Data – Process of capturing, indexing, storing and extracting files and sessions
• Full Packet Capture – All traffic is recorded from a monitoring point
• Layer 2-7 Index and Classification – Packets are passed through the DPI engine as they arrive for classification and
metadata extraction
• Patented Database – All captured traffic is warehoused to disk in a highly optimized storage format
• Full Session Reconstruction – Complete session reconstruction, including emails, IM and web transactions
Enrich – Taking extracted data and determining known information about artifacts, both good and bad
• Web, Mail, File ThreatBLADES – Threat intelligence on IPs/URLs, files and emails; suspicious files crossing any
major transport protocol are forwarded to a Blue Coat or third-party sandbox
• Malware Analysis – Lookups against known virus signatures, with hand-off of potentially malicious content carried
over HTTP, SMTP and FTP to MAA for 0-day malware analysis
• Pattern Matching, Anomaly Detection, White/Black Lists – Known malware signatures, inspection of traffic for
deviations from expected protocol behaviour, and white and black lists of files, IP addresses and domains, all used
to flag potential threats
• Integrated Workflow – Direct pivoting from IPS, sandbox and NGFW events into the captured traffic, so security
events are fully enriched
• Global Intelligence Network – The Blue Coat GIN, continuously updated through the network effect of 75M users,
for identifying known malware, bad domains and suspicious IP addresses
Analyze – Using the UI to view reports and visualize the data
• Visual Insight – Graphs, charts and lists that present the data by user-defined criteria
• Advanced Reporting – Detailed reports on many of the protocols and metadata; can be run on demand or scheduled
• Statistical Analysis – Visual statistics and baseline comparisons (Roadmap)
Action – Post processing of data – alerts, block and inform
• Alerts and Logging – Alerts are shown in the UI, and can also be emailed or sent as syslog/CEF events to a SIEM
• Detect and Block – Detected threats can be shared with the Global Intelligence Network to update other
Blue Coat devices so that they block the traffic
• File Brokering – The SA device can be configured to broker files using real-time file extraction
• Feedback Loop – Information sent out and shared can in turn be ingested by the system for proactive defense
measures
Internet - The source of the packets to be analyzed. The diagram shows the Internet, but any point in the network
that can provide a SPAN or tap port can be monitored
ProxySG - The main blocking device in the Blue Coat product portfolio; used in ATP for blocking as well as for web
security
SSL Visibility - SSL decryption is key to delivering all packets to the Security Analytics platform in cleartext so it
can perform L2-L7 analysis and apply threat intelligence to all traffic; without it, encrypted sessions expose only
their L2-L4 headers, so file extraction and payload-level enrichment depend on this component
Classify/Index/Store - As packets arrive they are run through the DPI engine, which indexes the traffic, classifies it,
and stores it appropriately on the file system
Enrich - Enrichment runs the extracted metadata and artifacts through the rules defined on the system. Each rule
either matches directly on metadata attributes or hands the traffic and artifacts off to an enrichment source for
further analysis. While there are many different types of enrichment, they mainly fall under two categories:
Standard Threat Intelligence – The default analytics use open-source and third-party integrations, including running
file hashes against VirusTotal, checking them against Bit9's whitelist, and querying SANS ISC threat information
ThreatBLADES – An additional licensed component that examines traffic for web threats, email threats, file threats
or zero-day malware, with further blades planned
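The rule matching described in the Enrich bullets above and in this Enrich section, as an added example that is not Blue Coat or Solera code: it runs constructed session metadata and extracted file bytes through hash whitelist/blacklist lookups, domain and IP blacklists, a port-versus-classified-protocol anomaly check, and the decision to hand an unknown executable off for sandbox analysis. The record layout, rule set, list contents and sample sessions are all assumptions made here for illustration.

```python
"""Illustrative enrichment rules over session metadata and extracted files.

This is an added example, not code from Blue Coat or Solera: the record
layout, the rule set, the list contents and the sample sessions are all
constructed here to show the matching the text describes.
"""
import hashlib
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Constructed stand-ins for files the DPI engine extracted from sessions.
CLEAN_SAMPLE = b"#!/bin/sh\necho inventory ok\n"
BAD_SAMPLE = b"MZ\x90\x00" + b"\x00" * 60 + b"dropper"
UNKNOWN_PE = b"MZ\x90\x00" + b"\x00" * 60 + b"updater"

# Constructed lists. In a deployment these come from a whitelist vendor,
# threat-intelligence feeds, and the analysts' own favorites.
KNOWN_GOOD_SHA256 = {hashlib.sha256(CLEAN_SAMPLE).hexdigest()}
KNOWN_BAD_SHA256 = {hashlib.sha256(BAD_SAMPLE).hexdigest()}
BAD_DOMAINS = {"update-cdn.invalid"}        # .invalid is reserved (RFC 2606)
BAD_IPS = {"192.0.2.44"}                    # TEST-NET-1 (RFC 5737)

# Application protocol a DPI engine should see on each well-known port.
EXPECTED_PROTO = {21: "ftp", 25: "smtp", 53: "dns", 80: "http", 443: "ssl"}
FILE_CARRYING = {"http", "smtp", "ftp"}     # payloads eligible for sandbox hand-off


@dataclass
class Artifact:
    """Metadata for one session plus, when present, a file extracted from it."""
    session_id: str
    dst_ip: str
    dst_port: int
    app_proto: str                  # classified from the payload, not the port
    domain: Optional[str] = None
    file_bytes: Optional[bytes] = None


@dataclass
class Verdict:
    session_id: str
    severity: int = 0               # 0 = clean; the highest matching rule wins
    reasons: List[str] = field(default_factory=list)
    sandbox: bool = False           # hand the file off for dynamic analysis?
    sha256: Optional[str] = None


def enrich(a: Artifact) -> Verdict:
    """Run the metadata and file rules over one artifact and return its verdict."""
    v = Verdict(a.session_id)

    def hit(sev: int, why: str) -> None:
        v.severity = max(v.severity, sev)
        v.reasons.append(why)

    # Metadata rules run for every session, whether or not it carried a file.
    if a.domain and a.domain.lower() in BAD_DOMAINS:
        hit(8, f"domain {a.domain} is blacklisted")
    if a.dst_ip in BAD_IPS:
        hit(8, f"destination {a.dst_ip} is blacklisted")
    expected = EXPECTED_PROTO.get(a.dst_port)
    if expected and a.app_proto != expected:
        hit(4, f"{a.app_proto} seen on port {a.dst_port}, expected {expected}")

    # File rules: hash lookups first, then decide whether to hand off.
    if a.file_bytes is not None:
        v.sha256 = hashlib.sha256(a.file_bytes).hexdigest()
        if v.sha256 in KNOWN_BAD_SHA256:
            hit(10, "file hash is blacklisted")
        elif v.sha256 in KNOWN_GOOD_SHA256:
            v.reasons.append("file hash is whitelisted")
        elif a.file_bytes.startswith(b"MZ") and a.app_proto in FILE_CARRYING:
            # Unknown executable over HTTP/SMTP/FTP: queue for 0-day analysis.
            v.sandbox = True
            hit(5, "unknown PE executable queued for sandbox")
    return v


def enrich_all(artifacts) -> Dict[str, Verdict]:
    return {v.session_id: v for v in map(enrich, artifacts)}


# Constructed sessions covering the clean, unknown, anomalous and known-bad cases.
SAMPLE_SESSIONS = [
    Artifact("s1", "198.51.100.10", 80, "http", "intranet.example", CLEAN_SAMPLE),
    Artifact("s2", "198.51.100.20", 80, "http", "downloads.example", UNKNOWN_PE),
    Artifact("s3", "192.0.2.44", 443, "ssh", "update-cdn.invalid"),
    Artifact("s4", "198.51.100.30", 25, "smtp", None, BAD_SAMPLE),
]

if __name__ == "__main__":
    for sid, verdict in enrich_all(SAMPLE_SESSIONS).items():
        print(sid, verdict.severity, verdict.sandbox, "; ".join(verdict.reasons))
```

The whitelist check deliberately short-circuits the sandbox hand-off, since the point of a whitelist such as Bit9's is to keep known-good binaries out of the analysis queue; a blacklisted hash still wins over everything else because it is checked first.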
Detect and Analyze – This process covers both automated and manual analysis on the system. Analysis means using
the UI to search through traffic, viewing dashboards and reports, running manual threat analysis, and using the root
cause feature to trace events back to their origin. Detect and analyze is also where complete incident resolution
takes place. Detection also includes creating standard and custom favorites, which are then used in security
policies and rules
Report/Alert/Update – Based on information generally determined during the enrichment phase, the system generates
alerts. These alerts are displayed locally in the UI, but they can also be sent via syslog/CEF/LEEF to a SIEM or other
log management device, or emailed. Reports can be sent out based on the general traffic information found under the
reporting tab. The system updates its own analytics engine based on the results, and the information can also be
sent as an update to WebPulse
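The syslog/CEF alert path named in the Action bullets above and in this Report/Alert/Update section, as an added example that is not Blue Coat code: it builds a CEF event for an alert, wraps it in an RFC 3164 syslog line, and parses it back the way a SIEM would, with the escaping the CEF format requires for '|' in header fields and '=' and newlines in extension values. The vendor and product strings, extension keys and the sample alert are constructed here.

```python
"""Encode an alert as CEF for syslog delivery to a SIEM, and parse it back.

This is an added example, not Blue Coat code. The vendor and product
strings, extension keys and sample alert are constructed here; the escaping
follows the CEF format: '|' and '\\' are escaped in header fields, '=' and
'\\' in extension values, and CR/LF in values become '\\r' and '\\n'.
"""
import re
from datetime import datetime, timezone
from typing import Dict, Optional

VENDOR, PRODUCT, VERSION = "ExampleVendor", "SecurityAnalytics", "7.0"  # constructed
SYSLOG_FACILITY_LOCAL4 = 20
SYSLOG_SEVERITY_WARNING = 4


def _esc_header(v) -> str:
    return str(v).replace("\\", "\\\\").replace("|", "\\|")


def _esc_ext(v) -> str:
    return (str(v).replace("\\", "\\\\").replace("=", "\\=")
            .replace("\r", "\\r").replace("\n", "\\n"))


def to_cef(sig_id: str, name: str, severity: int, ext: Dict[str, object]) -> str:
    """Build 'CEF:0|Vendor|Product|Version|SignatureID|Name|Severity|k=v ...'."""
    header = "|".join(_esc_header(x) for x in
                      (VENDOR, PRODUCT, VERSION, sig_id, name, severity))
    extension = " ".join(f"{k}={_esc_ext(v)}" for k, v in ext.items())
    return f"CEF:0|{header}|{extension}"


def syslog_line(cef: str, host: str, when: Optional[datetime] = None) -> str:
    """Wrap a CEF event in an RFC 3164 syslog line; PRI = facility * 8 + severity."""
    when = when or datetime.now(timezone.utc)
    pri = SYSLOG_FACILITY_LOCAL4 * 8 + SYSLOG_SEVERITY_WARNING
    return f"<{pri}>{when:%b} {when.day:2d} {when:%H:%M:%S} {host} {cef}"


def _split_header(line: str):
    """Split on unescaped '|' into the 7 header fields plus the raw extension."""
    parts, buf, i = [], [], 0
    while i < len(line):
        if len(parts) == 7:
            return parts + [line[i:]]        # extension keeps its own escapes
        c = line[i]
        if c == "\\" and i + 1 < len(line):
            buf.append(line[i + 1]); i += 2  # drop the backslash, keep the char
        elif c == "|":
            parts.append("".join(buf)); buf = []; i += 1
        else:
            buf.append(c); i += 1
    parts.append("".join(buf))
    return parts


# key=value pairs; values may contain spaces and end before the next ' key='.
_EXT_RE = re.compile(r"(\w+)=((?:\\.|[^\\=])*?)(?=\s+\w+=|$)")


def _unesc(v: str) -> str:
    return re.sub(r"\\(.)", lambda m: {"n": "\n", "r": "\r"}.get(m.group(1), m.group(1)), v)


def parse_cef(line: str) -> dict:
    """Parse a CEF line (as a SIEM would) back into header fields and extension."""
    parts = _split_header(line)
    if len(parts) != 8 or not parts[0].startswith("CEF:"):
        raise ValueError("not a CEF line")
    keys = ("version", "vendor", "product", "device_version", "sig_id", "name", "severity")
    event = dict(zip(keys, parts[:7]))
    event["version"] = event["version"][4:]
    event["ext"] = {k: _unesc(v) for k, v in _EXT_RE.findall(parts[7])}
    return event


# Constructed alert with characters that need escaping: '|' in the name,
# '=' in a URL and a newline in the message.
SAMPLE_ALERT = {
    "sig_id": "SA-FILE-001",
    "name": "Blacklisted file hash | sandbox verdict: malicious",
    "severity": 9,
    "ext": {
        "src": "10.0.0.15", "dst": "192.0.2.44", "dpt": 80,
        "request": "http://update-cdn.invalid/get.php?id=42&x=1",
        "msg": "matched rule fileHash\nsee case notes",
    },
}


def sample_event() -> str:
    a = SAMPLE_ALERT
    return to_cef(a["sig_id"], a["name"], a["severity"], a["ext"])


if __name__ == "__main__":
    line = sample_event()
    print(syslog_line(line, "sa-sensor-01"))
    print(parse_cef(line))
```

Escaping matters on this path: an unescaped '|' in a rule name or an '=' in a URL shifts every field after it when the SIEM parses the event, so a round-trip test like the one in `parse_cef` is worth keeping in the sensor's own test suite.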
Global Intelligence Network – Cloud portal containing threat information, including information shared and read by
users. This information is used by the ThreatBLADES, and detections made on a Solera system may in turn be shared
with the global community.
This network topology shows all the components of advanced threat protection deployed in an enterprise
network. The Security Analytics Platform is deployed in the internal network as well, not just at the perimeter.