Juniper Security Threat Response Manager (STRM)
Sergey Polishchuk, Systems Engineer, Telco, sp@telco.ua, www.juniper.net
Introducing Juniper's SIEM/NBAD Solution
STRM – "Security Threat Response Manager" integrates mission-critical network and security data silos.
STRM key application features:
• Log Management: provides long-term collection, archival, search and reporting of event logs, flow logs and application data
• Security Information and Event Management (SIEM): centralizes heterogeneous event monitoring, correlation and management
• Network Behavior Anomaly Detection (NBA/NBAD): discovers aberrant network activities using network and application flow data
(Diagram: STRM at the intersection of Security Information & Event Management, Log Management and Network Behavior Analysis)
Advanced Log Management
Log sources:
• Networking events
• Security logs
• User and asset
• Applications
• Operating Systems/Host logs
Device and data types collected:
• Firewalls, IDS, IPS, VPNs, Gateway AV, Desktop AV, & UTM devices
• Vulnerability Scanners (FoundScan, Juniper Profiler, nCircle, nmap, Nessus, QualysGuard, Rapid7)
• Microsoft, Unix and Linux
• Database, mail & web
• Switches & routers, including flow data
• Authentication data
Log management functions:
• Policy Reporting
• Forensics Search
• Compliance Templates
Support for leading vendors including:
• Networking: Juniper, Cisco, Extreme, Nokia, F5, 3Com, TopLayer and others
• Security: Juniper, Bluecoat, Checkpoint, Fortinet, ISS, McAfee, Snort, SonicWall, Sourcefire, Secure Computing, Symantec, and others
• Network flow: NetFlow, JFlow, Packeteer FDR, & SFlow, span/mirror (QFlow L7 analysis)
• Operating systems: Microsoft, AIX, HP-UX, Linux (RedHat, SuSe), SunOS, and others
• Applications: Oracle, MS SQL, MS IIS, MS AD, MS Exchange, and others
Security map utilities:
• MaxMind (provides geographies)
• Shadownet
• Botnet
Customization of log sources through the generic Device Support Module (DSM) and the Adaptive Logging Exporter (ALE):
• Integrate proprietary applications and legacy systems
• Collection protocols: Syslog, JDBC, JDBC:SiteProtector, JuniperNSM, LEA, SDEE, SNMPv2, SNMPv3
Integrated Network And Security Management Console
• Centralized browser-based UI
• Role-based access to information
• Customizable dashboards
• Real-time & historical visibility
• Advanced data mining & drill down
• Easy to use rule engine
• Compliance reporting (PCI, SOX, FISMA, GLBA, and HIPAA)
STRM Products
Appliance | Target market | Events per second (EPS) | Flows per minute
STRM500 | Small Enterprise | 250 EPS or 500 EPS | 15K
STRM2500 | Small/Medium Enterprise | 1000 EPS or 2500 EPS | 50K or 100K
STRM5000 | Large Enterprises & Service Providers | 5000 EPS or 5000+ EPS | 100K or 200K
STRM-EP (Event Processor) and STRM-FP (Flow Processor) are add-on appliances that extend the STRM5000 in a distributed deployment.
STRM Pricing
SKU | Description | List Price
STRM500-A-BSE | Base HW Appliance | $3,000
STRM500-ADD-250EPS-15KF | Add 250 EPS and 15K Flows | $12,000
STRM500-UPG-500EPS-15KF | Upgrade to 500 EPS with 15K Flows | $7,000
STRM2500-A-BSE | Base HW Appliance | $7,000
STRM2500-ADD-1KEPS-50KF | Add 1000 EPS and 50K Flows | $30,000
STRM2500-UPG-2500EPS-50KF | Upgrade to 2500 EPS with 50K Flows | $30,000
STRM2500-UPG-2500EPS-100KF | Upgrade to 100K Flows | $20,000
STRM5K-A-BSE | Base HW Appliance | $11,000
STRM5K-ADD-5KEPS-100KF | Add 5000 EPS and 100K Flows | $109,000
STRM5K-UPG-5KEPS-200KF | Upgrade to 200K Flows | $42,000
STRM5K-ADD-EP-5KEPS | Add Event Processor for 5000 Events Per Sec (Distribution) | $90,000
STRM5K-UPG-EP-10KEPS | Upgrade Event Processor to 10,000 EPS | $90,000
STRM5K-ADD-FP-200KF | Add Flow Processor for 200K Flows (Distribution) | $90,000
STRM5K-UPG-FP-400KF | Upgrade Flow Processor to 400K Flows | $90,000
STRM5K-UPG-FP-600KF | Upgrade Flow Processor to 600K Flows | $90,000
STRM5K-ADD-CON | Console for Distributed Architecture | $35,000
Storage Options
• SAN (Storage Area Network): Fibre Channel
• IPSAN (IP Storage Area Network): through iSCSI
• NAS (Network Attached Storage): NFS
• DAS (Direct Attached Storage): SCSI
STRM compression ratio is 10:1 (13.3 billion events in 1 TB of storage), which works out to around 4-5 weeks of events at 5000 EPS. Data retention is 30 days (up to 2 years).
STRM Functional Architecture
Events and Offense Ratings
Magnitude is derived from three ratings:
• Credibility: how credible is the evidence. Credibility of the witnesses; if multiple witnesses report the same attack, the credibility of the overall offense is increased.
• Relevance: based on the weight of networks and assets, how relevant is this offense or violation to you. Is it occurring in areas of the network that are not as important to you?
• Severity: how much of a threat is the attacker, network or offense to my enterprise. Affected by object weights, asset values, category (type) of attacks, actual vulnerability of targets, and number of targets.
Phase 1: Event Management Determines the Severity of the Event
Phase 2: Creating and Managing Offenses with the Offense Manager
STRM Features Overview
Key Feature #1: Event Viewer/Flow Viewer
• Start with troubleshooting (50 firewalls and an application that fails to communicate)
• Show live filters and sorting of data
• Show real-time aggregate view
• Show how any search can become a report
• Show exports and RAW views
Key Feature #2: Asset Profiles
• Explain how server discovery can be used for tuning as well as network awareness
• Explain how customers can write rules to get asset alerts, like a new port opening up in the DMZ
• Explain how weighting affects Magnitude
• Explain imports of existing data
Key Feature #3: Network Surveillance
Bandwidth and Application Utilization
• Explain how any graph is a direct link to flows
• Functions in the flow viewer are like an event viewer but for network communications
• Explain additional alerting capabilities, from simple thresholds to complex baselining
• Remind that any view can be placed on the dashboard
Surveillance views:
• Local Networks
• Threats
• Applications
• Geographic
• Protocol
• Flow Types
• Custom Views (ASNsrc, ASNdst, IfindexIn, IfindexOut, QoS)
Key Feature #4: Offense Manager
Explain:
• Event Reduction
• Offense Prioritization
• Ability to search and sort
• All information in one summary (Hosts, Identity, Events, Flows, etc…)
• Host Profiles as part of an offense
• Show network anomaly and flow-based offenses
• Rules (easy to use rules engine)
Offense Management: Intelligent Workflow for Operators
• Who is attacking?
• What is being attacked?
• What is the impact?
• Where do I investigate?
Key Feature #5: Dashboard
Explain the system has multiple users and roles:
• Roles control access to types of data
• User controls restrict access to network objects
• Local, RADIUS, TACACS+, LDAP auth
Explain you can detach components
Explain right-click throughout the system
Explain extensibility
The Key to Data Management: Reduction and Prioritization
• Previous 24hr period of network and security activity
• STRM correlation of data sources creates offenses
• Offenses are a complete history of a threat or violation, with full context about accompanying network, asset and user identity information
• Offenses are further prioritized by business impact
Key Feature #6: Reporting
• 220+ out-of-the-box report templates
• Fully customizable reporting engine: creating, branding and scheduling delivery of reports with wizards
• Compliance reporting packages for PCI, SOX, FISMA, GLBA, and HIPAA
• Reports based on control frameworks: NIST, ISO and CoBIT
• Multiple output formats: PDF, RTF, CSV, HTML, XML, etc…
Using the Reports Interface
STRM Deployment Scenarios
Small/Medium Enterprise
Company Requirements:
• <1000 EPS
• <100K Flows
• 1000 to 3000 Nodes
• Dozens to 100s of event feeds
STRM Solution:
• Single hardware platform
• Additional collectors if needed
• STRM 500: <500 EPS, <15K NetFlows
• STRM 2500: <2500 EPS, <100K NetFlows
(Diagram: network devices exporting flow data and security devices exporting logs to the STRM Web Console)
Medium to Large Enterprise
Company Requirements:
• 300K Net Flows
• 3000 EPS
• 10,000 Nodes
• Up to 100s of Devices
STRM Solution: STRM 5000 with STRM Flow Collector
• < 400K NetFlows
• < 10000 EPS
• Distributed flow collectors
(Diagram: network devices exporting flow data and security devices exporting logs to the STRM Web Console and flow collector)
Large Enterprise (Multiple Locations)
Company Requirements:
• 600,000+ Flows
• 15,000+ EPS
• 30,000+ Nodes
STRM Solution:
• STRM 5000
• Distributed Flow and Event Processors: STRM-EP and STRM-FP
• Stackable to meet most any requirement
(Diagram: STRM 500, STRM 2500, STRM FP and STRM EP feeding flow events and security logs to a central STRM 5000)
Growing a deployment
As event rates increase above 5000 EPS:
• Add additional Event Processor Appliances (one for each 10K EPS)
• Configure event sources to distribute load between EPs
As flow rates increase above 200,000 flows/minute:
• Add additional Flow Processor Appliances (one for each 600K flows/minute)
• Configure flow sources to balance load or use branch filters
Isolate the console to simple tasks (remove all event and flow processing)
As retention times increase:
• Add external storage
As simultaneous users increase:
• Spec more hardware for the same EPS and flow rates (i.e. sell them a 5000 EPS appliance, but with a 2500 EPS license)
Competitive Matrix
Capability | STRM | Cisco MARS | ArcSight / RSA Envision | Mazu / Lancope / Arbor
Log Management | Strong | Weak | Strong | No
Threat Management | Strong | Weak: limited flow support, no NBAD, Cisco-focused | Weak: disjoint solutions for log and threat management, limited flow support, no NBAD | Flow data only: no event data
Compliance Management | Strong | Weak | Strong | No
Competitive Overview
Traditional SIM vendors
• ArcSight, E-Security, Network Intelligence
• No flow analysis
• Almost exclusively compliance focus
Traditional Flow (NBAD) vendors
• Mazu, Arbor, Lancope
• No security event analysis
Cisco MARS
• Most direct competitor
• Core component of the "Self-Defending" network
• Sales force and partners tasked with pitching MARS in every deal
• STRM routinely beats it in technical evaluations
Competitive Analysis: STRM vs. CS-MARS
Weaknesses for CS-MARS | Strengths for STRM
Superficial commitment to multi-vendor support for monitoring and mitigation | Commitment to heterogeneous support for monitoring and mitigation
Poor data reduction: customer presented with 1000s of poorly prioritized incidents | Sophisticated analytics clearly prioritize threats and incidents; analytics directly tie incidents to business impact
Rudimentary anomaly detection and flow analysis results in missed threats | Rich anomaly detection and flow analysis capabilities provide threat detection and surveillance impossible with CS-MARS
No application level awareness means lack of credible policy capabilities | Layer 7 application classification enables policy enforcement and threat detection not possible with NetFlow alone and CS-MARS
Excessive time to resolve due to lack of forensics | Decreased time-to-resolve because of comprehensive forensics and troubleshooting capabilities
Fundamental forensic and compliance shortcomings: truncated storage of events; no flow storage and content capture | Fully compliant storage solution for network flows (incl. content) and complete raw events to meet compliance requirements
Incomplete reporting and real-time monitoring | Robust and flexible reporting and real-time monitoring capabilities provide complete network visibility
Poorly scalable two-tier architecture suitable for departmental applications only | Scalable three-tier architecture scales from departmental to very large enterprise deployments
STRM Key Benefits
• Converged network security management console: integrates typically siloed network & security data
• Network, security, application, & identity awareness: unrivaled data management greatly improves the ability to meet IT security control objectives
• Advanced analytics & threat detection: detects threats that other solutions miss
• Compliance-driven capabilities: enables IT best practices that support compliance initiatives
• Scalable distributed log collection and archival: network security management scales to any sized organization
• Multi-vendor
Sergey Polishchuk, Systems Engineer, Telco, sp@telco.ua
Copyright © 2009 Juniper Networks, Inc.