Overview

Qosmos DeepFlow for SIEM is a new generation appliance which inspects network traffic through real-time network feeds, and classifies it into organized flows, describing the protocols and associated metadata. This metadata is streamed from DeepFlow into a SIEM to provide a step-function improvement in security visibility.

Typical Situation Today

SIEM systems collect firewall logs, host syslog data and IPS/IDS logs. They collect network traffic through NetFlow probes with minimal application detection. Flow traffic is used to normalize log data and acts as an index to search the system actions and behavior. Flow traffic lacks application details when correlating or validating events across multiple sources. This makes it time-consuming for teams to check out alerts being generated on a system.

Strengthening SIEM with DeepFlow

NetFlow appliances are replaced with DeepFlow Probes. Minor changes are made on the SIEM system to support a rich new metadata stream, and enable metadata querying in the SIEM interface.
SIEM users now have full application visibility for all network communication. They can search through events and build alerts for complex application behavior.
SIEM searching and alerting becomes more fine-grained, meaning quicker searches, fewer false positives, and more accurate alerts.
Security Benefits (For Users):
- Complete visibility of network-based security risks
- Higher information resolution
- Faster response to security incidents

Business Benefits (For Vendors):
- More customer wins thanks to augmented SIEM solution
- Ability to upgrade installed SIEM customer base
- Protection of customer base thanks to more sticky relationship
Qosmos DeepFlow™ for SIEM
Augment Your SIEM With Unprecedented Network Visibility

Product: Qosmos DeepFlow™ for SIEM
SIEMs Supported: ArcSight, Splunk, LogRhythm, LogLogic, NitroSecurity, and more
Users: SIEM vendors and integrators, MSSPs
Key Features:
- Ready-to-use appliance with extensive metadata extraction
- Real-time protocol updates
- 2/4/10 Gbps capture
- IPFIX/Syslog/JSON export formats
- 1U server form factor
- Optimized for Intel® DPDK (Data Plane Developer Kit)
“Traffic metadata improves visibility and understanding of network traffic and applications, giving cybersecurity solutions the ability to clearly differentiate good from bad traffic, especially for application-level attacks.”
Comparison: Full Packet Capture vs. Qosmos DeepFlow vs. NetFlow

Information Resolution:
- Full Packet Capture: High. Access to all traffic, but hard to interpret.
- Qosmos DeepFlow: High. Extended, formatted info: same as NetFlow + 100 protocols and metadata attributes.
- NetFlow: Low. Limited info: IP source, IP dest, ports, bytecount, timestamp.

Time To Investigate:
- Full Packet Capture: Long. Raw format needs to be analyzed.
- Qosmos DeepFlow: Short. Normalized data stream of ALL network behavior and activity.
- NetFlow: Short. Normalized data stream of limited network behavior and activity.
Augmenting SIEM With DeepFlow Metadata

Protocol and Application Support

Protocol Plugin Suite
- 1000+ protocols and applications identified
- 5000+ metadata extracted

Examples of protocols and applications identified
- Web: HTTP, HTTPS, URL signatures
- Audio/video streaming: RTP, RTSP, WMP, YouTube, Dailymotion, Real Player, etc.
- VoIP: H323, SIP, MGCP, etc.
- Enterprise: Citrix, Oracle, SAP, MS Exchange, McAfee, etc.
- Peer-to-Peer: eMule, BitTorrent, etc.
- Network: TCP/IP, DNS, DHCP, etc.
- Tunneling: ICMP, HTTP tunneling, etc.
- Instant Messaging: Skype, MSN, Gtalk, etc.
- Webmail: Gmail, Hotmail, Yahoo!Mail, etc.
- Mobile telephony: WAP, GTP, etc.

Examples of traffic metadata delivered
- Flow level: IP address, TCP/UDP ports, etc.
- Service level: VoIP codec used
- Application level: type and name of downloaded file, Google query, etc.
- Application content: text and subject of emails, webmails and instant messaging
- User level: sender, receiver, login, etc.

Maximum responsiveness to technology evolution
- Continuous protocol evolution watch and frequent updates
- Fast delivery of popular new protocol identifications
- On-demand development of custom protocol recognition
- Protocol Plugin Creator to develop your own customized protocol and application plugins
Implementation Principle
- DeepFlow adds metadata which can be indexed by the SIEM and used to create stronger security rules: referring party, session cookie, suspicious browser, server code, .exe file in the traffic, etc.
Figure: Before DeepFlow / After DeepFlow (diagram)
Before DeepFlow: NetFlow Probes, Host / App Syslogs and FW / IPS Logs feed the Event Collector and the SIEM.
After DeepFlow: DeepFlow Probes replace the NetFlow Probes and feed the same Event Collector and SIEM, alongside the Host / App Syslogs and FW / IPS Logs.
Diagram annotations: "Same caller/callee", "Different source IP".

Standard NetFlow Record: 12.56.124.1:21011 - 139.58.110.45:80

Qosmos Metadata Enhancements (same flow, 12.56.124.1:21011 - 139.58.110.45:80):
  time: 13:20:21 5/6/2011
  referrer: chicaroo.cc
  browser: curl 2.x
  url: http://www.golf.com/failedlogin.php
  cookies: session1='' session2=''
  login: [email protected]
  method: GET
  server code: 200
  bytes transferred: 2k

NOTE: The standard NetFlow record is typically a 5-tuple message with Layer 3 headers (source and destination IP addresses, port numbers, and IP protocol). Metadata adds visibility into encapsulated protocols, MPLS labels, IPv6 addresses and ports, and the details of user behavior and application usage (who, what, how, when).

Figure: DeepFlow deployment (diagram). An Intranet Tap between the Internet and the Internal Servers delivers a copy of IP traffic to the DeepFlow™ probe, which exports DeepFlow Network Metadata over Syslog or IPFIX to the SIEM, alongside the existing SIEM feeds (Logs, NetFlow, etc.). The Security Analyst works from the SIEM GUI.
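As an added example that is not part of the datasheet, the following Python shows how a SIEM could index the enriched attributes above into rules: the per-flow checks on browser, session cookie, server code and .exe file named under Implementation Principle, plus the cross-flow "same caller/callee, different source IP" case from the diagram. The JSON field names and every record are constructed assumptions, not the DeepFlow export schema.

```python
# Added example (not Qosmos code): SIEM-style correlation rules over DeepFlow-like
# JSON metadata. Field names mirror the datasheet's sample record and are an
# assumption, not the real export schema; all records below are constructed.
import json
from collections import defaultdict

# Constructed newline-delimited JSON: one object per HTTP flow.
SAMPLE_EXPORT = """
{"src": "12.56.124.1", "dst": "139.58.110.45:80", "time": "13:20:21 5/6/2011", "referrer": "chicaroo.cc", "browser": "curl 2.x", "url": "http://www.golf.com/failedlogin.php", "cookies": {"session1": "", "session2": ""}, "login": "alice@example.com", "method": "GET", "server_code": 200, "bytes": 2048}
{"src": "10.0.0.7", "dst": "139.58.110.45:80", "time": "13:20:25 5/6/2011", "referrer": "", "browser": "curl 2.x", "url": "http://www.golf.com/failedlogin.php", "cookies": {"session1": "", "session2": ""}, "login": "alice@example.com", "method": "GET", "server_code": 200, "bytes": 2048}
{"src": "10.0.0.9", "dst": "139.58.110.45:80", "time": "13:21:02 5/6/2011", "referrer": "www.golf.com", "browser": "Firefox 3.6", "url": "http://www.golf.com/home.php", "cookies": {"session1": "k8s1"}, "login": "bob@example.com", "method": "GET", "server_code": 200, "bytes": 17000}
{"src": "10.0.0.9", "dst": "203.0.113.5:80", "time": "13:22:40 5/6/2011", "referrer": "", "browser": "Firefox 3.6", "url": "http://203.0.113.5/update.exe", "cookies": {}, "login": "", "method": "GET", "server_code": 200, "bytes": 512000}
"""

# Scripted clients, the datasheet's "suspicious browser" hint (assumed list).
SUSPICIOUS_BROWSERS = ("curl", "wget", "python")

def parse_export(text):
    """Parse newline-delimited JSON records, skipping blank lines."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]

def flow_alerts(rec):
    """Per-flow rules: each keys on an attribute a plain NetFlow record lacks."""
    alerts = []
    on_login_page = "login" in rec["url"].lower()
    if rec.get("browser", "").lower().startswith(SUSPICIOUS_BROWSERS) and on_login_page:
        alerts.append(("scripted-client-on-login-page", rec["src"]))
    if on_login_page and not any(rec.get("cookies", {}).values()):
        alerts.append(("login-page-without-session-cookie", rec["src"]))
    if rec["url"].lower().endswith(".exe") and rec["server_code"] == 200:
        alerts.append(("exe-download", rec["src"]))
    return alerts

def shared_login_alerts(records):
    """Cross-flow rule: one login (caller) to one server (callee) seen from more
    than one source IP, the diagram's 'same caller/callee, different source IP'."""
    sources = defaultdict(set)
    for rec in records:
        if rec.get("login"):
            sources[(rec["login"], rec["dst"])].add(rec["src"])
    return [("login-from-multiple-sources", login, sorted(ips))
            for (login, _dst), ips in sources.items() if len(ips) > 1]

def run(text):
    """Evaluate all rules over an export and return the alert list."""
    records = parse_export(text)
    return [a for rec in records for a in flow_alerts(rec)] + shared_login_alerts(records)
```

None of these rules can be written against a bare 5-tuple NetFlow record; each needs at least one of the application-level attributes the enrichment carries.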
Contacts

Corporate Headquarters
Qosmos
Immeuble Le Cardinet
5, impasse Chalabre
75017 Paris – France
+33 (0)1 78 09 14 [email protected]

Americas
Qosmos Inc.
440 N Wolfe Rd
Sunnyvale, CA 94085
USA
+1 (240) 252 [email protected]

Asia
Qosmos Pte Ltd.
51 Goldhill Plaza
#22-01/02
Singapore 308900
+65 63 56 97 [email protected]

www.qosmos.com
Photo credits: Andy Murch / Elasmodiver.com