Overview

Qosmos DeepFlow for SIEM is a new-generation appliance that inspects live network traffic feeds, classifies the traffic into flows, and describes each flow's protocol and associated metadata. This metadata is streamed from DeepFlow into a SIEM to provide a step-function improvement in security visibility.

Typical Situation Today

SIEM systems collect firewall logs, host syslog data and IPS/IDS logs. They collect network traffic through NetFlow probes with minimal application detection. Flow traffic is used to normalize log data and acts as an index to search system actions and behavior. Flow traffic lacks application details when correlating or validating events across multiple sources, which makes it time-consuming for teams to check out the alerts generated on a system.

Strengthening SIEM with DeepFlow

NetFlow appliances are replaced with DeepFlow Probes. Minor changes are made on the SIEM system to support the rich new metadata stream and to enable metadata querying in the SIEM interface.

SIEM users now have full application visibility for all network communication. They can search through events and build alerts for complex application behavior.

SIEM searching and alerting becomes more fine-grained, meaning quicker searches, fewer false positives, and more accurate alerts.

Security Benefits (For Users):
• Complete visibility of network-based security risks
• Higher information resolution
• Faster response to security incidents

Business Benefits (For Vendors):
• More customer wins thanks to augmented SIEM solution
• Ability to upgrade installed SIEM customer base
• Protection of customer base thanks to more sticky relationship

Qosmos DeepFlow™ for SIEM
Augment Your SIEM With Unprecedented Network Visibility

Product: Qosmos DeepFlow™ for SIEM

SIEMs Supported: ArcSight, Splunk, LogRhythm, LogLogic, NitroSecurity, and more

Users: SIEM vendors and integrators, MSSPs

Key Features:
• Ready-to-use appliance with extensive metadata extraction
• Real-time protocol updates
• 2/4/10 Gbps capture
• IPFIX/Syslog/JSON export formats
• 1U server form factor
• Optimized for Intel® DPDK (Data Plane Development Kit)

“Traffic metadata improves visibility and understanding of network traffic and applications, giving cybersecurity solutions the ability to clearly differentiate good from bad traffic, especially for application-level attacks.”

Comparison of network data sources for SIEM / MSSP use:

Full Packet Capture
  Information resolution: High. Access to all traffic, but hard to interpret.
  Time to investigate: Long. Raw format needs to be analyzed.

Qosmos DeepFlow
  Information resolution: High. Extended, formatted info: same as NetFlow + 100 protocols and metadata attributes.
  Time to investigate: Short. Normalized data stream of ALL network behavior and activity.

NetFlow
  Information resolution: Low. Limited info: source IP, destination IP, ports, byte count, timestamp.
  Time to investigate: Short. Normalized data stream of limited network behavior and activity.

Augmenting SIEM With DeepFlow Metadata

Protocol and Application Support

Protocol Plugin Suite
• 1000+ protocols and applications identified
• 5000+ metadata extracted

Examples of protocols and applications identified
• Web: HTTP, HTTPS, URL signatures
• Audio/video streaming: RTP, RTSP, WMP, YouTube, Dailymotion, Real Player, etc.
• VoIP: H323, SIP, MGCP, etc.
• Enterprise: Citrix, Oracle, SAP, MS Exchange, McAfee, etc.
• Peer-to-Peer: eMule, BitTorrent, etc.
• Network: TCP/IP, DNS, DHCP, etc.
• Tunneling: ICMP, HTTP tunneling, etc.
• Instant Messaging: Skype, MSN, Gtalk, etc.
• Webmail: Gmail, Hotmail, Yahoo! Mail, etc.
• Mobile telephony: WAP, GTP, etc.

Examples of traffic metadata delivered
• Flow level: IP address, TCP/UDP ports, etc.
• Service level: VoIP codec used
• Application level: type and name of downloaded file, Google query, etc.
• Application content: text and subject of emails, webmails and instant messaging
• User level: sender, receiver, login, etc.

Maximum responsiveness to technology evolution
• Continuous protocol evolution watch and frequent updates
• Fast delivery of popular new protocol identifications
• On-demand development of custom protocol recognition
• Protocol Plugin Creator to develop your own customized protocol and application plugins

Implementation Principle

• DeepFlow adds metadata that can be indexed by the SIEM and used to create stronger security rules: referring party, session cookie, suspicious browser, server code, .exe file in the traffic, etc.

Before DeepFlow / After DeepFlow (figure)

Before DeepFlow: NetFlow Probes, Host / App Syslogs and FW / IPS Logs feed the Event Collector, which feeds the SIEM.
After DeepFlow: DeepFlow Probes take the place of the NetFlow Probes; Host / App Syslogs and FW / IPS Logs are unchanged. Figure callouts: "Same caller/callee", "Different source IP".

Standard NetFlow Record
  12.56.124.1:21011 - 139.58.110.45:80

Qosmos Metadata Enhancements
  12.56.124.1:21011 - 139.58.110.45:80
  time               13:20:21 5/6/2011
  referrer           chicaroo.cc
  browser            curl 2.x
  url                http://www.golf.com/failedlogin.php
  cookies            session1=' ' session2=' '
  login              [email protected]
  method             GET
  server code        200
  bytes transferred  2k

NOTE: The standard NetFlow record is typically a 5-tuple message built from Layer 3/4 header fields (source and destination IP addresses, port numbers, and IP protocol). Metadata adds visibility into encapsulated protocols, MPLS labels, IPv6 addresses and ports, and the details of user behavior and application usage (who, what, how, when).

Deployment (figure): an Intranet tap on the link to the Internet delivers a copy of the IP traffic to DeepFlow™; DeepFlow exports network metadata over Syslog or IPFIX to the SIEM, alongside the existing SIEM feeds (logs, NetFlow, etc.) from the internal servers; the Security Analyst works from the SIEM GUI.
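As an added example (not code from the datasheet or from Qosmos), the Python script below shows how the enriched record above, and the "build alerts for complex application behavior" claim made earlier, translate into SIEM-style detection logic. It constructs a handful of JSON-lines metadata records modelled on the example record (the field names, the login value and the extra records are assumptions for this example, not the product's real export schema) and runs three rules that a plain 5-tuple NetFlow record cannot express: a non-browser client hitting a login page with no session cookie, an .exe download, and one login seen from more than one source IP within a short window.

```python
"""Detection rules over DeepFlow-style HTTP metadata exported as JSON lines."""
import json
from collections import defaultdict
from datetime import datetime, timedelta
from urllib.parse import urlparse

# Constructed sample records, one JSON object per line. The first line mirrors
# the datasheet's example record; the field names, the login value and the
# remaining lines are assumptions for this example, not a real export schema.
SAMPLE_JSONL = """\
{"time": "2011-05-06T13:20:21", "src": "12.56.124.1", "sport": 21011, "dst": "139.58.110.45", "dport": 80, "proto": "tcp", "app": "http", "referrer": "chicaroo.cc", "browser": "curl 2.x", "url": "http://www.golf.com/failedlogin.php", "cookies": {"session1": "", "session2": ""}, "login": "jdoe@example.com", "method": "GET", "server_code": 200, "bytes": 2048}
{"time": "2011-05-06T13:20:40", "src": "12.56.124.1", "sport": 21012, "dst": "139.58.110.45", "dport": 80, "proto": "tcp", "app": "http", "referrer": "", "browser": "curl 2.x", "url": "http://www.golf.com/login.php", "cookies": {}, "login": "jdoe@example.com", "method": "POST", "server_code": 200, "bytes": 1500}
{"time": "2011-05-06T13:21:05", "src": "10.8.0.23", "sport": 51234, "dst": "139.58.110.45", "dport": 80, "proto": "tcp", "app": "http", "referrer": "http://www.golf.com/", "browser": "Mozilla/5.0", "url": "http://www.golf.com/account.php", "cookies": {"session1": "abc123"}, "login": "jdoe@example.com", "method": "GET", "server_code": 200, "bytes": 5200}
{"time": "2011-05-06T13:22:10", "src": "10.8.0.23", "sport": 51240, "dst": "203.0.113.7", "dport": 80, "proto": "tcp", "app": "http", "referrer": "", "browser": "Mozilla/5.0", "url": "http://cdn.example.net/update.exe", "cookies": {}, "login": "", "method": "GET", "server_code": 200, "bytes": 734000}
{"time": "2011-05-06T13:23:00", "src": "10.8.0.44", "sport": 40001, "dst": "139.58.110.45", "dport": 80, "proto": "tcp", "app": "http", "referrer": "http://www.golf.com/", "browser": "Mozilla/5.0", "url": "http://www.golf.com/index.php", "cookies": {"session1": "def456"}, "login": "", "method": "GET", "server_code": 200, "bytes": 3100}
"""

# Client strings that indicate a script or tool rather than a web browser.
NON_BROWSER_PREFIXES = ("curl", "wget", "python-requests", "libwww")


def parse_records(jsonl_text):
    """Parse one JSON object per line, skipping blank lines."""
    return [json.loads(line) for line in jsonl_text.splitlines() if line.strip()]


def netflow_view(rec):
    """The part of a record a plain NetFlow probe would export: 5-tuple plus byte count."""
    return (rec["src"], rec["sport"], rec["dst"], rec["dport"], rec["proto"], rec["bytes"])


def rule_scripted_login(rec):
    """Non-browser client on a login page without any session cookie set."""
    path = urlparse(rec.get("url", "")).path.lower()
    browser = rec.get("browser", "").lower()
    has_session = any(rec.get("cookies", {}).values())  # all-empty cookies count as none
    if "login" in path and browser.startswith(NON_BROWSER_PREFIXES) and not has_session:
        return ("scripted_login", rec["src"], f"{rec['browser']} -> {rec['url']}")
    return None


def rule_exe_download(rec):
    """Executable fetched over HTTP (the '.exe file in the traffic' case)."""
    path = urlparse(rec.get("url", "")).path.lower()
    if rec.get("app") == "http" and path.endswith(".exe"):
        return ("exe_download", rec["src"], f"{rec['url']} ({rec['bytes']} bytes)")
    return None


def rule_login_from_multiple_sources(records, window=timedelta(minutes=5)):
    """One login name seen from more than one source IP within `window`."""
    seen = defaultdict(list)  # login -> [(time, src), ...]
    for rec in records:
        if rec.get("login"):
            seen[rec["login"]].append((datetime.fromisoformat(rec["time"]), rec["src"]))
    alerts = []
    for login, events in seen.items():
        events.sort()
        for i, (t0, src) in enumerate(events):
            others = {s for t1, s in events[i + 1:] if t1 - t0 <= window and s != src}
            if others:
                alerts.append(("login_multi_source", src, f"{login} also from {sorted(others)}"))
                break  # one alert per login is enough
    return alerts


def run_rules(jsonl_text):
    """Apply per-record rules, then the cross-record rule; return (rule, src, detail) tuples."""
    records = parse_records(jsonl_text)
    alerts = []
    for rec in records:
        for rule in (rule_scripted_login, rule_exe_download):
            hit = rule(rec)
            if hit:
                alerts.append(hit)
    alerts.extend(rule_login_from_multiple_sources(records))
    return alerts


if __name__ == "__main__":
    for rec in parse_records(SAMPLE_JSONL):
        print("netflow:", netflow_view(rec))
    for alert in run_rules(SAMPLE_JSONL):
        print("ALERT", *alert)
```

Every field the rules key on (browser string, URL path, cookies, login) is absent from the 5-tuple, which is the point of the comparison table: the curl probe of failedlogin.php and the legitimate browser session that follows it share the same destination, port and protocol and are indistinguishable in NetFlow. Two caveats when turning this into production SIEM content: the browser string is client-supplied, so a deliberate attacker will spoof a browser user agent and the scripted-login rule is a noise filter rather than a control; and the multi-source rule needs a whitelist or a longer window for populations behind NAT or on mobile networks, where one login legitimately appears from several addresses.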


Contacts

Corporate Headquarters
Qosmos
Immeuble Le Cardinet
5, impasse Chalabre
75017 Paris – France
+33 (0)1 78 09 14 [email protected]

Americas
Qosmos Inc.
440 N Wolfe Rd
Sunnyvale, CA 94085
USA
+1 (240) 252 [email protected]

Asia
Qosmos Pte Ltd.
51 Goldhill Plaza
#22-01/02
Singapore 308900
+65 63 56 97 [email protected]

www.qosmos.com


Photo credits: Andy Murch / Elasmodiver.com