
Revolutionizing Advanced Threat Protection


Published in: Technology

  1. REVOLUTIONIZING ADVANCED THREAT PROTECTION – A New, Modern Approach. Blue Coat Advanced Threat Protection Group. Grant Asplund, Senior Technology Evangelist
  4. IMPROVED – Smarter | Faster | Stronger
     • Rootkits
     • Virtual machine detection
     • Line-by-line debugger detection
     • Re-writes host file
     • Multi-packed, one-time, encrypted
     • Fuzzing
     • Reverse engineering
     • Code auditing
  5. THE INVISIBLE THREATS – The majority of APTs operate over SSL; 20–70% of traffic is encrypted. Threats we can’t see…
  7. TODAY’S ENTERPRISE USER – Average number of personal mobile devices used for work by enterprise employees.
  10. POST-PREVENTION SECURITY GAP
     • Threat actors: Nation states, Cybercriminals, Hacktivists, Insider threats
     • Signature-based security “picket fence”: Host AV, NGFW, IDS/IPS, DLP, SIEM, Email Gateway, Web Application Firewall, Web Gateway
     • Traditional threats: Known threats, known malware, known files, known IPs/URLs
     • Advanced threats: Novel malware, zero-day threats, targeted attacks, modern TTPs
     • Modern, post-prevention security: Context, Content, Visibility, Detection, Intelligence
  11. THE WINDOW OF OPPORTUNITY
     • Initial attack to compromise: Seconds 11% | Minutes 13% | Hours 60% | Days 13% | Weeks 2% (84% within hours)
     • Initial compromise to discovery: Hours 9% | Days 11% | Weeks 12% | Months 62% | Years 4% (78% weeks or longer)
  12. Proof of the Problem
  13. CURRENT SOLUTIONS OPERATE IN SILOS – Technology and organizational silos limit current defenses.
  14. DREADED QUESTIONS FROM THE CISO
     • Who did this to us?
     • How did they do it?
     • What systems and data were affected?
     • Can we be sure it is over?
     • Can it happen again?
  15. PROTECTING AGAINST ADVANCED THREATS WITH ‘CRIME’
     ‘CRIME’ methodology: Context, Root Cause, Impact, Mitigation, Eradication
     • Faster time-to-action
     • Faster time to react/respond
     • Greater ability to reduce/minimize/eliminate impact!
  16. SECURITY SHIFTS TO SWIFT RESPONSE – Percentage of enterprise IT security budgets allocated to rapid-response approaches by 2020. — Gartner 2013
  17. ADVANCED THREAT PROTECTION USE CASES
     Questions: Who? When? What? Where? How? Target(s)? Who else? Is it over? What else? How long?
     • Continuous Monitoring
     • Situational Awareness
     • Incident Response
     • Data Loss Monitoring & Analysis
     • Policy Compliance
     • Cyber Threat Protection
  19. SITUATION
     • BIG DATA SECURITY IS HERE – Volume, velocity and variety
     • WHAT KEPT US SECURE – Has stopped working
     • GOOD OR BAD SECURITY – Is irrelevant with an attacker’s resources & motivation
     • MODERN ADVANCED THREAT PROTECTION – Is the new imperative
  20. POSITION – “Fixed fortifications are monuments to man’s stupidity.” — General George S. Patton
  21. BUSINESS ASSURANCE TECHNOLOGY
     • Security & Policy Enforcement Center: Web Gateway & Orchestration (SWG), Web & Network Protection, SSL Interception
     • Mobility Empowerment Center: Web Gateway Mobile Expander, Mobile Protection
     • Trusted Applications Center: Application Management, Business Application Enablement
     • Performance Center: WAN/Video Optimization, Cache optimization, Shaping
     • Resolution Center: Vulnerability Expertise Services, Case Analyst Workflow, Reporting and Management
     • Cloud; Mobility
     • Security Analytics Platform by Solera (formerly DeepSee): Cloud; 15,000 customers; 80M users; VM, Appliance, X-Beam platforms
     • Business Assurance Platform: 33 worldwide PoPs; 84% of Fortune 500, 90% FedGov
     • ThreatBLADES – Blue Coat Advanced Threat Protection: WebThreat, MailThreat, FileThreat, ATP Suite, Custom Analytics, Malware Analysis, SSL Visibility, Content Analysis System
  22. MODERN ADVANCED THREAT PROTECTION
     • Complete Web Control: Web Security, Content Analysis, Real-time Blocking
     • Advanced Malware Detection: White/Blacklists, Sandboxing, Feeds
     • Visual Insight: Context, Real-time Awareness, IOCs, Alerts
     • Full Packet Capture: Layer 2–7 Indexing & Classification
     Stack: Threat Intelligence | Security Visibility | Big Data Security Analytics | Blocking and Enforcement | Network Effect Integration Layer
  23. MODERN ADVANCED THREAT PROTECTION – Security Visibility
     • Full packet capture
     • Layers 2–7 indexing
     • Deep packet inspection
     • Session reconstruction
     • Scalability and performance
     • Single pane of glass
  24. MODERN ADVANCED THREAT PROTECTION – Big Data Security Analytics
     • Heuristic detection
     • Statistical analysis
     • Inferential reporting
     • Context-aware analysis
     • IOCs & TTPs
     • Visual insight
  25. MODERN ADVANCED THREAT PROTECTION – Threat Intelligence
     • Real-time white/black lists
     • Sandbox detonation
     • On-premises or cloud-based
     • External data enrichment
     • Dynamic Intelligence Cloud
     • Machine-learning architecture
  26. MODERN ADVANCED THREAT PROTECTION – Blocking and Enforcement
     • Scan, block and cache
     • Inline AV with feedback loop
     • Obscure sensitive data or block
     • Web and application controls
     • Best-of-breed perimeter blocking
     • Granular customization
  27. MODERN ADVANCED THREAT PROTECTION – Network Effect and Integration Layer. Network effect and integration deliver:
     • Security ecosystem
     • Context-aware security
     • Adaptive security
     • Enhanced existing investments
     • Integrated workflow automation
  28. BLUE COAT ADVANCED THREAT PROTECTION – THE SECURITY CAMERA FOR YOUR NETWORK. Turning complexity into context.
     • Full Visibility: Before, During & After the Attack
     • Big Data Security Analytics: Collect, Analyze & Store
     • Threat Intelligence: Web, File, Email & Malware Reputation
     • Real-time & Retrospective Analysis & Resolution
     • Simple, Flexible & Extensible
  29. Advanced Threat Protection – Improving Real-World Use Cases
     • INTEGRATED ECOSYSTEM: Situational Awareness, Incident Response, Policy & ITGRC, Data Loss Monitoring & Analysis, Advanced Malware Detection, Continuous Monitoring
     • ANALYTICS AND INTELLIGENCE: Collect & Warehouse, Investigate, Alert & Report
     • ENRICHMENT: Technology Partners, File Analysis & IP Reputation, Malware Sandboxing
     • FLEXIBLE FORM FACTORS: Hardware, Software, Virtual Machines
     • Web Control and Security Enforcement
  30. BLUE COAT THREATBLADES – Three new ThreatBLADES for unbeatable Advanced Threat Protection…
  31. WEB, MAIL & FILE THREAT IDENTIFICATION
     • WebThreat BLADE inspects all HTTP or HTTPS traffic and identifies malicious communications and files
     • FileThreat BLADE inspects all FTP and SMB traffic for malicious communications and files
     • MailThreat BLADE inspects all SMTP, POP3 and IMAP traffic for malicious communications and files
     • If there is no clear verdict on content, suspicious files are delivered to a hybrid sandbox (Malware Analysis Appliance) for analysis
  34. ADVANCED THREAT PROTECTION LIFECYCLE DEFENSE
     GLOBAL INTELLIGENCE NETWORK
     • Security & Policy Enforcement Center: ProxySG & SG-VA, Web Security Service, WebFilter, Content Analysis, Malware Analysis, SSL Visibility, Content Analysis, DLP, FW/IDS on X-Series
     • Resolution Center: Reporter SW, Reporter Service, Intelligence Center, Advanced Threat Protection Appliance
     Lifecycle:
     • Ongoing Operations – Detect & Protect – Block all known threats
     • Incident Containment – Analyze & Mitigate – Novel threat interpretation
     • Incident Resolution – Investigate & Remediate – Breach threat profiling & eradication
     Outcomes:
     • Now-known threats blocked at the gateway
     • Fewer threats to contain and resolve
     • Increased system performance through fewer malware scans
     • More robust threat analysis with fewer false positives
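Slides 31 and 34 together describe a loop: each ThreatBLADE inspects its own protocols, content with no clear verdict is handed to the sandbox, and the sandbox's finding is written back so the now-known threat is blocked at the gateway on its next sighting without another scan. The Python sketch below is an added illustration of that loop, not Blue Coat's code or configuration: the protocol-to-blade mapping, the hash allowlist/blocklist lookup, the `toy_sandbox` heuristic, the sample payloads and every class and function name are assumptions constructed for the example.

```python
"""Protocol-to-blade routing with a sandbox feedback loop.

Added illustration (not Blue Coat code): known-good and known-bad hash lists
give a fast verdict, unknown content is queued for the sandbox once, and the
sandbox verdict is written back so the next sighting is decided at the gateway.
"""
import hashlib
from dataclasses import dataclass, field

# Which inspection point (blade) sees which transport protocol; an assumption
# modelled on the slide text, not a product configuration.
BLADE_FOR_PROTOCOL = {
    "http": "WebThreat", "https": "WebThreat",
    "ftp": "FileThreat", "smb": "FileThreat",
    "smtp": "MailThreat", "pop3": "MailThreat", "imap": "MailThreat",
}

# Constructed sample payloads; the marker text stands in for whatever a real
# sandbox would observe during detonation.
SAMPLE_BAD = b"MZ...CONSTRUCTED-SAMPLE: drops payload, beacons out"
SAMPLE_GOOD = b"CONSTRUCTED-SAMPLE: quarterly report, plain text"


@dataclass
class Observation:
    protocol: str   # transport the file was seen on
    filename: str
    content: bytes


@dataclass
class Verdict:
    blade: str      # which blade produced the verdict
    action: str     # "allow", "block" or "sandbox"
    reason: str
    sha256: str


def toy_sandbox(content: bytes) -> bool:
    """Stand-in for the Malware Analysis Appliance (hypothetical heuristic)."""
    return b"beacons out" in content


@dataclass
class Gateway:
    allowlist: set = field(default_factory=set)   # known-good hashes (feeds)
    blocklist: set = field(default_factory=set)   # known-bad hashes (feeds + sandbox)
    sandbox_queue: dict = field(default_factory=dict)
    sandbox_submissions: int = 0

    def inspect(self, obs: Observation) -> Verdict:
        blade = BLADE_FOR_PROTOCOL.get(obs.protocol.lower())
        if blade is None:
            raise ValueError(f"no blade inspects protocol {obs.protocol!r}")
        digest = hashlib.sha256(obs.content).hexdigest()
        if digest in self.blocklist:
            return Verdict(blade, "block", "hash on blocklist", digest)
        if digest in self.allowlist:
            return Verdict(blade, "allow", "hash on allowlist", digest)
        # No clear verdict from the lists: hand the file to the sandbox, once.
        if digest not in self.sandbox_queue:
            self.sandbox_queue[digest] = obs
            self.sandbox_submissions += 1
        return Verdict(blade, "sandbox", "unknown hash, queued for detonation", digest)

    def drain_sandbox(self) -> list:
        """Detonate everything queued and write the verdicts back to the lists."""
        results = []
        for digest, obs in list(self.sandbox_queue.items()):
            malicious = toy_sandbox(obs.content)
            (self.blocklist if malicious else self.allowlist).add(digest)
            del self.sandbox_queue[digest]
            results.append((obs.filename, "malicious" if malicious else "clean"))
        return results


def run_demo() -> list:
    """First sighting goes to the sandbox; later sightings are decided at the gateway."""
    gw = Gateway()
    actions = []
    actions.append(gw.inspect(Observation("https", "invoice.exe", SAMPLE_BAD)).action)
    actions.append(gw.inspect(Observation("smb", "report.txt", SAMPLE_GOOD)).action)
    gw.drain_sandbox()
    # The same content reappears over mail and FTP: decided without another sandbox run.
    actions.append(gw.inspect(Observation("smtp", "invoice.exe", SAMPLE_BAD)).action)
    actions.append(gw.inspect(Observation("ftp", "report.txt", SAMPLE_GOOD)).action)
    return actions + [gw.sandbox_submissions]


if __name__ == "__main__":
    print(run_demo())  # ['sandbox', 'sandbox', 'block', 'allow', 2]
```

The point of the `sandbox_submissions` counter is the slide's "fewer malware scans" claim: once a hash has a verdict, repeated sightings over any protocol cost a set lookup rather than a detonation, and a second sighting that arrives while the first is still in the queue is not submitted twice.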
  35. USE CASES
  36. OVERSTOCK.COM
     “…using root cause analysis from Solera Networks, we were able to pinpoint how the exploit occurred, understand the full scope of the problem, and completely prevent that exploit from ever happening again…”
     REQUIREMENTS
     • Identify attacks that passed preventative controls
     • Remediate all infected systems quickly
     • Ensure that preventative controls are working
     SOLUTION
     • Deployed various Solera Security Analytics form factors
     • Built an IR process around Solera Security Analytics
     • Integrated Solera with log management and IPS
     VALUE
     • Identified nefarious activity sourced from inside and outside the network
     • Pinpointed “all” compromised systems through root cause analysis
     • Conducted assurance testing on preventative controls by replaying malicious packets on a shadow network
  37. US COAST GUARD
     REQUIREMENTS
     • Enhance threat detection
     • Reduce threat acquisition window
     • Improve team effectiveness
     SOLUTION
     • Integrated with existing McAfee NSM (IPS) solution
     • Employed 100% data capture
     • Built custom reports for rapid analysis
     VALUE
     • Reduced threat identification time by 60%
     • Reduced threat remediation time by 75%
     • Allowed for more unified threat management across disparate internal teams through the use of reporting
  38. JEFFERIES GLOBAL INVESTMENT BANKING
     REQUIREMENTS
     • Streamline monitoring of a dozen international locations
     • Provide workflow that supports multiple analysts
     • Integrate with FireEye and Blue Coat ProxySG, WebPulse & SSL Visibility
     SOLUTION
     • Consolidated incident detection and response
     • Supported several months of packet and metadata retention
     • Improved ROI & ROSI through integration
     VALUE
     • Improved incident responder workflow with reduced response times
     • Leveraged fewer FTEs for tactical analysis; strategically repurposed other FTEs
     • Achieved holistic visibility across network traffic, users and data (files, IM, voice, etc.)
  39. US AIR FORCE
     REQUIREMENTS
     • Monitor all major Internet gateways
     • Support over 50 concurrent analysts with disparate privileges/visibility
     • Use APIs to integrate with COTS, GOTS, and open source security solutions
     SOLUTION
     • Provided tiered, centralized management
     • Supported lossless capture on multiple 10 gigabit networks
     • Integrated with 3rd-party solutions such as ArcSight
     VALUE
     • Deployed with 100% situational awareness with a small (green) footprint
     • Utilized RBAC via LDAP for granular access control
     • Passed multiple, stringent military testing and certification criteria
     • Replaced incumbent solution based on scalability, capability and footprint
  41. THANK YOU! Grant Asplund | 206-612-8652 | Twitter: @gasplund | LinkedIn: