Secure Analytics - IP NETWORK SOLUSINDO


JUNIPER SECURE ANALYTICS (JSA) OVERVIEW

Stefan Lager, Product Line Manager


AGENDA

1. Challenges with Event Management
2. Data Collection
3. Event Management and Analytics
4. Flow Management and Analytics
5. Secure Analytics - Use Cases
6. Deployment Options
7. Platforms and Licensing

Copyright © 2009 Juniper Networks, Inc. www.juniper.net


CHALLENGES WITH EVENT COLLECTION

IT "information" overload
• The amount of events
• The amount of different types of events
• The amount of different types of event sources

Data mining and analytics
• Event categorization
• Event search and drill-down
• Anomaly detection

THE SOLUTION: JUNIPER SECURE ANALYTICS

Log Server: "Here are all your events. Please take a look at them and let me know if you find anything strange."

Secure Analytics (JSA): "Of all the million incoming events, I think you need to take a look at this one."

LOG SERVER VS. JUNIPER SECURE ANALYTICS

Log Server:
• "APACHE-STRUTS-URI-CMDEXE"

Secure Analytics (JSA):
• "APACHE-STRUTS-URI-CMDEXE"
• Webserver is vulnerable!
• Webserver sent a crash event!
• Strange traffic seen FROM Webserver!
• Attack came from an IP with bad reputation!
• Attack came from a suspicious country!
• Events have been received from other "Security Devices"!
• …

(Diagram labels: "Security Device", "Security Device", Webserver.)


MULTI-VENDOR EVENT AND FLOW COLLECTION

Networking events
• Switches & routers, including flow data

Security logs
• Firewalls, IDS, IPS, VPNs, vulnerability scanners, gateway AV, desktop AV & UTM devices

Operating systems/host logs
• Microsoft, Unix and Linux

Applications
• Database, mail & web

User and asset
• Authentication data

Security map utilities
• GeoIP
• Reputation feeds

(Diagram labels: Compliance Templates, Forensics, Search, Policy, Reporting.)


WHAT DOES JSA COLLECT?

Events
• Syslog: UDP/TCP, multiline UDP, binary (SRX) + PCAP (SRX), Syslog-TLS
• SNMP: version 1, 2 & 3
• Application/protocols (*): JDBC, OPSEC/LEA, SDEE, SourceFire Estreamer, log file, Microsoft, EMC, VMWare, Oracle, SMB tail, Cisco NSEL, …

Flows
• NetFlow: version 1, 5, 7, 9
• IPFIX: supported
• JFlow: supported
• SFlow: version 2, 4, 5
• QFlow: on QFC and monitor interfaces

Agents
• ALE, Snare, WinCollect, Packeteer FDR

(*) For more info refer to datasheet

SECURE ANALYTICS (JSA) - KEY BENEFITS

Reduced OPEX
• Collects all event and flow data in one place
• Supports a large set of vendors out-of-the-box

Compliance
• Ships with predefined reports for COBIT, FISMA, GLBA, GSX-Memo22, HIPAA, NERC, PCI and SOX

Increased Visibility
• Supports graph/dashboard/reporting on any event data
• Flow collection enables proactive actions

Increased Detection
• Analytics engine detects violations and anomalies
• Built-in support for GeoIP and reputation feeds

Scalable
• Supports up to 7M EPS per console
• Supports distributed collection of events and flows


EXAMPLE: WHAT CAN SECURE ANALYTICS DO WITH A FIREWALL EVENT?

<182>Sep 26 20:14:49 127.0.0.1 <14>1 2012-03-24T05:21:13.677 utm-n0 RT_FLOW RT_FLOW_SESSION_CREATE [[email protected] source-address="192.168.34.10" source-port="58541" destination-address="204.245.34.169" destination-port="80" service-name="junos-http" nat-source address="192.168.32.2" nat-source-port="3195" nat-destination-address="204.245.34.169" nat-destination-port="80" src-nat-rule-name="r1" dst-nat-rule-name="None" protocol-id="6" policy-name="utm-out" source-zone-name="trust" destination-zone-name="untrust" session-id-32="143804" username="VIRTUALPOC\slager" roles="VPoC-UTM-Demo" packet-incoming-interface="ge-0/0/2.3602"]

Event Analytics
• Taxonomy: RT_FLOW_SESSION_CREATE => Category "FIREWALL PERMIT"
• GeoIP: 204.245.34.169 => Country "BRAZIL"
• IP Reputation: 204.245.34.169 => Remote Network "BOTNET"
• Analytics: Alert if more than a set threshold of events come from the same src, IF the src is coming from one of our client networks

Event Management
• RBAC: Allow access to a subset of the event data
• Indexing: Allow indexing on any field; 10-100x search time improvement
• Retention: Flexible setting for how long this event should be stored
• Forwarding: Should this specific event be forwarded?
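The parsing and enrichment steps listed above, as an added Python example (not Juniper's code and not JSA's own parser): it splits the SRX structured-data event into header fields and key/value pairs, maps the event name to a vendor-neutral category, and looks up the destination address in GeoIP and reputation tables. The sample event, the structured-data ID placeholder `junos@0000` (the real SD-ID was mangled in the transcript), the `TAXONOMY` mapping and the two lookup tables are all constructed for this example.

```python
import re
from ipaddress import ip_address, ip_network

# Constructed sample event, modelled on the SRX RT_FLOW_SESSION_CREATE line on
# the slide.  "junos@0000" is a placeholder for the structured-data ID.
SAMPLE_EVENT = (
    '<182>Sep 26 20:14:49 127.0.0.1 <14>1 2012-03-24T05:21:13.677 utm-n0 RT_FLOW '
    'RT_FLOW_SESSION_CREATE [junos@0000 source-address="192.168.34.10" '
    'source-port="58541" destination-address="204.245.34.169" '
    'destination-port="80" service-name="junos-http" '
    'nat-source-address="192.168.32.2" nat-source-port="3195" '
    'nat-destination-address="204.245.34.169" nat-destination-port="80" '
    'src-nat-rule-name="r1" dst-nat-rule-name="None" protocol-id="6" '
    'policy-name="utm-out" source-zone-name="trust" '
    'destination-zone-name="untrust" session-id-32="143804" '
    'username="VIRTUALPOC\\slager" roles="VPoC-UTM-Demo" '
    'packet-incoming-interface="ge-0/0/2.3602"]'
)

# Constructed taxonomy: vendor event name -> vendor-neutral category.
TAXONOMY = {
    "RT_FLOW_SESSION_CREATE": "FIREWALL PERMIT",
    "RT_FLOW_SESSION_DENY": "FIREWALL DENY",
}

# Constructed GeoIP and reputation tables keyed by network.  A deployment would
# load these from a GeoIP database and a reputation feed; the single entries
# here reproduce the two lookups the slide shows for 204.245.34.169.
GEOIP = {ip_network("204.245.34.169/32"): "BRAZIL"}
REPUTATION = {ip_network("204.245.34.169/32"): "BOTNET"}

ISO_TS = re.compile(r"^\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}")
KEY_VALUE = re.compile(r'(\S+?)="([^"]*)"')


def parse_srx_event(line):
    """Split an SRX syslog line into header fields and structured-data pairs."""
    header, sep, sd = line.partition(" [")
    if not sep:
        raise ValueError("no structured-data element in event")
    tokens = header.split()
    # The RFC 5424 header is TIMESTAMP HOSTNAME APP-NAME ... MSGID.  Locate the
    # ISO timestamp so that any relay prefix in front of it (PRI, BSD timestamp,
    # relay address) is ignored.
    ts_index = next((i for i, t in enumerate(tokens) if ISO_TS.match(t)), None)
    if ts_index is None:
        raise ValueError("no RFC 5424 timestamp in event header")
    return {
        "timestamp": tokens[ts_index],
        "hostname": tokens[ts_index + 1],
        "event_name": tokens[-1],  # MSGID, e.g. RT_FLOW_SESSION_CREATE
        "fields": dict(KEY_VALUE.findall(sd.rstrip("]"))),
    }


def lookup(table, ip):
    """Longest-prefix match of an address against a {network: value} table."""
    addr = ip_address(ip)
    hits = [(net.prefixlen, value) for net, value in table.items() if addr in net]
    return max(hits)[1] if hits else None


def enrich(event):
    """Apply the taxonomy, GeoIP and reputation steps to a parsed event."""
    dst = event["fields"].get("destination-address")
    return {
        "category": TAXONOMY.get(event["event_name"], "UNKNOWN"),
        "dst_country": lookup(GEOIP, dst) if dst else None,
        "dst_reputation": lookup(REPUTATION, dst) if dst else None,
    }


if __name__ == "__main__":
    parsed = parse_srx_event(SAMPLE_EVENT)
    print(parsed["event_name"], parsed["fields"]["source-address"], "->",
          parsed["fields"]["destination-address"])
    print(enrich(parsed))
```

The enriched fields (category, country, reputation) are what the correlation step further down the slide keys on; indexing them, rather than the raw event text, is what makes the later searches cheap.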

EVENT ANALYTICS: GEOIP-MAPPING

Provides mapping of IP addresses to countries, both for visibility and for correlation.

EVENT ANALYTICS: IP REPUTATION

EVENT ANALYTICS: RULES ENGINE MATCHING

• Secure Analytics is delivered with a large set of built-in rules
• Many of them are disabled by default, but they give you tips on what to correlate on
• All rules are easy to tune to fit your specific deployment

Creating a correlation rule is as simple as sorting mail in Outlook!

EVENT ANALYTICS: RULES ENGINE ACTION
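A minimal version of the threshold rule from the firewall-event slide ("alert if more than a threshold of events from the same source, if the source is in one of our client networks"), written as an added Python example rather than JSA's rules engine. The three parameters an analyst tunes (threshold, window, client networks) are plain fields on the rule, matching is a sliding per-source window, and the action is one alert per burst. The client network 192.168.32.0/22 and the event stream are constructed.

```python
from collections import defaultdict, deque
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network


@dataclass
class ThresholdRule:
    """More than `threshold` events from one source within `window` seconds,
    and only if that source lies in one of `client_networks`."""
    name: str
    threshold: int
    window: int                      # seconds
    client_networks: list            # ip_network objects
    _recent: dict = field(default_factory=lambda: defaultdict(deque))

    def in_scope(self, src):
        addr = ip_address(src)
        return any(addr in net for net in self.client_networks)

    def process(self, event):
        """Feed one event (needs 'ts' in seconds and 'src'); return an alert
        dict when the rule fires, otherwise None."""
        src = event["src"]
        if not self.in_scope(src):
            return None                       # the IF clause of the rule
        ts = event["ts"]
        bucket = self._recent[src]
        bucket.append(ts)
        while bucket and ts - bucket[0] > self.window:   # slide the window
            bucket.popleft()
        if len(bucket) > self.threshold:
            count = len(bucket)
            bucket.clear()                    # one alert per burst, not one per extra event
            return {"rule": self.name, "src": src, "count": count,
                    "window": self.window, "at": ts, "action": "create offense"}
        return None


def run_rule(rule, events):
    """Replay events in time order and collect the alerts the rule raises."""
    alerts = []
    for event in sorted(events, key=lambda e: e["ts"]):
        alert = rule.process(event)
        if alert:
            alerts.append(alert)
    return alerts


def make_rule():
    # Constructed tuning: fire on the 6th event within 60 s from a client host.
    return ThresholdRule(name="Client burst", threshold=5, window=60,
                         client_networks=[ip_network("192.168.32.0/22")])


def sample_events():
    """Constructed input: three sources, only one of which should alert."""
    events = []
    events += [{"ts": t, "src": "192.168.34.10"} for t in range(0, 30, 5)]     # 6 events in 25 s
    events += [{"ts": t, "src": "192.168.34.11"} for t in range(0, 600, 100)]  # 6 events in 500 s
    events += [{"ts": t, "src": "10.9.9.9"} for t in range(0, 30, 5)]          # not a client network
    return events


if __name__ == "__main__":
    for alert in run_rule(make_rule(), sample_events()):
        print(alert)
```

The second source shows why the window matters: six events spread over 500 seconds never put more than one event inside the 60-second window, so no alert is raised even though the total count is the same as the bursting host.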

THE KEY TO DATA MANAGEMENT: REDUCTION AND PRIORITIZATION

• Previous 24hr period of network and security activity (2.7M logs)
• Correlation of data sources creates offenses (129)
• Offenses are a complete history of a threat or violation, with full context about the accompanying network, asset and user identity information
• Offenses are further prioritized by business impact

USE CASE: COMPLEX THREAT DETECTION

Sounds nasty… but how do we know this? The evidence is a single click away.

• Network scan detected by QFlow
• Buffer overflow exploit attempt seen by Snort
• Targeted host vulnerable, detected by Nessus

Total Security Intelligence: convergence of network, event and vulnerability data

USE CASE: USER ACTIVITY MONITORING

• Authentication failures: perhaps a user who forgot his/her password?
• Brute force password attack: numerous failed login attempts against different user accounts
• Host compromised: all this followed by a successful login

Automatically detected, no custom tuning required.
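The three-step escalation on this slide (a few failures, a burst of failures against many accounts, then a success from the same source), as an added Python example that is not JSA's rule set: each source's login events are walked in time order with a sliding window, and the worst verdict seen is reported. The normalised event schema, the window and count parameters, and the four sample sources are constructed.

```python
from collections import defaultdict

# Severity order of the verdicts from the slide.
RANK = {None: 0, "authentication failures": 1, "brute force": 2, "host compromised": 3}


def is_brute_force(recent_failures, min_failures, min_users):
    """Numerous failed logins against different accounts, all inside the window."""
    users = {f["user"] for f in recent_failures}
    return len(recent_failures) >= min_failures and len(users) >= min_users


def classify_source(events, window=300, min_failures=5, min_users=3):
    """Walk one source's events in time order; return the worst verdict seen."""
    recent = []      # failures still inside the sliding window
    worst = None
    for e in sorted(events, key=lambda e: e["ts"]):
        recent = [f for f in recent if e["ts"] - f["ts"] <= window]
        if e["outcome"] == "failure":
            recent.append(e)
            verdict = ("brute force" if is_brute_force(recent, min_failures, min_users)
                       else "authentication failures")
        elif e["outcome"] == "success":
            # The slide's "host compromised": a burst of failures followed by a success.
            verdict = ("host compromised"
                       if is_brute_force(recent, min_failures, min_users) else None)
        else:
            continue
        if RANK[verdict] > RANK[worst]:
            worst = verdict
    return worst


def classify_all(events, **params):
    """Group normalised login events by source address and classify each source."""
    by_src = defaultdict(list)
    for e in events:
        by_src[e["src"]].append(e)
    return {src: classify_source(evs, **params) for src, evs in by_src.items()}


def sample_auth_events():
    """Constructed, already-normalised login events; ts is seconds."""
    ev = []
    # 10.1.1.5: one user mistypes a password three times, then gets in.
    ev += [{"ts": t, "src": "10.1.1.5", "user": "alice", "outcome": "failure"} for t in (0, 10, 20)]
    ev.append({"ts": 30, "src": "10.1.1.5", "user": "alice", "outcome": "success"})
    users = ["bob", "carol", "dave", "erin", "frank"]
    # 10.2.2.2: five accounts tried within 40 seconds, no success.
    ev += [{"ts": 10 * i, "src": "10.2.2.2", "user": u, "outcome": "failure"} for i, u in enumerate(users)]
    # 10.3.3.3: the same burst, followed by a successful login.
    ev += [{"ts": 10 * i, "src": "10.3.3.3", "user": u, "outcome": "failure"} for i, u in enumerate(users)]
    ev.append({"ts": 50, "src": "10.3.3.3", "user": "admin", "outcome": "success"})
    # 10.4.4.4: five accounts, but spread over about 27 minutes, so the 5-minute
    # window never holds a burst; the later success is therefore not escalated.
    ev += [{"ts": 400 * i, "src": "10.4.4.4", "user": u, "outcome": "failure"} for i, u in enumerate(users)]
    ev.append({"ts": 1700, "src": "10.4.4.4", "user": "admin", "outcome": "success"})
    return ev


if __name__ == "__main__":
    for src, verdict in classify_all(sample_auth_events()).items():
        print(src, "->", verdict)
```

The fourth source is the tuning trap: the same five accounts and the same final success, but slow enough that a window-based rule sees only isolated failures. Whether that should still escalate is exactly the kind of decision the window and count parameters encode.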


SECURE ANALYTICS FLOW

(Diagram: the STRM-Console receives flows from STRM-FP collectors at a branch office, in the DMZ (WEB-1, WEB-2, WEB-3) and, via vGW / STRMV-FP, on virtualized servers.)

FLOWS FOR NETWORK INTELLIGENCE

• QoS monitoring
• Detection of day-zero attacks that have no signature
• Policy monitoring and rogue server detection
• Visibility into all attacker communications
• Passive flow monitoring builds asset profiles & auto-classifies hosts
• Network visibility and problem solving (not just security related)

ANOMALY DETECTION

Secure Analytics learns and anticipates the established "normal" condition for:
- The network
- The host
- The protocol
- The application
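What "learning the normal condition" means in practice, as an added Python example that is not JSA's NBAD engine: a learning phase builds a per-(host, protocol) baseline of bytes per interval from historical flow records, and a detection phase scores a new interval by its distance from that baseline in standard deviations. A pair with no history at all is reported as new behaviour rather than scored, which is the flow-side version of rogue server detection. The flow record schema, the z-score threshold and the training data are constructed.

```python
from collections import defaultdict
from statistics import mean, pstdev


def build_baseline(flows, min_samples=5):
    """Learn (mean, stddev) of bytes per interval for each (host, proto) pair
    from historical flow records {"host", "proto", "interval", "bytes"}."""
    totals = defaultdict(lambda: defaultdict(int))   # key -> interval -> bytes
    for f in flows:
        totals[(f["host"], f["proto"])][f["interval"]] += f["bytes"]
    baseline = {}
    for key, per_interval in totals.items():
        samples = list(per_interval.values())
        if len(samples) < min_samples:
            continue        # too little history to call anything "normal"
        baseline[key] = (mean(samples), pstdev(samples))
    return baseline


def score(baseline, host, proto, observed_bytes, z_threshold=3.0):
    """Compare one new interval against the learned baseline."""
    key = (host, proto)
    if key not in baseline:
        return {"verdict": "new behaviour", "z": None}   # never-seen host/protocol pair
    mu, sigma = baseline[key]
    sigma = max(sigma, 1.0)     # a perfectly steady history must not divide by zero
    z = (observed_bytes - mu) / sigma
    return {"verdict": "anomaly" if abs(z) > z_threshold else "normal", "z": round(z, 2)}


def sample_history():
    """Constructed training data: ten intervals of HTTP from one host, split
    into two flow records per interval so the per-interval sum matters, plus a
    second pair with too little history to baseline."""
    per_interval = [800, 1200, 950, 1050, 1100, 900, 1000, 1000, 1150, 850]
    flows = []
    for i, total in enumerate(per_interval):
        flows.append({"host": "10.0.0.7", "proto": "http", "interval": i, "bytes": total // 2})
        flows.append({"host": "10.0.0.7", "proto": "http", "interval": i, "bytes": total - total // 2})
    flows.append({"host": "10.0.0.8", "proto": "dns", "interval": 0, "bytes": 300})
    return flows


if __name__ == "__main__":
    bl = build_baseline(sample_history())
    for observed in (1300, 2000, 50000):
        print("10.0.0.7 http", observed, score(bl, "10.0.0.7", "http", observed))
    print("10.0.0.7 smb 500", score(bl, "10.0.0.7", "smb", 500))
```

The `min_samples` floor is the part worth tuning first: a baseline learned from one or two intervals will flag almost anything, which is the usual source of noise when anomaly detection is switched on for a new network segment.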


USE-CASE: CAMPUS & BRANCH – VPN MONITORING USING JUNOS RPM

(Diagram: RPM probes run between HQ, BRANCH-1 and BRANCH-2; the resulting RPM logs are collected for monitoring.)

USE-CASE: DATACENTER – VISIBILITY, REPORTING AND CORRELATION OF EVENTS AND TRAFFIC

(Diagram: clients reach the exposed services WEB-1, WEB-2, WEB-3 and the virtualized servers VM-1 … VM-6 through SRX AppSecure, EX switches, WebApp Secure and FireFly; the events and flows from these devices are collected by JSA in the NOC/SOC.)

USE-CASE: BYOD AUTOMATIC REMEDIATION USING OPEN STANDARDS PROTOCOL (IF-MAP)

(Diagram: the Juniper IC (IF-MAP server) exchanges IF-MAP data with NSM, Secure Analytics, UAC agent / UAC agent-less mode, Juniper EX switches, IDP Series, Juniper AX WLAN APs, Juniper SA SSL-VPN, SSG/ISG/SRX Series firewalls and the application servers.)


SMALL SITE DEPLOYMENT – APPLIANCE OR VM (JSA1500)

• JSA1500 can collect up to 1000 events per second and 50kF/min
• Allows real-time streaming of events
• Visibility of incoming/outgoing traffic (SRX FW/AppTrack)
• Visibility of internal traffic (EX flow data)
• Threat and anomaly detection
• Correlation and compliance reporting
• Provides common dashboard

(Diagram: an SRX Branch and an EX Virtual Chassis send flow data and syslog to the JSA1500 (STRM 5000 EP or FP).)

LARGE SITE DEPLOYMENT – APPLIANCE (JSA 1/3/5/7500 EVENT PROCESSORS, JSA5500 CONSOLE)

• You can connect up to 250 Event Processors to one Console
• JSA Console provides one dashboard with aggregated data from all EPs
• Searches and reports are done on aggregated data from all EPs
• Configurable retention policies allow storing important/compliance logs for a longer time than other logs

(Diagram: two SRX-5800 firewalls send syslog through an SLB to the Event Processors (STRM 5000 EP or FP), which feed the JSA5500 Console.)

DISTRIBUTED LOG/FLOW COLLECTION

• Distributed log and flow collection offloads WAN links
• Will continue to receive and store events/flows even if the WAN link goes down
• Available both as physical appliances and virtual appliances
• CombiCollector (both EP/FP) only supported on physical appliance
• JSA VM is available as:
- Remote TM EP
- Remote LM EP
- Remote FP
• Visibility of incoming/outgoing traffic
• Threat and anomaly detection
• Correlation and compliance
• Provides common dashboard

(Diagram: a JSA Console with a local EP/FP on a JSA1500, and JSA VM local EPs/FPs in EMEA, Australia, Beijing and Canada.)


SECURE ANALYTICS: ALL-IN-ONE DEPLOYMENT

• JSA1500: 1,000 EPS, 15 KF/M
• JSA3500: 5,000 EPS, 50 KF/M
• JSA5500: 10,000 EPS, 200 KF/M

SECURE ANALYTICS: DISTRIBUTED DEPLOYMENT

• Supports a very high amount of EPS
• Solves branch-office collection
• Can be fully redundant

(Diagram: a Console with WebUI; Event Processors, Flow Processors and EP/FP combos; security devices exporting event data and network devices exporting flow data; JSA1500 QFlow Collectors deployed in tap/mirror or SPAN mode.)

JSA PLATFORM SUPPORT MATRIX

Roles: QFlow Collector, Event Processor, Flow Processor, EP/FP Combo, JSA VM, Console Support, All-in-one Support
Platforms: JSA1500, JSA3500, JSA5500, JSA7500

(The per-platform cells of the matrix are not present in the transcript.)

SECURE ANALYTICS – LICENSING: LOG ANALYTICS VS THREAT ANALYTICS

Log Analytics License
• Log collection and categorization
• Customizable dashboards
• Predefined and customizable reports

Threat Analytics License
• Network Behavior Anomaly Detection (NBAD)
• Security Information and Event Management (SIEM)
• Network traffic visibility
• QoS visibility
• Traffic anomaly detection
• Event and flow correlation
• Asset profiling
• Vulnerability scanner integration


Thanks!