NEXT GENERATION SECURITY ANALYTICS: REAL WORLD USE CASES KEY FEATURES AND NEW USES FOR THE BLUE COAT SECURITY ANALYTICS PLATFORM

Transcription

1 NEXT GENERATION SECURITY ANALYTICS: REAL WORLD USE CASES KEY FEATURES AND NEW USES FOR THE BLUE COAT SECURITY ANALYTICS PLATFORM

2 SECURITY ANALYTICS: MUCH MORE THAN NETWORK FORENSICS Prior generations of security analytics products were mostly used as tools by incident response teams to perform retrospective analysis and forensics on breaches after the fact. This is still an important function, but today s security analytics solutions have evolved to deliver business value across a much broader range of circumstances, and to address a number of critical issues faced by IT and security teams of all sizes. This white paper briefly discusses the need for security analytics, provides a brief overview of the next-generation security analytics platform offered by Blue Coat, and describes how a modern security analytics solution can address seven important, real-world use cases: 1. Situational awareness 2. Continuous monitoring 3. incident response and resolution 4. Advanced malware detection 5. Data loss monitoring and analysis 6. Web traffic monitoring and analysis 7. IT governance, risk management and compliance Situational Awareness IT Governance, Risk Management and Compliance Continuous Monitoring Web Traffic Monitoring and Analysis Incident Response and Resolution Data Loss Monitoring and Analysis Advanced Malware Detection 2

3 The Need for Analytics Until recently, most enterprises relied primarily on preventative signature-based tools for network security, tools such as nextgeneration firewalls, intrusion prevention systems, secure web gateways, and network anti-malware gateways. While these products can be effective against known threats, cybercriminals and hackers have developed many techniques to evade these products. These include zero-day attacks, polymorphic malware, encryption, targeted attacks that utilize social engineering, and advanced, persistent, multi-stage attacks. These techniques strike before signatures can be developed, obfuscate malware and attacks so they cannot be matched to signatures, or link together actions which individually appear to be legitimate. Most IT security experts today agree that no enterprise can stop all security threats at the network perimeter. Instead, they must assume that some attacks will get through, and take appropriate measures to monitor activities and to detect patterns that indicate attacks. As Mike Rothman, President of IT security firm Securosis states: The difference between success and failure breaks down to how quickly you can isolate the attack, contain the damage, and then remediate the issue. We cannot assume we can stop the attackers, so we have to plan for a compromise. The difference between success and failure breaks down to how quickly you can isolate the attack, contain the damage, and then remediate the issue. So we build our core security philosophy around monitoring critical networks and devices, facilitating our ability to find the root cause of any attack. Mike Rothman, President of Securosis, blog post In fact, the need for better information about attacks is urgent. In one recent survey, more than half of enterprises reported that they did not have adequate intelligence about attacks and could not identify root causes. A third of them said they could not determine exactly what information had been lost when they had a data breach. Companies do not have adequate intelligence 59% of companies [surveyed] do not have adequate intelligence about attempted attacks and their impact. 51% say their security solutions do not inform them about the root causes of attacks. 55% of those who had lost sensitive or confidential information did not know exactly what data had been stolen. Ponemon Institute: Exposing the Cybersecurity Cracks: A Global Perspective, Part I, April 2014 Overview of a Next-Generation Analytics Platform Analytics solutions help organizations derive contextual and actionable intelligence from massive volumes of security and network data. They capture all types of data entering and leaving the network. They organize that data so that administrators, security analysts, incident responders, compliance officers and others can detect advanced threats in real-time, conduct detailed analysis, measure and remediate breaches, and prevent future compromises. The key capabilities of the Blue Coat Analytics Platform include: Full packet capture: Recording, classifying and indexing every packet that enters, leaves and travels within the network, even on today s highspeed networks. Deep Packet Inspection: Visibility into all layers of the OSI stack from layer 2 to layer 7, including application data and payload data. Application classification: Identifying traffic from specific commercial and custom applications, including application traffic over non-standard ports. Real-time threat intelligence: Enriching analysis with real-time threat information feeds from Blue Coat Global Intelligence Network (which compiles intelligence from 15,000 customers and 75 million endpoints) and other reputation feeds, from IP geo-location services, and from more than 40 industry-leading intelligence sources. 3

4 Session and object reconstruction: The ability to convert traffic from raw packets to meaningful artifacts like files, s, instant messages, VoIP conversations and even complex PHP, Ajax and JavaScript files. Context-aware security: Correlating meta-data about users, files and sessions with real-time threat information, and using the correlations to provide situational awareness and alerts. Layer 2-7 analysis: Tools to analyze metadata about packets, ports, protocols, applications, user sessions and files. Integration with traditional security products: Connectors and APIs to incorporate data from best-of-breed security and network technologies, including dynamic analysis ( sandboxing ) products, next-generation firewalls, intrusion prevention systems, security information and event management products, and data loss prevention tools. File brokering: Features to identify known threats and deliver only suspicious files to sandboxing technologies for optimized advanced malware analysis and threat detection. Real-time alerting: The ability to create rules to notify designated administrators and security staff when suspicious and prohibited behaviors are detected, or when baseline thresholds are exceeded. Playback: Facilities to replay network traffic and transmit captured data flows to third party tools for further analysis. Root cause exploration: Reconstruction of complete attack timelines, pinpointing the root cause attributes and metadata of an attack such as the originating file, server or user. Dashboards and centralized management: Tools to see threats and trends at a glance, and to monitor thousands of network segments from a single pane of glass. For more information on the features of the Analytics Platform, please see the solution brief, data sheet and white papers at bluecoat.com/products/atp-security-analytics-platform. Use Case #1: Situational Awareness Situational awareness (SA) is the ability to extract information from the environment, integrate that information with relevant internal knowledge, and use the resulting mental picture to anticipate future events. 1 For information security professionals, situational awareness means being able to extract and decipher as much information as possible from networks, to have the tools to differentiate suspicious behaviors and anomalies from legitimate computing activities, and to generate actionable intelligence from that analysis. Essentially it is having the data and tools to visualize all network-related events, to establish what is normal, and to recognize departures from normality. Those are exactly the capabilities provided by a next-generation security analytics solution. professionals can take advantage of features like full packet capture, deep packet inspection, application classification and session and object reconstruction to obtain complete visual insight into packets, protocols, network flows, files and applications across the entire network. Through next generation security analytics features such as artifact timelines, media panel displays, geolocation, inferential reporting and other analysis tools, they gain complete visibility into all aspects of their operational domain. For example, a security analytics solution might show archived files being transmitted via FTP from an internal PC to a server in a location known to harbor cybercriminals. It could flag this as suspicious activity, and even reconstruct the files and the network sessions. A security analyst could use this information to determine if the file transfers represented ordinary business activity or were part of an advanced attack. An Example: Situational Awareness in the Military An organization in the U.S. armed forces uses Blue Coat Analytics Platform to monitor the Internet traffic of a large group of military analysts and ensure that their activities are consistent with each person s role and security privileges. 1 Dominguez, C., Vidulich, M., Vogel, E. & McMillan, G. (1994). Situation awareness: Papers and annotated bibliography. Armstrong Laboratory, Human System Center, ref. AL/ CF-TR

5 Use Case #2: Continuous Monitoring Continuous monitoring is the ability to capture, index and play back all network data, and to provide administrators and security professionals with timely, targeted and prioritized information. While the idea of continuous monitoring sounds simple, it is difficult to put into practice in today s enterprises. A modern security analytics solution needs to be able to capture all types of data, not just security events. It must be able to handle gigabytes of network traffic every second without losing a packet, and to provide the capacity to store hundreds of terabytes or even petabytes of data. When continuous monitoring is implemented, it provides tremendous benefits, resembling those of a security camera in a bank. Analysts can play back network activities related to an attack in their chronological sequence. This unique capability of security analytics solutions provides deep insights into attacks, helps assess the damage done by breaches, and lets analysts go back in time to determine the full scope of the attacks. Continuous Monitoring at a Leading Financial Firm A large investment bank uses Blue Coat Analytics Platform to monitor a dozen international locations and to achieve complete visibility into network traffic, users and data. The Analytics Platform also provides context to information available from other security systems, including a third-party sandbox product, Blue Coat ProxySG, and the Blue Coat SSL Visibility Appliance. These capabilities have significantly reduced incident response times. Use Case #3: Incident Response and Resolution incident response, which involves quickly analyzing, identifying and resolving cyber attacks and breaches, remains the most popular use case for security analytics solutions. A security analytics solution provides incident responders with invaluable tools for incident response, including session and object reconstruction, session playback, root cause exploration, and integration with other security products such as SIEM and next-generation firewall systems. These tools help answer questions such as: Who is responsible for the attack and what exactly did they do? What systems were affected and what data was compromised? Is the attack continuing, and if so, how can we stop it immediately? Is the attack over, and if so, how can we prevent a recurrence? This is an area where time-to-resolution is critical. Many attacks are persistent, and in many cases costs to the enterprise are proportional to the length of time the attack remains undiscovered. The longer the attack lasts, the greater the number of credentials that will be captured, the more systems and applications that will be compromised, and the higher volume of sensitive data that will be exfiltrated. By providing precise, actionable intelligence faster, a security analytics solution produces savings in revenue, corporate reputation, breach notification costs and fines, and clean-up costs. Next-Generation Analytics Solutions can reduce meantime to resolution by up to 85%. 2 2 Based on Blue Coat customer case studies. 5

6 Incident Response at a Major Online Retailer using root cause analysis from [Blue Coat], we were able to pinpoint how the exploit occurred, understand the full scope of the problem, and completely prevent that exploit from ever happening again... A large online retailer built its security operations center and incident response process around the Analytics Platform. They use it to identify malicious activity inside and outside the network, to pinpoint all compromised systems through root cause analysis, and to conduct assurance testing on preventative controls by replaying attacks in a lab environment. The Analytics Platform provides much-needed context to alerts, including alerts from their new advanced malware analysis appliances. Use Case #4: Advanced Malware Detection Until recently, security analytics solutions were brought into play after a breach had been detected, and used almost exclusively for retrospective analysis and forensics. But that has changed. Blue Coat has added real-time threat detection to the Analytics Platform with add-on software modules called Blue Coat ThreatBLADES. ThreatBLADES provide real-time threat intelligence services. Each one is optimized to scan specific protocols (HTTP, SMTP, POP3, Webmail, FTP, etc.), detect and extract objects (files, URLs, IP addresses, etc.), inspect and categorize those objects as good, bad (malicious), or unknown, and take appropriate actions in real-time. Those actions can include alerting administrators in real time to malware, querying the Blue Coat Global Intelligence Network about unknown files, brokering unknown files to Blue Coat s Malware Analysis Appliance for detailed analysis in a sandbox, and adding file signatures to a white list or black list. Malware is often a component of advanced multi-stage attacks. By identifying malware in real time, ThreatBLADES help security analysts and incident responders get a jump on finding and analyzing advanced threats and zero-day attacks. For more information on Blue Coat ThreatBLADES and how they help with malware detection, see the white paper Analytics Moves to Real-Time Protection. Global Intelligence Network Dynamic Malware Sandboxing Analytics Analytics combines many forms of threat intelligence to deliver accurate and complete malware detection and analysis Built-in Knowledgebase Threat Intelligence Services 6

7 Use Case #5: Data Loss Monitoring and Analysis In the Ponemon Institute study mentioned earlier, more than a third of IT managers reported that when their company had a data breach they could not determine exactly what information had been lost. The ability to precisely identify data losses can produce major cost savings. Breach notification costs and regulatory fines are often proportional to the amount of data compromised in an attack. Enterprises can realize large savings by demonstrating that only a few files were exfiltrated, and not an entire file store, or that only a small portion of a database was accessed by the attacker. Also, identifying exactly what systems have been compromised in an attack can dramatically reduce post-breach clean-up costs. The Analytics Platform provides a powerful set of tools to determine the full extent of attacks and data losses. For example, administrators and security analysts can monitor and record all the common media used to exfiltrate sensitive data, such as s, file attachments, instant messages, chat sessions, web activity and other traffic arriving and leaving the network. They can quickly evaluate any session that appears to be suspicious. They can monitor database queries and file requests, relate them to their sources, and then pivot to reconstruct all of the activities carried out by those sources. Incident responders can list and recreate all of the files accessed over the course of a persistent attack, and view the sequence of all of the s, SMS messages and files exchanged during a phishing attack. The Analytics Platform also reduces the extent and duration of attacks by working with data loss prevention (DLP) products to issue real-time alerts when sensitive files and data leave the network. Use Case #6: Web Traffic Monitoring and Analysis Most web traffic monitoring is performed by secure web gateways, next-generation firewalls, and other technologies that inspect web traffic. However, security analytics solutions also play an important role in this area. The Blue Coat WebThreat BLADE, one of the ThreatBLADES discussed in the Advanced Malware Detection use case, monitors HTTP traffic (and HTTPS traffic decrypted by the Blue Coat SSL Visibility Appliance). It uses IP, URL, domain, and file reputation information, together with threat intelligence from the Blue Coat Global Intelligence Network, to identify traffic to and from botnets, command-and-control (CnC) callbacks, and evidence of web-based advanced persistent threats (APTs). The WebThreat BLADE can also help enforce web usage policies by monitoring access to web sites that fall into categories such as gambling, shopping, pornography and entertainment. The Analytics Platform also allows administrators to create rules to identify indicators of compromise (IOCs) based on anomalous web traffic patterns and inferential reporting. Information about advanced web attacks can be relayed to secure web gateways to thwart further attacks. Evasive Botnet Detected and Crushed The Blue Coat Threat Research Team used the Analytics Platform to identify a malicious botnet, as well as all the victim hosts that were communicating with the botnet s command and control servers across the globe. Government authorities used this information to take down the botnet servers and all associated domains. Data Loss Monitoring at a Leading-Edge Technology Company A technology company with world-famous consumer electronics products and a soaring stock price uses Blue Coat Analytics Platform to ensure that employees and contractors do not leak intellectual property, confidential business plans or corporate financial information. They also use it to determine material impact when information leakage does occur. 7

8 Use Case #7: IT Governance, Risk Management and Compliance Enterprises need to ensure that employees and other computer users comply with acceptable use policies (AUPs), and to demonstrate to auditors and regulators that they are in compliance with government and industry regulations and standards. analytics solutions play a major role in enforcing and proving compliance with organizational policies. Through application classification, they can quickly identify employees using unapproved applications or using applications in ways that violate policies (for example, exporting files through a chat service). They can monitor users and sessions accessing databases and file stores holding confidential information, to identify unauthorized access. In the event that there is a data breach or policy violation, the complete record of all network activity is used to determine exactly what information has been lost (see the discussion of Data Loss Monitoring and Analysis). The Analytics Platform also includes a media panel that lets administrators monitor images, audio files and video files, to ensure that employees are not viewing inappropriate or illegal content, or abusing online games and entertainment media during work hours. A media panel helps administrators find policy violations related to images, audio files and video files Continuous Monitoring, Situational Awareness and Risk Mitigation Situational awareness through full network visibility is a key means for mitigating risk. In testimony about real risk reduction to come about through continuous monitoring, the State Department reports a 90 percent improvement in its risk posture after implementing a continuous monitoring program. SANS Institute: Continuous Monitoring: What It Is, Why It Is Needed, and How to Use It 8

9 Summary Today, a security analytics solution like the Blue Coat Analytics Platform is for much more than just network forensics. In fact, it provides substantial value for seven use cases: 1. Situational awareness: professionals gain complete 360, 20:20 visibility into their operational domain. The Blue Coat Analytics Platform delivers unprecedented views and visual insights into all activity on an enterprise network. 2. Continuous monitoring: The Analytics Platform is like a security camera for networks. analysts can have access to terabytes of all types of historical network and security data, and can play back any activity of interest at the click of a button. 3. incident response and resolution: Blue Coat s security analytics solution provides incident responders with invaluable tools such as session and object reconstruction, session playback and root cause exploration. These tools allow them to quickly and accurately answer critical post-breach who?, why?, what?, when?, and how? questions and greatly reduce time-to-resolution. 4. Advanced malware detection: Blue Coat ThreatBLADES, which run on the Analytics Platform, can detect and extract files from traffic on all major protocols, send alerts when malware is detected, and send unknown files to a sandbox for dynamic malware analysis. 5. Data loss monitoring and analysis: The Blue Coat Analytics Platform allows administrators to monitor and extract all files leaving an enterprise network, across communication channels such as , HTTP uploads, instant messaging chats and more. Along with a builtin alerting system, this provides a powerful capability for corporations worried about sensitive data loss. 6. Web traffic monitoring and analysis: Blue Coat s security analytics solution provides detailed web traffic analysis to identify advanced web-based threats, including botnets, command and control activity, malicious websites, embedded malware and more. 7. IT governance, risk management and compliance: The Blue Coat Analytics Platform can monitor application use and data access to ensure that employees are complying with company and government policies. It also allows policy owners such as Human Resources Directors and Chief Financial Officers to demonstrate compliance with government regulations and industry standards. For more information on the concepts and products discussed in this white paper, please visit the Analytics Platform section of the Blue Coat website, and try the Analytics Virtual Appliance for 30 days. 9

10 Blue Coat Systems Inc. Corporate Headquarters Sunnyvale, CA Blue Coat Systems, Inc. All rights reserved. Blue Coat, the Blue Coat logos, ProxySG, PacketShaper, CacheFlow, IntelligenceCenter, CacheEOS, CachePulse, Crossbeam, K9, the K9 logo, DRTR, Mach5, Packetwise, Policycenter, ProxyAV, ProxyClient, SGOS, WebPulse, Solera Networks, the Solera Networks logos, DeepSee, See Everything. Know Everything.,, and BlueTouch are registered trademarks or trademarks of Blue Coat Systems, Inc. or its affiliates in the U.S. and certain other countries. This list may not be complete, and the absence of a trademark from this list does not mean it is not a trademark of Blue Coat or that Blue Coat has stopped using the trademark. All other trademarks mentioned in this document owned by third parties are the property of their respective owners. This document is for informational purposes only. Blue Coat makes no warranties, express, implied, or statutory, as to the information in this document. Blue Coat products, technical services, and any other technical data referenced in this document are subject to U.S. export control and sanctions laws, regulations and requirements, and may be subject to export or import regulations in other countries. You agree to comply strictly with these laws, regulations and requirements, and acknowledge that you have the responsibility to obtain any licenses, permits or other approvals that may be required in order to export, re-export, transfer in country or import after delivery to you. v.wp-next-gen-security-analytics:real-world-use-cases- EN-v1d-0714 EMEA Headquarters Hampshire, UK APAC Headquarters Singapore