We live in a world with a constantly evolving threat landscape. While cloud and virtualization technologies have enabled rapid scaling of IT, the consequences of security breaches in such an environment are far-reaching. Security administrators have the very daunting task of protecting their IT assets from non-stop, sophisticated and constantly evolving, targeted attacks. These trends are substantiated by the following quantitative facts (Verizon Business 2013):
- 84% of attacks took just seconds, minutes or hours to compromise the network
- 78% of attacks took weeks, months or even years to discover
How do we address this challenge? Well, a solution designed to effectively combat sophisticated attacks must scale to provide the following capabilities:
- Visibility – Continuously classify, monitor and analyze a large portion of data center traffic to precisely identify and extract attributes of all communications – both between clients and servers (also known as “north-south” traffic) as well as high-bandwidth application-to-application (also known as “east-west”) traffic.
- Context – Reconstruct a timeline and artifacts of suspect web sessions, emails and protocol/application conversations to identify the root-cause of detected malicious activity by performing deep analytics. Extraction, reconstruction of artifacts and indexing of session-flow attributes is further enriched by real-time threat intelligence.
- Threat Intelligence – Automatic and constantly updated identification of known threats while providing optimized artifact submission for malware analysis and verdict tracking of novel threats.
Blue Coat & Big Switch Solution for Pervasive Security Monitoring
Blue Coat and Big Switch have partnered to solve this exact problem for customers. The joint solution offers the combined benefits of Blue Coat’s Security Analytics Platform and Big Switch’s SDN-based Big Tap Monitoring Fabric leveraging bare metal switches. Big Tap – next-generation network packet broker (NPB) – enables policy-driven filtering of enterprise-wide network traffic (both north-south and east-west traffic) and forwards traffic to the Security Analytics Platform. Security Analytics then analyzes network exchanges and detects activities associated with known malicious or suspect sites while providing an efficient architecture to analyze and detect novel threats. The joint solution helps to quickly identify advanced and targeted attacks that slip past traditional security tools while leveraging the benefits of a software defined network (SDN)-based fabric for an operationally simple, ultra-low cost, and scalable monitoring environment.
Figure 1: Enterprise-Wide Security Monitoring with Big Tap and Blue Coat Security Analytics Platform
How do IT Organizations benefit from this?
Security operations analysts receive alerts almost constantly. Being able to quickly triage those alerts to determine the urgency of response is critical. Visibility and context, coupled with DVR-like functionality for session-level details and packets, provide the complete before and after detail for expedient investigation.
If you are a security professional who constantly gets paged in the middle of the night to respond to security alerts, this joint solution presents a very compelling value proposition for the following reasons:
Flexible, Scale-out Deployment: Hundreds to thousands of 1G/10G/40G TAP and SPAN ports can be connected to the Big Tap Monitoring Fabric. Any network flow can be directed to any of the connected Blue Coat Security Analytics devices at any time. With this solution, customers can have a multi-fold increase in network traffic monitored for potential security breaches. Moreover, once a threat is detected by Security Analytics in primary data center(s), Big Tap’s remote monitoring capability allows security admins to assess threat exposure at remote DCs/POPs, colocation facilities as well as campus/branch locations by tunneling traffic across a L3 WAN on an as needed basis.
Massive Operational Simplicity: The solution is based on a logically centralized, SDN-based Big Tap Controller controlling and managing all fabric switches. The controller presents a single-pane-of-glass for all fabric-wide operations, policy and tenant management. Scaling of the fabric, tenants or policies can be done seamlessly with minimal operational overhead. The Security Analytics devices can access any data center flow through policies created on the controller.
Event-Triggered Monitoring / Forensic Analysis:Policies in the Big Tap Controller can be dynamically programmed by events that are triggered by the Security Analytics device (when malware is delivered or identified for example). One can set up policies for sending the “suspicious” traffic to additional Security Analytics devices, and have this trigger extended monitoring and analytics related to a victim host. This facilitates very efficient forensic analysis of potentially malicious traffic moving horizontally to infect other datacenter assets, with longer history analytics and capture yielding much better utilization of the storage resources required to scale for large implementations.
In a nutshell, the security operations and risk management teams can be assured that a much larger portion of the network can be monitored with this SDN + bare metal based solution and that a very efficient forensic process is facilitated in the event of potential security breaches. Setting up the necessary automation based on the severity of the alert enables real-time actions to be taken to reduce the risk and/or scope of the breach by having visibility where and when it’s needed. The solution can be deployed to provide precise visibility, context and intelligence, which are critical to determine the root cause and to identify pre and post malicious activity.
This joint solution will be showcased by Blue Coat and Big Switch Networks at the SDN & OpenFlow World Congress in Dusseldorf, Germany to be held Oct 14 – 17, 2014. We look forward to seeing you at the conference.
-- Prashant Gandhi (VP Product Management & Strategy) and Aubrey Merchant, Director, Security Strategy & Architecture, Blue Coat
- Blue Coat and Big Switch Joint Solution Brief. Click here
- Blue Coat Security Analytics Platform: Click here
- Big Tap 4.0: An SDN Replacement to Proprietary Network Packet Brokers (NPBs). Click here
- Register for a free, hands-on experience with Big Tap Monitoring Fabric: Try BSN Labs
- Register for an upcoming Webinar on Oct 17,2014 to learn more about Big Tap