
Threat intelligence platform explained


Page 1: Threat intelligence platform explained

© 2015 Juniper Networks page 1

Juniper's Threat Intelligence Platform Explained, 23 February 2015

In security, time matters. A lot. Consider the time it takes to identify a new threat. Sometimes it takes days, weeks, or months. Or, the time it takes to block a threat action, or stop a breach. Same thing: typically it takes days, weeks or months. During that time, the bad actor can do a lot of damage, before you’re even aware that there’s a problem. That’s why we built the Juniper Threat Intelligence Platform, which streams threat data to where it’s needed most – at the enforcement point – in only seconds. This means that moments after you know about a threat, your firewall policies can take action, and stop it from turning into a problem. In short, we can stop threats, faster. Let’s explore how this works.

Page 2: Threat intelligence platform explained


The threat landscape is dynamic: constantly growing, changing, evolving. There are a multitude of threat actions that bad actors use today to execute an attack – establishing back doors, embedding rootkits, delivering malware, SQL injection, brute force, DDoS attacks, spear phishing – the list is long, and the attacks often use a combination of techniques that eventually result in a breach and exfiltration of data. Often, they use a command and control server to orchestrate remote actions – sometimes executed on a single host, and other times executed in a peer-to-peer configuration, which makes it really hard to track. The adversaries are quick to change their network identifiers (like IP address) and behaviors so that their activities continue unabated.

Page 3: Threat intelligence platform explained


In response, scores of security research firms have been established to find these threats. They make their findings available to subscribers as a feed, sometimes free and sometimes at a price. The good news is, there are plenty of choices for threat intelligence data. Some research firms are industry specific (e.g. federal government), some are technique specific (DDoS detection), and some focus on technology areas, such as discovering app vulnerabilities. The data is delivered to subscribers through a feed, where it is used to enrich a SIEM or other analytic engines, and/or to inform the enforcement point policy on the firewall itself. The problem is, getting the data to an enforcement point takes too long – typically days or weeks. First the data has to be converted to a usable format, then it has to be associated with the policies so that it's actionable. It takes time. And when the source data changes (which it does every hour, every day) you have to do it all over again.

Page 4: Threat intelligence platform explained


So Juniper created a new approach, with the Spotlight Secure Threat Intelligence service for the SRX Series firewall. The threat intelligence service is designed to aggregate a variety of command and control feeds and process them through algorithms and machine learning techniques to remove false positives and duplicates. Threat levels are added, data is prioritized, then pushed down to the SRX enforcement point.

Page 5: Threat intelligence platform explained


This results in clean, actionable data that's optimized for SRX. This threat information is delivered through a connector to Junos Space Security Director, the SRX management platform, which controls security services (e.g. Web filtering, IPS, anti-virus) as well as security policies for all SRX instances. Threat levels can be tuned by the security administrator, who maintains control over what data is syndicated out to various SRX firewalls. This means that data center, campus and branch firewalls are all controlled from a single management platform, and can each consume threat intelligence data from Spotlight Secure. Juniper's strategy is to provide the fastest and most effective way to take action to mitigate emerging threats. That's why we make it easy to use right out of the box, including a GeoIP feed as well as the command and control capability.

Page 6: Threat intelligence platform explained


Juniper's threat intelligence platform also allows customers to use data from any other source: their own incident response team, other detection software such as advanced malware detection, or threat data from shared industry intelligence sources. Because it's designed with an open data model, the SRX consumes data easily, from virtually any source, and incorporates it into policies across the enterprise. You can even feed data from your incident response team or your SIEM directly into the system.

Page 7: Threat intelligence platform explained


One advantage of Juniper's Threat Intelligence platform and SRX is that all enforcement points can consume this data – thus protecting the entire organization, no matter how large or distributed the enterprise. And, data can be right-sized to each device. For example, some quantity and type of data might flow to branch devices, while other data might be more pertinent in a data center environment. Importantly, as the data changes (and it changes constantly), each firewall is updated automatically, without needing to go through a change or commit process.

Page 8: Threat intelligence platform explained


Campus and branch environments primarily need protection from the "inside out" problem – where users are connecting to various sites and services on the internet. With a rich source of intelligence feeds, Juniper SRX firewalls can block or alert on outbound connections based on threat levels. These threat levels can be used by network or security administrators to fine-tune the security policy based on the needs of that particular network. In other words, policy can be defined based on threat severity, and administrators can be given the power to make adjustments that fit the need. The security administrator can establish rules about connecting to domains, URLs or IPs based on acceptable use policy, and/or the threat level associated with the destination. For example, some organizations may choose to block entire geographies of IP addresses. If a user is requesting a connection with a server that happens to be in a country or region that your organization considers a risk, the GeoIP feed can inform the SRX to block the request, preventing the user from connecting.
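The aggregation step on page 4 (merge feeds, drop duplicates, attach threat levels, right-size per device) and the threat-level policy on page 8, as an added Python sketch that is not Juniper's code and does not reflect the Spotlight Secure or SRX data model: records from several feeds are merged per indicator with the highest level winning, only the records a device role will act on are shipped to it, and an outbound destination is then blocked, alerted on, or allowed by the administrator's thresholds and GeoIP block list. Feed records, the 1 to 10 level scale, country codes and policy numbers are all constructed.

```python
# Constructed feed records: two C&C feeds overlap on the same indicator, and an
# internal IR team contributes its own record (page 6 allows any source).
FEED_RECORDS = [
    {"source": "cc_feed_a", "indicator": "203.0.113.10", "level": 8},
    {"source": "cc_feed_b", "indicator": "203.0.113.10", "level": 6},
    {"source": "cc_feed_b", "indicator": "198.51.100.7", "level": 3},
    {"source": "ir_team", "indicator": "bad.example.net", "level": 10},
]
# Constructed GeoIP lookup (placeholder country codes).
GEOIP = {"203.0.113.10": "XX", "198.51.100.7": "YY", "192.0.2.5": "ZZ"}

# Per-role policy as an administrator would tune it: branch firewalls block only
# high-confidence C&C and one geography; data center firewalls are stricter.
POLICY = {
    "branch": {"block_at": 7, "alert_at": 4, "blocked_geos": {"XX"}},
    "datacenter": {"block_at": 5, "alert_at": 1, "blocked_geos": {"XX", "ZZ"}},
}


def aggregate(records):
    """Merge records by indicator: one entry each, highest threat level wins,
    and every contributing source is remembered (the dedup step)."""
    merged = {}
    for r in records:
        entry = merged.setdefault(r["indicator"], {"level": 0, "sources": set()})
        entry["level"] = max(entry["level"], r["level"])
        entry["sources"].add(r["source"])
    return merged


def right_size(merged, role):
    """Ship a device role only the indicators it will alert on or block."""
    floor = POLICY[role]["alert_at"]
    return {i: e for i, e in merged.items() if e["level"] >= floor}


def evaluate(role, dest, merged):
    """Decide block / alert / allow for an outbound destination on a device role.
    GeoIP blocking is checked first, then the threat level of the destination."""
    pol = POLICY[role]
    if GEOIP.get(dest) in pol["blocked_geos"]:
        return "block"
    entry = merged.get(dest)
    if entry is None:
        return "allow"
    if entry["level"] >= pol["block_at"]:
        return "block"
    if entry["level"] >= pol["alert_at"]:
        return "alert"
    return "allow"
```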

Page 9: Threat intelligence platform explained


The data center is similarly protected on inbound and outbound data exchange, based on GeoIP and C&C threat information, as well as third-party or proprietary feeds. Data center firewalls, even those that aren't internet facing, are continually updated via Security Director, and are thus able to maintain up-to-the-minute threat protection. In fact, it takes less than a minute to update a firewall when new threat data enters the system.

Page 10: Threat intelligence platform explained


How to get going? If you're an SRX user, it's easy. The solution is up and running right out of the box. It runs as a virtual machine on Junos Space. So you can take advantage of better protection right now. And remember:

• The solution is open: it consumes virtually any data feed

• It's scalable: each instance can support more than 1,000 firewalls

• It's built for high capacity, supporting over a million threat data records

Page 11: Threat intelligence platform explained


Finally, it's vigilant. As threat data continues to stream in, the SRX firewalls are continually updated. It takes less than 60 seconds to get data from the source to the enforcement point. That speed is what you need to prevent threats from turning into attacks. By reducing the time between knowing about a threat and actually blocking that threat, you are a whole lot more secure. Time is on your side. Talk to Juniper about SRX and the Spotlight Secure Threat Intelligence Platform.
