Host Security

The Threat Stack Windows and Linux Agent contextualizes security data from deep within the operating system, and sends it to the Threat Stack Cloud Security Platform® for processing.

The Threat Stack Approach

User Access Monitoring

We monitor all user or group modifications to help you catch privilege escalations, attempts by unapproved sudo users, abnormal login or user access attempts, and other risky activity.

System Integrity Monitoring

We watch for abnormal process events, deviations in the use of authorized ports and services, and other activity that could indicate malware or other dangerous command and control activity.

File Integrity Monitoring

We alert you to risky activity on critical credential and configuration files and special system directories, and to data exfiltration involving sensitive files.

Network Activity Monitoring

We identify changes to application services like web servers, database server binds, or proxy nodes, as well as other critical system service changes.

Supported Systems

At a high level, the Threat Stack Agent is deployed in minutes to collect real-time security audit data from the operating system, handle file integrity monitoring (FIM), and capture user-space events. Threat Stack currently supports various versions of the following operating systems:

  • Amazon Linux
  • CentOS
  • CoreOS
  • Debian
  • Red Hat Enterprise Linux
  • Ubuntu
  • Windows Server

See the documentation for specific versions and minimum kernel requirements.

The Building Block for a Strong Cloud Security Posture

Rapid Agent Deployment to Hosts or as Containers

The Threat Stack Agent offers multiple deployment options, so you can add security without slowing DevOps velocity. Install the agent in minutes, with no additional infrastructure, via the following methods:

  • Bake the Threat Stack Agent into your machine images
  • Use deployment scripts for Chef, Puppet, Ansible, or SaltStack
  • Run the Linux agent as its own Docker container
  • Deploy the containerized Linux agent by including it in a Kubernetes DaemonSet

Deep Telemetry Across Workloads

The agent captures all security audit signals by default from native OS subsystems like Linux Audit or the Windows Event Log. Agent data is enriched in the Threat Stack Cloud Security Platform®, where it's combined with metadata from EC2 instances, AWS management console activity, and more. This approach provides context-rich data that informs proactive security measures like threat hunting and predictive analytics, as well as the precision needed when reacting to an active cyber attack.

Streamlined Data Processing

Most of the time, the agent is simply gathering data and securely sending it to the Threat Stack platform. More processing happens platform-side, where events are parsed and alerts are fired. In the platform, all of the alerting is based on rules. Several hundred rules come out-of-the-box, and they are all directly customizable so you can ensure that security monitoring is fully tuned and optimized for specific workloads and compliance requirements. On the back end, raw event data is exportable off the platform and into your own S3 bucket.

Why Host Context Matters

Host context gives you the data needed to eliminate false negatives and drive security alerting that's data rich and actionable. Here are some common examples that the Threat Stack Agent is well positioned to capture:

  • User privilege escalations
  • Modification of the kernel at run time
  • Processes running from /tmp or other special system directories
  • Audit trails of critical filesystem changes
  • Monitoring of host system network services