In the previous blog, we talked about Deep Packet Inspection (DPI), its capabilities, and its limitations. One key limitation is the inability to inspect content hidden deep inside the packet. We also talked about Deep Session Inspection (DSI), a technology designed and patented specifically to overcome this limitation and inspect content obfuscated deep within a packet.
Deep Session Inspection was designed to act as the host computer to reassemble the network traffic into application content. Extracting and understanding content is a key requirement to detect content-focused security problems like detecting malware and preventing data loss.
DSI is conceptually similar to endpoint protection and its capabilities can be applied to network choke points, email systems, proxied traffic, and at internal data center access points. In addition to its protection capabilities, DSI also offers the ability to monitor all network activity and record metadata that can be used as the basis of manual or machine-automated analysis. Let us see how DSI works and how it can be used to detect threats and data hidden deep inside the contents of a packet.
To identify inbound threats and unapproved outbound transfers of sensitive data, DSI must recognize the transport protocol, the application protocol, the application, and every file format it carries, including documents embedded inside other documents. DSI can be applied effectively to network, email, and proxied web traffic.
Using DSI, the reassembled network session is decoded to identify the application protocol, the application, and all embedded content. At each step of the decoding process, the applicable attributes of the protocol, the application, and the file are extracted and stored; they provide context for the content extracted from the data. These attributes are collectively referred to as network metadata. Together, the extracted metadata and content give comprehensive visibility into network traffic, and with that visibility, security policies can be crafted to detect and manage network threats and data leakage.
The diagram below provides an example user session as it proceeds through the decoding process. We refer to this as the Decoding Tree.
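As an added illustration (not Fidelis code and not the patented DSI implementation), the Python below walks one reassembled HTTP response the way the decoding tree describes: the protocol layer first, then the file it carries, then the files embedded inside that file, recording attributes at every node and evaluating two sample policies over the finished tree. The constructed sample session, the `Node` structure, the identification of files by their leading bytes, the nesting and size limits, and the two policy rules are all assumptions made for this example.

```python
import io
import re
import zipfile
from dataclasses import dataclass, field

MAX_DEPTH = 8          # do not recurse into archives nested deeper than this
MAX_MEMBER = 10 << 20  # skip archive members that would inflate past 10 MiB

def build_archive(entries: dict) -> bytes:
    """Constructed input: in-memory ZIP from {name: str-or-bytes}."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, data in entries.items():
            zf.writestr(name, data)
    return buf.getvalue()

def build_http_response(body: bytes, content_type: str, filename: str) -> bytes:
    """Constructed server->client stream standing in for a reassembled session."""
    head = ("HTTP/1.1 200 OK\r\n"
            f"Content-Type: {content_type}\r\n"
            f'Content-Disposition: attachment; filename="{filename}"\r\n'
            f"Content-Length: {len(body)}\r\n\r\n")
    return head.encode("ascii") + body

def build_sample_session() -> bytes:
    archive = build_archive({"report.txt": "Customer card 4111-1111-1111-1111 on file.\n"})
    return build_http_response(archive, "application/zip", "q3.zip")

@dataclass
class Node:
    """One step of the decoding tree: a protocol layer or an extracted file."""
    kind: str                                    # "protocol" or "file"
    name: str
    attributes: dict = field(default_factory=dict)
    children: list = field(default_factory=list)
    content: bytes = b""

def identify(data: bytes) -> str:
    """Classify by leading bytes, not by the name or Content-Type the sender chose."""
    if data[:4] == b"PK\x03\x04":
        return "zip"
    if data[:2] == b"MZ":
        return "pe"
    if data[:5] == b"%PDF-":
        return "pdf"
    try:
        data.decode("utf-8")
        return "text"
    except UnicodeDecodeError:
        return "unknown"

def decode_file(data: bytes, name: str, depth: int = 0) -> Node:
    """File node; archives are opened and each member decoded as a child."""
    ftype = identify(data)
    node = Node("file", name, {"type": ftype, "size": len(data)}, content=data)
    if ftype == "zip" and depth < MAX_DEPTH:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            node.attributes["entries"] = len(zf.infolist())
            for info in zf.infolist():
                if info.file_size > MAX_MEMBER:
                    node.attributes.setdefault("skipped", []).append(info.filename)
                    continue
                node.children.append(decode_file(zf.read(info), info.filename, depth + 1))
    return node

def decode_http(stream: bytes) -> Node:
    """Protocol node: status line and headers become attributes, body becomes a child."""
    head, _, body = stream.partition(b"\r\n\r\n")
    lines = head.decode("latin-1").split("\r\n")
    headers = {}
    for line in lines[1:]:
        key, _, value = line.partition(":")
        headers[key.strip().lower()] = value.strip()
    node = Node("protocol", "HTTP", {"status": lines[0], **headers})
    m = re.search(r'filename="?([^";]+)"?', headers.get("content-disposition", ""))
    node.children.append(decode_file(body, m.group(1) if m else "body"))
    return node

CARD_RE = re.compile(rb"\b(?:\d{4}[- ]?){3}\d{4}\b")  # toy DLP pattern

def evaluate(root: Node) -> list:
    """Apply two illustrative policies over the tree; returns (rule, path) pairs."""
    alerts = []
    def walk(node, parent, path):
        path = path + [node.name]
        if node.kind == "file":
            ftype = node.attributes["type"]
            if ftype == "pe" and parent is not None and parent.attributes.get("type") == "zip":
                alerts.append(("executable-inside-archive", "/".join(path)))
            if ftype == "text" and CARD_RE.search(node.content):
                alerts.append(("card-number-in-content", "/".join(path)))
        for child in node.children:
            walk(child, node, path)
    walk(root, None, [])
    return alerts

def analyze(stream: bytes):
    root = decode_http(stream)
    return root, evaluate(root)

if __name__ == "__main__":
    for rule, where in analyze(build_sample_session())[1]:
        print(f"{rule}: {where}")
```

Two design points matter for a real decoder. File type is decided from the bytes, so a ZIP delivered with a misleading Content-Type or filename is still opened and its members still inspected. The depth and per-member size limits are the check a practitioner wants before recursing into archives, since an inspection engine that decompresses without bounds can be stalled by nested or highly compressible archives.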
As you can see above, through Deep Session Inspection, Fidelis provides visibility and a unique, patented contextual perspective across your network, email, and proxied web traffic. Combining this valuable contextual perspective with machine learning, sandboxing, threat intelligence and active deception defenses ensures more effective threat detection throughout the entire kill chain – from initial infection through data leakage by malicious outsiders or malicious insiders.
Threats and data-leakage attempts can be detected in real time as well as retrospectively through a combination of machine learning, sandboxing, rules, reputation, external IOCs, threat intelligence, and signatures. Teams can rapidly respond to identified issues on the network or at the endpoint to immediately remove malware, execute a response playbook, and prevent data theft.
In conclusion, by using Deep Session Inspection together with Deep Packet Inspection, you can achieve robust detection capabilities and a deep view of content flowing across your network.