KEY BENEFITS OF CORRELATING DATA WITH JUNIPER NETWORKS STRM SERIES SECURITY THREAT RESPONSE MANAGERS


APPLICATION NOTE

STRM Series Enables Threat and Log Management, Compliance and IT Efficiency

Copyright 2010, Juniper Networks, Inc.

Table of Contents

Introduction
    The Search for Enterprise-Wide Visibility
    The Challenge Posed by Millions of Events
    Keeping Pace with Emerging Threats
    Threats Posed by Insiders
    Compliance Requirements
Scope
Design Considerations
    Juniper Networks STRM500 Security Threat Response Manager
    Juniper Networks STRM2500 Security Threat Response Manager
Description and Deployment Scenario
    Centralized Log Collection, Analysis and Reporting Across Juniper's Security Portfolio
    Deep Juniper Interoperability Combined with Broad Multivendor Support
    Enabling an Enterprise-Wide View of Network Behavior from J-Flow
    Discrete Juniper Product Events Correlated with Network Behavior and Asset/VA Knowledge
    Cross-Portfolio Event Correlation that Identifies Complex Enterprise Threats
Correlation Scenarios in Action
    Complex Attack Detection: Zero-Day Client Exploit
    Log Aggregation and Prioritization
    Contextual Analysis of Assets and Network Behavior
    Compliance and Policy
Summary
Appendix A: Two-Phased Correlation and Analysis of Juniper Security Events: Event Management and Offense Management
    Phase 1: Event Management Determines the Severity of the Event
    Phase 2: Creating and Managing Offenses with the Offense Manager
Appendix B: Deployment Steps
Appendix C: STRM Series Integration with NSM Profiler
    Technical Notes
About Juniper Networks

Table of Figures

Figure 1: STRM2500 typical deployment
Figure 2: STRM Series offense summary screen
Figure 3: STRM Series offense summary dashboard
Figure 4: STRM Series annotations on normalized Juniper device events
Figure 5: STRM Series offense summary screen
Figure 6: STRM Series internal processing of Juniper security events and flows
Figure 7: STRM Series offense processing
Figure 8: STRM Series integration with NSM Profiler (right click)
Figure 9: IDP Series profiler data displayed from the STRM Series

Introduction

Once they have deployed the necessary detection and enforcement points in their networks, organizations of any size face the challenge of stepping back from the multitude of individual product views in order to see and maintain their effectiveness in the context of solving enterprise-wide policy and security issues.

The Search for Enterprise-Wide Visibility

Access control points, VPNs, firewalls, and intrusion prevention systems (IPS) are critical elements of a defense-in-depth security architecture. Increasingly, so are the routers and other elements of the network that those security devices are ultimately charged with protecting. The ability to view, analyze and respond to information across this entire infrastructure must therefore be enabled, because the sum of these products provides a more meaningful security and policy view than any individual component.

The Challenge Posed by Millions of Events

With the necessary proliferation of detection and enforcement points in the network, operators are constantly under an avalanche of information produced by every product with logging capability. Events and alerts constitute the critical evidence needed to understand threats across the network, but the Sisyphean task is to collect, analyze and prioritize this evidence effectively when tens of millions of event records stream out of devices daily. Threat data and alarms come in many forms, such as host logs, firewall logs, IPS alerts, network flow data, and VPN logs or alerts. This creates an enormous challenge for IT staff, who must analyze data from a multitude of sources to understand the threats they face and determine what actions to take.

Keeping Pace with Emerging Threats

Security will always be a game of changing offense and improving defense. As threats continue to evolve, administrators must improve their network security posture by using multiple defense perspectives to catch the harbingers of attacks that are difficult to detect or prevent accurately through any single technology. Access control initiatives such as unified access control (UAC), coupled with industry-leading signature development and distribution to IPS products, provide critical safeguards in the constant update race, but zero-day attacks are still likely to emerge that challenge any defense-in-depth posture. This further emphasizes the need for visibility into all points of the network, regardless of whether or not security devices exist at all of these points.

Threats Posed by Insiders

Network and security operators have long known that in addition to combating the emerging threats that seek to penetrate their enterprises, they also have to worry about insider threats. An unhappy employee turned saboteur, an unwitting employee using unsecured devices and applications, an untrained employee taking shortcuts with key corporate data: for some organizations these represent a larger challenge than external threats. In addition to firewalls, VPN, UAC and IPS, there is also a need to look at employee, application and device behavior within a network and to connect seemingly disparate security information into a more complete picture of network-wide activity.

Compliance Requirements

Once the defense posture against internal and external threats has been optimized, the administrator still doesn't get to put his or her feet up. All organizations are increasingly open to scrutiny from internal and external audit groups. The implementation and validation of a company's compliance with internal policy or external regulation (such as the PCI Standard) is yet another challenge that lands in the lap of the overburdened network and security team. Implementation requires that the correct visibility and alerting capabilities be in place to conform to particular control standards (for example, multiple failed logins to database admin accounts followed by a successful login should be alerted on). Validation requires that reports supporting the existence and effectiveness of the control standards be available at any time, across all relevant technology elements.

With all of these challenges in mind, combining Juniper Networks security and routing products with Juniper Networks STRM Series Security Threat Response Managers provides four essential benefits to network and security operators drowning in these challenges.

1. Threat Detection: detect events that would otherwise be missed by product or operational silos.
2. Log Management: respond to the right threats at the right time through the effective management of millions of log records.
3. Compliance: implement a compliance and policy safety net with comprehensive event storage and reporting.
4. IT Efficiency: extract IT value that is latent but lost in existing network and security investments.

Scope

This application note will help Network Operations Center (NOC) administrators, Security Operations Center (SOC) administrators, engineers and compliance auditors understand the value of collecting, correlating and analyzing discrete Juniper Networks security and network infrastructure information in a centralized location. This document highlights key integrations between the Juniper Networks product portfolio and the STRM Series. It illustrates how events and alerts from separate products can be efficiently aggregated and analyzed in order to deliver an enterprise-wide threat management view that encompasses both the network and the security operation's span of control. It covers in detail how events, alerts and flow logs from discrete products are correlated and processed to effectively prioritize and manage large amounts of infrastructure data. This document does not cover in great detail the specifics of configuring Juniper devices for event correlation or the STRM Series for event analysis and management. It is assumed that the reader will consult the relevant product manuals and guides for detailed deployment information.

Design Considerations

The Juniper Networks STRM Series comes in two models, each offering full correlation, collection, analysis and reporting in one easy-to-use and easy-to-manage appliance:

Juniper Networks STRM500 Security Threat Response Manager
- Supports up to 500 events per second
- Supports up to 15,000 flows per minute

Juniper Networks STRM2500 Security Threat Response Manager
- Supports up to 2500 events per second
- Supports up to 100K flows per minute

(Please review the STRM Series data sheet for detailed information.)

Deployment of the STRM Series depends on many factors:
- The number of events per second
- Flows per minute
- Number of hosts and applications
- Number of users

We will not go into the details of each factor in a typical environment, but at a minimum an STRM500 needs to be deployed to get the full benefit of the STRM Series.

[Figure 1: STRM2500 typical deployment. The diagram shows an STRM2500 (50K to 100K fpm, 6 x 250 GB HD) with the STRM Series Web Console, receiving J-Flow from network devices exporting flow data (E320, M Series, J2300) and logs from Juniper security devices (SSG Series, IDP Series, WXC, ISG2000, NS5400, IC4000, SA4000) and from multi-vendor security devices exporting logs.]

Description and Deployment Scenario

Centralized Log Collection, Analysis and Reporting Across Juniper's Security Portfolio

The STRM Series serves as a command and control center for all Juniper security technologies deployed within a customer environment. Events and alerts from the firewall, Juniper Networks SA Series SSL VPN Appliances, ISG Series Integrated Security Gateways, SSG Series Secure Services Gateways, IDP Series Intrusion Detection and Prevention Appliances, IC Series Unified Access Control Appliances, and NetScreen Series Security Systems are aggregated in a single location where they can be viewed and queried. In addition, events from different devices that indicate similar or identical security threats are normalized and categorized in order to enable easier analysis. Examples of STRM Series categories to which Juniper events from multiple devices are sent include:

- Recon: Events relating to scanning and other techniques used to identify network resources, for example, network or host port scans.
- DoS: Events relating to denial of service (DoS) or distributed denial of service (DDoS) attacks against services or hosts, such as brute-force network DoS attacks.
- Authentication: Events relating to authentication controls and group or privilege changes, such as login or logout.
- Access: Events where a communication or access has occurred, such as a firewall accept or deny.
- Exploit: Events relating to application exploits and buffer overflow attempts, such as buffer overflows or Web application exploits.
- Malware: Events relating to viruses, trojans, backdoor attacks or other forms of hostile software, including spyware.
- Suspicious: The nature of the threat is unknown but the behavior is suspicious, including protocol anomalies that potentially indicate evasive techniques. Examples are packet fragmentation and known intrusion detection system (IDS) evasion techniques, as well as suspicious patterns such as multiple failed logins followed by a successful login.
- System: Events related to system changes, software installation or status messages.
- Policy: Events regarding corporate policy violations or misuse.
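The normalization step described above, as an added example that is not Juniper's code and does not reproduce the STRM Series rule set: a small parser that takes raw device lines, extracts the attacker, target and port, and assigns each line to one of the categories listed. The sample lines are constructed for this example (loosely modelled on ScreenOS and IDP Series syslog output, not captured from real devices), and the category patterns are assumptions chosen to cover those lines.

```python
import re
from collections import Counter
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed sample lines, loosely modelled on ScreenOS traffic/admin logs and
# IDP Series attack logs. Illustrative only, not captured device output.
SAMPLE_LOGS = [
    'ssg5: system-notification-00257(traffic): action=Permit src=10.1.1.20 dst=192.0.2.10 src_port=4312 dst_port=25 proto=6',
    'ssg5: system-notification-00257(traffic): action=Deny src=198.51.100.7 dst=10.1.1.5 src_port=445 dst_port=445 proto=6',
    'idp1: IDP attack: name="TCP:PORT-SCAN" severity=Medium src=10.1.1.20 dst=10.1.2.0 dst_port=25',
    'idp1: IDP attack: name="HTTP:OVERFLOW:CHUNKED-ENCODING" severity=High src=198.51.100.7 dst=10.1.1.5 dst_port=80',
    'idp1: IDP attack: name="TROJAN:IRC-BACKDOOR" severity=High src=10.1.1.20 dst=203.0.113.9 dst_port=6669',
    'ssg5: system-warning-00515: Admin user "netscreen" login attempt from 10.1.1.44 failed',
    'ssg5: system-warning-00519: Admin user "netscreen" has logged on via Telnet from 10.1.1.44',
]

KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')
IP_FROM_RE = re.compile(r'from (\d{1,3}(?:\.\d{1,3}){3})')

# Ordered category rules (assumed): the first pattern that matches the message wins.
# Anything unmatched falls into the System category.
CATEGORY_RULES = [
    (re.compile(r'PORT-SCAN|SWEEP|\bSCAN\b', re.I), 'Recon'),
    (re.compile(r'\bDOS\b|FLOOD', re.I), 'DoS'),
    (re.compile(r'OVERFLOW|INJECTION|EXPLOIT', re.I), 'Exploit'),
    (re.compile(r'TROJAN|BACKDOOR|VIRUS|WORM', re.I), 'Malware'),
    (re.compile(r'login|logged on|logout|logged off', re.I), 'Authentication'),
    (re.compile(r'\(traffic\)', re.I), 'Access'),
]

@dataclass
class NormalizedEvent:
    device: str
    category: str
    name: str
    src: Optional[str]
    dst: Optional[str]
    dst_port: Optional[int]
    outcome: str   # permit/deny for Access, success/failure for Authentication, else n/a

def parse_line(line: str) -> NormalizedEvent:
    """Normalize one raw line: split off the device name, pull key=value fields,
    pick a category, and derive the outcome from the category-specific field."""
    device, _, body = line.partition(': ')
    kv = {k: v.strip('"') for k, v in KV_RE.findall(body)}
    category = next((cat for pat, cat in CATEGORY_RULES if pat.search(body)), 'System')
    src = kv.get('src')
    if src is None:                      # admin-login messages carry the client IP in prose
        m = IP_FROM_RE.search(body)
        src = m.group(1) if m else None
    dst_port = int(kv['dst_port']) if 'dst_port' in kv else None
    if category == 'Access':
        outcome = kv.get('action', 'unknown').lower()
    elif category == 'Authentication':
        outcome = 'failure' if 'fail' in body.lower() else 'success'
    else:
        outcome = 'n/a'
    name = kv.get('name') or body.split(':')[0]
    return NormalizedEvent(device, category, name, src, kv.get('dst'), dst_port, outcome)

def normalize(lines: List[str]) -> List[NormalizedEvent]:
    return [parse_line(line) for line in lines]

def count_by_category(events: List[NormalizedEvent]) -> Dict[str, int]:
    """How many events landed in each category; the first thing an operator looks at."""
    return dict(Counter(e.category for e in events))

if __name__ == '__main__':
    for ev in normalize(SAMPLE_LOGS):
        print(f'{ev.category:15} {ev.device:6} {ev.name:34} {ev.src} -> {ev.dst}:{ev.dst_port} {ev.outcome}')
```

Two design points carry over to a real deployment: the rule table is ordered, so a message that mentions both a scan and an overflow is classified by whichever rule comes first, and every field the later correlation tests need (source, target, target port, outcome) is extracted here once rather than re-parsed by each rule.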

In addition to using the STRM Series as a centralized dashboard for collecting, analyzing and querying Juniper security events, administrators can create and customize reports that reflect activity across all devices within the Juniper security portfolio. Not only is this a single repository for any kind of operator or executive-level security report, it also includes the ability to generate key reports about network behavior, application traffic and network performance.

Deep Juniper Interoperability Combined with Broad Multivendor Support

The STRM Series interoperates with the Juniper Networks security and networking portfolio:

- STRM Series event collection and correlation capabilities are available for all products within the Juniper security portfolio, including Juniper Networks Unified Access Control 2.0.
- The STRM Series interoperates with Juniper Networks NSM Profiler in order to prepopulate asset information and to query any IP address from any device against the Profiler database.
- The STRM Series leverages the Trusted Computing Group's Trusted Network Connect (TCG-TNC) standards to send remediation recommendations to the IC Series Unified Access Control Appliances.
- The STRM Series leverages J-Flow from the Juniper router family.
- The STRM Series gathers user identity data from multiple Juniper products in order to tie network offenses to attacker identity.

For details on how the STRM Series processes information from discrete Juniper devices, see Appendix A. In addition to this deep interoperability with Juniper products, the STRM Series also provides broad support for many other best-in-class security device types and vendors, as well as for other flow sources including NetFlow. This enables Juniper network and security devices to smoothly complement the events, alerts and flow information that may come from other areas of an organization's network.

Enabling an Enterprise-Wide View of Network Behavior from J-Flow

The STRM Series surveys the entire network using J-Flow sources in a customer's routing infrastructure to form a Layer 3 and Layer 4 analysis of application behavior and a detailed history of all network flow activity. Leveraging J-Flow as a source, the STRM Series discovers the rate, volume and nature of network traffic to detect issues that affect service levels, and offers early detection of security threats that would otherwise go unnoticed (such as a mail virus that leverages the corporate Simple Mail Transfer Protocol (SMTP) server in the middle of the night). Additionally, STRM Series QFlow collectors can be connected to the network at strategic points (the network core, the perimeter and in front of key server farms) to monitor critical network traffic. The STRM Series analyzes these traffic flows to create a flow record that contains details of the conversation, including a deep packet inspection that identifies the actual application (regardless of port). What the STRM Series detects from J-Flow also helps to create a picture of the assets that exist within an environment, their vulnerability level and their business value. These asset profiles are then used as a contextual correlation source for other incoming Juniper security events.

Discrete Juniper Product Events Correlated with Network Behavior and Asset/VA Knowledge

Collection and normalization of events from multiple security devices and device types is valuable to network and security administrators. Of equal value, however, is the contextual correlation that the STRM Series provides for discrete Juniper product events. Contextual correlation refers to the capability to prioritize the severity of reported security events against what is known about the existence, vulnerability and business value of the targets. Passive vulnerability information, as well as active vulnerability data from a customer's vulnerability assessment (VA) scanner (such as Qualys, nCircle or Nessus), can be used in judging the priority of every single Juniper security event regardless of the emitting device. This prioritization is not limited to vulnerability status but also includes the business value or weighting that has been assigned to the asset in question. In a Juniper product environment, these asset profiles can also be prepopulated in the STRM Series with the data that the NSM Profiler may already have gleaned about the hosts it has observed in the network. Another key area of interoperability between the STRM Series and Juniper products is the ability for any IP address within the STRM Series system to be queried against Juniper's rich NSM Profiler database (see Appendix C). Contextual correlation also enables correlation of a security event with network activity before, during and after the event fires, which helps to determine the impact of a particular threat.

Example: Events are received from a Juniper Networks IDP Series appliance indicating a Windows service attack, and the target's asset profile indicates that the targeted port is open and that there is a vulnerability on the machine. The STRM Series performs network flow analysis for five minutes on all flows between the attacker and the target, as well as on other flows being sent out from the target of the attack. The results help determine the priority of that event as well as any chaining that has taken place between the original target and any hosts it is now attempting to infect. Through correlation against asset profiles and observed network information, individual Juniper security device events are more accurately and correctly prioritized based on a complete knowledge of the customer's network environment.

Cross-Portfolio Event Correlation that Identifies Complex Enterprise Threats

Once correlation and testing have been conducted on discrete events from Juniper devices, the STRM Series further delivers enterprise-wide prioritization by correlating information across multiple device types and from multiple network segments. If the correlation of discrete product events has helped to prioritize data, then the correlation of multiple device types (firewalls, IPS, VPN, UAC) helps to prioritize that information further and significantly reduce the crush of the millions of events that can be produced in an enterprise.

Example: A single attacker launches a DoS attack within a network and successfully executes a buffer overflow on one of the targets. The exploited host then performs reconnaissance on additional assets in the network and attempts to escalate privilege on a mail server, which ultimately fails. While different security devices (firewall and IPS) will correctly report 6500 events covering four different categories targeting 1200 hosts over a period of one hour, this should be viewed as a single offense against the network.

Hidden in the deluge of events that can come from even moderate deployments of firewalls, VPNs and IPSs on a high-traffic network are the piece parts that constitute a prelude to something much more damaging. Indeed, attacks like this may take many days to evolve. While individual security devices normally do their part in flagging activity peculiar to the segment or traffic they are monitoring, greater visibility is required across all devices, incorporating network and security activity as well as the important contextual elements mentioned earlier that help prioritize the severity and relevance of threats. The STRM Series accomplishes this important prioritization and data reduction through the creation of offenses, which are a complete record of all security events, network transactions and additional contextual information (derived from correlation tests) observed during an attack. The purpose of offense management across many different types of Juniper devices is to answer the following question: In the context of your business, what threats are the most severe?

Correlation Scenarios in Action

Complex Attack Detection: Zero-Day Client Exploit

Scenario: A user clicks on a link that leads to a website. Embedded in this website is new malicious code that installs a backdoor onto the computer. The victim machine makes an Internet Relay Chat (IRC) connection over a non-standard port in order to hide the connection from security devices. Once it connects to the IRC server, it joins a channel and waits for a command to scan certain subnets for open mail servers (port 25) and return the results to the chat room. Once the results have been returned, the attacker sends a command to the backdoor telling it to send out mail to those hosts with open mail ports. The Juniper firewall and IDP Series are effective at logging the firewall accepts, some malformed headers and the scan for mail servers. STRM Series correlation is required to tie these events together with the missing network behavior analysis that detects IRC on a non-standard port (botnet) and the victim host that is sending mail.

[Figure 2: STRM Series offense summary screen]

Log Aggregation and Prioritization

Scenario: Juniper Networks firewalls, IDP Series appliances and VPN products are deployed within a network and are producing events and alerts based on the discrete packet flows and activity that they observe. STRM Series correlation of events from the multiple device types prioritizes those 800,000 events into a small number (11) of accurate and relevant offenses against the network that need to be investigated.

[Figure 3: STRM Series offense summary dashboard]

Contextual Analysis of Assets and Network Behavior

Scenario: An exploit targeting the Apache Chunked Encoding vulnerability is attacking multiple hosts within a network. One host is vulnerable and is exploited, which results in new connections back to the attacker. Juniper Networks Network and Security Manager (NSM) correctly identifies the Apache Chunked Encoding attack in multiple event messages. STRM Series correlation is required to tie these events together, and contextual correlation against host and network knowledge shows not only that one of the hosts is vulnerable, but also that it was exploited.

[Figure 4: STRM Series annotations on normalized Juniper device events]

Compliance and Policy

Scenario: An internal user scans for services on port 443 using nmap. Once the user finds an interesting device, one that happens to be governed by a particular compliance regulation, the user tries to connect to it. After a number of failed login attempts, the user is finally successful. Subsequent policy-violating activity includes launching and using peer-to-peer traffic in a bandwidth-sensitive area of the network. Juniper firewalls and IDP Series products correctly identify the relevant firewall accepts and network scanning information. STRM Series correlation ties together the authentication failures followed by success, as well as the discovery of out-of-policy application traffic.
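The "failed logins followed by a successful login" control from this scenario (and from the Compliance Requirements section earlier), as an added example that is not Juniper's code: a stateful rule that keeps a per-(source, target) window of recent authentication failures and raises a Suspicious alert when a success arrives after the threshold is reached. The input events are constructed for this example, already normalized into (timestamp, source, target, outcome) form; the threshold of three failures and the five-minute window are assumptions that an operator would tune.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta
from typing import Deque, Dict, List, Tuple

# Constructed, already-normalized Authentication events: (timestamp, source, target, outcome).
# Illustrative only; they stand in for what the STRM Series holds after normalizing
# firewall, VPN and IDP Series logs.
AUTH_EVENTS: List[Tuple[str, str, str, str]] = [
    ("2010-03-01 02:10:05", "10.1.1.44", "10.1.5.20", "failure"),
    ("2010-03-01 02:10:09", "10.1.1.44", "10.1.5.20", "failure"),
    ("2010-03-01 02:10:14", "10.1.1.44", "10.1.5.20", "failure"),
    ("2010-03-01 02:10:21", "10.1.1.44", "10.1.5.20", "success"),   # 3 failures then success: alert
    ("2010-03-01 08:00:00", "10.1.1.80", "10.1.5.20", "failure"),
    ("2010-03-01 08:20:00", "10.1.1.80", "10.1.5.20", "failure"),
    ("2010-03-01 08:21:00", "10.1.1.80", "10.1.5.20", "success"),   # first failure aged out: no alert
    ("2010-03-01 09:00:00", "10.1.1.90", "10.1.5.20", "success"),   # ordinary login: no alert
]

def detect_failed_then_success(events, threshold: int = 3, window_seconds: int = 300) -> List[dict]:
    """Emit a Suspicious alert when at least `threshold` failed logins from one source to one
    target are followed by a successful login, counting only failures inside the window.
    Threshold and window are assumptions; on the STRM Series they are operator-configured."""
    window = timedelta(seconds=window_seconds)
    recent: Dict[Tuple[str, str], Deque[datetime]] = defaultdict(deque)
    alerts: List[dict] = []
    for ts_str, src, dst, outcome in sorted(events, key=lambda e: e[0]):
        ts = datetime.strptime(ts_str, "%Y-%m-%d %H:%M:%S")
        failures = recent[(src, dst)]
        while failures and ts - failures[0] > window:     # expire failures outside the window
            failures.popleft()
        if outcome == "failure":
            failures.append(ts)
        elif outcome == "success":
            if len(failures) >= threshold:
                alerts.append({
                    "category": "Suspicious",
                    "src": src,
                    "dst": dst,
                    "failures": len(failures),
                    "first_failure": failures[0],
                    "success_at": ts,
                })
            failures.clear()                               # a success closes the sequence
    return alerts

if __name__ == "__main__":
    for alert in detect_failed_then_success(AUTH_EVENTS):
        print(alert)
```

The window matters as much as the threshold: without expiry, two failures an hour apart followed by a success would count the same as a rapid-fire attempt, and the rule would fire on ordinary typo-then-retry behavior. Keying the state on (source, target) rather than on source alone keeps a user who mistypes a password on one server from being blamed for a later success on another.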

[Figure 5: STRM Series offense summary screen]

Summary

The combination of the Juniper Networks product portfolio and STRM Series data collection, normalization and correlation helps customers detect threats they would otherwise miss, respond to the right threats at the right time, implement appropriate compliance and policy controls, and above all maximize the value of their existing Juniper investments.

Appendix A: Two-Phased Correlation and Analysis of Juniper Security Events: Event Management and Offense Management

The STRM Series essentially puts the network and security information it receives from Juniper products through two distinct layers of correlation and analysis. The first deals with the management and processing of raw events within the Event Processor. The second deals with the creation and management of offenses within the Offense Manager.

Phase 1: Event Management Determines the Severity of the Event

The STRM Series has thousands of out-of-the-box normalization and correlation rules that it applies as it processes events from Juniper devices. It performs unique correlations depending on the category of the event. The purpose of event processing and management is to answer the following question: In the context of current network activity and asset posture, how severe is this event?

[Figure 6: STRM Series internal processing of Juniper security events and flows. Events from the firewall, ISG Series/SSG Series, SA Series, NSM, IC Series and IDP Series, together with network anomaly events, enter the STRM Series Event Processor, which routes them to the Recon, DoS, Authentication, Exploit and Malware correlation groups and the Custom Rule Engine. Asset profiles, passive network knowledge, and J-Flow and Profiler data feed the tests; results go to DB storage and on to offense management with additional network flow content.]

An Event Processor processes the security events that the STRM Series collects, correlates the information, assigns a category to each Juniper device event, and distributes it to the appropriate Correlation Group for processing. (See the event categories listed under Centralized Log Collection, Analysis and Reporting, above.) The correlation groups perform tests on the events to determine factors such as vulnerability data, relevance of the targets, and importance or credibility of the events. For each event category, the correlation group determines the correlation rules (tests) that are performed on each event, then performs each test and assigns each a score within a fixed range. Once all tests are complete, the test results are weighted and the data for the event appears in the event viewer. The STRM Series network analysis of J-Flow from Juniper routers, and the resultant knowledge, empower many of the correlation tests that are performed within the Event Processor. Correlation tests also leverage asset information that is gathered from the NSM Profiler. These tests ensure that events are more accurately and correctly judged based on a complete knowledge of the customer's network and security infrastructure.

Note: The symbol ** denotes tests that are uniquely available to the STRM Series through J-Flow-enabled contextual network knowledge.

- Device credibility: A credibility rating can be applied to each device, allowing users to associate credibility with the device based on the level of trust in the device and the validity of the events it produces. For example, a highly tuned IDP Series in front of a key server may have a credibility of seven, while a newly installed IDP Series outside the corporate network may have a credibility of three.
- Event rate: Determines if the event rate of this event type is greater than normal. This is determined on a category-by-category basis.
- **Attacker: Determines if the attacker is one of the configured assets within the network.
- **Target: Determines if the target is one of the configured assets within the network.
- Source port: Determines if the source port is less than 1024. If the port is less than 1024, the attacker may be attempting to fool a stateless firewall.
- **Attacker age: Determines the relative importance of how long the attacker has been known to the system. If the attacker is new, its relevance increases.
- **Target age: Determines the relative importance of how long the target has been known to the system.
- **Attacker network: Determines the relative importance of the attacker network.
- **Target network: Determines the relative importance of the target network.
- Target port: Determines if the target port is included in the list of most attacked ports provided by incidents.org data.
- **Attacker risk: Determines the overall risk assessment value for the attacker based on the asset profile data.
- **Target risk: Determines the overall risk assessment value for the target.
- Time of the attack: Determines the time of the attack. For example, if the attack occurs in the middle of the night, which is deemed to be a low-traffic time, this indicates a higher relevance of the attack.
- **Vulnerable targeted port: If the port is open, determines if the targeted port is vulnerable to the current exploit.
- Vulnerable port: Determines if the port is vulnerable to any type of attack or exploit.
- **Open target port: Determines if the target port is open.
- **Remote target: Determines if the target network is defined as a remote network within the STRM Series.
- **Geographic location: Determines the relative importance of the geographic location of the target.
- **Remote attacker: Determines if the attacker network is defined as a remote network in the STRM Series views.
- Attacker IP address: Determines if the attacker IP address is included in the list of IP addresses that are highlighted as suspicious.

The results of the Correlation Group tests appear as annotations within the offenses and event categories that are viewed from the STRM Series dashboard. These annotations are a simple description of why groups of events, or offenses, have been escalated or assigned a higher priority than others. The STRM Series also applies custom rules to additional events for specific incident recognition. Once it has completed these activities, the Event Processor stores the event in a database and, in some circumstances, performs real-time flow analysis on network traffic associated with that event or target asset. For example: events are received indicating a DDoS attack, and the target's asset profile indicates that the targeted port is open. The STRM Series performs network flow analysis (on J-Flow data) for five minutes on all flows between the attacker and the target, as well as on other flows being sent out from the target of the attack. The Event Processor then delivers the event information to the Offense Manager, which creates offenses and subsequently displays them in the STRM Series console.
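The Phase 1 tests above, as an added example that is not Juniper's code and does not reproduce the STRM Series' actual weighting: a scorer that runs a subset of the listed tests (device credibility, source port below 1024, remote attacker, attacker age, target existence and value, most-attacked port, open port, vulnerable targeted port, time of attack) against an event and an asset profile, returning a score together with the annotations that explain it. The asset profiles, device credibility ratings, the "local" prefix, the most-attacked port list and every weight are assumptions made for this example; the same exploit is scored against a vulnerable host, a host with the port closed and a host that does not exist, which is what makes the ordering visible.

```python
from dataclasses import dataclass
from datetime import datetime
from typing import Dict, List, Set, Tuple

@dataclass
class Asset:
    ip: str
    open_ports: Set[int]
    vulns: Dict[int, Set[str]]   # port -> attack names the host is known to be vulnerable to
    weight: int                  # assumed business value, 1-10
    first_seen_days: int         # how long the asset has been known to the system

@dataclass
class Event:
    device: str
    category: str
    name: str
    src: str
    dst: str
    src_port: int
    dst_port: int
    time: datetime

# Assumed per-device credibility ratings (the note's example: a tuned IDP Series in front
# of a key server at 7, a newly installed one at 3); unknown devices get 5.
DEVICE_CREDIBILITY = {"idp-dmz": 7, "idp-new": 3}
LOCAL_PREFIXES = ("10.",)                                                   # assumed local networks
MOST_ATTACKED_PORTS = {21, 22, 23, 25, 80, 135, 139, 443, 445, 1433, 3389}  # assumed list

# Constructed asset profiles standing in for J-Flow, Profiler and VA scanner knowledge.
ASSETS: Dict[str, Asset] = {
    "10.1.1.5": Asset("10.1.1.5", {80, 443}, {80: {"HTTP:OVERFLOW:CHUNKED-ENCODING"}}, 8, 200),
    "10.1.1.6": Asset("10.1.1.6", {22}, {}, 3, 200),
}

# Constructed events: the same exploit against a vulnerable host, a host with port 80
# closed, and a host the system has never seen, all at 03:00.
SAMPLE_EVENTS = [
    Event("idp-dmz", "Exploit", "HTTP:OVERFLOW:CHUNKED-ENCODING", "198.51.100.7", dst, 80, 80,
          datetime(2010, 3, 1, 3, 0))
    for dst in ("10.1.1.5", "10.1.1.6", "10.9.9.9")
]

def is_local(ip: str) -> bool:
    return ip.startswith(LOCAL_PREFIXES)

def run_correlation_tests(ev: Event, assets: Dict[str, Asset]) -> Tuple[float, List[str]]:
    """Apply the Phase 1 style tests to one event; returns (score, annotations)."""
    notes: List[str] = []
    cred = DEVICE_CREDIBILITY.get(ev.device, 5)                  # device credibility
    notes.append(f"device credibility {cred}")
    score = float(cred)
    if ev.src_port < 1024:                                       # source port
        notes.append("source port < 1024 (possible stateless-firewall spoofing)")
        score += 1
    if not is_local(ev.src):                                     # remote attacker
        notes.append("remote attacker")
        score += 1
    attacker = assets.get(ev.src)
    if attacker is not None and attacker.first_seen_days < 1:    # attacker age
        notes.append("attacker newly seen")
        score += 1
    target = assets.get(ev.dst)
    if target is None:                                           # target: not a configured asset
        notes.append("target not a known asset")
        return score * 0.25, notes                               # assumed: relevance mostly collapses
    notes.append(f"target weight {target.weight}")               # target risk / asset value
    score += target.weight
    if ev.dst_port in MOST_ATTACKED_PORTS:                       # target port
        notes.append("target port on most-attacked list")
        score += 1
    if ev.dst_port in target.open_ports:                         # open target port
        notes.append("target port open")
        score += 2
        if ev.name in target.vulns.get(ev.dst_port, set()):      # vulnerable targeted port
            notes.append("target vulnerable to this exploit")
            score += 4
    else:
        notes.append("target port closed")
        score -= 2
    if ev.time.hour < 6 or ev.time.hour >= 22:                   # time of the attack
        notes.append("off-hours activity")
        score += 1
    return score, notes

def prioritize(events: List[Event], assets: Dict[str, Asset]) -> List[Tuple[float, str, List[str]]]:
    """Score every event and return (score, target, annotations) tuples, highest first."""
    scored = []
    for ev in events:
        score, notes = run_correlation_tests(ev, assets)
        scored.append((score, ev.dst, notes))
    return sorted(scored, key=lambda s: s[0], reverse=True)

if __name__ == "__main__":
    for score, dst, notes in prioritize(SAMPLE_EVENTS, ASSETS):
        print(f"{score:6.2f} {dst:12} {'; '.join(notes)}")
```

The point to take from the ordering is that the identical IDP signature lands three places apart depending only on what the asset profile says about the target, and that the annotations carry the reason, so an analyst reading the offense later does not have to rerun the reasoning by hand.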

Phase 2: Creating and Managing Offenses with the Offense Manager

The STRM Series Offense Manager brings together the security events, asset profiles/vulnerabilities and traffic flows, relating them to policy violations, misuse and threats to your business. It is within the Offense Manager that the true benefits of converging network and security knowledge from Juniper devices can be seen, as opposed to more traditional security management technologies. Offenses bring together events and network flows that may span time or network location. They are a complete record of all security events, network transactions and additional contextual information (derived from correlation tests) observed during an attack.

The magnitude that the Judicial System Logic (JSL) assigns to an individual offense is the metric that highlights the most important offenses within the network. Magnitude is a consistent measurement throughout the STRM Series, and it is applied to the individual event categories that end up creating an offense. The magnitude, represented on a scale of 0-10, is the result of combining three different criteria, severity, credibility and relevance, as they apply to monitored information.

- Severity: Indicates the amount of threat an attacker poses in relation to how prepared the target is for the attack. This value is mapped to an event category that is correlated to the offense.
- Credibility: Indicates the integrity or validity of an offense as determined by the credibility rating of the devices reporting the individual security events. Credibility can increase as multiple sources report the same event.
- Relevance: Determines the significance of an event or offense in terms of how the target asset has been valued within the network. For example, attacks against customer databases are more relevant than the same attacks directed against print servers.

An offense is initially created from knowledge of an attacker, a target network (or asset), events and a period of time. Thousands of security and network events (often from different categories) may indicate one offense against a network or asset. The magnitude of an offense can be modified at any time due to real-time changes observed within the network and also the analysis that the Offense Manager performs on incoming events. Using the elements of severity, credibility and relevance, the STRM Series associates the Juniper device events from the Event Processor with an offense and passes them through a number of different Offense Analysis Modules. The results of each module contribute weight to the overall severity, credibility and relevance of the entire offense. As a result, the overall magnitude of the offense either increases or decreases. The following Offense Analysis Modules are applied to events as they enter the STRM Series Judicial System Logic.

- Aggregation: The aggregator rolls up events into their designated offenses.
- Target Event Analysis: For security events that are targeted at local assets (remote-to-local or local-to-local attacks), this analysis function weighs the number of reported events, the number of targets reported in the events, and the number of relevant targets that actually exist within the network. This weighting contributes to the overall relevance of an attack (for example, if only 20 percent of the reported targets actually exist within the network, the relevance is lowered). For remote-to-remote or local-to-remote attacks, the number of relevant targets that exist is unknown, so only the number of reported targets and the number of events can be weighted.
- Flow Context Analysis: If the STRM Series performs flow context analysis on an event in the Event Processor, this next analysis layer contributes relevance and severity to that output based on the targeted network and the observed change in the target's communication patterns.
- Defense Perspectives Analysis: The number of distinct types of security devices (such as IDP Series, ISG Series and firewalls) that are being monitored and the number of total instances (two firewalls, two ISG Series and one IDP Series) are weighted in order to contribute a credibility factor to the events that make up an offense.

Figure 7: STRM Series offense processing (diagram: Juniper events from the Event Processor enter the Offense Manager and pass through the Offense Analysis Modules, namely Aggregator, Target Event, Flow Context, Defense Perspectives, Offense Chain, Custom Rules, Offense Describer, Predictive Analysis, Security and Policy, and Offense Annotation, producing the offense magnitude from severity, credibility and relevance, shown in the Offense Manager in the STRM Series console)

Offense Chaining Analysis: The STRM Series analysis links attackers to their targets. This shows how many offenses a particular attacker is part of, as well as how many of the attacker's targets have now become attackers themselves (such as during worm or virus propagation). This contributes a relevance factor to the offense.

Custom Rules Engine (CRE) Analysis: If the administrator configures custom rules, this module associates those offense rules with the notification options that exist within the STRM Series.

Offense Description: In this analysis module, low-level event categories (assigned in the Event Processor) are organized according to time sequence and made available as a summary of the offense (for example, Recon followed by DDoS, followed by a buffer overflow on a server).

Predictive Analysis: This module creates the "threat under" value of an asset and the "threat posed" value of an attacker. Based on 15-minute intervals, the threat under calculation is assigned to an asset as a result of the severity, credibility and relevance of events directed toward it. The threat posed calculation is based on the severity, credibility and relevance of the offense itself. These values decay over time (every interval in which an attacker or target is not seen reduces the value).

Security and Policy Event Analysis: This analysis module names and annotates Sentries from the STRM Series network behavioral analysis engine (where security or policy anomalies are detected).

Offense Annotation: Additional annotations or offense context are added within this final analysis module, including:
- Rate analysis
- The magnitude of an attacker (which contributes to the attacker's overall history)
- Any modifications or descriptions that are appended to an offense based on the CRE

Offenses populate the STRM Series console, and it is from this console view that STRM Series administrators should derive their understanding of, and manage their response to, issues within the network and security infrastructure. All annotations that occur as a result of the Offense Analysis Modules are appended to the offense and can be read as a simple description of how the offense's magnitude has been increased or decreased by its passage through each module.

The end result of the STRM Series two-phased correlation and analysis of Juniper information is that events are "smartened" based on contextual knowledge gathered from the Profiler about network assets, and from J-Flow about network activity. These events are then intelligently associated with offenses, and the offenses are in turn smartened by a weighted analysis of all the information they contain. Administrators are therefore presented with information that is more accurate, more concise, better prioritized and more actionable.
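As an added illustration that is not part of this application note and does not reproduce Juniper's Judicial System Logic, the following Python model shows how severity, credibility and relevance can be combined into a 0-10 magnitude, and how the Aggregation, Target Event Analysis, Defense Perspectives and Predictive Analysis modules described above would each move that score. The module weights, the equal-weight combination, the 20 percent decay per unseen 15-minute interval, the asset values and the event records are all assumptions constructed for the example.

```python
"""Toy model of offense magnitude built from severity, credibility and relevance.

Hypothetical illustration only: the weights and formulas are assumptions chosen
to show the mechanics the text describes, not Juniper STRM's actual JSL.
"""
from dataclasses import dataclass, field
from typing import Dict, List

SCALE_MAX = 10.0          # magnitude and its three components live on a 0-10 scale
DECAY_PER_INTERVAL = 0.8  # assumed: value retained per 15-minute interval unseen


def clamp(value: float) -> float:
    return max(0.0, min(SCALE_MAX, value))


@dataclass
class Event:
    attacker: str
    target: str
    category: str
    severity: float     # 0-10, assigned to the event category in Phase 1
    device_type: str    # e.g. "idp", "firewall"
    device_id: str      # a specific monitored instance


@dataclass
class Offense:
    attacker: str
    events: List[Event] = field(default_factory=list)
    annotations: List[str] = field(default_factory=list)
    severity: float = 0.0
    credibility: float = 0.0
    relevance: float = 0.0

    @property
    def magnitude(self) -> float:
        """Combined 0-10 score; equal weighting of the three parts is an assumption."""
        return round((self.severity + self.credibility + self.relevance) / 3, 1)


def aggregate(events: List[Event]) -> Dict[str, Offense]:
    """Aggregator module: roll events up into one offense per attacker."""
    offenses: Dict[str, Offense] = {}
    for ev in events:
        offenses.setdefault(ev.attacker, Offense(ev.attacker)).events.append(ev)
    return offenses


def target_event_analysis(off: Offense, assets: Dict[str, float]) -> None:
    """Weigh reported targets against assets that actually exist (remote-to-local).

    `assets` maps IP -> asset value 0-10 (customer DB high, print server low).
    Relevance falls with the share of reported targets that do not exist.
    """
    targets = {ev.target for ev in off.events}
    existing = [t for t in targets if t in assets]
    fraction = len(existing) / len(targets)
    mean_value = sum(assets[t] for t in existing) / len(existing) if existing else 0.0
    off.severity = clamp(max(ev.severity for ev in off.events))
    off.relevance = clamp(round(fraction * mean_value, 2))
    off.annotations.append(
        f"{len(existing)}/{len(targets)} reported targets exist; relevance={off.relevance:.1f}")


def defense_perspectives(off: Offense) -> None:
    """More distinct device types and more instances reporting -> more credibility."""
    types = {ev.device_type for ev in off.events}
    instances = {ev.device_id for ev in off.events}
    off.credibility = clamp(2.0 * len(types) + 1.0 * len(instances))  # assumed weights
    off.annotations.append(
        f"{len(types)} device types / {len(instances)} instances; credibility={off.credibility:.1f}")


def threat_posed(off: Offense, intervals_unseen: int) -> float:
    """Predictive analysis: the attacker's threat-posed value decays per interval unseen."""
    return round(off.magnitude * DECAY_PER_INTERVAL ** intervals_unseen, 1)


def score_offenses(events: List[Event], assets: Dict[str, float]) -> Dict[str, Offense]:
    """Run the modelled modules in order and return the annotated offenses."""
    offenses = aggregate(events)
    for off in offenses.values():
        target_event_analysis(off, assets)
        defense_perspectives(off)
    return offenses


# Constructed sample data (not from the page): asset values and normalized events.
ASSETS = {"10.0.0.5": 10.0, "10.0.0.9": 2.0}   # customer database, print server
EVENTS = [
    Event("198.51.100.7", "10.0.0.5", "Exploit", 8.0, "idp", "idp-1"),
    Event("198.51.100.7", "10.0.0.9", "Exploit", 8.0, "firewall", "fw-1"),
    Event("198.51.100.7", "10.0.0.77", "Exploit", 8.0, "firewall", "fw-2"),
    Event("198.51.100.7", "10.0.0.78", "Exploit", 8.0, "firewall", "fw-2"),
    Event("198.51.100.7", "10.0.0.79", "Exploit", 8.0, "firewall", "fw-2"),
    Event("203.0.113.4", "10.0.0.5", "Exploit", 8.0, "idp", "idp-1"),
]

if __name__ == "__main__":
    for off in score_offenses(EVENTS, ASSETS).values():
        print(off.attacker, off.magnitude, off.annotations, threat_posed(off, 2))
```

With the constructed data, the attacker that hit five hosts of which only two exist scores lower (2 of 5 targets exist, so relevance is cut to 40 percent of the mean asset value) than the attacker whose single event landed on the customer database, even though the first offense carries more events and more reporting devices; that is the prioritization effect the text describes.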

Appendix B
Deployment Steps

Summary of Integration Steps (refer to the STRM Series Admin Guide and relevant Juniper device guides for full deployment instructions):

1. Deploy the STRM Series management appliances within the network. Ideally, the STRM Series appliances should be located with other key management servers. The STRM Series is centrally managed by a secure, browser-based interface that supports full role-based access control, well suited for use in an NOC or an SOC.

2. Direct security log and event data from Juniper security products, including firewalls, SA Series, ISG Series, SSG Series, IC Series, Juniper Networks NSM and IDP Series, to the STRM Series. Consult your device-specific instructions for syslog export.

3. Note that the STRM Series will auto-detect event streams from Juniper devices and begin processing events without requiring any configuration at the STRM Series admin console. Direct other heterogeneous security logs and events to the STRM Series if applicable.

4. Direct NetFlow or J-Flow surveillance data from Juniper routers to the STRM Series management appliance. Routers will need to be configured to send either a NetFlow Data Export (NDE) or a J-Flow export to the STRM Series appliance. These export sources provide a Layer 4 analysis of traffic, with applications being identified from the TCP port. Direct other NetFlow-compliant devices to the STRM Series if necessary.

5. Import pre-existing information about the network assets that already exists within the NSM Profiler (see Appendix C for information).

Appendix C
STRM Series Integration with NSM Profiler

The integration between the STRM Series and NSM allows the STRM Series to take advantage of information that has been collected from across the network through IDP Series sensors. The NSM Profiler data is integrated into the STRM Series in two ways:

1. This data contributes to the asset profiles contained inside of the STRM Series, allowing users to view detailed profiles of individual hosts. Users can now view the OS, open port and corresponding service information collected by the Profiler database inside of the STRM Series, on demand or by scheduling future scans. By combining this host data with known vulnerability information collected through vulnerability scanners, the STRM Series is able to greatly reduce the number of false positives and offer greater detail on valid network incidents.

2. Any IP address within the STRM Series can be queried against the relevant NSM Profiler directly from the STRM Series console. This integration speeds forensic investigation and provides a richer set of information about the asset in question.
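To show the kind of record Appendix C describes (per-host OS, open ports and services from the Profiler, combined with vulnerability-scanner findings) and how such records let a correlation engine set aside events aimed at ports a host does not expose, here is an added Python example. It is not Juniper code and does not use the profilerdb schema; the row layouts, hosts, ports, services and the VULN-PLACEHOLDER identifiers are constructed for the example, and the relevance weights are assumptions.

```python
"""Build per-port asset records from profiler-style host rows plus scanner
findings, then grade an event's target against them.

Hypothetical illustration: the row shapes are constructed and are not the NSM
profilerdb tables; only the idea (one record per host and port, enriched with
vulnerability knowledge, used to weed out false positives) follows the text.
"""
from typing import Dict, List, Optional, Tuple

# Constructed sample rows standing in for OS/port/service data collected by
# IDP Series sensors. Hosts and services are invented for the example.
PROFILER_ROWS: List[dict] = [
    {"host": "10.0.0.5", "os": "Linux", "port": 3306, "proto": "tcp", "service": "mysql"},
    {"host": "10.0.0.5", "os": "Linux", "port": 22, "proto": "tcp", "service": "ssh"},
    {"host": "10.0.0.9", "os": "Windows", "port": 9100, "proto": "tcp", "service": "jetdirect"},
]

# Constructed scanner findings; the vuln ids are placeholders, not real identifiers.
SCANNER_FINDINGS: List[dict] = [
    {"host": "10.0.0.5", "port": 3306, "proto": "tcp", "vuln_id": "VULN-PLACEHOLDER-1"},
]

PortKey = Tuple[int, str]


def build_asset_db(rows: List[dict], findings: List[dict]) -> Dict[str, dict]:
    """One asset per host; inside it one record per (port, proto) pair."""
    db: Dict[str, dict] = {}
    for r in rows:
        asset = db.setdefault(r["host"], {"os": r["os"], "ports": {}})
        asset["ports"][(r["port"], r["proto"])] = {"service": r["service"], "vulns": []}
    for f in findings:
        asset = db.get(f["host"])
        if asset is None:
            continue  # scanner saw a host the profiler never did; not merged here
        rec = asset["ports"].setdefault((f["port"], f["proto"]),
                                        {"service": None, "vulns": []})
        rec["vulns"].append(f["vuln_id"])
    return db


def grade_target(db: Dict[str, dict], target: str, port: int,
                 proto: str = "tcp", requires_os: Optional[str] = None) -> str:
    """Classify how well an event's target matches what the asset db knows.

    `requires_os` is the OS the reported attack category applies to, if any.
    """
    asset = db.get(target)
    if asset is None:
        return "unknown_host"          # no such asset: likely a false positive
    if requires_os and asset["os"] != requires_os:
        return "os_mismatch"           # attack cannot apply to this platform
    rec = asset["ports"].get((port, proto))
    if rec is None:
        return "port_not_open"         # host does not expose the targeted service
    if rec["vulns"]:
        return "open_and_vulnerable"   # highest relevance: known weakness exposed
    return "open_not_vulnerable"


# Assumed relevance weights (0-10) for each grade.
RELEVANCE = {
    "unknown_host": 0.0,
    "os_mismatch": 1.0,
    "port_not_open": 2.0,
    "open_not_vulnerable": 6.0,
    "open_and_vulnerable": 10.0,
}


def target_relevance(db: Dict[str, dict], target: str, port: int,
                     proto: str = "tcp", requires_os: Optional[str] = None) -> float:
    return RELEVANCE[grade_target(db, target, port, proto, requires_os)]


if __name__ == "__main__":
    db = build_asset_db(PROFILER_ROWS, SCANNER_FINDINGS)
    for host, port in [("10.0.0.5", 3306), ("10.0.0.5", 80), ("10.0.0.77", 80)]:
        print(host, port, grade_target(db, host, port), target_relevance(db, host, port))
```

An event reporting an attack on 10.0.0.5 port 80 is graded port_not_open because the Profiler never saw that service there, while the same attack on port 3306 lands on a known-vulnerable service and gets full relevance; this is the asset-aware filtering that lets the console surface valid incidents ahead of noise.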

Figure 8: STRM Series integration with NSM Profiler (right click)
Figure 9: IDP Series profiler data displayed from the STRM Series

Technical Notes:
The STRM Series interacts with NSM through the profilerdb Postgres database. Data is queried from the corresponding tables to create individual records on a per-port basis for each host. The results are fed into the STRM Series asset database and the transfer is complete. The STRM Series queries the following tables: os, host, profile, value and context.

About Juniper Networks
Juniper Networks, Inc. is the leader in high-performance networking. Juniper offers a high-performance network infrastructure that creates a responsive and trusted environment for accelerating the deployment of services and applications over a single network. This fuels high-performance businesses. Additional information can be found at

Corporate and Sales Headquarters
Juniper Networks, Inc.
North Mathilda Avenue
Sunnyvale, CA USA
Phone: 888.JUNIPER ( ) or
Fax:

APAC Headquarters
Juniper Networks (Hong Kong)
26/F, Cityplaza One
1111 King's Road
Taikoo Shing, Hong Kong
Phone:
Fax:

EMEA Headquarters
Juniper Networks Ireland
Airside Business Park
Swords, County Dublin, Ireland
Phone:
EMEA Sales:
Fax:

To purchase Juniper Networks solutions, please contact your Juniper Networks representative at or authorized reseller.

Copyright 2010 Juniper Networks, Inc. All rights reserved. Juniper Networks, the Juniper Networks logo, Junos, NetScreen, and ScreenOS are registered trademarks of Juniper Networks, Inc. in the United States and other countries. All other trademarks, service marks, registered marks, or registered service marks are the property of their respective owners. Juniper Networks assumes no responsibility for any inaccuracies in this document. Juniper Networks reserves the right to change, modify, transfer, or otherwise revise this publication without notice. EN May Printed on recycled paper


More information

THE SIX ESSENTIAL CAPABILITIES OF AN ANALYTICS-DRIVEN SIEM

THE SIX ESSENTIAL CAPABILITIES OF AN ANALYTICS-DRIVEN SIEM THE SIX ESSENTIAL CAPABILITIES OF AN ANALYTICS-DRIVEN SIEM Modern threats demand analytics-driven security and continuous monitoring Legacy SIEMs are Stuck in the Past Finding a mechanism to collect, store

More information

Introduction to Network Discovery and Identity

Introduction to Network Discovery and Identity The following topics provide an introduction to network discovery and identity policies and data: Host, Application, and User Detection, on page 1 Uses for Host, Application, and User Discovery and Identity

More information

Securing the Empowered Branch with Cisco Network Admission Control. September 2007

Securing the Empowered Branch with Cisco Network Admission Control. September 2007 Securing the Empowered Branch with Cisco Network Admission Control September 2007 Presentation_ID 2006 Cisco Systems, Inc. All rights reserved. 1 Contents 1 The Cisco Empowered Branch 2 Security Considerations

More information

TRUE SECURITY-AS-A-SERVICE

TRUE SECURITY-AS-A-SERVICE TRUE SECURITY-AS-A-SERVICE To effectively defend against today s cybercriminals, organizations must look at ways to expand their ability to secure and maintain compliance across their evolving IT infrastructure.

More information

Un SOC avanzato per una efficace risposta al cybercrime

Un SOC avanzato per una efficace risposta al cybercrime Un SOC avanzato per una efficace risposta al cybercrime Identificazione e conferma di un incidente @RSAEMEA #RSAEMEASummit @masiste75 Mauro Costantini - Presales Consultant Agenda A look into the threat

More information

Comprehensive Network Access Control Based on the Network You Have Today. Juniper Networks Unified Access Control

Comprehensive Network Access Control Based on the Network You Have Today. Juniper Networks Unified Access Control Comprehensive Network Access Control Based on the Network You Have Today Juniper Networks Unified Access Control Juniper Networks Unified Access Control Juniper Networks IC 4000 Juniper Networks IC 6000

More information

Symantec Network Access Control Starter Edition

Symantec Network Access Control Starter Edition Simplified endpoint compliance Overview makes it easy to begin implementing a network access control solution. It offers a subset of Symantec Network Access Control functionality that can be completely

More information

EMERGING THREATS & STRATEGIES FOR DEFENSE. Paul Fletcher Cyber Security

EMERGING THREATS & STRATEGIES FOR DEFENSE. Paul Fletcher Cyber Security EMERGING THREATS & STRATEGIES FOR DEFENSE Paul Fletcher Cyber Security Evangelist @_PaulFletcher Threats by Customer Environment Cloud Environment On Premise Environment 1.96% 0.13% 0.02% application-attack

More information

IBM Global Technology Services Provide around-the-clock expertise and protect against Internet threats.

IBM Global Technology Services Provide around-the-clock expertise and protect against Internet threats. IBM Global Technology Services Provide around-the-clock expertise and protect against Internet threats. Enhancing cost to serve and pricing maturity Keeping up with quickly evolving ` Internet threats

More information

Trend Micro and IBM Security QRadar SIEM

Trend Micro and IBM Security QRadar SIEM Trend Micro and IBM Security QRadar SIEM Ellen Knickle, PM QRadar Integrations Robert Tavares, VP IBM Strategic Partnership February 19, 2014 1 Agenda 1. Nature of the IBM Relationship with Trend Micro

More information

AKAMAI CLOUD SECURITY SOLUTIONS

AKAMAI CLOUD SECURITY SOLUTIONS AKAMAI CLOUD SECURITY SOLUTIONS Whether you sell to customers over the web, operate data centers around the world or in the cloud, or support employees on the road, you rely on the Internet to keep your

More information

A Unified Threat Defense: The Need for Security Convergence

A Unified Threat Defense: The Need for Security Convergence A Unified Threat Defense: The Need for Security Convergence Udom Limmeechokchai, Senior system Engineer Cisco Systems November, 2005 1 Agenda Evolving Network Security Challenges META Group White Paper

More information

Cisco ASA 5500 Series IPS Solution

Cisco ASA 5500 Series IPS Solution Cisco ASA 5500 Series IPS Product Overview As mobile devices and Web 2.0 applications proliferate, it becomes harder to secure corporate perimeters. Traditional firewall and intrusion prevention system

More information

Network Security: Firewall, VPN, IDS/IPS, SIEM

Network Security: Firewall, VPN, IDS/IPS, SIEM Security: Firewall, VPN, IDS/IPS, SIEM Ahmet Burak Can Hacettepe University abc@hacettepe.edu.tr What is a Firewall? A firewall is hardware, software, or a combination of both that is used to prevent unauthorized

More information

SIEMLESS THREAT MANAGEMENT

SIEMLESS THREAT MANAGEMENT SOLUTION BRIEF: SIEMLESS THREAT MANAGEMENT SECURITY AND COMPLIANCE COVERAGE FOR APPLICATIONS IN ANY ENVIRONMENT Evolving threats, expanding compliance risks, and resource constraints require a new approach.

More information

CIH

CIH mitigating at host level, 23 25 at network level, 25 26 Morris worm, characteristics of, 18 Nimda worm, characteristics of, 20 22 replacement login, example of, 17 signatures. See signatures SQL Slammer

More information

IPS-1 Robust and accurate intrusion prevention

IPS-1 Robust and accurate intrusion prevention Security Check Point security solutions are the marketleading choice for securing the infrastructure. IPS-1 Robust and accurate intrusion prevention Today s s operate in an environment that is ever changing,

More information

RSA Solution Brief. The RSA Solution for VMware. Key Manager RSA. RSA Solution Brief

RSA Solution Brief. The RSA Solution for VMware. Key Manager RSA. RSA Solution Brief RSA Solution Brief The RSA Solution for VMware View: Managing Securing the the Lifecycle Virtual of Desktop Encryption Environment Keys with RSA Key Manager RSA Solution Brief 1 According to the Open Security

More information

Asset Discovery with Symantec Control Compliance Suite WHITE PAPER

Asset Discovery with Symantec Control Compliance Suite WHITE PAPER Asset Discovery with Symantec Control Compliance Suite WHITE PAPER Who should read this paper: IT Operations IT Security Abstract Know Your Assets, Know Your Risk. A robust and easily managed host discovery

More information

Intrusion prevention systems are an important part of protecting any organisation from constantly developing threats.

Intrusion prevention systems are an important part of protecting any organisation from constantly developing threats. Network IPS Overview Intrusion prevention systems are an important part of protecting any organisation from constantly developing threats. By using protocol recognition, identification, and traffic analysis

More information

INCIDENTRESPONSE.COM. Automate Response. Did you know? Your playbook overview - Elevation of Privilege

INCIDENTRESPONSE.COM. Automate Response. Did you know? Your playbook overview - Elevation of Privilege Automate Response Congratulations on selecting IncidentResponse.com to retrieve your custom incident response playbook guide. This guide has been created especially for you for use in within your security

More information

RSA IT Security Risk Management

RSA IT Security Risk Management RSA IT Security Risk Adding Insight to Security March 18, 2014 Wael Jaroudi GRC Sales Specialist 1 Where is Security Today? Companies have built layer upon layer of security, but is it helping? Complexity

More information

Barracuda Advanced Threat Protection. Bringing a New Layer of Security for . White Paper

Barracuda Advanced Threat Protection. Bringing a New Layer of Security for  . White Paper Barracuda Advanced Threat Protection Bringing a New Layer of Security for Email White Paper Evolving Needs for Protection Against Advanced Threats IT security threats are constantly evolving and improving,

More information

SOLUTION BROCHURE. Mobility Changes Everything

SOLUTION BROCHURE. Mobility Changes Everything SOLUTION BROCHURE Simply Connected The New Campus Network Mobility Changes Everything Simply Connected Vision The challenge of the new business network is expectations: Expectations of solving long-standing

More information