
Host-Based Intrusion Detection

Threat Stack's host-based intrusion detection system (HIDS) contextualizes security data from deep within the operating system and combines it with security telemetry from across your cloud infrastructure.

The Threat Stack Approach

Quickly Discover Risky User Behavior

Our host-based intrusion detection system (HIDS) monitors all user and group modifications to help you catch privilege escalations, sudo attempts by unapproved users, abnormal login or user access attempts, and other risky activity.

System and File Integrity Monitoring

We watch for abnormal process events and other activity that could indicate malware or other dangerous command and control activity. We also monitor and alert on risky activities associated with critical or sensitive files, such as when files are opened, copied, moved, created, or modified in a way that appears suspicious.
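The baseline-and-compare step at the core of file integrity monitoring, shown as an added example (this is illustration code, not the Threat Stack agent). It records a SHA-256 digest, permission bits and owner for each regular file under a root, then diffs a later scan against that baseline to report created, deleted and modified files. The directory tree and the changes applied to it are constructed inside a temporary directory, so it runs offline on Linux.

```python
"""Baseline-and-compare file integrity monitoring (FIM) in miniature.

Added illustration, not Threat Stack agent code. A baseline records a
SHA-256 digest, permission bits and owner for every regular file under a
root; a later scan is diffed against it to report created, deleted and
modified files. The sample tree and the changes made to it are constructed
inside a temporary directory so the script runs offline on Linux.
"""
import hashlib
import stat
import tempfile
from pathlib import Path


def hash_file(path: Path) -> str:
    """SHA-256 of a file, read in chunks so large files are not loaded whole."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_baseline(root: Path) -> dict:
    """Map each regular file (relative POSIX path) to the attributes we watch."""
    baseline = {}
    for p in sorted(root.rglob("*")):
        if p.is_symlink() or not p.is_file():
            continue
        st = p.stat()
        baseline[p.relative_to(root).as_posix()] = {
            "sha256": hash_file(p),
            "mode": stat.S_IMODE(st.st_mode),
            "uid": st.st_uid,
        }
    return baseline


def compare(baseline: dict, current: dict) -> list:
    """Return sorted (event, path, detail) tuples describing every difference."""
    findings = []
    for rel, old in baseline.items():
        new = current.get(rel)
        if new is None:
            findings.append(("deleted", rel, ""))
            continue
        if new["sha256"] != old["sha256"]:
            findings.append(("modified", rel, "content"))
        if new["mode"] != old["mode"]:
            findings.append(("modified", rel, f"mode {old['mode']:o}->{new['mode']:o}"))
        if new["uid"] != old["uid"]:
            findings.append(("modified", rel, f"owner {old['uid']}->{new['uid']}"))
    for rel in current:
        if rel not in baseline:
            findings.append(("created", rel, ""))
    return sorted(findings)


def demo() -> list:
    """Build a constructed /etc-like tree, baseline it, change it, and diff."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        etc = root / "etc"
        etc.mkdir()
        (etc / "passwd").write_text("root:x:0:0:root:/root:/bin/bash\n")
        (etc / "motd").write_text("Authorized use only.\n")
        (etc / "sudoers").write_text("root ALL=(ALL) ALL\n")
        (etc / "sudoers").chmod(0o440)
        baseline = build_baseline(root)

        # Constructed changes of the kinds FIM is meant to surface.
        with (etc / "passwd").open("a") as fh:            # content change
            fh.write("svc:x:1001:1001::/home/svc:/bin/sh\n")
        (etc / "sudoers").chmod(0o644)                    # permissions loosened
        (etc / "motd").unlink()                           # file removed
        (etc / "sudoers.d").mkdir()
        (etc / "sudoers.d" / "90-extra").write_text("svc ALL=(ALL) NOPASSWD: ALL\n")  # new file
        return compare(baseline, build_baseline(root))


if __name__ == "__main__":
    for event, path, detail in demo():
        print(f"{event:9} {path} {detail}")
```

A production agent would additionally watch the directory in real time (inotify or the audit subsystem) rather than rescanning, and would attribute each change to the process and user that made it; the diff logic above is the part that decides what counts as a finding.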

Detect Known and Unknown Threats

Threat Stack's host-based intrusion detection combines the machine learning engine of ThreatML with pre-built rules to detect known risks at massive scale and quickly uncover unknown anomalies across cloud workloads, so you can respond to threats faster.

Network Activity Monitoring

Our host-based intrusion detection system (HIDS) can identify changes to application services, such as web servers, database server binds, or proxy nodes, as well as other critical system service changes.

The Building Blocks of a Strong Host-Based Intrusion Detection System

Rapid Agent Deployment to Hosts or as Containers

Threat Stack offers multiple deployment options, so you can add host based intrusion detection without slowing DevOps velocity. Get up and running in minutes, with no additional infrastructure, via the following methods:

  • Bake it into your machine images
  • Use deployment scripts for Chef, Puppet, Ansible, or SaltStack
  • Run it within its own Docker container
  • Deploy it containerized, by including it in a Kubernetes DaemonSet


Deep Telemetry Across Workloads

Threat Stack HIDS captures all security audit signals by default from native OS subsystems like Linux Audit or the Windows Event Log. Collected telemetry data is enriched in the Threat Stack Cloud Security Platform®, where it's combined with metadata from EC2 instances, AWS management console activity, and more. This approach provides context-rich data that informs proactive security measures like threat hunting and predictive analytics, as well as the precision needed when reacting to an active cyber attack.

Streamlined Data Processing

Most of the time, the agent is simply gathering data and securely sending it to the Threat Stack platform. More processing happens platform-side, where events are parsed and alerts are fired. In the platform, all of the alerting is based on rules. Several hundred rules come out-of-the-box, and they are all directly customizable so you can ensure that security monitoring is fully tuned and optimized for specific workloads and compliance requirements. On the back end, raw event data is exportable off the platform and into your own S3 bucket.
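The platform-side pattern described above (the agent ships native OS audit events, rules fire alerts) as an added example; this is illustration code, not Threat Stack's platform or rule set. It parses records in the Linux Audit (auditd) line format and applies three rules of the kind the page mentions: user or group modification, sudo use by an unapproved user or a failed sudo attempt, and repeated login failures. The log lines are constructed, and the approved sudo user set, the failure threshold and the rule names are assumptions.

```python
"""Rule-based alerting over Linux Audit (auditd) records.

Added illustration of the pattern the page describes (agent ships OS audit
events, platform-side rules fire alerts); it is not Threat Stack code. The
log lines below are constructed in auditd's record format, and the approved
sudo user set, the failed-login threshold and the rule names are assumptions.
"""
import re
from collections import Counter
from typing import Optional

# Every auditd record starts "type=<TYPE> msg=audit(<epoch>:<serial>): " and
# continues with key=value fields; some carry a nested msg='k=v k=v ...'.
HDR_RE = re.compile(r"^type=(\w+) msg=audit\((\d+\.\d+):(\d+)\):\s*(.*)$")
KV_RE = re.compile(r"(\w+)=('[^']*'|\"[^\"]*\"|\S+)")

APPROVED_SUDO_AUIDS = {"1000"}   # assumption: login UIDs permitted to invoke sudo
FAILED_LOGIN_THRESHOLD = 3       # assumption: alert on the third failure per (acct, addr)
USER_GROUP_TYPES = {"ADD_USER", "DEL_USER", "ADD_GROUP", "DEL_GROUP",
                    "USER_MGMT", "USER_CHAUTHTOK"}


def _unquote(value: str) -> str:
    return value[1:-1] if value[0] in "'\"" else value


def parse_audit_line(line: str) -> Optional[dict]:
    """Turn one auditd record into a flat dict; nested msg='...' fields are merged in."""
    m = HDR_RE.match(line.strip())
    if not m:
        return None
    rec = {"type": m.group(1), "time": float(m.group(2)), "serial": int(m.group(3))}
    for key, raw in KV_RE.findall(m.group(4)):
        value = _unquote(raw)
        if key == "msg":
            rec.update((k, _unquote(v)) for k, v in KV_RE.findall(value))
        else:
            rec[key] = value
    return rec


def evaluate(records: list) -> list:
    """Apply three rules; return (rule, serial, detail) tuples in event order."""
    alerts = []
    failed_logins = Counter()
    for r in records:
        t = r["type"]
        if t in USER_GROUP_TYPES:
            who = r.get("acct") or r.get("id", "?")
            alerts.append(("user_or_group_modified", r["serial"],
                           f"{t} op={r.get('op')} target={who} by auid={r.get('auid')}"))
        elif t == "USER_CMD":
            # sudo emits USER_CMD for every attempt; flag unapproved callers and failures
            if r.get("auid") not in APPROVED_SUDO_AUIDS or r.get("res") == "failed":
                alerts.append(("sudo_policy_violation", r["serial"],
                               f"auid={r.get('auid')} cmd={r.get('cmd')!r} res={r.get('res')}"))
        elif t == "USER_LOGIN" and r.get("res") == "failed":
            key = (r.get("acct"), r.get("addr"))
            failed_logins[key] += 1
            if failed_logins[key] == FAILED_LOGIN_THRESHOLD:
                alerts.append(("repeated_login_failure", r["serial"],
                               f"acct={key[0]} addr={key[1]} failures={FAILED_LOGIN_THRESHOLD}"))
    return alerts


# Constructed sample records (not captured from a real host).
SAMPLE_LOG = """\
type=ADD_USER msg=audit(1700000000.101:201): pid=4100 uid=0 auid=1000 ses=5 msg='op=add-user id=1001 exe="/usr/sbin/useradd" hostname=? addr=? terminal=pts/0 res=success'
type=USER_MGMT msg=audit(1700000000.102:202): pid=4101 uid=0 auid=1000 ses=5 msg='op=add-user-to-group grp="sudo" acct="deploy" exe="/usr/sbin/usermod" hostname=? addr=? terminal=pts/0 res=success'
type=USER_CMD msg=audit(1700000000.103:203): pid=4102 uid=1001 auid=1001 ses=6 msg='cwd="/home/deploy" cmd="systemctl restart nginx" exe="/usr/bin/sudo" terminal=pts/1 res=failed'
type=USER_LOGIN msg=audit(1700000000.104:204): pid=4103 uid=0 auid=4294967295 ses=4294967295 msg='op=login acct="root" exe="/usr/sbin/sshd" hostname=? addr=203.0.113.7 terminal=ssh res=failed'
type=USER_LOGIN msg=audit(1700000000.105:205): pid=4104 uid=0 auid=4294967295 ses=4294967295 msg='op=login acct="root" exe="/usr/sbin/sshd" hostname=? addr=203.0.113.7 terminal=ssh res=failed'
type=USER_LOGIN msg=audit(1700000000.106:206): pid=4105 uid=0 auid=4294967295 ses=4294967295 msg='op=login acct="root" exe="/usr/sbin/sshd" hostname=? addr=203.0.113.7 terminal=ssh res=failed'
type=USER_CMD msg=audit(1700000000.107:207): pid=4107 uid=1000 auid=1000 ses=5 msg='cwd="/home/ops" cmd="systemctl status nginx" exe="/usr/bin/sudo" terminal=pts/0 res=success'
type=PROCTITLE msg=audit(1700000000.107:207): proctitle=73797374656D63746C
"""


def demo() -> list:
    records = [rec for rec in map(parse_audit_line, SAMPLE_LOG.splitlines()) if rec]
    return evaluate(records)


if __name__ == "__main__":
    for rule, serial, detail in demo():
        print(f"[{rule}] serial={serial} {detail}")
```

The approved sudo set and the failure threshold are exactly the knobs a team tunes per workload; the last USER_CMD record shows an approved user's successful sudo passing through without an alert, and the PROCTITLE record shows an event type no rule cares about being ignored.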


Machine Learning + Rules + Human Expertise

Threat Stack delivers advanced anomaly detection with ThreatML, a machine learning engine that enhances security observability for the Threat Stack Cloud Security Platform, Threat Stack Oversight℠, and Threat Stack Insight℠.

By combining full-stack telemetry, machine learning, rules, and human expertise, Threat Stack empowers security teams to shorten mean-time-to-know (MTTK), focus on high-severity threats, save time, and reduce cost.

What We Look For

Threat Stack's intrusion detection behavioral analysis looks for potential signs of compromise and collects data such as:

  • User Logins
  • File Copies, Access, Modifications, and Deletions
  • Privilege Escalations
  • Login Attempts and Failures
  • Suspicious Commands
  • CloudTrail Events
  • New Processes and Kernel Modules
  • Known Vulnerabilities
  • Network Connections

Supported Systems

At a high level, Threat Stack intrusion detection can be deployed in minutes to collect real-time security audit data from the operating system, handle file integrity monitoring (FIM), and capture user-space events. Threat Stack currently supports various versions of the following operating systems:

  • Amazon Linux
  • CentOS
  • Debian
  • Red Hat Enterprise Linux
  • Ubuntu
  • Windows Server

See the documentation for specific versions and minimum kernel requirements.

Ready to secure your cloud?

Meet with us today.

Threat Stack is here to support you in achieving your goals for securing your entire cloud infrastructure and application stack. Schedule time with us today to explore how the Threat Stack Cloud Security Platform combines deep telemetry collection with rules, ML, and analytics for continuous cloud security monitoring.
