Advanced Threat Protection - Sandboxing 101
- 1. ADVANCED THREAT PROTECTION
SANDBOXING 101
KEVIN FLYNN
PRODUCT MARKETING
OCTOBER, 2013
Blue Coat Confidential – Internal Use Only
Copyright © 2013 Blue Coat Systems Inc. All Rights Reserved.
- 2. ADVANCED THREAT PROTECTION SOLUTION
LIFECYCLE DEFENSE
The Blue Coat ATP solution delivers the industry's most comprehensive protection through the following:
1) Lifecycle Defense: Protection that maps to three threat stages: real-time blocking for known threats and malware sources (malnets); advanced threat analysis for unknown threats; and dwell-time reduction for latent threats
2) Adaptive Malware Analysis: Dynamic APT protection that analyzes unknown threats and shares information with other systems in the security infrastructure to increase protection efficiency for unknown and latent threats
3) Network Effect: APT information sharing between 75M users in 15,000 organizations through a feedback loop into the Blue Coat Global Intelligence Network
[Diagram: the three stages feed into and draw from the Global Intelligence Network]
Stage 1 – Block & Enforce: all known threats
Stage 2 – Detect & Analyze: unknown threats
Stage 3 – Resolve & Remediate: threats discovered on the network
- 3. WHY SANDBOXING?
DETECTING & ANALYZING UNKNOWN THREATS
• Traditional network defenses are great at dealing with known threats and terrible at dealing with unknown threats
• Unknown threats require dynamic analysis (known as detonation) in a virtual-machine, bare-metal or emulation sandbox
• Tight integration is necessary between the sandbox and your web gateway
- 4. BLUECOAT SANDBOX
MALWARE ANALYSIS APPLIANCE
CORE TECHNOLOGY
Hybrid Analysis – unmatched intelligence
• SandBox emulation
• IntelliVM virtualization
Behavioral Patterns – expose targeted attacks
• Detection patterns
• Open source patterns
• Custom patterns
Plug-in Architecture – extend detection and processing
• Interact with running malware
• Click-through dialogs and installers

SandBox (emulation)
• Software x86 emulator
• Hardware emulation
• Generates numerous low-level events – page faults, exceptions, etc.
• Emulated network access and services
• Hook-based event introspection
• Add your own patterns
• Supports EXEs and DLLs
• Portable executable memory dumps

IntelliVM (virtualization)
• Full Windows XP or Win 7 licensed software
• Hardware virtualization
• Generates high-level events – file, registry, network, process, etc.
• Real network access and services
• KernelScout filter driver captures low-level events
• Add your own patterns
• Wide range of file support
• Extend processing with plugins
- 5. BEHAVIORAL DETECTION PATTERNS
INTELLIVM PROFILES AND PLUGINS
Generic and malware-campaign-specific patterns
• Trojan, spyware, worm, ransomware
Extensive pattern library
• Core patterns (incl. WebPulse info)
• Create your own patterns
• All matching patterns will trigger
• Global and user-specific patterns
Risk scoring
• Set by highest matched pattern
• Scores update with new patterns
• Script notification triggers for further action
Patterns can detect targeted and single-use malware, and do not rely on signature-based detection methodologies
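The slide describes behavioral patterns that match on what a sample does rather than what it looks like, with a risk score taken from the highest matching pattern, rescoring when new patterns are added, and a notification hook when the score warrants action. The following is an added illustration of that scoring model in Python; it is not Blue Coat's pattern format, API or code. It assumes the sandbox emits high-level file, registry, process and network events as dicts (as the IntelliVM column on the previous slide describes); the pattern names, scores, threshold, and both event traces are constructed here.

```python
"""Behavioral pattern matching with "highest matched pattern wins" risk scoring.

Added example, not Blue Coat code. Event shape, patterns, scores, threshold
and the sample traces are all assumptions made for the illustration.
"""
import ipaddress
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional

Event = Dict[str, object]
Trace = List[Event]


@dataclass(frozen=True)
class Pattern:
    name: str
    score: int                      # risk contributed when the pattern matches (0-100)
    match: Callable[[Trace], bool]  # predicate over the whole event trace, not one event
    origin: str = "core"            # "core" (shipped) or "custom" (user-added)


def drop_and_execute(trace: Trace) -> bool:
    """An executable written under a Temp directory is later started as a process."""
    dropped = set()
    for e in trace:
        if e["type"] == "file" and e["op"] == "write" and "\\temp\\" in str(e["path"]).lower():
            dropped.add(str(e["path"]).lower())
        elif e["type"] == "process" and e["op"] == "create" and str(e["image"]).lower() in dropped:
            return True
    return False


def run_key_persistence(trace: Trace) -> bool:
    """Any write under a CurrentVersion\\Run key (autostart persistence)."""
    return any(e["type"] == "registry" and e["op"] == "write"
               and "\\currentversion\\run" in str(e["key"]).lower() for e in trace)


def raw_ip_nonstandard_port(trace: Trace) -> bool:
    """Outbound connection to an IP literal on a port other than 80/443 (beacon-like)."""
    for e in trace:
        if e["type"] != "network" or e["op"] != "connect":
            continue
        try:
            ipaddress.ip_address(str(e["dst"]))
        except ValueError:
            continue  # a hostname, not an IP literal
        if int(e["port"]) not in (80, 443):
            return True
    return False


def shadow_copy_deletion(trace: Trace) -> bool:
    """vssadmin used to delete volume shadow copies (typical ransomware step)."""
    return any(e["type"] == "process" and e["op"] == "create"
               and str(e["image"]).lower().endswith("vssadmin.exe")
               and "delete shadows" in str(e["cmdline"]).lower() for e in trace)


CORE_PATTERNS = [
    Pattern("drop_and_execute", 70, drop_and_execute),
    Pattern("run_key_persistence", 60, run_key_persistence),
    Pattern("raw_ip_nonstandard_port", 50, raw_ip_nonstandard_port),
]
# A user-added pattern, e.g. written after a ransomware campaign hit the organisation.
CUSTOM_PATTERNS = [Pattern("shadow_copy_deletion", 90, shadow_copy_deletion, origin="custom")]


def analyze(trace: Trace, patterns: List[Pattern], notify_threshold: int = 80,
            notify: Optional[Callable[[dict], None]] = None) -> dict:
    """Run every pattern (all matches are reported), set the risk score from the
    highest matched pattern, and fire the notification hook at the threshold."""
    matched = [p for p in patterns if p.match(trace)]
    score = max((p.score for p in matched), default=0)
    result = {"risk_score": score, "matched": sorted(p.name for p in matched), "notified": False}
    if notify is not None and score >= notify_threshold:
        notify(result)  # e.g. hand the verdict to the gateway or a ticketing script
        result["notified"] = True
    return result


# Constructed traces of the kind of high-level events a VM sandbox would emit.
SAMPLE_TRACE: Trace = [
    {"type": "process", "op": "create", "image": r"C:\Users\u\Downloads\invoice.exe", "cmdline": "invoice.exe"},
    {"type": "file", "op": "write", "path": r"C:\Users\u\AppData\Local\Temp\upd.exe"},
    {"type": "registry", "op": "write", "key": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\upd",
     "value": r"C:\Users\u\AppData\Local\Temp\upd.exe"},
    {"type": "process", "op": "create", "image": r"C:\Users\u\AppData\Local\Temp\upd.exe", "cmdline": "upd.exe"},
    {"type": "network", "op": "connect", "dst": "203.0.113.10", "port": 4444},
    {"type": "process", "op": "create", "image": r"C:\Windows\System32\vssadmin.exe",
     "cmdline": "vssadmin.exe delete shadows /all /quiet"},
]
BENIGN_TRACE: Trace = [
    {"type": "process", "op": "create", "image": r"C:\Program Files\Editor\editor.exe", "cmdline": "editor.exe"},
    {"type": "file", "op": "write", "path": r"C:\Users\u\Documents\notes.txt"},
    {"type": "network", "op": "connect", "dst": "update.example.com", "port": 443},
]

if __name__ == "__main__":
    alerts = []
    print(analyze(SAMPLE_TRACE, CORE_PATTERNS, notify=alerts.append))                    # score 70, no alert
    print(analyze(SAMPLE_TRACE, CORE_PATTERNS + CUSTOM_PATTERNS, notify=alerts.append))  # rescored to 90, alert
    print(analyze(BENIGN_TRACE, CORE_PATTERNS + CUSTOM_PATTERNS, notify=alerts.append))  # score 0
    print(len(alerts), "notification(s)")
```

Re-running analyze over a stored trace with the custom pattern added is what "scores update with new patterns" means in practice: the same sample moves from 70 (below the notification threshold) to 90 once the shadow-copy pattern exists, without re-detonating it. Note that all three core patterns are reported even though only the highest one sets the score.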
- 6. MALWARE APPLIANCE
KEY FEATURES
Enterprise Scalability – approximately 50,000 analysis tasks per day per appliance
– Automated bulk sample processing and risk scoring
– Parallel processing on up to 40 virtual machines per appliance
Hybrid Analysis – superior dual-detection methodology using SandBox and VM
IntelliVMs – replicate actual production environments, including custom applications
Plugins – interact with malware, click through installers, extend custom processing
Best-in-class full-featured Web UI, Analysis Desktop, searching and data mining
Open Patterns – detection criteria are never hidden; users can add custom patterns
Powerful RESTful API – full programmatic access for integration and automation
Pub-Sub API – secure notifications of analysis task status and task completion
Remote management, security, and health-status monitoring ease deployment
- 7. BLOCKING, DETECTION & ANALYSIS
ProxySG + CAS + Malware Analysis Appliance (Sandbox)
[Diagram: ProxySG (web gateway) · Content Analysis System (CAS) · Malware Analysis System (sandbox)]