Cumulative Release Notes: Security Analytics 7.1.x

This document contains all of the release notes for Security Analytics 7.1.x in reverse chronological order:

Release Notes: Security Analytics 7.1.8
Release Notes: Security Analytics 7.1.7
Release Notes: Security Analytics 7.1.6
Release Notes: Security Analytics 7.1.5
Release Notes: Security Analytics 7.1.4
Release Notes: Security Analytics 7.1.3
Release Notes: Security Analytics 7.1.1
Release Notes: Security Analytics 7.1.0

Note: There was no 7.1.2 release.

For more information contact Blue Coat Support: www.bluecoat.com/support/technical-support/contact-service-support

Copyright © 2015 Blue Coat Systems, Inc. All rights reserved worldwide. No part of this document may be reproduced by any means nor translated to any electronic medium without the written consent of Blue Coat Systems, Inc. Blue Coat, ProxySG, PacketShaper, CacheFlow, IntelligenceCenter and BlueTouch are registered trademarks of Blue Coat Systems, Inc. in the U.S. and worldwide.
All other trademarks mentioned in this document are the property of their respective owners.

Release Notes: Security Analytics 7.1.8

Blue Coat Security Analytics Platform 7.1.8 is a patch release that addresses a few vulnerabilities and provides some minor fixes.

Changes
• Customized pivot-only reputation providers can be added.
• High traffic was filling log space too quickly.
• FireEye results were not being processed properly.
• Only the first-selected sensor was sending packet analyzer data to the CMC.
• Some files were not being extracted correctly.
• PowerPoint files were being extracted as ZIP files.
• Some MAA ZIP-file tasks were not being processed under heavy load.
• The ThreatBLADES were not extracting EXE files for mimetype=html.
• Double-byte characters were not properly interpreted or rendered for the filename attribute.
• The following vulnerabilities were mitigated by upgrading to OpenSSL 0.9.8zf:
  o CVE-2015-0209
  o CVE-2015-0286
  o CVE-2015-0288

Known Issues
• When an API query is sent with microseconds in the timespan field, the report may take an extremely long time to generate.

Release Notes: Security Analytics 7.1.7

Blue Coat Security Analytics Platform 7.1.7 is a patch release that addresses a couple of new vulnerabilities and provides some minor fixes.

Changes
• Patches have been installed to address CVE-2014-3571 and CVE-2015-0235 ("Ghost").
• Some scheduled reports were being terminated before they had finished.
• Some long-lived flows were not being reindexed.
• To help reduce the number of alerts, the WebThreat BLADE produces alerts only for the following URL categories: Malicious Sources/Malnets, Malicious Outbound Data/Botnets, and Phishing.
• CMCs and sensors could not make an initial connection if a proxy had been set up for either device.
• Adding a firewall rule for SSH would also create a rule for ICMP, and vice versa.
• Some sensors were experiencing communication issues with their CMCs.

Release Notes: Security Analytics 7.1.6

Blue Coat Security Analytics Platform 7.1.6 is a minor release with various fixes and improvements.

Changes
• When a sample is sent to multiple Blue Coat Malware Analysis Appliance (MAA) profiles, the sample is submitted once and a task is created for each profile, instead of sending multiple copies of the sample.
• Samples sent in parallel to the MAA go to the SandBox first, then to the iVM queues if further analysis is indicated.
• The first result returned by an MAA profile is displayed, rather than waiting for all results to be returned.
• Android APK files can be sent to the MAA for detonation.
• Support for endpoint analysis providers is included.
• New File Type report: pattern-based detection to approximate the file type transmitted.
• The Login Correlation Service supports Windows Server 2012 DCs.
• Signature-based scanning is enabled by default (and can be disabled in the GUI).
• YARA rules for live exploits are available for Local File Analysis.
• Artifacts can be extracted when application_id~unknown.
• A new Protocol field is displayed in artifact entries.
• A fix was included for the CVE-2014-1943 exploit.
• The Summary screen was not displayed in IE9.
• The Authentication settings page was taking too long to load in some circumstances.
• Some reports were not being completed.
• Invalid dates were being produced in deepsee_reports/index pivots.

Known Issues
• In some extremely rare cases, *_verdict reports can show double the amount of data in the rows compared to the total. To resolve the issue, run the report again.
• Manual extractions (GUI-initiated) may sometimes crash during the cleanup phase of a canceled manual extraction. The occurrence is noted in /var/log/messages.
• You cannot create a valid protocol=ftp_data filter by right-clicking FTP Data on the GUI; instead, manually type protocol=ftp_data in the advanced filter.
• Data that is replayed from multiple interfaces may replay at a slower speed than selected.
• If you are using Norman Shark as a third-party, on-demand integration provider and are experiencing issues with its remote notifications, please contact support.
• When pivoting to Security Analytics from the Malware Analysis Appliance (MAA), the timespan for the Summary pages is set to five minutes before and after the task was created on the MAA. If the sample came from a PCAP with older, retained timestamps, or if the sample was submitted manually, the original data for the sample is not displayed on the Summary pages. Manually selecting a timespan that corresponds to the original capture date will retrieve the proper data.

Release Notes: Security Analytics 7.1.5

Blue Coat Security Analytics Platform 7.1.5 is a cumulative maintenance release that provides faster report generation, more flexible PCAP downloading, more detailed information on the alerts page (including a direct link to the detonation report on your MAA), and the Web interface and help files in five languages besides English.

Features
• An improved indexing method results in a general report performance improvement (applies only to data captured with version 7.1.5 and later).
• Improved PCAP downloader:
  o Can run in the background
  o Supports browser download
  o Supports saving to a remote path (CIFS/NFS)
  o Supported via the CMC
• Known SMB fragments can be viewed or hidden on the Extractions page.
• GUI and Help Files are available in Japanese, French, Italian, Spanish, and German as well as English.
• Reports and extractions can be stopped on the GUI before completion.
• The Alerts List page shows the alert type: malware, file, URL, or from the cache.
• A link to the Malware Analysis Appliance (MAA) task is available from the alert that the MAA returned.
• Alerts can be filtered by import_id, either directly from the Import PCAP page or in the Advanced Filter on the Alerts pages.
• VM detection capability has been upgraded.
• LDAP anonymous BIND DN is supported.
• Telnet sessions are extracted and displayed on Analyze > Summary > Extractions. In the artifact preview, the messages are marked with <server> and <client> tags.
• MAA data (appliance, profile, task) is sent in syslog messages.
• The report creation line includes report_id and query_id to facilitate correlation.
• The Advanced Filters are no longer case-sensitive.
• The Job ID is included on the Retrospective Jobs page.
• A new attribute and report, machine_id, is the combination of two values: NetBIOS Caller and LLMNR.
• The hostname of the sensor is sent to the MAA along with the sample to be detonated.
• MPIO (multipath I/O) support for the storage modules has been added.

Enable Fuzzy Hash for Data Enrichment

By default, the fuzzy hash is not calculated for data-enrichment operations. To enable fuzzy-hash calculation, edit the following value in /etc/solera/extractor/extractord.conf:

    # Flag to calculate the fuzzy hash
    calc_fuzzy_hash=1

Remove the # in front of calc_fuzzy_hash and set the value to one.

Fixes
• Vulnerabilities related to Shellshock, BERserk, and other CVEs have been addressed. For more information, see the Red Hat Security Blog, Shellshocker.net, PC Advisor, NIST.gov, or CERT.org.
  o CVE-2014-7186
  o CVE-2014-6271
  o CVE-2014-7187
  o CVE-2014-7169
  o CVE-2014-6277
  o CVE-2014-1568, CERT VU#772676
  o CVE-2014-6278
• The difference between the Active and Inactive icons is now discernible by color-blind users.
• Domain Controller autodiscovery for the Login Correlation Service was not operable.
• Hourly cron jobs have staggered start times.
• The non-TCP flow-timer delay was changed from 60 seconds to 5 seconds to avoid having both an intermediate and a completed flow entry in the index.
• The CMC and the sensors use the same rules when purging excessive alerts.
• Improved accuracy of the unindexed flows indicator.
• ThreatBLADE alerts sent via email contained a link to the wrong location.
• Reports between the CMC and sensor are stored in /home/apache/tmp to avoid prematurely filling up /tmp.
• PCAPs downloaded via the CMC were not being deleted from /home/apache/tmp.
• User deletion from sensors was not always complete.
• Adding an authorized user to a sensor did not appear to work.
• Artifacts were not downloading properly from the CMC when using the GET: /artifacts/download API call.
• Reports saved as PDFs were sorting on a different column than the one specified in the UI.
• The timeout on evaluation appliances is now automatically disabled when they are purchased.
• When sending files to FireEye, the default base has changed from winxp-base to winxp-sp2.

Known Issues
• Newly captured data is no longer indexed using the packet-based attributes packet_length, ethernet_source(_vendors), and ethernet_destination(_vendors). Beginning in version 7.1.5, these attributes are replaced by ethernet_initiator(_vendors) and ethernet_responder(_vendors).
  o Only data that was captured prior to version 7.1.5 will produce reports for the old attributes.
  o As a result, the Possible DNS Tunneling favorite is inoperable unless you remove the packet_length attribute from the filter.
  o To enable packet-length indexing after upgrading to version 7.1.5, edit the /etc/init.d/solera-shaft file to include -l (lower-case L) in the OPTIONS line, e.g., OPTIONS="-b -A -l"
  o To view the new Ethernet-related report widgets in the Ethernet Layer view on the Summary page, add them manually by selecting Ethernet Layer from the view selector and then selecting Actions > Add/Edit Widgets.
• After you manually send a reputation request to a ThreatBLADE or an MAA, the result may be delayed for several minutes during times when the data-enrichment process is experiencing low activity levels.
• While importing a PCAP from the browser, do not click the blue progress indicator to select another PCAP file to import. Doing so prevents the PCAP downloads from completing. The workaround is to cancel the import and use separate browser windows to import multiple PCAPs at once.

Release Notes: Security Analytics 7.1.4

Blue Coat Security Analytics Platform 7.1.4 is primarily a patch update that includes support for more detailed remote notifications.

Features
• When creating remote-notification templates (SNMP, syslog, SMTP), you can now include MD5 and SHA1 hashes.
• Remote notifications now include whether the alert is for a URL, malware, or a file.
• More than 2000 application signatures are now available.

Fixes
• The estimated PCAP size was 0 when downloading the PCAP through a CMC.
• Some LDAP groups were not available for role-based access control.
• The sudoers file was not being parsed successfully after some upgrades.
• The extractor was failing to detect and delete duplicate callbacks in reassembled TCP flows.
• The system was automatically cleaning up files sent to the MAA rather than allowing the MAA to control cleanup.
• Flows were timing out when packets' timestamps appeared out of order.
• Data was missing in some reports.
• Some unknown motherboards were not being properly identified.

Known Issues

Data-Enrichment Job Counts
When you upload the same PCAP more than once, the data-enrichment job count may differ each time because of the state of the cache.

Authenticated Proxies
To configure the Security Analytics Platform to use an authenticated proxy, edit /etc/environment as follows:

    http_proxy="http://<username>:<password>@<IP_address>:<port>"
    https_proxy="http://<username>:<password>@<IP_address>:<port>"

If the proxy performs a certificate handshake for SSL traffic, add the CA certificate (PEM format) as follows:

    cp /etc/pki/tls/certs/ca-bundle.crt /etc/pki/tls/certs/ca-bundle.crt.bak
    openssl x509 -text -in <new_cacert>.crt >> /etc/pki/tls/certs/ca-bundle.crt
    openssl verify -CAfile /etc/pki/tls/certs/ca-bundle.crt <new_cacert>.crt

Reboot to apply the changes.

WebThreat BLADE Mappings
To reduce the number of alerts generated by the WebThreat BLADE, the categories that trigger alerts have been limited to security risks. For further information, see the release notes for version 7.1.7.

FTP Mover with Proxy
The data-enrichment option FTP Mover does not support a proxy environment.

MAA API Key Error
If you change the MAA API key after performing successful detonations, the Security Analytics error message shows as invalid_key.
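For the Authenticated Proxies entry above, the following added example (not Blue Coat code) builds the two /etc/environment lines from the release-note template and checks that they parse back correctly. The point it adds is the edge case the template leaves implicit: a username or password containing '@', ':', '/' or '%' must be percent-encoded, or the proxy URL is split at the wrong character. The function names and the sample credentials are this example's own.

```python
# Added example, not Blue Coat code: builds the http_proxy / https_proxy lines
# for /etc/environment from the Authenticated Proxies template above, with the
# credentials percent-encoded so that '@', ':', '/' and '%' in a password do
# not break the URL. Function names and sample values are constructed here.
from urllib.parse import quote, unquote, urlsplit


def build_proxy_url(username, password, ip_address, port):
    """Return http://<username>:<password>@<IP_address>:<port> with the
    user and password percent-encoded (safe='' so ':' and '/' are escaped)."""
    port = int(port)
    if not 0 < port < 65536:
        raise ValueError("port out of range: %d" % port)
    return "http://%s:%s@%s:%d" % (
        quote(username, safe=""), quote(password, safe=""), ip_address, port)


def environment_lines(username, password, ip_address, port):
    """The two lines to add to /etc/environment. Both name the same HTTP
    proxy endpoint, exactly as in the release-note template."""
    url = build_proxy_url(username, password, ip_address, port)
    return ['http_proxy="%s"' % url, 'https_proxy="%s"' % url]


def parse_proxy_url(url):
    """Decode a proxy URL back to (username, password, host, port) so the
    encoded form can be checked before it is written to the file."""
    parts = urlsplit(url)
    return (unquote(parts.username or ""), unquote(parts.password or ""),
            parts.hostname, parts.port)


if __name__ == "__main__":
    # Constructed sample: a password that would break an unencoded URL.
    for line in environment_lines("svc-proxy", "p@ss:w/rd", "10.0.0.1", 3128):
        print(line)
    print(parse_proxy_url(build_proxy_url("svc-proxy", "p@ss:w/rd", "10.0.0.1", 3128)))
```

Note that /etc/environment is typically readable by every local account, so the proxy credentials placed there are visible to anyone with shell access to the appliance; a dedicated proxy account with no other privileges limits what that exposure is worth.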
Release Notes: Security Analytics 7.1.3

Blue Coat Security Analytics Platform 7.1.3 supports GRE-encapsulated IPv4, IPv6, and WCCP traffic and provides new reports and features to help detect the OpenSSL Heartbleed vulnerability (CVE-2014-0160).

GRE-Encapsulation Support

The following figure shows how GRE-encapsulated traffic appears on the Summary page in a customized view. The endpoints of the GRE tunnel are displayed in the new Tunnel Initiator and Tunnel Responder report widgets. The IPv4 Conversation report widget shows the IPv4 sessions that were encapsulated in the GRE tunnel. The IPv6 Conversation report widget would show any GRE-encapsulated IPv6 sessions.

The Extractions page displays the artifacts that passed through the GRE tunnel:

Heartbleed Vulnerability Detection

The following reports and their respective attributes can be used to detect attempts to exploit the Heartbleed vulnerability (CVE-2014-0160).

• TLS Heartbeat Mismatch (tls_heartbeat_mismatch) — Detects when the length of a heartbeat reply message is not equal to the length of the heartbeat request message.
• TLS Heartbeat Attack Attempt (tls_heartbeat_attack_attempt) — Detects when the message length field in a heartbeat request does not match the (D)TLS record-length field.

  Note: If encryption has been established before the heartbeat requests begin, tls_heartbeat_attack_attempt will not register a hit; however, the attempt can still be detected by tls_heartbeat_mismatch even when the message is encrypted.

• SSL Serial Number (ssl_serial_number) — Displays the serial number (hex) of SSL certificates.

Retooled Data Reprocessing

Data that was captured prior to the release of 7.1.3 can be reprocessed (Capture > Actions > Reprocess) so that the data is also reindexed. Such reprocessing permits the Security Analytics Platform to detect TLS heartbeat mismatches and attack attempts and to list the SSL certificate serial numbers. This combination of reindexing with the reprocessing function is a permanent addition to the platform.

A new Reprocessing Jobs page has also been added to the UI so that you can see the progress of reprocessing and reindexing jobs. Select Capture > Actions > Reprocess to view the page and to manually initiate reprocessing jobs.

New WebPulse Mapping in the WebThreat BLADE

To reduce the number of alerts generated by the WebThreat BLADE, the categories that trigger alerts have been limited to security risks. Socially and legally questionable categories no longer generate an alert.
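Returning to the two Heartbleed attributes above, the following added example (not Blue Coat code and not the platform's implementation) reproduces both checks over raw TLS records so that the difference between them, and the caveat in the note, can be read and tested: tls_heartbeat_attack_attempt needs to see the payload_length field inside the request, so it only works on plaintext records, while tls_heartbeat_mismatch compares only the outer record lengths of request and reply and therefore still applies once the session is encrypted. Record layout follows RFC 6520; the sample records are constructed for the test and the function names are this example's own.

```python
# Added example, not Blue Coat code: the two heartbeat checks that the
# tls_heartbeat_attack_attempt and tls_heartbeat_mismatch reports describe,
# implemented over raw TLS records. Record layout follows RFC 6520 (heartbeat
# content type 24). All sample records are constructed, not captured traffic.
import struct

HEARTBEAT_CONTENT_TYPE = 0x18
HB_REQUEST, HB_RESPONSE = 1, 2
MIN_PADDING = 16  # RFC 6520 requires at least 16 bytes of padding


def parse_record(data):
    """Split one TLS record into (content_type, version, record_len, body)."""
    if len(data) < 5:
        raise ValueError("truncated TLS record header")
    content_type, version, record_len = struct.unpack("!BHH", data[:5])
    body = data[5:5 + record_len]
    if len(body) != record_len:
        raise ValueError("record body shorter than its length field")
    return content_type, version, record_len, body


def heartbeat_attack_attempt(record):
    """tls_heartbeat_attack_attempt: the payload_length field inside a
    heartbeat request claims more bytes than the enclosing TLS record holds.
    Only decidable on plaintext records: once the session is encrypted the
    inner length field is opaque, which is the caveat in the note above."""
    content_type, _version, record_len, body = parse_record(record)
    if content_type != HEARTBEAT_CONTENT_TYPE or len(body) < 3:
        return False
    hb_type, payload_len = struct.unpack("!BH", body[:3])
    if hb_type != HB_REQUEST:
        return False
    return 3 + payload_len + MIN_PADDING > record_len


def heartbeat_mismatch(request_record, response_record):
    """tls_heartbeat_mismatch: the reply's record length differs from the
    request's. Compares only the outer record lengths, so it still applies
    when the heartbeat messages themselves are encrypted."""
    _, _, req_len, _ = parse_record(request_record)
    _, _, resp_len, _ = parse_record(response_record)
    return req_len != resp_len


def build_heartbeat(hb_type, payload, claimed_len=None, version=0x0302):
    """Constructed test fixture: one plaintext heartbeat record. claimed_len
    lets a test create a request whose length field disagrees with the
    record, which is the condition the first check flags."""
    claimed = len(payload) if claimed_len is None else claimed_len
    body = struct.pack("!BH", hb_type, claimed) + payload + b"\x00" * MIN_PADDING
    return struct.pack("!BHH", HEARTBEAT_CONTENT_TYPE, version, len(body)) + body


def classify(request_record, response_record):
    """Return the set of report attributes a request/response pair would hit."""
    hits = set()
    if heartbeat_attack_attempt(request_record):
        hits.add("tls_heartbeat_attack_attempt")
    if heartbeat_mismatch(request_record, response_record):
        hits.add("tls_heartbeat_mismatch")
    return hits


if __name__ == "__main__":
    good_req = build_heartbeat(HB_REQUEST, b"ping")
    good_resp = build_heartbeat(HB_RESPONSE, b"ping")
    bad_req = build_heartbeat(HB_REQUEST, b"ping", claimed_len=0x4000)
    leaked_resp = build_heartbeat(HB_RESPONSE, b"\x00" * 0x4000)
    print("benign pair:", classify(good_req, good_resp))
    print("oversized request and reply:", classify(bad_req, leaked_resp))
```

The second check is the one to rely on for sessions that were already encrypted when the heartbeats started, which is also why the 7.1.3 known issue below points to tls_heartbeat_mismatch for encrypted protocols.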
WebPulse categories in the mapping (removed categories no longer generate an alert):
• Adult/Mature Content
• Malicious Sources/Malnets
• Pornography
• Placeholders
• Extreme
• Malicious Outbound Data/Botnets
• Spam
• Scam/Questionable/Illegal
• Gambling
• Mixed Content/Potentially Adult
• Hacking
• Potentially Unwanted Software
• File Storage/Sharing
• Dynamic DNS Host
• Phishing
• Proxy Avoidance
• Child Pornography
• Web Hosting
• Computer/Information Security
• Unrated
• Piracy/Copyright Concerns
• Suspicious

Fixes
• In some cases, a symlink in var/lib/pgsql was not preserved during upgrade.
• Unicode decode errors were preventing Data Enrichment from functioning.
• The performance of the reindexing function has been improved.
• ThreatCLOUD access through ProxySG is now functional.

Known Issues
• If you reprocess data that was captured before version 7.1.3, the tls_heartbeat_attack_attempt attribute will not be applied to encrypted protocols such as SSH, ISAKMP, and IPsec. Heartbleed attacks can still be detected using the tls_heartbeat_mismatch attribute.
• If you attempt to access the new Reprocessing Jobs page through a CMC, that page will not be visible on the CMC. However, a reprocessing job that is manually initiated via the CMC will be created as before.
• The file /etc/solera/meta/metapocrypha.json is not preserved during upgrade, so any customized metadata (CustomAnalytics BLADE trial version) will be overwritten.
  Furthermore, the version of metapocrypha.json that is installed with version 7.1.3 contains the three new attributes/reports, so merely saving the file and copying it back after the upgrade will erase the three new attributes. To address this issue, try one of these methods:
  o Use diff and patch (or another tool that is compatible with UNIX file formats) to compare your altered metapocrypha.json with canonical-metapocrypha.json (in the same directory). Prior to the upgrade, back up both metapocrypha.json and canonical-metapocrypha.json. After the upgrade, use diff and patch to compare the backed-up metapocrypha.json with the new canonical-metapocrypha.json and add your customizations while preserving the new attributes. Be sure to validate, verify, and test prior to copying the altered file to the upgraded appliance.
  o Manually add your customized attributes to the new metapocrypha.json.
  o Manually add the new 7.1.3 attributes to your backed-up metapocrypha.json:

    "active tags" : [
      …
      "tag:ssl_serial_number",
      …
    ],
    "directories" : {
      …
      "ssl_serial_number" : { "columns" : [ "tag:ssl_serial_number" ] },
      …
      "tls_heartbeat_mismatch" : { "columns" : [ "tls_heartbeat_mismatch" ] },
      "tls_heartbeat_attack_attempt" : { "columns" : [ "tls_heartbeat_attack_attempt" ] },
      …
    },
    "columns" : {
      …
      "tls_heartbeat_mismatch" : { "namespace" : "flows", "size" : 1 },
      "tls_heartbeat_attack_attempt" : { "namespace" : "flows", "size" : 1 },
      …
      "tag:ssl_serial_number" : { "namespace" : "flows", "name" : "aggregate_ssl_serial_number_hooks", "size" : 4096, "variable" : true, "tag" : true, "packed" : true, "fallback" : true },
      …
    },
    "tags" : {
      …
      "tag:ssl_serial_number" : { "attributes" : [ "SSL:SERIAL_NUMBER" ] },
      …
    },
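The second method above (add your customizations to the new metapocrypha.json rather than restoring the old file) can be done mechanically for the four sections the fragment names. The following added example (not Blue Coat code) merges a backed-up, customized file into the new canonical file, lets the canonical definitions win so the three 7.1.3 attributes survive, reports any key that exists in both with different definitions instead of silently overwriting it, and cross-checks that every directory column and active tag is defined. The section names come from the fragment on the page; the sample documents are constructed, and the custom attribute custom_beacon_score is hypothetical.

```python
# Added example, not Blue Coat code: merge a backed-up, customized
# metapocrypha.json into the canonical-metapocrypha.json shipped with 7.1.3.
# Section names ("active tags", "directories", "columns", "tags") are taken
# from the fragment above; the documents below are constructed samples and the
# custom attribute custom_beacon_score is hypothetical.
import json

LIST_SECTIONS = ("active tags",)
DICT_SECTIONS = ("directories", "columns", "tags")


def merge_metapocrypha(canonical, backup):
    """Return (merged, conflicts). Canonical entries always win so the new
    7.1.3 attributes survive; customized entries are added when absent from
    canonical. A key defined differently in both files is reported, not merged."""
    merged = json.loads(json.dumps(canonical))  # deep copy; leave inputs untouched
    conflicts = []
    for section in LIST_SECTIONS:
        have = merged.setdefault(section, [])
        for item in backup.get(section, []):
            if item not in have:
                have.append(item)
    for section in DICT_SECTIONS:
        have = merged.setdefault(section, {})
        for key, value in backup.get(section, {}).items():
            if key not in have:
                have[key] = value
            elif have[key] != value:
                conflicts.append((section, key))
    return merged, conflicts


def validate(doc):
    """Cross-check that every directory column and active tag is defined."""
    problems = []
    for name, directory in doc.get("directories", {}).items():
        for col in directory.get("columns", []):
            if col not in doc.get("columns", {}):
                problems.append("directory %s references undefined column %s" % (name, col))
    for tag in doc.get("active tags", []):
        if tag not in doc.get("tags", {}):
            problems.append("active tag %s has no tags entry" % tag)
    return problems


def merge_files(canonical_path, backup_path, output_path):
    """Merge two files on disk and return the conflict list. The page names
    /etc/solera/meta/metapocrypha.json and canonical-metapocrypha.json in the
    same directory; write the output elsewhere and review it before copying."""
    with open(canonical_path) as f:
        canonical = json.load(f)
    with open(backup_path) as f:
        backup = json.load(f)
    merged, conflicts = merge_metapocrypha(canonical, backup)
    with open(output_path, "w") as f:
        json.dump(merged, f, indent=2)
    return conflicts


# Constructed sample: the three 7.1.3 entries from the fragment above.
CANONICAL_7_1_3 = {
    "active tags": ["tag:ssl_serial_number"],
    "directories": {
        "ssl_serial_number": {"columns": ["tag:ssl_serial_number"]},
        "tls_heartbeat_mismatch": {"columns": ["tls_heartbeat_mismatch"]},
        "tls_heartbeat_attack_attempt": {"columns": ["tls_heartbeat_attack_attempt"]},
    },
    "columns": {
        "tls_heartbeat_mismatch": {"namespace": "flows", "size": 1},
        "tls_heartbeat_attack_attempt": {"namespace": "flows", "size": 1},
        "tag:ssl_serial_number": {"namespace": "flows", "name": "aggregate_ssl_serial_number_hooks",
                                  "size": 4096, "variable": True, "tag": True, "packed": True, "fallback": True},
    },
    "tags": {"tag:ssl_serial_number": {"attributes": ["SSL:SERIAL_NUMBER"]}},
}

# Constructed sample: a pre-upgrade file with one hypothetical custom attribute.
BACKUP_CUSTOMIZED = {
    "active tags": ["tag:custom_beacon_score"],
    "directories": {"custom_beacon_score": {"columns": ["tag:custom_beacon_score"]}},
    "columns": {"tag:custom_beacon_score": {"namespace": "flows", "size": 2, "tag": True}},
    "tags": {"tag:custom_beacon_score": {"attributes": ["CUSTOM:BEACON_SCORE"]}},
}

if __name__ == "__main__":
    merged, conflicts = merge_metapocrypha(CANONICAL_7_1_3, BACKUP_CUSTOMIZED)
    print(json.dumps(merged, indent=2))
    print("conflicts:", conflicts, "problems:", validate(merged))
```

A non-empty conflict list is the case the note warns about: a stock key that was edited locally, which needs a human decision rather than an automatic merge.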
Release Notes: Security Analytics 7.1.1

Blue Coat Security Analytics Platform 7.1.1 offers considerable performance improvement as well as some UI enhancements for increased data visibility.

Enhancements
• Signature-based extraction can be enabled as a secondary method during protocol-based extraction.
• Extraction and enrichment progress is displayed during PCAP import.
• The Artifact ID is displayed for child alerts.
• Data-enrichment jobs and related data are displayed in the Capture Summary Graph.
• ThreatBLADE alerts can be sent as remote notifications.
• Signatures for new malware discovered by the Malware Analysis Appliance are sent to the global WebPulse database.
• Providers for Local File Analysis can be customized.

Performance Improvement
• Report performance has been optimized.
• Data-enrichment jobs complete in less time.

Fixes
• Software upgrade no longer changes the root password expiry.
• A CentOS script error has been corrected.
• Capture filters longer than 2048 characters could not be added.
Release Notes: Security Analytics 7.1.0

Blue Coat Security Analytics Platform 7.1.0 offers significant enhancements and new features, including all-new, protocol-based ThreatBLADES. The ThreatBLADES provide intelligence that points to the details of advanced threats, targeted attacks, and anomalous activity. In the near future, organizations will be able to take advantage of integrated Blue Coat sandbox technology to gain protection against advanced malware.

Security Analytics and Threat Intelligence

Blue Coat ThreatBLADES for Advanced Threat Protection are available on an annual subscription basis.

Malware Analysis Appliance
Support for connectivity to the MAA is now available in 7.1, with the option to send potentially malicious file samples to multiple MAA profiles sequentially or in parallel. The unique hybrid design combines Blue Coat VM and emulation sandboxes to deliver unrivaled malware and threat detection. Users can manually send files for detonation, or the process can be automated from either the Security Analytics Platform or the Blue Coat Content Analysis System.

WebThreat BLADE
URL reputation and classifications powered by the Blue Coat Global Intelligence Network, as well as analysis of files transported over HTTP. The WebThreat BLADE provides two reports that draw their verdicts from a local copy of the WebPulse database. If WebPulse returns a verdict of 5 or higher (unknown through malicious) for an artifact, that artifact is queried against the live, cloud-hosted Global Intelligence Network for evaluation.
• Local File Analysis — HTTP-transported files are extracted and evaluated for known threats.
• Local URL Analysis — URL threat level as calculated by a local copy of the WebPulse database.
• Local URL Categories — URL category returned from a local copy of the WebPulse database.
• Live URL Analysis — URL threat level as calculated by the live Global Intelligence Network.
• Live URL Categories — URL category returned from the live Global Intelligence Network.
• Malware Analysis — Files for which the WebThreat BLADE has no information are sent to the Malware Analysis Appliance for detonation. Data for this report is available only in conjunction with the Malware Analysis Appliance. There may be a delay of a few minutes in reporting a verdict after the URL is extracted.

MailThreat BLADE
Comprehensive scanning of mail protocols, provided by the Global Intelligence Network. The MailThreat BLADE provides the following reports and report widgets:
• File Analysis — Degree of risk (very low to very high) or unknown for files extracted from the SMTP, IMAP, and POP3 protocols.
• Malware Analysis — Files for which the MailThreat BLADE has no information are sent to the Malware Analysis Appliance for detonation. Data for this report is available only in conjunction with the Malware Analysis Appliance.

FileThreat BLADE
Analyzes files that are transported over FTP, SMB, and TFTP.
• File Analysis — Files are extracted and evaluated for known threats.
• Malware Analysis — Files for which the FileThreat BLADE has no information are sent to the Malware Analysis Appliance for evaluation. Data for this report is available only in conjunction with the Malware Analysis Appliance. There may be a delay of some minutes in reporting a verdict after the file is extracted.
WebPulse Database
Blue Coat's WebPulse continually acquires the latest defenses from millions of users worldwide. Version 7.1 provides two ways to use WebPulse's massive resources: directly, from the cloud, and locally, from an onboard copy of the database. Users can configure the frequency of local WebPulse database updates as well as specify a custom location for the database to reside. Malware Analysis Appliance users can elect to contribute the results of EXE and DLL detonation to the WebPulse cloud for the benefit of other WebPulse customers.

Preview Only in Version 7.1

To get a sneak peek of these features, contact Solera Networks Support:
• Toll-Free (U.S. and Canada): 888-860-5705
• International: +1 801-545-4002
• Web: www.bluecoat.com/support
• Email: [email protected]

CustomAnalytics BLADE
Includes an open parser for specific types of data, complex rules that detect series of events, and customized metadata for reports.

SCADAThreat BLADE
Provides extensive metadata analysis for the MODBUS and DNP3 protocols.

BlackBox Recorder
Like a flight recorder on an airplane, it captures all network events until a security incident requires that you "break the glass" to view its contents.

Extractions

New Extraction Method
Prior to version 7.1, the Security Analytics Platform used signature-based extraction to produce artifacts. Beginning in this version, extraction is protocol-based.
Artifacts are now extracted from the following protocols: • • • • • • HTTP TCP TFTP SMB FTP FTP-Data • o o o Email Protocols POP3 IMAP SMTP • o o o VoIP Protocols SIP MGCP RTP, RTCP • o o o o o o o IM Protocols SIP MGCP RTP RTCP AIM AIM Express AIM Transfer o o o o o o o o o o o o o Badoo eBuddy Facebook Google Chat IRC Jabber MSN PalTalk QQ Transfer Second Life Teamspeak v2 Yahoo Messenger Yahoo Web Messenger Archive Extraction and Analysis In Version 7.1, compressed archives are extracted and their component files analyzed. Improved Artifact Display To assist the user in associating related artifacts from a single flow, the Extractions results list displays additional information. 1 — Collapse the Advanced Filter panel for a wider window. 2 — HTTP Response icons 1xx — Informational 3xx — Redirection 5xx — Server Error 2xx — Success 4xx — Client Error Header not available 3 — Date is omitted to save space unless the extraction spans multiple days 4 — HTTP Request method is displayed 16 of 19 Copyright © 2015 Solera Networks, a Blue Coat Company. All rights reserved worldwide. No part of this document may be reproduced by any means nor translated to any electronic medium without the written consent of Blue Coat Systems, Inc. Blue Coat, ProxySG, PacketShaper, CacheFlow, IntelligenceCenter and BlueTouch are registered trademarks of Blue Coat Systems, Inc. in the U.S. and worldwide. Solera is a trademark of Solera Networks, a Blue Coat company. All other trademarks mentioned in this document are the property of their respective owners. New Preview Types • Text preview for FTP session artifacts displays each step in an FTP session: • File command preview, such as the artifact filename, file modification date/time, application version, flags, and so on: • Strings command preview. The strings command returns each string of printable characters in files. 
Its main uses are to determine the contents of, and to extract text from, binary files, i.e., non-text files.
• HTTP Headers preview displays the HTTP request and response headers.
• For HTTP POSTs, the payload has a separate entry from the original POST and is displayed below it. The payload artifact does not display an HTTP method or an HTTP response icon.
• Click Show Payload to see a separate artifact entry for the payload.

User-Configurable File Classification
You can specify which method determines the file type of an artifact. Select [Account Name] > Preferences:
• Artifact MIME-Type Display — Specify the method for the extractor to determine the file type:
  o MIME — Use the value in the Content-Type field of the HTTP or email header, else return unknown.
  o Magic — Use the embedded magic number or file signature, else return unknown.
  o Derived — If both MIME and magic values are present, use internal logic to determine the most likely file type.

Easier Extraction Cancelation
Prior to this version, you could only Save and Stop or Save and Continue an extraction. Extractions can now be canceled without having to save the extraction. During an extraction, select Actions > Stop Extraction and wait until the status shows Canceled 100%. (The percentage does not reflect how much data was extracted before stopping.) After the extraction has stopped, you can select Actions > Save to save the data that was extracted before the process was canceled. After you have saved the data, you may restart the extraction by selecting Actions > Rerun.

Free User-Initiated Queries
In the absence of a WebThreat BLADE or FileThreat BLADE subscription, users can still see an artifact's reputation from the Extractions page. Click Reputation to manually request information on the artifact from common reputation providers. Users are entitled to 1000 requests per month without charge.

Data Enrichment File-Type Filter
To avoid sending every file type through data enrichment, you can now select which file types to send or omit. File types to select on Settings > Data Enrichment include Adobe PDFs, archives, configuration files, downloads, email, images, multimedia, office productivity, programs and libraries, web pages, and JavaScript.

Login Correlation Service
An updated version of the Login Correlation Service is available. Download the new version from Settings > Data Enrichment and launch the installation to update an existing setup. The new version number is visible after you launch SOLERA NETWORKS > DeepSee Login Correlation Service.

Syslog Facility Configuration
From the CLI, users can set up a many-to-many relationship among syslog servers and facilities. Prior to version 7.1, multiple servers could be assigned to a single facility but not multiple facilities to one or more servers.

Fixes
• Different-sized hard disks were not being classified properly.
• In 6.6.8 to 7.0 upgrades, ssh.allow was not being removed as a requirement in /etc/pam.d/login and sshd.
• Resetting the zoom on the Capture Summary Graph increased the total bytes captured display.
• Large scheduled reports were causing system failure.
• The RADIUS Auth Access-Request field contained malformed data.
• Artifact keyword searches were not working on the Central Manager Console (CMC).
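The three classification modes listed under User-Configurable File Classification (MIME, Magic, Derived) are three small decision rules, and seeing them side by side makes clear why the choice matters: the Content-Type header is supplied by the remote party, while the magic number comes from the bytes actually captured. The following Python is an added example written for this page; it is not code from the Security Analytics product or from Blue Coat. The signature table is a constructed handful of well-known leading-byte signatures, and because the product's "internal logic" for Derived mode is not described here, the policy implemented (prefer the magic number when both are present and record the disagreement) is an assumption made for illustration.

```python
"""Artifact file-type classification: MIME header, magic number, or derived.

Added example; not the Security Analytics implementation. The signature
table and the Derived-mode policy are assumptions made for illustration.
"""
from typing import Optional, Tuple

UNKNOWN = "unknown"

# Constructed table of a handful of well-known leading-byte signatures.
# A real classifier carries a far larger database; this is only illustrative.
MAGIC_SIGNATURES = (
    (b"%PDF-", "application/pdf"),
    (b"PK\x03\x04", "application/zip"),
    (b"MZ", "application/x-dosexec"),
    (b"\x89PNG\r\n\x1a\n", "image/png"),
    (b"GIF87a", "image/gif"),
    (b"GIF89a", "image/gif"),
    (b"\xff\xd8\xff", "image/jpeg"),
)


def mime_type(content_type: Optional[str]) -> str:
    """MIME mode: use the Content-Type header value, else unknown.

    Parameters such as '; charset=utf-8' are stripped and the media type is
    lower-cased so that it can be compared with a magic-number result.
    """
    if not content_type:
        return UNKNOWN
    media_type = content_type.split(";", 1)[0].strip().lower()
    return media_type or UNKNOWN


def magic_type(data: bytes) -> str:
    """Magic mode: match the leading bytes against known signatures, else unknown."""
    for signature, media_type in MAGIC_SIGNATURES:
        if data.startswith(signature):
            return media_type
    return UNKNOWN


def derived_type(content_type: Optional[str], data: bytes) -> Tuple[str, bool]:
    """Derived mode (assumed policy): combine both sources into one verdict.

    Returns (file_type, mismatch). When both a header value and a magic match
    are available, the magic number wins because the header is chosen by the
    sender, and mismatch=True records that the two disagreed. With only one
    source available, that source is used and no mismatch is reported.
    """
    declared = mime_type(content_type)
    observed = magic_type(data)
    if observed != UNKNOWN and declared != UNKNOWN:
        return observed, observed != declared
    if observed != UNKNOWN:
        return observed, False
    return declared, False


if __name__ == "__main__":
    # Constructed artifact: a header claiming HTML over a DOS/Windows executable stub.
    header = "text/html; charset=utf-8"
    body = b"MZ\x90\x00\x03\x00\x00\x00"
    print("MIME   :", mime_type(header))
    print("Magic  :", magic_type(body))
    print("Derived:", derived_type(header, body))
```

From an analyst's point of view the mismatch flag is the useful output: an artifact whose header declares text/html while its bytes carry an executable signature is exactly the case that MIME mode alone would classify as a web page, so a report built on MIME mode hides it, while Magic or Derived mode surfaces it for review.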
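The Strings command preview described under New Preview Types walks a file and keeps only runs of printable characters. As an added example, which is not the product's implementation and not code from Blue Coat or Solera Networks, here is that algorithm in Python over a constructed sample buffer; the minimum run length of 4 mirrors the usual default of the Unix strings utility and is an assumption, not a documented product setting.

```python
"""Extract runs of printable ASCII from a binary buffer (strings-style preview).

Added example; not the Security Analytics implementation.
"""
import string
from typing import List

# Printable ASCII in the sense the strings utility uses it: letters, digits,
# punctuation, space and tab. Newlines and other control bytes end a run.
_PRINTABLE = frozenset(
    (string.ascii_letters + string.digits + string.punctuation + " \t").encode("ascii")
)


def extract_strings(data: bytes, min_len: int = 4) -> List[str]:
    """Return every run of at least min_len printable bytes, in file order."""
    found: List[str] = []
    run = bytearray()
    for byte in data:  # iterating bytes yields integers 0..255
        if byte in _PRINTABLE:
            run.append(byte)
            continue
        if len(run) >= min_len:
            found.append(run.decode("ascii"))
        run.clear()
    if len(run) >= min_len:  # a run may end exactly at end-of-file
        found.append(run.decode("ascii"))
    return found


# Constructed sample: an executable-like header stub with embedded text and a URL.
SAMPLE = (
    b"MZ\x90\x00\x03\x00\x00\x00"
    b"This program cannot be run in DOS mode.\r\n\x00\x00"
    b"http://example.invalid/update\x00\x01ab\x00"
)

if __name__ == "__main__":
    for s in extract_strings(SAMPLE):
        print(s)
```

The short "MZ" and "ab" runs fall below the minimum length and are dropped, while the embedded message and the URL are returned in order. This is what makes the preview useful during triage: URLs, file paths and command strings inside an extracted binary can be read without running it.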