One of the new, exciting innovations available with the release of Stamus Security Platform (SSP) U 40 is the inclusion of Declarations of Policy Violation™ (DoPV). This new class of auto-prioritized security event is an excellent way to get definitive notifications of policy violations taking place on your organization’s network. In this feature spotlight, we will explain what the new DoPVs are, what information they include, and how you can use them to uncover unwanted activity at your organization.
In simple terms, a Declaration of Policy Violation (also known as a DoPV) is a high-confidence, high-priority notification of a severe security event related to your organization’s predefined security policy and the activities you have designated as “unauthorized”. These are similar to the Declarations of Compromise™ (DoCs) that you are likely already familiar with, but unlike a DoC, which is triggered by a threat on an asset, DoPVs are triggered by unauthorized activities or policy violations such as clear text passwords, outdated TLS versions, insecure cipher suites, and Tor browser usage.
DoPVs can be viewed in the operational center immediately next to Declarations of Compromise.
DoPVs are linked to assets and threats, enabling the user to quickly understand which host has been compromised and what specific policy was violated. As we can see in the image below, this DoPV was triggered by the presence of a clear text password originating from one of our assets.
The Stamus Security Platform currently offers broad coverage of general policy violation detections, such as Potential Data Leakage (clear text passwords, abused file sharing services, etc.) and Adware. Additional policy violation detections will be added in future releases. Because each organization has its own unique set of policies, SSP users are encouraged to create their own custom policy violations in order to get the most out of the new feature.
SSP users can elevate any security event to a policy violation, thus creating a detection strategy that will fit any organization’s unique internal policies. This process is similar to the one used to create a custom Declaration of Compromise.
In the example above, the organization has asked the SSP admin to create a custom DoPV to detect and alert upon an FTP application being used to and from specific servers. To do so, the detection method “ET CHAT IRC JOIN command” from a specific source and destination has been elevated to a DoPV. From then on, whenever this detection method triggers on the IPs mentioned, it will raise a DoPV.
When the SSP has detected a DoPV, users can tag it as either informational or relevant.
By doing so, future DoPVs from that category will already be tagged. This mechanism helps SSP users classify the information faster.
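The following Python model of the workflow described above is an added illustration, not Stamus Security Platform code: a detection method is elevated to a custom DoPV for specific source and destination IPs, matching alerts raise DoPVs linked to the originating asset, and once an analyst tags a DoPV category as informational or relevant, later DoPVs in that category arrive pre-tagged. The EVE-style alert lines, the class names and the policy name "irc-from-file-server" are constructed for the example.

```python
import json
from dataclasses import dataclass

# Constructed Suricata EVE-style alert lines (not captured traffic). Only the
# signature name "ET CHAT IRC JOIN command" comes from the article.
SAMPLE_EVE = [
    '{"event_type":"alert","src_ip":"10.0.0.5","dest_ip":"192.0.2.10","alert":{"signature":"ET CHAT IRC JOIN command"}}',
    '{"event_type":"alert","src_ip":"10.0.0.7","dest_ip":"192.0.2.10","alert":{"signature":"ET CHAT IRC JOIN command"}}',
    '{"event_type":"flow","src_ip":"10.0.0.5","dest_ip":"192.0.2.10"}',
]

@dataclass(frozen=True)
class CustomDoPV:
    # A detection method elevated to a policy violation for specific endpoints.
    name: str
    signature: str
    src_ips: frozenset
    dest_ips: frozenset
    def matches(self, ev):
        return (ev.get("event_type") == "alert" and ev["alert"]["signature"] == self.signature
                and ev["src_ip"] in self.src_ips and ev["dest_ip"] in self.dest_ips)

class PolicyViolationCenter:
    # Hypothetical model of the DoPV workflow: raise DoPVs and remember analyst tags.
    def __init__(self, rules):
        self.rules = list(rules)
        self.tags = {}  # DoPV name -> "informational" | "relevant"
    def tag(self, name, label):
        if label not in ("informational", "relevant"):
            raise ValueError(f"unknown tag {label!r}")
        self.tags[name] = label  # later DoPVs in this category inherit the tag
    def process(self, eve_lines):
        """Return one DoPV per matching alert: asset, policy violated, current tag."""
        found = []
        for line in eve_lines:
            ev = json.loads(line)
            for rule in self.rules:
                if rule.matches(ev):
                    found.append({"policy": rule.name, "asset": ev["src_ip"],
                                  "peer": ev["dest_ip"], "tag": self.tags.get(rule.name)})
        return found

def run_demo():
    center = PolicyViolationCenter([CustomDoPV("irc-from-file-server", "ET CHAT IRC JOIN command",
                                               frozenset({"10.0.0.5"}), frozenset({"192.0.2.10"}))])
    first = center.process(SAMPLE_EVE)   # detected, not yet classified by an analyst
    center.tag("irc-from-file-server", "relevant")
    second = center.process(SAMPLE_EVE)  # same category now arrives pre-tagged
    return first, second
```

Note that the alert from 10.0.0.7 carries the same signature but is not a DoPV, because the elevation was scoped to the specific source and destination IPs.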
The Stamus Security Platform is fully integrable with third party software and tools, and thus fits seamlessly into your organization’s security stack.
As a result, there are several possible workflows that can be automated when a DoPV alert is triggered:
A DoPV contains the same information one would find in a Declaration of Compromise. The alert will contain a broad range of data points:
An example view of the information available in a DoPV alert can be seen below:
DoPVs will proactively highlight any policy violation within your network. By integrating with your cybersecurity and incident response stack, DoPVs make tracking, notification and incident response faster and more accurate.
Unlike a DoC, which alerts organizations to high-priority external threats, DoPV coverage extends to any activities that are considered “unauthorized”, thus bringing many high-risk activities into the spotlight that are often only caught by proactive threat hunting. Now, SSP users can quickly understand the state of their network and organization directly from the operational center, seeing both attacks on assets (DoCs) and unauthorized activity that may not necessarily be malicious, but still poses a risk to the organization (DoPVs).
As a new customer, you will automatically benefit from the DoPV feature as it is native to u40, the latest version of the SSP. If you are an existing customer, upgrading to u40 will let you benefit from this new feature.
Once you are using the latest version of Stamus Security Platform, you can start by navigating to the operational center and checking whether a policy violation was detected in your environment.
In addition, you can also take a look at the predefined policy violation filters in the hunting dashboard and start creating custom DoPVs – as described above – to enhance policy violation detection within SSP.
Declarations of Policy Violation are very helpful for enterprise security teams looking to cut through the noise of their alerts and quickly gain an understanding of the unauthorized or otherwise unwanted activity happening on their network.
To stay updated with new blog posts from Stamus Networks, make sure to subscribe to the Stamus Networks blog, follow us on Twitter, LinkedIn, and Facebook, or join our Discord.