DeepFlow for SIEM Vendors

Overview

Typical situation today

Security Information and Event Management (SIEM) systems collect firewall logs, host syslog data and IPS/IDS logs. They collect network traffic through NetFlow probes, which offer minimal application detection.
Flow records are used to normalize log data and act as an index for searching system actions and behavior. Flow records lack application details when correlating or validating events across multiple sources, which makes it time-consuming for teams to investigate the alerts a system generates.

Strengthening the solution with Qosmos DeepFlow® Probes

DeepFlow for Security provides SIEM vendors with:

  • A rich forensic record of network activity without the expense of full packet capture. This can be used to build an understanding of a customer's normal and unusual network application behavior.
  • Fine-grained application behavior details for precise alerting. This can be used to reduce the false positives associated with some IDS alerts, or with application events on their own.
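The two points above, as an added illustration that is not Qosmos code and does not use DeepFlow's real record schema: the same alert is triaged against a plain NetFlow record (no application field) and against a DPI-enriched record (application identified, plus a few attributes), and a baseline of known-normal applications per host is used to surface unusual application behavior. All records, hostnames, addresses, field names (`app`, `attrs`) and the baseline are constructed sample data.

```python
# Added example (not Qosmos code): how application metadata on a flow record
# changes IDS alert triage, and how a per-host application baseline surfaces
# unusual behavior. Records and field names below are constructed assumptions,
# not DeepFlow's actual metadata schema.
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set, Tuple


@dataclass
class Flow:
    ts: int                                   # epoch seconds, flow start
    src: str
    dst: str
    dport: int
    bytes_out: int
    app: Optional[str] = None                 # None for plain NetFlow; set by a DPI probe
    attrs: Dict[str, str] = field(default_factory=dict)  # extra DPI metadata (assumed names)


@dataclass
class Alert:
    ts: int
    src: str
    dst: str
    dport: int
    signature: str
    expected_app: str                         # the application the signature was written for


def matching_flows(alert: Alert, flows: List[Flow], window: int = 60) -> List[Flow]:
    """Use the flow table as the index: flows sharing the alert's src/dst/dport
    that started within +/- window seconds of the alert."""
    return [f for f in flows
            if (f.src, f.dst, f.dport) == (alert.src, alert.dst, alert.dport)
            and abs(f.ts - alert.ts) <= window]


def triage(alert: Alert, flows: List[Flow]) -> str:
    """Classify an alert using whatever the available flow records can tell us."""
    hits = matching_flows(alert, flows)
    if not hits:
        return "no-flow"                      # nothing to corroborate: possible sensor gap
    if any(f.app is None for f in hits):
        return "needs-review"                 # NetFlow only: application unknown, manual work
    if all(f.app != alert.expected_app for f in hits):
        return "likely-false-positive"        # signature fired on a different application
    return "corroborated"                     # application matches what the signature targets


def unusual_apps(flows: List[Flow], baseline: Dict[str, Set[str]]) -> List[Tuple[str, str]]:
    """(host, app) pairs where a DPI-identified application is outside the
    host's known-normal set. Flows without an app field cannot be assessed."""
    return sorted({(f.src, f.app) for f in flows
                   if f.app is not None and f.app not in baseline.get(f.src, set())})


# Constructed sample data: two alerts, and the same traffic as seen by a
# NetFlow probe (no app field) and by a DPI probe (app field filled in).
ALERTS = [
    Alert(ts=1_700_000_100, src="10.0.0.7", dst="203.0.113.20", dport=445,
          signature="SMB: suspicious named-pipe request", expected_app="smb"),
    Alert(ts=1_700_000_100, src="10.0.0.5", dst="203.0.113.9", dport=80,
          signature="HTTP: request matches watch-list pattern", expected_app="http"),
]

NETFLOW = [
    Flow(ts=1_700_000_090, src="10.0.0.7", dst="203.0.113.20", dport=445, bytes_out=2048),
    Flow(ts=1_700_000_090, src="10.0.0.5", dst="203.0.113.9", dport=80, bytes_out=5120),
]

DEEPFLOW = [
    Flow(ts=1_700_000_090, src="10.0.0.7", dst="203.0.113.20", dport=445, bytes_out=2048,
         app="smb", attrs={"smb.version": "2", "smb.share": "IPC$"}),
    # Port 80, but the DPI probe identifies the payload as BitTorrent, not HTTP.
    Flow(ts=1_700_000_090, src="10.0.0.5", dst="203.0.113.9", dport=80, bytes_out=5120,
         app="bittorrent", attrs={}),
]

# Constructed baseline: applications each host is normally seen using.
BASELINE = {"10.0.0.5": {"http", "tls"}, "10.0.0.7": {"smb", "tls"}}


def compare(alerts: List[Alert]) -> Dict[str, Dict[str, str]]:
    """Triage outcome per alert signature, with and without application metadata."""
    return {a.signature: {"netflow": triage(a, NETFLOW), "deepflow": triage(a, DEEPFLOW)}
            for a in alerts}


if __name__ == "__main__":
    for sig, outcome in compare(ALERTS).items():
        print(f"{sig}: {outcome}")
    print("unusual:", unusual_apps(DEEPFLOW, BASELINE))
```

With NetFlow alone both alerts end up as "needs-review", because the record says nothing about what ran over port 445 or port 80. With the enriched record the SMB alert is corroborated and the HTTP alert is flagged as a likely false positive, since the probe identified the traffic as a different application; the baseline check independently flags that host for running an application outside its normal set.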

The SIEM vendor replaces NetFlow appliances with DeepFlow Probes. Minor changes are made on the SIEM system to support a rich new metadata stream, and enable metadata querying in the interface.

Benefits

SIEM customers now have full application visibility for all network communication. Users can search through events and build alerts for complex application behavior. SIEM searching and alerting becomes more fine-grained, meaning quicker searches, fewer false positives, and more accurate alerts.

Example

Related Resources

Qosmos DeepFlow for SIEM Datasheet – Download PDF

Improving Network Security with Qosmos and Deep-Secure – Download PDF

DeepFlow Security for HP ArcSight Datasheet – Download PDF

Qosmos Announces HP ArcSight CEF Certification – Read more