
SECURITY ANALYTICS FOR SECURITY OPERATION CENTER 2.0

A TECHNICAL OVERVIEW

WHITEPAPER

Security Empowers Business

BLUE COAT: SECURITY EMPOWERS BUSINESS


Blue Coat empowers enterprises to safely and securely choose the best applications, services, devices, data
sources, and content the world has to offer, so they can create, communicate, collaborate, innovate, execute,
compete, and win in their markets.
Blue Coat has a long history of protecting organizations, their data and their employees, and is the trusted brand to
15,000 customers worldwide, including 86 percent of the Fortune Global 500. With a robust portfolio of intellectual
property anchored by more than 200 patents and patents pending, the company continues to drive innovations
that assure business continuity, agility, and governance.

Security Analytics Platform by Blue Coat


Blue Coat provides the industry's leading security intelligence and
analytics solution. Its award-winning Security Analytics Platform
(formerly known as Solera DeepSee) levels the battlefield against
advanced targeted attacks and zero-day malware. The Security
Analytics Platform enables the security operations center to deliver
clear and concise answers to the toughest security questions. The
Security Analytics Platform is powered by next-generation deep-packet
inspection and indexing technologies, full-packet capture, file brokering,
and advanced malware analysis, as well as real-time threat intelligence
and alerting capabilities.


Security operations centers at leading global 2000 enterprises, cloud


service providers and government agencies rely on the Security
Analytics Platform for real-time situational awareness, security incident
response, advanced malware detection, and data loss monitoring
and analysis. In addition, the product provides organizational policy
compliance and security assurance, empowering security operation
centers in IT Governance and Risk and Compliance Management to
detect and respond quickly and intelligently to advanced threats and
targeted attacks, while also protecting critical information assets and
minimizing exposure, loss, and business liabilities.

Blue Coat Security Analytics as Part of an Advanced Threat Protection Lifecycle Defense

Today's threat landscape is populated by increasingly sophisticated
intrusions that take the form of advanced persistent threats, advanced
targeted attacks, advanced malware, unknown malware and zero-day
threats. Enterprises are experiencing material security breaches as a
result of these attacks, because advanced security operations teams
as well as the defenses they deploy operate in silos with no ability to
share information across the entire security organization or environment.
Consequently, there is a shift towards a new approach that integrates
real-time protection, dynamic analysis, and post-breach investigation
and remediation. This approach closes the gap that exists between
ongoing security operations and incident discovery, containment, and
resolution. The net result: your business can move beyond fear and start
focusing on possibilities.

Blue Coat: Uniquely Capable of Addressing the Requirements


The Blue Coat Advanced Threat Protection solution integrates
technologies from the Blue Coat Security and Policy Enforcement
Center and the Resolution Center to deliver a comprehensive lifecycle
defense that fortifies the network. The solution:


- Blocks known advanced persistent threats
- Proactively detects unknown and already-present malware
- Automates post-intrusion incident containment and resolution

This makes it possible for day-to-day security operations and advanced
security teams to work together to protect and empower the business.

[Figure 1 diagram (lifecycle ring): Ongoing Operations / Detect & Protect: Block All Known Threats (ProxySG SWG, Content Analysis System, SSL Visibility Appliance, Global Intelligence Network); Incident Containment / Analyze & Mitigate: Novel Threat Interpretation; Incident Resolution / Investigate & Remediate Breach: Threat Profiling & Eradication (Security Analytics Platform); transitions labelled Unknown Event Escalation, Retrospective Escalation, and Fortify & Operationalize]

Blue Coat develops Security Analytics solutions that enable security
operation centers to hasten this shift in the security paradigm. The
Security Analytics Platform records and classifies every packet of
network traffic from layer 2 through layer 7. The product indexes and stores
all network data to provide 20/20 visibility of network events, all with
clear, actionable intelligence. As a security camera for the network,
the Security Analytics Platform supports swift and targeted responses to
any threat or breach by retaining a complete copy of all the traffic going
in and out of the network, complete with reconstruction of the activity
related to an event or breach.

Blue Coat Value Proposition

The award-winning Security Analytics Platform prepares organizations
for advanced malware and targeted attacks by allowing security
professionals to answer the most important post-breach questions,
including the Who, What, When, Where, Why and How of a
successful security breach. The Security Analytics Platform delivers real-world
use cases for the next-generation security operation center (see Figure 2).
[Figure 1 labels, continued: Situational Awareness; Incident Containment; Security Analytics Platform with ThreatBLADES; Malware Analysis Appliance]

Figure 1: Blue Coat Advanced Threat Protection Lifecycle

Security Analytics Overview


Organizations are losing the battle against advanced malware and
targeted attacks. Sensitive data is being stolen and networks are
successfully attacked every day. Security professionals have been blind
to the activities of attackers on their networks and are realizing that their
prevention-based technologies alone are unable to prevent security
breaches, advanced malware, and zero-day attacks.


That is why advanced threat detection, prevention, and preparedness
have become urgent priorities as organizations accept the inevitability of
successful security breaches. Security operation centers need to rely on
new security technologies that allow them to gain real-time situational
awareness, context, intelligence, and visibility. Blue Coat Security
Analytics is needed not only to detect advanced threats but also to
respond to major security events and attacks in a comprehensive way.

[Figure 2 diagram: six use cases arranged around the Security Analytics Platform: IT Governance, Risk Management and Compliance; Web Traffic Monitoring and Analysis; Data Loss Monitoring and Analysis; Continuous Monitoring; Security Incident Response and Resolution; Advanced Malware Detection]

Figure 2: Blue Coat Security Analytics Delivers Real World Use Cases

The Security Analytics Platform is the only solution capable of meeting
the demands of high-performance networks operating at wire speed.
Its flexible, cost-effective options include:
- Software-only delivery to optimize TCO and minimize capital expenses


- Certified 10Gbps performance
- A patented database supporting 2M+ input/output operations per second (IOPS)
- Scalable storage options for very large deployments, scaling to multiple petabytes

- Security Analytics Storage Modules: modular storage capacity modules to attain highly scalable retention of data on a single Security Analytics sensor
[Figure 3 diagram (product portfolio): Security Analytics Virtual Appliance: total network visibility; Security Analytics Software: absolute flexibility, flexible and easy to deploy on leading platforms; Security Analytics Appliances: comprehensive, pre-configured appliances (2G and 10G); Security Analytics Central Manager: manage multiple appliances/VMs; Security Analytics Storage Modules: scale to any retention requirement or need]

- Application classification and discovery of more than 2000 applications
- Customizable analytics to meet the specific requirements of any enterprise network
- Direct integration with best-of-breed security technologies such as NGFW, IPS, and SIEM to create a highly efficient security ecosystem

Global 2000 enterprises and government agencies use these military-grade
solutions to save valuable time in incident response, provide detailed
accounts of what information was exfiltrated and how, and protect
intellectual property and the company's reputation from modern
malware-based attacks. Understanding whether data has been compromised
is an increasingly important component of complying with information
security mandates. Customers who have Blue Coat products gain awareness
of attacks and can respond swiftly and intelligently.

Product and Solution Overview


The patented architecture of the Security Analytics Platform enables
open interoperability, extensible storage, and portability to any network,
giving security operation centers flexible deployment options to leverage
their existing investments. Key products include:
- Security Analytics Software: flexible software-only option to achieve high performance at a lower TCO and capital expense
- Security Analytics Appliances: turn-key appliances with full network capture, classification, and indexing at up to 10Gbps with onboard storage up to 22TB, with a scalable architecture supporting multi-petabyte capacities


- Security Analytics Virtual Appliance: the only virtual security appliance in the market that provides complete visibility into all virtual traffic, supporting VMware ESX server environments
- Security Analytics Central Manager: a centralized platform that provides aggregated views from multiple Security Analytics sensors in a single pane of glass

Figure 3: Blue Coat Security Analytics Product Portfolio

- Context-aware Integration: Blue Coat Security Analytics products integrate with leading security solutions from HP ArcSight, Dell SonicWALL, FireEye, McAfee, Palo Alto Networks, Splunk, Sourcefire, and many others.

Why Security Analytics by Blue Coat?


Blue Coat Security Analytics differentiates itself from other security
solutions in the following ways:

Application Identification with Advanced Deep Packet Inspection
Most enterprises have hundreds or thousands of applications running
on their network, and their security operation centers are not fully
aware of these applications. Security Analytics solutions from Blue
Coat have the unique capability of not only classifying and identifying
thousands of applications but also extracting attributes from them. The
identification is based on stateful inspection of protocol conversations,
which yields precise classification with no false positives. Furthermore,
the advanced DPI engine extracts and indexes thousands of session-flow
attributes, enabling efficient reports of all activity associated with
any indicator. This ability gives IT organizations information on all
applications running on their network and on which hosts, users and
artifacts are associated with them, revealing the complete context for any
investigation.
Application security should be a top priority for any IT organization. A
variety of applications most commonly web applications are used
to penetrate and carry out advanced targeted attacks. The basic step
of knowing all the applications in a network is critically important in
preventing and protecting all the assets and critical information in
an enterprise network. Security Analytics solutions deliver unrivaled
and comprehensive application and protocol intelligence, enabling IT
organizations to regain application control and security in their networks.
Threat Intelligence with Security Analytics Alerts and Services
The Security Analytics Actions and Alerts engine allows security
professionals to automate the notification of targeted events in real time.
Actions can be created for suspicious, malicious, or prohibited behavior,
and the analyst will be notified immediately of violations. Security
Analytics Actions and Alerts enables analysts to automate common
tasks such as checking for traffic against a list of known bad websites,
receiving notification of unknown applications on the network, or alerting
about the presence of encrypted traffic on non-standard ports.
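The three automation tasks just listed (a list of known-bad destinations, an unclassified application on the network, and encrypted traffic on a non-standard port), written as rules over per-flow metadata and emitted as CEF lines, one of the delivery formats this paper names. This is an added example and not Blue Coat code: the Flow field set, the watch-list contents, the vendor/product strings in the CEF header and the sample flows are all constructed assumptions for the example.

```python
# Added example, not Blue Coat code: automated alert actions evaluated over per-flow metadata.
from dataclasses import dataclass


@dataclass
class Flow:
    """One classified session; this field set is an assumption for the example."""
    ts: int             # epoch seconds
    src_ip: str
    dst_ip: str
    proto: str
    sport: int
    dport: int
    app: str            # classifier verdict, "unknown" if no protocol parser matched
    first_bytes: bytes  # first payload bytes seen by the DPI engine
    host: str = ""      # HTTP Host or TLS SNI, when extracted


# Constructed watch lists (hypothetical values, not a real feed).
KNOWN_BAD = {"203.0.113.66", "bad.example"}
KNOWN_APPS = {"dns", "http", "tls", "smtp", "ssh"}
STANDARD_TLS_PORTS = {443, 465, 563, 636, 853, 993, 995, 8443}


def looks_like_tls(first_bytes):
    """A TLS record starts with ContentType 0x16 (handshake) and version 0x03 0x00..0x03,
    the record-layer versions SSL 3.0 through TLS 1.3 put on the wire."""
    return (len(first_bytes) >= 3 and first_bytes[0] == 0x16
            and first_bytes[1] == 0x03 and first_bytes[2] <= 0x03)


def evaluate(flow):
    """Return (signature_id, name, severity) for every rule the flow trips."""
    hits = []
    if flow.dst_ip in KNOWN_BAD or flow.host in KNOWN_BAD:
        hits.append(("1001", "Traffic to known-bad destination", 8))
    if flow.app not in KNOWN_APPS:
        hits.append(("1002", "Unclassified application on network", 3))
    if (flow.app == "tls" or looks_like_tls(flow.first_bytes)) and flow.dport not in STANDARD_TLS_PORTS:
        hits.append(("1003", "Encrypted (TLS) traffic on non-standard port", 5))
    return hits


def cef_escape(value, header=False):
    """CEF escaping: backslash and pipe in header fields, backslash and '=' in extension values."""
    value = str(value).replace("\\", "\\\\")
    return value.replace("|", "\\|") if header else value.replace("=", "\\=")


def to_cef(flow, sig_id, name, severity):
    """Render one hit as a CEF:0 line; vendor/product/version are placeholders."""
    header = "|".join(cef_escape(x, header=True)
                      for x in ("ExampleVendor", "FlowMonitor", "1.0", sig_id, name, severity))
    ext = {"rt": flow.ts * 1000, "src": flow.src_ip, "dst": flow.dst_ip, "spt": flow.sport,
           "dpt": flow.dport, "proto": flow.proto.upper(), "app": flow.app, "dhost": flow.host}
    extension = " ".join(f"{k}={cef_escape(v)}" for k, v in ext.items() if v != "")
    return f"CEF:0|{header}|{extension}"


def run(flows):
    """Evaluate every flow and return the CEF lines to hand to email/syslog/SNMP delivery."""
    return [to_cef(flow, *hit) for flow in flows for hit in evaluate(flow)]


# Constructed sample traffic, not captured data.
SAMPLE_FLOWS = [
    Flow(1409500000, "10.0.0.5", "10.0.0.53", "udp", 51000, 53, "dns", b"\x12\x34\x01\x00"),
    Flow(1409500010, "10.0.0.5", "203.0.113.7", "tcp", 52001, 443, "tls", b"\x16\x03\x01", "www.example.org"),
    Flow(1409500020, "10.0.0.9", "198.51.100.4", "tcp", 40000, 8080, "unknown", b"\x16\x03\x01"),
    Flow(1409500030, "10.0.0.7", "203.0.113.66", "tcp", 40500, 80, "http", b"GET / HTTP/1.1", "bad.example"),
]

if __name__ == "__main__":
    for line in run(SAMPLE_FLOWS):
        print(line)
```

The non-standard-port rule checks the record-layer bytes as well as the classifier verdict, so a flow the classifier left as "unknown" still trips it; the second sample flow above trips both that rule and the unknown-application rule. Severity and signature IDs are arbitrary and would be tuned to the receiving SIEM.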
Blue Coat ThreatBLADES in the Security Analytics Platform integrate
with the Blue Coat Global Intelligence Network and other industry-standard
reputation and malware feeds, providing real-time threat
intelligence services. With a simple right-click, analysts can check the
integrity and reputation of any URL, IP address, file hash, malware
sample, or email address against multiple services at once.


Real-time File Brokering to Sandbox Technologies
The Security Analytics Platform extracts files in real time, and if a file is not found in
local known-good or known-bad file databases, it is immediately
delivered to a sandbox. The Security Analytics Platform then updates
the Blue Coat Global Intelligence Network with the verdict from the
sandbox. The Security Analytics Platform is directly integrated with
the Blue Coat Malware Analysis Appliance and other industry-leading
sandbox technologies.

Layer 2-7 Analysis with Security Analytics
The Security Analytics Platform provides a variety of analytics across the network layers,
from packets, ports/protocols, applications, and user sessions to files,
to strengthen security incident response with comprehensive and
conclusive analysis. Examples of security-related analytics include:
- Always-on Classification and Extraction: all 2000+ protocol and application classifiers are enabled to provide complete visibility and context of network activity, exposing session-level details from layers 2 through 7
- Session Reconstruction: reconstructs the full session from packet data, including web, email, and chat sessions along with associated files, so analysts can investigate security incidents without packet expertise
- Media Panel: displays all the images, video and voice sessions traversing the network during a given time, including details such as initiator and responder IP addresses
- Artifacts and Timeline: reconstructs numerous artifacts in chronological order, such as file transfers, PDF, Word, Excel, and many more, making it easy to track the distribution of file exploits and file-type activity over time for a single user or all users
- Root Cause Explorer: quickly identifies the source of an exploit or compromise and reduces time-to-resolution
- Built-in Packet Analyzer: the Security Analytics Platform includes a full-featured packet analyzer integrated into the interface, eliminating the need to transfer huge PCAP files over the network
- PCAP Import: allows analysts to import data, making it easy to analyze historical data and compare captured data to a known-good baseline; also allows playback of captures to verify the effectiveness of remediation measures and security enforcement tools
- Complex Rules Alerting: enables analysts to build granular, stateful alerts based on sequences of activity exposed by the advanced DPI engine; alerts are delivered via email, CEF, syslog and/or SNMP
- Role-Based Access Control (RBAC): sensitive information collected in the Security Analytics Platform can be masked, limiting views to specific areas of responsibility (AoR)
- Strong Authentication: uses LDAP/AD and/or RADIUS authentication for access control; PKI (X.509 certificate) authentication is fully supported


[Figure 4 diagram (architecture): Central Management (unified, single pane of glass); Advanced Reporting (dynamic, inferential, visual insight); Blue Coat ThreatBLADES: WebThreat (web protocol scanning and file extraction), FileThreat (file protocol scanning and file extraction), MailThreat (mail protocol scanning and file extraction); WebPulse Global Intelligence Network; Security Analytics Platform: Threat Profiler Engine/Patented Database, Full Packet Capture, L2-L7 Indexing, DPI/Classification, Scalable Storage]

Figure 4: Blue Coat Security Analytics Architecture

The platform also integrates with many other vendors. This integration with next-generation firewall
(NGFW), intrusion prevention system (IPS), and security information and
event management (SIEM) vendors leverages a security operations
center's existing investments while providing context to alerts and logs
and expediting incident response.

Security Analytics Common Criteria EAL 3+ Certification
The Security Analytics Platform with Central Manager
has been awarded Common Criteria
Evaluation Assurance Level (EAL) 3+ certification. Common Criteria
certification is recognized in over 25 countries as a critical validation of
security technology, making the Security Analytics Platform more
accessible to federal agencies and commercial enterprises.

Flexible Deployment Options
Blue Coat's integrated appliances,
software, and virtual appliances enable flexible, easy deployment with
enterprise-wide visibility and awareness. Security Analytics sensors
are deployed throughout the network with the capability of monitoring
thousands of network segments, from data centers to cloud to remote
offices. A central management system provides a single-pane-of-glass
view across multiple sensors. In addition to the ability to span
the network, Security Analytics sensors offer multiple optimized storage
options. This gives IT organizations the ability to maintain back-in-time
visibility to fully analyze an attack or breach from its inception.


Augment Traditional Security with Integration
The Security Analytics Platform integrates with best-of-breed network security products to
pivot directly from an alert to obtain full-payload detail of the event,
before, during and after the alert. The open web services REST API
enables integration with products from companies such as HP ArcSight,
McAfee, FireEye, Splunk, Sourcefire, Palo Alto Networks, SonicWALL, and many others.

Figure 5: Comprehensive Integrated Partner Ecosystem

Blue Coat Security Analytics Platform delivers unprecedented visibility


and control over packet, application, session, protocol, and user data
traversing the network, while enhancing and providing added value to
existing security investments.

Automated Deep Packet Analysis in Blue Coat Security Analytics

Next-generation threats ignore standards of communication and take
advantage of systems that rely only on simple signature-based analysis.
Today's SOC 2.0 must be able to classify network traffic by protocol
and application, and by the attributes within them, in order to have
the visibility needed to discover and remediate next-generation threats.
Security operation centers need solutions that can provide advanced
deep packet inspection (DPI), application, and attribute classification of
all network traffic, in real time. The ability to extract data from network
traffic at this depth provides a richness and accuracy that paints a vivid
picture for analysts and investigators to help them find anomalies and
threats. The Security Analytics Platform implements DPI using protocol
parsers that track state transitions to precisely classify flows and extract
rich metadata to present a complete context of flows for advanced
threat detection.
The Security Analytics Platform helps you visualize and analyze network
data and uncover specific network activity without requiring specific
knowledge of networking protocols and packet analysis methods. Its
powerful features let you locate and reconstruct specific communication
flows, as well as network and user activities, within seconds. The
platform does this by classifying captured network traffic packets and
identifying meaningful data flows. A flow is the collection of packets
that comprises a single communication between two specific network
entities. Within a particular data flow, you can then identify and examine
network artifacts such as image files, Word documents, emails, and
video, as well as executable files, HTML files, and more. The Security
Analytics Platform also allows you to reconstruct HTML pages, emails,
and instant messaging conversations.
The Security Analytics Platform also provides the ability to do real-time,
policy-based artifact extraction, and is not limited to any specific
operating system (OS) environment. Extracted artifacts can be
automatically placed in centralized network repositories for analysis
by superior forensics tools within the Security Analytics Platform.
These artifacts are hashed and stored for future retrospection on newly
discovered malware variants and provide a method to understand their
relatedness to preexisting hashes.
The Security Analytics Platform can be deployed as dedicated hardware
appliances or virtual machines. They can even be deployed inside a
virtual network composed of intercommunicating virtual machines,
enabling them to expose their virtual traffic to external physical security
tools for analysis. The Central Manager facilitates federated queries on
hundreds of Security Analytics sensors to provide a 360-degree view of
activity across the entire enterprise network including perimeter, data
centers, and remote offices.

This architecture has proven scalability in demanding environments, with many deployments across Global 2000
companies.
At its most basic level, the solution takes network data packets from
a network interface card (NIC), classifies the network flows, and then
moves that data to storage in a specialized format that has been
optimized for extremely high throughput, accuracy, manageability,
and security. In addition to enabling organizations to capture 100% of
network traffic, the Security Analytics appliances also provide complete
control over the type of traffic captured using Berkeley Packet Filters
(BPF), providing the ability to filter network traffic, either during
capture or when replaying captured traffic at a later time, inclusively or
exclusively.
As a Security Analytics sensor captures and stores each packet, a
reference and metadata are extracted and stored, providing highly
efficient query and response for captured packet data. These attributes
include data related to the packet, applications, users, and session flow,
providing full context surrounding the network traffic. They include
attributes such as IP and MAC address, protocols, ports, application
names, user identities, actions, email attributes, and thousands of other
metadata fields.
The Security Analytics File System is a custom-built file system that
contains all network packets, both header and payload. It is based
on a slot architecture of N*64MB slots, each corresponding directly
to an associated ring buffer in memory. Captured data is formatted and
moved to disk using direct memory access (DMA).

System Architecture and Performance



The Security Analytics Appliances, Virtual Appliances, and Software
meet the requirements of small to large enterprises. Security Analytics
sensors are able to achieve this because the underlying file and
system architecture were designed for efficient capture and query
performance from the outset.

In the Security Analytics DB architecture graphic, the Bitmask &
Hash layer (top) maps metadata and other search attributes to each and
every 64MB memory or storage slot that contains relevant data.


The Security Analytics DB Index layer (middle) contains the data


necessary to find and reconstruct packets, flows, and entire network
sessions in perfect fidelity (lossless). Search queries are processed
using a proprietary algorithm that generates hash values used by the
top layer of the search engine (bitmask & hash) to quickly determine
which 64MB slots the data are in. When a Security Analytics sensor has
captured a network traffic stream, the stream becomes immediately
available for replay and analysis.
Security Analytics not only performs full packet capture, but also
provides a tremendous amount of metadata derived from DPI and other
methods of packet and flow analysis. Simultaneously with full packet
capture, Security Analytics indexes thousands of elements of metadata
into Security Analytics DB, a highly optimized custom database. This
performance enhancement provides for highly accelerated and efficient
queries. These queries drive much of the Security Analytics user
interface, an intuitive, operating system and browser-agnostic Web UI
that provides a contextual view to the security analyst. User-defined
dashboards provide instant situational awareness of network activity
and events, and a front end to the system's ability to deep-dive into
network flows.
As packets are captured, attributes such as protocol, source/destination
MAC/IP, port, VLAN, and packet length are inserted into the Security
Analytics DB. The Security Analytics DB then serves as the data source
to the GaugeFS virtual file system, allowing near instantaneous access
to any captured data navigable through a familiar folder hierarchy. Unlike
files on a conventional file system, the data available through GaugeFS
does not occupy any space; instead, it dynamically retrieves packets
by querying the Security Analytics DB for the location of the requested
packets directly from the DSFS capture file system.


The virtual file system also provides the capability to instantiate any-to-any
relationships between all metadata (applications, filenames,
etc.) and quickly presents the full context of all activity surrounding a
given set of search criteria. Metadata and indices are always stored
on a separate disk array for performance reasons, and metadata can
generally be stored 3-5 times longer than packet data. By using the
available metadata, analysts are able to efficiently narrow their search
criteria and minimize the amount of packet data needed to perform
detailed incident response or artifact extraction.

Other unique characteristics of GaugeFS are the inclusion of timespans,


Boolean query logic, and ranges. Timespans are an optional top-level
path within the GaugeFS hierarchy. If a timespan is not used, then all
packets within the DSFS capture file system matching the attributes
described by the GaugeFS path will be presented in the result data. In
many cases, it is desirable to constrain the data retrieval to a specific
time-domain. Descending into a timespan path provides this sort of
constraint so that the resulting pcap matches not only packet attributes
but also time attributes.
Although each model of a Security Analytics sensor is slightly different,
they all have a common overall structure. There is a collection of hard
drives, which are separated into three distinct functional areas. The
largest is the storage array. This collection of disks is where all the
incoming raw data is stored. The next largest is the indexing array, which
contains the custom database which stores all the metadata about
the packets (where they came from, where they were going to, their
time, and so on). The smallest is the system array, which contains the
operating system and related storage. This is also where any artifacts
and reports are created.

[Figure (hard drive array layout): Storage Array holds the DSFS File System; Indexing Array holds the Security Analytics DB; System Array holds the Operating System]

- Storage Array: raw network data, stored as received across multiple hard drives
- Indexing Array: metadata stored and indexed using multiple hard drives
- System Array: Linux operating system on multiple hard drives

As packet capture data is collected, the Security Analytics Platform
performs the following functions:


- Stores the full contents of the packet capture data in the DSFS file system
- Records the data reference and the metadata about each packet (size, IP addresses, ports, etc.)
- Builds an index of the data and metadata in each conversation (time, ports, URLs, login information, application ID, etc.) in the Security Analytics DB
The combination of the patented packet capture file systems, multiple
indexes, application classification, metadata extraction, and the
underlying hardware components enable superior performance and
scalability.
Integration using the REST API for the Security Analytics Platform
The Security Analytics Platform provides a REST API, allowing packet
capture data to be described and retrieved through a simple HTTPS
request. This allows easy integration into other software
platforms, such as an IDS/IPS, firewall, or SIEM. The Security Analytics
Platform also provides JSON data sources to start or stop captures and to
retrieve interface statistics, artifact extraction results, capture status, capture
filters, and reports. The platform provides the freedom to integrate
current and future tools/equipment with an open architecture utilizing
industry-standard protocols.
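The store-then-index model described in the last few sections, as an added example that is not Blue Coat code: raw packets stay in a capture file (the role DSFS plays), per-packet metadata such as MAC, VLAN, IP, protocol, ports and length goes into a separate index (the role of Security Analytics DB), and a GaugeFS-style path with an optional timespan prefix, OR (a|b) and numeric ranges (lo-hi) selects packets, which are then sliced back out of the raw capture by stored offset rather than copied into the index. It also builds the "before, during and after" query an alert pivot needs, which is what a caller of the REST API would then retrieve. The path syntax, the record and alert field names, and the traffic are all assumptions for this example; it uses neither the product's real API nor its BPF filter syntax, and parses the pcap with the standard library only.

```python
# Added example, not Blue Coat code: a toy packet store plus metadata index queried with GaugeFS-style paths.
import struct
from collections import defaultdict
ALIASES = {"ipv4": ("src_ip", "dst_ip"), "port": ("sport", "dport")}  # direction-agnostic query keys (assumed)

def build_frame(src_mac, dst_mac, src_ip, dst_ip, proto, sport, dport, payload=b"", vlan=None):
    """Ethernet[/802.1Q]/IPv4/TCP-or-UDP frame with zeroed checksums (constructed test data)."""
    if proto == 6:  # TCP: 20-byte header, data offset 5, flags PSH|ACK
        l4 = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, 0x18, 0xFFFF, 0, 0) + payload
    else:           # UDP
        l4 = struct.pack("!HHHH", sport, dport, 8 + len(payload), 0) + payload
    ip4 = lambda s: bytes(map(int, s.split(".")))
    l3 = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(l4), 0, 0, 64, proto, 0, ip4(src_ip), ip4(dst_ip))
    tag = struct.pack("!H", 0x0800) if vlan is None else struct.pack("!HHH", 0x8100, vlan, 0x0800)
    return bytes.fromhex(dst_mac.replace(":", "")) + bytes.fromhex(src_mac.replace(":", "")) + tag + l3 + l4

def parse_pcap(data):  # little-endian microsecond pcap assumed; yields (ts_sec, record_offset, frame)
    off = 24
    while off + 16 <= len(data):
        ts, _, incl, _ = struct.unpack_from("<IIII", data, off)
        yield ts, off, data[off + 16:off + 16 + incl]
        off += 16 + incl

def extract(ts, offset, frame):
    """Per-packet metadata the text lists (MAC, VLAN, IP, protocol, ports, length) plus where the bytes live."""
    rec = {"ts": ts, "offset": offset, "len": len(frame), "vlan": None,
           "dst_mac": frame[0:6].hex(":"), "src_mac": frame[6:12].hex(":")}
    ethertype, l3 = struct.unpack_from("!H", frame, 12)[0], 14
    if ethertype == 0x8100:  # 802.1Q tag: VLAN id is the low 12 bits of the TCI
        tci, ethertype = struct.unpack_from("!HH", frame, 14)
        rec["vlan"], l3 = tci & 0x0FFF, 18
    if ethertype != 0x0800:
        return dict(rec, proto="other")
    ihl, proto = (frame[l3] & 0x0F) * 4, frame[l3 + 9]
    rec["src_ip"] = ".".join(map(str, frame[l3 + 12:l3 + 16]))
    rec["dst_ip"] = ".".join(map(str, frame[l3 + 16:l3 + 20]))
    rec["proto"] = {6: "tcp", 17: "udp"}.get(proto, str(proto))
    if proto in (6, 17):
        rec["sport"], rec["dport"] = struct.unpack_from("!HH", frame, l3 + ihl)
    return rec

class CaptureIndex:  # (attribute, value) -> packet ids; records hold metadata and the raw-capture offset only
    def __init__(self, pcap):
        self.records, self.index = [], defaultdict(set)
        for ts, off, frame in parse_pcap(pcap):
            self.add(extract(ts, off, frame))

    def add(self, rec):
        rid = len(self.records)
        self.records.append(rec)
        pairs = [(a, v) for a, v in rec.items() if a != "offset" and v is not None]
        pairs += [(alias, rec[k]) for alias, keys in ALIASES.items() for k in keys if rec.get(k) is not None]
        for a, v in pairs:
            self.index[(a, v)].add(rid)

    def query(self, path):
        """Optional 'timespan/LO-HI', then attr/value pairs ANDed; a value may be 'a|b' (OR) or a range 'lo-hi'."""
        parts = [p for p in path.strip("/").split("/") if p]
        hits = set(range(len(self.records)))
        if parts and parts[0] == "timespan":
            lo, hi = map(int, parts[1].split("-"))
            hits &= {i for i, r in enumerate(self.records) if lo <= r["ts"] <= hi}
            parts = parts[2:]
        for attr, value in zip(parts[::2], parts[1::2]):
            matched = set()
            for alt in value.split("|"):
                if "-" in alt and alt.replace("-", "", 1).isdigit():
                    lo, hi = map(int, alt.split("-"))
                    matched |= {rid for (a, v), rids in self.index.items()
                                if a == attr and isinstance(v, int) and lo <= v <= hi for rid in rids}
                else:
                    matched |= self.index.get((attr, int(alt) if alt.isdigit() else alt), set())
            hits &= matched
        return sorted(hits)

def slice_pcap(pcap, idx, rids):  # re-read only the selected records from the raw capture; the index holds no packet bytes
    out = pcap[:24]
    for rid in rids:
        off = idx.records[rid]["offset"]
        out += pcap[off:off + 16 + struct.unpack_from("<I", pcap, off + 8)[0]]
    return out

def pivot_from_alert(alert, before=30, after=30):  # hypothetical IDS/SIEM alert fields -> query around the alert time
    return (f"timespan/{alert['ts'] - before}-{alert['ts'] + after}"
            f"/ipv4/{alert['src_ip']}/ipv4/{alert['dst_ip']}/port/{alert['dport']}")

def sample_capture():  # constructed traffic: a DNS exchange, a TLS session on VLAN 10, and TLS to port 8443
    a, b = "00:11:22:33:44:55", "00:aa:bb:cc:dd:ee"
    frames = [(1000, build_frame(a, b, "10.0.0.5", "10.0.0.53", 17, 51000, 53, b"dns?")),
              (1001, build_frame(b, a, "10.0.0.53", "10.0.0.5", 17, 53, 51000, b"dns!")),
              (1010, build_frame(a, b, "10.0.0.5", "203.0.113.7", 6, 52001, 443, b"\x16\x03\x01", vlan=10)),
              (1011, build_frame(b, a, "203.0.113.7", "10.0.0.5", 6, 443, 52001, b"\x16\x03\x03", vlan=10)),
              (1200, build_frame(a, b, "10.0.0.9", "198.51.100.4", 6, 40000, 8443, b"\x16\x03\x01"))]
    header = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)  # pcap 2.4 header, LINKTYPE_ETHERNET
    return header + b"".join(struct.pack("<IIII", ts, 0, len(f), len(f)) + f for ts, f in frames)

if __name__ == "__main__":
    alert = {"ts": 1010, "src_ip": "10.0.0.5", "dst_ip": "203.0.113.7", "dport": 443}
    print(pivot_from_alert(alert, 5, 5), "->", CaptureIndex(sample_capture()).query(pivot_from_alert(alert, 5, 5)))
```

Two ANDed ipv4 segments match packets in either direction between the two hosts, which is what an analyst wants when pivoting from a one-directional IDS alert; the sliced pcap can be re-indexed on its own, which is the "PCAP Import" case. A production index would of course hash rather than scan for range queries, and would keep the metadata longer than the packets, as the text notes.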

Wide-Area System Management

Each link between a Managed Sensor and the Central Manager
has its own separate VPN connection operating within a common
VPN subnet. Communications over the VPN subnet are protected by
industry-standard SSL/TLS encryption using strong keys. In
order to complete the connection between the Central Manager and
Managed Sensors, the Managed Sensor must be able to connect to the
Central Manager via HTTPS.
The Security Analytics Central Manager supports over 200 Security
Analytics Managed Sensors. Central Managers are capable of
operating in an active/active clustered and decentralized configuration,
providing Continuity of Operations (COOP), with each Central Manager
maintaining the full state of the other in case of a failure condition. A
heartbeat method is implemented to verify the health and state of each Central Manager.
Managed Sensors also use the cluster failover capability based on
heartbeat and response from the primary Central Manager. Failover occurs within a
5-second window.


The Security Analytics Central Manager is a dedicated instance of
Security Analytics (Software, Appliance or Virtual Appliance) running the
Central Manager software. This Central Manager provides a centralized
query, reporting and management interface for all Security Analytics
Managed Sensors connected to the Central Manager. The Central
Manager provides:
- Single view of query, result and report data for all Managed Sensors
- Parallel query execution for all Managed Sensors
- Centralized configuration and management for all Managed Sensors


- Centralized provisioning of users, RBAC, and authentication
- Central software upgrade host for all Managed Sensors

All communications between the Managed Sensors and Central
Manager are conducted over a dedicated Virtual Private Network (VPN).

[Figure 6 diagram: Security Analytics Appliance, Software and Virtual Appliance sensors across a distributed network, reporting to the Security Analytics Central Manager: single point of management, central access, directed searches, aggregate searches, arbitrary groups and sub-groups]

Figure 6: Blue Coat Security Analytics Scalable Architecture


How the Solution Works


The solution allows end users to achieve full situational awareness and
investigate security incidents in real time using the Security Analytics
Platform. Blue Coat's unique architecture allows the Security Analytics
sensors to query all network data using a parallel query architecture.
Given the expense of staffing a skilled incident response team, the
ability of the proposed solution to reduce time-to-insight by orders of
magnitude makes incident responders much more productive.
The Blue Coat Security Analytics architecture scales better than any
comparable architecture, primarily because it requires only a single
device for all operations, while the nearest competitor requires multiple
devices, such as a packet capture device and a separate device for
metadata.

In summary, Blue Coat Security Analytics offers the most efficient packet
capture appliances and the most advanced enterprise architecture in
the industry. The ability of each appliance to handle data rates of 10Gbps
with only a single appliance and a high-performance storage subsystem
gives Blue Coat Security Analytics a clear technology advantage as a
solution to meet the increasingly demanding requirements of advanced
threat detection, protection and mitigation.

[Figure 7 diagram (typical deployment): Users, Application Servers and Mobile Devices feed a TAP/SPAN into the Security Analytics Sensor (with Optional Storage); over the Management Network the Security Analytics Dashboard offers Reports, Alerts, Artifact Timeline, Root Cause Explorer, Threat Analysis, PCAP Import, Comparative Reporting, Reputation Services, and more]

Figure 7: Typical Deployment Of Security Analytics Solution


Blue Coat Systems Inc.


www.bluecoat.com
Corporate Headquarters
Sunnyvale, CA
+1.408.220.2200

2014 Blue Coat Systems, Inc. All rights reserved. Blue Coat, the Blue
Coat logos, ProxySG, PacketShaper, CacheFlow, IntelligenceCenter,
CacheEOS, CachePulse, Crossbeam, K9, the K9 logo, DRTR, Mach5,
Packetwise, Policycenter, ProxyAV, ProxyClient, SGOS, WebPulse,
Solera Networks, the Solera Networks logos, DeepSee, See Everything.
Know Everything., Security Empowers Business, and BlueTouch are
registered trademarks or trademarks of Blue Coat Systems, Inc. or its
affiliates in the U.S. and certain other countries. This list may not be
complete, and the absence of a trademark from this list does not mean it
is not a trademark of Blue Coat or that Blue Coat has stopped using the
trademark. All other trademarks mentioned in this document owned by
third parties are the property of their respective owners. This document is
for informational purposes only. Blue Coat makes no warranties, express,
implied, or statutory, as to the information in this document. Blue Coat
products, technical services, and any other technical data referenced
in this document are subject to U.S. export control and sanctions laws,
regulations and requirements, and may be subject to export or import
regulations in other countries. You agree to comply strictly with these
laws, regulations and requirements, and acknowledge that you have the
responsibility to obtain any licenses, permits or other approvals that may
be required in order to export, re-export, transfer in country or import after
delivery to you.
v.WP-SECURITY-ANALYTICS-FOR-SOC2.0-EN-v1e-0914

EMEA Headquarters
Hampshire, UK
+44.1252.554600
APAC Headquarters
Singapore
+65.6826.7000