
CAP LEVEL 2 CERTIFICATION FOR PARTNER SE

CONTENT ANALYSIS SYSTEM

Copyright © 2015 Blue Coat Systems Inc. All Rights Reserved.
CONTENT ANALYSIS SYSTEM - AGENDA

1 Introduction

2 Key Features

3 Product Line, Sizing and Licensing

INTRODUCTION

DEFINITIONS

- What is Malware?

TAKING A NETWORK-CENTRIC APPROACH

“Utilize network-based anti-malware tools to analyze all inbound traffic and filter out malicious content before it arrives at the endpoint.”
Critical Controls For Effective Cyber Defense - SANS Institute, March 2013

“So ultimately enterprise organizations need both network and host-based advanced malware defenses. Yeah, it's a lot of work but it's inevitable.”
Advanced Malware Protection: Network or Host? - Network World, July 2012

Network-based anti-malware adds an extra layer of defense against targeted attacks that are not detected by mainstream algorithms.
WHY CONTENT ANALYSIS?

- The Secure Web Gateway provides security content analysis, but not 100% coverage
- Adds an extra layer of defense: a second content analysis verdict
- Compensates for a lack of device-based anti-malware content protection
- Added as an extra layer to ensure performance

REAL WORLD RESULTS: BENEFIT OF ADDING NETWORK-BASED ANTIMALWARE TO SECURE WEB GATEWAY

Global Financial Enterprise (12 months ending 4/13; over 250,000 employees):
- 243.21 billion attempts to access websites (allowed + blocked)
- 793.09 million attempts to access known malicious sites blocked by WebPulse
- 89,192 malicious files blocked by network perimeter antimalware

[Diagram: Internet → Secure Web Gateway → Network Antimalware → Enterprise Network]
KEY FEATURES

BLUE COAT CONTENT ANALYSIS SYSTEM

- Blue Coat's next-generation anti-virus, malware, and spyware management system
- Full Secure Web Gateway integration
  • ICAP or Secure-ICAP
  • Policy scan
    – Allow/deny
    – File extension
    – File size
- Real-time scanning; detection and blocking
  • Files up to 5 GB in size
  • Compressed archives up to 99 layers deep

BLUE COAT CONTENT ANALYSIS SYSTEM (CONT.)

- Anti-virus, malware, and spyware scanning with one or two simultaneous anti-virus vendors:
  • Kaspersky
  • McAfee
  • Sophos
  • Automatic signature updates every 5 minutes
- Sandbox integration with Blue Coat's Malware Analysis or FireEye

WHITELIST DATABASE

- The File Whitelisting feature uses a classification system to identify files that appear to be suspicious but are known to be good
  • Developed by Kaspersky
  • DB hosted in WebPulse
  • Updated on average 4 times a day, excluding urgent updates
  • Millions of records are updated daily
- CAS boxes send a request to WebPulse to get a whitelisting verdict
  • Fewer files sent to anti-malware engines and sandbox
  • Improved system performance
  • Reduction in false positives from the sandbox

USE CASES OF WHITELISTING

Use case 1: Only allow the downloading of known good files for certain users or subnets
- I.e. if a user is downloading an .exe file type and it is not on the whitelist, don't allow it to be downloaded
- (must have arbitrary ICAP parsing in 6.5.2)

Use case 2: Don't sandbox or AV scan files that are on the whitelist above a certain score
- Increases throughput
- ~700k random files from WebPulse were run through the whitelist and 37% of them were known trusted files with a score of 7 or higher
- Whitelisting is a must for sandboxing

CONTENT ANALYSIS SYSTEM: HOW IT WORKS

[Diagram: Internet (encrypted & unencrypted traffic) → ProxySG → Content Analysis System (File Whitelisting, Malware Signature Databases) ↔ Global Intelligence Network]

Threat data sent to WebPulse:
- File hash
- URL
- Time stamp
- File name

File Whitelisting:
• Based on hash (SHA-1)
• DB hosted in WebPulse
• Over 1 billion records updated daily
• Feeds from software vendors
• Whitelist is a 1-10 score
• Critical when enabling sandboxing
SANDBOXING INTEGRATION

[Diagram: Internet (encrypted & unencrypted traffic) → ProxySG → Content Analysis System (File Whitelisting, Malware Signature Databases) → sandbox: Blue Coat Malware Analysis Appliance or non-Blue Coat sandbox]

INTELLIGENT DEFENSE IN DEPTH

- Block Known Web Threats (Secure Web Gateway): block all known sources/malnets and threats before they are on the network
- Allow Known Good (Content Analysis System with Application Whitelisting): free up resources to focus on advanced threat analysis
- Block Known Bad Downloads (Content Analysis System with Malware Scanning): reduce threats for incident containment and resolution
- Analyze Unknown Threats (Malware Analysis Appliance): discover new threats and then update your gateways

WHAT'S NEEDED: ADVANCED THREAT PROTECTION LIFECYCLE DEFENSE

[Diagram: lifecycle around the Global Intelligence Network]
- Ongoing Operations: Detect & Protect, Block All Known Threats (ProxySG)
- Incident Containment: Analyze & Mitigate, Novel Threat Interpretation (Content Analysis System, Malware Analysis Appliance)
- Incident Resolution: Investigate & Remediate Breach, Threat Profiling & Eradication (Security Analytics)
CAS TOPOLOGY

[Diagram: Internet ↔ Global Intelligence Network and Malware Analysis; ProxySG connected through a switch to the Content Analysis appliance; Users; Admin Management, Central Mail Server, Internal User Directory on the internal network]

PRODUCT LINE, SIZING AND LICENSING

CAS – PRODUCT LINE

CAS APPLIANCE
- CA-S400-A1: CAS Appliance, 50 Mbps
- CA-S400-A2: CAS Appliance, 100 Mbps
- CA-S400-A3: CAS Appliance, 250 Mbps
- CA-S400-A4: CAS Appliance, 500 Mbps
- CA-S500-A1: CAS Appliance, 1000 Mbps

CAS SW LICENSE
- License A: Single AV + Whitelist license (by user)
- License B: Dual AV + Whitelist license (by user)

CAS - SIZING GUIDE

CAS - LICENSING

- Appliance license A
  • Whitelist + Single AV
  • One license per user subscription (1, 3, 5 years) or per box
- Appliance license B
  • Whitelist + Dual AV
  • One license per user subscription (1, 3, 5 years) or per box
- Virtual
  • Secure Web Gateway and Content Analysis System base license
  • Subscription license for 1 or 3 years
  • One license per user
  • WebFilter license already included
  • Add license A or license B

QUALIFICATION

- Customers who consider themselves targets of targeted attacks & advanced persistent threats
- Blue Coat ProxyAV refresh:
  • AV810 is currently EOS
  • EOL is scheduled for 30th Nov 2015
  • 3211 AV810s under Active Support
  • 1560 AV customers have an AV box > 3 years old
- Upsell:
  • Only an estimated 15-20% of accounts have ProxyAV
- FireEye customers

CONTENT ANALYSIS SYSTEM: PARTNER RESOURCES

- https://partners.bluecoat.com/products/content-analysis-system-spe
- Support Assets
- Datasheets
- Solution Briefs
- Whitepapers
