Linux Production Protection

Fast and accurate protection from attacks – even those using zero-days – across tens of thousands of nodes per installation with minimal performance impact on even the busiest production systems.

The Challenge

As an organization with an expanding and increasingly heterogeneous production environment, you need a Linux security solution that protects your containers, virtual machines, or bare metal systems, whether deployed on premise or in the cloud.

Maybe you use an Intrusion Prevention System's (IPS) network detection capabilities, but understand that it offers no insight into host activities and that it also adds load to your network. Endpoint Detection & Response (EDR) tools may work for desktop systems, but simply don't scale to production systems. You need a performant solution that can be deployed to tens of thousands of nodes, any of which could be handling thousands of connections per second.

Moreover, you need a security approach that won't drown you in false alerts and instead keeps you focused on actual attacks that can be stopped before they take hold.

The Capsule8 Difference

The Capsule8 Platform detects indicators of attack (IOA) across your entire Linux production environment, pointing you to true, active attacks that require attention. Capsule8 can detect privilege escalation, container escapes, command injection, memory corruption, and the other exploit techniques attackers would love to use on your production systems. Detecting live exploitation lets you address security incidents quickly, versus only looking for conventional indicators of compromise (IOC), which give you awareness only after an attacker has already compromised your environment.

With Capsule8, only small amounts of security-critical telemetry data are needed to provide protection, keeping resource usage to a level even Ops will appreciate. The vast majority of this telemetry is processed locally on the host rather than shipped over the network, keeping network overhead and the exposure of host data to a minimum.

Real-Time Detection & Prevention.

Once your production systems are breached, you pay a high price in actual dollars, staff hours, and lost customer confidence. Those costs are avoided if you stop an attack before it becomes a breach. We provide you with high-fidelity data as attacks happen, which greatly improves visibility and response time, particularly when you use our prevention strategies to automatically stop active exploitation. With Capsule8, it's easy to determine the legitimacy of each alert and to automate the response accordingly, and you don't have to wait for a product update or for algorithms to get smarter to be protected.

Deep Context in Alerts to Help Understand Each Attack.

Capsule8 finds exploits – including those based in the kernel – that other tools miss. Our alerts are enhanced by customer-defined and workload-based metadata to deliver true positives with all the context you need to investigate an event. With data around users, activities, process lineage, and timing, you can understand the nature of an attack and quickly kill or freeze processes that violate policy. Capsule8 provides only the right information and doesn’t spam you with irrelevant data.

Complete Visibility.

Capsule8 exposes pre- and post-exploitation activity, including commands issued as well as files and networks accessed. Much like a bank robber is focused on your money (not all of your office supplies), an attacker is looking for your most sensitive data (not every resource you own), and that is exactly what Capsule8 analyzes. Correlation data is important for understanding everything an attacker is doing throughout your environment, so our analytics reflect associations between actions and events to highlight what they mean for you.

Flexible and Efficient Operations.

Capsule8 offers many ways to manage alert data and minimize performance impact on your production systems, so your operations team won't be wary of security tooling. Capsule8 allows you to set limits that control its consumption of CPU, memory, disk space, and event rate. Our development philosophy is API-first, providing the flexibility to integrate with your existing cloud, security, and storage tools. Capsule8 sends alerts to your existing tools and workflows via API, file, stdout, and S3 bucket.

CVE Analysis Reports.

Capsule8 provides you with reporting on how our protection fared against Linux Common Vulnerabilities and Exposures (CVEs). Our security researchers and data analysts document relevant CVEs, the type of exploit involved, and the Capsule8 detection methods that would have prevented the exploit. This provides transparency in Capsule8’s ability to protect your organization. We’ll even write a custom exploit if there isn’t one publicly available to make sure your systems are safe and sound.

Product Overview

Capsule8 is the industry’s only real-time, zero-day exploit detection platform purpose-built for Linux production systems in hybrid environments – whether multicloud, containerized, virtualized or bare metal.