Posted 10-Mar-2016 (Documents; uploaded by anatoliy-grishin)
www.juniper.net 1
Juniper Security Threat Response Manager (STRM)
Сергей Полищук
Systems Engineer
Company [email protected]

Security Information & Event Management
Introducing Juniper's SIEM/NBAD Solution: STRM – "Security Threat Response Manager"
STRM key application features:
• Log Management
  - Provides long-term collection, archival, search and reporting of event logs, flow logs and application data
• Security Information and Event Management (SIEM)
  - Centralizes heterogeneous event monitoring, correlation and management
• Network Behavior Anomaly Detection (NBA/NBAD)
  - Discovers aberrant network activities using network and application flow data
Integrates mission-critical network and security data silos
Diagram labels: Network Behavior Analysis, Log Management, STRM

Advanced Log Management
• Networking events
  - Switches & routers, including flow data
• Security logs
  - Firewalls, IDS, IPS, VPNs, gateway AV, desktop AV & UTM devices
  - Vulnerability scanners (FoundScan, Juniper Profiler, nCircle, nmap, Nessus, QualysGuard, Rapid7)
• Operating system/host logs
  - Microsoft, Unix and Linux
• Applications
  - Database, mail & web
• User and asset
  - Authentication data
• Support for leading vendors including:
  - Networking: Juniper, Cisco, Extreme, Nokia, F5, 3Com, TopLayer and others
  - Security: Juniper, Bluecoat, Checkpoint, Fortinet, ISS, McAfee, Snort, SonicWall, Sourcefire, Secure Computing, Symantec and others
  - Network flow: NetFlow, JFlow, Packeteer FDR & sFlow, span/mirror (QFlow L7 analysis)
  - Operating systems: Microsoft, AIX, HP-UX, Linux (RedHat, SuSE), SunOS and others
  - Applications: Oracle, MS SQL, MS IIS, MS AD, MS Exchange and others
• Security map utilities:
  - MaxMind (provides geographies)
  - Shadownet
  - Botnet
• Custom log sources through the generic Device Support Module (DSM) and Adaptive Logging Exporter (ALE)
  - Integrate proprietary applications and legacy systems
  - Syslog, JDBC, JDBC:SiteProtector, JuniperNSM, LEA, SDEE, SNMPv2, SNMPv3
Diagram labels: Compliance Templates, Forensics Search, Policy Reporting

Integrated Network and Security Management Console
• Centralized browser-based UI
• Role-based access to information
• Customizable dashboards
• Real-time & historical visibility
• Advanced data mining & drill-down
• Easy-to-use rule engine
• Compliance reporting (PCI, SOX, FISMA, GLBA and HIPAA)

STRM Products
Model               Event rate   Flow rate          Target segment
STRM500             250 EPS      15K flows          Small enterprise
STRM500             500 EPS      15K flows          Small enterprise
STRM2500            1000 EPS     50 & 100K flows    Small/medium enterprise
STRM2500            2500 EPS     50 & 100K flows    Small/medium enterprise
STRM5000            5000 EPS     100 & 200K flows   Large enterprises & service providers
STRM-EP / STRM-FP   5000+ EPS    100 & 200K flows   Large enterprises & service providers

STRM Pricing
SKU                          Description                                                  List Price
STRM500-A-BSE                Base HW Appliance                                            $3,000
STRM500-ADD-250EPS-15KF      Add 250 EPS and 15K Flows                                    $12,000
STRM500-UPG-500EPS-15KF      Upgrade to 500 EPS with 15K Flows                            $7,000
STRM2500-A-BSE               Base HW Appliance                                            $7,000
STRM2500-ADD-1KEPS-50KF      Add 1000 EPS and 50K Flows                                   $30,000
STRM2500-UPG-2500EPS-50KF    Upgrade to 2500 EPS with 50K Flows                           $30,000
STRM2500-UPG-2500EPS-100KF   Upgrade to 100K Flows                                        $20,000
STRM5K-A-BSE                 Base HW Appliance                                            $11,000
STRM5K-ADD-5KEPS-100KF       Add 5000 EPS and 100K Flows                                  $109,000
STRM5K-UPG-5KEPS-200KF       Upgrade to 200K Flows                                        $42,000
STRM5K-ADD-EP-5KEPS          Add Event Processor for 5000 Events Per Sec (Distribution)   $90,000
STRM5K-UPG-EP-10KEPS         Upgrade Event Processor to 10,000 EPS                        $90,000
STRM5K-ADD-FP-200KF          Add Flow Processor for 200K Flows (Distribution)             $90,000
STRM5K-UPG-FP-400KF          Upgrade Flow Processor to 400K Flows                         $90,000
STRM5K-UPG-FP-600KF          Upgrade Flow Processor to 600K Flows                         $90,000
STRM5K-ADD-CON               Console for Distributed Architecture                         $35,000

Storage Options
• SAN (Storage Area Network) over Fibre Channel
• IP SAN (IP Storage Area Network) through iSCSI
• NAS (Network Attached Storage) over NFS
• DAS (Direct Attached Storage) over SCSI
STRM compression ratio is 10:1 (13.3 billion events in 1 TB of storage); this works out to around 4-5 weeks at 5000 EPS.
Data retention is 30 days (up to 2 years).

STRM Functional Architecture

Events and Offense Ratings
• Credibility: how credible is the evidence? The credibility of the witnesses; if multiple witnesses report the same attack, the credibility of the overall offense is increased.
• Severity: how much of a threat is the attacker, network or offense to my enterprise? Affected by object weights, asset values, category (type) of attack, actual vulnerability of targets, and number of targets.
• Relevance: based on the weight of networks and assets, how relevant is this offense or violation to you? Is it occurring in areas of the network that are less important to you?
These three ratings feed the offense Magnitude.

Phase 1: Event Management Determines the Severity of the Event

Phase 2: Creating and Managing Offenses with the Offense Manager

STRM Features Overview
Key Feature #1: Event Viewer/Flow Viewer
• Start with troubleshooting (50 firewalls and an application that fails to communicate)
• Show live filters and sorting of data
• Show real-time aggregate view
• Show how any search can become a report
• Show exports and raw views

Key Feature #2: Asset Profiles
• Explain how server discovery can be used for tuning as well as network awareness
• Explain how the customer can write rules to get asset alerts, like a new port opening up in the DMZ
• Explain how weighting affects Magnitude
• Explain imports of existing data

Key Feature #3: Network Surveillance
• Bandwidth and application utilization
• Explain how any graph is a direct link to flows
• Functions in the flow viewer are like an event viewer, but for network communications
• Explain additional alerting capabilities, from simple thresholds to complex baselining
• Remind that any view can be placed on the dashboard
  - Local Networks
  - Threats
  - Applications
  - Geographic
  - Protocol
  - Flow Types
  - Custom Views (ASNsrc, ASNdst, IfIndexIn, IfIndexOut, QoS)

Key Feature #4: Offense Manager
• Explain:
  - Event reduction
  - Offense prioritization
  - Ability to search and sort
• All information in one summary (hosts, identity, events, flows, etc.)
• Host profiles as part of an offense
• Show network anomaly and flow-based offenses
• Rules (easy-to-use rules engine)

Offense Management: Intelligent Workflow for Operators
Who is attacking?
What is being attacked?
What is the impact?
Where do I investigate?

Key Feature #5: Dashboard
• Explain that the system has multiple users and roles
  - Roles control access to types of data
  - Users control access to network objects
  - Local, RADIUS, TACACS+, LDAP auth
• Explain you can detach components
• Explain right-click throughout the system
• Explain extensibility

The Key to Data Management: Reduction and Prioritization
Previous 24-hour period of network and security activity
STRM correlation of data sources creates offenses
Offenses are a complete history of a threat or violation, with full context about accompanying network, asset and user identity information
Offenses are further prioritized by business impact

Key Feature #6: Reporting
• 220+ out-of-the-box report templates
• Fully customizable reporting engine: creating, branding and scheduling delivery of reports with wizards
• Compliance reporting packages for PCI, SOX, FISMA, GLBA and HIPAA
• Reports based on control frameworks: NIST, ISO and COBIT
• Multiple output formats
  - PDF, RTF, CSV, HTML, XML, etc.

Using the Reports Interface

STRM Deployment Scenarios

Small/Medium Enterprise
• Company requirements:
  - <1000 EPS
  - <100K flows
  - 1000 to 3000 nodes
  - Dozens to 100s of event feeds
• STRM solution:
  - Single hardware platform
  - Additional collectors if needed
• STRM 500
  - <500 EPS
  - <15K NetFlows
• STRM 2500
  - <2500 EPS
  - <100K NetFlows
Diagram labels: STRM Web Console; Security Devices Exporting Logs; Network Devices Exporting Flow Data

Medium to Large Enterprise
• Company requirements:
  - 300K NetFlows
  - 3000 EPS
  - 10,000 nodes
  - Up to 100s of devices
• STRM solution:
  - STRM 5000
  - STRM Flow Collector
  - <400K NetFlows
  - <10,000 EPS
  - Distributed flow collectors
Diagram labels: STRM Web Console; Security Devices Exporting Logs; Network Devices Exporting Flow Data

Large Enterprise (Multiple Locations)
• Company requirements:
  - 600,000+ flows
  - 15,000+ EPS
  - 30,000+ nodes
• STRM solution:
  - STRM 5000
• Distributed Flow and Event Processors
  - STRM-EP and STRM-FP
  - Stackable to meet most any requirement
Diagram labels: STRM 5000, STRM EP, STRM 2500, STRM FP, STRM 500; Security Logs / Flow Events

Growing a Deployment
• As event rates increase above 5000 EPS
  - Add additional Event Processor appliances (one for each 10K)
  - Configure event sources to distribute load between EPs
• As flow rates increase above 200,000 flows/minute
  - Add additional Flow Processor appliances (one for each 600K)
  - Configure flow sources to balance load, or use branch filters
• Isolate the console to simple tasks (remove all event and flow processing)
• As retention times increase
  - Add external storage
• As simultaneous users increase, spec more hardware for the same EPS and flow rates (i.e. sell them a 5000 EPS appliance, but with a 2500 EPS license)
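The sizing rules on this slide and the storage figures on the Storage Options slide (10:1 compression, 13.3 billion events per TB, "around 4-5 weeks at 5000 EPS") can be turned into a small capacity calculator. The following is an added example written for this page, not Juniper's own tooling; it assumes that each added Event Processor absorbs up to 10K EPS of the excess above the console's 5000 EPS, that each added Flow Processor absorbs up to 600K flows/minute above 200K, and that the events-per-TB figure holds at any rate. The "Large Enterprise" inputs in the usage block are constructed from the deployment-scenario slide.

```python
import math

# Figures quoted on the slides (Storage Options, Growing a Deployment).
EVENTS_PER_TB = 13.3e9                 # 10:1 compression: 13.3 billion events per TB
CONSOLE_MAX_EPS = 5_000                # add Event Processors above this rate
EPS_PER_EVENT_PROCESSOR = 10_000       # "one for each 10K" (assumed: per added EP)
CONSOLE_MAX_FLOWS_PER_MIN = 200_000    # add Flow Processors above this rate
FLOWS_PER_FLOW_PROCESSOR = 600_000     # "one for each 600K" (assumed: per added FP)
SECONDS_PER_DAY = 86_400


def retention_days(eps: float, storage_tb: float) -> float:
    """Days of event history that fit in storage_tb at a sustained rate of eps."""
    if eps <= 0 or storage_tb <= 0:
        raise ValueError("eps and storage_tb must be positive")
    return storage_tb * EVENTS_PER_TB / (eps * SECONDS_PER_DAY)


def storage_tb_for_retention(eps: float, days: float) -> float:
    """Compressed storage (TB) needed to keep `days` of events at `eps`."""
    return eps * SECONDS_PER_DAY * days / EVENTS_PER_TB


def extra_event_processors(eps: float) -> int:
    """Event Processor appliances to add beyond the console's own 5000 EPS.

    Assumption: each added EP absorbs up to 10K EPS of the excess.
    """
    excess = eps - CONSOLE_MAX_EPS
    return 0 if excess <= 0 else math.ceil(excess / EPS_PER_EVENT_PROCESSOR)


def extra_flow_processors(flows_per_min: float) -> int:
    """Flow Processor appliances to add beyond the console's 200K flows/minute.

    Assumption: each added FP absorbs up to 600K flows/minute of the excess.
    """
    excess = flows_per_min - CONSOLE_MAX_FLOWS_PER_MIN
    return 0 if excess <= 0 else math.ceil(excess / FLOWS_PER_FLOW_PROCESSOR)


def sizing_plan(eps: float, flows_per_min: float, retention_days_required: float) -> dict:
    """Combine the three rules into one plan for a given load and retention target."""
    eps_boxes = extra_event_processors(eps)
    flow_boxes = extra_flow_processors(flows_per_min)
    return {
        "event_processors_to_add": eps_boxes,
        "flow_processors_to_add": flow_boxes,
        "storage_tb": round(storage_tb_for_retention(eps, retention_days_required), 2),
        # Slide advice: once processing is distributed, keep the console to simple tasks.
        "isolate_console": (eps_boxes + flow_boxes) > 0,
    }


if __name__ == "__main__":
    # Sanity check against the slide: 1 TB at 5000 EPS is "around 4-5 weeks".
    print(f"1 TB at 5000 EPS lasts {retention_days(5000, 1) / 7:.1f} weeks")
    # Constructed inputs matching the Large Enterprise scenario on the slides.
    print(sizing_plan(eps=15_000, flows_per_min=600_000, retention_days_required=30))
```

At 5000 EPS the calculator gives about 30.8 days per terabyte, which is the 4-5 weeks the slide quotes; the two-year retention ceiling at the same rate needs roughly 24 TB of compressed storage, which is the kind of figure that drives the external-storage bullet above.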

Competitive Matrix (columns: STRM, Cisco MARS, ArcSight, RSA enVision, Mazu/Lancope/Arbor)
Log Management:        STRM Strong; Cisco MARS Weak; Mazu/Lancope/Arbor: no event data, flow data only
Threat Management:     STRM Strong; Cisco MARS Cisco-focused
Compliance Management: STRM Strong; Cisco MARS Weak; ArcSight Strong; RSA enVision Strong; Mazu/Lancope/Arbor Weak
Remaining cell notes from the slide (column placement not recoverable): "Weak; limited flow support; no NBAD", "Disjoint solutions for log and threat management; limited flow support; no NBAD", "No", "Strong"

Competitive Overview
• Traditional SIM vendors
  - ArcSight, e-Security, Network Intelligence
  - No flow analysis
  - Almost exclusively compliance focus
• Traditional flow (NBAD) vendors
  - Mazu, Arbor, Lancope
  - No security event analysis
• Cisco MARS
  - Most direct competitor
  - Core component of the "Self-Defending Network"
  - Sales force and partners tasked with pitching MARS in every deal
  - STRM routinely beats it in technical evaluations

Competitive Analysis: STRM vs. CS-MARS
Strengths for STRM:
• Commitment to heterogeneous support for monitoring and mitigation
• Sophisticated analytics clearly prioritize threats and incidents; analytics that directly tie incidents to business impact
• Rich anomaly detection and flow analysis capabilities provide threat detection and surveillance impossible with CS-MARS
• Layer 7 application classification enables policy enforcement and threat detection not possible with NetFlow alone or with CS-MARS
• Decreased time-to-resolve because of comprehensive forensics and troubleshooting capabilities
• Fully compliant storage solution for network flows (incl. content) and complete raw events to meet compliance requirements
• Robust and flexible reporting and real-time monitoring capabilities provide complete network visibility
• Scalable three-tier architecture scales from departmental to very large enterprise deployments
Weaknesses for CS-MARS:
• Superficial commitment to multi-vendor support for monitoring and mitigation
• Poor data reduction: customer presented with 1000s of poorly prioritized incidents
• Rudimentary anomaly detection and flow analysis result in missed threats
• No application-level awareness means lack of credible policy capabilities
• Excessive time to resolve due to lack of forensics
• Fundamental forensic and compliance shortcomings
  - Truncated storage of events
  - No flow storage and content capture
• Incomplete reporting and real-time monitoring
• Poorly scalable two-tier architecture suitable for departmental applications only

STRM Key Benefits
• Converged network security management console
  - Integrates typically siloed network & security data
• Network, security, application & identity awareness
  - Unrivaled data management greatly improves ability to meet IT security control objectives
• Advanced analytics & threat detection
  - Detects threats that other solutions miss
• Compliance-driven capabilities
  - Enables IT best practices that support compliance initiatives
• Scalable distributed log collection and archival
  - Network security management scales to any sized organization
• Multi-vendor

Copyright © 2009 Juniper Networks, Inc. www.juniper.net
Сергей Полищук
Systems Engineer
Company Telco
[email protected]