Advanced Threat Protection - Sandboxing 101
DESCRIPTION
Advanced Threat Protection Solution Lifecycle Defense
TRANSCRIPT
Page 1
Copyright © 2013 Blue Coat Systems Inc. All Rights Reserved. Blue Coat Confidential – Internal Use Only
ADVANCED THREAT PROTECTION
SANDBOXING 101
KEVIN FLYNN
PRODUCT MARKETING
OCTOBER, 2013
Page 2
ADVANCED THREAT PROTECTION SOLUTION
LIFECYCLE DEFENSE
The Blue Coat ATP solution delivers the industry's most comprehensive protection through the following:
1) Lifecycle Defense: Protection that maps to three threat stages: Real-time blocking for known threats and malware sources (malnets); Advanced threat analysis for unknown threats; and Dwell time reduction for latent threats
2) Adaptive Malware Analysis: Dynamic APT protection that analyzes unknown threats and shares information with other systems in the security infrastructure to increase protection efficiency for unknown and latent threats
3) Network Effect: APT information sharing between 75M users in 15,000 organizations through a feedback loop into the Blue Coat Global Intelligence Network
Stage 1: Block & Enforce All Known Threats
Stage 2: Detect & Analyze Unknown Threats
Stage 3: Resolve & Remediate Threats Discovered on the Network
Global Intelligence Network
Page 3
WHY SANDBOXING? DETECTING & ANALYZING UNKNOWN THREATS
Traditional network defenses are great at dealing with known threats and terrible at dealing with unknown threats
Unknown threats require dynamic analysis (aka detonation) in a virtual-machine, bare-metal, or emulation sandbox
Tight integration is necessary between the sandbox and your web gateway
Page 4
Hybrid Analysis – Unmatched intelligence
• SandBox emulation
• IntelliVM virtualization
Behavioral Patterns – Expose targeted attacks
• Detection patterns
• Open source patterns
• Custom patterns
Plug-in Architecture – Extend detection and processing
• Interact with running malware
• Click-through dialogs and installers
BLUECOAT SANDBOX MALWARE ANALYSIS APPLIANCE
CORE TECHNOLOGY

| SandBox | IntelliVM |
| --- | --- |
| Software x86 emulator | Full Windows XP or Win 7 licensed software |
| Hardware emulation | Hardware virtualization |
| Generates numerous low-level events – page faults, exceptions, etc. | Generates high-level events – file, registry, network, process, etc. |
| Emulated network access and services | Real network access and services |
| Hook-based event introspection | KernelScout filter driver captures low-level events |
| Add your own patterns | Add your own patterns |
| Supports EXEs and DLLs | Wide range of file support |
| Portable executable memory dumps | Extend processing with plugins |
Page 5
INTELLIVM PROFILES AND PLUGINS
BEHAVIORAL DETECTION PATTERNS
Generic and malware campaign specific patterns
• Trojan, spyware, worm, ransomware
Extensive pattern library
• Core patterns (incl. WebPulse info)
• Create your own patterns
• All matching patterns will trigger
• Global and user-specific patterns
Risk scoring
• Set by highest matched pattern
• Scores update with new patterns
• Script notification triggers for further action
Patterns can detect targeted and single-use malware, and do not rely on signature-based detection methodologies.
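The slides state the scoring rules (every matching pattern triggers, the risk score is set by the highest matched pattern, a notification fires for further action) without showing them in operation. The following added example, which is not the appliance's code or its pattern language, applies those rules to a constructed trace of high-level file, registry, network and process events of the kind the IntelliVM slide lists. Pattern names, scores, the event schema and the threshold are all assumptions made for the illustration.

```python
from dataclasses import dataclass
from typing import Callable

Event = dict                        # one high-level sandbox event (constructed schema)
Predicate = Callable[[Event], bool]
RUN_KEY = "HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run"


@dataclass
class Pattern:
    name: str
    score: int                      # risk score carried by this pattern (assumed scale)
    predicates: list                # each predicate must hit at least one event

    def matches(self, trace: list) -> bool:
        return all(any(p(e) for e in trace) for p in self.predicates)


def ev(kind: str, **attrs) -> Predicate:
    """Predicate: the event has this kind and every listed attribute value."""
    return lambda e: e.get("kind") == kind and all(
        e.get(k) == v for k, v in attrs.items())


# Constructed, generic behavioral patterns; names and scores are hypothetical.
PATTERNS = [
    Pattern("autorun_persistence", 6, [ev("registry", op="set", key=RUN_KEY)]),
    Pattern("beacon_after_drop", 8,
            [ev("file", op="write", ext=".exe"), ev("network", op="connect")]),
    Pattern("spawns_child_process", 2, [ev("process", op="create")]),
]


def score_trace(trace: list, threshold: int = 5):
    """All matching patterns trigger; the task's risk score is the highest
    matched score; the last value is True when a notification hook would run."""
    matched = [p for p in PATTERNS if p.matches(trace)]
    risk = max((p.score for p in matched), default=0)
    return risk, [p.name for p in matched], risk >= threshold


# Constructed event trace standing in for one sandbox run.
TRACE = [
    {"kind": "file", "op": "write", "path": "C:\\Users\\u\\svc.exe", "ext": ".exe"},
    {"kind": "registry", "op": "set", "key": RUN_KEY, "value": "C:\\Users\\u\\svc.exe"},
    {"kind": "process", "op": "create", "image": "svc.exe"},
    {"kind": "network", "op": "connect", "dst": "203.0.113.7:443"},
]

if __name__ == "__main__":
    # -> (8, ['autorun_persistence', 'beacon_after_drop', 'spawns_child_process'], True)
    print(score_trace(TRACE))
```

Adding a new pattern to PATTERNS re-scores the same trace on the next call, which is the "scores update with new patterns" behaviour the slide describes.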
Page 6
MALWARE APPLIANCE
KEY FEATURES
Malware Appliance
Enterprise Scalability
– Approximately 50,000 analysis tasks per day per appliance
– Automated bulk sample processing and risk scoring
– Parallel processing on up to 40 virtual machines per appliance
Hybrid Analysis – Superior threat dual-detection methodology using SandBox and VM
IntelliVMs – Replicate actual production environments including custom applications
Plugins – Interact with malware, click through installers, extend custom processing
Best-in-class full-featured Web-UI, Analysis Desktop, searching and data mining
Open Patterns – Detection criteria are never hidden; users can add custom patterns
Powerful RESTful API – Full programmatic access for integration and automation
Pub-Sub API – Secure notifications of analysis task status and task completion
Remote management, security, and health status monitoring eases deployment
Page 7
BLOCKING, DETECTION & ANALYSIS
ProxySG + CAS + Malware Analysis Appliance (Sandbox)
Components: ProxySG, Content Analysis System, Malware Analysis System
Page 8
WWW.BLUECOAT.COM