JUNIPER SECURE ANALYTICS (JSA) OVERVIEW
Stefan Lager, Product Line Manager, slager@juniper.net

AGENDA
1. Challenges with Event Management
2. Data Collection
3. Event Management and Analytics
4. Flow Management and Analytics
5. Secure Analytics - Use Cases
6. Deployment Options
7. Platforms and Licensing

Copyright © 2009 Juniper Networks, Inc. www.juniper.net

CHALLENGES WITH EVENT COLLECTION
IT “information” overload:
• The amount of events
• The amount of different types of events
• The amount of different types of event sources
Data mining and analytics:
• Event categorization
• Event search and drill-down
• Anomaly detection

THE SOLUTION: JUNIPER SECURE ANALYTICS
Log Server: “Here are all your events. Please take a look at them and let me know if you find anything strange.”
Secure Analytics (JSA): “Of all the million incoming events I think you need to take a look at this one.”

LOG SERVER VS. JUNIPER SECURE ANALYTICS
Log Server: a “Security Device” reports “APACHE-STRUTS-URI-CMDEXE” against the webserver, and that single event is all you see.
Secure Analytics (JSA): the same “APACHE-STRUTS-URI-CMDEXE” event from the “Security Device” is put in context:
• Webserver is vulnerable!
• Webserver sent a crash event!
• Strange traffic seen FROM webserver!
• Attack came from an IP with bad reputation!
• Attack came from a suspicious country!
• Events have been received from other “Security Devices”!
• …
MULTI-VENDOR EVENT AND FLOW COLLECTION
• Networking events: switches & routers, including flow data
• Security logs: firewalls, IDS, IPS, VPNs, vulnerability scanners, gateway AV, desktop AV & UTM devices
• Operating systems / host logs: Microsoft, Unix and Linux
• Applications: database, mail & web
• User and asset: authentication data
• Security map utilities: GeoIP, reputation feeds
Compliance templates; outputs: Forensics, Search, Policy, Reporting.

WHAT DOES JSA COLLECT?
Events:
• Syslog, Syslog-TLS
• SNMP
• Application/Protocols (*): JDBC, OPSEC/LEA, SDEE, SourceFire Estreamer, UDP/TCP Multiline, UDP Events, Binary (SRX) +PCAP (SRX), Log File, SMB Tail, Cisco NSEL, …
• Agents: ALE, Microsoft Snare, EMC, VMWare, WinCollect Version 1, 2 & 3, Oracle
Flows:
• NetFlow Version 1, 5, 7, 9
• IPFIX
• JFlow
• SFlow Version 2, 4, 5
• QFlow (on QFC and monitor interfaces)
• Packeteer FDR
(*) For more info refer to datasheet.

SECURE ANALYTICS (JSA) - KEY BENEFITS
• Reduced OPEX: collects all event and flow data in one place; supports a large set of vendors out-of-the-box
• Compliance: ships with predefined reports for COBIT, FISMA, GLBA, GSX-Memo22, HIPAA, NERC, PCI and SOX
• Increased visibility: supports graph/dashboard/reporting on any event data; flow collection enables proactive actions
• Increased detection: analytics engine detects violations and anomalies; built-in support for GeoIP and reputation feeds
• Scalable: supports up to 7M EPS per console; supports distributed collection of events and flows

EXAMPLE: WHAT CAN SECURE ANALYTICS DO WITH A FIREWALL EVENT?
<182>Sep 26 20:14:49 127.0.0.1 <14>1 2012-03-24T05:21:13.677 utm-n0 RT_FLOW RT_FLOW_SESSION_CREATE [junos@2636.1.1.1.2.40 source-address="192.168.34.10" source-port="58541" destination-address="204.245.34.169" destination-port="80" service-name="junos-http" nat-sourceaddress="192.168.32.2" nat-source-port="3195" nat-destination-address="204.245.34.169" nat-destination-port="80" src-nat-rule-name="r1" dst-nat-rule-name="None" protocol-id="6" policy-name="utm-out" source-zone-name="trust" destination-zone-name="untrust" session-id-32="143804" username="VIRTUALPOC\slager" roles="VPoC-UTM-Demo" packet-incoming-interface="ge-0/0/2.3602"]

Event Analytics:
• Taxonomy: RT_FLOW_SESSION_CREATE => Category “FIREWALL PERMIT”
• GeoIP: 204.245.34.169 => Country “BRAZIL”
• IP Reputation: 204.245.34.169 => Remote-Network “BOTNET”
• Analytics: alert if more than <x> events come from the same src, IF the src is coming from one of our client networks
Event Management:
• RBAC: allow access to a subset of event data
• Indexing: allow indexing on any field; 10-100x search time improvement
• Retention: flexible setting for how long this event should be stored
• Forwarding: should this specific event be forwarded?

EVENT ANALYTICS: GEOIP-MAPPING
Provides mapping of IP addresses to countries, both for visibility and for correlation.

EVENT ANALYTICS: IP REPUTATION

EVENT ANALYTICS: RULES ENGINE MATCHING
• Secure Analytics is delivered with a large set of built-in rules
• Many of them are disabled by default but will give you tips on what to correlate on
• All rules are easy to tune to fit your specific deployment
Creating a correlation rule is as simple as sorting mail in Outlook!

EVENT ANALYTICS: RULES ENGINE ACTION
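The pipeline on the firewall-event slide (parse the structured-data fields, map the event name to a category, enrich the destination with GeoIP and reputation, then apply a threshold rule) can be reproduced in a few dozen lines. The following is an added example, not JSA code and not part of the original deck: the sample event is a constructed subset of the slide's SRX line, the GeoIP and reputation tables are constructed lookups that merely reproduce the slide's result for 204.245.34.169, the RT_FLOW_SESSION_DENY mapping and the CLIENT_NETWORKS range are assumptions, and the threshold rule is a simple count rather than JSA's rules engine.

```python
import re
import ipaddress
from collections import Counter

# Constructed sample, modelled on the SRX RT_FLOW_SESSION_CREATE event on the slide
# (a subset of its key="value" fields; the backslash in the username is a literal character).
SAMPLE_EVENT = (
    '<182>Sep 26 20:14:49 127.0.0.1 <14>1 2012-03-24T05:21:13.677 utm-n0 RT_FLOW '
    'RT_FLOW_SESSION_CREATE [junos@2636.1.1.1.2.40 source-address="192.168.34.10" '
    'source-port="58541" destination-address="204.245.34.169" destination-port="80" '
    'service-name="junos-http" protocol-id="6" policy-name="utm-out" '
    'source-zone-name="trust" destination-zone-name="untrust" '
    'username="VIRTUALPOC\\slager" packet-incoming-interface="ge-0/0/2.3602"]'
)

# Taxonomy: Junos event name -> high-level category. The PERMIT mapping is the one the
# slide shows; the DENY entry is an assumed companion, not taken from the deck.
TAXONOMY = {
    "RT_FLOW_SESSION_CREATE": "FIREWALL PERMIT",
    "RT_FLOW_SESSION_DENY": "FIREWALL DENY",
}

# Constructed lookup tables standing in for a GeoIP database and a reputation feed.
# They reproduce the slide's result for 204.245.34.169 (country BRAZIL, network BOTNET).
GEOIP = {"204.245.34.0/24": "BRAZIL"}
REPUTATION = {"204.245.34.0/24": "BOTNET"}

# Assumed "our client networks" for the threshold rule.
CLIENT_NETWORKS = ["192.168.34.0/24"]

EVENT_RE = re.compile(r'(?P<name>RT_FLOW_\w+) \[(?P<sdid>\S+) (?P<params>[^\]]*)\]')
PARAM_RE = re.compile(r'([\w-]+)="([^"]*)"')


def parse_event(line):
    """Extract the Junos event name and its structured-data key="value" pairs."""
    m = EVENT_RE.search(line)
    if not m:
        return None
    fields = dict(PARAM_RE.findall(m.group("params")))
    fields["event-name"] = m.group("name")
    return fields


def lookup(table, ip):
    """Return the label of the first network in `table` that contains `ip`, else None."""
    addr = ipaddress.ip_address(ip)
    for net, label in table.items():
        if addr in ipaddress.ip_network(net):
            return label
    return None


def enrich(fields):
    """Add the taxonomy category plus GeoIP and reputation labels for the destination."""
    dst = fields["destination-address"]
    return {
        **fields,
        "category": TAXONOMY.get(fields["event-name"], "UNKNOWN"),
        "dst-country": lookup(GEOIP, dst),
        "dst-reputation": lookup(REPUTATION, dst),
    }


def threshold_rule(events, threshold):
    """Sources inside CLIENT_NETWORKS that produced more than `threshold` events."""
    client = {net: True for net in CLIENT_NETWORKS}
    counts = Counter(
        e["source-address"] for e in events if lookup(client, e["source-address"])
    )
    return sorted(src for src, n in counts.items() if n > threshold)


if __name__ == "__main__":
    parsed = enrich(parse_event(SAMPLE_EVENT))
    print(parsed["category"], parsed["dst-country"], parsed["dst-reputation"])
    print(threshold_rule([parsed] * 5, threshold=3))
```

The rule deliberately counts only sources inside the client ranges, which is the "IF the src is coming from one of our client networks" condition on the slide; events from addresses outside those ranges never contribute to the count.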
THE KEY TO DATA MANAGEMENT: REDUCTION AND PRIORITIZATION
• Previous 24hr period of network and security activity (STRM): 2.7M logs
• Correlation of data sources creates offenses: 129
• Offenses are a complete history of a threat or violation, with full context about accompanying network, asset and user identity information
• Offenses are further prioritized by business impact

USE CASE: COMPLEX THREAT DETECTION
Sounds nasty… but how do we know this? The evidence is a single click away.
• Network scan: detected by QFlow
• Buffer overflow: exploit attempt seen by Snort
• Targeted host vulnerable: detected by Nessus
Total security intelligence: convergence of network, event and vulnerability data.

USE CASE: USER ACTIVITY MONITORING
• Authentication failures: perhaps a user who forgot his/her password?
• Brute force password attack: numerous failed login attempts against different user accounts
• Host compromised: all this followed by a successful login
Automatically detected, no custom tuning required.

SECURE ANALYTICS FLOW
Diagram: Branch-Office with an STRM-FP; DMZ with an STRM-FP in front of WEB-1, WEB-2, WEB-3; Virtualized Servers with vGW and an STRMV-FP; all reporting to the STRM-Console.
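The user-activity use case is a three-stage escalation per source: a few failures (forgotten password), many failures across different accounts within a short window (brute force), and a success following the brute force (host compromised). The detector below is an added example, not JSA's rule logic and not part of the original deck; the sshd-style log lines are constructed, the window and thresholds are assumptions, and the year supplied to the timestamp parser is assumed because syslog timestamps carry none.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sshd-style authentication lines (not from the slide).
SAMPLE_LOG = """\
Mar 24 05:21:13 srv1 sshd[4011]: Failed password for root from 10.0.0.5 port 40001 ssh2
Mar 24 05:21:15 srv1 sshd[4012]: Failed password for invalid user admin from 10.0.0.5 port 40002 ssh2
Mar 24 05:21:18 srv1 sshd[4013]: Failed password for invalid user oracle from 10.0.0.5 port 40003 ssh2
Mar 24 05:21:20 srv1 sshd[4014]: Failed password for invalid user test from 10.0.0.5 port 40004 ssh2
Mar 24 05:21:22 srv1 sshd[4015]: Failed password for bob from 10.0.0.5 port 40005 ssh2
Mar 24 05:23:40 srv1 sshd[4020]: Accepted password for bob from 10.0.0.5 port 40010 ssh2
Mar 24 05:30:01 srv1 sshd[4031]: Failed password for alice from 10.0.0.9 port 51000 ssh2
Mar 24 05:30:09 srv1 sshd[4032]: Failed password for alice from 10.0.0.9 port 51001 ssh2
Mar 24 05:30:20 srv1 sshd[4033]: Accepted password for alice from 10.0.0.9 port 51002 ssh2
Mar 24 05:31:00 srv1 sshd[4040]: Accepted publickey for carol from 10.0.0.7 port 52000 ssh2
"""

LINE_RE = re.compile(
    r'^(?P<ts>\w{3} \d\d \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: '
    r'(?P<result>Failed|Accepted) (?:password|publickey) for (?:invalid user )?'
    r'(?P<user>\S+) from (?P<src>\S+)'
)

# Escalation ladder from the slide; index -1 means nothing suspicious for that source.
LEVELS = ["Authentication Failures", "Brute Force Password Attack", "Host Compromised"]


def parse_auth(line, year=2012):
    """Turn one sshd line into {ts, src, user, ok}; year is assumed (syslog omits it)."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
    return {"ts": ts, "src": m["src"], "user": m["user"], "ok": m["result"] == "Accepted"}


def classify_sources(records, window=timedelta(minutes=10), min_failures=5, min_accounts=3):
    """Per source address, return the highest rung of the ladder reached (or None)."""
    by_src = defaultdict(list)
    for r in sorted(records, key=lambda r: r["ts"]):
        by_src[r["src"]].append(r)
    verdicts = {}
    for src, recs in by_src.items():
        level = -1
        recent = []  # failures still inside the sliding window
        for r in recs:
            recent = [f for f in recent if r["ts"] - f["ts"] <= window]
            if r["ok"]:
                # A success while a brute-force burst is still in the window escalates.
                if level == 1 and recent:
                    level = 2
                continue
            recent.append(r)
            accounts = {f["user"] for f in recent}
            if len(recent) >= min_failures and len(accounts) >= min_accounts:
                level = max(level, 1)
            else:
                level = max(level, 0)
        verdicts[src] = LEVELS[level] if level >= 0 else None
    return verdicts


def analyse(log_text):
    """Parse a block of log text and classify every source seen in it."""
    records = [r for r in (parse_auth(l) for l in log_text.splitlines()) if r]
    return classify_sources(records)


if __name__ == "__main__":
    for src, verdict in analyse(SAMPLE_LOG).items():
        print(src, verdict)
```

The "different user accounts" condition is what separates the brute-force rung from a single user mistyping a password several times, and the success only counts as a compromise while the failure burst is still inside the window, so a legitimate login hours later is not escalated.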
FLOWS FOR NETWORK INTELLIGENCE
• QoS monitoring
• Detection of day-zero attacks that have no signature
• Policy monitoring and rogue server detection
• Visibility into all attacker communications
• Passive flow monitoring builds asset profiles & auto-classifies hosts
• Network visibility and problem solving (not just security related)

ANOMALY DETECTION
Secure Analytics learns and anticipates the established “normal” condition for:
- The Network
- The Host
- The Protocol
- The Application

USE-CASE: CAMPUS & BRANCH VPN MONITORING USING JUNOS RPM
Diagram: RPM probes run between HQ, BRANCH-1 and BRANCH-2, and the RPM logs are collected by Secure Analytics.

USE-CASE: CAMPUS & BRANCH VPN MONITORING USING JUNOS RPM (continued)

USE-CASE: DATACENTER VISIBILITY, REPORTING AND CORRELATION OF EVENTS AND TRAFFIC
Diagram: clients reach exposed services through an SRX (AppSecure) and WebApp Secure, both sending events; an EX switch in front of WEB-1, WEB-2, WEB-3 sends flow; virtualized servers VM-1 to VM-6 behind FireFly send flow and events; everything is collected by JSA in the NOC/SOC.

USE-CASE: BYOD AUTOMATIC REMEDIATION USING OPEN STANDARDS PROTOCOL (IF-MAP)
Diagram: Juniper IC (IF-MAP server) at the center, with IF-MAP links to Secure Analytics, NSM, the IDP Series firewall, the SRX Series, SSG Series and ISG Series, Juniper EX (switch), Juniper AX (WLAN AP), Juniper SA (SSL-VPN) and the application servers; endpoints connect via UAC Agent or UAC agent-less mode.
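The anomaly-detection slide says the system learns the established "normal" for a host, protocol and application and then alerts on departures from it; the flows slide adds rogue server detection. The following added example is not JSA's algorithm and not part of the original deck: it learns a per-(host, port) baseline of bytes per interval from constructed flow summaries, then flags an interval that exceeds the mean by more than k standard deviations and flags a (host, port) pair never seen in the learning period. The interval length, k, the relative floor on sigma and all the flow values are assumptions.

```python
from collections import defaultdict
from statistics import mean, pstdev

# Constructed flow summaries (not from the slide): (interval, src_host, dst_port, bytes).
# Intervals 1-6 are the learning period; interval 7 is the period being scored.
TRAINING = [
    (1, "10.1.1.20", 443, 50_000), (2, "10.1.1.20", 443, 52_000), (3, "10.1.1.20", 443, 48_000),
    (4, "10.1.1.20", 443, 51_000), (5, "10.1.1.20", 443, 49_000), (6, "10.1.1.20", 443, 50_000),
    (1, "10.1.1.21", 25, 2_000), (2, "10.1.1.21", 25, 2_100), (3, "10.1.1.21", 25, 1_900),
    (4, "10.1.1.21", 25, 2_050), (5, "10.1.1.21", 25, 1_950), (6, "10.1.1.21", 25, 2_000),
]
OBSERVED = [
    (7, "10.1.1.20", 443, 52_000),  # inside the learned range
    (7, "10.1.1.21", 25, 40_000),   # mail host suddenly moving 20x its usual volume
    (7, "10.1.1.22", 3389, 8_000),  # host/service pair never seen while learning
]


def aggregate(flows):
    """Sum bytes per (host, port) per interval."""
    totals = defaultdict(lambda: defaultdict(int))
    for interval, host, port, nbytes in flows:
        totals[(host, port)][interval] += nbytes
    return totals


def learn_baseline(flows):
    """Per (host, port): mean and population std-dev of bytes per interval."""
    baseline = {}
    for key, per_interval in aggregate(flows).items():
        values = list(per_interval.values())
        baseline[key] = (mean(values), pstdev(values))
    return baseline


def score(baseline, flows, k=3.0, rel_floor=0.1):
    """Flag intervals above mean + k*sigma, and (host, port) pairs absent from the baseline."""
    findings = {}
    for (host, port), per_interval in aggregate(flows).items():
        for interval, nbytes in per_interval.items():
            if (host, port) not in baseline:
                findings[(host, port, interval)] = "new host/application pair"
                continue
            mu, sigma = baseline[(host, port)]
            # Floor sigma at a fraction of the mean so a very flat baseline does not
            # alarm on ordinary jitter.
            sigma = max(sigma, rel_floor * mu)
            z = (nbytes - mu) / sigma
            if z > k:
                findings[(host, port, interval)] = f"traffic anomaly (z={z:.1f})"
    return findings


if __name__ == "__main__":
    for key, label in score(learn_baseline(TRAINING), OBSERVED).items():
        print(key, label)
```

A pair that appears for the first time is reported separately from a volume spike because the two need different follow-up: the former is the "rogue server" case on the flows slide (is this service supposed to exist?), the latter a change in behaviour of a known service.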
SMALL SITE DEPLOYMENT – APPLIANCE OR VM
Diagram: an SRX Branch and an EX VirtualChassis send flow data and syslog to a JSA1500 (or STRM 5000 EP or FP).
• JSA1500 can collect up to 1000 events per second and 50kF/min
• Allows real-time streaming of events
• Visibility of incoming/outgoing traffic (SRX FW/AppTrack)
• Visibility of internal traffic (EX flow data)
• Threat and anomaly detection
• Correlation and compliance reporting
• Provides common dashboard

LARGE SITE DEPLOYMENT – APPLIANCE
Diagram: two SRX-5800 send syslog through an SLB to JSA 1/3/5/7500 Event Processors (or STRM 5000 EP or FP) under a JSA5500 Console.
• You can connect up to 250 Event Processors to one Console
• JSA Console provides one dashboard with aggregated data from all EPs
• Searches and reports are run on the JSA5500 Console against aggregated data from all EPs
• Configurable retention policies allow storing important/compliance logs for a longer time than other logs

DISTRIBUTED LOG/FLOW COLLECTION
Diagram: a JSA Console in EMEA with local collectors in Australia, Beijing and Canada (JSA1500 local EP/FP, JSA VM local EP, JSA VM local FP).
• Distributed log and flow collection offloads WAN links
• Collectors continue to receive and store events/flows even if the WAN link goes down
• Available both as physical appliance and as virtual appliances
• CombiCollector (both EP/FP) is only supported on the physical appliance
• JSA VM is available as: Remote TM EP, Remote LM EP, Remote FP
• Visibility of incoming/outgoing traffic; threat and anomaly detection; correlation and compliance; provides common dashboard
SECURE ANALYTICS: ALL-IN-ONE DEPLOYMENT
Segment                  Model    Events       Flows
Small Enterprise         JSA1500  1,000 EPS    15K F/M
Small Medium Enterprise  JSA3500  5,000 EPS    50K F/M
Medium Enterprise        JSA5500  10,000 EPS   200K F/M

SECURE ANALYTICS: DISTRIBUTED DEPLOYMENT
• Supports a very high number of EPS
• Solves branch-office collection
• Can be fully redundant
Diagram: WebUI on the Console; below it an EP/FP combo, Event Processors fed by security devices exporting event data, and Flow Processors fed by network devices exporting flow data; QFlow Collectors (JSA1500) are deployed in tap/mirror or SPAN mode.

JSA PLATFORM SUPPORT MATRIX
Roles (columns): QFlow Collector, Event Processor, Flow Processor, EP/FP Combo, Console, All-in-one.
Platforms (rows): JSA VM, JSA1500, JSA3500, JSA5500, JSA7500.
(The per-cell support marks are not recoverable from the slide text.)

SECURE ANALYTICS – LICENSING: LOG ANALYTICS VS THREAT ANALYTICS
Threat Analytics License:
- Network Behavior Anomaly Detection (NBAD): network traffic visibility, QoS visibility, traffic anomaly detection
- Security Information and Event Management (SIEM): event and flow correlation, asset profiling, vulnerability scanner integration
Log Analytics License:
- Log collection and categorization, customizable dashboards, predefined and customizable reports
Thanks!