REVOLUTIONIZING ADVANCED THREAT PROTECTION

Transcription

1 REVOLUTIONIZING ADVANCED THREAT PROTECTION A NEW, MODERN APPROACH Blue Coat Advanced Threat Protection Group GRANT ASPLUND Senior Technology Evangelist 1

2 WHY DO I STAND ON MY DESK? "...I stand upon my desk to remind myself that we must constantly look at things in a different way... 2

3 3

4 TODAY S DIGITAL ENTERPRISE IS DRIVING A NEW IT PARADIGM Cloud / Virtualization SaaS Big Data Analytics Mobility Enterprise Social Security 4

5 AND A WHOLE NEW SET OF IT CHALLENGES YESTERDAY S IT TODAY S IT Few apps with predictable behavior Millions of unknown and risky Apps Manageable data Big data explosion Infrastructure that s on-premise Cloud and hybrid infrastructure Traditional threat environment Advanced threat environment 5

6 EVOLVING LANDSCAPE OF MODERN THREATS IPs SIEM TODAY S ADVANCED THREAT LANDSCAPE URL Filtering DLP Integrity Availability Confidentiality Security Host Firewall VPN NAC 6

7 ADVANCED THREATS Copyright Blue Coat Systems Inc. All Rights Reserved. 7

8 IMPROVED SOPHISTICATED THREATS Virtual machine Detection Line-by-line debugger detection Re-writes host file Multi-packed, one time, encrypted Smarter Faster Stronger Rootkits Fuzzing Reverse Engineering Code Auditing 8

9 THE INVISIBLE THREATS Threats we can t see 20-70% of Traffic is Encrypted Majority of APTs Operate Over SSL 9

10 10

11 POST-PREVENTION SECURITY GAP Threat Actors Nation States Cybercriminals Hactivists Insider-Threats Traditional Advanced Threats Known Novel Malware Threats Known Zero-Day Malware Known Threats Files Known Targeted IPs/URLs Attacks Modern TTPs NGFW IDS / IPS Host AV Web Gateway SIEM Gateway DLP Web Application Firewall Advanced Threat Protection Content Detection Analytics Context Visibility Analysis Intelligence SIGNATURE-BASED DEFENSE-IN-DEPTH TOOLS 11

12 TIME AND THE WINDOW OF OPPORTUNITY Initial Attack to Compromise Initial Compromise to Discovery Days 13% weeks 2% Seconds Hours 60% 11% Minutes 13% Years 4% Months 62% Hours 9% Days 11% Weeks 12% 84% 78% 12

13 PROOF OF THE PROBLEM: BREACH UNDETECTED FOR FIVE MONTHS 13

14 POST-PREVENTION SECURITY GAP Percentage of Enterprise IT Security Budgets Allocated to Rapid Response Approaches by Gartner

15 MAPPING THE ADAPTIVE PROTECTION PROCESS TO THE LIFECYCLE OF AN ATTACK Source: Gartner (February 2014) 15

16 MODERN COUNTER- MEASURES 16

17 REQUIRED TECHNOLOGIES FOR MODERN ADVANCED THREAT PROTECTION Complete Web Control Web Security, Content Analysis, Real-time Blocking Advanced Malware Detection White/Blacklists, Sandboxing, Feeds Visual Insight Context, Real-time Awareness, IOCs, Alerts Full Packet Capture Layer 2 7 Indexing & Classification Blocking and Enforcement Security & SSL Visibility Global Threat Data Integration Layer Detection & Threat Intelligence Big Data Security Analytics 17

18 INTELLIGENT DEFENSE IN DEPTH Block Known Web Block Known Threats Web Threats ProxySG ProxySG Allow Known Good Content Allow Known Analysis System Good Content with Analysis Application System with Application Whitelisting Whitelisting Block Known Bad Block Known Bad Downloads Downloads Content Analysis System Content Analysis System with Malware Scanning with Malware Scanning Analyze Analyze Unknown Unknown Threats Threats Malware Analysis Appliance Block all known sources/malnets and threats before they are on the network Free up resources to focus on advanced threat analysis Reduce threats for incident containment and resolution Discover new threats and then update you gateways 18

19 ADVANCED THREAT PROTECTION BLUE COAT LIFECYCLE DEFENSE ADVANCED THREAT PROTECTION LIFECYCLE DEFENSE 3 Incident Resolution Investigate & Remediate Breach Threat Profiling & Eradication GLOBAL INTELLIGENCE NETWORK 1Ongoing Operations Detect & Protect Block All Known Threats 2Incident Containment Analyze & Mitigate Novel Threat Interpretation 19

20 ADVANCED THREAT PROTECTION LIFECYCLE DEFENSE Ongoing Incident Incident Operations Containment Resolution ADVANCED THREAT PROTECTION LIFECYCLE DEFENSE 3 Incident Resolution Investigate & Remediate Breach Threat Profiling & Eradication GLOBAL INTELLIGENCE NETWORK 1Ongoing Operations Detect & Protect Block All Known Threats 2Incident Containment Analyze & Mitigate Novel Threat Interpretation 20

21 STAGE 1: 1 2 Ongoing Incident DETECT & PROTECT 3 Incident Operations Containment Resolution Block All Known Threats Accurate Web Filtering and Categorization Identify and Block Malnets Robust Application and Policy Controls Proactive Threat Prevention across all users, networks and devices 21

22 STAGE 1: 1 2 Ongoing Incident DETECT & PROTECT 3 Incident Operations Containment Resolution Policy Based SSL Visibility Granular Policy Management Feed Multiple Security Systems Industry-leading Performance Full visibility into encrypted traffic and threats 22

23 ENHANCES EXISTING CUSTOMER SECURITY SOLUTIONS Forensics / Compliance / IDS Soon Inline IPS, XPS, Malware Copy Network In Network Out Decrypt once - Feed many! 23

24 STAGE 1: 1 2 Ongoing Incident DETECT & PROTECT 3 Incident Operations Containment Resolution Advanced AV/Malware Inspection Increased Malware Analysis and Blocking Higher Detection Accuracy Sandboxing Optimization Block known threats and analyze the unknown for Advanced Threat Protection at the perimeter 24

25 ADVANCED THREAT PROTECTION LIFECYCLE DEFENSE Ongoing Incident Incident Operations Containment Resolution ADVANCED THREAT PROTECTION LIFECYCLE DEFENSE 3 Incident Resolution Investigate & Remediate Breach Threat Profiling & Eradication GLOBAL INTELLIGENCE NETWORK 1Ongoing Operations Detect & Protect Block All Known Threats 2Incident Containment Analyze & Mitigate Novel Threat Interpretation 25

26 STAGE 2: ANALYZE & MITIGATE 1 2 Ongoing Incident Operations Containment 3 Incident Resolution Contain and Analyze The Unknown PC Emulator Virtual Machine Dual-Detection Hybrid Analysis of Suspicious Samples Closely Replicates Customer s Gold Configurations Automated Risk Scoring and Rich Analysis Quickly analyze and prioritize advanced and zero-day threats for remediation and continuous security improvement 26

27 ADVANCED THREAT PROTECTION LIFECYCLE DEFENSE 1 Ongoing Operations 2 3 Incident Incident Containment Resolution ADVANCED THREAT PROTECTION LIFECYCLE DEFENSE 3 Incident Resolution Investigate & Remediate Breach Threat Profiling & Eradication GLOBAL INTELLIGENCE NETWORK 1Ongoing Operations Detect & Protect Block All Known Threats 2Incident Containment Analyze & Mitigate Novel Threat Interpretation 27

28 STAGE 3: INVESTIGATE & REMEDIATE Ongoing Incident Incident Operations Containment Resolution Security Analytics Full Security Visibility of All Network Traffic Forensic Details Before, During and After an Alert Reduce Time-to- Resolution and Breach Impact The Security Camera for Your Network 28

29 SECURITY CAMERA FOR YOUR NETWORK Ongoing Incident Incident Operations Containment Resolution Know what happened before, during and after an alert, with complete, clear supporting evidence Multiple sources for real-time integrity & reputation of URL, IP address, file hash or address Forensic Details Before, During and After an Alert Trace back and discover Tactics, Techniques & Procedures and identify Indicators of Compromise Integrated workflows with leading network security tools to add context and improve effectiveness 29

30 ADVANCED THREAT PROTECTION FILE ANALYSIS Internet SSL Visibility Appliance Application Whitelisting ProxySG ICAP / S-ICAP CONTENT ANALYSIS SYSTEM Application Whitelisting Encrypted & Unencrypted Traffic Malware Signature Databases Blue Coat Malware Analysis Appliance Security Analytics Platform Global Intelligence Network MALICIOUS UPDATE & ALERT NOT MALICIOUS Non-Blue Coat Sandbox Threat Data Sent To WebPulse and Security Analytics Platform : - File HASH, URL, Time Stamp, File Name 30

31 ADVANCED THREAT PROTECTION LIFECYCLE DEFENSE ProxySG & SG-VA Malware Analysis Security Resolution & Policy Reporter Web SW Security Service Intelligence SSL Center Visibility Enforcement Center Center Reporter Service WebFilter Advanced Content Threat Analysis, Protection DLP Content Analysis Appliance FW/IDS on X-Series Resolution Center Reporter SW Reporter Service Intelligence Center Advanced Threat Protection Appliance Incident Resolution Investigate & Remediate Breach Threat Profiling & Eradication GLOBAL INTELLIGENCE NETWORK Ongoing Operations Detect & Protect Block All Known Threats Known threats blocked at gateway Increased system performance through fewer malware scans Fewer threats to contain and resolve Incident Containment Analyze & Mitigate Novel Threat Interpretation More robust threat analysis with fewer false positives 31

32 GLOBAL INTELLIGENCE NETWORK +75 Million users +1 Billion daily categorized web requests +3.3 Million threats blocked daily +84 categories 55 languages Central cloud database Dynamic Real- Time Rating Malware detection Anti-virus AV scanning Sandboxing (coming soon) Malware experts 3 rd party feeds Quality checks Effec%ve Advanced Threat Protec%on Real-time Cloud-based Zero-day Response Performance and Scalablity Communitybased Blocks 3.3 million threats per day 32

33 PEACE-OF-MIND FOR THE C-SUITE EXECUTIVE DASHBOARD CRM ADVANCED THREAT PROTECTION P&L ERP 33

34 MORE ON ADVANCED THREAT PROTECTION BLUE COAT EXCLUSIV E GET YOUR COPY! bluecoat.com/atplifecycle 34

35 35

36 Thank You! Grant Asplund LinkedIn: 36