Stamus-Networks-Blog

Scaling Suricata in the Enterprise - Leverage Advanced Analytics

Written by Peter Manev | Dec 15, 2020 12:15:00 PM

Background

As we have previously written, for all Suricata’s capabilities, building out an enterprise-scale deployment of Suricata with mostly open source tools can be a challenge. 

In this final entry in the series of blog posts, we review another one of the five ways to improve the scalability of Suricata in an enterprise deployment - Leveraging Advanced Analytics for Insights.

Note: for a more complete review of all five improvements, please check out the white paper, Scaling Suricata for Enterprise Deployment. You can download your copy here >>

Leveraging Advanced Analytics to Gain Insights 

With an enterprise-scale deployment, the sheer volume of alerts being generated by the 10s or 100s of Suricata sensors can be overwhelming. Even when organizations have operationalized a SIEM to collect, normalize, and correlate all the activity, security teams find it nearly impossible to know what is important or urgent and what does not deserve their attention.

In order to effectively deploy Suricata at an enterprise scale, it is critical that organizations consider advanced analytics or higher order threat detection algorithms in order to know where to begin their hunt. Without such systems, the number of individual indicators can appear as false positives which leads to alert fatigue which ultimately leads to inaction. This is a big data problem that requires advanced automation solutions.

So, the goal is to reduce the noise and provide automation to guide the threat hunter towards the most important issues of the day. As in other areas, there are several open source and do-it-yourself options as well as a long list of commercial options. In this paper we will touch on a few of the open source options and explore one commercial solution in some detail. 

With a limited set of open source options available, in order to solve this problem organizations must either develop home grown systems or invest in commercial solutions. Here are three resources that could be helpful when considering developing your own visualization and threat hunting interface: 

  • MITRE ATT&CK™: Design and Philosophy - The MITRE ATT&CK knowledgebase describes cyber adversary behavior and provides a common taxonomy for both offense and defense. It has become a useful tool across many cybersecurity disciplines to convey threat intelligence, perform testing through red teaming or adversary emulation, and improve network and system defenses against intrusions.
  • Intelligence-Driven Computer Network Defense Informed by Analysis of Adversary Campaigns and Intrusion Kill Chains -Using a kill chain model to describe phases of intrusions, mapping adversary kill chain indicators to defender courses of action, identifying patterns that link individual intrusions into broader campaigns, and understanding the iterative nature of intelligence gathering form the basis of intelligence-driven computer network defense (CND).
  • IDS for logs: Towards implementing a streaming Sigma rule engine - The Sigma rule format has emerged in recent years as a signature-like ruleset for event logs for use by security operations and threat hunting communities. This paper provides a detailed technical outline of our implementation. 

When evaluating alternatives, keep in mind that a common, perhaps overly-simplified, solution is to aggregate events based on the source, destination, or other common factors present in each event. This results in a more condensed display of information that allows for simpler analysis.

The problem with this method is that it fails to address the current attack mechanisms, which are multi-stage. These attacks - modeled by the cyber kill chain - can begin by exploiting a system vulnerability, then installing on the system and communicating with the control server to collect and perform desired actions on the target. Aggregating events by metadata doesn’t allow the cyber kill chain to be considered. An additional abstraction is needed, or we won’t be able to observe the exploitation from one server and the command and control beacon which is part of the same process. 

Spotlight on One Commercial Solution - Stamus Security Platform (formerly Scirius Security Platform)

Developed by Stamus Networks, Stamus Security Platform can provide a single alert, and the SOC analyst sees only that - for example - the malware appeared on the server in the Command and Control phase of the kill chain. The analyst also sees the specific time that the communication was detected and when it was last seen. All those repeated noisy alerts are suppressed, but they remain available in the system logs as important corroborating evidence for the incident investigation.

This approach completely changes the paradigm of how security teams view individual events drawn directly from network traffic, by moving to a whole new way of identifying incidents. Getting warned about events such as a new threat detected on an asset or a change in the progression along the kill chain is now a reality. The great news - it will warn analysts only when something meaningful happens on the network.

Other Articles in the Series on Scaling Suricata

In an earlier blog article we reviewed ways to optimize your sensor placement. Future blog articles will cover the additional three considerations that can help you improve the scalability of Suricata in your enterprise. Here’s the complete list of articles:

Additional Suricata Resources

If you are interested in exploring this topic further, we recommend the following resources: