plnog13 2014 security intelligence_pkedra_v1
Post on 20-Jun-2015
Copyright © 2014 Juniper Networks, Inc. 1
The Role of Information in Modern Security Systems: Security Intelligence
Piotr Kędra
Senior Systems Engineer, Channel support
pkedra@juniper.net
Agenda
• What are we talking about?
• Modern warfare
• Firewall evolution
• Threat landscape
• Security Intelligence
• Summary
Network-Centric Warfare
• In 1996, Admiral William Owens described the evolution of a system of intelligence sensors, command and control systems, and precision weapons that enabled enhanced situational awareness, rapid target assessment, and distributed weapon assignment.
• An information-superiority-enabled concept of operations that generates increased combat power by networking sensors, decision makers and shooters to achieve shared awareness, increased speed of command, higher tempo of operations, greater lethality, increased survivability and a degree of self-synchronization.
• Power to the Edge
Firewall Technology Overview
• State of security – past and present
• What is a firewall?
• How have firewalls been evolving?
• Is a firewall still necessary?
• High-end customer requirements
  – Performance
  – Segmentation
  – Compliance mandates
  – Do more with less
What is (was) a firewall?
• Software / hardware barrier between intranet (LAN) and extranet (WAN)
• Permit or deny traffic based on policies / rules
  – Source IP address/port, destination IP address/port, destination service, protocols, source domain, etc.
• Stateful – maintains information about existing sessions
  – Makes decisions based on session state rather than individual packets
• Perimeter gateway – common entry point to the LAN
How have they evolved?
• From packet filter to stateful to NextGen
  – Addressing the evolving threat landscape
  – FW/IPsec VPN – secure remote tunnels into corporate
  – UTM – AV, antispam, URL filtering, DI/IPS, and more
  – Consolidate security posture into a single appliance
  – Application / NextGen gateways
• From perimeter to infrastructure / core
  – Addressing the needs of changing network function / design
  – Multiple entry points to the network: partner portals, remote connectivity, wireless, etc.
  – Segmentation capabilities – network zoning
  – Enforcement of user roles / responsibilities
Is a firewall still needed?
• Still the 1st line of defense
  – DoS/DDoS protection
  – Ports / protocols usage
  – White lists, black lists – allow or deny
  – NATing – transition between IPv4 and IPv6
• Regulatory compliance
  – Requires security in depth, including a firewall
  – PCI, SCADA, and others
• Segmentation of the LAN
  – Separate zones / policies to logically separate traffic
  – Enforce corporate policies
Firewalls – reality ;-)
Evolution of Integration
• Stand-alone – specialized functions (stateful FW, IPsec VPN, IDP, routing)
  – Separation of tasks
  – Expensive, high-touch
  – No logical integration
  – Very complex set-up & ongoing maintenance
• Bolt-on – loose functional integration & coordination
  – FW “houses” add-on services
  – Single chassis convenience
• Fully-integrated – HW/SW optimized for full integration, tight coordination with apps & functions
  – Uncompromised performance
  – Complete inheritance
  – Best in class services
Figure: firewall and IPS shown first as separate boxes, then as “Firewall + IPS” in one box
NG infantry weapon…
• Removable top barrel hurls 20mm high-explosive air-bursting fragmentation rounds more than a half-mile. The lower barrel shoots NATO-standard 5.56mm ammunition. These rounds provide accurate single-round or bursts to about 500 yards. Laser-guided electronics as sophisticated as on a modern tank.
Next-Generation Firewall (NGFW)
• Application Visibility and Control
• User-based Controls
• Intrusion Prevention Services
Figure: emphasis on visibility – traditional firewall (L3, static) versus next-gen firewall (L7, dynamic)
Evolution of the Firewall
• Open platform delivers more value
• Scalable to ensure full enterprise or service provider deployment
• Built for expansive data capacity
• Improved efficacy, with fine-tuning
• Adaptive in its ability to incorporate many types of data into policy
• Security Intelligence!
Figure: traditional firewall (Layer 3, closed) → next-gen firewall (Layer 7, dynamic) → adaptive platform (open)
The Current Security Threat Landscape
• Attacks coming faster; attackers getting smarter
• Complex attacks using multiple vulnerabilities
• No simple solution works
  – Patching helps
  – Firewalls help
  – AV & attachment removal help
  – Encrypted passwords/tunnels help
• You can’t be “secure”; only “more secure”
• We must share information better
Today’s Threats, Yesterday’s Defenses
Figure: anti-virus catch rate for new viruses – 5%; time to coverage – 4 weeks (chart axis values 40, 80)
Source: Assessing the Effectiveness of Antivirus Solutions, Imperva
The Malware Workflow
Infection → Download, C&C → Lateral Movement → Data Exfiltration
Conceptual Overview
Figure: Spotlight Secure feeding the SRX with global and local intelligence; elements shown are Global Attacker Fingerprints, Command & Control, GeoIP, Spotlight Connector, Custom Lists, Malware Domains / IPs, Suspicious APT Behaviors, Local Attacker IDs and Compromised Hosts (some elements marked FUTURE)
• Centrally managed threat intelligence
• Open platform for custom threat data
• Scalable solution supports many SRX
• Future-proof framework
• Precise attacker identification
Solution Architecture
Figure: Spotlight Secure, Security Director and SRX firewalls; inputs shown are customer-provided or 3rd-party threat data, Command & Control, GeoIP, Attacker Fingerprints, and Local Attacker Details (e.g. WebApp Secure)
1. Aggregated & optimized cloud-based threat intelligence
2. Juniper-provided threat intelligence to customer premise
3. Local / customer data incorporated into the solution
4. Centrally managed by Junos Space Security Director
5. Intelligence distributed to SRX enforcement points
Spotlight Secure Today – Sharing Attacker Fingerprints in Real-Time
Global Attacker Intelligence Service: detect anywhere, stop everywhere
1. Attacker from San Francisco
2. WebApp Secure protected site in UK records fingerprint
3. Attacker fingerprint uploaded
4. Attacker fingerprint available for all sites protected by WebApp Secure
Juniper “Feed” Creation & Structure
Not all threat intelligence is created equal.
The Optimization Process: Source Data → Generate Feed → Optimize → Rinse & Repeat
• Consolidate data
• Weed out false positives
• Add/normalize scores
• Prioritize based on current threat landscape
Sourcing Threat Data
• Threat intelligence is collected from a variety of sources
• Juniper is committed to delivering focused threat intelligence (C&C, botnet)
• We utilize a variety of threat data sources and techniques to ensure intelligence is current and actionable
• All data sources are carefully evaluated by Juniper’s threat research team
The Juniper Threat Feed – sample entries:
192.168.3.101 5
192.168.4.25 3
www.bad.com/xyz 1
…
• Juniper threat feeds are designed to maximize enforcement point resources
• Policy can be fine-tuned using threat scores
Rinse & Repeat
• Threats change often
• Refresh all data sources at regular intervals
• Spotlight Secure ensures that data delivered to customer premise is fresh and actionable
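The slide shows feed entries as an indicator followed by a number and says policy can be fine-tuned using threat scores. The Python below is an added example, not Juniper's feed format, Spotlight Secure code or SRX policy syntax: it reads the sample entries as "indicator score" pairs (an assumption), indexes host addresses, prefixes and URLs separately, and maps the worst score seen on a flow to a block/log/permit action. The feed text and the block/log thresholds are constructed for the example; swapping in a freshly parsed `ThreatFeed` object is how the "rinse & repeat" refresh would be modelled here.

```python
"""Apply score-annotated threat-feed entries to traffic decisions.

Added illustration for the "Juniper Feed Creation & Structure" slide. This
is not Juniper's feed format, Spotlight Secure code or SRX policy syntax:
the feed text is constructed to mirror the slide's "<indicator> <score>"
lines, and the block/log thresholds are assumptions chosen for the example.
"""
import ipaddress
from urllib.parse import urlsplit

# Constructed sample feed (indicator, score); "#" starts a comment.
SAMPLE_FEED = """\
# indicator  score      <- constructed example, not real intelligence
192.168.3.101 5
192.168.4.25 3
www.bad.com/xyz 1
10.0.0.0/8 2
"""


class ThreatFeed:
    """Indexed view of one feed snapshot; a refresh builds a new instance."""

    def __init__(self):
        self.hosts = {}   # IPv4/IPv6 address -> score
        self.nets = []    # (network, score) for prefix entries
        self.urls = {}    # "host/path" -> score

    @classmethod
    def parse(cls, text):
        feed = cls()
        for lineno, raw in enumerate(text.splitlines(), 1):
            line = raw.split("#", 1)[0].strip()
            if not line:
                continue
            parts = line.split()
            if len(parts) != 2 or not parts[1].isdigit():
                raise ValueError(f"line {lineno}: expected '<indicator> <score>'")
            indicator, score = parts[0], int(parts[1])
            try:
                net = ipaddress.ip_network(indicator, strict=False)
            except ValueError:
                # Not an address or prefix: treat it as a URL indicator.
                feed.urls[indicator.lower()] = score
                continue
            if net.num_addresses == 1:
                feed.hosts[net.network_address] = score
            else:
                feed.nets.append((net, score))
        return feed

    def score_ip(self, ip):
        """Exact host match wins; otherwise the highest matching prefix score."""
        addr = ipaddress.ip_address(ip)
        if addr in self.hosts:
            return self.hosts[addr]
        return max((score for net, score in self.nets if addr in net), default=0)

    def score_url(self, url):
        """Normalise scheme and query away so 'http://www.bad.com/xyz?a=1' matches."""
        parts = urlsplit(url if "://" in url else "//" + url)
        return self.urls.get((parts.netloc + parts.path).lower(), 0)


def policy_action(score, block_at=4, log_at=2):
    """Map a threat score to an action; the thresholds are assumed values."""
    if score >= block_at:
        return "block"
    if score >= log_at:
        return "log"
    return "permit"


def evaluate_flow(feed, src_ip, dst_ip, url=None):
    """Score a flow by its worst indicator and return (score, action)."""
    score = max(feed.score_ip(src_ip), feed.score_ip(dst_ip),
                feed.score_url(url) if url else 0)
    return score, policy_action(score)


if __name__ == "__main__":
    feed = ThreatFeed.parse(SAMPLE_FEED)
    for flow in [("172.16.1.1", "192.168.3.101", None),
                 ("172.16.1.2", "192.168.4.25", None),
                 ("172.16.1.3", "198.51.100.7", "http://www.bad.com/xyz?a=1"),
                 ("10.9.8.7", "198.51.100.8", None)]:
        print(flow, "->", evaluate_flow(feed, *flow))
```

Raising the `block_at` threshold is the knob the slide's "fine-tuned using threat scores" bullet refers to: a low-score entry such as the URL above is only logged, so a false positive in the feed costs visibility rather than an outage.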
Support for Custom Feeds
• Security intelligence solution supports customer choice
  – Multi-vendor data can easily be integrated into the solution
  – Scalable component within SD aggregates all data for the customer
  – Management still occurs through the same SD-based tools
  – Support for blacklist and whitelist – customer defines the policy that uses the data
• Update mechanisms
  – File PUSH through Security Director
  – Web server PULL
  – Local appliance/service PUSH interface
Use-case #1: Detection of infected hosts
Figure: Spotlight Cloud delivers an IP/URL feed over the Internet to the Spotlight Connector, which passes the IP/URL feed to the SRX
Use-case #2: Mitigation of fingerprinted attackers
Figure: Spotlight Cloud and Spotlight Connector shared across Customer-A and Customer-B, each protected by WebApp Secure and SRX firewalls; a NAT-Gateway is also shown
Use-case #3: GeoIP-based traffic inspection
Dynamic Address Groups
• Dynamic Address Groups can be used as either “Source Address” or “Destination Address” in a firewall rule.
• A Dynamic Address Group is updated dynamically and does not require any configuration commit.
• The following types of feeds are supported in the first version:
  – Custom IP-list feeds
  – GeoIP feed (from Spotlight Cloud)
Use-case #4: Custom IP feeds
Figure: IP feeds reach the Spotlight Connector over the Internet and are passed on as an IP feed
Juniper Security Framework – Looking across Threat Vectors
Figure: Users and Datacenters at the two ends; elements shown between them are Security Intelligence, Security Management, Network Security, Content Security, Firewall, IPS, DDoS, Web Security, Application Visibility & Control, Emerging Threat Protection, Intrusion Deception and Client
Summary
• Status
  – Competitive intelligence is a work-in-progress
  – More details will be made available as we near formal launch (we are almost ready)
• Highlights
  – Centralized and open threat intelligence framework
  – Highly scalable and performant firewall implementation
  – Emphasis on efficacy, particularly with integration of attacker fingerprinting
NAC integration
Figure: local and remote users connect through switches and WLAN to a firewall in front of the protected resources; a NAC policy server and an Authentication, Authorization, and Accounting server (RADIUS or AD) answer “Identity correct?”, “Authorized?”, “Policy met?” and “Allow or disallow?”, then set the access policy
• Enforce policies before users get on the network
• Identify who gets access
• Allow access to authorized resources
Security Information and Event Management
SIEM, NBAD, VA, etc…
Big Data Platforms and Security Intelligence
Customers are looking to combine big data platforms and security intelligence to derive further security insights, including:
• Beaconing
  – Identify a pattern of connectivity from internal hosts or users to external endpoints over a long period of time.
• Advanced baselining
  – Model the normal behavior of users, apps, assets and other organizational entities so that anomalous behavior can be identified.
• Users susceptible to spear phishing
  – Enumerate users who are prone to spear phishing attacks because of their propensity to click suspicious URL links and who may require additional security training.
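The beaconing bullet describes a pattern of connectivity over time without saying how to measure it. The Python below is an added example, not Juniper code and not tied to any particular big data platform: it groups constructed flow records by (internal host, external address) and scores the regularity of the gaps between connections with the coefficient of variation, so that near-constant intervals stand out from human browsing. The flow records, the minimum connection count and the regularity threshold are all assumptions made for the example.

```python
"""Flag internal hosts that contact an external endpoint at regular intervals.

Added illustration for the "Beaconing" bullet above; not Juniper code and not
tied to any particular big data platform. The flow records are constructed,
and the minimum-connection count and regularity threshold are assumptions.
"""
from collections import defaultdict
from statistics import mean, pstdev

# Constructed flow records: (timestamp_seconds, internal_host, external_ip).
SAMPLE_FLOWS = [
    # host-a: roughly every 300 s (small jitter) to the same external address
    *[(i * 300 + jitter, "host-a", "203.0.113.9")
      for i, jitter in enumerate([0, 2, -1, 3, 0, 1, -2, 1])],
    # host-b: ordinary irregular browsing to the same address
    (10, "host-b", "203.0.113.9"), (400, "host-b", "203.0.113.9"),
    (430, "host-b", "203.0.113.9"), (1900, "host-b", "203.0.113.9"),
    (1950, "host-b", "203.0.113.9"), (4000, "host-b", "203.0.113.9"),
    # host-c: too few connections to judge either way
    (5, "host-c", "198.51.100.20"), (305, "host-c", "198.51.100.20"),
    (605, "host-c", "198.51.100.20"),
]


def find_beacons(flows, min_connections=6, max_cv=0.1):
    """Return per (host, external_ip) statistics and a beacon verdict.

    Regularity is the coefficient of variation (std / mean) of the gaps
    between consecutive connections: near-constant gaps give a value near
    zero, while human-driven traffic is far more irregular. Pairs with fewer
    than min_connections events are skipped so that a handful of visits does
    not produce a verdict in either direction.
    """
    by_pair = defaultdict(list)
    for ts, host, ext_ip in flows:
        by_pair[(host, ext_ip)].append(ts)

    results = {}
    for pair, times in by_pair.items():
        if len(times) < min_connections:
            continue
        times.sort()
        gaps = [later - earlier for earlier, later in zip(times, times[1:])]
        avg = mean(gaps)
        if avg <= 0:
            continue  # only duplicate timestamps; nothing periodic to measure
        cv = pstdev(gaps) / avg
        results[pair] = {
            "connections": len(times),
            "mean_interval": avg,
            "cv": cv,
            "beacon": cv <= max_cv,
        }
    return results


def beacon_pairs(results):
    """List the flagged (host, external_ip) pairs, most regular first."""
    flagged = [pair for pair, stats in results.items() if stats["beacon"]]
    return sorted(flagged, key=lambda pair: results[pair]["cv"])


if __name__ == "__main__":
    stats = find_beacons(SAMPLE_FLOWS)
    for pair, s in stats.items():
        print(pair, f"n={s['connections']} mean={s['mean_interval']:.0f}s "
                    f"cv={s['cv']:.3f} beacon={s['beacon']}")
    print("flagged:", beacon_pairs(stats))
```

On the constructed records host-a is flagged (interval close to 300 s, coefficient of variation near 0.01), host-b is not, and host-c is never judged because it has too few connections; on real flow data the same windowed statistic is what a long observation period buys, since a beacon that sleeps for hours only becomes regular once enough intervals have been seen.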
Q&A
Thank You!