BLUECOAT ATP SOLUTION
LIANG-JUN TSENG
BlueCoat Systems
Copyright © 2013 Blue Coat Systems Inc. All Rights Reserved.
APT / ATP
APT (Advanced Persistent Threat)
An APT attack is a strategic, multi-faceted intrusion. It is usually long-running and continuous rather than a single event, so the defenses must pay close attention at every level of detail, and an organization cannot relax its guard just because one incident has been resolved.
ATP (Advanced Threat Protection)
Advanced threat protection hardens the network through security and policy enforcement, providing defense across the full lifecycle of a threat.
An advanced threat protection solution must:
• Block known advanced persistent threats (APTs)
• Proactively detect unknown and already-present malware
• Automate post-intrusion incident containment and resolution
OPERATIONS & INCIDENT RESPONSE
DIFFERENT BUDGETS
Bring the Groups Together!
INTEGRATED
A Complete and Integrated Portfolio of Modern Advanced Threat Protection Solutions
• SSL Visibility: Blue Coat SSL Visibility Appliance
• Blocking and Prevention: Blue Coat ProxySG; Content Analysis System
• Malware Analysis Appliance: Blue Coat Malware Analysis Appliance
• Security Analytics Platform by Solera: Security Analytics Appliances; Security Analytics Storage; ThreatBLADES; Security Analytics Central Manager
CONTENT ANALYSIS (CAS) & MALWARE ANALYSIS (MAA)
CONTENT ANALYSIS SYSTEM & MALWARE ANALYSIS SYSTEM
Key Components and Packaging
CAS APPLIANCE (Content Analysis System)
  CA-S400-A1   50 Mbps
  CA-S400-A2   100 Mbps
  CA-S400-A3   250 Mbps
  CA-S400-A4   500 Mbps
CAS SW LICENSE
  Single AV + Whitelist (per user), or
  Dual AV + Whitelist (per user)
MALWARE ANALYSIS APPLIANCE (Sandbox)
  MAA-S400-10
  MAA-S500-10
MALWARE ANALYSIS LICENSE
  Annual Pattern Update Subscription (per box)
ADVANCED THREAT PROTECTION “LIFECYCLE DEFENSE”
Advanced Web Gateway: Detect & Protect (block all known threats)
• ProxySG + BCWF
• Content Analysis System
Security Analytics: Incident Containment (analyze & mitigate)
• Novel threat interpretation
• Hybrid on-prem malware analysis: Malware Analysis Appliance
Incident Resolution: Ongoing Operations (investigate & remediate the breach)
• Threat profiling & eradication
• DeepSee Platform (Solera) with ThreatBlades for non-web protocols
GLOBAL INTELLIGENCE NETWORK: new real-time threat intelligence shared locally and globally
ATP INTEGRATED SOLUTION
Components in the diagram: Internet, ProxySG, Internal Network, Content Analysis System, Malware Analysis Appliance, Security Analytics Platform with Blue Coat ThreatBLADES, WebPulse.
• ProxySG sits between the Internet and the internal network and hands content to the Content Analysis System over ICAP / S-ICAP (ICAP over SSL).
• An HTTPS API links the appliances, for flexible/scalable deployment.
• Threat data sent to WebPulse: file hash, URL, time stamp, file name.
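As an added example, not code from this deck or from Blue Coat: the ICAP RESPMOD exchange that the ProxySG-to-CAS hand-off above relies on, built and interpreted in Python. RFC 3507 defines the framing (the Encapsulated offsets, chunked body, and the 204 "unmodified" reply); the service URL icap://cas.example.internal:1344/avscan, the HTTP headers and body, and the X-Infection-Found reply header are constructed assumptions in the style scanners commonly use.

```python
"""Build an ICAP RESPMOD request and interpret the scanner's reply (RFC 3507)."""
import re
from urllib.parse import urlsplit

CRLF = b"\r\n"

# Constructed sample: the HTTP exchange the proxy saw for a file download.
REQ_HDR = b"GET /files/setup.exe HTTP/1.1\r\nHost: downloads.example.com\r\n\r\n"
RES_HDR = b"HTTP/1.1 200 OK\r\nContent-Type: application/octet-stream\r\n\r\n"
BODY = b"MZ" + b"\x90" * 60 + b"constructed sample payload"


def chunked(body: bytes, chunk_size: int = 4096) -> bytes:
    """ICAP encapsulated bodies use HTTP/1.1 chunked encoding; '0\\r\\n\\r\\n' ends them."""
    out = bytearray()
    for i in range(0, len(body), chunk_size):
        piece = body[i:i + chunk_size]
        out += b"%x" % len(piece) + CRLF + piece + CRLF
    out += b"0" + CRLF + CRLF
    return bytes(out)


def build_respmod(service_url: str, req_hdr: bytes, res_hdr: bytes, body: bytes) -> bytes:
    """RESPMOD carries the original request headers, the response headers and the
    response body; the Encapsulated header states each section's byte offset."""
    host = urlsplit(service_url).hostname or ""
    encapsulated = b"req-hdr=0, res-hdr=%d, res-body=%d" % (
        len(req_hdr), len(req_hdr) + len(res_hdr))
    icap_hdr = CRLF.join([
        b"RESPMOD " + service_url.encode() + b" ICAP/1.0",
        b"Host: " + host.encode(),
        b"Allow: 204",                 # a bare 204 "unmodified" reply is acceptable
        b"Encapsulated: " + encapsulated,
    ]) + CRLF + CRLF
    return icap_hdr + req_hdr + res_hdr + chunked(body)


def parse_icap_response(raw: bytes) -> dict:
    """Map the ICAP status (and the X-Infection-Found header, an assumed
    scanner-specific extension) to a verdict the proxy can act on."""
    head, _, _body = raw.partition(CRLF + CRLF)
    lines = head.split(CRLF)
    parts = lines[0].split(b" ", 2)   # e.g. ICAP/1.0 200 OK
    status = int(parts[1])
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(b":")
        headers[name.strip().lower().decode()] = value.strip().decode()
    result = {"status": status, "headers": headers}
    if status == 204:                  # content unmodified: clean
        result["verdict"] = "clean"
    elif status == 200:
        found = headers.get("x-infection-found")
        if found:                      # scanner replaced the content: infected
            m = re.search(r"Threat=([^;]+)", found)
            result["verdict"] = "infected"
            result["threat"] = m.group(1).strip() if m else ""
        else:
            result["verdict"] = "modified"   # rewritten by policy, not a detection
    else:
        result["verdict"] = "error"
    return result


# Constructed sample replies in the shape a CAS-style scanner would send.
SAMPLE_CLEAN = b"ICAP/1.0 204 No Content\r\nISTag: \"cas-pattern-1234\"\r\n\r\n"
SAMPLE_INFECTED = (b"ICAP/1.0 200 OK\r\nISTag: \"cas-pattern-1234\"\r\n"
                   b"X-Infection-Found: Type=0; Resolution=2; Threat=EICAR-Test-File;\r\n"
                   b"Encapsulated: null-body=0\r\n\r\n")


def demo_request() -> bytes:
    return build_respmod("icap://cas.example.internal:1344/avscan", REQ_HDR, RES_HDR, BODY)


if __name__ == "__main__":
    print(demo_request().decode("latin-1"))
    print(parse_icap_response(SAMPLE_CLEAN))
    print(parse_icap_response(SAMPLE_INFECTED))
```

The Encapsulated offsets are what most hand-written ICAP clients get wrong: they are byte offsets into the encapsulated section, not into the whole message, and the body must be chunked even when its length is known. Treat any non-204/200 status as "no verdict" and fail closed or open according to policy; never treat it as clean.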
INTELLIGENT DEFENSE IN DEPTH
• Block known web threats: ProxySG
• Allow known good: Content Analysis System with application whitelisting
• Block known bad downloads: Content Analysis System with malware scanning
• Analyze unknown threats: Malware Analysis Appliance
What the layers buy you:
• Block all known sources/malnets and threats before they are on the network
• Free up resources to focus on advanced threat analysis
• Reduce threats for incident containment and resolution
• Discover new threats and then update your gateways
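The three content tiers above (allow known good, block known bad, analyze the unknown) as one triage function, added here as an illustration and not Blue Coat's code. The whitelist and the "signature" set are constructed SHA-256 sets standing in for the application whitelist and the AV engines, the sample files are constructed and harmless, and the magic-number table and the choice of which types are worth detonating are the editor's assumptions.

```python
"""Tiered file verdicts: allow known good, block known bad, sandbox the unknown."""
import hashlib


def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


# Constructed sample files (not real malware): a whitelisted installer, a known-bad
# sample, an executable nobody has seen before, and a plain text document.
GOOD_FILE = b"MZ" + b"\x00" * 62 + b"constructed whitelisted installer"
BAD_FILE = b"MZ" + b"\x00" * 62 + b"constructed known-bad sample"
UNKNOWN_FILE = b"MZ" + b"\x00" * 62 + b"constructed never-seen executable"
TEXT_FILE = b"quarterly figures, plain text, nothing to detonate\n"

# Stand-ins for the application whitelist and the AV signature set, both keyed by
# SHA-256 here (an assumption; real engines also match patterns, not just hashes).
KNOWN_GOOD = {sha256(GOOD_FILE)}
KNOWN_BAD = {sha256(BAD_FILE)}

# Magic numbers for the content types worth detonating; file extensions are untrusted.
MAGIC = [
    (b"MZ", "pe"),
    (b"\x7fELF", "elf"),
    (b"%PDF", "pdf"),
    (b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1", "ole2"),   # legacy Office (.doc/.xls/.ppt)
    (b"PK\x03\x04", "zip"),                           # also .docx/.xlsx/.jar
]
SANDBOX_TYPES = {"pe", "elf", "pdf", "ole2", "zip"}


def file_type(data: bytes) -> str:
    for magic, name in MAGIC:
        if data.startswith(magic):
            return name
    return "other"


def triage(data: bytes, filename: str) -> dict:
    """Return allow / block / sandbox together with the tier that decided it.
    Order matters: the whitelist goes first (it saves scanner and sandbox capacity),
    then the signature tier, and only then the expensive sandbox, and only for
    content types it can actually run."""
    digest = sha256(data)
    kind = file_type(data)
    base = {"file": filename, "sha256": digest, "type": kind}
    if digest in KNOWN_GOOD:
        return {**base, "action": "allow", "tier": "whitelist"}
    if digest in KNOWN_BAD:
        return {**base, "action": "block", "tier": "signature"}
    if kind in SANDBOX_TYPES:
        return {**base, "action": "sandbox", "tier": "malware-analysis"}
    # No verdict and nothing a sandbox could execute: deliver it, but keep the record.
    return {**base, "action": "allow", "tier": "no-scannable-content"}


if __name__ == "__main__":
    for name, blob in [("setup.exe", GOOD_FILE), ("invoice.exe", BAD_FILE),
                       ("tool.exe", UNKNOWN_FILE), ("notes.txt", TEXT_FILE)]:
        print(triage(blob, name))
```

Two practical points the code makes explicit: the whitelist keys on content hash, not file name, so a renamed or patched binary falls through to the later tiers; and archives (the "zip" type) should be expanded and each member triaged before a sandbox verdict is trusted.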
CAS AV ENGINE LICENSE
PROSPECTING FOR CUSTOMERS AND HANDLING OBJECTIONS
MALWARE ANALYSIS APPLIANCE
NEXT-GEN SANDBOXING TECHNOLOGY “NOT A CAR ALARM”
NEXT-GENERATION MALWARE
• VM-evasive
• Targeted
• ‘Sleeper cell’ malware
• Polymorphic
• Multi-stage and multi-vector
• Encrypted
NEXT GENERATION MALWARE ANALYSIS
• Emulation sandboxing
• IntelliVM sandboxing
• ‘Ghost user’ malware analysis
• Threat and risk scoring
• Pre-filtering & brokering
• SSL visibility
• Global intelligence feedback
MALWARE ANALYSIS
• Risk Level is based on the highest matching pattern.
• The Activity Report shows summary event data grouped by type, to aid analysis and remediation efforts.
• Task Details describe the analysis environment.
SSL Visibility
Appliance
INVISIBLE
Threats we can’t see…
• 30-40% of traffic is encrypted
• The majority of APTs operate over SSL
LEADERSHIP IN SSL SECURITY
NEW SSL Visibility Product Line
• 2013: Blue Coat acquired the SSL product line from Netronome
• Previously only offered via private-label OEM partners
• Shifting to a more direct sales & partner strategy
• We are investing in SSL Visibility appliances and future capabilities
• External validation of our SSL leadership
EXTERNAL VALIDATION
• SC Magazine 2010
– “SSL Inspector has the most comprehensive feature set and the best overall performance of any of its competitors.”
• Gartner: Cool Vendors in Security 2012
– “What makes Netronome cool is its ability to perform an inspection of SSL. Its Flow Processors allow for the inspection of SSL sessions to combat the latest threats that utilize SSL encryption as a subversion technique.”
• NSS Labs Analyst Brief “SSL Performance Problems” 2013
– “The Sourcefire 8250 NGFW is currently performance rated by the vendor at 10Gbps. During NSS testing, the actual performance was rated at 12.9Gbps. The Sourcefire 8250 was the only vendor that utilized a dedicated SSL appliance (SV3800) during testing. The TPS achieved were the highest of all the devices tested.”
CHOOSING THE RIGHT SSL SOLUTION – COVERAGE & PERFORMANCE
[Chart: SSL sites on the web, 2007 to 2012, scale 0 to 2,000,000]
• HTTPS traffic booming (20% Y/Y)
• Enterprise apps
• Cloud apps, e.g. SFDC
• Internet apps, e.g. Google, FB
• Mobile apps
• More protocols are SSL encrypted: HTTP, SPDY, FTP, SMTP, XMPP, etc.
SSL VISIBILITY APPLIANCE PRODUCT FAMILY
Function                      SV1800            SV2800            SV3800
Total Throughput              4 Gbps            20 Gbps           40 Gbps
SSL Visibility Throughput     1.5 Gbps          2.5 Gbps          4 Gbps
Concurrent SSL Flow States    100,000           200,000           400,000
SSL Flow Setups / Tear Downs  6,500 per sec     9,500 per sec     11,500 per sec
Configurations                Fixed             Modular, 3 slots  Modular, 7 slots
Input/Output                  10/100/1000       2x10G fiber,      2x10G fiber,
                              copper or fiber   4x1G copper,      4x1G copper,
                              (fixed)           4x1G fiber        4x1G fiber
                                                network modules   network modules
High Availability             Dual 450 W PSU,   Dual 650 W PSU,   Dual 750 W PSU,
                              HA deployments,   HA deployments,   HA deployments,
                              FTW/FTA           FTW/FTA           FTW/FTA
FTW/FTA: fail-to-wire / fail-to-appliance. Note that the SSL visibility (decrypted) throughput is well below the total throughput on every model; size on the decrypted figure.
ENHANCES EXISTING SECURITY APPLICATIONS
Supports multiple active/passive feeds simultaneously.
• Active (inline, between Network In and Network Out): IPS, malware, NGFW
• Passive (copy): DLP, forensics, compliance, IDS, SIEM
Decrypt once, feed analysis, action and logging.
ENHANCES EXISTING CUSTOMER SECURITY APPLICATIONS
Enables multiple active & passive feeds simultaneously.
• ACTIVE (inline, between Network In and Network Out): inline IPS, NGFW, malware
• PASSIVE (copy): forensics, IDS, SIEM, DLP, compliance; Security Analytics Platform with ThreatBlades
• Global Intelligence Network: for policy categories
‘Decrypt Once, Feed Many’: analysis, action and logging.
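Added example, not from the deck or from the appliance: how a per-flow decrypt-or-bypass decision keyed on a policy category can be made before anything is decrypted, by reading the SNI host name out of the TLS ClientHello. The category table, the bypass list and the ClientHello builder are constructed; a real deployment would consult the Global Intelligence Network for the category.

```python
"""Decrypt-or-bypass per TLS flow, decided on the ClientHello SNI and its policy category."""
import struct

# Constructed stand-in for the Global Intelligence Network category lookup.
CATEGORIES = {
    "bank.example.com": "Financial Services",
    "portal.health.example.org": "Health",
    "example.net": "Technology",
}
# Categories exempted from decryption (privacy/regulatory); an assumed policy, not Blue Coat's.
BYPASS_CATEGORIES = {"Financial Services", "Health"}


def build_client_hello(server_name: str) -> bytes:
    """Construct a minimal TLS 1.2 ClientHello record that carries one SNI entry."""
    name = server_name.encode("ascii")
    entry = b"\x00" + struct.pack("!H", len(name)) + name          # name_type host_name (0)
    name_list = struct.pack("!H", len(entry)) + entry
    ext = struct.pack("!HH", 0x0000, len(name_list)) + name_list   # server_name extension
    body = (b"\x03\x03" + b"\x11" * 32 + b"\x00"                   # version, random, empty session id
            + struct.pack("!H", 2) + b"\xc0\x2f"                   # one cipher suite
            + b"\x01\x00"                                          # one compression method: null
            + struct.pack("!H", len(ext)) + ext)
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body      # HandshakeType client_hello
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake


def extract_sni(payload: bytes):
    """Return the SNI host name from a ClientHello, or None if the bytes are not one."""
    if len(payload) < 5 or payload[0] != 0x16:                     # not a TLS handshake record
        return None
    rec_len = struct.unpack("!H", payload[3:5])[0]
    hs = payload[5:5 + rec_len]
    if len(hs) < 4 or hs[0] != 0x01:                               # not a ClientHello
        return None
    p = 4 + 2 + 32                                                 # handshake header, version, random
    if p >= len(hs):
        return None
    p += 1 + hs[p]                                                 # session id
    if p + 2 > len(hs):
        return None
    p += 2 + struct.unpack("!H", hs[p:p + 2])[0]                   # cipher suites
    if p >= len(hs):
        return None
    p += 1 + hs[p]                                                 # compression methods
    if p + 2 > len(hs):
        return None                                                # no extensions present
    ext_end = min(p + 2 + struct.unpack("!H", hs[p:p + 2])[0], len(hs))
    p += 2
    while p + 4 <= ext_end:
        etype, elen = struct.unpack("!HH", hs[p:p + 4])
        p += 4
        if etype == 0x0000:
            stop = min(p + elen, len(hs))
            q = p + 2                                              # skip server_name_list length
            while q + 3 <= stop:
                ntype, nlen = hs[q], struct.unpack("!H", hs[q + 1:q + 3])[0]
                q += 3
                if ntype == 0:
                    return hs[q:q + nlen].decode("ascii", "replace").lower()
                q += nlen
        p += elen
    return None


def category_for(host: str):
    """Match the exact host, then each parent domain (never the bare TLD)."""
    labels = host.split(".")
    for i in range(len(labels) - 1):
        category = CATEGORIES.get(".".join(labels[i:]))
        if category:
            return category
    return None


def decrypt_decision(payload: bytes) -> dict:
    host = extract_sni(payload)
    if host is None:
        # Without SNI there is nothing to categorize: inspect rather than silently bypass.
        return {"host": None, "category": None, "action": "decrypt"}
    category = category_for(host)
    action = "bypass" if category in BYPASS_CATEGORIES else "decrypt"
    return {"host": host, "category": category, "action": action}


if __name__ == "__main__":
    for sni in ("bank.example.com", "www.cdn.example.net", "unknown.example.invalid"):
        print(decrypt_decision(build_client_hello(sni)))
```

The caveat a practitioner should keep in mind: SNI is client-supplied and unauthenticated, so a bypass keyed only on it can be abused by a client that names a "Financial Services" host while connecting elsewhere. Pair the SNI decision with a check of the server certificate once the handshake is visible, and default to inspection when the two disagree.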
Security Analytics
Platform
EVOLVING LANDSCAPE OF MODERN THREATS
TODAY’S ADVANCED THREAT LANDSCAPE
FINDING ANSWERS TO DREADED POST-BREACH QUESTIONS
• Who did this to us?
• How did they do it?
• What systems and data were affected?
• Can we be sure it is over?
• Can it happen again?
SOLERA DEEPSEE®
The Most Comprehensive and Flexible SIA Solution
• Flexible and easy-to-deploy on leading platforms.
• Comprehensive, pre-configured SIA appliances.
• Total network visibility.
• Maximum flexibility.
90% OF COMPANIES HAD A BREACH IN THE LAST 24 MONTHS
Prevention is not enough… you need retrospective investigation.
BLUE COAT ADVANCED THREAT PROTECTION
THE SECURITY CAMERA FOR YOUR NETWORK
Turning Complexity into Context
• Full visibility: before, during & after the attack
• Big data security analytics: collect, analyze & store
• Threat intelligence: web, file, email & malware reputation
• Real-time & retrospective analysis & resolution
• Simple, flexible & extensible
APPLICATION CLASSIFICATION AND DESCRIPTION
• Powerful Deep Packet Inspection (DPI) locates evasive applications and malware
• Classifies network traffic by application fingerprint
• Extracts metadata to describe identities, actions, and content
• DPI improves directed search performance by up to 10X
30 application families; 1800+ applications and protocols; 6000+ metadata attributes
“I can now see all applications and files, regardless of the port they might be hiding on…and digging through GBs of data is fast”
ADVANCED THREAT PROTECTION – DRIVING REAL-WORLD USE CASES
INTEGRATED ECOSYSTEM
• Situational awareness
• Policy & ITGRC
• Incident response
• Web control and security enforcement
• Data loss monitoring & analysis
• Advanced malware detection
• Continuous monitoring
ANALYTICS AND INTELLIGENCE
• Collect & warehouse
• Investigate
• Alert & report
ENRICHMENT
• Technology partners
• File analysis & IP reputation
• Malware sandboxing
FLEXIBLE FORM FACTORS
• Hardware
• Software
• Virtual machines
REPUTATION SERVICES / DATA ENRICHMENT
On-demand reputation checks, including:
• ISC/SANS
• Google Safe Browsing
• VirusTotal
• Bit9
• Lastline
• Domain Age
• Robtex
• SORBS
• WHOIS
“I can lookup IPs, URLs, files and hashes against multiple reputation services? Multiply 12 keystrokes and 2 browser tabs by 100x a day and you just gave me an extra day a month!”
RUN THE REPUTATION SERVICE
• Forward the file to the MalwareAnalysis BLADE for a reputation check.
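An added editorial example (not DeepSee code) of what the on-demand checks above do before any service is called: classify the pasted indicator (IP, hash, URL or domain), build the DNSBL query name a SORBS lookup needs, compute domain age, and plan which of the listed services apply. The SORBS aggregate zone name dnsbl.sorbs.net, the service-to-indicator mapping and the 30-day "young domain" threshold are assumptions; no network calls are made.

```python
"""Classify an indicator and prepare the reputation lookups for it (no network calls)."""
import ipaddress
import re
from datetime import date

HASH_LENGTHS = {32: "md5", 40: "sha1", 64: "sha256"}
URL_RE = re.compile(r"[a-z][a-z0-9+.-]*://", re.I)
DOMAIN_RE = re.compile(r"(?:[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z]{2,63}", re.I)

# Which of the slide's services answer for which indicator type (an editorial mapping).
SERVICES = {
    "ip": ["ISC/SANS", "SORBS", "Robtex", "WHOIS"],
    "domain": ["Google Safe Browsing", "Domain Age (WHOIS)", "Robtex"],
    "url": ["Google Safe Browsing", "VirusTotal"],
    "md5": ["VirusTotal", "Bit9", "Lastline"],
    "sha1": ["VirusTotal", "Bit9", "Lastline"],
    "sha256": ["VirusTotal", "Bit9", "Lastline"],
}
YOUNG_DOMAIN_DAYS = 30   # assumed threshold for flagging freshly registered domains


def classify(ioc: str) -> str:
    """Decide what kind of indicator a pasted string is: IP, hash, URL, then domain."""
    s = ioc.strip()
    try:
        ipaddress.ip_address(s)
        return "ip"
    except ValueError:
        pass
    if len(s) in HASH_LENGTHS and re.fullmatch(r"[0-9a-f]+", s, re.I):
        return HASH_LENGTHS[len(s)]
    if URL_RE.match(s):
        return "url"
    if DOMAIN_RE.fullmatch(s):
        return "domain"
    return "unknown"


def dnsbl_query_name(ip: str, zone: str = "dnsbl.sorbs.net") -> str:
    """DNSBL convention (RFC 5782): reversed IPv4 octets, or reversed IPv6 nibbles,
    prepended to the list's zone. The zone name here is an assumption."""
    addr = ipaddress.ip_address(ip)
    if addr.version == 4:
        return ".".join(reversed(str(addr).split("."))) + "." + zone
    nibbles = addr.exploded.replace(":", "")
    return ".".join(reversed(nibbles)) + "." + zone


def dnsbl_listed(answer) -> bool:
    """Listed entries resolve to a 127.0.0.x address; unlisted ones give NXDOMAIN (None here)."""
    return answer is not None and answer.startswith("127.")


def domain_age_days(created: date, today: date) -> int:
    return (today - created).days


def enrichment_plan(ioc: str, created: date = None, today: date = None) -> dict:
    kind = classify(ioc)
    plan = {"ioc": ioc, "type": kind, "services": SERVICES.get(kind, [])}
    if kind == "ip":
        plan["dnsbl_query"] = dnsbl_query_name(ioc)
    if kind == "domain" and created and today:
        age = domain_age_days(created, today)
        plan["domain_age_days"] = age
        plan["young_domain"] = age < YOUNG_DOMAIN_DAYS
    return plan


if __name__ == "__main__":
    for ioc in ("192.0.2.10", "dl.example.net", "http://dl.example.net/setup.exe",
                "d41d8cd98f00b204e9800998ecf8427e"):
        print(enrichment_plan(ioc, date(2013, 9, 20), date(2013, 10, 1)))
```

Classification order matters: an IPv4 literal is also a syntactically valid "domain", and a 32-character hex string would pass neither check but must still be routed to the hash services, so IPs and hashes are tested first.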
MALWARE ANALYSIS
BLUE COAT THREATBLADES
Three new ThreatBLADES for unbeatable Advanced Threat Protection…
WEB, MAIL & FILE THREAT IDENTIFICATION
• WebThreat BLADE: inspects all HTTP or HTTPS traffic and identifies malicious communications and files
• MailThreat BLADE: inspects all SMTP, POP3 and IMAP traffic for malicious communications and files
• FileThreat BLADE: inspects all FTP and SMB traffic for malicious communications and files
If there is no clear verdict on content, suspicious files are delivered to a hybrid sandbox (the Malware Analysis Appliance) for analysis.
SIEM
SIEM = PHONE BILL
IPS
IPS = SINGLE FRAME
AN EXAMPLE DEPLOYMENT
• Traffic sources: users, application servers, mobile devices, captured via TAP/SPAN
• Management network: DeepSee Appliance, with optional storage
• DeepSee Dashboard: +Reports, +Alerts, +Artifact Timeline, +Root Cause Explorer, +Threat Analysis, +PCAP Import, +Comparative Reporting, +Reputation Services, +more…
SECURITY ANALYTICS
Partner Integrations
• FireEye™ integration
• McAfee™ NSM integration
• McAfee™ ESM integration
• Sourcefire™ integration
• HP ArcSight™ integration
• Splunk™ integration
• IBM QRadar™ integration
SOLERA DEEPSEE CENTRAL MANAGER
DeepSee Central Manager for a distributed network:
• Single point of management
• Central access
• Directed searches
• Aggregate searches
• Arbitrary groups and sub-groups
Dynamic Lifecycle for Advanced Threat Protection
1. Block all the known bad with preventative and signature-based security tools, including ProxySG and Content Analysis System.
2. We use Security Analytics, ThreatBLADES and Malware Analysis / Sandboxing to detect and analyze the threats and attacks that get through signature-based security tools.
3. We update signature-based tools with new threat intelligence, inform our knowledge-bases and fortify the security ecosystem (Global Intelligence Network and Knowledgebase).
4. We conduct retrospective analysis of previously captured data with newer threat intelligence.
5. We resolve and remediate underlying vulnerabilities.
6. We repeat the process dynamically.
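Added example, not Blue Coat's code, for the detect-update-look-back part of the lifecycle: build the threat record with the four fields the integrated-solution slide sends to WebPulse (file hash, URL, time stamp, file name) for a sample the sandbox just convicted, then sweep previously captured proxy records with it. The record format, the stored records and the sample bytes are constructed.

```python
"""Build the threat record for a newly detected sample and sweep stored traffic with it."""
import hashlib
from datetime import datetime, timezone
from urllib.parse import urlsplit


def threat_record(sample: bytes, url: str, filename: str, observed_at: datetime) -> dict:
    """The four fields the integration slide sends to WebPulse, in one record."""
    return {"file_hash": hashlib.sha256(sample).hexdigest(), "url": url,
            "time_stamp": observed_at.isoformat(), "file_name": filename}


# Constructed data: the sample the sandbox convicted, and a few stored proxy records
# (time, client, URL, file name, SHA-256 of the delivered body).
SAMPLE = b"MZ" + b"\x00" * 62 + b"constructed dropper"
SAMPLE_HASH = hashlib.sha256(SAMPLE).hexdigest()
OTHER_HASH = hashlib.sha256(b"constructed benign file").hexdigest()
DETECTED_AT = datetime(2013, 10, 3, 10, 0, tzinfo=timezone.utc)
RECORDS = """\
2013-09-28T08:02:11Z 10.1.4.20 http://dl.example.net/update/setup.exe setup.exe {bad}
2013-09-29T17:45:09Z 10.1.4.31 http://www.example.org/doc.pdf doc.pdf {ok}
2013-09-30T11:13:52Z 10.1.7.8 http://dl.example.net/update/setup2.exe setup2.exe {ok}
2013-10-02T09:14:03Z 10.1.9.5 http://mirror.example.com/pkg.bin pkg.bin {bad}
2013-10-04T12:00:00Z 10.1.9.6 http://dl.example.net/update/setup.exe setup.exe {bad}
""".format(bad=SAMPLE_HASH, ok=OTHER_HASH)


def parse_records(text: str):
    for line in text.splitlines():
        ts, client, url, name, digest = line.split()
        yield {"time": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc),
               "client": client, "url": url, "file_name": name, "sha256": digest}


def retrospective_sweep(records, intel: dict, detected_at: datetime) -> list:
    """Re-run the new intelligence over history. Only flows that predate the detection
    are returned: those were allowed through when nothing yet recognized the sample.
    Matching is on the content hash first, then on the serving host of the URL."""
    bad_host = urlsplit(intel["url"]).hostname
    hits = []
    for r in records:
        if r["time"] >= detected_at:
            continue
        if r["sha256"] == intel["file_hash"]:
            hits.append({**r, "matched": "file_hash"})
        elif urlsplit(r["url"]).hostname == bad_host:
            hits.append({**r, "matched": "url_host"})
    return hits


def affected_clients(hits) -> list:
    return sorted({h["client"] for h in hits})


def demo_hits() -> list:
    intel = threat_record(SAMPLE, "http://dl.example.net/update/setup.exe", "setup.exe", DETECTED_AT)
    return retrospective_sweep(parse_records(RECORDS), intel, DETECTED_AT)


if __name__ == "__main__":
    for hit in demo_hits():
        print(hit["time"].isoformat(), hit["client"], hit["matched"], hit["url"])
    print("affected:", affected_clients(demo_hits()))
```

The host-level match deliberately casts wider than the hash: the same server delivered a second file whose hash is unknown, and that client belongs on the containment list even though nothing convicted that file. Flows after the detection time are left out here because the updated gateways are expected to have blocked them; in practice you would verify that assumption with the same sweep rather than trust it.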
SECURITY ANALYTICS PLATFORM
Use Cases: situational awareness; continuous monitoring; cyber threat detection; incident response; data loss monitoring & analysis; policy compliance
DeepSee® Applications: threat intelligence; big data analytics; reports, GeoIP, reconstruction, packet analysis
Partner Integration: reputation, threat feeds, and file analysis
DeepSee Big Data Security Analytics
Sensors
ENABLING ADVANCED THREAT PROTECTION
Components, as deployed in front of the Internal Network:
1) Encrypted Traffic Management: SSL Visibility Appliance (feeding SIEM, IPS and servers)
2) Known Threat Protection: ProxySG with the Global Intelligence Network
3) Unknown Threat Protection: Content Analysis System and Malware Analysis Appliance
4) Incident Resolution & Analysis: Security Analytics Platform
5) Collaborative, Real-time Advanced Threat Database
USE CASES
CUSTOMERS
THANKS