RETHINK SECURITY FOR UNKNOWN ATTACKS
John McCreary, Security Specialist, Juniper Networks
Copyright 2012 Juniper Networks, Inc. www.juniper.net
AGENDA
1. Introduction (5 minutes)
2. Security Trends (5 minutes)
3. NGFW: What is it? What is it not? (10 minutes)
4. Counter Security: Taking Care of the Ingress (25 minutes)
5. Q & A (remainder)
SECURITY TRENDS
SECURITY TRENDS: 2012 VERIZON REPORT
- 96% of attacks were not highly difficult
- 97% of attacks were avoidable through simple or intermediate controls
- 97% of data breaches were not discovered until well after the fact, many not until a third-party audit was conducted; the attack was cloaked or staff were so busy they missed the alerts
- 70% discovered via audit/fraud; 13% discovered by an employee; 11% via performance
- 75% of attacks are targeting the application layer
REPORTED ATTACKS
- 55% of telcos
- 53% of stock exchanges
- 32% of financial services firms
- 32% of travel companies
- 30% of IT vendors
- 16% of retailers
- Most major universities
PRIMARY CONCERNS
- Availability of information and systems to users and customers
- Compliance
- The disclosure process
- Theft of intellectual property
- Financial theft
- Effect on customer experience
- Brand damage and revenue loss
ADDITIONAL TRENDS
- 49% of internet traffic is human
- 80% of automated traffic is botnets
- 90% of botnets are malicious
- Rise of APTs (Advanced Persistent Threats)
- From DoS to DDoS
- Offline to distraction (Bank of the West)
TRENDS: SHIFT IN HACKING
- Cyber criminals: estimated to be a $2B industry
- Nation-state: hatred and damage to American companies
- Anonymous
- China: not your ordinary hacker (Mandiant APT report)
  - Fully institutionalized: some hacking groups report to the Chinese Government (sanctioned)
  - Evidence that Unit 61398 aggressively recruits new talent from the science and engineering universities, and recruits must be fluent in English
  - Isn't just for military secrets! Largest US bond holder is China
  - APTs have been directly linked to Chinese hacking groups
INCONVENIENT STATISTICS
- 70% of ALL threats are at the Web application layer. (Gartner)
- 73% of organizations have been hacked in the past two years through insecure Web apps. (Ponemon Institute)
NGFW WHAT IS IT? WHAT IS IT NOT?
NGFW: WHAT IS IT? WHAT IS IT NOT?
Gartner's definition:
1. Standard first-generation 5-tuple capabilities: port-based FW, VPN, NAT, ALG, full-featured routing, etc.
2. Integrated, rather than merely collocated, network IPS.
3. Application visibility and control.
4. Extra firewall intelligence (basically, AD integration).
5. Support for upgrade paths to integrate new information feeds and new techniques to address future threats.
COUNTER SECURITY TAKING CARE OF THE INGRESS
JUNIPER ANNOUNCES: SPOTLIGHT SECURE ATTACKER DATABASE
(Product family shown: Spotlight Attacker Database, WebApp Secure, SRX Secure, DDoS Secure)

Spotlight Attacker Database
What it is
- Aggregates hacker profile information from global sources in a cloud-based database
- Distributes aggregated hacker profile information to global subscribers
Why it's different
- High-accuracy zero-day attacker detection and threat mitigation
- Only vendor to offer a device-level hacker profiling service
- Can block a single device/attacker

WebApp Secure
What it is
- Continuously monitors web apps to stop hackers and botnets
- Collects forensic data on hacker device, location, and methods
- Continuously updates on-board hacker profile information
Why it's different
- Accurate threat mitigation with near-zero false positives
- Hacker profile sharing for a global protection surface
- Flexible deployment (i.e., appliance, VM, AWS)

SRX Secure
What it is
- WebApp Secure communicates attacker information to SRX upon detection of an attempted breach
- SRX uses WebApp Secure intelligence about the ongoing attack to temporarily block the offending IP(s)
Why it's different
- Only security provider to leverage hacker profile intelligence in network firewalling
- Provides large-scale web attack mitigation and web DDoS prevention
- Extends existing SRX capabilities with web DDoS mitigation

DDoS Secure
What it is
- Large-scale DDoS attack mitigation
- Slow-and-low DDoS attack mitigation
- Zero-day protection via a combination of behavioral and rules-based detection
Why it's different
- Broadest protection with best-in-class deployment ease
- Industry-leading performance: 40Gb throughput
- Ease of use through automated updating
- Flexible deployment (i.e., 1U appliance, VM)
Junos DDoS Secure
JUNOS DDOS SECURE: CHARM ALGORITHM
- Packet validated against pre-defined RFC filters
- Malformed and mis-sequenced packets dropped
- Individual IP addresses assigned a CHARM value
- Value assigned based on IP behaviours:
  - Mechanistic traffic: low CHARM value
  - First-time traffic: medium CHARM value
  - Humanistic, trusted traffic: high CHARM value
JUNOS DDOS SECURE: HEURISTIC MITIGATION
[Diagram: normal internet traffic and DDoS attack traffic enter Junos DDoS Secure; after heuristic analysis, normal internet traffic is passed on to the resources and DDoS attack traffic is dropped; a management PC is attached to the appliance.]
Normal internet traffic flows through the Junos DDoS Secure appliance, while the software analyses the type, origin, flow, data rate, sequencing, style and protocol being utilized by all inbound and outbound traffic. The analysis is heuristic in nature and adjusts over time, but is applied in real time, with minimal (store-and-forward) latency.
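To make the CHARM scoring and the heuristic analysis described on the two slides above concrete, here is an added Python illustration. It is not Juniper's code: the sanity checks standing in for the RFC filters, the score steps, the mechanistic/humanistic signals and the admission threshold are all this example's own assumptions, and the packets are constructed.

```python
"""
Toy model of the CHARM idea (added illustration, not Juniper's implementation):
packets pass a small set of protocol sanity checks standing in for the
"pre-defined RFC filters", mis-sequenced packets are dropped, and each source
IP carries a trust score that starts MEDIUM for first-time traffic, falls for
mechanistic (machine-like) behaviour and rises for humanistic traffic.
All packets below are constructed sample data.
"""
from collections import defaultdict, deque
from dataclasses import dataclass, field
from statistics import pstdev
from typing import Optional

LOW, FIRST_TIME_SCORE, HIGH = 0, 50, 100
VALID_FLAG_COMBOS = {"S", "A", "PA", "FA", "SA", "R", "RA", "F"}   # toy RFC-style filter


@dataclass
class Packet:
    src: str      # source IP
    ts: float     # arrival time in seconds
    flags: str    # TCP flags, e.g. "S", "A", "PA"; "SF" is malformed
    seq: int      # sequence number
    size: int     # frame size in bytes


def rfc_filter(pkt: Packet) -> bool:
    """Reject malformed flag combinations and impossible frame sizes."""
    return pkt.flags in VALID_FLAG_COMBOS and 0 < pkt.size <= 1500


@dataclass
class SourceState:
    score: float = FIRST_TIME_SCORE
    last_seq: Optional[int] = None
    syn_seen: bool = False
    handshake_done: bool = False
    arrivals: deque = field(default_factory=lambda: deque(maxlen=8))
    sizes: deque = field(default_factory=lambda: deque(maxlen=8))


class CharmTable:
    def __init__(self) -> None:
        self.sources = defaultdict(SourceState)
        self.dropped = 0

    def observe(self, pkt: Packet) -> float:
        """Update and return the CHARM-style score of pkt.src."""
        st = self.sources[pkt.src]
        if not rfc_filter(pkt):                                  # malformed: drop, penalise
            self.dropped += 1
            st.score = max(LOW, st.score - 15)
            return st.score
        if st.last_seq is not None and pkt.seq < st.last_seq:   # mis-sequenced: drop
            self.dropped += 1
            st.score = max(LOW, st.score - 10)
            return st.score
        st.last_seq = pkt.seq
        st.arrivals.append(pkt.ts)
        st.sizes.append(pkt.size)
        if pkt.flags == "S":
            st.syn_seen = True
        elif pkt.flags == "A" and st.syn_seen and not st.handshake_done:
            st.handshake_done = True          # completed handshake: a humanistic sign
            st.score += 10
        if len(st.arrivals) >= 4:
            ts = list(st.arrivals)
            gaps = [b - a for a, b in zip(ts, ts[1:])]
            if pstdev(gaps) < 0.005 and pstdev(st.sizes) == 0:
                st.score -= 8     # metronomic spacing + identical sizes: mechanistic
            else:
                st.score += 3     # jitter and varying sizes: humanistic
        st.score = min(HIGH, max(LOW, st.score))
        return st.score

    def score(self, src: str) -> float:
        return self.sources[src].score

    def admit(self, src: str, load: float) -> bool:
        """Under resource pressure (load in 0..1) admit only well-scored sources."""
        return self.sources[src].score >= load * 70


def run_sample() -> CharmTable:
    """Feed constructed traffic from three sources through the table."""
    table = CharmTable()
    # SYN-flood-style source: 10 ms metronomic spacing, identical 60-byte SYNs
    bot = [Packet("203.0.113.7", i * 0.01, "S", 1000 + i, 60) for i in range(8)]
    # browsing session: handshake completes, irregular timing and sizes
    human = [Packet("198.51.100.23", 0.0, "S", 500, 60),
             Packet("198.51.100.23", 0.37, "A", 501, 52),
             Packet("198.51.100.23", 1.12, "PA", 501, 420),
             Packet("198.51.100.23", 1.9, "A", 620, 52),
             Packet("198.51.100.23", 3.4, "PA", 620, 900)]
    # one malformed packet (SYN and FIN set together) from a third source
    bad = [Packet("192.0.2.9", 0.2, "SF", 1, 60)]
    for pkt in sorted(bot + human + bad, key=lambda p: p.ts):
        table.observe(pkt)
    return table
```

With this input the flooding source ends at a score of 10, the browsing session at 66 and the malformed sender at 35; at 90% load the admission threshold is 63, so only the browsing session is still admitted, which is the "drop DDoS attack traffic, pass normal traffic" outcome the diagram shows.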
Junos WebApp Secure
THE ANATOMY OF A WEB ATTACK
- Phase 1: Reconnaissance (days or weeks)
- Phase 2: Attack vector establishment (weeks or months)
- Phase 3: Implementation (weeks or months)
- Phase 4: Automation (months or years)
- Phase 5: Maintenance (years)
(Timeline label: Web App Firewall)
JUNOS WEBAPP SECURE: DETECTION BY DECEPTION
Tar traps:
- Query string parameters
- Hidden input fields
- Configuration
[Diagram: client, network perimeter, firewall, app server, database server]
TRACK ATTACKERS BEYOND THE IP
- Track IP address
- Track browser attacks: persistent token, with the capacity to persist in all browsers including various privacy control features
- Track software and script attacks: fingerprinting HTTP communications
THE CERTAINTY & SPECIFICITY YOU NEED!
- Tar traps
- Deception
- Beyond IP
(Slide label: QATAR UNIVERSITIES)
FINGERPRINT OF AN ATTACKER
- Attributes include: timezone, browser version, fonts, browser add-ons, IP address
- 200+ attributes used to create the fingerprint
- ~Real-time availability of fingerprints
- False positives nearly zero
JUNOS SPOTLIGHT SECURE
Junos Spotlight Secure: Global Attacker Intelligence Service
- An attacker from San Francisco hits a Junos WebApp Secure protected site in the UK
- The attacker's fingerprint is uploaded
- The attacker's fingerprint is available for all sites protected by Junos WebApp Secure
Detect Anywhere, Stop Everywhere
JUNOS WEBAPP SECURE: SMART PROFILE OF ATTACKER
- Every attacker assigned a name
- Incident history
- Attacker threat level
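The tar-trap (detection by deception), beyond-the-IP tracking, attacker fingerprint and smart profile slides above, together with the WebApp Secure-to-SRX block hand-off from the announcement slide, describe one pipeline. The following added Python example, which is not Juniper's code, walks that pipeline end to end over constructed HTTP requests. The trap names, the five fingerprint attributes, the naming scheme and the severity thresholds are assumptions of the example, not anything the slides specify.

```python
"""
Added example (not Juniper's code): deception, client tracking and attacker
profiling on constructed HTTP request records. Trap names, attribute set,
naming scheme and thresholds are this example's own choices.
  1. Tar traps: a decoy query parameter, a decoy hidden form field and a decoy
     configuration path are served; a browser user never alters or fetches them,
     so any request that does is an incident.
  2. Beyond the IP: a client is identified by its persistent token when it kept
     one, otherwise by a fingerprint hashed from request attributes (a small
     stand-in for the 200+ attributes on the slide).
  3. Smart profile: incidents accumulate per attacker under an assigned name with
     a history and a threat level; IPs at or above a level are exported for
     temporary blocking at the perimeter firewall.
"""
import hashlib
from dataclasses import dataclass, field
from typing import Optional

TRAP_QUERY_PARAM = ("show_all_users", "0")      # decoy link parameter and served value
TRAP_HIDDEN_FIELD = ("price_override", "none")  # decoy hidden input and served value
TRAP_CONFIG_PATH = "/config/db.ini"             # decoy path advertised in an HTML comment
FINGERPRINT_ATTRS = ("user_agent", "accept_language", "timezone", "fonts", "plugins")


@dataclass
class Request:
    ip: str
    path: str
    query: dict
    form: dict
    attrs: dict                   # client attributes from headers / client-side probe
    token: Optional[str] = None   # persistent token cookie, if the client kept it


def fingerprint(req: Request) -> str:
    """Hash the attribute set into a stable client id, used when no token is present."""
    material = "|".join(f"{k}={req.attrs.get(k, '')}" for k in FINGERPRINT_ATTRS)
    return "fp-" + hashlib.sha256(material.encode()).hexdigest()[:12]


def client_id(req: Request) -> str:
    return req.token or fingerprint(req)


def trap_hits(req: Request) -> list:
    """Return (trap, severity) for each piece of bait this request disturbed."""
    hits = []
    qname, qserved = TRAP_QUERY_PARAM
    if qname in req.query and req.query[qname] != qserved:
        hits.append(("query-string tar trap", 2))
    fname, fserved = TRAP_HIDDEN_FIELD
    if fname in req.form and req.form[fname] != fserved:
        hits.append(("hidden-field tar trap", 3))
    if req.path == TRAP_CONFIG_PATH:
        hits.append(("configuration tar trap", 3))
    return hits


@dataclass
class Profile:
    name: str
    ips: set = field(default_factory=set)
    incidents: list = field(default_factory=list)   # (trap, severity) history

    @property
    def threat_level(self) -> str:
        total = sum(sev for _, sev in self.incidents)
        return "high" if total >= 6 else "medium" if total >= 3 else "low"


class AttackerTracker:
    LEVELS = {"low": 0, "medium": 1, "high": 2}

    def __init__(self) -> None:
        self.profiles = {}    # client id -> Profile

    def process(self, req: Request) -> list:
        """Record any tar-trap incidents in the client's profile; return the hits."""
        hits = trap_hits(req)
        if hits:
            cid = client_id(req)
            name = "attacker-" + hashlib.sha256(cid.encode()).hexdigest()[:6]  # example scheme
            prof = self.profiles.setdefault(cid, Profile(name=name))
            prof.ips.add(req.ip)
            prof.incidents.extend(hits)
        return hits

    def block_list(self, min_level: str = "medium") -> set:
        """IPs to hand to the perimeter firewall for temporary blocking."""
        floor = self.LEVELS[min_level]
        return {ip for p in self.profiles.values()
                if self.LEVELS[p.threat_level] >= floor for ip in p.ips}


def run_sample() -> AttackerTracker:
    """Three constructed clients: a shopper, a cookie-less scanner, a browser-based attacker."""
    tracker = AttackerTracker()
    scanner = {"user_agent": "python-urllib/3.8", "accept_language": "", "timezone": "",
               "fonts": "", "plugins": ""}
    browser = {"user_agent": "Mozilla/5.0 (Windows NT 6.1)", "accept_language": "en-GB",
               "timezone": "0", "fonts": "Arial,Calibri,Verdana", "plugins": "Flash"}
    log = [
        # shopper submits the hidden field unchanged and leaves the decoy link value alone
        Request("198.51.100.10", "/checkout", {"show_all_users": "0"},
                {"price_override": "none", "qty": "2"}, browser, token="tok-1a2b"),
        # scanner edits the decoy parameter, then the hidden field from a second IP;
        # it keeps no cookies, so the two requests are tied together by fingerprint
        Request("203.0.113.5", "/users", {"show_all_users": "1"}, {}, scanner),
        Request("203.0.113.77", "/checkout", {}, {"price_override": "0.01"}, scanner),
        # browser-based attacker keeps its token across an IP change while fetching the
        # decoy config file and then tampering with the hidden field
        Request("192.0.2.40", "/config/db.ini", {}, {}, browser, token="tok-9c2e"),
        Request("192.0.2.41", "/checkout", {}, {"price_override": ""}, browser, token="tok-9c2e"),
    ]
    for req in log:
        tracker.process(req)
    return tracker
```

The shopper never appears in a profile because no bait was disturbed, which is where the near-zero false positive claim comes from: ordinary browsers do not touch tar traps. The scanner's two requests from different IPs land in one fingerprint-keyed profile, the browser attacker's two requests in one token-keyed profile, and the block list contains every IP those profiles have used.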
JUNOS WEBAPP SECURE: SECURITY ADMINISTRATION
- Web-based console
- Real-time, on-demand threat information
- SMTP alerting
- Reporting (PDF, HTML)
- CLI for exporting data into a SIEM tool