Security Analytics 7.1.x Release Notes

Cumulative Release Notes: Security Analytics 7.1.x
This document contains all of the release notes for Security Analytics 7.1.x in reverse chronological order:
Release Notes: Security Analytics 7.1.8 (page 2)
Release Notes: Security Analytics 7.1.7 (page 3)
Release Notes: Security Analytics 7.1.6 (page 4)
Release Notes: Security Analytics 7.1.5 (page 5)
Release Notes: Security Analytics 7.1.4 (page 8)
Release Notes: Security Analytics 7.1.3 (page 10)
Release Notes: Security Analytics 7.1.1 (page 13)
Release Notes: Security Analytics 7.1.0 (page 14)
Note
There was no 7.1.2 release.
For more information contact Blue Coat Support: www.bluecoat.com/support/technical-support/contact-service-support
1 of 19
Copyright © 2015 Blue Coat Systems, Inc. All rights reserved worldwide. No part of this document may be reproduced by any means nor translated to any electronic medium without the written consent of Blue Coat
Systems, Inc. Blue Coat, ProxySG, PacketShaper, CacheFlow, IntelligenceCenter and BlueTouch are registered trademarks of Blue Coat Systems, Inc. in the U.S. and worldwide. All other trademarks mentioned in this
document are the property of their respective owners.
Release Notes: Security Analytics 7.1.8
Blue Coat Security Analytics Platform 7.1.8 is a patch release to address a few vulnerabilities and to provide some minor fixes.
Changes
• Customized pivot-only reputation-providers can be added.
• High traffic was filling log space too quickly.
• FireEye results were not being processed properly.
• Only the first-selected sensor was sending packet analyzer data to the CMC.
• Some files were not being extracted correctly.
• PowerPoint files were being extracted as ZIP files.
• Some MAA ZIP-file tasks were not being processed under heavy load.
• The ThreatBLADES were not extracting EXE files for mimetype=html.
• Double-byte characters were not properly interpreted or rendered for the filename attribute.
• The following vulnerabilities were mitigated by upgrading to OpenSSL 0.9.8zf:
  o CVE-2015-0209
  o CVE-2015-0286
  o CVE-2015-0288
Known Issues
• When an API query is sent with microseconds in the timespan field, the report may take an extremely long time to generate.
Release Notes: Security Analytics 7.1.7
Blue Coat Security Analytics Platform 7.1.7 is a patch release to address a couple of new vulnerabilities and to provide some minor fixes.
Changes
• Patches have been installed to address CVE-2014-3571 and CVE-2015-0235 ("Ghost").
• Some scheduled reports were being terminated before they had finished.
• Some long-lived flows were not being reindexed.
• To help reduce the number of alerts, the WebThreat BLADE will produce alerts only for the following URL categories: Malicious Sources/Malnets, Malicious Outbound Data/Botnets, and Phishing.
• CMCs and sensors could not make an initial connection if a proxy had been set up for either device.
• Adding a firewall rule for SSH would also create a rule for ICMP and vice-versa.
• Some sensors were experiencing communication issues with their CMCs.
Release Notes: Security Analytics 7.1.6
Blue Coat Security Analytics Platform 7.1.6 is a minor release with various fixes and improvements.
Changes
• When a sample is sent to multiple Blue Coat Malware Analysis Appliance (MAA) profiles, the sample is submitted once, then tasks are created for each profile instead of sending multiple samples.
• Samples sent in parallel to the MAA go to the SandBox first, then to the iVM queues if further analysis is indicated.
• The first result that is returned by an MAA profile is displayed, rather than waiting for all results to be returned.
• Android APK files can be sent to the MAA for detonation.
• Support for endpoint analysis providers is included.
• New File Type report: pattern-based detection to approximate the file type transmitted.
• The Login Correlation Service supports Windows 2012 Server DC.
• Signature-based scanning is enabled by default (and can be disabled in the GUI).
• YARA rules for live exploits are available for Local File Analysis.
• Artifacts can be extracted when application_id~unknown.
• A new Protocol field is displayed in artifact entries.
• A fix was included for the CVE-2014-1943 exploit.
• The Summary screen was not displayed in IE9.
• The Authentication settings page was taking too long to load in some circumstances.
• Some reports were not being completed.
• Invalid dates were being produced in deepsee_reports/index pivots.
Known Issues
• In some extremely rare cases, *_verdict reports can show double the amount of data in the rows compared to the total. To resolve the issue, run the report again.
• Manual extractions (GUI-initiated) may sometimes crash during the cleanup phase of the canceled manual extraction. This occurrence is noted in /var/log/messages.
• You cannot create a valid protocol=ftp_data filter by right-clicking FTP Data on the GUI; instead, manually type protocol=ftp_data in the advanced filter.
• Data that is replayed from multiple interfaces may replay at a slower speed than selected.
• If you are using Norman Shark as a third-party, on-demand integration provider and are experiencing issues with its remote notifications, please contact support.
• When pivoting to Security Analytics from the Malware Analysis Appliance (MAA), the timespan for the Summary pages is set at five minutes before and after the task was created on the MAA. If the sample came from a PCAP with older, retained timestamps or if the sample was submitted manually, the original data for the sample is not displayed on the Summary pages. Manually selecting a timespan that corresponds to the original capture date will retrieve the proper data.
Release Notes: Security Analytics 7.1.5
Blue Coat Security Analytics Platform 7.1.5 is a cumulative maintenance release that provides faster report generation, more flexible PCAP downloading, more detailed information on the alerts page — including a direct link to the detonation report on your MAA — and the Web interface and help files in five languages besides English.
Features
• Improved indexing method results in general report performance improvement (applies only to data captured with version 7.1.5 and later).
• Improved PCAP downloader:
  o Can run in the background
  o Supports browser download
  o Supports saving to remote path (CIFS/NFS)
  o Supported via the CMC
• Known SMB fragments can be viewed or hidden on the Extractions page.
• GUI and Help Files available in Japanese, French, Italian, Spanish, and German as well as English.
• Reports and extractions can be stopped on the GUI before completion.
• Alerts List page shows the alert type: malware, file, URL, from the cache.
• A link to the Malware Analysis Appliance (MAA) task is available from the alert that the MAA returned.
• Alerts can be filtered by import_id, either directly from the Import PCAP page or in the Advanced Filter on the Alerts pages.
• VM detection capability has been upgraded.
• LDAP anonymous BIND DN is supported.
• Telnet sessions are extracted and displayed on Analyze > Summary > Extractions. In the artifact preview, the messages are marked with <server> and <client> tags.
• MAA data (appliance, profile, task) is sent in syslog messages.
• Report creation line includes report_id and query_id to facilitate correlation.
• The Advanced Filters are no longer case-sensitive.
• Job ID is included on the Retrospective Jobs page.
• New attribute and report, machine_id, is the combination of two values: NetBIOS Caller and LLMNR.
• Hostname of the sensor is sent to the MAA along with the sample to be detonated.
• MPIO (multipath I/O) support for the storage modules has been added.
Enable Fuzzy Hash for Data Enrichment
By default, the fuzzy hash is not calculated for data-enrichment operations. To enable fuzzy-hash calculation, edit
the following value in /etc/solera/extractor/extractord.conf:
# Flag to calculate the fuzzy hash
calc_fuzzy_hash=1
Remove the # in front of calc_fuzzy_hash and set the value to one.
Fixes
• Vulnerabilities related to Shellshock, BERserk, and other CVEs have been addressed. For more information, see the RedHat Security Blog, Shellshocker.net, PC Advisor, NIST.gov, or CERT.org.
  o CVE-2014-7186
  o CVE-2014-6271
  o CVE-2014-7187
  o CVE-2014-7169
  o CVE-2014-6277
  o CVE-2014-1568, CERT VU#772676
  o CVE-2014-6278
• The difference between Active and Inactive icons is now discernible by the color-blind.
• Domain Controller autodiscovery for the Login Correlation Service was not operable.
• Hourly cron jobs have staggered start times.
• Non-TCP flow-timer delay changed from 60 seconds to 5 seconds to avoid both an intermediate and a completed flow entry in the index.
• The CMC and the sensors use the same rules when purging excessive alerts.
• Improved accuracy of the unindexed-flows indicator.
• ThreatBLADE alerts via email contained a link to the wrong location.
• Reports between CMC and sensor are stored in /home/apache/tmp to avoid prematurely filling up /tmp.
• PCAPs downloaded via the CMC were not being deleted from /home/apache/tmp.
• User deletion from sensors was not always complete.
• Adding an authorized user to a sensor did not appear to work.
• Artifacts were not downloading properly from the CMC when using the GET: /artifacts/download API call.
• Reports saved as PDFs were sorting on a different column than specified on the UI.
• The timeout on evaluation appliances is now automatically disabled when they are purchased.
• When sending files to FireEye, the default base has changed to winxp-sp2 from winxp-base.
Known Issues
• Newly captured data is no longer indexed using packet-based attributes: packet_length, ethernet_source(_vendors), ethernet_destination(_vendors). Beginning in version 7.1.5, these attributes are replaced by ethernet_initiator(_vendors) and ethernet_responder(_vendors).
  o Only data that was captured prior to version 7.1.5 will produce reports for the old attributes.
  o As a result, the Possible DNS Tunneling favorite is inoperable unless you remove the packet_length attribute from the filter.
  o To enable packet-length indexing after upgrading to version 7.1.5, edit the /etc/init.d/solera-shaft file to include -l (lower-case L) in the OPTIONS line, e.g., OPTIONS="-b -A -l"
  o To view the new Ethernet-related report widgets in the Ethernet Layer view on the Summary page, add them manually by selecting Ethernet Layer from the view selector and then selecting Actions > Add/Edit Widgets.
• After you manually send a reputation request to a ThreatBLADE or an MAA, the result may be delayed for several minutes during times when the data-enrichment process is experiencing low activity levels.
• While importing a PCAP from the browser, it is recommended that you not click the blue progress indicator to select another PCAP file to be imported. Such an action will prevent the PCAP downloads from completing. The solution is to cancel the import and use separate browser windows to import multiple PCAPs at once.
Release Notes: Security Analytics 7.1.4
Blue Coat Security Analytics Platform 7.1.4 is primarily a patch update that includes support for more detailed remote
notifications.
Features
• When creating remote-notification templates (SNMP, syslog, SMTP), you can now include MD5 and SHA1 hashes.
• Remote notifications now include whether the alert is for a URL, malware, or file.
• More than 2000 application signatures are now available.
Fixes
• The estimated PCAP size was 0 when downloading the PCAP through a CMC.
• Some LDAP groups were not available for role-based access control.
• The sudoers file was not being parsed successfully after some upgrades.
• The extractor was failing to detect and delete duplicate callbacks in reassembled TCP flows.
• The system was automatically cleaning up files sent to MAA rather than allowing MAA to control cleanup.
• Flows were timing out when packets' timestamps appeared out of order.
• Data was missing in some reports.
• Some unknown motherboards were not being properly identified.
Known Issues
Data-Enrichment Job Counts
When you upload the same PCAP more than once, the data-enrichment job count may be different each time
because of the state of the cache.
Authenticated Proxies
To configure the Security Analytics Platform to use an authenticated proxy, edit /etc/environment as follows:
http_proxy="http://<username>:<password>@<IP_address>:<port>"
https_proxy="http://<username>:<password>@<IP_address>:<port>"
If the proxy has a certificate handshake for SSL traffic, add the CA certificate (PEM format) to the system CA bundle as follows:
# back up the current bundle, append the new CA certificate, then confirm the certificate verifies against the updated bundle
cp /etc/pki/tls/certs/ca-bundle.crt /etc/pki/tls/certs/ca-bundle.crt.bak
openssl x509 -text -in <new_cacert>.crt >> /etc/pki/tls/certs/ca-bundle.crt
openssl verify -CAfile /etc/pki/tls/certs/ca-bundle.crt <new_cacert>.crt
Reboot to apply changes.
WebThreat BLADE Mappings
To reduce the number of alerts generated by the WebThreat BLADE, the categories that trigger alerts have been
limited to security risks. For further information, see the release notes for version 7.1.7.
FTP Mover with Proxy
The data-enrichment option FTP Mover does not support a proxy environment.
MAA API Key Error
If you change the MAA API key after performing successful detonations, the Security Analytics error message
shows as invalid_key.
Release Notes: Security Analytics 7.1.3
Blue Coat Security Analytics Platform 7.1.3 supports GRE-encapsulated IPv4, IPv6, and WCCP traffic and provides
new reports and features to help detect the OpenSSL Heartbleed vulnerability (CVE-2014-0160).
GRE-Encapsulation Support
The following figure shows how GRE-encapsulated traffic appears on the Summary page in a customized view.
The endpoints of the GRE tunnel are displayed in the new Tunnel Initiator and Tunnel Responder report widgets. The
IPv4 Conversation report widget shows the IPv4 sessions that were encapsulated in the GRE tunnel. The IPv6
Conversation report widget would show any GRE-encapsulated IPv6 sessions.
The Extractions page displays the artifacts that passed through the GRE tunnel:
Heartbleed Vulnerability Detection
The following reports and their respective attributes can be used to detect attempts to exploit the Heartbleed vulnerability (CVE-2014-0160).
• TLS Heartbeat Mismatch (tls_heartbeat_mismatch) — Detects when the length of a heartbeat reply message is not equal to the length of the heartbeat request message.
• TLS Heartbeat Attack Attempt (tls_heartbeat_attack_attempt) — Detects when the message length field in a heartbeat request does not match the (D)TLS record-length field.
• SSL Serial Number (ssl_serial_number) — Displays the serial number (hex) of SSL certificates.
Note
If encryption has been established before the heartbeat requests begin, tls_heartbeat_attack_attempt will not register a hit; however, the attempt can still be detected by tls_heartbeat_mismatch even when the message is encrypted.
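The two heartbeat checks described above, re-implemented over raw TLS records as an added illustration (this is not Security Analytics code; the record layout follows RFC 6520, and the sample records are constructed in the script). The mismatch check reads only the record-layer length, which is why it still works once the heartbeat messages are encrypted.

```python
"""Toy implementation of the tls_heartbeat_attack_attempt and
tls_heartbeat_mismatch indicators over raw TLS heartbeat records."""
import struct
from dataclasses import dataclass
from typing import Optional

TLS_HEARTBEAT = 24          # TLS ContentType for heartbeat messages (RFC 6520)
HB_REQUEST, HB_RESPONSE = 1, 2
HB_HEADER_LEN = 3           # 1-byte HeartbeatMessageType + 2-byte payload_length
MIN_PADDING = 16            # RFC 6520: padding_length MUST be at least 16


@dataclass
class HeartbeatRecord:
    version: int
    record_length: int      # length field of the 5-byte TLS record header
    hb_type: int            # 1 = request, 2 = response
    payload_length: int     # length field inside the heartbeat message


def record_length(record: bytes) -> Optional[int]:
    """Record-layer length of a heartbeat record, or None if the record is not
    a heartbeat. Only the plaintext 5-byte header is read, so this works on
    encrypted heartbeats as well."""
    if len(record) < 5:
        return None
    ctype, _version, rec_len = struct.unpack("!BHH", record[:5])
    return rec_len if ctype == TLS_HEARTBEAT else None


def parse_heartbeat(record: bytes) -> Optional[HeartbeatRecord]:
    """Parse a plaintext heartbeat message; None if it is not one."""
    if len(record) < 5 + HB_HEADER_LEN:
        return None
    ctype, version, rec_len = struct.unpack("!BHH", record[:5])
    if ctype != TLS_HEARTBEAT:
        return None
    hb_type, payload_len = struct.unpack("!BH", record[5:8])
    return HeartbeatRecord(version, rec_len, hb_type, payload_len)


def is_attack_attempt(record: bytes) -> bool:
    """tls_heartbeat_attack_attempt: the payload_length claimed inside a
    heartbeat request does not fit the enclosing record. RFC 6520 requires
    record_length >= 3 + payload_length + 16 bytes of padding."""
    hb = parse_heartbeat(record)
    if hb is None or hb.hb_type != HB_REQUEST:
        return False
    return HB_HEADER_LEN + hb.payload_length + MIN_PADDING > hb.record_length


def is_length_mismatch(request: bytes, reply: bytes) -> bool:
    """tls_heartbeat_mismatch: the reply record differs in length from the
    request record. A correct peer echoes the payload, so the records match;
    a server that leaks memory answers with a much larger record."""
    req_len, rep_len = record_length(request), record_length(reply)
    if req_len is None or rep_len is None:
        return False
    return req_len != rep_len


def build_heartbeat(hb_type: int, payload: bytes, claimed_len: Optional[int] = None,
                    padding: bytes = b"\x00" * MIN_PADDING) -> bytes:
    """Serialise a TLS 1.1 heartbeat record (constructed test input only).
    claimed_len lets a sample declare a payload_length that differs from the
    bytes actually carried, which is the condition the indicator flags."""
    declared = len(payload) if claimed_len is None else claimed_len
    body = struct.pack("!BH", hb_type, declared) + payload + padding
    return struct.pack("!BHH", TLS_HEARTBEAT, 0x0302, len(body)) + body


# Constructed samples: a benign echo pair, and a request whose declared length
# exceeds its record paired with the over-long reply a vulnerable server gives.
BENIGN_REQUEST = build_heartbeat(HB_REQUEST, b"ping")
BENIGN_REPLY = build_heartbeat(HB_RESPONSE, b"ping")
BAD_REQUEST = build_heartbeat(HB_REQUEST, b"", claimed_len=0x4000, padding=b"")
LEAKY_REPLY = build_heartbeat(HB_RESPONSE, b"A" * 0x4000)

if __name__ == "__main__":
    print("benign attack_attempt:", is_attack_attempt(BENIGN_REQUEST))         # False
    print("benign mismatch:", is_length_mismatch(BENIGN_REQUEST, BENIGN_REPLY))  # False
    print("bad attack_attempt:", is_attack_attempt(BAD_REQUEST))               # True
    print("bad mismatch:", is_length_mismatch(BAD_REQUEST, LEAKY_REPLY))       # True
```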
Retooled Data Reprocessing
Data that was captured prior to the release of 7.1.3 can be reprocessed (Capture > Actions > Reprocess) such that
the data is also reindexed. Such reprocessing will permit the Security Analytics Platform to detect TLS heartbeat
mismatches and attack attempts as well as list the SSL certificate serial numbers.
This combination of reindexing with the reprocessing function is a permanent addition to the platform.
A new Reprocessing Jobs page has also been added to the UI so that you can see the progress of reprocessing and
reindexing jobs. Select Capture > Actions > Reprocess to view the page and also to manually initiate reprocessing
jobs.
New WebPulse Mapping in the WebThreat BLADE
To reduce the number of alerts generated by the WebThreat BLADE, the categories that trigger alerts have been limited to security risks. Socially and legally questionable categories no longer generate an alert. The mapping covers the following categories:
• Adult/Mature Content
• Malicious Sources/Malnets
• Pornography
• Placeholders
• Extreme
• Malicious Outbound Data/Botnets
• Spam
• Scam/Questionable/Illegal
• Gambling
• Mixed Content/Potentially Adult
• Hacking
• Potentially Unwanted Software
• File Storage/Sharing
• Dynamic DNS Host
• Phishing
• Proxy Avoidance
• Child Pornography
• Web Hosting
• Computer/Information Security
• Unrated
• Piracy/Copyright Concerns
• Suspicious
Fixes
• In some cases, a symlink in var/lib/pgsql was not preserved during upgrade
• Unicode decode errors were preventing Data Enrichment from functioning
• The performance of the reindexing function has been improved
• ThreatCLOUD access through ProxySG is now functional
Known Issues
• If you reprocess data that was captured before version 7.1.3, the tls_heartbeat_attack_attempt attribute will not be applied to encrypted protocols such as SSH, ISAKMP, and IPSEC. Heartbleed attacks can still be detected using the tls_heartbeat_mismatch attribute.
• If you attempt to access the new Reprocessing Jobs page through a CMC, that page will not be visible on the CMC. However, a reprocessing job that is manually initiated via the CMC will be created as before.
• The file /etc/solera/meta/metapocrypha.json is not preserved during upgrade, so any customized metadata (CustomAnalytics BLADE trial version) will be overwritten. Furthermore, the version of metapocrypha.json that is installed with version 7.1.3 contains the three new attributes/reports, so merely saving the file and copying it back after upgrade will erase the three new attributes. To address this issue, try one of these methods:
  o Use diff and patch (or another tool that is compatible with UNIX file formats) to compare your altered metapocrypha.json with canonical-metapocrypha.json (same directory):
    - Prior to upgrade, back up both metapocrypha.json and canonical-metapocrypha.json.
    - After the upgrade, use the diff and patch tools to compare the backed-up metapocrypha.json with the new canonical-metapocrypha.json and add your customizations while preserving the new attributes.
    - Be sure to validate, verify, and test prior to copying the altered file to the upgraded appliance.
  o Manually add your customized attributes to the new metapocrypha.json.
  o Manually add the new 7.1.3 attributes to your backed-up metapocrypha.json:
    "active tags" : [
      …
      "tag:ssl_serial_number",
      …
    ],
    "directories" : {
      …
      "ssl_serial_number" : { "columns" : [ "tag:ssl_serial_number" ] },
      …
      "tls_heartbeat_mismatch" : { "columns" : [ "tls_heartbeat_mismatch" ] },
      "tls_heartbeat_attack_attempt" : { "columns" : [ "tls_heartbeat_attack_attempt" ] },
      …
    },
    "columns" : {
      …
      "tls_heartbeat_mismatch" : { "namespace" : "flows", "size" : 1 },
      "tls_heartbeat_attack_attempt" : { "namespace" : "flows", "size" : 1 },
      …
      "tag:ssl_serial_number" : {
        "namespace" : "flows",
        "name" : "aggregate_ssl_serial_number_hooks",
        "size" : 4096,
        "variable" : true,
        "tag" : true,
        "packed" : true,
        "fallback" : true
      },
      …
    },
    "tags" : {
      …
      "tag:ssl_serial_number" : { "attributes" : [ "SSL:SERIAL_NUMBER" ] },
      …
    },
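The merge that the diff-and-patch method above performs by hand, as an added Python example (not a Blue Coat or Solera tool). It assumes the four top-level sections shown in the fragment ("active tags", "directories", "columns", "tags") are the ones that carry per-attribute entries, and it uses constructed sample data in place of the real files; the file paths in merge_files are hypothetical.

```python
"""Three-way merge of a customised metapocrypha.json into the canonical file
shipped by an upgrade, keeping both the local additions and the new entries."""
import json
from copy import deepcopy

# Sections of metapocrypha.json as shown in the fragment above (assumption:
# these are the only sections holding per-attribute entries).
LIST_SECTIONS = ("active tags",)
DICT_SECTIONS = ("directories", "columns", "tags")
NEW_713_DIRECTORIES = ("tls_heartbeat_mismatch", "tls_heartbeat_attack_attempt",
                       "ssl_serial_number")


def merge_metapocrypha(old_canonical, customised, new_canonical):
    """Start from the new canonical file so the upgrade's entries are always
    present, then carry over every entry that exists only in the customised
    copy (i.e. differs from the old canonical file it was derived from).
    Returns (merged, conflicts); a conflict is an entry edited locally that
    the vendor changed too: the vendor value is kept and the name reported."""
    merged = deepcopy(new_canonical)
    conflicts = []
    for section in LIST_SECTIONS:
        base = set(old_canonical.get(section, []))
        target = merged.setdefault(section, [])
        for item in customised.get(section, []):
            if item not in base and item not in target:   # local addition
                target.append(item)
    for section in DICT_SECTIONS:
        base = old_canonical.get(section, {})
        target = merged.setdefault(section, {})
        for name, spec in customised.get(section, {}).items():
            if base.get(name) == spec:
                continue                                   # untouched vendor entry
            if name not in target:
                target[name] = deepcopy(spec)              # local addition: carry over
            elif target[name] != spec:
                conflicts.append(f"{section}/{name}")      # edited by both sides
    return merged, conflicts


def missing_new_attributes(merged):
    """Check before copying the file back: all three 7.1.3 directory entries
    from the fragment above must have survived the merge."""
    return [n for n in NEW_713_DIRECTORIES if n not in merged.get("directories", {})]


def merge_files(old_path, custom_path, new_path, out_path):
    """File wrapper: backed-up canonical file, backed-up customised file, the
    new canonical file, and where to write the result (hypothetical paths)."""
    with open(old_path) as f_old, open(custom_path) as f_cus, open(new_path) as f_new:
        merged, conflicts = merge_metapocrypha(json.load(f_old), json.load(f_cus),
                                               json.load(f_new))
    with open(out_path, "w") as f_out:
        json.dump(merged, f_out, indent=2)
    return conflicts


# Constructed sample data (not real vendor files).
OLD_CANONICAL = {
    "active tags": ["tag:application_id"],
    "directories": {"application_id": {"columns": ["application_id"]}},
    "columns": {"application_id": {"namespace": "flows", "size": 4}},
    "tags": {},
}
CUSTOMISED = deepcopy(OLD_CANONICAL)
CUSTOMISED["active tags"].append("tag:my_custom_attr")
CUSTOMISED["directories"]["my_custom_attr"] = {"columns": ["tag:my_custom_attr"]}
CUSTOMISED["columns"]["application_id"]["size"] = 8            # local edit of a vendor entry
CUSTOMISED["columns"]["tag:my_custom_attr"] = {"namespace": "flows", "size": 64,
                                               "variable": True, "tag": True}
CUSTOMISED["tags"]["tag:my_custom_attr"] = {"attributes": ["MYPROTO:FIELD"]}

NEW_CANONICAL = deepcopy(OLD_CANONICAL)                          # what 7.1.3 installs
NEW_CANONICAL["columns"]["application_id"]["size"] = 2          # vendor changed it too
NEW_CANONICAL["active tags"].append("tag:ssl_serial_number")
NEW_CANONICAL["directories"].update({
    "ssl_serial_number": {"columns": ["tag:ssl_serial_number"]},
    "tls_heartbeat_mismatch": {"columns": ["tls_heartbeat_mismatch"]},
    "tls_heartbeat_attack_attempt": {"columns": ["tls_heartbeat_attack_attempt"]},
})
NEW_CANONICAL["columns"].update({
    "tls_heartbeat_mismatch": {"namespace": "flows", "size": 1},
    "tls_heartbeat_attack_attempt": {"namespace": "flows", "size": 1},
    "tag:ssl_serial_number": {"namespace": "flows", "name": "aggregate_ssl_serial_number_hooks",
                              "size": 4096, "variable": True, "tag": True,
                              "packed": True, "fallback": True},
})
NEW_CANONICAL["tags"]["tag:ssl_serial_number"] = {"attributes": ["SSL:SERIAL_NUMBER"]}

MERGED, CONFLICTS = merge_metapocrypha(OLD_CANONICAL, CUSTOMISED, NEW_CANONICAL)

if __name__ == "__main__":
    print(json.dumps(MERGED, indent=2))
    print("conflicts to review:", CONFLICTS)                         # ['columns/application_id']
    print("missing 7.1.3 attributes:", missing_new_attributes(MERGED))  # []
```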
Release Notes: Security Analytics 7.1.1
Blue Coat Security Analytics Platform 7.1.1 offers considerable performance improvement as well as some
UI enhancements for increased data visibility.
Enhancements
• Signature-based extraction can be enabled as a secondary method during protocol-based extraction
• Extraction and enrichment progress is displayed during PCAP import
• Artifact ID is displayed for child alerts
• Data-enrichment jobs and related data are displayed in the Capture Summary Graph
• ThreatBLADE alerts can be sent as remote notifications
• Signatures for new malware discovered by the Malware Analysis Appliance are sent to the global WebPulse database
• Providers for Local File Analysis can be customized
Performance Improvement
• Report performance has been optimized
• Data-enrichment jobs are realized in less time
Fixes
• Software upgrade no longer changes root password expiry
• CentOS script error has been corrected
• Capture filters that were longer than 2048 characters could not be added
Release Notes: Security Analytics 7.1.0
Blue Coat Security Analytics Platform 7.1.0 offers significant enhancements and new features, including all-new,
protocol-based ThreatBLADES. The ThreatBLADES provide intelligence that points to the details of advanced
threats, targeted attacks, and anomalous activity. In the near future, organizations will be able to take advantage of
integrated Blue Coat sandbox technology to gain protection against advanced malware.
Security Analytics and Threat Intelligence
Blue Coat ThreatBLADES for Advanced Threat Protection are available on an annual subscription basis.
Malware Analysis Appliance
Support for connectivity to the MAA is now available in 7.1 with the option to send potentially malicious file
samples to multiple MAA profiles sequentially or in parallel. Unique hybrid design combines Blue Coat VM and
emulation sandboxes to deliver unrivaled malware and threat detection. Users can manually send files for
detonation or the process can be automated from either the Security Analytics Platform or the Blue Coat Content
Analysis System.
WebThreat BLADE
URL reputation and classifications powered by the Blue Coat Global Intelligence Network as well as analysis of
files transported over HTTP.
The WebThreat BLADE provides two reports that draw their verdicts from a local copy of the WebPulse
database. If WebPulse returns a verdict of 5 or higher (unknown through malicious) for an artifact, that artifact is
queried against the live, cloud-hosted Global Intelligence Network for evaluation.
• Local File Analysis — HTTP-transported files are extracted and evaluated for known threats.
• Local URL Analysis — URL threat level as calculated by a local copy of the WebPulse database.
• Local URL Categories — URL category returned from a local copy of the WebPulse database.
• Live URL Analysis — URL threat level as calculated by the live Global Intelligence Network.
• Live URL Categories — URL category returned from the live Global Intelligence Network.
• Malware Analysis — Files for which the WebThreat BLADE has no information are sent to the Malware Analysis Appliance for detonation. Data for this report is available only in conjunction with the Malware Analysis Appliance.
There may be a delay of a few minutes in reporting a verdict after the URL is extracted.
MailThreat BLADE
Comprehensive scanning of mail protocols, provided by the Global Intelligence Network. The MailThreat BLADE
provides the following reports and report widgets:
• File Analysis — Degree of risk (very low to very high) or unknown for files extracted from the SMTP, IMAP, and POP3 protocols.
• Malware Analysis — Files for which the MailThreat BLADE has no information are sent to the Malware Analysis Appliance for detonation. Data for this report is available only in conjunction with the Malware Analysis Appliance.
FileThreat BLADE
Analyzes files that are transported over FTP, SMB, and TFTP.
• File Analysis — Files are extracted and evaluated for known threats.
• Malware Analysis — Files for which the FileThreat BLADE has no information are sent to the Malware Analysis Appliance for evaluation. Data for this report is available only in conjunction with the Malware Analysis Appliance.
There may be a delay of some minutes in reporting a verdict after the file is extracted.
WebPulse Database
Blue Coat's WebPulse continually acquires the latest defenses from millions of users worldwide. Version 7.1
provides two ways to use WebPulse's massive resources: directly, from the cloud, and locally, from an onboard
copy of the database.
Users can configure the frequency of local WebPulse database updates as well as specify a custom location for
the database to reside. Malware Analysis Appliance users can elect to contribute the results of EXE and DLL
detonation to the WebPulse cloud to the benefit of other WebPulse customers.
Preview Only in Version 7.1
To get a sneak peek of these features, contact Solera Networks Support:
• Toll-Free (U.S. and Canada): 888-860-5705
• International: +1 801-545-4002
• Web: www.bluecoat.com/support
• Email: atp-support@bluecoat.com
CustomAnalytics BLADE
Includes an open parser for specific types of data, complex rules that detect series of events, and customized
metadata for reports.
SCADAThreat BLADE
Provides extensive metadata analysis for the MODBUS and DNP3 protocols.
BlackBox Recorder
Like a flight recorder on an airplane, it captures all network events until a security incident requires that you
"break the glass" to view its contents.
Extractions
New Extraction Method
Prior to version 7.1, the Security Analytics Platform used signature-based extraction to produce artifacts.
Beginning in this version, extraction is protocol-based.
Artifacts are now extracted from the following protocols:
• HTTP
• TCP
• TFTP
• SMB
• FTP
• FTP-Data
• Email Protocols
o POP3
o IMAP
o SMTP
• VoIP Protocols
o SIP
o MGCP
o RTP, RTCP
• IM Protocols
o SIP
o MGCP
o RTP
o RTCP
o AIM
o AIM Express
o AIM Transfer
o Badoo
o eBuddy
o Facebook
o Google Chat
o IRC
o Jabber
o MSN
o PalTalk
o QQ Transfer
o Second Life
o Teamspeak v2
o Yahoo Messenger
o Yahoo Web Messenger
Archive Extraction and Analysis
In Version 7.1, compressed archives are extracted and their component files analyzed.
Improved Artifact Display
To assist the user in associating related artifacts from a single flow, the Extractions results list displays additional information (the numbers below are the callouts on the annotated screenshot of the results list):
1 — Collapse the Advanced Filter panel for a wider window.
2 — HTTP Response icons: 1xx — Informational; 2xx — Success; 3xx — Redirection; 4xx — Client Error; 5xx — Server Error; Header not available.
3 — Date is omitted to save space unless the extraction spans multiple days.
4 — HTTP Request method is displayed.
New Preview Types
• Text preview for FTP session artifacts displays each step in an FTP session.
• File command preview shows what the file command reports for the artifact, such as the filename, file modification date/time, application version, flags, and so on.
• Strings command preview. The strings command returns each run of printable characters in a file; its main uses are to determine the contents of, and to extract text from, binary (non-text) files.
• HTTP Headers preview displays the HTTP request and response headers.
• For HTTP POSTs, the payload has a separate entry from the original POST and is displayed below it. The payload artifact does not display an HTTP method or an HTTP response icon.
• Click Show Payload to see a separate artifact entry for the payload.
User-Configurable File Classification
You can specify which method determines the file type of an artifact: Select [Account Name] > Preferences:
• Artifact MIME-Type Display — Specify the method for the extractor to determine the file type:
o MIME — Use the value in the Content-Type field of the HTTP or email header, else return unknown.
o Magic — Use the embedded magic number or file signature, else return unknown.
o Derived — If both MIME and magic values are present, use internal logic to determine the most likely file type.
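The three preference values matter because the Content-Type header is written by the sending peer and is the easiest thing to forge, while the magic number reflects the bytes that were actually delivered. The following Python is an added example, not Security Analytics code and not a description of the appliance's internal logic: it implements the MIME and Magic modes as described above and an assumed Derived policy (a matched signature wins, otherwise fall back to the header). The signature table, the sample artifacts and the is_disguised check are constructed for this example.

```python
"""Artifact file-type classification in MIME, Magic and Derived modes.

Added example, not code from Security Analytics. MIME and Magic follow the
release-note descriptions; the Derived tie-break rule is this example's own
assumption, and the signature table and samples are constructed.
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple

UNKNOWN = "unknown"

# (offset, signature bytes, MIME type). Constructed for the example; a real
# extractor consults a full libmagic-style database.
MAGIC_SIGNATURES: List[Tuple[int, bytes, str]] = [
    (0, b"%PDF-", "application/pdf"),
    (0, b"MZ", "application/x-dosexec"),         # PE executables and DLLs
    (0, b"\x7fELF", "application/x-executable"),
    (0, b"PK\x03\x04", "application/zip"),       # also docx/xlsx/jar/apk
    (0, b"\x1f\x8b", "application/gzip"),
    (0, b"Rar!\x1a\x07", "application/vnd.rar"),
    (0, b"GIF87a", "image/gif"),
    (0, b"GIF89a", "image/gif"),
    (0, b"\x89PNG\r\n\x1a\n", "image/png"),
    (0, b"\xff\xd8\xff", "image/jpeg"),
]

# Declared types too generic to say anything about the real content.
GENERIC_MIME = {"application/octet-stream", "binary/octet-stream", "text/plain"}


@dataclass
class Artifact:
    name: str
    content_type: Optional[str]  # Content-Type from the HTTP/email header, if any
    data: bytes                  # leading bytes of the extracted file


def mime_type(a: Artifact) -> str:
    """MIME mode: use the declared Content-Type, else unknown."""
    if not a.content_type:
        return UNKNOWN
    declared = a.content_type.split(";", 1)[0].strip().lower()  # drop charset etc.
    return declared or UNKNOWN


def magic_type(a: Artifact) -> str:
    """Magic mode: match an embedded signature, else unknown."""
    for offset, sig, mime in MAGIC_SIGNATURES:
        if a.data[offset:offset + len(sig)] == sig:
            return mime
    return UNKNOWN


def derived_type(a: Artifact) -> str:
    """Derived mode (assumed policy): a matched signature describes the bytes
    actually delivered, so it wins over the peer-controlled header; with no
    signature match, fall back to the header; unknown only if neither exists."""
    magic = magic_type(a)
    return magic if magic != UNKNOWN else mime_type(a)


def classify(a: Artifact, method: str) -> str:
    """Dispatch on the preference value: "MIME", "Magic" or "Derived"."""
    table = {"mime": mime_type, "magic": magic_type, "derived": derived_type}
    if method.lower() not in table:
        raise ValueError(f"unknown classification method: {method!r}")
    return table[method.lower()](a)


def is_disguised(a: Artifact) -> bool:
    """True when the header declares one specific type and the signature proves
    another (e.g. a PE file served as image/gif). A generic declared type such
    as application/octet-stream is not treated as a disagreement."""
    declared, detected = mime_type(a), magic_type(a)
    if UNKNOWN in (declared, detected) or declared in GENERIC_MIME:
        return False
    return declared != detected


# Constructed sample artifacts (not real captures).
SAMPLES = [
    Artifact("report.pdf", "application/pdf", b"%PDF-1.7\n%\xe2\xe3\xcf\xd3\n"),
    Artifact("logo.gif", "image/gif", b"MZ\x90\x00\x03\x00\x00\x00\x04\x00"),
    Artifact("index.html", "text/html; charset=utf-8", b"<!DOCTYPE html><html>"),
    Artifact("update.bin", "application/octet-stream", b"PK\x03\x04\x14\x00\x06\x00"),
    Artifact("blob", None, b"\x00\x01\x02\x03"),
]


def classify_all(method: str) -> dict:
    """Map each sample artifact's name to its type under the chosen method."""
    return {a.name: classify(a, method) for a in SAMPLES}


if __name__ == "__main__":
    for a in SAMPLES:
        print(f"{a.name:11} MIME={mime_type(a):25} Magic={magic_type(a):25} "
              f"Derived={derived_type(a):25} disguised={is_disguised(a)}")
```

Run stand-alone, the script shows the practical difference between the modes: in MIME mode "logo.gif" is reported as image/gif because that is what the header says, while Magic and Derived modes report the PE signature, and only Derived mode still gives a type for the HTML page whose bytes carry no recognizable signature.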
Easier Extraction Cancelation
Prior to this version, you could only Save and Stop or Save and Continue an extraction. Extractions can now
be canceled without having to save the extraction.
During an extraction, select Actions > Stop Extraction and wait until the status shows Canceled 100%. (The
percentage does not reflect how much data was extracted before stopping).
After the extraction has stopped you can select Actions > Save to save the data that was extracted before the
process was canceled. After you have saved the data, you may restart the extraction by selecting Actions >
Rerun.
Free User-Initiated Queries
In the absence of a WebThreat BLADE or FileThreat BLADE subscription, users can still see an artifact's
reputation from the Extractions page.
Click Reputation to manually request information on the artifact from common reputation providers. Users are
entitled to 1000 requests per month without charge.
Data Enrichment
File-Type Filter
To avoid sending every file type through data enrichment, you can now select which file types to send or omit.
File types to select on Settings > Data Enrichment include Adobe PDFs, archives, configuration files, downloads,
email, images, multimedia, office productivity, programs and libraries, web pages, and JavaScript.
Login Correlation Service
An updated version of the Login Correlation Service is available. Download the new version from Settings > Data
Enrichment and launch the installation to update an existing setup.
The new version number is visible after you launch SOLERA NETWORKS > DeepSee Login Correlation Service.
Syslog Facility Configuration
From the CLI, users can set up a many-to-many relationship among syslog servers and facilities. Prior to version 7.1,
multiple servers could be assigned to a single facility but not multiple facilities to one or more servers.
Fixes
• Different-sized hard disks were not being classified properly.
• In 6.6.8 to 7.0 upgrades, ssh.allow was not being removed as a requirement in /etc/pam.d/login and sshd.
• Resetting the zoom on the Capture Summary Graph increased the total bytes captured display.
• Large scheduled reports were causing system failure.
• The RADIUS Auth Access-Request field contained malformed data.
• Artifact keyword searches were not working on the Central Manager Console (CMC).