For many organizations considering Network Detection and Response (NDR), one of the most valuable steps in the evaluation process is a “Proof of Value” or “POV”. In this step in the evaluation process, the organization tests a limited deployment of the NDR (in our case, the Stamus Security Platform a.k.a. SSP) on their network to see how it operates in their environment.
Oftentimes, when we engage in a POV with a potential customer, we notice that SSP frequently identifies threats or other vulnerabilities missed by the organization’s current security tools. This is where the “Value” comes into play. By showing how SSP operates on an organization’s network, we can demonstrate just how effective NDR actually is.
In this blog post, we are going to share some results from a recent POV we did with a potential customer, where SSP was able to detect a serious breach that the organization’s other security tools had not identified.
Background
A large state-owned energy corporation in Africa, with over 6,000 employees working remotely and on site, faced challenges – such as alert fatigue and a lack of supporting evidence with the alerts –,with their existing in-house custom Suricata intrusion detection system. They suspected these challenges were causing them to miss critical security threats. In addition to Suricata, the company deployed endpoint detection and response (EDR) and security orchestration automation and response (SOAR) systems along with other basic tools.
After deploying Stamus Security Platform (SSP), they were able to overcome these limitations and gain comprehensive visibility into their complex hybrid network. SSP's advanced capabilities helped uncover hidden threats, reduce alert fatigue, increase efficiency, and enhance overall security posture.
What we found
The organization evaluated Stamus Security Platform for a total of 30 days, in which time SSP observed and analyzed over 59 TB of network traffic and collected insights for more than 2.3 billion network communication endpoints (including hosts, websites, devices, and more) from both within and outside of the organization.
Among those events, the Stamus Central Server generated nearly 10 million raw detection events. The most serious of those events escalated into Declarations of Compromise™ (DoCs).
As a reminder, DoCs are an innovation feature unique to SSP — ultra high-confidence and high-priority security events that indicate a “serious and imminent” threat on an asset. SSP has DoC coverage for thousands of known threats and TTPs using hundreds of different detection methods. When SSP generates a DoC, it creates a data record that contains a substantial amount of meta data and associated artifacts that help the analyst understand exactly why it triggered and provide evidence for any investigation that may follow.
In this evaluation, SSP escalated 234 DoC events, detailing 20 different active threats taking place across 213 different impacted assets. In other words, this organization was experiencing an incredibly serious breach that their other tools had entirely missed.
Using several different methods, such as machine learning, advanced heuristics, statistical anomalies, IoC matching, and signature-based detection, SSP identified numerous malicious activities taking place across various stages of the cyber kill chain.
SSP recorded all the evidence needed for remediation, including fully transparent detection logic disclosure, protocol transaction data, file information, flow and anomaly transaction logs, and network forensic evidence in the form of packet capture files (PCAP).
Two of the major malware families we can see here in this image are ViperSoftX and DarkGate, malwares that we have seen in other organizations previously. To learn more about these malware groups and how SSP has detected them in the past, read our blog “Uncovered with Stamus Security Platform: DarkGate Malware as a Service (MaaS)”.
During this evaluation, SSP identified and automatically triaged 11 different major threat families, including:
- APT (Advanced Persistent Threats)
- Backdoor
- Botnet
- Trojan
- Ransomware
- and more
In addition to the vast amount of malware-related threats SSP discovered over the course of the 30 day POV, SSP also identified a staggering amount of Declaration of Policy Violation™ (DoPV) events.
DoPVs are a new feature available in the most recent release of Stamus Security Platform, version u40. These are a new high-fidelity event category, similar to DoCs, focused on unauthorized activity and policy violations, such as clear text passwords, outdated TLS versions, insecure cypher suites, and TOR browser usage. SSP customers can create custom DoPVs based on their organization’s unique organizational policies. Additionally, any of SSP’s several hundred guided threat hunting filters can be escalated into either a DoPV or a DoC.
These DoPVs do not necessarily represent threats on an asset, but rather instances where an activity is outside of what most organizations would consider “approved”. These violations could result in data leakage, breaches in compliance, a loss in productivity, or could open the door for further malware infection.
Why this matters
While we cannot share the specific details of Stamus Networks’ recommendations to this organization, we can share that this organization has a serious undertaking ahead of them. In this example, the organization experienced an extremely severe breach. A breach that was not caught to its fullest extent by their existing security stack.
Therein lies the “value” in a “Proof of Value”. While most organizations testing Stamus Security Platform do not experience such dramatic results, the proof of SSP’s effectiveness is seen in examples like these. The network does not lie, and by that we mean that it is incredibly difficult for these types of threats to bypass the visibility and coverage provided by Network Detection and Response systems. When configured properly, NDR can catch threats that get missed not only by Endpoint Detection, but also by intrusion detection systems (IDS), firewalls, and other common security tools.
For those organizations wondering if adding NDR to their security strategy is the right choice, the most effective way to discover that answer is by engaging in a POV with the experts at Stamus Networks. To determine if NDR is right for your organization, use the button below to book a demo and speak to our team. We would love to hear about your network and see how Stamus Security Platform can help.
To stay updated with new blog posts and other news from Stamus Networks, make sure to subscribe to the Stamus Networks blog, follow us on Twitter, LinkedIn, and Facebook, or join our Discord.