Key Takeaways
- Fidelis Deep Session Inspection (DSI) captures full communication sessions across hybrid environments (on-premises + AWS/Azure/GCP) for forensic-level network visibility
- Reconstructs TCP streams, decodes nested protocols (HTTP/S, SMB, TLS where permitted), extracts C2 commands, files, credentials
- Agentless cloud coverage via VPC Traffic Mirroring, NSG integration—no cloud agents needed
- Generates court-ready PCAP/JSON exports with MITRE ATT&CK mapping for investigations
- Network DLP prevents data exfiltration during forensic capture
- Terrain mapping visualizes security posture across IoT/OT/cloud infrastructure
- Unifies threat detection, sandboxing, incident response in one platform
Hybrid environments combine on-premises data centers with public cloud platforms like AWS, Azure, and GCP. This creates complex east-west traffic and north-south flows where advanced cyber threats hide in encrypted tunnels. Fidelis Network® addresses this challenge with patented Deep Session Inspection (DSI) technology. DSI captures communication sessions across monitored network segments, recursively decodes nested protocols and data, and extracts network forensic evidence for hybrid networks.
DSI reconstructs communication sessions and unpacks layered protocols like HTTP-over-TLS-over-SMB. This reveals digital forensic artifacts such as embedded files, C2 commands, stolen credentials, and metadata trails that are ready for incident responses and investigations.
How Deep Session Inspection Provides Forensic Visibility
Traditional network monitoring tools operate at the packet or flow level. Flow-based tools provide snapshots. Netflow analysis tools deliver flow summaries. All struggle with context from encrypted tunnels or nested payloads. Fidelis Network® DSI follows three clear steps:
- Session Capture: Records complete traffic across monitored network segments where sensors are deployed
- Protocol Decoding: Unpacks HTTP/S, SMB, RDP, DNS, FTP, and inspects TLS-encrypted sessions where decryption policies permit. This reveals embedded content
- Artifact Extraction: Delivers files, commands, C2 beacons, IP addresses, and application data with session context
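The three steps above, as an added Python example that is not Fidelis code: it reassembles one direction of a constructed TCP capture (out-of-order segments plus a retransmission), carves Content-Length framed HTTP bodies out of the rebuilt stream, and packages them with session context into a JSON-ready evidence record. The flow addresses, segments and the ATT&CK technique tag are constructed placeholders; TLS and other protocols are out of scope here.

```python
import hashlib
from collections import namedtuple

# One captured TCP segment in one direction: sequence number, capture time, payload.
Segment = namedtuple("Segment", "seq ts payload")

def reassemble(segments):
    """Step 1: order one direction of a TCP stream by sequence number, drop
    retransmitted/overlapping bytes, and refuse to paper over a missing segment."""
    out, expected = bytearray(), None
    for seg in sorted(segments, key=lambda s: s.seq):
        expected = seg.seq if expected is None else expected
        end = seg.seq + len(seg.payload)
        if end <= expected:
            continue                                  # pure retransmission
        if seg.seq > expected:
            raise ValueError(f"hole in stream: expected seq {expected}, got {seg.seq}")
        out += seg.payload[expected - seg.seq:]       # skip overlapping prefix
        expected = end
    return bytes(out)

def extract_http_bodies(stream):
    """Steps 2-3: walk Content-Length framed HTTP/1.1 responses in the reassembled
    stream and return one artifact record (status, size, type, hash) per body."""
    artifacts = []
    while b"\r\n\r\n" in stream:
        head, _, rest = stream.partition(b"\r\n\r\n")
        lines = head.split(b"\r\n")
        hdrs = {k.lower(): v for k, v in (ln.split(b": ", 1) for ln in lines[1:] if b": " in ln)}
        n = int(hdrs.get(b"content-length", b"0"))
        body, stream = rest[:n], rest[n:]
        artifacts.append({"status": lines[0].decode(), "size": n,
                          "content_type": hdrs.get(b"content-type", b"").decode(),
                          "sha256": hashlib.sha256(body).hexdigest()})
    return artifacts

def evidence_record(flow, segments, technique):
    """Bundle the artifacts with the session context an investigator needs (5-tuple, timing, ATT&CK tag)."""
    stream = reassemble(segments)
    return {"flow": flow, "first_seen": min(s.ts for s in segments),
            "last_seen": max(s.ts for s in segments), "bytes": len(stream),
            "mitre_attack": technique, "artifacts": extract_http_bodies(stream)}

SAMPLE_FLOW = {"src": "10.0.5.20:49812", "dst": "203.0.113.7:80", "proto": "tcp"}  # constructed
SAMPLE_SEGMENTS = [  # constructed: captured out of order, with one retransmission
    Segment(1000, 1.00, b"HTTP/1.1 200 OK\r\nContent-Type: application/octet-stream\r\n"),
    Segment(1078, 1.02, b"MZ\x90\x00stub"),            # body arrives before the header tail
    Segment(1057, 1.01, b"Content-Length: 8\r\n\r\n"),
    Segment(1057, 1.03, b"Content-Length: 8\r\n\r\n"),  # retransmission of the same bytes
]
```

Feeding the record to `json.dumps` gives the kind of SIEM-ready export the page describes; a real decoder would add chunked framing and per-protocol parsers on top of the same reassembly step.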
Real Attack Example: RDP lateral movement from on-premises data centers to Azure VMs. DSI reconstructs the session, showing stolen NTLM hashes, PowerShell commands, and staged files. This is evidence investigators can trace across hybrid boundaries.
This deep session inspection significantly reduces visibility gaps across monitored network ports and protocols.
Hybrid Deployment Coverage: No Cloud Agents Required
Fidelis Network® captures traffic flow across hybrid environments:
| Environment | Deployment Method | Traffic Captured | Key Benefits |
|---|---|---|---|
| On-Premises Data Centers | Appliances via SPAN/TAP ports, GRE tunnels | VLANs, switches, critical applications | Comprehensive protocol decode |
| Private Clouds | VMware/KVM virtual sensors | VM-to-VM flows, storage networks | Scales with virtualization |
| AWS | VPC Traffic Mirroring | VPCs, EKS clusters, S3 access | Native cloud environments visibility |
| Azure | NSG integration + VNet sensors | AKS clusters, Azure SQL | Visibility into NSG-governed traffic |
| GCP | Packet Mirroring | GKE pods, Cloud Run workloads | Real-time cloud workload coverage |
Deployment Options:
- Out-of-band monitoring eliminates production risk
- Inline prevention where required
- Cloud auto-scaling for dynamic workloads
- High‑capacity session data retention supports threat hunting and deep‑dive analysis.
IoT devices, IT/OT systems, smart devices, and containers appear in unified views across private connections and public internet paths.
Network Forensics Evidence for Investigations
Fidelis generates digital evidence that security and legal teams can rely on for incident response and legal review:
Core Capabilities:
- Session reconstruction with MITRE ATT&CK mapping
- Search across large-scale session repositories by session data attributes such as IP addresses, domains, file hashes
- Visual attack replay from access to data exfiltration
- Timestamp preservation supports data integrity
Export Formats:
| Format | Contains | Perfect For |
|---|---|---|
| Alert‑triggered PCAP snippets | Partial session capture from DLP or policy‑triggered alerts | Investigating specific incidents in Wireshark or packet analyzers |
| JSON Exports | Files, metadata, commands, and session context | SIEM/SOAR tools (e.g., Splunk Enterprise Security, Cortex XSOAR, similar platforms) |
| CSV Reports | Risk-scored network events | Compliance audits and spreadsheet‑based analysis |
| STIX/TAXII Packages | Threat intelligence, indicator feeds, CTI | Threat‑sharing and XDR/SOC integrations |
Data Exfiltration Investigation:
- Risk engine flags suspicious data movement to cloud storage
- DSI reconstructs SMB session with embedded transfers
- Extracts files with session context
- Delivers digital evidence package for remediation
Network forensics shifts from days of log parsing to hours of focused analysis.
This datasheet helps you:
- Identify east-west traffic blind spots
- Validate encrypted session inspection
- Confirm full session reconstruction
- Ensure investigation-ready evidence
Prevention During Forensic Capture
Fidelis captures evidence while preventing threats:
- Network DLP scans sensitive information patterns across protocols during inspection
- Inline sandbox analyzes payloads from network traffic
- Threat blocking and policy‑based captures generate linked evidence chains, so that blocked traffic, alerts, and captured session data remain associated for later investigation.
Ransomware Scenario: SMB enumeration triggers session capture. DSI builds forensic evidence while Network DLP prevents encryption across hybrid networks.
Fidelis vs. Other Network Detection Solutions
| Feature | Fidelis Network® | Behavioral NDR | Flow-Based Tools | Basic Packet Capture |
|---|---|---|---|---|
| Encrypted Analysis | Session decode + extraction | Metadata only | Flow headers | Raw streams |
| Session Reconstruction | Patented DSI | Anomaly patterns | NetFlow summaries | Manual sorting |
| Forensic Exports | PCAP/JSON + MITRE | Alert logs | Raw dumps | Untagged captures |
| Cloud Coverage | Native VPC/NSG integration | Agents required | Partial parsing | Mirror dependency |
| Inline DLP | DLP rules are optional and can be applied to DSI‑identified sessions for data‑loss prevention and capture. | Separate tool | Monitoring only | None |
Fidelis provides agentless hybrid coverage through native cloud integrations, unifying network forensics and security.
Proven Hybrid Threat Scenarios
- Manufacturing (on-premises + AWS EKS):
- Detects SMB lateral movement across production networks
- Reconstructs C2 to S3 buckets
- Maps ransomware attack chain
- Financial Services (Azure + data center):
- Identifies IP exfiltration to personal cloud services
- Reconstructs complete access patterns
- Supports termination proceedings
- Healthcare (GCP migration):
- Discovers misconfigured GKE workloads
- Reconstructs unauthorized API sessions
- Documents compliance issues
Seamless Security Ecosystem Integration
Terrain mapping visualizes security posture across on-premises data centers, private clouds, and public cloud platforms, covering every connected device, workload, and traffic flow.
Why Security Teams Choose Fidelis for Hybrid Network Forensics
- Patented Deep Session Inspection: DSI reconstructs complete sessions with content extraction from network traffic. These are capabilities that typically require multiple tools.
- Agentless Hybrid Coverage: Native AWS VPC Traffic Mirroring, Azure NSGs, and GCP Packet Mirroring capture east-west traffic without cloud agents.
- Investigation-Ready Evidence: Alert details are typically exported as JSON or PDF for analysis; PCAP is available as an optional export for deeper forensic review.
- Unified Prevention + Forensics: Network DLP rules may block data loss during DSI inspection, while sandboxing analyzes payloads to stop malware execution.
- Enterprise-Scale Architecture: Petabyte‑scale data access across large hybrid networks with terrain mapping and automated workflows.
Article Summary: Hybrid Network Forensics
| Hybrid Visibility Gap | Fidelis Network® Capability | Forensic-Level Outcome |
|---|---|---|
| East-west traffic blind spots across on-premises and cloud environments | Deep Session Inspection (DSI) session reconstruction | Deep protocol decoding across hybrid infrastructure with complete session context |
| Encrypted tunnel payloads and nested protocols | Recursive protocol decoding and TLS inspection where policy permits | Extracted C2 commands, embedded files, and reconstructed attack activity |
| Investigation evidence gaps during incident response | PCAP and JSON exports with MITRE ATT&CK technique mapping | Investigation-ready digital evidence for legal and compliance review |
| Real-time data exfiltration across hybrid networks | Inline Network DLP inspection during session analysis | Threat blocking while preserving complete session evidence |
| Multi-environment complexity across data centers and public cloud | Terrain mapping with high-capacity session storage | Unified security posture visibility across hybrid environments |
Core Relationship: Fidelis Network® → DSI technology → forensic visibility across hybrid environments
Frequently Asked Questions
How does Deep Session Inspection differ from DPI tools?
DPI tools inspect traffic at the packet level and can miss multi-packet or encrypted sessions. Deep Session Inspection (DSI) reconstructs complete communication sessions and decodes nested protocols and data like HTTP over TLS over SMB. This reveals digital forensic artifacts such as files, C2 commands, and malware payloads that DPI tools often overlook.
Can Fidelis analyze encrypted traffic across cloud platforms?
Yes, where decryption policies allow. DSI provides deep session inspection into TLS-encrypted sessions plus metadata analysis across AWS, Azure, and GCP cloud platforms through VPC Traffic Mirroring, NSG integration, and Packet Mirroring.
How does Fidelis achieve hybrid network visibility without cloud agents?
Native cloud integrations capture traffic flow through AWS VPC Traffic Mirroring, Azure Network Security Groups, and GCP Packet Mirroring, plus SPAN/TAP for on-premises segments and virtual sensors for VMware. Terrain mapping then presents the hybrid network's security posture in one unified view.
What network forensics evidence supports legal investigations?
Fidelis Network® delivers session reconstruction, extracted files with metadata, MITRE ATT&CK mappings, and timestamped PCAP exports. These form complete digital evidence packages for data breach investigations and compliance.
Can Fidelis scale for large hybrid networks with IoT/OT?
Distributed sensors and high‑capacity session data access handle IoT endpoints, OT systems, containers, and cloud workloads across large hybrid networks.