5. Juniper STRM / IBM Q1Labs QRadar Architecture
STRM – Real-time network & security visibility
Data collection provides network, security, application, and identity awareness
Embedded intelligence & analytics simplifies security operations
Prioritized “offenses” separate the wheat from the chaff
Solution enables effective Threat, Compliance & Log Management
6. Unrivalled Data & Log Management
[Diagram: Log Management, Compliance, Forensics, Policy Templates, Search, Reporting]
• Networking events
– Switches & routers, including flow data
• Security logs
– Firewalls, IDS, IPS, VPNs, Vulnerability Scanners, Gateway AV, Desktop AV, & UTM devices
• Operating Systems/Host logs
– Microsoft, Unix and Linux
• Applications
– Database, mail & web
• User and asset
– Authentication data
• Support for leading vendors including:
– Networking: Juniper, Cisco, Extreme, Nokia, F5, 3Com, TopLayer and others
– Security: Juniper, Bluecoat, Checkpoint, Fortinet, ISS, McAfee, Snort, SonicWall, Sourcefire, Secure Computing, Symantec, and others
– Network flow: NetFlow, JFlow, Packeteer FDR, & SFlow
– Operating systems: Microsoft, AIX, HP-UX, Linux (RedHat, SuSe), SunOS, and others
– Applications: Oracle, MS SQL, MS IIS, MS AD, MS Exchange, and others
• Security map utilities:
– MaxMind (provides geographies)
– Shadownet
– Botnet
• Custom log sources through the generic Device Support Module (DSM) and the Adaptive Log Exporter
7. QRadar Key Value Proposition
Threat Detection: Detect New Threats That Others Miss
Log Management: Right Threats at the Right Time
Compliance: Compliance and Policy Safety Net
Enterprise Value: Complements Juniper’s Enterprise Mgmt Portfolio
[Diagram: Juniper’s STRM Appliance at the centre of the four value areas]
13. The Secret Sauce: Deep Session Inspection
• Total visibility and control over inbound and outbound network traffic
• Deep, session-level application, payload and content decoding and analysis
• Flexible, multi-level policy engine with multiple real-time enforcement options (visualize, alert, prevent, etc.)
• Scalable up to multiple Gbps of analyzed throughput in a single device
14. Fidelis SSL Inspector Solution
• Identifies and decrypts all SSL/TLS encrypted traffic
– Based on SSL/TLS handshake detection, not on TCP port (port-independent)
– Decrypts everything over SSL (HTTP, POP3, SMTP, ...) – not just HTTPS
• Forwards ALL traffic (SSL and non-SSL) to XPS for analysis
• Completely transparent to endpoints at the IP, TCP and HTTP levels
– Don’t need to configure endpoints to “point at” it – it’s an SSL proxy, not an HTTP proxy
– Just need to install an endpoint-trusted CA certificate on the SSL Inspector
• Scales up to 1 Gbps in a single device
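How port-independent SSL/TLS handshake detection works, as an added example written for this page (it is not Fidelis code): the detector looks at the first bytes of a flow for a TLS ClientHello record and extracts the SNI host name, so TLS on port 8443 and plaintext HTTP on port 443 are both labelled by what is in the stream rather than by the port. The record and handshake layouts follow the TLS specification; the `build_client_hello` helper, the `classify_flow` function and the sample payloads are constructed for this example.

```python
import struct
from typing import Optional

TLS_RECORD_HANDSHAKE = 0x16   # record-layer content type for handshake messages
HANDSHAKE_CLIENT_HELLO = 0x01
EXT_SERVER_NAME = 0x0000      # SNI extension type


class _Cursor:
    """Bounds-checked reader over a byte string; any underrun raises ValueError."""

    def __init__(self, buf: bytes):
        self.buf, self.pos = buf, 0

    def take(self, n: int) -> bytes:
        if self.pos + n > len(self.buf):
            raise ValueError("truncated")
        out = self.buf[self.pos:self.pos + n]
        self.pos += n
        return out

    def u8(self) -> int:
        return self.take(1)[0]

    def u16(self) -> int:
        return struct.unpack("!H", self.take(2))[0]

    def u24(self) -> int:
        return int.from_bytes(self.take(3), "big")


def parse_client_hello(payload: bytes) -> Optional[str]:
    """Return the SNI host name ('' if the hello carries none) when payload begins
    with a complete TLS ClientHello record; return None for anything else."""
    try:
        c = _Cursor(payload)
        if c.u8() != TLS_RECORD_HANDSHAKE:
            return None
        major, minor = c.u8(), c.u8()
        if major != 3 or minor > 4:          # SSL 3.0 .. TLS 1.3 record versions
            return None
        rec = _Cursor(c.take(c.u16()))       # whole record must be present
        if rec.u8() != HANDSHAKE_CLIENT_HELLO:
            return None
        hs = _Cursor(rec.take(rec.u24()))
        hs.take(2)                           # client_version
        hs.take(32)                          # random
        hs.take(hs.u8())                     # session_id
        hs.take(hs.u16())                    # cipher_suites
        hs.take(hs.u8())                     # compression_methods
        if hs.pos == len(hs.buf):
            return ""                        # legacy hello without extensions
        exts = _Cursor(hs.take(hs.u16()))
        while exts.pos < len(exts.buf):
            ext_type, ext_len = exts.u16(), exts.u16()
            ext_data = exts.take(ext_len)
            if ext_type == EXT_SERVER_NAME:
                names = _Cursor(ext_data)
                lst = _Cursor(names.take(names.u16()))
                while lst.pos < len(lst.buf):
                    name_type = lst.u8()
                    name = lst.take(lst.u16())
                    if name_type == 0:        # host_name
                        return name.decode("ascii", errors="replace")
        return ""
    except ValueError:
        return None


def classify_flow(dst_port: int, payload: bytes) -> dict:
    """Label a flow by its content: TLS is recognised from the handshake bytes,
    so the port number never decides whether the flow is sent for decryption."""
    sni = parse_client_hello(payload)
    if sni is not None:
        return {"port": dst_port, "protocol": "TLS", "sni": sni, "decrypt": True}
    if payload[:4] in (b"GET ", b"POST", b"HEAD", b"PUT "):
        return {"port": dst_port, "protocol": "HTTP", "sni": "", "decrypt": False}
    return {"port": dst_port, "protocol": "other", "sni": "", "decrypt": False}


def build_client_hello(server_name: str) -> bytes:
    """Construct a minimal TLS 1.2 ClientHello with an SNI extension (test input)."""
    name = server_name.encode("ascii")
    entry = b"\x00" + struct.pack("!H", len(name)) + name        # name_type=host_name
    sni_ext = struct.pack("!H", len(entry)) + entry               # ServerNameList
    extensions = struct.pack("!HH", EXT_SERVER_NAME, len(sni_ext)) + sni_ext
    body = (b"\x03\x03" + bytes(32)                               # version, random
            + b"\x00"                                             # empty session_id
            + struct.pack("!H", 2) + b"\x13\x01"                  # one cipher suite
            + b"\x01\x00"                                         # null compression
            + struct.pack("!H", len(extensions)) + extensions)
    handshake = bytes([HANDSHAKE_CLIENT_HELLO]) + len(body).to_bytes(3, "big") + body
    return bytes([TLS_RECORD_HANDSHAKE, 3, 1]) + struct.pack("!H", len(handshake)) + handshake


if __name__ == "__main__":
    # Constructed flows: TLS on a non-standard port and plaintext HTTP on 443.
    print(classify_flow(8443, build_client_hello("mail.example.test")))
    print(classify_flow(443, b"GET / HTTP/1.1\r\nHost: intranet\r\n\r\n"))
```

A truncated capture that does not contain the whole record is reported as "not a ClientHello" rather than guessed at; in a real sensor the caller would buffer until the record length announced in the header has arrived.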
15. Fidelis Extrusion Prevention System® – Fidelis XPS™
The Power to Prevent: It’s the Next Generation Network Appliance
Comprehensive Information Protection
• Content protection
• Application activity control
• Encryption policy enforcement
• Threat mitigation
Deep Session Inspection™ Platform
• Comprehensive visibility into content and applications
• Prevention on all 65,535 ports
• Wire-speed performance
• Fast to deploy = quick time-to-value
• Easy to manage
• Enables zones of control
16. Policy Engine: Power of Context
• In addition to pre-built policies, customer-specific policies can easily be built using Fidelis XPS’ powerful policy engine.
• Policy = group of one or more rules
• Rule = logical combination of one or more triggers; the combination delivers context
Trigger > Content: sensitive information defined in content analyzers
1. Smart Identity Profiling
2. Keyword
3. Keyword Sequence
4. Regular Expressions
5. Binary Signatures
6. Encrypted Files
7. File Names
8. Exact File Matching
9. Partial Document Matching
10. Embedded Images
Trigger > Location: sender and recipient information
1. Source IP address
2. Destination IP address
3. Geographical data – the country in which the IP address is registered
4. Username
5. LDAP directory attributes
Trigger > Channel: details about the information flow
1. Application / protocol (port-independent)
2. Application-specific attributes (e.g., user, e-mail address, subject, filename, URL, encrypted, cipher, and many more)
3. Port (source / destination)
4. Session length / size
5. Day of week / time of day
6. Session duration
7. Decoding path
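The policy model above (policy = group of rules, rule = logical combination of content, location and channel triggers) as a small working engine, added here as an example and not Fidelis XPS code. The `Session` record, the trigger functions and the three rules are hypothetical, and the five sessions are constructed inputs modelled on the kinds of findings a risk assessment with such a policy would surface (PII in clear text, confidential documents over instant messaging, price lists fetched to a foreign destination).

```python
import ipaddress
import re
from dataclasses import dataclass
from typing import Callable, Dict, List


@dataclass
class Session:
    """Hypothetical decoded-session record (one per inspected flow)."""
    src_ip: str
    dst_ip: str
    dst_country: str      # Location: country the destination IP is registered in
    username: str         # Location: sender identity
    application: str      # Channel: application/protocol, identified independently of port
    port: int
    size_bytes: int
    encrypted: bool
    filename: str = ""    # Channel: application-specific attribute
    content: str = ""     # Content: decoded payload text


Trigger = Callable[[Session], bool]


# --- Content triggers: what is being sent ---
def keyword(word: str) -> Trigger:
    return lambda s: word.lower() in s.content.lower()

def regex(pattern: str) -> Trigger:
    rx = re.compile(pattern)
    return lambda s: rx.search(s.content) is not None

def file_extension(*exts: str) -> Trigger:
    return lambda s: s.filename.lower().endswith(tuple(e.lower() for e in exts))


# --- Location triggers: who is sending, to where ---
def source_subnet(cidr: str) -> Trigger:
    net = ipaddress.ip_network(cidr)
    return lambda s: ipaddress.ip_address(s.src_ip) in net

def destination_country(*countries: str) -> Trigger:
    return lambda s: s.dst_country in countries


# --- Channel triggers: how it is being sent ---
def application(*apps: str) -> Trigger:
    return lambda s: s.application in apps

def unencrypted() -> Trigger:
    return lambda s: not s.encrypted

def larger_than(n: int) -> Trigger:
    return lambda s: s.size_bytes > n


# --- Logical combinators: a rule is a logical combination of triggers ---
def all_of(*ts: Trigger) -> Trigger:
    return lambda s: all(t(s) for t in ts)

def any_of(*ts: Trigger) -> Trigger:
    return lambda s: any(t(s) for t in ts)

def not_(t: Trigger) -> Trigger:
    return lambda s: not t(s)


@dataclass
class Rule:
    name: str
    condition: Trigger
    action: str           # visualize / alert / prevent


@dataclass
class Policy:
    name: str
    rules: List[Rule]

    def evaluate(self, session: Session) -> List[Rule]:
        return [r for r in self.rules if r.condition(session)]


SSN_LIKE = r"\b\d{3}-\d{2}-\d{4}\b"   # constructed pattern for US-SSN-shaped tokens

DLP_POLICY = Policy("information-protection", [
    Rule("pii-in-clear-text",
         all_of(any_of(regex(SSN_LIKE), keyword("date of birth")),
                unencrypted(), application("FTP", "HTTP", "SMTP")),
         "prevent"),
    Rule("confidential-doc-over-im",
         all_of(file_extension(".doc", ".docx", ".xlsx"), keyword("confidential"),
                application("MSN", "AIM", "Yahoo IM"), larger_than(100_000)),
         "alert"),
    Rule("price-list-to-foreign-dest",
         all_of(source_subnet("10.0.0.0/8"), keyword("price list"),
                application("HTTP"), not_(destination_country("US", "CA"))),
         "visualize"),
])

# Constructed sessions; addresses use documentation ranges.
SAMPLE_SESSIONS = [
    Session("10.0.5.12", "203.0.113.7", "DE", "jdoe", "FTP", 21, 48_000, False,
            "customers.csv", "name,ssn\nAlice,123-45-6789"),
    Session("10.0.7.31", "198.51.100.4", "US", "asmith", "MSN", 1863, 812_000, False,
            "Q3_forecast.docx", "CONFIDENTIAL - internal use only"),
    Session("10.0.9.5", "192.0.2.50", "US", "bwong", "HTTPS", 443, 12_000, True),
    Session("10.0.2.77", "203.0.113.88", "CN", "guest", "HTTP", 8080, 2_400_000, False,
            "", "GET /partners/price list 2012.xls"),
    Session("10.0.3.14", "10.0.3.200", "US", "cperez", "SMTP", 25, 3_000, False,
            "", "Lunch menu for Friday"),
]


def assess(policy: Policy, sessions: List[Session]) -> Dict[int, List[str]]:
    """Map each session index that fires at least one rule to the rule names."""
    findings: Dict[int, List[str]] = {}
    for i, s in enumerate(sessions):
        hits = policy.evaluate(s)
        if hits:
            findings[i] = [r.name for r in hits]
    return findings


if __name__ == "__main__":
    found = assess(DLP_POLICY, SAMPLE_SESSIONS)
    print(f"{len(found)} suspects out of {len(SAMPLE_SESSIONS)} sessions")
    for i, names in found.items():
        print(i, SAMPLE_SESSIONS[i].username, SAMPLE_SESSIONS[i].application, names)
```

Each rule needs all three trigger families to fire, which is the "context" the slide refers to: an SSN-shaped string alone is not a finding, but the same string leaving unencrypted over FTP is; a spreadsheet alone is not a finding, but a large confidential one pushed through an instant-messaging channel is.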
17. Social Networking whilst Mitigating Risk
• Technical and business controls
• Ensure employee code-of-conduct policies cover social networking
– Who can speak on behalf of the company
– What employees can use social networks for
• Train employees on the roles and risks of social networking
• Create official profiles for corporate executives
– Even if they will not actually be used
– Request that sites block other accounts in executives’ names
• Implement technical controls that address how social networks are used
• Social networking is here to stay
– Security policy needs to address how it is used
18. Fidelis XPS: Risk assessment in vivo
• 88 suspects culled out of >150,000 transactions in a 24-hour period.
– Price list trawling in password-protected areas
– PII over FTP in clear text
– File transfers of confidential office documents using MSN Messenger