Software Defined Secure Networks

Presentation transcript:

Software Defined Secure Networks José Fidel Tomás – fidel.tomas@juniper.net

Trends Impacting Enterprise Security

Threats

Advanced adversaries and emerging threat actors. Our adversaries are professional: they are motivated and well skilled. In some cases they represent new classes of threat actors like nation states, not just script kiddies looking for fame or notoriety. Further, our adversaries don’t have to play by the same rules and in many cases can be more innovative than we, the defenders, can be.

Infrastructure monoculture vulnerabilities. The Internet is remarkably resilient given some of its fragile underpinnings. We continue to see widespread, at-scale, Internet-level vulnerabilities that aren’t easily patched away, and the exposure is huge. When “everyone” uses a specific piece of code or functionality and a vulnerability is discovered (responsibly disclosed or not), it’s a mad scramble to try and understand and mitigate the risk.

Cloud. Cloud computing is an amazing operational model and platform that allows for rapid innovation. That same platform is being (ab)used by adversaries to deliver massively scalable and disruptive attacks that cost them very little and allow for maximal damage.

Zero days and targeted attacks. Attacks aren’t just brute, blunt-force trauma, nor are the sophisticated attacks one-dimensional. In many cases advanced adversaries are leveraging zero-day attacks that they create, or even buy on the open market, to attack not only infrastructure but to specifically target users and people and exploit the trust models which give them access to the information they desire.

Adaptive and advanced malware. A favorite tool of the bad guys is malware, and it’s getting smarter, more evasive, and much more difficult to find, let alone stop.
Examples have been found where malware can intelligently evade solutions by turning off AV, detecting whether it is in a virtualized sandbox environment and not activating, or even emulating legitimate user behavior to disguise or distract from nefarious activities. In many cases, traditional security mechanisms are not enough to prevent exfiltration of sensitive data.

Industry

Virtualized service delivery. As services and applications become more agile, cloud-based and distributed, the industry is evolving to provide both physical and virtual security services. SDN/NFV are examples where software-defined environments require software-delivered security. There are some very specific and nuanced requirements in virtualized service delivery: it’s not just “we’ll take a physical firewall and make a virtual version of it” and call it a day. Performance, management, policy enforcement, footprint, etc. all matter.

Automation and orchestration integration. To that last point about virtualization: the physical and virtual components in a network, and especially security components, need the context, configuration, state and connectivity telemetry to enable the most specific, effective and coordinated security policy enforcement across these virtualized and cloud environments. That means that solutions MUST connect to the orchestration systems used to deploy applications and infrastructure, and MUST be automated.

Native cloud services and offload. When you use the words “cloud” and “security” together, besides the discussions around privacy, the discussion usually revolves around 1) deploying solutions IN the cloud to protect the cloud itself (native cloud services) or 2) using the cloud or cloud services to offload and/or provide security services, either in addition to or replacing CPE solutions.
Big Data / security analytics. The need to go beyond simple log analysis or correlation is being driven by the complexity of our environments as well as the huge amount of data that exists in their operation. Using technologies and approaches such as Big Data to deliver analytics, which takes data and turns it into intelligent, actionable INFORMATION, is critical. So instead of isolated devices…

API-driven. Looking at what we’ve discussed so far, from cloud, to automation and DevOps, to the way in which adversaries are using agile and hostile methods to quickly infiltrate our infrastructure, requiring the network to leverage automated and AUTONOMIC responses to detected anomalies and threats is critical. As such, when something is detected we can’t wait for a human to fire up a CLI or GUI, so the requirement across infrastructure, including security, is that EVERYTHING can be managed via API to allow for a programmatic manner of interacting with solutions. This is huge and a big change from the way in which we have managed our solutions, especially security.

Infrastructure

Hybrid cloud and micro-perimeterization. Our customers (service providers, cloud/content providers, and enterprises) are ALL building clouds or using clouds that others provide.
But “cloud” will really emerge to define a hybrid model where public and private clouds are interconnected (across many layers) using infrastructure-, platform- and software-as-a-service models. This means that how we apply security policy needs to be attached to the workload and/or the information it traffics in. The perimeter is not that one boundary between the inside and outside of your DC network; rather, everything (a machine, a VM, an app, a mobile device) is its own “microperimeter” [we could use “microsegmentation” here as VMware does].

Bring your own everything. It’s not just devices that users and employees are bringing into the workplace now; it’s devices, applications, ways of using external applications and ways of working: the BYOE movement. Thus, protecting or managing on a “device” basis doesn’t and won’t work in isolation.

The Internet of Everything. Now everything has an IP address and connects to or talks with the Internet: your phone, TV, refrigerator, lightbulbs, baby monitors, security systems. There have been compromises of these IoE devices: washing machines used to send SPAM, video cameras used to mine Bitcoin.

Focus on resilience, recovery and incident response. There’s a move from detection and prevention to resilience, recovery and incident response. It’s not that defense or prevention isn’t important, but in many cases it’s an acceptance that despite our best efforts, we are already compromised. It’s not “if” you’re going to suffer a breach, it’s “when”, and how you’re going to respond. It’s important to be able to quickly recover and stem additional impact, and the network, and its security capabilities, are important here. In many cases it’s about not just finding a needle in a haystack, but a needle in a needle stack!
DevOps. All this technology, innovation, and agility, enabled by cloud, is driving a new model of operations: DevOps, a cooperative model where the existing silos of IT are broken down and environments become more heavily automated, iterative and ultimately instrumented, which allows functional groups to work together and leverage a more programmatic way of deploying applications and infrastructure together, as code. It’s a fundamental restructuring of how IT is done and is driving a huge change across our customer base.

Slide columns: THREAT SOPHISTICATION / CLOUD / INFRASTRUCTURE. Zero day attacks; advanced, persistent, targeted attacks; adaptive malware; virtualization and SDN; applications, data, management in the cloud; application proliferation; hybrid cloud deployments growing; device proliferation and BYOD; IoT and big everywhere.

Perimeter Oriented Security. Hyper-connected Network; Security at Perimeter; Outside (Untrusted); Internal (Trusted); Complex Security Policies; Lateral Threat Propagation; Limited Visibility. Gartner tracks 21 categories for security.

In the past, “security” was layered on top of the network. Built on a perimeter model, devices at the edge of networks served as the primary means of defense for all types of threats. The foundation was based on both a trusted and untrusted model: trust what’s inside the network, don’t trust what is outside coming in. Perimeter firewalls were stateless, then stateful. As time and threat complexity progressed, next-gen firewalls were introduced to provide protection against application-layer threats. Since those early days, the threat landscape has dramatically changed, which has also changed how and where we need to deploy security in the network. Threats continue to evolve and we continue to add features to the perimeter, but that is not enough. Security hackers are now highly organized units meant for serious financial gain. Technical proof point of what can be done by Juniper: threat data from Vz report, etc. 60% of breaches were from admin errors.

----- Meeting Notes (12/28/15 13:57) ----- disband this slide: roll trust and firewall into previous slide.

Software Defined Secure Network Delivers Zero Trust Security Model. Perimeter Secure Network; Outside (Untrusted); Internal (Also Untrusted); Simplified Security Policy; Block Lateral Threat Propagation; Comprehensive Visibility.

Transformation to Software Defined Secure Networks. AV, NGFW, Sandbox, IDS, IPS, Deception, Analytics, NAT: uncoordinated and firewall focused → orchestrated, holistic system encompassing security + infrastructure.

Today, solutions in the market are uncoordinated and focused on the firewall. They can’t stop the lateral spread of an attack in the network. Trying to secure everything ends up not being more secure (for instance, trying to use endpoint protection and the firewall for east-west traffic). SDSN is a complete transformation from deploying a myriad of network security tools, each with its own policy, detection and enforcement, to a holistic security system that unifies detection and enforcement and globalizes policy.

Software Defined Secure Network. Your Enterprise Network (Campus & Branch, DC, Public Cloud, Private); Cloud-based Threat Defense; Threat Intelligence; Dynamic and Adaptive Policy Engine; Policy, Detection, Enforcement.

Policy: create and centrally manage security policy through a user-intent-based system.
Detection: unify and rate threat intelligence from multiple sources.
Enforcement: enforce policy in near real time across the network, with the ability to adapt to network changes.

Software Defined Secure Networks (SDSN) Unified Security Platform. Security Director + Policy Enforcement Orchestrator (policy enforcement, visibility, automation); Third Party Threat Intel; Juniper Cloud: Sky Advanced Threat Prevention (ATP); SRX Physical Firewall; vSRX Virtual Firewall; MX Routers*; EX & QFX Switches; Third Party Elements*. DETECTION / POLICY / ENFORCEMENT.

Detection: fast, effective protection from advanced threats; integrated threat intelligence.
Policy: adaptive enforcement to firewalls, switches, 3rd-party devices and routers; robust visibility and management.
Enforcement: consistent protection across physical/virtual; open and programmable environment.

*Roadmap, subject to change. Network as a single enforcement domain: every element is a policy enforcement point.

Sky ATP in Action

What is Sky Advanced Threat Prevention
The SRX extracts potentially malicious objects and files and sends them to the cloud for analysis.
Known malicious files are quickly identified and dropped before they can infect a host.
Multiple techniques identify new malware, adding it to the Known Bad list and reporting it to SecOps.
Correlation between newly identified malware and known C&C sites aids analysis.
The SRX blocks known malicious file downloads and outbound C&C traffic.
Juniper Cloud: Sky Advanced Threat Prevention (Cloud Sandbox w/ Deception, Static Analysis, ATP). Customer: SRX.

Sky Advanced Threat Prevention in action

The ATP verdict chain. Staged analysis: combining rapid response and deep analysis.
Suspect files enter the analysis chain in the cloud.
1. Cache lookup (~1 second): files we’ve seen before are identified and a verdict immediately goes back to the SRX.
2. Anti-virus scanning (~5 seconds): multiple AV engines return a verdict, which is then cached for future reference.
3. Static analysis (~30 seconds): the static analysis engine does a deeper inspection, with the verdict again cached for future reference.
4. Dynamic analysis (~7 minutes): dynamic analysis in a custom sandbox leverages deception and provocation techniques to identify evasive malware.
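The point of the chain is the ordering: each stage is more expensive than the last, a conclusive verdict at any stage stops the chain, and every verdict is cached by file hash so a resubmission of the same bytes is answered at the cache step. The following is an added example, not Juniper code: the stage engines (a substring "signature" match, an entropy threshold, and a behaviour set standing in for a sandbox recording) are constructed stand-ins, the per-stage costs are the approximate timings quoted on the slide, and `Sample`, `Verdict` and `VerdictChain` are names invented here.

```python
import hashlib
import math
from collections import Counter
from dataclasses import dataclass, field

# Approximate per-stage cost in seconds, taken from the timings quoted on the slide.
STAGE_COST = {"cache": 1, "av": 5, "static": 30, "dynamic": 7 * 60}

# Constructed stand-ins for the real engines; none of this is Sky ATP's detection logic.
AV_SIGNATURES = [b"EICAR-STANDARD-ANTIVIRUS-TEST-FILE"]   # the public AV test marker
ENTROPY_SUSPICIOUS = 7.2          # packed or encrypted payloads sit near 8.0 bits/byte
BAD_BEHAVIOURS = {"drop_pe", "disable_av", "c2_beacon"}


@dataclass
class Sample:
    data: bytes
    # Behaviours a sandbox run would record for this file; constructed for the example,
    # since no real sandbox is attached here.
    sandbox_behaviours: set = field(default_factory=set)


@dataclass
class Verdict:
    label: str      # "clean" or "malicious"
    stage: str      # stage that produced the verdict
    elapsed: int    # seconds spent in the chain before the verdict was available


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte: 0.0 for empty/uniform content up to 8.0 for random bytes."""
    if not data:
        return 0.0
    counts = Counter(data)
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def av_stage(sample: Sample):
    """A signature hit is conclusive; no hit is not, so the file escalates (None)."""
    if any(sig in sample.data for sig in AV_SIGNATURES):
        return "malicious"
    return None


def static_stage(sample: Sample):
    """Unpacked, low-entropy content is cleared here; packed content escalates."""
    if shannon_entropy(sample.data) < ENTROPY_SUSPICIOUS:
        return "clean"
    return None


def dynamic_stage(sample: Sample):
    """The last, most expensive stage always decides, from the recorded behaviour."""
    if sample.sandbox_behaviours & BAD_BEHAVIOURS:
        return "malicious"
    return "clean"


class VerdictChain:
    """Runs the stages cheapest-first and caches every verdict by file hash."""

    STAGES = (("av", av_stage), ("static", static_stage), ("dynamic", dynamic_stage))

    def __init__(self):
        self.cache = {}   # sha256 hex digest -> (label, stage that decided)

    def analyse(self, sample: Sample) -> Verdict:
        digest = hashlib.sha256(sample.data).hexdigest()
        elapsed = STAGE_COST["cache"]
        if digest in self.cache:                     # stage 1: seen before
            label, stage = self.cache[digest]
            return Verdict(label, f"cache({stage})", elapsed)
        for name, stage in self.STAGES:              # stages 2-4, in cost order
            elapsed += STAGE_COST[name]
            label = stage(sample)
            if label is not None:
                self.cache[digest] = (label, name)   # cached for the next submission
                return Verdict(label, name, elapsed)
        raise RuntimeError("dynamic stage must always return a verdict")


if __name__ == "__main__":
    chain = VerdictChain()
    packed = Sample(bytes(range(256)) * 16, {"long_sleep", "drop_pe"})
    print(chain.analyse(packed))   # decided by the dynamic stage after 456 s
    print(chain.analyse(packed))   # same bytes again: answered from the cache after 1 s
```

Note that the AV and static stages only return a verdict when they are sure: the AV stage never clears a file on the absence of a signature, and the static stage never convicts on entropy alone. That asymmetry is what keeps false negatives from being cached cheaply and is the reason the expensive sandbox stage still exists.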

Anti-Virus: First Pass

Static Analysis: Pulling apart the code

Dynamic Analysis: Sandboxing. Inside a custom sandbox environment:
1. Spool up a live desktop.
2. Hook into the OS to record everything.
3. Upload and execute the suspect file.
4. Apply Sky’s deception and provocation techniques (the full run takes approximately 7 minutes).
5. Download the activity recording for analysis.
6. Tear down the live desktop.
7. Generate a verdict with machine learning.
At release: Windows 7. Future: Windows 8, 10, Android, Linux, other.

Machine Learning. Digging through massive piles of data: letting machines do what machines do best. This is unknown → “feature” analysis → these are good / these are bad → verdict. The final verdict is based on how much a new example resembles the known good or known bad samples. By comparing many features across large data sets, we can deliver very accurate results.

Deception and Provocation. Juniper’s Sky Advanced Threat Prevention looks for over 300 different malware behaviors and includes over 50 different deception techniques to provoke malware into revealing itself. Deception: convince it it’s on a valid target to get a reaction. Provocation: poke it with a stick and see how it reacts.

Sandboxing: Behavioral Analysis. Behaviors recorded during the sandbox run: allocate large chunks of memory; long sleep times; document exploit; launch processes in debugging mode; create mutex; drop PE; create temporary files; read .ini files; create files in user directory.
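The machine-learning slide and this behaviour list together describe one mechanism: the recorded behaviours become features, and the verdict is a resemblance measure against known-good and known-bad samples. The block below is an added illustration of that idea, not Sky ATP’s classifier: it uses the nine behaviours from the slide as boolean features, a tiny constructed labelled corpus, Jaccard similarity as the resemblance measure, and a similarity-weighted vote over the three nearest known samples. A run that resembles nothing in the corpus is reported as "unknown" rather than forced into good or bad, matching the "This is unknown" box on the slide.

```python
from collections import Counter

# The behaviours listed on the slide, used here as boolean features of one sandbox run.
FEATURES = (
    "alloc_large_memory",      # allocate large chunks of memory
    "long_sleep",              # long sleep times
    "document_exploit",        # document exploit
    "launch_debug_mode",       # launch processes in debugging mode
    "create_mutex",            # create mutex
    "drop_pe",                 # drop PE
    "create_temp_files",       # create temporary files
    "read_ini",                # read .ini files
    "create_user_dir_files",   # create files in user directory
)

# Constructed labelled corpus: the behaviours recorded for known-good and known-bad runs.
# A real system holds a very large set of these; six entries are enough to show the idea.
KNOWN = [
    ({"drop_pe", "create_mutex", "long_sleep", "alloc_large_memory"}, "bad"),
    ({"document_exploit", "drop_pe", "launch_debug_mode"}, "bad"),
    ({"drop_pe", "create_temp_files", "create_mutex", "long_sleep"}, "bad"),
    ({"create_mutex", "read_ini", "create_user_dir_files"}, "good"),
    ({"read_ini", "create_temp_files"}, "good"),
    ({"create_user_dir_files", "create_temp_files", "create_mutex"}, "good"),
]


def to_vector(behaviours):
    """Map a set of recorded behaviours onto a fixed-order 0/1 feature vector."""
    unknown = set(behaviours) - set(FEATURES)
    if unknown:
        raise ValueError(f"behaviours outside the feature set: {sorted(unknown)}")
    return tuple(int(f in behaviours) for f in FEATURES)


def jaccard(a, b):
    """Resemblance of two binary vectors: shared features over features set in either."""
    inter = sum(1 for x, y in zip(a, b) if x and y)
    union = sum(1 for x, y in zip(a, b) if x or y)
    return inter / union if union else 1.0


def verdict(behaviours, k=3):
    """Similarity-weighted vote of the k most similar known samples.

    Returns (label, confidence). Zero total similarity, or an exact tie between
    good and bad, yields "unknown" instead of a guess.
    """
    v = to_vector(behaviours)
    ranked = sorted(((jaccard(v, to_vector(s)), label) for s, label in KNOWN), reverse=True)
    weight = Counter()
    for sim, label in ranked[:k]:
        weight[label] += sim
    total = weight["good"] + weight["bad"]
    if total == 0 or weight["good"] == weight["bad"]:
        return "unknown", 0.0
    label = "bad" if weight["bad"] > weight["good"] else "good"
    return label, round(weight[label] / total, 2)


if __name__ == "__main__":
    print(verdict({"drop_pe", "long_sleep", "create_mutex"}))   # ('bad', 0.88)
    print(verdict({"read_ini", "create_user_dir_files"}))       # ('good', 1.0)
    print(verdict(set()))                                       # ('unknown', 0.0)
```

Two things in this toy carry over to real deployments. First, individually benign behaviours (creating a mutex, reading .ini files) appear in both classes, so the verdict has to come from the combination, not from any single feature. Second, the "unknown" path matters: a sample that the corpus cannot place is a signal to collect more evidence, not a clean bill of health.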

Licensing Model. Sky ATP offers a “Freemium” model with 1YR and 3YR software subscription SKUs.
FREE: available on any SRX with a valid contract; no license installation required (‘zero friction’); comprehensive analysis and reporting (executables only); infected host feed; inline blocking.
PREMIUM: purchase a 1/3 YR subscription; ALL “FREE” features PLUS comprehensive analysis and reporting (executables, PDF, MS Office, Java, Flash, etc.); comprehensive feeds for full protection.

SDSN DEPLOYMENT SCENARIOS

SDSN Deployment Scenarios
Campus & Branch: quarantine infected end points; BYOD and device-profile-based access control.
Data Center: micro-segmentation; consistent security for private and hybrid-cloud SDN-based workloads.
Service Provider: Mobile Edge Gateway; Gi Firewall.

Campus Network: Infected Host Workflow
POLICY: policy defined in the Policy Engine: “Infected Hosts with Threat Level >8 should be quarantined”.
DETECTION: Sky ATP threat feeds; 3rd-party feeds; custom feeds (e.g. Attivo, Vectra).
ENFORCEMENT: access and aggregation switches quarantine the infected host (switch ACLs); SRX policy enforcement (SRX policy & feeds) on the SRX Series cluster.
Diagram: Internet; CAMPUS; Core / Distribution; Access; SD, ND; SDSN Policy Engine; Threat Feeds; SKY ATP.
Customer benefit: block data loss from infected hosts automatically; lateral spread of malware blocked; let security teams leverage the endpoint security solution to remediate the infection.
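The workflow has three moving parts: feeds from several sources that each score hosts on their own scale, a policy engine that unifies them into one threat level per host, and enforcement that pushes the resulting action to every enforcement point (switch ACL and SRX policy). The following is an added example of that unify-then-enforce step, not Juniper’s Policy Engine: the feed names, the normalisation of each feed onto a 0-10 level, the 24-hour freshness window, and the action tuples are all assumptions made for the example, and the feed entries are constructed.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone


@dataclass(frozen=True)
class FeedEntry:
    source: str        # which feed reported it, e.g. "sky_atp" or "custom_0_100"
    host: str          # the infected host's address
    score: float       # in the feed's own scale
    seen: datetime     # when the feed last observed the host


# Each feed scores on its own scale; the engine normalises all of them onto the 0-10
# threat level the policy speaks in. Both mappings are assumptions for this example.
NORMALISERS = {
    "sky_atp": lambda score: float(score),       # assumed to be 0-10 already
    "custom_0_100": lambda score: score / 10.0,  # constructed feed scoring 0-100
}

MAX_AGE = timedelta(hours=24)   # entries older than this no longer drive enforcement


def unify(entries, now):
    """Rate every host once: the highest normalised level across its fresh feed entries."""
    levels = {}
    for entry in entries:
        if now - entry.seen > MAX_AGE:
            continue                                  # stale intelligence is ignored
        if entry.source not in NORMALISERS:
            raise ValueError(f"no normaliser for feed {entry.source!r}")
        level = NORMALISERS[entry.source](entry.score)
        level = max(0.0, min(10.0, level))            # clamp a badly behaved feed
        levels[entry.host] = max(levels.get(entry.host, 0.0), level)
    return levels


@dataclass(frozen=True)
class Intent:
    """'Infected Hosts with Threat Level >8 should be quarantined', held as data."""
    threshold: float = 8.0
    action: str = "quarantine"


def enforce(levels, intent=Intent()):
    """Turn the intent into one action per enforcement point for each matching host.

    Both the switch ACL and the SRX policy are pushed, so the host is cut off at the
    access layer and at the firewall. The (point, host, action) format is constructed.
    """
    actions = []
    for host, level in sorted(levels.items()):
        if level > intent.threshold:
            actions.append(("switch_acl", host, intent.action))
            actions.append(("srx_policy", host, intent.action))
    return actions


# Constructed snapshot of what the feeds reported at one moment.
NOW = datetime(2016, 1, 1, 12, 0, tzinfo=timezone.utc)
SAMPLE_ENTRIES = [
    FeedEntry("sky_atp", "10.0.0.5", 9, NOW - timedelta(hours=1)),
    FeedEntry("custom_0_100", "10.0.0.5", 50, NOW - timedelta(hours=2)),   # lower, ignored
    FeedEntry("sky_atp", "10.0.0.7", 7, NOW - timedelta(hours=1)),         # below threshold
    FeedEntry("custom_0_100", "10.0.0.9", 95, NOW - timedelta(minutes=5)), # 9.5 after scaling
    FeedEntry("sky_atp", "10.0.0.11", 10, NOW - timedelta(days=2)),        # stale, dropped
]


def run_sample():
    """Unify the constructed feeds and enforce the default intent; returns both results."""
    levels = unify(SAMPLE_ENTRIES, NOW)
    return levels, enforce(levels)


if __name__ == "__main__":
    levels, actions = run_sample()
    print(levels)
    for action in actions:
        print(action)
```

Taking the maximum across feeds is a deliberate choice: one high-confidence source is enough to quarantine, and a lower score from a second feed must not dilute it. The freshness window is the other edge a practitioner wants handled, since a stale feed entry that keeps a host quarantined is the kind of error that makes operators disable automation.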

Data Center Micro-segmentation
POLICY: policies defined in the Policy Engine: 1) “IT Applications cannot access Finance Applications even if they share same VLAN”; 2) traffic in and out of infected applications should be logged.
DETECTION: 3rd-party feeds; SKY ATP (Sky detection applicable for the infected-applications scenario, #2 above).
ENFORCEMENT: security groups “IT Apps” and “Fin Apps”; VM-related traffic controls enforced in vSRX; physical-to-physical traffic controls in access/aggregation switches (switch ACLs); SDN controller provisions vSRX in the service chain.
Diagram: Internet; DATA CENTER; perimeter SRX cluster; internal SRX cluster; DMZ VLAN (IT Web, Fin Web, vSRX); IT App, Fin App; DB_VLAN (IT DB, Fin DB); SDSN Policy Engine; threat feeds.
Customer benefit: block East-West traffic to limit the attack surface; support physical servers as well as virtualized applications; infected-status-based actions (monitor, block, quarantine).

Service Provider: Mobile Edge Computing
POLICY: policy defined in the Policy Engine: “Attacks from infected mobile devices should be blocked in Mobile Hub site”.
DETECTION: Sky infected host feed; 3rd-party feeds; SRX data sent to Sky.
ENFORCEMENT: Contrail provisions vSRX in the service chain; traffic from infected mobiles dropped by vSRX; policy enforcement on vSRX; policy update for service chain requirements (dynamic service chain w/ vSRX, Contrail Service Orchestrator).
Diagram: MOBILE SP NETWORK; MOBILE HUB SITE; SDSN Policy Engine; 3rd-party feeds; SKY ATP.
Customer benefit: block data loss from infected hosts automatically; lateral spread of malware blocked; let security teams leverage the endpoint security solution to remediate the infection.

Thank you