This technical deep dive highlights key capabilities released as part of Twistlock 19.03. To learn more about what’s included with Twistlock 19.03, check out our full release blog post.

In support of Cloud Workload Protection Platforms Twistlock has expanded into the area of host protection. Not just Docker nodes, but the “traditional” virtual machine and application models. Twistlock provides vulnerability management, compliance, runtime defense, and firewalling across all your VMs in all your clouds. We are focused on securing your cattle, not your pets.

The value of host forensics

So why the need for host forensics for your cattle? Out of your hundreds to thousands of VMs which one is the wolf in cow clothing? Host Forensics provides similar functionality to our Container Runtime Forensics feature. This provides you with the ability to aggregate events for your herd of servers for further investigation and analysis.

Host forensics deep dive

Twistlock introduced Host Runtime Defense in 2017. This capability provides real-time protection of the host. Twistlock develops models for process and file system actions that express the tasks that services routinely need to do. Attacker objectives are well known. They need to gain an entry point on the host, establish persistence, elevate permissions, etc. The path to achieving these objectives is also well known. Attackers must use specific utilities and manipulate specific files in order to advance their foothold. In many cases, these are the same utilities and files that legitimate services need to use. By selectively assigning capabilities to services so that they can do their job, but nothing more, Twistlock can limit what an attacker can do when they hijack a service and try to exploit it to run in non-legitimate ways.

The new Twistlock Host Forensics provides you with the ability to perform after-action analysis of host system behaviors to determine the sequence of events.

For example, let’s say an administrator adds a user account to a Google Cloud Platform (GCP) VM. The process to add accounts to a GCP VM is via the GCP Console’s SSH key / VM association.

The screenshot below includes a Twistlock Host google-account-daemon service capability model:

Therefore, accounts added to GCP VMs using this method will not generate a Twistlock alert, but will appear in the Host’s Forensics Data Monitor > Runtime > Host Models, as shown in the screenshot below:

But if an “administrator” secure shells into the GCP VM and performs the task adduser, Twistlock will alert upon this activity. These alerts will appear in Monitor > Events > Host Forensics:

Additionally, the events can easily be downloaded as a CSV file!

The events can also be obtained via the Twistlock API. For example, using my favorite scripting language, PowerShell:

$tlconsole = ""
$cred = Get-Credential
$request = "$tlconsole/api/v1/forensic/activities"
Invoke-RestMethod $request -Authentication Basic -Credential $cred -AllowUnencryptedAuthentication -SkipCertificateCheck


time          : 2/27/19 7:05:59 PM
hostname      : pfox.example.internal
user          : paul
type          : accounts-modified
modifiedFiles : {/etc/passwd-}
interactive   : True


Containerized microservices are discrete compute instances in which their runtime behaviors can be modeled and monitored. On this theme, the same modeling and monitoring techniques can be applied to cloud workload VMs. Now with Twistlock 19.03, you can protect all your workloads regardless of what underlying compute technology powers them. Twistlock Host Forensics provides you with the ability to monitor VM behaviors in real time and provide after-the-fact forensic data.

← Back to All Posts Next Post →