Revolutionizing Advanced Threat Protection: a New, Modern Approach
Christopher Williams, CISSP, Sr Systems Engineer
Agenda: threat landscape; advanced threats; countermeasures
Today's Advanced Threat Landscape (modern threats and actors)
• Threats: targeted attacks, advanced malware, APTs, zero-day threats, data theft, DDoS, ransom and fraud, insider threats
• Actors: nation states, cybercriminals, hacktivists, insiders
Today's Security Gap
• Existing controls: SIEM, IPS, web gateway, next-gen firewall, email security, URL filtering, anti-spam, host firewall, DLP, encryption, VPN, NAC (covering confidentiality, integrity and availability)
• Missing: visibility, context, advanced threat protection
Advanced Persistent Threats
Advanced: improved, sophisticated threats (smarter, faster, stronger). Techniques seen in advanced malware:
• Rootkits
• Virtual machine detection and line-by-line debugger detection (to evade sandboxes and analysts)
• Fuzzing, reverse engineering and code auditing of the target
• Rewrites the hosts file
• Multi-packed, one-time, encrypted payloads
Persistent: time and the window of opportunity (share of incidents by time span, as charted on the slide)
                 Initial attack to compromise    Initial compromise to discovery
  Seconds        11%                             not shown
  Minutes        13%                             1%
  Hours          60%                             9%
  Days           11%                             13%
  Weeks          2%                              12%
  Months         1%                              62%
  Years          not shown                       4%
84% of compromises take hours or less (seconds + minutes + hours); 78% of discoveries take weeks, months or years.
Proof of the problem: breaches go undetected for five months (Ponemon Institute report). Only 28% of breaches are detected with forensic tools; 15% are reported by law enforcement; 9% are discovered accidentally.
Threats: stealthy and undetectable. Threats we can't see: 20-70% of traffic is encrypted, and the majority of APTs operate over SSL, so any control that does not decrypt is blind to them.
Post-prevention security gap
• Signature-based defense-in-depth tools (NGFW, IDS/IPS, host AV, web gateway, SIEM, email gateway, DLP, web application firewall) handle traditional, known threats: known malware, known files, known IPs/URLs.
• Advanced threats (novel malware, zero-day threats, targeted attacks, modern TTPs) from threat actors such as nation states, cybercriminals, hacktivists and insiders call for advanced threat protection: content detection and analysis, analytics, context, visibility and intelligence.
Mapping the Adaptive Protection Process to the LifeCycleof an Attack Source: Gartner (February 2014)
Advanced Threat Protection: Blue Coat Lifecycle Defense, fed by the Global Intelligence Network
1. Ongoing operations: Detect & Protect. Block all known threats; escalate unknown events to stage 2.
2. Incident containment: Analyze & Mitigate. Interpret novel threats; escalate retrospectively to stage 3.
3. Incident resolution: Investigate & Remediate Breach. Threat profiling and eradication; fortify and operationalize the findings back into stage 1.
Stage 1: Detect & Protect. Block all known threats: proactive threat prevention across all users, networks and devices.
• Accurate web filtering and categorization
• Identify and block malnets
• Robust application and policy controls
Stage 1 architecture: the ProxySG, with Application Whitelisting and the Blue Coat Global Intelligence Network, sits between users and the Internet and handles encrypted and unencrypted user traffic.
Stage 1: Detect & Protect. Policy-based SSL visibility: full visibility into encrypted traffic and threats.
• Granular policy management (policy decides which flows are decrypted)
• Feed multiple security systems
• Industry-leading performance
Stage 1 architecture, continued: the ProxySG sends a copy of decrypted traffic over secure ICAP to a DLP solution and to forensics / compliance / IDS tools.
Enhances existing customer security solutions. Decrypt once, feed many: between network in and network out the decrypted stream is handed inline to IPS, XPS and malware inspection, and a copy goes to forensics / compliance / IDS.
Stage 1 architecture, continued: the SSL Visibility Appliance, alongside the ProxySG, decrypts once and provides inline decrypted traffic to IPS, XPS and malware inspection, plus a copy of decrypted traffic to forensics / compliance / IDS.
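The "granular policy" behind policy-based SSL visibility is a per-flow decision: decrypt, bypass, or block, and for decrypted flows, which tools receive the copy. The block below is an added example written for this page, not Blue Coat code or ProxySG policy syntax. The category table, the privacy-exempt categories, the pinned-host list, the group names and the consumer names are all constructed assumptions; the shape of the decision (privacy exemptions and certificate-pinned hosts bypass, everything else is decrypted once and fanned out, uncategorized or SNI-less flows additionally go to malware analysis) is what a practitioner would want a decrypt policy to express.

```python
# Added example (not Blue Coat code): decision logic for policy-based TLS
# interception. Which flows to decrypt, which to leave alone, and which
# inspection tools receive the decrypted copy ("decrypt once, feed many").
# Category data, group names, pinned hosts and consumer names are constructed.
from dataclasses import dataclass

# Constructed stand-in for a URL-categorization feed (domain -> category).
CATEGORIES = {
    "bank.example": "Financial Services",
    "clinic.example": "Health",
    "updates.vendor.example": "Software Updates",
    "share.example": "File Sharing",
}

# Categories exempted from decryption for privacy / regulatory reasons.
PRIVACY_EXEMPT = {"Financial Services", "Health"}
# Hosts that pin their certificates: interception breaks them, so bypass.
PINNED = {"updates.vendor.example"}
# Tools that consume a passive decrypted copy.
PASSIVE_CONSUMERS = ["ids", "forensics", "dlp"]


@dataclass
class Flow:
    sni: str          # server name from the ClientHello ("" if absent)
    user_group: str   # e.g. "staff", "guest" (constructed group names)
    dst_port: int = 443


def lookup_category(host: str) -> str:
    """Walk parent domains so www.bank.example matches bank.example."""
    labels = host.lower().split(".")
    for i in range(len(labels) - 1):
        cat = CATEGORIES.get(".".join(labels[i:]))
        if cat:
            return cat
    return "Uncategorized"


def tls_policy(flow: Flow) -> tuple[str, list[str]]:
    """Return (action, consumers).

    action is 'block', 'bypass' or 'decrypt'; consumers lists the inspection
    tools that receive the decrypted copy (empty unless decrypting).
    """
    category = lookup_category(flow.sni) if flow.sni else "Uncategorized"

    # Guests get no file-sharing access at all; nothing to decrypt.
    if flow.user_group == "guest" and category == "File Sharing":
        return "block", []
    # Privacy exemptions come before any inspection decision.
    if category in PRIVACY_EXEMPT:
        return "bypass", []
    # Pinned hosts would fail the handshake if intercepted; bypass them.
    if any(flow.sni == h or flow.sni.endswith("." + h) for h in PINNED):
        return "bypass", []
    # Everything else is decrypted once and fanned out. Uncategorized or
    # SNI-less destinations are the likeliest place for command-and-control,
    # so they also go to the malware-analysis path, not just the passive copy.
    consumers = list(PASSIVE_CONSUMERS)
    if category == "Uncategorized":
        consumers.append("malware_analysis")
    return "decrypt", consumers


def apply_policy(flows: list[Flow]) -> dict[str, int]:
    """Count actions over a batch of flows; useful for sizing the decrypt load."""
    counts = {"block": 0, "bypass": 0, "decrypt": 0}
    for f in flows:
        action, _ = tls_policy(f)
        counts[action] += 1
    return counts


if __name__ == "__main__":
    sample = [  # constructed flows
        Flow("www.bank.example", "staff"),
        Flow("updates.vendor.example", "staff"),
        Flow("share.example", "guest"),
        Flow("", "staff"),
        Flow("news.example", "staff"),
    ]
    for f in sample:
        print(f.sni or "<no SNI>", f.user_group, "->", tls_policy(f))
    print(apply_policy(sample))
```

Two choices deserve a note. A flow with no SNI cannot be categorized, and silently bypassing it would create exactly the blind spot the slide warns about, so the example decrypts it and sends it for analysis. Pinned hosts are bypassed rather than decrypted because a man-in-the-middle certificate, however trusted by the endpoint, does not match the pin and the client will abort the handshake; those bypassed flows should still be logged so the exemption list stays reviewable.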
Stage 1: Detect & Protect. Advanced AV/malware inspection: block known threats and analyze the unknown for advanced threat protection at the perimeter.
• Increased malware analysis and blocking
• Higher detection accuracy
• Sandboxing optimization (only what the earlier layers could not decide is sent to the sandbox)
Stage 1 architecture, continued: the Content Analysis System sits behind the ProxySG and SSL Visibility Appliance and combines application whitelisting, malware signature databases and a sandbox (the Blue Coat sandbox or a non-Blue Coat sandbox) for higher detection accuracy and increased malware analysis and blocking.
Stage 2: Analyze & Mitigate. Contain and analyze the unknown: quickly analyze and prioritize advanced and zero-day threats for remediation and continuous security improvement.
• Dual-detection hybrid analysis of suspicious samples: PC emulator plus virtual machine
• Closely replicates the customer's gold configurations (so a sample behaves as it would on a real endpoint, and VM-aware malware has less to detect)
• Automated risk scoring and rich analysis
Intelligent defense in depth
  Block known web threats     ProxySG                                               Block all known sources, malnets and threats before they are on the network
  Allow known good            Content Analysis System with Application Whitelisting  Free up resources to focus on advanced threat analysis
  Block known bad downloads   Content Analysis System with Malware Scanning          Reduce threats for incident containment and resolution
  Analyze unknown threats     Malware Analysis Appliance                             Discover new threats and then update your gateways
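The four rows above are one ordered decision: cheapest, most certain checks first, the sandbox last, and the sandbox verdict fed back so the gateway blocks the same file at a cheaper layer next time. The following block is an added example written for this page, not Blue Coat code; it models the flow with a malnet domain list, a known-good hash set, a known-bad hash set and a simulated sandbox. The domains, file bodies and the sandbox verdict rule are constructed.

```python
# Added example (not Blue Coat code): the four-layer decision flow of the
# "intelligent defense in depth" table, over constructed inputs. The sandbox
# is simulated by a content-marker rule rather than real detonation.
import hashlib
from dataclasses import dataclass
from typing import Callable


@dataclass
class Download:
    url: str
    body: bytes

    @property
    def sha256(self) -> str:
        return hashlib.sha256(self.body).hexdigest()


class Gateway:
    """Layer 1: known-bad sources. Layer 2: known-good hashes.
    Layer 3: known-bad hashes. Layer 4: sandbox for whatever is left."""

    def __init__(self, malnet_domains: set[str], sandbox: Callable[[bytes], str]):
        self.malnet_domains = set(malnet_domains)
        self.known_good: set[str] = set()
        self.known_bad: set[str] = set()
        self.sandbox = sandbox

    @staticmethod
    def host_of(url: str) -> str:
        return url.split("//", 1)[-1].split("/", 1)[0].lower()

    def whitelist(self, body: bytes) -> None:
        """Register a known-good file by hash (constructed stand-in for app whitelisting)."""
        self.known_good.add(hashlib.sha256(body).hexdigest())

    def inspect(self, d: Download) -> tuple[str, str]:
        """Return (layer_that_decided, verdict) for one download."""
        if self.host_of(d.url) in self.malnet_domains:
            return "proxy", "block"          # layer 1: block known-bad source
        h = d.sha256
        if h in self.known_good:
            return "whitelist", "allow"      # layer 2: skip scanning known-good
        if h in self.known_bad:
            return "av", "block"             # layer 3: known-bad file
        # Layer 4: unknown. Detonate, then fold the verdict back into the
        # known-bad set so the next copy is stopped at layer 3 without a sandbox run.
        verdict = self.sandbox(d.body)
        if verdict == "malicious":
            self.known_bad.add(h)
            return "sandbox", "block"
        return "sandbox", "allow"


# --- constructed sample data ---
GOOD_INSTALLER = b"MZ\x90\x00 signed corporate installer (constructed)"
NEW_DROPPER = b"MZ\x90\x00 never-seen-before dropper (constructed)"
HARMLESS_PDF = b"%PDF-1.4 quarterly report (constructed)"


def fake_sandbox(body: bytes) -> str:
    """Stand-in for the malware analysis appliance: verdict by a content marker."""
    return "malicious" if b"dropper" in body else "clean"


def run_demo() -> list[tuple[str, str]]:
    gw = Gateway(malnet_domains={"cnc.malnet.example"}, sandbox=fake_sandbox)
    gw.whitelist(GOOD_INSTALLER)
    results = []
    for d in [
        Download("http://cnc.malnet.example/x.exe", NEW_DROPPER),   # known-bad source
        Download("http://files.example/setup.exe", GOOD_INSTALLER), # whitelisted
        Download("http://files.example/report.pdf", HARMLESS_PDF),  # unknown, clean
        Download("http://cdn.example/update.exe", NEW_DROPPER),     # unknown, malicious
        Download("http://mirror.example/update.exe", NEW_DROPPER),  # now known-bad
    ]:
        results.append(gw.inspect(d))
    return results


if __name__ == "__main__":
    for layer, verdict in run_demo():
        print(f"{layer:10s} {verdict}")
```

The last two downloads are the point of the feedback loop: the same dropper costs one sandbox run the first time and is blocked by the hash layer the second time, from a different mirror. Note that whitelisting by file hash, as modelled here, only covers exact copies; a whitelist keyed on code-signing identity would be the usual production choice, and a whitelisted hash should never outrank a later malicious verdict for the same bytes.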
Stage 3: Investigate & Remediate. Security Analytics, the security camera for your network:
• Full security visibility of all network traffic
• Forensic details before, during and after an alert
• Reduce time-to-resolution and breach impact
Security camera for your network: forensic details before, during and after an alert
• Know what happened before, during and after an alert, with complete, clear supporting evidence
• Multiple sources for real-time integrity and reputation of a URL, IP address, file hash or email address
• Trace back and discover tactics, techniques and procedures, and identify indicators of compromise
• Integrated workflows with leading network security tools to add context and improve effectiveness
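"Before, during and after an alert" combined with the lifecycle's retrospective escalation comes down to one query: when a sandbox verdict arrives for a file that was already delivered, find every earlier delivery in the stored traffic records, the hosts that received it, and how long they were exposed. The block below is an added example written for this page, not Blue Coat code or the Security Analytics Platform's query language. The record layout is an assumed, simplified proxy log, and every timestamp, address, host and file identifier in it is constructed.

```python
# Added example (not Blue Coat code): retrospective escalation over stored
# proxy records. A late "malicious" verdict for a file identifier is turned
# into the list of hosts to contain, the download sources to block, the
# exposure window, and a per-host timeline around the event.
from datetime import datetime, timedelta

# Constructed proxy records: timestamp, client IP, destination host, path,
# and an identifier for the delivered file (stands in for its sha256).
PROXY_LOG = """\
2014-03-03T09:12:04Z 10.1.4.22  cdn.example    /update.exe  sha_update_v1
2014-03-03T09:40:11Z 10.1.4.57  cdn.example    /update.exe  sha_update_v1
2014-03-03T10:05:39Z 10.1.4.22  news.example   /index.html  sha_news_page
2014-03-04T14:18:02Z 10.1.7.101 mirror.example /update.exe  sha_update_v1
2014-03-05T08:00:27Z 10.1.4.57  cdn.example    /update.exe  sha_update_v2
"""


def parse_ts(s: str) -> datetime:
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ")


def parse_log(text: str) -> list[dict]:
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, client, host, path, sha = line.split()
        records.append({"ts": parse_ts(ts), "client": client,
                        "host": host, "path": path, "sha256": sha})
    return records


def retrospective_escalation(records, sha256, verdict_time):
    """Late 'malicious' verdict for sha256 at verdict_time: every earlier
    delivery of that file, the hosts that received it, the sources it came
    from, and the exposure window (first delivery to verdict)."""
    hits = sorted((r for r in records
                   if r["sha256"] == sha256 and r["ts"] <= verdict_time),
                  key=lambda r: r["ts"])
    if not hits:
        return {"hosts": [], "sources": [], "first_seen": None, "exposure": None}
    first = hits[0]["ts"]
    return {
        "hosts": sorted({r["client"] for r in hits}),
        "sources": sorted({r["host"] + r["path"] for r in hits}),
        "first_seen": first,
        "exposure": verdict_time - first,
    }


def timeline(records, client, center, hours=2):
    """Everything one client did within +/- hours of a point in time:
    the 'before, during and after' view for that host."""
    window = timedelta(hours=hours)
    return [r for r in records
            if r["client"] == client and abs(r["ts"] - center) <= window]


if __name__ == "__main__":
    recs = parse_log(PROXY_LOG)
    verdict_at = parse_ts("2014-03-05T12:00:00Z")   # sandbox verdict arrives late
    esc = retrospective_escalation(recs, "sha_update_v1", verdict_at)
    print("contain:", esc["hosts"], "block:", esc["sources"],
          "exposure:", esc["exposure"])
    for host in esc["hosts"]:
        for r in timeline(recs, host, esc["first_seen"]):
            print(host, r["ts"], r["host"] + r["path"])
```

The exposure figure is the detection gap of the "persistent" slide measured for one incident: here the first delivery precedes the verdict by just over two days, and the third host received the file from a different mirror, which is why the escalation keys on the file identifier rather than on the original URL. The timeline view is what turns a contain list into an investigation: the records for each host in the window around first delivery are the "before and after" evidence the analyst starts from.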
Stage 3 architecture: the Security Analytics Platform records the traffic passing the ProxySG, the SSL Visibility Appliance and the Content Analysis System with the Blue Coat sandbox, giving the security camera view across the whole stack.
Global Intelligence Network: effective advanced threat protection from a central cloud database
• Community-based: over 75 million users; over 1 billion web requests categorized daily; 84+ categories; 55 languages
• Real-time, cloud-based: dynamic real-time rating, zero-day response, performance and scalability
• Inputs: anti-virus scanning, malware experts, malware detection, sandboxing, third-party feeds, quality checks
• Blocks over 3.3 million threats per day
More on Advanced Threat Protection (Blue Coat exclusive): get your copy at bluecoat.com/atplifecycle
Thank You! Christopher Williams chris.williams@bluecoat.com http://www.linkedin.com/in/christopherswilliams/