Learn About Secure Analytics

This Learn About introduces you to the fundamentals of security information and event management (SIEM) and Juniper Secure Analytics (JSA). It explains these network security technologies and shows why they are essential in today's networks. For those of you who need field knowledge, this Learn About also reviews each of the core functions of a SIEM and JSA implementation and describes how a SIEM and JSA are used.

Secure the Network

Networks are growing larger and more complex than ever before. At the same time, multiple threats to the security of those networks are emerging and spreading rapidly. As shown in Figure 1, there are also more possible points of entry into any given network because of the increase in user mobility, the number of remote locations that might exist, and the sheer number of devices accessing the network.

Figure 1  Enterprise Network
A security breach is one of the earliest stages of a security attack by a malicious intruder, such as a hacker, cracker, or nefarious application. Security breaches happen when the security policy procedures are violated or there is an intruder in the system. Depending on the nature of the incident, a security breach can be anything from low risk to highly critical.

The digital market economy, with its continual barrage of new applications and technologies, also creates additional risks and invites a slew of new attacks on networks. In some organizations security breaches can go completely undetected for months, while others have IT departments with staff dedicated to protecting a network against malicious activity. They must analyze data from a multitude of sources in order to understand what threats are facing a network, then they must determine what actions to take to address those threats.

What IT staff need is a complete, holistic solution that provides layered security to protect from threats that occur at all layers and at every location of a network, including branch offices, campuses, and extended enterprises. Without such a solution, IT professionals cannot fully manage all the threats a network can incur. They need:

- Comprehensive visibility that can analyze everything happening in the network.
- Analytics that analyze and investigate potential threats in near real time.
- Actionable intelligence that identifies targets, threats, and incidents.

IT departments also need to keep abreast of compliance requirements, providing:

- Accountability that can survey the reports on who did what and when.
- Transparency that can provide visibility into the security controls, business applications, and assets that are being protected.
- Measurability that can provide metrics and reporting around IT risks within a company.

Introduction to SIEM

SIEM software provides a powerful way for organizations to detect the latest security threats to their networks before they can cause damage. SIEM provides a holistic view of an organization's IT security by providing real-time reporting coupled with long-term analysis of security events.

SIEM software logs event records from sources throughout a network. Those logs provide important forensic tools to an IT staff, which the software then helps to analyze. Complete log collection also helps address many compliance reporting requirements.

Parsing and normalization maps log messages from different systems into a common data model, enabling IT professionals to better connect and analyze related events, even if those events are initially logged in different source formats. Additionally, correlation links log events from disparate systems or applications, which greatly speeds not only the detection of, but the reaction to, security threats.

SIEM aggregation can also reduce the volume of event data by consolidating duplicate event records and then reporting on the correlated, aggregated event data in real time, comparing it to long-term summaries.
How SIEM Works in an Attack

Let's begin with a look at a basic network attack as shown in Figure 2.

Figure 2  Example of a Basic Attack to a Network

In Figure 2, the attacker on the left scans the perimeter defenses to find a hole in the network. The attack bypasses network defenses and compromises web servers using a vulnerability exploit. From the web server the attack pivots to the database server, which holds confidential data, and installs malicious software that opens a backdoor for the attacker to steal data.

How would one detect such an attack without using SIEM? Figure 3 shows the steps in a traditional network defense.

Figure 3  Analyzing the Basic Attack Without Using SIEM

You can see, in Figure 3, that the network uses:

- Firewall logs, with events for reconnaissance, scanning, and so on.
- Intrusion detection system (IDS) or intrusion prevention system (IPS) logs, with exploit signatures triggering (both behavior- and anomaly-based).
- Web or application server logs (inbound or outbound access traffic).
- And, of course, database logs.
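To show how the four log sources listed above become something a SIEM can act on (the parsing and normalization, aggregation, and correlation described under Introduction to SIEM, and the collector, DSM, and rule steps described under Event Collection and Processing), here is an added example that is not part of this Learn About or of JSA itself. The log lines, source names, field names, and the correlation rule are all constructed assumptions:

```python
import re
from collections import Counter, defaultdict
# Constructed sample log lines (not from the page), one format per source, replaying the
# Figure 2 attack: scanning, a web exploit, web access, then a pivot to the database host.
RAW_LOGS = [
    "fw01 DENY src=203.0.113.9 dst=192.0.2.10 dport=22",
    "fw01 DENY src=203.0.113.9 dst=192.0.2.10 dport=23",
    "fw01 DENY src=203.0.113.9 dst=192.0.2.10 dport=22",
    "ids01 ALERT sig=WEB_EXPLOIT src=203.0.113.9 dst=192.0.2.10",
    "web01 GET /index.php 200 client=203.0.113.9",
    "db01 LOGIN user=webapp from=192.0.2.10",
    "fw01 DENY src=198.51.100.7 dst=192.0.2.10 dport=443",
]
# Per-source parsers play the role of DSMs: each maps one raw format onto the common model.
PARSERS = {
    "fw01": (re.compile(r"DENY src=(\S+) dst=(\S+) dport=(\d+)"),
             lambda m: {"category": "firewall_deny", "src": m[1], "dst": m[2], "port": int(m[3])}),
    "ids01": (re.compile(r"ALERT sig=(\S+) src=(\S+) dst=(\S+)"),
              lambda m: {"category": "ids_exploit", "src": m[2], "dst": m[3], "sig": m[1]}),
    "web01": (re.compile(r"(\S+) (\S+) (\d+) client=(\S+)"),
              lambda m: {"category": "web_access", "src": m[4], "dst": "web01", "path": m[2]}),
    "db01": (re.compile(r"LOGIN user=(\S+) from=(\S+)"),
             lambda m: {"category": "db_login", "src": m[2], "dst": "db01", "user": m[1]}),
}

def normalize(line):
    """Parse one raw line into the common event model; the raw line itself is kept intact."""
    source, _, rest = line.partition(" ")
    if source not in PARSERS:
        return None  # no DSM for this source: the collector keeps it as an unparsed event
    pattern, build = PARSERS[source]
    match = pattern.search(rest)
    return dict(build(match), source=source, raw=line) if match else None

def aggregate(events):
    """Consolidate duplicates (same source, category, src, dst, port) into one record with a count."""
    counts, first = Counter(), {}
    for e in events:
        key = (e["source"], e["category"], e["src"], e["dst"], e.get("port"))
        counts[key] += 1
        first.setdefault(key, e)
    return [dict(first[k], count=n) for k, n in counts.items()]

def correlate(events):
    """Rule: denies + IDS exploit + web access from one IP form an offense; a later login from a host that IP attacked is a pivot."""
    cats, targets = defaultdict(set), defaultdict(set)
    for e in events:
        cats[e["src"]].add(e["category"])
        if e["category"] in ("firewall_deny", "ids_exploit"):
            targets[e["src"]].add(e["dst"])
    logins = {e["src"] for e in events if e["category"] == "db_login"}
    return [{"attacker": src, "pivot_hosts": sorted(targets[src] & logins)}
            for src in sorted(cats)
            if {"firewall_deny", "ids_exploit", "web_access"} <= cats[src]]

def run_pipeline(lines=RAW_LOGS):
    """Collector -> DSM normalization -> aggregation -> correlation, as in the SIEM steps."""
    events = [e for e in map(normalize, lines) if e]
    return aggregate(events), correlate(events)
```

Run on the sample, the three firewall denies collapse to two aggregated records, and the rule raises one offense for the scanning IP with the web server listed as the pivot host; the second firewall source never triggers because it has no exploit or access activity.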
In Figure 4, when the same attack occurs in a network using SIEM, the software provides insight into all the IT components (gateways, servers, firewalls, and so on).

Figure 4  SIEM Holistic View

A perimeter is the fortified boundary of the network that might include: routers, firewalls, IDSs, IPSs, VPN devices, software architecture, DMZs, and screened subnets.

SIEM software centrally collects, stores, and analyzes logs from perimeter to end user. It monitors for security threats in real time for quick attack detection, containment, and response, with holistic security reporting and compliance management. It's time for SIEM software in any network that is open to attacks.

Juniper Networks Secure Analytics

Once you realize the value of a SIEM and its functionality, you need to understand how JSA can support SIEM security and compliance requirements.

A JSA Series appliance is a SIEM appliance that addresses many requirements of IT staff around the world. To better understand how JSA works, let's briefly review its key components and how they operate as a SIEM solution.

Event Collection and Processing

JSA combines many key SIEM features (see Table 1), but the core components of the JSA Series are an event processor, a flow processor, an event collector, and a magistrate (console).

A log source is a data source that creates an event log.

An event is a record from a log source, such as a firewall, a router, a server, an IDS, or an IPS, that describes an action on a network or a host.

As shown in Figure 5, JSA event processing involves the following steps:

1. Log sources typically send syslog messages (but they can use other protocols, too).
2. The event collector receives the raw events as log messages from a wide variety of external log sources.
3. Device Support Modules (DSMs) in the event collectors parse and normalize raw events while the raw log messages remain intact.
4. The classification engine and the rules are responsible for processing events received by JSA and comparing them against defined rules, keeping track of systems involved in incidents over time, generating notifications to users, and generating offenses.
5. Event processors receive the normalized events and raw events to analyze and store them.
6. The magistrate correlates data from event processors and creates offenses.
7. Event storage (Ariel) is a time series database for events and flows where data is stored on a minute-by-minute basis. Data is stored where the event is processed.

A rule is a collection of tests that triggers an action when specific conditions are met. Each rule can be configured to capture and respond to a specific event, sequence of events, flow sequence, or offense. The actions that can be triggered include sending an email or generating a syslog message.

Figure 5  Event Collection and Processing Flow Diagram

Flow Collection and Processing

A flow is a communication session between two hosts that provides information about network traffic and can be sent to JSA in various formats, including network taps, span or mirror ports, flow log files, NetFlow, J-Flow, sFlow, and Packeteer.

The flow processing (see Figure 6) involves the following steps:

1. The flow collector reads different types of flow data and creates flow records to be processed.
2. The event collector completes a number of flow processing functions, such as:
   - Removing duplicate flows when multiple flow collectors are providing data to flow processor appliances.
   - Recognizing flows from each side and combining them into one record. When data is not received from both sides, the event collector analyzes and combines external flow sources, such as NetFlow, that might only report ingress or egress traffic, as well as instances where span traffic enters a network from a single point and exits through another, creating asymmetric reporting of data to flow collectors.
   - Monitoring the number of incoming events and flows to the system to manage input queues and licensing.
   - Applying routing rules for the system, such as sending data to offsite targets, external syslog systems, JSON systems, other SIEMs, and so on.
3. The classification engine and the rules are responsible for processing events received by JSA and comparing them against defined rules, keeping track of systems involved in incidents over time, generating notifications to users, and generating offenses.
4. Event processors parse the message's fields (IP address, ports, and so on) and store data in the Ariel database.

Figure 6  Flow Collection and Processing Flow Diagram

As you can see, JSA goes beyond traditional SIEM products and network behavior analysis (NBA) products to create a command-and-control center that delivers threat analytics, log analytics, and complete compliance measurability.

When it comes to secure analytics, JSA Series appliances can protect your network. Let's look very briefly at all the features and benefits of the JSA Series.

JSA Appliance Features and Benefits

JSA Series appliances come in several form factors to enable you to scale their features and benefits:

- JSA Virtual Appliance – A virtualized platform that can be deployed as an all-in-one appliance or in a distributed setup as a console, or as an event or a flow processor. A JSA virtual appliance can also be deployed as a store-and-forward event collector.
- JSA3800 – An enterprise-class appliance that provides a scalable network security management solution for medium-to-large size companies, including globally deployed organizations. It is also the base platform for an enterprise-class scalable secure analytics solution. JSA3800 can be deployed as an all-in-one appliance or in a distributed setup as a dedicated event, flow, or combination processor. It can also be deployed as a store-and-forward event collector.
- JSA5800 – An enterprise and carrier-class appliance that provides a scalable network security management solution for medium-size companies and scales to support large, globally deployed organizations. JSA5800 can be deployed as an all-in-one appliance or in a distributed setup as a console or dedicated event or flow processor. It can also be deployed as a store-and-forward event collector.
- JSA7500 – An enterprise and carrier-class appliance that provides a scalable network security management solution for large, globally deployed organizations. JSA7500 can be deployed as a console or distributed event or flow processor. It can also be deployed as a store-and-forward event collector.

Table 1 details some of the major features and benefits of owning and using JSA appliances, many of which go beyond the SIEM discussions in this Learn About.

Table 1  JSA Features and Benefits

Feature: All-in-one appliance
Description: Event collection, flow collection, event processing, flow processing, correlation, analysis, and reporting are all embedded within JSA.
Benefits: All core functions are available within the system, and it is easy for users to deploy and manage in minutes.

Feature: Distributed support
Description: Ability to scale to large distributed deployments that can support up to 5 million events per second.
Benefits: Gives users flexibility to scale to large deployments as their business grows and can be easily deployed in large distributed environments. The architecture provides a streamlined solution for secure and efficient log analytics.

Feature: HDD implementation
Description: Utilizes SAS HDD in RAID 1 and RAID 10 setups.
Benefits: SAS HDD is designed for 24x7 operations. RAID 1/10 implementation provides the best possible performance and redundancy.

Feature: Quick install
Description: Comes with an easy, out-of-the-box setup wizard.
Benefits: Users can install and manage JSA Series appliances in a couple of steps.

Feature: Automatic updates
Description: Automatically downloads and deploys reputation feeds, parser updates, and patches.
Benefits: Users do not need to worry about maintaining appliance and OS updates and patches.

Feature: High availability
Description: Users can deploy all JSA Series appliances in HA mode.
Benefits: Users can deploy JSA with full active or passive redundancy. This supports both deployment scenarios: all-in-one and distributed.

Feature: Built-in compliance reports
Description: Out-of-the-box compliance reports are included with the JSA.
Benefits: Provides more than 500 out-of-the-box compliance reports.

Feature: Reporting and alerting capabilities for control frameworks
Description: Control Objectives for Information and related Technology (CobiT); International Organization for Standardization (ISO) ISO/IEC 27002 (17799); Common Criteria (CC) (ISO/IEC 15408); NIST Special Publication 800-53 revision 1; Federal Information Processing Standard (FIPS) 200.
Benefits: Enables repeatable compliance monitoring, reporting, and auditing processes.

Feature: Compliance-focused regulation workflow
Description: Payment Card Industry Data Security Standard (PCI DSS); Health Insurance Portability and Accountability Act (HIPAA); Sarbanes-Oxley Act (SOX); Gramm-Leach-Bliley Act (GLBA); Federal Information Security Management Act (FISMA).
Benefits: Supports multiple regulations and security best practices. Includes compliance-driven report templates to meet specific regulatory reporting and auditing requirements.
Feature: …el reports on overall security state
Description: The JSA reports interface allows you to create, distribute, and manage reports that are generated in PDF, HTML, RTF, XML, or XLS formats.
Benefits: Users can use the report wizard to create executive and operational level reports that combine any network traffic and security event data in a single report.

Feature: One-stop support
Description: Juniper Networks Technical Assistance Center (JTAC) supports all aspects of JSA.
Benefits: Users do not need to go to several places to get support, even for multivendor issues.

JSA Use Case

As a final step, let's review a use case for JSA, and follow the requirements and the solution. This use case concerns the Payment Card Industry Data Security Standard that was created by major credit card companies to ensure privacy and security of credit card holders. All organizations that deal with credit card processing and transactions need to comply with these standards to avoid fees and penalties, and this use case will show you how JSA addresses the six main PCI DSS objectives.

PCI DSS Requirements

The PCI DSS standard outlines six relatively broad control objectives for network security:

- Build and maintain a secure network
- Protect cardholder data
- Maintain a vulnerability assessment (VA) program
- Implement strong access control measures
- Regularly monitor and test networks
- Maintain an information security policy

It is not an easy task for IT administrators to implement these standards across their network, as there is no single product that complies with all six standards. Many SIEM and log management products claim to answer all these concerns, but the PCI DSS standard calls for more than the collection and correlation of logs. Insight into the network from the passive monitoring of network communications must be put in place in conjunction with aggregation and correlation of logs from the security and network infrastructure.

The Solution

NBAD is the continuous monitoring of a proprietary network for unusual events or trends. NBAD is an integral part of NBA.

JSA is a network security management platform that facilitates the comparison of data from the broadest set of devices and network traffic. It combines log management, SIEM, and network behavior anomaly detection (NBAD) into a single integrated end-to-end network security management solution. This allows administrators to get a complete picture of their network security posture. This surveillance capability brings together all pertinent PCI DSS data for the purpose of executing and maintaining an organization's PCI DSS program. Table 2 details the JSA approach to meeting PCI requirements. Whether it's for the PCI industry, the Federal Information Security Management Act (FISMA), or any other compliance-driven organization, JSA has a complete solution.
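The passive monitoring of network communications referred to here rests on the flow collector steps described under Flow Collection and Processing: removing duplicate flows reported by more than one collector, recognizing the two sides of a session and combining them into one record, and coping with sources that report only one direction. The following is an added example of those steps and is not part of this Learn About or of JSA's own code; the flow records, the collector names, the higher-port-is-client heuristic, and the baseline of standard server ports are all constructed assumptions:

```python
# Constructed unidirectional flow records (not from the page), as two flow collectors might
# export them: each side of a session is a separate record, collector fc2 sees some of the
# same traffic as fc1, and the last session is reported from one side only.
RAW_FLOWS = [
    {"collector": "fc1", "src": "10.0.0.5", "sport": 51000, "dst": "192.0.2.10", "dport": 443,
     "proto": "tcp", "bytes": 1200, "start": 100},
    {"collector": "fc1", "src": "192.0.2.10", "sport": 443, "dst": "10.0.0.5", "dport": 51000,
     "proto": "tcp", "bytes": 9800, "start": 100},
    {"collector": "fc2", "src": "10.0.0.5", "sport": 51000, "dst": "192.0.2.10", "dport": 443,
     "proto": "tcp", "bytes": 1200, "start": 100},
    {"collector": "fc1", "src": "10.0.0.7", "sport": 52000, "dst": "198.51.100.20", "dport": 8443,
     "proto": "tcp", "bytes": 300, "start": 105},
]
STANDARD_PORTS = {22, 80, 443}  # assumed baseline of acceptable server ports for the rule

def dedupe(records):
    """Drop one-directional records that more than one collector reported for the same traffic."""
    seen, unique = set(), []
    for r in records:
        key = (r["src"], r["sport"], r["dst"], r["dport"], r["proto"], r["start"])
        if key not in seen:
            seen.add(key)
            unique.append(r)
    return unique

def combine(records):
    """Merge the records from each side of a session into one bidirectional flow record.
    Assumption: the endpoint using the higher port number is the client."""
    flows = {}
    for r in records:
        a, b = (r["src"], r["sport"]), (r["dst"], r["dport"])
        client, server = (a, b) if a[1] > b[1] else (b, a)
        f = flows.setdefault((client, server, r["proto"]), {
            "client": client[0], "server": server[0], "server_port": server[1],
            "proto": r["proto"], "bytes_out": 0, "bytes_in": 0, "sides_seen": 0})
        f["bytes_out" if a == client else "bytes_in"] += r["bytes"]
        f["sides_seen"] += 1
    return list(flows.values())

def classify(flow):
    """Flag asymmetric reporting (only one side seen) and sessions to non-standard server ports."""
    flags = []
    if flow["sides_seen"] < 2:
        flags.append("one_sided")
    if flow["server_port"] not in STANDARD_PORTS:
        flags.append("non_standard_port")
    return flags

def process_flows(records=RAW_FLOWS):
    """Flow collector pipeline: dedupe across collectors, combine sides, then apply the rule."""
    flows = combine(dedupe(records))
    for f in flows:
        f["flags"] = classify(f)
    return flows
```

On the sample, the duplicate record from fc2 is dropped, the first session is stitched into one record with bytes counted per direction, and the second session is flagged both because only one side was seen and because its server port is outside the assumed baseline.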
Table 2  JSA Approach to Meeting PCI Requirements

PCI Requirement: Build and maintain a secure network
JSA Approach:
- Detection and classification of protocols and applications within the network.
- Automatic policy creation through learning normal traffic behavior and acceptable protocols, alerting when traffic deviates from normal patterns, and alerting when new servers, databases, protocols, or applications are discovered in the DMZ.
- Layer 7 visibility detects and alerts on risky or secure protocols running over non-standard ports, which indicates suspicious behavior.
- Real-time, intuitive views of network traffic by protocol or application allow for in-depth analysis and troubleshooting.
- Stores flows such as NetFlow, sFlow, and J-Flow and allows for detailed forensic searching of network communications associated with risky or mistrusted protocols.
- Default PCI report templates and a flexible reporting wizard provide in-depth reports on PCI-related networks and services.

PCI Requirement: Protect cardholder data
JSA Approach:
- Sends alerts and notifications of any suspicious attempts to access sensitive data.
- Detects unencrypted data even in the absence of intrusion detection systems.
- Stores the content from flows, which allows detection of unencrypted user names and passwords, or information on potential data theft.
- Logging from encryption technologies such as SNMPv3 devices.

PCI Requirement: Maintain a VA program
JSA Approach:
- Automatic correlation of antivirus data with other logs and network information for accurate detection and prioritization of threats.
- Reporting and real-time viewing of antivirus logs.
- Integration with vulnerability management and assessment tools used for creation of asset/host profiles.
- Asset profiles are centrally stored within the JSA and used for detection of new hosts on the network, new services running on a host or network, and accurate prioritization of threats based on vulnerability information.
- Uses real-time passive profiling to augment vulnerability data, which is typically not kept up to date, by using network communications to profile which services are running on hosts and keep asset profiles current.

PCI Requirement: Implement strong access control measures
JSA Approach:
- Complete auditing and alerting for access, configuration changes, and data changes to systems and databases with cardholder data.
- Detection of multiple logins that are followed by a failed login from suspicious or unknown hosts.
- Default, out-of-the-box authentication log correlation rules allow for easy identification of regulatory compliance servers and quick configuration of internal policies.

PCI Requirement: Regularly monitor and test networks
JSA Approach:
- Out-of-the-box customizable access and authentication rules allow for easy detection of threatening or invalid access attempts.
- Deep inspection analyzes all log data and network communications to monitor and audit all activity around an access offense.
- File integrity monitoring and notification through log analysis.
- Backup and archive of access audit trails.
- Provides continuous monitoring of security, systems, and processes.
- Real-time alerting and notification of changes to the network, threats or violations that impact meeting compliance, and views a