet

Deep Telemetry Across Workloads

Threat Stack HIDS captures all security audit signals by default from native OS subsystems like Linux Audit or the Windows Event Log. Collected telemetry data is enriched in the Threat Stack Cloud Security Platform®, where it's combined with metadata from EC2 instances, AWS management console activity, and more. This approach provides context-rich data that informs proactive security measures like threat hunting and predictive analytics, as well as the precision needed when reacting to an active cyber attack.

Streamlined Data Processing

Most of the time, the agent simply gathers data and sends it securely to the Threat Stack platform. The heavier processing happens platform-side, where events are parsed and alerts are fired. All alerting in the platform is rule-based: several hundred rules ship out of the box, and every one is directly customizable, so you can tune security monitoring for specific workloads and compliance requirements. On the back end, raw event data is exportable from the platform into your own S3 bucket.
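The collect, parse, correlate and rule-match flow described in the two sections above, reduced to a runnable sketch. This is an added example, not Threat Stack code and not Threat Stack's rule format or severity scale: it parses constructed auditd-style records (the timestamps, serials, pids, uids and account names are made up), groups records that share an audit serial into one event, and applies three hypothetical rules: a user or group was modified, sudo was used by an account outside an assumed allow-list, and a path covered by a constructed `sensitive-files` audit watch key was accessed.

```python
"""Toy rule-based HIDS alert pipeline over Linux Audit (auditd) records.

Added illustration only: sample records, rule names, the approved-sudo
allow-list and the 1..3 severity scale are all constructed here.
"""
import re
from dataclasses import dataclass

# Hypothetical allow-list of accounts permitted to run sudo on this host.
APPROVED_SUDO_USERS = {"alice"}

# Constructed uid -> account mapping (stands in for an /etc/passwd lookup).
UID_TO_NAME = {"0": "root", "1000": "alice", "1001": "bob"}

# auditd record types emitted by useradd/groupadd/usermod and friends.
USER_GROUP_RECORD_TYPES = {"ADD_USER", "DEL_USER", "USER_MGMT",
                           "ADD_GROUP", "DEL_GROUP", "GRP_MGMT"}

# Constructed audit.log excerpt. Serial 205 is a SYSCALL+PATH pair produced by
# a watch such as `auditctl -w /etc/sudoers -p wa -k sensitive-files`.
SAMPLE_AUDIT_LOG = """\
type=ADD_USER msg=audit(1607000001.101:201): pid=4101 uid=0 auid=1000 ses=3 msg='op=adding user id=1002 exe="/usr/sbin/useradd" hostname=? addr=? terminal=pts/0 res=success'
type=ADD_GROUP msg=audit(1607000002.102:202): pid=4102 uid=0 auid=1000 ses=3 msg='op=adding group to /etc/group id=1003 exe="/usr/sbin/groupadd" hostname=? addr=? terminal=pts/0 res=success'
type=USER_CMD msg=audit(1607000003.103:203): pid=4103 uid=1000 auid=1000 ses=3 msg='cwd="/home/alice" cmd=73797374656D63746C2072657374617274206E67696E78 exe="/usr/bin/sudo" terminal=pts/0 res=success'
type=USER_CMD msg=audit(1607000004.104:204): pid=4104 uid=1001 auid=1001 ses=4 msg='cwd="/home/bob" cmd=6C73202F726F6F74 exe="/usr/bin/sudo" terminal=pts/1 res=failed'
type=SYSCALL msg=audit(1607000005.105:205): arch=c000003e syscall=257 success=yes exit=3 a0=ffffff9c a1=55d0c0ffee00 a2=241 a3=1b6 items=1 ppid=4000 pid=4105 auid=1001 uid=0 gid=0 euid=0 ses=4 comm="vi" exe="/usr/bin/vi" key="sensitive-files"
type=PATH msg=audit(1607000005.105:205): item=0 name="/etc/sudoers" inode=1310722 dev=fd:01 mode=0100440 ouid=0 ogid=0 nametype=NORMAL
type=CRED_DISP msg=audit(1607000006.106:206): pid=4106 uid=1000 auid=1000 ses=3 msg='op=PAM:setcred acct="alice" exe="/usr/bin/sudo" hostname=? addr=? terminal=pts/0 res=success'
"""

_KV_RE = re.compile(r"(\w+)=('[^']*'|\"[^\"]*\"|\S+)")
_AUDIT_ID_RE = re.compile(r"audit\((\d+\.\d+):(\d+)\)")


@dataclass
class Alert:
    rule: str
    severity: int   # constructed scale: 1 = highest, 3 = lowest
    serial: int     # audit event serial the alert was raised on
    user: str
    detail: str


def _decode(key: str, value: str) -> str:
    """Strip surrounding quotes; hex-decode the fields auditd hex-encodes."""
    if value[:1] in "'\"" and value[-1:] == value[:1]:
        return value[1:-1]
    if key in ("cmd", "proctitle") and len(value) % 2 == 0 \
            and re.fullmatch(r"[0-9A-Fa-f]+", value):
        return bytes.fromhex(value).decode("utf-8", errors="replace")
    return value


def parse_record(line: str) -> dict:
    """Flatten one audit.log line into a dict; a nested msg='...' payload is merged in."""
    record: dict = {}
    for key, raw in _KV_RE.findall(line):
        if key == "msg":
            m = _AUDIT_ID_RE.match(raw)
            if m:                      # msg=audit(<time>:<serial>):
                record["time"] = float(m.group(1))
                record["serial"] = int(m.group(2))
                continue
            if raw.startswith("'"):    # nested key=value payload
                record.update(parse_record(raw[1:-1]))
                continue
        record[key] = _decode(key, raw)
    return record


def group_events(log_text: str) -> dict:
    """Correlate records sharing an audit serial (e.g. SYSCALL + PATH) into one event."""
    events: dict = {}
    for line in log_text.splitlines():
        if line.strip():
            rec = parse_record(line)
            events.setdefault(rec["serial"], []).append(rec)
    return events


def _actor(rec: dict) -> str:
    """Prefer the login uid (auid), which survives sudo/su, over the effective uid."""
    uid = rec.get("auid") or rec.get("uid", "?")
    return UID_TO_NAME.get(uid, f"uid:{uid}")


def rule_user_group_change(serial: int, records: list):
    for rec in records:
        if rec.get("type") in USER_GROUP_RECORD_TYPES:
            return Alert("user_group_change", 1, serial, _actor(rec),
                         f"{rec['type']} via {rec.get('exe', '?')} res={rec.get('res', '?')}")
    return None


def rule_unapproved_sudo(serial: int, records: list):
    for rec in records:
        if rec.get("type") == "USER_CMD" and rec.get("exe") == "/usr/bin/sudo":
            actor = _actor(rec)
            if actor not in APPROVED_SUDO_USERS:
                return Alert("unapproved_sudo", 1, serial, actor,
                             f"sudo {rec.get('cmd', '?')!r} res={rec.get('res', '?')}")
    return None


def rule_sensitive_file_access(serial: int, records: list):
    syscalls = [r for r in records if r.get("type") == "SYSCALL"
                and r.get("key") == "sensitive-files" and r.get("success") == "yes"]
    paths = [r["name"] for r in records if r.get("type") == "PATH" and "name" in r]
    if syscalls and paths:
        rec = syscalls[0]
        return Alert("sensitive_file_access", 2, serial, _actor(rec),
                     f"{rec.get('comm', '?')} accessed {', '.join(paths)} (watch key sensitive-files)")
    return None


RULES = [rule_user_group_change, rule_unapproved_sudo, rule_sensitive_file_access]


def evaluate(log_text: str) -> list:
    """Run every rule over every correlated event; return alerts in serial order."""
    events = group_events(log_text)
    return [alert for serial in sorted(events)
            for rule in RULES if (alert := rule(serial, events[serial]))]


if __name__ == "__main__":
    for a in evaluate(SAMPLE_AUDIT_LOG):
        print(f"sev{a.severity} {a.rule:22} serial={a.serial} user={a.user} {a.detail}")
```

On the sample above, alice's approved sudo (serial 203) and the PAM credential record (206) produce nothing, while the user and group additions, bob's sudo attempt and the `/etc/sudoers` access each raise one alert. Correlating on the audit serial matters: the SYSCALL record carries the actor and the watch key, but only the PATH record names the file.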

Machine Learning + Rules + Human Expertise

Threat Stack delivers advanced anomaly detection with ThreatML, a machine learning engine that enhances security observability for the Threat Stack Cloud Security Platform, Threat Stack Oversight℠, and Threat Stack Insight℠.

By combining full-stack telemetry, machine learning, rules, and human expertise, Threat Stack empowers security teams to accelerate mean-time-to-know (MTTK), focus on high-severity threats, save time, and reduce cost.

Supported Systems

At a high level, Threat Stack intrusion detection can be deployed in minutes to collect real-time security audit data from the operating system, handle file integrity monitoring (FIM), and capture user-space events. Threat Stack currently supports various versions of the following operating systems:

  • Amazon Linux
  • CentOS
  • Debian
  • Red Hat Enterprise Linux
  • Ubuntu
  • Windows Server

See the documentation for specific versions and minimum kernel requirements.

See What Our Customers Are Saying

December 7, 2020
Threat Stack is our HIDS and much else, and we've never seen cause to change!

We're a longtime customer that engaged with Threat Stack when they were a very young company. Threat Stack aggregates all of our Linux systems-level events and automatically classifies them according to severity (1, 2, and 3). Threat Stack comes with a default rule set that is good, and there is also a set of rules tuned ...

Want to read more reviews about Threat Stack? Visit our reviews page

Ready to secure your cloud?

Meet with us today.

Threat Stack is here to support you in achieving your goals for securing your entire cloud infrastructure and application stack. Schedule time with us today to explore how the Threat Stack Cloud Security Platform combines deep telemetry collection with rules, ML, and analytics for continuous cloud security monitoring.
