DeepFlow for SIEM Vendors
Typical situation today
Security Information and Event Management (SIEM) systems collect firewall logs, host syslog data, IPS/IDS logs. They collect network traffic through NetFlow probes with minimal application detection.
Flow traffic is used to normalize log data and acts as an index to search the system actions and behavior. Flow traffic lacks application details when correlating or validating events across multiple sources. This makes it time consuming for teams to check out alerts being generated on a system.
Strengthening the solution with Qosmos DeepFlow® Probes
DeepFlow for Security provides SIEM vendors with:
- A rich forensic record of network activity without the expense of full packet capture. This can be easily used to get an understanding of a customer ‘s normal and unusual network application behavior.
- Fine grained application behavior details for precise alerting. This can be used to reduce the false positives associated with some IDS alerts, or application events by themselves.
The SIEM vendor replaces NetFlow appliances with DeepFlow Probes. Minor changes are made on the SIEM system to support a rich new metadata stream, and enable metadata querying in the interface.
SIEM customers now have full application visibility for all network communication. Users can search through events and build alerts for complex application behavior. SIEM searching and alerting becomes more fine-grained, meaning quicker searches, fewer false positives, and more accurate alerts.