
NEXT GENERATION SECURITY ANALYTICS: REAL WORLD USE CASES
KEY FEATURES AND NEW USES FOR THE BLUE COAT SECURITY ANALYTICS PLATFORM
WHITEPAPER
SECURITY ANALYTICS: MUCH MORE THAN NETWORK FORENSICS

Prior generations of security analytics products were mostly used as tools by incident response teams to perform retrospective analysis and forensics on breaches after the fact. This is still an important function, but today's security analytics solutions have evolved to deliver business value across a much broader range of circumstances, and to address a number of critical issues faced by IT and security teams of all sizes.

This white paper briefly discusses the need for security analytics, provides an overview of the next-generation security analytics platform offered by Blue Coat, and describes how a modern security analytics solution can address seven important, real-world use cases:

1. Situational awareness
2. Continuous monitoring
3. Security incident response and resolution
4. Advanced malware detection
5. Data loss monitoring and analysis
6. Web traffic monitoring and analysis
7. IT governance, risk management and compliance

[Figure: the seven use cases arranged around the platform: Situational Awareness; Continuous Monitoring; Security Incident Response and Resolution; Advanced Malware Detection; Data Loss Monitoring and Analysis; Web Traffic Monitoring and Analysis; IT Governance, Risk Management and Compliance]

© BLUE COAT SYSTEMS, INC
The Need for Security Analytics

Until recently, most enterprises relied primarily on preventative signature-based tools for network security, tools such as next-generation firewalls, intrusion prevention systems, secure web gateways, and network anti-malware gateways.

While these products can be effective against known threats, cybercriminals and hackers have developed many techniques to evade these products. These include zero-day attacks, polymorphic malware, encryption, targeted attacks that utilize social engineering, and advanced, persistent, multi-stage attacks. These techniques strike before signatures can be developed, obfuscate malware and attacks so they cannot be matched to signatures, or link together actions which individually appear to be legitimate.

Companies do not have adequate intelligence
• 59% of companies [surveyed] do not have adequate intelligence…about attempted attacks and their impact.
• 51% say their security solutions do not inform them…about the root causes of attacks.
• 55% of those who had lost sensitive or confidential information did not know exactly what data had been stolen.
Ponemon Institute: "Exposing the Cybersecurity Cracks: A Global Perspective, Part I," April 2014

Most IT security experts today agree that no enterprise can stop all security threats at the network perimeter. Instead, they must assume that some attacks will get through, and take appropriate measures to monitor activities and to detect patterns that indicate attacks. As Mike Rothman, President of IT security firm Securosis, states: "The difference between success and failure breaks down to how quickly you can isolate the attack, contain the damage, and then remediate the issue."

"We cannot assume we can stop the attackers, so we have to plan for a compromise. The difference between success and failure breaks down to how quickly you can isolate the attack, contain the damage, and then remediate the issue. So we build our core security philosophy around monitoring critical networks and devices, facilitating our ability to find the root cause of any attack."
Mike Rothman, President of Securosis, blog post

In fact, the need for better information about attacks is urgent. In one recent survey, more than half of enterprises reported that they did not have adequate intelligence about attacks and could not identify root causes. A third of them said they could not determine exactly what information had been lost when they had a data breach.

Overview of a "Next-Generation" Security Analytics Platform

Security Analytics solutions help organizations derive contextual and actionable intelligence from massive volumes of security and network data. They capture all types of data entering and leaving the network. They organize that data so that administrators, security analysts, incident responders, compliance officers and others can detect advanced threats in real-time, conduct detailed analysis, measure and remediate breaches, and prevent future compromises.

The key capabilities of the Blue Coat Security Analytics Platform include:

Full packet capture: Recording, classifying and indexing every packet that enters, leaves and travels within the network, even on today's high-speed networks.

Deep Packet Inspection: Visibility into all layers of the OSI stack from layer 2 to layer 7, including application data and payload data.

Application classification: Identifying traffic from specific commercial and custom applications, including application traffic over non-standard ports.

Real-time threat intelligence: Enriching analysis with real-time threat information feeds from the Blue Coat Global Intelligence Network (which compiles intelligence from 15,000 customers and 75 million endpoints) and other reputation feeds, from IP geo-location services, and from more than 40 industry-leading intelligence sources.
Session and object reconstruction: The ability to convert traffic from raw packets to meaningful artifacts like files, emails, instant messages, VoIP conversations and even complex PHP, Ajax and JavaScript files.

Context-aware security: Correlating meta-data about users, files and sessions with real-time threat information, and using the correlations to provide situational awareness and alerts.

Layer 2-7 analysis: Tools to analyze metadata about packets, ports, protocols, applications, user sessions and files.

Integration with traditional security products: Connectors and APIs to incorporate data from best-of-breed security and network technologies, including dynamic analysis ("sandboxing") products, next-generation firewalls, intrusion prevention systems, security information and event management products, and data loss prevention tools.

File brokering: Features to identify known threats and deliver only suspicious files to sandboxing technologies for optimized advanced malware analysis and threat detection.

Real-time alerting: The ability to create rules to notify designated administrators and security staff when suspicious and prohibited behaviors are detected, or when baseline thresholds are exceeded.

Playback: Facilities to replay network traffic and transmit captured data flows to third party tools for further analysis.

Root cause exploration: Reconstruction of complete attack timelines, pinpointing the root cause attributes and metadata of an attack such as the originating file, server or user.

Dashboards and centralized management: Tools to see threats and trends at a glance, and to monitor thousands of network segments from a single pane of glass.

Use Case #1: Situational Awareness

"Situational awareness (SA) is the ability to extract information from the environment, integrate that information with relevant internal knowledge, and use the resulting mental picture to anticipate future events."1

For information security professionals, situational awareness means being able to extract and decipher as much information as possible from networks, to have the tools to differentiate suspicious behaviors and anomalies from legitimate computing activities, and to generate actionable intelligence from that analysis. Essentially it is having the data and tools to visualize all network-related events, to establish what is normal, and to recognize departures from normality.

Those are exactly the capabilities provided by a next-generation security analytics solution. Security professionals can take advantage of features like full packet capture, deep packet inspection, application classification and session and object reconstruction to obtain complete visual insight into packets, protocols, network flows, files and applications across the entire network. Through next generation security analytics features such as artifact timelines, media panel displays, geolocation, inferential reporting and other analysis tools, they gain complete visibility into all aspects of their operational domain.

For example, a security analytics solution might show archived files being transmitted via FTP from an internal PC to a server in a location known to harbor cybercriminals. It could flag this as suspicious activity, and even reconstruct the files and the network sessions. A security analyst could use this information to determine if the file transfers represented ordinary business activity or were part of an advanced attack.
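The FTP scenario just described (archive files leaving an internal host for a server in a high-risk location) is the kind of rule that the real-time alerting and geolocation features are meant to express. The Python below is an added example written for this page, not code from the original white paper or from the Blue Coat product: it runs a simple version of that rule over constructed session metadata, grouping outbound FTP archive transfers by source host and destination country and alerting once a group passes a size threshold. The record format, the internal address ranges, the geolocation table, the high-risk country list and the 1 MiB threshold are all assumptions made for the example.

```python
from __future__ import annotations

import ipaddress
from collections import defaultdict
from dataclasses import dataclass

# Constructed sample input standing in for session metadata extracted from a
# packet capture. Assumed format: epoch|src_ip|dst_ip|protocol|filename|bytes
SAMPLE_SESSIONS = """\
1404200000|10.1.4.22|203.0.113.10|ftp|q2_report.zip|5242880
1404200030|10.1.4.22|203.0.113.10|ftp|q2_report.7z|7340032
1404200100|10.1.4.22|198.51.100.7|ftp|readme.txt|2048
1404200200|10.1.7.9|192.0.2.44|ftp|backup.tar.gz|104857600
1404200300|10.1.7.9|10.1.200.5|smb|backup.tar.gz|104857600
1404200400|10.1.4.22|192.0.2.44|http|index.html|512
1404200500|10.1.9.3|203.0.113.77|ftp|notes.zip|4096
"""

ARCHIVE_EXTENSIONS = (".zip", ".7z", ".rar", ".tar", ".gz", ".tgz")
INTERNAL_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
# Constructed stand-in for an IP geo-location feed; the country codes are placeholders.
GEO_BY_NET = {
    ipaddress.ip_network("203.0.113.0/24"): "XX",
    ipaddress.ip_network("198.51.100.0/24"): "US",
    ipaddress.ip_network("192.0.2.0/24"): "YY",
}
HIGH_RISK_COUNTRIES = {"XX", "YY"}     # assumption: analyst-maintained watchlist
ARCHIVE_BYTES_THRESHOLD = 1024 * 1024  # assumption: alert above 1 MiB of archives per source and country


@dataclass(frozen=True)
class Session:
    ts: int
    src: ipaddress.IPv4Address | ipaddress.IPv6Address
    dst: ipaddress.IPv4Address | ipaddress.IPv6Address
    proto: str
    filename: str
    nbytes: int


def parse_sessions(text: str) -> list[Session]:
    sessions = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        ts, src, dst, proto, fname, nbytes = line.split("|")
        sessions.append(Session(int(ts), ipaddress.ip_address(src),
                                ipaddress.ip_address(dst), proto.lower(), fname, int(nbytes)))
    return sessions


def is_internal(ip) -> bool:
    return any(ip in net for net in INTERNAL_NETS)


def country_of(ip) -> str:
    for net, cc in GEO_BY_NET.items():
        if ip in net:
            return cc
    return "??"  # no geolocation match


def is_archive(filename: str) -> bool:
    return filename.lower().endswith(ARCHIVE_EXTENSIONS)


def find_suspicious_archive_transfers(sessions: list[Session]) -> list[dict]:
    """Group outbound FTP archive transfers by (source, destination country) and
    return one alert per group whose total size exceeds the threshold."""
    totals: dict[tuple[str, str], int] = defaultdict(int)
    files: dict[tuple[str, str], list[str]] = defaultdict(list)
    for s in sessions:
        if s.proto != "ftp" or not is_archive(s.filename):
            continue
        if not is_internal(s.src) or is_internal(s.dst):
            continue  # only internal-to-external transfers are in scope here
        cc = country_of(s.dst)
        if cc not in HIGH_RISK_COUNTRIES:
            continue
        key = (str(s.src), cc)
        totals[key] += s.nbytes
        files[key].append(s.filename)
    alerts = []
    for (src, cc), nbytes in sorted(totals.items()):
        if nbytes > ARCHIVE_BYTES_THRESHOLD:
            alerts.append({"src": src, "country": cc, "bytes": nbytes, "files": files[(src, cc)]})
    return alerts


if __name__ == "__main__":
    for a in find_suspicious_archive_transfers(parse_sessions(SAMPLE_SESSIONS)):
        print(f"ALERT {a['src']} -> {a['country']}: {a['bytes']} bytes in {a['files']}")
```

The small notes.zip transfer falls under the threshold and is not alerted, and destinations with no geolocation match are deliberately left out of the watchlist logic; in practice an analyst decides whether an unmapped destination should count as suspicious, and the threshold is derived from an observed baseline rather than a fixed constant, which is what the text means by establishing what is normal before looking for departures from it.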
For more information on the features of the Security Analytics Platform, please see the solution brief, data sheet and white papers at http://www.bluecoat.com/products/atp-security-analytics-platform.

An Example: Situational Awareness in the Military

An organization in the U.S. armed forces uses Blue Coat Security Analytics Platform to monitor the Internet traffic of a large group of military analysts and ensure that their activities are consistent with each person's role and security privileges.

1 Dominguez, C., Vidulich, M., Vogel, E. & McMillan, G. (1994). Situation awareness: Papers and annotated bibliography. Armstrong Laboratory, Human System Center, ref. AL/CF-TR-1994-0085.
Use Case #2: Continuous Monitoring

Continuous monitoring is the ability to capture, index and play back all network data, and to provide administrators and security professionals with timely, targeted and prioritized information.

While the idea of continuous monitoring sounds simple, it is difficult to put into practice in today's enterprises. A modern security analytics solution needs to be able to capture all types of data, not just security events. It must be able to handle gigabytes of network traffic every second without losing a packet, and to provide the capacity to store hundreds of terabytes or even petabytes of data.

When continuous monitoring is implemented, it provides tremendous benefits, resembling those of a security camera in a bank. Analysts can "play back" network activities related to an attack in their chronological sequence. This unique capability of security analytics solutions provides deep insights into attacks, helps assess the damage done by breaches, and lets analysts go back in time to determine the full scope of the attacks.

Continuous Monitoring at a Leading Financial Firm

A large investment bank uses Blue Coat Security Analytics Platform to monitor a dozen international locations and to achieve complete visibility into network traffic, users and data. The Security Analytics Platform also provides context to information available from other security systems, including a third-party sandbox product, Blue Coat ProxySG, and the Blue Coat SSL Visibility Appliance. These capabilities have significantly reduced incident response times.

Use Case #3: Security Incident Response and Resolution

Security incident response, which involves quickly analyzing, identifying and resolving cyber attacks and breaches, remains the most popular use case for security analytics solutions.

A security analytics solution provides incident responders with invaluable tools for incident response, including session and object reconstruction, session playback, root cause exploration, and integration with other security products such as SIEM and next-generation firewall systems. These tools help answer questions such as:

• Who is responsible for the attack and what exactly did they do?
• What systems were affected and what data was compromised?
• Is the attack continuing, and if so, how can we stop it immediately?
• Is the attack over, and if so, how can we prevent a recurrence?

This is an area where time-to-resolution is critical. Many attacks are persistent, and in many cases costs to the enterprise are proportional to the length of time the attack remains undiscovered. The longer the attack lasts, the greater the number of credentials that will be captured, the more systems and applications that will be compromised, and the higher the volume of sensitive data that will be exfiltrated.

By providing precise, actionable intelligence faster, a security analytics solution produces savings in revenue, corporate reputation, breach notification costs and fines, and clean-up costs.

Next-Generation Security Analytics Solutions can reduce mean-time to resolution by up to 85%.2

2 Based on Blue Coat customer case studies.
Incident Response at a Major Online Retailer

"…using root cause analysis from [Blue Coat], we were able to pinpoint how the exploit occurred, understand the full scope of the problem, and completely prevent that exploit from ever happening again..."

A large online retailer built its security operations center and incident response process around the Security Analytics Platform. They use it to identify malicious activity inside and outside the network, to pinpoint all compromised systems through root cause analysis, and to conduct assurance testing on preventative controls by replaying attacks in a lab environment. The Security Analytics Platform provides much-needed context to alerts, including alerts from their new advanced malware analysis appliances.

Use Case #4: Advanced Malware Detection

Until recently, security analytics solutions were brought into play after a breach had been detected, and used almost exclusively for retrospective analysis and forensics. But that has changed. Blue Coat has added real-time threat detection to the Security Analytics Platform with add-on software modules called Blue Coat ThreatBLADES.

ThreatBLADES provide real-time threat intelligence services. Each one is optimized to scan specific protocols (HTTP, SMTP, POP3, Webmail, FTP, etc.), detect and extract objects (files, URLs, IP addresses, etc.), inspect and categorize those objects as good, bad (malicious), or unknown, and take appropriate actions in real-time.

Those actions can include alerting administrators in real time to malware, querying the Blue Coat Global Intelligence Network about unknown files, "brokering" unknown files to Blue Coat's Malware Analysis Appliance for detailed analysis in a "sandbox," and adding file signatures to a white list or black list.

Malware is often a component of advanced multi-stage attacks. By identifying malware in real time, ThreatBLADES help security analysts and incident responders get a jump on finding and analyzing advanced threats and zero-day attacks.

For more information on Blue Coat ThreatBLADES and how they help with malware detection, see the white paper Security Analytics Moves to Real-Time Protection.
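The good/bad/unknown triage and the file brokering described above (and listed earlier under the platform's key capabilities) can be shown as a small pipeline. The Python below is an added example written for this page, not Blue Coat's ThreatBLADES code: it hashes each extracted object, matches it against a deny list and an allow list, queues only unknown hashes for sandbox analysis (once per hash, however many times the same file is seen), and feeds sandbox verdicts back into the lists so the next sighting is a direct hit. The sample objects, the initial list contents and the Broker API are assumptions made for the example.

```python
from __future__ import annotations

import hashlib
from dataclasses import dataclass, field

# Constructed sample objects, as an extractor might pull them out of HTTP or
# SMTP sessions. The contents are placeholders, not real files or malware.
EXTRACTED_OBJECTS = [
    ("invoice.pdf", b"%PDF-1.4 known good sample"),
    ("setup.exe", b"MZ known bad sample"),
    ("quarterly.xlsx", b"PK unknown sample A"),
    ("quarterly.xlsx", b"PK unknown sample A"),  # the same unknown file seen a second time
    ("update.bin", b"unknown sample B"),
]


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


# Assumed initial list contents; in a deployment these would come from a
# reputation feed such as the intelligence network named in the text.
KNOWN_GOOD = {sha256_hex(b"%PDF-1.4 known good sample")}
KNOWN_BAD = {sha256_hex(b"MZ known bad sample")}


@dataclass
class Broker:
    good: set[str] = field(default_factory=set)
    bad: set[str] = field(default_factory=set)
    submitted: set[str] = field(default_factory=set)  # hashes awaiting a sandbox verdict
    alerts: list[str] = field(default_factory=list)
    sandbox_queue: list[tuple[str, str]] = field(default_factory=list)

    def classify(self, digest: str) -> str:
        # The deny list wins if a hash somehow appears in both lists.
        if digest in self.bad:
            return "bad"
        if digest in self.good:
            return "good"
        return "unknown"

    def broker(self, filename: str, data: bytes) -> str:
        """Triage one extracted object and return its verdict."""
        digest = sha256_hex(data)
        verdict = self.classify(digest)
        if verdict == "bad":
            self.alerts.append(f"{filename} sha256={digest[:16]}... matches deny list")
        elif verdict == "unknown" and digest not in self.submitted:
            # Broker only unknown objects, and each unknown hash only once.
            self.submitted.add(digest)
            self.sandbox_queue.append((filename, digest))
        return verdict

    def apply_sandbox_verdict(self, digest: str, malicious: bool) -> None:
        """Feed a dynamic-analysis result back so the next sighting is a list hit."""
        (self.bad if malicious else self.good).add(digest)
        self.submitted.discard(digest)


def run_demo() -> Broker:
    b = Broker(good=set(KNOWN_GOOD), bad=set(KNOWN_BAD))
    for name, data in EXTRACTED_OBJECTS:
        b.broker(name, data)
    # Pretend the sandbox reported on the first queued object.
    _, digest = b.sandbox_queue[0]
    b.apply_sandbox_verdict(digest, malicious=True)
    return b


if __name__ == "__main__":
    broker = run_demo()
    print("alerts:", broker.alerts)
    print("queued for sandbox:", broker.sandbox_queue)
```

A hash list only recognizes exact copies of a file, which is why the polymorphic malware mentioned at the start of the paper defeats list matching on its own; the unknown bucket exists precisely so that anything not yet seen is analyzed dynamically rather than passed through, and the once-per-hash rule keeps a noisy file from flooding the sandbox.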

[Figure: Security Analytics combines many forms of threat intelligence to deliver accurate and complete malware detection and analysis. Security Analytics sits at the center, drawing on the Global Intelligence Network, Dynamic Malware Sandboxing, a Built-in Knowledge-base, and Threat Intelligence Services.]
Use Case #5: Data Loss Monitoring and Analysis

In the Ponemon Institute study mentioned earlier, more than a third of IT managers reported that when their company had a data breach they could not determine exactly what information had been lost.

The ability to precisely identify data losses can produce major cost savings. Breach notification costs and regulatory fines are often proportional to the amount of data compromised in an attack. Enterprises can realize large savings by demonstrating that only a few files were exfiltrated, and not an entire file store, or that only a small portion of a database was accessed by the attacker. Also, identifying exactly what systems have been compromised in an attack can dramatically reduce post-breach clean-up costs.

The Security Analytics Platform provides a powerful set of tools to determine the full extent of attacks and data losses. For example, administrators and security analysts can monitor and record all the common media used to exfiltrate sensitive data, such as emails, file attachments, instant messages, chat sessions, web activity and other traffic arriving and leaving the network. They can quickly evaluate any session that appears to be suspicious. They can monitor database queries and file requests, relate them to their sources, and then "pivot" to reconstruct all of the activities carried out by those sources. Incident responders can list and recreate all of the files accessed over the course of a persistent attack, and view the sequence of all of the emails, SMS messages and files exchanged during a phishing attack.

The Security Analytics Platform also reduces the extent and duration of attacks by working with data loss prevention (DLP) products to issue real-time alerts when sensitive files and data leave the network.

Data Loss Monitoring at a Leading-Edge Technology Company

A technology company with world-famous consumer electronics products and a soaring stock price uses Blue Coat Security Analytics Platform to ensure that employees and contractors do not leak intellectual property, confidential business plans or corporate financial information. They also use it to determine material impact when information leakage does occur.

Use Case #6: Web Traffic Monitoring and Analysis

Most web traffic monitoring is performed by secure web gateways, next-generation firewalls, and other technologies that inspect web traffic. However, security analytics solutions also play an important role in this area.

The Blue Coat WebThreat BLADE, one of the ThreatBLADES discussed in the Advanced Malware Detection use case, monitors HTTP traffic (and HTTPS traffic decrypted by the Blue Coat SSL Visibility Appliance). It uses IP, URL, domain, and file reputation information, together with threat intelligence from the Blue Coat Global Intelligence Network, to identify traffic to and from botnets, command-and-control (CnC) callbacks, and evidence of web-based advanced persistent threats (APTs). The WebThreat BLADE can also help enforce web usage policies by monitoring access to web sites that fall into categories such as gambling, shopping, pornography and entertainment.

The Security Analytics Platform also allows administrators to create rules to identify indicators of compromise (IOCs) based on anomalous web traffic patterns and inferential reporting. Information about advanced web attacks can be relayed to secure web gateways to thwart further attacks.

Evasive Botnet Detected and Crushed

The Blue Coat Threat Research Team used the Security Analytics Platform to identify a malicious botnet, as well as all the victim hosts that were communicating with the botnet's command and control servers across the globe. Government authorities used this information to take down the botnet servers and all associated domains.
Use Case #7: IT Governance, Risk Management and Compliance

Enterprises need to ensure that employees and other computer users comply with acceptable use policies (AUPs), and to demonstrate to auditors and regulators that they are in compliance with government and industry regulations and standards.

Security analytics solutions play a major role in enforcing and proving compliance with organizational policies. Through application classification, they can quickly identify employees using unapproved applications or using applications in ways that violate policies (for example, exporting files through a chat service). They can monitor users and sessions accessing databases and file stores holding confidential information, to identify unauthorized access. In the event that there is a data breach or policy violation, the complete record of all network activity is used to determine exactly what information has been lost (see the discussion of Data Loss Monitoring and Analysis).

The Security Analytics Platform also includes a "media panel" that lets administrators monitor images, audio files and video files, to ensure that employees are not viewing inappropriate or illegal content, or abusing online games and entertainment media during work hours.

[Figure: A media panel helps administrators find policy violations related to images, audio files and video files]

Continuous Monitoring, Situational Awareness and Risk Mitigation

Situational awareness through full network visibility is a key means for mitigating risk. In testimony about real risk reduction to come about through continuous monitoring, the State Department reports a 90 percent improvement in its risk posture after implementing a continuous monitoring program.
SANS Institute: Continuous Monitoring: What It Is, Why It Is Needed, and How to Use It
Summary

Today, a security analytics solution like the Blue Coat Security Analytics Platform is for much more than just network forensics. In fact, it provides substantial value for seven use cases:

1. Situational awareness: Security professionals gain complete 360°, 20:20 visibility into their operational domain. The Blue Coat Security Analytics Platform delivers unprecedented views and visual insights into all activity on an enterprise network.

2. Continuous monitoring: The Security Analytics Platform is like a security camera for networks. Security analysts can have access to terabytes of all types of historical network and security data, and can play back any activity of interest at the click of a button.

3. Security incident response and resolution: Blue Coat's security analytics solution provides incident responders with invaluable tools such as session and object reconstruction, session playback and root cause exploration. These tools allow them to quickly and accurately answer critical post-breach "who?", "why?", "what?", "when?", and "how?" questions and greatly reduce time-to-resolution.

4. Advanced malware detection: Blue Coat ThreatBLADES, which run on the Security Analytics Platform, can detect and extract files from traffic on all major protocols, send alerts when malware is detected, and send unknown files to a "sandbox" for dynamic malware analysis.

5. Data loss monitoring and analysis: The Blue Coat Security Analytics Platform allows administrators to monitor and extract all files leaving an enterprise network, across communication channels such as email, HTTP uploads, instant messaging chats and more. Along with a built-in alerting system, this provides a powerful capability for corporations worried about sensitive data loss.

6. Web traffic monitoring and analysis: Blue Coat's security analytics solution provides detailed web traffic analysis to identify advanced web-based threats, including botnets, command and control activity, malicious websites, embedded malware and more.

7. IT governance, risk management and compliance: The Blue Coat Security Analytics Platform can monitor application use and data access to ensure that employees are complying with company and government policies. It also allows policy owners such as Human Resources Directors and Chief Financial Officers to demonstrate compliance with government regulations and industry standards.

For more information on the concepts and products discussed in this white paper, please visit the Security Analytics Platform section of the Blue Coat website, and try the Security Analytics Virtual Appliance for 30 days.

© 2014 Blue Coat Systems, Inc. All rights reserved. Blue Coat, the Blue Coat logos, ProxySG, PacketShaper, CacheFlow, IntelligenceCenter, CacheEOS, CachePulse, Crossbeam, K9, the K9 logo, DRTR, Mach5, Packetwise, Policycenter, ProxyAV, ProxyClient, SGOS, WebPulse, Solera Networks, the Solera Networks logos, DeepSee, "See Everything. Know Everything.", "Security Empowers Business", and BlueTouch are registered trademarks or trademarks of Blue Coat Systems, Inc. or its affiliates in the U.S. and certain other countries. This list may not be complete, and the absence of a trademark from this list does not mean it is not a trademark of Blue Coat or that Blue Coat has stopped using the trademark. All other trademarks mentioned in this document owned by third parties are the property of their respective owners. This document is for informational purposes only. Blue Coat makes no warranties, express, implied, or statutory, as to the information in this document. Blue Coat products, technical services, and any other technical data referenced in this document are subject to U.S. export control and sanctions laws, regulations and requirements, and may be subject to export or import regulations in other countries. You agree to comply strictly with these laws, regulations and requirements, and acknowledge that you have the responsibility to obtain any licenses, permits or other approvals that may be required in order to export, re-export, transfer in country or import after delivery to you.

Blue Coat Systems Inc.
www.bluecoat.com

Corporate Headquarters
Sunnyvale, CA
+1.408.220.2200

EMEA Headquarters
Hampshire, UK
+44.1252.554600

APAC Headquarters
Singapore
+65.6826.7000

v.WP-NEXT-GEN-SECURITY-ANALYTICS:REAL-WORLD-USE-CASES-EN-v1d-0714