
Luke Worrall Social Media and SDSN



Published in: Education

  1. Social Media and SDSN. Luke Worrall, Sr. Security Specialist, Juniper Networks. October 5th, 2018
  2. A defender has to be flawless every single time… An attacker only needs to succeed once!
  3. [Diagram: enterprise security architecture. Flow management; load balancers; perimeter firewalls; aggregation firewall; SSL PAC file; client-side SSL tunnel; SSL sandbox; web filter; log files; email inspection; DLP]
  4. Social media is a rich hunting ground
  5. Anatomy of a Social Media attack
  6. Phishing still just works
  7. Why wouldn’t you click through?
  8. Ransomware timeline
  9. Crypto mining malware timeline
  10. Drive-by Cryptocurrency Mining – One week snapshot
     • 35,000+ unique URLs associated with coinhive.min.js
     • 144 unique IP addresses
     • 1,025 unique hostnames
     • 6,000-10,000 new URLs per day leading to the coinhive script
  11. Breaches aren’t being discovered internally
  12. Payloads are almost always unique
  13. Rapid Response is critical [Diagram: time to compromise vs. time to exfiltration]
  14. How fast can you respond? [Diagram: kill chain across pre-compromise, during attack and post-compromise]
     • Reconnaissance: research (scan, social info)
     • Weaponization: create malware
     • Delivery: push email or pull content
     • Exploit: execution of payload (vulnerability + exploit)
     • Installation: compromise host and/or lateral movement
     • Command & Control: remote control attained by adversary
     • Actions: data breach or damage
     *Active engagements with partners
  15. [Diagram: same security architecture diagram as slide 3]
  16. Software Defined Secure Networks
  17. Software Defined Secure Networks: Global Policy Orchestration (Policy Engine); Open and Unified Threat Detection; Dynamic, Automated Enforcement. [Diagram: IPS, WAF, Sandbox, AV, NGFW, SIEM, Web, Email] From uncoordinated and perimeter-focused to an orchestrated, holistic system encompassing security + infrastructure.
  18. How do we get there?
     • Day 0, human-driven automation: establish standards-based network interfaces and data models; automate network provisioning & management; simplify security and network operations
     • Day 1, event-driven automation: gather security & network information (telemetry); intelligence drives automated response and policies; rule-based action on critical network events (closed-loop automation)
     • Day N, machine-driven automation: use machine-learning tools to train the system; machines make decisions and drive network change; humans make decisions where machines cannot
  19. Significant Response Improvements With Automation. Malware investigation tasks, manual effort vs. Juniper SDSN:
     • Identify host and user: 10 min / automated
     • Collect AV and EDTR data for given host: 25 min / automated
     • Collect network data (NGFW, SWG): 25 min / automated
     • Analyze & correlate: 35 min / automated
     • Determine progression and scope: 15 min / automated
     • Contain the threat: 10 min / automated
     • TOTAL TIME: > 2 hrs / < 10 min
  20. SDSN Architecture: the network fabric is now a single enforcement domain.
     • Detection: fast, effective protection from advanced threats; integrated threat intelligence
     • Policy: adaptive enforcement to firewalls, switches, 3rd-party devices and routers; robust visibility and management
     • Enforcement: consistent protection across physical/virtual; open and programmable environment
     [Diagram: third-party threat intel and Sky ATP (Advanced Threat Prevention, analysis, threat intelligence) feed Security Director + Policy Enforcer (policy enforcement, visibility, automation), which drives SRX physical firewalls, vSRX/cSRX virtual firewalls, routers, EX switches and third-party elements]
  21. What if your network could be a firewall? [Diagram: school district network, user "Sally"] Instant threat intelligence and detection; dynamically adapting policy, deployed in real time; enforce security everywhere. You need true end-to-end visibility to secure the entire network.
  22. How does SDSN completely isolate an infected host? Stateful filter on the firewall + access list on the switch port. [Diagram: Sky ATP, NGFW, switch; infected host = 192.168.10.225]
  23. Data Center Micro-segmentation [Diagram: Internet → perimeter firewall cluster → DMZ VLAN (IT Web, Fin Web) → internal firewall cluster → IT App, Fin App → DB_VLAN (IT DB, Fin DB). SDSN Policy Engine with SDN controller, security groups "IT Apps" and "Fin Apps", third-party and Sky ATP threat feeds; provisions vSRX in service chain; vSRX policy and switch ACLs]
     • Policy: defined in the Policy Engine. 1. "IT Applications cannot access Finance Applications even if they share same VLAN". 2. Traffic in and out of infected applications should be logged.
     • Detection: Sky detection applicable for the infected-applications scenario (#2 above)
     • Enforcement: VM-related traffic controls enforced in vSRX; physical-to-physical traffic controls in access/aggregation switches
  24. Security Director [Dashboard: enforcement rules, policy automation, application behavior, SIEM]
     • Threat condition visibility
     • Dynamic enforcement adapts to changing threat conditions
     • Pre-create security policy for agile workloads based on metadata
     • Reduced effort by 20x
     • Reduced user error
     • Improved remediation time
  25. Innovative visibility… 1. Interactive/graphical summary of applications. 2. Data from different angles. 3. Who is using what. 4. Perform correcting actions: identify and block usage. 5. Toggle to launch details grid view.
  26. Policy Enforcer: Define Once – Detect, Enforce and Contain Everywhere [Diagram: public cloud, private cloud (Contrail Security), cloud user, premise; Sky Advanced Threat Prevention (ATP) malware defense]
  27. Policy Enforcer
     • Automated containment via Policy Enforcer in Security Director
     • Extended containment to access switches
     • Updates enforcement criteria automatically with new threat data
     • Tracks infected host/endpoint movement from site to site via MAC address vs. IP address
     • Block, quarantine, release and track
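The block, quarantine, release and track loop from slides 22 and 27 (a firewall filter on the NGFW plus an access list on the switch port, keyed by MAC address so containment follows the endpoint when it moves), modelled as an added Python example; this is not Juniper's code, and the event fields, interface names and threat-score threshold are assumptions.

```python
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class InfectedHostEvent:
    """Constructed stand-in for a Sky ATP infected-host feed entry."""
    ip: str
    mac: str
    switch: str
    port: str
    threat_score: int  # assumed 0-10 scale


@dataclass
class PolicyEnforcer:
    """Toy Policy Enforcer: one enforcement point on the NGFW, one on the access switch."""
    threshold: int = 7                                    # assumed: scores >= 7 are contained
    firewall_filters: dict = field(default_factory=dict)  # ip  -> stateful filter text
    switch_acls: dict = field(default_factory=dict)       # mac -> (switch, port) carrying the ACL
    quarantined: dict = field(default_factory=dict)       # mac -> current ip

    def handle_detection(self, ev: InfectedHostEvent) -> bool:
        """Block: push a firewall filter and a switch-port ACL; True if the host was contained."""
        if ev.threat_score < self.threshold:
            return False
        self.firewall_filters[ev.ip] = f"deny from {ev.ip} to any"
        self.switch_acls[ev.mac] = (ev.switch, ev.port)
        self.quarantined[ev.mac] = ev.ip
        return True

    def handle_endpoint_move(self, mac: str, switch: str, port: str,
                             new_ip: Optional[str] = None) -> bool:
        """Track: a quarantined MAC appears on another port (possibly with a new DHCP lease),
        so the ACL follows the MAC and the firewall filter is re-keyed to the new address."""
        old_ip = self.quarantined.get(mac)
        if old_ip is None:
            return False  # not quarantined: nothing to follow
        self.switch_acls[mac] = (switch, port)
        if new_ip and new_ip != old_ip:
            self.firewall_filters.pop(old_ip, None)
            self.firewall_filters[new_ip] = f"deny from {new_ip} to any"
            self.quarantined[mac] = new_ip
        return True

    def release(self, mac: str) -> bool:
        """Release: drop both enforcement points once the host is remediated."""
        ip = self.quarantined.pop(mac, None)
        if ip is None:
            return False
        self.firewall_filters.pop(ip, None)
        self.switch_acls.pop(mac, None)
        return True
```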
  28. Sky ATP
  29. Juniper Advanced Threat Prevention (ATP) Appliance: advanced malware detection, one-touch mitigation, threat behavior analytics
     • Detection: on-premise solution that can detect advanced threats across web, email and lateral traffic; machine learning + behavior analysis + threat feeds
     • Analytics: improve productivity of SOC and IR teams by automating manual activities; timeline view of all security events that have occurred on a host or user
     • Mitigation: leverage existing security infrastructure to mitigate threats; automatically block malicious IPs, URLs and infected hosts
  30. Thank you