Stamus Central Server
Stamus Central Server™ provides the centralized management of the probes, third party threat intelligence and rulesets, consolidated event storage and a central integration point.
It includes an additional layer of machine learning and algorithmic threat detection, along with automated event triage enabled by tagging and classification. Finally, the Stamus Central Server provides SSP users with a powerful threat hunting and incident investigation interface. SSP also includes a comprehensive API, with access to all SSP functions, that lets third party systems such as a SIEM, SOAR, XDR, EDR or IR platform initiate evidence queries and configuration commands.
Detecting these and other threats requires combining multiple mechanisms, some simple and others quite sophisticated. Each contributes to the system’s ability to efficiently uncover threats and support an appropriate response. SSP currently employs the following detection mechanisms:
Explicit rules – the most efficient way to detect known threats
Machine learning – extremely good at detecting difficult patterns or abnormalities
Behavioral analytics – an efficient mechanism for identifying unauthorized activity
Stateful logic – required for tracking the activities associated with an asset over time
Threat intelligence (IoC) matching – a mechanism to leverage the work of threat researchers to identify IP addresses and domains that are known or suspected to be used by threat actors
Statistical anomalies – an efficient mechanism for identifying subtle behavioral changes
“First seen” indicators (e.g. Stamus Sightings™) – identify new communication artifacts, never observed before on the network, such as an HTTP User-Agent, a domain name, a JA3/JA4 hash, and more
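To make the last two list items concrete, the following is an added example (not Stamus code, and not how Stamus Sightings™ or the SSP IoC engine are implemented) that runs a minimal “first seen” tracker and an IoC match over a handful of constructed Suricata EVE-style events. The event shape, the learning cutoff, and the IoC values are all assumptions made for the example; the one practical point it shows is that a first-seen detector needs a learning period, otherwise every artifact is “new” on day one and the alerts are noise.

```python
from collections import defaultdict

# Constructed sample events in a Suricata EVE-like JSON shape (not captured traffic).
SAMPLE_EVENTS = [
    {"timestamp": "2024-01-01T10:00:00Z", "event_type": "http", "src_ip": "10.0.0.5",
     "http": {"hostname": "updates.example.com", "http_user_agent": "Mozilla/5.0"}},
    {"timestamp": "2024-01-01T10:00:05Z", "event_type": "tls", "src_ip": "10.0.0.5",
     "tls": {"sni": "mail.example.com", "ja3": {"hash": "aaaa"}}},
    {"timestamp": "2024-01-01T10:01:00Z", "event_type": "http", "src_ip": "10.0.0.7",
     "http": {"hostname": "updates.example.com", "http_user_agent": "Mozilla/5.0"}},
    {"timestamp": "2024-01-02T10:01:00Z", "event_type": "http", "src_ip": "10.0.0.7",
     "http": {"hostname": "cdn.bad.example", "http_user_agent": "curl/8.0"}},
    {"timestamp": "2024-01-02T10:02:00Z", "event_type": "tls", "src_ip": "10.0.0.9",
     "tls": {"sni": "mail.example.com", "ja3": {"hash": "bbbb"}}},
]

# Constructed IoC sets (hypothetical values, not a real threat intelligence feed).
IOC_DOMAINS = {"cdn.bad.example"}
IOC_JA3 = {"bbbb"}

# Artifacts observed before this timestamp are learned as baseline, not alerted on.
# ISO-8601 UTC strings of identical format compare correctly as plain strings.
LEARNING_CUTOFF = "2024-01-02T00:00:00Z"


def extract_artifacts(event):
    """Yield (kind, value) pairs for the communication artifacts in one event."""
    if event.get("event_type") == "http":
        h = event.get("http", {})
        yield "domain", h.get("hostname")
        yield "user_agent", h.get("http_user_agent")
    elif event.get("event_type") == "tls":
        t = event.get("tls", {})
        yield "domain", t.get("sni")
        yield "ja3", t.get("ja3", {}).get("hash")


def ioc_match(kind, value):
    """Exact-match lookup against the constructed IoC sets."""
    return (kind == "domain" and value in IOC_DOMAINS) or (kind == "ja3" and value in IOC_JA3)


class FirstSeenTracker:
    def __init__(self, learning_cutoff):
        self.learning_cutoff = learning_cutoff
        self.seen = defaultdict(dict)  # kind -> {value: timestamp first observed}

    def process(self, event):
        """Return the findings for one event: first-seen artifacts and IoC hits."""
        findings = []
        ts = event["timestamp"]
        for kind, value in extract_artifacts(event):
            if value is None:
                continue
            if value not in self.seen[kind]:
                self.seen[kind][value] = ts
                # During the learning window, record the artifact silently.
                if ts >= self.learning_cutoff:
                    findings.append({"type": "first_seen", "kind": kind, "value": value,
                                     "src_ip": event.get("src_ip"), "timestamp": ts})
            # IoC matching is independent of novelty: a known-bad artifact is reported
            # even if it was first observed during the learning window.
            if ioc_match(kind, value):
                findings.append({"type": "ioc_match", "kind": kind, "value": value,
                                 "src_ip": event.get("src_ip"), "timestamp": ts})
        return findings


def run(events, learning_cutoff=LEARNING_CUTOFF):
    """Feed events through the tracker in order and collect all findings."""
    tracker = FirstSeenTracker(learning_cutoff)
    findings = []
    for event in events:
        findings.extend(tracker.process(event))
    return findings


if __name__ == "__main__":
    for f in run(SAMPLE_EVENTS):
        print(f"{f['timestamp']} {f['type']:10} {f['kind']:10} {f['value']} from {f['src_ip']}")
```

On the constructed input, day one populates the baseline silently; on day two the new domain and User-Agent from 10.0.0.7 and the new JA3 hash from 10.0.0.9 are reported as first seen, and the two IoC values are reported as matches in addition. A production tracker would persist `seen` and expire stale entries rather than keep a dict in memory.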
The combination of multiple detection techniques is much more effective than a single mechanism such as machine learning or explicit rules alone. In addition, these mechanisms allow SSP to generate a multi-dimensional stream of events that can be correlated and used for threat hunting and incident investigation.
The threat research team at Stamus Labs is continually developing and updating new algorithms and intelligence to improve the SSP threat detection capability. SSP users receive threat intelligence updates daily and improved detection algorithms several times per year.