Security Analytics 7.2.1 Release Notes

Version: 7.2.1.43768
Software Release Date: 4 August 2016
Document Revision: 1.7 on 24 February 2017

Blue Coat Security Analytics is a sophisticated network security device that delivers full network visibility, advanced network forensics, and real‐time content inspection for all network activity.

IMPORTANT: In Security Analytics 7.2.1 many features from earlier versions have been significantly retooled. When you upgrade to 7.2.1 from an earlier version, this information will not be automatically preserved:

• Saved reports
• ThreatBLADE‐related reports, alerts, actions, and favorites (including ThreatBLADE favorites customized by support services); remote notification, unknown protocol, and endpoint protocol settings
• Unmodified default actions and favorites
• Custom favorites and actions created via the CMC
• The Default Summary view
• Data‐enrichment file‐type filter settings
• Customized YARA rules and custom hashes in Solera HashDB
• CMC VPN and sensor entries
• Child alerts from Local File Analysis
• Customized alert thresholds and URL Analysis verdict mappings
• Credentials and settings for third‐party reputation providers such as FireEye and Lastline
• Some RBAC settings for user groups
• Actions associated with discontinued providers (Bit9, NormanShark, Lastline Hash, Local File Analysis)

To preserve the information that can be preserved and transfer it to version 7.2.1, go to "Installation and Upgrades" on page 18.

Release Notes Contents

• "Additional Features Since 7.1.0" on page 2
• "New in Security Analytics 7.2.1" on page 3
• "Security Upgrades" on page 13
• "Fixes" on page 15
  ◦ "CMC Fixes" on page 17
• "Installation and Upgrades" on page 18
  ◦ "CMC Upgrade Instructions" on page 23
• "Known Issues" on page 25
  ◦ "Known CMC Issues" on page 25
  ◦ "Discontinuation" on page 25
• "Resources" on page 26

1 of 29 Security Analytics 7.2.1 43768 Release Notes

Additional Features Since 7.1.0

Since the release of Security Analytics 7.1.0, the following features and improvements were added in 7.1.x maintenance releases:

• New and enhanced enrichment providers:
  ◦ Endpoint analysis such as EnCase® Cybersecurity by Guidance® Software
  ◦ YARA rules, including user‐defined
  ◦ Provider selection for Local File Analysis
  ◦ FTP File Mover option for e‐mail attachments only
  ◦ Customized pivot‐only reputation providers
  ◦ Login Correlation Service support for Windows 2012 Server DC
  ◦ More precise WebThreat BLADE alerting
  ◦ Remote notification of ThreatBLADE alerts
  ◦ Analysis improvements:
    ▪ SandBox profile prioritized for parallel tasks
    ▪ Sample sent once, even with multiple profiles
    ▪ Child files of ZIP archives displayed with parent
    ▪ Android APK file support
    ▪ Faster verdict returns
    ▪ Direct link to task from the alert
    ▪ Feedback on new malware returned to Blue Coat Global Intelligence Network
• Improved PCAP downloader: backgrounding, remote‐path save
• Alert filtering by import_id
• Data‐enrichment jobs displayed on the capture summary graph
• Transition from packet‐based reporting to flow‐based reporting
• Report performance improvement
• GRE encapsulation detection
• SSL Serial Number, Machine ID, Tunnel Initiator, and Tunnel Responder reports
• Stop Report and Stop Extraction buttons
• Combined reindexing with reprocessing
• Signature‐based and protocol‐based extraction options
• Fuzzy‐hash calculation for real‐time extraction
• Telnet‐session extraction
• ‐detection alerts and reports
• Support for LDAP bind
• Authenticated proxy support, including certificate handshake
• Self‐encrypting disk (SED) support to protect data at rest


New in Security Analytics 7.2.1

From a new landing page to a wholly re‐imagined and rebuilt data‐enrichment process to dynamic capture filters and selectable capture profiles, this major release of Security Analytics provides exciting new features to assist in forensic investigations.

• "Alerts Management Dashboard" on page 4
• "Anomaly Detection" on page 4
• "Data Enrichment" on page 5
  ◦ "Real-Time Enrichment Providers" on page 5
    ▪ "Blue Coat Intelligence Services" on page 5
    ▪ "Blue Coat Analysis Providers" on page 6
    ▪ "Local File Analysis" on page 6
    ▪ "Indicators" on page 7
    ▪ "Rules" on page 8
  ◦ "File-Type Filters" on page 7
  ◦ "Real-Time Extraction" on page 7
• "Data Enrichment Profiles" on page 9
• "Dynamic Filters" on page 9
• "Reports" on page 10
  ◦ "Report Status Pages" on page 10
  ◦ "New Reports" on page 10
    ▪ "Additional Metadata" on page 11
    ▪ "SCADA Reports" on page 11
    ▪ "Encapsulation Reporting" on page 11
  ◦ "Filters" on page 11
  ◦ "Extractor" on page 12
    ▪ "Artifact Preview" on page 12
• "Command-Line Utilities" on page 12
• "Web UI and More" on page 12
• "New on the Central Manager Console (CMC)" on page 13
• "Security Upgrades" on page 13
  ◦ "Remote Access" on page 14
  ◦ "Role-Based Access Control" on page 14


Alerts Management Dashboard
Analyze > Alerts

As the new default landing page, the Alerts Management Dashboard provides immediate visibility into the current state of network traffic.

Read More: In the Help Files under Alerts Management Dashboard.

Important: Upgrading to version 7.2.1 from earlier versions has a significant impact on alerts. Before attempting to upgrade to 7.2.1, review the "Upgrade Instructions" on page 18 to avoid losing data and settings.

Anomaly Detection
Analyze > Anomalies

Anomaly Detection provides visibility into abnormalities in your traffic patterns. By evaluating traffic in 10‐minute analysis windows, Anomaly Detection determines which traffic is normal for your network and then creates alerts for outlier network behavior. A mere six hours after Security Analytics 7.2.1 begins to capture traffic, the anomaly detector has established a baseline and will begin to report anomalies.


From an individual anomaly alert, you can pivot to the new Anomaly Investigation summary view for immediate insight into which traffic triggered the alert, and then drill down into more specific data through the reports. You can also send the anomaly data to a remote resource for further analysis.

Read More: In the Help Files under Data Analysis > Anomaly Detection.

Note: Anomaly detection requires an appliance or VM with at least 64GB RAM to function properly. Less memory will result in degraded performance and missed anomalies. To disable anomaly detection, see "Data Enrichment Profiles" on page 9.

Data Enrichment

The Security Analytics data‐enrichment subsystem has undergone a comprehensive rewrite so that you can deploy the enrichment providers more independently, in terms of both configuration and prioritization. The new system also provides improved data‐enrichment performance and scalability.

Important: Upgrading to version 7.2.1 from earlier versions has a significant impact on data‐enrichment features. Before attempting to upgrade to 7.2.1, review the "Upgrade Instructions" on page 18 to avoid losing data and settings.

Real-Time Enrichment Providers
Settings > Data Enrichment

Traffic that matches the filters in a rule (formerly: “action”) can be sent to one or more real‐time enrichment providers to get a prompt verdict. All of the real‐time enrichment providers can be selected individually for any rule—default or user‐defined—using any set of filters that you specify.

Blue Coat Intelligence Services

The functionality of the ThreatBLADES has been consolidated into two Blue Coat Intelligence Services:

• File Reputation Service—The SHA256 hashes of files that match a rule are sent to the Blue Coat Global Intelligence Network (GIN), which returns a verdict based on the file‐reputation information from more than 15,000 customers and 75 million endpoints that contribute to GIN’s threat intelligence, which includes:
  ◦ A black list of 3.5 billion file hashes
  ◦ Additional black and white lists from three major security organizations
  ◦ Malware Analysis detonation results from the field
  ◦ Research results from Blue Coat Labs


• Web Reputation Service—The URLs that are associated with artifacts that match a rule are sent to GIN, which returns one or more URL categories that Security Analytics evaluates for threat level.

Read More: In the Help Files under Data Enrichment > Enrichment Providers > Intelligence Services.

Blue Coat Analysis Providers

• ICAP—Send ICAP service objects to Blue Coat Content Analysis.
• Malware Analysis—No longer dependent on ThreatBLADES for real‐time enrichment, Malware Analysis can operate in conjunction with—or independently of—the File Reputation Service.
  ◦ With the FRS Prefilter setting (enabled by default) you can get a verdict on files that are already known to the File Reputation Service without sending them to Malware Analysis.
  ◦ With the default per‐environment task settings available in Malware Analysis 4.2.x, you can select iVM plugins such as ghost_user.py to apply to samples sent from Security Analytics.
  ◦ Samples sent to Malware Analysis retain their original filenames.
  ◦ New file types are sent to Malware Analysis: BAT, COM, DEB, PS1, IPA
  ◦ Malware Analysis now supports iOS (IPA) in the Mobile IntelliVM.

Read More: In the Help Files under Data Enrichment > Enrichment Providers > Analysis Providers.

Local File Analysis

As separated entities that you can select for real‐time enrichment, Local File Analysis comprises five providers.

Important: Upgrading to version 7.2.1 from earlier versions has a significant impact on Local File Analysis providers. Before attempting to upgrade to 7.2.1, review the "Upgrade Instructions" on page 18 to avoid losing data and settings.

• Calculate and Store Hashes—Calculate MD5, SHA1, and SHA256 hashes for files that match the rule and write them to the indexing database. Fuzzy hashes can be enabled as well.
• ClamAV®—File scanning for known viruses.
• Custom Hash List—Replacing Solera HashDB, this provider contains only the MD5, SHA1, or SHA256 blacklist hashes that you upload.
• jsunpack‐n—On‐board analysis of JavaScript, PDF, HTML, and SWF files.
• YARA—These rules help detect live exploits before they are known to Blue Coat GIN.
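The following Python script is an added example and is not part of these release notes or of the Security Analytics product. It models what the Calculate and Store Hashes and Custom Hash List providers do together: compute MD5, SHA1, and SHA256 digests for an extracted file, parse an uploaded blacklist that may mix all three digest types, and return a verdict. The function names, the sample file contents, and the uploaded list are constructed for the example; only the hash algorithms are the ones the providers use.

```python
import hashlib
from typing import Dict, Iterable, Optional, Set

# Digest hex length -> algorithm name, used to sort uploaded entries into buckets.
HEX_LENGTHS = {32: "md5", 40: "sha1", 64: "sha256"}
HEX_DIGITS = set("0123456789abcdef")


def compute_hashes(data: bytes) -> Dict[str, str]:
    """MD5, SHA1 and SHA256 of one extracted artifact, as lowercase hex digests."""
    return {
        "md5": hashlib.md5(data).hexdigest(),
        "sha1": hashlib.sha1(data).hexdigest(),
        "sha256": hashlib.sha256(data).hexdigest(),
    }


def load_hash_list(lines: Iterable[str]) -> Dict[str, Set[str]]:
    """Parse an uploaded blacklist: one hex digest per line, any mix of MD5, SHA1
    and SHA256. Comments, blank lines and malformed entries are skipped so that a
    single bad line cannot silently disable matching for the whole list."""
    buckets: Dict[str, Set[str]] = {"md5": set(), "sha1": set(), "sha256": set()}
    for raw in lines:
        entry = raw.split("#", 1)[0].strip().lower()
        if not entry:
            continue
        algo = HEX_LENGTHS.get(len(entry))
        if algo is None or not set(entry) <= HEX_DIGITS:
            continue  # wrong length or non-hex characters: not a digest
        buckets[algo].add(entry)
    return buckets


def verdict(data: bytes, hash_list: Dict[str, Set[str]]) -> Dict[str, Optional[str]]:
    """Return the stored digests plus the provider verdict for one artifact.
    Strongest digest is checked first; a hit on any algorithm is a blacklist match."""
    digests = compute_hashes(data)
    for algo in ("sha256", "sha1", "md5"):
        if digests[algo] in hash_list[algo]:
            return {"verdict": "blacklisted", "matched_by": algo, **digests}
    return {"verdict": "no_match", "matched_by": None, **digests}


# Constructed samples standing in for files extracted from captured flows.
SAMPLE_FILES = {
    "known_bad.bin": b"abc",  # its MD5 appears in the constructed list below
    "dropper.bin": b"constructed sample payload 2",
    "readme.txt": b"nothing to see here",
}

# Constructed blacklist upload: an MD5 entry with a trailing comment, an
# upper-case SHA256 entry, and two malformed lines the loader must ignore.
UPLOADED_LIST = [
    "# custom hash list (constructed)",
    "900150983cd24fb0d6963f7d28e17f72   # md5 of known_bad.bin",
    hashlib.sha256(SAMPLE_FILES["dropper.bin"]).hexdigest().upper(),
    "not-a-hash",
    "",
]


def scan_samples() -> Dict[str, Dict[str, Optional[str]]]:
    """Run every constructed sample through the provider and collect verdicts."""
    hash_list = load_hash_list(UPLOADED_LIST)
    return {name: verdict(data, hash_list) for name, data in SAMPLE_FILES.items()}


if __name__ == "__main__":
    for name, result in scan_samples().items():
        print(name, result["verdict"], result["matched_by"] or "-", result["sha256"])
```

The loader normalizes case and tolerates comments because uploaded lists are typically assembled from several sources; the verdict function checks SHA256 before MD5 so that a collision-prone MD5 entry never masks a stronger match.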

Read More: In the Help Files under Data Enrichment > Enrichment Providers > Reputation Providers > Local File Analysis Providers.


File-Type Filters
Settings > Data Enrichment

In version 7.1.x, the data enrichment file‐type filter was applied to all file and file‐hash providers. In version 7.2.1, each provider’s filter can be configured separately on the Data Enrichment Settings page. For example, you can specify that only JavaScript be sent to jsunpack‐n or you can send all file types except email bodies to an FTP server.

Important: Upgrading to version 7.2.1 from earlier versions has a significant impact on the file‐type filters. Before attempting to upgrade to 7.2.1, review the "Upgrade Instructions" on page 18 to avoid losing data and settings.

Additions to the file‐type filter include:

• Filters—Binaries, Code, JAR Archives, Debian® Packages
• File Types—BZIP, GZIP, CPP, BIN, MP3, RTF
• MIME Types—text/x-msdos-batch (EXE), application/x-httpd-php3 (PHP), application/cgi (CGI), and binary/octet-stream, multipart/byteranges (BIN)

Read More: In the Help Files under Data Enrichment > Data Enrichment Filters.

Real-Time Extraction

The real‐time data‐enrichment process begins with a set of filters—formerly “favorites,” now “indicators”—that identify traffic to be sent to the rules engine. The new data enrichment rules (“actions” in 7.1.x) offer each real‐time enrichment provider as a separate entity in the Send to list.

Indicators
Analyze > Rules

Important: Upgrading to version 7.2.1 from earlier versions has a significant impact on indicators (favorites). Before attempting to upgrade to 7.2.1, review the "Upgrade Instructions" on page 18 to avoid losing data and settings.

The robust new set of indicators in version 7.2.1 includes:

• Live‐Feed Indicators—Leveraging public resources such as abuse.ch and rules.emergingthreats.net, these indicators can be updated at a regular interval to instantly apply filters for the latest threats as they emerge. Optionally, you can create your own live‐feed indicators.
• Tracker—By http_server, ipv4_address, or http_uri
• Presented MIME Type—mime_type from packet headers
• Detected File Type—file_type from the magic number
• File Transfer Activity—To detect SMB, FTP, TFTP, and FTP Data traffic
• Non‐Alphabetic Server Name—For http_server=[IPv4 address]
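The distinction between the Presented MIME Type indicator (mime_type, taken from the protocol headers) and the Detected File Type indicator (file_type, derived from the magic number) is what lets an analyst spot content whose declared type does not match its bytes. The Python below is an added example, not code from these release notes or from Security Analytics: it implements a small magic-number detector, normalizes a presented Content-Type, and classifies each artifact as consistent, mismatched, or undetermined. The signature table, the expected-MIME mapping, and the sample artifacts are constructed for the example and cover only a handful of formats.

```python
from typing import Dict, List, Optional, Set, Tuple

# Constructed magic-number table: (leading bytes, file_type label). Longer,
# more specific signatures are listed before shorter ones.
MAGIC_NUMBERS: List[Tuple[bytes, str]] = [
    (b"\x89PNG\r\n\x1a\n", "png"),
    (b"%PDF-", "pdf"),
    (b"\x7fELF", "elf"),
    (b"PK\x03\x04", "zip"),     # also JAR, APK, DOCX and other ZIP-based containers
    (b"{\\rtf", "rtf"),
    (b"\xff\xd8\xff", "jpeg"),
    (b"\x1f\x8b", "gzip"),
    (b"MZ", "exe"),
]

# Presented MIME types that are consistent with each detected file_type
# (constructed mapping; a deployment would carry a far larger one).
EXPECTED_MIME: Dict[str, Set[str]] = {
    "png": {"image/png"},
    "pdf": {"application/pdf"},
    "elf": {"application/x-executable", "application/octet-stream"},
    "zip": {"application/zip", "application/java-archive",
            "application/vnd.android.package-archive"},
    "rtf": {"application/rtf", "text/rtf"},
    "jpeg": {"image/jpeg"},
    "gzip": {"application/gzip", "application/x-gzip"},
    "exe": {"application/x-msdownload", "application/x-dosexec",
            "application/octet-stream"},
}


def detect_file_type(payload: bytes) -> Optional[str]:
    """file_type from the magic number; None when no signature matches."""
    for magic, label in MAGIC_NUMBERS:
        if payload.startswith(magic):
            return label
    return None


def normalize_mime(presented: str) -> str:
    """mime_type as presented in the headers, minus parameters and case."""
    return presented.split(";", 1)[0].strip().lower()


def evaluate_artifact(presented_mime: str, payload: bytes) -> Dict[str, Optional[str]]:
    """Compare the presented MIME type with the detected file type."""
    file_type = detect_file_type(payload)
    mime_type = normalize_mime(presented_mime)
    if file_type is None:
        status = "undetermined"       # no signature hit: nothing to contradict
    elif mime_type in EXPECTED_MIME[file_type]:
        status = "consistent"
    else:
        status = "mismatch"           # declared type contradicts the bytes
    return {"mime_type": mime_type, "file_type": file_type, "status": status}


# Constructed artifacts: (presented Content-Type, first bytes of the body).
SAMPLE_ARTIFACTS: List[Tuple[str, bytes]] = [
    ("image/png", b"\x89PNG\r\n\x1a\n" + b"\x00" * 16),
    ("image/jpeg", b"MZ\x90\x00" + b"\x00" * 16),          # PE header behind an image label
    ("text/html; charset=UTF-8", b"<html><body>hello</body></html>"),
    ("application/octet-stream", b"PK\x03\x04" + b"\x00" * 16),
]


def scan(artifacts: List[Tuple[str, bytes]]) -> List[Dict[str, Optional[str]]]:
    return [evaluate_artifact(mime, body) for mime, body in artifacts]


if __name__ == "__main__":
    for (mime, _), result in zip(SAMPLE_ARTIFACTS, scan(SAMPLE_ARTIFACTS)):
        print(f"{mime:28} -> {result['file_type']!s:6} {result['status']}")
```

An "undetermined" result is deliberately not treated as a mismatch: text formats have no magic number, so a missing signature is not evidence of anything. Note also that a ZIP signature presented as application/octet-stream is reported as a mismatch here only because the constructed mapping lists specific container types; the mapping, not the detector, encodes that policy.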


Rules
Analyze > Rules

Important: Upgrading to version 7.2.1 from earlier versions has a significant impact on rules (actions). Before attempting to upgrade to 7.2.1, review the "Upgrade Instructions" on page 18 to avoid losing data and settings.

Instead of activating ThreatBLADE rules on the Data Enrichment Settings page, the rules for the Blue Coat Intelligence Services, Malware Analysis, and Local File Analysis are listed on the Rules page.

Read More: In the Help Files under Data Enrichment > Rules.

As with “actions” in previous versions of Security Analytics, in version 7.2.1 you can create rules for alerts, IPFIX export, PCAP export, and data enrichment. Additionally, you can create dynamic filter rules to prevent specified traffic from being written to your capture and indexing drives, on the fly. See "Dynamic Filters" on page 9.

In version 7.2.1 you also have nearly unlimited flexibility in assigning which types of traffic are sent to each enrichment provider. The indicators for both Blue Coat Intelligence Services are exposed to the user for alteration and refinement, as is the rule for Malware Analysis and all of the Local File Analysis providers.

By default, the following rules are active immediately after you upgrade to version 7.2.1:

• Heartbleed Attack Attempt Alert
• Non‐Standard SSH Alert
• Shellshock Webserver Exploit Attempt Alert
• Local File Analysis ‐ Live Exploits (YARA rules)

On-Demand Reputation Providers
Settings > Data Enrichment

The on‐demand reputation providers give you instant visibility into individual report and artifact attributes.

Important: Upgrading to version 7.2.1 from earlier versions has a significant impact on the on‐demand reputation providers. Before attempting to upgrade to 7.2.1, review the "Upgrade Instructions" on page 18 to avoid losing data and settings.

Blue Coat ThreatExplorer

From nearly any URL, IP address, file name, or file hash, you can pivot to Blue Coat ThreatExplorer, which displays all of the threat intelligence on that attribute that is archived in the Blue Coat Global Intelligence Network. Access requires separate login credentials from Blue Coat.


Third-Party Providers

Improvements to existing third‐party on‐demand reputation providers include:

• Support for FireEye AX‐series
• Team Cymru Malware Hash Registry replaces SANS ISC Hash
• Option to preserve the original filename for FTP File Mover
• User‐configurable Lastline location

Data Enrichment Profiles
Settings > Data Enrichment

For more control over how Security Analytics uses system resources, you can select one of three Data Enrichment Profiles:

• Full Data Enrichment with Anomaly Detection—All services are active, including the new anomaly detection system.
• Full Data Enrichment (no Anomaly Detection)—All services are active but the anomaly detector is idle.
• Packets Only—Indexing and anomaly‐detection services are disabled; all system resources are dedicated to writing packets to the capture drive at the highest possible rate.

All three profiles are included with the base license, and switching from one profile to another does not require a reboot.

Read More: In the Help Files under Data Capture > Data Availability > Data Enrichment Profiles.

Dynamic Filters
Analyze > Rules

Streaming media such as movies or Internet radio can fill your capture and indexing drives with data that may not be forensically useful. Use a dynamic filter rule to detect streaming media flows, write the first part of the flow to the capture and indexing drives, and then stop recording the flow for a specified time. You can use dynamic filters on any traffic that you can specify with an indicator, such as traffic from a particular domain or VLAN, or traffic that is encrypted (application_group=encrypted).
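To make the record-the-head-then-suppress behaviour concrete, the Python below is an added example that is not code from these release notes or from Security Analytics. It simulates a dynamic filter over a packet sequence: packets that do not match the indicator are always recorded; for matching flows, the first head_bytes of each flow are written, the flow is then dropped for suppress_seconds, and after the window expires a fresh head is recorded. The Packet and FlowState types, the "streaming" application_group value, the sample packets, and the parameter names are constructed for the example; the appliance's actual filter engine is not described in this detail on the page.

```python
from dataclasses import dataclass
from typing import Callable, Dict, List


@dataclass
class Packet:
    flow_id: str            # constructed flow key (e.g. 5-tuple hash)
    ts: float               # capture timestamp, seconds; packets arrive in order
    length: int             # bytes on the wire
    application_group: str  # indicator attribute, constructed values below


@dataclass
class FlowState:
    recorded_bytes: int = 0       # bytes of the current head written to disk
    suppressed_until: float = 0.0 # 0.0 means the flow is not being suppressed


class DynamicFilter:
    """Record the first head_bytes of every matching flow, then drop it for
    suppress_seconds; traffic the indicator does not match is never touched."""

    def __init__(self, matches: Callable[[Packet], bool],
                 head_bytes: int, suppress_seconds: float):
        self.matches = matches
        self.head_bytes = head_bytes
        self.suppress_seconds = suppress_seconds
        self.flows: Dict[str, FlowState] = {}

    def decide(self, pkt: Packet) -> str:
        if not self.matches(pkt):
            return "record"
        st = self.flows.setdefault(pkt.flow_id, FlowState())
        if pkt.ts < st.suppressed_until:
            return "drop"                  # inside the suppression window
        if st.suppressed_until:            # window has expired: start a new head
            st.recorded_bytes = 0
            st.suppressed_until = 0.0
        st.recorded_bytes += pkt.length    # this packet is part of the head
        if st.recorded_bytes >= self.head_bytes:
            st.suppressed_until = pkt.ts + self.suppress_seconds
        return "record"

    def apply(self, packets: List[Packet]) -> List[str]:
        return [self.decide(p) for p in packets]


def is_streaming(pkt: Packet) -> bool:
    """Constructed indicator: application_group=streaming."""
    return pkt.application_group == "streaming"


# Constructed capture: one long streaming flow and one unrelated web flow.
SAMPLE_PACKETS: List[Packet] = [
    Packet("stream-1", 0.0, 100, "streaming"),
    Packet("stream-1", 1.0, 100, "streaming"),   # head reaches 200 bytes here
    Packet("web-1", 1.5, 500, "web"),            # not matched: always recorded
    Packet("stream-1", 2.0, 100, "streaming"),   # suppressed
    Packet("stream-1", 3.0, 100, "streaming"),   # suppressed
    Packet("stream-1", 70.0, 100, "streaming"),  # window expired: new head
]


def run_sample() -> Dict[str, object]:
    """Apply a 200-byte head / 60-second suppression filter to the sample."""
    filt = DynamicFilter(is_streaming, head_bytes=200, suppress_seconds=60.0)
    decisions = filt.apply(SAMPLE_PACKETS)
    written = sum(p.length for p, d in zip(SAMPLE_PACKETS, decisions) if d == "record")
    dropped = sum(p.length for p, d in zip(SAMPLE_PACKETS, decisions) if d == "drop")
    return {"decisions": decisions, "written": written, "dropped": dropped}


if __name__ == "__main__":
    print(run_sample())
```

The packet that pushes the head over its byte budget is still recorded, since it belongs to the head; suppression starts with the next packet. Resetting the head when the window expires is what keeps periodic evidence of a long-lived flow on disk without storing the whole stream.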

Read More: In the Help Files under Data Capture > Dynamic Filters.


Reports

Important: Upgrading to version 7.2.1 from earlier versions has a significant impact on reports. Before attempting to upgrade to 7.2.1, review the "Upgrade Instructions" on page 18 to avoid losing data and settings.

Report Status Pages
Analyze > Report Status

The new Report Status pages display reports that are running or that have completed. You can use the information on these pages to keep track of system resources and report‐generation history.

Read More: In the Help Files under Data Analysis > Reports > Report Status Pages.

New Reports
Analyze > Summary > Reports

The new Threat Intel reports consolidate and simplify the previous ThreatBLADES reports:

• Threat Intel Reports
  ◦ Local File Analysis—Local File Analysis provider verdicts
  ◦ File Signature Verdict—File Reputation Service verdicts
  ◦ Malware Analysis—Malware Analysis verdicts
  ◦ URL Categories—Assigned by the Blue Coat Global Intelligence Network
  ◦ URL Risk Verdict—URL category risk assigned by Security Analytics

New reports and their corresponding filter attributes have also been added:

• DNS Reports
  ◦ DNS Answer Count (dns_ancount)
  ◦ DNS Answer Name (dns_name)
  ◦ DNS Autogenerated Name (autogenerated_domain)
  ◦ DNS Autogenerated Domain Score (autogenerated_domain_score)
  ◦ DNS IPv4 Name (dns_host_ipv4_addr)
  ◦ DNS IPv6 Name (dns_host_ipv6_addr)
  ◦ DNS Time‐to‐Live (dns_ttl)
• Flow‐Information Reports
  ◦ Flow Duration (flow_duration)
  ◦ Flow ID (flow_id)


• File‐Related Reports
  ◦ Detected File Type (renamed) (file_type)
  ◦ Presented MIME Type (renamed) (mime_type)
  ◦ File Extension (file_extension)
  ◦ SHA256 Hash (sha256_hash)
• HTTP‐Related Reports
  ◦ SPDY attributes folded into corresponding HTTP reports
  ◦ HTTP Content Length (http_content_len)
  ◦ HTTP Location (redirect target) (http_location)

Read More: In the Help Files under Data Analysis > Reports > Available Reports.

Additional Metadata

Since version 7.1.6:

• 50 new report attributes: 437 total
• 298 new recognized applications: 2574 total

Read More: In the Help Files under Reference > Report Attributes and Reference > Recognized Applications.

SCADA Reports

For SCADA control systems, version 7.2.1 provides reports for dozens of MODBUS and DNP3 attributes. Contact Blue Coat Support to enable the reports for no extra cost.

Read More: In the Help Files under Data Analysis > Reports > SCADA Reports.

Encapsulation Reporting

The Tunnel Initiator and Tunnel Responder reports can display IP addresses for GRE encapsulation as well as IPv4‐in‐IPv6 and IPv6‐in‐IPv4 tunnels.

Read More: In the Help Files under Data Analysis > Encapsulation Detection.

Filters
Analyze > Summary | Reports | Extractions | Geolocation

Improvements to the primary, advanced, and PCAP download filters include:

• Case‐sensitive searching is available for the keyword_utf8 attribute in the Extractions advanced filter.
• Percent‐match supported in the primary filter for fuzzy_hash.
• PCAP download filters can be saved for later use.


Extractor
Analyze > Summary > Extractions

Enhancements to the extraction process include:

• Enable or disable hash calculation for MD5, SHA1, and SHA256 in the web UI
• File‐transfer extraction for IRC, YMSG, Jabber, and Paltalk
• Extractor handling special characters in the presented MIME type
• Artifact entry showing exact byte size instead of rounding to a two‐place decimal for artifacts smaller than 999,999 bytes
• Protocol carving and signature‐based extraction using Foremost signature scan

Read More: In the Help Files under Data Enrichment > Extractions > Artifact Extraction.

Artifact Preview

In the new artifact preview window, all preview types are available by default to provide total visibility into an artifact’s true nature.

Read More: In the Help Files under Data Enrichment > Artifact Preview.

Command-Line Utilities

New command‐line utilities include:

• User‐defined port‐to‐application mapping
• SCM Migrator, to export and then import users and groups, rules, indicators, firewall settings, remote‐notification settings, system time, DNS, and geolocation subnet information.

Read More: In the Help Files under Reference > CLI Commands.

Web UI and More

• Pagers have GOTO page number, Next, and Previous controls.
• Default system installation pages have man pages.
• Release Notes can be accessed from the Upgrade dialog (BlueTouch Online authentication required).
• Up to 30 Geolocation internal subnets are supported.
• Follow TCP Stream feature was added to the Packet Analyzer.
• Packet Analyzer is integrated with the Encoder/Decoder tool.

Read More: In the Help Files under Data Analysis > Packet Analyzer.


• BIOS settings support the serial console on Dell hardware.
• Slot size was increased from 64MB to 256MB to increase jumbo frames performance.
• No Proxy field allows specified domains and subnets to bypass the proxy.

Read More: In the Help Files under Initial Settings.

New on the Central Manager Console (CMC)

Important: Before attempting to upgrade a Central Manager and its sensors to version 7.2.1, review the instructions in "CMC Upgrade Instructions" on page 23, because you must delete the existing CMC VPN and re‐add the sensors to the CMC.

• Support for 215 sensors per CMC
• User‐defined sensor labels to organize sensors for viewing, upgrades, and configuration
• Up to 400% improvement in report performance, especially under demanding conditions
• Update button for deselecting sensors
• Keys for the CMC VPN increased to 2048 bits
• Mount points synchronized among multiple sensors
• Report Status pages available for the CMC

Read More: In the Help Files under Central Manager.

Security Upgrades

Vulnerabilities in the following Security Advisories have been addressed:

• SA83
• SA98
• SA103
• SA108
• SA111
• SA113 (partial: see SA113 for details)
• SA117
• SA120*
• SA121*
• SA123*
• SA126*
• SA128

* Omitted from the first version of these release notes

Note: Go to bto.bluecoat.com/security-advisories to review vulnerabilities and fixes for Security Analytics.

• RSA key strength for various subsystems increased to 2048 bits or more
• OCSP certificate‐chain validation for Blue Coat cloud‐based enrichment providers
• SSL key and certificate files retaining custom names


• TLS compatibility with LDAP
• Inputs sanitized to prevent XSS vulnerability

Remote Access

• Group Name Attribute was hard‐coded as cn for OpenLDAP and name for Active Directory; now user‐configurable.
• Firewall interface in the web UI better represents iptables substructure.
• APIv6 keys not visible on the web UI by default: created by user action in web UI and displayed only once

Role-Based Access Control
Settings > Users and Groups > Groups

Security Analytics 7.2.1 provides more granular control over role‐based access.

Important: Upgrading to version 7.2.1 from earlier versions may have a significant impact on RBAC. Before attempting to upgrade to 7.2.1, review the "Upgrade Instructions" on page 18 to avoid losing data and settings.

• Capture permissions are now broken out into:
  ◦ Stop and start capture
  ◦ Stop and start playback
  ◦ Initiate reindexing
  ◦ View capture rate and system statistics
• Import PCAP is now broken out as:
  ◦ Import PCAP from browser
  ◦ PCAPs without access restrictions (with BPF filters)
  ◦ Analyze PCAPs
  ◦ Download PCAPs
• Analyze pages are broken out into:
  ◦ View Summary page
  ◦ Generate reports
  ◦ Download and preview artifacts
  ◦ View artifact metadata
  ◦ View Geolocation page
  ◦ Create, edit, and delete rules and alerts
  ◦ Create, edit, and delete indicators
• Restricted‐shell access to the CLI:
  ◦ Base Permissions—Read‐only commands
  ◦ Tier 1 Permissions—Networking and file‐system management
  ◦ Tier 2 Permissions—File system and admin utilities, process and drive management


Fixes The following fixes are in Security Analytics 7.2.1. Also see "CMC Fixes" on page 17.

Indexing and DPI

• IRC was misclassified as FTP.
• File modification events were not extracted as metadata for SMB2 client/server traffic.
• VLAN IDs were not indexed correctly in the context of VLAN trunking.
• Thunderbird client IMAP emails were not being classified.
• Long‐lived flows were not reindexed properly.
• Some HTTP traffic was classified as unknown.
• Synflood traffic was classified as unknown.
• The characters in some URIs and filenames were improperly rendered.
• HTTP POST data was missed by indexing and extraction.

Reports and Filters

• The WSAPI method=deepsee did not convert a single time value into the specified time range.
• Downloading a CSV report for 14TB of metadata took longer than an hour.
• All intermediate records are processed instead of only the last 500 slots.
• API error message for querying report data was improved.
• Multiple ORs in a /pfs/flows path did not return data.
• A session resolution <100%, combined with a processed slot with fewer than 10 records, caused an infinite loop in the report handler.
• The advanced filter protocol=ftp_data could not be created from an artifact’s web UI entry.

Data Enrichment and Extraction

• Some WHOIS results were missing from the web UI Reputation Report.
• FTP File Mover in active mode was exporting 0‐byte files.
• Manual extractions (web UI‐initiated) sometimes crashed during the cleanup phase of a canceled manual extraction.
• APK files were misclassified and not sent to the Malware Analysis MobileVM.
• Incorrect value types were submitted to some reputation providers.
• Extracted files were being corrupted by FTP File Mover.
• Pivoting from a Malware Analysis task to the Security Analytics Summary view sometimes produced no data.
• ClamAV was upgraded to 98.7 to improve malware recognition.
• Freshclam update service did not honor system proxy settings.
• Redundant extractions were sometimes sent to Malware Analysis.


• Filenames with special characters were not sent to Malware Analysis.
• Email preview did not render the HTML aspects of an email message.

Authentication, Permissions, and Remote Access

• dsadduser could not create an account in the admin group.
• Custom LDAP certificates were not preserved during upgrade from 6.6.x to 6.6.x+1.
• Invalid email settings could prevent login for all users.
• RBAC was not applied to PCAP Download and Packet Analyzer.

Logging and Remote Notification

• PostgreSQL log files contained too many errors.
• Reindexer job sent excessive email alerts.
• Could not remove from SMTP template.
• get_deepsee_logs.sh was over‐filling /root directory.
• SNMP reported incorrect speed for 10G NIC.
• Subject line missing from custom SMTP template dialog.
• Power‐supply failure missing from email notifications.
• Syslog template was missing maa_report, start_time, and sha256_hash.
• Monit generated redundant memory‐usage alerts.
• CEF‐formatted syslog messages had a 12‐digit timestamp instead of 13.
• Timespan in SMTP alerts was insufficient to show all report data.

Web UI

• The wrong error message was displayed when the appliance could not download the upgrade file from the Internet.
• Web page preview did not render base64‐encoded images.
• Log showed wrong PCAP download size.
• Widget records could not be sorted by attribute name.
• IP address source/destination appeared as initiator/responder in artifact display.
• PCAP download estimator showed inaccurate size.
• Help link did not work in IPv6 environment.
• Default port for SNMP inform traps was incorrect.
• Capture Summary Graph did not use units specified in preferences.
• Alerts counter did not refresh after clearing alerts.
• Initial configuration screen did not indicate errors clearly.
• Non‐interface data was not cleaned up for Capture Summary Graph.
• Initial configuration page did not notify that Save was required.


System and Miscellany

• Slot‐corruption handling was improved.
• Indexer surpassed more slots when there was one fast and one slow interface.
• SQL errors were produced when cleaning up abandoned reports.
• Temporary files were not deleted after running a Geolocation report.
• Data cleanup from large manual extractions was improved.
• dszap appeared to hang because verbose messages were not displayed.
• Old CSR files were not cleaned up.

CMC Fixes

• Remote groups could not be deleted.
• Internal Server Error occurred on login when a sensor was not available.
• Sharding and cleanup were not working on the capture summaries table.
• scotus start did not complete.
• Capture summary and sensor‐selector pages were blank after a sensor was disconnected.
• Central Manager did not delete PCAP and ZIP files after download.
• Scheduled reports on the CMC would never finish.


Installation and Upgrades

Browser Support

Security Analytics 7.2.1 supports all of the latest browser versions.

Compatibility Issues

Security Analytics management traffic (on eth0) cannot be subjected to SSL intercept. If your Security Analytics appliance is deployed behind SSL‐intercept devices such as Blue Coat SSL Visibility Appliance, Blue Coat ProxySG, or a next‐generation firewall, you must configure those devices to exclude traffic from the Security Analytics management interface.

Upgrade Instructions

If you are upgrading a Central Manager environment, you must follow the instructions in "CMC Upgrade Instructions" on page 23.

Before the Upgrade

Verify that you have saved, exported, or noted the information in this section:

Information to Manually Record

To preserve this information you must view it on the web UI and either take a screenshot or notate the information:

On Settings > Data Enrichment

• Individual settings for the FileThreat BLADE and WebThreat BLADE.

  ◦ Make a note of any remote notification, template, endpoint provider, and unknown protocols settings.
• Third‐Party On‐Demand Reputation Providers credentials and settings.
  ◦ For providers that require authentication credentials (FireEye, FTP File Mover, Lastline, VirusTotal), note the account names and make sure you can locate the passphrases for the accounts.
    ▪ Bit9 and NormanShark providers are discontinued in 7.2.1.


  ◦ For FTP File Mover, note whether the Attachments Only option has been selected.
• Data Enrichment File Types selections.
• WebPulse Custom Update Location settings and credentials.

On Settings > Users and Groups

• RBAC permissions for the user groups, especially admin.

Information to Export from the Web UI

The following data and settings can be downloaded from or altered in the web UI to preserve them on upgrade.

On Analyze > Summary

• The old Default View on the Summary page will be deleted, regardless of whether you have designated it as your default view.

  ◦ To preserve the current Default View, create a new view as a duplicate of Default View and give it a new name; user‐defined views will not be overwritten.
• Report data that is associated with the ThreatBLADES and Local File Analysis will be deleted. Download the reports that you want to save as CSV or PDF.

On Analyze > Saved Results

• For saved reports to keep, click View Report and then save the report as a CSV or PDF. (Saved extractions will be preserved on upgrade.)

On Analyze > Favorites

• Use the export function to preserve default favorites that you have not modified. Alternatively, you can change the name of a default favorite to preserve it.

On Settings > Network

• In the HTTP Proxy field, remove the http:// prefix from the proxy address.

Information to Copy from System Files

This customized information must be copied from system files:

• YARA Rules—In /usr/lib64/python3.3/site-packages/derp/providers/third_party/yara_rules/rules.yar
• ThreatBLADE Favorites—For assistance, consult the sales engineer who customized them.
• Alert Threshold—In /etc/solera/config/derp.conf as "derpd":{"threshold":x,}
• URL Category Verdict Mapping—In /etc/solera/config/threat_mapping.txt

Information That Cannot Be Saved

The following information cannot be viewed on or exported from the Security Analytics appliance. You may be able to obtain some of this information elsewhere in your organization if you need to restore it to version 7.2.1:

• Custom hash blacklists
• Alerts generated by the ThreatBLADES
• Alerts generated by unmodified default actions
• Child alerts generated by Local File Analysis

After the Upgrade

At this point, you may want to consult the 7.2.1 Help Files to get more information on some of the changes mentioned in this section. Go to "Security Analytics Help Files" on page 26 for Help Files locations. In Security Analytics 7.2.1 some of the terminology has changed:

• Favorites —> Indicators
• Actions —> Rules
• WebPulse —> Web Reputation Service
• ThreatBLADES —> Blue Coat Intelligence Services

More than having a new name, the data‐enrichment process has been significantly retooled. See "Data Enrichment" on page 5 for details.

Follow these instructions to re‐import or re‐enter the information you recorded.

Information to Manually Input

This information must be manually input to the web UI.

• Remote Notifications and Endpoint Providers are now associated with rules instead of ThreatBLADES. Go to Analyze > Rules and edit the File Reputation Service or Web Reputation Service rules to re‐enter the information.
• To restore the Unknown Protocols setting, add application_id=unknown to an indicator. Consult the Help Files for more information on how the function of the unknown protocol setting changed for 7.2.1.

Read More: In the Help Files under Data Enrichment > Extractions > Artifact Extraction > Signature-Based Extraction.

• Re‐enter the Third‐Party On‐Demand Reputation Provider settings and credentials on Settings > Data Enrichment.
  • The default port for Cuckoo has changed to 8090.

Read More: In the Help Files under Data Enrichment > Enrichment Providers > Integration Providers.

  • The Attachments Only setting for the FTP File Mover has been replaced with the per‐provider data enrichment filters: clear the Email Bodies file type to send only email attachments.

Read More: In the Help Files under Data Enrichment > Data Enrichment Filters and Data Enrichment > Enrichment Providers > Integration Providers > Configure Integration Providers.

• The new data‐enrichment file‐type filters comprise one default filter set (that you can apply to any file/file hash provider) and per‐provider filters that you can customize. On Settings > Data Enrichment, manually input the file‐type filter settings as desired.

Read More: In the Help Files under Data Enrichment > Data Enrichment Filters.

• The Web Reputation Service Custom Update Location and credentials are on Settings > Data Enrichment, as before.
• On Settings > Users and Groups, validate the RBAC settings for all groups.

Information to Upload to the Web UI

• The new default landing page is the Alerts Management Dashboard instead of the default Summary page. Select Analyze > Summary to verify that the old Default View has been preserved under its new name.
  • ThreatBLADE‐related report widgets and their data have been removed.
  • The Local File Analysis report widget from 7.1.x was deleted along with its data, but it has been replaced by a new report widget with the same name.
• If you used the Export function on Analyze > Favorites to save your favorites, go to Analyze > Indicators to import them again.
• On Analyze > Rules, reactivate any rules that may have been deactivated.
  • Actions (rules) that you created or customized should have been transferred to the new Rules list intact, with the following exceptions:
    • Data‐enrichment actions that specified providers that do not exist in 7.2.1 (Bit9, NormanShark, Lastline Hash) are deactivated and can be manually deleted.
    • Custom actions with Local File Analysis as the provider are converted into rules with ClamAV selected as the provider.
    • The Local File Analysis and Local File Analysis ‐ Live Exploits actions are deleted and replaced by their 7.2.1 counterparts.

Information to Copy to System Files

This customized information can be copied to the new system files:

• YARA Rules—To /usr/share/solera/yara_rules/rules.yar
• Alert Threshold—To /etc/tonic.d/alerting.conf
• URL Category Verdict Mapping—To /etc/solera/config/threat_mapping.txt
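The two "Information to Copy" sections above name files that the upgrade overwrites. The following script is an added example (not Blue Coat's code) that stages those files before the upgrade and copies the ones with a known 7.2.1 path back afterwards; it assumes derp.conf is JSON of the shape {"derpd":{"threshold":N,...}} and, because the notes do not give the alerting.conf format, only prints the threshold for manual entry. The sample tree it builds for the dry run is constructed.

```shell
#!/bin/sh
# Added example, not Blue Coat code. Paths are taken from the release notes and
# are relative to the filesystem root, so the functions work on a live root (/)
# or on the constructed tree that sa_sample_tree builds for an offline dry run.
YARA_OLD="usr/lib64/python3.3/site-packages/derp/providers/third_party/yara_rules/rules.yar"
YARA_NEW="usr/share/solera/yara_rules/rules.yar"
DERP_CONF="etc/solera/config/derp.conf"
THREAT_MAP="etc/solera/config/threat_mapping.txt"

# sa_backup ROOT DEST: copy the three 7.1.x files into DEST under their base
# names. Returns non-zero if any file is missing, so a partial backup is never silent.
sa_backup() {
  mkdir -p "$2" || return 1
  rc=0
  for f in "$YARA_OLD" "$DERP_CONF" "$THREAT_MAP"; do
    if [ -f "$1/$f" ]; then
      cp -p "$1/$f" "$2/$(basename "$f")"
    else
      echo "missing: $1/$f" >&2; rc=1
    fi
  done
  return $rc
}

# sa_threshold DERP_CONF_FILE: print the numeric "threshold" inside the "derpd"
# object (assumed layout). Whitespace is stripped first so line breaks in the
# file do not matter; prints nothing and returns 1 if the key is absent.
sa_threshold() {
  tr -d ' \n\t' < "$1" |
    sed -n 's/.*"derpd":{[^}]*"threshold":\([0-9][0-9]*\).*/\1/p' | grep .
}

# sa_restore DEST ROOT: copy the backed-up YARA rules and verdict mapping to
# their 7.2.1 locations under ROOT, keeping a .pre-7.2.1 copy of any file there.
sa_restore() {
  for pair in "rules.yar:$YARA_NEW" "threat_mapping.txt:$THREAT_MAP"; do
    src="$1/${pair%%:*}"; dst="$2/${pair#*:}"
    mkdir -p "$(dirname "$dst")"
    [ -f "$dst" ] && cp -p "$dst" "$dst.pre-7.2.1"
    cp -p "$src" "$dst"
  done
}

# sa_sample_tree ROOT: constructed 7.1.x files (not real appliance content).
sa_sample_tree() {
  mkdir -p "$(dirname "$1/$YARA_OLD")" "$(dirname "$1/$DERP_CONF")"
  printf 'rule demo_rule { strings: $a = "constructed" condition: $a }\n' > "$1/$YARA_OLD"
  printf '{\n  "derpd": { "threshold": 75, "enabled": true }\n}\n' > "$1/$DERP_CONF"
  printf 'Malware\tmalicious\n' > "$1/$THREAT_MAP"
}

# Dry run on the constructed tree. Real use: sa_backup / /root/sa-7.1-backup
# before the upgrade, then sa_restore /root/sa-7.1-backup / after it.
tmp=$(mktemp -d); sa_sample_tree "$tmp/old"
sa_backup "$tmp/old" "$tmp/backup" && sa_restore "$tmp/backup" "$tmp/new"
echo "threshold to re-enter in /etc/tonic.d/alerting.conf: $(sa_threshold "$tmp/backup/derp.conf")"
rm -rf "$tmp"
```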

Inputting Custom Hashes

• The new Custom Hash List provider is populated by using the lhr_flat_to_qdb utility. Instructions are in the Help Files.

Read More: In the Help Files under Data Enrichment > Enrichment Providers > Custom Hash List.

Settings to Verify

Check these settings to make sure they still suit your needs.

• If your Security Analytics appliance connects to the Internet through a proxy, configure the proxy for the new Blue Coat Intelligence Services:
  • File Reputation Service—*.es.bluecoat.com:8443
  • Web Reputation Service—sp.cwfservice.net:443

Read More: In the Help Files under Appliance Security > Ports and Protocols.

• If you already had at least one ThreatBLADES subscription, you are automatically entitled to both Blue Coat Intelligence Services.
  • The new Blue Coat Intelligence Services are not enabled by default. You must activate them first on the Data Enrichment Settings page and then go to Analyze > Rules to enable the corresponding rule.
  • Enabling the File Reputation Service rule at the same time as the Malware Analysis rule (with FRS pre‐filtering) will trigger duplicate alerts. The Help Files contain recommendations for avoiding duplicates.

Read More: In the Help Files under Data Enrichment > Alerts > Blue Coat Malware Analysis Alerts.

• Favorites that you have created or customized should have been transferred to the new Indicators list except for ThreatBLADE‐related attributes such as standard_blade_verdict and web_blade_malware_verdict; obsolete filter attributes may need to be manually deleted from transferred favorites.

CMC Upgrade Instructions

Because Security Analytics 7.2.1 has upgraded the API calls and the Central Manager’s VPN ciphers and keys, CMC networks that were created in previous versions are incompatible with version 7.2.1.

Important: 7.2.1 CMCs cannot manage 7.1.x or 6.6.x sensors, and 7.2.1 sensors cannot be managed by 7.1.x or 6.6.x CMCs, even though it may appear as though the CMC and sensors are still connected.

Before the Upgrade

1. On the CMC:
  • Go to the Manage Sensors page and make a note of all the sensor IDs, names, and authorizations.

Note: Instead of taking notes manually, you can select the entire screen, copy it, and then paste it to Microsoft Word (to preserve the table structure) or to another text editor.

  • On the Settings tab, note the Protocol, Subnet, Netmask, and Port.

Important: When you reset the CMC VPN, all of the favorites and actions that were created via the CMC will be deleted, because the user that is associated with those items is the cmc_proxyX user, which is always deleted when the CMC VPN is reset.

  • To save favorites (but not actions), go to Analyze > Favorites on the CMC, select any favorites that you would like to save, and export them.
2. On the sensors:
  • Consult "Upgrade Instructions" on page 18 to preserve information that will be overwritten or deleted upon upgrade.

Upgrading the CMC and Sensors

1. Download version 7.2.1 to the CMC’s upgrade repository.
2. Upgrade all of the sensors to 7.2.1 first, and then upgrade the CMC.
  • If you do not want to upgrade all of your sensors at once, you can go to Settings > Upgrade on the sensor and download the upgrade file from the CMC. Until you click Initiate Upgrade, the sensor will remain on its current version. After the CMC has been upgraded to version 7.2.1, however, you cannot download the upgrade file from the sensor in this manner.

After the Upgrade

After the CMC finishes upgrading:

1. On the CMC select Settings > Central Management > Settings and click Reset Settings.
2. When the VPN has finished deleting, you can input the same Subnet, Netmask, and Port as before or you can specify new ones.
  • The VPN subnet is now set up with 2048‐bit keys. For this reason, creating the new VPN and connecting sensors may take longer than usual over high‐latency connections.
3. On the Manage Sensors page, create all of the sensor entries and download the new authorization key files. If desired, you can add labels to the sensors, or you can add the labels at a later time. See "New on the Central Manager Console (CMC)" on page 13 for more information.
4. On each sensor delete the old CMC entry on the Central Management Settings page and then create the new CMC entry.

Read More: In the Help Files under Central Manager > CMC Initial Settings and Central Manager > Connect Your First Sensor to the CMC.

5. If you exported favorites from the CMC, you must re‐import them on each individual sensor. (If you re‐import them to the CMC, they will not be visible on the CMC.)
  • If you ran the scm script or the manual command before the upgrade, the favorites (indicators) and actions (rules) should still reside on each sensor. The CMC will automatically aggregate all identical indicators and rules.

Known Issues

• IPv6 addresses are not supported for default gateway, Malware Analysis appliances, the CMC VPN, and NTP.
• Adding remote notification to an already‐enabled rule requires that you disable then re‐enable the rule for the change to take effect.
• Rules with autogenerated_domain_score as the indicator do not produce results.
• Changing the HTTP port to 8080 disables the Apache server because that port is already in use by a Security Analytics background service; any other unused port is valid for HTTP.
• Importing PCAPs from multiple watch folders with the same check interval fails.
• The update interval for the Web Reputation Service database is not honored.
• When a manually typed timespan in the web UI is missing a colon, the start date is reset to 12/31/1969.
• SCADA reports should be available with the base license; contact Blue Coat Support to enable the reports for no extra cost.

Known CMC Issues

• Disabling one CMC entry on a sensor disables all of the CMC entries.
• A rule that is created through the CMC may seem to disappear after it is disabled.
• Where multiple CMCs are associated with the same sensors, non‐shared indicators and rules result in unexpected behavior and therefore are not supported.

Discontinuation

• These features are no longer available:
  • NormanShark and Bit9 as third‐party integration providers
  • Manual reputation requests to the Global Intelligence Network without a Blue Coat Intelligence Services subscription
  • Default support for TLS v1.0. (It can be manually enabled during the upgrade transition; contact Blue Coat Support for details.)
  • Support for Security Analytics APIv5
• These Web Services APIs will be discontinued in the next major release of Security Analytics, most likely version 7.3.1:
  • /ws/pcap?method=deepsee—Replaced by GET: /pcap/download/deepsee in APIv6
  • /ws/pcap?method=merge_path—Replaced by GET: /pcap/download/merge_path and GET: /pcap/download/merge in APIv6
  • /ws/pcap?method=raw—Replaced by GET: /pcap/download/raw in APIv6

Resources

Consult these resources as needed.

Technical Support

To contact Blue Coat Support you have these options:

• Log on to BlueTouch Online (BTO) (https://bto.bluecoat.com) and open a case at the Cases link.
• Contact Support & Services at https://www.bluecoat.com/support-services.

Security Analytics Help Files

You can find the Help Files for Security Analytics in the following places:

• In the web UI select Settings > Help.
  • Click English under Online Help Files.
• Go to BTO (https://bto.bluecoat.com) and click the Documentation tab.
  • From the Product list select Security Analytics.
  • Click View for the Security Analytics WebGuide 7.2.1.

To subscribe to update notifications consult "Product Documentation" on page 28.

BlueTouch Online

BTO is Blue Coat’s online repository for:

• Downloads—Software upgrades, release notes
• Documentation—All product documentation, including the latest version of this document
• Cases—Open and manage support cases
• Forums—Ask questions and share information with other Blue Coat users as well as Blue Coat support staff
• Knowledge Base—Product‐specific solutions and technical issues
• Security Advisories—Latest vulnerabilities that affect Blue Coat products
• Training—Webcasts, fee‐based instructor‐led courses, virtual classrooms, and complimentary videos
• Recommended Releases—Recommendations for long‐term support by software or hardware version
• RSS Feeds—Notifications of knowledge‐base releases

To access BlueTouch Online: Log in to https://bto.bluecoat.com.

Note: To request login credentials for BTO, go to https://www.bluecoat.com/forms/contact.

Subscribe to Content

Blue Coat recommends that you subscribe to RSS feeds, user documentation, or security advisories to receive notifications when documents are added or updated.

Specific Security Advisories

Follow these steps to subscribe to specific advisories:

1. On the BlueTouch Online main page click Security Advisories.
2. Optional—Select a product name in the Select Products list and click Apply.
3. Optional—Click a column heading to sort the list of advisories.
4. Select an advisory that is in Interim status, which means that further updates are expected.
5. Click Subscribe.

All Security Advisories

Follow these steps to subscribe to all security advisories:

1. On the BlueTouch Online main page click the RSS Feed icon.
2. Under Content Feeds, click Security Advisories.
3. Copy the RSS feed URL from your browser and add it to your preferred RSS reader.

Knowledge Base Articles

Follow these steps to subscribe to knowledge‐base feeds:

1. On the BlueTouch Online main page click the RSS Feed icon.
2. Under Knowledge Base Feeds, click one or more of the following:
  • Content Types—Select from among the four article types:
    • Solution
    • Cloud Announcement
    • Product Information
    • Technical Alert
  • Products—Select from among Blue Coat products
  • Software—Select from among Blue Coat software
  • Topics—Select from among general topics
3. Copy the RSS feed URL from your browser and add it to your preferred RSS reader.

Product Documentation

1. On the BlueTouch Online main page click the Documentation tab.
2. Select the appropriate product from the Product drop‐down list.
3. Place your cursor over the document you would like to subscribe to and click Subscribe.

To follow Blue Coat Systems on social media: In the upper‐left corner, click the appropriate icon:

•
• Facebook
• YouTube

© 2017 Blue Coat Systems, Inc. All rights reserved. BLUE COAT, PROXYSG, PACKETSHAPER, CACHEFLOW, INTELLIGENCECENTER, CACHEOS, CACHEPULSE, CROSSBEAM, K9, DRTR, MACH5, PACKETWISE, POLICYCENTER, PROXYAV, PROXYCLIENT, SGOS, UNIFIED AGENT, WEBPULSE, SOLERA NETWORKS, DEEPSEE, DS APPLIANCE, SEE EVERYTHING. KNOW EVERYTHING., SECURITY EMPOWERS BUSINESS, BLUETOUCH, the Blue Coat shield, K9, and Solera Networks logos and other Blue Coat logos are registered trademarks or trademarks of Blue Coat Systems, Inc. or its affiliates in the U.S. and certain other countries. This list may not be complete, and the absence of a trademark from this list does not mean it is not a trademark of Blue Coat or that Blue Coat has stopped using the trademark. All other trademarks mentioned in this document owned by third parties are marked with the degree symbol (°) and are the property of their respective owners. This document is for informational purposes only. BLUE COAT MAKES NO WARRANTIES, EXPRESS, IMPLIED, OR STATUTORY, AS TO THE INFORMATION IN THIS DOCUMENT. BLUE COAT PRODUCTS, TECHNICAL SERVICES, AND ANY OTHER TECHNICAL DATA REFERENCED IN THIS DOCUMENT ARE SUBJECT TO U.S. EXPORT CONTROL AND SANCTIONS LAWS, REGULATIONS AND REQUIREMENTS, AND MAY BE SUBJECT TO EXPORT OR IMPORT REGULATIONS IN OTHER COUNTRIES. YOU AGREE TO COMPLY STRICTLY WITH THESE LAWS, REGULATIONS AND REQUIREMENTS, AND ACKNOWLEDGE THAT YOU HAVE THE RESPONSIBILITY TO OBTAIN ANY LICENSES, PERMITS OR OTHER APPROVALS THAT MAY BE REQUIRED IN ORDER TO EXPORT, RE‐EXPORT, TRANSFER IN COUNTRY OR IMPORT AFTER DELIVERY TO YOU.

Americas:
Blue Coat Systems, Inc.
384 Santa Trinita Ave.
Sunnyvale, CA 94085

Rest of the World:
Blue Coat Systems International SARL
3a Route des Arsenaux
1700 Fribourg, Switzerland