Adaptive threat protection based on the Juniper STRM solution

Date post: 10-Mar-2016
Upload: anatoliy-grishin
Page 1: Adaptive threat protection based on the Juniper STRM solution

www.juniper.net

Juniper Security Threat Response Manager (STRM)

Сергей Полищук
Systems engineer
Telco
[email protected]

Page 2: Security Information & Event Management

Introducing Juniper's SIEM/NBAD solution: STRM, the "Security Threat Response Manager"

STRM key application features:
• Log Management: provides long-term collection, archival, search and reporting of event logs, flow logs and application data
• Security Information and Event Management (SIEM): centralizes heterogeneous event monitoring, correlation and management
• Network Behavior Anomaly Detection (NBA/NBAD): discovers aberrant network activities using network and application flow data

Integrates mission-critical network & security data silos: Network Behavior Analysis, Log Management and STRM

Page 3: Advanced Log Management

• Networking events
  • Switches & routers, including flow data
• Security logs
  • Firewalls, IDS, IPS, VPNs, gateway AV, desktop AV & UTM devices
  • Vulnerability scanners (FoundScan, Juniper Profiler, nCircle, nmap, Nessus, QualysGuard, Rapid7)
• Operating system/host logs
  • Microsoft, Unix and Linux
• Applications
  • Database, mail & web
• User and asset
  • Authentication data
• Support for leading vendors, including:
  • Networking: Juniper, Cisco, Extreme, Nokia, F5, 3Com, TopLayer and others
  • Security: Juniper, Bluecoat, Checkpoint, Fortinet, ISS, McAfee, Snort, SonicWall, Sourcefire, Secure Computing, Symantec and others
  • Network flow: NetFlow, JFlow, Packeteer FDR & sFlow, span/mirror (QFlow L7 analysis)
  • Operating systems: Microsoft, AIX, HP-UX, Linux (RedHat, SuSe), SunOS and others
  • Applications: Oracle, MS SQL, MS IIS, MS AD, MS Exchange and others
• Security map utilities:
  • MaxMind (provides geographies)
  • Shadownet
  • Botnet
• Custom log sources through the generic Device Support Module (DSM) and the Adaptive Logging Exporter (ALE)
  • Integrate proprietary applications and legacy systems
  • Syslog, JDBC, JDBC:SiteProtector, Juniper NSM, LEA, SDEE, SNMPv2, SNMPv3

Compliance templates, forensics search, policy reporting

Page 4: Integrated Network and Security Management Console

• Centralized browser-based UI
• Role-based access to information
• Customizable dashboards
• Real-time & historical visibility
• Advanced data mining & drill-down
• Easy-to-use rule engine
• Compliance reporting (PCI, SOX, FISMA, GLBA and HIPAA)

Page 5: STRM Products

Model               Capacity tiers (EPS / flows)                                              Target segment
STRM500             250 EPS, 15K flows; 500 EPS, 15K flows                                    Small enterprise
STRM2500            1000 EPS, 50K or 100K flows; 2500 EPS, 50K or 100K flows                  Small/medium enterprise
STRM5000            5000 EPS, 100K or 200K flows                                              Large enterprises & service providers
STRM-FP / STRM-EP   5000+ EPS, 100K or 200K flows (distributed flow and event processors)     Large enterprises & service providers

Page 6: STRM Pricing

List price   Description                                                   SKU
$3,000       Base HW appliance                                             STRM500-A-BSE
$12,000      Add 250 EPS and 15K flows                                     STRM500-ADD-250EPS-15KF
$7,000       Upgrade to 500 EPS with 15K flows                             STRM500-UPG-500EPS-15KF
$7,000       Base HW appliance                                             STRM2500-A-BSE
$30,000      Add 1000 EPS and 50K flows                                    STRM2500-ADD-1KEPS-50KF
$30,000      Upgrade to 2500 EPS with 50K flows                            STRM2500-UPG-2500EPS-50KF
$20,000      Upgrade to 100K flows                                         STRM2500-UPG-2500EPS-100KF
$11,000      Base HW appliance                                             STRM5K-A-BSE
$109,000     Add 5000 EPS and 100K flows                                   STRM5K-ADD-5KEPS-100KF
$42,000      Upgrade to 200K flows                                         STRM5K-UPG-5KEPS-200KF
$90,000      Add Event Processor for 5000 events per second (distribution) STRM5K-ADD-EP-5KEPS
$90,000      Upgrade Event Processor to 10,000 EPS                         STRM5K-UPG-EP-10KEPS
$90,000      Add Flow Processor for 200K flows (distribution)              STRM5K-ADD-FP-200KF
$90,000      Upgrade Flow Processor to 400K flows                          STRM5K-UPG-FP-400KF
$90,000      Upgrade Flow Processor to 600K flows                          STRM5K-UPG-FP-600KF
$35,000      Console for distributed architecture                          STRM5K-ADD-CON

Page 7: Storage Options

• SAN (Storage Area Network) via Fibre Channel
• IP SAN (IP Storage Area Network) via iSCSI
• NAS (Network Attached Storage) via NFS
• DAS (Direct Attached Storage) via SCSI

The STRM compression ratio is 10:1 (13.3 billion events in 1 TB of storage), which works out to around 4-5 weeks of events at 5000 EPS.

Data retention is 30 days (extendable up to 2 years).

Page 8: STRM Functional Architecture

Page 9: Events and Offense Ratings

• Credibility: how credible is the evidence? Based on the credibility of the witnesses; if multiple witnesses report the same attack, the credibility of the overall offense is increased.
• Severity: how much of a threat is the attacker, network or offense to my enterprise? Affected by object weights, asset values, the category (type) of attack, the actual vulnerability of the targets and the number of targets.
• Relevance: based on the weight of networks and assets, how relevant is this offense or violation to you? Is it occurring in areas of the network that are not as important to you?

These three ratings combine into the offense Magnitude.
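The slide lists what feeds each rating but not how the numbers are produced. The following is an added illustration, not STRM code: the 1..10 scales, the adjustments (extra witnesses raise credibility; asset value, confirmed vulnerability and multiple targets raise severity; the target's network weight sets relevance) and the rounded mean used for magnitude are all assumptions chosen so that the influences named on the slide are visible in the output. The asset, network and event data are constructed for the example.

```python
"""Illustrative offense rating: credibility, severity and relevance -> magnitude.

Added example, not STRM code. Scales, adjustments and the combination rule
are assumptions; only the factors they react to come from the slide.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Asset:
    ip: str
    value: int        # business value, 1..10 (assumed scale)
    vulnerable: bool  # a scanner confirmed the target is exposed to this attack category


@dataclass(frozen=True)
class Network:
    prefix: str       # crude string-prefix match stands in for CIDR matching
    weight: int       # how important this network is, 1..10 (assumed scale)


@dataclass(frozen=True)
class Event:
    source: str              # the "witness": which log source reported it
    source_credibility: int  # 1..10, configured per log source (assumed)
    category_severity: int   # 1..10, derived from the attack category (assumed)
    target_ip: str


# Constructed sample asset and network data (not from the page).
ASSETS = {
    "10.1.1.20": Asset("10.1.1.20", value=8, vulnerable=True),   # DMZ web server
    "10.9.0.5": Asset("10.9.0.5", value=2, vulnerable=False),    # lab host
}
NETWORKS = [Network("10.1.", weight=8), Network("10.9.", weight=2)]


def credibility(events):
    """Start from the most credible witness; each additional independent
    witness reporting the same offense raises credibility (capped at 10)."""
    witnesses = {e.source: e.source_credibility for e in events}
    return min(10, max(witnesses.values()) + 2 * (len(witnesses) - 1))


def severity(events, assets):
    """Category severity, raised by asset value, confirmed vulnerability
    and the number of targets (capped at 10)."""
    targets = {e.target_ip for e in events}
    score = max(e.category_severity for e in events)
    hit = [assets[t] for t in targets if t in assets]
    if hit:
        score += max(a.value for a in hit) // 2
        if any(a.vulnerable for a in hit):
            score += 2
    if len(targets) > 1:
        score += 1
    return min(10, score)


def relevance(events, networks):
    """Weight of the most important network any target belongs to;
    targets outside every known network count as barely relevant."""
    best = 1
    for e in events:
        for n in networks:
            if e.target_ip.startswith(n.prefix):
                best = max(best, n.weight)
    return best


def rate_offense(events, assets=ASSETS, networks=NETWORKS):
    """Return the three ratings and the magnitude (rounded mean of the three)."""
    c = credibility(events)
    s = severity(events, assets)
    r = relevance(events, networks)
    return {"credibility": c, "severity": s, "relevance": r,
            "magnitude": round((c + s + r) / 3)}


# Constructed offenses: the same attack category seen against the DMZ server
# by two witnesses, and once against a lab host by a single witness.
OFFENSE_DMZ = [
    Event("ids-01", 6, 5, "10.1.1.20"),
    Event("fw-edge", 4, 5, "10.1.1.20"),
]
OFFENSE_LAB = [Event("fw-edge", 4, 5, "10.9.0.5")]

if __name__ == "__main__":
    for name, offense in (("DMZ", OFFENSE_DMZ), ("lab", OFFENSE_LAB)):
        print(name, rate_offense(offense))
```

Running it shows the point of the slide: the identical attack category rates magnitude 9 against the vulnerable, high-value DMZ server reported by two sources, but only 4 against the low-weight lab host seen by one source.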

Page 10: Phase 1: Event Management Determines the Severity of the Event

Page 11: Phase 2: Creating and Managing Offenses with the Offense Manager

Page 12: STRM Features Overview

Page 13: Key Feature #1: Event Viewer / Flow Viewer

• Start with troubleshooting (50 firewalls and an application that fails to communicate)
• Show live filters and sorting of data
• Show the real-time aggregate view
• Show how any search can become a report
• Show exports and RAW views

Page 14: Key Feature #2: Asset Profiles

• Explain how server discovery can be used for tuning as well as for network awareness
• Explain how a customer can write rules to get asset alerts, such as a new port opening up in the DMZ
• Explain how weighting affects Magnitude
• Explain imports of existing data
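What such an asset rule does in practice, as an added example that is not STRM's rule engine or its profile format: two snapshots of discovered listeners per host are compared, and only new listeners on hosts inside the DMZ range produce an alert. The DMZ range (192.0.2.0/24, a documentation prefix), the profile layout and the alert fields are assumptions; the snapshots are constructed.

```python
"""Asset-profile rule: alert when a new listening port appears on a DMZ host.

Added example, not STRM code. The profile format, the DMZ definition and the
alert structure are assumptions; the rule itself is the one the slide names.
"""
from ipaddress import ip_address, ip_network

DMZ = ip_network("192.0.2.0/24")   # assumed DMZ range (documentation prefix)

# Constructed asset profiles: host -> set of (port, protocol) seen listening,
# as server discovery from flows or scans would build them.
PROFILE_YESTERDAY = {
    "192.0.2.10": {(443, "tcp"), (22, "tcp")},
    "192.0.2.11": {(25, "tcp")},
    "10.0.5.7": {(3389, "tcp")},
}
PROFILE_TODAY = {
    "192.0.2.10": {(443, "tcp"), (22, "tcp"), (8080, "tcp")},  # new port in the DMZ
    "192.0.2.11": {(25, "tcp")},
    "192.0.2.12": {(21, "tcp")},                                # brand-new DMZ host
    "10.0.5.7": {(3389, "tcp"), (5900, "tcp")},                 # new port, but not in the DMZ
}


def new_ports(before, after):
    """Yield (host, port, proto) for every listener in `after` absent from `before`."""
    for host, ports in after.items():
        for port, proto in sorted(ports - before.get(host, set())):
            yield host, port, proto


def dmz_new_port_alerts(before, after, dmz=DMZ):
    """The rule: a new listener on a host inside the DMZ raises an alert.
    A host that did not exist in the old profile is flagged as a new host,
    since every one of its ports is new."""
    alerts = []
    for host, port, proto in new_ports(before, after):
        if ip_address(host) in dmz:
            alerts.append({"host": host, "port": port, "proto": proto,
                           "new_host": host not in before})
    return alerts


if __name__ == "__main__":
    for alert in dmz_new_port_alerts(PROFILE_YESTERDAY, PROFILE_TODAY):
        print(alert)
```

The 5900/tcp listener on 10.0.5.7 is deliberately outside the DMZ, so it is visible to `new_ports` but filtered out by the rule; that is the network-awareness half of the slide, the same change matters more in some parts of the network than in others.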

Page 15: Key Feature #3: Network Surveillance

• Bandwidth and application utilization
• Explain how any graph is a direct link to flows
• Functions in the flow viewer are like an event viewer, but for network communications
• Explain additional alerting capabilities, from simple thresholds to complex baselining
• Remind that any view can be placed on the dashboard:
  • Local Networks
  • Threats
  • Applications
  • Geographic
  • Protocol
  • Flow Types
  • Custom Views (ASNsrc, ASNdst, IfindexIn, IfindexOut, QoS)

Page 16: Key Feature #4: Offense Manager

• Explain:
  • Event reduction
  • Offense prioritization
  • Ability to search and sort
• All information in one summary (hosts, identity, events, flows, etc.)
• Host profiles as part of an offense
• Show network anomaly and flow-based offenses
• Rules (easy-to-use rules engine)

Page 17: Offense Management: Intelligent Workflow for Operators

Who is attacking?
What is being attacked?
What is the impact?
Where do I investigate?

Page 18: Key Feature #5: Dashboard

• Explain that the system has multiple users and roles
  • Roles control access to types of data
  • Users control access to network objects
  • Local, RADIUS, TACACS+ and LDAP authentication
• Explain that you can detach components
• Explain right-click throughout the system
• Explain extensibility

Page 19: The Key to Data Management: Reduction and Prioritization

• Previous 24-hour period of network and security activity
• STRM correlation of data sources creates offenses
• Offenses are a complete history of a threat or violation, with full context about the accompanying network, asset and user identity information
• Offenses are further prioritized by business impact

Page 20: Key Feature #6: Reporting

• 220+ out-of-the-box report templates
• Fully customizable reporting engine: creating, branding and scheduling delivery of reports with wizards
• Compliance reporting packages for PCI, SOX, FISMA, GLBA and HIPAA
• Reports based on control frameworks: NIST, ISO and COBIT
• Multiple output formats: PDF, RTF, CSV, HTML, XML, etc.

Page 21: Using the Reports Interface

Page 22: STRM Deployment Scenarios

Page 23: Small/Medium Enterprise

• Company requirements:
  • <1000 EPS
  • <100K flows
  • 1000 to 3000 nodes
  • Dozens to 100s of event feeds
• STRM solution:
  • Single hardware platform
  • Additional collectors if needed
• STRM 500: <500 EPS, <15K NetFlows
• STRM 2500: <2500 EPS, <100K NetFlows

Diagram: STRM Web Console; security devices exporting logs; network devices exporting flow data

Page 24: Medium to Large Enterprise

• Company requirements:
  • 300K NetFlows
  • 3000 EPS
  • 10,000 nodes
  • Up to 100s of devices
• STRM solution:
  • STRM 5000
  • STRM Flow Collector
  • <400K NetFlows
  • <10,000 EPS
  • Distributed flow collectors

Diagram: STRM Web Console; security devices exporting logs; network devices exporting flow data

Page 25: Large Enterprise (Multiple Locations)

• Company requirements:
  • 600,000+ flows
  • 15,000+ EPS
  • 30,000+ nodes
• STRM solution:
  • STRM 5000
• Distributed Flow and Event Processors:
  • STRM-EP and STRM-FP
  • Stackable to meet most any requirement

Diagram: STRM 5000 console with STRM EP, STRM FP, STRM 2500 and STRM 500 appliances, each receiving security logs and flow events

Page 26: Growing a Deployment

• As event rates increase above 5000 EPS:
  • Add additional Event Processor appliances (one for each 10K EPS)
  • Configure event sources to distribute load between the EPs
• As flow rates increase above 200,000 flows/minute:
  • Add additional Flow Processor appliances (one for each 600K flows)
  • Configure flow sources to balance load, or use branch filters
• Isolate the console to simple tasks (remove all event and flow processing from it)
• As retention times increase:
  • Add external storage
• As the number of simultaneous users increases, spec more hardware for the same EPS and flow rates (i.e. sell them a 5000 EPS appliance, but with a 2500 EPS license)
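The growth rules on this slide and the storage figures from the Storage Options slide (10:1 compression, 13.3 billion events per TB, retention from 30 days up to 2 years) can be turned into a small sizing helper. The following is an added example, not a Juniper tool: the thresholds and capacities are the slide's, while treating the console as handling everything up to the thresholds and then moving all processing onto dedicated appliances, rounding appliance counts up, and recommending external storage once retention exceeds the 30-day baseline are assumptions made here.

```python
"""Sizing helper for growing an STRM deployment.

Added example, not a Juniper tool. Thresholds and capacities come from the
slides; how the console load is treated and the rounding are assumptions.
"""
import math

CONSOLE_MAX_EPS = 5_000        # slide: add EPs once event rates exceed 5000 EPS
CONSOLE_MAX_FLOWS = 200_000    # slide: add FPs once flow rates exceed 200K flows/minute
EP_CAPACITY_EPS = 10_000       # slide: one Event Processor for each 10K EPS
FP_CAPACITY_FLOWS = 600_000    # slide: one Flow Processor for each 600K flows
EVENTS_PER_TB = 13.3e9         # slide: 13.3 billion events per TB at 10:1 compression
MIN_RETENTION_DAYS = 30        # slide: retention is 30 days ...
MAX_RETENTION_DAYS = 730       # ... up to 2 years (365 * 2, an assumption)
SECONDS_PER_DAY = 86_400


def processors_needed(eps, flows_per_minute):
    """Return (event processors, flow processors) to add to the console.

    Assumption: below the thresholds the console handles the load itself;
    above them all processing moves to dedicated appliances (the slide says
    to isolate the console), so the count covers the whole rate."""
    eps_count = 0 if eps <= CONSOLE_MAX_EPS else math.ceil(eps / EP_CAPACITY_EPS)
    fp_count = (0 if flows_per_minute <= CONSOLE_MAX_FLOWS
                else math.ceil(flows_per_minute / FP_CAPACITY_FLOWS))
    return eps_count, fp_count


def storage_tb(eps, retention_days):
    """Compressed storage needed to keep `retention_days` of events at `eps`."""
    return eps * SECONDS_PER_DAY * retention_days / EVENTS_PER_TB


def retention_days_for(eps, terabytes):
    """Inverse of storage_tb: how many days a given store holds at `eps`."""
    return terabytes * EVENTS_PER_TB / (eps * SECONDS_PER_DAY)


def plan(eps, flows_per_minute, retention_days):
    """Combine the rules into one sizing summary for a target deployment."""
    if not MIN_RETENTION_DAYS <= retention_days <= MAX_RETENTION_DAYS:
        raise ValueError("retention must be between 30 days and 2 years")
    ep, fp = processors_needed(eps, flows_per_minute)
    return {
        "event_processors": ep,
        "flow_processors": fp,
        "storage_tb": round(storage_tb(eps, retention_days), 2),
        # assumption: anything beyond the 30-day baseline calls for external storage
        "external_storage_recommended": retention_days > MIN_RETENTION_DAYS,
    }


if __name__ == "__main__":
    # The slide's own sanity check: 1 TB at 5000 EPS lasts about 4-5 weeks.
    print(round(retention_days_for(5_000, 1.0), 1), "days per TB at 5000 EPS")
    print(plan(15_000, 600_000, 90))   # the large-enterprise profile from the deck
```

The first print reproduces the "4-5 weeks at 5000 EPS" claim from the Storage Options slide (about 30.8 days), which is a useful check that the constants were transcribed correctly before trusting the rest of the plan.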

Page 27: Competitive Matrix

Vendors compared: STRM, Cisco MARS, ArcSight, RSA Envision, Mazu/Lancope/Arbor

Log Management: STRM Strong; Cisco MARS Weak
Threat Management: STRM Strong; Cisco MARS Cisco-focused
Compliance Management: STRM Strong; Cisco MARS Weak

The remaining ratings and cell notes of the matrix (Strong, Strong, Weak, No; "No event data, flow data only"; "Weak, limited flow support"; "No NBAD"; "Disjoint solutions for log and threat management"; "Limited flow support, no NBAD") belong to the ArcSight, RSA Envision and Mazu/Lancope/Arbor columns.

Page 28: Competitive Overview

• Traditional SIM vendors
  • ArcSight, E-Security, Network Intelligence
  • No flow analysis
  • Almost exclusively compliance focus
• Traditional flow (NBAD) vendors
  • Mazu, Arbor, Lancope
  • No security event analysis
• Cisco MARS
  • Most direct competitor
  • Core component of the "Self-Defending Network"
  • Sales force and partners tasked with pitching MARS in every deal
  • STRM routinely beats it in technical evaluations

Page 29: Competitive Analysis: STRM vs. CS-MARS

Strengths for STRM:
• Commitment to heterogeneous support for monitoring and mitigation
• Sophisticated analytics clearly prioritize threats and incidents; analytics that directly tie incidents to business impact
• Rich anomaly detection and flow analysis capabilities provide threat detection and surveillance impossible with CS-MARS
• Layer 7 application classification enables policy enforcement and threat detection not possible with NetFlow alone or with CS-MARS
• Decreased time-to-resolve because of comprehensive forensics and troubleshooting capabilities
• Fully compliant storage solution for network flows (incl. content) and complete raw events to meet compliance requirements
• Robust and flexible reporting and real-time monitoring capabilities provide complete network visibility
• Scalable three-tier architecture scales from departmental to very large enterprise deployments

Weaknesses for CS-MARS:
• Superficial commitment to multi-vendor support for monitoring and mitigation
• Poor data reduction: the customer is presented with 1000s of poorly prioritized incidents
• Rudimentary anomaly detection and flow analysis result in missed threats
• No application-level awareness means a lack of credible policy capabilities
• Excessive time to resolve due to lack of forensics
• Fundamental forensic and compliance shortcomings
  • Truncated storage of events
  • No flow storage and content capture
• Incomplete reporting and real-time monitoring
• Poorly scalable two-tier architecture suitable for departmental applications only

Page 30: STRM Key Benefits

• Converged network security management console
  • Integrates typically silo'd network & security data
• Network, security, application & identity awareness
  • Unrivaled data management greatly improves the ability to meet IT security control objectives
• Advanced analytics & threat detection
  • Detects threats that other solutions miss
• Compliance-driven capabilities
  • Enables IT best practices that support compliance initiatives
• Scalable distributed log collection and archival
  • Network security management scales to any sized organization
• Multi-vendor

Page 31

Copyright © 2009 Juniper Networks, Inc. www.juniper.net

Сергей Полищук
Systems engineer
Telco
[email protected]