DeepFlow DPI probe software for SIEM Vendors

Overview

Typical situation today

Security Information and Event Management (SIEM) systems collect firewall logs, host syslog data and IPS/IDS logs. They collect network traffic through NetFlow probes that provide only minimal application detection. Flow records are used to normalize log data and act as an index for searching system actions and behavior. Because flow records lack application details, correlating or validating events across multiple sources is harder, and it becomes time-consuming for teams to investigate the alerts a system generates.

Strengthening the solution with Qosmos DeepFlow® probe software for security

DeepFlow DPI probe software configured for security provides SIEM vendors with:

  • A rich forensic record of network activity without the expense of full packet capture. This can be used to understand a customer's normal and unusual network application behavior.
  • Fine-grained application behavior details for precise alerting. This can be used to reduce the false positives associated with some IDS alerts, or to alert on application events by themselves.

The SIEM vendor replaces NetFlow appliances with probes running DeepFlow software. Minor changes are made on the SIEM system to support the new, richer metadata stream and to enable metadata querying through the SIEM vendor’s existing user interface.
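The difference between a NetFlow-style index and an application-aware metadata stream is easiest to see in the alert-triage step described above. The following is an added example, not Qosmos code and not any SIEM vendor's correlation logic: it joins a constructed IDS alert to constructed flow records by source, destination, destination port and time window, and then decides whether the alert can be validated. With 5-tuple-only records the alert stays unverified; with records that carry an application label (here assumed to be a simple `app` string such as "http" or "ssh") the alert can be confirmed or flagged as a likely false positive. Record layouts, field names and the one-minute window are assumptions for the example.

```python
from dataclasses import dataclass
from typing import Optional, List, Dict


@dataclass
class Flow:
    """One flow record. `app` is None for NetFlow-style records (5-tuple only)
    and an application label for DPI-enriched records (field name assumed)."""
    ts: int            # epoch seconds
    src: str
    dst: str
    dport: int
    app: Optional[str] = None


@dataclass
class Alert:
    """One IDS alert. `expected_app` is the application the signature is written
    for, so a flow labelled with a different application suggests a mismatch."""
    ts: int
    src: str
    dst: str
    dport: int
    signature: str
    expected_app: str


def find_flow(alert: Alert, flows: List[Flow], window: int = 60) -> Optional[Flow]:
    """Return the flow closest in time to the alert that shares src, dst and dport
    within +/- `window` seconds, or None when no such flow exists."""
    candidates = [
        f for f in flows
        if f.src == alert.src and f.dst == alert.dst and f.dport == alert.dport
        and abs(f.ts - alert.ts) <= window
    ]
    if not candidates:
        return None
    return min(candidates, key=lambda f: abs(f.ts - alert.ts))


def triage(alert: Alert, flows: List[Flow], window: int = 60) -> str:
    """Classify an alert against the flow index:
    - "no_flow":               nothing in the index matches the alert
    - "unverified":            a flow matches but carries no application label
    - "confirmed":             the flow's application matches the signature's
    - "likely_false_positive": the flow's application does not match"""
    flow = find_flow(alert, flows, window)
    if flow is None:
        return "no_flow"
    if flow.app is None:
        return "unverified"
    if flow.app.lower() == alert.expected_app.lower():
        return "confirmed"
    return "likely_false_positive"


def triage_all(alerts: List[Alert], flows: List[Flow]) -> Dict[str, str]:
    """Map each alert's signature to its triage verdict."""
    return {a.signature: triage(a, flows) for a in alerts}


# Constructed sample data (not captured traffic): the same two flows, once as
# 5-tuple-only records and once with an application label attached.
NETFLOW_ONLY = [
    Flow(ts=1000, src="10.0.0.5", dst="203.0.113.9", dport=8080),
    Flow(ts=1005, src="10.0.0.7", dst="203.0.113.9", dport=443),
]
DPI_FLOWS = [
    Flow(ts=1000, src="10.0.0.5", dst="203.0.113.9", dport=8080, app="ssh"),
    Flow(ts=1005, src="10.0.0.7", dst="203.0.113.9", dport=443, app="tls"),
]

# Constructed alerts: an HTTP-oriented signature fired on 8080, which the DPI
# record shows is actually SSH, and a TLS signature on 443 that matches.
ALERTS = [
    Alert(ts=1010, src="10.0.0.5", dst="203.0.113.9", dport=8080,
          signature="HTTP-SQLI-GENERIC", expected_app="http"),
    Alert(ts=1007, src="10.0.0.7", dst="203.0.113.9", dport=443,
          signature="TLS-WEAK-CIPHER", expected_app="tls"),
    Alert(ts=1020, src="10.0.0.9", dst="203.0.113.9", dport=25,
          signature="SMTP-RELAY-PROBE", expected_app="smtp"),
]

if __name__ == "__main__":
    print("NetFlow index :", triage_all(ALERTS, NETFLOW_ONLY))
    print("DPI metadata  :", triage_all(ALERTS, DPI_FLOWS))
```

Run stand-alone, the script prints the verdicts for both indexes. Against the 5-tuple-only records every matched alert is merely "unverified", so an analyst still has to pull packets or host logs; against the labelled records the HTTP signature on the SSH flow is flagged as a likely false positive and the TLS alert is confirmed, which is the reduction in manual checking the text refers to.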

Benefits

SIEM customers now have full application visibility for all network communication. Users can search through events and build alerts for complex application behavior. SIEM searching and alerting becomes more fine-grained, meaning quicker searches, fewer false positives, and more accurate alerts.

Example