As cyber attacks against critical public and private infrastructures become increasingly sophisticated, effective threat analytics require accurate and detailed input from different sources. One key source of information is the network traffic itself. The more detailed the traffic visibility available to analytics solutions, the more accurate the detection and investigation capabilities will be.
A sensor (or software probe) using Deep Packet Inspection (DPI) provides the most granular detail available, delivering a complete picture of activity in any size network. By passively capturing packets, detecting applications, parsing protocols, and extracting traffic metadata, it can significantly improve detection of attacks and raise the performance of proactive threat hunting.
The Qosmos Probe is a DPI sensor that embeds the market-leading DPI engine, Qosmos ixEngine®. This engine offers the broadest protocol coverage in the market, recognizing more than 3700 protocols and applications, including IoT and M2M/SCADA protocols, with support for custom protocols.
The Qosmos Probe leverages years of experience in cyber defense environments and is a key component of the security technology stack for government-run Security Operations Centers (SOCs). For these sensitive environments, combining DPI information with a proprietary, confidential solution creates an additional layer of security, complementing turnkey commercial products such as IDS, which have technical capabilities that can be known by attackers.
1. A rich information feed to strengthen threat analytics
2. An expert tool for network forensics and threat hunting
Get maximum visibility into all encrypted traffic to support triage for decryption, advanced analytics for anomaly detection, and forensics.
Detect anonymous proxy services that may be cloaking harmful activities, including those using multiple layers of encryption.
Gain visibility into traffic using complex tunneling, with full protocol paths revealed for up to 16 levels of encapsulation.
Detect non-standard tunneling activities over legitimate protocols such as DNS or ICMP, which may indicate unauthorized or illegal activities.
Identify apps (e.g., eProxy, HTTP Injector) that combine techniques (such as protocol header customization, proxies, tunneling & domain fronting) to evade detection.
Detect inconsistencies such as a false MIME type or a mismatch between the original hash and computed hash.
Identify OS and Device in the company’s network to set specific rules in a BYOD world.