These materials are © 2019 John Wiley & Sons, Inc. Any dissemination, distribution, or unauthorized use is strictly prohibited.

Cybersecurity Automation

Juniper Networks Edition

by Lawrence C. Miller


Cybersecurity Automation For Dummies®, Juniper Networks Edition

Published by John Wiley & Sons, Inc. 111 River St. Hoboken, NJ 07030-5774 www.wiley.com

Copyright © 2019 by John Wiley & Sons, Inc.

No part of this publication may be reproduced, stored in a retrieval system or transmitted in any form or by any means, electronic, mechanical, photocopying, recording, scanning or otherwise, except as permitted under Sections 107 or 108 of the 1976 United States Copyright Act, without the prior written permission of the Publisher. Requests to the Publisher for permission should be addressed to the Permissions Department, John Wiley & Sons, Inc., 111 River Street, Hoboken, NJ 07030, (201) 748-6011, fax (201) 748-6008, or online at http://www.wiley.com/go/permissions.

Trademarks: Wiley, For Dummies, the Dummies Man logo, The Dummies Way, Dummies.com, Making Everything Easier, and related trade dress are trademarks or registered trademarks of John Wiley & Sons, Inc. and/or its affiliates in the United States and other countries, and may not be used without written permission. Juniper Networks and the Juniper Networks logo are registered trademarks of Juniper Networks. All other trademarks are the property of their respective owners. John Wiley & Sons, Inc., is not associated with any product or vendor mentioned in this book.

LIMIT OF LIABILITY/DISCLAIMER OF WARRANTY: THE PUBLISHER AND THE AUTHOR MAKE NO REPRESENTATIONS OR WARRANTIES WITH RESPECT TO THE ACCURACY OR COMPLETENESS OF THE CONTENTS OF THIS WORK AND SPECIFICALLY DISCLAIM ALL WARRANTIES, INCLUDING WITHOUT LIMITATION WARRANTIES OF FITNESS FOR A PARTICULAR PURPOSE. NO WARRANTY MAY BE CREATED OR EXTENDED BY SALES OR PROMOTIONAL MATERIALS.  THE ADVICE AND STRATEGIES CONTAINED HEREIN MAY NOT BE SUITABLE FOR EVERY SITUATION. THIS WORK IS SOLD WITH THE UNDERSTANDING THAT THE PUBLISHER IS NOT ENGAGED IN RENDERING LEGAL, ACCOUNTING, OR OTHER PROFESSIONAL SERVICES.  IF PROFESSIONAL ASSISTANCE IS REQUIRED, THE SERVICES OF A COMPETENT PROFESSIONAL PERSON SHOULD BE SOUGHT. NEITHER THE PUBLISHER NOR THE AUTHOR SHALL BE LIABLE FOR DAMAGES ARISING HEREFROM. THE FACT THAT AN ORGANIZATION OR WEBSITE IS REFERRED TO IN THIS WORK AS A CITATION AND/OR A POTENTIAL SOURCE OF FURTHER INFORMATION DOES NOT MEAN THAT THE AUTHOR OR THE PUBLISHER ENDORSES THE INFORMATION THE ORGANIZATION OR WEBSITE MAY PROVIDE OR RECOMMENDATIONS IT MAY MAKE.  FURTHER, READERS SHOULD BE AWARE THAT INTERNET WEBSITES LISTED IN THIS WORK MAY HAVE CHANGED OR DISAPPEARED BETWEEN WHEN THIS WORK WAS WRITTEN AND WHEN IT IS READ.

For general information on our other products and services, or how to create a custom For Dummies book for your business or organization, please contact our Business Development Department in the U.S. at 877-409-4177, contact [email protected], or visit www.wiley.com/go/custompub. For information about licensing the For Dummies brand for products or services, contact Branded Rights&[email protected].

ISBN: 978-1-119-55349-6 (pbk); ISBN: 978-1-119-55352-6 (ebk)

Manufactured in the United States of America

10 9 8 7 6 5 4 3 2 1

Publisher’s Acknowledgments

Some of the people who helped bring this book to market include the following:

Project Editor: Carrie A. Burchfield

Editorial Manager: Rev Mengle

Acquisitions Editor: Ashley Barth

Business Development Representative: Karen Hattan

Production Editor: G. Vasanth Koilraj


Table of Contents

Introduction ... 1
  About This Book ... 1
  Foolish Assumptions ... 2
  Icons Used in This Book ... 2
  Beyond the Book ... 3
  Where to Go from Here ... 3

Chapter 1: Recognizing the Need for Cybersecurity Automation ... 5
  What Is Cybersecurity Automation? ... 5
  Why Cybersecurity Automation Is Important ... 6
  Overcoming the Challenges of Cybersecurity Automation ... 8
  The Future of Cybersecurity Automation ... 9

Chapter 2: Understanding the Role of AI and Machine Learning in Cybersecurity Automation ... 13
  Combating Advanced Threats with AI and Machine Learning ... 13
  Deriving Actionable Intelligence from AI and Machine Learning ... 14
  Leveraging Actionable Intelligence to Support Dynamic Policy Enforcement ... 17

Chapter 3: Reducing Vendor Sprawl with an Open Architecture ... 21
  Avoiding Vendor Sprawl and Lock-In ... 21
  Getting Past Products that Overpromise and Underdeliver ... 23
  Leveraging Third-Party Integrations ... 24

Chapter 4: Exploring Juniper Connected Security ... 29
  Outlining the Solution Components ... 29
    Sophisticated threat detection engine ... 31
    Centralized management, visibility, and analytics ... 34
    Enforce security everywhere ... 35
  Recognizing the Benefits and Advantages ... 37
  Getting Results ... 38

Chapter 5: Ten Steps to Cybersecurity Automation ... 41


Introduction

The modern cybersecurity landscape is rapidly and continually evolving with new, sophisticated malware and attack techniques that threaten enterprises on a massive scale.

At the same time, enterprise networks have become increasingly complex with multi-cloud and multi-vendor solutions that expand the boundary of the network. Limited security staff members are inundated with alerts and data streams from too many security tools and are unable to prioritize and analyze this deluge of security information in a timely manner. As a result, threats go undetected for extended periods — an average of more than 200 days according to the Ponemon Institute — and cybercriminals steal sensitive and valuable data while trolling their victims’ networks with unfettered access.

Modern cybercriminals are the new mafia — they’re well-organized, well-funded, and profit-driven. To effectively combat these cybercriminals, enterprise security teams must become crimefighters. They must simplify and automate their network and security architecture, leveraging artificial intelligence and machine learning capabilities to drive real-time actionable intelligence and remediation.

About This Book

In this book, you discover how cybersecurity automation can help you regain the advantage against modern cybercriminals and bolster your enterprise security posture. Cybersecurity Automation For Dummies, Juniper Networks Edition, consists of five chapters that explore

» Why modern enterprises need cybersecurity automation (Chapter 1)

» What capabilities artificial intelligence and machine learning bring to cybersecurity defense (Chapter 2)

» How an open architecture helps you manage your cybersecurity footprint (Chapter 3)


» How Juniper’s security solutions enable cybersecurity automation (Chapter 4)

» How to simplify complex cybersecurity challenges with Connected Security from Juniper Networks (Chapter 5)

Foolish Assumptions

It’s been said that most assumptions have outlived their uselessness, but I assume a few things nonetheless. Mainly, I assume that you’re a security decision maker, such as a CISO, CSO, VP, or director of network security, or a security practitioner running a security operations center (SOC), such as a security architect, threat analyst or researcher, or a security incident response team member. As such, I assume you’re a somewhat technical reader with a good understanding of networking and security technologies and current cybersecurity topics.

If any of these assumptions describe you, then this book is for you. If none of these assumptions describe you, keep reading anyway. It’s a great book, and when you finish reading it, you’ll know quite a few things about cybersecurity automation.

Icons Used in This Book

Throughout this book, I occasionally use special icons to call attention to important information. Here’s what to expect:

This icon points out information you should commit to your nonvolatile memory, your gray matter, or your noggin’ — along with anniversaries and birthdays!

You won’t find a map of the human genome here, but if you seek to attain the seventh level of NERD-vana, perk up! This icon explains the jargon beneath the jargon!

Tips are appreciated, never expected  — and I sure hope you’ll appreciate these tips. This icon points out useful nuggets of information.


These alerts point out the stuff your mother warned you about (well, probably not), but they do offer practical advice to help you avoid potentially costly or frustrating mistakes.

Beyond the Book

There’s only so much I can cover in 48 short pages, so if you find yourself at the end of this book, thinking “where can I learn more?” take a look at the following resources:

» The Juniper Networks website provides information about the full suite of Juniper products and services, documentation, training, and certification opportunities. Go to www.juniper.net.

» Juniper Threat Labs is a threat intelligence portal that features rapid and actionable insights from world-class security researchers. Through vigilance and regular updates, this site keeps you informed about existing and emerging threats, so you can keep your business moving forward with confidence. Go to www.juniper.net/us/en/threat-labs.

» Connect with others to ask questions, exchange ideas, and share expertise in the J-Net Community. These resources include blogs, discussion forums, and wikis with the latest technical resources, insights, and conversations. Go to forums.juniper.net.

Where to Go from Here

With my apologies to Lewis Carroll, Alice, and the Cheshire cat:

“Would you tell me, please, which way I ought to go from here?”

“That depends a good deal on where you want to get to,” said the Cat — err, the Dummies Man.

“I don’t much care where . . . ,” said Alice.

“Then it doesn’t matter which way you go!”


That’s certainly true of Cybersecurity Automation For Dummies, Juniper Networks Edition, which, like Alice in Wonderland, is also destined to become a timeless classic!

If you don’t know where you’re going, any chapter will get you there — but Chapter 1 might be a good place to start! However, if you see a particular topic that piques your interest, feel free to jump ahead to that chapter. Each chapter is written to stand on its own, so you can read this book in any order that suits you (though I don’t recommend upside down or backwards).

I promise you won’t get lost falling down the rabbit hole!


Chapter 1

IN THIS CHAPTER

» Defining cybersecurity automation

» Recognizing the need for cybersecurity automation

» Understanding the role of automation in cybersecurity

» Looking at what’s next in cybersecurity automation

Recognizing the Need for Cybersecurity Automation

In this chapter, you explore automation in cybersecurity and cyberattacks, why enterprises need cybersecurity automation, what you should and should not automate, and what the future of cybersecurity automation holds.

What Is Cybersecurity Automation?

The “bad guys” have been using automation to spread computer viruses, worms, and other malware, literally, since the inception of the very first viruses — Elk Cloner (Apple) in 1982 and Brain (PC) in 1986. Indeed, one of the defining characteristics of a computer virus is that it’s self-replicating.

Of course, the “good guys” have also been using automation, to some extent, since the early days of viruses and networks. Traditional antivirus software, for example, has long used virus signatures to automatically detect and quarantine (or delete) infected files. Packet filtering network firewalls use statically configured rules to automatically allow or block inbound traffic at the network perimeter, typically based on source and destination IP address and port information. But these and other examples of security automation are siloed — integration between the various products and solutions is scarce, so security teams are unable to fully leverage the benefits of a comprehensive and unified security platform.
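To make the "statically configured rules" point concrete, here is an added example (not code from the book or from Juniper) of the decision a packet-filtering firewall makes: first-match evaluation of a fixed rule list against the source address, destination address, protocol, and destination port of each packet, with default deny. The rule set and the sample packets are constructed for this example, using documentation address ranges, and the DMZ web server at 203.0.113.10 is hypothetical. The example also shows the limitation the text alludes to: the filter sees only header fields, so an allowed HTTPS flow passes regardless of what it carries.

```python
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    action: str        # "allow" or "block"
    src: str           # CIDR the source address must fall in, e.g. "0.0.0.0/0" for any
    dst: str           # CIDR the destination address must fall in
    dport: tuple       # inclusive destination port range (low, high)
    proto: str = "tcp"


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    dport: int
    proto: str = "tcp"


def matches(rule: Rule, pkt: Packet) -> bool:
    """A rule matches only when every header field it constrains is satisfied."""
    return (
        pkt.proto == rule.proto
        and ipaddress.ip_address(pkt.src) in ipaddress.ip_network(rule.src)
        and ipaddress.ip_address(pkt.dst) in ipaddress.ip_network(rule.dst)
        and rule.dport[0] <= pkt.dport <= rule.dport[1]
    )


def filter_packet(rules, pkt: Packet) -> str:
    """First matching rule wins; a packet no rule allows is dropped (default deny)."""
    for rule in rules:
        if matches(rule, pkt):
            return rule.action
    return "block"


# Constructed perimeter policy for a hypothetical DMZ web server at 203.0.113.10.
# 198.51.100.0/24 stands in for a range the operator has chosen to block outright.
RULES = [
    Rule("block", "198.51.100.0/24", "0.0.0.0/0", (0, 65535)),
    Rule("allow", "0.0.0.0/0", "203.0.113.10/32", (80, 80)),
    Rule("allow", "0.0.0.0/0", "203.0.113.10/32", (443, 443)),
]

# Constructed sample traffic: HTTPS, SSH, HTTPS from the blocked range, UDP/443.
SAMPLE = [
    Packet("192.0.2.7", "203.0.113.10", 443),
    Packet("192.0.2.7", "203.0.113.10", 22),
    Packet("198.51.100.9", "203.0.113.10", 443),
    Packet("192.0.2.7", "203.0.113.10", 443, "udp"),
]


def run_samples(rules=RULES, packets=SAMPLE):
    """Return the verdict for each sample packet, in order."""
    return [filter_packet(rules, p) for p in packets]


if __name__ == "__main__":
    for pkt, verdict in zip(SAMPLE, run_samples()):
        print(f"{pkt.proto} {pkt.src} -> {pkt.dst}:{pkt.dport}  {verdict}")
```

Note that the first packet is allowed purely because it is TCP to port 443 of the permitted host; nothing in this evaluation looks at the payload, which is why a stand-alone packet filter cannot tell benign HTTPS from malware command-and-control over TLS without input from other tools.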

Unfortunately, the adoption of cybersecurity automation hasn’t matched the scale and sophistication of cyberattack automation. Today, cybercriminals automate practically every aspect of a cyberattack from reconnaissance (scanning IP addresses and ports, brute-force password guessing, phishing campaigns) to data exfiltration (data hiding, encryption) or denial of service (overwhelming network/system resources, encrypting data with ransomware) — and everything in between (lateral movement, command-and-control communications, evasive techniques).

Cybersecurity automation, on the other hand, is primarily focused on detection, prevention, and some basic remediation. Whereas the good guys have used automation as a tool, the bad guys have used it as a force multiplier: Massive cyberattacks have become pervasive on a global scale, with devastating impacts affecting hundreds of millions of individual victims and costing hundreds of billions of dollars every year. McAfee estimated the current annual global cost of cybercrime is as much as $600 billion — roughly 0.8 percent of the global gross domestic product (GDP).

Some examples of evasive techniques used by cybercriminals include using network anonymizers, port hopping, Fast Flux DNS (Domain Name System), and Secure Sockets Layer/Transport Layer Security (SSL/TLS) encryption. According to Google’s Transparency Report, 86 percent of web pages loaded in Chrome in the United States are now SSL/TLS encrypted (as of September 2018).

Why Cybersecurity Automation Is Important

Beyond the actual threats themselves, enterprise cybersecurity teams face a number of equally daunting challenges every day, including


» Too many notifications and alerts: Enterprise security teams are inundated with a deluge of data from a multitude of sources, including logs from servers, firewalls, and intrusion detection/prevention systems (IDS/IPS); threat intelligence feeds; vulnerability scans; email lists; news feeds; and more.

» Too many security tools: Somewhere along the way, “defense in depth” became “defense ad nauseam.” Leveraging best-of-breed security tools is generally considered a best practice, but, ironically, it often leads to needless complexity, disparate silos of uncorrelated information, a lack of in-depth knowledge or specific expertise with various tools, and delayed action.

» Lack of prioritization and context: Many alert systems attempt to assign severity levels to various issues (for example, severe/high/medium/low), but with so many alerts from so many different systems and no meaningful context (which of your systems are affected, how many instances, how business-critical the system or application is), enterprise security teams are unable to effectively prioritize the information, which makes it hard to respond to the most damaging threats first.

» Limited security staff: The worldwide shortage of cybersecurity skills in the workforce is well documented and will only continue to worsen. Companies must make the most effective use of their scarce security team resources to protect the enterprise. Manual processes and workflows are slow, inefficient, and can’t scale. The status quo is clearly unacceptable. Security teams must fully leverage automation and orchestration, along with artificial intelligence (AI) and machine learning, to bolster the enterprise security posture and regain the advantage against modern cybercriminals.

Enterprise Strategy Group (ESG) indicates that 45 percent of organizations report a problematic shortage of cybersecurity skills today, more than any other area within IT. To overcome these challenges, organizations need to automate cybersecurity workflows. In a recent study by the Ponemon Institute, 70 percent of survey respondents reported that security automation is important to their organizations’ security posture. The research found that cybersecurity automation improves an organization’s productivity and the ability to address the volume of threats by enabling rapid analysis and prioritization of threats and vulnerabilities.


Overcoming the Challenges of Cybersecurity Automation

Ironically, one of the biggest challenges to successfully deploying cybersecurity automation is a lack of skilled automation personnel. The Ponemon Institute found that 57 percent of survey respondents say they are unable to recruit knowledgeable or skilled personnel to deploy their security automation tools. Only 35 percent of respondents say their organizations have the in-house expertise to be effective in using security automation to respond to cyberthreats. Yet these organizations recognize that cybersecurity automation will accelerate and amplify their defenses through

» Increasing the productivity of IT security personnel (64 percent)

» Automatically correlating threat behavior to address the volume of threats (60 percent)

» Simplifying the process of detecting and responding to threats and vulnerabilities (54 percent)

Other challenges revealed in the study include

» Difficulty integrating security automation technologies and tools with legacy systems (63 percent)

» Interoperability issues among security technologies (57 percent)

» Inability to apply controls that span the entire enterprise (55 percent)

To overcome these challenges, organizations must implement a security automation strategy that reduces complexity in the security architecture and operating environment. This will be possible with an open framework that streamlines interoperability and integration between different vendor solutions.


Consider decreasing the number of vendors in the security environment to minimize the impact of challenging integrations. Broad overarching automation architecture projects can lead to excruciatingly long implementation timelines because they often require extensive discovery and the involvement of multiple departments and new vendors. Rather than investing in projects that aim to solve universal automation problems, organizations should focus on assessing the areas where automation will do the most good and seek out security solutions that feature built-in automation.

Some of the challenges that companies face when it comes to security automation may be technical in nature, but in some cases, the challenges may have more to do with the mindset of the staff in the organization. Security teams need to embrace security automation, rather than seeing it as a hindrance to doing their jobs well. Automating the right tasks and workflows will relieve these teams from having to perform repetitive high-volume, low-value activities and will empower them to concentrate on the threats that can do the most damage.

Implementing effective security automation isn’t as easy as simply buying and installing the right tools. You must also ensure these tools aren’t just procured and then forgotten, or worse, that they provide a false sense of security.

The Future of Cybersecurity Automation

Many cybersecurity automation tasks today are focused on detection and basic response processes. As organizational processes and technology mature, the future of cybersecurity automation will evolve. Research by ESG identifies some key trends in what enterprise organizations hope to achieve with cybersecurity automation:

» Integrate external threat intelligence with internal security data collection and analysis (35 percent)

» Add functionality to existing security tools (30 percent)

» Automate basic remediation tasks (29 percent)


» Correlate and contextualize data using the output from multiple tools (28 percent)

» Integrate security and IT operations tools (22 percent)

The Ponemon Institute identifies incident response, security analytics, and malware investigation as the security tasks that organizations are most likely to automate (59 percent), followed by threat intelligence (55 percent). Other automation priorities include

» Security of information assets (59 percent)

» Identification and authentication of users (59 percent)

» Secure workloads and applications in the cloud (46 percent)

So your security staff can automate the mundane and focus on higher priority tasks to improve your organization’s security posture, your security solutions should support the following capabilities:

» Integration with Microsoft Active Directory services to map IP addresses to users and their groups or roles within the organization

» Support for an open application programming interface (API) framework to extend integration with other solutions on the network

» Easy threat intelligence sharing between solutions using Structured Threat Information Expression (STIX) and Trusted Automated eXchange of Indicator Information (TAXII)

» Data intake from other security solutions with a timeline view of malware outbreaks for all hosts on the network

» One-click dynamic rule updates to block applications, users, or IP addresses
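Two of the capabilities above, STIX/TAXII threat intelligence sharing and dynamic rule updates to block IP addresses, can be chained together. The following is an added example, not code from the book or from any Juniper product: it takes a STIX 2.1 bundle of indicator objects of the kind a TAXII collection returns (the bundle here is constructed inline, with documentation address ranges and freshly generated ids), extracts the IPv4 addresses from the indicators that are currently valid and not revoked, and renders them as deny rules. The deny rule syntax is a hypothetical placeholder, not a vendor's; the point is the validity and revocation checks, which are what keep an automated feed from pushing stale or withdrawn indicators into an enforcement point.

```python
import ipaddress
import json
import re
import uuid
from datetime import datetime, timezone


def _indicator(pattern, valid_until=None, revoked=False):
    """Build a minimal STIX 2.1 indicator object (constructed sample data)."""
    obj = {
        "type": "indicator",
        "spec_version": "2.1",
        "id": f"indicator--{uuid.uuid4()}",
        "created": "2019-01-01T00:00:00.000Z",
        "modified": "2019-01-01T00:00:00.000Z",
        "indicator_types": ["malicious-activity"],
        "pattern": pattern,
        "pattern_type": "stix",
        "valid_from": "2019-01-01T00:00:00.000Z",
    }
    if valid_until:
        obj["valid_until"] = valid_until
    if revoked:
        obj["revoked"] = True
    return obj


# Constructed bundle standing in for the JSON a TAXII server would return.
SAMPLE_BUNDLE = json.dumps({
    "type": "bundle",
    "id": f"bundle--{uuid.uuid4()}",
    "objects": [
        _indicator("[ipv4-addr:value = '198.51.100.23']"),
        _indicator("[ipv4-addr:value = '203.0.113.5' OR ipv4-addr:value = '203.0.113.6']"),
        _indicator("[ipv4-addr:value = '192.0.2.99']", valid_until="2019-06-01T00:00:00.000Z"),  # expired
        _indicator("[ipv4-addr:value = '192.0.2.100']", revoked=True),  # withdrawn by the producer
        _indicator("[domain-name:value = 'bad.example']"),  # not an IP; belongs to a DNS-layer control
    ],
})

# Comparison expressions of the form  ipv4-addr:value = '<address>'  inside a STIX pattern.
IPV4_IN_PATTERN = re.compile(r"ipv4-addr:value\s*=\s*'([0-9.]+)'")


def _parse_ts(ts):
    """STIX timestamps are UTC with millisecond precision and a trailing Z."""
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%S.%fZ").replace(tzinfo=timezone.utc)


def extract_block_ips(bundle_json, now):
    """Return the set of IPv4 addresses from indicators that are valid at `now` and not revoked."""
    ips = set()
    for obj in json.loads(bundle_json).get("objects", []):
        if obj.get("type") != "indicator" or obj.get("revoked"):
            continue
        if obj.get("pattern_type", "stix") != "stix":
            continue  # only the STIX pattern language is parsed here
        if "valid_from" in obj and _parse_ts(obj["valid_from"]) > now:
            continue  # not yet in effect
        if "valid_until" in obj and _parse_ts(obj["valid_until"]) <= now:
            continue  # expired
        for ip in IPV4_IN_PATTERN.findall(obj["pattern"]):
            ipaddress.IPv4Address(ip)  # raises ValueError on a malformed address
            ips.add(ip)
    return ips


def to_block_rules(ips):
    """Render each address as a deny rule line (hypothetical syntax for this example)."""
    return [f"deny ip from {ip} to any" for ip in sorted(ips, key=ipaddress.IPv4Address)]


if __name__ == "__main__":
    now = datetime(2019, 9, 1, tzinfo=timezone.utc)
    for line in to_block_rules(extract_block_ips(SAMPLE_BUNDLE, now)):
        print(line)
```

Run with a clock of September 2019, the expired, revoked and domain-name indicators are left out and three deny lines are produced. In practice the `now` argument would be the current time and the same validity logic would also be used to remove rules once their indicators expire, so that the enforcement point reflects the feed rather than accumulating every address ever published.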


AMERICA’S TEST KITCHEN SIZZLES WITH THE RIGHT NETWORK AND SECURITY INGREDIENTS

For more than two decades, people have relied on America’s Test Kitchen to create beautiful, delicious food without tripping up on complicated techniques or having to scour stores for hard-to-find ingredients. Fueled by a rising consumer interest in at-home cooking, America’s Test Kitchen is expanding and enhancing its media business with Juniper Networks data center networking and security solutions.

America’s Test Kitchen deployed a Juniper-based network at its headquarters and in its data center, anchored by the Juniper Networks QFX5100 Switch and the Juniper Networks EX4300 Ethernet Switch. The powerful simplicity and scalability of the Juniper data center fabric deliver operational efficiency, which is critical for this fast-growing media business. Simplifying its data center architecture also lays the groundwork for a multi-cloud future.

While America’s Test Kitchen is a nationally recognized brand, like most midsize organizations, its IT team is relatively small. As Dustin Brandt, director of IT at America’s Test Kitchen, explains, “TCO is very important. Operationally, we need to make sure we can provide as much value and efficiency as possible.” The performance, resiliency, and integrated security of a Juniper network deliver that TCO.

With a radically simpler, operationally more efficient network, IT can quickly adapt as business conditions change. Centralized event monitoring and policy management with Juniper Advanced Threat Prevention (ATP) and Juniper Networks Junos Space Security Director enable real-time threat protection and segregation. Juniper Networks SRX1500 Next Gen Firewall provides advanced security services, including content security and unified threat management. Juniper ATP provides advanced malware protection from the cloud, securing data center workloads and protecting employees against spearphishing, ransomware, and other malware.


Having security integrated into the network was critical for America’s Test Kitchen to simplify security operations while mitigating the risk of disruption to its shows, websites, and other media resources and to protect its intellectual property. “We need to be smart, lean, and efficient,” says Brandt. Juniper Connected Security was the perfect solution. “I can sleep better at night knowing that I have substantial protection with Juniper.”

“We had an incredibly successful transition to Juniper,” Brandt says. “Juniper is best-in-class. We have a network backbone that’s exponentially faster than before and is much easier to manage and administer.” Brandt continues, “As our needs change, we have a solid foundation to build out faster services, support different content types, and move that content around to different delivery channels. Juniper has been a great improvement for us.”


Chapter 2

IN THIS CHAPTER

» Automating cybersecurity with AI and machine learning

» Detecting malware with AI and machine learning

» Enabling dynamic policy enforcement

Understanding the Role of AI and Machine Learning in Cybersecurity Automation

In this chapter, you learn what artificial intelligence (AI) and machine learning bring to the fight against advanced threats and how to apply AI and machine learning in cybersecurity automation and policy enforcement.

Combating Advanced Threats with AI and Machine Learning

Detecting malware is a critical step in combating advanced threats. Almost all modern cyberattacks use either malware or a vulnerability exploit to infiltrate a targeted network or host.


Unfortunately, detection is easier said than done. Malware detection using current, disparate security tools and manual processes doesn’t usually correlate to breach detection (and remediation). Case in point: Most enterprises today are confident in the ability of their antimalware solutions to detect and prevent known and unknown (zero-day) malware threats in a “timely” manner by using a variety of techniques including signatures, heuristics, sandboxing and static analysis, and even machine learning.

Yet the Ponemon Institute’s 2017 Cost of a Data Breach Study found that United States companies took an average of 206 days to detect a data breach — and another 55 days to contain a breach after detection. I’d be remiss not to tell you the average cost of a data breach found in the 2017 Cost of a Data Breach Study was $8.7 million for a breach that took longer than 100 days to detect.

Machine learning uses algorithms to analyze massive amounts of data and make accurate determinations and predictions. Machine learning is a key enabler in AI applications. AI enables machines to perform complex tasks, such as driving an autonomous vehicle, by using human-like intelligence (but not the lack thereof — such as failing to use turn signals or exhibiting road rage).

Deriving Actionable Intelligence from AI and Machine Learning

Unfortunately, the proper application of machine learning isn’t always easy. In his book, Spurious Correlations, author Tyler Vigen illustrates the point that correlation doesn’t imply causation. As shown in Figure 2-1, Vigen demonstrates how not to use machine learning by correlating the number of films in which Nicolas Cage appeared annually with the number of people who drowned in a pool.

While Figure 2-1 illustrates an obvious example of how not to use machine learning (although an argument could perhaps be made that fewer people drown when Nicolas Cage makes a bad movie, like 2003’s Matchstick Men, and conversely, more people drown when he makes a good movie, like 2007’s Ghost Rider), it is all too common for machine learning to be incorrectly used to correlate data sets with little or no association.


Machine learning has two basic categories:

» Unsupervised machine learning attempts to discover relationships in large volumes of data. The primary value of this technique is in learning more about the data sets themselves, rather than solving a particular problem.

» Supervised machine learning is used to solve a specific problem. Supervised machine learning begins with a “predictor function” and sets of data points. This predictor function can be optimized by training a model against the large labeled data sets and ultimately measuring against a “known value.”

Understanding which features of a data set are relevant for the predictor is crucial to producing the desired results. Many behaviors exhibited by the input values may be completely irrelevant. Others may only serve as indicators when they occur at a given frequency. Differentiating the signal from the noise in this respect is one key to creating a precise model.

Cybersecurity automation uses both unsupervised and supervised machine learning to combat advanced threats, such as malware. Sophisticated characteristics of malware include

» Employing obfuscation techniques (such as polymorphism and metamorphism) to evade detection by traditional antimalware solutions

» Establishing resilience by creating a persistent “beachhead” using a command-and-control (C&C) infrastructure to move laterally in a network, escalate privileges, infect (or re-infect) other hosts, and update or change attack objectives

» Launching a targeted attack with a specific goal such as financial gain, data exfiltration, espionage, or simple sabotage

FIGURE 2-1: Spurious correlations can lead to incorrect conclusions.

Metamorphism changes a malware signature by changing the body of its code with each iteration. Polymorphism changes a malware signature by changing part of its code — for example, its decryption routine — with each iteration, without modifying its body.

For the purposes of advanced malware detection, a machine learning enabled system would analyze files and store a results log that describes each behavior the object exhibited during analysis. Creating a machine-learning model requires analyzing hundreds of thousands of malicious files, along with hundreds of millions of benign files, with a “known value” being used to determine whether an object is malicious or benign. A model can then be created where the behavior logs render the most precise verdict possible.

Any system that identifies a file as malicious or benign through behavioral observation has a degree of precision associated with it. In machine learning, there is no such thing as complete accuracy, just degrees of precision. With a properly trained machine-learning model, the results of file analysis can be compared with the model to determine if the results are within the boundaries of what is known about malicious objects.

Determining where those boundaries are is the key to creating an effective model. The goal is to minimize, as much as possible, false positives (incorrectly identifying something as malicious when it is actually benign) and false negatives (incorrectly identifying something as benign when it is actually malicious). The more sensitive the model, the more likely it is to produce false positives. A model can be trained not to produce false positives, but only at the risk of creating more false negatives, and vice versa. Striking this balance requires large data sets and consistent training, as the malware and threat landscape is constantly evolving.
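The supervised predictor described in the two passages above (labeled behavior logs, relevant versus irrelevant features, frequency-based indicators, and the false-positive/false-negative trade-off), as an added example that is not from the book or from Juniper: a small Bernoulli naive-Bayes classifier trained on constructed behavior logs, with the verdict threshold swept to show false positives rising as false negatives fall. The feature names, the beaconing cut-off, and every log and address are assumptions made for this example.

```python
"""Constructed example of the supervised approach described above: behaviour
logs (one list of observed actions per analysed file) are mapped to binary
features, a Bernoulli naive-Bayes predictor is trained on labelled samples,
and the verdict threshold is swept to show how lowering it trades false
negatives for false positives. All logs are constructed; 203.0.113.x
addresses are documentation addresses, not real infrastructure."""
from collections import Counter
from math import prod

# Frequency feature: one outbound connection is ordinary; repeated connections
# within a short analysis window count as beaconing (cut-off is an assumption).
BEACON_MIN = 3
FEATURES = ("persistence", "c2_beacon", "self_modify", "reads_user_docs",
            "spawns_shell")

def extract_features(log):
    """Return the set of FEATURES that a behaviour log exhibits."""
    counts = Counter(event.split()[0] for event in log)
    present = set()
    if counts["write_registry_run_key"]:
        present.add("persistence")
    if counts["net_connect"] >= BEACON_MIN:
        present.add("c2_beacon")
    if counts["write_own_image"]:
        present.add("self_modify")
    if counts["read_user_documents"]:
        present.add("reads_user_docs")
    if counts["spawn_shell"]:
        present.add("spawns_shell")
    return present

def train(samples):
    """samples: (log, is_malicious) pairs. Returns P(feature | class) with
    Laplace smoothing, so a feature unseen in one class is merely improbable."""
    model = {}
    for label in (True, False):
        sets = [extract_features(log) for log, y in samples if y == label]
        model[label] = {f: (sum(f in s for s in sets) + 1) / (len(sets) + 2)
                        for f in FEATURES}
    return model

def p_malicious(model, log):
    """Posterior probability that a log is malicious (equal class priors)."""
    present = extract_features(log)
    like = {label: prod(model[label][f] if f in present else 1 - model[label][f]
                        for f in FEATURES)
            for label in (True, False)}
    return like[True] / (like[True] + like[False])

def evaluate(model, samples, threshold):
    """Confusion counts when every score >= threshold is called malicious."""
    c = Counter()
    for log, truth in samples:
        verdict = p_malicious(model, log) >= threshold
        if verdict and truth:
            c["tp"] += 1
        elif verdict:
            c["fp"] += 1  # benign file called malicious
        elif truth:
            c["fn"] += 1  # malicious file called benign
        else:
            c["tn"] += 1
    return {k: c[k] for k in ("tp", "fp", "tn", "fn")}

RUN_KEY = "write_registry_run_key HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run"
BEACON = ["net_connect 203.0.113.7:443"] * 3

# Labelled training set: the "known value" is True (malicious) or False (benign).
TRAINING = [
    ([RUN_KEY, *BEACON, "write_own_image"], True),
    ([RUN_KEY, *BEACON, "spawn_shell cmd.exe"], True),
    ([*BEACON, "net_connect 203.0.113.9:8443", "write_own_image",
      "read_user_documents"], True),
    ([RUN_KEY, "spawn_shell cmd.exe", "read_user_documents"], True),
    (["read_user_documents"], False),                         # word processor
    (["read_user_documents", "spawn_shell cmd.exe"], False),  # developer tool
    ([RUN_KEY], False),                                       # software updater
    (["read_user_documents", "net_connect 203.0.113.5:443"], False),  # one sync
]

# Held-out analysis results with ground truth, used to measure precision.
EVALUATION = [
    ([RUN_KEY, *BEACON], True),
    (["read_user_documents"], False),
    ([RUN_KEY], False),                                      # benign installer
    (["read_user_documents", "spawn_shell cmd.exe"], True),  # macro dropper
    ([*BEACON, *BEACON, "write_own_image"], True),
    (["spawn_shell cmd.exe"], False),
]

def sweep_thresholds(thresholds=(0.5, 0.3, 0.1)):
    """Train once and report confusion counts per threshold."""
    model = train(TRAINING)
    return {t: evaluate(model, EVALUATION, t) for t in thresholds}
```

At 0.5 the model misses the macro dropper (one false negative); lowering the threshold to 0.1 catches it but flags the benign installer and the developer tool, which is the trade-off the text describes.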


Leveraging Actionable Intelligence to Support Dynamic Policy Enforcement

Most security policies are created with a mindset that you can set the controls and forget about them — not due to indifference, but out of necessity. Updating security policies is item number 437 on the list of a thousand or so things your limited security staff needs to get done this week. These static security policies are effective for a while, but they eventually become stale and outdated. And when a security incident happens — and everything points to an outdated and no longer effective security policy — suddenly updating hundreds of security policies becomes priority number one on your list, unless, of course, the security incident is serious enough to generate a “resume-updating” event.

Unlike the static security policies created to protect them, security operating environments are highly dynamic in nature and must constantly adapt to changing threat and business conditions. For example, policies (rules) that are enforced under normal operating conditions may need to be significantly changed when the network is under attack, requiring the following actions:

1. The security team must individually process the security rules in the firewall rule table.

There are potentially thousands of rules to figure out which rules need to be modified and how to modify them.

2. The rules then need to be modified, tested, and deployed to all the enterprise firewalls.

There is also a high risk of temporarily disabling or breaking business-critical applications and/or services, or exposing other attack vectors, due to the “emergency” nature of the changes being pushed.

3. After the attack has been contained, the emergency changes need to be reverted and applications/services restored and tested.

This step again risks more service outages.


This manual process could take hours to complete — precious hours that could’ve been better spent isolating and remediating the threat and mitigating the damage. And, of course, many advanced threats can rapidly infect other vulnerable hosts on the network in a matter of seconds and mutate in real-time to adapt to your slowly changing security policies, using a powerful weapon in the attacker’s arsenal — which is automation.

Dynamic policy enforcement empowers security teams to fight fire with fire — well, automation with automation. For example, different security policies can be created and tested for different operating conditions (see Figure 2-2). By leveraging actionable intelligence derived from the various AI and machine-learning-enabled integrated security systems to detect different (or even previously unknown) operating conditions, appropriate pre-defined policies can be automatically deployed (with or without human approval/intervention).

The benefits of dynamic policy enforcement include the following:

» Appropriate security policies can be automatically deployed in near real time.

» As the threat evolves, so too does the security policy.

» Time-consuming, error-prone processes and change workflows are dramatically reduced or eliminated.

» The security team can focus on isolating and containing the threat and mitigating attack damage.

FIGURE 2-2: Different security policies can be created for certain operating conditions.

Machine learning doesn’t completely remove the need for human judgment. However, it can effectively scale the knowledge of skilled security analysts to large data sets and threat landscapes. Machine learning can also be integrated with other security processes to enable each of them to scale appropriately as the volume of data and the complexity of analysis increases with time.


Chapter 3

IN THIS CHAPTER

» Balancing vendor sprawl and vendor lock-in challenges

» Avoiding the “used car lot” of security vendors

» Working together to deliver a comprehensive solution

Reducing Vendor Sprawl with an Open Architecture

In this chapter, you look at common business challenges that can lead to technical complexity that weakens your security posture and how you can leverage an open framework that integrates with third-party solutions to overcome these challenges.

Avoiding Vendor Sprawl and Lock-In

Security automation can be the key for organizations to improve their security posture and make the most of scarce security personnel. However, according to a survey by the Ponemon Institute, more than 70 percent of organizations struggle with adoption due to vendor sprawl in their security environments and a lack of skilled professionals to implement a broader automation initiative. Of course, vendor sprawl exacerbates the “lack of skills” problem by requiring limited staff to become experts in different vendor solutions. In addition to learning how to use the different technologies, security professionals must deal with disparate data that often can’t be easily aggregated or correlated, different management consoles and command syntaxes, and other vendor nuances.

Vendor sprawl is often the result of many different factors:

» A “best-of-breed” security strategy: The organization selects the best vendor solution for a given technology need (for example, firewalls, intrusion prevention, antimalware, routers, switches, and so on).

» Mergers and acquisitions: Companies with different vendor solutions are merged or acquired, resulting in a hybrid vendor environment.

» Evolving preferences and requirements: IT executives and/or purchasing authorities may have different vendor preferences, vendor relationships may change, or technical requirements may change over time and legacy solutions are phased out over time and replaced with a different vendor solution.

» Moving workloads to the cloud: As organizations move their workloads to the cloud, their current security solutions may not work in either a public or private cloud environment. This situation may necessitate bringing in an additional vendor or leveraging security services from the cloud provider.

Regardless of its causes, vendor sprawl inevitably leads to complexity in the network and security environment.

At the opposite end of the spectrum, many organizations find themselves trapped by vendor lock-in, potentially limiting their options (and capabilities) to implement a best-of-breed solution. Vendor lock-in can happen for a variety of reasons:

» Previous vendor solutions may have been sold as a “package deal” that included heavy discounting if more components were purchased together.

» Vendor solutions may use a proprietary signature language that isn’t easily updated, lacks the ability to be easily customized, and doesn’t support industry standard threat intelligence sharing specifications, such as Structured Threat Information Expression (STIX) and Trusted Automated eXchange of Indicator Information (TAXII).

» Management and reporting are proprietary and tightly integrated within a vendor’s solution, and they don’t easily integrate with third-party solutions.

» The product is complex to deploy and needs significant customization and/or professional services from the vendor, requiring extensive training to enable staff to become proficient in its use.

To address the challenges of both vendor sprawl and vendor lock-in, organizations need to implement solutions that are based on open platforms that can be seamlessly integrated with a broad ecosystem of third-party solutions and services.

Getting Past Products that Overpromise and Underdeliver

Yet another challenge for organizations is the problem of security products that overpromise and underdeliver. This often happens when a vendor attempts to position its product as the “Swiss army knife” of solutions when, in fact, the product may do a few things extremely well (its “core functions”) but everything else is a “bolt-on” feature.

Ironically, the key to addressing this challenge is to avoid vendor lock-in (discussed in the preceding section) by selecting a few, key best-of-breed solutions potentially from different vendors, which may lead to vendor sprawl (also discussed in the preceding section).

Work with a vendor that doesn’t try to be “all things to everyone” and snatch up market share. A vendor that acknowledges there are other solutions that may be better for specific problems by offering an open integration framework compatible with other solutions is more than a vendor; it’s a partner committed to your success.


Leveraging Third-Party Integrations

The increasingly sophisticated cyberattack landscape demands that businesses deploy a comprehensive security platform that not only unites and coordinates various threat analytics platforms but also provides a simpler policy mechanism as well. This requires leveraging the entire network as a threat detection and enforcement tool.

Juniper Connected Security (discussed in Chapter  4) enables network devices — not just perimeter firewalls — to work together as a threat detection and security enforcement domain. Juniper Networks Security Director with Policy Enforcer manages the security environment and orchestrates policies, including those created by the Juniper Advanced Threat Prevention cloud-based malware detection solution. Policy Enforcer then distributes those policies to Juniper switches, third-party switches, and Wi-Fi access points, as well as the physical and virtual Juniper Networks SRX Series Enterprise Network Firewall.

One example of how Juniper Connected Security integrates with third-party solutions to deliver comprehensive security is ForeScout CounterACT. This integrated solution gives operational teams the unique ability to see new devices the instant they connect to or leave the network, allowing them to continuously monitor, control, and remediate these devices.

Working together, Juniper and ForeScout create a secure, end-to-end, multilayer network by defining risk mitigation policies and implementing them at the access, aggregation, core, and network perimeter, greatly enhancing the system’s overall security profile.

With its agentless approach, ForeScout CounterACT occupies a unique space among network security solutions. Available as both a physical and virtual solution, ForeScout CounterACT uses active and passive techniques to discover and classify endpoints as they connect to the network, including “bring your own device” (BYOD), guest, and nontraditional devices — such as Internet of Things (IoT), handhelds, and sensors — as well as unknown and rogue endpoints (unauthorized endpoints, switches, routers, and wireless access points). None require management agents or previous device awareness.

CounterACT uses agentless visibility to check for device posture and compliance according to established security policies and then, depending on the device classification and/or posture, coordinates an automated host- or network-based response. Working as part of Juniper Connected Security, Juniper and third-party switches are transformed into policy enforcement and control points at the access, aggregation, core, and perimeter.

This innovative approach mitigates risk and noncompliance at multiple levels while increasing protection. Using standard protocols, CounterACT classifies and assesses device compliance posture. It tightly integrates with Juniper Policy Enforcer to take action on the device, which could be wired or wireless, through automated policies when an indicator of compromise (IoC) is detected.

The joint solution empowers enterprises to defend themselves against the lateral movement of threats by blocking or quarantining infected hosts, even when users move and IP addresses change. This workflow is the same for endpoints that connect to the network via wireless access points.

As shown in Figure 3-1, Juniper Security Director provides a single pane of glass to enforce threat remediation and micro-segmentation policies on a variety of network and security devices. These devices include Juniper virtual and physical SRX Series firewalls, EX Series and QFX Series switches, third-party switches, and wireless networks. The solutions work together to automatically detect and block attacks. The following example describes a typical workflow for the Juniper/ForeScout integrated solution:

1. An endpoint device downloads a suspicious file from the Internet.

2. A Juniper SRX Series firewall sends the file to Juniper Cloud Advanced Threat Prevention (ATP) for analysis.


3. Juniper Cloud ATP determines the threat level and communicates that information to the SRX Series firewalls and Juniper Policy Enforcer.

4. SRX Series firewalls are updated and prevent the file from being downloaded based on dynamically generated policies and the threat level score from Juniper Cloud ATP.

At the same time, based on the threat intelligence received from Juniper Cloud ATP, Policy Enforcer determines that the host that downloaded the file is infected.

5. Policy Enforcer reports the infected host’s IP address to ForeScout CounterACT.

6. ForeScout CounterACT enforces policy actions as defined by the user, including blocking or quarantining the infected host or device.

7. Policy Enforcer mitigates lateral propagation of the threat by tracking infected host movement and taking remedial actions such as quarantining/blocking the host, even if its IP address changes.

The joint Juniper-ForeScout security solution gives enterprises complete end-to-end monitoring, automated policy enforcement, and threat mitigation with unparalleled visibility into wired and wireless networks.
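The seven-step workflow above, and the dynamic policy enforcement idea from Chapter 2 that it applies, as an added simulation that is not Juniper’s or ForeScout’s code: the class and method names, the threat-level scale and threshold, the placeholder hash, and the MAC and IP addresses are all assumptions made for this example. The point it demonstrates is that the infected host is tracked by its identity rather than its address, so quarantine and the firewall block both survive an IP change.

```python
"""Constructed walk-through of the seven-step Juniper/ForeScout workflow above.
Component names follow the text; the classes, methods, score scale, threshold,
hash placeholder and addresses are assumptions made for this example, not
Juniper or ForeScout APIs."""
from dataclasses import dataclass

BLOCK_THRESHOLD = 7  # assumed: Cloud ATP threat levels at or above this block

@dataclass
class Verdict:
    """What Cloud ATP reports back after analysing a submitted file (step 3)."""
    file_hash: str      # constructed placeholder, not a real sample hash
    threat_level: int   # assumed 0-10 scale
    downloader_ip: str  # address of the host that fetched the file

class SrxFirewall:
    """Stand-in for an SRX Series firewall receiving dynamically generated policy."""

    def __init__(self):
        self.blocked_hashes = set()

    def apply_dynamic_policy(self, file_hash):
        self.blocked_hashes.add(file_hash)  # step 4: stop further downloads

    def permits_download(self, file_hash):
        return file_hash not in self.blocked_hashes

class CounterActConnector:
    """Stand-in for the CounterACT connector: acts on host identity, not IP."""

    def __init__(self):
        self.quarantined_macs = set()

    def quarantine(self, mac):
        self.quarantined_macs.add(mac)  # step 6: block/quarantine the device

    def has_network_access(self, mac):
        return mac not in self.quarantined_macs

class PolicyEnforcer:
    """Orchestrates steps 4-7: fan out policy, resolve host identity, track moves."""

    def __init__(self, firewalls, nac, ip_to_mac):
        self.firewalls = firewalls
        self.nac = nac
        self.ip_to_mac = dict(ip_to_mac)  # learned from the access switches
        self.infected_macs = set()

    def on_verdict(self, verdict):
        """Return the MAC quarantined, or None when nothing was enforced."""
        if verdict.threat_level < BLOCK_THRESHOLD:
            return None
        for fw in self.firewalls:  # step 4: every firewall, not only the one that saw it
            fw.apply_dynamic_policy(verdict.file_hash)
        mac = self.ip_to_mac.get(verdict.downloader_ip)
        if mac is None:
            return None  # host not in inventory: nothing to quarantine yet
        self.infected_macs.add(mac)  # the host, not the address, is infected
        self.nac.quarantine(mac)  # step 5: report host; step 6: NAC enforces
        return mac

    def on_host_moved(self, mac, new_ip):
        """Step 7: the host reappears with a new IP (e.g. it moved to Wi-Fi).
        Returns True if quarantine was re-applied because the host is infected."""
        for ip in [ip for ip, m in self.ip_to_mac.items() if m == mac]:
            del self.ip_to_mac[ip]
        self.ip_to_mac[new_ip] = mac
        if mac in self.infected_macs:
            self.nac.quarantine(mac)  # quarantine follows the host identity
            return True
        return False

def run_scenario():
    """Drive the workflow on constructed data and return observable outcomes."""
    firewalls = [SrxFirewall(), SrxFirewall()]
    nac = CounterActConnector()
    host_mac = "aa:bb:cc:00:00:01"  # constructed
    pe = PolicyEnforcer(firewalls, nac, {"10.1.1.20": host_mac})
    sample = "sha256:constructed-placeholder"  # steps 1-2: file seen, sent to ATP
    quarantined = pe.on_verdict(Verdict(sample, 9, "10.1.1.20"))  # steps 3-6
    followed = pe.on_host_moved(host_mac, "10.2.7.33")  # step 7
    return {
        "quarantined_mac": quarantined,
        "download_blocked_everywhere": all(not fw.permits_download(sample)
                                           for fw in firewalls),
        "isolated_after_move": not nac.has_network_access(host_mac),
        "new_ip_tracked": pe.ip_to_mac.get("10.2.7.33") in pe.infected_macs,
        "quarantine_followed_host": followed,
    }
```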

FIGURE 3-1: Juniper Connected Security and ForeScout CounterACT solution. (Figure components: Juniper Cloud ATP supplying infected endpoint information; SDSN Policy Enforcer with its Policy Controller and Connector API; Juniper Security Director for central management; Juniper SRX Series NGFW; an access layer of Juniper Networks EX Series switches or third-party switches and wireless access controllers; and a third-party software connector.)


VirtualArmour USES OPEN SECURITY INTELLIGENCE TO PROTECT CUSTOMERS

As cyberattacks become more sophisticated, companies struggle to stay ahead of cybercriminals. VirtualArmour provides a range of managed services, professional services, and software development solutions to help organizations protect their networks from new and advanced threats.

No two organizations are alike, and VirtualArmour wanted to find a way to standardize its processes and solutions, while giving customers something better than a one-size-fits-all solution. To achieve this goal, VirtualArmour sought an open, scalable platform that could easily integrate with third-party apps or custom data feeds and seamlessly mitigate advanced security threats.

To help its customers thwart malware and advanced threats, VirtualArmour leverages Juniper Networks Spotlight Secure, vSRX Services Gateway, SRX Series Services Gateways, and Junos Space Security Director.

Spotlight Secure, Juniper’s threat intelligence platform, provides adaptive threat protection, linking security intelligence to policy enforcement. Spotlight Secure aggregates feeds from multiple sources and brings actionable intelligence to VirtualArmour’s security operations. These sources include Juniper and third-party threat feeds, as well as threat detection technologies, allowing VirtualArmour to choose the most appropriate threat detection technologies. Spotlight Secure works in conjunction with SRX and vSRX Series security platforms, which provide high-performance, scalable protection and security service integration for the network operations center (NOC) and edge. The NOC team uses Junos Space Security Director for centralized security policy management that is enforced across emerging and traditional threat vectors.

Juniper’s powerful, open, scalable, and intelligent security has given VirtualArmour the foundation it needs to provide an agile response to the rising volume and sophistication of cyberthreats. “Security intelligence from Juniper allows us to be more efficient and more proactive and also include additional feeds that might be value-added services,” says Mark Precious, chief technology officer of VirtualArmour. “We can automatically input alerts from our security information and event management (SIEM) solution directly into perimeter security in an automated, hands-off way.”

With tailored threat intelligence feeds, VirtualArmour can tailor protections to address customers’ specific risks and respond more quickly to incidents with a minimum of manual effort. “When customers are advised of a certain threat, we can apply security intelligence to our global infrastructure so they’re protected,” Precious says. “Juniper’s open, intelligent framework allows us to do that in a much more automated fashion and gives us the capability to handle large data sets in a dynamic and timely way.”


Chapter 4

IN THIS CHAPTER

» Looking at the solution architecture

» Realizing the benefits of the solution

» Defending against an attack

Exploring Juniper Connected Security

In this chapter, you find out how Juniper Connected Security integrates, centralizes, and automates enterprise defense strategies.

Outlining the Solution Components

Juniper Connected Security delivers adaptive detection, automated enforcement, and one-touch mitigation to defend against today’s sophisticated and rapidly evolving threats. It transforms your network into a cyber-defense system that streamlines security operations, so you can mitigate threats faster and more efficiently. It enforces a consistent security posture across environments, from on-premises infrastructure to cloud workloads, and reduces complexity by prioritizing security alerts into a single timeline view.


Cybersecurity solutions from Juniper Networks are designed to

» Automate: Dynamic detection and mitigation of advanced threats

» Protect: Continual enforcement and remediation ecosystem

» See: Visibility across your infrastructure to streamline security operations and accelerate time to action

Juniper Connected Security is built on the following foundational components:

» Sophisticated threat detection engine

» Centralized management, visibility, and analytics

» Security enforcement everywhere

These components are shown in more detail in Figure 4-1.

Juniper Connected Security combines network security and detection with centralized management visibility and analytics to deliver pervasive security. Juniper’s open, multivendor ecosystem enables enterprises to use network and security elements already in their environments to strengthen their security posture.

FIGURE 4-1: Juniper Connected Security building blocks. (Figure labels: Advanced Threat Prevention; Visibility & Management; Detection; Threat Conditions; Threat Intelligence; Automate, Protect, See; APIs; Partner Ecosystem; Cloud/CASB; Network Access; Endpoint; Consistent Enforcement; Dynamic Policy Actions; Network Devices; Policy, Users, Apps, Devices, Sites; Multicloud; Workloads.)


Sophisticated threat detection engine

Juniper Networks Advanced Threat Prevention (ATP) is a cloud-delivered malware detection solution that accurately detects known and unknown threats. Its construction is shown in Figure 4-2. It uses real-time information from the cloud to provide antimalware protection and defends against sophisticated cyberattacks, including advanced persistent threats (APTs) and ransomware.

The key features of Juniper Networks Cloud ATP include

» Cloud-based analysis: Extracts compromised files and sends them to the cloud for advanced malware analysis to generate a security verdict

» Instant malware identification: Rapidly detects malware and communicates the verdict to SRX Series firewalls to provide inline blocking of the attacks

» Comprehensive reporting and analytics: Provides a web interface for performing management tasks, including configuration and product updates, and provides compre-hensive reporting and analytics tools for visibility into threats and compromised hosts

» Systems quarantine: Feeds information about compro-mised systems to SRX Series firewalls to quarantine the affected systems

FIGURE 4-2: Juniper Networks Cloud ATP. (Figure not reproduced; labels in the diagram: Custom and third-party intel; Cloud ATP; Sandbox; Machine Learning; Analysis; vSRX / SRX; C&C; GeoIP; Zero Day Malware.)


» Command-and-Control (C&C) data: Provides C&C data to SRX Series firewalls to prevent internal systems from communicating with known C&C servers

» Email analysis and remediation: Isolates and quarantines malware, preventing email from being used as an attack vector. Machine learning algorithms analyze email traffic, detect malicious attachments, and block files at the firewall.

» Threat intelligence: Uses open application programming interfaces (APIs) for integration with third-party vendors, giving you multiple threat intelligence feeds and reducing the attack surface; supports Structured Threat Information eXpression (STIX) as the indicator format and Trusted Automated eXchange of Indicator Information (TAXII) as the transport, so threat intelligence can be shared in a standard way

Similar to Juniper Networks Cloud ATP, the Juniper Networks on-premises ATP solution provides comprehensive on-premises analytics to detect sophisticated threats (see Figure 4-3). The Juniper ATP Appliance uses advanced machine learning and behavioral analysis technologies to identify existing and unknown advanced threats in near real time. It does this through continuous, multistage detection and analysis of Web, email, and lateral traffic moving through the network.

FIGURE 4-3: Juniper Networks ATP components. (Figure not reproduced; Juniper Threat Prevention: 1 Advanced Threat Detection, 2 Advanced Threat Analytics, 3 One-Touch Threat Mitigation.)

Page 37: These materials are © 2019 John Wiley & Sons, Inc. …...the prior written permission of the Publisher. Requests to the Publisher for permission should be addressed to the Permissions

CHAPTER 4 Exploring Juniper Connected Security 33

These materials are © 2019 John Wiley & Sons, Inc. Any dissemination, distribution, or unauthorized use is strictly prohibited.

The key features of the Juniper Networks ATP include

» Flexible deployment options: Physical or virtual appliance solutions that work alongside any firewall or SIEM

» Multi-vector traffic inspection: Inspects traffic across multiple vectors, including Web, email, and lateral spread

» Multiple file type analytics: Analyzes multiple file types, including executables, dynamic link libraries (DLL), Mach Object File Format (Mach-O), Apple Disk Image File (DMG), Portable Document Format (PDF), Microsoft Office, Adobe Flash, ISO image files, Executable and Linkable Format (ELF), Rich Text Format (RTF), Android Package (APK), Microsoft Silverlight, Archive, and Java Archive (JAR)

» Effective detection techniques: Employs advanced threat detection techniques, including exploit detection, payload analysis, C&C detection, YARA rules, and Snort rules

» Endpoint integration: Integrates with Carbon Black Protect and Response (endpoint solution) to allow upload of binaries executed on endpoints

» Extensive data correlation: Correlates events across threat life cycle to monitor threat progress and risk, visualizes malware activity, and groups malware traits to help incident response teams better understand malware behavior

» Contextual threat prioritization: Prioritizes threats based on risk calculated from threat severity, threat progress, asset value, and other contextual data

» Threat behavior timeline: Provides timeline host view to obtain complete context about malware events that have occurred on the host

» Automated threat mitigation on email, Web, and lateral traffic: Quarantines malicious Office 365 and Google emails automatically; integrates with Bluecoat, Check Point, Cisco, Fortinet, and Palo Alto Networks solutions to automatically block malicious IP addresses and URLs

Known threats are detected by the ATP solution by consolidating threat intelligence information from a variety of sources:

» C&C servers

» Geographic IP address lookup (GeoIP)


» Third-party devices via Representational State Transfer (REST) APIs

» Aggregated information from in-house log servers

Unknown threats are identified by the ATP solution using tech-nologies such as

» Sandboxing

» Machine learning

» Threat behavior analytics and correlation
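The two intelligence-driven features above, STIX/TAXII feeds and the consolidation of known-threat indicators from C&C lists, REST-fed third-party devices, and in-house log servers, come down to one task: merge indicators from several sources into a single list a firewall can enforce. The following is an added example, not Juniper code: it parses a constructed STIX 2.1 bundle (the format a TAXII server delivers), harvests destinations that an in-house proxy or DNS log already denied, and merges them while dropping revoked indicators and internal addresses that must never reach a block list. The bundle, the log lines, and the log field names are constructed for this example.

```python
"""Consolidate threat intelligence from several sources into one block list."""
import ipaddress
import json
import re

# --- Constructed sample inputs (not real threat data) ------------------------
SAMPLE_STIX_BUNDLE = json.dumps({
    "type": "bundle", "id": "bundle--5f6a2f7e-1c2b-4c3d-9e0f-000000000001",
    "objects": [
        {"type": "indicator", "id": "indicator--11111111-1111-4111-8111-111111111111",
         "spec_version": "2.1", "pattern_type": "stix",
         "pattern": "[ipv4-addr:value = '203.0.113.10']",
         "valid_from": "2019-01-01T00:00:00Z"},
        {"type": "indicator", "id": "indicator--22222222-2222-4222-8222-222222222222",
         "spec_version": "2.1", "pattern_type": "stix",
         "pattern": "[domain-name:value = 'c2.example.net']",
         "valid_from": "2019-01-01T00:00:00Z"},
        {"type": "indicator", "id": "indicator--33333333-3333-4333-8333-333333333333",
         "spec_version": "2.1", "pattern_type": "stix",
         "pattern": "[ipv4-addr:value = '198.51.100.7'] OR [ipv4-addr:value = '198.51.100.8']",
         "valid_from": "2019-01-01T00:00:00Z"},
        # Revoked indicator: the producer withdrew it, so it must be ignored.
        {"type": "indicator", "id": "indicator--44444444-4444-4444-8444-444444444444",
         "spec_version": "2.1", "pattern_type": "stix",
         "pattern": "[ipv4-addr:value = '198.51.100.9']",
         "valid_from": "2019-01-01T00:00:00Z", "revoked": True},
        # A feed that leaks an internal address: must never reach the block list.
        {"type": "indicator", "id": "indicator--55555555-5555-4555-8555-555555555555",
         "spec_version": "2.1", "pattern_type": "stix",
         "pattern": "[ipv4-addr:value = '10.0.0.5']",
         "valid_from": "2019-01-01T00:00:00Z"},
        # Non-indicator object: carries nothing a firewall can enforce.
        {"type": "malware", "id": "malware--66666666-6666-4666-8666-666666666666",
         "spec_version": "2.1", "name": "SampleLoader", "is_family": False},
    ],
})

# Constructed log lines from an in-house proxy/DNS log server (field names assumed).
SAMPLE_LOG_LINES = [
    "2019-03-01T10:00:01Z proxy action=deny src=10.1.2.3 dst=203.0.113.10 reason=c2-beacon",
    "2019-03-01T10:00:05Z proxy action=allow src=10.1.2.4 dst=93.184.216.34",
    "2019-03-01T10:01:09Z dns action=block qname=c2.example.net src=10.1.2.7",
    "2019-03-01T10:02:30Z dns action=block qname=update.example.org src=10.1.2.8",
]

# Ranges a perimeter firewall must never block on the say-so of an external feed.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8", "169.254.0.0/16")]

_STIX_OBSERVABLE = re.compile(r"\[(ipv4-addr|domain-name):value\s*=\s*'([^']+)'\]")
_LOG_FIELD = re.compile(r"\b(dst|qname)=(\S+)")
_DOMAIN = re.compile(r"^(?=.{1,253}$)[a-z0-9-]+(\.[a-z0-9-]+)*\.[a-z]{2,}$")


def empty_indicators():
    return {"ipv4": set(), "domain": set()}


def indicators_from_stix(bundle_json):
    """Pull IPv4 and domain observables out of non-revoked STIX indicators."""
    found = empty_indicators()
    for obj in json.loads(bundle_json).get("objects", []):
        if obj.get("type") != "indicator" or obj.get("revoked"):
            continue
        for kind, value in _STIX_OBSERVABLE.findall(obj.get("pattern", "")):
            found["ipv4" if kind == "ipv4-addr" else "domain"].add(value.lower())
    return found


def indicators_from_logs(lines):
    """Treat destinations the proxy or DNS layer already denied as indicators."""
    found = empty_indicators()
    for line in lines:
        if "action=deny" not in line and "action=block" not in line:
            continue
        for field, value in _LOG_FIELD.findall(line):
            found["ipv4" if field == "dst" else "domain"].add(value.lower())
    return found


def _is_enforceable_ip(text):
    """True for a syntactically valid, non-internal, unicast IPv4 address."""
    try:
        ip = ipaddress.ip_address(text)
    except ValueError:
        return False
    if ip.version != 4 or ip.is_multicast or ip.is_unspecified:
        return False
    return not any(ip in net for net in INTERNAL_NETS)


def build_blocklist(*sources):
    """Merge indicator sets and drop anything a firewall must not enforce."""
    merged = empty_indicators()
    for src in sources:
        merged["ipv4"].update(v for v in src["ipv4"] if _is_enforceable_ip(v))
        merged["domain"].update(v for v in src["domain"] if _DOMAIN.match(v))
    return merged


def is_blocked(blocklist, target):
    """Exact IP match, or a domain match that also covers its subdomains."""
    target = target.lower()
    if target in blocklist["ipv4"]:
        return True
    return any(target == d or target.endswith("." + d) for d in blocklist["domain"])


if __name__ == "__main__":
    bl = build_blocklist(indicators_from_stix(SAMPLE_STIX_BUNDLE),
                         indicators_from_logs(SAMPLE_LOG_LINES))
    print(sorted(bl["ipv4"]), sorted(bl["domain"]))
```

The internal-range filter is the check worth copying: a feed that carries a private address (by mistake or by design) would otherwise turn an automated block list into a self-inflicted outage. Revoked indicators are honored for the same reason; automation that only ever adds indicators and never removes them drifts toward blocking legitimate destinations.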

Centralized management, visibility, and analytics

Juniper Networks Security Director provides visibility and management through an intuitive, centralized interface. It offers policy enforcement and orchestration across emerging and traditional risk vectors. Using intuitive dashboards and reporting features, organizations gain insight into threats, compromised devices, risky applications, and more.

Policy Enforcer, a key component of Security Director, automates threat remediation and micro-segmentation policies across the entire network. Armed with advanced threat intelligence gathered and reported by Juniper Networks Advanced Threat Prevention service, Policy Enforcer does the following:

» Dynamically adapts to new threats

» Automatically updates policies

» Takes action to stop lateral propagation of threats

» Enables metadata-based security controls to protect private and public cloud workloads

Policy Enforcer automates threat remediation workflows, including real-time remediation of infected hosts (see Figure 4-4).


The key features of Security Director and Policy Enforcer include

» Centralized security management: Configure and manage application security, firewalls, and security intelligence, along with virtual private networks (VPNs), intrusion prevention systems (IPS), and network address translation (NAT) security policies, all through a single interface.

» Policy definition and enforcement: Define and enforce policies for controlling use of specific applications, such as Facebook and embedded social networking widgets.

» Automated enforcement and orchestration: Apply consistent threat remediation across heterogeneous network environments that span SRX Series firewalls, EX and QFX switches, and third-party network switches.

» Scalable security policy: Extend a security policy across multiple SRX Series firewalls and manage several logical system (LSYS) instances on a single SRX Series device.

» New threat detection: Detect new threats and deploy new enforcement policies automatically to firewalls and switches through Policy Enforcer.

» Automated security policies: Automate security policies for improved enforcement accuracy, consistency, and compliance.

Enforce security everywhere

Juniper Connected Security leverages any network element as an enforcement point. It is built on an open, multivendor ecosystem to detect and enforce security across Juniper solutions, cloud, and third-party security products (see Figure 4-5).

FIGURE 4-4: Policy Enforcer automates threat remediation workflows. (Figure not reproduced; labels in the diagram: Juniper On-premises ATP; Cloud ATP; Cloud: Public Cloud, Private Cloud; Premise; Users.)


Juniper delivers the ability to rapidly block or quarantine threats to prevent north-south or east-west threat propagation. The auto-provisioning of Juniper vSRX virtual firewalls on VMware NSX hosts provides micro-segmentation for private cloud workloads in an NSX domain, with advanced security (Layer 7 firewall and intrusion prevention system) and a consistent management experience (see Figure 4-6).

FIGURE 4-5: Juniper's open, multivendor ecosystem detects and enforces security across Juniper solutions, cloud, and third-party security products. (Figure not reproduced.)

FIGURE 4-6: Auto-provisioning of vSRX virtual firewalls on NSX hosts provides micro-segmentation for private cloud workloads. (Figure not reproduced; labels in the diagram: Cloud ATP; Policy Enforcer; Plug-In API; NSX Plug-In; NSX Manager; VMware vCenter; Juniper SRX Series Perimeter Firewalls; NSX Domain; VM; NSX Virtual Distributed Switch; NSX Managed Workloads.)


Recognizing the Benefits and Advantages

Enterprises must take a synergistic approach to cybersecurity in which security and network elements operate in unison, protecting the organization with automated policy, threat behavior analytics, and simplified management to strengthen their security posture.

Juniper Connected Security delivers the following benefits and advantages:

» Pervasive security: Extends security across the network, from firewalls to switches and Wi-Fi access points. By supporting different deployment models ranging from on-premises physical deployments or private clouds (such as VMware NSX and Juniper Contrail) to public clouds (such as Amazon AWS and Microsoft Azure), the platform delivers robust security and maximum flexibility.

» Open, multivendor ecosystem: Most enterprises are multivendor environments. Any security solution that requires swapping out existing infrastructure during a refresh cycle, or locks customers into a single vendor, will impose significant restrictions with respect to introducing new capabilities and adopting new trends and technologies. Juniper Connected Security takes an open approach, allowing enterprises to keep most of their existing network gear while transitioning to a more secure network. By partnering with other network and security vendors, Juniper offers a truly collaborative and comprehensive approach to security.

» Global policy management and orchestration: Security Director with Policy Enforcer delivers consistent enforcement regardless of local or global footprint. Security administrators gain visibility into threat conditions and enforcement, helping them strengthen their security posture.


» Dynamic, automated threat remediation: The ability to quickly respond to threats is critical to cybersecurity. Threats are accurately and continuously detected by Juniper's Advanced Threat Prevention service, native threat intelligence, and third-party sensors. Policy Enforcer automatically takes corrective action against these threats, blocking or quarantining them almost immediately.

Getting Results

To understand how Juniper Connected Security better protects enterprises, take a look at Juniper cybersecurity in action. Figure 4-7 shows a Juniper SRX Enterprise Network Firewall deployed at the perimeter and connected to Juniper's Advanced Threat Prevention service for anti-malware services. Security Director with Policy Enforcer is the centralized console that manages the different network elements to deliver global enforcement.

Clients/endpoints are connected to access switches or wireless access points with endpoint protection software. Policy Enforcer can communicate with the access devices to share intelligence and deliver mitigation.

FIGURE 4-7: Juniper cybersecurity in action. (Figure not reproduced; components shown: SRX, EX/QFX switch, On-premises ATP, Cloud ATP, any 802.1X switch or ForeScout, Policy Enforcer, Security Director; numbered callouts: unknown malware enters the network; file scanned, unknown malware not detected; malware detected; threat containment package authored; threat containment automatically deployed; infected endpoint quarantined.)


Here’s how an attack scenario plays out:

1. A client attempts to download unknown malware.

2. The file is scanned by the perimeter SRX Series firewall.

3. The SRX Series firewall sends the file to Juniper Advanced Threat Prevention service.

4. Juniper Advanced Threat Prevention service determines the file is malware and notifies the SRX Series firewall and Policy Enforcer.

5. The SRX Series firewall blocks the file from being downloaded.

6. Policy Enforcer quarantines the host to a special virtual LAN (VLAN) at the switch until further investigation is possible. Policy Enforcer can also optionally disable the switch port or Wi-Fi access point that the client is connected to.

7. The targeted client is now prevented from infecting other hosts in the network.

East-west and north-south malware propagation is halted. Policy Enforcer remembers the client, so even if it moves to another switch or Wi-Fi access point, Policy Enforcer recognizes the threat and blocks it from the network.
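The containment logic in steps 4 to 7, and the "remembers the client" behavior just described, can be modeled as a small enforcement controller. The following is an added example, not Policy Enforcer's code: the firewall and switch calls are hypothetical stand-ins that only record the change they would push, so the parts that matter for correctness can be exercised offline, namely that quarantine is keyed on the host's MAC address rather than its IP (which changes when the VLAN does), that it follows the host to a new switch, that duplicate verdicts do not push duplicate changes, and that only an explicit analyst decision lifts it. The verdict fields, VLAN number, switch names, and port names are assumptions.

```python
"""Model of the containment workflow: verdict in, quarantine that follows the host."""
from dataclasses import dataclass, field

QUARANTINE_VLAN = 999                # assumed quarantine VLAN id
SAMPLE_MAC = "00:11:22:33:44:55"     # constructed client MAC address


@dataclass
class Verdict:
    """What the ATP service reports for a scanned file (fields assumed)."""
    sha256: str
    malicious: bool
    host_mac: str


@dataclass
class Enforcer:
    infected: dict = field(default_factory=dict)   # mac -> sha256 that triggered it
    locations: dict = field(default_factory=dict)  # mac -> (switch, port), from 802.1X
    placed: dict = field(default_factory=dict)     # mac -> (switch, port) now quarantined
    blocked: set = field(default_factory=set)      # hashes already pushed to the firewall
    actions: list = field(default_factory=list)    # audit trail of every change pushed

    def host_seen(self, mac, switch, port):
        """Access-layer event: a host authenticated on switch/port (or moved there)."""
        mac = mac.lower()
        self.locations[mac] = (switch, port)
        if mac in self.infected:        # a known-infected host is quarantined wherever it appears
            self._quarantine(mac, switch, port)

    def on_verdict(self, v):
        """Step 4: a verdict arrives. Returns True if enforcement was triggered."""
        if not v.malicious:
            return False
        if v.sha256 not in self.blocked:                            # step 5, once per hash
            self.blocked.add(v.sha256)
            self.actions.append(("firewall", "block-hash", v.sha256))
        mac = v.host_mac.lower()
        self.infected[mac] = v.sha256
        if mac in self.locations:                                   # step 6
            self._quarantine(mac, *self.locations[mac])
        return True

    def _quarantine(self, mac, switch, port):
        # Keyed on MAC, not IP: after the VLAN move the host gets a new address.
        if self.placed.get(mac) == (switch, port):
            return                      # repeated verdicts for one host push the change once
        self.placed[mac] = (switch, port)
        self.actions.append(("switch", switch, port, "vlan", QUARANTINE_VLAN, mac))

    def release(self, mac, analyst):
        """Only an explicit analyst decision lifts a quarantine; it is never timed out."""
        mac = mac.lower()
        if mac not in self.infected:
            return False
        del self.infected[mac]
        switch, port = self.placed.pop(mac, (None, None))
        if switch is not None:
            self.actions.append(("switch", switch, port, "vlan", "restore", mac))
        self.actions.append(("audit", "released", mac, analyst))
        return True

    def is_quarantined(self, mac):
        return mac.lower() in self.infected


def scenario():
    """Replay the attack scenario above, then move the host to a second switch."""
    e = Enforcer()
    e.host_seen(SAMPLE_MAC, "sw-floor1", "ge-0/0/3")        # client authenticates via 802.1X
    e.on_verdict(Verdict("a" * 64, False, SAMPLE_MAC))      # clean file: nothing happens
    e.on_verdict(Verdict("b" * 64, True, SAMPLE_MAC))       # steps 4 to 6
    e.on_verdict(Verdict("b" * 64, True, SAMPLE_MAC))       # duplicate notification
    e.host_seen(SAMPLE_MAC, "sw-floor2", "ge-0/0/7")        # host moves; step 7 still holds
    return e


if __name__ == "__main__":
    for action in scenario().actions:
        print(action)
```

Two design points carry over to any real deployment: identity for quarantine must be something the host cannot shed by moving or renewing a lease (a MAC address from 802.1X accounting here; a device certificate or agent ID is stronger), and the audit trail of pushed changes is what lets an analyst see and reverse exactly what the automation did.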


Chapter 5

IN THIS CHAPTER

» Getting started with detection and response

» Knowing your capabilities and skills, and maximizing your resources

» Monitoring and logging activity

» Deriving actionable intelligence with machine learning

» Performing root cause analysis and automating action

Ten Steps to Cybersecurity Automation

To help you get started today with cybersecurity automation to strengthen your organization’s security posture, here are ten tips:

» Begin with a detection and response workflow and then adopt the right tool to help you automate the process.

» Investigate risky scenarios specific to your organization and then build detection rules around those scenarios.

» Understand your capabilities, build your playbooks, and find automation tools that address the most important parts of your security posture.

» Ensure your security team has the skills and time to tune your automated solution. If they can’t tune it, they won’t see the value.


» People should focus on the things they do well. Failing to automate relevant security tasks can be a waste of resources. Scarce security teams should work on the tasks that require their expertise.

» Know what you have and be able to monitor and log all activity related to your IT assets and resources including data, endpoints, infrastructure, networks, and services. Automation can help you discover assets in a rapidly changing environment (such as the cloud) and parse and analyze logs and alerts for actionable intelligence.

» Build your own rule sets to deliver the kind of actionable intelligence that security analysts need.

» Enable machine learning because it's essential when processing data from multiple tools and sources. It enables actionable intelligence to be quickly surfaced while eliminating redundant or irrelevant data.

» Integrate machine learning across all threat prevention products in a security solution. It enables continuous and dynamic analysis and correlation to identify normal behavior in software structure, software behavior, and network traffic patterns. Millions of variables and data points can be analyzed at once to flag anomalous behavior that could signal an impending breach.

» Use advanced tools. These can identify and track unusual activity and provide information about exactly what was happening in the network at the time the activity began. Taking action is the ultimate goal, and this, too, is becoming automated.


WILEY END USER LICENSE AGREEMENT

Go to www.wiley.com/go/eula to access Wiley's ebook EULA.