
Slide 1

1 Copyright 2013 Blue Coat Systems Inc. All Rights Reserved. Blue Coat Confidential For Internal and Official Channel Partner Use Only
SECURITY ANALYTICS
PLATFORM
REFERENCE
ARCHITECTURE




Slide 2

SECURITY ANALYTICS PLATFORM:
FUNCTIONS
Functions diagram (four stages and their components):
Data - Full Packet Capture; Layer 2-7 Indexing / Classification; Patented Database; Full Session Reconstruction
Enrich - ThreatBLADES (Web, Mail, File); Malware Analysis; Pattern Matching; Anomaly Detection; White/Black Lists; Integrated Workflow; Global Intelligence Network
Analyze - Visual Insight; Advanced Reporting; Statistical Analysis (Roadmap)
Action - Alerts and Logging; Detect and Block; File Brokering; Feedback Loop
Last Updated: 20.12.2013

Data - The process of capturing, indexing, storing and extracting files and sessions
Full Packet Capture - All traffic is recorded from a monitoring point
Layer 2-7 Index and Classification - Packets are passed through the DPI engine as they arrive for classification and metadata extraction
Patented Database - Data warehousing of all captured traffic; it is stored to disk in a highly optimized format
Full Session Reconstruction - Complete session reconstruction, including emails, IM and web transactions

Enrich - Taking extracted data and determining what is known about artifacts, both good and bad
Web, Mail, File ThreatBLADES - Threat intelligence on IPs/URLs, files and emails; suspicious files crossing all major transport protocols are forwarded to a Blue Coat or third-party sandbox
Malware Analysis - Known-virus lookups, plus hand-off of potentially bad content in HTTP, SMTP and FTP to the MAA for 0-day malware analysis
Pattern Matching, Anomaly Detection, White/Black Lists - Using known malware signatures, inspecting traffic for deviations from expected protocol behaviour, and using white and black lists for files, IP addresses and domains to analyze potential threats
Integrated Workflow - Direct pivoting from IPS, Sandbox and NGFW events into the platform for full enrichment of security events
Global Intelligence Network - The Blue Coat GIN, continuously updated with the network effect of 75M users, for identifying known malware, bad domains or suspicious IP addresses

Analyze - Using the UI to view reports and visualize the data
Visual Insight - Graphs, charts and lists that present data by user-defined criteria
Advanced Reporting - Detailed reports over many of the protocols and metadata; can be run on demand or automated
Statistical Analysis - Visual statistics and baseline comparisons (Roadmap)

Action - Post-processing of data: alert, block and inform
Alerts and Logging - The UI can show alerts, emails can be sent, or syslog/CEF events can be sent to a SIEM
Detect and Block - Detected threats can be shared with the Global Intelligence Network to update other Blue Coat devices to block this traffic
File Brokering - The SA device can be configured to broker files using real-time file extraction
Feedback Loop - Information sent out and shared can in turn be digested by the system for proactive defense measures




Slide 3

SECURITY ANALYTICS PLATFORM:
DATA & WORKFLOW
Data & workflow diagram: Capture / Classify -> Enrich (Standard Threat Intelligence, ThreatBLADES) -> Detect & Analyze -> Alert / Report / Update (Email Alerts; SYSLOG / CEF / LEEF). Surrounding components: Internet, SSL Visibility Appliance, ProxySG, Global Intelligence Network, Web / Mail / File ThreatBLADES, Malware Analysis Appliance*, Content Analysis, Security Analytics Platform, Third-Party Sandbox, and the Integrated Ecosystem (NGFW, IPS, SIEM & Third Party Sandbox).
* The same Malware Analysis Appliance is used by both CAS and the Security Analytics Platform

Internet - Packets for analysis are generated from a source; the diagram shows the internet, but really any area within a network that can provide a SPAN/TAP port can be monitored
ProxySG - This is the main blocking device in the Blue Coat product portfolio and is used in ATP for blocking as well as for web security
SSL Visibility - SSL decryption is key to getting all packets to the Security Analytics Platform so it can perform L2-L7 analysis and provide threat intelligence on all the traffic
Classify/Index/Store - As packets arrive they are run through the DPI engine. This process indexes the traffic, classifies it, and stores it appropriately on the file system
Enrich - Enriching traffic allows metadata and artifacts to be run through the rules defined on the system. These rules either perform matching based on metadata attributes or hand the artifacts off for data enrichment to do further analysis on the traffic and artifacts. While there are many different types of enrichment, they mainly fall under 2 categories:
Standard Threat Intelligence - The default analytics use open source and 3rd party integrations. Part of this enrichment includes running file hashes against VirusTotal, checking against Bit9's white list, and querying SANS ISC threat information
ThreatBLADES - Additional licensed component to examine traffic against web threats, email threats, file threats or zero-day malware analysis, with further blades to come
Detect and Analyze - This process refers to the analysis on the system, both automated and manual. The analytics refers to using the UI to search through traffic, looking at dashboards and reports, running manual threat analysis, and using the root cause feature to trace back events. Detect and analyze is also used to provide complete incident resolution. Detection also includes creating standard and custom favorites, which are used in security policies and rules
Report/Alert/Update - Based on information generally determined during the enrichment phase, alerts are generated by the system. These alerts are displayed locally in the UI, but they can also be sent via syslog/CEF/LEEF to a SIEM or other log management device. Alerts can also be emailed. Reports can be sent out based on the general traffic information contained under the reporting tab. The system updates its own analytics engine based on results, and the information can be sent as an update to WebPulse as well

Global Intelligence Network - Cloud portal containing threat information and information shared and read by users. This information is used in the ThreatBLADES and, based on detection within a Solera system, may be shared with the global community.
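The notes above describe two steps without showing what they look like in practice: the Enrich stage matching extracted artifacts (file hashes, IP addresses, domains) against white and black lists, and the Report/Alert stage forwarding the resulting alerts as CEF over syslog to a SIEM. The following is an added example, not Blue Coat code and not the platform's own rule engine: it applies constructed white/black lists to a constructed session record and emits one CEF:0 line per blacklist hit, with a small parser that shows what a SIEM receiver would actually see once CEF escaping is applied. The vendor/product strings, the list contents and the session fields are all assumptions made for the example.

```python
import re

# Constructed sample lists; the values are placeholders (RFC 5737 test
# ranges, .example domains, made-up hashes), not real indicators.
BLACKLIST = {
    "sha256": {"deadbeef" * 8},
    "ip": {"198.51.100.23"},
    "domain": {"malicious.example"},
}
WHITELIST = {
    "sha256": {"cafef00d" * 8},        # e.g. a known-good installer hash
    "ip": {"192.0.2.10"},              # e.g. an internal update server
    "domain": {"updates.example"},
}
SEVERITY = {"sha256": 9, "ip": 7, "domain": 6}   # CEF severity scale is 0-10

# Constructed sample session, as the DPI/extraction stage would hand it over
SAMPLE_SESSION = {
    "rt": "1387540800000",             # epoch milliseconds (20.12.2013)
    "src_ip": "10.0.0.5",
    "dst_ip": "198.51.100.23",
    "host": "malicious.example",
    "file_sha256": "cafef00d" * 8,
}


def classify(artifact_type, value):
    """Return 'blacklisted', 'whitelisted' or 'unknown'. A blacklist hit wins
    over a whitelist entry so a stale allow-list cannot silence an alert."""
    if value in BLACKLIST.get(artifact_type, ()):
        return "blacklisted"
    if value in WHITELIST.get(artifact_type, ()):
        return "whitelisted"
    return "unknown"


def cef_escape(value, header=False):
    """CEF escaping: header fields escape '|' and '\\'; extension values
    escape '=' and '\\' and fold newlines so one event stays on one line."""
    s = str(value).replace("\\", "\\\\")
    if header:
        return s.replace("|", "\\|")
    return s.replace("=", "\\=").replace("\r", " ").replace("\n", " ")


def build_cef(signature_id, name, severity, extensions):
    """Assemble one CEF:0 line. Vendor, product and version are assumed."""
    header = "|".join(cef_escape(f, header=True) for f in (
        "Example Vendor", "Example Analytics", "1.0",
        signature_id, name, severity))
    ext = " ".join(f"{k}={cef_escape(v)}" for k, v in extensions.items())
    return f"CEF:0|{header}|{ext}"


# key=value pairs; a value runs until the next " key=" or end of line
_EXT_RE = re.compile(r"(\w+)=((?:\\.|[^\\=])*?)(?= \w+=|$)")


def parse_cef(line):
    """Parse a CEF line into a dict, as a SIEM receiver would, honouring the
    escapes above (used here to check what actually reaches the SIEM)."""
    fields, cur, i = [], [], 0
    while i < len(line) and len(fields) < 7:       # seven '|'-separated header fields
        c = line[i]
        if c == "\\" and i + 1 < len(line):         # escaped '|' or '\' in a header field
            cur.append(line[i + 1])
            i += 2
            continue
        if c == "|":
            fields.append("".join(cur))
            cur = []
        else:
            cur.append(c)
        i += 1
    if len(fields) != 7 or not fields[0].startswith("CEF:"):
        raise ValueError("not a CEF line")
    ext = {k: re.sub(r"\\([=\\])", r"\1", v) for k, v in _EXT_RE.findall(line[i:])}
    keys = ("cef_version", "vendor", "product", "device_version",
            "signature_id", "name", "severity")
    return dict(zip(keys, fields), ext=ext)


def alerts_for_session(session):
    """Run white/black-list enrichment over a session's artifacts and return
    one CEF line per blacklist hit, ready for syslog forwarding to a SIEM."""
    lines = []
    for artifact_type, key in (("ip", "dst_ip"), ("domain", "host"),
                               ("sha256", "file_sha256")):
        value = session.get(key)
        if value is None or classify(artifact_type, value) != "blacklisted":
            continue
        extensions = {
            "rt": session.get("rt"),
            "src": session.get("src_ip"), "dst": session.get("dst_ip"),
            "dhost": session.get("host"), "fileHash": session.get("file_sha256"),
            "msg": f"{artifact_type}={value} matched blacklist",
        }
        lines.append(build_cef(f"blacklist-{artifact_type}",
                               f"Blacklisted {artifact_type} observed",
                               SEVERITY[artifact_type],
                               {k: v for k, v in extensions.items() if v}))
    return lines


if __name__ == "__main__":
    for line in alerts_for_session(SAMPLE_SESSION):
        print(line)
```

Running the block prints two alerts for the sample session (the destination IP and the host are blacklisted; the file hash is whitelisted and produces none). The escaping matters for the SIEM side: a pipe in an alert name or an equals sign in a message would otherwise shift every later field, which is why the example parses its own output before anyone would trust a correlation rule built on it.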




Slide 4
SECURITY ANALYTICS PLATFORM:
TOPOLOGY
Topology diagram: the Big Data Security Analytics Platform comprises the Security Analytics Appliance, Security Analytics Virtual Appliance, Security Analytics Software on Certified Hardware, Storage, Security Analytics Central Manager and Blue Coat ThreatBLADES. It connects to the Global Intelligence Network, ProxySG (three shown), a Firewall, an SSL Visibility Appliance, a Content Analysis System, a Malware Analysis Appliance and a SIEM, with the Internet at the edge.

This network topology shows all the components of advanced threat protection deployed in an enterprise
network. The Security Analytics Platform is also deployed in the internal network, not just at the perimeter.



Slide 5

