DPI Sensor for Threat Hunting
Cyber crime is becoming increasingly sophisticated with advanced malware now able to evade commercial IDS. Security Operations Centers therefore need to bolster their security solutions with extra barriers to intrusion and a higher level of cyber threat detection.
At the same time, data overload is becoming a critical problem in cyber security operations, hampering efficiency and performance:
- Huge amounts of data must be gathered, analyzed and stored.
- Numerous alerts are generated, many of them false positives that use up significant resources and drown out legitimate alerts.
By adding Deep Packet Inspection (DPI) sensors to existing security systems, data volumes can be reduced and cyber threat detection can be improved through more efficient data analysis and a higher level of traffic visibility:
- A DPI sensor can help reduce the size of forensic data storage by up to 150x compared to full packet capture (FPC).
- Using DPI to inspect traffic provides visibility up to Layer 7. The extraction of metadata gives a higher granularity of information and can also be used to index content, improving threat hunting.
- Information on patterns gathered by the DPI sensor can be combined with existing traffic rules and used to constantly update the security system by creating new rules for other components such as IDPS, drastically reducing the number of false positives.
Qosmos Probe – An Advanced DPI Sensor
Qosmos Probe provides a perfect complement to signature-based detection tools such as IPS and FPC.
Qosmos Probe in a Security Operations Center
The classification and metadata engine embedded in Qosmos Probe is based on Qosmos ixEngine, the most widely used DPI engine in cyber security. Qosmos Probe provides detailed visibility of traffic up to Layer 7, recognizing over 3 000 protocols and extracting more than 5 000 metadata attributes, including metadata dedicated to cyber security.
- Detects patterns using regular expression matching.
- Gives full visibility into traffic, including encrypted traffic and services running on non-standard ports, enabling sharper tools for threat hunting.
- The Deep File Inspection capability detects the file type, checks consistency between the MIME type and the file extension, computes the file hash and extracts metadata.
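As an added illustration, not Qosmos Probe's own code, the following Python sketches the kind of Deep File Inspection check described above: it infers the real file type from magic bytes, compares it with the declared extension and MIME type, computes a SHA-256 hash and returns a metadata record. The signature table and the sample files are constructed for this example.

```python
import hashlib

# Magic-byte signatures at offset 0 for a few common types.
# Constructed example table, not the product's signature set.
SIGNATURES = [
    (b"%PDF-", "pdf", "application/pdf"),
    (b"\x89PNG\r\n\x1a\n", "png", "image/png"),
    (b"PK\x03\x04", "zip", "application/zip"),
    (b"MZ", "exe", "application/vnd.microsoft.portable-executable"),
    (b"\x7fELF", "elf", "application/x-executable"),
]

def detect_type(data: bytes):
    """Return (extension, mime) inferred from magic bytes, or (None, None)."""
    for magic, ext, mime in SIGNATURES:
        if data.startswith(magic):
            return ext, mime
    return None, None

def inspect_file(data: bytes, declared_name: str, declared_mime: str) -> dict:
    """Detect the real type, compare it with the declared extension and MIME
    type, hash the content and return one metadata record per file."""
    real_ext, real_mime = detect_type(data)
    declared_ext = declared_name.rsplit(".", 1)[-1].lower() if "." in declared_name else ""
    # Only flag a mismatch when the content type is actually recognised.
    mismatch = real_ext is not None and (
        real_ext != declared_ext or real_mime != declared_mime
    )
    return {
        "name": declared_name,
        "size": len(data),
        "sha256": hashlib.sha256(data).hexdigest(),
        "detected_ext": real_ext,
        "detected_mime": real_mime,
        "declared_ext": declared_ext,
        "declared_mime": declared_mime,
        "mismatch": mismatch,
    }

# Constructed samples: a minimal PDF and a PE header carried under a .pdf name.
SAMPLE_PDF = b"%PDF-1.4\n%\xe2\xe3\xcf\xd3\n1 0 obj\n<<>>\nendobj\n"
SAMPLE_DISGUISED = b"MZ\x90\x00\x03\x00\x00\x00" + b"\x00" * 56 + b"PE\x00\x00"

if __name__ == "__main__":
    for data, name, mime in [
        (SAMPLE_PDF, "report.pdf", "application/pdf"),
        (SAMPLE_DISGUISED, "invoice.pdf", "application/pdf"),
    ]:
        rec = inspect_file(data, name, mime)
        print(rec["name"], "MISMATCH" if rec["mismatch"] else "ok", rec["sha256"][:16])
```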
Qosmos Probe supports extensive data formats and standard APIs, making integration in cyber security architectures, whether physical or virtualized, rapid and simple.
Qosmos technology has proven performance, reliability and scalability. Qosmos Probe can scale up to N x 100 Gbps and can therefore be deployed in country-size networks.