By: Carolyn Crandall, CMO
When threat actors stealthily penetrate an organization's defenses, the speed of detection determines how much damage they can do to critical information assets. The sooner an inside-the-network threat is detected, the easier it is to contain a threat that has already bypassed prevention systems. According to a cybersecurity report by the Ponemon Institute, financial firms take an average of 98 days to detect a data breach and retailers can take up to 197 days. With more than 700 breaches reported annually, prompt detection is a critical line of defense against the exfiltration of data, harm to critical infrastructure, and damage to a company's brand reputation.
Last week, Attivo Networks announced a solution integration with Blue Coat Systems, Inc., a market leader in enterprise security. The partnership lets us shorten customers' incident response times through automated information sharing. The integrated solution provides real-time detection of cyber-attacks and automatically passes the attack information captured by the Attivo BOTsink® deception platform to the Blue Coat ProxySG, which blocks and quarantines the infected endpoint or device.
Protecting 15,000 organizations every day, the Blue Coat Security Platform unites network, security and cloud, providing customers with protection against advanced threats while minimizing the impact on network performance and enabling cloud applications and services.
The Blue Coat ProxySG is an industry-leading secure web gateway, available on-premises or in the cloud, that provides protection and bandwidth management to secure and optimize use of the web. Its feature set includes user authentication, web filtering, data loss prevention, encrypted traffic visibility, content caching, stream splitting and more.
The joint solution integrates the attack forensics gathered by the Attivo BOTsink engagement server with the Blue Coat ProxySG to automatically prevent compromised endpoints from exfiltrating data or communicating with the attacker's command and control (C&C) server. Forensics of this quality improve customers' incident response and significantly reduce the time to complete remediation.
The BOTsink platform is designed to provide inside-the-network threat detection and to produce key forensics for the:
- Identification and detection of threat vectors including reconnaissance, stolen-credential use, phishing, ransomware and multi-stage exploit kits
- Capture of the instructions sent from a command and control (C&C) server during the initial callback, including forensics on SSL-encrypted sessions by proxying the connection in a man-in-the-middle (MITM) position
- Generation of attacker signatures, which can be uploaded to block connection attempts based on intent
How it works:
The Attivo Networks BOTsink integrates with the Blue Coat ProxySG to deliver the addresses of internally compromised endpoints that must be blocked from communicating with the command and control (C&C) server or any other external destination. The BOTsink engagement server compiles the needed information and exposes it to the ProxySG through a dedicated connector. In this way it complements and feeds the ProxySG database, so that the proxy can block the compromised endpoints from opening backdoors to the C&C server or from exfiltrating any data.
Lifecycle of attack detection to blocking
- BOTsink detects an attack and raises an alert naming the internal IP address that engaged the decoy
- The list of IP addresses to be blocked is pulled automatically and periodically by the ProxySG from the Attivo appliance, so a newly detected endpoint is blocked within one polling interval
- SG Proxy blocks all traffic originating
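The detect, publish, poll and block flow above, written out as a generic illustration. This is an added example and not Attivo's or Blue Coat's code; the line-oriented feed format, the 24-hour block TTL, the RFC 1918 "internal hosts only" guard and the 60-second poll interval are all assumptions made here, not properties of the real connector. The point it adds beyond the list is the operational detail a pull-based blocklist needs in practice: malformed feed lines must not abort a refresh, entries that stop being published must eventually expire so a re-imaged host is not quarantined forever, and a re-published entry resets its timer.

```python
"""Pull-based blocklist consumer modelled on a deception-platform to proxy feed.

Added illustration; not Attivo's or Blue Coat's code. Everything below about
feed format, TTL and internal-address guard is an assumption of this example.
"""
import ipaddress

# Hypothetical feed format (assumed, not the vendors' connector format):
# one entry per line, "<ip> <unix_seconds_detected> <reason>"; '#' starts a comment.
# Constructed sample data, including a non-internal address and a malformed line.
SAMPLE_FEED = """\
# constructed sample feed of internal hosts that engaged the decoys
10.20.30.40 1700000000 credential-reuse-on-decoy
10.20.31.7  1700000100 smb-share-enumeration
203.0.113.9 1700000150 external-address-not-quarantined
not-an-ip   1700000200 malformed-line
"""

DEFAULT_TTL = 24 * 3600        # seconds a block stays active without re-publication
DEFAULT_POLL_INTERVAL = 60     # seconds between pulls of the feed

# Only RFC 1918 addresses are treated as internal endpoints (assumed guard).
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def is_internal(ip):
    return any(ip in net for net in RFC1918)


def parse_feed(text):
    """Yield (ip, detected_at, reason) for well-formed lines; skip everything else."""
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(maxsplit=2)
        if len(parts) != 3:
            continue
        try:
            ip = ipaddress.ip_address(parts[0])
            detected_at = int(parts[1])
        except ValueError:
            continue  # a bad line must never abort the whole refresh
        yield ip, detected_at, parts[2]


class Blocklist:
    """The proxy side of the flow: poll, merge, expire, decide."""

    def __init__(self, ttl=DEFAULT_TTL, poll_interval=DEFAULT_POLL_INTERVAL):
        self.ttl = ttl
        self.poll_interval = poll_interval
        self.entries = {}      # ip -> (last_published, reason)
        self.last_poll = None

    def poll_due(self, now):
        """True when the periodic pull should run again."""
        return self.last_poll is None or now - self.last_poll >= self.poll_interval

    def refresh(self, feed_text, now):
        """Merge a freshly pulled feed. Returns the number of entries accepted."""
        accepted = 0
        for ip, detected_at, reason in parse_feed(feed_text):
            if not is_internal(ip):
                continue  # only internal endpoints are quarantined (assumed)
            prev = self.entries.get(ip)
            # A re-published entry resets its timer; keep the most recent time.
            last = max(detected_at, prev[0]) if prev else detected_at
            self.entries[ip] = (last, reason)
            accepted += 1
        self.last_poll = now
        self.expire(now)
        return accepted

    def expire(self, now):
        """Drop entries the feed has not re-published within the TTL."""
        stale = [ip for ip, (t, _) in self.entries.items() if now - t > self.ttl]
        for ip in stale:
            del self.entries[ip]
        return len(stale)

    def should_block(self, src, now):
        """Decision for one outbound connection from source address `src`."""
        entry = self.entries.get(ipaddress.ip_address(src))
        return entry is not None and now - entry[0] <= self.ttl


if __name__ == "__main__":
    bl = Blocklist()
    now = 1700000500
    if bl.poll_due(now):
        print("accepted", bl.refresh(SAMPLE_FEED, now), "entries")
    for src in ("10.20.30.40", "10.99.99.99", "203.0.113.9"):
        print(src, "blocked" if bl.should_block(src, now) else "allowed")
```

In a real deployment the TTL is the knob that matters: set it to at least twice the feed's publication cadence, otherwise a host can flap between blocked and allowed between polls, and pair it with a manual release path for hosts that have been rebuilt.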
A modern security approach works under the assumption that the network will be breached: even the best prevention systems have gaps, and attackers will get in. Organizations are increasingly realizing that an adaptive defense program combining prevention with inside-the-network threat detection is the most effective approach to combating cyber threats. The Attivo BOTsink® deception platform together with the Blue Coat ProxySG gives organizations a fast, reliable and cost-effective solution for real-time detection of threats, improving the likelihood of successfully combating a cyberattack.
Additional information on the Attivo Networks and Blue Coat integration can be found here: