Transcript of REVOLUTIONIZING ADVANCED THREAT PROTECTION

Page 1

REVOLUTIONIZING ADVANCED THREAT PROTECTION
A NEW, MODERN APPROACH
Blue Coat Advanced Threat Protection Group
GRANT ASPLUND, Senior Technology Evangelist

Page 3

EVOLVING LANDSCAPE OF MODERN THREATS

TODAY’S ADVANCED THREAT LANDSCAPE

Page 5

IMPROVED: Smarter | Faster | Stronger

• Rootkits
• Virtual machine detection
• Line-by-line debugger detection
• Re-writes host file
• Multi-packed, one time, encrypted
• Fuzzing
• Reverse Engineering
• Code Auditing

Page 8

TOTAL NUMBER OF NEW TABLET DEVICES RELEASED IN 2013

Page 9

TODAY’S ENTERPRISE USER

Average Number of Personal Mobile Devices Used for Work By Enterprise Employees.

Page 10

TODAY’S SURFACE AREA

Page 11

WHY A MODERN APPROACH

Page 12

POST-PREVENTION SECURITY GAP

Threat Actors: Nation States, Cybercriminals, Hacktivists, Insider Threats

Signature-based Security Picket Fence: Host AV, NGFW, IDS/IPS, DLP, SIEM, Email Gateway, Web Application Firewall, Web Gateway

Traditional Threats: Known Threats, Known Malware, Known Files, Known IPs/URLs

Advanced Threats: Novel Malware, Zero-Day Threats, Targeted Attacks, Modern TTPs

Modern, Post-Prevention Security:

• Context
• Content
• Visibility
• Detection
• Intelligence

Page 13

THE WINDOW OF OPPORTUNITY

Initial Attack to Compromise: Seconds 11%, Minutes 13%, Hours 60%, Days 13%, Weeks 2%. Callout: 84% (seconds, minutes and hours combined).

Initial Compromise to Discovery: Hours 9%, Days 11%, Weeks 12%, Months 62%, Years 4%. Callout: 78% (weeks, months and years combined).

Page 14

Proof of the Problem

Page 15

CURRENT SOLUTIONS OPERATE IN SILOS

Technology and Organizational Silos Limit Current Defenses

Page 16

DREADED QUESTIONS FROM CISO

Who did this to us?

How did they do it?

What systems and data were affected?

Can we be sure it is over?

Can it happen again?

Page 17

PROTECTING AGAINST ADVANCED THREATS WITH CRIME

‘CRIME’ METHODOLOGY: Context, Root Cause, Impact, Mitigation, Eradication

• Faster time-to-action
• Faster time-to-react/respond
• Greater ability to reduce/minimize/eliminate impact!

Page 18

SECURITY SHIFTS TO SWIFT RESPONSE

Percentage of Enterprise IT Security Budgets Allocated to Rapid Response Approaches by 2020. — Gartner 2013

Page 19

ADVANCED THREAT PROTECTION USE CASES

Who? When? What? Where? How? Target(s)? Who Else? Is It Over? What Else? How Long?

• Continuous Monitoring
• Situational Awareness
• Incident Response
• Data Loss Monitoring & Analysis
• Policy Compliance
• Cyber Threat Protection

Page 20

MODERN COUNTER-MEASURES

Page 21

SITUATION

BIG DATA SECURITY IS HERE – Volume, velocity and variety

WHAT KEPT US SECURE – Has stopped working

GOOD OR BAD SECURITY – Is irrelevant with an attacker’s resources & motivation

MODERN ADVANCED THREAT PROTECTION – Is the new imperative

Page 22

POSITION

“Fixed fortifications are monuments to man’s stupidity.” — General George S. Patton

Page 23

BUSINESS ASSURANCE TECHNOLOGY

Security & Policy Enforcement Center: Web Gateway & Orchestration (SWG), Web & Network Protection, SSL Interception, Web Gateway

Mobility Empowerment Center: Mobile Expander, Mobile Protection

Trusted Applications Center: Application Management, Business Application Enablement

Performance Center: WAN/Video Optimization, Cache optimization, Shaping

Resolution Center: Vulnerability Expertise Services, Case Analyst Workflow, Reporting and Management

Cloud Mobility

Security Analytics Platform by Solera (formerly DeepSee)

Business Assurance Platform:

• Cloud
• 15,000 Customers
• 80M Users
• VM, Appliance, X-Beam platforms
• 33 Worldwide PoPs
• 84% of Fortune 500, 90% FedGov

Blue Coat Advanced Threat Protection: ThreatBLADES (WebThreat, MailThreat, FileThreat), ATP Suite, Custom Analytics, Malware Analysis, SSL Visibility, Content Analysis System

Page 24

MODERN ADVANCED THREAT PROTECTION

Complete Web Control: Web Security, Content Analysis, Real-time Blocking

Advanced Malware Detection: White/Blacklists, Sandboxing, Feeds

Visual Insight: Context, Real-time Awareness, IOCs, Alerts

Full Packet Capture: Layer 2 – 7 Indexing & Classification

Layers: Threat Intelligence; Security Visibility; Big Data Security Analytics; Blocking and Enforcement; Network Effect Integration Layer

Page 25

MODERN ADVANCED THREAT PROTECTION

Security Visibility

• Full packet capture

• Layers 2-7 indexing

• Deep packet inspection

• Session reconstruction

• Scalability and performance

• Single pane-of-glass

Page 26

MODERN ADVANCED THREAT PROTECTION

Big Data Security Analytics

• Heuristic detection

• Statistical analysis

• Inferential reporting

• Context-aware analysis

• IOC’s & TTP’s

• Visual insight


Page 27

MODERN ADVANCED THREAT PROTECTION

Threat Intelligence

• Real-time white/black lists

• Sandbox detonation

• On-premises or cloud-based

• External data enrichment

• Dynamic Intelligence Cloud

• Machine-learning architecture


Page 28

MODERN ADVANCED THREAT PROTECTION

Blocking and Enforcement

• Scan, block and cache

• Inline AV with feedback loop

• Obscure sensitive data or block

• Web and application controls

• Best-of-breed perimeter blocking

• Granular customization


Page 29

MODERN ADVANCED THREAT PROTECTION

Network Effect Integration Layer

Network Effect and Integration Deliver:

• Security Ecosystem
• Context-Aware Security
• Adaptive Security
• Enhance existing investments
• Integrated workflow automation

Page 30

BLUE COAT ADVANCED THREAT PROTECTION: THE SECURITY CAMERA FOR YOUR NETWORK

Turning Complexity into Context

• Real-time & Retrospective Analysis & Resolution
• Simple, Flexible & Extensible
• Full Visibility: Before, During & After the Attack
• Big Data Security Analytics: Collect, Analyze & Store
• Threat Intelligence: Web, File, Email & Malware Reputation

Page 31

Advanced Threat Protection: Improving Real-World Use Cases

INTEGRATED ECOSYSTEM: Situational Awareness, Incident Response, Policy & ITGRC, Data Loss Monitoring & Analysis, Advanced Malware Detection, Continuous Monitoring

ANALYTICS AND INTELLIGENCE
• Collect & Warehouse
• Investigate
• Alert & Report

ENRICHMENT
• Technology Partners
• File Analysis & IP Reputation
• Malware Sandboxing

FLEXIBLE FORM FACTORS
• Hardware
• Software
• Virtual Machines

Web Control and Security Enforcement

Page 32

BLUE COAT THREATBLADES

Three new ThreatBLADES for unbeatable Advanced Threat Protection…

Page 33

WEB, MAIL & FILE THREAT IDENTIFICATION

WebThreat BLADE inspects all HTTP or HTTPS traffic and identifies malicious communications and files.

FileThreat BLADE inspects all FTP and SMB traffic for malicious communications and files.

MailThreat BLADE inspects all SMTP, POP3 and IMAP traffic for malicious communications and files.

If no clear verdict on content, suspicious files are delivered to a hybrid sandbox (Malware Analysis Appliance) for analysis.

Page 34

SIEM = PHONE BILL

Page 35

IPS = SINGLE FRAME

Page 36

ADVANCED THREAT PROTECTION LIFECYCLE DEFENSE

GLOBAL INTELLIGENCE NETWORK

Ongoing Operations (Detect & Protect): Block All Known Threats

Incident Containment (Analyze & Mitigate): Novel Threat Interpretation

Incident Resolution (Investigate & Remediate Breach): Threat Profiling & Eradication

Security & Policy Enforcement Center: ProxySG & SG-VA, Web Security Service, WebFilter, Content Analysis, Malware Analysis, SSL Visibility, DLP, FW/IDS on X-Series

Resolution Center: Reporter SW, Reporter Service, Intelligence Center, Advanced Threat Protection Appliance

• Now known threats blocked at gateway
• Fewer threats to contain and resolve
• Increased system performance through fewer malware scans
• More robust threat analysis with fewer false positives
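The verdict cascade that runs through the deck (real-time white/black lists and sandbox detonation on the Threat Intelligence slide, the inline feedback loop on the Blocking and Enforcement slide, the three ThreatBLADES handing files with no clear verdict to a sandbox, and the lifecycle outcome that known threats are then blocked at the gateway with fewer malware scans) can be made concrete in a small program. The code below is an added example written for this transcript, not Blue Coat's or Solera's code; the protocol-to-blade dictionary, the `VerdictEngine` class, the marker string and the `simulated_sandbox` stand-in are all constructed for illustration.

```python
"""Added example, not Blue Coat code: the file-verdict cascade the slides describe.
Known-good/known-bad hash lists are consulted first, a sandbox is used only when the
lists give no clear verdict, and the sandbox's answer is written back to the lists so
the gateway blocks repeat sightings inline. Protocol names, the marker string and the
simulated sandbox are constructed for this illustration."""

import hashlib
from dataclasses import dataclass, field
from typing import Callable, Optional, Set, Tuple

# Protocol-to-blade mapping as described on the "Web, Mail & File Threat
# Identification" slide (the blade names are the deck's; the dict is ours).
BLADE_BY_PROTOCOL = {
    "http": "WebThreat", "https": "WebThreat",
    "ftp": "FileThreat", "smb": "FileThreat",
    "smtp": "MailThreat", "pop3": "MailThreat", "imap": "MailThreat",
}

Sandbox = Callable[[bytes], Optional[str]]  # returns "malicious", "benign" or None


def simulated_sandbox(content: bytes) -> Optional[str]:
    """Constructed stand-in for a detonation sandbox. A real one executes the sample
    in an instrumented VM; this one keys on a marker string purely for the demo."""
    if not content:
        return None  # nothing to detonate: inconclusive
    return "malicious" if b"CONSTRUCTED-MALICIOUS-MARKER" in content else "benign"


@dataclass
class VerdictEngine:
    allow: Set[str] = field(default_factory=set)  # SHA-256 of known-good content
    deny: Set[str] = field(default_factory=set)   # SHA-256 of known-bad content
    sandbox: Sandbox = simulated_sandbox
    detonations: int = 0                          # how often the slow path ran

    def verdict(self, content: bytes) -> str:
        """Fast path: list lookup. Slow path: sandbox, with the result fed back."""
        digest = hashlib.sha256(content).hexdigest()
        if digest in self.deny:
            return "block"
        if digest in self.allow:
            return "allow"
        # No clear verdict from the lists: deliver the file to the sandbox.
        self.detonations += 1
        result = self.sandbox(content)
        if result == "malicious":
            self.deny.add(digest)   # feedback loop: next sighting is blocked inline
            return "block"
        if result == "benign":
            self.allow.add(digest)  # known-good content skips the sandbox next time
            return "allow"
        return "hold"               # sandbox inconclusive: quarantine for an analyst

    def triage(self, protocol: str, content: bytes) -> Tuple[str, str]:
        """Route a captured file to the blade covering its protocol, then judge it.
        Traffic on a protocol no blade inspects is reported, not silently allowed."""
        blade = BLADE_BY_PROTOCOL.get(protocol.lower())
        if blade is None:
            return ("none", "uninspected")
        return (blade, self.verdict(content))


if __name__ == "__main__":
    engine = VerdictEngine()
    sample = b"MZ..." + b"CONSTRUCTED-MALICIOUS-MARKER"  # constructed sample
    print(engine.triage("https", sample))      # ('WebThreat', 'block') via the sandbox
    print(engine.triage("smtp", sample))       # ('MailThreat', 'block') from the deny list
    print("detonations:", engine.detonations)  # 1: the second sighting never hit the sandbox
```

The second sighting of the same file, arriving over a different protocol, is blocked from the deny list without another detonation, which is the "fewer malware scans" outcome the lifecycle slide claims; an inconclusive sandbox result is held rather than allowed, so the gap between the lists and the sandbox does not default open.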

Page 38

OVERSTOCK.COM

“…using root cause analysis from Solera Networks, we were able to pinpoint how the exploit occurred, understand the full scope of the problem, and completely prevent that exploit from ever happening again…” – Overstock.com

REQUIREMENTS
• Identify attacks that passed preventative controls
• Remediate all infected systems quickly
• Ensure that preventative controls are working

SOLUTION
• Deployed various Solera Security Analytics form factors
• Built an IR process around Solera Security Analytics
• Integrated Solera with log management and IPS

VALUE
• Identified nefarious activity sourced from inside and outside the network
• Pinpointed “all” compromised systems through root cause analysis
• Conducted assurance testing on preventative controls by replaying malicious packets on a shadow network

Page 39

US COAST GUARD

REQUIREMENTS
• Enhance threat detection
• Reduce threat acquisition window
• Improve team effectiveness

SOLUTION
• Integrated with existing McAfee NSM (IPS) solution
• Employed 100% data capture
• Built custom reports for rapid analysis

VALUE
• Reduced threat identification time by 60%
• Reduced threat remediation time by 75%
• Allowed for more unified threat management across disparate, internal teams through the use of reporting

Page 40

JEFFERIES GLOBAL INVESTMENT BANKING

REQUIREMENTS
• Streamline monitoring of a dozen international locations
• Provide workflow that supports multiple analysts
• Integrate with FireEye and Blue Coat ProxySG, WebPulse & SSL Visibility

SOLUTION
• Consolidated incident detection and response
• Supported several months of packet and metadata retention
• Improved ROI & ROSI through integration

VALUE
• Improved incident responder workflow with reduced response times
• Leveraged fewer FTEs for tactical analysis: strategically repurpose other FTEs
• Achieved holistic visibility across network traffic, users and data (files, IM, voice, etc.)

Page 41

US AIR FORCE

REQUIREMENTS
• Monitor all major Internet gateways
• Support over 50 concurrent analysts with disparate privileges/visibility
• Use APIs to integrate with COTS, GOTS, and open source security solutions

SOLUTION
• Provided tiered, centralized management
• Supported lossless capture on multiple 10 gigabit networks
• Integrated with 3rd party solutions such as ArcSight

VALUE
• Deployed with 100% situational awareness with a small (green) footprint
• Utilized RBAC via LDAP for granular access control
• Passed multiple, stringent military testing and certification criteria
• Replaced incumbent solution based on scalability, capability and footprint

Page 42

READING

GET YOUR COPY! www.bluecoat.com/atplifecycle

Page 44

Grant Asplund 206-612-8652

[email protected]

Twitter: @gasplund

LinkedIn: http://www.linkedin.com/in/grantasplund/

THANK YOU!