
Playbook

©2014 Blue Coat Systems, Inc. All rights reserved. Blue Coat Confidential – Internal Use Only.

Advanced Threat Protection Elevator Pitch: Organizations are blind to the activities of Cybercriminals, Hacktivists and Nation States because advanced, targeted malware and zero-day attacks fly under the radar of even the most fortified enterprises. These Advanced Persistent Threats (APTs) take only seconds or minutes to compromise a target, but can take weeks, months or years to discover. Blue Coat helps reduce corporate risk by enabling organizations to detect and protect against known threats, analyze and mitigate any new threat, and swiftly investigate and resolve any successful breach.

What to Look For – Customer Pain Points

Reputation damage and financial loss
• Can take days, weeks or months to discover the source of an attack
• Massive man hours are required to gain insight into a security breach because the customer only has a snapshot of an attack – a complete picture of before, during and after an attack is needed
• Budget is already tight – “We will have to prioritize on spend and are not sure of the best way to protect our enterprise.”

Current security does not protect from dangerous APTs
• Has SIEM, NGFW, IPS, etc., but these are not enough by themselves
• Current detecting and blocking is ineffective – the threat landscape has changed and advanced threats are getting through defenses
• Security team is reactive and endpoint AV signatures are not all up-to-date – slow at addressing known threats
• Current sandboxing forces a standard setup – can’t customize fully to their environment and “gold images”
• Looking at sandboxing, but cannot identify the best solution

Average time to incident resolution is very high
• Customer is bombarded with thousands of security events without full context – difficult to identify and manage risks
• Security team does not have a full picture and can’t quickly find answers to who, what, how, where, when after a security breach
• Delays in identifying root cause limit the ability to apply protection
• Using outdated tools (Wireshark or Sniffer) to stitch packet data takes a long time and doesn’t identify malicious activity

Today’s advanced threats may cripple us
• Today’s advanced attacks threaten the confidentiality, integrity, and availability of our business
• Even with updates and applied knowledge, the organization remains vulnerable to advanced malware and zero-day attacks
• Current solutions do not close the gaps – we have good blocking tools, but cannot stop and mitigate advanced threats

Customer Initiatives and Projects

Customer: Federal Agency – Department of Defense
• Federal Information Security Management Act (FISMA) requires agencies to implement continuous monitoring
• US CERT has initiatives that attach to Security Analytics Platform for incident response and resolution projects
• Initiatives such as Trusted Internet Connection (TIC) mandate Situational Awareness and 20/20 visibility into all traffic

Customer: Commercial – Retail, Financial, Health Care
• The CMO needs “Security” to support new and competitive revenue opportunities (routes to market, mobility, social media)
• The CIO must consolidate the backend without compromising security (multiple databases, networks, multi-currency, apps, etc.)
• The CISO sees ever-escalating threats and board pressure to manage risks and adhere to compliance and audit requirements
• Network/Infrastructure execs must protect corporate systems and data and critical infrastructure such as SCADA systems

Customer: Existing Blue Coat – ProxySG and ProxyAV
• Looking to fortify perimeter security with complete web control, real-time anti-malware scanning and sandbox technology
• Existing customers with initiatives to modernize malware analysis and gain retrospective analysis for incident response and resolution
• Customers looking to gain visibility into encrypted traffic and uncover encrypted attacks

Customer: Building a modern SOC with existing ecosystem
• SOCs looking for a coordinated operational approach to prevention, detection, and risk management, while collaborating with the NOC
• Customer has SIEM and other compliance tools but complains about the overload of alerts and noise. Those tools integrate with Security Analytics Platform, which delivers full context to any event
• Customer has NGFW, IDS/IPS but knows these tools alone are not enough and is looking for advanced malware analysis, SSL traffic management and complete retrospective analysis capabilities
• Customer looking for an organized system and process to share knowledge regarding zero-day threats and targeted attacks
• SOCs looking to have an accurate threat status from discovery to resolution while responding in a timely, consistent manner

Why
• Advanced Targeted Attacks
• State-Sponsored Espionage
• Hacktivism
• Insider Data Theft
• $11.6M – Annualized cost of a cyber breach (Ponemon Research 2013)
• 200,000 – New malware samples uncovered each day (Kaspersky Labs)

How – Best Practice Sales Strategies

Add CAS + MAA + Security Analytics Platform to ProxySG
• Point out the real-time anti-malware scanning and whitelisting, combined with dynamic, next-generation malware analysis and sandboxing
• Highlight the superiority of our analysis and custom profiles
• Complement ProxySG and Content Analysis System with Security Analytics Platform and ThreatBLADES

Add SSL Visibility + Security Analytics to ProxySG
• Point out how critical it is to have full visibility into all traffic, even encrypted
• Highlight the integration of SSL Visibility & Security Analytics
• Show the value and cost savings by using SSL Visibility Appliance as a TAP to effectively combine traffic feeds for analysis and risk management

Adding Security Analytics to ProxySG
• Focus on effective forensics and incident response and emphasize the need for visibility, context and content
• Emphasize deployment flexibility (software, hardware or virtual) and ease-of-use
• Explain how ThreatBLADES provide comprehensive analysis of all web, mail and file protocols


Advanced Threat Protection

Discovery Questions

Qualifying Questions
• What systems or processes have you deployed so far to address advanced malware, zero-day threats and targeted attacks?
• Do you need an integrated security solution that includes your ticketing system?
• After a security breach, how quickly can you respond to executives regarding how it happened, who did it, and the extent of damage to data, brand, customers?
• What processes do you have in place for security risk management?
• Tell me how you currently manage alerts and incidents from your NGFW, SIEM, IDS/IPS and other log/alerting tools.
• Malware hides in disguised file types – can your NGFW and IPS uncover all file types?

Reputation Damage and Financial Loss
• What are your obligations for public disclosure of a breach? What regulations apply?
• How would you describe how your brand/image would be affected if you can’t provide clear details after a breach?
• Are you concerned with potential loss of customers? What is your estimate of potential lost business after a data breach?
• How fast can you remediate a data breach? What is the cost in resources and man hours?
• If attacked, do you have full forensic details to reconstruct the attack and mitigate future risks?

Current tools don’t protect from APTs
• Can your known blocking tools like NGFW and IPS detect APTs in SSL traffic at line rates?
• Do you have an integrated security ecosystem to detect zero-day threats and advanced malware?
• How quickly are you able to update blocking tools with new signatures for zero-day attacks?
• Do you rely only on endpoint AV security? Can you block advanced malware at the gateway as well?
• Can you explain how your current security tools would protect your organization against a specific, advanced targeted attack?

Average time to resolution is very high
• During incident investigation – apart from SIEM logs – how do you collect evidence?
• How do you reconstruct suspicious activity of an event/breach to assess the full scope of an attack?
• How are you answering critical post-breach questions – like how, what, when, why, who – to manage current and future risks?
• How do you determine root cause and material impact of a targeted attack/breach?
• How many man-hours does it take to discover the scope and resolve a breach?

Today’s advanced threats may cripple us
• Can your perimeter defenses identify activity and/or samples that can lead to data breaches?
• How do you manage risks within SSL traffic?
• How do you currently identify security gaps?
• How are you notifying your security controls regarding advanced threats uncovered by your sandboxing technologies?
• Do you have capabilities to locate all the assets that have been compromised by advanced threats?
• How are you discovering advanced threats that don’t have any signatures and use SSL?

Lifecycle Defense diagram (Global Intelligence Network and Knowledgebase at the center)

Stage 1: Detect and Protect (Ongoing Operations)
• Blue Coat Secure Web Gateway (ProxySG)
• Blue Coat Content Analysis System with Dual-AV and Whitelisting
• Blue Coat SSL Visibility Appliance

Stage 2: Analyze and Mitigate (Incident Containment)
• Blue Coat Malware Analysis Appliance
• Blue Coat Security Analytics Platform with ThreatBLADES

Stage 3: Investigate and Remediate (Incident Resolution)
• Blue Coat Security Analytics Platform

1. Block all the known bad with preventative and signature-based security tools including ProxySG and Content Analysis System
2. We use Security Analytics, ThreatBLADES and Malware Analysis / Sandboxing to detect and analyze the threats and attacks that get through signature-based security tools
3. We update signature-based tools with new threat intelligence, inform our knowledge-bases and fortify the security ecosystem
4. We conduct retrospective analysis of previously captured data with newer threat intelligence
5. We resolve and remediate underlying vulnerabilities and mitigate future risks
6. We repeat the process dynamically


Customer Success Sound Bytes

“Using the Security Analytics Appliance has saved our company well over 7 figures” – CSO, Fortune 100 Equity Firm

“The speed with which we respond to events now will more than pay for the cost of this device.” – Major Cloud Software Provider

“Blue Coat certainly met our needs in that area” – Jefferies on Blue Coat’s Business Assurance Technology

Advanced Threat Protection By Use Case

Value Measurement Questions (identify cost of problem)

Situational Awareness
• Do you have full visibility into SSL traffic in multi-gigabit environments?
• How would you rate your ability to apply context to network traffic from a security view?
• How far back can you analyze – days, weeks, months or more?
• Risk Management – What % of your monitoring tools are obsolete?

Advanced Malware Detection
• How often are you able to detect advanced malware or a targeted attack against your business systems, applications, processes, or users with your current tools?
• Are you utilizing sandboxing tools to identify advanced malware? Are you finding it too costly to deploy throughout the entire organization?
• What are your costs of a data breach?
• How would you rate your vulnerability or risk posture against targeted threats and attacks? What is your estimated cost of a data breach?

Continuous Monitoring
• What would it cost to have an outside agency perform monitoring of target systems?
• How quickly and accurately could you respond to a subpoena to disclose network activity?

Data Loss Analysis and Monitoring
• How long would it take you to reconstruct the actual evidence to validate data loss through email, IM, files and web traffic? How complete would that evidence be? How much information would be missing?
• Until you can reconstruct the evidence, how certain are you of the enormity of a breach?

Web Control and Security Enforcement
• Describe your policy for managing mobile devices. Do you allow BYOD?
• How much is it costing you to manage security of personal devices?
• How would you rate your ability to authenticate, filter and categorize web traffic?

Building Modern Security Operations Centers
• How do you deliver a coordinated and collaborative operational approach to deal with advanced threats? How do your SOCs and NOCs interact?
• Does your SOC have all the modern tools to deal with zero-day threats and targeted attacks? How are you detecting encrypted advanced malware?
• Does your SOC provide clear evidence of security breaches and violations?

Network Forensics, Security Incident Response and Resolution
• On average, how many man hours are involved in trying to identify the cause of a breach? What is your average cost per hour and per incident?
• Have you paid for an outside agency to assist with incident investigations?
• How would a public breach affect your company’s identity? What % of customers do you think might defect?

Many Business Needs. One Solution.

Situational Awareness
• Risk management and visibility of SSL traffic
• Monitor hundreds of network segments
• Visibility into thousands of applications
• Historical analysis up to weeks and months

Advanced Malware Detection
• Integrated malware detonator
• Automated file analysis
• File reputation services
• Reputation of IP and URLs (Botnet)

Data Loss Analysis and Monitoring
• Monitor all in-and-out communications
• Reconstruct e-mail, IM and HTTP uploads
• Alerts on sensitive files

Continuous Monitoring
• 24/7 surveillance with any-event playback
• Identify and fix security events
• Full fidelity of monitored data

Web Control & Security Enforcement
• Granular control of Web and mobile applications
• User authentication, web filtering and web content categorization
• Real-time content analysis — dual AV scanning, whitelisting, malware blocking

Building Modern SOCs
• Coordinated operational approach
• Integrated security ecosystem for complete advanced threat protection
• Timely and consistent response for advanced threats from discovery to resolution

Network Forensics, Security Incident Response and Resolution
• Up to 85% faster incident response
• Integration into NGFW, IPS and SIEM
• Real-time and contextual response



Advanced Threat Protection Key Blue Coat Differentiators

Comprehensive
Block & Enforce in real-time with ProxySG and Content Analysis System and unlock encrypted traffic with SSL Visibility Appliance; Detect & Analyze with ThreatBLADES and Malware Analysis Appliance; Resolve & Remediate with Security Analytics Platform. Repeat the cycle to fortify your network.

Global Intelligence Network
Collaborative threat intelligence knowledgebase provides up-to-the-minute defense and inoculation against zero-day threats, targeted attacks and advanced malware – continuously updated and aggregated from a Network Effect of 15K organizations and 75M users.

Flexible Security Analytics
Security Analytics Platform: as turnkey appliance, software-only, virtual appliance or managed service. Blue Coat ThreatBLADES allow for flexible deployment of threat protections for web, email and file. Common Malware Analysis Appliance at the perimeter and in the network.

Next Generation Sandbox
Malware Analysis Appliance leverages a unique dual analysis solution that features both an IntelliVM virtualized sandbox—with highly customizable environments—as well as a bare metal sandbox emulator for accurate analysis and detection of VM-evasive malware.

Situational and Contextual Awareness
24x7 capturing, indexing and parsing of your network “big data” with full context, actionable intelligence, and root cause for immediate resolution and remediation.

Application Aware
Ability to decode and classify thousands of applications—including Web 2.0 applications. For example: in an HTTP stream, we will not only identify/reconstruct the HTML traffic, but also identify all other files—like PHP, AJAX, JavaScript, etc. No other solution has this type of Layer 7 awareness.

Real-time File Broker
Automated ‘file broker’ detects, extracts, classifies and submits files to internal or external analysis systems—including PC and mobile malware sandboxes, indexing engines and file repositories.

Machine-Learning Architecture
Advanced threat profiling engine delivers a dynamic, machine-learning architecture to proactively discover, identify and mitigate advanced threats for enhanced detection accuracy and faster time-to-protection.

Best-of-Breed Integrated Ecosystem
Extremely flexible and powerful API Integration Layer that improves workflow while integrating with industry-leading security systems including Blue Coat’s own security solutions, as well as NGFW, IPS, SIEM, and 3rd-party sandboxing.

Retrospective Analysis
Industry’s only solution with complete correlation using real-time threat intelligence, network effect with full security visibility – 24/7 Full Packet Capture, Layer 2 to 7 reconstruction and historical big data – for complete retrospective analysis, impact analysis and incident response.

|                    | Real-time Enforcement and Blocking | Security Analytics | Malware Sandbox | Cloud Threat Intel             | SSL Traffic Management | Full Packet Capture               | Integrated Security Ecosystem       |
|--------------------|------------------------------------|--------------------|-----------------|--------------------------------|------------------------|-----------------------------------|-------------------------------------|
| RSA NetWitness     | ✗                                  | Not as vast as BCS | ✗               | Not as vast as BCS             | Through Blue Coat      | Yes – with packet loss @ high rate | SIEMLink (no certified integration) |
| NIKSUN             | ✗                                  | Limited            | ✗               | ✗                              | ✗                      | Yes – no certified capture rate   | OpenAPI (no certified integration)  |
| FireEye            | Limited                            | ✗                  | ✔               | Malware only                   | Through Blue Coat      | ✗                                 | Solera, SIEM and others             |
| McAfee             | ✔                                  | ✗                  | ✔               | ✔                              | ✗                      | ✗                                 | Limited                             |
| Websense           | ✔                                  | ✗                  | ✗               | No file or malware intelligence | ✗                      | ✗                                 | ✗                                   |
| Check Point        | ✔                                  | ✗                  | ✔               | ✔                              | Limited                | ✗                                 | ✗                                   |
| Palo Alto Networks | ✔                                  | ✗                  | ✔               | ✔                              | Limited                | ✗                                 | Limited                             |
| Sourcefire         | ✔                                  | ✗                  | ✗               | ✔                              | OEM through Blue Coat  | ✗                                 | Limited                             |
| Blue Coat          | ✔                                  | ✔                  | ✔               | ✔                              | ✔                      | ✔                                 | NGFW, IPS, SIEM and more            |

Handling Objections

We already have strong network security deployed
• Fortify perimeter security with closed-loop enforcement and blocking while integrating with existing malware analysis systems
• 78% of breaches took weeks/months/years to discover. 70% discovered by 3rd-parties. – VzB 2013
• Prevention alone falls short and will fail – these tools can only detect the known. No situational awareness, SSL traffic management, network forensics or effective incident response, as they lack retrospective L2-7 analysis and reconstruction

I already have a SIEM that does what you do
• SIEM tools do not provide contextual awareness or visibility into content and can only deliver metadata
• SIEM cannot offer risk management without full packet capture to deliver historical forensics

We need to buy NGFW and IPS before we buy Security Analytics or Malware Analysis
• Security Analytics provides the needed visibility—into all network activity and apps—that other tools can’t
• To uncover today’s threats, sandboxing is critical

This is not a budgeted project or priority
According to Gartner Research:
• By 2020, 60% of enterprise information security budgets will be allocated to rapid detection and response approaches — up from < 10% in 2014
• “Big Data Security Analytics will be needed to detect Advanced Targeted Attacks”

We already have either NetWitness, FireEye or are evaluating other solutions
• Security Analytics Platform has 3x less footprint compared to NetWitness and is scalable with a closed-loop architecture that includes blocking
• Blue Coat Content Analysis System improves the effectiveness of your FireEye appliance
• SSL Visibility helps manage risks by exposing encrypted threats

We already use network monitoring
• Traditional monitoring solutions do not provide the threat intelligence, sandboxing, analytics and forensics details that uncover the needed evidence to create an effective, closed-loop Lifecycle Defense

Deployment Options – Integrated Solution

Blocking and Prevention
• Blue Coat ProxySG Appliance, Software- and License-Based
• Blue Coat Content Analysis System

Dynamic Malware Analysis
• Blue Coat Malware Analysis Appliance

Visibility into SSL Traffic
• Blue Coat SSL Visibility Appliance inspects encrypted traffic

Security Analytics as CAPEX
• Security Analytics 2G and/or 10G Appliances
• Security Analytics Filesystem Capacity (optional)
• Security Analytics Central Manager Appliance
• Annual Maintenance for above items (required)
• ThreatBLADES for Security Analytics Subscriptions (optional)

Security Analytics as OPEX
• Security Analytics Software or Virtual Machine Subscription
• Security Analytics Filesystem Capacity Subscription
• Security Analytics Central Manager Software or VM Subscription (optional)
• ThreatBLADES for Security Analytics Subscriptions (optional)
• Enterprise License Agreement
• Volume License Agreement