DPI Sensor for Threat Hunting
As cyber attacks become increasingly sophisticated, effective threat analytics require accurate and detailed input from different sources. One key source of information is the network traffic itself. The more detailed the traffic visibility available to analytics solutions, the more accurate the detection and investigation capabilities will be.
The Solution: Qosmos Probe – An Advanced DPI Sensor
A sensor (or software probe) using Deep Packet Inspection (DPI) provides the most granular detail available, delivering a complete picture of activity in a network, including internal traffic. By passively capturing packets, detecting applications, parsing protocols, and extracting traffic metadata, it can significantly improve detection of anomalies and raise the performance of proactive threat hunting.
The Qosmos Probe is a DPI sensor that embeds the market-leading DPI engine, Qosmos ixEngine®. It leverages years of experience from the most demanding environments, including cyber defense, and recognizes over 3100 protocols. It also has the ability to extract more than 5000 metadata, including cyber security dedicated metadata. Used by large SOCs operated by high-end MSSPs and Managed Detection & Response (MDR) service providers, it has become a key technology for advanced threat hunting.
The Qosmos Probe can be used to expose zero day attacks and advanced threats like data exfiltration, spear phishing, botnet beaconing, lateral movement, suspicious file transfers, SSL certificate violations, protocol obfuscation, etc.
Example of Qosmos Probe DPI Sensor in a SOC Architecture
DPI Sensor Applications
1. A rich information feed to strengthen threat analytics
Metadata extracted from traffic flows boosts machine learning for User and Entity Behavior Analytics (UEBA) and Next Gen SIEM. This translates into more accurate alerts, shorter time-to-detection, and fewer false positives.
2. An expert tool for network forensics and threat hunting
A DPI sensor streamlines investigations and improves time-to-detection for network forensics and threat hunting by capturing and storing detailed traffic information in a database where it can be rapidly and easily accessed for query and visualization. In addition, the sensor provides high information resolution using a fraction of the storage required for full packet capture because it only requires traffic metadata (sender, receiver, device type, file type, etc.), discarding irrelevant content, such as video.