Which Cybersecurity Products Use Deep Packet Inspection and Why?

By Erik Larsson, VP Marketing at Qosmos, the network intelligence division of Enea.

In a recent webinar with IHS Markit, the audience was asked the question “Which security products need DPI?” Here is my take on the results.

[Figure: IHS Cybersecurity Poll, March 2017. Source: IHS Markit Webinar Poll March 2017]

It is not surprising to see that most respondents picked “Firewall”. In 2007, Palo Alto Networks was the first vendor to ship a firewall that could identify and provide fine-grained control of applications, regardless of ports or IP addresses. How did they do it? Their (new) secret sauce was DPI.

Since then, all good firewalls have built-in DPI, providing real-time application visibility for effective blocking and alerting. That’s why 10 years later, “Firewall” tops the list of security products that need DPI inside.

It also seems natural to have DPI as a core technology inside sophisticated security solutions that protect against malware and data loss. Here, the DPI software extracts raw traffic content and metadata, which product developers use to reconstruct emails, attached files, images, videos, websites, etc. The security experts then apply in-house investigation and mitigation methods to identify potential threats.

SIEM is not obviously associated with DPI, but DPI can play a major role. SIEM and other security analytics products use NetFlow and IDS information to describe network activity and create a timeline mapping actors and actions. The results are not always satisfactory, since NetFlow lacks Layer 7 application information, and IDS logs and events tend to focus on alerts, not actions.

DPI adds valuable information, which can be indexed by SIEM: referring party, session cookies, server codes, etc. This improves the accuracy of SIEM: searching is more fine-grained, alerting more accurate and there are fewer false positives.
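
To illustrate the point about indexing Layer 7 fields, the following Python is an added example, not code from Qosmos or from the original article. It joins NetFlow-style records with DPI metadata and flags a session cookie used from more than one client address, something the flow records alone cannot show. All records, field names and addresses are constructed assumptions, not a vendor schema.

```python
from collections import defaultdict

# Constructed sample records; field names are assumptions, not a vendor schema.
# NetFlow-style view: Layer 3/4 only (TCP assumed, so protocol is omitted).
FLOWS = [
    {"ts": 100, "src": "10.0.0.5", "sport": 50001, "dst": "192.0.2.10", "dport": 80, "bytes": 4200},
    {"ts": 130, "src": "10.0.0.5", "sport": 50002, "dst": "192.0.2.10", "dport": 80, "bytes": 3900},
    {"ts": 160, "src": "10.0.0.77", "sport": 41000, "dst": "192.0.2.10", "dport": 80, "bytes": 4100},
    {"ts": 200, "src": "10.0.0.9", "sport": 33333, "dst": "192.0.2.10", "dport": 80, "bytes": 800},
]

# DPI view of the same sessions: the Layer 7 fields the article lists
# (referrer, session cookie, server status code). The last flow has none.
DPI = [
    {"src": "10.0.0.5", "sport": 50001, "dst": "192.0.2.10", "dport": 80,
     "referrer": "http://intranet.example/login", "cookie": "sess-A1", "status": 200},
    {"src": "10.0.0.5", "sport": 50002, "dst": "192.0.2.10", "dport": 80,
     "referrer": "http://intranet.example/home", "cookie": "sess-A1", "status": 200},
    {"src": "10.0.0.77", "sport": 41000, "dst": "192.0.2.10", "dport": 80,
     "referrer": None, "cookie": "sess-A1", "status": 200},
]
L7_FIELDS = ("referrer", "cookie", "status")


def flow_key(rec):
    """Key shared by the flow record and the DPI record of one session."""
    return (rec["src"], rec["sport"], rec["dst"], rec["dport"])


def enrich(flows, dpi):
    """Join flow records with DPI metadata; missing Layer 7 data stays None."""
    meta = {flow_key(m): m for m in dpi}
    events = []
    for f in flows:
        m = meta.get(flow_key(f), {})
        events.append({**f, **{k: m.get(k) for k in L7_FIELDS}})
    return events


def cookies_seen_from_multiple_clients(events):
    """Return {cookie: sorted client IPs} for cookies used by more than one source IP."""
    clients = defaultdict(set)
    for e in events:
        if e["cookie"] is not None:
            clients[e["cookie"]].add(e["src"])
    return {c: sorted(ips) for c, ips in clients.items() if len(ips) > 1}


if __name__ == "__main__":
    for cookie, ips in cookies_seen_from_multiple_clients(enrich(FLOWS, DPI)).items():
        print(f"session cookie {cookie} used from {ips}")
```

With flow data only, the three sessions to 192.0.2.10 look like ordinary web traffic of similar size; the shared cookie becomes searchable only once the DPI fields are indexed.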

Beyond this webinar poll, I see a steady stream of new security products that also need to understand network traffic in detail; therefore, DPI will remain a key ingredient for effective cybersecurity for a long time.

If you would like to strengthen your cybersecurity products with DPI, check out: http://www.qosmos.com/cybersecurity/overview/