SECURITY ANALYTICS MOVES TO REAL-TIME PROTECTION
How Blue Coat ThreatBLADES add real-time threat scanning and alerting to the Blue Coat Security Analytics Platform
WHITEPAPER
Security Empowers Business
INTRODUCTION: SECURITY ANALYTICS MOVES TO REAL-TIME PROTECTION
Security analytics solutions have become an essential weapon against advanced threats. They reduce the impact
of data breaches by giving security operations staff and incident responders powerful capabilities for capturing,
reconstructing, analyzing and remediating attacks.
Until recently, security analytics products were typically brought into play only after a breach had been detected, and were used almost exclusively for retrospective analysis and forensics.
But that is changing. Now companies like Blue Coat are adding real-time threat detection and protection to their
security analytics offerings. They are giving security analytics platforms the ability to detect advanced threats and to
alert administrators and security analysts in real-time.
Embedding real-time detection in a security analytics solution provides three major advantages over deploying traditional security tools:
• More attacks and threats are detected. Security analytics tools can capture, extract and reconstruct suspicious files and other artifacts for real-time scanning and analysis. These files and artifacts would not be visible to stand-alone gateway anti-malware products, next-generation firewalls, intrusion detection systems or SIEM tools.
• Attacks are detected and prioritized faster. Detection is integrated with an advanced alert system that delivers meaningful, risk-ranked threat intelligence to security analysts and incident responders in real time.
• Threats can be analyzed and remediated more thoroughly. Alerts include direct and immediate access to detailed forensic information that enhances threat analysis and risk management.
This white paper examines in detail how real-time detection works in a security analytics solution to deliver advanced threat protection. It describes Blue Coat ThreatBLADES, and discusses how they:
• Support global threat intelligence sharing and real-time alerting.
• Facilitate dynamic analysis (sandboxing) of unknown malware.
• Add real-time contextual and actionable information to security analytics.
• Fit in an advanced threat protection lifecycle defense.
An appendix answers frequently asked questions about deploying ThreatBLADES in Blue Coat’s Security Analytics Platform.
An Overview of Blue Coat ThreatBLADES: Real-Time Threat Intelligence
Blue Coat ThreatBLADES are threat intelligence software modules that run on the Blue Coat Security Analytics Platform (formerly Solera DeepSee)1. They are modular, and can be deployed individually or in any combination on all form factors of the Security Analytics Platform: physical appliance, virtual appliance, and software.
Figure 1: ThreatBLADES on Security Analytics Platform (the WebThreat BLADE, MailThreat BLADE and FileThreat BLADE running on the Security Analytics Platform)
1 For more information on the Security Analytics Platform, see http://www.bluecoat.com/products/atp-security-analytics-platform.
ThreatBLADES provide real-time threat intelligence services. Each one is optimized to:
1. Scan specific protocols.
2. Detect and extract files, URLs and IP addresses.
3. Inspect and categorize those files, URLs and IP addresses as known good, known bad (malicious), or unknown.
4. Based on that determination, take appropriate actions in real time.
The characteristics of the ThreatBLADES available today are shown in Figure 2. Figure 3 highlights the basic functions of the ThreatBLADES.
Figure 2: Characteristics of the ThreatBLADES

                     WebThreat BLADE     MailThreat BLADE             FileThreat BLADE
Protocols scanned    HTTP, HTTPS**       SMTP, POP3, IMAP, Webmail    FTP, SMB, TFTP, NFS*

The remaining rows of the figure compare the three blades on: file whitelist; malware scanning; URL and IP reputation database (marked * for one blade); URL and IP risk scores (marked * for one blade); real-time queries to the Blue Coat Global Intelligence Network; and sandbox brokering to the Blue Coat Malware Analysis Appliance (optional). The per-blade check marks in those rows did not survive extraction.

* Available soon
** SSL Visibility Appliance required

Figure 3 (diagram contents): (1) the WebThreat BLADE detects HTTP/S traffic, the MailThreat BLADE detects mail traffic and the FileThreat BLADE detects file traffic; (2) the Security Analytics Platform reconstructs files and classifies URLs; (3) it checks the local database and applies policies; (4) it queries the Blue Coat Global Intelligence Network and receives a verdict and information; (5) it sends unknown files to the Malware Analysis Appliance for analysis and receives a verdict and information; (6) known-good files are added to the whitelist, while suspicious or known-bad files trigger alerts.
Figure 3: Overview of ThreatBLADES on the Security Analytics Platform
As illustrated in the diagram:
1.The ThreatBLADES continuously scan traffic over their respective
protocols.
2.The ThreatBLADES work with the Security Analytics Platform to
extract and reconstruct files in real-time, and to extract URLs and IP
addresses.
3.File signatures (hashes) and URLs are checked against a local
database. When “known bad” files and URLs are found, the Security
Analytics Platform immediately sends alerts to administrators and
security analysts.
4.If a file or URL is not found in the local database, a query is sent to
the Blue Coat Global Intelligence Network. The Global Intelligence
Network checks a massive security database containing threat
information from over 15,000 customers and 75 million users, and
returns a verdict (good, bad or unknown) and additional information
including a risk score.
5.If a file is still unknown, it is automatically sent to the Blue Coat
Malware Analysis Appliance for dynamic analysis (sandboxing). The
Malware Analysis Appliance “detonates” the file in a secure, isolated
environment, observes suspicious and malicious activities as the file
executes, and returns a risk rating and other information about the file.
6.The Security Analytics Platform takes appropriate action. “Good” files are added to the file whitelist, so they will not have to be re-analyzed in the future. Files with high risk ratings can trigger automatic real-time alerts to administrators, analysts, incident responders, managers and others. Analysts can then use the Security Analytics Platform to reconstruct the full details of the attack and take appropriate remediation actions.
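The six steps above, as an added example that is not Blue Coat’s code: a small Python model of the brokering pipeline from Figure 3. The local database is a pair of in-memory dictionaries, and the Global Intelligence Network and the Malware Analysis Appliance are replaced by stand-in functions driven by constructed data, because the paper does not describe either service’s interface. The SHA-1 cache key, the alert threshold of 7 on the paper’s 1-10 scale, the behaviour weights and the sample attachments are all assumptions made for the example.

```python
import hashlib
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Set

# Assumption: alert on risk scores of 7 or more on the paper's 1-10 scale.
ALERT_THRESHOLD = 7


@dataclass
class Verdict:
    label: str    # "good", "suspicious", "bad" or "unknown"
    score: int    # risk score 1-10 (0 while still unknown)
    source: str   # stage that decided: "local", "gin" or "sandbox"


@dataclass
class Broker:
    """Steps 3-6 of Figure 3: local lookup, cloud query, sandbox, then act."""
    gin_query: Callable[[str], Verdict]    # stand-in for the Global Intelligence Network
    sandbox: Callable[[bytes], Verdict]    # stand-in for the Malware Analysis Appliance
    whitelist: Set[str] = field(default_factory=set)                  # known-good SHA-1s
    local_verdicts: Dict[str, Verdict] = field(default_factory=dict)  # everything else seen
    alerts: List[dict] = field(default_factory=list)
    sandbox_submissions: int = 0

    def classify(self, data: bytes, context: dict) -> Verdict:
        sha1 = hashlib.sha1(data).hexdigest()   # assumption: SHA-1 is the cache key
        # Step 3: local database first. A hit never leaves the platform, and a
        # known-bad hit alerts immediately.
        if sha1 in self.whitelist:
            return Verdict("good", 1, "local")
        if sha1 in self.local_verdicts:
            cached = self.local_verdicts[sha1]
            verdict = Verdict(cached.label, cached.score, "local")
        else:
            # Step 4: ask the intelligence network for a verdict and risk score.
            verdict = self.gin_query(sha1)
            # Step 5: still unknown, so broker the file itself to the sandbox.
            if verdict.label == "unknown":
                self.sandbox_submissions += 1
                verdict = self.sandbox(data)
        # Step 6: good files join the whitelist and are never re-analyzed;
        # anything else is cached so a repeat sighting resolves locally.
        if verdict.label == "good":
            self.whitelist.add(sha1)
        else:
            self.local_verdicts[sha1] = verdict
        if verdict.score >= ALERT_THRESHOLD:
            self.alerts.append({"sha1": sha1, "score": verdict.score,
                                "source": verdict.source, **context})
        return verdict


# --- constructed stand-ins for the two external services -------------------

_GIN_TABLE = {  # what "the cloud" already knows; contents are made up
    hashlib.sha1(b"known good installer").hexdigest(): Verdict("good", 1, "gin"),
    hashlib.sha1(b"known dropper").hexdigest(): Verdict("bad", 9, "gin"),
}

def fake_gin(sha1: str) -> Verdict:
    return _GIN_TABLE.get(sha1, Verdict("unknown", 0, "gin"))

# Behaviours the paper lists as sandbox observations, with made-up weights.
_BEHAVIOURS = [(b"disable-av", 4), (b"persist-service", 3), (b"beacon", 3)]

def fake_sandbox(data: bytes) -> Verdict:
    """Pretend to detonate: score 1 plus a weight per behaviour marker found."""
    score = min(10, 1 + sum(w for marker, w in _BEHAVIOURS if marker in data))
    label = "good" if score == 1 else ("bad" if score >= ALERT_THRESHOLD else "suspicious")
    return Verdict(label, score, "sandbox")


def run_demo():
    """Feed six constructed attachments through the broker; returns (broker, sources)."""
    broker = Broker(gin_query=fake_gin, sandbox=fake_sandbox)
    fax = b"MZ disable-av persist-service beacon"   # stands in for fax.pdf.exe
    benign = b"MZ hello world"
    samples = [
        (b"known good installer", {"file": "setup.exe", "user": "alice"}),
        (b"known dropper", {"file": "invoice.scr", "user": "bob"}),
        (fax, {"file": "fax.pdf.exe", "user": "carol"}),
        (benign, {"file": "notes.exe", "user": "dave"}),
        (fax, {"file": "fax.pdf.exe", "user": "erin"}),      # repeat: local hit, no sandbox
        (benign, {"file": "notes.exe", "user": "frank"}),    # repeat: whitelisted
    ]
    sources = [broker.classify(data, ctx).source for data, ctx in samples]
    return broker, sources


if __name__ == "__main__":
    b, s = run_demo()
    print(s, b.sandbox_submissions, [a["file"] for a in b.alerts])
```

Two attachments reach the sandbox out of six sightings: the two repeats resolve from the local database, which is the pre-filtering effect the paper relies on when it says brokering reduces the number of sandbox appliances needed. The repeat of fax.pdf.exe still raises an alert, but with source "local", so a responder can tell a cached verdict from a fresh detonation.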
The next sections of this paper describe how deploying ThreatBLADES on the Security Analytics Platform enhances critical security processes:
• Threat intelligence sharing and real-time alerting
• Detection of unknown malware
• Threat analysis and reconstruction
Going Real-Time:
Threat Intelligence Sharing and Real-Time Alerting
When it comes to security intelligence, nobody can afford to be
an island. A threat intelligence network can help enterprises share
signatures and data about:
• Previously unknown zero-day malware.
• Targeted and polymorphic malware known to only one or a handful of
organizations.
• Botnets, malnets (malware networks), websites used for phishing, and
legitimate web sites that have been compromised.
• Indicators of compromise (IOCs) that provide clues about advanced,
complex attacks.
This information helps enterprises in the network inoculate themselves
against unknown and rare threats, block more attacks at the perimeter,
and more swiftly identify and mitigate those attacks that do get past the
perimeter defenses.
The Global Intelligence Network provides a cloud-based infrastructure
for sharing real-time threat data among 15,000 Blue Coat customers
with over 75 million users. It includes:
• An extensive malware database updated by 39 anti-virus
scanning engines and feeds from anti-virus vendors, anti-malware
clearinghouses and the entire Blue Coat customer base.
• An industry-leading URL reputation database updated continuously
with information on good, bad and suspect URLs, IP addresses and
domains, based on over 1 billion web requests per day.
• The results of sophisticated tests to identify malnets, botnets, APT
command-and-control servers, compromised and infected web sites
and other web sites under the control of spammers, cybercriminals
and hackers.
• Information on zero-day malware and advanced attacks produced by
behavioral analysis, dynamic analysis (sandboxing), script scrubbers,
and machine and human analysis.
ThreatBLADES automate the use of threat information from the Global
Intelligence Network, so that the information can be utilized in real time
by the Security Analytics Platform.
When a ThreatBLADE identifies a file or URL that is not present in the
local database on the Security Analytics Platform, a query is sent to the
Global Intelligence Network in real-time. The Global Intelligence Network
replies with information about the file or URL. Information about files
includes the file type, MD5 and SHA1 hashes, and a risk score of 1-10.
Information about URLs includes the URL category (out of more than
100 categories in the database) and a threat score of 1-10.
The Security Analytics Platform can use this information to send real-time alerts to administrators, analysts, incident responders, managers and others, warning them about malnets, malware, suspicious activities and attacks.
These alerts, and the information shared from the Global Intelligence
Network, allow security personnel to take immediate action against known
attacks and to quickly initiate investigations based on warning signs.
Capturing the Unknown:
Integrating Dynamic Malware Analysis
Shared threat intelligence helps organizations track malware that has
already been identified by someone. But to detect new and unknown
malware they need dynamic, next-generation malware analysis, also
known as “sandboxing.”
Sandboxing “detonates” suspect files in a safe, isolated environment
and monitors the behavior of the software. Suspicious and malicious
activities are observed and assessed. Common examples include
changing registry settings, starting up new services, trying to disable
antivirus packages, and trying to contact an external server. Dynamic
analysis identifies advanced malware by its actions, without relying on
signatures or any previous evaluation.
ThreatBLADES can act as real-time file brokers to Blue Coat’s next-generation sandboxing solution, the Malware Analysis Appliance. As each ThreatBLADE monitors traffic, it sends unknown files in real time to the Malware Analysis Appliance for analysis.
The Malware Analysis Appliance collects detailed information on the
activities of each unknown file, identifies suspicious activities, and
assigns a risk score of 1 to 10 based on the observed behaviors. This
information is returned to the Security Analytics Platform, where it can
generate alerts to administrators, analysts and others. Alerts can be
tailored based on the risk scores and company-specific rules.2
ThreatBLADES save money for organizations that deploy sandboxing.
By automatically pre-filtering known files and brokering only unknown
files to the sandboxing appliances for analysis, they reduce the number
of sandboxing appliances needed for a given volume of network traffic.
ThreatBLADES also make the security staff more efficient and effective
by giving them real-time risk-based alerts, so they can react more
quickly and give top priority to the most serious and relevant threats.
Enriching Security Analytics:
Providing Contextual and Actionable Information
ThreatBLADES enhance the post-breach analysis and incident
response capabilities of the Security Analytics Platform, and ensure
that many types of data are available for analysis through the Security
Analytics Platform. This includes information about malware files,
details about packets, and extensive meta-data about malnets,
botnets, APT command-and-control servers, applications, user
sessions and websites.
This information helps security personnel reverse engineer attacks and
identify sources and root causes, which in turn allows for faster and
more complete remediation.
For example, the Security Analytics Platform might alert a security
analyst that a previously unknown file, detected by the MailThreat
BLADE and brokered to the Malware Analysis Appliance for analysis,
had been given a “High Risk” rating (Figure 4).
2 For more information on the Blue Coat Malware Analysis Appliance and its dynamic malware analysis capabilities, see: http://www.bluecoat.com/products/malware-analysis-appliance
Figure 4: Information from the MailThreat BLADE about a suspect file (fax.pdf.exe). Note the risk rating of 10, “Very High Risk”.
The analyst would then have access to a full report from the Malware Analysis Appliance detailing suspicious actions taken by the file, with a risk score for each action (Figure 5).
Figure 5: Malware Analysis Appliance report showing suspicious behaviors of the file
With the Security Analytics Platform, the analyst could “pivot” from the file and display many types of related information, such as the source of the email (Figure 6), the user who requested it, the IP address from which it was sent, other emails and files received from that address, and other users and servers that received the same file.
Figure 6: The Security Analytics Platform lets the analyst “pivot” from one piece of information to find additional facts about the attack
This information would allow the analyst to confirm that an attack was in progress, reconstruct the timeline and details of the attack, and immediately pinpoint the users and systems affected by the attack. He or she would be able to target a response with high accuracy and stop the attack sooner, ideally before any damage was done. The analyst would also have critical information related to cleaning up and removing the malware, and to fortifying the network and systems against subsequent attacks.
These steps would be much more difficult if the analyst had to rely solely on logs from an IDS or a SIEM product. A log entry might show that a suspicious file had entered the network, but it would have taken much more time to associate that file with the other elements of the attack. It also would have taken much more work to determine the source of the malware, its role in the advanced attack, and its spread within the organization.
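The “pivot” from a suspect attachment to the sending address, the other recipients and the other files from the same source, as an added example that is not Blue Coat’s code and does not use the Security Analytics Platform’s own query interface, which the paper does not describe. The mail events, addresses (from documentation ranges) and hashes are all constructed for the example; the point is the secondary indexes that turn each pivot into a lookup rather than a scan over every record.

```python
import hashlib
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List


@dataclass(frozen=True)
class MailEvent:
    """One attachment delivery as a mail-scanning blade might record it."""
    ts: str         # ISO-8601 timestamp
    src_ip: str     # IP address the message was sent from
    sender: str
    recipient: str
    filename: str
    sha1: str


def _h(label: str) -> str:
    """Constructed stand-in hashes so the sample data looks like real SHA-1s."""
    return hashlib.sha1(label.encode()).hexdigest()


FAX = _h("fax.pdf.exe sample")

# Constructed sample events: one sender delivers fax.pdf.exe to two users and a
# second file to a third; a different address later delivers the same file.
EVENTS = [
    MailEvent("2014-07-01T09:00:05", "198.51.100.23", "billing@example.net",
              "alice@corp.example", "fax.pdf.exe", FAX),
    MailEvent("2014-07-01T09:00:07", "198.51.100.23", "billing@example.net",
              "bob@corp.example", "fax.pdf.exe", FAX),
    MailEvent("2014-07-01T09:02:11", "198.51.100.23", "billing@example.net",
              "carol@corp.example", "invoice.doc", _h("invoice.doc sample")),
    MailEvent("2014-07-01T10:15:00", "203.0.113.8", "hr@corp.example",
              "alice@corp.example", "handbook.pdf", _h("handbook.pdf sample")),
    MailEvent("2014-07-01T11:40:42", "203.0.113.77", "partner@example.org",
              "dave@corp.example", "fax.pdf.exe", FAX),
]


class PivotIndex:
    """Secondary indexes keyed by file hash and by source IP."""

    def __init__(self, events: List[MailEvent]):
        self.by_hash: Dict[str, List[MailEvent]] = defaultdict(list)
        self.by_ip: Dict[str, List[MailEvent]] = defaultdict(list)
        for e in sorted(events, key=lambda e: e.ts):   # keep each bucket in time order
            self.by_hash[e.sha1].append(e)
            self.by_ip[e.src_ip].append(e)

    def pivot_from_file(self, sha1: str) -> dict:
        """From one file hash to its senders, its recipients and its sibling files."""
        hits = self.by_hash.get(sha1, [])
        src_ips = sorted({e.src_ip for e in hits})
        # Other files those source addresses delivered: candidates for the same campaign.
        siblings = sorted({(e.filename, e.sha1) for ip in src_ips
                           for e in self.by_ip[ip] if e.sha1 != sha1})
        return {
            "first_seen": hits[0].ts if hits else None,
            "source_ips": src_ips,
            "senders": sorted({e.sender for e in hits}),
            "recipients": sorted({e.recipient for e in hits}),   # who must be checked
            "sibling_files": siblings,
            "timeline": [(e.ts, e.src_ip, e.recipient, e.filename) for e in hits],
        }


def investigate_fax() -> dict:
    """Run the pivot for the constructed fax.pdf.exe hash."""
    return PivotIndex(EVENTS).pivot_from_file(FAX)


if __name__ == "__main__":
    for key, value in investigate_fax().items():
        print(f"{key}: {value}")
```

The result lists three affected recipients across two source addresses, and invoice.doc as a second file from the first address that deserves a look even though nothing has flagged it yet. That second step, from the file to the sender and then back out to everything else the sender delivered, is what a single IDS or SIEM log line about the original attachment cannot give an analyst without further correlation work.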
This is only one example that shows the power of the ThreatBLADES
and the Security Analytics Platform for detecting, analyzing and
resolving advanced threats. A similar investigation could be triggered by
many other threat indicators, such as a file downloaded from an infected
web site or a malnet, an email coming from a server associated with
spam, or a file transferred by FTP from a server in the data center to an
unknown website.
By reducing time to detection and resolution with ThreatBLADES
and the Security Analytics Platform, enterprises can lower response
costs, mitigate data loss, and better protect company reputation and
customer loyalty.
Real-Time Detection and Security Analytics in an
Advanced Threat Protection Lifecycle Defense
But where do real-time detection and security analytics fit in the “big
picture” of a defense-in-depth security strategy?
Figure 7 shows Blue Coat’s diagram of an advanced threat protection
lifecycle defense. The first stage, ongoing operations, involves products
that detect and block known threats. This is typically the role played by
secure web gateways like the Blue Coat ProxySG, by network-based
tools for detecting and blocking “known” malware, such as network
anti-virus products and the Blue Coat Content Analysis System, and by
network security products such as next-generation firewalls (NGFWs)
and intrusion prevention systems (IPSs). The first stage also includes
technologies that enable visibility into encrypted traffic, such as the
capabilities provided by the Blue Coat SSL Visibility Appliance.
Events and files that are not known to those signature-based perimeter
blocking tools must be escalated to the second phase of the lifecycle
defense, which is focused on incident containment and mitigation.
This is where ThreatBLADES and the Malware Analysis Appliance play
a major role. They help enterprises detect and analyze indicators of
compromise and unknown files in real time using information from the
Security Analytics Platform, the Global Intelligence Network, and results
of the dynamic analysis of zero-day threats performed by the Malware
Analysis Appliance. The alerting capabilities of the Security Analytics
Platform give administrators, analysts and others the opportunity to
mitigate the effects of the attacks before major damage is incurred.
The third stage is focused on security incident resolution and remediation. This is where organizations gain significant value from security analytics solutions like the Blue Coat Security Analytics Platform. ThreatBLADES enhance the power of the Security Analytics Platform to initiate swift incident analysis, by providing associated attributes of indicators of compromise and zero-day threats in real time. Contributing this real-time detection component to the solution, ThreatBLADES help enterprises reduce the time to resolution and minimize the window of exposure.3
Figure 7: Diagram of Blue Coat’s Advanced
Threat Protection Lifecycle Defense
3 For more information on advanced threat protection lifecycle defense, see http://dc.bluecoat.com/ATPResourceCenter.
Summary
Adding software blades with real-time detection capabilities directly into a security analytics solution provides three major advantages.
Enterprises can detect more attacks and threats
Blue Coat’s Security Analytics Platform can capture traffic coming across all major transport protocols used for web, email and file transfers and extract suspicious files in real time for scanning by the ThreatBLADES. Many of these malicious files would not be available for scanning by network anti-malware or IDS products, and would enter the network undetected.
In addition, ThreatBLADES provide seamless integration with the Global Intelligence Network, which provides unrivaled threat intelligence in real time, and with the Malware Analysis Appliance, Blue Coat’s next-generation sandboxing solution.
Enterprises can prioritize and respond to attacks faster
ThreatBLADES work with the alerting features of the Security Analytics Platform to deliver contextual, actionable intelligence to administrators, analysts and incident responders in real time. Risk scoring and rich contextual information help focus attention on the threats that matter.
Enterprises can analyze threats in more detail and remediate attacks more thoroughly
ThreatBLADES automatically provide critical information for threat analysis and resolution, allowing analysts to reconstruct attacks and identify root causes more quickly and completely.
Putting these advantages together produces bottom line results that include:
• More accurate and efficient threat detection.
• Fewer successful attacks.
• Less damage from breaches that do gain a foothold.
• Lower costs to identify and remediate the effects of attacks.
For more information on the concepts and products discussed in this white paper, and to determine how these solutions can help in your environment, please visit Blue Coat at www.bluecoat.com/advanced-threat-protection.
APPENDIX: FREQUENTLY ASKED QUESTIONS
Are ThreatBLADES a replacement for secure web gateways?
No, secure web gateways are still the best way to detect and block web-borne threats. But ThreatBLADES can scan other protocols in addition to HTTP and HTTPS. Also, as part of the Security Analytics Platform, they can be placed at many locations on the network, for example between network segments, at data centers, and in front of critical business systems.
What are the benefits of deploying ThreatBLADES on the Security Analytics Platform?
More attacks and threats are detected, because ThreatBLADES and the Security Analytics Platform scan more protocols and detect more files and other artifacts than standalone anti-malware, IDS and SIEM products.
Attacks are detected and prioritized faster, because ThreatBLADES combine automated, real-time detection with an advanced alert system to deliver meaningful real-time intelligence to analysts and incident responders.
Threats can be analyzed and remediated more thoroughly, because the ThreatBLADES and Security Analytics Platform together provide more contextual, actionable intelligence in real time for threat analysis and remediation.
Is the Security Analytics Platform needed to use ThreatBLADES?
Yes, ThreatBLADES are software blades that only run on the Blue Coat Security Analytics Platform.
Are ThreatBLADES a replacement for network
anti-malware products?
No, network anti-malware products are still useful for detecting and
blocking known malware. For example, the Blue Coat Content Analysis
System provides comprehensive whitelisting and dual network anti-virus
engines for comprehensive malware blocking. But ThreatBLADES scan
all protocols for malware and indicators of compromise, broker unknown
files to the Malware Analysis Appliance for examination, and provide
associated information about known and newly-analyzed malware so
attacks can be analyzed and reconstructed by the Security Analytics
Platform.
Can the Malware Analysis Appliance be used without
ThreatBLADES?
Yes, the Malware Analysis Appliance can be deployed without
ThreatBLADES. But automated file brokering and pre-filtering, which
are provided by ThreatBLADES and by the Content Analysis System,
make sandboxing more efficient by allowing the sandboxing product to
evaluate only unknown files. Also, ThreatBLADES automatically integrate
output from the Malware Analysis Appliance with the analysis and
forensics capabilities of the Security Analytics Platform.
What is the relationship between WebThreat BLADE
and Blue Coat WebPulse?
The WebThreat BLADE is part of the Security Analytics Platform. It relies
on Blue Coat WebPulse, a part of the Global Intelligence Network, for
comprehensive real-time cloud-based threat intelligence. WebPulse
provides real-time threat intelligence from Blue Coat customers about
URL categories and malicious IP addresses and URL links.
Can ThreatBLADES be deployed on all form factors of
the Security Analytics Platform?
Yes, ThreatBLADES can be deployed on the physical appliance, virtual
appliance and software versions of the Security Analytics Platform.
Is ProxySG needed to use ThreatBLADES?
No, ThreatBLADES and the Security Analytics Platform can be used without a ProxySG appliance (Figure 8a). Many other configurations are possible, including ThreatBLADES and the Security Analytics Platform deployed with the Blue Coat SSL Visibility Appliance and the Malware Analysis Appliance (Figure 8b), or as part of a comprehensive Advanced Threat Protection Lifecycle Defense that includes ProxySG and Content Analysis System appliances (Figure 8c).
Figure 8: ThreatBLADES and the Security Analytics Platform can be deployed with other Blue Coat solutions in many configurations. Components shown: (A) web server, LB/WCCP, Blue Coat ThreatBLADES on the Security Analytics Platform, internal network, Blue Coat Global Intelligence Network; (B) web server, SSL Visibility Appliance, Blue Coat ThreatBLADES on the Security Analytics Platform, internal network, Malware Analysis Appliance, Blue Coat Global Intelligence Network; (C) web server, SSL Visibility Appliance, LB/WCCP, ProxySG, Blue Coat ThreatBLADES on the Security Analytics Platform, internal network, Malware Analysis Appliance, Content Analysis System, Blue Coat Global Intelligence Network.
Blue Coat Systems Inc.
www.bluecoat.com
Corporate Headquarters
Sunnyvale, CA
+1.408.220.2200
© 2014 Blue Coat Systems, Inc. All rights reserved. Blue Coat, the Blue
Coat logos, ProxySG, PacketShaper, CacheFlow, IntelligenceCenter,
CacheEOS, CachePulse, Crossbeam, K9, the K9 logo, DRTR, Mach5,
Packetwise, Policycenter, ProxyAV, ProxyClient, SGOS, WebPulse,
Solera Networks, the Solera Networks logos, DeepSee, “See Everything.
Know Everything.”, “Security Empowers Business”, and BlueTouch are
registered trademarks or trademarks of Blue Coat Systems, Inc. or its
affiliates in the U.S. and certain other countries. This list may not be
complete, and the absence of a trademark from this list does not mean it
is not a trademark of Blue Coat or that Blue Coat has stopped using the
trademark. All other trademarks mentioned in this document owned by
third parties are the property of their respective owners. This document is
for informational purposes only. Blue Coat makes no warranties, express,
implied, or statutory, as to the information in this document. Blue Coat
products, technical services, and any other technical data referenced
in this document are subject to U.S. export control and sanctions laws,
regulations and requirements, and may be subject to export or import
regulations in other countries. You agree to comply strictly with these
laws, regulations and requirements, and acknowledge that you have the
responsibility to obtain any licenses, permits or other approvals that may
be required in order to export, re-export, transfer in country or import after
delivery to you.
v.WP-SECURITY-ANALYTICS-REAL-TIME-PROTECTION-EN-v1e-0714
EMEA Headquarters
Hampshire, UK
+44.1252.554600
APAC Headquarters
Singapore
+65.6826.7000