The document discusses Blue Coat's Content Analysis System (CAS) and advanced threat protection solutions. It describes a 3-stage lifecycle defense approach to blocking known threats, analyzing unknown threats, and reducing the time to resolve latent threats. The CAS uses a multi-layered approach including application whitelisting, signature databases, and sandboxing to inspect both encrypted and unencrypted traffic. It also leverages the global intelligence of 75 million users. The complete solution integrates the CAS, Malware Analysis Appliance for sandboxing, and Solera security analytics platform to provide comprehensive advanced threat protection.

1. CONTENT ANALYSIS SYSTEM
AND
ADVANCED THREAT PROTECTION
Copyright © 2013 Blue Coat Systems Inc. All Rights Reserved.
1

2. EVOLVING LANDSCAPE
OF MODERN THREATS
TODAY’S
ADVANCED
THREAT
LANDSCAPE
Copyright © 2013 Blue Coat Systems Inc. All Rights Reserved.
2

3. ADVANCED THREAT PROTECTION
LIFECYCLE DEFENSE
STAGE 3
STAGE 1
Resolve &
Remediate
Threats
Discovered on
the Network
Block &
Enforce
All Known Threats
GLOBAL
INTELLIGENCE
NETWORK
STAGE 2
Detect &
Analyze
Unknown Threats
Copyright © 2013 Blue Coat Systems Inc. All Rights Reserved.
3

4. BUSINESS ASSURANCE TECHNOLOGY
Security and
Policy Enforcement
Center
Mobility
Empowerment
Center
Trusted
Applications
Center
Performance
Center
Resolution
Center
SG & SG-VA
Web Security Service
WebFilter
SSL Visibility
CAS, MAA, DLP
FW/IDS on X-Series
Mobile Device
Security Service
App Classification
Service
Web App Reverse
Proxy
MACH5
CacheFlow
PacketShaper
Reporter SW
Reporter Service
Intelligence Center
DeepSee Analytics
Appliance
BUSINESS ASSURANCE PLATFORM
• Open Environment for Best-of-Breed Solutions
• Threat, Web & Application Intelligence
• Proxy-Based Architecture
• Scalable Virtualization Platform
• Global Cloud Infrastructure
• Rich Security Analytics
Copyright © 2013 Blue Coat Systems Inc. All Rights Reserved.
4

5. CONTENT ANALYSIS SYSTEM
&
ADVANCED THREAT PROTECTION
What problems are we solving?
Average cost per lost data record from advanced attack is $222.
This is 27% more than cost from incidents of insider negligence
Average time to discover an advanced persistent threat is 80
days for a malicious breach
Average time to resolution is 123 days for a malicious breach
Current solutions try and solve the ATP problem via silos of
technology
Security defenses must align with each other, share
information and be adaptive
Copyright © 2013 Blue Coat Systems Inc. All Rights Reserved.
5

6. THE NEED FOR
NETWORK-CENTRIC CONTENT ANALYSIS
SANS Institute
“Utilize network-based anti-malware tools to analyze
all inbound traffic and filter out malicious content
before it arrives at the endpoint.”
Critical Controls For Effective Cyber Defense
- SANS Institute, March 2013
Network World
“So ultimately enterprise organizations need both
network and host-based advanced malware
defenses. Yeah, it's a lot of work but it's inevitable.”
Advanced Malware Protection: Network or Host?
- Network World, July 2012
Copyright © 2013 Blue Coat Systems Inc. All Rights Reserved.
6

7. CONTENT ANALYSIS SYSTEM
AntiMalware
WhiteListing
Sophos
Kaspersky
McAfee
Bit 9
Sand-Boxing
Off-Box
Local
Sand-Boxing
On-Box
& Cloud
Static Code
Analysis
On-Box
DRTR
Future
Future
Future
Norman
Content Analysis System
Expandable, Best of Breed, High Performance, Integrated Security Platform
Blue Coat Confidential
Copyright © 2013 Blue Coat Systems Inc. All Rights Reserved.
7

8. CONTENT ANALYSIS SYSTEM
Content
Analysis
System
CA-S400-A1
CAS Appliance
50 Mbps
CAS Appliance
100Mbps
CA--S400-A3
CA-S400-A4
CAS APPLIANCE
CAS SW LICENSE
Key
Components
and
Packaging
CA-S400-A2
MALWARE ANALYSIS
APPLIANCE
(Sandbox)
MALWARE ANALYSIS
NW LICENSE
LICENSE A
Single AV + Bit 9 license
(by user )
CAS Appliance CAS Appliance
500 Mbps
250 Mbps
or
LICENSE B
Dual AV + Bit 9 license
(by user )
or
MalwareAnalysis Appliance
MAA-S500-10
MalwareAnalysis Appliance
MAA-S400-10
Annual Subscription and Update Service @ 20% of HW List
Copyright © 2013 Blue Coat Systems Inc. All Rights Reserved.
8

9. CONTENT ANALYSIS SYSTEM
FLEXIBLE CHOICES
Choose Content
Analysis device
Content
Analysis
System
CA-S400-A1
CA-S400-A2
CA-S400-A3
CA-S400-A4
– 50Mbps
– 100Mbps
– 250Mbps
– 500Mbps
+
Select single or dual AV from
Kaspersky, McAfee or Sophos
Subscription
Services
Single AV + Bit 9 Whitelisting
Dual AV + Bit 9 Whitelisting
+
Select
Malware Analysis
Appliance
Malware
Analysis
Malware Analysis Appliance MAA-S400
Malware Analysis Appliance MAA-S500
Cloud & On-Box Sandboxing
Available Mid-2014
Copyright © 2013 Blue Coat Systems Inc. All Rights Reserved.
9

10. WHY SANDBOXING?
 Traditional network defenses are
great at dealing with knownthreats, terrible at dealing with
unknown-threats
 Unknown threats require dynamic
analysis (aka detonation) in the
form of a virtual machine and/or
bare-metal or emulation sandbox
 By year-end 2016, 20% of
enterprises will implement
Windows containment
mechanisms for end users
handling untrusted content and
code, up from less than 1% in
2013. Gartner
Copyright © 2013 Blue Coat Systems Inc. All Rights Reserved.
10

11. MALWARE APPLIANCE
CORE TECHNOLOGY
Hybrid Analysis
Unmatched intelligence

Emulation

IntelliVM virtualization
Behavioral Patterns
Expose targeted attacks

Detection patterns

Open source patterns

Custom patterns
Plug-in Architecture
Extend detection and processing

Interact with running malware

Click-through dialogs and installers
SandBox
IntelliVM
Software x86
emulator
Full Windows XP or
Win 7 licensed
software
Hardware emulation
Hardware virtualization
Generates numerous
low-level events –
page faults,
exceptions, etc.
Generates high-level
events – file, registry,
network, process, etc.
Emulated network
access and services
Real network access
and services
Hook-based event
introspection
KernelScout filter
driver captures lowlevel events
Add your own
patterns
Add your own patterns
Supports EXEs and
DLLs
Wide range of file
support
Portable executable
memory dumps
Extend processing
with plugins
Copyright © 2013 Blue Coat Systems Inc. All Rights Reserved.
11

12. INTELLI-VM PROFILES AND PLUG-INS
 Supports multiple profiles for AND analysis
INTELLIVM PROFILESpowerfulPLUGINS
• Windows 7 SP1 and Windows XP SP3
 Customize to closely match production environments
• Pilot patches, software rollouts, and O/S upgrades
• Test with exact application versions, browsers, add-ons, etc.
 Flexibility to detect non-traditional threats
• VM kernel and application-level event monitoring
• Supports EXE, DLL, PDF, JAR, BAT, and Office Docs “out of the box”
Extend custom processing with plugins
• Interact with malware before, during, and after execution
• Hook detection, memory dumps, click-through dialogs and installers
Exercise malware within precisely tailored virtual
environments to see its real effects on operations
Copyright © 2013 Blue Coat Systems Inc. All Rights Reserved.
12

13. BEHAVIORAL DETECTION PATTERNS
INTELLIVM PROFILES AND PLUGINS
 Generic and malware campaign specific patterns
• Trojan, spyware, worm, ransomware
 Extensive pattern library
•
•
•
•
Core patterns (incl. WebPulse info)
Create your own patterns
All matching patterns will trigger
Global and user-specific patterns
 Risk scoring
• Set by highest matched pattern
• Scores update with new patterns
• Script notification triggers for further action
Patterns can detect targeted and single-use
malware, and do not rely on signature-based
detection methodologies
Copyright © 2013 Blue Coat Systems Inc. All Rights Reserved.
13

14. MALWARE APPLIANCE
KEY FEATURES
Malware Appliance
Enterprise Scalability – Approximately 50,000 analysis tasks per day per appliance
– Automated bulk sample processing and risk scoring
– Parallel processing on up to 40 virtual machines per appliance
Hybrid Analysis – Superior threat dual-detection methodology using SandBox and VM
IntelliVMs – Replicate actual production environments including custom applications
Plugins – Interact with malware, click through installers, extend custom processing
Best-in-class full-featured Web-UI, Analysis Desktop, searching and data mining
Open Patterns – Detection criteria is never hidden; Users can add custom patterns
Powerful RESTful API – Full programmatic access for integration and automation
Pub-Sub API – Secure notifications of analysis task status and task completion
Remote management, security, and health status monitoring eases deployment
Copyright © 2013 Blue Coat Systems Inc. All Rights Reserved.
14

15. BUSINESS CASE
ProxySG+ CAS + Malware Appliance
Proxy SG
Content Analysis System
Malware Analysis Appliance
Copyright © 2013 Blue Coat Systems Inc. All Rights Reserved.
15

16. CONTENT ANALYSIS SYSTEM:
MULTI-LAYERED SECURITY
FOR KNOWN & UNKNOWN THREATS
Unencypted
& Encrypted
ProxySG
Traffic
Not From Known
Malicious
Site/Malnet
Content Analysis System
ALLOW Further
Inspection
Application
Whitelist
Not On Whitelist
Send To Malware
Signature Databases
Known Malware
BLOCK
& UPDATE
WebPulse
BLOCK
Known Malicious
Site/Malnet
On Whitelist
ALLOW
DELIVERY
Slide under revision
BlueCoat
Malware
Appliance
Sandbox
Not
Malicious
ALLOW
DELIVERY
Malicious
UPDATE &
ALERT
Malware
Signature
Databases
Not On Malware
Signature
Databases
Allow Further
Inspection
Non-BlueCoat
Sandbox
Not
Malicious
ALLOW
DELIVERY
Malicious
ALERT
Copyright © 2013 Blue Coat Systems Inc. All Rights Reserved.
16

17. BLUECOAT NETWORK EFFECT
Benefits Of BlueCoat System
- Subsequent requests/lures
are blocked before download
- Performance improvements
for CAS and Malware Appliance
as further scans are not needed.
- False positives are reduced as filtering
occurs prior to the sandbox
- Webpulse updates all BlueCoat
SWG s for improved efficiency
on ALL devices
Able to feed information TO and collect
information FROM other vendor’s devices
Copyright © 2013 Blue Coat Systems Inc. All Rights Reserved.
17

18. COMPLETE
ADVANCED THREAT PROTECTION
ProxySG+ CAS + Malware Appliance + Solera Analytics
Security Analytics
Platform
Proxy SG
Content Analysis System
Malware Analysis Appliance
Copyright © 2013 Blue Coat Systems Inc. All Rights Reserved.
18

19. ADVANCED THREAT PROTECTION SOLUTION
LIFECYCLE DEFENSE
The Blue Coat ATP solution delivers the
industry’s most comprehensive
protection through the following:
1) Lifecycle Defense: Protection that
maps to three threat stages: Realtime blocking for known threats and
malware sources (malnets);
Advanced threat analysis for
unknown threats; and Dwell time
reduction for latent threats
2) Adaptive Malware Analysis:
Dynamic APT protection that
analyzes unknown threats and
shares information with other
systems in the security infrastructure
to increase protection efficiency for
unknown and latent threats
3) Network Effect: APT information
sharing between 75M users in
15,000 organizations through a
feedback loop into the Blue Coat
Global Intelligence Network
STAGE 3
STAGE 1
Resolve &
Remediate
Threats
Discovered on
the Network
Block &
Enforce
All Known Threats
GLOBAL
INTELLIGENCE
NETWORK
STAGE 2
Detect &
Analyze
Unknown Threats
Copyright © 2013 Blue Coat Systems Inc. All Rights Reserved.
19

20. CAS
COMPLETE
ADVANCED THREAT PROTECTION
Copyright © 2013 Blue Coat Systems Inc. All Rights Reserved.
20

21. BLUE COAT
ADVANCED THREAT PROTECTION
A Complete and Integrated
Portfolio of Advanced Threat
Protection Technologies
(need to add CAS & MAA pics)
Blocking and Prevention
SSL Visibility
Blue Coat SSL
Visibility
Appliance
Sandbox
Malware Analysis
Appliance
Blue Coat ProxySG
Content Analysis System
Security Analytics Platform by Solera
Solera
Appliances
Solera Storage
Appliances
ThreatBLADES
Solera Central
Manager
Copyright © 2013 Blue Coat Systems Inc. All Rights Reserved.
21

22. END
KEVIN FLYNN
PRODUCT MARKETING
OCTOBER, 2013
Copyright © 2013 Blue Coat Systems Inc. All Rights Reserved.
22