Juniper Security Threat Response Manager (STRM)
Mikko Kuljukka, COMPUTERLINKS Oy

Customer Challenges
- IT information overload
  - Flood of logged events from many point network and security devices
  - Lack of expertise to manage disparate data silos and tools
- Compliance mandates
  - Industry-specific regulations mandating security best practices
  - Internal IT risk assessment programs
- Evolving internal and external threats
  - Insider abuse, theft of intellectual property
  - Complex integrated attacks
(Diagram labels: Dispersed Threats, IT Overload, Industry Regulations)
Copyright 2009 Juniper Networks, Inc. www.juniper.net

Juniper's SIEM/NBAD Solution: STRM (Security Threat Response Manager)
STRM key application features:
- Log Management: provides long-term collection, archival, search and reporting of event logs, flow logs and application data
- Security Information and Event Management (SIEM): centralizes heterogeneous event monitoring, correlation and management
- Network Behavior Anomaly Detection (NBAD): discovers aberrant network activities using network and application flow data
(Diagram labels: Log Management, Network Behavior Analysis, Security Information & Event Management)

STRM's Key Value Proposition
- Threat Detection: detect new threats that others miss
- Log Management: the right threats at the right time
- Compliance: a compliance and policy safety net
- Enterprise Value: complements Juniper's Enterprise Management portfolio

STRM Architecture
(Architecture diagram)

Log Management
Challenges include:
- Log overload for administrators
- Multi-vendor network; constant change of formats
- Demanding operational requirements
STRM enables:
- Highly scalable log aggregation; consistent logging taxonomy
- Broad vendor coverage and extensible APIs for less common formats
- Advanced log management capabilities, including tamper-proof log archives

Unrivalled Data & Log Management
Data sources:
- Networking events: switches and routers, including flow data from JFlow, NetFlow, sFlow, Packeteer and QFlow
- Security logs: firewalls, IDS, IPS, VPNs, vulnerability scanners, gateway AV, desktop AV and UTM devices
- Operating system/host logs: Microsoft, Unix and Linux, OS X
- Applications: database, mail and web
Support for leading vendors including:
- Networking: Juniper, Cisco, Extreme, Nokia, F5, 3Com, TopLayer and others
- Security: Juniper, Bluecoat, Checkpoint, Fortinet, ISS, McAfee, Snort, SonicWall, Sourcefire, Secure Computing, Symantec and others
- Network flow: NetFlow, JFlow, Packeteer FDR and sFlow
- Operating systems: Microsoft, AIX, HP-UX, Linux (RedHat, SuSe), SunOS and others
- Applications: Oracle, MS SQL, MS IIS, MS AD, MS Exchange and others
- Security map utilities: Maxmine (provides geographies), Shadownet botnet templates
Customization:
- Custom logs through the generic Device Support Module (DSM)
- Adaptive Logging Exporter (ALE): integrate proprietary applications and legacy systems
(Diagram labels: Compliance, Forensics, Search, Policy, Reporting)

Security Event Correlation & Threat Management: how to make sense of the collected data
Challenges include:
- Correlation rules are complex to manage
- Vendor log formats are a moving target
- Constant change on the network
STRM provides:
- Simplified out-of-the-box building blocks and rules that simplify rule management
- QID map provides intelligent mapping of vendor events
- Extensive use of historical profiling for improved accuracy of results

Event rule example
(Screenshot of the rule editor)

Asset Profiles: Active and Passive
- Combination of active and passive profiles for correlation:
  - Host existence
  - Port open/close
  - Host vulnerable to this attack / any attack (Nessus, nmap, Qualys, Lumension, etc.)
  - History of identity (user, host, MAC, etc.)
- Ability to control timing and type of scanning activity
- Cross-correlation with other events

The Value of Flow
- Passive flow monitoring creates asset profiles and helps classify hosts
- Detection of day-zero attacks
- Policy monitoring and rogue server detection
- Visibility into all communication
- Network awareness, visibility and problem solving

Flow Data for Policy Monitoring
- Detection of applications and protocols that are not trusted:
  - P2P
  - Chat
  - Unencrypted traffic in secure areas of the network
  - Applications or protocols running on non-standard ports
- Establishing policies for trusted network communications

Flow Data for Anomaly Detection
Detects changes in traffic based on:
- A new protocol or application on the network
- Abnormal use of a protocol or service (e.g. SSH)
- Loss of a service, such as a web server

Flow Data for Behavior Profiling
- Learns normal traffic patterns for hosts, protocols and networks
- Predicts behavior and identifies abnormal conditions
- Example: abnormal traffic patterns to country X

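To make the three flow-data uses above concrete (policy monitoring, anomaly detection against a learned baseline, behavior profiling), here is an added Python example; it is not Juniper or STRM code, and the secure-zone prefix, port table, untrusted-application list and flow records are all constructed assumptions.

```python
# Added example (not Juniper/STRM code): a small flow-policy and anomaly
# check of the kind the deck attributes to NBAD, run over constructed
# flow records. Zone prefix, port table and records are assumptions.
from collections import namedtuple

Flow = namedtuple("Flow", "src dst dport app bytes")

# Assumed policy data: which subnet counts as the "secure area", which
# ports an application is expected on, and which applications are untrusted.
SECURE_PREFIX = "10.10."                 # constructed secure-zone subnet
EXPECTED_PORTS = {"ssh": {22}, "http": {80}, "https": {443}, "dns": {53}}
UNTRUSTED_APPS = {"bittorrent", "irc"}   # P2P and chat, as on the slide
CLEARTEXT_APPS = {"http", "telnet", "ftp"}

def policy_violations(flow):
    """Return the slide's policy categories that this flow breaks."""
    found = []
    if flow.app in UNTRUSTED_APPS:
        found.append("untrusted-app")
    if flow.app in CLEARTEXT_APPS and flow.dst.startswith(SECURE_PREFIX):
        found.append("cleartext-in-secure-zone")
    expected = EXPECTED_PORTS.get(flow.app)
    if expected and flow.dport not in expected:
        found.append("non-standard-port")
    return found

def new_apps(flows, baseline_apps):
    """Anomaly check: applications seen now that the learned baseline lacks."""
    return sorted({f.app for f in flows} - set(baseline_apps))

# Constructed sample flows (not real traffic).
FLOWS = [
    Flow("192.168.1.5", "10.10.0.8", 80, "http", 1200),
    Flow("192.168.1.9", "203.0.113.7", 6881, "bittorrent", 900000),
    Flow("192.168.1.7", "10.10.0.9", 2222, "ssh", 4000),
    Flow("192.168.1.7", "10.10.0.9", 443, "https", 3000),
]
BASELINE_APPS = ["http", "https", "ssh", "dns"]   # assumed learned profile

def report(flows=FLOWS, baseline=BASELINE_APPS):
    """Map flow index -> violations (clean flows dropped), plus unseen apps."""
    hits = {i: policy_violations(f) for i, f in enumerate(flows)}
    return {i: v for i, v in hits.items() if v}, new_apps(flows, baseline)

if __name__ == "__main__":
    violations, unseen = report()
    for i, v in violations.items():
        print(FLOWS[i], "->", ", ".join(v))
    print("applications not in baseline:", unseen)
```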
Reduction and Prioritization (Threat Management)
- Previous 24-hour period of network and security activity: 1.3 M logs
- STRM correlation of data sources creates offenses: 129
- Data reduction: 10633:1

STRM Offense Management
- Tracks significant security incidents and threats
- Leverages building blocks and rules
- Builds a history of supporting and relevant information for significant security incidents
- Provides a point-in-time reference of offending users and vulnerability state
- Provides a record of first and last occurrence of security incidents
- Incorporates network behavior analysis to validate or discredit incidents and detect unknown traffic patterns
- Provides prioritization based on credibility, relevance and severity

Offense Management: Intelligent Workflow for Operators
- Who is attacking?
- What is being attacked?
- What is the impact?
- Where do I investigate?

STRM System Features
- Centralized browser-based UI
- Role-based access to information
- Customizable dashboards
- Real-time and historical visibility
- Advanced data mining and drill-down
- Easy-to-use rule engine
- Hierarchical distribution for scale

About Reports
- The Reports interface allows you to create, distribute and manage reports
- Use the Report Template Wizard to create operational and executive-level reports that combine any network traffic and security event data in a single report
- Reports also lets you brand your documents with your own logos, so each report can carry a different logo

Reporting
- 1500+ out-of-the-box report templates
- Fully customizable reporting engine: creating, branding and scheduling delivery of reports
- Events and time series reports
- Compliance reporting packages for PCI, SOX, FISMA, GLBA and HIPAA
- Reports based on control frameworks: NIST, ISO and CoBIT
- Executive reports
- Vendor-specific reports: routers/switches, VPN/SSL, firewalls/IDP, UTM, application, database access

STRM Products
(Product scaling chart; recoverable labels only)
- Small Enterprise: STRM 500, STRM 500 QFC
- Small/Medium Enterprise: STRM 2500, STRM 500 QFC
- Large Enterprises and Service Providers: STRM 5000, STRM 500 QFC
- Distributed: STRM 5000 console with STRM 2500 EP / FP combo, STRM 500 QFC
- Event axis: 250 EPS, 500 EPS, 1000 EPS, 2500 EPS, 5000 EPS, 10000+ EPS
- Flow axis: 15K flows, 25K-50K flows, 100K-200K flows, 200K-400K flows (50 MB-200 MB QFlow collection)

Hardware Summary
Market Segment   STRM Model   CPU                 Memory   Storage
Small            STRM 500     Intel Core 2 Dual   8GB      2x 500GB HDD, RAID 1
Medium           STRM 2500    Intel Core 2 Quad   8GB      6x 250GB HDD, RAID 5 array
Large            STRM 5000    Intel Core 2 Quad   8GB      6x 500GB HDD, RAID 10 array

Small/Medium Enterprise: All-in-One
Company requirement:
- Less than 200 EPS
- Less than 10K flows
STRM solution: all-in-one STRM 500 with a 250 EPS and 15K flow license
- Correlation, reporting, log management, flow management, embedded QFlow collection
- Inputs: network devices exporting flow data; security devices exporting logs
- Access via the STRM web console

Small/Medium Enterprise: Log Management Only
Company requirement:
- Less than 200 EPS
- No need for flows
- No need for correlation
STRM solution: STRM 500 LM (Log Manager) with a 500 EPS LM license
- Reporting, log management
- Inputs: security devices exporting logs
- Access via the STRM LM web console

Medium to Large Enterprise: All-in-One
Company requirements:
- 100K flows
- 2000 EPS
- Up to 100+ devices
STRM solution: STRM 2500
- Correlation, reporting, log management, flow management, embedded QFlow collection
- Inputs: network devices exporting flow data; security devices exporting logs
- Access via the STRM web console

Large Enterprise/SP: All-in-One
Company requirements:
- 200K flows
- 5000 EPS
- Up to 1000+ devices
STRM solution: STRM 5000
- Correlation, reporting, log management, flow management
- Inputs: network devices exporting flow data; security devices exporting logs
- Access via the STRM web console

Distributed Deployment (Typical)
Company requirements:
- Distributed deployment
- 200K flows
- 2500 EPS
- Up to 100+ devices
STRM solution:
- STRM 5000 Console
- STRM 2500 EP (event processor)
- STRM 2500 FP (flow processor)
- STRM QFC (optional): STRM 500 QFlow
- Inputs: network devices exporting flow data; security devices exporting logs
- Access via the STRM web console

STRM 50K EPS Deployment Scenario
- True distribution: large-scale deployment
- One central console (STRM 5000 Console, accessed via the STRM web console)
- Normalization on the EPs
- Five event processors at 10K EPS each, each fed by its own set of security devices exporting logs

iSCSI (IP-SAN) Deployment Scenario
- STRM Event Processors: collection, analysis and storage of events from security and infrastructure devices (up to 10,000 EPS each)
- STRM Console: correlation, reporting, storage and analysis
- STRM Flow Processor: flow processing and storage (up to 600,000 flows)
- STRM NetFlow/JFlow collectors: collection from routers and switches, with optional L7 flow collection from a SPAN port or tap
- IP-SAN appliance attached over the LAN
(Diagram: STRM EP x2, STRM FC x2, LAN network, IP-SAN appliance)

Deploying STRM with Existing SIM Solutions (ArcSight, RSA, etc.)
- 3rd-party SEM solution handles correlation; STRM (LM) handles log consolidation, with syslog forwarding to 3rd-party syslog servers
- Flexibility in deployment: coexists with competitors
- Log management: no correlation needed; consolidation of logs
- Inputs: security devices exporting logs

So what is STRM?
- Visibility into the environment
  - Support for a wide vendor spread to gather information
  - Combines flow information with log data
  - Both passive and active asset mapping
  - Network, security, application and identity awareness
- Unrivaled data management greatly improves the ability to meet IT security control objectives
- Advanced analytics and threat detection
  - Detects threats that other solutions miss
  - Intuitive and easy to get to the information
  - Data reduction and prioritization
- Scalable distributed log collection and archival
  - Network security management scales to any sized organization

Thank You