Advanced Threat Protection - Sandboxing 101
Upcoming SlideShare
Loading in...5
×

Like this? Share it with your network

Share

Advanced Threat Protection - Sandboxing 101

  • 1,203 views
Uploaded on

Advanced Threat Protection Solution Lifecycle Defense

Advanced Threat Protection Solution Lifecycle Defense

More in: Technology
  • Full Name Full Name Comment goes here.
    Are you sure you want to
    Your message goes here
    Be the first to comment
No Downloads

Views

Total Views
1,203
On Slideshare
1,203
From Embeds
0
Number of Embeds
0

Actions

Shares
Downloads
80
Comments
0
Likes
1

Embeds 0

No embeds

Report content

Flagged as inappropriate Flag as inappropriate
Flag as inappropriate

Select your reason for flagging this presentation as inappropriate.

Cancel
    No notes for slide

Transcript

  • 1. ADVANCED THREAT PROTECTION SANDBOXING 101 KEVIN FLYNN PRODUCT MARKETING OCTOBER, 2013 Blue Coat Confidential – Internal Use Only Copyright © 2013 Blue Coat Systems Inc. All Rights Reserved. 1
  • 2. ADVANCED THREAT PROTECTION SOLUTION LIFECYCLE DEFENSE The Blue Coat ATP solution delivers the industry’s most comprehensive protection through the following: 1) Lifecycle Defense: Protection that maps to three threat stages: Realtime blocking for known threats and malware sources (malnets); Advanced threat analysis for unknown threats; and Dwell time reduction for latent threats 2) Adaptive Malware Analysis: Dynamic APT protection that analyzes unknown threats and shares information with other systems in the security infrastructure to increase protection efficiency for unknown and latent threats 3) Network Effect: APT information sharing between 75M users in 15,000 organizations through a feedback loop into the Blue Coat Global Intelligence Network Blue Coat Confidential – Internal Use Only STAGE 3 STAGE 1 Resolve & Remediate Threats Discovered on the Network Block & Enforce All Known Threats GLOBAL INTELLIGENCE NETWORK STAGE 2 Detect & Analyze Unknown Threats Copyright © 2013 Blue Coat Systems Inc. All Rights Reserved. 2
  • 3. WHY SANDBOXING? DETECTING & ANALYZING UNKNOWN THREATS  Traditional network defenses are great at dealing with known-threats, terrible at dealing with unknown-threats  Unknown threats require dynamic analysis (aka detonation) in the form of a virtual machine and/or bare-metal or emulation sandbox  Tight integration is necessary between the sandbox and your web gateway Blue Coat Confidential – Internal Use Only Copyright © 2013 Blue Coat Systems Inc. All Rights Reserved. 3
  • 4. BLUECOAT SANDBOX MALWARE ANALYSIS APPLIANCE CORE TECHNOLOGY Hybrid Analysis Unmatched intelligence  SandBox emulation  IntelliVM virtualization Behavioral Patterns Expose targeted attacks  Detection patterns  Open source patterns  Custom patterns Plug-in Architecture Extend detection and processing  Interact with running malware  Click-through dialogs and installers Blue Coat Confidential – Internal Use Only SandBox IntelliVM Software x86 emulator Full Windows XP or Win 7 licensed software Hardware emulation Hardware virtualization Generates numerous low-level events – page faults, exceptions, etc. Generates high-level events – file, registry, network, process, etc. Emulated network access and services Real network access and services Hook-based event introspection KernelScout filter driver captures lowlevel events Add your own patterns Add your own patterns Supports EXEs and DLLs Wide range of file support Portable executable memory dumps Extend processing with plugins Copyright © 2013 Blue Coat Systems Inc. All Rights Reserved. 4
  • 5. BEHAVIORAL DETECTION PATTERNS INTELLIVM PROFILES AND PLUGINS  Generic and malware campaign specific patterns • Trojan, spyware, worm, ransomware  Extensive pattern library • • • • Core patterns (incl. WebPulse info) Create your own patterns All matching patterns will trigger Global and user-specific patterns  Risk scoring • Set by highest matched pattern • Scores update with new patterns • Script notification triggers for further action Patterns can detect targeted and single-use malware, and do not rely on signature-based detection methodologies Blue Coat Confidential – Internal Use Only Copyright © 2013 Blue Coat Systems Inc. All Rights Reserved. 5
  • 6. MALWARE APPLIANCE KEY FEATURES Malware Appliance Enterprise Scalability – Approximately 50,000 analysis tasks per day per appliance – Automated bulk sample processing and risk scoring – Parallel processing on up to 40 virtual machines per appliance Hybrid Analysis – Superior threat dual-detection methodology using SandBox and VM IntelliVMs – Replicate actual production environments including custom applications Plugins – Interact with malware, click through installers, extend custom processing Best-in-class full-featured Web-UI, Analysis Desktop, searching and data mining Open Patterns – Detection criteria is never hidden; Users can add custom patterns Powerful RESTful API – Full programmatic access for integration and automation Pub-Sub API – Secure notifications of analysis task status and task completion Remote management, security, and health status monitoring eases deployment Blue Coat Confidential – Internal Use Only Copyright © 2013 Blue Coat Systems Inc. All Rights Reserved. 6
  • 7. BLOCKING, DETECTION & ANALYSIS ProxySG + CAS + Malware Analysis Appliance (Sandbox) Proxy SG Content Analysis System Malware Analysis System Blue Coat Confidential – Internal Use Only Copyright © 2013 Blue Coat Systems Inc. All Rights Reserved. 7
  • 8. WWW.BLUECOAT.COM Blue Coat Confidential – Internal Use Only Copyright © 2013 Blue Coat Systems Inc. All Rights Reserved. 8