Infosec Cloud
The 'chat' from the cloud

Keep up-to-date with the latest trends, hints and tips on cloud-based security

Finding the Value in the Blue Coat Solution

Date: Jan 20, 2014

Category: Blog

Guest Post: Tim Chiu, Blue Coat

I was recently in a discussion with a CIO, and he informed me that all pitches from all the vendors he’s been talking to sound the same. Specifically, he was of the belief that there was nothing unique about the Blue Coat solution, and he did not believe our claim that we were the only vendor offering our type of malware prevention and detection. He said our solution sounded like everyone else’s.

This CIO refused to take a meeting with anyone until we put into writing how we thought we were unique and different. So, working with the Blue Coat WebFilter and Webpulse team, we came up with the following. I thought it would be useful to share for those of you interested in Blue Coat technologies:

First, let me start with the scope of Blue Coat’s visibility into web traffic around the world; that sets the stage for understanding Blue Coat’s unique capabilities for detecting malware, specifically what we call malnets (malware networks).

The 16 largest service providers in the world are customers of Blue Coat, as are all 25 of the 25 largest financial institutions in the world. 97 of the Fortune Global 100 and 85% of the Fortune Global 500 are our customers. All of these contribute to our network of over 75 million users who use our cloud-based collaborative web threat defense network, which we call Webpulse. We have visibility into the URLs visited by these 75 million users, and into the linkages between web pages as these users click from one page to another.

Around 3 or 4 years ago one of our malware researchers was working with graphing programs, trying to diagram some of the linkages between web pages, and realized from the data that he was mapping out networks of malware servers. These were servers dedicated to hosting malware, regardless of whether there was an active attack going on using them. As we observed and mapped these networks of malware we watched them evolve, grow, shrink, and get used as the underlying URLs in attacks on other websites.

As we’ve continued to track these malnets, we’ve found ways to detect when they add servers and IP addresses, and even when they rotate the addresses in use. In a typical attack that uses a malnet (basically, when a cyber criminal wants to use existing malware resources to get a quick return), Blue Coat has been aware of the malnet before the attack went live. That means that if you’re using Blue Coat’s Webpulse, you’ve already blocked the malnet, and when the zero-day occurs (when an iframe injection, XSS or JavaScript exploit injects the malnet’s URL into the hacked site), you’re already protected and have been for some time.

We’re not saying that we will prevent all malware from reaching you, but we will protect you from malware hosted by malnets. You may wonder how much of the malware you see in a year that accounts for. By our estimates, about two-thirds of all attacks we blocked for our customers in 2012 were prevented through malnet detection and blocking. That may not sound like a lot, but think about it this way: you’ve prevented two-thirds of all the malware trying to get into your organization from ever having to be rated in real time, virus scanned, sandboxed, or whatever else you do in your network to detect web-based malware.

You may be wondering how this can be unique to Blue Coat. When we first started talking about the existence of malnets a few years ago, we were the only company doing so. Many of the major analysts we presented our findings to were skeptical at first as well. But as we detailed actual attacks we had been protecting users from well before they went live, we were able to show that we are the only ones with this capability. We have it because of the scope of our network and our deep understanding of, and focus on, web traffic and web-based malware. Blue Coat specializes in web security. Other companies are typically more broad-based, or, if they are also web specialists, do not have the scope and reach in terms of the network they can analyze.

Further, to address the comment that all vendors sound as if they do the same thing: it’s true that if an AV company identifies a specific attack (say, a chunk of an exploit kit, some JavaScript, or a particular new malware payload) and then, a week later, sees a new site using it, it can block that site and call it a negative-seven-day block, since that’s how long it has been able to identify the malicious content. They (other vendors in the security industry) haven’t chosen to call this sort of thing a negative-day block, since it’s really just blocking a known attack from a new place. (As another example, if a cyber criminal were desperate enough to re-use a domain, a traditional web filtering company could claim a negative-day block because it already knew that site was evil — it can block a new attack from a known place. But this rarely happens these days…)
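The two ideas above, mapping the linkages between pages into a cluster of malware-hosting servers so the cluster is blocked before an attack goes live, and counting how many days ahead of the attack that block was in place (the negative-day block), as an added worked example in Python. This is not Blue Coat's code or the post's own method: the proxy log lines, the hostnames, the seed host and the two cluster-expansion rules are all constructed for illustration, and the expansion rules are a simplification chosen for this example, not a description of how Webpulse works.

```python
"""Toy malnet mapper: build a referrer graph from constructed proxy log lines,
expand a known-bad seed host into the infrastructure linked to it, and report
how far ahead of a later attack the host was already covered."""
from collections import defaultdict
from datetime import date
from urllib.parse import urlparse

# Constructed proxy log: "<date> <referrer URL> <requested URL>".
# Every host is an invented placeholder; the "*.bad-example" hosts play the
# malnet, the rest play ordinary sites (one of which, ads.example, has been
# abused to redirect into the malnet but is not itself infrastructure).
SAMPLE_LOG = """\
2013-11-02 http://news.example/front http://ads.example/tag.js
2013-11-02 http://ads.example/tag.js http://cdn.example/lib.js
2013-11-02 http://ads.example/tag.js http://redir-a.bad-example/go
2013-11-03 http://redir-a.bad-example/go http://exploit-b.bad-example/kit
2013-11-03 http://exploit-b.bad-example/kit http://payload-c.bad-example/x.exe
2013-11-05 http://redir-a.bad-example/go http://exploit-d.bad-example/landing
2013-11-06 http://mirror-e.bad-example/r http://exploit-b.bad-example/kit
"""

# Assumed starting point: one host a researcher has already confirmed as malicious.
SEED_HOSTS = {"redir-a.bad-example"}


def parse_log(text):
    """Turn log lines into (day, referrer_host, requested_host) tuples."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        day, ref, req = line.split()
        records.append((date.fromisoformat(day),
                        urlparse(ref).hostname, urlparse(req).hostname))
    return records


def build_graph(records):
    """Directed host graph (referrer -> requested) plus first-seen day per host."""
    out_edges = defaultdict(set)
    first_seen = {}
    for day, src, dst in records:
        out_edges[src].add(dst)
        for host in (src, dst):
            first_seen[host] = min(first_seen.get(host, day), day)
    return out_edges, first_seen


def map_malnet(out_edges, seeds):
    """Expand the seed hosts into the linked infrastructure.

    Two constructed rules, iterated to a fixpoint:
      1. anything a cluster member links onward to joins the cluster;
      2. a host whose links *all* land inside the cluster is a dedicated
         feeder and joins too. A host with mixed links (an ad network abused
         once, a hacked blog) stays out: it is a victim, not infrastructure.
    """
    cluster = set(seeds)
    changed = True
    while changed:
        changed = False
        for host, targets in out_edges.items():
            if host in cluster:
                new = targets - cluster            # rule 1: forward hop
            elif targets and targets <= cluster:
                new = {host}                       # rule 2: exclusive feeder
            else:
                continue
            if new:
                cluster |= new
                changed = True
    return cluster


def check_request(url, event_day, cluster, first_seen):
    """Return how many days before event_day the host was already mapped into
    the cluster (the 'negative-day block'), or None if the host is unknown and
    must fall through to real-time rating, AV scanning or sandboxing."""
    host = urlparse(url).hostname
    if host not in cluster:
        return None
    return (event_day - first_seen[host]).days


if __name__ == "__main__":
    out_edges, first_seen = build_graph(parse_log(SAMPLE_LOG))
    cluster = map_malnet(out_edges, SEED_HOSTS)
    print("mapped malnet hosts:", sorted(cluster))
    # Constructed zero-day: on 20 Nov an injected iframe on a hacked blog points
    # at a host the graph placed inside the malnet back on 5 Nov.
    injected = "http://exploit-d.bad-example/landing?ref=hacked-blog"
    print("days of advance coverage:",
          check_request(injected, date(2013, 11, 20), cluster, first_seen))
```

Running it maps the four `*.bad-example` hosts reachable from the seed plus `mirror-e.bad-example` (which only ever links into the cluster) while leaving `ads.example` out because it also links to legitimate content; the injected landing URL then scores 15 days of advance coverage, and a host never seen before returns `None`, which is the case the remaining real-time defences still have to handle. The exclusive-feeder rule is deliberately aggressive for the sake of a small example: with one observed request a benign host could be absorbed, so a production mapper would want volume thresholds, allow-lists and human review before the cluster feeds a block list.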

The Blue Coat difference is that we’re blocking new attacks from new places. Most of our blocks (not just the malnet ones) occur before we’ve ever seen the malicious content. Our team of malware researchers also takes the time to document these attacks and how Blue Coat is preventing a new attack from a new place…
