Deep Session Inspection (DSI) is like having a security guard who watches the entire conversation between two people, instead of focusing on just a few sentences or words.
Let’s see how!
Traditional Threat Detection
Traditional network monitoring and threat detection methods, such as Deep Packet Inspection (DPI), examine individual data packets. Each packet is matched against rules or signatures on its own, without the full context of the communication it belongs to. Many DPI engines do reassemble TCP streams for signature matching, but they typically work on a bounded window of the stream rather than retaining, decoding and correlating the whole session.
This is effective against threats that are visible within a single packet, but it can overlook threats that unfold over time, span several packets or sessions, or are hidden under layers of encoding. Network administrators and security teams rely heavily on these methods, yet they struggle to detect advanced, multi-step attacks with them.
What is Deep Session Inspection (DSI)?
DSI reassembles and inspects the entire data stream of a communication session between two endpoints, rather than its packets one at a time. That session-level view makes it more effective at identifying threats such as malware delivery and data exfiltration.
Its reach extends across network choke points, proxied traffic, email systems, and internal data centre access points, delivering a strong defense against attacks.
Unlike traditional intrusion detection systems, which primarily focus on packet-by-packet analysis, DSI inspects full communication sessions, providing a deeper level of threat detection.
What Makes DSI Better than DPI?
The holistic nature of DSI helps with anomaly detection and uncovers threats that packet-level systems miss. By analyzing the full context of a network session, DSI can spot sophisticated attacks that unfold over time and detect subtle or slow-moving threats before they cause significant damage.
DPI, in contrast, judges each packet on its own. A packet that looks harmless in isolation is passed through, even when it is one piece of a larger attack.
For example, an attacker may split a payload or a sensitive document across many packets, or trickle data out in small, innocuous-looking messages over hours or days. A DPI signature that never sees the pieces together will not fire; DSI examines the reassembled session and can flag the behavior even when every individual packet looks fine.
To better understand how DSI differs from DPI, here’s a quick overview of their key differences:
Feature | Deep Packet Inspection (DPI) | Deep Session Inspection (DSI) |
---|---|---|
Scope of Analysis | Examines individual network packets. | Analyzes entire network sessions (all packets within the session). |
Content Inspection | Limited to packet headers and payloads; often lacks full content visibility. | Fully reconstructs network traffic for detailed inspection. |
Encoding and Obfuscation Handling | Struggles with encoded, obfuscated, or complexly layered data. | Capable of handling and decoding multiple layers of encoding (e.g., embedded documents, web traffic). |
Application Areas | Common in firewalls, intrusion prevention systems, and secure web gateways. | Can be applied to network choke points, email systems, proxied traffic, and internal data center access points. |
Real-Time Analysis | Processes packets as they flow through the network, often with minimal delay. | Analyzes network sessions in real-time or retrospectively, providing immediate and long-term threat detection. |
Metadata Collection | Limited network metadata collection, often restricted to packet-level information. | Collects and stores extensive metadata for every network session, enabling retrospective analysis of many sessions. |
Context Awareness | Lacks the ability to correlate context over time, limiting detection capabilities. | Combines content with context (e.g., sender/receiver info) for more accurate and actionable security policies. |
Security Coverage | Effective at detecting threats that are visible within a single packet, such as a known exploit signature or a malformed header. | Provides comprehensive coverage across the entire attack kill chain, from initial attack to data leakage. |
Flexibility in Application | Typically used for detecting known threats in isolated packets. | Offers broader use cases, such as identifying low-and-slow attacks, data leakage, and sophisticated multi-session threats. |
Overall:
DSI enables better detection of advanced threats, data leakage attempts, and sophisticated attack methods, providing a level of visibility that packet-level inspection alone cannot achieve.
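To make the "low-and-slow" case from the comparison above concrete, here is an added example (written for this page, not code from Fidelis Network® or any other product) of the retrospective, multi-session analysis that retained per-session metadata makes possible. The session records, the internal address ranges, the 5 MB thresholds and the 24-hour window are all constructed for the example. A per-session size rule misses an exfiltration that is dripped out in small sessions; summing outbound bytes per source/destination pair over a sliding window across many sessions catches it.

```python
from collections import defaultdict, deque
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Thresholds, window and address ranges are constructed for the example, not product defaults.
PER_SESSION_LIMIT = 5_000_000     # bytes: a single-session "large transfer" rule
CUMULATIVE_LIMIT = 5_000_000      # bytes: the same budget, but summed across sessions
WINDOW = 24 * 3600                # seconds of session history kept per (src, dst) pair
INTERNAL_NETS = [ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


@dataclass(frozen=True)
class SessionMeta:
    """Metadata a session-level engine retains after the session itself is gone."""
    ts: int          # session start, seconds since the epoch
    src: str
    dst: str
    dst_port: int
    bytes_out: int   # client->server payload bytes after reassembly


def is_external(addr: str) -> bool:
    """External means outside the organisation's own ranges (not the RFC 1918 test)."""
    ip = ip_address(addr)
    return not any(ip in net for net in INTERNAL_NETS)


def per_session_alerts(records: list) -> list:
    """Single-session rule: fires only when one session alone is large."""
    return [r for r in records if is_external(r.dst) and r.bytes_out > PER_SESSION_LIMIT]


def low_and_slow_alerts(records: list) -> list:
    """Retrospective rule over many sessions: sliding-window sum of outbound bytes
    per (src, dst) pair, firing once per pair when the window total crosses the limit."""
    history = defaultdict(deque)   # (src, dst) -> deque of (ts, bytes_out) inside the window
    totals = defaultdict(int)
    fired, alerts = set(), []
    for r in sorted(records, key=lambda r: r.ts):
        if not is_external(r.dst):
            continue
        key = (r.src, r.dst)
        q = history[key]
        q.append((r.ts, r.bytes_out))
        totals[key] += r.bytes_out
        while q[0][0] < r.ts - WINDOW:              # evict sessions older than the window
            totals[key] -= q.popleft()[1]
        if totals[key] > CUMULATIVE_LIMIT and key not in fired:
            fired.add(key)
            alerts.append({"src": r.src, "dst": r.dst, "sessions": len(q),
                           "bytes": totals[key], "first_ts": q[0][0], "last_ts": r.ts})
    return alerts


def build_sample_records() -> list:
    """Constructed session metadata: one obvious bulk upload, one drip-feed
    exfiltration of 40 x 200 KB sessions spread over 20 hours, and benign noise."""
    base = 1_700_000_000
    records = [
        SessionMeta(base + 100, "10.0.0.8", "198.51.100.4", 443, 8_000_000),   # bulk upload
        SessionMeta(base + 3600, "10.0.0.7", "203.0.113.10", 443, 50_000),     # ordinary
        SessionMeta(base + 7200, "10.0.0.5", "10.0.0.9", 445, 50_000_000),     # internal share
    ]
    records += [SessionMeta(base + i * 1800, "10.0.0.5", "203.0.113.10", 443, 200_000)
                for i in range(40)]                                              # the drip
    return records


if __name__ == "__main__":
    recs = build_sample_records()
    print("per-session:", [(r.src, r.dst, r.bytes_out) for r in per_session_alerts(recs)])
    print("low-and-slow:", low_and_slow_alerts(recs))
```

On the constructed data the single-session rule only sees the 8 MB bulk upload; the drip from 10.0.0.5 never exceeds 200 KB in any one session and is only caught once its 26th session pushes the 24-hour total past the budget. The point is that the detection runs over stored session metadata, not over live packets, which is the retrospective capability the table attributes to DSI.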
Now that we have seen the impact of DSI on network security, let’s dive into how Fidelis Network® applies this advanced method to strengthen its threat detection and response capabilities.
Fidelis Network® and Deep Session Inspection® (DSI)
Fidelis Network® Detection and Response (NDR) provides a unified, robust cybersecurity solution with comprehensive visibility and advanced threat detection across all network ports and protocols.
Fidelis Network® leverages its patented Deep Session Inspection (DSI) method that extracts and analyzes embedded files, enabling precise detection of data exfiltration attempts.
For example, if an employee attempts to send a large file to an external email address—an action that seems unusual for their role—DSI will not only flag the file transfer but also correlate it with the session context. This includes analyzing the sender’s access patterns and determining whether such activity aligns with their usual behavior.
By inspecting not only individual packets but also the context of entire network interactions across the corporate network, Fidelis Network® enhances its ability to detect sophisticated threats like data leakage and complex attack strategies, ensuring comprehensive protection across the network.
See how Fidelis DSI helps you:
- Reassemble and analyze network, email, and web traffic in real-time
- Identify threats and data leaks by decoding session content
- Enhance threat detection with context and metadata
- Automate responses, such as alerts and quarantines
To understand how this works, let’s explore the process in more detail.
Sensors Used in Fidelis Network®
Fidelis Network® uses two types of sensors, Direct Sensors and Internal Sensors, to analyze network traffic in real time as it passes through the network.
- Direct Sensors: Optimized for boundary traffic between internal and external networks. They handle many small, fast sessions (e.g., web or email traffic).
- Internal Sensors: Optimized for internal network traffic, handling fewer but longer sessions, like file-sharing, often lasting days or weeks.
These sensors operate without holding or delaying traffic, ensuring near-zero latency. However, since they analyze a copy of the traffic rather than the original, prevention of attacks cannot be guaranteed.
Analysis Engines: Enhancing DSI's Detection Capabilities
Both Direct and Internal Sensors use three analysis engines to inspect the traffic:
- Deep Session Inspection® (DSI) Engine: This is the core engine that reassembles network traffic into a session buffer, allowing for deep inspection of file formats, emails, and other data types. It can even handle compressed files, revealing content that other analysis methods might overlook.
- Deep Packet Inspection (DPI) Engine: The DPI engine examines each packet using predefined rules with minimal delay. However, since it works on a copy of the packet, it can only take preventive action on the next packet, not the current one.
- Malware Detection Engine (MDE): The MDE scans files detected during the DSI decoding process using various methods to identify malware, helping to prevent potential damage before it occurs.
Here, let’s focus on the DSI engine.
The DSI engine places each packet’s data into a session buffer as it arrives. As more packets are processed, the buffer grows. This allows Fidelis to identify the application protocol, content, and file types, and decode everything—including compressed files—to uncover the full content of files, emails, and other data.
In Fidelis Network®, the DPI and DSI engines run in parallel on the same traffic to ensure thorough inspection.
DPI, working packet by packet, reacts to a rule hit by dropping the next packet of that flow, while DSI analyzes the complete session for full content inspection. The DSI engine proceeds through the following steps:
- Session Reassembly: DSI pulls the payload from each packet and reassembles it, in order, into a session buffer, creating a complete view of the transmitted data. Out-of-order packets and retransmissions are resolved here, so the reassembled session is an accurate copy of the data flowing between the endpoints.
- Decoding Process: After reassembly, DSI identifies the application protocol and the formats in use and decodes the content. It builds a decoding tree that maps the structure of the session (protocol, nested containers such as archives or encoded attachments, and the files they carry) so that every layer can be inspected.
- Rule Application: DSI applies security rules to the decoded content as the session progresses, checking in real time for threats such as malware or sensitive data leaving the network.
- Prevention: When a rule is violated, an action (alert or prevention) is triggered. Prevention is only possible while the session is still open: the sensor works on a copy of the traffic, so if the violating content is only detected after the last packet has already been delivered, an alert and retrospective response are what remain.
- File Detection: If a file is identified during decoding, it is forwarded to the Malware Detection Engine (MDE) for further inspection.
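The steps above, as an added example (written for this page, not Fidelis code): a toy DSI pipeline in Python that reassembles out-of-order and retransmitted segments into a session buffer, identifies the HTTP layer, walks a small decoding tree (gzip, then ZIP, then the file inside) with depth and size limits, and applies one content rule to every decoded leaf. The same segments are also run through a per-packet check to show why the session view matters. The HTTP request, the 7-byte segmentation, the SSN pattern and the limits are all constructed for the example; a real engine would also hand each decoded file to a malware engine, which is left as a comment here.

```python
import gzip
import io
import re
import zipfile
import zlib
from dataclasses import dataclass

# Content rule applied to decoded session content (constructed for the example).
SENSITIVE = re.compile(rb"SSN:\s*\d{3}-\d{2}-\d{4}")
MAX_DEPTH = 8            # nesting limit: guards against deeply layered encodings
MAX_DECODED = 1 << 20    # byte limit per decode step: guards against decompression bombs


@dataclass
class Segment:
    seq: int        # byte offset of this payload within the client->server stream
    payload: bytes


def segmentize(stream: bytes, size: int = 7) -> list:
    """Cut a stream into small segments, delivered in reverse order plus one retransmit."""
    segs = [Segment(i, stream[i:i + size]) for i in range(0, len(stream), size)]
    return segs[::-1] + [segs[len(segs) // 2]]


def http_post(body: bytes, extra_headers: bytes = b"") -> bytes:
    return (b"POST /upload HTTP/1.1\r\nHost: files.example.test\r\n" + extra_headers
            + b"Content-Length: " + str(len(body)).encode() + b"\r\n\r\n" + body)


def build_cleartext_session() -> list:
    """Constructed traffic: the marker is sent in the clear but straddles segments."""
    return segmentize(http_post(b"name=alice&note=SSN: 123-45-6789&x=1"))


def build_nested_session() -> list:
    """Constructed traffic: marker in a text file, inside a ZIP, gzip-compressed on the wire."""
    zbuf = io.BytesIO()
    with zipfile.ZipFile(zbuf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("export.txt", b"name=alice\nSSN: 123-45-6789\n")
    return segmentize(http_post(gzip.compress(zbuf.getvalue()), b"Content-Encoding: gzip\r\n"))


def reassemble(segments: list) -> bytes:
    """Session buffer: order by sequence, discard retransmits, trim overlaps, refuse gaps."""
    buf, expected = bytearray(), 0
    for seg in sorted(segments, key=lambda s: s.seq):
        end = seg.seq + len(seg.payload)
        if end <= expected:
            continue                                  # already buffered (retransmit)
        if seg.seq > expected:
            raise ValueError(f"missing bytes at offset {expected}")
        buf += seg.payload[expected - seg.seq:]      # keep only the new bytes
        expected = end
    return bytes(buf)


def parse_http(stream: bytes):
    """Identify the application layer: request line, headers and a length-bounded body."""
    head, _, body = stream.partition(b"\r\n\r\n")
    request_line, *header_lines = head.split(b"\r\n")
    headers = {}
    for line in header_lines:
        name, _, value = line.partition(b":")
        headers[name.strip().lower()] = value.strip()
    return request_line, headers, body[:int(headers.get(b"content-length", b"0"))]


def decode_tree(path: str, data: bytes, depth: int = 0):
    """Peel encodings recursively; yield (path, bytes) for every leaf of the decoding tree."""
    if depth >= MAX_DEPTH:
        raise ValueError(f"{path}: nested deeper than {MAX_DEPTH} layers")
    if data[:2] == b"\x1f\x8b":                           # gzip magic
        out = zlib.decompressobj(16 + zlib.MAX_WBITS).decompress(data, MAX_DECODED + 1)
        if len(out) > MAX_DECODED:
            raise ValueError(f"{path}: gzip output exceeds {MAX_DECODED} bytes")
        yield from decode_tree(path + "/gzip", out, depth + 1)
    elif data[:4] == b"PK\x03\x04":                       # ZIP local file header
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            for info in zf.infolist():
                with zf.open(info) as member:
                    out = member.read(MAX_DECODED + 1)   # bounded read, not trusting file_size
                if len(out) > MAX_DECODED:
                    raise ValueError(f"{path}: member {info.filename} exceeds limit")
                yield from decode_tree(f"{path}/zip:{info.filename}", out, depth + 1)
    else:
        yield path, data                                  # leaf: a file or plain content


def dpi_check(segments: list) -> list:
    """Per-packet inspection: each payload is matched in isolation."""
    return sorted(s.seq for s in segments if SENSITIVE.search(s.payload))


def dsi_check(segments: list) -> list:
    """Session inspection: reassemble, identify protocol, decode, apply the rule to each leaf."""
    _, headers, body = parse_http(reassemble(segments))
    findings = []
    for path, leaf in decode_tree("http-body", body):
        # A full engine would also hand each leaf that is a file to a malware engine here.
        match = SENSITIVE.search(leaf)
        if match:
            findings.append({"path": path, "host": headers.get(b"host", b"").decode(),
                             "match": match.group(0).decode()})
    return findings
```

Run `dsi_check(build_nested_session())` to see a finding whose path is `http-body/gzip/zip:export.txt`, the decoding tree spelled out; `dpi_check` returns no hits for either session because no 7-byte payload ever contains the pattern. The two limits matter in practice: `MAX_DEPTH` stops an attacker from exhausting the engine with archives nested inside archives, and the bounded reads keep a small compressed body from expanding into gigabytes before the rule ever runs, which is also why prevention is not guaranteed: decoding takes time the last packet may not wait for.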
See how Fidelis Network helps you:
- Block malware and limit data leaks
- Secure internal and external access with specialized sensors
- Prevent breaches with real-time threat detection
- Configure sensors for optimal protection
With these steps, the DSI engine in Fidelis Network® ensures robust threat detection and helps prevent attacks, providing comprehensive protection against potential cyberattacks in real-time.
Wrapping Up
Deep Session Inspection is a transformative approach in the cybersecurity industry, going beyond traditional methods of individual packet analysis. This holistic approach to examining entire communication sessions enables organizations to uncover advanced threats, suspicious actions, and data breaches that might otherwise slip through the cracks. With its ability to detect nuanced attack strategies and handle complex, encoded traffic data, DSI strengthens security at every network level.
By leveraging DSI through solutions like Fidelis Network®, businesses can achieve enhanced protection, proactive threat detection, and faster response times, ensuring a safer, more resilient network environment.