At Qosmos, we work with cyber security teams who protect very sensitive networks. These security analysts typically work in a Security Operations Center (SOC), monitoring traffic and checking for suspicious activity, such as:
- Services or encrypted traffic on non-standard ports
- Referring URI, which can be used to detect Phishing software loading partial content from a real site
- Many (hundreds of) “IP gets” from black-listed countries
- Specific malware file names (e.g. shell.exe)
- Suspicious malformed traffic
To do this, analysts need:
- Information feeds in the form of logs and traffic metadata
- Search and analysis capabilities
Examples of communications metadata which are relevant for cyber security:
The advantages of metadata:
- Not only do good metadata complement logs, they are also MORE valuable than full packet payloads to identify patterns! As someone said to me: “sometimes, you can’t see the forest (situational awareness) for the trees (packet payloads)”
- In addition, metadata require far less storage than full packet capture, so historical information can be kept for much longer periods (months) than packets can: this means much stronger investigative capabilities.
- Metadata also enables much faster forensic search, with the ability to search 2TB of data in less than 2 minutes!
- Finally, metadata can be used to index flows and packet contents.
Such a tool set can be built on Qosmos + Splunk. In this case, Qosmos does the protocol decoding up to Layer 7, providing complete visibility of all network traffic and applications independently of ports. The extracted protocol metadata is indexed by Splunk alongside the log information, and Splunk then provides the search, statistics and GUI.
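To make the pipeline concrete, here is an added example (not Qosmos or Splunk code) that runs the SOC checks listed above over constructed Layer-7 metadata records of the kind a DPI engine exports and a SIEM indexes. The record field names, the blacklisted country code "XX" and the request threshold are assumptions.

```python
# Added example: the suspicious-activity checks from the list above, applied
# to constructed per-flow metadata records. Field names are assumptions.
from collections import Counter

# Constructed sample records: one dict per flow, as a DPI engine might export.
FLOWS = [
    {"src_ip": "10.0.0.5", "dst_port": 8443, "app": "ssh", "country": "FR"},
    {"src_ip": "10.0.0.6", "dst_port": 80, "app": "http", "country": "DE",
     "host": "bank.example", "uri": "/img/logo.png",
     "referer": "http://login-bank.example/"},   # look-alike page pulling assets
    {"src_ip": "10.0.0.7", "dst_port": 80, "app": "http", "country": "US",
     "host": "files.example", "uri": "/dl/shell.exe"},
] + [{"src_ip": "10.0.0.8", "dst_port": 443, "app": "tls", "country": "XX"}] * 150

STANDARD_PORTS = {"http": {80, 8080}, "tls": {443}, "ssh": {22}, "dns": {53}}
BLACKLISTED_COUNTRIES = {"XX"}      # constructed placeholder, not a real code
MALWARE_FILE_NAMES = {"shell.exe"}  # the page's own example
IP_GET_THRESHOLD = 100              # "hundreds" of requests from one source

def non_standard_port(flow):
    """Service identified by DPI does not match the port it runs on."""
    expected = STANDARD_PORTS.get(flow["app"])
    return expected is not None and flow["dst_port"] not in expected

def suspicious_referer(flow):
    """Resource of the real site requested with a Referer from another host."""
    ref = flow.get("referer")
    if not ref or "host" not in flow:
        return False
    ref_host = ref.split("//", 1)[-1].split("/", 1)[0]
    return ref_host != flow["host"]

def malware_file_name(flow):
    """Last path component of the URI is a known malware file name."""
    return flow.get("uri", "").rsplit("/", 1)[-1] in MALWARE_FILE_NAMES

def blacklisted_volume(flows):
    """Sources in black-listed countries with hundreds of requests."""
    counts = Counter(f["src_ip"] for f in flows
                     if f["country"] in BLACKLISTED_COUNTRIES)
    return {ip: n for ip, n in counts.items() if n >= IP_GET_THRESHOLD}

def run_checks(flows):
    """Return (check_name, src_ip) alerts, as a SIEM search would surface them."""
    per_flow = (("non_standard_port", non_standard_port),
                ("suspicious_referer", suspicious_referer),
                ("malware_file_name", malware_file_name))
    alerts = [(name, f["src_ip"]) for f in flows for name, chk in per_flow if chk(f)]
    alerts += [("blacklisted_volume", ip) for ip in blacklisted_volume(flows)]
    return alerts
```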
Example of Searching for Suspicious Network Activity by using Qosmos + Splunk
Let’s give cyber security artists the tools they need to exercise their art!
Jerome