Secure Analytics - IP NETWORK SOLUSINDO

Report
JUNIPER SECURE ANALYTICS (JSA)
OVERVIEW
Stefan Lager
Product Line Manager
[email protected]
AGENDA
1. Challenges with Event Management
2. Data Collection
3. Event Management and Analytics
4. Flow Management and Analytics
5. Secure Analytics - Use Cases
6. Deployment Options
7. Platforms and Licensing
2
Copyright © 2009 Juniper Networks, Inc.
www.juniper.net
CHALLENGES WITH EVENT COLLECTION
IT “information” overload
 The amount of events
 The amount of different types of events
 The amount of different type of event sources
Data mining and Analytics
 Events Categorization
 Event Search and Drill-down
 Anomaly Detection
3
Copyright © 2009 Juniper Networks, Inc.
www.juniper.net
THE SOLUTION: JUNIPER SECURE ANALYTICS
Secure Analytics (JSA)
Log Server
“Here are all your events.
Please take a look at them and
let me know if you find anything
strange.
4
Copyright © 2009 Juniper Networks, Inc.
“Of all the million incoming
events I think you need to take a
look at this one.”
www.juniper.net
LOG SERVER VS. JUNIPER SECURE ANALYTICS
Secure Analytics (JSA)
Log Server
•
•
“APACHE-STRUTS-URI-CMDEXE”
•
•
•
•
•
•
•
“Security Device”
“APACHE-STRUTS-URI-CMDEXE”
Webserver is vulnerable!
Webserver sent a crash event!
Strange traffic seen FROM Webserver!
Attack came from an IP with bad reputation!
Attack came from a suspicious country!
Events has been received from other
“Security Devices”!
…
“Security Device”
Webserver
5
Copyright © 2009 Juniper Networks, Inc.
www.juniper.net
AGENDA
1. Challenges with Event Management
2. Data Collection
3. Event Management and Analytics
4. Flow Management and Analytics
5. Secure Analytics - Use Cases
6. Deployment Options
7. Platforms and Licensing
6
Copyright © 2009 Juniper Networks, Inc.
www.juniper.net
MULTI-VENDOR EVENT AND FLOW COLLECTION
Networking events
 Switches & routers, including flow data
Security logs
Compliance
Templates
 Firewalls, IDS, IPS, VPNs, Vulnerability
Scanners, Gateway AV, Desktop AV, & UTM
devices
Operating Systems/Host logs
 Microsoft, Unix and Linux
Applications
 Database, mail & web
User and asset
 Authentication data
Security map utilities
 GeoIP
 Reputation Feeds
7
Copyright © 2009 Juniper Networks, Inc.
www.juniper.net
Forensics
Search
Policy
Reporting
WHAT DOES JSA COLLECT?
Syslog
SNMP
Application/Protocols (*)
Agents
JDBC
OPSEC/LEA
SDEE
SourceFire Estreamer
UDP/TCP
Multiline UDP
Events
Binary (SRX)
Log File
ALE
Microsoft
Snare
EMC VMWare
WinCollect
Version
1, 2 & 3
+PCAP (SRX)
Oracle
Syslog-TLS
SMB Tail
Cisco NSEL
…
NetFlow
Flows
8
Version
1,5,7,9
IPFIX
JFlow
Supported
Supported
Copyright © 2009 Juniper Networks, Inc.
SFlow
QFlow
Packeteer
Version
On QFC and
Monitor
Interfaces
FDR
2, 4, 5
www.juniper.net
(*) For more info refer to datasheet
SECURE ANALYTICS (JSA) - KEY BENEFITS
Reduced OPEX
 Collects all event and flow data in one place
 Supports a large set of vendors out-of-the-box
Compliance
 Ships with predefined reports for COBIT, FISMA, GLBA,
GSX-Memo22, HIPAA, NERC, PCI and SOX.
Increased Visibility
 Supports Graph/Dashboard/Reporting on any event data
 Flow collection enables proactive actions
Increased Detection
 Analytics engine detects violations and anomalies
 Built in support for GeoIP and Reputation feeds
Scalable
 Supports up to 7M EPS per console
 Supports distributed collection of events and flows
9
Copyright © 2009 Juniper Networks, Inc.
www.juniper.net
AGENDA
1. Challenges with Event Management
2. Data Collection
3. Event Management and Analytics
4. Flow Management and Analytics
5. Secure Analytics - Use Cases
6. Deployment Options
7. Platforms and Licensing
10
Copyright © 2009 Juniper Networks, Inc.
www.juniper.net
EXAMPLE:
WHAT CAN SECURE ANALYTICS DO WITH A FIREWALL EVENT?
<182>Sep 26 20:14:49 127.0.0.1 <14>1 2012-03-24T05:21:13.677 utm-n0 RT_FLOW RT_FLOW_SESSION_CREATE [[email protected] source-address="192.168.34.10" source-port="58541"
destination-address="204.245.34.169" destination-port="80" service-name="junos-http" nat-sourceaddress="192.168.32.2" nat-source-port="3195" nat-destination-address="204.245.34.169" nat-destination-port="80"
src-nat-rule-name="r1" dst-nat-rule-name="None" protocol-id="6" policy-name="utm-out" source-zone-name="trust"
destination-zone-name="untrust" session-id-32="143804" username="VIRTUALPOC\slager" roles="VPoC-UTM-Demo"
packet-incoming-interface="ge-0/0/2.3602"]
Event Analytics
• Taxonomy :
• GeoIP :
• IP Reputation:
• Analytics:
RT_FLOW_SESSION_CREATE => Category “FIREWALL PERMIT”
204.245.34.169 => Country “BRAZIL”
204.245.34.169 => Remote-Network “BOTNET”
Alert if more then <x> events from the same src, IF the src is coming from
one of our client networks
Event Management
• RBAC:
Allow access to subset of event data
• Indexing:
Allow to index on any field. 10-100x search time improvement
• Retention:
Flexible setting for how long this event should be stored
• Forwarding:
Should this specific event be forwarded ?
11
Copyright © 2009 Juniper Networks, Inc.
www.juniper.net
EVENT ANALYTICS: GEOIP-MAPPING
Provide mapping of IP to Countries both for visibility and for correlation.
12
Copyright © 2009 Juniper Networks, Inc.
www.juniper.net
EVENT ANALYTICS: IP REPUTATION
13
Copyright © 2009 Juniper Networks, Inc.
www.juniper.net
EVENT ANALYTICS: RULES ENGINE MATCHING
•
•
•
Secure Analytics is delivered with a large set of built-in rules
Many of them are disabled per default but will help you get tips on what
to correlate on
All rules are easy to tune to fit your specific deployment
Creating a correlation rule is as simple as sorting mail in Outlook!
14
Copyright © 2009 Juniper Networks, Inc.
www.juniper.net
EVENT ANALYTICS: RULES ENGINE ACTION
15
Copyright © 2009 Juniper Networks, Inc.
www.juniper.net
THE KEY TO DATA MANAGEMENT:
REDUCTION AND PRIORITIZATION
STRM
Previous 24hr period of
network and security
activity (2.7M logs)
Correlation of data sources
creates offenses (129)
Offenses are a complete
history of a threat or
violation with full context
about accompanying
network, asset and user
identity information
Offenses are further
prioritized by business
impact
16
Copyright © 2009 Juniper Networks, Inc.
www.juniper.net
USE CASE: COMPLEX THREAT DETECTION
Sounds Nasty…
But how do we know this?
The evidence is a single click
away.
Network Scan
Buffer Overflow
Detected by QFlow
Exploit attempt seen by Snort
Total Security Intelligence
Targeted Host Vulnerable
Convergence of Network, Event and Vulnerability data
Detected by Nessus
17
Copyright © 2009 Juniper Networks, Inc.
www.juniper.net
USE CASE: USER ACTIVITY MONITORING
Authentication Failures
Perhaps a user who forgot his/her
password?
Brute Force Password Attack
Numerous failed login attempts against
different user accounts
Host Compromised
All this followed by a successful login.
Automatically detected, no custom tuning
required.
18
Copyright © 2009 Juniper Networks, Inc.
www.juniper.net
AGENDA
1. Challenges with Event Management
2. Data Collection
3. Event Management and Analytics
4. Flow Management and Analytics
5. Secure Analytics - Use Cases
6. Deployment Options
7. Platforms and Licensing
19
Copyright © 2009 Juniper Networks, Inc.
www.juniper.net
SECURE ANALYTICS FLOW
Branch-Office
DMZ
STRM-FP
STRM-FP
STRM-Console
WEB-1 WEB-2 WEB-3
STRM-FP
Virtualized
Servers
vGW
STRMV-FP
20
Copyright © 2009 Juniper Networks, Inc.
www.juniper.net
FLOWS FOR NETWORK INTELLIGENCE
•
QoS Monitoring
•
Detection of day-zero attacks that have no signature
•
Policy monitoring and rogue server detection
•
Visibility into all attacker communications
•
Passive flow monitoring builds asset profiles & auto-classifies hosts
•
Network visibility and problem solving (not just security related)
21
Copyright © 2009 Juniper Networks, Inc.
www.juniper.net
ANOMALY DETECTION
Secure Analytics learns and anticipates the
established “normal” condition for:
- The Network
- The Host
- The Protocol
- The Application
22
Copyright © 2009 Juniper Networks, Inc.
www.juniper.net
AGENDA
1. Challenges with Event Management
2. Data Collection
3. Event Management and Analytics
4. Flow Management and Analytics
5. Secure Analytics - Use Cases
6. Deployment Options
7. Platforms and Licensing
23
Copyright © 2009 Juniper Networks, Inc.
www.juniper.net
USE-CASE: CAMPUS & BRANCH
VPN MONITORING USING JUNOS RPM
RPM-Logs
RPM-Probes
HQ
RPM-Probes
BRANCH-2
BRANCH-1
24
Copyright © 2009 Juniper Networks, Inc.
www.juniper.net
USE-CASE: CAMPUS & BRANCH
VPN MONITORING USING JUNOS RPM
25
Copyright © 2009 Juniper Networks, Inc.
www.juniper.net
USE-CASE: DATACENTER
VISIBILITY, REPORTING AND CORRELATION OF EVENTS AND TRAFFIC
Exposed
Services
SRX
AppSecure
WebApp Secure
Events
Clients
Events
EX
WEB-1 WEB-2 WEB-3
Flow
Virtualized
Servers
NOC/SOC
N
JSA
26
FireFly
FireFly
Flow and events
VM-1 VM-2 VM-3
VM-4 VM-5 VM-6
Copyright © 2009 Juniper Networks, Inc.
www.juniper.net
USE-CASE: BYOD
AUTOMATIC REMEDIATION USING OPEN STANDARDS PROTOCOL (IF-MAP)
IF-MAP
Juniper IC (IF-Map Server)
Juniper EX (Switch)
NSM
Secure Analytics
Firewall
IDP Series
UAC Agent
SSG Series
Juniper AX (WLAN AP)
UAC Agent-less Mode
ISG Series
Juniper SA (SSL-VPN)
27
Copyright © 2009 Juniper Networks, Inc.
www.juniper.net
SRX Series
Application
Servers
AGENDA
1. Challenges with Event Management
2. Data Collection
3. Event Management and Analytics
4. Flow Management and Analytics
5. Secure Analytics - Use Cases
6. Deployment Options
7. Platforms and Licensing
28
Copyright © 2009 Juniper Networks, Inc.
www.juniper.net
SMALL SITE DEPLOYMENT – APPLIANCE OR VM




JSA1500
Flowdata and syslog

syslog
STRM 5000 EP or FP


JSA1500 can collect up to 1000 events
per second 50kF/min
Allows Real-Time Streaming of events
Visibility of incoming/outgoing traffic
(SRX FW/AppTrack)
Visibility of internal traffic
(EX flow-data)
Threat and Anomaly Detection
Correlation and Compliance Reporting
Provides Common Dashboard
SRX Branch
EX- VirtualChassis
29
Copyright © 2009 Juniper Networks, Inc.
www.juniper.net
LARGE SITE DEPLOYMENT – APPLIANCE
 You can connect up to 250 Event
Processors to one Console
 JSA Console provides One Dashboard
with aggregated data from all EPs
 Searches and Reports are done on
JSA5500Console
aggregated data from all EPs
 Configurable Retention Policies allows
storing of important/compliance logs for
a longer time than other logs
JSA 1/3/5/7500
EventProcessors
STRM 5000 EP or FP
SLB
syslog
30
SRX-5800
SRX-5800
Copyright © 2009 Juniper Networks, Inc.
www.juniper.net
DISTRIBUTED LOG/FLOW COLLECTION
 Distributed log and flow collection
offloads WAN links
 Will continue to receive and store
events/flows even if WAN link goes
down
 Available both as physical appliance
and virtual appliances
JSAConsole
EMEA
 CombiCollector (both EP/FP) only
supported on physical appliance
 JSA VM is available as:
- Remote TM EP
- Remote LM EP
- Remote FP
 Visibility of incoming/outgoing traffic
JSA1500
Local EP/FP
JSA VM
Local EP
 Threat and Anomaly Detection
JSA VM
Local FP
 Correlation and Compliance
 Provides Common Dashboard
Australia
31
Beijing
Canada
Copyright © 2009 Juniper Networks, Inc.
www.juniper.net
AGENDA
1. Challenges with Event Management
2. Data collection
3. Event Management and Analytics
4. Flow Management and Analytics
5. Secure Analytics - Use Cases
6. Deployment Options
7. Platforms and Licensing
32
Copyright © 2009 Juniper Networks, Inc.
www.juniper.net
SECURE ANALYTICS:
Medium
Enterprise
ALL-IN-ONE DEPLOYMENT
Small
Enterprise
Small Medium
Enterprise
JSA5500
33
JSA3500
JSA1500
1,000EPS
5,000EPS
10,000 EPS
15KF/M
50KF/M
200 KF/M
Copyright © 2009 Juniper Networks, Inc.
www.juniper.net
SECURE ANALYTICS:
DISTRIBUTED DEPLOYMENT



Supports very high amount of EPS
Solves branch-office collection
WebUI
Can be fully redundant
Console
EP/FP combo
Event Processor
Security Devices Exporting
Event Data
34
Flow Processor
Network Devices Exporting
Flow Data
Copyright © 2009 Juniper Networks, Inc.
www.juniper.net
Qflow Collector
JSA1500 QFlow Collectors Deployed in
Tap/Mirror or SPAN Mode
JSA PLATFORM SUPPORT MATRIX
QFlow
Collector
Event
Processor
Flow
Processor
EP/FP
Combo
JSA VM
JSA1500
JSA3500
JSA5500
JSA7500
35
Copyright © 2009 Juniper Networks, Inc.
www.juniper.net
Console
All-in-one
Support
Support
SECURE ANALYTICS – LICENSING
LOG ANALYTICS VS THREAT ANALYTICS
Threat Analytics License
Network Behavior
Anomaly Detection
(NBAD)
Security Information and
Event Management
(SIEM)
Log Analytics License
36
-
Network Traffic Visibility
QoS Visibility
Traffic Anomaly Detection
-
Event and Flow Correlation
Asset Profiling
Vulnerability Scanner integration
-
Log Collection and Categorization
Customizable Dashboards
Predefined and customizable
reports
Copyright © 2009 Juniper Networks, Inc.
www.juniper.net
SECURE ANALYTICS - KEY BENEFITS
Reduced OPEX
 Collects all event and flow data in one place
 Supports a large set of vendors out-of-the-box
Compliance
 Ships with predefined reports for COBIT, FISMA, GLBA,
GSX-Memo22, HIPAA, NERC, PCI and SOX.
Increased Visibility
 Supports Graph/Dashboard/Reporting on any event data
 Flow collection enables proactive actions
Increased Detection
 Analytics engine detects violations and anomalies
 Built in support for GeoIP and Reputation feeds
Scalable
 Supports up to 7M EPS per console
 Supports distributed collection of events and flows
37
Copyright © 2009 Juniper Networks, Inc.
www.juniper.net
Thanks!

similar documents