<img height="1" width="1" style="display:none;" alt="" src="https://px.ads.linkedin.com/collect/?pid=2180921&amp;fmt=gif">

Scirius Security Platform: The First Chapters in the Quest

by Eric Leblond | Jul 02, 2020

Every great story begins with the first chapter. And with each new chapter the characters develop and temptations or challenges are identified and overcome. For us at Stamus Networks, living our story has been incredibly rewarding so far. 

And while we are on a lifetime quest to improve the efficacy of and reduce costs associated with cybersecurity through network detection and response (NDR) solutions, we are taking a moment to reflect on the early chapters of this quest.


Chapter 1 - A Better IDS/IPS 

We launched Stamus Networks in 2014 with the simple goal to provide an easy way to manage and tune rulesets for the Suricata IDS/IPS. To lower the total cost of ownership of Suricata-based solutions, we built complete appliances and developed a scalable central management interface. At the same time, we introduced SELKS as an open source alternative for a single probe with an entirely integrated management system.

Users of these early Scirius Security systems had a powerful system to deploy Suricata, which was quickly proving it was much more than just an IDS/IPS engine. And they were able to leverage their choice of threat intelligence from Suricata ecosystem providers and they were rewarded with an exceptional network-based threat detection solution. 

Chapter 2 - Enrichment

By 2017 Scirius was beginning to gain some traction. After observing users switching between different applications to look up IP address information, we saw an opportunity. So we set out to augment/enrich the security events with useful data to help the cyber threat hunters who were trying to make sense of the events in the context of their own environment.

In doing so, we introduced three important new capabilities: 

Organizational network definitions. The user assigns names to all the networks in their organization and they are added to the event record. For example, you can use this feature to map department structure context to network events, by labeling the network 10.1.5.0/24 as "Paris Marketing Office" and 10.10.1.0/24 and 192.168.0/24 as "North America offices, Sales." 

IP geolocation for external IP addresses. The system adds geographical information such as city, country, autonomous system number, and autonomous system organization for every IP address to the event record.

Fully Qualified Domain Names (FQDN) for internal IP addresses. Events with internal IP addresses are enriched with their corresponding FQDN. For example, now "10.10.10.5" is identified as "Joes.macbook.internalclinets.yourdomain.com," 

With all these features, the enriched data is added to the security event record, are displayed in the Scirius Enriched Hunting interfaces, and can be ingested and used by a third party SIEM or dashboard tool.

Chapter 3 - Addressing Alert Fatigue

Beginning in 2018, after several years of real-world deployment, we realized that alert fatigue was becoming a real problem for users of security monitoring systems, including network IDS. 

So, we decided to tackle this alert fatigue problem by developing a cyber threat hunting interface using two concepts that represented an entirely fresh and innovative approach. 

You see, we realized that if we exposed all the network metadata available from the Suricata engine and correlated it with the IDS alerts, we could offer security practitioners a powerful way to analyze alert events and other network activity from a single enriched threat hunting interface. 

And because we understand that you don’t want to begin each day looking for a new needle in the new proverbial haystack, we built in a mechanism that uses this metadata to efficiently classify current and future events as important, informational or unclassified (the default state). This simple yet powerful capability allows the security teams to “divide and conquer” the work of threat hunting.

For example, a Tier 3 analyst in your organization can review and identify the unclassified events as important or informational while a Tier 1 analyst focuses only on the new events that are tagged important

These enriched threat hunting capabilities dramatically reduce the time required to process alerts and give the analyst insights needed to identify anomalies in their environment.

Chapter 4 - Focus on the Host

In 2019, we began work to offer a more complete picture of the hosts operating on the network to help our users more quickly respond to incidents and policy violations. Specifically, we wanted to capture all the services, usernames, hostnames, along with HTTP and TLS agents associated with a given host. 

Aware that storage capacity is finite and how design choices can dramatically impact the user experience, we architected a host identification system that creates host activity records using the comprehensive network data collected by the probes through network traffic analysis (NTA). 

These architecture decisions allow Scirius Security Platform to deliver several important benefits, including: 

  • a very responsive user experience
  • minimal storage burden
  • deep and rich event history 

The capabilities introduced through NTA are key to connecting host activity to security events, policy violations and other anomalous network activity. For example, the host activity data can help answer questions that are simply not possible with the IDS alert logs, including:

  • What unauthorized proxy servers are deployed in my network?
  • Which of my production servers are running applications that require encryption, but are not using approved certificates?
  • Which desktops in the marketing department on the 5th floor are not running their endpoint protection service?

Finally, because the host data is correlated in real time with the alert data, it can provide a powerful place to pivot during an investigation. For example, a user wishing to see alerts on all NGINX servers in the enterprise network can do so with a few clicks in Scirius Enriched Hunting. And the results are returned nearly instantly, giving analysts meaningful insights, without the need to leave the hunting interface to manually look up the information in another system. 

What’s Next?

Very soon, we will introduce a new chapter in our quest for the ultimate network detection and response (NDR) solution. Please subscribe to this blog to be sure you don’t miss a thing.