1
Software Defined Secure Networks
José Fidel Tomás –
2
Trends Impacting Enterprise Security
Threats

Advanced adversaries and emerging threat actors. Our adversaries are professional: they are motivated and well skilled. In some cases they represent new classes of threat actors, like nation states, not just script kiddies looking for fame or notoriety. Further, our adversaries don't have to play by the same rules and in many cases can be more innovative than we, the defenders, can be.

Infrastructure monoculture vulnerabilities. The Internet is remarkably resilient given some of its fragile underpinnings. We continue to see widespread, at-scale, Internet-level vulnerabilities that aren't easily patched away, and the exposure is huge. When "everyone" uses a specific piece of code or functionality and a vulnerability is discovered (responsibly disclosed or not), it's a mad scramble to try to understand and mitigate the risk.

Cloud. Cloud computing is an amazing operational model and platform that allows for rapid innovation. That same platform is being (ab)used by adversaries to deliver massively scalable and disruptive attacks that cost them very little and allow for maximal damage.

Zero days and targeted attacks. Attacks aren't just brute, blunt-force trauma, nor are the sophisticated attacks one-dimensional. In many cases advanced adversaries are leveraging zero-day attacks that they create, or even buy on the open market, to attack not only infrastructure but specifically to target users and exploit the trust models which give them access to the information they desire.

Adaptive and advanced malware. A favorite tool of the bad guys is malware, and it's getting smarter, more evasive, and much more difficult to find, let alone stop. Examples have been found where malware can intelligently evade solutions by turning off AV, detecting whether it is in a virtualized sandbox environment and not activating, or even emulating legitimate user behavior to disguise or distract from nefarious activities. In many cases, traditional security mechanisms are not enough to prevent exfiltration of sensitive data.

Industry

Virtualized service delivery. As services and applications become more agile, cloud-based and distributed, the industry is evolving to provide both physical and virtual security services; SDN/NFV are examples where software-defined environments require software-delivered security. There are some very specific and nuanced requirements in virtualized service delivery. It's not just "we'll take a physical firewall and make a virtual version of it" and call it a day: performance, management, policy enforcement, footprint, etc. all matter.

Automation and orchestration integration. To that last point about virtualization: the physical and virtual components in a network, and especially the security components, need the context, configuration, state and connectivity telemetry to enable the most specific, effective and coordinated security policy enforcement across these virtualized and cloud environments. That means that solutions MUST connect to the orchestration systems used to deploy applications and infrastructure, and MUST be automated.

Native cloud services and offload. When you use the words "cloud" and "security" together, besides the discussions around privacy, the discussion usually revolves around 1) deploying solutions IN the cloud to protect the cloud itself (native cloud services) or 2) using the cloud or cloud services to offload and/or provide security services, either in addition to or replacing CPE solutions.

Big Data / security analytics. The need to go beyond simple log analysis or correlation is being driven by the complexity of our environments as well as the huge amount of data that exists in their operation. Using technologies and approaches such as Big Data to deliver analytics, which take data and turn it into intelligent, actionable INFORMATION, is critical, instead of relying on isolated devices.

API-driven. Looking at what we've discussed so far, from cloud, to automation and DevOps, to the way in which adversaries are using agile and hostile methods to quickly infiltrate our infrastructure, requiring the network to leverage automated and AUTONOMIC responses to detected anomalies and threats is critical. As such, when something is detected, we can't wait for a human to fire up a CLI or GUI, so the requirement across infrastructure, including security, is that EVERYTHING can be managed via API to allow for a programmatic manner of interacting with solutions. This is huge and a big change from the way in which we have managed our solutions, especially security.

Infrastructure

Hybrid cloud and micro-perimeterization. Our customers (service providers, cloud/content providers, and enterprises) are ALL building clouds or using clouds that others provide. But "cloud" will really emerge to define a hybrid model where public and private clouds are interconnected (across many layers) using infrastructure-, platform- and software-as-a-service models. This means that how we apply security policy needs to be attached to the workload and/or the information it traffics in. It means that the perimeter is not that one boundary between the inside and the outside of your DC network; rather, everything (a machine, a VM, an app, a mobile device) is its own "microperimeter". [We could use "microsegmentation" here as VMware does.]

Bring your own everything. It's not just devices that users and employees are bringing into the workplace now; it's devices, applications, ways of using external applications and ways of working. It's the BYOE movement. Thus, protecting or managing on a "device" basis doesn't and won't work in isolation.

The Internet of Everything. Now everything has an IP address and connects to or talks with the Internet: your phone, TV, refrigerator, lightbulbs, baby monitors, security systems. There have been compromises of these IoE devices: washing machines used to send spam, video cameras used to mine Bitcoin.

Focus on resilience, recovery and incident response. There's a move from detection and prevention to resilience, recovery and incident response. It's not that defense or prevention isn't important, but in many cases it's an acceptance that despite our best efforts, we are already compromised. It's not "if" you're going to suffer a breach, it's "when", and how you're going to respond. It's important to be able to quickly recover and stem additional impact, and the network, and its security capabilities, are important here. In many cases it's not just about finding a needle in a haystack, but a needle in a needle stack!

DevOps. All this technology, innovation, and agility, enabled by cloud, is driving a new model of operations: DevOps, a cooperative model where the existing silos of IT are broken down and environments become more heavily automated, iterative and ultimately instrumented. This allows functional groups to work together and leverage a more programmatic way of deploying applications and infrastructure together, as code. It's a fundamental restructuring of how IT is done and is driving a huge change across our customer base.

Slide text:
THREAT SOPHISTICATION: Zero day attacks; Advanced, persistent, targeted attacks; Adaptive malware
CLOUD: Virtualization and SDN; Applications, data, management in the cloud; Application proliferation; Hybrid cloud deployments growing
INFRASTRUCTURE: Device proliferation and BYOD; IoT and big everywhere
3
Perimeter Oriented Security
- Hyper-connected Network
- Security at Perimeter
- Outside (Untrusted)
- Internal (Trusted)
- Complex Security Policies
- Lateral Threat Propagation
- Limited Visibility

Gartner tracks 21 categories for security. In the past, "security" was layered on top of the network. Built on a perimeter model, devices at the edge of networks served as the primary means of defense for all types of threats. The foundation was based on a trusted and untrusted model: trust what's inside the network, don't trust what is outside coming in. Perimeter firewalls were stateless, then stateful. As time and threat complexity progressed, next-gen firewalls were introduced to provide protection against application-layer threats. Since those early days, the threat landscape has dramatically changed, which has also changed how and where we need to deploy security in the network. Threats continue to evolve and we continue to add features to the perimeter, but that is not enough. Security hackers are now highly organized units meant for serious financial gain. Technical proof point of what can be done by Juniper: threat data from Vz report, etc. 60% of breaches were from admin errors.

----- Meeting Notes (12/28/15 13:57) -----
Disband this slide: roll trust and firewall into previous slide.
4
Software Defined Secure Network
Delivers Zero Trust Security Model
- Perimeter Secure Network
- Outside (Untrusted)
- Internal (Also Untrusted)
- Simplified Security Policy
- Block Lateral Threat Propagation
- Comprehensive Visibility
5
Transformation to Software Defined Secure Networks
Today's solutions in the market are uncoordinated and focused on the firewall. They can't stop the spread of an attack laterally in the network. Organizations are trying to secure everything and in the end are not more secure (for example, trying to use endpoint protection and the firewall for east-west traffic). SDSN is a complete transformation from deploying a myriad of network security tools, each with its own policy, detection and enforcement, to a holistic security system that unifies detection and enforcement and globalizes policy.

Slide text: AV, NGFW, Sandbox, IDS, IPS, Deception, Analytics, NAT. Uncoordinated and firewall focused, versus an orchestrated, holistic system encompassing security + infrastructure.
6
Software Defined Secure Network
Your Enterprise Network: Campus & Branch, DC, Public Cloud, Private
Cloud-based Threat Defense; Threat Intelligence; Dynamic and Adaptive Policy Engine

Policy: Create and centrally manage security policy through a user-intent based system.
Detection: Unify and rate threat intelligence from multiple sources.
Enforcement: Enforce policy in near real time across the network, with the ability to adapt to network changes.
7
Software Defined Secure Networks (SDSN) Unified Security Platform
DETECTION: Juniper Cloud Sky Advanced Threat Prevention (ATP); Third Party Threat Intel
POLICY: Security Director + Policy Enforcement Orchestrator (policy enforcement, visibility, automation)
ENFORCEMENT: SRX Physical Firewall; vSRX Virtual Firewall; MX Routers*; EX & QFX Switches; Third Party Elements*

Detection: Fast, effective protection from advanced threats; integrated threat intelligence
Policy: Adaptive enforcement to firewalls, switches, 3rd party devices and routers; robust visibility and management
Enforcement: Consistent protection across physical/virtual; open and programmable environment

*Roadmap, subject to change
Network as a single enforcement domain: every element is a policy enforcement point.
8
Sky ATP in Action
9
What is Sky Advanced Threat Prevention?
- SRX extracts potentially malicious objects and files and sends them to the cloud for analysis
- Known malicious files are quickly identified and dropped before they can infect a host
- Multiple techniques identify new malware, adding it to the Known Bad list and reporting it to SecOps
- Correlation between newly identified malware and known C&C sites aids analysis
- SRX blocks known malicious file downloads and outbound C&C traffic

Diagram: Customer SRX sends files to the Juniper Cloud (Sky Advanced Threat Prevention: Cloud Sandbox w/ Deception, Static Analysis, ATP) and receives verdicts back.
10
Sky Advanced Threat Prevention in action
11
The ATP verdict chain
Staged analysis: combining rapid response and deep analysis

Suspect files enter the analysis chain in the cloud.
1. Cache lookup (~1 second): Files we've seen before are identified and a verdict immediately goes back to the SRX.
2. Anti-virus scanning (~5 seconds): Multiple AV engines return a verdict, which is then cached for future reference.
3. Static analysis (~30 seconds): The static analysis engine does a deeper inspection, with the verdict again cached for future reference.
4. Dynamic analysis (~7 minutes): Dynamic analysis in a custom sandbox leverages deception and provocation techniques to identify evasive malware.
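The staged chain above, as an added example that is not Juniper's code and not part of the slide deck: a Python verdict pipeline that keys a cache on the file's SHA-256, runs the cheap stages before the expensive ones, and caches every conclusive verdict so an identical file never re-enters a later stage. The stage names and nominal latencies follow the slide; the engines themselves (AV_SIGNATURES, static_analysis, SANDBOX_TRACE, dynamic_analysis) are constructed stand-ins, since the real ones are not on the page.

```python
"""Staged malware verdict chain: cheap, fast checks run first, the expensive
sandbox runs last, and every conclusive verdict is cached by file hash.

Added example, not Juniper's code. Stage names and nominal latencies follow the
slide; the checks themselves are constructed stand-ins for engines that are not
on the page.
"""
import hashlib
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional

# A stage returns "malicious" or "benign" when conclusive, or None to defer.
Check = Callable[[bytes], Optional[str]]


@dataclass
class Stage:
    name: str
    nominal_seconds: float  # per-stage latency quoted on the slide, for reporting only
    check: Check


@dataclass
class VerdictChain:
    stages: List[Stage]
    cache: Dict[str, tuple] = field(default_factory=dict)  # sha256 -> (verdict, stage)

    def analyse(self, data: bytes) -> dict:
        digest = hashlib.sha256(data).hexdigest()
        elapsed = 1.0  # stage 1: cache lookup (~1 s) happens for every file
        if digest in self.cache:
            verdict, origin = self.cache[digest]
            return {"verdict": verdict, "stage": "cache", "from": origin, "seconds": elapsed}
        for stage in self.stages:
            elapsed += stage.nominal_seconds
            verdict = stage.check(data)
            if verdict is not None:
                # Cache the verdict so an identical file never pays for this stage again.
                self.cache[digest] = (verdict, stage.name)
                return {"verdict": verdict, "stage": stage.name, "seconds": elapsed}
        # Nothing conclusive: do not cache, so a resubmission is re-analysed
        # once signatures or sandbox rules have been updated.
        return {"verdict": "unknown", "stage": None, "seconds": elapsed}


# --- constructed stand-in engines -------------------------------------------
AV_SIGNATURES = [b"CONSTRUCTED-MALWARE-SIGNATURE"]  # constructed, not a real signature


def av_scan(data: bytes) -> Optional[str]:
    # A signature match is conclusive; no match proves nothing, so defer.
    return "malicious" if any(sig in data for sig in AV_SIGNATURES) else None


def static_analysis(data: bytes) -> Optional[str]:
    # Constructed heuristic: plain text with no executable header is benign;
    # an executable referencing an injection-style API is malicious; else defer.
    if not data.startswith(b"MZ") and all(32 <= b < 127 or b in b"\r\n\t" for b in data):
        return "benign"
    if data.startswith(b"MZ") and b"CreateRemoteThread" in data:
        return "malicious"
    return None


# Constructed sandbox traces: the behaviours each sample showed when detonated.
SANDBOX_TRACE = {
    b"MZ\x90\x00 evasive-sample": ["long_sleep", "create_mutex", "drop_pe"],
    b"MZ\x90\x00 quiet-sample": ["read_ini"],
}
SUSPICIOUS = {"drop_pe", "create_mutex", "long_sleep", "debug_launch"}


def dynamic_analysis(data: bytes) -> Optional[str]:
    # Detonate (here: look up the constructed trace). No trace means the run
    # was inconclusive, so the file stays "unknown" rather than being cached.
    behaviours = SANDBOX_TRACE.get(data)
    if behaviours is None:
        return None
    hits = SUSPICIOUS.intersection(behaviours)
    return "malicious" if len(hits) >= 2 else "benign"


def build_chain() -> VerdictChain:
    return VerdictChain([
        Stage("antivirus", 5.0, av_scan),
        Stage("static", 30.0, static_analysis),
        Stage("dynamic", 7 * 60.0, dynamic_analysis),
    ])


if __name__ == "__main__":
    chain = build_chain()
    for sample in [b"hello world", b"junk CONSTRUCTED-MALWARE-SIGNATURE junk",
                   b"MZ\x90\x00 evasive-sample", b"MZ\x90\x00 evasive-sample"]:
        print(sample[:24], chain.analyse(sample))
```

The reported `seconds` value is the slide's nominal latency summed over the stages actually visited, which makes the effect of the cache visible: the second submission of the evasive sample returns in the cache-lookup time instead of the full seven-minute sandbox run.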
12
Anti-Virus: First Pass
13
Static Analysis: Pulling apart the code
14
Dynamic Analysis: Sandboxing
Inside a custom sandbox environment:
1. Spool up a live desktop
2. Hook into the OS to record everything
3. Upload and execute the suspect file
4. Apply Sky's deception and provocation techniques (the full run takes approximately 7 minutes)
5. Download the activity recording for analysis
6. Tear down the live desktop
7. Generate a verdict with machine learning

At release: Windows 7. Future: Windows 8, 10, Android, Linux, other.
15
Machine Learning
Digging through massive piles of data: letting machines do what machines do best

Diagram: "This is unknown" goes through "feature" analysis and is compared against "These are good" and "These are bad" to produce a verdict.

The final verdict is based on how much a new example resembles the known good or bad samples. By comparing many features across large data sets, we can deliver very accurate results.
16
Deception and Provocation
Juniper’s Sky Advanced Threat Prevention looks for over 300 different malware behaviors and includes over 50 different deception techniques to provoke malware into revealing itself. Deception: Convince it it’s on a valid target to get a reaction Provocation: Poke it with a stick and see how it reacts
17
Sandboxing: Behavioral Analysis
- Allocate large chunks of memory
- Long sleep times
- Document exploit
- Launch processes in debugging mode
- Create mutex
- Drop PE
- Create temporary files
- Read .ini files
- Create files in user directory
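The "resemblance to known good or bad samples" verdict from the machine-learning slide, applied to the behaviours listed on this slide as features, as an added example that is not Juniper's code or model: a similarity-weighted k-nearest-neighbour classifier over sets of observed sandbox behaviours. The feature names are taken from the slide; the labelled corpus (CORPUS) is constructed and tiny, standing in for the large data sets the slide refers to.

```python
"""Verdict by resemblance: a k-nearest-neighbour classifier over sandbox
behaviour features.

Added example, not Juniper's code or model. The feature names are the
behaviours listed on the "Sandboxing: Behavioral Analysis" slide; the labelled
corpus is constructed.
"""
from collections import Counter
from typing import Dict, FrozenSet, List, Tuple

FEATURES = (
    "alloc_large_memory", "long_sleep", "document_exploit", "debug_launch",
    "create_mutex", "drop_pe", "create_temp_files", "read_ini", "create_user_files",
)

# Constructed labelled corpus: behaviour sets of known-good and known-bad samples.
CORPUS: List[Tuple[FrozenSet[str], str]] = [
    (frozenset({"read_ini", "create_temp_files"}), "good"),
    (frozenset({"read_ini", "create_user_files"}), "good"),
    (frozenset({"create_temp_files", "create_user_files", "alloc_large_memory"}), "good"),
    (frozenset({"long_sleep", "create_mutex", "drop_pe"}), "bad"),
    (frozenset({"document_exploit", "drop_pe", "debug_launch"}), "bad"),
    (frozenset({"long_sleep", "drop_pe", "create_temp_files", "create_mutex"}), "bad"),
]


def jaccard(a: FrozenSet[str], b: FrozenSet[str]) -> float:
    """Overlap between two behaviour sets: |a & b| / |a | b|, 0 when both are empty."""
    union = a | b
    return len(a & b) / len(union) if union else 0.0


def classify(observed: set, corpus=CORPUS, k: int = 3) -> Dict[str, object]:
    """Verdict for an unknown sample from its k most similar labelled samples."""
    unknown = frozenset(f for f in observed if f in FEATURES)  # drop features we do not model
    # Rank every labelled sample by how much it resembles the unknown one.
    ranked = sorted(((jaccard(unknown, feats), label) for feats, label in corpus),
                    key=lambda t: t[0], reverse=True)
    neighbours = ranked[:k]
    # Similarity-weighted vote: a near-identical neighbour counts more than a distant one.
    weight = Counter()
    for sim, label in neighbours:
        weight[label] += sim
    total = sum(weight.values())
    if total == 0:
        # Nothing in the corpus resembles this sample at all: say so instead of guessing.
        return {"verdict": "unknown", "confidence": 0.0, "neighbours": neighbours}
    verdict, score = weight.most_common(1)[0]
    return {"verdict": verdict, "confidence": round(score / total, 3), "neighbours": neighbours}


if __name__ == "__main__":
    # Constructed traces of two new samples.
    print(classify({"long_sleep", "drop_pe", "create_mutex", "alloc_large_memory"}))
    print(classify({"read_ini", "create_user_files"}))
    print(classify(set()))
```

Two points a practitioner would check here: the vote is weighted by similarity, so one near-identical "bad" neighbour outweighs two weakly similar "good" ones, and a sample that resembles nothing in the corpus is reported as unknown rather than defaulting to a class. A production model would use many more features and a far larger corpus, which is exactly the "comparing many features across large data sets" point on the slide.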
18
Licensing Model
Sky ATP offers a "Freemium" model with 1YR and 3YR software subscription SKUs.

FREE
- Available on any SRX with a valid contract
- No license installation required ("zero friction")
- Comprehensive analysis and reporting, executables only
- Infected host feed
- Inline blocking

PREMIUM
- Purchase a 1 or 3 YR subscription
- ALL "FREE" features PLUS:
- Comprehensive analysis and reporting for executables, PDF, MS Office, Java, Flash, etc.
- Comprehensive feeds for full protection
19
SDSN DEPLOYMENT SCENARIOS
20
SDSN Deployment Scenarios
Campus & Branch: Quarantine infected end points; BYOD and device-profile based access control
Data Center: Micro-segmentation; Consistent security for private and hybrid-cloud SDN based workloads
Service Provider: Mobile Edge Gateway; Gi Firewall
21
Campus Network: Infected Host Workflow
POLICY: Policy defined in Policy Engine: "Infected Hosts with Threat Level >8 should be quarantined"
DETECTION: Sky ATP threat feeds; custom feeds (e.g. Attivo, Vectra); 3rd party feeds
ENFORCEMENT: Access and aggregation switches quarantine the infected host; SRX policy enforcement

Customer benefit:
- Block data loss from infected hosts automatically
- Lateral spread of malware blocked
- Let security teams leverage the endpoint security solution to remediate the infection

Diagram: Internet, SRX Series Cluster (SRX policy & feeds), Sky ATP (threat feeds), SDSN Policy Engine, SD ND, Campus core/distribution and access switches (switch ACLs).
22
Data Center Micro-segmentation
POLICY: Policy defined in Policy Engine: 1) "IT Applications cannot access Finance Applications even if they share the same VLAN"; 2) Traffic in and out of infected applications should be logged
DETECTION: 3rd party feeds; Sky ATP (Sky detection applies to the infected-applications scenario, #2 above)
ENFORCEMENT: VM-related traffic controls enforced in vSRX; physical-to-physical traffic controls in access/aggregation switches; SDN Controller provisions vSRX in the service chain

Customer benefit:
- Block East-West traffic to limit the attack surface
- Support physical servers as well as virtualized applications
- Infected-status based actions (monitor, block, quarantine)

Diagram: Internet, Data Center, Perimeter SRX Cluster, Internal SRX Cluster, vSRX (vSRX policy), DMZ VLAN (IT Web, Fin Web), IT App, Fin App, DB_VLAN (IT DB, Fin DB), Security Groups "IT Apps" and "Fin Apps", switch ACLs, threat feeds, SDSN Policy Engine, SDN Controller.
23
Service Provider: Mobile Edge Computing
POLICY: Policy defined in Policy Engine: "Attacks from infected mobile devices should be blocked in the Mobile Hub site"
DETECTION: Sky infected host feed; using 3rd party feeds; SRX data to Sky
ENFORCEMENT: Contrail provisions vSRX in the service chain; traffic from infected mobiles dropped by vSRX; policy enforcement on vSRX

Customer benefit:
- Block data loss from infected hosts automatically
- Lateral spread of malware blocked
- Let security teams leverage the endpoint security solution to remediate the infection

Diagram: Mobile SP Network, Mobile Hub Site, Sky ATP, SDSN Policy Engine (policy update for service chain requirements), Contrail Service Orchestrator, Dynamic Service Chain w/ vSRX, 3rd party feeds.
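The three deployment scenarios (campus infected-host quarantine, data-center micro-segmentation, and blocking infected mobile devices at the hub site) all run the same loop: feeds rate hosts, the policy engine evaluates a user-stated intent, and the decision is pushed to whichever element is the enforcement point for that endpoint. The added example below, which is not Juniper's code and not from the slide deck, implements that loop in Python for the intents quoted on the slides. Endpoints, addresses, feed entries and enforcement-point names (ENDPOINTS, FEEDS, access-switch-acl, vsrx-dc, vsrx-hub) are constructed.

```python
"""A user-intent policy engine: threat feeds drive quarantine, security groups
(not VLANs) drive segmentation, and each decision names its enforcement point.

Added example, not Juniper's code. The intents are the ones quoted on the
deployment-scenario slides; every host, address, feed entry and enforcement
point name here is constructed.
"""
from dataclasses import dataclass
from typing import Dict, List

QUARANTINE_THRESHOLD = 8  # "Infected Hosts with Threat Level >8 should be quarantined"

# Segmentation intent, keyed on workload group, never on VLAN:
# "IT Applications cannot access Finance Applications even if they share the same VLAN"
DENIED_GROUP_PAIRS = {("IT Apps", "Fin Apps")}


@dataclass(frozen=True)
class Endpoint:
    ip: str
    group: str              # workload identity: "IT Apps", "Fin Apps", "Campus Users", "Mobile"
    vlan: int
    enforcement_point: str  # element that enforces rules for this endpoint


@dataclass(frozen=True)
class FeedEntry:
    ip: str
    threat_level: int
    source: str  # constructed feed names: "sky-atp", "custom-feed"


class PolicyEngine:
    def __init__(self, endpoints: List[Endpoint], feeds: List[FeedEntry]):
        self.by_ip: Dict[str, Endpoint] = {e.ip: e for e in endpoints}
        # Rate each host by the highest level any feed reported for it.
        self.threat: Dict[str, int] = {}
        for f in feeds:
            self.threat[f.ip] = max(self.threat.get(f.ip, 0), f.threat_level)

    def infected(self, ip: str) -> bool:
        return self.threat.get(ip, 0) > QUARANTINE_THRESHOLD

    def quarantine_actions(self) -> List[dict]:
        """One action per host over the threshold, pushed to that host's own enforcement point."""
        actions = []
        for ip, level in sorted(self.threat.items()):
            ep = self.by_ip.get(ip)
            if ep is None or level <= QUARANTINE_THRESHOLD:
                continue
            actions.append({"action": "quarantine", "ip": ip, "threat_level": level,
                            "enforce_at": ep.enforcement_point})
        return actions

    def decide(self, src_ip: str, dst_ip: str) -> dict:
        """Flow decision: quarantined sources are dropped, denied group pairs are
        dropped even inside one VLAN, and traffic to an infected workload is logged."""
        src, dst = self.by_ip.get(src_ip), self.by_ip.get(dst_ip)
        if src is None or dst is None:
            return {"verdict": "drop", "reason": "unknown endpoint"}
        if self.infected(src_ip):
            return {"verdict": "drop", "reason": "source quarantined",
                    "enforce_at": src.enforcement_point}
        if (src.group, dst.group) in DENIED_GROUP_PAIRS:
            return {"verdict": "drop", "reason": f"{src.group} -> {dst.group} denied by intent",
                    "enforce_at": dst.enforcement_point, "same_vlan": src.vlan == dst.vlan}
        # "Traffic in and out of infected applications should be logged"
        return {"verdict": "permit", "log": self.infected(dst_ip), "enforce_at": dst.enforcement_point}


# Constructed inventory and feed data.
ENDPOINTS = [
    Endpoint("10.1.1.10", "Campus Users", 100, "access-switch-acl"),
    Endpoint("10.1.1.11", "Campus Users", 100, "access-switch-acl"),
    Endpoint("10.2.10.5", "IT Apps", 210, "vsrx-dc"),
    Endpoint("10.2.10.6", "Fin Apps", 210, "vsrx-dc"),  # same VLAN as the IT app
    Endpoint("10.2.10.8", "IT Apps", 210, "vsrx-dc"),
    Endpoint("10.3.0.7", "Mobile", 300, "vsrx-hub"),
]
FEEDS = [
    FeedEntry("10.1.1.10", 9, "sky-atp"),      # over threshold: quarantined at the access switch
    FeedEntry("10.1.1.11", 4, "custom-feed"),  # under threshold: no action
    FeedEntry("10.2.10.8", 9, "sky-atp"),      # infected app: traffic to it is permitted but logged
    FeedEntry("10.3.0.7", 7, "sky-atp"),
    FeedEntry("10.3.0.7", 10, "custom-feed"),  # highest level across feeds wins
]


def build_engine() -> PolicyEngine:
    return PolicyEngine(ENDPOINTS, FEEDS)


if __name__ == "__main__":
    engine = build_engine()
    for action in engine.quarantine_actions():
        print(action)
    print(engine.decide("10.2.10.5", "10.2.10.6"))  # IT -> Fin, same VLAN: dropped
    print(engine.decide("10.1.1.10", "10.2.10.5"))  # quarantined campus host: dropped
    print(engine.decide("10.2.10.5", "10.2.10.8"))  # IT -> infected IT app: permitted, logged
```

The design point worth noticing is that `decide` never looks at the VLAN to make its decision; it only reports whether the two endpoints shared one, which is what makes the IT-to-Finance drop a micro-segmentation decision rather than a VLAN ACL. Likewise `quarantine_actions` resolves the enforcement point per endpoint, so the same intent lands on a switch ACL for a campus user and on a vSRX for a mobile subscriber at the hub site.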
24
Thank you