GUIDE TO SECURENETWORKS

Your ideas. Connected.

Copyright © March 2016, Juniper Networks, Inc.

EBOOK

SECURITY

Preface

In today’s rapidly evolving world, the modern enterprise has the benefit of many technologies that were unheard of just 10 years ago – the cloud, for instance. However, with every new technology – cloud included – there are new security challenges. With huge numbers of users, devices and data deployed to take advantage of the latest technologies, the enterprise is becoming increasingly vulnerable to data loss, malicious attacks and network instability.

In the era of the cloud, the always-on workforce and high levels of digital literacy, your customers, prospects, staff and suppliers expect 24/7 network access and availability. However, 24/7 access is not enough; your data needs protection from any number of potential security breaches. These can happen when data is inside the cloud or when it is in transit. Multiple layersof protection are required to safeguard your information, within physical and virtual environments, from hackers and their various modes of attack. You need a multidimensional approach to minimize the risks you face.

Gartner predicts that from 2017 to 2020, the underground market price for selling new vulnerabilities will increase annually. (Source: Gartner, Inc. "Gartner Predicts 2016: Threat and Vulnerability Management", (December 4, 2015) by Ray Wagner, Sid Deshpande, Jeremy D’Hoinne, Greg Young, Paul E. Proctor).

GUIDE TO SECURE NETWORKS

Section 1KNOW THE LAY OF THE LAND

“ USA has a 23% share of the world’s malicious computer activity. The highest rate of cybercrime among the world’s top 20 countries.”BusinessWeek / Symantec

Today’s cybercriminal is more prolific, elusive and unpredictable than ever before. They might be stealing your data, your intellectual property or your identity. They can penetrate your accounts, compromise your data or take down your site. Regardless, their reputation is enhanced and yours could be destroyed.

The channels used by such criminals are commonplace: online stores, forums, email, private chat, open chat rooms – the list goes on. The cybercriminal’s reputation within these communities is a huge driver – for both the skilled and non-skilled hacker.

With the advent and popularity of anonymous crypto-currencies, such as Bitcoin, the basic economics lend themselves to more crime, not less. Yes, law enforcement is getting better – after all, bigger targets get more attention. However, media coverage of these high profile attacks can glamorize the practice and attract newcomers to this digital underworld.

The lesson is that our hyper-connected, smart, on-demand environment creates more black market opportunities for digital natives. And they are displaying more creativity and variation in their attacks. Phishing is on the rise since 2011. 23% of recipients now open phishing messages and 11% click on attachments. RAM-scraping has grown up in a big way. This type of malware was present in some of the most high-profile retail breaches. (Source: Verizon 2015 Data Breach Investigations Report). It appears financial motivation for hackers is still alive and well.

p/ 03

GUIDE TO SECURE NETWORKS

Section 2KNOW YOUR VULNERABILITIES

“ Tomorrow's dynamic and abstract digital systems are increasingly based on distributed components and services, containing your data or supporting your business, located outside of your physical control, accessed by people who aren't your employees, and potentially accessible by people you aren't even aware of.”Source: Gartner Inc., "Cloud Security and Emerging Technology Security Primer for 2016", (14 January, 2016) by Jay Heiser

According to Gartner, as we become increasingly dependent on complex, pervasive networked technologies, the implications of a security failure becomes greater.(Source: Gartner Inc., "Cloud Security and Emerging Technology Security Primer for 2016", (14 January, 2016) by Jay Heiser).

The modern threat environment is increasingly becoming more complex and more elusive. Gartner finds that existing

vulnerabilities remain prevalent throughout the threat landscape, as 99.99% of exploits are based on vulnerabilities already known for at least one year. (Source: Gartner, Inc. "Predicts 2016: Threat and Vulnerability Management", (December 4, 2016) by Ray Wagner, Sid Deshpande, Jeremy D'Hoinne, Greg Young, Paul E. Proctor).

In many recent high profile security breaches last year, the victim organization failed to detect the breach for

weeks, even months. Businesses reacted to cybercrime by increasing their focus on counter-threat measures such as intelligence services, wireless security, next generation firewall services and malware detection.

This form of tactical response is hardly surprising when the economics of cybercrime are becoming more and more lucrative for

the "actors" involved. Indeed, a recent RAND report, released in association with Juniper Networks, suggests that cybercrime – in some instances – can be more profitable than the black market drug trade. With low barriers to entry, less personal risk and steeper rewards, there’s an argument that the incentives to attack will always outpace the ability to defend.

p/ 05

“ Cyber black markets are a maturing, multi-billion-dollar economy, with robust infrastructure and social organization.” RAND Corporation, Markets for Cybercrime Tools and Stolen Data: Hackers’ Bazaar

That doomsday scenario could well come true for the unprepared, the under-invested and the misinformed enterprises that are held back by sub-par network, data center and cloud infrastructures. After all, these are the types of organizations that cybercriminals prey upon time and time again. If the economics stack up, why wouldn’t they?

Multiple layers of security must continually be revisited by security professionals. The tendency is to focus on one or two areas for maximum strength, but this can lead to vulnerabilities on other levels. While there tends to be good control at the end point and perimeter firewall, where it’s easiest to manage, elsewhere it’s a different story.

In the so-called "soft" middle layer—within apps, the network and data center – businesses are often left vulnerable or inert by needless complexity – complexity that is caused by proprietary, legacy systems, tools, policies and non-standard protocols. This is compounded by a lack of understanding of where the organization's most valuable data resides that Is the target for theft and extortion. All of this, of course, causes a real headache for IT security teams as they struggle with the manual labor of dealing with multiple signatures and patches. For the business as a whole, this has a direct bearing on the organization’s ability to keep data secure while improving user productivity and keeping costs under control. Hackers are not only stealing your data and intellectual property, they’re stealing your time, your money, your ability to do business – even your reputation.

KNOW YOUR BIGGEST THREATS:

GUIDE TO SECURE NETWORKS

Insiders, hackers and ineffective security solutionsThese combined internal and external factors are the core challenges facing the modern enterprise. Rarely do long-term threats to corporate security come from a single, manageable source.

Social, big data, mobility and cloudThese are the Gartner "Nexus of Forces" which are major future threats to enterprise security. The intersection between social and the business is a key vulnerability, as is data sprawl.(Source: Gartner IT Glossary, Nexus of Forces,http://www.gartner.com/it-glossary/nexus-of-forces)

Ineffective traditional controlsSpeed is the new weaponry of cybercriminals. A recent Verizon study found that in 60% of cases, attackers are able to compromise an organization within minutes. Old-school slow, antivirus and vulnerability signature updates can be ineffective against the ever-changing attack methods of cyber criminals.

End users and end pointsThese are cybercriminals' entry point to your organization. They will use hostile entities such as packets, URLs, devices, apps and users to find their way in, with email as the most common attack vector.

Section 3KNOW YOUR OPPORTUNITIES Passive defences such as simply monitoring and/or blocking traffic are important, but are no longer enough. Instead, firms should be looking to deploy a strategy that disrupts the economic benefits of hacking. In short, hitting them where it hurts – in the pocket.

Enterprises that can impose a holistic and more active defense utilizing proactive blocking techniques are well positioned to make hacking more expensive and time consuming for the intruder. And, in doing so, either deflecting their attentions away from your perimeter or nullifying their behavior entirely.

Securing your data center, edge, and cloud environments is an ongoing challenge. Your

adversaries—cyber criminals, nation state attackers, hacktivists—continue to develop sophisticated, invasive techniques, resulting in a continually evolving threat landscape. Traditional firewalls focused on layer 3 and 4 inspection are not sufficient in today’s threat environment. Next-gen firewalls are powerful at defending layer 4 through layer 7, yet not designed to protect from the velocity and variety of new attacks which can come in the form of zero day attacks and have no signatures associated with them. In today’s world, your security solution must be able to take immediate and proactive action based on known or emerging intelligence. It must identify attacks accurately and act quickly to disseminate this intelligence throughout the network in near real-time so that the threat can be blocked as quickly as possible and as close to the source as possible.

“ Organizations continue to struggle to properly segment and provide adequate access control over their sensitive networks, hosts and applications within their environments beyond the perimeter firewall or segmentation performed at network boundaries.” (Source: Gartner, Inc. "Predicts 2016: Security Solutions", (December 4, 2015) by Ruggero Contu, Deborah Kish, Perry Carpenter, Sid Deshpande, Lawrence Pingree)

GUIDE TO SECURE NETWORKS

IDC predicts that by 2020, security will move to the cloud with over half of all enterprises adopting Cloud-based Web security platforms.(Source: IDC, IDC FutureScape: WorldWide Security 2016 Predictions, November 2015).

With the shift to cloud architectures, firewall administration becomes burdensome and fraught with human error due to the sheer complexity

of distributed security. What’s needed is a centralized management system that can adapt policies to emerging threats in near real time, in an automated and dynamic way.

Opportunities/challenges – As you build and manage a traditional or cloud data center, security is a fundamental element.

Balancing the need for users to access applications with the need to protect your digital assets is no easy task. Consider some of the following challenges:

Proprietary and Inflexible Security Platforms—While some firewall solutions leverage cloud-based threat intelligence, the data involved is often proprietary,

preconfigured on the firewall, and inflexible, not allowing you to select nor exert any control over the information provided.

Security Inefficacy—The market is saturated with sources claiming to offer threat intelligence, though most of the available data feeds are not immediately

actionable. Your firewall, therefore, is unable to use those data feeds directly within policy, providing less than optimal protection.

Static Address Groups—Administrators typically rely on static address lists to apply inspection or blocking and must manually update the firewall policy every time any of these lists change.

This is cumbersome and difficult to maintain.

Firewall Performance—Next Generation Firewall services, such as IPS and application inspection, tend to lead to dramatic performance reductions. In particular, high volume of threat feed entries on a single firewall device can cause performance issues. And, your firewall

may not be optimized to maximize performance and security posture for different traffic types.

Decentralized Policy Management—As the number of firewalls (physical and virtual) increase across your network and you need consistent policies across the firewall estate, a reliable, centralized web-based

policy management system is critical.

“ Juniper strongly believes that while the economic calculus for attackers is clear, the same cannot be said for companies who face a much more hectic, unclear and chaotic landscape.” Juniper Networks

p/ 09

“ U.S. information security budgets have grown at almost double the rate of IT budgets over the last two years.” PwC Global State of Information Security Survey 2015

This is just one example of the agility you can get from a high level of security intelligence. The ability to make security decisions on the fly, based on new information, will be a critical defensive weapon against cybercriminals. Knowing other dynamic security information such as updates on Command and Control centers (to defend against botnets), up-to-the-second worm and virus signatures, or custom threat feeds focused on your specific industry, company, brand and environment can all be critical to protecting your business.

Pure-play vendors provide only one part of the solution, meaning businesses tend to have more than “one throat to choke” when it comes to security andnetworking. As firms ratchet services up and down across multiple environmentswith more speed than ever before, it’s important to be able to manage multiple security gateways and devices – such as firewalls, routers and switches – using a common platform.

The modern enterprise needs to grow its security as its network grows, ensuring that they have a scalable, secure network in place to defend its most valuable data assets. A security solution that delivers without compromising business continuity. A security solution that can detect threats based on correlation of data using smart analytics. A security solution that can identify attackers and determine the nature of the threat.

Most of all, firms that are serious about lowering costs and improving business agility need to better understand what their future needs are. Not just put up with a "make do and mend" mentality that holds the business back and opens the door to further security breaches and damaging downtime.

GUIDE TO SECURE NETWORKS

p/ 11

“ According to Gartner, the world will spend

$117 billion on information security in 2019” (Source: Gartner, Inc. "Forecast: Information Security, Worldwide, 2013-2019, 4Q15 Update", (February 9, 2016) by Ruggero Contu, Christian Canales, Sid Deshpande, Lawrence Pingree)

Section 4KNOW YOUR CHECKLIST

What are the key attributes to look for when building a secure network?

Reliable and secure hardware using open interfaces and standard protocols

Ability to protect network traffic at high speeds

Programmable, open hardware that adapts to changes

Single management point for networking and security, physical and virtual

Layered security in the network, firewall, and cloud

Consistent visibility, security and compliance across physical and virtual environments

Supports the three security components of prevention, detection, and response

Automated network and security provisioning to support service agility and reduce vulnerabilities

caused by human error

High resiliency and recovery due to separate data and control pane architecture

Global threat intelligence sharing in near real-time

Ability to scale up or down to meet demand as needs change

GUIDE TO SECURE NETWORKS

p/ 13

Copyright © March 2016, Juniper Networks, Inc.

To purchase Juniper Networks solutions, please contact your Juniper Networks representative at +1-866-298-6428 or authorized reseller.

Corporate and Sales Headquarters

Juniper Networks, Inc.

1133 Innovation Way,

Sunnyvale, CA 94089 USA

Phone: 888.JUNIPER (888.586.4737)

or +1.408.745.2000

Fax: +1.408.745.2100

www.juniper.net

Copyright © March 2016, Juniper Networks, Inc. All rights reserved. Juniper Networks, the Juniper Networks logo, Junos and QFabric are registered trademarks of Juniper Networks, Inc. in the United States and other countries. All other trademarks, service marks, registered marks, or registered service marks are the property of their respective owners. Juniper Networks assumes no responsibility for any inaccuracies in this document. This document is provided for information purposes only, and Juniper Networks reserves the right to change, modify, transfer or otherwise revise the contents hereof at any time without notice. This document is not warranted to be error-free, nor subject to any other warranties or conditions, whether expressed orally or implied in law, including implied warranties and conditions of merchantability or fitness for a particular purpose. Juniper Networks specifically disclaims any liability with respect to this document, and no contractual obligations are formed either directly or indirectly by this document. This document may not be reproduced or transmitted in any form or by any means, electronic or mechanical, for any purpose, without our prior written permission.

APAC and EMEA Headquarters

Juniper Networks International B.V.

Boeing Avenue 240

1119 PZ Schiphol-Rijk

Amsterdam, The Netherlands

Phone: +31.0.207.125.700

Fax: +31.0.207.125.701