plnog13 2014 security intelligence_pkedra_v1

Upload: proidea

Post on 20-Jun-2015

114 views

Category:

Internet


0 download

DESCRIPTION

Piotr Kędra – network consultant. Since 2007 Piotr has been working as a Systems Engineer in the Polish entity of Juniper Networks. He is responsible for network solutions for the enterprise sector and for technical support of the channel. Previously he worked at Solidex and NextiraOne as a presales engineer. He participated in a number of audits and many projects in the areas of LAN, WAN and network security. Topic of Presentation: The role of information in modern security systems. Language: Polish. Abstract: TBD

TRANSCRIPT

Page 1: Plnog13 2014 security intelligence_pkedra_v1

Copyright © 2014 Juniper Networks, Inc. 1

The role of information in modern security systems: Security Intelligence

Piotr Kędra

Senior Systems Engineer, Channel support

[email protected]

Page 2: Agenda

• What are we talking about?

• Modern warfare

• Firewall evolution

• Threat landscape

• Security Intelligence

• Summary

Page 3: Network-Centric Warfare

• 1996, Admiral William Owens described the evolution of a system of intelligence sensors, command and control systems, and precision weapons that enabled enhanced situational awareness, rapid target assessment, and distributed weapon assignment.

• An information superiority-enabled concept of operations that generates increased combat power by networking sensors, decision makers and shooters to achieve shared awareness, increased speed of command, higher tempo of operations, greater lethality, increased survivability and a degree of self-synchronization.

• Power to the Edge

Page 4: (image-only slide)

Page 5: Firewall Technology Overview

• State of security – Past and Present

• What is a firewall?

• How have firewalls been evolving?

• Is a firewall still necessary?

• High-end customer requirements
  – Performance
  – Segmentation
  – Compliance mandates
  – Do more with less

Page 6: What is (was) a firewall?

• Software / Hardware barrier between intranet (LAN) and extranet (WAN)

• Permit or deny traffic based on policies / rules
  – Source IP address/port, destination IP address/port, destination service, protocols, source domain, etc.

• Stateful – maintains information about existing sessions
  – Makes decisions based on session state rather than individual packets

• Perimeter Gateway – common entry point to LAN
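As an added illustration of the "stateful" bullet (example code written for this page, not code from the presentation or from Juniper), the Python below models a minimal stateful packet filter: the rule base is consulted only for the first packet of a flow, and reply packets are permitted by a session-table lookup rather than by a rule. The Packet, Rule and StatefulFirewall names, the rule set and the addresses are all constructed assumptions.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional, Set, Tuple

# Added example: a minimal stateful packet filter. Policy rules are evaluated
# only for the first packet of a flow; subsequent packets in either direction
# are permitted by session-table lookup. Names and addresses are constructed.

@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    proto: str       # "tcp" or "udp"
    direction: str   # "out" = LAN -> WAN, "in" = WAN -> LAN

@dataclass
class Rule:
    action: str                       # "permit" or "deny"
    src_net: str = "0.0.0.0/0"
    dst_net: str = "0.0.0.0/0"
    dport: Optional[int] = None       # None matches any value
    proto: Optional[str] = None
    direction: Optional[str] = None

    def matches(self, p: Packet) -> bool:
        return (ip_address(p.src) in ip_network(self.src_net)
                and ip_address(p.dst) in ip_network(self.dst_net)
                and (self.dport is None or self.dport == p.dport)
                and (self.proto is None or self.proto == p.proto)
                and (self.direction is None or self.direction == p.direction))

class StatefulFirewall:
    def __init__(self, rules):
        self.rules = list(rules)
        # Session table: 5-tuples of flows that policy has already permitted.
        self.sessions: Set[Tuple[str, str, int, str, int]] = set()

    @staticmethod
    def _key(p: Packet):
        return (p.proto, p.src, p.sport, p.dst, p.dport)

    @staticmethod
    def _reverse_key(p: Packet):
        # The 5-tuple of the flow to which this packet would be a reply.
        return (p.proto, p.dst, p.dport, p.src, p.sport)

    def process(self, p: Packet) -> str:
        # 1. Packet belongs to an existing session (either direction):
        #    permit without re-evaluating the rules.
        if self._key(p) in self.sessions or self._reverse_key(p) in self.sessions:
            return "permit (session)"
        # 2. First packet of a new flow: first matching rule wins, default deny.
        for rule in self.rules:
            if rule.matches(p):
                if rule.action == "permit":
                    self.sessions.add(self._key(p))
                    return "permit (policy)"
                return "deny (policy)"
        return "deny (default)"

def build_firewall() -> StatefulFirewall:
    # Outbound HTTPS from the LAN is allowed; everything else is denied.
    return StatefulFirewall([
        Rule("permit", src_net="10.0.0.0/8", dport=443, proto="tcp", direction="out"),
        Rule("deny"),
    ])

def demo():
    fw = build_firewall()
    syn = Packet("10.1.1.5", 51000, "203.0.113.10", 443, "tcp", "out")
    reply = Packet("203.0.113.10", 443, "10.1.1.5", 51000, "tcp", "in")
    # Same server, but a port the LAN host never opened a session to.
    probe = Packet("203.0.113.10", 443, "10.1.1.5", 51001, "tcp", "in")
    return [fw.process(syn), fw.process(reply), fw.process(probe)]

if __name__ == "__main__":
    print(demo())
```

The reply is accepted only because the outbound SYN created a session entry; the unsolicited probe from the same server, with no matching session, falls through to the deny rule. That is the distinction between a stateful firewall and a packet filter that would need an explicit inbound rule for return traffic.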

Page 7: How have they evolved?

• From Packet Filter to Stateful to NextGen
  – Addressing the evolving threat landscape
  – FW/IPsec VPN – secure remote tunnels into corporate
  – UTM – AV, antispam, URL filtering, DI/IPS, and more
  – Consolidate security posture into a single appliance
  – Application / NextGen Gateways

• From Perimeter to Infrastructure / Core
  – Addressing the needs of changing network function / design
  – Multiple entry points to the network
  – Partner portals, remote connectivity, wireless, etc.
  – Segmentation capabilities – network zoning
  – Enforcement of user roles / responsibilities

Page 8: Is a firewall still needed?

• Still the 1st line of defense
  – DoS/DDoS protection
  – Ports / protocols usage
  – White lists, black lists – allow or deny
  – NATing – transition between IPv4 and IPv6

• Regulatory Compliance
  – Requires security in depth, including a firewall
  – PCI, SCADA, and others

• Segmentation of LAN
  – Separate zones / policies to logically separate traffic
  – Enforce corporate policies

Page 9: Firewalls – reality ;-)

(image-only slide)

Page 10: Evolution of Integration

Stand-alone – Specialized functions
• Stateful FW
• IPSec VPN
• IDP
• Routing
• Separation of tasks
• Expensive, high-touch

Bolt-on – Loose functional integration & coordination
• FW “houses” add-on services
• Single chassis convenience
• No logical integration
• Very complex set-up & ongoing maintenance

Fully-integrated – HW/SW optimized for full integration, tight coordination with apps & functions
• Uncompromised performance
• Complete inheritance
• Best in class services

(Diagram: Firewall and IPS as separate boxes, then Firewall + IPS bolted together, then a single integrated box)

Page 11: NG Infantry weapon…

• Removable top barrel hurls 20mm high-explosive air-bursting fragmentation rounds more than a half-mile. The lower barrel shoots NATO-standard 5.56mm ammunition. These rounds provide accurate single-round or bursts to about 500 yards. Laser-guided electronics as sophisticated as on a modern tank.

Page 12: Next-Generation Firewall (NGFW)

• Application Visibility and Control

• User-based Controls

• Intrusion Prevention Services

(Diagram, “Emphasis on Visibility”: traditional firewall at L3 with static policy versus next-gen firewall at L7 with dynamic policy)

Page 13: Evolution Of The Firewall

• Open platform delivers more value

• Scalable to ensure full enterprise or service provider deployment

• Built for expansive data capacity

• Improved efficacy, with fine-tuning

• Adaptive in its ability to incorporate many types of data into policy

Security Intelligence!

(Diagram: traditional firewall at Layer 3, closed; next-gen firewall at Layer 7, dynamic; dynamic adaptive platform, open)

Page 14: The Current Security Threat Landscape

• Attacks coming faster; attackers getting smarter

• Complex attacks using multiple vulnerabilities

• No simple solution works
  – Patching helps
  – Firewalls help
  – AV & attachment removal help
  – Encrypted passwords/tunnels help

• You can’t be “secure”; only “more secure”

• We must share information better

Page 15: Today’s Threats, Yesterday’s Defenses

(Chart: anti-virus catch rate for new viruses, starting at about 5%, with coverage improving over 4 weeks; axis ticks 40 and 80)

Source: Assessing the Effectiveness of Antivirus Solutions, Imperva

Page 16: The Malware Workflow

Infection → Download, C&C → Lateral Movement → Data Exfiltration

Page 17: Conceptual Overview

(Diagram: Spotlight Secure delivers global intelligence to the SRX – attacker fingerprints, command & control, GeoIP – while the Spotlight Connector delivers local intelligence – custom lists, malware domains and IPs, suspicious APT behaviors, local attacker IDs, compromised hosts; one element is marked FUTURE)

• Centrally managed threat intelligence

• Open platform for custom threat data

• Scalable solution supports many SRX

• Future-proof framework

• Precise attacker identification

Page 18: Solution Architecture

Data sources shown: customer-provided or 3rd party threat data; Command & Control; GeoIP; Attacker Fingerprints; Local Attacker Details (e.g. WebApp Secure)

1. Aggregated & optimized cloud-based threat intelligence (Spotlight Secure)
2. Juniper-provided threat intelligence to customer premise
3. Local/Customer data incorporated into the solution
4. Centrally managed by Junos Space Security Director
5. Intelligence distributed to SRX enforcement points (SRX Firewalls)

Page 19: Spotlight Secure Today – Sharing Attacker Fingerprints in Real-Time

Spotlight Secure – Global Attacker Intelligence Service

1. Attacker from San Francisco
2. WebApp Secure protected site in UK records fingerprint
3. Attacker fingerprint uploaded
4. Attacker fingerprint available for all sites protected by WebApp Secure

Detect Anywhere, Stop Everywhere

Page 20: Juniper “Feed” Creation & Structure

Not all threat intelligence is created equal

The Optimization Process: Source Data → Optimize → Generate Feed → Rinse & Repeat

Sourcing Threat Data – threat intelligence is collected from a variety of sources

• Juniper is committed to delivering focused threat intelligence (C&C, botnet)

• We utilize a variety of threat data sources and techniques to ensure intelligence is current and actionable

• All data sources are carefully evaluated by Juniper’s threat research team

Optimize

• Consolidate data

• Weed out false positives

• Add/normalize scores

• Prioritize based on current threat landscape

Generate Feed – The Juniper Threat Feed

  indicator          score
  192.168.3.101      5
  192.168.4.25       3
  www.bad.com/xyz    1
  …

• Juniper threat feeds are designed to maximize enforcement point resources

• Policy can be fine-tuned using threat scores

Rinse & Repeat

• Threats change often

• Refresh all data sources at regular intervals

• Spotlight Secure ensures that data delivered to customer premise is fresh and actionable
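To make the "Optimize" step concrete, here is an added example (written for this page, not Juniper's feed pipeline) that consolidates two constructed feeds with different scoring schemes, drops entries that hit an allowlist (the false-positive step), normalizes everything onto the 1..5 scale the slide's feed uses, bumps the score of indicators corroborated by more than one source, and emits a prioritized list. The feed contents, allowlist, score mapping and function names are all constructed assumptions.

```python
from collections import defaultdict
from ipaddress import ip_address, ip_network
from typing import Dict, List, Tuple

# Added example: threat-feed consolidation and scoring. All indicators below
# are constructed from documentation address ranges and reserved domains; the
# scoring scheme is an assumption chosen for illustration.

FEED_A = [  # (indicator, score on a 0-100 scale)
    ("192.0.2.10", 95), ("198.51.100.7", 40), ("www.example.net/xyz", 70),
]
FEED_B = [  # (indicator, confidence label)
    ("198.51.100.7", "medium"), ("203.0.113.55", "low"), ("cdn.example.org/assets", "high"),
]
# Known-good entries that must never reach the enforcement point (constructed).
ALLOWLIST_NETS = [ip_network("203.0.113.0/24")]
ALLOWLIST_URLS = {"cdn.example.org/assets"}

def normalize_a(score: int) -> int:
    """Map a 0-100 score onto 1..5 (0-20 -> 1, 21-40 -> 2, ... 81-100 -> 5)."""
    return max(1, min(5, (score + 19) // 20))

def normalize_b(label: str) -> int:
    """Map a confidence label onto the same 1..5 scale."""
    return {"low": 1, "medium": 3, "high": 5}[label]

def is_ip(indicator: str) -> bool:
    try:
        ip_address(indicator)
        return True
    except ValueError:
        return False

def is_false_positive(indicator: str) -> bool:
    """Allowlist check for both IP and URL indicators."""
    if is_ip(indicator):
        return any(ip_address(indicator) in net for net in ALLOWLIST_NETS)
    return indicator in ALLOWLIST_URLS

def build_feed(feed_a=FEED_A, feed_b=FEED_B) -> List[Tuple[str, int, int]]:
    """Consolidate, weed out allowlisted entries, normalize and prioritize.
    Returns (indicator, score, source_count) tuples, highest priority first."""
    scores: Dict[str, List[int]] = defaultdict(list)
    for ind, s in feed_a:
        scores[ind].append(normalize_a(s))
    for ind, lbl in feed_b:
        scores[ind].append(normalize_b(lbl))
    out = []
    for ind, vals in scores.items():
        if is_false_positive(ind):
            continue
        # Corroboration by a second source raises the score by one, capped at 5.
        score = min(5, max(vals) + (1 if len(vals) > 1 else 0))
        out.append((ind, score, len(vals)))
    # Prioritize: higher score first, then more sources, then a stable name order.
    out.sort(key=lambda t: (-t[1], -t[2], t[0]))
    return out

if __name__ == "__main__":
    for indicator, score, sources in build_feed():
        print(f"{indicator:<24} {score} ({sources} source(s))")
```

The allowlist step runs after consolidation so that a known-good address is dropped even when several sources list it; the corroboration bump is what lets a policy threshold (for example, block at score 4 and above) pick up an indicator that no single source rated highly.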

Page 21: Support for Custom Feeds

• Security intelligence solution supports customer choice
  – Multi-vendor data can easily be integrated into the solution
  – Scalable component within SD aggregates all data for the customer
  – Management still occurs through the same SD-based tools
  – Support for blacklist and whitelist – the customer defines the policy that uses the data

• Update Mechanisms
  – File PUSH through Security Director
  – Web server PULL
  – Local appliance/service PUSH interface

Page 22: Use-case #1: Detection of infected hosts

(Diagram: Spotlight Cloud delivers an IP/URL feed over the Internet to the Spotlight Connector, which passes the IP/URL feed to the SRX)

Page 23: Use-case #2: Mitigation of fingerprinted attackers

(Diagram: Spotlight Cloud and Spotlight Connector connected over the Internet to Customer-A and Customer-B, each with WebApp Secure and an SRX, plus a further SRX behind a NAT-Gateway)

Page 24: Use-case #3: GeoIP-based traffic inspection

Dynamic Address Groups

• Dynamic Address Groups can be used as either “Source Address” or “Destination Address” in a firewall rule.

• A Dynamic Address Group is updated dynamically and does not require any configuration commit.

• The following types of feeds are supported in the first version:
  – Custom IP-list feeds
  – GeoIP feed (from Spotlight Cloud)
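The following added example (written for this page; it is not Junos configuration or Juniper code) shows the property the slide describes: rules reference a dynamic address group by name, membership is resolved at match time, and a feed refresh changes the verdict for a flow without any change to the rule set. It covers both feed types named on the slide, a custom IP list and a group derived from a GeoIP prefix table. The GeoIP table, group and rule names, actions and addresses are all constructed assumptions.

```python
from ipaddress import ip_address, ip_network
from typing import Dict, List, Optional, Tuple

# Added example: rules reference a Dynamic Address Group by name; a feed
# refresh changes enforcement without touching the rule set. The GeoIP table,
# names and addresses are constructed for illustration.

# Constructed prefix -> country table standing in for a GeoIP feed.
GEOIP = {ip_network("192.0.2.0/24"): "XX", ip_network("198.51.100.0/24"): "YY"}

class DynamicAddressGroup:
    """Membership is supplied by a feed and may be replaced at any time.
    Rules hold only the group name and resolve members at lookup time."""
    def __init__(self, name: str, members=()):
        self.name = name
        self.members = [ip_network(m) for m in members]

    def refresh(self, members) -> None:
        # Called when the feed delivers a new list; no rule is modified.
        self.members = [ip_network(m) for m in members]

    def contains(self, ip: str) -> bool:
        addr = ip_address(ip)
        return any(addr in net for net in self.members)

def geoip_group(name: str, countries) -> DynamicAddressGroup:
    """Build a group from every GeoIP prefix mapped to one of the countries."""
    return DynamicAddressGroup(name, [str(n) for n, c in GEOIP.items() if c in countries])

class Rule:
    def __init__(self, name: str, action: str,
                 src_group: Optional[str] = None, dst_group: Optional[str] = None):
        self.name, self.action = name, action
        self.src_group, self.dst_group = src_group, dst_group   # None = any address

def evaluate(rules: List[Rule], groups: Dict[str, DynamicAddressGroup],
             src: str, dst: str) -> Tuple[str, str]:
    """First matching rule wins; group membership is resolved at match time."""
    for r in rules:
        src_ok = r.src_group is None or groups[r.src_group].contains(src)
        dst_ok = r.dst_group is None or groups[r.dst_group].contains(dst)
        if src_ok and dst_ok:
            return r.name, r.action
    return "default", "deny"

def build_policy():
    groups = {
        "blocked-custom": DynamicAddressGroup("blocked-custom", ["203.0.113.0/24"]),
        "geo-xx": geoip_group("geo-xx", {"XX"}),
    }
    rules = [
        Rule("deny-custom", "deny", src_group="blocked-custom"),
        Rule("inspect-geo", "permit-with-ips", dst_group="geo-xx"),
        Rule("allow-rest", "permit"),
    ]
    return rules, groups

def demo():
    rules, groups = build_policy()
    before = evaluate(rules, groups, "192.0.2.5", "10.1.1.5")
    # Feed refresh adds a prefix to the custom list; the rules are untouched.
    groups["blocked-custom"].refresh(["203.0.113.0/24", "192.0.2.0/24"])
    after = evaluate(rules, groups, "192.0.2.5", "10.1.1.5")
    return before, after

if __name__ == "__main__":
    print(demo())
```

Because the rule stores only the group name, the "no configuration commit" behaviour falls out naturally: the feed replaces the member list, and the next lookup sees it. A practical check when adopting such groups is to log which group and feed generation produced a match, since the rule text alone no longer explains a verdict.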

Page 25: Use-case #4: Custom IP feeds

(Diagram: IP feeds delivered over the Internet to the Spotlight Connector)

Page 26: Juniper Security Framework – Looking across Threat Vectors

(Diagram spanning Users and Datacenters: Security Intelligence; Security Management; Network Security – Firewall, IPS, DDoS; Content Security – Web Security, Application Visibility & Control, Emerging Threat Protection, Intrusion Deception, Client)

Page 27: Summary

• Status
  – Competitive intelligence is a work-in-progress
  – More details will be made available as we near formal launch (we are almost ready)

• Highlights
  – Centralized and open threat intelligence framework
  – Highly scalable and performant firewall implementation
  – Emphasis on efficacy, particularly with integration of attacker fingerprinting

Page 28: NAC integration

(Diagram: Local User and Remote User connect through Switches and WLAN; the NAC policy server checks “Identity correct?” against the Authentication, Authorization, and Accounting Server (Radius or AD) and “Policy met?”, then sets the access policy; the Firewall decides “Authorized?” and “Allow or Disallow?” for the Protected Resources)

• Enforce policies before users get on the network

• Identify who gets access

• Allow access to authorized resources

Page 29: Security Information and Event Management

Page 30: SIEM, NBAD, VA, etc…

Page 31: Big Data Platforms and Security Intelligence

Customers are looking to combine Big Data Platforms and Security Intelligence to derive further security insights, including:

• Beaconing
  – Identify a pattern of connectivity from internal hosts or users to external endpoints over a long period of time.

• Advanced baselining
  – Model normal behavior of users, apps, assets and other organizational entities so that anomalous behavior can be identified.

• Users susceptible to spear phishing
  – Enumerate users who are prone to spear phishing attacks because of their propensity to click suspicious URL links and who may require additional security training.
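As an added example (written for this page, not code from the presentation or from Juniper), the Python below implements the first two analyses over a constructed connection log: a beaconing detector that scores how regular the connection intervals are for each (source, destination) pair and refuses to judge pairs with too few observations or too short a time span, and a per-entity baseline that flags a daily count more than z standard deviations above that entity's history. Addresses, timestamps, thresholds and function names are all constructed assumptions.

```python
from collections import defaultdict
from dataclasses import dataclass
from statistics import mean, pstdev
from typing import Dict, List, Tuple

# Added example: beaconing detection and per-entity baselining over a
# constructed connection log (epoch seconds, src, dst). Host 10.1.1.5 contacts
# 192.0.2.10 every ~10 minutes with a few seconds of jitter (beacon-like);
# 10.1.1.7 talks to 198.51.100.3 at irregular times; 10.1.1.9 is seen twice.
_JITTER = [0, 3, -2, 5, 1, -4, 2, 0, 3, -1, 4, -3]
SAMPLE_LOG: List[Tuple[int, str, str]] = (
    [(600 * i + j, "10.1.1.5", "192.0.2.10") for i, j in enumerate(_JITTER)]
    + [(t, "10.1.1.7", "198.51.100.3")
       for t in (0, 40, 900, 1000, 3500, 3600, 7000, 9100, 9150, 15000, 20000, 20500)]
    + [(100, "10.1.1.9", "192.0.2.44"), (5000, "10.1.1.9", "192.0.2.44")]
)

@dataclass
class BeaconStats:
    samples: int
    mean_interval: float
    cv: float        # coefficient of variation of the inter-connection interval
    flagged: bool

def detect_beacons(log, min_samples: int = 8, max_cv: float = 0.1,
                   min_span: int = 3600) -> Dict[Tuple[str, str], BeaconStats]:
    """Flag (src, dst) pairs whose connection intervals are suspiciously regular.
    Pairs with fewer than min_samples connections, or observed for less than
    min_span seconds, are skipped rather than judged on too little data."""
    by_pair: Dict[Tuple[str, str], List[int]] = defaultdict(list)
    for t, src, dst in log:
        by_pair[(src, dst)].append(t)
    results: Dict[Tuple[str, str], BeaconStats] = {}
    for pair, times in by_pair.items():
        times.sort()
        if len(times) < min_samples or times[-1] - times[0] < min_span:
            continue
        intervals = [b - a for a, b in zip(times, times[1:])]
        m = mean(intervals)
        cv = pstdev(intervals) / m if m > 0 else float("inf")
        results[pair] = BeaconStats(len(times), m, cv, cv <= max_cv)
    return results

def baseline_anomalies(history: Dict[str, List[int]], today: Dict[str, int],
                       z: float = 3.0) -> Dict[str, bool]:
    """Per-entity baseline: flag today's count when it sits more than z standard
    deviations above the entity's historical mean. A flat history (zero spread)
    flags any value above its mean."""
    verdict: Dict[str, bool] = {}
    for entity, counts in history.items():
        m, sd = mean(counts), pstdev(counts)
        value = today.get(entity, 0)
        verdict[entity] = value > m + z * sd if sd > 0 else value > m
    return verdict

# Constructed daily outbound-connection counts per host: seven days of history
# plus today's value.
HISTORY = {"10.1.1.5": [50, 55, 48, 52, 51, 49, 53],
           "10.1.1.7": [100, 120, 90, 110, 105, 95, 115]}
TODAY = {"10.1.1.5": 300, "10.1.1.7": 118}

if __name__ == "__main__":
    for pair, s in detect_beacons(SAMPLE_LOG).items():
        print(pair, f"n={s.samples} mean={s.mean_interval:.0f}s cv={s.cv:.3f} flagged={s.flagged}")
    print(baseline_anomalies(HISTORY, TODAY))
```

The coefficient of variation (standard deviation divided by mean interval) is what makes the check scale-free: a beacon every ten minutes and one every six hours both score near zero. The minimum-sample and minimum-span guards are the part that matters on real data, because a pair seen twice a few seconds apart would otherwise score as perfectly periodic; the "long period of time" in the slide is exactly that guard.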

Page 32: Q&A

Page 33: (image-only slide)

Page 34: Thank You!