Security Analytics Platform
Unifying Big Data Security Analytics, Security Visibility and Threat Intelligence for Advanced Threat Protection
Security Analytics Platform by Solera—an integral part of Blue Coat Advanced Threat Protection—gives security professionals clear and concise answers to the toughest security questions. This award-winning platform can be deployed on your hardware of choice, as pre-configured appliances or as a virtual appliance that records and classifies every packet of network traffic—from Layer 2 through Layer 7—while indexing and storing the data to provide comprehensive threat intelligence and post-breach analytics on any security event. The result is clear, actionable evidence for real-time situational awareness, continuous monitoring, advanced malware detection, security incident response, data loss monitoring and analysis, organization policy compliance, and security assurance.
Security Analytics Platform is the only solution that is flexible, cost-effective and hardware independent—while meeting the demands for high-performance and comprehensive advanced threat protection. This solution delivers:
- Flexible deployment options to optimize total cost of ownership (TCO) and minimize capital expenditures (CapEx)
- Certified 10 Gbps performance through a patented database supporting more than 2 million input/output operations per second (IOPS)
- Scalable storage options for large deployments (200+ terabytes)
- Full security visibility, much like deploying a security camera on your network
- Comprehensive deep packet inspection (DPI), classification, search and real-time file extraction for instant delivery of recognizable evidence of any security breach or malware attack
- Seamless integration with the Blue Coat ThreatBLADES to provide real-time intelligence on threats originating from web and file-based activity or delivered via advanced, targeted malware
- Direct integration with best-of-breed intrusion prevention systems (IPS), data loss prevention (DLP), security information and event management (SIEM), log management, next-generation firewalls, malware detonation tools, and more
- Gain full security visibility before, during and after an attack, and 100% situational awareness of any network activity
- Add full context to any alert from leading security solutions and understand the how, what, why
- Protect existing investments in leading security ecosystem technologies
- Simplify procurement through flexible licensing options: perpetual, term, or enterprisewide
- Avoid high-overhead capital investments with a cost-effective software-based deployment model
- Simplify and accelerate deployment and gain 20/20 visibility into all corners of the network
- Achieve faster time-to-action/response and a greater ability to minimize or eliminate the impact of security breaches
Security Analytics Dashboard
Security Analytics Dashboard gives you the freedom to create customized views for your different workflows. You can start with the pre-built defaults and modify them, or create your own by adding new report widgets that display summary data as a table, pie, bar, or column chart. Drag and drop widgets to create your preferred view. Whatever your preference, the summary view gives you complete situational awareness in a single view.
Actions and Alerts
The Actions and Alerts engine allows security professionals to automate notifications of targeted events in real time. Actions can be created for suspicious, malicious, or prohibited behavior, and the analyst is notified immediately when a rule triggers. Actions are written in the standard Berkeley Packet Filter (BPF) language, so you can easily create or import filters that trigger specific actions.
With Actions and Alerts, security analysts can automate common tasks such as checking traffic against a list of known bad sites, notification of unknown applications on the network, or alerting on the presence of encrypted traffic on non-standard ports. Automating established workflows saves valuable time, and the real-time alerts enable instant response and swift resolution of security events.
Every second matters when battling network security threats. The comprehensive reports available in the Security Analytics Platform allow you to pivot instantly from the summary view to a full report on any network activity recorded by the solution. Reports deliver instant and accurate information, giving you the freedom to work with results the moment they are returned and allowing you to respond to incidents as they unfold. Sample reports include Applications, Email Sender/Receiver, Social Persona, File Names, IPv4 Source / Destination, HTTP Referrer, and many more.
Root Cause Explorer
Root Cause Explorer is the incident responder’s “Easy Button.” Using extracted network objects, this tool reconstructs a timeline of suspect web sessions, emails, and chat conversations. By automatically enumerating these events, Root Cause Explorer helps the analyst quickly identify the source of an infection, attack, or compromise and reduces time-to-resolution.
Security Analytics integrates with freely available and commercial reputation and malware feeds. With a simple right-click, the analyst can check the integrity and reputation of any URL, IP address, file hash, or email address against multiple services at once. Current integrations include ISC/SANS, VirusTotal, and ClamAV, among others. Additional integrations are added on a regular basis.
Extractions and Artifacts
The Security Analytics Platform reconstructs recorded network traffic into the original documents, images, messages, and files that traversed the network, making full event reconstruction possible with impressive speed. Every packet is recorded, classified, and indexed, making quick discovery, reconstruction, and delivery of files in their original formats easy and intuitive. Reconstruct email attachments, Windows file transfers, PDF, Word, PowerPoint, Excel, and more, giving you full visibility into everything on your network.
In the artifact timeline view, the analyst can easily track file trends. Show all activity over time for a single user or all file-type activity over time for all users.
Web, Email, and Chat Reconstruction
See the web page as the user saw it. Review IM and email conversations for clues to identify the source of a security event. Because the Security Analytics Platform captures every packet crossing your network, users can reconstruct the historical view of a web page, not just follow a link to today’s current view. Many of today’s threats begin with a compromised website or a malicious link in an email or IM. Trace the threat back to its origin and view exactly what a user saw or clicked.
Nothing tells a story like a picture. When it comes to enforcing acceptable use policies, Media Panel lets you quickly view every image (along with all associated image metadata) that crosses your network and, more importantly, helps you identify who is viewing those images.
Favorites and Groups
Just like saving favorites in your browser, Security Analytics lets you save custom search queries or filters for future use. Quickly execute popular searches to uncover common threats, malware, or suspicious traffic. Import lists of open source or internally generated threat data to use in searches throughout all of your captured data to identify, correlate, and corroborate suspicious events or behavior. You can also pre-define criteria for active surveillance on an individual, server, or any network segment.
Once a favorite is defined, it can be used anywhere in the Security Analytics UI by entering its name in the filter bar. The platform includes many pre-configured common Favorites, which you can use as templates to customize and view quick and accurate results.
In addition to storing many days of full packet data for complete near-term analysis, security and incident responders prefer long-term trend analysis on network traffic to evaluate anomalous or suspicious behavior. Unfortunately, storing a full year of full packet data is often not realistic given the amount of storage required. With Configurable Metadata Retention, analysts can devote a portion of storage in a Security Analytics Appliance to full-packet capture and another portion to metadata storage. This allows an analyst to optimize their system to retain an appropriate window of full-packet data–maybe a week or month’s worth–while still allowing them to maintain a year’s worth of network metadata for long-term trending analysis.
PCAP Import allows the user to import data from any network sniffer into the Security Analytics Appliance for analysis with the same rich toolset as if the appliance had captured the data directly. Data can be imported from any industry-standard PCAP file. PCAP Import is a great tool for analyzing historical data, comparing captured data to a “known good” baseline, and playing captures back onto the wire to verify the effectiveness of remediation measures and policy enforcement tools.
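The Actions and Alerts rules described earlier and the PCAP Import feature above both come down to filter logic run over captured packets. The following Python script is an added illustration, not Solera or Blue Coat code, and it does not use the platform's own rule syntax (which the page does not show): it builds a small pcap file in memory from constructed Ethernet/IPv4/TCP frames using RFC 5737 documentation addresses, parses it with a minimal libpcap reader, and evaluates two of the rule types the text mentions, a known-bad-destination watchlist and a TLS ClientHello on a non-standard port, as plain Python predicates standing in for BPF filters. The watchlist, the port allow-list, and the sample packets are all constructed for the example.

```python
import struct
from ipaddress import ip_address

# Constructed watchlist and port allow-list (assumptions for this example, not product data).
BAD_SITES = frozenset({"198.51.100.23"})          # RFC 5737 TEST-NET-2 address
STANDARD_TLS_PORTS = frozenset({443, 465, 636, 993, 995, 8443})


def build_packet(src, dst, sport, dport, payload):
    """Build an Ethernet/IPv4/TCP frame carrying payload (checksums left at zero)."""
    ip_len = 20 + 20 + len(payload)
    ip_hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, ip_len, 0, 0, 64, 6, 0,
                         ip_address(src).packed, ip_address(dst).packed)
    tcp_hdr = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, 0x18, 65535, 0, 0)
    eth_hdr = b"\x00" * 12 + b"\x08\x00"           # zero MACs, EtherType IPv4
    return eth_hdr + ip_hdr + tcp_hdr + payload


def build_pcap(frames):
    """Serialize frames into libpcap format (little-endian, link type 1 = Ethernet)."""
    out = [struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)]
    for i, frame in enumerate(frames):
        out.append(struct.pack("<IIII", 1700000000 + i, 0, len(frame), len(frame)))
        out.append(frame)
    return b"".join(out)


def read_pcap(data):
    """Yield (timestamp, frame) from pcap bytes; accepts either byte order."""
    if data[:4] == b"\xd4\xc3\xb2\xa1":
        end = "<"
    elif data[:4] == b"\xa1\xb2\xc3\xd4":
        end = ">"
    else:
        raise ValueError("not a libpcap file")
    if struct.unpack(end + "I", data[20:24])[0] != 1:
        raise ValueError("only Ethernet link type handled here")
    off = 24
    while off + 16 <= len(data):
        ts_sec, ts_usec, incl_len, _ = struct.unpack(end + "IIII", data[off:off + 16])
        off += 16
        yield ts_sec + ts_usec / 1e6, data[off:off + incl_len]
        off += incl_len


def parse_tcp(frame):
    """Return (src, dst, sport, dport, payload) for an IPv4/TCP frame, else None."""
    if len(frame) < 34 or frame[12:14] != b"\x08\x00" or frame[23] != 6:
        return None
    ihl = (frame[14] & 0x0F) * 4
    tcp = frame[14 + ihl:]
    if len(tcp) < 20:
        return None
    sport, dport = struct.unpack("!HH", tcp[:4])
    doff = (tcp[12] >> 4) * 4
    return (str(ip_address(frame[26:30])), str(ip_address(frame[30:34])),
            sport, dport, tcp[doff:])


def looks_like_tls_client_hello(payload):
    """TLS record type 0x16 (handshake), major version 3, handshake type 1 (ClientHello)."""
    return len(payload) >= 6 and payload[0] == 0x16 and payload[1] == 0x03 and payload[5] == 0x01


# Each rule is (name, predicate over the parsed 5-tuple); a stand-in for a BPF-style filter.
RULES = [
    ("known-bad-destination", lambda p: p[1] in BAD_SITES),
    ("tls-on-nonstandard-port",
     lambda p: p[3] not in STANDARD_TLS_PORTS and looks_like_tls_client_hello(p[4])),
]


def run_alerts(pcap_bytes):
    """Replay a pcap through the rule set; return (rule, src, dst, dport) per hit."""
    alerts = []
    for _ts, frame in read_pcap(pcap_bytes):
        p = parse_tcp(frame)
        if p is None:
            continue
        alerts.extend((name, p[0], p[1], p[3]) for name, pred in RULES if pred(p))
    return alerts


CLIENT_HELLO = b"\x16\x03\x01\x00\x05\x01\x00\x00\x01\x00"   # constructed minimal record
SAMPLE_PCAP = build_pcap([
    build_packet("10.0.0.5", "192.0.2.10", 50000, 443, CLIENT_HELLO),                 # benign HTTPS
    build_packet("10.0.0.5", "198.51.100.23", 50001, 80, b"GET / HTTP/1.1\r\n\r\n"),  # watchlist hit
    build_packet("10.0.0.7", "203.0.113.9", 50002, 8080, CLIENT_HELLO),               # TLS on 8080
])

if __name__ == "__main__":
    for alert in run_alerts(SAMPLE_PCAP):
        print("ALERT %-24s %s -> %s:%d" % alert)
```

Running the script prints one line per hit: the HTTP request to the watchlisted address and the TLS handshake on port 8080, while the ordinary HTTPS session on 443 stays silent. The same `read_pcap` loop is what an import path needs, and swapping `SAMPLE_PCAP` for `open(path, "rb").read()` replays a real capture through the same rules.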
With the detailed geolocation mapping and Google® Earth integration you have an unprecedented view of the origin and destination for all network traffic. Identify patterns and concentrations of traffic traveling to and from non-traditional locations. Zoom in on specific paths and flag IP addresses, locations, or even countries that come across as suspicious. View abnormal traffic patterns, reducing your time to resolution, and export any network traffic as a .kml file to import directly into Google Earth.
No need to transfer huge PCAP files over the network. Security Analytics Platform includes a full-featured packet sniffer and analyzer integrated into the web interface. With the Wireshark filter syntax, you’ll never have to leave the intuitive UI to conduct your deep analysis. Filtered results are always one click away.
Not sure how to structure a query in the Security Analytics Platform? Auto-complete gives you a head start on creating effective search or display filters. For example, start typing “ipv” and you will be presented with proper search syntax options such as ipv4_destination, ipv4_initiator, ipv4_responder, etc.—allowing you to get the results you want quickly.