Content Analysis System and Advanced Threat Protection

Published in: Technology
Description: The need for network-centric content analysis.
Speaker note: The SANS Institute is one of the world's most respected cyber security organizations. Their March 2013 report includes their recommendations for creating an effective cyber defense and the importance of network-based anti-malware. http://www.sans.org/critical-security-controls/cag4-1.pdf (page 28).
Slide 1: CONTENT ANALYSIS SYSTEM AND ADVANCED THREAT PROTECTION
Copyright © 2013 Blue Coat Systems Inc. All Rights Reserved.
Slide 2: EVOLVING LANDSCAPE OF MODERN THREATS
Today's advanced threat landscape.
Slide 3: ADVANCED THREAT PROTECTION LIFECYCLE DEFENSE
• Stage 1: Block & enforce all known threats
• Stage 2: Detect & analyze unknown threats
• Stage 3: Resolve & remediate threats discovered on the network
The Global Intelligence Network sits at the center of the three stages.
Slide 4: BUSINESS ASSURANCE TECHNOLOGY
• Security and Policy Enforcement Center: SG & SG-VA, Web Security Service, WebFilter, SSL Visibility, CAS, MAA, DLP, FW/IDS on X-Series
• Mobility Empowerment Center: Mobile Device Security Service
• Trusted Applications Center: App Classification Service, Web App Reverse Proxy
• Performance Center: MACH5, CacheFlow, PacketShaper
• Resolution Center: Reporter SW, Reporter Service, Intelligence Center, DeepSee Analytics Appliance
Business Assurance Platform:
• Open environment for best-of-breed solutions
• Threat, web & application intelligence
• Proxy-based architecture
• Scalable virtualization platform
• Global cloud infrastructure
• Rich security analytics
Slide 5: CONTENT ANALYSIS SYSTEM & ADVANCED THREAT PROTECTION
What problems are we solving?
• Average cost per lost data record from an advanced attack is $222, 27% more than the cost of an insider-negligence incident.
• Average time to discover an advanced persistent threat is 80 days for a malicious breach.
• Average time to resolution is 123 days for a malicious breach.
• Current solutions try to solve the ATP problem with silos of technology.
• Security defenses must align with each other, share information and be adaptive.
Slide 6: THE NEED FOR NETWORK-CENTRIC CONTENT ANALYSIS
SANS Institute: "Utilize network-based anti-malware tools to analyze all inbound traffic and filter out malicious content before it arrives at the endpoint." (Critical Controls for Effective Cyber Defense, SANS Institute, March 2013)
Network World: "So ultimately enterprise organizations need both network and host-based advanced malware defenses. Yeah, it's a lot of work but it's inevitable." (Advanced Malware Protection: Network or Host?, Network World, July 2012)
Slide 7: CONTENT ANALYSIS SYSTEM
Expandable, best-of-breed, high-performance, integrated security platform. Components:
• AntiMalware: Sophos, Kaspersky, McAfee
• WhiteListing: Bit 9
• Sand-boxing, off-box (local): Norman
• Sand-boxing, on-box & cloud: future
• Static code analysis, on-box: future
• DRTR: future
(Blue Coat Confidential)
Slide 8: CONTENT ANALYSIS SYSTEM: KEY COMPONENTS AND PACKAGING
• CAS appliance: CA-S400-A1 (50 Mbps), CA-S400-A2 (100 Mbps), CA-S400-A3 (250 Mbps), CA-S400-A4 (500 Mbps)
• CAS SW license, priced by user: License A (single AV + Bit 9) or License B (dual AV + Bit 9)
• Malware Analysis Appliance (sandbox): MAA-S400-10 or MAA-S500-10, with a Malware Analysis NW license
• Annual subscription and update service at 20% of hardware list price
Slide 9: CONTENT ANALYSIS SYSTEM: FLEXIBLE CHOICES
1. Choose the Content Analysis device: CA-S400-A1 (50 Mbps), CA-S400-A2 (100 Mbps), CA-S400-A3 (250 Mbps) or CA-S400-A4 (500 Mbps).
2. Select subscription services: single or dual AV from Kaspersky, McAfee or Sophos, plus Bit 9 whitelisting (Single AV + Bit 9, or Dual AV + Bit 9).
3. Select a Malware Analysis Appliance: MAA-S400 or MAA-S500. Cloud & on-box sandboxing available mid-2014.
Slide 10: WHY SANDBOXING?
• Traditional network defenses are great at dealing with known threats and terrible at dealing with unknown threats.
• Unknown threats require dynamic analysis (aka detonation) in a virtual machine and/or a bare-metal or emulation sandbox.
• "By year-end 2016, 20% of enterprises will implement Windows containment mechanisms for end users handling untrusted content and code, up from less than 1% in 2013." (Gartner)
Slide 11: MALWARE APPLIANCE CORE TECHNOLOGY
• Hybrid analysis, unmatched intelligence: emulation and IntelliVM virtualization
• Behavioral patterns expose targeted attacks: detection patterns, open-source patterns, custom patterns
• Plug-in architecture extends detection and processing: interact with running malware; click through dialogs and installers
SandBox (emulation) vs. IntelliVM (virtualization), side by side:
• Software x86 emulator | Full Windows XP or Win 7 licensed software
• Hardware emulation | Hardware virtualization
• Generates numerous low-level events (page faults, exceptions, etc.) | Generates high-level events (file, registry, network, process, etc.)
• Emulated network access and services | Real network access and services
• Hook-based event introspection | KernelScout filter driver captures low-level events
• Add your own patterns | Add your own patterns
• Supports EXEs and DLLs | Wide range of file support
• Portable executable memory dumps | Extend processing with plugins
Slide 12: INTELLIVM PROFILES AND POWERFUL PLUGINS
• Supports multiple profiles for analysis: Windows 7 SP1 and Windows XP SP3
• Customize to closely match production environments: pilot patches, software rollouts and O/S upgrades; test with exact application versions, browsers, add-ons, etc.
• Flexibility to detect non-traditional threats: VM kernel- and application-level event monitoring; supports EXE, DLL, PDF, JAR, BAT and Office docs "out of the box"
• Extend custom processing with plugins: interact with malware before, during and after execution; hook detection, memory dumps, click-through dialogs and installers
Exercise malware within precisely tailored virtual environments to see its real effects on operations.
Slide 13: BEHAVIORAL DETECTION PATTERNS
• Generic and malware-campaign-specific patterns: Trojan, spyware, worm, ransomware
• Extensive pattern library: core patterns (incl. WebPulse info); create your own patterns; all matching patterns trigger; global and user-specific patterns
• Risk scoring: set by the highest matched pattern; scores update as new patterns arrive; script notification triggers for further action
Patterns can detect targeted and single-use malware and do not rely on signature-based detection methodologies.
Slide 14: MALWARE APPLIANCE KEY FEATURES
• Enterprise scalability: approximately 50,000 analysis tasks per day per appliance; automated bulk sample processing and risk scoring; parallel processing on up to 40 virtual machines per appliance
• Hybrid analysis: dual-detection methodology using the SandBox and IntelliVMs; replicate actual production environments, including custom applications
• Plugins: interact with malware, click through installers, extend custom processing
• Full-featured web UI, Analysis Desktop, searching and data mining
• Open patterns: detection criteria are never hidden; users can add custom patterns
• RESTful API: full programmatic access for integration and automation
• Pub-Sub API: secure notifications of analysis task status and task completion
• Remote management, security and health-status monitoring ease deployment
Slide 15: BUSINESS CASE
ProxySG + CAS + Malware Appliance: ProxySG, Content Analysis System, Malware Analysis Appliance.
Slide 16: CONTENT ANALYSIS SYSTEM: MULTI-LAYERED SECURITY FOR KNOWN & UNKNOWN THREATS (slide under revision)
Decision flow for unencrypted and encrypted ProxySG traffic:
1. WebPulse: from a known malicious site/malnet → BLOCK; not from a known malnet → pass to the Content Analysis System.
2. Application whitelist: on whitelist → ALLOW DELIVERY; not on whitelist → send to the malware signature databases.
3. Malware signature databases: known malware → BLOCK & UPDATE; not in the databases → allow further inspection by a sandbox.
4a. Blue Coat Malware Appliance sandbox: not malicious → ALLOW DELIVERY; malicious → UPDATE the malware signature databases & ALERT.
4b. Non-Blue Coat sandbox: not malicious → ALLOW DELIVERY; malicious → ALERT.
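Added example, not Blue Coat code and not a description of how CAS or the Malware Analysis Appliance are built internally: a small Python model of the layered decision flow on slide 16 combined with the pattern-scoring rules on slide 13 (every matching pattern fires, the risk score is the highest matched pattern's score) and the signature-database update that slide 17's "subsequent requests are blocked before download" depends on. The pattern names, scores, threshold, host names, hashes and sandbox events are all constructed for illustration; the real appliance event format and APIs are not shown here.

```python
"""Layered content-analysis flow, as an added illustration (not Blue Coat code).

Layers in slide-16 order: malnet reputation -> application whitelist ->
malware signature databases -> behavioral sandbox. Sandbox scoring follows
slide 13: all matching patterns fire and the risk score is the highest
matched pattern's score. A malicious verdict updates the signature database,
so a later copy of the same object is blocked without another detonation.
All pattern names, scores, thresholds and sample data are constructed.
"""
import hashlib
import re
from dataclasses import dataclass, field


@dataclass
class Sample:
    source_host: str      # host the proxy fetched the object from
    content: bytes        # the object itself
    sandbox_events: list  # (kind, detail) high-level events as a VM sandbox would report

    @property
    def sha256(self) -> str:
        return hashlib.sha256(self.content).hexdigest()


# Constructed behavioral patterns: (name, risk score, predicate over the event list).
PATTERNS = [
    ("persistence_run_key", 6,
     lambda ev: any(k == "registry" and "\\CurrentVersion\\Run" in d for k, d in ev)),
    ("drops_exe_in_temp", 4,
     lambda ev: any(k == "file" and d.lower().endswith(".exe") and "\\temp\\" in d.lower()
                    for k, d in ev)),
    ("beacon_to_raw_ip", 7,
     lambda ev: any(k == "network" and re.fullmatch(r"\d{1,3}(\.\d{1,3}){3}:\d+", d)
                    for k, d in ev)),
    ("spawns_shell", 3,
     lambda ev: any(k == "process" and d.lower().startswith("cmd.exe") for k, d in ev)),
]
MALICIOUS_THRESHOLD = 6  # assumed: a risk score at or above this is a malicious verdict


@dataclass
class Engine:
    malnets: set                                # known malicious hosts (reputation stand-in)
    whitelist: set                              # SHA-256 of known-good applications
    signatures: set                             # SHA-256 of known malware (AV database stand-in)
    alerts: list = field(default_factory=list)  # (sha256, risk, matched pattern names)

    def analyze(self, s: Sample) -> tuple:
        """Return (verdict, layer, reason), stopping at the first layer that decides."""
        if s.source_host in self.malnets:
            return ("BLOCK", "malnet", "known malicious site/malnet")
        h = s.sha256
        if h in self.whitelist:
            return ("ALLOW", "whitelist", "on application whitelist")
        if h in self.signatures:
            return ("BLOCK", "signature", "known malware")
        return self.detonate(s)

    def detonate(self, s: Sample) -> tuple:
        """Score sandbox events: all matching patterns fire, the highest score wins."""
        matched = [(name, score) for name, score, hit in PATTERNS if hit(s.sandbox_events)]
        risk = max((score for _, score in matched), default=0)
        names = ",".join(name for name, _ in matched) or "none"
        if risk >= MALICIOUS_THRESHOLD:
            self.signatures.add(s.sha256)                # UPDATE: later copies stop at the signature layer
            self.alerts.append((s.sha256, risk, names))  # ALERT
            return ("BLOCK", "sandbox", f"risk {risk} via {names}")
        return ("ALLOW", "sandbox", f"risk {risk} via {names}")


def run_demo() -> tuple:
    """Push six constructed samples through the engine; returns (engine, verdicts)."""
    good = b"constructed known-good installer"
    bad = b"constructed known-bad dropper"
    novel = b"constructed never-seen dropper"
    eng = Engine(
        malnets={"lure.malnet.example"},
        whitelist={hashlib.sha256(good).hexdigest()},
        signatures={hashlib.sha256(bad).hexdigest()},
    )
    dropper_events = [
        ("file", "C:\\Users\\u\\AppData\\Local\\Temp\\upd.exe"),
        ("registry", "HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\upd"),
        ("network", "203.0.113.5:8080"),
        ("process", "cmd.exe /c del upd.exe"),
    ]
    benign_events = [("file", "C:\\Users\\u\\Documents\\report.pdf"),
                     ("network", "cdn.example.net:443")]
    samples = [
        Sample("lure.malnet.example", novel, dropper_events),  # stopped by reputation
        Sample("vendor.example.com", good, []),                 # whitelisted
        Sample("files.example.org", bad, []),                   # known signature
        Sample("files.example.org", novel, dropper_events),     # detonated, scores 7
        Sample("mirror.example.net", novel, dropper_events),    # same bytes: signature hit now
        Sample("docs.example.com", b"quarterly report", benign_events),
    ]
    return eng, [eng.analyze(s) for s in samples]


if __name__ == "__main__":
    engine, verdicts = run_demo()
    for verdict, layer, reason in verdicts:
        print(f"{verdict:5} @ {layer:9} {reason}")
```

The fourth and fifth samples are the point: the first copy of the unknown dropper costs a full detonation, the second copy of the same bytes is stopped at the signature layer because the sandbox verdict was written back. Whether the first copy is held until the verdict arrives or delivered while analysis runs is a deployment decision the slide does not settle; the model above blocks synchronously.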
Slide 17: BLUE COAT NETWORK EFFECT
Benefits of the Blue Coat system:
- Subsequent requests/lures are blocked before download
- Performance improvements for CAS and the Malware Appliance, as further scans are not needed
- False positives are reduced, as filtering occurs prior to the sandbox
- WebPulse updates all Blue Coat SWGs for improved efficiency on ALL devices
Able to feed information TO and collect information FROM other vendors' devices.
Slide 18: COMPLETE ADVANCED THREAT PROTECTION
ProxySG + CAS + Malware Appliance + Solera Analytics: ProxySG, Content Analysis System, Malware Analysis Appliance, Security Analytics Platform.
Slide 19: ADVANCED THREAT PROTECTION SOLUTION: LIFECYCLE DEFENSE
The Blue Coat ATP solution delivers the industry's most comprehensive protection through the following:
1) Lifecycle Defense: protection that maps to three threat stages: real-time blocking for known threats and malware sources (malnets); advanced threat analysis for unknown threats; and dwell-time reduction for latent threats.
2) Adaptive Malware Analysis: dynamic APT protection that analyzes unknown threats and shares information with other systems in the security infrastructure to increase protection efficiency for unknown and latent threats.
3) Network Effect: APT information sharing between 75M users in 15,000 organizations through a feedback loop into the Blue Coat Global Intelligence Network.
Stage 1: Block & enforce all known threats. Stage 2: Detect & analyze unknown threats. Stage 3: Resolve & remediate threats discovered on the network. The Global Intelligence Network sits at the center.
Slide 20: CAS: COMPLETE ADVANCED THREAT PROTECTION
Slide 21: BLUE COAT ADVANCED THREAT PROTECTION
A complete and integrated portfolio of advanced threat protection technologies (need to add CAS & MAA pics):
• Blocking and prevention: Blue Coat ProxySG, Content Analysis System
• SSL visibility: Blue Coat SSL Visibility Appliance
• Sandbox: Malware Analysis Appliance
• Security Analytics Platform by Solera: Solera Appliances, Solera Storage Appliances, ThreatBLADES, Solera Central Manager
Slide 22: END
Kevin Flynn, Product Marketing, October 2013