Botprobe’s next-generation intelligent IDS takes an alternative approach to using full packet capture for network threat detection. Threat detection built on full packet capture adds overhead twice: once while transporting the captured traffic back to an analyser, and again while searching unstructured PCAP data for the threat, even though most fields in each packet are discarded during the detection phase. Botprobe strips superfluous data from each packet at source, according to what the detection rules actually require, and re-packages the remaining fields as structured data.
Reducing the volume of forwarded traffic means that each and every networked device can become a network IDS sensor, extending your visibility of your threat surface across the entire organisation.
Today’s IDS solutions react to linear detection rules written for unstructured data. Our probes adapt in real time to capture the most relevant indicators of attack (IOA) in network traffic as a threat evolves across a network, preserving the integrity of the threat conversation whilst capturing the minimum subset of traffic.
Our alternative approach has several advantages over traditional IDS. Next-gen detection rules are more expressive and easier to construct:
- Structured data – makes threat searching simpler and faster, removing the need for regex-based rules when defining traditional IDS alerts;
- Smart Detection Logic™ – easy-to-create detection rules combine conditional logic with fuzzy logic to describe complex detection conditions simply;
- Adaptive Capture™ – intelligent prediction of traffic content allows the probes to adapt, in real time, to changes in an attack profile and capture just the traffic-based IOA attributes required for threat detection;
- Encrypted Search – real-time search of SSL/TLS traffic.
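The following is an added illustration of the strip-at-source idea described above (decode the packet, keep only the fields the rules need, forward a structured record) and of the "Structured data" bullet (a rule as exact field constraints instead of a byte-pattern regex). It is example code written for this page, not Botprobe’s own probe or rule language. The field names are modelled on Wireshark-style display-filter names, the rule format and the `strip_at_source` / `rule_matches` helpers are assumptions, and the two packets are constructed inline rather than captured from any real network.

```python
import json
import re
import struct
from typing import Any, Dict, Set

# Constructed sample traffic (not captured from any real network): Ethernet II + IPv4 + TCP
# carrying a cleartext HTTP request. IP/TCP checksums are left as zero; this example
# does not verify them, it only decodes the headers it needs.
def build_packet(payload: bytes, dst_port: int = 80) -> bytes:
    eth = bytes.fromhex("001122334455") + bytes.fromhex("66778899aabb") + b"\x08\x00"
    tcp = struct.pack("!HHIIBBHHH", 51234, dst_port, 1, 1, 5 << 4, 0x18, 65535, 0, 0)
    total_len = 20 + len(tcp) + len(payload)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, 0x1234, 0x4000, 64, 6, 0,
                     bytes([192, 168, 1, 10]), bytes([203, 0, 113, 5]))
    return eth + ip + tcp + payload

def http_request(uri: bytes) -> bytes:
    return (b"GET " + uri + b" HTTP/1.1\r\nHost: victim.example\r\n"
            b"User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) "
            b"Chrome/120.0 Safari/537.36\r\n"
            b"Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8\r\n"
            b"Accept-Language: en-GB,en;q=0.5\r\nAccept-Encoding: gzip, deflate\r\n"
            b"Connection: keep-alive\r\n\r\n")

ATTACK_PKT = build_packet(http_request(b"/wp-login.php"))                     # what the rule is for
DECOY_PKT = build_packet(http_request(b"/docs/wp-login.php-hardening.html"))  # same bytes, benign URI

def parse_packet(pkt: bytes) -> Dict[str, Any]:
    """Decode Ethernet/IPv4/TCP (and an HTTP request line + headers) into named fields."""
    if len(pkt) < 34 or pkt[12:14] != b"\x08\x00":          # not IPv4 over Ethernet II
        return {}
    ihl = (pkt[14] & 0x0F) * 4
    if ihl < 20 or len(pkt) < 14 + ihl + 20:
        return {}
    _, _, total_len, _, _, ttl, proto, _, src, dst = struct.unpack("!BBHHHBBH4s4s", pkt[14:34])
    fields: Dict[str, Any] = {
        "ip.src": ".".join(map(str, src)), "ip.dst": ".".join(map(str, dst)),
        "ip.ttl": ttl, "ip.proto": proto, "ip.len": total_len,
    }
    if proto != 6:
        return fields
    t = 14 + ihl
    sport, dport, _, _, off, flags, _, _, _ = struct.unpack("!HHIIBBHHH", pkt[t:t + 20])
    payload = pkt[t + (off >> 4) * 4:14 + total_len]
    fields.update({"tcp.srcport": sport, "tcp.dstport": dport, "tcp.flags": flags,
                   "tcp.payload": payload})
    head, _, rest = payload.partition(b"\r\n")
    parts = head.split(b" ")
    if len(parts) == 3 and parts[2].startswith(b"HTTP/"):   # looks like an HTTP request line
        fields["http.method"] = parts[0].decode("ascii", "replace")
        fields["http.uri"] = parts[1].decode("ascii", "replace")
        for line in rest.split(b"\r\n"):
            if not line:                                     # blank line ends the headers
                break
            name, _, value = line.partition(b":")
            key = "http." + name.strip().decode("ascii", "replace").lower()
            fields[key] = value.strip().decode("ascii", "replace")
    return fields

# Hypothetical rule format: exact constraints on named fields rather than a byte pattern.
WP_LOGIN_RULE = {"name": "wordpress-login-probe",
                 "match": {"tcp.dstport": 80, "http.method": "GET", "http.uri": "/wp-login.php"}}
# The flow 5-tuple is always retained so a record can still be tied back to its conversation.
FLOW_KEYS: Set[str] = {"ip.src", "ip.dst", "ip.proto", "tcp.srcport", "tcp.dstport"}

def strip_at_source(pkt: bytes, rules) -> Dict[str, Any]:
    """What a probe would forward: only the fields some rule needs, plus the flow key."""
    needed = FLOW_KEYS.union(*(r["match"].keys() for r in rules))
    return {k: v for k, v in parse_packet(pkt).items() if k in needed}

def rule_matches(rule, record: Dict[str, Any]) -> bool:
    return all(record.get(k) == v for k, v in rule["match"].items())

def legacy_regex_match(pkt: bytes) -> bool:
    """The unstructured equivalent: a pattern scanned across the whole raw packet."""
    return re.search(rb"wp-login\.php", pkt) is not None

def reduction_ratio(pkt: bytes, rules) -> float:
    """Bytes forwarded (record serialised as JSON) divided by bytes captured."""
    return len(json.dumps(strip_at_source(pkt, rules)).encode()) / len(pkt)

if __name__ == "__main__":
    for name, pkt in (("attack", ATTACK_PKT), ("decoy", DECOY_PKT)):
        rec = strip_at_source(pkt, [WP_LOGIN_RULE])
        print(name, "structured:", rule_matches(WP_LOGIN_RULE, rec),
              "regex:", legacy_regex_match(pkt),
              f"forwarded/captured: {reduction_ratio(pkt, [WP_LOGIN_RULE]):.2f}", rec)
```

Two things the run shows. The attack packet matches the structured rule and the forwarded record is well under half the size of the captured frame, because the payload and every header the rule does not reference are dropped before anything leaves the probe. The decoy packet is caught by the loosely written regex scanned over raw bytes but not by the field-level rule, since `http.uri` is compared as a decoded value rather than searched as a substring. Note that the HTTP fields only exist because the payload was cleartext; a probe sees nothing above the TCP header in TLS traffic unless it has access to the plaintext.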
Extends IDS visibility across your entire network threat surface, without losing the context of the threat information:
- Unlimited number of probes – significant reductions in the volume of captured data lift the restriction that full packet capture imposes on the number of probes deployed in a network;
- Deployable on any networked device – small-footprint TAP probes can be installed on any network device, extending IDS visibility from the core key assets right up to the network edge;
- Deployable in legacy networks – hardware TAP probes replace software probes in environments where software cannot easily be installed, removing the traffic duplication that arises from mirroring SPAN ports.