Host Based Intrusion Detection

The Threat Stack Cloud Security Platform with ThreatML™ contextualizes security data from deep within the operating system, and combines it with security telemetry from across your cloud infrastructure for comprehensive intrusion detection.


The Threat Stack Approach

Quickly Discover Risky User Behavior

We monitor all user or group modifications to help you catch privilege escalations, attempts by unapproved sudo users, abnormal login or user access attempts, and other risky activity.

System and File Integrity Monitoring

We watch for abnormal process events and other activity that could indicate malware or other dangerous command and control activity. We also monitor and alert on risky activities associated with critical or sensitive files, such as when files are opened, copied, moved, created, or modified in a way that appears suspicious.

Detect Known and Unknown Threats

We combine the machine learning engine of ThreatML and pre-built rules to detect known risks at massive scale and quickly uncover unknown anomalies across cloud workloads — so you can respond to threats faster.

Network Activity Monitoring

We identify changes to application services like web servers, database server binds, or proxy nodes, and other critical system service changes.

The Building Block for a Strong Cloud Security Posture

Rapid Agent Deployment to Hosts or as Containers

Threat Stack offers multiple deployment options, so you can add security without slowing DevOps velocity. Get up and running in minutes, with no additional infrastructure, via the following methods:

  • Bake it into your machine images
  • Use deployment scripts for Chef, Puppet, Ansible, or SaltStack
  • Run it within its own Docker container
  • Deploy it containerized, by including it in a Kubernetes DaemonSet

Deep Telemetry Across Workloads

Threat Stack captures all security audit signals by default from native OS subsystems like Linux Audit or the Windows Event Log. Collected telemetry data is enriched in the Threat Stack Cloud Security Platform®, where it's combined with metadata from EC2 instances, AWS management console activity, and more. This approach provides context-rich data that informs proactive security measures like threat hunting and predictive analytics, as well as the precision needed when reacting to an active cyber attack.

Streamlined Data Processing

Most of the time, the agent is simply gathering data and securely sending it to the Threat Stack platform. More processing happens platform-side, where events are parsed and alerts are fired. In the platform, all of the alerting is based on rules. Several hundred rules come out-of-the-box, and they are all directly customizable so you can ensure that security monitoring is fully tuned and optimized for specific workloads and compliance requirements. On the back end, raw event data is exportable off the platform and into your own S3 bucket.
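To make the two mechanisms described above concrete (the file integrity monitoring under "System and File Integrity Monitoring" and the rule-based alerting over parsed events described in this section), here is an added Python example. It is not Threat Stack's agent, rules, or platform code: the hash-baseline FIM check, the audit-style event records, the set of approved sudo users, and the login-failure threshold are all constructed for illustration.

```python
"""Added example (not Threat Stack code): a minimal host-based FIM baseline
check plus a few rule-based alerts over constructed audit-style events."""
import hashlib
import os
import tempfile
from typing import Callable, Dict, List, Optional

# Assumed policy values for the example, not taken from any real deployment.
APPROVED_SUDO_USERS = {"deploy", "ops"}
LOGIN_FAILURE_THRESHOLD = 3


def hash_file(path: str) -> str:
    """SHA-256 of a file, read in chunks so large files do not load into memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(paths: List[str]) -> Dict[str, str]:
    """Record the known-good hash of every monitored file that exists."""
    return {p: hash_file(p) for p in paths if os.path.isfile(p)}


def check_integrity(baseline: Dict[str, str]) -> List[dict]:
    """Compare current state against the baseline; report deleted or modified files."""
    findings = []
    for path, known_hash in baseline.items():
        if not os.path.isfile(path):
            findings.append({"path": path, "change": "deleted"})
        elif hash_file(path) != known_hash:
            findings.append({"path": path, "change": "modified"})
    return findings


# Constructed events shaped like parsed Linux Audit records (type, user, extra fields).
SAMPLE_EVENTS = [
    {"type": "USER_CMD", "user": "deploy", "cmd": "systemctl restart nginx"},
    {"type": "USER_CMD", "user": "www-data", "cmd": "bash -i"},
    {"type": "ADD_USER", "user": "root", "detail": "id=1002 name=svc-backup"},
    {"type": "USER_LOGIN", "user": "admin", "result": "failed"},
    {"type": "USER_LOGIN", "user": "admin", "result": "failed"},
    {"type": "USER_LOGIN", "user": "admin", "result": "failed"},
    {"type": "USER_LOGIN", "user": "admin", "result": "success"},
]


def rule_unapproved_sudo(ev: dict) -> Optional[str]:
    """Privileged command run by a user outside the approved sudo set."""
    if ev.get("type") == "USER_CMD" and ev.get("user") not in APPROVED_SUDO_USERS:
        return f"sudo by unapproved user {ev['user']}: {ev.get('cmd')}"
    return None


def rule_account_change(ev: dict) -> Optional[str]:
    """Any user or group modification is alert-worthy on a production host."""
    if ev.get("type") in {"ADD_USER", "ADD_GROUP", "USER_MGMT"}:
        return f"account/group modification by {ev.get('user')}: {ev.get('detail')}"
    return None


PER_EVENT_RULES: List[Callable[[dict], Optional[str]]] = [
    rule_unapproved_sudo,
    rule_account_change,
]


def rule_login_failures(events: List[dict]) -> List[str]:
    """Aggregate rule: repeated failed logins for the same user."""
    failures: Dict[str, int] = {}
    for ev in events:
        if ev.get("type") == "USER_LOGIN" and ev.get("result") == "failed":
            failures[ev["user"]] = failures.get(ev["user"], 0) + 1
    return [f"{n} failed logins for {u}" for u, n in failures.items()
            if n >= LOGIN_FAILURE_THRESHOLD]


def evaluate_rules(events: List[dict]) -> List[str]:
    """Run per-event rules on each record, then the aggregate rules over the batch."""
    alerts = []
    for ev in events:
        for rule in PER_EVENT_RULES:
            msg = rule(ev)
            if msg:
                alerts.append(msg)
    alerts.extend(rule_login_failures(events))
    return alerts


def demo_fim() -> List[dict]:
    """Constructed scenario: baseline three files, then modify one and delete one."""
    with tempfile.TemporaryDirectory() as d:
        paths = [os.path.join(d, n) for n in ("passwd", "sshd_config", "sudoers")]
        for p in paths:
            with open(p, "w") as f:
                f.write(f"original contents of {os.path.basename(p)}\n")
        baseline = build_baseline(paths)
        with open(paths[1], "a") as f:
            f.write("PermitRootLogin yes\n")  # simulated tampering
        os.remove(paths[2])
        return check_integrity(baseline)


if __name__ == "__main__":
    for finding in demo_fim():
        print("FIM:", finding)
    for alert in evaluate_rules(SAMPLE_EVENTS):
        print("ALERT:", alert)
```

The design mirrors the split the section describes: the host side only collects and hashes, while the decision logic lives in rules that are plain functions and can be tuned per workload. A real agent would source the baseline from an immutable store and feed events continuously rather than in a batch.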

Machine Learning + Rules + Human Expertise

Threat Stack delivers advanced anomaly detection with ThreatML, a machine learning engine that enhances security observability for the Threat Stack Cloud Security Platform, Threat Stack Oversight℠, and Threat Stack Insight℠.

By combining full-stack telemetry, machine learning, rules, and human expertise, Threat Stack empowers security teams to accelerate mean-time-to-know (MTTK), focus on high-severity threats, save time, and reduce cost.

Supported Systems

At a high level, Threat Stack can be deployed in minutes to collect real-time security audit data from the operating system, handle file integrity monitoring (FIM), and capture user-space events. Threat Stack currently supports various versions of the following operating systems:

  • Amazon Linux
  • CentOS
  • Debian
  • Red Hat Enterprise Linux
  • Ubuntu
  • Windows Server

See the documentation for specific versions and minimum kernel requirements.