Content Analysis System and Advanced Threat Protection

CONTENT ANALYSIS SYSTEM
AND
ADVANCED THREAT PROTECTION

Copyright © 2013 Blue Coat Systems Inc. All Rights Reserved.

1

EVOLVING LANDSCAPE
OF MODERN THREATS

TODAY’S
ADVANCED
THREAT
LANDSCAPE


2

LIFECYCLE DEFENSE

STAGE 3

STAGE 1

Resolve &
Remediate
Threats
Discovered on
the Network

Block &
Enforce
All Known Threats
GLOBAL
INTELLIGENCE
NETWORK

STAGE 2
Detect &
Analyze
Unknown Threats


3

BUSINESS ASSURANCE TECHNOLOGY

Security and
Policy Enforcement
Center

Mobility
Empowerment
Center

Trusted
Applications
Center

Performance
Center

Resolution
Center

SG & SG-VA
Web Security Service
WebFilter
SSL Visibility
CAS, MAA, DLP
FW/IDS on X-Series

Mobile Device
Security Service

App Classification
Service
Web App Reverse
Proxy

MACH5
CacheFlow
PacketShaper

Reporter SW
Reporter Service
Intelligence Center
DeepSee Analytics
Appliance

BUSINESS ASSURANCE PLATFORM
• Open Environment for Best-of-Breed Solutions

• Threat, Web & Application Intelligence

• Proxy-Based Architecture

• Scalable Virtualization Platform

• Global Cloud Infrastructure

• Rich Security Analytics


4

&

What problems are we solving?
Average cost per lost data record from advanced attack is $222.
This is 27% more than cost from incidents of insider negligence
Average time to discover an advanced persistent threat is 80
days for a malicious breach
Average time to resolution is 123 days for a malicious breach

Current solutions try and solve the ATP problem via silos of
technology

Security defenses must align with each other, share
information and be adaptive

5

THE NEED FOR
NETWORK-CENTRIC CONTENT ANALYSIS

SANS Institute
“Utilize network-based anti-malware tools to analyze
all inbound traffic and filter out malicious content
before it arrives at the endpoint.”
Critical Controls For Effective Cyber Defense
- SANS Institute, March 2013

Network World
“So ultimately enterprise organizations need both
network and host-based advanced malware
defenses. Yeah, it's a lot of work but it's inevitable.”
Advanced Malware Protection: Network or Host?
- Network World, July 2012

6


AntiMalware

WhiteListing

Sophos
Kaspersky
McAfee

Bit 9

Sand-Boxing
Off-Box
Local

Sand-Boxing
On-Box
& Cloud

Static Code
Analysis

On-Box
DRTR

Future

Future

Future

Norman

Content Analysis System
Expandable, Best of Breed, High Performance, Integrated Security Platform

Blue Coat Confidential

7


Content
Analysis
System

CA-S400-A1

CAS Appliance
50 Mbps

CAS Appliance
100Mbps

CA--S400-A3

CA-S400-A4

CAS APPLIANCE

CAS SW LICENSE

Key
Components
and
Packaging

CA-S400-A2

MALWARE ANALYSIS
APPLIANCE
(Sandbox)

MALWARE ANALYSIS
NW LICENSE

LICENSE A
Single AV + Bit 9 license
(by user )

CAS Appliance CAS Appliance
500 Mbps
250 Mbps

or

LICENSE B
Dual AV + Bit 9 license
(by user )

or
MalwareAnalysis Appliance
MAA-S500-10

MalwareAnalysis Appliance
MAA-S400-10

Annual Subscription and Update Service @ 20% of HW List


8

FLEXIBLE CHOICES

Choose Content
Analysis device

Content
Analysis
System

CA-S400-A1
CA-S400-A2
CA-S400-A3
CA-S400-A4

– 50Mbps
– 100Mbps
– 250Mbps
– 500Mbps

+
Select single or dual AV from
Kaspersky, McAfee or Sophos

Subscription
Services

Single AV + Bit 9 Whitelisting
Dual AV + Bit 9 Whitelisting

+
Select
Malware Analysis
Appliance

Malware
Analysis

Malware Analysis Appliance MAA-S400
Malware Analysis Appliance MAA-S500

Cloud & On-Box Sandboxing
Available Mid-2014

9

WHY SANDBOXING?
 Traditional network defenses are
great at dealing with knownthreats, terrible at dealing with
unknown-threats
 Unknown threats require dynamic
analysis (aka detonation) in the
form of a virtual machine and/or
bare-metal or emulation sandbox
 By year-end 2016, 20% of
enterprises will implement
Windows containment
mechanisms for end users
handling untrusted content and
code, up from less than 1% in
2013. Gartner

10

MALWARE APPLIANCE
CORE TECHNOLOGY
Hybrid Analysis
Unmatched intelligence


Emulation



IntelliVM virtualization

Behavioral Patterns
Expose targeted attacks


Detection patterns



Open source patterns



Custom patterns

Plug-in Architecture
Extend detection and processing


Interact with running malware



Click-through dialogs and installers

SandBox

IntelliVM

Software x86
emulator

Full Windows XP or
Win 7 licensed
software

Hardware emulation

Hardware virtualization

Generates numerous
low-level events –
page faults,
exceptions, etc.

Generates high-level
events – file, registry,
network, process, etc.

Emulated network
access and services

Real network access
and services

Hook-based event
introspection

KernelScout filter
driver captures lowlevel events

Add your own
patterns

Add your own patterns

Supports EXEs and
DLLs

Wide range of file
support

Portable executable
memory dumps

Extend processing
with plugins


11

INTELLI-VM PROFILES AND PLUG-INS
 Supports multiple profiles for AND analysis
INTELLIVM PROFILESpowerfulPLUGINS
• Windows 7 SP1 and Windows XP SP3

 Customize to closely match production environments
• Pilot patches, software rollouts, and O/S upgrades
• Test with exact application versions, browsers, add-ons, etc.

 Flexibility to detect non-traditional threats
• VM kernel and application-level event monitoring
• Supports EXE, DLL, PDF, JAR, BAT, and Office Docs “out of the box”

Extend custom processing with plugins
• Interact with malware before, during, and after execution

• Hook detection, memory dumps, click-through dialogs and installers

Exercise malware within precisely tailored virtual
environments to see its real effects on operations

12

BEHAVIORAL DETECTION PATTERNS

INTELLIVM PROFILES AND PLUGINS
 Generic and malware campaign specific patterns
• Trojan, spyware, worm, ransomware

 Extensive pattern library
•
•
•
•

Core patterns (incl. WebPulse info)
Create your own patterns
All matching patterns will trigger
Global and user-specific patterns

 Risk scoring
• Set by highest matched pattern
• Scores update with new patterns
• Script notification triggers for further action

Patterns can detect targeted and single-use
malware, and do not rely on signature-based
detection methodologies

13

MALWARE APPLIANCE
KEY FEATURES
Malware Appliance
Enterprise Scalability – Approximately 50,000 analysis tasks per day per appliance
– Automated bulk sample processing and risk scoring
– Parallel processing on up to 40 virtual machines per appliance
Hybrid Analysis – Superior threat dual-detection methodology using SandBox and VM
IntelliVMs – Replicate actual production environments including custom applications
Plugins – Interact with malware, click through installers, extend custom processing
Best-in-class full-featured Web-UI, Analysis Desktop, searching and data mining
Open Patterns – Detection criteria is never hidden; Users can add custom patterns
Powerful RESTful API – Full programmatic access for integration and automation
Pub-Sub API – Secure notifications of analysis task status and task completion
Remote management, security, and health status monitoring eases deployment


14

BUSINESS CASE

ProxySG+ CAS + Malware Appliance

Proxy SG

Malware Analysis Appliance


15

CONTENT ANALYSIS SYSTEM:
MULTI-LAYERED SECURITY
FOR KNOWN & UNKNOWN THREATS
Unencypted
& Encrypted
ProxySG
Traffic

Not From Known
Malicious
Site/Malnet


ALLOW Further
Inspection

Application
Whitelist

Not On Whitelist
Send To Malware
Signature Databases

Known Malware
BLOCK
& UPDATE

WebPulse
BLOCK
Known Malicious
Site/Malnet

On Whitelist
ALLOW
DELIVERY

Slide under revision

BlueCoat
Malware
Appliance
Sandbox

Not
Malicious
ALLOW
DELIVERY

Malicious
UPDATE &
ALERT

Malware
Signature
Databases
Not On Malware
Signature
Databases
Allow Further
Inspection

Non-BlueCoat
Sandbox

Not
Malicious
ALLOW
DELIVERY

Malicious
ALERT


16

BLUECOAT NETWORK EFFECT

Benefits Of BlueCoat System
- Subsequent requests/lures
are blocked before download
- Performance improvements
for CAS and Malware Appliance
as further scans are not needed.
- False positives are reduced as filtering
occurs prior to the sandbox
- Webpulse updates all BlueCoat
SWG s for improved efficiency
on ALL devices

Able to feed information TO and collect
information FROM other vendor’s devices

17

COMPLETE

ProxySG+ CAS + Malware Appliance + Solera Analytics

Security Analytics
Platform

Proxy SG

Malware Analysis Appliance


18

ADVANCED THREAT PROTECTION SOLUTION
LIFECYCLE DEFENSE
The Blue Coat ATP solution delivers the
industry’s most comprehensive
protection through the following:
1) Lifecycle Defense: Protection that
maps to three threat stages: Realtime blocking for known threats and
malware sources (malnets);
Advanced threat analysis for
unknown threats; and Dwell time
reduction for latent threats
2) Adaptive Malware Analysis:
Dynamic APT protection that
analyzes unknown threats and
shares information with other
systems in the security infrastructure
to increase protection efficiency for
unknown and latent threats
3) Network Effect: APT information
sharing between 75M users in
15,000 organizations through a
feedback loop into the Blue Coat
Global Intelligence Network

STAGE 3

STAGE 1

Resolve &
Remediate
Threats
Discovered on
the Network

Block &
Enforce
All Known Threats
GLOBAL
INTELLIGENCE
NETWORK

STAGE 2
Detect &
Analyze
Unknown Threats


19

CAS

COMPLETE


20

BLUE COAT
A Complete and Integrated
Portfolio of Advanced Threat
Protection Technologies
(need to add CAS & MAA pics)
Blocking and Prevention

SSL Visibility
Blue Coat SSL
Visibility
Appliance

Sandbox
Malware Analysis
Appliance

Blue Coat ProxySG


Security Analytics Platform by Solera

Solera
Appliances

Solera Storage
Appliances

ThreatBLADES

Solera Central
Manager

21

END

KEVIN FLYNN
PRODUCT MARKETING

OCTOBER, 2013


22

Content Analysis System and Advanced Threat Protection

Recomendados

Recomendados

Mais conteúdo relacionado

Mais procurados

Mais procurados (20)

Destaque

Destaque (10)

Semelhante a Content Analysis System and Advanced Threat Protection

Semelhante a Content Analysis System and Advanced Threat Protection (20)

Último

Último (20)

Content Analysis System and Advanced Threat Protection

Notas do Editor