Stamus-Networks-Blog

Detection Technology Truth-telling and a Focus on Results

Written by Ken Gramley | Jul 8, 2021 1:16:29 PM

In my last blog article, I introduced some of the factors that have contributed to our successes and some of the reasons customers have chosen our solutions. 

I mentioned that many of our customers find us because they are looking for a “better intrusion detection system (IDS)” to replace their aging or ineffective solution. Decision makers quickly learn that our deep Suricata expertise has enabled us to create just that, and much, much more. 

One of the results - Stamus Network Detection (ND) - is a drop-in replacement for their current IDS that delivers higher-confidence threat detection in north-south as well as east-west traffic and can be deployed on-premise or in cloud environments. And because we incorporate both the powerful IDS and network security monitoring (NSM) capabilities of Suricata along with organization-specific context and automated alert triage, event review and incident investigation can be performed with far fewer resources.

So, while we may be known in the industry for our commercial Suricata solutions, our customers recognize that Stamus ND delivers much more than simply a commercially-supported and scaleable version of an amazing open source engine; we combine the best capabilities of IDS, NSM and NDR into a single powerful solution that optimizes organizations' network security.

In this article I will explain how our results-focused approach to adding new detection technologies and advanced threat intelligence enables organizations to further increase confidence and reduce their resource requirements. The result - Stamus Network Detection and Response (NDR) - is available as a license upgrade to Stamus ND users.

Enter “Truly Useful” Detection

Our customers tell us that one of their biggest challenges when evaluating network security solutions is separating vendor technology hype from the reality of their efficacy. For example, we hear complaints about machine learning (ML) and artificial intelligence (AI) ‘black magic’ -- technology that seems to uncover bad things, but provides little evidence or explanation.

Without supporting evidence, these systems are merely providing more indicators of compromise that each need extensive investigation by analysts using logs and other substantiating information. Something must be done to make this useful.

At Stamus Networks, we are driven by an obligation to detect everything possible. But in the end, even the best detection is not that valuable if it results in too much noise and not enough insights. And detection that is not supported by evidence is nearly useless. That’s why we focus on making our detection as useful as possible.

This is codified in one of our core principles at Stamus Networks: Deliver the most useful detection. Period.

That’s why we incorporate a broad spectrum of detection techniques. These include machine learning - yes - but also signatures, anomaly algorithms, and simple policies. It’s why we integrate third party threat intelligence and allow for substantial customization. And it’s why we correlate these results and enrich all the data with organizational context to provide the evidence needed to quickly respond.

We’re pleased that our customers have validated this approach by telling us we frequently detect threats that their other systems miss.

Ultimately, our goal is to simplify our customers’ lives by giving them Declarations of Compromise™ -- high-confidence meaningful signals that indicate something requires immediate attention and providing them with the evidence to quickly confirm and resolve the incident.

On Machine Learning and Signatures

Historically, signatures - also referred to as rules - have been the standard threat detection mechanism for Suricata (and Snort before that) sensor-based network intrusion detection systems. Teams of threat researchers work non-stop to develop signatures for each new attack type. In fact, that was the primary business of my previous employer Emerging Threats, now part of Proofpoint. When written well, signatures can detect not just known threats but also future zero day attacks. 

Recently, we have seen that AI and ML can be very good at finding certain things and solving certain problems. These technologies definitely have their strengths and have demonstrated immense potential which is why they have created such buzz.

But in many cases, the results of ML and AI merely indicate “anomalous activity” and not definitive imminent threats. So with each sighting of anomalous activity flagged by the ML/AI system, a trained analyst must still perform an investigation to confirm or reject the claim. This is where the lack of evidence logged by some current systems and what we call the “un-explainability” of an event makes the analyst’s job difficult. And it’s why it is difficult to use these anomalous results to trigger an automated response.

That said, we have found that when properly integrated with other detection techniques, ML can deliver incredible value by uncovering suspicious activity that might otherwise be missed and providing corroborating evidence to help with the subsequent investigation.

As such, we will soon introduce the first of our machine learning (ML) capabilities for Stamus NDR which will present “suspicious activity” to the analyst, backed up by corroborating evidence from our other detection techniques and metadata enrichment. Our research has shown this to be the path to delivering the most “useful” detection and making the defender’s job simpler and more impactful.

We are very excited by the results we’ve seen and what we have been able to detect in our test environments. We will be unveiling more about this capability shortly, so stay tuned.

Likewise, there are many incidents that signature/rule-based detection is still extremely good at finding. And we are not going to abandon that approach just because the industry thinks AI and ML are the sexiest things right now. In fact, we relentlessly innovate on ways to improve the efficacy of signature detection and make it more useful to the practitioner, such as incorporating them in higher level threat intelligence and enriching the alerts they trigger to create the pool of evidence presented with our “declarations of compromise.”

One thing I learned during my time as CEO of Emerging Threats is that good threat detection rules are actually quite effective. Rule writing is a very specific skill and unfortunately, throughout the years many vendors delivered inferior rules with their IDS tools, creating frustration with rule-based systems among enterprise security teams. This undoubtedly contributed to the “rules suck, so use artificial intelligence!” attitude among many.  

At Stamus Networks, we believe strongly in applying the best technology available for the problem at hand. We don’t view ourselves as an “AI company,” and - this may surprise many - we don’t view ourselves as a “signature” or “rules” company either. Stamus Networks is a network security company that strives to simply make the job of the defender easier and more impactful using whatever technology proves effective.

NDR is the Next Step

The rise of NDR is the next logical step in the evolution of effective network security. It offers the very real promise of combining extraordinarily powerful threat detection with the resource savings that come from automating key elements of an organization’s incident response.

But for NDR to realize its ultimate potential, two things must happen: 

  1. 1. Security practitioners and pundits must not view NDR as a singular technology whose detection is based only on machine learning. As I mentioned earlier, our customers have found extreme success in employing a broad spectrum approach to threat detection. 
  2. 2. The industry needs to provide a clear path from historical IDS use cases to full-blown NDR. This should include drop-in replacement options for today’s IDS that come with a seamless upgrade path to NDR.
  3.  

We are fortunate that Stamus Networks customers are clear-eyed with respect to #1, and our ability to deliver on #2 (Stamus NDStamus NDR) has won us a number of fans.