The Global Attacker Security Intelligence Service Explained

Similar documents
Junos WebApp Secure (formerly Mykonos)

RETHINK SECURITY FOR UNKNOWN ATTACKS

Increase Simplicity and Improve Reliability with VPLS on the MX Series Routers

JUNIPER CARE PLUS ADVANCED SERVICES CREDITS

Customer Benefits Through Automation with SDN and NFV

White Paper. Five Steps to Firewall Planning and Design

Configuring and Implementing A10

Deploy secure, corporate access for mobile device users with the Junos Pulse Mobile Security Suite

Juniper Networks Secure

Why Device Fingerprinting Provides Better Network Security than IP Blocking. How to transform the economics of hacking in your favor

White Paper. Juniper Networks. Enabling Businesses to Deploy Virtualized Data Center Environments. Copyright 2013, Juniper Networks, Inc.

Reasons to Choose the Juniper ON Enterprise Network

IMPLEMENTING SINGLE SIGN- ON USING SAML 2.0 ON JUNIPER NETWORKS MAG SERIES JUNOS PULSE GATEWAYS

Reasons Enterprises. Prefer Juniper Wireless

Juniper Solutions for Turnkey, Managed Cloud Services

JUNOS PULSE APPCONNECT

Juniper Care Plus Services

Network that Know. Rasmus Andersen Lead Security Sales Specialist North & RESE

Junos Space for Android: Manage Your Network on the Go

IF-MAP FEDERATION WITH JUNIPER NETWORKS UNIFIED ACCESS CONTROL

THE SMARTEST WAY TO PROTECT WEBSITES AND WEB APPS FROM ATTACKS. Junos WebApp Secure Junos Spotlight Secure

J-Flow on J Series Services Routers and Branch SRX Series Services Gateways

When it Comes to Monitoring and Validation it Takes More Than Just Collecting Logs

IT SECURITY SEMINAR "STALLION " Security, NGFW fallacy & going Beyond IP? Juniper Networks - Jaro Pietikäinen

TOPOLOGY-INDEPENDENT IN-SERVICE SOFTWARE UPGRADES ON THE QFX5100

THE SMARTEST WAY TO PROTECT WEBSITES AND WEB APPS FROM ATTACKS

SoLuTIoN guide. CLoud CoMPuTINg ANd ThE CLoud-rEAdy data CENTEr NETWork

SECURE ACCESS TO THE VIRTUAL DATA CENTER

Solutions for Health Insurance Portability and Accountability Act (HIPAA) Compliance

Service Automation Made Easy

Payment Card Industry Data Security Standard

Junos Space Virtual Control

Network and Security. Product Description. Product Overview. Architecture and Key Components DATASHEET

Networks that know data center virtualization

PERFORMANCE VALIDATION OF JUNIPER NETWORKS SRX5800 SERVICES GATEWAY

Juniper Networks Automated Support and Prevention Solution (ASAP)

SECURE THE DATACENTER. Dennis de Leest Sr. Systems Engineer

Solution Brief. Secure and Assured Networking for Financial Services

The dramatic growth in mobile device malware. continues to escalate at an ever-accelerating. pace. These threats continue to become more

10 Things Every Web Application Firewall Should Provide Share this ebook

Enterprise-Grade Security from the Cloud

White Paper. Copyright 2012, Juniper Networks, Inc. 1

PRODUCT CATEGORY BROCHURE. Juniper Networks SA Series

MIGRATING IPS SECURITY POLICY TO JUNIPER NETWORKS SRX SERIES SERVICES GATEWAYS

Mobile Workforce. Connect, Protect, and Manage Mobile Devices and Users with Junos Pulse and the Junos Pulse Mobile Security Suite.

VMWARE VIEW WITH JUNIPER NETWORKS SA SERIES SSL VPN APPLIANCES

Adaptive Intelligent Firewall - der nächste Entwicklungssprung der NGFW. Jürgen Seitz Systems Engineering Manager

JUNIPER NETWORKS FIREFLY HOST ANTIVIRUS ARCHITECTURE

PRODUCT CATEGORY BROCHURE

Demonstrating the high performance and feature richness of the compact MX Series

defending against advanced persistent threats: strategies for a new era of attacks agility made possible

Juniper Optimum Care. Service Description. Continuous Improvement. Your ideas. Connected. Data Sheet. Service Overview

Transforming Service Life Cycle Through Automation with SDN and NFV

ALTERNATIVES FOR SECURING VIRTUAL NETWORKS

THE BLUENOSE SECURITY FRAMEWORK

EXTENDING THREAT PROTECTION AND CONTROL TO MOBILE WORKERS

Beyond passwords: Protect the mobile enterprise with smarter security solutions

INTRUSION DECEPTION CZYLI BAW SIĘ W CIUCIUBABKĘ Z NAMI

BMC s Security Strategy for ITSM in the SaaS Environment

Protect the data that drives our customers business. Data Security. Imperva s mission is simple:

Website Security. End-to-End Application Security from the Cloud. Cloud-Based, Big Data Security Approach. Datasheet: What You Get. Why Incapsula?

SECURE CLOUD CONNECTIVITY FOR VIRTUAL PRIVATE NETWORKS

SEVEN MYTHS OF CONTROLLER- LESS WIRELESS LANS

Web Filtering For Branch SRX Series and J Series

Database Security in Virtualization and Cloud Computing Environments

TECHNICAL NOTE SETTING UP A STRM UPDATE SERVER. Configuring your Update Server

MIGRATING TO A 40 GBPS DATA CENTER

Juniper Networks Solution Portfolio for Public Sector Network Security

WEB FILTERING FOR BRANCH SRX SERIES AND J SERIES

Configuring and Deploying the Dynamic VPN Feature Using SRX Series Services Gateways

Juniper Networks MetaFabric Architecture

Meeting PCI Data Security Standards with

VERISIGN DDoS PROTECTION SERVICES CUSTOMER HANDBOOK

Security That Ensures Tenants Do Not Pose a Risk to One Another In Terms of Data Loss, Misuse, or Privacy Violation

Identity-Based Application and Network Profiling

Authentication Strategy: Balancing Security and Convenience

How does IBM deliver cloud security? An IBM paper covering SmartCloud Services 1

How McAfee Endpoint Security Intelligently Collaborates to Protect and Perform

NETWORK AND SECURITY MANAGER APPLIANCES (NSMXPRESS AND NSM3000)

On-Premises DDoS Mitigation for the Enterprise

Secure, Mobile Access to Corporate , Applications, and Intranet Resources

Achieve Deeper Network Security

The Cyber Threat Profiler

End-to-End Application Security from the Cloud

JUNIPER NETWORKS SPOTLIGHT SECURE THREAT INTELLIGENCE PLATFORM

JUNIPER NETWORKS CLOUD SECURITY

Radware s Behavioral Server Cracking Protection

Strengthen security with intelligent identity and access management

Transcription:

White Paper How Junos Spotlight Secure Works The Global Attacker Security Intelligence Service Explained Copyright 2013, Juniper Networks, Inc. 1

Table of Contents Executive Summary...3 Introduction...3 Key Technology Components...3 Big Data Clusters...3 Pattern Matching Algorithms... 4 Robust Cloud Infrastructure... 4 Data Security... 4 Physical Security... 4 Certifications... 5 Geographical Redundancy... 5 How Global Attacker Tracking Works... 5 Conclusion... 9 About Juniper Networks... 9 List of Figures Figure 1. Junos Spotlight Secure... 4 Figure 2. Flowchart showing Visitor X on website of Organization A.... 6 Figure 3. Flowchart showing Visitor Y on website of Organization B after being previously identified as Visitor X on website of Organization A....7 Figure 4: Flowchart showing Visitor Y on website of Organization B after previously being identified as Visitor X on website of Organization A, but they have changed their IP address by using a different proxy................. 8 2 Copyright 2013, Juniper Networks, Inc.

Executive Summary Web applications and websites are constantly under attack because they are the easiest and least defended part of an organization s infrastructure. The popular methods of attack are distributed denial of service (DDoS) and hacking. While Juniper Networks Junos DDoS Secure is helping maintain the uptime of the Web infrastructure, Juniper Networks Junos WebApp Secure is uniquely placed to detect attackers that are attempting to hack through the Web application. One of the unique features of Junos WebApp Secure is its creation of a digital fingerprint of the attacker s device, and it is the first of its kind in the industry. This whitepaper discusses how these fingerprints are shared globally across all deployments of Junos WebApp Secure using Junos Web Spotlight, a cloud-based global attacker intelligence service that sets a new standard for security and networking vendors. Introduction Junos Spotlight Secure is a cloud-based global attacker intelligence solution that identifies individual attackers at the device level (versus the IP address), tracks them in a global database, and shares them globally with security devices. The product creates a persistent fingerprint of attacker devices based on more than 200 unique attributes to deliver precision identification and blocking of attackers without the false positives that could impact valid users. Once an attacker is identified and fingerprinted on a subscriber s Web application using Junos WebApp Secure (formerly Mykonos), the new global attacker intelligence service immediately shares the attacker profiles with other subscribers, providing advanced real-time security intelligence across multiple networks. When compared with currently available reputation feeds that rely on IP addresses, Junos Spotlight Secure offers customers more reliable security against attackers and all but eliminates false positives with its unique fingerprinting technique. Leveraged by Junos WebApp Secure and Juniper Networks SRX Series Services Gateways, Junos Spotlight Secure acts as the consolidation point for attacker and threat information, feeding intelligence in real time to Juniper security solutions. It puts non IP-based attacker profiling at the center of a framework that will gather and distribute attacker fingerprints to a worldwide network of inline security solutions. With a broad security and networking product installed base and a new system for distributing definitive hacker IDs, Juniper is poised to change the speed and accuracy with which customers prevent security breaches. The Junos Spotlight Secure global attacker intelligence service sets a new efficacy bar for all security and networking vendors. This document provides insights into the workings of Junos Spotlight Secure with Junos WebApp Secure along with some infrastructure highlights. Except for the role of fingerprinting, it does not discuss the details of the Junos WebApp Secure product. More information on Junos WebApp Secure can be found on www.juniper.net. Key Technology Components Junos Spotlight Secure has three main architectural components: 1. Big Data clusters 2. Pattern matching algorithms 3. Robust cloud infrastructure Big Data Clusters As mentioned above, each attacker fingerprint created by Junos WebApp Secure comprises more than 200 unique attributes. Given the vast number of fingerprints being collected by the global deployments of Junos WebApp Secure, the architecture requires a Big Data approach to solving the requirements around the capture, storage, search, and analysis of the data. Building on top of industry-leading Big Data platforms, additional optimizations have been added to cater to specific data visualization and pattern matching needs. The result is an elastic architecture that can scale seamlessly based on the demands placed on the incoming data. Some highlights of this architecture include: True cloud elasticity with the ability to expand globally impact to lookup time with database size Resiliency with no single point of failure As data gets written, the solution categorizes the data and optimizes the storage of data for fast retrieval. When a request for a pattern match comes in, the solution can deliver an answer with negligible delay, preventing undue latency in recognizing an attacker on a customer s network. The architecture is also designed for fast replication across geographically dispersed locations, enabling full redundancy and business continuity to the applications it enables. Copyright 2013, Juniper Networks, Inc. 3

Pattern Matching Algorithms At the heart of the solution is the fuzzy pattern matching algorithm that allows an incoming fingerprint (created by a Junos WebApp Secure device) to be matched against the list of known attackers. Before getting into the details of the pattern matching algorithms, it s important to have insight into how the fingerprint is created. When an attacker visits a protected website, the fingerprinting system on Junos WebApp Secure creates a unique fingerprint of the visiting device, based on both client and server side information. Client side information includes information like browser information and regional data, which is available via normal interfaces. The server side information consists of a host of different parameters that are dependent on the network interaction and session information. The algorithm uses a fuzzy matching technique to determine whether an incoming fingerprint matches an existing fingerprint that is already in the Global Attacker Database. The complexity lies in this fuzzy logic, as it has to account for the fact that two fingerprints from the same attacker might not match on all parameters. Differences in parameters could arise from a variety of reasons, including: The attacker might have changed the network used to connect to the website (e.g.. proxy, location, and so on). The attacker might have used a different attack tool. There has been a change in browser mode (e.g., incognito/private browsing). The power of the Junos Spotlight Secure solution lies in its ability to overcome the above challenges and detect an attacker. Spotlight Match = / Figure 1. Junos Spotlight Secure Robust Cloud Infrastructure JunosSpotlight Secure is hosted in multiple, resilient data centers to provide the highest levels of service availability and data protection. The design spans aspects such as physical access controls to data center buildings, access to fingerprint data, and the availability of the hardware infrastructure. Data Security In addition to employing the best practices around network security and logical access security (e.g., passwords, rolebased access, etc.), Junos Spotlight Secure has programmatic controls in place to allow writing of data only from legitimate Junos WebApp Secure devices. Care has been taken to ensure that data in the database can t be modified outside of this route, with the exception being a named list of engineers with the need for system administrator access. In addition, bulk read or export of data is not allowed via published AP or other mechanisms. Human controls are also put in place to ensure that customer facing roles don t have direct access to the data. Physical Security The physical data center where the service is housed also has a number of security initiatives in place. These physical security controls include but are not limited to perimeter controls such as fencing, walls, security staff, video surveillance, intrusion detection systems, and other electronic means. Authorized staff must pass two-factor authentication a minimum of two times to access data center floors. 4 Copyright 2013, Juniper Networks, Inc.

Controls provide reasonable assurance that changes (including emergency, nonroutine, and configuration) to existing IT resources are logged, authorized, tested, approved, and documented. There is an SOC 1 Type 2 report available that provides additional details on the specific control activities executed by the data center provider. The data center provider has been validated and certified by an independent auditor to confirm alignment with ISO 27001 certification standard. Certifications The data center provider(s) have the following certifications/reports on file: Service Organization Controls 1 (SOC 1), Type II This serves as a replacement for the Statement on Auditing Standards. 70 (SAS 70) Type II Audit report that the provider previously had. Audit of the SOC1 Type II report is conducted in accordance with: -- statement on Standards for Attestation Engagements. 16 (SSAE 16) -- International Standards for Assurance Engagements. 3402 (ISAE 3402) Service Organization Controls 2 (SOC 2), Type 2 Similar to the SOC 1 in the evaluation of controls, the SOC 2 report is an attestation report that expands the evaluation of controls to the criteria set forth by the American Institute of Certified Public Accountants (AICPA) Trust Services Principles Geographical Redundancy The Junos Spotlight Secure service is run out of multiple data centers to ensure redundancy. Currently, the service operates out of data centers based in rth America and the European Union. How Global Attacker Tracking Works Let s consider two organizations that are protected by Junos WebApp Secure and Junos Spotlight Secure products. For simplicity sake, we ll refer to them as Org. A and Org. B. Also assume that at this point there is no information about the new malicious user, User X, in the Junos Spotlight Secure database. 1. User X visits a webpage hosted by Org. A. a. First Visit During User X s first visit, the Junos WebApp Secure appliance does two things: i. Local Appliance Classification: t malicious It classifies User X as non-malicious, since it has not yet hit any of the tar traps inserted by the Junos WebApp Secure appliance. ii. Fingerprint: ne At this point there is no fingerprint of User X. However, during the first visit, the Junos WebApp Secure appliance inserts code into the HTTP response that will help in creating a fingerprint of User X. b. Second Visit During User X s second visit, the Junos WebApp Secure appliance will do the following: i. Fingerprint: Obtained At this point, the Junos WebApp Secure appliance has a fingerprint of User X based on the code that was inserted into the previous payload. ii. Spotlight Secure Check: t malicious The Junos WebApp Secure appliance will check with Spotlight Secure to see if the fingerprint it received is known to be malicious. Since we have assumed at this point that Junos Spotlight Secure does not have User X s fingerprint as malicious, it will return that response. iii. Local Appliance Classification: There are a couple of possible scenarios here. In one, User X has triggered a trap placed by Junos WebApp Secure; in another, it s just normal behavior. For simplicity sake, we assume that User X has triggered a trap. The local appliance will hence consider it malicious, and the local Junos WebApp Secure appliance will take the countermeasures that have been configured by Org. A. iv. Spotlight Secure Update: User X is malicious (global name: Attacker X) Junos WebApp Secure will also update Junos Spotlight Secure with User X s fingerprint. Spotlight Secure will now mark that fingerprint as malicious, and it will refer to this fingerprint with a global name, for example, Attacker X. Copyright 2013, Juniper Networks, Inc. 5

Visitor X Site A Visitor X interactions with Junos Spotlight Secure Locally? Profile Name Send Profile to Spotlight Fingerprint Match? and Global Entries Query Spotlight Globally? Send Counter Response Associated with Site? Sighting for Site Global Database Use Site as rmal Update Attacker Statistics Figure 2. Flowchart showing Visitor X on website of Organization A. 2. User Y (same individual as User X) visits a webpage hosted by Org. B. a. First Visit During User Y s first visit, the Junos WebApp Secure appliance will do the same two things as listed in 1.a. above and end up with the following: i. Local Appliance Classification: t malicious ii. Fingerprint: ne b. Second Visit During User Y s second visit, the Junos WebApp Secure appliance will do the following: i. Fingerprint: Obtained ii. Spotlight Secure Check: The Junos WebApp Secure appliance will check with Spotlight Secure to see if the fingerprint it received was known to be malicious. Since User Y s fingerprint matches Attacker X s profile, the Junos Spotlight Secure will respond that User Y is indeed malicious. Spotlight Secure will also update itself to indicate that: Attacker X (global name) > Known as User X (@ Org. A) Attacker X (global name) > Known as User Y (@ Org. B) The customer has the flexibility to take various actions at this particular point. 6 Copyright 2013, Juniper Networks, Inc.

Visitor X on Site A Visitor Y on Site B Visitor Y Visitor X Site B Site A Visitor X interactions with Junos Spotlight Secure Locally? Profile Name Send Profile to Spotlight Fingerprint Match? and Global Entries Query Spotlight Globally? Send Counter Response Associated with Site? Sighting for Site Global Database Use Site as rmal Update Attacker Statistics Figure 3. Flowchart showing Visitor Y on website of Organization B after being previously identified as Visitor X on website of Organization A. 3. User Y (same individual as User X, but from a different proxy having changed IP addresses) visits a webpage hosted by Org. B. a. First Visit During User Y s first visit, the Junos WebApp Secure appliance will do the same two things as listed in 1.a. above and end up with the following: i. Local Appliance Classification: t malicious ii. Fingerprint: ne b. Second Visit During User Y s second visit, the Junos WebApp Secure appliance will do the following: i. Fingerprint: Obtained ii. Spotlight Secure Check: The Junos WebApp Secure appliance will check with Spotlight Secure to see if the fingerprint it received was known to be malicious. Since User Y s fingerprint matches Attacker X s profile, Junos Spotlight Secure will respond that User Y is indeed malicious. The IP address is only one of the attributes used, so changing it using a different proxy will not break the fingerprint. Spotlight Secure will also update itself to indicate that: Attacker X (global name) > Known as User X (@ Org. A) Attacker X (global name) > Known as User Y (@ Org. B) The customer has the flexibility to take various actions at this particular point. Copyright 2013, Juniper Networks, Inc. 7

Proxy Visitor X on Site A Visitor Y on Site B Visitor Y Visitor X Site B Site A Visitor X interactions with Junos Spotlight Secure Locally? Profile Name Send Profile to Spotlight Fingerprint Match? and Global Entries Query Spotlight Globally? Send Counter Response Associated with Site? Sighting for Site Global Database Use Site as rmal Update Attacker Statistics Figure 4: Flowchart showing Visitor Y on website of Organization B after previously being identified as Visitor X on website of Organization A, but they have changed their IP address by using a different proxy. Extending the scenario further, consider the situation where the websites for Org. A and Org. B are two separate websites or portals of the same company. In this scenario, the attacker may attempt to evade detection by: Changing IP addresses Evading the cookie used by the standalone Junos WebApp Secure product Using other evasion strategies However, the global fingerprint will be tracking the individual s behavior regardless of the change. This is because by using 200+ attributes in the fingerprinting technology, the tracking goes beyond the IP address, cookies, and other factors to identify the attacker with near zero false positives. It s worthwhile noting that this fingerprinting technique will be able to handle these changes in normal operations such as a browser change, a change in IP address, or something similar. However, the extremely sophisticated attacker might still be able to find a workaround. While we can make the matching less strict with regards to the number of attributes matched, we risk the introduction of false positives. In those rare cases where an attacker does overcome the tracking, it will require major evasion tactics for every attack, which can significantly change the economics for the attackers. 8 Copyright 2013, Juniper Networks, Inc.

Conclusion With Junos Spotlight Secure working in conjunction with Junos WebApp Secure, Juniper helps companies track and stop attackers early on, before they can do any harm. As the first step, Junos WebApp Secure uses the latest intrusion deception technology to detect, profile, and even mislead attackers while simultaneously profiling and fingerprinting them. Junos WebApp Secure then synthesizes a variety of data in order to fingerprint and monitor hackers and, with a very high degree of accuracy, triggers counterresponses that thwart attacks early in the cycle before an exploit can even be launched. Deployed in front of application servers behind the firewall, Junos WebApp Secure is then enhanced with the integration of security intelligence from other sources provided by the Junos Spotlight Secure global attacker intelligence service. With this integrated intelligence, Juniper is able to deliver threat mitigation with significantly better accuracy compared to IP address only approaches like current next-generation firewalls that rely on IP-based reputation feeds. Moreover, the combination of Junos WebApp Secure and Junos Spotlight Secure effectively monitors and identifies hackers as they move from target to target around the world, shutting them down with each new attempt. Specific features of Junos Spotlight Secure that go beyond IP address fingerprinting and offer companies protection from hackers who have already visited their websites include: Device-level tracking for definitive hacker identification with near zero false positives Tracking of hundreds of identifying attributes, including browser information, region data, etc. An identification rate of 99% Device fingerprinting that overcomes use of proxy servers to identify and track the attacker s device no matter the IP address the attacker is using to evade detection Real-time global sharing of intelligence on hackers Flexible counterresponses at both the application layer and network firewall Continuous tracking of attackers, even if they shift proxies Assignment of permanent aliases for attackers Ability to direct counterresponses at a single offending device, so that legitimate customers who may be behind a shared IP address remain unaffected The unique global attacker intelligence service features of Junos WebApp Secure and Junos Spotlight are a first in the industry, with their precise identification. About Juniper Networks Juniper Networks is in the business of network innovation. From devices to data centers, from consumers to cloud providers, Juniper Networks delivers the software, silicon and systems that transform the experience and economics of networking. The company serves customers and partners worldwide. Additional information can be found at www.juniper.net. Corporate and Sales Headquarters Juniper Networks, Inc. 1194 rth Mathilda Avenue Sunnyvale, CA 94089 USA Phone: 888.JUNIPER (888.586.4737) or 408.745.2000 Fax: 408.745.2100 www.juniper.net APAC and EMEA Headquarters Juniper Networks International B.V. Boeing Avenue 240 1119 PZ Schiphol-Rijk Amsterdam, The Netherlands Phone: 31.0.207.125.700 Fax: 31.0.207.125.701 To purchase Juniper Networks solutions, please contact your Juniper Networks representative at 1-866-298-6428 or authorized reseller. Copyright 2013 Juniper Networks, Inc. All rights reserved. Juniper Networks, the Juniper Networks logo, Junos, NetScreen, and ScreenOS are registered trademarks of Juniper Networks, Inc. in the United States and other countries. All other trademarks, service marks, registered marks, or registered service marks are the property of their respective owners. Juniper Networks assumes no responsibility for any inaccuracies in this document. Juniper Networks reserves the right to change, modify, transfer, or otherwise revise this publication without notice. 2000516-001-EN May 2013 Printed on recycled paper Copyright 2013, Juniper Networks, Inc. 9

2026 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information