Post on 28-Feb-2018
transcript
REVOLUTIONIZING ADVANCED THREAT PROTECTION: A NEW, MODERN APPROACH
Blue Coat Advanced Threat Protection Group
Grant Asplund, Senior Technology Evangelist
EVOLVING LANDSCAPE OF MODERN THREATS
TODAY'S ADVANCED THREAT LANDSCAPE: IMPROVED (Smarter | Faster | Stronger)
Modern malware evasion and anti-analysis techniques shown on the slide:
• Rootkits
• Virtual machine detection
• Line-by-line debugger detection
• Re-writes host file
• Multi-packed, one-time, encrypted
• Fuzzing
• Reverse engineering
• Code auditing
Average number of personal mobile devices used for work by enterprise employees (figure not preserved in the transcript).
TODAY’S ENTERPRISE USER
POST-PREVENTION SECURITY GAP
Threat actors: Nation States, Cybercriminals, Hacktivists, Insider Threats
Signature-based Security Picket Fence: Host AV, NGFW, IDS/IPS, DLP, SIEM, Email Gateway, Web Application Firewall, Web Gateway
Traditional Threats: Known Threats, Known Malware, Known Files, Known IPs/URLs
Advanced Threats: Novel Malware, Zero-Day Threats, Targeted Attacks, Modern TTPs
Modern, Post-Prevention Security:
• Context
• Content
• Visibility
• Detection
• Intelligence
THE WINDOW OF OPPORTUNITY

Initial Attack to Compromise (84% highlighted for seconds through hours):
| Timeframe | Share |
|-----------|-------|
| Seconds   | 11%   |
| Minutes   | 13%   |
| Hours     | 60%   |
| Days      | 13%   |
| Weeks     | 2%    |

Initial Compromise to Discovery (78% highlighted for weeks, months and years):
| Timeframe | Share |
|-----------|-------|
| Hours     | 9%    |
| Days      | 11%   |
| Weeks     | 12%   |
| Months    | 62%   |
| Years     | 4%    |
CURRENT SOLUTIONS OPERATE IN SILOS
Technology and Organizational Silos Limit Current Defenses
DREADED QUESTIONS FROM THE CISO
Who did this to us?
How did they do it?
What systems and data were affected?
Can we be sure it is over?
Can it happen again?
PROTECTING AGAINST ADVANCED THREATS WITH CRIME
'CRIME' METHODOLOGY: Context, Root Cause, Impact, Mitigation, Eradication
• Faster time-to-action
• Faster time-to-react/respond
• Greater ability to reduce/minimize/eliminate impact!
Percentage of enterprise IT security budgets allocated to rapid response approaches by 2020 (Gartner 2013; figure not preserved in the transcript).
SECURITY SHIFTS TO SWIFT RESPONSE
ADVANCED THREAT PROTECTION USE CASES
Who? When? What? Where? How? Target(s)? Who Else? Is It Over? What Else? How Long?
• Continuous Monitoring
• Situational Awareness
• Incident Response
• Data Loss Monitoring & Analysis
• Policy Compliance
• Cyber Threat Protection
SITUATION
BIG DATA SECURITY IS HERE – Volume, velocity and variety
WHAT KEPT US SECURE – Has stopped working
GOOD OR BAD SECURITY – Is irrelevant with an attacker’s resources & motivation
MODERN ADVANCED THREAT PROTECTION – Is the new imperative
POSITION
"Fixed fortifications are monuments to man's stupidity." – General George S. Patton
BUSINESS ASSURANCE TECHNOLOGY
• Security & Policy Enforcement Center: Web Gateway & Orchestration (SWG), Web & Network Protection, SSL Interception
• Mobility Empowerment Center: Web Gateway, Mobile Expander, Mobile Protection
• Trusted Applications Center: Application Management, Business Application Enablement
• Performance Center: WAN/Video Optimization, Cache optimization, Shaping
• Resolution Center: Vulnerability Expertise Services, Case Analyst Workflow, Reporting and Management
Cloud Mobility
Security Analytics Platform by Solera (formerly DeepSee)
Business Assurance Platform:
• Cloud
• 15,000 Customers
• 80M Users
• VM, Appliance, X-Beam platforms
• 33 Worldwide PoPs
• 84% of Fortune 500, 90% FedGov
Blue Coat Advanced Threat Protection ThreatBLADES: WebThreat, MailThreat, FileThreat
ATP Suite: Custom Analytics, Malware Analysis, SSL Visibility, Content Analysis System
MODERN ADVANCED THREAT PROTECTION
• Complete Web Control: Web Security, Content Analysis, Real-time Blocking
• Advanced Malware Detection: White/Blacklists, Sandboxing, Feeds
• Visual Insight: Context, Real-time Awareness, IOCs, Alerts
• Full Packet Capture: Layer 2 – 7 Indexing & Classification
Architecture layers: Threat Intelligence, Security Visibility, Big Data Security Analytics, Blocking and Enforcement, Network Effect Integration Layer
MODERN ADVANCED THREAT PROTECTION
Security Visibility
• Full packet capture
• Layers 2-7 indexing
• Deep packet inspection
• Session reconstruction
• Scalability and performance
• Single pane-of-glass
Big Data Security Analytics
• Heuristic detection
• Statistical analysis
• Inferential reporting
• Context-aware analysis
• IOCs & TTPs
• Visual insight
MODERN ADVANCED THREAT PROTECTION
Threat Intelligence
• Real-time white/black lists
• Sandbox detonation
• On-premises or cloud-based
• External data enrichment
• Dynamic Intelligence Cloud
• Machine-learning architecture
MODERN ADVANCED THREAT PROTECTION
Blocking and Enforcement
• Scan, block and cache
• Inline AV with feedback loop
• Obscure sensitive data or block
• Web and application controls
• Best-of-breed perimeter blocking
• Granular customization
MODERN ADVANCED THREAT PROTECTION
Network Effect and Integration Deliver:
• Security Ecosystem
• Context-Aware Security
• Adaptive Security
• Enhance existing investments
• Integrated workflow automation
MODERN ADVANCED THREAT PROTECTION
Real-time & Retrospective Analysis & Resolution
Simple, Flexible & Extensible
BLUE COAT ADVANCED THREAT PROTECTION: THE SECURITY CAMERA FOR YOUR NETWORK
Turning Complexity into Context
• Full Visibility: Before, During & After the Attack
• Big Data Security Analytics: Collect, Analyze & Store
• Threat Intelligence: Web, File, Email & Malware Reputation
Advanced Threat Protection: Improving Real-World Use Cases
INTEGRATED ECOSYSTEM
Use cases: Situational Awareness, Incident Response, Policy & ITGRC, Data Loss Monitoring & Analysis, Advanced Malware Detection, Continuous Monitoring
ANALYTICS AND INTELLIGENCE
• Collect & Warehouse
• Investigate
• Alert & Report
ENRICHMENT
• Technology Partners
• File Analysis & IP Reputation
• Malware Sandboxing
FLEXIBLE FORM FACTORS
• Hardware
• Software
• Virtual Machines
Web Control and Security Enforcement
Three new ThreatBLADES for unbeatable Advanced Threat Protection…
BLUE COAT THREATBLADES
WEB, MAIL & FILE THREAT IDENTIFICATION
If there is no clear verdict on content, suspicious files are delivered to a hybrid sandbox (Malware Analysis Appliance) for analysis.
• WebThreat BLADE inspects all HTTP or HTTPS traffic and identifies malicious communications and files
• FileThreat BLADE inspects all FTP and SMB traffic for malicious communications and files
• MailThreat BLADE inspects all SMTP, POP3 and IMAP traffic for malicious communications and files
Components: Resolution Center, Reporter SW, Reporter Service, Intelligence Center, Advanced Threat Protection Appliance
• Incident Resolution: Investigate & Remediate Breach; Threat Profiling & Eradication
• Ongoing Operations: Detect & Protect; Block All Known Threats
• Incident Containment: Analyze & Mitigate; Novel Threat Interpretation
ADVANCED THREAT PROTECTION LIFECYCLE DEFENSE
GLOBAL INTELLIGENCE NETWORK
Security & Policy Enforcement Center: ProxySG & SG-VA, Web Security Service, WebFilter, Content Analysis, Malware Analysis, SSL Visibility, Content Analysis, DLP, FW/IDS on X-Series
Resolution Center: Reporter SW, Reporter Service, Intelligence Center, Advanced Threat Protection Appliance
• Now known threats are blocked at the gateway
• Fewer threats to contain and resolve
• Increased system performance through fewer malware scans
• More robust threat analysis with fewer false positives
OVERSTOCK.COM
"…using root cause analysis from Solera Networks, we were able to pinpoint how the exploit occurred, understand the full scope of the problem, and completely prevent that exploit from ever happening again...." – Overstock.com
REQUIREMENTS
• Identify attacks that passed preventative controls
• Remediate all infected systems quickly
• Ensure that preventative controls are working
SOLUTION
• Deployed various Solera Security Analytics form factors
• Built an IR process around Solera Security Analytics
• Integrated Solera with log management and IPS
VALUE
• Identified nefarious activity sourced from inside and outside the network
• Pinpointed "all" compromised systems through root cause analysis
• Conducted assurance testing on preventative controls by replaying malicious packets on a shadow network
US COAST GUARD
REQUIREMENTS
• Enhance threat detection
• Reduce threat acquisition window
• Improve team effectiveness
SOLUTION
• Integrated with existing McAfee NSM (IPS) solution
• Employed 100% data capture
• Built custom reports for rapid analysis
VALUE
• Reduced threat identification time by 60%
• Reduced threat remediation time by 75%
• Allowed for more unified threat management across disparate, internal teams through the use of reporting
JEFFERIES GLOBAL INVESTMENT BANKING
REQUIREMENTS
• Streamline monitoring of a dozen international locations
• Provide workflow that supports multiple analysts
• Integrate with FireEye and Blue Coat ProxySG, WebPulse & SSL Visibility
SOLUTION
• Consolidated incident detection and response
• Supported several months of packet and metadata retention
• Improved ROI & ROSI through integration
VALUE
• Improved incident responder workflow with reduced response times
• Leveraged fewer FTEs for tactical analysis: strategically repurpose other FTEs
• Achieved holistic visibility across network traffic, users and data (files, IM, voice, etc.)
US AIR FORCE
REQUIREMENTS
• Monitor all major Internet gateways
• Support over 50 concurrent analysts with disparate privileges/visibility
• Use APIs to integrate with COTS, GOTS, and open source security solutions
SOLUTION
• Provided tiered, centralized management
• Supported lossless capture on multiple 10 gigabit networks
• Integrated with 3rd party solutions such as ArcSight
VALUE
• Deployed with 100% situational awareness with a small (green) footprint
• Utilized RBAC via LDAP for granular access control
• Passed multiple, stringent military testing and certification criteria
• Replaced incumbent solution based on scalability, capability and footprint
Grant Asplund 206-612-8652
grant.asplund@bluecoat.com
Twitter: @gasplund
LinkedIn: http://www.linkedin.com/in/grantasplund/
THANK YOU!