SECURITY ANALYTICS FOR SECURITY OPERATION CENTER 2.0 A TECHNICAL OVERVIEW


BLUE COAT: SECURITY EMPOWERS BUSINESS

Blue Coat empowers enterprises to safely and securely choose the best applications, services, devices, data sources, and content the world has to offer, so they can create, communicate, collaborate, innovate, execute, compete, and win in their markets. Blue Coat has a long history of protecting organizations, their data and their employees, and is the trusted brand to 15,000 customers worldwide, including 86 percent of the Fortune Global 500. With a robust portfolio of intellectual property anchored by more than 200 patents and patents pending, the company continues to drive innovations that assure business continuity, agility, and governance.

Platform by Blue Coat

Blue Coat provides the industry's leading security intelligence and analytics solution. Its award-winning Platform (formerly known as Solera DeepSee) levels the battlefield against advanced targeted attacks and zero-day malware. The Analytics Platform enables the security operations center to deliver clear and concise answers to the toughest security questions. The Platform is powered by next-generation deep-packet inspection and indexing technologies, full-packet capture, file brokering, and advanced malware analysis, as well as real-time threat intelligence and alerting capabilities.

Security operations centers at leading Global 2000 enterprises, cloud service providers and government agencies rely on the Analytics Platform for real-time situational awareness, security incident response, advanced malware detection, and data loss monitoring and analysis. In addition, the product provides organizational policy compliance and security assurance, empowering security operation centers in IT Governance and Risk and Compliance Management to detect and respond quickly and intelligently to advanced threats and targeted attacks, while also protecting critical information assets and minimizing exposure, loss, and business liabilities.
Blue Coat as Part of an Advanced Threat Protection Lifecycle Defense

Today's threat landscape is populated by increasingly sophisticated intrusions that take the form of advanced persistent threats, advanced targeted attacks, advanced malware, unknown malware and zero-day threats. Enterprises are experiencing material security breaches as a result of these attacks, because advanced security operations teams, as well as the defenses they deploy, operate in silos with no ability to share information across the entire security organization or environment. Consequently, there is a shift towards a new approach that integrates real-time protection, dynamic analysis, and post-breach investigation and remediation. This approach closes the gap that exists between ongoing security operations and incident discovery, containment, and resolution. The net result: your business can move beyond fear and start focusing on possibilities.

Blue Coat: Uniquely Capable of Addressing the Requirements

The Blue Coat Advanced Threat Protection solution integrates technologies from the Blue Coat Security and Policy Enforcement Center and the Resolution Center to deliver a comprehensive lifecycle defense that fortifies the network. The solution:

- Blocks known advanced persistent threats
- Proactively detects unknown and already-present malware
- Automates post-intrusion incident containment and resolution

This makes it possible for day-to-day security operations and advanced security teams to work together to protect and empower the business.

[Figure labels: Ongoing Operations (Detect & Protect; Block All Known Threats); Incident Containment (Analyze & Mitigate; Novel Threat Interpretation); Incident Resolution (Investigate & Remediate Breach; Threat Profiling & Eradication); Global Intelligence Network; SSL Visibility Appliance; ProxySG; SWG; Content Analysis System]

Blue Coat develops solutions that enable security operation centers to hasten this shift in the security paradigm. The Platform records and classifies every packet of network traffic from layer 2 through layer 7. The product indexes and stores all network data to provide 20:20 visibility of network events, all with clear, actionable intelligence. As a security camera for the network, the Platform supports swift and targeted responses to any threat or breach by providing a complete copy of all the traffic going in and out of the network, complete with reconstruction of the activity related to an event or breach.

Blue Coat Value Proposition

The award-winning Platform prepares organizations for advanced malware and targeted attacks by allowing security professionals to answer the most important post-breach questions, including the Who?, What?, When?, Where?, Why? and How? of a successful security breach.
The Platform delivers real-world use cases for next-generation security operation centers:

[Figure 2: Blue Coat Delivers Real World Use Cases. Panels: Situational Awareness; IT Governance, Risk Management and Compliance; Continuous Monitoring; Web Traffic Monitoring and Analysis; Data Loss Monitoring and Analysis; Advanced Malware Detection; Incident Response and Resolution]

[Figure 1: Blue Coat Advanced Threat Protection Lifecycle. Labels: Incident Containment; Platform with ThreatBLADES; Malware Analysis Appliance]

Overview

Organizations are losing the battle against advanced malware and targeted attacks. Sensitive data is being stolen and networks are successfully attacked every day. Security professionals have been blind to the activities of attackers on their networks and are realizing that their prevention-based technologies alone are unable to prevent security breaches, advanced malware, and zero-day attacks. That is why advanced threat detection, prevention, and preparedness have become urgent priorities as organizations accept the inevitability of successful security breaches. Security operation centers need to rely on new security technologies that allow them to gain real-time situational awareness, context, intelligence, and visibility. Blue Coat Analytics is needed not only to detect advanced threats but also to respond to major security events and attacks in a comprehensive way.

The Platform is the only solution capable of meeting the demands for high-performance networks operating at wire speeds. Its flexible, cost-effective options include:

- Software-only delivery to optimize TCO and minimize capital expenses

- Certified 10Gbps performance
- A patented database supporting 2M+ input/output operations per second (IOPS)
- Scalable storage options for very large deployments, scaling to multiple petabytes
- Application classification and discovery of more than 2000 applications
- Customizable analytics to meet specific requirements of any enterprise network
- Direct integration with best-of-breed security technologies such as NGFW, IPS, and SIEM to create a highly efficient security ecosystem

Global 2000 enterprises and government agencies use these military-grade solutions to save valuable time for incident response, provide detailed accounts of what information was exfiltrated and how, and protect intellectual property and the company's reputation from modern malware-based attacks. Understanding whether data has been compromised is an increasingly important component of complying with information security mandates. Customers who have Blue Coat products gain awareness of attacks and can respond swiftly and intelligently.

Product and Solution Overview

The patented architecture of the Platform enables open interoperability, extensible storage, and portability to any network, giving security operation centers flexible deployment options to leverage their existing investments.
Key products include:

- Software: Flexible software-only option to achieve high performance at a lower TCO and capital expense
- Appliances: Turn-key appliances with full network capture, classification, and indexing at up to 10Gbps with onboard storage up to 22TB, with a scalable architecture supporting multi-petabyte capacities
- Virtual Appliance: The only virtual security appliance in the market that provides complete visibility into all virtual traffic, supporting VMware ESX server environments
- Central Manager: A centralized platform that provides aggregated views from multiple security analytics sensors in a single pane of glass
- Storage Modules: Modular storage capacity modules to attain highly scalable retention of data on a single security analytics sensor

[Figure 3: Blue Coat Product Portfolio. Panels: Virtual Appliance (total network visibility, absolute flexibility); Central Manager (manage multiple appliances/VMs); Software (flexible and easy to deploy on leading platforms); Storage Modules (scale to any retention requirement or need); Appliances (comprehensive, pre-configured appliances, 2G and 10G)]

Context-aware Integration

Blue Coat products integrate with leading security solutions from HP ArcSight, Dell SonicWALL, FireEye, McAfee, Palo Alto Networks, Splunk, Sourcefire, and many others.

Why Security Analytics by Blue Coat?

Blue Coat differentiates itself from other security solutions in the following ways:

Application Identification with Advanced Deep Packet Inspection

Most enterprises have hundreds or thousands of applications running on their network, and their security operation centers are not fully aware of these applications. Security Analytics solutions from Blue Coat have the unique capability of not only classifying and identifying thousands of applications but also extracting attributes from them. The identification is based on stateful inspection of protocol conversations that yield precise classification with no false positives.
Furthermore, the advanced DPI engine extracts and indexes thousands of session-flow attributes, enabling efficient reports of all activity associated with any indicator. This ability gives IT organizations information on all applications running on their network and on which hosts, users, and artifacts are associated with them, revealing the complete context for any investigation.

Application security should be a top priority for any IT organization. A variety of applications, most commonly web applications, are used to penetrate and carry out advanced targeted attacks. The basic step of knowing all the applications in a network is critically important in protecting all the assets and critical information in an enterprise network. Security Analytics solutions deliver unrivaled and comprehensive application and protocol intelligence, enabling IT organizations to regain application control and security in their networks.

Threat Intelligence with Alerts and Services

The Actions and Alerts engine allows security professionals to automate the notification of targeted events in real time. Actions can be created for suspicious, malicious, or prohibited behavior, and the analyst will be notified immediately of violations. Analytics Actions and Alerts enables analysts to automate common tasks such as checking for traffic against a list of known bad websites, receiving notification of unknown applications on the network, or alerting about the presence of encrypted traffic on non-standard ports.

Blue Coat ThreatBLADES in the Platform integrates with the Blue Coat Global Intelligence Network and other industry-standard reputation and malware feeds, providing real-time threat intelligence services. With a simple right-click, analysts can check the integrity and reputation of any URL, IP address, file hash, malware sample, or email address against multiple services at once.

Real-time File Brokering to Sandbox Technologies

The Analytics Platform extracts files in real time, and if a file is not found in local known good or known bad file databases, it is immediately delivered to a Sandbox.
The Platform then updates the Blue Coat Global Intelligence Network with the verdict from the Sandbox. The Platform is directly integrated with the Blue Coat Malware Analysis Appliance and other industry-leading sandbox technologies.

Layer 2-7 Analysis with Security Analytics

The Platform provides a variety of analytics across the network layers, from packets, ports/protocols, applications, and user sessions to files, to strengthen security incident response with comprehensive and conclusive analysis. Examples of security-related analytics include:

- Always-on Classification and Extraction: All protocol and application classifiers are enabled to provide complete visibility and context of network activity, exposing session-level details from layers 2 through 7
- Session Reconstruction: Reconstructs the full session from packet data, including web, email, and chat sessions along with associated files, so analysts can easily investigate security incidents without the need for packet expertise
- Media Panel: Displays all the images, video and voice sessions traversing the network during a given time, including details such as Initiator and Responder IP addresses
- Artifacts and Timeline: Reconstructs numerous artifacts in chronological order, such as File Transfers, PDF, Word, Excel, and many more, making it easy to track the file exploit distribution and file-type activity over time for a single user or all users
- Root Cause Explorer: Quickly identifies the source of an exploit or compromise and reduces time-to-resolution
- Built-In Packet Analyzer: The Platform includes a full-featured packet analyzer integrated into the interface, eliminating the need to transfer huge PCAP files over the network
- PCAP Import: Allows analysts to import data, making it easy to analyze historical data and compare captured data to a known-good baseline; also allows playback of captures to verify the effectiveness of remediation measures and security enforcement tools
- Complex Rules Alerting: Enables analysts to build granular, stateful alerts based on sequences of activity exposed by the advanced DPI engine; alerts are delivered via email, CEF, Syslog and/or SNMP
- Role Based Access Control (RBAC): Sensitive information collected in the Platform can be masked, limiting views to specific areas of responsibility (AoR)
- Strong Authentication: Uses LDAP/AD and/or RADIUS authentication for access control; PKI X.509 certificates are fully supported
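
The three automated checks named under Actions and Alerts above (traffic to a list of known bad websites, unknown applications, encrypted traffic on non-standard ports) can be written as rules over flow metadata that emit CEF lines. This is an added example, not Blue Coat code: the flow fields, port policy, signature IDs and the ExampleVendor/ExampleSensor names are assumptions, and the flows are constructed.

```python
"""Alert rules over flow metadata with CEF output (added example, constructed data)."""

# Assumed site policy: ports on which each encrypted protocol is expected.
ENCRYPTED_STANDARD_PORTS = {"tls": {443, 465, 993, 995}, "ssh": {22}}


def normalize_host(host):
    """Lower-case and strip the trailing dot so list lookups are consistent."""
    return (host or "").strip().lower().rstrip(".")


def host_is_listed(host, bad_hosts):
    """Match the host or any parent domain, label by label (not by substring)."""
    host = normalize_host(host)
    if not host:
        return False
    labels = host.split(".")
    return any(".".join(labels[i:]) in bad_hosts for i in range(len(labels)))


def rule_known_bad_site(flow, bad_hosts):
    if host_is_listed(flow.get("host"), bad_hosts):
        return ("100", "Traffic to listed website", 8)


def rule_unknown_application(flow, bad_hosts):
    if flow.get("app") in (None, "", "unknown"):
        return ("101", "Unclassified application", 5)


def rule_encrypted_nonstandard_port(flow, bad_hosts):
    # Keyed on the classifier's verdict, not on the port number itself.
    allowed = ENCRYPTED_STANDARD_PORTS.get(flow.get("app"))
    if allowed is not None and flow["dst_port"] not in allowed:
        return ("102", "Encrypted traffic on non-standard port", 6)


RULES = [rule_known_bad_site, rule_unknown_application, rule_encrypted_nonstandard_port]


def cef_header(value):
    """CEF header fields escape backslash and pipe."""
    return str(value).replace("\\", "\\\\").replace("|", "\\|")


def cef_ext(value):
    """CEF extension values escape backslash, equals sign and newline."""
    return str(value).replace("\\", "\\\\").replace("=", "\\=").replace("\n", "\\n")


def to_cef(sig, name, severity, flow):
    ext = {"src": flow["src_ip"], "dst": flow["dst_ip"], "dpt": flow["dst_port"],
           "app": flow.get("app") or "unknown"}
    if flow.get("host"):
        ext["dhost"] = normalize_host(flow["host"])
    header = "|".join(["CEF:0", cef_header("ExampleVendor"), cef_header("ExampleSensor"),
                       cef_header("1.0"), cef_header(sig), cef_header(name), str(severity)])
    return header + "|" + " ".join(f"{k}={cef_ext(v)}" for k, v in ext.items())


def evaluate(flows, bad_hosts):
    """Run every rule on every flow; one CEF line per rule hit."""
    bad = {normalize_host(h) for h in bad_hosts}
    alerts = []
    for flow in flows:
        for rule in RULES:
            hit = rule(flow, bad)
            if hit:
                alerts.append(to_cef(*hit, flow))
    return alerts


# Constructed flow records (documentation address ranges, .example domains).
SAMPLE_FLOWS = [
    {"src_ip": "10.0.0.5", "dst_ip": "192.0.2.10", "dst_port": 443, "app": "tls", "host": "www.example.org"},
    {"src_ip": "10.0.0.6", "dst_ip": "203.0.113.9", "dst_port": 80, "app": "http", "host": "CDN.Bad-Site.example."},
    {"src_ip": "10.0.0.7", "dst_ip": "198.51.100.7", "dst_port": 8443, "app": "tls", "host": None},
    {"src_ip": "10.0.0.8", "dst_ip": "198.51.100.20", "dst_port": 6667, "app": "unknown", "host": None},
    {"src_ip": "10.0.0.9", "dst_ip": "203.0.113.9", "dst_port": 4444, "app": "tls", "host": "bad-site.example"},
    {"src_ip": "10.0.0.5", "dst_ip": "192.0.2.30", "dst_port": 80, "app": "http", "host": "notbad-site.example"},
]

if __name__ == "__main__":
    for line in evaluate(SAMPLE_FLOWS, {"bad-site.example"}):
        print(line)
```

The last sample flow shows why the list match works on domain labels: a plain suffix comparison would flag `notbad-site.example` as well.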

[Figure 4: Blue Coat Architecture. Labels: Central Management (unified, single pane of glass; advanced reporting: dynamic, inferential, visual insight); Blue Coat ThreatBLADES (WebPulse Global Intelligence Network; WebThreat: web protocol scanning and file extraction; FileThreat: file protocol scanning and file extraction; MailThreat: mail protocol scanning and file extraction); Analytics Platform (Threat Profiler Engine/Patented Database; Full Packet Capture; L2-L7 Indexing; DPI/Classification; Scalable Storage)]

Common Criteria EAL 3+ Certification

The Analytics Platform with Central Manager has been awarded Common Criteria Evaluation Assurance Level (EAL) 3+ certification. Common Criteria certification is recognized in over 25 countries as a critical validation of security technology, allowing the Platform to be more accessible to federal agencies and commercial enterprises.

Flexible Deployment Options

Blue Coat's integrated appliances, software, and virtual appliances enable flexible, easy deployment with enterprise-wide visibility and awareness. Security Analytics sensors are deployed throughout the network with the capability of monitoring thousands of network segments, from datacenters to cloud to remote offices. A central management system provides a single pane-of-glass view across multiple sensors. In addition to the ability to span the network, sensors offer multiple optimized storage options. This gives IT organizations the ability to maintain back-in-time visibility to fully analyze an attack or breach from its inception.

Augment Traditional with Integration

The Platform integrates with best-of-breed network security products so that analysts can pivot directly from an alert to the full-payload detail of the event before, during and after the alert. The open web services REST API enables integration with products from companies such as HP ArcSight, McAfee, FireEye, Splunk, Sourcefire, Palo Alto Networks, SonicWALL, and many other vendors. This integration with next-generation firewall (NGFW), intrusion prevention system (IPS), and security information event management (SIEM) vendors leverages a security operations center's existing investments while providing context to alerts and logs and expediting incident response.

[Figure 5: Comprehensive Integrated Partner Ecosystem]

The Blue Coat Platform delivers unprecedented visibility and control over packet, application, session, protocol, and user data traversing the network, while enhancing and providing added value to existing security investments.

Automated Deep Packet Analysis in Blue Coat Analytics

Next-generation threats ignore standards of communication and take advantage of systems that rely only on simple signature-based analysis. Today's SOC 2.0 must be able to classify network traffic by protocol and application, and by the attributes within them, in order to have the visibility needed to discover and remediate next-generation threats. Security operation centers need solutions that can provide advanced deep packet inspection (DPI), application, and attribute classification of all network traffic, in real time. The ability to extract data from network traffic at this depth provides a richness and accuracy that paints a vivid picture for analysts and investigators to help them find anomalies and threats. The Platform implements DPI using protocol parsers that track state transitions to precisely classify flows and extract rich metadata to present a complete context of flows for advanced threat detection.

The Platform helps you visualize and analyze network data and uncover specific network activity without requiring specific knowledge of networking protocols and packet analysis methods. Its powerful features let you locate and reconstruct specific communication flows, as well as network and user activities, within seconds. The platform does this by classifying captured network traffic packets and identifying meaningful data flows. A flow is the collection of packets that comprises a single communication between two specific network entities. Within a particular data flow, you can then identify and examine network artifacts such as image files, Word documents, emails, and video, as well as executable files, HTML files, and more. The Analytics Platform also allows you to reconstruct HTML pages, emails, and instant messaging conversations.

The Platform also provides the ability to do real-time, policy-based artifact extraction, and is not limited to any specific operating system (OS) environment. Extracted artifacts can be automatically placed in centralized network repositories for analysis by superior forensics tools within the Platform. These artifacts are hashed and stored for future retrospection on newly discovered malware variants and provide a method to understand relatedness to preexisting hashes.

The Platform can be deployed as dedicated hardware appliances or virtual machines. They can even be deployed inside a virtual network composed of intercommunicating virtual machines, enabling them to expose their virtual traffic to external physical security tools for analysis. The Central Manager facilitates federated queries on hundreds of sensors to provide a 360-degree view of activity across the entire enterprise network, including perimeter, data centers, and remote offices.
System Architecture and Performance

The Appliances, Virtual Appliances, and Software meet the requirements of small to large enterprises. Sensors are able to achieve this based on the underlying file and system architecture, which was designed for efficient capture and query performance from its genesis. This architecture has proven scalability in demanding environments with many deployments across Global 2000 companies.

At its most basic level, the solution takes network data packets from a network interface card (NIC), classifies the network flows, and then moves that data to storage in a specialized format that has been optimized for extremely high throughput, accuracy, manageability, and security. In addition to enabling organizations to capture 100% of network traffic, the appliances also provide complete control over the type of traffic captured using Berkeley Packet Filters (BPFs), which can filter network traffic inclusively or exclusively, either during capture or when replaying captured traffic at a later time.

As a sensor captures and stores each packet, reference data and metadata are extracted and stored, providing highly efficient query and response of captured packet data. These attributes include data related to the packet, applications, users, and session flow, providing full context surrounding the network traffic. These include attributes such as IP and MAC address, protocols, ports, application names, user identities, actions, attributes, and thousands of other metadata.

The File System is a custom-built file system that contains all network packets, both header and payload. It is based on a Slot Architecture of N*64MB slots, which correspond directly to an associated ring buffer in memory. Captured data is formatted and moved to disk using direct memory access (DMA).

As shown in the graphic above, the DB Bitmask & Hash layer (top) maps metadata and other search attributes to each and every 64MB memory or storage slot that contains relevant data.

The DB Index layer (middle) contains the data necessary to find and reconstruct packets, flows, and entire network sessions in perfect fidelity (lossless). Search queries are processed using a proprietary algorithm that generates hash values used by the top layer of the search engine (bitmask & hash) to quickly determine which 64MB slots the data are in.

When a sensor has captured a network traffic stream, the stream becomes immediately available for replay and analysis. Security Analytics not only performs full packet capture, but also provides a tremendous amount of metadata derived from DPI and other methods of packet and flow analysis. Simultaneously with full packet capture, it indexes thousands of elements of metadata into the DB, a highly optimized custom database. This performance enhancement provides for highly accelerated and efficient queries. These queries drive much of the user interface, an intuitive, operating system and browser-agnostic Web UI that provides a contextual view to the security analyst. User-defined dashboards provide instant situational awareness of network activity and events, and a front end to the system's ability to deep-dive into network flows.

As packets are captured, attributes such as protocol, source/destination MAC/IP, port, VLAN, and packet length are inserted into the Analytics DB. The DB then serves as the data source to the GaugeFS virtual file system, allowing near-instantaneous access to any captured data, navigable through a familiar folder hierarchy. Unlike files on a conventional file system, the data available through GaugeFS does not occupy any space; instead, it dynamically retrieves packets by querying the DB for the location of the requested packets directly from the DSFS capture file system. The virtual file system also provides the capability to instantiate any-to-any relationships between all metadata (applications, filenames, etc.) and quickly presents the full context of all activity surrounding a given set of search criteria.
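
The slot-level lookup described above can be sketched as a per-slot bitmask of hashed attributes that is tested before any packet data is read. This is an added illustration, not the product's proprietary algorithm: the SHA-256 hashing, the 4096-bit mask, the three bit positions per attribute and the time bound on queries are assumptions, and the packets are constructed.

```python
"""Per-slot bitmask index over hashed attributes (added sketch, constructed data)."""
import hashlib
from dataclasses import dataclass, field

SLOT_BYTES = 64 * 1024 * 1024  # slot size given in the text
MASK_BITS = 4096               # assumed bitmask width per slot
NUM_HASHES = 3                 # assumed bit positions set per attribute


def bit_positions(key, value):
    """Map one attribute=value pair to NUM_HASHES positions in the mask."""
    digest = hashlib.sha256(f"{key}={value}".encode()).digest()
    return [int.from_bytes(digest[4 * i:4 * i + 4], "big") % MASK_BITS
            for i in range(NUM_HASHES)]


def mask_for(attrs):
    mask = 0
    for key, value in attrs.items():
        for bit in bit_positions(key, value):
            mask |= 1 << bit
    return mask


@dataclass
class Slot:
    slot_id: int
    used: int = 0
    mask: int = 0
    first_ts: float = 0.0
    last_ts: float = 0.0
    packets: list = field(default_factory=list)  # stands in for on-disk packet data


class SlotIndex:
    def __init__(self, slot_bytes=SLOT_BYTES):
        self.slot_bytes = slot_bytes
        self.slots = []

    def capture(self, ts, attrs, length):
        """Append a packet, opening a new slot when the current one is full."""
        if not self.slots or self.slots[-1].used + length > self.slot_bytes:
            self.slots.append(Slot(len(self.slots), first_ts=ts))
        slot = self.slots[-1]
        slot.used += length
        slot.last_ts = ts
        slot.mask |= mask_for(attrs)
        slot.packets.append((ts, attrs))

    def candidate_slots(self, criteria, start=None, end=None):
        """Slots that may hold matches: time window overlaps and all bits are set."""
        want = mask_for(criteria)
        return [s.slot_id for s in self.slots
                if (start is None or s.last_ts >= start)
                and (end is None or s.first_ts <= end)
                and (s.mask & want) == want]

    def query(self, criteria, start=None, end=None):
        """Verify packets inside candidate slots; the mask alone can over-report."""
        hits = []
        for slot_id in self.candidate_slots(criteria, start, end):
            for ts, attrs in self.slots[slot_id].packets:
                in_window = (start is None or ts >= start) and (end is None or ts <= end)
                if in_window and all(attrs.get(k) == v for k, v in criteria.items()):
                    hits.append((slot_id, ts))
        return hits


def build_demo_index():
    """Nine constructed 1000-byte packets in 3000-byte slots, so three slots fill."""
    rows = [
        (100, "10.0.0.5", "192.0.2.10", 443, "tls"),
        (101, "10.0.0.5", "192.0.2.10", 443, "tls"),
        (102, "10.0.0.6", "198.51.100.7", 53, "dns"),
        (103, "10.0.0.7", "203.0.113.9", 8443, "tls"),
        (104, "10.0.0.6", "198.51.100.7", 53, "dns"),
        (105, "10.0.0.7", "203.0.113.9", 8443, "tls"),
        (106, "10.0.0.5", "192.0.2.10", 443, "tls"),
        (107, "10.0.0.8", "192.0.2.20", 80, "http"),
        (108, "10.0.0.8", "192.0.2.20", 80, "http"),
    ]
    index = SlotIndex(slot_bytes=3000)
    for ts, src, dst, port, app in rows:
        index.capture(ts, {"src_ip": src, "dst_ip": dst, "dst_port": port, "app": app}, 1000)
    return index


if __name__ == "__main__":
    idx = build_demo_index()
    print(idx.query({"dst_ip": "203.0.113.9"}))
    print(idx.query({"src_ip": "10.0.0.5"}, start=105, end=110))
```

A query for `src_ip` 10.0.0.5 together with `app` dns selects slot 0 as a candidate because both values occur there in different packets, yet no single packet matches, which is why the mask only narrows the search and the per-packet check decides.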
Metadata and indices are always stored on a separate disk array for performance reasons, and metadata can generally be stored 3-5 times longer than packet data. By using the available metadata, analysts are able to efficiently narrow their search criteria and minimize the amount of packet data needed to perform detailed incident response or artifact extraction.

Other unique characteristics of GaugeFS are the inclusion of timespans, Boolean query logic, and ranges. Timespans are an optional top-level path within the GaugeFS hierarchy. If a timespan is not used, then all packets within the DSFS capture file system matching the attributes described by the GaugeFS path will be presented in the result data. In many cases, it is desirable to constrain the data retrieval to a specific time domain. Descending into a timespan path provides this sort of constraint, so that the resulting pcap matches not only packet attributes but also time attributes.

Although each model of sensor is slightly different, they all have a common overall structure. There is a collection of hard drives, which are separated into three distinct functional areas. The largest is the storage array. This collection of disks is where all the incoming raw data is stored. The next largest is the indexing array, which contains the custom database that stores all the metadata about the packets (where they came from, where they were going to, their time, and so on). The smallest is the system array, which contains the operating system and related storage. This is also where any artifacts and reports are created.

[Figure: Hard Drive Array. Storage Array (DSFS File System): raw network data, stored as received across multiple HDs. Indexing Array (DB): metadata stored and indexed using multiple HDs. System Array (Operating System): Linux operating system on multiple HDs.]

As packet capture data is collected, the Platform performs the following functions:

- Stores the full contents of the packet capture data in the DSFS system
- Records the data reference and the metadata about each packet (size, IP addresses, ports, etc.)
- Builds an index of the data and metadata in each conversation (time, ports, URLs, login information, application ID, etc.) in the Analytics DB

The combination of the patented packet capture file systems, multiple indexes, application classification, metadata extraction, and the underlying hardware components enables superior performance and scalability.

Integration using the REST API for Platform:

The Platform provides a REST API, allowing packet capture data to be described and retrieved through a simple HTTPS request. This allows for easy integration into other software platforms, such as an IDS/IPS, firewall and SIEM. The Platform also provides JSON data sources to start or stop captures and to retrieve interface statistics, artifact extraction, capture status, capture filters and reporting. The platform provides the freedom to integrate current and future tools and equipment through an open architecture utilizing industry-standard protocols.

Wide-Area System Management

The Central Manager is a dedicated instance of Security Analytics (Software, Appliance or Virtual Appliance) running the Central Manager Software. This Central Manager provides a centralized Query, Reporting and Management Interface for all Managed Sensors connected to the Central Manager. The Central Manager provides:

- Single view of Query, Result and Report data for all Managed Sensors
- Parallel Query execution for all Managed Sensors
- Centralized Configuration and Management for all Managed Sensors
- Centralized Provisioning of User, RBAC, and Authentication
- Central Software upgrade host for all Managed Sensors

All communications between the Managed Sensors and Central Manager are conducted over a dedicated Virtual Private Network (VPN), with each link between a Managed Sensor and the Central Manager having its own separate VPN connection operating within a common VPN subnet. Communications over the VPN subnet are protected by industry-standard SSL/TLS encryption using strong encrypted keys. In order to complete the connection between the Central Manager and Managed Sensors, the Managed Sensor must be able to connect to the Central Manager via HTTPS. The Central Manager will support over 200 Analytics Managed Sensors.

The Central Managers are capable of operating in an Active/Active clustered and decentralized configuration, providing Continuity of Operations (COOP), with each Central Manager maintaining full state of the other in case of a failure condition. A heartbeat method is implemented to verify health and state of the CM. Managed Sensors also utilize the cluster failover capability based on heartbeat and response from the primary CM. Failover occurs within a 5 second window.

[Figure 6: Blue Coat Scalable Architecture. Labels: Distributed Network (Appliance, Software, Virtual Appliance); Central Manager (single point of management; central access; directed searches; aggregate searches; arbitrary groups and sub-groups)]

How the Solution Works

The solution allows end users to achieve full situational awareness and investigate security incidents in real time using the Platform. Blue Coat's unique architecture allows the sensors to query all network data utilizing a parallel query architecture. Given the expense of staffing a skilled incident response team, the ability of the proposed solution to reduce time-to-insight by orders of magnitude will make the incident responders much more productive.

The Blue Coat architecture scales better than any comparable architecture, primarily because it requires only a single device for all operations, while the nearest competitor requires multiple devices, such as packet capture devices and a separate device for metadata.

In summary, Blue Coat offers the most efficient packet capture appliances and the most advanced enterprise architecture in the industry. The ability for each appliance to handle data rates at 10GB, with only a single appliance and a high-performance storage subsystem, gives Blue Coat the clear technology advantage as a solution to meet the increasingly demanding requirements of advanced threat detection, protection and mitigation.

[Figure 7: Typical Deployment Of Solution. Labels: Users; Application Servers; Mobile Devices; TAP/SPAN; Sensor; Optional Storage; Management Network; Reports; Alerts; Dashboard; Artifact Timeline; Root Cause Explorer; Threat Analysis; PCAP Import; Comparative Reporting; Reputation Services; more...]

Blue Coat Systems Inc.
Corporate Headquarters: Sunnyvale, CA
EMEA Headquarters: Hampshire, UK
APAC Headquarters: Singapore

Blue Coat Systems, Inc. All rights reserved. Blue Coat, the Blue Coat logos, ProxySG, PacketShaper, CacheFlow, IntelligenceCenter, CacheEOS, CachePulse, Crossbeam, K9, the K9 logo, DRTR, Mach5, Packetwise, Policycenter, ProxyAV, ProxyClient, SGOS, WebPulse, Solera Networks, the Solera Networks logos, DeepSee, See Everything. Know Everything., and BlueTouch are registered trademarks or trademarks of Blue Coat Systems, Inc. or its affiliates in the U.S. and certain other countries. This list may not be complete, and the absence of a trademark from this list does not mean it is not a trademark of Blue Coat or that Blue Coat has stopped using the trademark. All other trademarks mentioned in this document owned by third parties are the property of their respective owners. This document is for informational purposes only. Blue Coat makes no warranties, express, implied, or statutory, as to the information in this document. Blue Coat products, technical services, and any other technical data referenced in this document are subject to U.S. export control and sanctions laws, regulations and requirements, and may be subject to export or import regulations in other countries. You agree to comply strictly with these laws, regulations and requirements, and acknowledge that you have the responsibility to obtain any licenses, permits or other approvals that may be required in order to export, re-export, transfer in country or import after delivery to you.

v.wp-security-analytics-for-soc2.0-en-v1e-0914


More information

REVOLUTIONIZING ADVANCED THREAT PROTECTION

REVOLUTIONIZING ADVANCED THREAT PROTECTION REVOLUTIONIZING ADVANCED THREAT PROTECTION A NEW, MODERN APPROACH Blue Coat Advanced Threat Protection Group GRANT ASPLUND Senior Technology Evangelist 1 WHY DO I STAND ON MY DESK? "...I stand upon my

More information

EXTENDING THREAT PROTECTION AND CONTROL TO MOBILE WORKERS

EXTENDING THREAT PROTECTION AND CONTROL TO MOBILE WORKERS EXTENDING THREAT PROTECTION AND WHITEPAPER CLOUD-BASED SECURITY SERVICES PROTECT USERS IN ANY LOCATION ACROSS ANY NETWORK It s a phenomenon and a fact: employees are always on today. They connect to the

More information

1 2013 Solera Networks, A Blue Coat Company SOLERA NETWORKS BIG DATA SECURITY ANALYTICS

1 2013 Solera Networks, A Blue Coat Company SOLERA NETWORKS BIG DATA SECURITY ANALYTICS 1 2013 Solera Networks, A Blue Coat Company SOLERA NETWORKS BIG DATA SECURITY ANALYTICS $32.8B 100,000 Cyber Criminals State-Sponsored Spies Hactivists We live in a POST-PREVENTION Amount enterprises are

More information

Analyzing HTTP/HTTPS Traffic Logs

Analyzing HTTP/HTTPS Traffic Logs Advanced Threat Protection Automatic Traffic Log Analysis APTs, advanced malware and zero-day attacks are designed to evade conventional perimeter security defenses. Today, there is wide agreement that

More information

WAN OPTIMIZATION FOR MICROSOFT SHAREPOINT BPOS

WAN OPTIMIZATION FOR MICROSOFT SHAREPOINT BPOS WHITEPAPER EXECUTIVE SUMMARY Microsoft SharePoint is a web-based collaboration and information-sharing platform designed as a centralized replacement for multiple web applications. SharePoint leverages

More information

Sourcefire Solutions Overview Security for the Real World. SEE everything in your environment. LEARN by applying security intelligence to data

Sourcefire Solutions Overview Security for the Real World. SEE everything in your environment. LEARN by applying security intelligence to data SEE everything in your environment LEARN by applying security intelligence to data ADAPT defenses automatically ACT in real-time Sourcefire Solutions Overview Security for the Real World Change is constant.

More information

A TECHNICAL REVIEW OF CACHING TECHNOLOGIES

A TECHNICAL REVIEW OF CACHING TECHNOLOGIES WHITEPAPER Over the past 10 years, the use of applications to enable business processes has evolved drastically. What was once a nice-to-have is now a mainstream staple that exists at the core of business,

More information

The Purview Solution Integration With Splunk

The Purview Solution Integration With Splunk The Purview Solution Integration With Splunk Integrating Application Management and Business Analytics With Other IT Management Systems A SOLUTION WHITE PAPER WHITE PAPER Introduction Purview Integration

More information

Requirements When Considering a Next- Generation Firewall

Requirements When Considering a Next- Generation Firewall White Paper Requirements When Considering a Next- Generation Firewall What You Will Learn The checklist provided in this document details six must-have capabilities to look for when evaluating a nextgeneration

More information

Products & Services. Security Empowers Business SHIFT FORWARD. Security powers business acceleration.

Products & Services. Security Empowers Business SHIFT FORWARD. Security powers business acceleration. Products & Services Security Empowers Business SHIFT FORWARD Security powers business acceleration. Security & Policy Enforcement Center Old-school security is all about protection. Avoiding the unthinkable.

More information

SANS Top 20 Critical Controls for Effective Cyber Defense

SANS Top 20 Critical Controls for Effective Cyber Defense WHITEPAPER SANS Top 20 Critical Controls for Cyber Defense SANS Top 20 Critical Controls for Effective Cyber Defense JANUARY 2014 SANS Top 20 Critical Controls for Effective Cyber Defense Summary In a

More information

How To Buy Nitro Security

How To Buy Nitro Security McAfee Acquires NitroSecurity McAfee announced that it has closed the acquisition of privately owned NitroSecurity. 1. Who is NitroSecurity? What do they do? NitroSecurity develops high-performance security

More information

FISMA / NIST 800-53 REVISION 3 COMPLIANCE

FISMA / NIST 800-53 REVISION 3 COMPLIANCE Mandated by the Federal Information Security Management Act (FISMA) of 2002, the National Institute of Standards and Technology (NIST) created special publication 800-53 to provide guidelines on security

More information

IBM Security. 2013 IBM Corporation. 2013 IBM Corporation

IBM Security. 2013 IBM Corporation. 2013 IBM Corporation IBM Security Security Intelligence What is Security Intelligence? Security Intelligence --noun 1.the real-time collection, normalization and analytics of the data generated by users, applications and infrastructure

More information

End-to-End Application Security from the Cloud

End-to-End Application Security from the Cloud Datasheet Website Security End-to-End Application Security from the Cloud Unmatched web application security experience, enhanced by real-time big data analytics, enables Incapsula to provide best-of-breed

More information

Vulnerability Management

Vulnerability Management Vulnerability Management Buyer s Guide Buyer s Guide 01 Introduction 02 Key Components 03 Other Considerations About Rapid7 01 INTRODUCTION Exploiting weaknesses in browsers, operating systems and other

More information

IMPLEMENTING A SECURITY ANALYTICS ARCHITECTURE

IMPLEMENTING A SECURITY ANALYTICS ARCHITECTURE IMPLEMENTING A SECURITY ANALYTICS ARCHITECTURE Solution Brief SUMMARY New security threats demand a new approach to security management. Security teams need a security analytics architecture that can handle

More information

Unified Security, ATP and more

Unified Security, ATP and more SYMANTEC Unified Security, ATP and more TAKE THE NEXT STEP Martin Werner PreSales Consultant, Symantec Switzerland AG MEET SWISS INFOSEC! 27.01.2016 Unified Security 2 Symantec Enterprise Security Users

More information

Cisco Cloud Web Security

Cisco Cloud Web Security Data Sheet Today s highly connected and fast-moving world is filled with complex and sophisticated web security threats. Cisco delivers the strong protection, complete control, and investment value that

More information

Blue Coat Security First Steps Transparent Proxy Deployments

Blue Coat Security First Steps Transparent Proxy Deployments Transparent Proxy Deployments SGOS 6.5 Third Party Copyright Notices 2014 Blue Coat Systems, Inc. All rights reserved. BLUE COAT, PROXYSG, PACKETSHAPER, CACHEFLOW, INTELLIGENCECENTER, CACHEOS, CACHEPULSE,

More information

McAfee Next Generation Firewall Optimize your defense, resilience, and efficiency.

McAfee Next Generation Firewall Optimize your defense, resilience, and efficiency. Optimize your defense, resilience, and efficiency. Table of Contents Need Stronger Network Defense? Network Concerns Security Concerns Cost of Ownership Manageability Application and User Awareness High

More information

with Managing RSA the Lifecycle of Key Manager RSA Streamlining Security Operations Data Loss Prevention Solutions RSA Solution Brief

with Managing RSA the Lifecycle of Key Manager RSA Streamlining Security Operations Data Loss Prevention Solutions RSA Solution Brief RSA Solution Brief Streamlining Security Operations with Managing RSA the Lifecycle of Data Loss Prevention and Encryption RSA envision Keys with Solutions RSA Key Manager RSA Solution Brief 1 Who is asking

More information

SourceFireNext-Generation IPS

SourceFireNext-Generation IPS D Ů V Ě Ř U J T E S I L N Ý M SourceFireNext-Generation IPS Petr Salač CCNP Security, CCNP, CICSP, CCSI #33835 petr.salac@alefnula.com Our Customers Biggest Security Challenges Maintaining security posture

More information

How To Protect Your Network From Intrusions From A Malicious Computer (Malware) With A Microsoft Network Security Platform)

How To Protect Your Network From Intrusions From A Malicious Computer (Malware) With A Microsoft Network Security Platform) McAfee Security: Intrusion Prevention System REV: 0.1.1 (July 2011) 1 Contents 1. McAfee Network Security Platform...3 2. McAfee Host Intrusion Prevention for Server...4 2.1 Network IPS...4 2.2 Workload

More information

Blue Coat Security First Steps. Solution for HTTP Object Caching

Blue Coat Security First Steps. Solution for HTTP Object Caching Solution for HTTP Object Caching Third Party Copyright Notices 2014 Blue Coat Systems, Inc. All rights reserved. BLUE COAT, PROXYSG, PACKETSHAPER, CACHEFLOW, INTELLIGENCECENTER, CACHEOS, CACHEPULSE, CROSSBEAM,

More information

Blue Coat Security First Steps Solution for Controlling HTTPS

Blue Coat Security First Steps Solution for Controlling HTTPS Solution for Controlling HTTPS SGOS 6.5 Third Party Copyright Notices 2014 Blue Coat Systems, Inc. All rights reserved. BLUE COAT, PROXYSG, PACKETSHAPER, CACHEFLOW, INTELLIGENCECENTER, CACHEOS, CACHEPULSE,

More information

WHITE PAPER Cloud-Based, Automated Breach Detection. The Seculert Platform

WHITE PAPER Cloud-Based, Automated Breach Detection. The Seculert Platform WHITE PAPER Cloud-Based, Automated Breach Detection The Seculert Platform Table of Contents Introduction 3 Automatic Traffic Log Analysis 4 Elastic Sandbox 5 Botnet Interception 7 Speed and Precision 9

More information

WHITE PAPER SPLUNK SOFTWARE AS A SIEM

WHITE PAPER SPLUNK SOFTWARE AS A SIEM SPLUNK SOFTWARE AS A SIEM Improve your security posture by using Splunk as your SIEM HIGHLIGHTS Splunk software can be used to operate security operations centers (SOC) of any size (large, med, small)

More information

WildFire. Preparing for Modern Network Attacks

WildFire. Preparing for Modern Network Attacks WildFire WildFire automatically protects your networks from new and customized malware across a wide range of applications, including malware hidden within SSL-encrypted traffic. WildFire easily extends

More information

IBM Advanced Threat Protection Solution

IBM Advanced Threat Protection Solution IBM Advanced Threat Protection Solution Fabio Panada IBM Security Tech Sales Leader 1 Advanced Threats is one of today s key mega-trends Advanced Threats Sophisticated, targeted attacks designed to gain

More information

Palo Alto Networks and Splunk: Combining Next-generation Solutions to Defeat Advanced Threats

Palo Alto Networks and Splunk: Combining Next-generation Solutions to Defeat Advanced Threats Palo Alto Networks and Splunk: Combining Next-generation Solutions to Defeat Advanced Threats Executive Summary Palo Alto Networks strategic partnership with Splunk brings the power of our next generation

More information

Blue Coat ICS PROTECTION Scanner Station Version

Blue Coat ICS PROTECTION Scanner Station Version Blue Coat ICS PROTECTION Scanner Station Version USB Malware Defense for Industrial Computers User Guide, version 5.3.1 Contents Contents 1. ABOUT... 3 1.1. About this Guide... 3 1.2. System Requirements...

More information

CyberArk Privileged Threat Analytics. Solution Brief

CyberArk Privileged Threat Analytics. Solution Brief CyberArk Privileged Threat Analytics Solution Brief Table of Contents The New Security Battleground: Inside Your Network...3 Privileged Account Security...3 CyberArk Privileged Threat Analytics : Detect

More information

CONTINUOUS DIAGNOSTICS BEGINS WITH REDSEAL

CONTINUOUS DIAGNOSTICS BEGINS WITH REDSEAL CONTINUOUS DIAGNOSTICS BEGINS WITH REDSEAL WHAT IS CDM? The continuous stream of high profile cybersecurity breaches demonstrates the need to move beyond purely periodic, compliance-based approaches to

More information

Introducing IBM s Advanced Threat Protection Platform

Introducing IBM s Advanced Threat Protection Platform Introducing IBM s Advanced Threat Protection Platform Introducing IBM s Extensible Approach to Threat Prevention Paul Kaspian Senior Product Marketing Manager IBM Security Systems 1 IBM NDA 2012 Only IBM

More information

IBM SECURITY QRADAR INCIDENT FORENSICS

IBM SECURITY QRADAR INCIDENT FORENSICS IBM SECURITY QRADAR INCIDENT FORENSICS DELIVERING CLARITY TO CYBER SECURITY INVESTIGATIONS Gyenese Péter Channel Sales Leader, CEE IBM Security Systems 12014 IBM Corporation Harsh realities for many enterprise

More information

Achieving Actionable Situational Awareness... McAfee ESM. Ad Quist, Sales Engineer NEEUR

Achieving Actionable Situational Awareness... McAfee ESM. Ad Quist, Sales Engineer NEEUR Achieving Actionable Situational Awareness... McAfee ESM Ad Quist, Sales Engineer NEEUR The Old SECURITY Model Is BROKEN 2 Advanced Targeted Attacks The Reality ADVANCED TARGETED ATTACKS COMPROMISE TO

More information

McAfee Network Security Platform

McAfee Network Security Platform McAfee Network Security Platform Next Generation Network Security Youssef AGHARMINE, Network Security, McAfee Network is THE Security Battleground Who is behind the data breaches? 81% some form of hacking

More information

ForeScout CounterACT CONTINUOUS DIAGNOSTICS & MITIGATION (CDM)

ForeScout CounterACT CONTINUOUS DIAGNOSTICS & MITIGATION (CDM) ForeScout CounterACT CONTINUOUS DIAGNOSTICS & MITIGATION (CDM) CONTENT Introduction 2 Overview of Continuous Diagnostics & Mitigation (CDM) 2 CDM Requirements 2 1. Hardware Asset Management 3 2. Software

More information

ForeScout CounterACT. Device Host and Detection Methods. Technology Brief

ForeScout CounterACT. Device Host and Detection Methods. Technology Brief ForeScout CounterACT Device Host and Detection Methods Technology Brief Contents Introduction... 3 The ForeScout Approach... 3 Discovery Methodologies... 4 Passive Monitoring... 4 Passive Authentication...

More information

High End Information Security Services

High End Information Security Services High End Information Security Services Welcome Trion Logics Security Solutions was established after understanding the market's need for a high end - End to end security integration and consulting company.

More information

Cyber Security. BDS PhantomWorks. Boeing Energy. Copyright 2011 Boeing. All rights reserved.

Cyber Security. BDS PhantomWorks. Boeing Energy. Copyright 2011 Boeing. All rights reserved. Cyber Security Automation of energy systems provides attack surfaces that previously did not exist Cyber attacks have matured from teenage hackers to organized crime to nation states Centralized control

More information

BOOSTING INTERNET ACCESS LINK PERFORMANCE WITH BLUE COAT WAN OPTIMIZATION TECHNOLOGIES

BOOSTING INTERNET ACCESS LINK PERFORMANCE WITH BLUE COAT WAN OPTIMIZATION TECHNOLOGIES PERFORMANCE WITH BLUE COAT WHITEPAPER EXECUTIVE SUMMARY Gateways to Internet traffic are facing unprecedented loads and growth rates in all types of industries and organizations due to the growth of mobile

More information

IBM QRadar Security Intelligence Platform appliances

IBM QRadar Security Intelligence Platform appliances IBM QRadar Security Intelligence Platform Comprehensive, state-of-the-art solutions providing next-generation security intelligence Highlights Get integrated log management, security information and event

More information

Niara Security Analytics. Overview. Automatically detect attacks on the inside using machine learning

Niara Security Analytics. Overview. Automatically detect attacks on the inside using machine learning Niara Security Analytics Automatically detect attacks on the inside using machine learning Automatically detect attacks on the inside Supercharge analysts capabilities Enhance existing security investments

More information

Detect & Investigate Threats. OVERVIEW

Detect & Investigate Threats. OVERVIEW Detect & Investigate Threats. OVERVIEW HIGHLIGHTS Introducing RSA Security Analytics, Providing: Security monitoring Incident investigation Compliance reporting Providing Big Data Security Analytics Enterprise-wide

More information

Next-Generation Firewalls: Critical to SMB Network Security

Next-Generation Firewalls: Critical to SMB Network Security Next-Generation Firewalls: Critical to SMB Network Security Next-Generation Firewalls provide dramatic improvements in protection versus traditional firewalls, particularly in dealing with today s more

More information

Payment Card Industry Data Security Standard

Payment Card Industry Data Security Standard Symantec Managed Security Services support for IT compliance Solution Overview: Symantec Managed Services Overviewview The (PCI DSS) was developed to facilitate the broad adoption of consistent data security

More information

The Hillstone and Trend Micro Joint Solution

The Hillstone and Trend Micro Joint Solution The Hillstone and Trend Micro Joint Solution Advanced Threat Defense Platform Overview Hillstone and Trend Micro offer a joint solution the Advanced Threat Defense Platform by integrating the industry

More information

Blue Coat Security First Steps Solution for Deploying an Explicit Proxy

Blue Coat Security First Steps Solution for Deploying an Explicit Proxy Blue Coat Security First Steps Solution for Deploying an Explicit Proxy SGOS 6.5 Third Party Copyright Notices 2014 Blue Coat Systems, Inc. All rights reserved. BLUE COAT, PROXYSG, PACKETSHAPER, CACHEFLOW,

More information

Applying machine learning techniques to achieve resilient, accurate, high-speed malware detection

Applying machine learning techniques to achieve resilient, accurate, high-speed malware detection White Paper: Applying machine learning techniques to achieve resilient, accurate, high-speed malware detection Prepared by: Northrop Grumman Corporation Information Systems Sector Cyber Solutions Division

More information

Managed Security Services for Data

Managed Security Services for Data A v a y a G l o b a l S e r v i c e s Managed Security Services for Data P r o a c t i v e l y M a n a g i n g Y o u r N e t w o r k S e c u r i t y 2 4 x 7 x 3 6 5 IP Telephony Contact Centers Unified

More information

End-user Security Analytics Strengthens Protection with ArcSight

End-user Security Analytics Strengthens Protection with ArcSight Case Study for XY Bank End-user Security Analytics Strengthens Protection with ArcSight INTRODUCTION Detect and respond to advanced persistent threats (APT) in real-time with Nexthink End-user Security

More information

LOG MANAGEMENT AND SIEM FOR SECURITY AND COMPLIANCE

LOG MANAGEMENT AND SIEM FOR SECURITY AND COMPLIANCE PRODUCT BRIEF LOG MANAGEMENT AND SIEM FOR SECURITY AND COMPLIANCE As part of the Tripwire VIA platform, Tripwire Log Center offers out-of-the-box integration with Tripwire Enterprise to offer visibility

More information

GETTING REAL ABOUT SECURITY MANAGEMENT AND "BIG DATA"

GETTING REAL ABOUT SECURITY MANAGEMENT AND BIG DATA GETTING REAL ABOUT SECURITY MANAGEMENT AND "BIG DATA" A Roadmap for "Big Data" in Security Analytics ESSENTIALS This paper examines: Escalating complexity of the security management environment, from threats

More information

Breach Found. Did It Hurt?

Breach Found. Did It Hurt? ANALYST BRIEF Breach Found. Did It Hurt? INCIDENT RESPONSE PART 2: A PROCESS FOR ASSESSING LOSS Authors Christopher Morales, Jason Pappalexis Overview Malware infections impact every organization. Many

More information

The Advanced Attack Challenge. Creating a Government Private Threat Intelligence Cloud

The Advanced Attack Challenge. Creating a Government Private Threat Intelligence Cloud The Advanced Attack Challenge Creating a Government Private Threat Intelligence Cloud The Advanced Attack Challenge One of the most prominent and advanced threats to government networks is advanced delivery

More information

SP Monitor. nfx One gives MSPs the agility and power they need to confidently grow their security services business. NFX FOR MSP SOLUTION BRIEF

SP Monitor. nfx One gives MSPs the agility and power they need to confidently grow their security services business. NFX FOR MSP SOLUTION BRIEF NFX FOR MSP SOLUTION BRIEF SP Monitor Jump Start Security-as-a-Service Designed to give you everything you need to get started immediately providing security-as-a service, SP Monitor is a real-time event

More information

you us MSSP are a Managed Security Service Provider looking to offer Advanced Malware Protection Services

you us MSSP are a Managed Security Service Provider looking to offer Advanced Malware Protection Services MSSP you us are a Managed Security Service Provider looking to offer Advanced Malware Protection Services Lastline is the only company with 10+ years of academic research focused on detecting advanced

More information

Web Application Classification Feature

Web Application Classification Feature Web Application Classification Feature PacketShaper 11.5 Third Party Copyright Notices 2015 Blue Coat Systems, Inc. All rights reserved. BLUE COAT, PROXYSG, PACKETSHAPER, CACHEFLOW, INTELLIGENCECENTER,

More information

How To Protect Your Network From Attack From A Network Security Threat

How To Protect Your Network From Attack From A Network Security Threat Cisco Security Services Cisco Security Services help you defend your business from evolving security threats, enhance the efficiency of your internal staff and processes, and increase the return on your

More information

Running head: Next Generation Firewalls 1

Running head: Next Generation Firewalls 1 Running head: Next Generation Firewalls 1 Next Generation Firewalls Rob Cavana East Carolina University ICTN 4040 Enterprise Information Security Dr Phil Lunsford and Mrs. Constance Boahn April 13 th 2015

More information

Threat Containment for Facebook

Threat Containment for Facebook Threat Containment for Facebook Based on statistics for more than 62M users in 2009, the Blue Coat WebPulse cloud service ranked social networking as the number one most requested web category, surpassing

More information

August 2011. Investigating an Insider Threat. A Sensage TechNote highlighting the essential workflow involved in a potential insider breach

August 2011. Investigating an Insider Threat. A Sensage TechNote highlighting the essential workflow involved in a potential insider breach August 2011 A Sensage TechNote highlighting the essential workflow involved in a potential insider breach Table of Contents Executive Summary... 1... 1 What Just Happened?... 2 What did that user account

More information

Niara Security Intelligence. Overview. Threat Discovery and Incident Investigation Reimagined

Niara Security Intelligence. Overview. Threat Discovery and Incident Investigation Reimagined Niara Security Intelligence Threat Discovery and Incident Investigation Reimagined Niara enables Compromised user discovery Malicious insider discovery Threat hunting Incident investigation Overview In

More information

Website Security. End-to-End Application Security from the Cloud. Cloud-Based, Big Data Security Approach. Datasheet: What You Get. Why Incapsula?

Website Security. End-to-End Application Security from the Cloud. Cloud-Based, Big Data Security Approach. Datasheet: What You Get. Why Incapsula? Datasheet: Website Security End-to-End Application Security from the Cloud Unmatched web application security experience, enhanced by real-time big data analytics, enables Incapsula to provide best-ofbreed

More information

REMOVING THE BARRIERS FOR DATA CENTRE AUTOMATION

REMOVING THE BARRIERS FOR DATA CENTRE AUTOMATION REMOVING THE BARRIERS FOR DATA CENTRE AUTOMATION The modern data centre has ever-increasing demands for throughput and performance, and the security infrastructure required to protect and segment the network

More information

場 次 :C-3 公 司 名 稱 :RSA, The Security Division of EMC 主 題 : 如 何 應 用 網 路 封 包 分 析 對 付 資 安 威 脅 主 講 人 :Jerry.Huang@rsa.com Sr. Technology Consultant GCR

場 次 :C-3 公 司 名 稱 :RSA, The Security Division of EMC 主 題 : 如 何 應 用 網 路 封 包 分 析 對 付 資 安 威 脅 主 講 人 :Jerry.Huang@rsa.com Sr. Technology Consultant GCR 場 次 :C-3 公 司 名 稱 :RSA, The Security Division of EMC 主 題 : 如 何 應 用 網 路 封 包 分 析 對 付 資 安 威 脅 主 講 人 :Jerry.Huang@rsa.com Sr. Technology Consultant GCR Minimum Requirements of Security Management and Compliance

More information

Extending Threat Protection and Control to Mobile Workers with Cloud-Based Security Services > White Paper

Extending Threat Protection and Control to Mobile Workers with Cloud-Based Security Services > White Paper with Cloud-Based Security Services > White Paper It s a phenomenon and a fact: employees are always on today. They connect to the network whenever they want, from wherever they happen to be, with laptops,

More information

HP and netforensics Security Information Management solutions. Business blueprint

HP and netforensics Security Information Management solutions. Business blueprint HP and netforensics Security Information Management solutions Business blueprint Executive Summary Every day there are new destructive cyber-threats and vulnerabilities that may limit your organization

More information

Extreme Networks: A SOLUTION WHITE PAPER

Extreme Networks: A SOLUTION WHITE PAPER Extreme Networks: The Purview Solution Integration with SIEM Integrating Application Management and Business Analytics into other IT management systems A SOLUTION WHITE PAPER WHITE PAPER Introduction Purview

More information

Security strategies to stay off the Børsen front page

Security strategies to stay off the Børsen front page Security strategies to stay off the Børsen front page Steve Durkin, Channel Director for Europe, Q1 Labs, an IBM Company 1 2012 IBM Corporation Given the dynamic nature of the challenge, measuring the

More information

ALERT LOGIC FOR HIPAA COMPLIANCE

ALERT LOGIC FOR HIPAA COMPLIANCE SOLUTION OVERVIEW: ALERT LOGIC FOR HIPAA COMPLIANCE AN OUNCE OF PREVENTION IS WORTH A POUND OF CURE Alert Logic provides organizations with the most advanced and cost-effective means to secure their healthcare

More information

Comprehensive Advanced Threat Defense

Comprehensive Advanced Threat Defense 1 Comprehensive Advanced Threat Defense June 2014 PAGE 1 PAGE 1 1 INTRODUCTION The hot topic in the information security industry these days is Advanced Threat Defense (ATD). There are many definitions,

More information

On-Premises DDoS Mitigation for the Enterprise

On-Premises DDoS Mitigation for the Enterprise On-Premises DDoS Mitigation for the Enterprise FIRST LINE OF DEFENSE Pocket Guide The Challenge There is no doubt that cyber-attacks are growing in complexity and sophistication. As a result, a need has

More information

Extreme Networks Security Analytics G2 Vulnerability Manager

Extreme Networks Security Analytics G2 Vulnerability Manager DATA SHEET Extreme Networks Security Analytics G2 Vulnerability Manager Improve security and compliance by prioritizing security gaps for resolution HIGHLIGHTS Help prevent security breaches by discovering

More information

ProtectWise: Shifting Network Security to the Cloud Date: March 2015 Author: Tony Palmer, Senior Lab Analyst and Aviv Kaufmann, Lab Analyst

ProtectWise: Shifting Network Security to the Cloud Date: March 2015 Author: Tony Palmer, Senior Lab Analyst and Aviv Kaufmann, Lab Analyst ESG Lab Spotlight ProtectWise: Shifting Network Security to the Cloud Date: March 2015 Author: Tony Palmer, Senior Lab Analyst and Aviv Kaufmann, Lab Analyst Abstract: This ESG Lab Spotlight examines the

More information

Network Performance + Security Monitoring

Network Performance + Security Monitoring Network Performance + Security Monitoring Gain actionable insight through flow-based security and network performance monitoring across physical and virtual environments. Uncover the root cause of performance

More information

DMZ Virtualization Using VMware vsphere 4 and the Cisco Nexus 1000V Virtual Switch
