Stamus-Networks-Blog

From Open Source IDS to Cyber Kill Chain to SOAR – My First Eight Weeks at Stamus Networks

Written by Steve Patton | Sep 16, 2020 11:11:56 AM

Stamus Networks? They are the Suricata company aren’t they? And Suricata? It’s an open source IDS isn’t it? Well, that’s what I thought (and maybe you too) before I joined Stamus Networks a few months back. Absolutely, Suricata provides a very capable intrusion detection system (IDS) capability, but as I learned very quickly, that’s only one component of an integrated Network Detection and Response (NDR) solution. 

My first brush with Suricata was at a previous company, where it was used as an embedded IDS engine. It did that very well, and at a very high rate because of its multi-threaded optimised high-performance architecture. You can try out standard Suricata for yourself by downloading the open source and free Stamus Networks curated SELKS package, see here

But an integrated NDR solution cannot rely on signature match alerts alone. Network Traffic Analysis (NTA) provides protocol session and flow meta-data, often as Netflow or IPFix which is a crucial element of threat hunting used for anomaly and polymorphic threat detection. Meta-data from encrypted TLS sessions enables threat hunting and forensics for encrypted traffic flows. And there is even more data that can be harvested from NTA to enhance security events, such as host information and application use. 

The good news being this can all be done without the need for client or end-point agents. Add to this information you already know about your organisation, such as department, subnet and wi-fi hierarchy, then we end up with a very rich Network Security Monitoring (NSM) threat hunting environment. And as I was to discover, that’s one of the things Scirius Security Platform from Stamus Networks does. Oh - and did I mention data-set processing that enables “deny” and “allow” listing with super-efficient matching of millions of parameter values at full line rate? This helps us to quickly see activity (end-points, client types, applications …) not seen across our networks before and is great for policy and compliance auditing. 

Most of the cybersecuity analysts I have met want access to all of that meta-data, even though there’s never enough time to process it all. When you don’t know what you are looking for – nothing can be ignored or thrown away.

But a CISO’s priority is to minimise risk, one way to do that is to turn those millions of  data points into insight as quickly as possible to know if we are under attack or have already been compromised, so not Network Security Monitoring but Network Detection and Response 

And that’s what we do at Stamus with Scirius Security Platform; we enhance network meta-data and IDS alerts with information you already have – such as your network topology and organisational context then correlate this with host information retrieved from monitored traffic. We apply our in-house developed threat intelligence, which can be augmented by organisation- and situational- specific threat intelligence orchestrated within Scirius by your expert threat hunters, to both historic and future network traffic. 

We filter and prioritise events, provide cross referenceable context, map threats to impacted assets and project the most serious threats onto the Cyber Kill Chain. Integrated, if needs be, with your SOAR. 

From millions of events to a handful of the most important events that you must respond to today.  

So that's my journey from an open source ‘more than an IDS’, through millions of NSM events, to cyber kill chain and SOAR. And what I have learnt so far?

1. Suricata does more than IDS, and you really do not need to deploy a separate NSM  – you can try out all of its features for yourself for free by downloading SELKS.

2. Scirius from Stamus harnesses and enriches that Suricata goodness for maximum insight, to minimise risk. You can try that for free as well – contact us to arrange an evaluation. 

So, as I look ahead … I must confess to being very excited about sharing what I’ve learned with our customers and the industry at large. And I can’t wait to see what new insights I uncover in the weeks and months ahead.