Content Analysis System and Advanced Threat Protection

Copyright © 2013 Blue Coat Systems Inc. All Rights Reserved.

Description: The need for network-centric content analysis.

Transcript of Content Analysis System and Advanced Threat Protection

Page 1: Content Analysis System and Advanced Threat Protection

CONTENT ANALYSIS SYSTEM AND ADVANCED THREAT PROTECTION

Page 2: Content Analysis System and Advanced Threat Protection

EVOLVING LANDSCAPE OF MODERN THREATS

TODAY’S ADVANCED THREAT LANDSCAPE

Page 3: Content Analysis System and Advanced Threat Protection

ADVANCED THREAT PROTECTION LIFECYCLE DEFENSE

- Stage 1: Block & Enforce (all known threats)
- Stage 2: Detect & Analyze (unknown threats)
- Stage 3: Resolve & Remediate (threats discovered on the network)
- Global Intelligence Network

Page 4: Content Analysis System and Advanced Threat Protection

BUSINESS ASSURANCE TECHNOLOGY

Centers: Security and Policy Enforcement Center; Mobility Empowerment Center; Trusted Applications Center; Performance Center; Resolution Center

Products: SG & SG-VA, Web Security Service, WebFilter, SSL Visibility, CAS, MAA, DLP, FW/IDS on X-Series, Mobile Device Security Service, App Classification Service, Web App Reverse Proxy, MACH5, CacheFlow, PacketShaper, Reporter SW, Reporter Service, Intelligence Center, DeepSee Analytics Appliance

BUSINESS ASSURANCE PLATFORM

• Open Environment for Best-of-Breed Solutions

• Proxy-Based Architecture

• Global Cloud Infrastructure

• Threat, Web & Application Intelligence

• Scalable Virtualization Platform

• Rich Security Analytics

Page 5: Content Analysis System and Advanced Threat Protection

CONTENT ANALYSIS SYSTEM & ADVANCED THREAT PROTECTION

What problems are we solving?

Average cost per lost data record from an advanced attack is $222. This is 27% more than the cost from incidents of insider negligence

Average time to discover an advanced persistent threat is 80 days for a malicious breach

Average time to resolution is 123 days for a malicious breach

Current solutions try to solve the ATP problem via silos of technology

Security defenses must align with each other, share information and be adaptive

Page 6: Content Analysis System and Advanced Threat Protection

THE NEED FOR NETWORK-CENTRIC CONTENT ANALYSIS

SANS Institute, Critical Controls For Effective Cyber Defense, March 2013:

“Utilize network-based anti-malware tools to analyze all inbound traffic and filter out malicious content before it arrives at the endpoint.”

Network World, Advanced Malware Protection: Network or Host?, July 2012:

“So ultimately enterprise organizations need both network and host-based advanced malware defenses. Yeah, it's a lot of work but it's inevitable.”

Page 7: Content Analysis System and Advanced Threat Protection

CONTENT ANALYSIS SYSTEM

Content Analysis System: Expandable, Best of Breed, High Performance, Integrated Security Platform

- Anti-Malware: Sophos, Kaspersky, McAfee
- White-Listing: Bit 9
- Sand-Boxing (Off-Box, Local): Norman
- Sand-Boxing (On-Box & Cloud): Future
- Static Code Analysis: Future
- On-Box DRTR: Future

Page 8: Content Analysis System and Advanced Threat Protection

CONTENT ANALYSIS SYSTEM: KEY COMPONENTS AND PACKAGING

CAS Appliance:
- CA-S400-A1: 50 Mbps
- CA-S400-A2: 100 Mbps
- CA-S400-A3: 250 Mbps
- CA-S400-A4: 500 Mbps

CAS SW License (by user):
- License A: Single AV + Bit 9 license, or
- License B: Dual AV + Bit 9 license

Malware Analysis Appliance (Sandbox), with Malware Analysis NW License:
- MAA-S400-10, or
- MAA-S500-10

Annual Subscription and Update Service @ 20% of HW List

Page 9: Content Analysis System and Advanced Threat Protection

CONTENT ANALYSIS SYSTEM: FLEXIBLE CHOICES

1. Choose Content Analysis device: CA-S400-A1 (50 Mbps), CA-S400-A2 (100 Mbps), CA-S400-A3 (250 Mbps) or CA-S400-A4 (500 Mbps)

2. Add Subscription Services: Single AV + Bit 9 Whitelisting, or Dual AV + Bit 9 Whitelisting (select single or dual AV from Kaspersky, McAfee or Sophos)

3. Select Malware Analysis Appliance: MAA-S400 or MAA-S500 (Cloud & On-Box Sandboxing Available Mid-2014)

Page 10: Content Analysis System and Advanced Threat Protection

WHY SANDBOXING?

Traditional network defenses are great at dealing with known threats, terrible at dealing with unknown threats

Unknown threats require dynamic analysis (aka detonation) in the form of a virtual machine and/or bare-metal or emulation sandbox

“By year-end 2016, 20% of enterprises will implement Windows containment mechanisms for end users handling untrusted content and code, up from less than 1% in 2013.” (Gartner)

Page 11: Content Analysis System and Advanced Threat Protection

MALWARE APPLIANCE CORE TECHNOLOGY

Hybrid Analysis (unmatched intelligence)
- Emulation
- IntelliVM virtualization

Behavioral Patterns (expose targeted attacks)
- Detection patterns
- Open source patterns
- Custom patterns

Plug-in Architecture (extend detection and processing)
- Interact with running malware
- Click-through dialogs and installers

SandBox
- Software x86 emulator
- Hardware emulation
- Generates numerous low-level events – page faults, exceptions, etc.
- Emulated network access and services
- Hook-based event introspection
- Add your own patterns
- Supports EXEs and DLLs
- Portable executable memory dumps

IntelliVM
- Full Windows XP or Win 7 licensed software
- Hardware virtualization
- Generates high-level events – file, registry, network, process, etc.
- Real network access and services
- KernelScout filter driver captures low-level events
- Add your own patterns
- Wide range of file support
- Extend processing with plugins

Page 12: Content Analysis System and Advanced Threat Protection

INTELLIVM PROFILES AND PLUGINS

Supports multiple profiles for powerful analysis
• Windows 7 SP1 and Windows XP SP3

Customize to closely match production environments
• Pilot patches, software rollouts, and O/S upgrades
• Test with exact application versions, browsers, add-ons, etc.

Flexibility to detect non-traditional threats
• VM kernel and application-level event monitoring
• Supports EXE, DLL, PDF, JAR, BAT, and Office Docs “out of the box”

Extend custom processing with plugins
• Interact with malware before, during, and after execution
• Hook detection, memory dumps, click-through dialogs and installers

Exercise malware within precisely tailored virtual environments to see its real effects on operations

Page 13: Content Analysis System and Advanced Threat Protection

BEHAVIORAL DETECTION PATTERNS

Generic and malware campaign specific patterns
• Trojan, spyware, worm, ransomware

Extensive pattern library
• Core patterns (incl. WebPulse info)
• Create your own patterns
• All matching patterns will trigger
• Global and user-specific patterns

Risk scoring
• Set by highest matched pattern
• Scores update with new patterns
• Script notification triggers for further action

Patterns can detect targeted and single-use malware, and do not rely on signature-based detection methodologies

Page 14: Content Analysis System and Advanced Threat Protection

MALWARE APPLIANCE: KEY FEATURES

- Enterprise Scalability: approximately 50,000 analysis tasks per day per appliance; automated bulk sample processing and risk scoring; parallel processing on up to 40 virtual machines per appliance

- Hybrid Analysis: superior threat dual-detection methodology using SandBox and VM

- IntelliVMs: replicate actual production environments including custom applications

- Plugins: interact with malware, click through installers, extend custom processing

- Best-in-class full-featured Web-UI, Analysis Desktop, searching and data mining

- Open Patterns: detection criteria are never hidden; users can add custom patterns

- Powerful RESTful API: full programmatic access for integration and automation

- Pub-Sub API: secure notifications of analysis task status and task completion

- Remote management, security, and health status monitoring eases deployment

Page 15: Content Analysis System and Advanced Threat Protection

BUSINESS CASE

ProxySG + CAS + Malware Appliance

Page 16: Content Analysis System and Advanced Threat Protection

CONTENT ANALYSIS SYSTEM: MULTI-LAYERED SECURITY FOR KNOWN & UNKNOWN THREATS

Applies to unencrypted and encrypted traffic.

1. ProxySG (with WebPulse): known malicious site/malnet -> BLOCK; not from a known malicious site/malnet -> ALLOW further inspection

2. Content Analysis System, malware signature databases: known malware -> BLOCK & UPDATE; not on malware signature databases -> check application whitelist

3. Content Analysis System, application whitelist: on whitelist -> ALLOW DELIVERY; not on whitelist -> send to sandbox

4. BlueCoat Malware Appliance sandbox: not malicious -> ALLOW DELIVERY; malicious -> UPDATE malware signature databases & ALERT

5. Non-BlueCoat sandbox: not malicious -> ALLOW DELIVERY; malicious -> ALERT

Slide under revision

Page 17: Content Analysis System and Advanced Threat Protection

BLUECOAT NETWORK EFFECT

Benefits of the BlueCoat system:

- Subsequent requests/lures are blocked before download

- Performance improvements for CAS and Malware Appliance, as further scans are not needed

- False positives are reduced as filtering occurs prior to the sandbox

- WebPulse updates all BlueCoat SWGs for improved efficiency on ALL devices

Able to feed information TO and collect information FROM other vendors' devices
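A toy model of the multi-layered inspection flow and of the risk-scoring rule from the behavioral detection patterns slide (all matching patterns trigger, score set by the highest match), written as an added example rather than Blue Coat code. The pattern names and scores, the alert threshold, and the choice to feed a malicious verdict back into both the signature list and the malnet list are constructed assumptions standing in for WebPulse and the signature database updates the slides describe.

```python
"""Constructed model of the slide 16/17 flow: proxy reputation check, CAS
signature databases, CAS application whitelist, then sandbox. A malicious
sandbox verdict is fed back so later requests for the same file, or from the
same lure site, are blocked before download (the "network effect")."""
import hashlib

# Constructed pattern library: behaviour name -> risk score (1..10).
PATTERNS = {"writes_run_key": 4, "drops_exe_in_temp": 5,
            "injects_into_process": 8, "contacts_cnc_domain": 9}
ALERT_THRESHOLD = 7  # assumption: scores at or above this count as malicious


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def score_behaviours(behaviours, patterns=PATTERNS):
    """Return (risk score, matched pattern names); score = highest match."""
    matched = sorted(b for b in set(behaviours) if b in patterns)
    return max((patterns[b] for b in matched), default=0), matched


class InspectionPipeline:
    def __init__(self, malnets, signatures, whitelist):
        self.malnets = set(malnets)        # known malicious sites/malnets
        self.signatures = set(signatures)  # SHA-256 of known malware
        self.whitelist = set(whitelist)    # SHA-256 of trusted applications
        self.alerts = []                   # (site, digest, matched patterns)

    def inspect(self, site, content, behaviours=()):
        """Decide one download; `behaviours` stands in for what the sandbox
        would observe when detonating the file."""
        if site in self.malnets:                   # stage 1: ProxySG/WebPulse
            return "BLOCK:malnet"
        digest = sha256_hex(content)
        if digest in self.signatures:              # stage 2: signature databases
            return "BLOCK:signature"
        if digest in self.whitelist:               # stage 3: application whitelist
            return "ALLOW:whitelist"
        score, matched = score_behaviours(behaviours)   # stage 4: sandbox
        if score >= ALERT_THRESHOLD:
            # UPDATE & ALERT: feed the verdict back so the next request for
            # this file, or from this lure site, never reaches the sandbox.
            self.signatures.add(digest)
            self.malnets.add(site)
            self.alerts.append((site, digest, matched))
            return "ALERT:malicious"
        return "ALLOW:clean"
```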

Page 18: Content Analysis System and Advanced Threat Protection

COMPLETE ADVANCED THREAT PROTECTION

ProxySG + CAS + Malware Appliance + Solera Analytics (Security Analytics Platform)

Page 19: Content Analysis System and Advanced Threat Protection

ADVANCED THREAT PROTECTION SOLUTION

LIFECYCLE DEFENSE

The Blue Coat ATP solution delivers the industry’s most comprehensive protection through the following:

1) Lifecycle Defense: Protection that maps to three threat stages: Real-time blocking for known threats and malware sources (malnets); Advanced threat analysis for unknown threats; and Dwell time reduction for latent threats

2) Adaptive Malware Analysis: Dynamic APT protection that analyzes unknown threats and shares information with other systems in the security infrastructure to increase protection efficiency for unknown and latent threats

3) Network Effect: APT information sharing between 75M users in 15,000 organizations through a feedback loop into the Blue Coat Global Intelligence Network

Stage 1: Block & Enforce (all known threats); Stage 2: Detect & Analyze (unknown threats); Stage 3: Resolve & Remediate (threats discovered on the network); Global Intelligence Network

Page 20: Content Analysis System and Advanced Threat Protection

COMPLETE ADVANCED THREAT PROTECTION

Page 21: Content Analysis System and Advanced Threat Protection

BLUE COAT ADVANCED THREAT PROTECTION

A Complete and Integrated Portfolio of Advanced Threat Protection Technologies:

- SSL Visibility: Blue Coat SSL Visibility Appliance
- Sandbox: Malware Analysis Appliance
- ThreatBLADES, Security Analytics Platform by Solera: Solera Appliances, Solera Storage Appliances, Solera Central Manager
- Blocking and Prevention: Blue Coat ProxySG, Content Analysis System

Page 22: Content Analysis System and Advanced Threat Protection


END

KEVIN FLYNN

PRODUCT MARKETING

OCTOBER, 2013