Security Empowers Business
SOLUTION BRIEF
Challenge
A threat event is often just the start of an intense incident response process. When such an event occurs, the
security team must move quickly to verify a compromise, prevent malware propagation, and most importantly,
block extraction of sensitive data. However, taking such action requires more context than is typically included
in the records of even a sophisticated operational intelligence platform such as Splunk Enterprise. How was the
user manipulated into clicking a malware link? After the download, did the client connect to a botnet and was
sensitive data leaked? Quickly understanding what happened before, during, and after an attack event is critical
to effective incident response.
Solution Overview
The Blue Coat Security Analytics Platform provides Splunk Enterprise
with the context that incident response teams need to quickly respond to
threats with targeted precision.
Splunk Enterprise provides an easy, fast and secure way to analyze
the massive streams of machine data generated by IT systems and
technology infrastructure – whether it’s physical, virtual or in the cloud.
Blue Coat’s Security Analytics Splunk App allows Splunk to import
metadata and alert information for all the traffic being recorded by the
Security Analytics Platform in your network architecture.
When Splunk is being used as the single pane of glass, it provides
security analysts, incident responders, and network and security
operations personnel with views into several overview and threat
dashboards. Overview dashboards show top network and web access, so
you can see which activity is most common on your network and who the
top internal and external users are. These grouped network views help
provide situational awareness across the different layers of network
connections. The Threat Dashboard displays information generated
from the Blue Coat ThreatBLADES or threat intelligence actions. The
information is clickable to pivot directly from Splunk to the Security
Analytics user interface to further search or look up context information
around the security event reported by Splunk.
The Security Analytics Platform extracts and reconstructs every detail
associated with advanced malware and zero-day threats – including
source and destination IPs, every packet, flow, file, application, and server
information. Combining Security Analytics with the Blue Coat Malware
Analysis Appliance provides Splunk Enterprise with details of previously
unknown malware that has been thoroughly analyzed by next-generation
sandboxing and malware detonation.
Security Analytics also leverages the Blue Coat Global Intelligence
Network – aggregated threat intelligence from 15,000 customers and
75 million users – and Blue Coat ThreatBLADES that provide instant,
actionable intelligence on web, email, or file-based threats. Armed with
this analysis, incident response teams can assess damage, contain
malware, mitigate data loss, and prevent subsequent attacks by fortifying
the network.
How it Works
The Blue Coat Security Analytics Platform acts like a security camera
on the network, using network taps or SPAN ports to record and index
full packet captures of all activity – even on today’s fastest networks.
The Security Analytics App for Splunk imports all event metadata and
alert information through the Security Analytics open API. The data is
returned as Splunk events.
The Splunk App provides several dashboards to view the events that
have been ingested and also adds a powerful “Investigate” button to

BLUE COAT TECHNOLOGY PARTNER: SPLUNK
Partner: Splunk
Partner Product: Splunk Enterprise
Blue Coat Product: Security Analytics Platform