plnog13 2014 security intelligence_pkedra_v1
DESCRIPTION
Piotr Kędra – network consultant. Since 2007 Piotr has been working as a Systems Engineer in the Polish entity of Juniper Networks. He is responsible for network solutions for the enterprise sector and for technical support of the channel. Previously he worked at Solidex and NextiraOne as a presales engineer. He has participated in a number of audits and many projects in the area of LAN, WAN and network security.
Topic of presentation: The role of information in modern security systems
Language: Polish
Abstract: TBD
TRANSCRIPT
Copyright © 2014 Juniper Networks, Inc. 1
The role of information in modern security systems: Security Intelligence
Piotr Kędra
Senior Systems Engineer, Channel support
Agenda
• What are we talking about?
• Modern warfare
• Firewall evolution
• Threat landscape
• Security Intelligence
• Summary
Network-Centric Warfare
• In 1996, Admiral William Owens described the evolution of a system of intelligence sensors, command and control systems, and precision weapons that enabled enhanced situational awareness, rapid target assessment, and distributed weapon assignment.
• An information superiority-enabled concept of operations that generates increased combat power by networking sensors, decision makers and shooters to achieve shared awareness, increased speed of command, higher tempo of operations, greater lethality, increased survivability and a degree of self-synchronization.
• Power to the Edge
Firewall Technology Overview
• State of security – past and present
  – What is a firewall?
  – How have firewalls been evolving?
  – Is a firewall still necessary?
• High-end customer requirements
  – Performance
  – Segmentation
  – Compliance mandates
  – Do more with less
What is (was) a firewall?
• Software / hardware barrier between intranet (LAN) and extranet (WAN)
• Permit or deny traffic based on policies / rules
  – Source IP address/port, destination IP address/port, destination service, protocols, source domain, etc.
• Stateful – maintains information about existing sessions
  – Makes decisions based on session state rather than individual packets
• Perimeter gateway – common entry point to the LAN
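The stateful behaviour described on this slide, as an added example that is not part of the presentation: a small Python packet filter with a first-match rule list and a session table. The policy, addresses and packets are constructed for the illustration. The point it makes is that the server's reply is permitted by session state even though no rule allows WAN-to-LAN traffic, while a mid-stream segment with no session behind it is dropped even where a rule would permit it.

```python
# Added example (not from the slides): a minimal stateful packet filter that
# permits or denies by policy and then lets an established session pass on
# state rather than re-matching every packet. Addresses and rules constructed.
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional, Set, Tuple

@dataclass(frozen=True)
class Packet:
    src: str            # source IP address
    sport: int          # source port
    dst: str            # destination IP address
    dport: int          # destination port
    proto: str          # "tcp" or "udp"
    syn: bool = False   # TCP SYN set: this packet opens a session

@dataclass(frozen=True)
class Rule:
    src_net: str
    dst_net: str
    dport: Optional[int]   # None matches any destination port
    proto: str
    action: str            # "permit" or "deny"

    def matches(self, p: Packet) -> bool:
        return (ip_address(p.src) in ip_network(self.src_net)
                and ip_address(p.dst) in ip_network(self.dst_net)
                and (self.dport is None or p.dport == self.dport)
                and self.proto == p.proto)

Key = Tuple[str, int, str, int, str]

class StatefulFirewall:
    def __init__(self, rules: List[Rule]):
        self.rules = rules
        self.sessions: Set[Key] = set()   # 5-tuples of permitted sessions

    @staticmethod
    def _key(p: Packet) -> Key:
        return (p.src, p.sport, p.dst, p.dport, p.proto)

    @staticmethod
    def _reverse_key(p: Packet) -> Key:
        return (p.dst, p.dport, p.src, p.sport, p.proto)

    def process(self, p: Packet) -> str:
        # 1. Session table first: packets of a known session pass on state.
        if self._key(p) in self.sessions:
            return "permit (existing session)"
        if self._reverse_key(p) in self.sessions:
            return "permit (return traffic)"
        # 2. Otherwise consult the policy: first match wins, default deny.
        for rule in self.rules:
            if not rule.matches(p):
                continue
            if rule.action != "permit":
                return "deny (policy)"
            # Only a session-opening packet may create state; a mid-stream
            # TCP segment without a session is dropped even if a rule allows it.
            if p.proto == "udp" or p.syn:
                self.sessions.add(self._key(p))
                return "permit (new session)"
            return "deny (no session)"
        return "deny (default)"

# Constructed policy: the LAN may open HTTPS sessions outbound; nothing
# from the WAN may initiate a connection into the LAN.
POLICY = [
    Rule("192.168.1.0/24", "0.0.0.0/0", 443, "tcp", "permit"),
    Rule("0.0.0.0/0", "192.168.1.0/24", None, "tcp", "deny"),
]

def demo() -> List[str]:
    fw = StatefulFirewall(POLICY)
    return [
        # LAN host opens an HTTPS session to an outside server
        fw.process(Packet("192.168.1.10", 51000, "203.0.113.5", 443, "tcp", syn=True)),
        # The server replies: no rule permits WAN->LAN, the session entry does
        fw.process(Packet("203.0.113.5", 443, "192.168.1.10", 51000, "tcp")),
        # Unsolicited inbound SSH attempt from the WAN
        fw.process(Packet("203.0.113.5", 40000, "192.168.1.10", 22, "tcp", syn=True)),
        # Mid-stream segment with no session behind it
        fw.process(Packet("192.168.1.11", 52000, "203.0.113.5", 443, "tcp")),
    ]

if __name__ == "__main__":
    for verdict in demo():
        print(verdict)
```

The session table is consulted before the rule list, which is what makes the second packet pass: the firewall recognises the reverse 5-tuple of a session it already admitted. The fourth packet shows the other side of the same property, a "permit" rule alone is not enough without a session-opening SYN.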
How have they evolved?
• From packet filter to stateful to NextGen
  – Addressing the evolving threat landscape
  – FW/IPsec VPN – secure remote tunnels into corporate
  – UTM – AV, antispam, URL filtering, DI/IPS, and more
  – Consolidate security posture into a single appliance
  – Application / NextGen gateways
• From perimeter to infrastructure / core
  – Addressing the needs of changing network function / design
  – Multiple entry points to the network: partner portals, remote connectivity, wireless, etc.
  – Segmentation capabilities – network zoning
  – Enforcement of user roles / responsibilities
Is a firewall still needed?
• Still the 1st line of defense
  – DoS/DDoS protection
  – Ports / protocols usage
  – White lists, black lists – allow or deny
  – NATing – transition between IPv4 and IPv6
• Regulatory compliance
  – Requires security in depth, including a firewall
  – PCI, SCADA, and others
• Segmentation of LAN
  – Separate zones / policies to logically separate traffic
  – Enforce corporate policies
Firewalls – reality ;-)
Evolution of Integration
[Diagram: Firewall and IPS as separate boxes, then Firewall + IPS bolted together in one chassis, then a single fully integrated system]
Stand-alone – specialized functions (stateful FW, IPsec VPN, IDP, routing)
  – Separation of tasks
  – Expensive, high-touch
Bolt-on – loose functional integration & coordination
  – FW “houses” add-on services
  – Single chassis convenience
  – No logical integration
  – Very complex set-up & ongoing maintenance
Fully-integrated – HW/SW optimized for full integration; tight coordination with apps & functions
  – Uncompromised performance
  – Complete inheritance
  – Best in class services
NG Infantry weapon…
• Removable top barrel hurls 20mm high-explosive air-bursting fragmentation rounds more than a half-mile. The lower barrel shoots NATO-standard 5.56mm ammunition. These rounds provide accurate single-round fire or bursts to about 500 yards. Laser-guided electronics as sophisticated as on a modern tank.
Next-Generation Firewall (NGFW)
• Application Visibility and Control
• User-based Controls
• Intrusion Prevention Services
[Diagram: emphasis on visibility – traditional firewall at L3, static; next-gen firewall at L7, dynamic]
Evolution Of The Firewall
• Open platform delivers more value
• Scalable to ensure full enterprise or service provider deployment
• Built for expansive data capacity
• Improved efficacy, with fine-tuning
• Adaptive in its ability to incorporate many types of data into policy
Security Intelligence!
[Diagram: traditional firewall (Layer 3, closed) → next-gen firewall (Layer 7) → dynamic adaptive platform (open)]
The Current Security Threat Landscape
• Attacks coming faster; attackers getting smarter
• Complex attacks using multiple vulnerabilities
• No simple solution works
  – Patching helps
  – Firewalls help
  – AV & attachment removal help
  – Encrypted passwords/tunnels help
• You can’t be “secure”; only “more secure”
• We must share information better
Today’s Threats, Yesterday’s Defenses
[Chart: anti-virus catch rate for new viruses – 5%; coverage reaching 40–80% after 4 weeks]
Source: Assessing the Effectiveness of Antivirus Solutions, Imperva
The Malware Workflow
Infection → Download, C&C → Lateral Movement → Data Exfiltration
Conceptual Overview
[Diagram: Spotlight Secure and the Spotlight Connector feed the SRX with global and local threat data – attacker fingerprints, command & control, GeoIP, custom lists, malware domains and IPs, suspicious APT behaviors, local attacker IDs, compromised hosts; some inputs marked FUTURE]
• Centrally managed threat intelligence
• Open platform for custom threat data
• Scalable solution supports many SRX
• Future-proof framework
• Precise attacker identification
Solution Architecture
[Diagram: customer-provided or 3rd-party threat data, command & control, GeoIP, attacker fingerprints and local attacker details (e.g. WebApp Secure) flow into Spotlight Secure, through Security Director, down to the SRX firewalls]
1. Aggregated & optimized cloud-based threat intelligence
2. Juniper-provided threat intelligence to customer premise
3. Local/customer data incorporated into solution
4. Centrally managed by Junos Space Security Director
5. Intelligence distributed to SRX enforcement points
Spotlight Secure Today – Sharing Attacker Fingerprints in Real-Time
Spotlight Secure Global Attacker Intelligence Service
Detect Anywhere, Stop Everywhere
1. Attacker from San Francisco
2. WebApp Secure protected site in the UK records fingerprint
3. Attacker fingerprint uploaded
4. Attacker fingerprint available for all sites protected by WebApp Secure
Juniper “Feed” Creation & Structure
Not all threat intelligence is created equal
Sourcing Threat Data
Threat intelligence is collected from a variety of sources.
• Juniper is committed to delivering focused threat intelligence (C&C, botnet)
• We utilize a variety of threat data sources and techniques to ensure intelligence is current and actionable
• All data sources are carefully evaluated by Juniper’s threat research team
The Optimization Process
• Consolidate data
• Weed out false positives
• Add/normalize scores
• Prioritize based on current threat landscape
The Juniper Threat Feed
• Juniper threat feeds are designed to maximize enforcement point resources
• Policy can be fine-tuned using threat scores
[Feed structure – indicator and score:]
192.168.3.101 5
192.168.4.25 3
www.bad.com/xyz 1
…
Rinse & Repeat (Source Data → Optimize → Generate Feed → …)
• Threats change often
• Refresh all data sources at regular intervals
• Spotlight Secure ensures that data delivered to customer premise is fresh and actionable
Support for Custom Feeds
• Security intelligence solution supports customer choice
  – Multi-vendor data can easily be integrated into the solution
  – Scalable component within SD aggregates all data for the customer
  – Management still occurs through the same SD-based tools
  – Support for blacklist and whitelist – customer defines the policy that uses the data
• Update mechanisms
  – File PUSH through Security Director
  – Web server PULL
  – Local appliance/service PUSH interface
Use-case #1: Detection of infected hosts
[Diagram: Spotlight Cloud (Internet) → IP/URL feed → Spotlight Connector → IP/URL feed → SRX]
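An added example, not Juniper's code and not the Spotlight Secure feed format: it walks through the optimization process from the feed slide (consolidate, weed out false positives, normalize scores, prioritize), honours a customer whitelist as on the custom-feeds slide, and then applies the resulting "indicator score" feed to outbound connection records to flag infected hosts, which is use-case #1. Source names, score scales, indicators and connection records are all constructed; the 1..10 score scale mirrors the single-digit scores shown on the feed slide.

```python
# Added example (not from the slides): build an "indicator score" feed from
# several sources, then use it to detect infected hosts from outbound
# connection records. Source names, scales, indicators and connections are
# constructed for the illustration.
from collections import defaultdict
from ipaddress import ip_address
from urllib.parse import urlsplit

# Each constructed source reports (indicator, raw_score) on its own scale:
# name -> (max_score, [(indicator, raw_score), ...])
SOURCES = {
    "cnc_tracker":  (100, [("198.51.100.7", 90), ("bad.example/xyz", 10), ("203.0.113.9", 70)]),
    "botnet_sink":  (10,  [("198.51.100.7", 9), ("203.0.113.9", 2), ("192.0.2.44", 3)]),
    "partner_dump": (5,   [("192.0.2.44", 1), ("bad.example/xyz", 1)]),
}
# Customer-defined whitelist: never enforced, whatever the sources say.
WHITELIST = {"192.0.2.44"}

def normalize(raw, max_score):
    """Map a source's raw score onto the common 1..10 scale of the feed."""
    return max(1, round(10 * raw / max_score))

def build_feed(sources, whitelist, min_sources=1):
    """Consolidate indicators across sources, normalize their scores, drop
    whitelisted or under-corroborated entries and sort by priority."""
    seen = defaultdict(list)
    for max_score, entries in sources.values():
        for indicator, raw in entries:
            seen[indicator].append(normalize(raw, max_score))
    feed = {}
    for indicator, scores in seen.items():
        if indicator in whitelist or len(scores) < min_sources:
            continue  # weed out: whitelisted or seen in too few sources
        # Highest normalized score, plus one point of confidence when a
        # second independent source corroborates it (capped at 10).
        feed[indicator] = min(10, max(scores) + (1 if len(scores) > 1 else 0))
    return sorted(feed.items(), key=lambda kv: -kv[1])

def is_ip(text):
    try:
        ip_address(text)
        return True
    except ValueError:
        return False

def indicator_matches(indicator, dst_ip, url):
    """IP indicators match the destination address; URL indicators match
    host plus path prefix, so "bad.example/xyz" covers bad.example/xyz/..."""
    if is_ip(indicator):
        return dst_ip == indicator
    if url is None:
        return False
    host, _, path = indicator.partition("/")
    parts = urlsplit(url)
    return parts.hostname == host and parts.path.startswith("/" + path)

# Constructed outbound connection records: (internal_src, dst_ip, url or None)
CONNECTIONS = [
    ("10.0.0.12", "198.51.100.7", None),
    ("10.0.0.15", "192.0.2.44", None),                         # whitelisted
    ("10.0.0.21", "203.0.113.80", "http://bad.example/xyz/gate.php"),
    ("10.0.0.21", "203.0.113.80", "http://bad.example/news/index.html"),
    ("10.0.0.30", "203.0.113.9", None),
]

def detect_infected(connections, feed, threshold):
    """Use-case #1: internal hosts that contacted a feed indicator whose
    score meets the enforcement threshold; the threshold is the knob that
    tunes policy against the threat scores."""
    hits = {}
    for src, dst_ip, url in connections:
        for indicator, score in feed:
            if score >= threshold and indicator_matches(indicator, dst_ip, url):
                hits.setdefault(src, []).append((indicator, score))
    return hits

if __name__ == "__main__":
    feed = build_feed(SOURCES, WHITELIST)
    for entry in feed:
        print(*entry)
    print(detect_infected(CONNECTIONS, feed, threshold=5))
```

With the constructed data the feed comes out as `198.51.100.7 10`, `203.0.113.9 8`, `bad.example/xyz 3`; the whitelisted address is dropped even though two sources reported it. At a threshold of 5 only the two hosts talking to the high-scoring IPs are flagged; lowering it to 3 also catches the host that fetched the `/xyz` path, while its request to another path on the same host is not matched, which is the difference between an IP indicator and a URL indicator.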
Use-case #2: Mitigation of fingerprinted attackers
[Diagram: Spotlight Cloud and Spotlight Connector reached over the Internet; Customer-A and Customer-B each with WebApp Secure and SRX; NAT-Gateway]
Use-case #3: GeoIP-based traffic inspection
Dynamic Address Groups
• Dynamic Address Groups can be used as either “Source Address” or “Destination Address” in a firewall rule.
• A Dynamic Address Group is updated dynamically and does not require any configuration commit.
• The following types of feeds are supported in the first version:
  – Custom IP-list feeds
  – GeoIP feed (from Spotlight Cloud)
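Added example of the dynamic address group idea, not Juniper's implementation: group membership is refreshed from a feed at run time, while the rule that references the group by name stays as it was committed. The GeoIP mapping (placeholder country codes XA and XB) and the custom block list are constructed, and the "inspect" action stands for handing the flow to IPS as in use-case #3.

```python
# Added example (not from the slides): a dynamic address group whose
# membership is refreshed from a feed while the firewall rule that names
# it is left untouched (no policy commit). Feed contents and the country
# codes XA/XB are constructed placeholders.
from ipaddress import ip_address, ip_network
from typing import Dict, Iterable, List, Optional, Tuple

class DynamicAddressGroup:
    def __init__(self, name: str):
        self.name = name
        self.networks = []      # current membership, replaced wholesale on refresh
        self.version = 0        # how many feed updates have been applied

    def refresh(self, prefixes: Iterable[str]) -> None:
        """Swap in the latest feed contents; the referencing rules do not change."""
        self.networks = [ip_network(p) for p in prefixes]
        self.version += 1

    def __contains__(self, addr: str) -> bool:
        a = ip_address(addr)
        return any(a in net for net in self.networks)

class Policy:
    """Rules reference groups by name; membership is resolved at match time."""
    def __init__(self, groups: Iterable[DynamicAddressGroup], default: str = "permit"):
        self.groups: Dict[str, DynamicAddressGroup] = {g.name: g for g in groups}
        self.rules: List[Tuple[Optional[str], Optional[str], str]] = []
        self.default = default

    def add_rule(self, src_group: Optional[str], dst_group: Optional[str], action: str) -> None:
        # None means "any" for that side of the rule
        self.rules.append((src_group, dst_group, action))

    def _member(self, group_name: Optional[str], addr: str) -> bool:
        return group_name is None or addr in self.groups[group_name]

    def decide(self, src: str, dst: str) -> str:
        for src_g, dst_g, action in self.rules:
            if self._member(src_g, src) and self._member(dst_g, dst):
                return action
        return self.default

# Constructed GeoIP feed versions: country code -> prefixes. In v2 the
# provider has widened the XA allocation.
GEOIP_FEED_V1 = {"XA": ["203.0.113.0/25"], "XB": ["198.51.100.0/24"]}
GEOIP_FEED_V2 = {"XA": ["203.0.113.0/24"], "XB": ["198.51.100.0/24"]}
# Constructed custom IP-list feed.
CUSTOM_BLOCK_V1 = ["192.0.2.0/28"]

def demo() -> Tuple[str, str, str, int]:
    geo_xa = DynamicAddressGroup("geoip-XA")
    custom = DynamicAddressGroup("custom-block")
    policy = Policy([geo_xa, custom])
    # Committed once: block the custom list, send XA-sourced traffic to IPS.
    policy.add_rule("custom-block", None, "deny")
    policy.add_rule("geoip-XA", None, "inspect")
    geo_xa.refresh(GEOIP_FEED_V1["XA"])
    custom.refresh(CUSTOM_BLOCK_V1)
    before = policy.decide("203.0.113.200", "10.0.0.5")   # outside XA in v1
    geo_xa.refresh(GEOIP_FEED_V2["XA"])                    # feed update only
    after = policy.decide("203.0.113.200", "10.0.0.5")    # now inside XA
    blocked = policy.decide("192.0.2.7", "10.0.0.5")
    return before, after, blocked, geo_xa.version

if __name__ == "__main__":
    print(demo())
```

The same source address is permitted before the feed refresh and sent to inspection after it, with `policy.rules` identical in both cases; only `geo_xa.version` has moved. That separation is what lets a GeoIP or custom list change take effect without touching the committed configuration.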
Use-case #4: Custom IP feeds
[Diagram: Spotlight Connector; Internet; IP feed in, IP feed out]
Juniper Security Framework – Looking across Threat Vectors
[Diagram labels: Users, Datacenters, Security Intelligence, Security Management, Network Security, Firewall, IPS, DDoS, Content Security, Web Security, Client, Application Visibility & Control, Emerging Threat Protection, Intrusion Deception]
Summary
• Status
  – Competitive intelligence is a work-in-progress
  – More details will be made available as we near formal launch (we are almost ready)
• Highlights
  – Centralized and open threat intelligence framework
  – Highly scalable and performant firewall implementation
  – Emphasis on efficacy, particularly with integration of attacker fingerprinting
NAC integration
[Diagram: local and remote users reach protected resources through switches and WLAN and a firewall; a NAC policy server, backed by an Authentication, Authorization, and Accounting server (RADIUS or AD), checks “Identity correct?”, “Policy met?” and “Authorized?”, answers “Allow or Disallow?” and sets the access policy]
• Enforce policies before users get on the network
• Identify who gets access
• Allow access to authorized resources
Security Information and Event Management
SIEM, NBAD, VA, etc…
Big Data Platforms and Security Intelligence
Customers are looking to combine Big Data platforms and Security Intelligence to derive further security insights, including:
• Beaconing
  – Identify a pattern of connectivity from internal hosts or users to external endpoints over a long period of time.
• Advanced baselining
  – Model normal behavior of users, apps, assets and other organizational entities so that anomalous behavior can be identified.
• Users susceptible to spear phishing
  – Enumerate users who are prone to spear phishing attacks because of their propensity to click suspicious URL links and who may require additional security training.
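Added example covering the first two analytics on this slide, beaconing and baselining; it is not code from the presentation. It runs over constructed flow records and constructed per-host daily volumes. Beaconing is detected as a low coefficient of variation of the inter-arrival times between one internal host and one external endpoint; baselining models each host's own history as mean and standard deviation and reports today's value as anomalous when it sits far outside it.

```python
# Added example (not from the slides): beaconing and baselining analytics
# over constructed records. Hosts, endpoints, timestamps and volumes are
# all made up for the illustration.
from collections import defaultdict
from statistics import mean, pstdev

# Constructed flow records: (timestamp_seconds, src_host, dst_endpoint, bytes).
# One host checks in every 5 minutes for 6 hours; another browses irregularly.
BEACON_TIMES = range(0, 6 * 3600, 300)
IRREGULAR_TIMES = [0, 100, 700, 900, 2500, 2600, 4000, 7000, 7100, 9500, 12000, 12100, 15000, 20000]
FLOWS = ([(t, "10.0.0.12", "203.0.113.9:443", 512) for t in BEACON_TIMES]
         + [(t, "10.0.0.15", "198.51.100.20:443", 2048) for t in IRREGULAR_TIMES])

def beaconing_candidates(flows, min_events=12, max_cv=0.2):
    """Group flows by (src, dst), compute inter-arrival gaps and flag pairs
    whose coefficient of variation (stdev / mean) is low: a steady heartbeat
    to one endpoint that human browsing rarely produces."""
    by_pair = defaultdict(list)
    for ts, src, dst, _ in flows:
        by_pair[(src, dst)].append(ts)
    hits = []
    for pair, times in by_pair.items():
        if len(times) < min_events:
            continue                      # too few events to judge periodicity
        times.sort()
        gaps = [b - a for a, b in zip(times, times[1:])]
        m = mean(gaps)
        cv = pstdev(gaps) / m if m else float("inf")
        if cv <= max_cv:
            hits.append((pair, round(m), round(cv, 3)))
    return hits

# Constructed per-host daily outbound volume (MB) over a 14-day window,
# followed by today's observation for each host.
HISTORY = {
    "10.0.0.12": [120, 118, 125, 122, 119, 121, 124, 120, 123, 118, 122, 121, 119, 120],
    "10.0.0.40": [60, 65, 58, 62, 70, 61, 59, 63, 66, 60, 64, 62, 61, 59],
}
TODAY = {"10.0.0.12": 123, "10.0.0.40": 410}

def baseline_anomalies(history, today, z_threshold=3.0):
    """Model each host's normal as (mean, stdev) of its own history and
    report hosts whose current value is more than z_threshold standard
    deviations away from that baseline."""
    out = []
    for host, series in history.items():
        mu, sigma = mean(series), pstdev(series)
        if sigma == 0:
            continue                      # no variation to judge against
        z = (today[host] - mu) / sigma
        if abs(z) > z_threshold:
            out.append((host, round(z, 1)))
    return out

if __name__ == "__main__":
    print("beaconing:", beaconing_candidates(FLOWS))
    print("baseline anomalies:", baseline_anomalies(HISTORY, TODAY))
```

The periodic host is reported with a 300-second interval and a coefficient of variation of 0; the irregular one has enough events to be evaluated but its gaps range from 100 to 5000 seconds, so it is not flagged. In the baseline part the host that normally sends about 60 MB a day and today sent 410 MB is the only anomaly; the other host's 123 MB is within its usual spread.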
Q&A
Thank You!