Security Empowers Business
SOLUTION BRIEF
Challenge
A threat event is often just the start of an intense incident response process. When such an event occurs, the
security team must move quickly to verify a compromise, prevent malware propagation, and most importantly,
block extraction of sensitive data. However, taking such action requires more context than is typically included
in the records of even a sophisticated operational intelligence platform such as Splunk Enterprise. How was the
user manipulated into clicking a malware link? After the download, did the client connect to a botnet and was
sensitive data leaked? Quickly understanding what happened before, during, and after an attack event is critical
to effective incident response.
Solution Overview
The Blue Coat Security Analytics Platform provides Splunk Enterprise
with the context that incident response teams need to quickly respond to
threats with targeted precision.
Splunk Enterprise provides an easy, fast and secure way to analyze
the massive streams of machine data generated by IT systems and
technology infrastructure – whether it’s physical, virtual or in the cloud.
Blue Coat’s Security Analytics Splunk App allows Splunk to import
metadata and alert information for all the traffic being recorded by the
Security Analytics Platform in your network architecture.
When Splunk is being used as the single pane of glass, it provides
security analysts, incident responders, and network and security
operations personnel with views into several overview and threat
dashboards. Overview dashboards provide top network and web access
for viewing what activity is most common on your network and who the
top internal and external users are. These grouped network views help
provide situational awareness across the different layers of network
connections. The Threat Dashboard displays information generated
from the Blue Coat ThreatBLADES or threat intelligence actions. The
information is clickable to pivot directly from Splunk to the Security
Analytics user interface to further search or look up context information
around the security event reported by Splunk.
The Security Analytics Platform extracts and reconstructs every detail
associated with advanced malware and zero-day threats – including
source and destination IPs, every packet, flow, file, application, and server
information. Combining Security Analytics with the Blue Coat Malware
Analysis Appliance provides Splunk Enterprise with details of previously
unknown malware that has been thoroughly analyzed by next-generation
sandboxing and malware detonation.
Security Analytics also leverages the Blue Coat Global Intelligence
Network – aggregated threat intelligence from 15,000 customers and
75 million users – and Blue Coat ThreatBLADES that provide instant,
actionable intelligence on web, email, or file-based threats. Armed with
this analysis, incident response teams can assess damage, contain
malware, mitigate data loss, and prevent subsequent attacks by fortifying
the network.
How it Works
The Blue Coat Security Analytics Platform acts like a security camera
on the network, using network taps or SPAN ports to record and index
full packet captures of all activity – even on today’s fastest networks.
The Security Analytics App for Splunk imports all event metadata and
alert information using the open API into Security Analytics. The data is
returned as Splunk events.
The Splunk App provides several dashboards to view the events that
have been ingested and also adds a powerful “Investigate” button to
each event found in Splunk. With a single click, users can pivot from any
network event in Splunk to the full packet and payload within Security
Analytics. This captured packet data can then be analyzed to provide
context that enables rapid response to Splunk attack alerts. For example,
when Splunk generates a high-priority alert within its user interface, event
parameters are seamlessly passed to the Security Analytics Platform,
which responds with a complete analysis detailing what occurred before,
during and after the event. The Splunk user can even recreate actual
artifacts (documents, executables, files, etc.) from stored packet data.
BLUE COAT TECHNOLOGY PARTNER: SPLUNK
Partner: Splunk
Partner Product: Splunk Enterprise
Blue Coat Product: Security Analytics Platform
© 2014 Blue Coat Systems, Inc. All rights reserved. v.SB-TECHPARTNER-SPLUNK-EN-v1a-1014
Key advantages include:
• Providing data from Security Analytics Platform/Malware Analysis Appliance into Splunk for the analyst who uses Splunk as their primary interface for incident investigations (i.e., the analyst in a SOC)
• Allowing users to take Security Analytics Platform/Malware Analysis Appliance data and create their own dashboards or import the data into other dashboards for deeper context of events
• Efficient workflow by pivoting directly from Splunk into Security Analytics with specific information that has been pre-filtered for that alert – speeding analysis and root cause discovery
Many security events are suspicious but may not be definitive attacks.
For example, a Splunk event may indicate an executable shell-code
download. This may be an attack, or it may be legitimate. To clarify, the
Security Analytics Platform provides an immediate reputation analysis
of the captured file that includes scan results from third-party virus
databases and the Global Intelligence Network. If the file is not known to
the Global Intelligence Network or virus databases, it can be forwarded
to the Malware Analysis Appliance or third-party sandboxing solution for
deeper analysis. In either case, the response team is armed with the data
it needs to verify and isolate threats within minutes.
By reconstructing what happened before a compromise, the Security
Analytics Platform determines the root cause and provides the intelligence
needed to prevent others on the network from falling victim to the same
attack. For example, Security Analytics Platform analysis of host activity
prior to a malware download may reveal that the root cause was a bogus
Facebook URL sent to users via instant messaging (IM). In this case, the
Security Analytics Platform identifies the source IM account, IM content,
bogus URL, URL reputation, and more. It can also use captured HTML
to recreate the bogus Facebook page as it appeared at the time of the
incident. With this context, the incident response team can prevent
recurrences by shutting down the source IM account, blocking IM
traffic, and blocking the malicious URL. They can even prevent future
compromises by educating employees with sample IM content and
screen shots of the bogus Facebook page.
By reconstructing what happened after a Splunk event, the Security
Analytics Platform can assess damage that may have already occurred
within the corporate network and prevent data loss going forward. Did
a compromised host connect to a botnet and if so, did it send sensitive
data? Did it connect to other internal hosts to collect data or spread
malware? The Security Analytics Platform quickly answers these and
other post-event questions across thousands of hosts without manually
collecting and analyzing data from each individual host.
Business benefits of the joint Blue Coat and Splunk solution include the ability to:
• Save critical time and effort by quickly determining false positive network threat alerts
• Significantly reduce the manual effort involved in identifying, isolating and remediating potential threats
• Identify the root cause, significantly reduce the time-to-resolution and contain malicious threats such as unknown malware before any serious network damage is done
• Prevent sensitive network data loss and ensure compliance with regulations such as Continuous Monitoring, HIPAA, PCI and SOX
About Splunk
Splunk Inc. (NASDAQ: SPLK) provides the leading software platform for
real-time Operational Intelligence. Splunk® software searches, monitors,
analyzes and visualizes machine-generated big data coming from
websites, applications, servers, networks, sensors and mobile devices.
More than 7,900 organizations use Splunk software to deepen business
and customer understanding, mitigate cybersecurity risk, prevent fraud,
improve service performance and reduce costs. Splunk products include
Splunk Enterprise, Splunk Cloud™, Splunk Storm®, Hunk™: Splunk
Analytics for Hadoop and premium Splunk Apps. To learn more, please
visit http://www.splunk.com/company.
For More Information
Learn more about Blue Coat technology partners on our website.
