
Juniper Secure Analytics (JSA) Overview

Juniper Secure Analytics (JSA) Overview. Stefan Lager, Product Line Manager, slager@juniper.net. AGENDA: Challenges with Event Management; Data Collection; Event Management and Analytics; Flow Management and Analytics; Secure Analytics - Use Cases; Deployment Options; Platforms and Licensing.





Presentation Transcript


  1. Juniper Secure Analytics (JSA) Overview. Stefan Lager, Product Line Manager, slager@juniper.net

  2. AGENDA • Challenges with Event Management • Data Collection • Event Management and Analytics • Flow Management and Analytics • Secure Analytics - Use Cases • Deployment Options • Platforms and Licensing

  3. Challenges with EVENT collection
     • IT “information” overload
       • The amount of events
       • The amount of different types of events
       • The amount of different types of event sources
     • Data mining and Analytics
       • Events Categorization
       • Event Search and Drill-down
       • Anomaly Detection

  4. The solution: Juniper Secure Analytics
     Log Server: “Here are all your events. Please take a look at them and let me know if you find anything strange.”
     Secure Analytics (JSA): “Of all the million incoming events I think you need to take a look at this one.”

  5. LOG Server vs. Juniper Secure Analytics
     Log Server shows the raw event from the “Security Device”: “APACHE-STRUTS-URI-CMDEXE”
     Secure Analytics (JSA) takes the same “APACHE-STRUTS-URI-CMDEXE” event and adds context from the Webserver and other sources:
     • Webserver is vulnerable!
     • Webserver sent a crash event!
     • Strange traffic seen FROM Webserver!
     • Attack came from an IP with bad reputation!
     • Attack came from a suspicious country!
     • Events have been received from other “Security Devices”!
     • …

  6. AGENDA • Challenges with Event Management • Data Collection • Event Management and Analytics • Flow Management and Analytics • Secure Analytics - Use Cases • Deployment Options • Platforms and Licensing

  7. Multi-vendor event and flow collection
     • Networking events: Switches & routers, including flow data
     • Security logs: Firewalls, IDS, IPS, VPNs, Vulnerability Scanners, Gateway AV, Desktop AV, & UTM devices
     • Operating Systems/Host logs: Microsoft, Unix and Linux
     • Applications: Database, mail & web
     • User and asset: Authentication data
     • Security map utilities: GeoIP, Reputation Feeds
     Functions: Compliance Templates, Forensics, Search, Policy, Reporting

  8. What does JSA Collect? (*) For more info refer to datasheet

  9. Secure Analytics (JSA) - Key Benefits
     • Reduced OPEX: Collects all event and flow data in one place; Supports a large set of vendors out-of-the-box
     • Compliance: Ships with predefined reports for COBIT, FISMA, GLBA, GSX-Memo22, HIPAA, NERC, PCI and SOX
     • Increased Visibility: Supports Graph/Dashboard/Reporting on any event data; Flow collection enables proactive actions
     • Increased Detection: Analytics engine detects violations and anomalies; Built-in support for GeoIP and Reputation feeds
     • Scalable: Supports up to 7M EPS per console; Supports distributed collection of events and flows

  10. AGENDA • Challenges with Event Management • Data Collection • Event Management and Analytics • Flow Management and Analytics • Secure Analytics - Use Cases • Deployment Options • Platforms and Licensing

  11. EXAMPLE: What Can Secure Analytics DO with a FIREWALL Event?
     • <182>Sep 26 20:14:49 127.0.0.1 <14>1 2012-03-24T05:21:13.677 utm-n0 RT_FLOW - RT_FLOW_SESSION_CREATE [junos@2636.1.1.1.2.40 source-address="192.168.34.10" source-port="58541" destination-address="204.245.34.169" destination-port="80" service-name="junos-http" nat-source-address="192.168.32.2" nat-source-port="3195" nat-destination-address="204.245.34.169" nat-destination-port="80" src-nat-rule-name="r1" dst-nat-rule-name="None" protocol-id="6" policy-name="utm-out" source-zone-name="trust" destination-zone-name="untrust" session-id-32="143804" username="VIRTUALPOC\slager" roles="VPoC-UTM-Demo" packet-incoming-interface="ge-0/0/2.3602"]
     • Event Analytics
       • Taxonomy: RT_FLOW_SESSION_CREATE => Category “FIREWALL PERMIT”
       • GeoIP: 204.245.34.169 => Country “BRAZIL”
       • IP Reputation: 204.245.34.169 => Remote-Network “BOTNET”
       • Analytics: Alert if more than <x> events from the same src, IF the src is coming from one of our client networks
     • Event Management
       • RBAC: Allow access to a subset of event data
       • Indexing: Allows indexing on any field; 10-100x search time improvement
       • Retention: Flexible setting for how long this event should be stored
       • Forwarding: Should this specific event be forwarded?
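As an added example (not code from the presentation or from JSA): parsing the SRX event above and applying the enrichment and threshold rule the slide lists. The taxonomy, GeoIP and reputation tables and the client network 192.168.34.0/24 are constructed stand-ins for JSA's own feeds.

```python
import re
from collections import Counter
from ipaddress import ip_address, ip_network

# The SRX RT_FLOW_SESSION_CREATE event from the slide (double syslog header as received).
SAMPLE = ('<182>Sep 26 20:14:49 127.0.0.1 <14>1 2012-03-24T05:21:13.677 utm-n0 RT_FLOW - '
          'RT_FLOW_SESSION_CREATE [junos@2636.1.1.1.2.40 source-address="192.168.34.10" '
          'source-port="58541" destination-address="204.245.34.169" destination-port="80" '
          'service-name="junos-http" nat-source-address="192.168.32.2" nat-source-port="3195" '
          'nat-destination-address="204.245.34.169" nat-destination-port="80" '
          'src-nat-rule-name="r1" dst-nat-rule-name="None" protocol-id="6" policy-name="utm-out" '
          'source-zone-name="trust" destination-zone-name="untrust" session-id-32="143804" '
          'username="VIRTUALPOC\\slager" roles="VPoC-UTM-Demo" '
          'packet-incoming-interface="ge-0/0/2.3602"]')

# Constructed stand-ins for JSA's taxonomy, GeoIP and reputation feeds (assumptions, not real data).
TAXONOMY = {"RT_FLOW_SESSION_CREATE": "Firewall Permit", "RT_FLOW_SESSION_DENY": "Firewall Deny"}
GEOIP = {ip_network("204.245.34.0/24"): "BRAZIL"}
REPUTATION = {ip_network("204.245.34.169/32"): "BOTNET"}
CLIENT_NETS = [ip_network("192.168.34.0/24")]        # "our client networks" in the slide's rule

EVENT_RE = re.compile(r'(\S+) \[junos@[\d.]+ (.*)\]$')  # event name + structured-data body
KV_RE = re.compile(r'([\w-]+)="([^"]*)"')               # key="value" pairs inside the body

def parse_event(line):
    """Return the structured-data fields of a JUNOS RT_FLOW event as a dict."""
    m = EVENT_RE.search(line)
    if not m:
        raise ValueError("not a JUNOS structured-data event")
    fields = dict(KV_RE.findall(m.group(2)))
    fields["event-name"] = m.group(1)
    return fields

def lookup(table, ip):
    """First network in `table` that contains `ip`, or None."""
    addr = ip_address(ip)
    return next((value for net, value in table.items() if addr in net), None)

def enrich(fields):
    """Taxonomy, GeoIP and reputation enrichment of the destination, as the slide describes."""
    dst = fields["destination-address"]
    return {"category": TAXONOMY.get(fields["event-name"], "Unknown"),
            "country": lookup(GEOIP, dst), "remote_network": lookup(REPUTATION, dst)}

def threshold_rule(events, x):
    """Alert on sources inside CLIENT_NETS that produced more than x events."""
    counts = Counter(e["source-address"] for e in events
                     if any(ip_address(e["source-address"]) in net for net in CLIENT_NETS))
    return sorted(src for src, n in counts.items() if n > x)
```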

  12. EVENT ANALYTICS: GEOIP-MAPPING Provide mapping of IP to Countries both for visibility and for correlation.

  13. EVENT ANALYTICS: IP Reputation

  14. Event analytics: Rules Engine Matching
     • Secure Analytics is delivered with a large set of built-in rules
     • Many of them are disabled by default but will give you tips on what to correlate on
     • All rules are easy to tune to fit your specific deployment
     Creating a correlation rule is as simple as sorting mail in Outlook!

  15. Event analytics: Rules Engine ACTION

  16. THE KEY TO DATA MANAGEMENT: REDUCTION AND PRIORITIZATION
     STRM: Previous 24hr period of network and security activity (2.7M logs)
     Correlation of data sources creates offenses (129)
     Offenses are a complete history of a threat or violation with full context about accompanying network, asset and user identity information
     Offenses are further prioritized by business impact

  17. USE CASE: COMPLEX THREAT DETECTION
     Total Security Intelligence: Convergence of Network, Event and Vulnerability data
     • Buffer Overflow: Exploit attempt seen by Snort
     • Network Scan: Detected by QFlow
     • Targeted Host Vulnerable: Detected by Nessus
     Sounds Nasty… But how do we know this? The evidence is a single click away.

  18. USE CASE: USER ACTIVITY MONITORING
     • Authentication Failures: Perhaps a user who forgot his/her password?
     • Brute Force Password Attack: Numerous failed login attempts against different user accounts
     • Host Compromised: All this followed by a successful login.
     Automatically detected, no custom tuning required.
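An added example, not from the presentation, of the sequence rule this slide describes: many failures against different accounts from one source, followed by a successful login, while a single user retrying their own password does not fire. The events and the thresholds (5 failures, 3 accounts, 300-second window) are constructed assumptions.

```python
from collections import defaultdict

# Constructed authentication events: (timestamp in seconds, source IP, account, outcome).
AUTH_EVENTS = [
    (0, "10.1.1.9", "alice", "failure"),     # a user who mistyped a password...
    (20, "10.1.1.9", "alice", "failure"),
    (45, "10.1.1.9", "alice", "success"),    # ...and then got it right: not an offense
    (100, "10.1.1.7", "alice", "failure"),   # one source trying many accounts
    (110, "10.1.1.7", "bob", "failure"),
    (120, "10.1.1.7", "carol", "failure"),
    (130, "10.1.1.7", "dave", "failure"),
    (140, "10.1.1.7", "eve", "failure"),
    (155, "10.1.1.7", "dave", "success"),    # followed by a successful login
]

def brute_force_then_success(events, min_failures=5, min_users=3, window=300):
    """Return (source, account, timestamp) for each successful login that followed at
    least `min_failures` failures against `min_users` distinct accounts from the same
    source within `window` seconds: the 'Host Compromised' pattern on the slide."""
    by_src = defaultdict(list)
    for ts, src, user, outcome in sorted(events):
        by_src[src].append((ts, user, outcome))
    alerts = []
    for src, evs in by_src.items():
        recent_failures = []                        # sliding window of (ts, user) failures
        for ts, user, outcome in evs:
            recent_failures = [f for f in recent_failures if ts - f[0] <= window]
            if outcome == "failure":
                recent_failures.append((ts, user))
            elif (outcome == "success" and len(recent_failures) >= min_failures
                  and len({u for _, u in recent_failures}) >= min_users):
                alerts.append((src, user, ts))
                recent_failures = []                # do not re-alert on the same burst
    return alerts
```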

  19. AGENDA • Challenges with Event Management • Data Collection • Event Management and Analytics • Flow Management and Analytics • Secure Analytics - Use Cases • Deployment Options • Platforms and Licensing

  20. Secure Analytics Flow (diagram labels: Branch-Office, DMZ, STRM-FP, STRM-Console, WEB-1, WEB-2, WEB-3, Virtualized Servers, vGW, STRMV-FP)

  21. FLOWS FOR NETWORK INTELLIGENCE • QoS Monitoring • Detection of day-zero attacks that have no signature • Policy monitoring and rogue server detection • Visibility into all attacker communications • Passive flow monitoring builds asset profiles & auto-classifies hosts • Network visibility and problem solving (not just security related)

  22. Anomaly detection • Secure Analytics learns and anticipates the established “normal” condition for: • The Network • The Host • The Protocol • The Application

  23. AGENDA • Challenges with Event Management • Data Collection • Event Management and Analytics • Flow Management and Analytics • Secure Analytics - Use Cases • Deployment Options • Platforms and Licensing

  24. Use-case: Campus & Branch VPN monitoring using Junos RPM (diagram labels: HQ, RPM-Logs, RPM-Probes, BRANCH-1, BRANCH-2)

  25. Use-case: Campus & Branch VPN monitoring using junos RPM

  26. Use-case: Datacenter visibility, Reporting and Correlation of events and traffic (diagram labels: Exposed Services, SRX AppSecure, WebApp Secure, Events, Clients, EX, WEB-1, WEB-2, WEB-3, Flow, Virtualized Servers, NOC/SOC, FireFly, Flow and events, JSA, VM-1 to VM-6)

  27. Use-case: BYOD Automatic remediation using open standards protocol (IF-MAP) (diagram labels: Application Servers, IF-MAP, NSM, Juniper IC (IF-MAP Server), Secure Analytics, Juniper EX (Switch), Firewall, IDP Series, UAC Agent, SSG Series, SRX Series, Juniper AX (WLAN AP), UAC Agent-less Mode, ISG Series, Juniper SA (SSL-VPN))

  28. AGENDA • Challenges with Event Management • Data Collection • Event Management and Analytics • Flow Management and Analytics • Secure Analytics - Use Cases • Deployment Options • Platforms and Licensing

  29. Small Site Deployment – Appliance OR VM
     • JSA1500 can collect up to 1,000 events per second and 50kF/min (flows per minute)
     • Allows Real-Time Streaming of events
     • Visibility of incoming/outgoing traffic (SRX FW/AppTrack)
     • Visibility of internal traffic (EX flow-data)
     • Threat and Anomaly Detection
     • Correlation and Compliance Reporting
     • Provides Common Dashboard
     Diagram labels: JSA1500, Flowdata and syslog, syslog, STRM 5000 EP or FP, SRX Branch, EX-VirtualChassis

  30. Large Site Deployment – Appliance
     • You can connect up to 250 Event Processors to one Console
     • JSA Console provides One Dashboard with aggregated data from all EPs
     • Searches and Reports are done on aggregated data from all EPs
     • Configurable Retention Policies allow storing important/compliance logs for a longer time than other logs
     Diagram labels: JSA5500-Console, JSA 1/3/5/7500 Event Processors, STRM 5000 EP or FP, SLB, syslog, SRX-5800, SRX-5800

  31. Distributed Log/Flow Collection
     • Distributed log and flow collection offloads WAN links
     • Will continue to receive and store events/flows even if WAN link goes down
     • Available both as physical appliance and virtual appliances
     • CombiCollector (both EP/FP) only supported on physical appliance
     • JSA VM is available as: Remote TM EP, Remote LM EP, Remote FP
     • Visibility of incoming/outgoing traffic
     • Threat and Anomaly Detection
     • Correlation and Compliance
     • Provides Common Dashboard
     Diagram labels: JSA-Console (EMEA), JSA VM Local FP, JSA1500 Local EP/FP, JSA VM Local EP, Beijing, Australia, Canada

  32. AGENDA • Challenges with Event Management • Data collection • Event Management and Analytics • Flow Management and Analytics • Secure Analytics - Use Cases • Deployment Options • Platforms and Licensing

  33. Secure Analytics: All-in-one Deployment
     • Small Enterprise: JSA1500
     • Small/Medium Enterprise: JSA3500
     • Medium Enterprise: JSA5500
     Capacity figures shown on the slide: 1,000 EPS / 15 KF/M; 5,000 EPS / 50 KF/M; 10,000 EPS / 200 KF/M

  34. Secure Analytics: Distributed Deployment
     • Supports very high amount of EPS
     • Solves branch-office collection
     • Can be fully redundant
     Diagram labels: WebUI Console, EP/FP combo, QFlow Collector, Flow Processor, Event Processor, Security Devices Exporting Event Data, Network Devices Exporting Flow Data, JSA1500, QFlow Collectors Deployed in Tap/Mirror or SPAN Mode

  35. JSA Platform Support Matrix

  36. Secure Analytics – Licensing: Log Analytics vs Threat Analytics
     Log Analytics License: Security Information and Event Management (SIEM)
     • Event and Flow Correlation
     • Asset Profiling
     • Vulnerability Scanner integration
     • Log Collection and Categorization
     • Customizable Dashboards
     • Predefined and customizable reports
     Threat Analytics License: SIEM (as above) plus Network Behavior Anomaly Detection (NBAD)
     • Network Traffic Visibility
     • QoS Visibility
     • Traffic Anomaly Detection

  37. Secure Analytics - Key Benefits (repeat of slide 9)

  38. Thanks!
