DeepFlow® Security for Splunk - Qosmos

Product Datasheet

DeepFlow® Security for Splunk is a new source of forensic traffic information for faster discovery and containment of advanced cyber threats. With the addition of DeepFlow records, Splunk's powerful correlation engine and high-speed performance can reduce the time to discovery and containment of security breaches from weeks to days.

Key Facts

Features
- Classification of layer 4-7 flows, exported as a forensic data stream in syslog
- Direct data export into Splunk for high-volume collection and rule parsing
- Transparent and risk-free upgrade: no impact on any existing systems
- Works with Splunk and the Splunk Enterprise Security Application
- Form factor: 1U appliance, your logo branding, RMA support & inventory
- Product range: 2/4/10 Gbps

Business Benefits (for Splunk Resellers)
- New revenues in the form of additional sales of event licenses
- New revenues from DeepFlow sales
- New revenues in the form of professional services for DeepFlow dashboards and alert rule construction
- Stronger overall Splunk Security Intelligence business

Security Benefits (for Users)
- Faster response to security incidents
- Complete visibility of network-based security risks
- More detailed and actionable information for overall stronger cyber protection

The Challenge: Discover and Contain Breaches FASTER

According to the Verizon Data Breach Investigations Report 2012, most organizations take months to discover that they have been compromised, and weeks to contain the breaches once they have been discovered. Therefore, the strategic challenge is to discover and contain advanced cyber threats faster.

[Figure: Time to Discover and Contain Breaches (source: Verizon)]

DeepFlow + Splunk: Speed Up Discovery and Containment

Until now, there were only two ways to source traffic information for forensic analysis:

- Full packet capture: detailed information is available to understand breaches, but investigation times are long and storing traffic for significant periods is expensive.
- NetFlow: investigation times are short, but very limited information is available, and therefore the ability to discover and contain breaches is limited.

Qosmos DeepFlow combines the best of full packet capture with the best of NetFlow: DeepFlow produces forensically relevant traffic information and enables short investigation times. With the addition of DeepFlow records, security tools like Splunk can typically reduce time to discovery and containment from weeks to days.

Network Application Behavior for Splunk

Making SIEMs More Accurate

Qosmos DeepFlow is a new approach for enriching Splunk with a rich application behavior stream in order to make better decisions. It is a new generation of probe which inspects network traffic through real-time network feeds and classifies it into organized flows, describing the protocols and associated metadata. This metadata consists of actions or behaviors taken inside the session within Skype, Facebook, and all popular applications.

Sending DeepFlow feeds to Splunk brings visibility of application and user behavior to an unprecedented level. Analysts are now able to examine usage patterns (common URLs, SQL queries) and build simple but more accurate alerting rules for their environments, with a high degree of confidence.

Features
- Classification of layer 4-7 flows, exported as a forensic data stream in syslog
- Real-time extraction of metadata and content from traffic flows
- Over 350 protocols enabled by default, with hundreds of metadata elements chosen specifically for security analytics
- Identification of services like VoIP, video call, chat, file sharing, etc.
- Examples of application metadata: SMB filenames, FTP filenames, webmail usernames, email addresses, attachment names, etc.
- Real-time, event-based analytics: individual Google and YouTube queries; protocols for Yahoo mail, Gmail, and other webmails; detailed messages for protocols such as Facebook chat, IRC chat, Google chat, and MSN
- De-capsulation of tunnels (GRE, L2TP, etc.)
- Multiple probes can be connected to aggregate taps to scale

Combining the Best of Full Packet and NetFlow

The cost and scale of full packet capture systems have limited their reach into data centers, with data retention averaging 3-4 weeks. In addition, as more applications become virtualized and move into the cloud, access to traffic between services has become costly, if not impossible.

Qosmos DeepFlow provides traffic information specifically intended to describe the critical behavior of applications and protocols, formatted in a normalized data stream that is easily consumed by security solutions.

Between full packet capture and NetFlow, DeepFlow brings together the best of both environments, as described in the table below:

Performance & Robustness
- 2/4/10 Gbps probe configurations available; beyond 20 Gb/s in throughput
- Appliance is built on a RedHat Linux appliance baseline
- Built-in protection against DDoS attacks
- Operates on fragmented, duplicated, and de-sequenced packets

Export Capabilities and Formats
- Directly exports data into Splunk for high-volume collection, rule parsing, and alerting
- Advanced alerting and rule playbook sets for various enterprise environments make DeepFlow Security the long-term forensic source and the advanced, complex threat detection solution

Deployment

By creating a forensically accurate stream in a compact format, DeepFlow achieves a 150x reduction in size compared to full packet capture. This allows a team to collect much more data. In comparison to the typical 3-4 weeks of full packet retention, DeepFlow can easily store a year's worth of data. This can be critical: in the 2012 Verizon Data Breach Report, 83% of breaches were discovered weeks to months from initial compromise, and 54% of them were in the months category. This illustrates the weakness of full packet capture, which is limited by storage capacity and high costs.

- Plug & play probe that feeds data to Splunk, or other syslog-compatible SIEM and NBAD solutions
- Passive probe in port mirroring/TAP mode with no impact on traffic
- Individual protocols and metadata attributes can be turned on and off as needed to manage flow volume or control privacy information
- On-demand addition of plug-ins for specific/regional applications

Hardware or Software Probe
- Physical probe: DeepFlow probe based on IBM x-Series or HP servers and RHEL
- DeepFlow Soft Probe: Qosmos software for RHEL
- Ready for virtualization: DeepFlow Security can be virtualized for deployment in cloud architectures

Qosmos is the leader in embedded Deep Packet Inspection and Layer 7 Network Intelligence. Qosmos is used in physical, virtualized and SDN architectures. The company's software development kit and probes are embedded by vendors into their products sold to telcos and enterprises. www.qosmos.com