20. Drive-by Cryptocurrency Mining – One week snapshot
• 35,000+ unique URLs associated with coinhive.min.js
• 144 unique IP addresses
• 1,025 unique hostnames
• 6,000-10,000 new URLs per day leading to the coinhive script
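The snapshot above counts how many URLs, hostnames and IPs served the miner script. The following is an added example, not code from the slide deck or from Juniper, showing how those same three counts are produced from web-proxy logs. The log format, the hostnames, the destination IPs and the client addresses are all constructed for illustration.

```python
"""Scan web-proxy log lines for fetches of coinhive.min.js and summarise
the hits as unique URLs, unique hostnames and unique destination IPs.
Added example; the log format and every host/IP below are constructed."""
from collections import Counter
from urllib.parse import urlparse

MINER_SCRIPT = "coinhive.min.js"

# Constructed sample: "<timestamp> <client_ip> <dest_ip> <method> <url>"
SAMPLE_LOG = """\
2018-01-08T10:00:01Z 10.0.0.12 203.0.113.10 GET http://cdn.example-ads.test/js/coinhive.min.js
2018-01-08T10:00:02Z 10.0.0.12 203.0.113.10 GET http://cdn.example-ads.test/js/app.js
2018-01-08T10:00:05Z 10.0.0.31 203.0.113.10 GET http://cdn.example-ads.test/js/coinhive.min.js?v=2
2018-01-08T10:01:10Z 10.0.0.44 198.51.100.7 GET https://static.video-site.test/lib/CoinHive.min.js
2018-01-08T10:01:11Z 10.0.0.44 198.51.100.7 GET https://static.video-site.test/index.html
2018-01-08T10:02:00Z 10.0.0.12 203.0.113.10 GET http://cdn.example-ads.test/js/coinhive.min.js
"""


def parse_line(line):
    """Split one log line into its fields; None for blank or malformed lines."""
    parts = line.split(maxsplit=4)
    if len(parts) != 5:
        return None
    ts, client, dest_ip, method, url = parts
    return {"ts": ts, "client": client, "dest_ip": dest_ip, "method": method, "url": url}


def is_miner_fetch(entry):
    """Match on the URL path only, case-insensitively, so a cache-busting
    query string (?v=2) or a capitalised filename still counts."""
    return urlparse(entry["url"]).path.lower().endswith("/" + MINER_SCRIPT)


def summarise(log_text):
    """Return the slide's three counts plus which clients fetched the miner."""
    hits = [e for e in map(parse_line, log_text.splitlines()) if e and is_miner_fetch(e)]
    return {
        "hits": len(hits),
        "unique_urls": len({e["url"] for e in hits}),
        "unique_hosts": len({urlparse(e["url"]).hostname for e in hits}),
        "unique_ips": len({e["dest_ip"] for e in hits}),
        "clients": Counter(e["client"] for e in hits),
    }


if __name__ == "__main__":
    for key, value in summarise(SAMPLE_LOG).items():
        print(f"{key}: {value}")
```

The check keys on the script's filename, so a copy served under another name or inlined into a page is not caught; in practice this indicator is paired with others (outbound connections to mining pools, sustained CPU load on the clients listed under "clients").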
25. How fast can you respond?
Kill chain stages (pre-compromise, during attack, post-compromise):
• Reconnaissance: research (scan, social info)
• Weaponization: create malware
• Delivery: push (email) or pull (content)
• Exploit: execution of payload (vulnerability + exploit)
• Installation: compromise host and/or lateral movement
• Command & Control: remote control attained by adversary
• Actions: data breach or damage
*Active engagements with partners
30. Software Defined Secure Networks
• Global Policy Orchestration, Policy Engine
• Open and Unified Threat Detection
• Dynamic, Automated Enforcement
Today: uncoordinated and perimeter-focused point products (IPS, WAF, Sandbox, AV, NGFW, SIEM, Web, Email)
SDSN: orchestrated, holistic system encompassing security + infrastructure
31. How do we get there?
Day 0 (human-driven automation)
• Establish standards-based network interfaces and data models
• Automate network provisioning & management
• Simplify security and network operations
Day 1 (event-driven automation)
• Gather security & network information (telemetry)
• Intelligence drives automated response and policies
• Rule-based action on critical network events (closed-loop automation)
Day N (machine-driven automation)
• Use machine-learning tools to train the system
• Machines make decisions and drive network change
• Humans make decisions where machines cannot
32. Significant Response Improvements With Automation
Malware investigation task                 Manual effort   Juniper SDSN
Identify host and user                     10 min          Automated
Collect AV and EDR data for given host     25 min          Automated
Collect network data (NGFW, SWG)           25 min          Automated
Analyze & correlate                        35 min          Automated
Determine progression and scope            15 min          Automated
Contain the threat                         10 min          Automated
TOTAL TIME                                 > 2 hrs         < 10 min
33. SDSN Architecture
Detection
• Fast, effective protection from advanced threats
• Integrated threat intelligence
Policy
• Adaptive enforcement to firewalls, switches, routers and 3rd-party devices
• Robust visibility and management
Enforcement
• Consistent protection across physical/virtual
• Open and programmable environment
The network fabric is now a single enforcement domain.
Diagram: Security Director + Policy Enforcer (policy enforcement, visibility, automation) at the centre; Sky ATP (advanced threat prevention, analysis, threat intelligence) plus third-party threat intel feeding detection; enforcement points are SRX physical firewalls, vSRX/cSRX virtual firewalls, EX switches, routers and third-party elements.
34. What if your Network could be a Firewall?
Diagram: a school district network with a single user ("Sally") as the example endpoint; detection feeds policy, policy drives detection and enforcement.
• Instant threat intelligence and detection
• Dynamically adapting policy, deployed in real time
• Enforce security everywhere
You need true end-to-end visibility to secure the entire network.
35. How does SDSN completely isolate an infected host?
• Stateful filter on the firewall + access list on the switch port
Diagram: Sky ATP above two NGFW + switch pairs; the infected host 192.168.10.225 sits behind one pair, host 192.168.20.2 behind the other.
36. Data Center Micro-segmentation
Diagram: Internet, perimeter firewall cluster, internal firewall cluster; DMZ VLAN holding IT Web and Fin Web, an application tier holding IT App and Fin App, and DB_VLAN holding IT DB and Fin DB; the SDSN Policy Engine defines security groups "IT Apps" and "Fin Apps"; the SDN controller provisions vSRX in the service chain; Sky ATP and 3rd-party threat feeds supply detection; enforcement is via vSRX policy and switch ACLs.
Policy
• Policy defined in the Policy Engine:
  1. "IT Applications cannot access Finance Applications even if they share the same VLAN"
  2. Traffic in and out of infected applications should be logged
Detection
• Sky ATP detection applies to the infected-applications scenario (#2 above)
Enforcement
• VM-related traffic controls enforced in vSRX
• Physical-to-physical traffic controls in access/aggregation switches
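The two policies on this slide are decided on workload metadata (security group, infection status), not on VLAN membership, and the enforcement point depends on whether the endpoints are virtual or physical. The following is an added example, not Juniper's policy engine, of a minimal evaluator that makes those decisions. The inventory, group names and the infected-host feed are constructed; the real system obtains them from orchestration metadata and Sky ATP.

```python
"""Evaluate slide 36's two micro-segmentation policies over workload
metadata rather than VLAN membership. Added example; the inventory,
groups and infected-host feed are constructed."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Workload:
    name: str
    ip: str
    vlan: str
    group: str   # security group from orchestration metadata
    kind: str    # "vm" or "physical"


# Constructed inventory: IT and Finance tiers deliberately share VLANs,
# so a VLAN-based ACL alone could not separate them.
INVENTORY = {w.ip: w for w in [
    Workload("it-web",  "10.10.1.10", "DMZ_VLAN", "IT Apps",  "vm"),
    Workload("fin-web", "10.10.1.20", "DMZ_VLAN", "Fin Apps", "vm"),
    Workload("it-app",  "10.10.2.10", "APP_VLAN", "IT Apps",  "vm"),
    Workload("fin-app", "10.10.2.20", "APP_VLAN", "Fin Apps", "vm"),
    Workload("it-db",   "10.10.3.10", "DB_VLAN",  "IT Apps",  "physical"),
    Workload("fin-db",  "10.10.3.20", "DB_VLAN",  "Fin Apps", "physical"),
]}

# Policy 1: group-to-group deny rules, evaluated regardless of VLAN.
GROUP_DENY = {("IT Apps", "Fin Apps"), ("Fin Apps", "IT Apps")}

# Policy 2: hosts flagged by the threat-detection feed (constructed content).
INFECTED = {"10.10.2.10"}


@dataclass(frozen=True)
class Decision:
    action: str   # "permit" or "deny"
    log: bool
    reason: str


def evaluate(src_ip, dst_ip, infected=INFECTED):
    """Decide a flow between two workloads from their metadata only."""
    src, dst = INVENTORY.get(src_ip), INVENTORY.get(dst_ip)
    if src is None or dst is None:
        return Decision("deny", True, "unknown workload: default deny")
    touches_infected = src_ip in infected or dst_ip in infected
    if (src.group, dst.group) in GROUP_DENY:
        return Decision("deny", True, f"{src.group} -> {dst.group} blocked by group policy")
    if touches_infected:
        return Decision("permit", True, "traffic to/from an infected host is logged")
    return Decision("permit", False, "intra-group traffic")


def enforcement_point(src_ip, dst_ip):
    """Where the decision is enforced: vSRX when a VM is involved,
    the access/aggregation switch ACL for physical-to-physical flows."""
    src, dst = INVENTORY[src_ip], INVENTORY[dst_ip]
    return "vSRX" if "vm" in (src.kind, dst.kind) else "switch ACL"


if __name__ == "__main__":
    for pair in [("10.10.1.10", "10.10.1.20"), ("10.10.2.10", "10.10.3.10")]:
        d = evaluate(*pair)
        print(pair, d.action, "log" if d.log else "", "via", enforcement_point(*pair), d.reason)
```

Default-deny for workloads missing from the inventory is a deliberate choice: a VM that has not yet been tagged must not inherit permit rules by accident.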
37. Security Director
• Threat condition visibility
• Dynamic enforcement adapts to changing threat conditions
• Pre-create security policy for agile workloads based on metadata
• Reduced effort by 20x
• Reduced user error
• Improved remediation time
Functions shown: enforcement rules, policy automation, application behavior, dashboard, SIEM
38. Innovative visibility…
1. Interactive/graphical summary of applications
2. Data from different angles
3. Who is using what
4. Perform correcting actions: identify and block usage
5. Toggle to launch details (grid view)
39. Policy Enforcer
Define Once – Detect, Enforce and Contain Everywhere
Diagram: public cloud, private cloud (Contrail Security), cloud users and premises all fed by Sky Advanced Threat Prevention (ATP) malware defense.
40. Policy Enforcer
• Automated containment via Policy Enforcer in Security Director
• Extended containment to access switches
• Updates enforcement criteria automatically with new threat data
• Tracks infected host/endpoint movement from site to site via MAC address rather than IP address
• Block, quarantine, release and track
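Slide 35 named the two enforcement pieces (a stateful deny on the firewall and an access list on the switch port) and this slide adds tracking by MAC address so containment follows a host that moves; together they are the Day 1 closed loop from slide 31. The following is an added example, not Policy Enforcer's code, of a minimal containment controller with those behaviours. It renders Junos-style "set"/"delete" commands from memory, which is an assumption to verify against your release before use; the device names, addresses and MAC are constructed.

```python
"""Minimal containment controller: block, track and release an infected
host keyed by MAC address, rendering a firewall deny policy and a switch
port filter. Added example; the Junos syntax is an assumption and all
names and addresses are constructed."""
from dataclasses import dataclass


@dataclass(frozen=True)
class InfectedHost:
    mac: str        # tracking key: survives DHCP changes and site moves
    ip: str
    firewall: str   # SRX in front of this host
    switch: str     # access switch the host is currently on
    port: str       # e.g. "ge-0/0/12"


def _tag(ip):
    return ip.replace(".", "-")


def firewall_block(h):
    """Stateful deny for the host's current IP. The policy must be ordered
    before any permissive rule for the zone pair (zones assumed here)."""
    addr, policy = f"infected-{_tag(h.ip)}", f"quarantine-{_tag(h.ip)}"
    base = f"set security policies from-zone trust to-zone untrust policy {policy}"
    return [
        f"set security address-book global address {addr} {h.ip}/32",
        f"{base} match source-address {addr}",
        f"{base} match destination-address any",
        f"{base} match application any",
        f"{base} then deny",
        f"{base} then log session-init",
    ]


def firewall_release(h):
    return [
        f"delete security policies from-zone trust to-zone untrust policy quarantine-{_tag(h.ip)}",
        f"delete security address-book global address infected-{_tag(h.ip)}",
    ]


def switch_block(h):
    """Port filter matching the MAC, so a new DHCP lease does not evade it."""
    flt = "QUARANTINE-" + h.port.replace("/", "-")
    base = f"set firewall family ethernet-switching filter {flt}"
    return [
        f"{base} term drop-infected from source-mac-address {h.mac}/48",
        f"{base} term drop-infected then discard",
        f"{base} term allow-rest then accept",
        f"set interfaces {h.port} unit 0 family ethernet-switching filter input {flt}",
    ]


def switch_release(h):
    flt = "QUARANTINE-" + h.port.replace("/", "-")
    return [
        f"delete interfaces {h.port} unit 0 family ethernet-switching filter input {flt}",
        f"delete firewall family ethernet-switching filter {flt}",
    ]


class Containment:
    def __init__(self):
        self.hosts = {}   # mac -> InfectedHost currently contained

    def block(self, event):
        """Return {device: [commands]} to contain `event`. If the same MAC is
        already contained but now has a new IP, switch or port, the stale
        enforcement is removed before the new one is added."""
        plan = {}
        prior = self.hosts.get(event.mac)
        if prior is None or (prior.firewall, prior.ip) != (event.firewall, event.ip):
            if prior:
                plan.setdefault(prior.firewall, []).extend(firewall_release(prior))
            plan.setdefault(event.firewall, []).extend(firewall_block(event))
        if prior is None or (prior.switch, prior.port) != (event.switch, event.port):
            if prior:
                plan.setdefault(prior.switch, []).extend(switch_release(prior))
            plan.setdefault(event.switch, []).extend(switch_block(event))
        self.hosts[event.mac] = event
        return plan

    def release(self, mac):
        """Lift containment for a remediated host; {} if it was not contained."""
        h = self.hosts.pop(mac, None)
        if h is None:
            return {}
        return {h.firewall: firewall_release(h), h.switch: switch_release(h)}
```

Two practitioner checks before relying on this: confirm on your platform whether sessions the host already has open survive the policy push and clear them explicitly if they do, and make sure the MAC-based port filter is applied on whichever port the host appears at next (here that is what the "moved host" branch in block() does).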
42. Juniper Advanced Threat Prevention (ATP) Appliance
Advanced malware detection, one-touch mitigation, threat behavior analytics
Detection
• On-premise solution that can detect advanced threats across web, email and lateral traffic
• Machine learning + behavior analysis + threat feeds
Analytics
• Improve productivity of SOC and IR teams by automating manual activities
• Timeline view of all security events that have occurred on a host or user
Mitigation
• Leverage existing security infrastructure to mitigate threats
• Automatically block malicious IPs, URLs and infected hosts
Cliched but absolutely true.
Attackers don’t have to play by any rules…defenders are constrained by compliance, certification, business, etc.
Are people more scared of their auditor or their attackers?
This resonates with all customers because they have all basically built this “best of breed” architecture.
However, all of these solutions are at best 99.9X% effective, so there will always be a small security gap.
I very rarely meet a customer who confidently says they have an expert team that manages all of this
The reality is that 99.35% effective means 248 malware payloads are executed in an environment
This timeline really highlights the pace, innovation and sophistication in the ransomware space.
It’s a great area to follow as the malware authors treat this a business and are constantly evolving.
Fileless malware is a great example
Why are breaches being discovered by Law enforcement or merchant providers?
Or even someone like Brian Krebs - https://krebsonsecurity.com/
The days of being able to detect malware based on signatures are long gone.
Malware doesn’t wait!!
It compromises and exfiltrates at machine speed. It's not waiting for a chain of events to occur, then a ticket to be raised, and someone to get back from a coffee break to begin its attacks.
SDSN can respond at the machine speed!
Sec Ops guys can get back to chasing down sophisticated attacks, pen testing and running deception honeypots
As any chess player would know, the best defense is understanding your opponent’s strategy.
When we start mapping our efforts to attacker’s infiltration steps, we can determine where to plug the gaps.
The “cyber kill chain” is a sequence of stages required for an attacker to successfully infiltrate a network and exfiltrate data from it.
Each stage demonstrates a specific goal along the attacker’s path.
Designing your monitoring and response plan around the cyber kill chain model is an effective method because it focuses on how actual attacks happen.
Considered in the context of network intrusions, the kill chain process is as follows
Kill chain is broadly categorized as Pre-Comp, During Attack, and Post Comp.
Let’s quickly walk through the steps and see how Juniper can defend and remediate customer’s assets at every step of the way.
It’s time to transform to a new security model
Today's solutions in the market are uncoordinated and firewall-focused. They can't stop the lateral spread of an attack inside the network.
Trying to secure everything and in the end not being more secure (for example, relying on endpoint protection and the perimeter firewall for east-west traffic).
SDSN is a complete transformation from deploying a myriad of network security tools, each with its own policy, detection and enforcement, to a holistic security system that unifies detection and enforcement and globalizes policy. This is a strategy. It is a vision. It is not separate from the products we are shipping. You can sell what is on the truck, and as we add services and capabilities to build out SDSN they will just add on.
This illustrates the path that we are on to get to what I guess we could call, “self driving networks”, where networks react, very similar to what routing protocols do now, in a programmed fashion and have a learning side to them. We are a bit away from that, but there are things we can do today to start on this journey.
Day 0 is pretty much where we are today: human-driven automation. What this means is that we are looking at an open-ended architecture where something comes out of the system and a human has to make a decision. This can be done with some common DevOps tools that perhaps some of you have heard of, like Puppet or Chef, or even Ansible. This is where we enter some type of templates and workflow and we push buttons to stamp out solutions. This in some way is how we solve some of the initial problems, like the mass deployments we discussed earlier. You can do tasks over and over again without the concern of the machine getting distracted by its favorite song.
Day 1 moves to more of a closed-loop automated system where you begin to use telemetry to determine what actions to take, based on workflows you design or that have been set up in the network. For instance, if you detect something on your system (note I didn't say network), let's say by some type of endpoint client. Perhaps someone has taken their machine out of your secure zone and received an unauthorized package. You detect this either at your perimeter due to unusual traffic, or perhaps you have some type of endpoint software on the client that notifies your central point of enforcement. Can you shut this user down at the port level? What if the user moves around?
Numbers generated by user input calculator
Customer Benefit:
Block East-West traffic to limit attack surface
Support physical servers as well as virtualized applications
Infected status based actions (monitor, block, quarantine)
When it comes to security we cannot allow valuable security practitioners to waste their time with excess manual work.
Our visibility and management solution, Security Director, automates and simplifies the management of SDSN components. The automation inherent in Security Director has reduced the amount of effort needed to administer policies by 20x as compared to manual processes.
And with the our latest advances in enforcement automation and orchestration, practitioners don’t have to struggle with manually updating static rules. Imagine the number of user errors that can be reduced and the time saved when managing multiple sites and thousands of devices in the network.
All this is unified in a single pane of glass, further simplifying the workflow of your scarce security specialists.
And our most innovative addition to SDSN is Policy Enforcer.
This is a revolutionary concept, enabling policies to be defined once for detection, enforcement and containment everywhere – no matter the environment.
we are taking visibility and management with Policy Enforcer to the next level
With Policy Enforcer,
Extend threat containment to access switches, including Cisco’s
Update enforcement criteria automatically with new threat data
Track infected host/endpoint movement from site to site via MAC address rather than IP address
We can block, quarantine, release and track…all seamlessly
Policy Enforcer is fueled by Sky ATP advanced malware defense and is being integrated with our ecosystem partners for extended defense
We all know what a menace ransomware has become. During the recent WannaCry outbreak Sky ATP was able to detect and block the exploit in 90 seconds
NOTE: If a more current example of a breakout has occurred, use that vs WannaCry
http://forums.juniper.net/t5/Security-Now/Rapid-Response-The-WannaCry-Ransomware-Outbreak/ba-p/307835
Demo video
On-Premise anti-malware appliance
Threat analytics and correlation
Lateral propagation detection
Cloud email threat detection
MAC OS support