The Challenge
In order to strengthen its cyber security, a SaaS provider wanted to improve its ability to search forensically through all network connections for specific parameters and extract the relevant information. The SaaS provider's existing platform needed to be improved to 1) give a more detailed understanding of network traffic and 2) shorten forensic search times. In addition, there was a need to move from a CLI to a GUI.
Qosmos Solution
Protocol decoding up to Layer 7 with Qosmos ixEngine provides complete visibility of all network traffic and applications, independently of the ports used. In addition to logs, Qosmos makes it possible to search collected metadata such as URLs, cookies, services running on non-standard ports, etc. The extracted metadata is combined with log information and indexed by Splunk for easier and faster retrieval. Splunk is used for search, statistics and the GUI.
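The following is an added illustration of the approach described above, not code from Qosmos or Splunk: it takes constructed Layer 7 flow metadata, joins it with constructed login log lines from the same host, flags applications seen on a port other than their usual one, and emits one JSON event per flow ready for indexing. All field names and the port table are assumptions for the example.

```python
"""Added example: merge L7 metadata with log records into index-ready events
and flag services seen on non-standard ports. Field names are assumptions,
not a Qosmos ixEngine or Splunk schema."""
import json
from datetime import datetime

# Assumed usual port per application protocol (illustrative, not exhaustive).
STANDARD_PORTS = {"http": {80}, "https": {443}, "dns": {53}, "ssh": {22}, "mysql": {3306}}

# Constructed sample: flow metadata as a DPI engine might emit it after L7 classification.
FLOWS = [
    {"ts": "2024-01-10T08:00:01Z", "src": "10.0.0.5", "dst": "203.0.113.9", "dport": 443, "app": "https"},
    {"ts": "2024-01-10T08:00:05Z", "src": "10.0.0.5", "dst": "198.51.100.7", "dport": 8081, "app": "ssh"},
]
# Constructed sample: login log lines from the same hosts.
LOGS = ["2024-01-10T08:00:00Z host=10.0.0.5 user=alice event=login"]

def parse_log(line):
    """Split 'timestamp key=value ...' into a dict with a 'ts' field."""
    ts, *kv = line.split()
    rec = dict(p.split("=", 1) for p in kv)
    rec["ts"] = ts
    return rec

def nonstandard_port(flow):
    """True when the L7-classified application runs on a port other than its usual one."""
    expected = STANDARD_PORTS.get(flow["app"])
    return expected is not None and flow["dport"] not in expected

def _parse_ts(s):
    return datetime.fromisoformat(s.replace("Z", "+00:00"))

def build_events(flows, log_lines, window_s=60):
    """Attach the most recent login seen on the flow's source host within window_s seconds."""
    logs = [parse_log(l) for l in log_lines]
    events = []
    for f in flows:
        t = _parse_ts(f["ts"])
        user = None
        for rec in logs:
            age = (t - _parse_ts(rec["ts"])).total_seconds()
            if rec.get("host") == f["src"] and 0 <= age <= window_s:
                user = rec.get("user")
        events.append({**f, "user": user, "nonstandard_port": nonstandard_port(f)})
    return events

if __name__ == "__main__":
    for e in build_events(FLOWS, LOGS):
        print(json.dumps(e))  # one JSON event per line, ready for a log indexer
```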
Benefits for SaaS Provider
- Search times are reduced from hours to minutes
- The new solution gives full detail about all communication sessions
- Less storage is required, since communication metadata is kept instead of full packet captures
- A new user interface makes the system easier to work with
Example of Implementation

Information Extracted
Recognized Applications and Protocols (sample)
- Network services: DHCP, DNS, Ethernet, IP, TCP, UDP, SNMP, etc.
- Database: MySQL, PostgreSQL, TDS, TNS
- Instant Messaging: AIM, MSN, Skype, Yahoo, Google Talk, etc.
- Webmail: Gmail, Hotmail, Livemail, SquirrelMail, Yahoo Mail, etc.
Extracted Information (sample)
- User ID
- IP address
- Date & time of login / logoff
- Instant Messaging: Login, Sender, Receiver, File Transfer, Attached Documents
- Email: Subject of email, Recipients, Content of email, Attached documents (content + metadata), Header fields, Envelope fields
- Data transfer sessions: type, content, time
