JUNIPER SECURE ANALYTICS (JSA) OVERVIEW. Stefan Lager, Product Line Manager, slager@juniper.net


Page 1: Juniper Secure Analytics (JSA) Overview

JUNIPER SECURE ANALYTICS (JSA) OVERVIEW

Stefan Lager, Product Line Manager, [email protected]

Page 2: Juniper Secure Analytics (JSA) Overview

2 Copyright © 2009 Juniper Networks, Inc. www.juniper.net

AGENDA

1. Challenges with Event Management

2. Data Collection

3. Event Management and Analytics

4. Flow Management and Analytics

5. Secure Analytics - Use Cases

6. Deployment Options

7. Platforms and Licensing

Page 3: Juniper Secure Analytics (JSA) Overview


CHALLENGES WITH EVENT COLLECTION

IT “information” overload:
• The amount of events
• The amount of different types of events
• The amount of different types of event sources

Data mining and analytics:
• Event categorization
• Event search and drill-down
• Anomaly detection

Page 4: Juniper Secure Analytics (JSA) Overview


THE SOLUTION: JUNIPER SECURE ANALYTICS

Log Server: “Here are all your events. Please take a look at them and let me know if you find anything strange.”

Secure Analytics (JSA): “Of all the million incoming events I think you need to take a look at this one.”

Page 5: Juniper Secure Analytics (JSA) Overview


LOG SERVER VS. JUNIPER SECURE ANALYTICS

Log Server:
“Security Device” -> “APACHE-STRUTS-URI-CMDEXE” -> Webserver

Secure Analytics (JSA):
“Security Device” -> “APACHE-STRUTS-URI-CMDEXE” -> Webserver, plus:
• Webserver is vulnerable!
• Webserver sent a crash event!
• Strange traffic seen FROM Webserver!
• Attack came from an IP with bad reputation!
• Attack came from a suspicious country!
• Events have been received from other “Security Devices”!
• …


Page 7: Juniper Secure Analytics (JSA) Overview


MULTI-VENDOR EVENT AND FLOW COLLECTION

Networking events: switches & routers, including flow data

Security logs: firewalls, IDS, IPS, VPNs, vulnerability scanners, gateway AV, desktop AV & UTM devices

Operating systems/host logs: Microsoft, Unix and Linux

Applications: database, mail & web

User and asset: authentication data

Security map utilities: GeoIP, reputation feeds

Compliance Templates / Forensics Search / Policy Reporting

Page 8: Juniper Secure Analytics (JSA) Overview


WHAT DOES JSA COLLECT?

Events
  Syslog: UDP/TCP, Multiline UDP, Binary (SRX) + PCAP (SRX), Syslog-TLS
  SNMP: Version 1, 2 & 3
  Application/Protocols (*): JDBC, OPSEC/LEA, SDEE, SourceFire Estreamer, Log File, Microsoft, EMC, VMWare, Oracle, SMB Tail, Cisco NSEL, ALE, Snare
  Agents: WinCollect

Flows
  NetFlow: Version 1, 5, 7, 9
  IPFIX: Supported
  JFlow: Supported
  SFlow: Version 2, 4, 5
  QFlow: On QFC and Monitor Interfaces
  Packeteer: FDR

(*) For more info refer to datasheet

Page 9: Juniper Secure Analytics (JSA) Overview


SECURE ANALYTICS (JSA) - KEY BENEFITS

Reduced OPEX
• Collects all event and flow data in one place
• Supports a large set of vendors out-of-the-box

Compliance
• Ships with predefined reports for COBIT, FISMA, GLBA, GSX-Memo22, HIPAA, NERC, PCI and SOX

Increased Visibility
• Supports graph/dashboard/reporting on any event data
• Flow collection enables proactive actions

Increased Detection
• Analytics engine detects violations and anomalies
• Built-in support for GeoIP and reputation feeds

Scalable
• Supports up to 7M EPS per console
• Supports distributed collection of events and flows


Page 11: Juniper Secure Analytics (JSA) Overview


EXAMPLE: WHAT CAN SECURE ANALYTICS DO WITH A FIREWALL EVENT?

<182>Sep 26 20:14:49 127.0.0.1 <14>1 2012-03-24T05:21:13.677 utm-n0 RT_FLOW - RT_FLOW_SESSION_CREATE [[email protected] source-address="192.168.34.10" source-port="58541" destination-address="204.245.34.169" destination-port="80" service-name="junos-http" nat-source-address="192.168.32.2" nat-source-port="3195" nat-destination-address="204.245.34.169" nat-destination-port="80" src-nat-rule-name="r1" dst-nat-rule-name="None" protocol-id="6" policy-name="utm-out" source-zone-name="trust" destination-zone-name="untrust" session-id-32="143804" username="VIRTUALPOC\slager" roles="VPoC-UTM-Demo" packet-incoming-interface="ge-0/0/2.3602"]

Event Analytics
• Taxonomy: RT_FLOW_SESSION_CREATE => Category “FIREWALL PERMIT”
• GeoIP: 204.245.34.169 => Country “BRAZIL”
• IP Reputation: 204.245.34.169 => Remote-Network “BOTNET”
• Analytics: Alert if more than <x> events come from the same source, IF the source is in one of our client networks

Event Management
• RBAC: Allow access to a subset of event data
• Indexing: Allow indexing on any field; 10-100x search time improvement
• Retention: Flexible setting for how long this event should be stored
• Forwarding: Should this specific event be forwarded?
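As an added example (not from the slides and not Juniper's code), here is how a collector could parse the structured-data syslog line above and apply the three enrichments plus the threshold rule; the SD-ID, the lookup tables and the client-network range are constructed placeholders.

```python
import re
from collections import Counter
from ipaddress import ip_address, ip_network

# Constructed sample: the slide's RT_FLOW_SESSION_CREATE line; the SD-ID is a
# placeholder because the page does not show the real junos@... identifier.
SAMPLE = ('<182>Sep 26 20:14:49 127.0.0.1 <14>1 2012-03-24T05:21:13.677 utm-n0 RT_FLOW - '
          'RT_FLOW_SESSION_CREATE [junos@SDID-PLACEHOLDER source-address="192.168.34.10" '
          'source-port="58541" destination-address="204.245.34.169" destination-port="80" '
          'service-name="junos-http" protocol-id="6" policy-name="utm-out" '
          'username="VIRTUALPOC\\slager"]')

# Constructed lookup tables standing in for the taxonomy, GeoIP and reputation feeds.
TAXONOMY = {"RT_FLOW_SESSION_CREATE": "FIREWALL PERMIT"}
GEOIP = {ip_network("204.245.34.0/24"): "BRAZIL"}
REPUTATION = {ip_network("204.245.34.0/24"): "BOTNET"}
CLIENT_NETWORKS = [ip_network("192.168.0.0/16")]   # assumed "client networks"

# RFC 5424 header (version 1) after any relay prefix, then the SD element.
HEADER = re.compile(r'<\d+>1 (\S+) (\S+) (\S+) - (\S+) \[(\S+) (.*)\]$')
PARAM = re.compile(r'([\w-]+)="([^"]*)"')

def parse_event(line):
    """Split a Junos structured-data syslog line into header fields plus SD params."""
    m = HEADER.search(line)
    if not m:
        raise ValueError("not a Junos structured-data syslog line")
    ts, host, process, event_id, sd_id, params = m.groups()
    ev = {"timestamp": ts, "host": host, "process": process,
          "event_id": event_id, "sd_id": sd_id}
    ev.update(PARAM.findall(params))        # each key="value" pair becomes a field
    return ev

def lookup(table, ip):
    addr = ip_address(ip)                   # first matching network wins, else None
    return next((label for net, label in table.items() if addr in net), None)

def enrich(ev):
    """Taxonomy category, GeoIP country and reputation of the destination."""
    dst = ev["destination-address"]
    ev["category"] = TAXONOMY.get(ev["event_id"], "UNKNOWN")
    ev["dst_country"] = lookup(GEOIP, dst)
    ev["dst_reputation"] = lookup(REPUTATION, dst)
    return ev

def client_burst_alerts(events, threshold):
    """Rule: sources inside a client network with more than `threshold` events."""
    counts = Counter(e["source-address"] for e in events
                     if any(ip_address(e["source-address"]) in n for n in CLIENT_NETWORKS))
    return sorted(src for src, n in counts.items() if n > threshold)
```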

Page 12: Juniper Secure Analytics (JSA) Overview


EVENT ANALYTICS: GEOIP-MAPPING

Provide mapping of IP to Countries both for visibility and for correlation.

Page 13: Juniper Secure Analytics (JSA) Overview


EVENT ANALYTICS: IP REPUTATION

Page 14: Juniper Secure Analytics (JSA) Overview


EVENT ANALYTICS: RULES ENGINE MATCHING

Creating a correlation rule is as simple as sorting mail in Outlook!

• Secure Analytics is delivered with a large set of built-in rules
• Many of them are disabled by default but will give you tips on what to correlate on
• All rules are easy to tune to fit your specific deployment

Page 15: Juniper Secure Analytics (JSA) Overview


EVENT ANALYTICS: RULES ENGINE ACTION

Page 16: Juniper Secure Analytics (JSA) Overview


THE KEY TO DATA MANAGEMENT: REDUCTION AND PRIORITIZATION

Previous 24hr period of network and security activity (2.7M logs)

Correlation of data sources creates offenses (129)

STRM

Offenses are a complete history of a threat or violation with full context about accompanying network, asset and user identity information

Offenses are further prioritized by business impact

Page 17: Juniper Secure Analytics (JSA) Overview


USE CASE: COMPLEX THREAT DETECTION

Sounds Nasty… But how do we know this? The evidence is a single click away.

Buffer Overflow: Exploit attempt seen by Snort

Network Scan: Detected by QFlow

Targeted Host Vulnerable: Detected by Nessus

Total Security Intelligence: Convergence of network, event and vulnerability data

Page 18: Juniper Secure Analytics (JSA) Overview


USE CASE: USER ACTIVITY MONITORING

Authentication Failures: Perhaps a user who forgot his/her password?

Brute Force Password Attack: Numerous failed login attempts against different user accounts

Host Compromised: All this followed by a successful login. Automatically detected, no custom tuning required.
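An added example, not part of the deck or the product, of the escalation the slide describes, run over a constructed auth log; the five-minute window and the failure/account thresholds are assumed values.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample auth log (not from the page): one source fails against many
# accounts and then succeeds; another source is a single forgotten password.
LOG = """\
2012-03-24T05:20:01 sshd auth-failure src=10.0.5.7 user=alice
2012-03-24T05:20:03 sshd auth-failure src=10.0.5.7 user=bob
2012-03-24T05:20:05 sshd auth-failure src=10.0.5.7 user=carol
2012-03-24T05:20:06 sshd auth-failure src=10.0.5.7 user=dave
2012-03-24T05:20:08 sshd auth-failure src=10.0.5.7 user=erin
2012-03-24T05:20:11 sshd auth-success src=10.0.5.7 user=erin
2012-03-24T05:31:00 sshd auth-failure src=10.0.9.2 user=frank
2012-03-24T05:31:20 sshd auth-success src=10.0.9.2 user=frank
"""

def parse(line):
    """One constructed auth record -> dict (timestamp, outcome, source, user)."""
    ts, _, outcome, src, user = line.split()
    return {"ts": datetime.fromisoformat(ts), "outcome": outcome,
            "src": src.split("=", 1)[1], "user": user.split("=", 1)[1]}

def classify(lines, window=timedelta(minutes=5), min_failures=5, min_users=3):
    """Per-source verdict, escalating through the slide's three stages:
    'auth_failure'     - a few failures (forgotten password)
    'brute_force'      - >= min_failures failures against >= min_users accounts
                         inside the sliding window
    'host_compromised' - a brute force followed by a success from the same source
    Thresholds and window are assumed values, not the product's."""
    recent = defaultdict(list)          # src -> [(ts, user)] still inside window
    verdict = {}
    for ev in (parse(l) for l in lines.splitlines() if l.strip()):
        src, hist = ev["src"], recent[ev["src"]]
        hist[:] = [(t, u) for t, u in hist if ev["ts"] - t <= window]
        if ev["outcome"] == "auth-failure":
            hist.append((ev["ts"], ev["user"]))
            many_users = len({u for _, u in hist}) >= min_users
            if len(hist) >= min_failures and many_users:
                if verdict.get(src) != "host_compromised":
                    verdict[src] = "brute_force"
            else:
                verdict.setdefault(src, "auth_failure")
        elif verdict.get(src) == "brute_force":
            verdict[src] = "host_compromised"   # the sequence on the slide
    return verdict
```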


Page 20: Juniper Secure Analytics (JSA) Overview


SECURE ANALYTICS FLOW

Diagram labels: STRM V-FP; WEB-1, WEB-2, WEB-3 (Virtualized Servers); DMZ; STRM-FP; Branch-Office; STRM-FP; STRM-Console; STRM-FP; vGW

Page 21: Juniper Secure Analytics (JSA) Overview


FLOWS FOR NETWORK INTELLIGENCE
• QoS monitoring
• Detection of day-zero attacks that have no signature
• Policy monitoring and rogue server detection
• Visibility into all attacker communications
• Passive flow monitoring builds asset profiles & auto-classifies hosts
• Network visibility and problem solving (not just security related)

Page 22: Juniper Secure Analytics (JSA) Overview


ANOMALY DETECTION

Secure Analytics learns and anticipates the established “normal” condition for:
- The Network
- The Host
- The Protocol
- The Application


Page 24: Juniper Secure Analytics (JSA) Overview


USE-CASE: CAMPUS & BRANCH VPN MONITORING USING JUNOS RPM

Diagram labels: BRANCH-1, BRANCH-2 (RPM-Probes); HQ (RPM-Probes, RPM-Logs)

Page 25: Juniper Secure Analytics (JSA) Overview


USE-CASE: CAMPUS & BRANCH VPN MONITORING USING JUNOS RPM

Page 26: Juniper Secure Analytics (JSA) Overview


USE-CASE: DATACENTER VISIBILITY, REPORTING AND CORRELATION OF EVENTS AND TRAFFIC

Diagram labels: VM-1, VM-2, VM-3, VM-4, VM-5, VM-6 and WEB-1, WEB-2, WEB-3 (Virtualized Servers); Clients; Exposed Services; WebApp Secure; SRX AppSecure; FireFly (two instances); EX; JSA at the NOC/SOC; links carrying “Flow and events”, “Flow” and “Events”

Page 27: Juniper Secure Analytics (JSA) Overview


USE-CASE: BYOD AUTOMATIC REMEDIATION USING OPEN STANDARDS PROTOCOL (IF-MAP)

Diagram labels: Juniper EX (Switch); IDP Series; Firewall: SSG Series, ISG Series, SRX Series; Application Servers; Juniper IC (IF-MAP Server); Secure Analytics; UAC Agent; UAC Agent-less Mode; NSM; IF-MAP; Juniper SA (SSL-VPN); Juniper AX (WLAN AP)


Page 29: Juniper Secure Analytics (JSA) Overview


SMALL SITE DEPLOYMENT – APPLIANCE OR VM

JSA1500 can collect up to 1000 events per second and 50kF/min

• Allows real-time streaming of events
• Visibility of incoming/outgoing traffic (SRX FW/AppTrack)
• Visibility of internal traffic (EX flow-data)
• Threat and anomaly detection
• Correlation and compliance reporting
• Provides common dashboard

Diagram labels: STRM 5000 EP or FP; EX Virtual Chassis; SRX Branch; JSA1500 (flow data and syslog); syslog

Page 30: Juniper Secure Analytics (JSA) Overview


LARGE SITE DEPLOYMENT – APPLIANCE

• You can connect up to 250 Event Processors to one Console
• JSA Console provides one dashboard with aggregated data from all EPs
• Searches and reports are done on aggregated data from all EPs
• Configurable retention policies allow storing important/compliance logs for a longer time than other logs

Diagram labels: STRM 5000 EP or FP; SRX-5800 (two instances); JSA 1/3/5/7500 Event Processors; syslog; SLB; JSA5500-Console

Page 31: Juniper Secure Analytics (JSA) Overview


DISTRIBUTED LOG/FLOW COLLECTION

Diagram labels: JSA-Console (EMEA); Canada, Australia, Beijing; JSA1500 Local EP/FP; JSA VM Local EP; JSA VM Local FP

• Distributed log and flow collection offloads WAN links
• Will continue to receive and store events/flows even if the WAN link goes down
• Available both as physical appliance and virtual appliance
• CombiCollector (both EP/FP) only supported on physical appliance
• JSA VM is available as: Remote TM EP, Remote LM EP, Remote FP

• Visibility of incoming/outgoing traffic
• Threat and anomaly detection
• Correlation and compliance
• Provides common dashboard


Page 33: Juniper Secure Analytics (JSA) Overview


SECURE ANALYTICS: ALL-IN-ONE DEPLOYMENT

JSA1500: 1,000 EPS / 15K F/M (Small Enterprise)

JSA3500: 5,000 EPS / 50K F/M (Small-Medium Enterprise)

JSA5500: 10,000 EPS / 200K F/M (Medium Enterprise)

Page 34: Juniper Secure Analytics (JSA) Overview


SECURE ANALYTICS: DISTRIBUTED DEPLOYMENT

Diagram labels: WebUI; Console; Event Processor; Flow Processor; QFlow Collector; EP/FP combo; JSA1500 QFlow Collectors deployed in Tap/Mirror or SPAN mode; security devices exporting event data; network devices exporting flow data

• Supports a very high amount of EPS
• Solves branch-office collection
• Can be fully redundant

Page 35: Juniper Secure Analytics (JSA) Overview


JSA PLATFORM SUPPORT MATRIX

Columns: QFlow Collector | Event Processor | Flow Processor | EP/FP Combo | Console Support | All-in-one Support

Rows: JSA VM, JSA1500, JSA3500, JSA5500, JSA7500 (cell values not shown)

Page 36: Juniper Secure Analytics (JSA) Overview


SECURE ANALYTICS – LICENSING: LOG ANALYTICS VS THREAT ANALYTICS

Log Analytics License
- Log Collection and Categorization
- Customizable Dashboards
- Predefined and customizable reports

Threat Analytics License

Security Information and Event Management (SIEM)
- Event and Flow Correlation
- Asset Profiling
- Vulnerability Scanner integration

Network Behavior Anomaly Detection (NBAD)
- Network Traffic Visibility
- QoS Visibility
- Traffic Anomaly Detection


Page 38: Juniper Secure Analytics (JSA) Overview

Thanks!