Advanced Threat Protection - Sandboxing 101
Copyright © 2013 Blue Coat Systems Inc. All Rights Reserved. Blue Coat Confidential – Internal Use Only
ADVANCED THREAT PROTECTION
SANDBOXING 101
KEVIN FLYNN
PRODUCT MARKETING
OCTOBER, 2013
ADVANCED THREAT PROTECTION SOLUTION
LIFECYCLE DEFENSE
The Blue Coat ATP solution delivers the industry's most comprehensive protection through the following:
1) Lifecycle Defense: Protection that maps to three threat stages: real-time blocking for known threats and malware sources (malnets, the malware delivery networks tracked by Blue Coat); advanced threat analysis for unknown threats; and dwell time reduction for latent threats
2) Adaptive Malware Analysis: Dynamic APT protection that analyzes unknown threats and shares information with other systems in the security infrastructure to increase protection efficiency for unknown and latent threats
3) Network Effect: APT information sharing between 75M users in 15,000 organizations through a feedback loop into the Blue Coat Global Intelligence Network
Diagram: Stage 1, Block & Enforce (all known threats); Stage 2, Detect & Analyze (unknown threats); Stage 3, Resolve & Remediate (threats discovered on the network); all three stages exchange information with the Global Intelligence Network.
WHY SANDBOXING? DETECTING & ANALYZING UNKNOWN THREATS
Traditional network defenses are good at dealing with known threats and poor at dealing with unknown threats.
Unknown threats require dynamic analysis (also called detonation) in a sandbox, which may be a virtual machine, a bare-metal host, an emulator, or a combination of these.
Tight integration is necessary between the sandbox and the web gateway, so that sandbox verdicts can feed back into blocking.
BLUE COAT SANDBOX: MALWARE ANALYSIS APPLIANCE
CORE TECHNOLOGY
Hybrid Analysis (unmatched intelligence): SandBox emulation; IntelliVM virtualization
Behavioral Patterns (expose targeted attacks): detection patterns; open source patterns; custom patterns
Plug-in Architecture (extend detection and processing): interact with running malware; click through dialogs and installers

SandBox                                                              | IntelliVM
Software x86 emulator                                                | Full Windows XP or Windows 7 licensed software
Hardware emulation                                                   | Hardware virtualization
Generates numerous low-level events (page faults, exceptions, etc.)  | Generates high-level events (file, registry, network, process, etc.)
Emulated network access and services                                 | Real network access and services
Hook-based event introspection                                       | KernelScout filter driver captures low-level events
Add your own patterns                                                | Add your own patterns
Supports EXEs and DLLs                                               | Wide range of file support
Portable executable memory dumps                                     | Extend processing with plugins
INTELLIVM PROFILES AND PLUGINS
BEHAVIORAL DETECTION PATTERNS
Generic and malware-campaign-specific patterns
• Trojan, spyware, worm, ransomware
Extensive pattern library
• Core patterns (incl. WebPulse info)
• Create your own patterns
• All matching patterns will trigger
• Global and user-specific patterns
Risk scoring
• Set by highest matched pattern
• Scores update with new patterns
• Script notification triggers for further action
Patterns can detect targeted and single-use malware, and do not rely on signature-based detection methodologies.
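The slide describes the mechanics of behavioral pattern matching without showing them: patterns are evaluated over the high-level events (file, registry, network, process) the IntelliVM records, every matching pattern fires, the sample's risk score is the score of the highest matched pattern, and a threshold can trigger a notification script. The following Python is an added illustration of that mechanism and is not Blue Coat code; the event field names, pattern definitions, scores, the notification threshold, the "known malnet" host list standing in for WebPulse data, and both sample traces are constructed assumptions.

```python
"""Toy behavioral-pattern engine over a sandbox event trace.

Added example, not Blue Coat's engine: event fields, patterns, scores and
sample traces are assumptions chosen to show the mechanics the slide lists.
"""
import re
from dataclasses import dataclass
from typing import Callable, Dict, List

Event = Dict[str, object]   # one high-level event, e.g. {"type": "file_write", "path": ...}


@dataclass(frozen=True)
class Pattern:
    name: str
    score: int                              # assumed scale: 1 = low risk ... 10 = certain malware
    match: Callable[[List[Event]], bool]    # evaluated over the whole trace, not one event


def drops_and_runs(events: List[Event]) -> bool:
    """An executable is written to disk and later started from that same path."""
    written = {}
    for i, e in enumerate(events):
        if e["type"] == "file_write" and str(e["path"]).lower().endswith((".exe", ".dll")):
            written.setdefault(str(e["path"]).lower(), i)
    return any(e["type"] == "process_create"
               and str(e["image"]).lower() in written
               and i > written[str(e["image"]).lower()]
               for i, e in enumerate(events))


RUN_KEY = re.compile(r"\\CurrentVersion\\Run(Once)?\\", re.IGNORECASE)


def run_key_persistence(events: List[Event]) -> bool:
    """Autostart persistence via an HKCU/HKLM ...\\CurrentVersion\\Run value."""
    return any(e["type"] == "reg_set" and RUN_KEY.search(str(e["key"])) for e in events)


def mass_rename(events: List[Event], minimum: int = 5) -> bool:
    """Many files renamed to one new extension: ransomware-style behaviour."""
    per_ext: Dict[str, int] = {}
    for e in events:
        if e["type"] == "file_rename":
            ext = str(e["new_path"]).rsplit(".", 1)[-1].lower()
            per_ext[ext] = per_ext.get(ext, 0) + 1
    return any(n >= minimum for n in per_ext.values())


# Constructed stand-in for the reputation data the slide calls "WebPulse info".
KNOWN_MALNET_HOSTS = {"cdn.update-check.example", "198.51.100.23"}


def contacts_malnet(events: List[Event]) -> bool:
    return any(e["type"] == "net_connect" and e["host"] in KNOWN_MALNET_HOSTS for e in events)


# Core (global) patterns plus one user-specific pattern, as the slide allows.
CORE_PATTERNS = [
    Pattern("drop-and-execute", 6, drops_and_runs),
    Pattern("run-key-persistence", 7, run_key_persistence),
    Pattern("ransomware-mass-rename", 9, mass_rename),
    Pattern("contacts-known-malnet", 8, contacts_malnet),
]
CUSTOM_PATTERNS = [
    # Site-specific assumption: nothing legitimate here runs out of %TEMP%.
    Pattern("exec-from-temp", 4,
            lambda ev: any(e["type"] == "process_create"
                           and "\\temp\\" in str(e["image"]).lower() for e in ev)),
]


def analyze(events: List[Event], patterns: List[Pattern], notify_at: int = 7) -> dict:
    """Evaluate every pattern; all matches fire; risk is the highest matched score."""
    matched = [p for p in patterns if p.match(events)]
    risk = max((p.score for p in matched), default=0)
    return {"matched": [p.name for p in matched],
            "risk": risk,
            "notify": risk >= notify_at}   # where a notification script would be triggered


# Constructed trace: a dropper that persists, phones home and encrypts documents.
TEMP_EXE = r"C:\Users\alice\AppData\Local\Temp\svc.exe"
SAMPLE_TRACE: List[Event] = [
    {"type": "file_write", "path": TEMP_EXE},
    {"type": "process_create", "image": TEMP_EXE},
    {"type": "reg_set", "key": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\svc", "value": TEMP_EXE},
    {"type": "net_connect", "host": "198.51.100.23", "port": 443},
] + [
    {"type": "file_rename",
     "old_path": r"C:\Users\alice\Documents\report%d.docx" % i,
     "new_path": r"C:\Users\alice\Documents\report%d.docx.locked" % i}
    for i in range(6)
]

# Constructed trace of an ordinary document editor session.
BENIGN_TRACE: List[Event] = [
    {"type": "file_write", "path": r"C:\Users\alice\Documents\notes.txt"},
    {"type": "net_connect", "host": "www.example.com", "port": 443},
]

if __name__ == "__main__":
    print(analyze(SAMPLE_TRACE, CORE_PATTERNS + CUSTOM_PATTERNS))
    print(analyze(BENIGN_TRACE, CORE_PATTERNS + CUSTOM_PATTERNS))
```

Two properties from the slide are visible in the result: all five patterns are reported for the malicious trace (nothing is suppressed once a higher-scoring pattern matches), but the risk is set only by the highest, so adding a new, higher-scoring pattern later re-scores existing traces when they are re-evaluated. Patterns of this kind see only what the sample does inside the sandbox; malware that sleeps or checks for a user before acting produces an empty trace, which is why the slide pairs patterns with plugins that click through dialogs and installers.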
MALWARE APPLIANCE: KEY FEATURES
Enterprise Scalability
– Approximately 50,000 analysis tasks per day per appliance
– Automated bulk sample processing and risk scoring
– Parallel processing on up to 40 virtual machines per appliance
Hybrid Analysis – Dual-detection methodology using SandBox emulation and IntelliVM virtualization
IntelliVMs – Replicate actual production environments, including custom applications
Plugins – Interact with malware, click through installers, extend custom processing
Full-featured Web UI, Analysis Desktop, searching and data mining
Open Patterns – Detection criteria are never hidden; users can add custom patterns
RESTful API – Full programmatic access for integration and automation
Pub-Sub API – Secure notifications of analysis task status and task completion
Remote management, security, and health status monitoring ease deployment
BLOCKING, DETECTION & ANALYSIS
ProxySG + CAS + Malware Analysis Appliance (Sandbox)
Diagram: ProxySG (web gateway), Content Analysis System (CAS), Malware Analysis System (sandbox)
WWW.BLUECOAT.COM