Bcs RA Security Analytics Platform May 2014

Page 1: Bcs RA Security Analytics Platform May 2014

8/11/2019 Bcs RA Security Analytics Platform May 2014

http://slidepdf.com/reader/full/bcs-ra-security-analytics-platform-may-2014 1/7

Slide 1

Copyright © 2013 Blue Coat Systems Inc. All Rights Reserved. Blue Coat Confidential – For Internal and Official Channel Partner Use Only

SECURITY ANALYTICS PLATFORM REFERENCE ARCHITECTURE


Slide 2

SECURITY ANALYTICS PLATFORM: FUNCTIONS

[Diagram: four functional areas and their components]

Data – Full Packet Capture; Layer 2-7 Indexing / Classification; Patented Database; Full Session Reconstruction

Enrich – Web, Mail and File ThreatBLADES (Pattern Matching, Anomaly Detection, White/Black Lists); Malware Analysis; Global Intelligence Network; Integrated Workflow

Analyze – Visual Insight; Advanced Reporting; Statistical Analysis (Roadmap)

Action – Alerts and Logging; Detect and Block; File Brokering; Feedback Loop

Last Updated: 20.12.2013

Data – The process of capturing, indexing, storing and extracting files and sessions

• Full Packet Capture – All traffic is recorded from a monitoring point

• Layer 2-7 Index and Classification – Packets are passed through the DPI engine as they arrive for classification and metadata extraction

• Patented Database – All captured traffic is warehoused to disk using a highly optimized storage method

• Full Session Reconstruction – Complete session reconstruction, including emails, IM and web transactions

Enrich – Taking the extracted data and determining what is already known about the artifacts, both good and bad

• Web, Mail and File ThreatBLADES – Threat intelligence on IPs/URLs, files and emails, plus forwarding of suspicious files crossing all major transport protocols to a Blue Coat or third-party sandbox

• Malware Analysis – Known-virus lookups, plus hand-off of potentially malicious content in HTTP, SMTP and FTP to the MAA for zero-day malware analysis

• Pattern Matching, Anomaly Detection, White/Black Lists – Known malware signatures, inspection of traffic for deviations from expected protocol behaviour, and white and black lists of files, IP addresses and domains, all used to analyze potential threats

• Integrated Workflow – Direct pivoting from the IPS, sandbox or NGFW into full enrichment of security events

• Global Intelligence Network – The Blue Coat GIN, continuously updated with the network effect of 75M users, used to analyze known malware, bad domains and suspicious IP addresses

Analyze – Using the UI to view reports and visualize the data

• Visual Insight – Graphs, charts and lists that present data selected by user-defined criteria

• Advanced Reporting – Detailed reports on many of the protocols and metadata; reports can be run by a user or automated

• Statistical Analysis – Visual statistics and baseline comparisons (Roadmap)

Action – Post-processing of data: alert, block and inform

• Alerts and Logging – The UI can display alerts, emails can be sent, or syslog/CEF events can be sent to a SIEM

• Detect and Block – Detected threats can be shared with the Global Intelligence Network so that other Blue Coat devices are updated to block the traffic

• File Brokering – The SA device can be configured to broker files using real-time file extraction

• Feedback Loop – Information sent out and shared can in turn be ingested by the system for proactive defense measures


Slide 3

SECURITY ANALYTICS PLATFORM: DATA & WORKFLOW

[Diagram: data flow from the Internet through the SSL Visibility Appliance and ProxySG into the Security Analytics Platform]

Security Analytics Platform stages – Capture / Classify; Enrich (Standard Threat Intelligence; ThreatBLADES: Web, Mail, File, Malware Analysis Appliance*); Detect & Analyze; Alert / Report / Update (Email Alerts; SYSLOG / CEF / LEEF)

Surrounding components – Global Intelligence Network; Content Analysis with Malware Analysis Appliance*; Integrated Ecosystem – NGFW, IPS, SIEM & Third-Party Sandbox

* The same Malware Analysis Appliance is used by both CAS and the Security Analytics Platform

Last Updated: 20.12.2013

Internet – Packets for analysis are generated from a source; the diagram shows the Internet, but any point in a network that can provide a SPAN/TAP port can be monitored

ProxySG – The main blocking device in the Blue Coat product portfolio, used in ATP for blocking as well as for web security

SSL Visibility – SSL decryption is key to getting all packets to the Security Analytics Platform so that it can perform L2-L7 analysis and provide threat intelligence on all of the traffic

Classify/Index/Store – As packets arrive they are run through the DPI engine. This process indexes the traffic, classifies it and stores it appropriately on the file system

Enrich – Enrichment runs metadata and artifacts through the rules defined on the system. These rules either perform matching on metadata attributes or hand the data off for further analysis of the traffic and artifacts. While there are many different types of enrichment, they mainly fall into two categories:

Standard Threat Intelligence – The default analytics use open-source and third-party integrations. Part of this enrichment includes running file hashes against VirusTotal, checking against Bit9's whitelist, and querying SANS ISC threat information

ThreatBLADES – An additionally licensed component that examines traffic for web threats, email threats, file threats or zero-day malware, with further blades planned

Detect and Analyze – This process covers both the automated and the manual analysis on the system. The analytics side means using the UI to search through traffic, look at dashboards and reports, run manual threat analysis, and use the root cause feature to trace back events. Detect and Analyze is also used to provide complete incident resolution. Detection also includes creating standard and custom favorites, which are used in security policies and rules

Report/Alert/Update – Based on information generally determined during the enrichment phase, the system generates alerts. These alerts are displayed locally in the UI, but they can also be sent via syslog/CEF/LEEF to a SIEM or other log management device, or by email. Reports can be sent out based on the general traffic information found under the Reporting tab. The system updates its own analytics engine based on results, and the information can also be sent as an update to WebPulse
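The two stages just described, hash-based enrichment of extracted files (the role VirusTotal and the Bit9 whitelist play in the Standard Threat Intelligence bullet) and emission of alerts as CEF lines for syslog forwarding to a SIEM (the Report/Alert/Update bullet), are illustrated below in a small Python example. This is an added example and not Blue Coat code: the local known-good and known-bad hash sets stand in for the external lookups, the vendor/product names, signature ID and `cs1` "reason" field in the CEF header are placeholders chosen here, and every file body, address and hash is constructed for the example. The escaping rules follow the CEF format (backslash and pipe escaped in header fields; backslash, equals sign and newline escaped in extension values).

```python
"""Added example (not Blue Coat code): local hash-list enrichment of extracted
file artifacts and emission of CEF alerts for syslog forwarding to a SIEM.
The known-good / known-bad sets stand in for the Bit9 whitelist and VirusTotal
lookups the notes describe; every hash, address and file body is constructed."""

import hashlib
from dataclasses import dataclass


@dataclass(frozen=True)
class Artifact:
    """A file extracted from a reconstructed session (constructed sample)."""
    name: str
    data: bytes
    src: str    # client address
    dst: str    # server address
    proto: str  # transport the file crossed (HTTP, SMTP, FTP, ...)

    @property
    def sha256(self) -> str:
        return hashlib.sha256(self.data).hexdigest()


# Constructed intelligence: hashes are derived from the sample bodies at run time
# so the lists stay consistent with the artifacts below.
KNOWN_GOOD = {hashlib.sha256(b"trusted installer body").hexdigest()}
KNOWN_BAD = {
    hashlib.sha256(b"malicious dropper body").hexdigest(): "Trojan.Example.Dropper",
}


def enrich(art: Artifact) -> dict:
    """Attach a verdict to an artifact. The whitelist is consulted first so a
    known-good file never raises an alert; files with no intelligence at all are
    flagged as sandbox candidates rather than silently ignored."""
    h = art.sha256
    if h in KNOWN_GOOD:
        return {"verdict": "allowed", "reason": "whitelist match"}
    if h in KNOWN_BAD:
        return {"verdict": "malicious", "reason": KNOWN_BAD[h]}
    return {"verdict": "unknown", "reason": "no intelligence; sandbox candidate"}


def cef_header(value: str) -> str:
    """Escape a CEF header field: backslash and pipe are the special characters."""
    return value.replace("\\", "\\\\").replace("|", "\\|")


def cef_ext(value: str) -> str:
    """Escape a CEF extension value: backslash, equals sign and newlines."""
    return (value.replace("\\", "\\\\").replace("=", "\\=")
                 .replace("\r", "").replace("\n", "\\n"))


def to_cef(art: Artifact, verdict: dict) -> str:
    """Render one alert as a CEF:0 line (vendor, product, version and signature
    ID are placeholders chosen for this example)."""
    header = "|".join(cef_header(f) for f in (
        "CEF:0", "ExampleVendor", "ArtifactEnricher", "1.0",
        "100", "Malicious file observed", "8"))
    ext = {
        "src": art.src, "dst": art.dst, "app": art.proto,
        "fname": art.name, "fileHash": art.sha256,
        "cs1Label": "reason", "cs1": verdict["reason"],
    }
    return header + "|" + " ".join(f"{k}={cef_ext(v)}" for k, v in ext.items())


def process(artifacts) -> list:
    """Enrich every artifact and return CEF lines for the malicious ones."""
    alerts = []
    for art in artifacts:
        verdict = enrich(art)
        if verdict["verdict"] == "malicious":
            alerts.append(to_cef(art, verdict))
    return alerts


SAMPLE = [  # constructed session artifacts
    Artifact("setup.exe", b"trusted installer body", "10.0.0.5", "203.0.113.10", "HTTP"),
    Artifact("invoice.pdf", b"malicious dropper body", "10.0.0.7", "198.51.100.4", "SMTP"),
    Artifact("notes.txt", b"nothing known about this", "10.0.0.9", "192.0.2.20", "FTP"),
]

if __name__ == "__main__":
    for line in process(SAMPLE):
        print(line)
```

Running the block prints one CEF line for the SMTP-borne dropper; the whitelisted installer is suppressed and the unknown file is left for sandbox hand-off, which is the ordering a defender wants so that a collision between lists never produces a false alert on a trusted binary.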

Global Intelligence Network – A cloud portal containing threat information that is shared and read by users. This information is used by the ThreatBLADES, and based on detections within a Solera system it may be shared with the global community.


Slide 4

SECURITY ANALYTICS PLATFORM: TOPOLOGY

[Diagram: enterprise topology]

Perimeter – Internet; Firewall; SSL Visibility Appliance; ProxySG (three units); Content Analysis System; Malware Analysis Appliance

Big Data Security Analytics Platform – Security Analytics Appliance; Security Analytics Virtual Appliance; Security Analytics Software on Certified Hardware; Storage; Security Analytics Central Manager; Blue Coat ThreatBLADES

External – Global Intelligence Network; SIEM

Last Updated: 20.12.2013

This network topology shows all the components of advanced threat protection deployed in an enterprise network. The Security Analytics Platform is also deployed in the internal network, not just at the perimeter.
