WHITEPAPER
Security
Empowers
Business
[Figure 2: Blue Coat Security Analytics Delivers Real World Use Cases. Diagram labels recoverable from the page: Incident Resolution; Fortify & Rationalize Operations; Ongoing Operations; Investigate & Remediate Breach; Threat Profiling & Eradication; Global Intelligence Network; Incident Containment; Analyze & Mitigate Novel Threat; Interpretation. Surrounding use cases: IT Governance, Risk Management and Compliance; Web Traffic Monitoring and Analysis; Data Loss Monitoring and Analysis; Continuous Monitoring; Security Incident Response and Resolution; Advanced Malware Detection.]
[Figure: Security Analytics product family. Security Analytics Software; Security Analytics Appliances (comprehensive, pre-configured appliances, 2G and 10G); Security Analytics Central Manager (manages multiple appliances/VMs); Security Analytics Storage Modules.]
[Figure: Security Analytics Platform architecture. Central Management; Blue Coat ThreatBLADES: WebThreat (web protocol scanning and file extraction), FileThreat (file protocol scanning and file extraction), MailThreat (mail protocol scanning and file extraction); Security Analytics Platform layers: Full Packet Capture, L2-L7 Indexing, DPI/Classification, Scalable Storage.]
parsers that track state transitions to precisely classify flows and extract
rich metadata to present a complete context of flows for advanced
threat detection.
The Security Analytics Platform helps you visualize and analyze network
data and uncover specific network activity without requiring specific
knowledge of networking protocols and packet analysis methods. Its
powerful features let you locate and reconstruct specific communication
flows, as well as network and user activities, within seconds. The
platform does this by classifying captured network traffic packets and
identifying meaningful data flows. A flow is the collection of packets
that comprises a single communication between two specific network
entities. Within a particular data flow, you can then identify and examine
network artifacts such as image files, Word documents, emails, and
video, as well as executable files, HTML files, and more. The Security
Analytics Platform also allows you to reconstruct HTML pages, emails,
and instant messaging conversations.
The Security Analytics Platform also provides real-time, policy-based
artifact extraction and is not limited to any specific operating system
(OS) environment. Extracted artifacts can be automatically placed in
centralized network repositories for analysis by superior forensics tools
within the Security Analytics Platform. These artifacts are hashed and
stored for future retrospection: when a new malware variant is discovered,
its hash can be compared against the stored hashes to establish whether
related artifacts were already seen on the network.
The Security Analytics Platform can be deployed as dedicated hardware
appliances or virtual machines. They can even be deployed inside a
virtual network composed of intercommunicating virtual machines,
enabling them to expose their virtual traffic to external physical security
tools for analysis. The Central Manager facilitates federated queries on
hundreds of Security Analytics sensors to provide a 360-degree view of
activity across the entire enterprise network including perimeter, data
centers, and remote offices.
The virtual file system also provides the capability to instantiate
any-to-any relationships between all metadata (applications, filenames,
etc.) and quickly presents the full context of all activity surrounding a
given set of search criteria. Metadata and indices are always stored
on a separate disk array for performance reasons, and metadata can
generally be retained 3-5 times longer than packet data. By using the
available metadata, analysts can efficiently narrow their search
criteria and minimize the amount of packet data needed to perform
detailed incident response or artifact extraction.
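The two ideas above, hashed artifacts kept for retrospection and metadata that outlives the packets it describes, worked through as an added example (not Blue Coat's code). The retention values, network addresses and sample file are constructed; the point is that a hash found malicious weeks later still resolves to who downloaded it and when, and the analyst learns up front whether full packets can still be pulled for each hit.

```python
import hashlib
from dataclasses import dataclass, field

# Retention in seconds: metadata outlives packets (constructed 30 vs 7 days, ~4x).
PACKET_RETENTION_S = 7 * 86400
METADATA_RETENTION_S = 30 * 86400

@dataclass
class FlowRecord:
    """Indexed flow metadata; the packets themselves stay in the storage array."""
    ts: int            # capture time, epoch seconds
    src: str
    dst: str
    dport: int
    app: str           # application classification, e.g. "http"
    artifact_hashes: set = field(default_factory=set)

def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

class AnalyticsIndex:
    def __init__(self):
        self.flows = []

    def record_flow(self, ts, src, dst, dport, app, artifacts=()):
        """Index one flow and hash every artifact extracted from it."""
        self.flows.append(FlowRecord(ts, src, dst, dport, app,
                                     {sha256_hex(a) for a in artifacts}))

    def expire(self, now):
        """Drop metadata past its retention window."""
        self.flows = [f for f in self.flows if now - f.ts <= METADATA_RETENTION_S]

    def retrospect(self, now, bad_hash):
        """(flow, packets_still_available) for every indexed flow that carried bad_hash.
        Metadata answers who/when/where; the flag says if full packets can still be pulled."""
        return [(f, now - f.ts <= PACKET_RETENTION_S)
                for f in self.flows if bad_hash in f.artifact_hashes]

def demo():
    """Constructed scenario: a file seen on days -10, 0 and 20 is found malicious on day 22."""
    idx, day = AnalyticsIndex(), 86400
    sample = b"MZ\x90\x00 constructed sample executable"
    idx.record_flow(-10 * day, "10.0.0.3", "203.0.113.9", 80, "http", [sample])
    idx.record_flow(0, "10.0.0.5", "203.0.113.9", 80, "http", [sample])
    idx.record_flow(20 * day, "10.0.0.7", "203.0.113.9", 80, "http", [sample])
    idx.record_flow(21 * day, "10.0.0.8", "198.51.100.2", 443, "https", [b"benign.pdf"])
    now = 22 * day
    idx.expire(now)        # the day -10 flow (32 days old) ages out of the index
    return idx.retrospect(now, sha256_hex(sample))
```

The day 0 download is still answerable from metadata even though its packets have aged out, which is exactly the window the 3-5x retention ratio buys an investigation.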
[Figure: Security Analytics storage layout. Storage Array; Indexing Array; System Array (Security Analytics DB, Operating System).]
- Stores the full contents of the packet capture data in the DSFS system.
- Records the data reference and the metadata about each packet (size, IP addresses, ports, etc.).
- Builds an index of the data and metadata in each conversation (time, ports, URLs, login information, application ID, etc.) in the Security Analytics DB.
The combination of the patented packet capture file systems, multiple
indexes, application classification, metadata extraction, and the
underlying hardware components enables superior performance and
scalability.
Integration using the REST API for the Security Analytics Platform:
The Security Analytics Platform provides a REST API that allows packet
capture data to be described and retrieved through a simple HTTPS
request. This allows easy integration into other software platforms,
such as an IDS/IPS, firewall or SIEM. The Security Analytics Platform
also provides JSON data sources to start or stop captures and to retrieve
interface statistics, artifact extraction, capture status, capture
filters and reporting. The platform provides the freedom to integrate
current and future tools/equipment with an open architecture utilizing
industry-standard protocols.
with each link between a Managed Sensor and the Central Manager
having its own separate VPN connection operating within a common
VPN subnet. Communications over the VPN subnet are protected by
industry-standard SSL/TLS encryption using strong encryption keys. To
complete the connection between the Central Manager and Managed
Sensors, the Managed Sensor must be able to connect to the Central
Manager via HTTPS.
The Security Analytics Central Manager will support over 200 Security
Analytics Managed Sensors. The Central Managers are capable of
operating in an Active/Active clustered and decentralized configuration,
providing Continuity of Operations (COOP), with each Central Manager
maintaining the full state of the other in case of a failure condition. A
heartbeat method is implemented to verify the health and state of the CM.
Managed Sensors also utilize the cluster failover capability based on
heartbeat and response from the primary CM. Failover occurs within a
5-second window.
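The heartbeat-driven failover described above, as an added illustration that is not Blue Coat's code: a sensor-side monitor treats a Central Manager as healthy only while its most recent heartbeat falls inside the 5-second window, and moves to the next manager in priority order the moment the primary's window lapses. The manager names, the one-second heartbeat cadence and the once-per-second re-evaluation are constructed assumptions.

```python
FAILOVER_WINDOW_S = 5.0   # the whitepaper states failover completes within a 5-second window

class CentralManagerFailover:
    """Sensor-side view of a clustered Central Manager pair.

    Each CM sends periodic heartbeats. A CM counts as healthy while its last
    heartbeat is younger than FAILOVER_WINDOW_S; the sensor reports to the first
    healthy CM in priority order, so a silent primary hands over automatically."""

    def __init__(self, managers, window=FAILOVER_WINDOW_S):
        self.managers = list(managers)          # priority order, primary first
        self.window = window
        self.last_seen = {m: None for m in self.managers}
        self.events = []                        # (time, previous_active, new_active)
        self._active = None

    def heartbeat(self, manager, now):
        if manager not in self.last_seen:
            raise ValueError(f"unknown manager {manager!r}")
        self.last_seen[manager] = now

    def healthy(self, manager, now):
        seen = self.last_seen[manager]
        return seen is not None and now - seen < self.window

    def active(self, now):
        """Re-evaluate which CM the sensor should talk to at time `now`."""
        chosen = next((m for m in self.managers if self.healthy(m, now)), None)
        if chosen != self._active:              # record every handover for audit
            self.events.append((now, self._active, chosen))
            self._active = chosen
        return chosen

def simulate():
    """Constructed timeline: both CMs beat once a second; the primary goes silent after t=10."""
    fo = CentralManagerFailover(["cm-primary", "cm-secondary"])
    trace = []
    for t in range(0, 20):
        if t <= 10:
            fo.heartbeat("cm-primary", t)
        fo.heartbeat("cm-secondary", t)
        trace.append((t, fo.active(t)))
    return fo, trace
```

In the simulation the sensor stays on the primary through t=14 and is on the secondary at t=15, exactly five seconds after the last primary heartbeat; a secondary that had also gone quiet would leave `active()` returning None, which is the condition a sensor should alarm on rather than silently buffer.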
[Figure: Security Analytics Central Manager over a distributed network of Security Analytics Appliances, Security Analytics Software and Security Analytics Virtual Appliances; labelled capabilities: single point of management, central access, directed searches, aggregate searches, arbitrary groups and sub-groups.]
In summary, Blue Coat Security Analytics offers the most efficient packet
capture appliances and the most advanced enterprise architecture in
the industry. The ability for each appliance to handle data rates at 10GB,
with only a single appliance and a high-performance storage subsystem,
gives Blue Coat Security Analytics the clear technology advantage as a
solution to meet the increasingly demanding requirements of advanced
threat detection, protection and mitigation.
[Figure: Security Analytics deployment. Labels: Users, Application Servers, Mobile Devices, TAP/SPAN, Security Analytics Sensor, Optional Storage, Management Network, Security Analytics Dashboard (Reports, Alerts, Artifact Timeline, Comparative Reporting, Reputation Services, more...).]
2014 Blue Coat Systems, Inc. All rights reserved. Blue Coat, the Blue
Coat logos, ProxySG, PacketShaper, CacheFlow, IntelligenceCenter,
CacheEOS, CachePulse, Crossbeam, K9, the K9 logo, DRTR, Mach5,
Packetwise, Policycenter, ProxyAV, ProxyClient, SGOS, WebPulse,
Solera Networks, the Solera Networks logos, DeepSee, See Everything.
Know Everything., Security Empowers Business, and BlueTouch are
registered trademarks or trademarks of Blue Coat Systems, Inc. or its
affiliates in the U.S. and certain other countries. This list may not be
complete, and the absence of a trademark from this list does not mean it
is not a trademark of Blue Coat or that Blue Coat has stopped using the
trademark. All other trademarks mentioned in this document owned by
third parties are the property of their respective owners. This document is
for informational purposes only. Blue Coat makes no warranties, express,
implied, or statutory, as to the information in this document. Blue Coat
products, technical services, and any other technical data referenced
in this document are subject to U.S. export control and sanctions laws,
regulations and requirements, and may be subject to export or import
regulations in other countries. You agree to comply strictly with these
laws, regulations and requirements, and acknowledge that you have the
responsibility to obtain any licenses, permits or other approvals that may
be required in order to export, re-export, transfer in country or import after
delivery to you.
v.WP-SECURITY-ANALYTICS-FOR-SOC2.0-EN-v1e-0914
EMEA Headquarters
Hampshire, UK
+44.1252.554600
APAC Headquarters
Singapore
+65.6826.7000