
Qosmos DeepFlow™ for SIEM (product datasheet)


  • Overview

    Qosmos DeepFlow for SIEM is a new-generation appliance that inspects network traffic from real-time network feeds and classifies it into organized flows, describing the protocols and the associated metadata. This metadata is streamed from DeepFlow into a SIEM to provide a step-function improvement in security visibility.

    Typical Situation Today

    SIEM systems collect firewall logs, host syslog data and IPS/IDS logs. They collect network traffic through NetFlow probes with minimal application detection. Flow traffic is used to normalize log data and acts as an index for searching system actions and behavior. Flow traffic lacks application details when correlating or validating events across multiple sources, which makes it time-consuming for teams to check out the alerts generated on a system.

    Strengthening SIEM with DeepFlow

    NetFlow appliances are replaced with DeepFlow Probes. Minor changes are made on the SIEM system to support the rich new metadata stream and to enable metadata querying in the SIEM interface.

    SIEM users now have full application visibility for all network communication. They can search through events and build alerts for complex application behavior.

    SIEM searching and alerting becomes more fine-grained, meaning quicker searches, fewer false positives, and more accurate alerts.

    Security Benefits (For Users):

    • Complete visibility of network-based security risks
    • Higher information resolution
    • Faster response to security incidents

    Business Benefits (For Vendors):

    • More customer wins thanks to the augmented SIEM solution
    • Ability to upgrade the installed SIEM customer base
    • Protection of the customer base thanks to a stickier relationship

    Qosmos DeepFlow™ for SIEM

    Augment Your SIEM With Unprecedented Network Visibility

    Product: Qosmos DeepFlow™ for SIEM

    SIEMs Supported: ArcSight, Splunk, LogRhythm, LogLogic, NitroSecurity, and more

    Users: SIEM vendors and integrators, MSSPs

    Key Features:

    • Ready-to-use appliance with extensive metadata extraction
    • Real-time protocol updates
    • 2/4/10 Gbps capture
    • IPFIX/Syslog/JSON export formats
    • 1U server form factor
    • Optimized for Intel DPDK (Data Plane Development Kit)

    Traffic metadata improves visibility into and understanding of network traffic and applications, giving cybersecurity solutions the ability to clearly differentiate good from bad traffic, especially for application-level attacks.

    Comparison of SIEM / MSSP network data sources:

    Information Resolution
    • Full Packet Capture: High. Access to all traffic, but hard to interpret.
    • Qosmos DeepFlow: High. Extended, formatted info: same as NetFlow + 100 protocols and metadata attributes.
    • NetFlow: Low. Limited info: IP source, IP dest, ports, bytecount, timestamp.

    Time To Investigate
    • Full Packet Capture: Long. Raw format needs to be analyzed.
    • Qosmos DeepFlow: Short. Normalized data stream of ALL network behavior and activity.
    • NetFlow: Short. Normalized data stream of limited network behavior and activity.

  • Augmenting SIEM With DeepFlow Metadata

    Protocol and Application Support

    Protocol Plugin Suite

    • 1000+ protocols and applications identified
    • 5000+ metadata attributes extracted

    Examples of protocols and applications identified

    • Web: HTTP, HTTPS, URL signatures
    • Audio/video streaming: RTP, RTSP, WMP, YouTube, Dailymotion, Real Player, etc.
    • VoIP: H323, SIP, MGCP, etc.
    • Enterprise: Citrix, Oracle, SAP, MS Exchange, McAfee, etc.
    • Peer-to-Peer: eMule, BitTorrent, etc.
    • Network: TCP/IP, DNS, DHCP, etc.
    • Tunneling: ICMP, HTTP tunneling, etc.
    • Instant Messaging: Skype, MSN, Gtalk, etc.
    • Webmail: Gmail, Hotmail, Yahoo! Mail, etc.
    • Mobile telephony: WAP, GTP, etc.

    Examples of traffic metadata delivered

    • Flow level: IP address, TCP/UDP ports, etc.
    • Service level: VoIP codec used
    • Application level: type and name of downloaded file, Google query, etc.
    • Application content: text and subject of emails, webmails and instant messaging
    • User level: sender, receiver, login, etc.

    Maximum responsiveness to technology evolution

    • Continuous protocol evolution watch and frequent updates
    • Fast delivery of popular new protocol identifications
    • On-demand development of custom protocol recognition
    • Protocol Plugin Creator to develop your own customized protocol and application plugins

    Implementation Principle

    • DeepFlow adds metadata which can be indexed by the SIEM and used to create stronger security rules: referring party, session cookie, suspicious browser, server code, .exe file in the traffic, etc.

    Before DeepFlow: NetFlow probes, host/application syslogs and FW/IPS logs feed the Event Collector, which feeds the SIEM.

    After DeepFlow: DeepFlow probes take the place of the NetFlow probes; the host/application syslogs, FW/IPS logs, Event Collector and SIEM are unchanged.

    Standard NetFlow record (before DeepFlow):

      12.56.124.1:21011 - 139.58.110.45:80

    Qosmos metadata enhancements for the same flow (after DeepFlow):

      12.56.124.1:21011 - 139.58.110.45:80
      time               13:20:21 5/6/2011
      referrer           chicaroo.cc
      browser            curl 2.x
      url                http://www.golf.com/failedlogin.php
      cookies            session1= session2=
      login              [email protected]
      method             GET
      server code        200
      bytes transferred  2k

    (Diagram annotations: "Same caller/callee", "Different source IP".)

    NOTE: The standard NetFlow record is typically a 5-tuple message built from Layer 3 and Layer 4 header fields (source and destination IP addresses, port numbers, and IP protocol). Metadata adds visibility into encapsulated protocols, MPLS labels, IPv6 addresses and ports, and the details of user behavior and application usage (who, what, how, when).

    Deployment diagram: a tap on the intranet side of the Internet link delivers a copy of the IP traffic to DeepFlow; DeepFlow exports network metadata over Syslog or IPFIX to the SIEM, alongside the existing SIEM feeds (logs, NetFlow, etc. from the internal servers); the security analyst works from the SIEM GUI.
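    The Implementation Principle above says the exported metadata can be indexed by the SIEM and turned into stronger rules, and the NOTE contrasts that with the 5-tuple a NetFlow probe reports. The Python below is an added example, not Qosmos code: the datasheet only names IPFIX, Syslog and JSON as export formats, so the one-JSON-object-per-line layout and its field names are assumed, the records, IP addresses and logins are constructed, and the two rules are illustrations of the "suspicious browser", "server code" and ".exe file in the traffic" rule types the datasheet lists. It shows the same flows through a NetFlow-only view (5-tuples and byte counts, no way to tell the requests apart) and through the metadata view, where an automated client hammering the failed-login page and an executable download become detectable.

```python
"""Added example (not Qosmos code): SIEM rule logic over DeepFlow-style
HTTP metadata versus the NetFlow 5-tuple view of the same flows.

Assumption: the record layout (one JSON object per line, field names below)
is invented for this example; the datasheet only says IPFIX/Syslog/JSON.
All records, addresses and logins are constructed.
"""
import json
from collections import Counter, defaultdict
from urllib.parse import urlparse

# Constructed export: the fields of the datasheet's example record (time,
# referrer, browser, url, cookies, login, method, server code, bytes) plus
# the 5-tuple (src, sport, dst, dport, proto) a NetFlow probe would report.
SAMPLE_EXPORT = """\
{"time": "2011-05-06T13:20:21", "src": "12.56.124.1", "sport": 21011, "dst": "139.58.110.45", "dport": 80, "proto": 6, "app": "http", "referrer": "chicaroo.cc", "browser": "curl 2.x", "url": "http://www.golf.com/failedlogin.php", "cookies": "session1= session2=", "login": "user1@example.com", "method": "GET", "server_code": 200, "bytes": 2048}
{"time": "2011-05-06T13:20:22", "src": "12.56.124.1", "sport": 21012, "dst": "139.58.110.45", "dport": 80, "proto": 6, "app": "http", "referrer": "chicaroo.cc", "browser": "curl 2.x", "url": "http://www.golf.com/failedlogin.php", "cookies": "session1= session2=", "login": "user2@example.com", "method": "GET", "server_code": 200, "bytes": 2048}
{"time": "2011-05-06T13:20:22", "src": "12.56.124.1", "sport": 21013, "dst": "139.58.110.45", "dport": 80, "proto": 6, "app": "http", "referrer": "chicaroo.cc", "browser": "curl 2.x", "url": "http://www.golf.com/failedlogin.php", "cookies": "session1= session2=", "login": "user3@example.com", "method": "GET", "server_code": 200, "bytes": 2048}
{"time": "2011-05-06T13:20:23", "src": "12.56.124.1", "sport": 21014, "dst": "139.58.110.45", "dport": 80, "proto": 6, "app": "http", "referrer": "chicaroo.cc", "browser": "curl 2.x", "url": "http://www.golf.com/failedlogin.php", "cookies": "session1= session2=", "login": "user4@example.com", "method": "GET", "server_code": 200, "bytes": 2048}
{"time": "2011-05-06T13:21:05", "src": "10.0.0.7", "sport": 51000, "dst": "139.58.110.45", "dport": 80, "proto": 6, "app": "http", "referrer": "www.golf.com", "browser": "Firefox 4.0", "url": "http://www.golf.com/failedlogin.php", "cookies": "session1=abc", "login": "carol@example.com", "method": "GET", "server_code": 200, "bytes": 1024}
{"time": "2011-05-06T13:21:09", "src": "10.0.0.7", "sport": 51001, "dst": "139.58.110.45", "dport": 80, "proto": 6, "app": "http", "referrer": "", "browser": "Firefox 4.0", "url": "http://www.golf.com/index.html", "cookies": "session1=abc", "login": "", "method": "GET", "server_code": 200, "bytes": 4096}
{"time": "2011-05-06T13:22:40", "src": "10.0.0.9", "sport": 52000, "dst": "203.0.113.5", "dport": 80, "proto": 6, "app": "http", "referrer": "", "browser": "Firefox 4.0", "url": "http://dl.example.net/files/update.exe", "cookies": "", "login": "", "method": "GET", "server_code": 200, "bytes": 524288, "file_name": "update.exe"}
{"time": "2011-05-06T13:22:41", "src": "10.0.0.7", "sport": 53001, "dst": "10.0.0.1", "dport": 53, "proto": 17, "app": "dns", "bytes": 80}
"""

# Clients that are not interactive browsers (the datasheet's "suspicious browser").
AUTOMATED_CLIENTS = ("curl", "wget", "python-requests")


def parse_export(text):
    """One JSON record per non-empty line (assumed export layout)."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def netflow_view(records):
    """What a NetFlow-only SIEM sees: 5-tuple keys with byte counts.
    Every application field is gone, so all port-80 flows look alike."""
    totals = Counter()
    for r in records:
        totals[(r["src"], r["sport"], r["dst"], r["dport"], r["proto"])] += r["bytes"]
    return totals


def is_automated(browser):
    return browser.lower().startswith(AUTOMATED_CLIENTS)


def failed_login_automation(records, threshold=3):
    """Rule 1: one source IP using an automated client to hit the failed-login
    page with at least `threshold` distinct logins. Needs browser, url and
    login metadata; returns {src_ip: distinct_login_count} for offenders."""
    logins_by_src = defaultdict(set)
    for r in records:
        if r.get("app") != "http":
            continue
        path = urlparse(r["url"]).path
        if path.endswith("/failedlogin.php") and is_automated(r.get("browser", "")):
            logins_by_src[r["src"]].add(r.get("login", ""))
    return {src: len(l) for src, l in logins_by_src.items() if len(l) >= threshold}


def exe_downloads(records):
    """Rule 2: an executable successfully fetched over HTTP (".exe file in the
    traffic"). Uses the exported file name when present, else the URL path."""
    hits = []
    for r in records:
        if r.get("app") != "http" or r.get("method") != "GET":
            continue
        name = r.get("file_name") or urlparse(r["url"]).path.rsplit("/", 1)[-1]
        if name.lower().endswith(".exe") and r.get("server_code") == 200:
            hits.append((r["src"], r["url"], name))
    return hits


if __name__ == "__main__":
    recs = parse_export(SAMPLE_EXPORT)
    for tup, nbytes in netflow_view(recs).items():
        print("netflow", tup, nbytes)          # indistinguishable port-80 flows
    print("automated failed-login activity:", failed_login_automation(recs))
    print("executable downloads:", exe_downloads(recs))
```

    The NetFlow view carries nothing that separates the four curl requests from the legitimate Firefox visit to the same URL, which is the point of the datasheet's before/after record; only the browser, url and login fields make Rule 1 expressible, and only the file name (or URL path) makes Rule 2 expressible. In a real deployment the field names would follow the probe's actual IPFIX or JSON schema and the thresholds would be tuned per site.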


    Contacts

    Corporate Headquarters: Qosmos, Immeuble Le Cardinet, 5, impasse Chalabre, 75017 Paris, France. Tel. +33 (0)1 78 09 14 [email protected]

    Americas: Qosmos Inc., 440 N Wolfe Rd, Sunnyvale, CA 94085, USA. Tel. +1 (240) 252 [email protected]

    Asia: Qosmos Pte Ltd., 51 Goldhill Plaza, #22-01/02, Singapore 308900. Tel. +65 63 56 97 [email protected]

    www.qosmos.com

