JUNIPER NETWORKS SPOTLIGHT SECURE THREAT INTELLIGENCE PLATFORM May 2015 Nguyễn Tiến Đức ASEAN Security Specialist
Agenda: (1) Modern Malware: State of the Industry; (2) Dynamic Threat Intelligence on the Firewall; (3) Argon Secure: Emerging Threat Protection
Threat Actions Leading To Breaches (chart; source: Verizon Data Breach Investigations Report)
The Malware Workflow: Infection -> Wait for Commands -> Lateral Movement -> Data Exfiltration
Mind The Gap: Attack Sophistication vs. Security Gap. Current solutions fail to protect organizations from sophisticated, evasive attacks. (Chart: x-axis from Simple Threats to Sophisticated Threats, Opportunistic Attacks to Targeted Attacks; threat classes Plain Virus, Packing, Polymorphic, Fluxing, C&C, Persistent Threats, Evasive Threats; solution classes Antivirus Solutions, APT Solutions.)
Working Example
The Cockroach of Malware (Source: US Federal Bureau of Investigations)
Zeus: A Modern Malware Case Study: Infection, Malicious Functions, Persistence
Defense in Depth: IPS, Anti-Virus, Sandboxing, Application Visibility, DDoS, Compromised Host Detection, Command & Control, Web Security
Section 2: Dynamic Threat Intelligence on the Firewall
Spotlight Secure: Threat Intel
Threat Intel Description | Details | Related SecIntel Feed
Command & Control Disruption, Compromise Detection | Block command & control connections; block botnet activity on network; identify and isolate internal infections | Spotlight C&C
Geo-based traffic shaping | Block traffic from specified countries; balance load by sending only specified traffic through additional security services | Spotlight GeoIP
ID attackers with Precision (Beyond the IP) | Integrate web app protection with firewall; reduce false positives and stop roaming attackers by using a non-IP identifier | Spotlight Fingerprints
Rapid Incident Response & 3rd Party Threat Intelligence | Utilize data in firewall policy that is licensed from 3rd parties and consortia; enable rapid incident response | Custom Threat Feeds
Threat intelligence architecture (diagram: Spotlight Secure Cloud, Other threat intelligence, GeoIP feed, Command & Control -> Security Director / Junos Space -> Spotlight Secure Connector -> Firewalls). Open platform delivers more value. Scalable to ensure full enterprise or service provider deployment. Built for expansive data capacity. Improved efficacy through threat scores and tuning. Adaptive: from the data source, to data normalization, to enforcement at the firewall.
Security Intelligence Architecture (diagram: The Internet -> SRX Firewall -> Customer Infrastructure / Internal Hosts; Spotlight Secure Connector; Security Director). Security Intelligence lives inside the customer's network, leveraging existing infrastructure and adding the Connector component to access Juniper's Spotlight Secure data feeds and allow the customer to easily insert their own pertinent data.
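The feed pipeline the two architecture slides describe (data source, normalization, threat scores and tuning, enforcement at the firewall), as an added illustration in Python that is not Juniper's code and does not use the real Spotlight Secure Connector format. The feed records, the score threshold and the connection tuples are constructed samples; reducing a URL indicator to its host is a deliberate simplification.

```python
import ipaddress
from urllib.parse import urlsplit

# Constructed sample records from two hypothetical feeds (documentation
# ranges only, not real indicators). A "custom threat feed" would merge in
# the same way.
FEED_RECORDS = [
    {"source": "cc_feed", "type": "ip", "value": "203.0.113.10", "score": 9},
    {"source": "cc_feed", "type": "domain", "value": "Bot-Controller.Example.", "score": 8},
    {"source": "partner", "type": "url", "value": "http://Dropper.Example/payload.exe", "score": 6},
    {"source": "partner", "type": "ip", "value": "203.0.113.10", "score": 4},  # same IP, lower score
    {"source": "partner", "type": "ip", "value": "not-an-ip", "score": 7},     # malformed record
]

def normalize(rec):
    """Return (type, canonical value), or None for records that do not parse."""
    kind, raw = rec["type"], rec["value"].strip()
    if kind == "ip":
        try:
            return "ip", str(ipaddress.ip_address(raw))
        except ValueError:
            return None  # malformed feed entries must never reach policy
    if kind == "domain":
        return "domain", raw.lower().rstrip(".")
    if kind == "url":
        host = urlsplit(raw).hostname  # already lower-cased by urlsplit
        return ("domain", host.rstrip(".")) if host else None
    return None

def build_blocklist(records, threshold):
    """Merge feeds into one entry per indicator, keeping the highest score,
    then apply the tuning threshold to decide what is enforced."""
    merged = {}
    for rec in records:
        key = normalize(rec)
        if key is None:
            continue
        merged[key] = max(merged.get(key, 0), rec["score"])
    return {k for k, s in merged.items() if s >= threshold}

def enforce(blocklist, connections):
    """Firewall-side decision for (src, dst_ip, dst_host) tuples: block when
    either the destination IP or the destination host is on the list."""
    decisions = []
    for src, dst_ip, host in connections:
        hit = ("ip", dst_ip) in blocklist or (
            host is not None and ("domain", host.lower().rstrip(".")) in blocklist)
        decisions.append((src, "block" if hit else "allow"))
    return decisions
```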
Section 3: Argon Secure: Emerging Threat Protection
EMERGING THREAT PROTECTION (diagram: Drive-by Attack -> SRX -> Command & Control; threat intelligence proactively delivered to Argon Secure from the Spotlight Cloud; enforcement at the SRX; feedback for global threat intelligence). Inspection: scan traffic for (1) malicious content and (2) indicators of C&C and internal compromise; analyze objects (EXEs and DOCs) with high-resolution analysis. Deception: 50+ techniques that tickle and deceive malware to reveal itself. Correlation: aggregate and correlate alerts to produce actionable intelligence.
Intrusion Deception For Malware: Deceive Malware, Disrupt the Kill Chain, Expose Suspicious Behavior (diagram starting from Infection)
Threat intelligence platform differentiators. Open: consumes virtually any data feed. Scalable: robust, scalable architecture supports thousands of firewalls. High capacity: capacity for over 1m threats, including IP addresses, URLs, and domains. Adaptable: policy engine supports fine-grained controls for prioritization and categorization of threats.
Thank you