Juniper Security Threat Response Manager (STRM) Customer Presentation

Copyright © 2007 Juniper Networks, Inc. Proprietary and Confidential. www.juniper.net

Apr 02, 2015


Jordan Torr

Customer Challenges

IT “information” overload
• Flood of logged events from many “point” network and security devices
• Lack of expertise to manage disparate data silos & tools

Compliance mandates
• Industry specific regulations mandating security best practices
• Internal IT “risk” assessment programs

Evolving internal and external threats
• Insider abuse, theft of intellectual property
• Complex integrated attacks

Diagram labels: Dispersed Threats; Industry Regulations; IT Overload


Introducing Juniper’s SIEM/NBAD Solution

STRM – “Security Threat Response Manager”

STRM Key application features

• Log Management
  • Provides long term collection, archival, search and reporting of event logs, flow logs and application data
• Security Information and Event Management (SIEM)
  • Centralizes heterogeneous event monitoring, correlation and management
• Network Behavior Anomaly Detection (NBAD)
  • Discovers aberrant network activities using network and application flow data

Integrates Mission Critical Network & Security Data Silos

Diagram labels: Security Information & Event Management; Network Behavior Analysis; Log Management; STRM


STRM’s Key Value Proposition

Threat Detection: Detect New Threats That Others Miss

Log Management: Right Threats at the Right Time

Compliance: Compliance and Policy Safety Net

Complements Juniper’s Enterprise Mgmt Portfolio

Diagram labels: Juniper’s STRM Appliance; Enterprise Value


STRM Architecture

STRM – Real time network & security visibility

Data collection provides network, security, application, and identity awareness

Embedded intelligence & analytics simplify security operations

Prioritized “offenses” separate the wheat from the chaff

Solution enables effective Threat, Compliance & Log Management


Log Management

Is fundamental to any centralized network security management solution

Challenges include | STRM enables
Log overload for administrators | Highly scalable log aggregation; Consistent logging taxonomy
Multi-vendor network; Constant change of formats | Broad vendor coverage and extensible APIs for less common formats
Demanding operational requirements | Advanced log management capabilities including tamper proof log archives


Unrivalled Data & Log Management

Networking events
• Switches & routers, including flow data

Security logs
• Firewalls, IDS, IPS, VPNs, Vulnerability Scanners, Gateway AV, Desktop AV, & UTM devices

Operating Systems/Host logs
• Microsoft, Unix and Linux

Applications
• Database, mail & web

User and asset
• Authentication data

Support for leading vendors including:
• Networking: Juniper, Cisco, Extreme, Nokia, F5, 3Com, TopLayer and others
• Security: Juniper, Bluecoat, Checkpoint, Fortinet, ISS, McAfee, Snort, SonicWall, Sourcefire, Secure Computing, Symantec, and others
• Network flow: NetFlow, JFlow, Packeteer FDR, & SFlow
• Operating systems: Microsoft, AIX, HP-UX, Linux (RedHat, SuSe), SunOS, and others
• Applications: Oracle, MS SQL, MS IIS, MS AD, MS Exchange, and others

Security map utilities:
• Maxmine (provides geographies)
• Shadownet
• Botnet

Customization logs through generic Device Support Module (DSM) Adaptive Logging Exporter (ALE)
• Integrate proprietary applications and legacy systems

Diagram labels: Compliance Templates; Forensics Search; Policy Reporting


STRM Log Management

Tamper Proof Log Archives

Event and flow logs are protected by storing an associated checksum for each log file written to disk

Required by specific regulations (e.g. PCI)

Highest level of integrity provided by Secure Hashing Algorithm (SHA) from National Institute of Standards & Technology (NIST)

Hashing algorithms supported include:
• MD2: Message Digest algorithm as defined by RFC 1319
• MD5: Message Digest algorithm as defined by RFC 1321
• SHA-1: Secure Hash Algorithm as defined by NIST FIPS 180-1
• SHA-2: Which includes SHA-256, 384 and 512 defined by NIST FIPS 180-2
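
The per-file checksum scheme described on this slide, as an added example that is not taken from the Juniper presentation or from STRM itself. It uses the listed algorithms that Python's hashlib always provides (MD2 is left out); the JSON manifest format, the function names and the file names are assumptions, and the log contents are constructed.

```python
import hashlib
import json
import tempfile
from pathlib import Path

# Algorithms named on the slide that hashlib always provides (MD2 is not one of them).
SUPPORTED = ("md5", "sha1", "sha256", "sha384", "sha512")

def file_digest(path, algorithm="sha256", chunk_size=65536):
    """Hash a log file in chunks so large archives are never loaded whole."""
    if algorithm not in SUPPORTED:
        raise ValueError(f"unsupported algorithm: {algorithm}")
    h = hashlib.new(algorithm)
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()

def seal_archive(log_dir, manifest_path, algorithm="sha256"):
    """Store one checksum per log file (hypothetical JSON manifest format)."""
    files = {p.name: file_digest(p, algorithm) for p in sorted(Path(log_dir).glob("*.log"))}
    Path(manifest_path).write_text(json.dumps({"algorithm": algorithm, "files": files}))

def verify_archive(log_dir, manifest_path):
    """Return {file name: "ok" | "modified" | "missing" | "unlisted"}."""
    manifest, result = json.loads(Path(manifest_path).read_text()), {}
    for name, expected in manifest["files"].items():
        path = Path(log_dir) / name
        if not path.exists():
            result[name] = "missing"
        elif file_digest(path, manifest["algorithm"]) == expected:
            result[name] = "ok"
        else:
            result[name] = "modified"
    for p in Path(log_dir).glob("*.log"):
        result.setdefault(p.name, "unlisted")  # written after sealing, no checksum
    return result

def demo():
    """Constructed sample data: seal three logs, then alter, delete and add one."""
    with tempfile.TemporaryDirectory() as d:
        logs, manifest = Path(d) / "logs", Path(d) / "manifest.json"
        logs.mkdir()
        for name in ("events.log", "flows.log", "auth.log"):
            (logs / name).write_text(f"constructed sample line for {name}\n")
        seal_archive(logs, manifest)
        (logs / "events.log").write_text("edited after sealing\n")
        (logs / "auth.log").unlink()
        (logs / "late.log").write_text("written after sealing\n")
        return verify_archive(logs, manifest)
```

A checksum manifest only detects tampering if it is kept where someone able to alter the logs cannot also rewrite it, for example on a separate host or on write-once media.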


Reporting

220+ Out of the box report templates

Fully customizable reporting engine: creating, branding and scheduling delivery of reports

Compliance reporting packages for PCI, SOX, FISMA, GLBA, and HIPAA

Reports based on control frameworks: NIST, ISO and CoBIT


Security Event Correlation & Threat Management

Is necessary to effectively make sense of all of the collected data

Challenges include | STRM provides
Vendor log formats are a moving target | QID map provides intelligent mapping of vendor events
Constant change on the network | Extensive use of historical profiling for improved accuracy of results
Correlation rules complex to manage | Simplified out-of-the-box building blocks & rules simplify rule management


STRM Offense Management

Tracks significant security incidents & threats

Leverages building blocks & rules

Builds history of supporting & relevant information for significant security incidents
• Provides “point-in-time” reference of offending users and vulnerability state
• Provides record of first and last occurrence of security incidents

Incorporates network behavior analysis to validate/discredit incidents & detect unknown traffic patterns

Provides prioritization based on: credibility, relevance & severity


The Value of JFLOW

Passive flow monitoring creates asset profiles and helps auto-discover/classify hosts

• Passive vulnerability information for correlation

Detection of day-zero attacks that have no signature

Policy monitoring and rogue server detection

Visibility into all communication made by an attacker, regardless of whether it caused an event

Network awareness, visibility and problem solving (not necessarily security related)

• Mail loops, misconfigured apps, application performance issues


The Key to Data Management: Reduction and Prioritization

Previous 24hr period of network and security activity (2.7M logs)

STRM correlation of data sources creates offenses (129)

Offenses are a complete history of a threat or violation with full context about accompanying network, asset and user identity information

Offenses are further prioritized by business impact


Offense Management: Intelligent Workflow for Operators

Who is attacking?

What is being attacked?

What is the impact?

Where do I investigate?


STRM System features

Centralized browser based UI

Role based access to information

Customizable dashboards

Real-time & historical visibility

Advanced data mining & drill down

Easy to use rule engine

Hierarchical distribution for scale


STRM Key Benefits

Converged network security management console
• Integrates typically silo’d network & security data

Network, security, application, & identity awareness
• Unrivaled data management greatly improves ability to meet IT security control objectives

Advanced analytics & threat detection
• Detects threats that other solutions miss

Compliance-driven capabilities
• Enables IT best practices that support compliance initiatives

Scalable distributed log collection and archival
• Network security management scales to any sized organization


Summary

STRM delivers repeatable security and compliance management:

• Integrated network, security, identity and application aware network security management platform
  Gain efficiency through use of a single pane of glass across entire infrastructure

• Advanced correlation to deliver actionable “offenses”
  Gain unparalleled ability to reduce noise and recognize the most important security incidents

• Efficient and secure log management
  Meet logging and auditing requirements for all internal/external IT security mandates
  Flexible deployment options - Turnkey log management to full Network Security Management

Diagram labels: Log Management; Threat Management; Compliance Management


STRM Products

[Chart: STRM appliance models by capacity. Axes: Events per sec; Flows per Min. Segments: Small Enterprise; Small Medium Enterprise; Large enterprises & Service Providers.]

Models: STRM500; STRM2500; STRM5000

Capacity points, in the order shown: 250EPS / 15k F; 500EPS / 15kF; 1000EPS / 50 & 100k F; 2500EPS / 50 & 100k F; 5000EPS / 100 & 200k F; STRM - EP; 5000 + EPS / 100 & 200k F; STRM - EP


Hardware Summary

Market Segments | STRM Models | CPU | Memory | Storage
Small | STRM500-A-BSE, STRM500-ADD-250EPS-15KF, STRM500-UPG-500EPS-15KF | Intel Core 2 Dual | 8GB | 2x 500GB HDD RAID 1
Medium | STRM2500-ADD-BSE, STRM2500-ADD-1KEPS-50KF, STRM2500-UPG-2500EPS-50KF, STRM2500-UP-2500EPS-100KF | Intel Core 2 Quad | 8GB | 6x 250GB HDD RAID 5 array
Large | STRM5K-A-BSE, STRM5K-ADD-5KEPS, STRM5K-ADD-CON, STRM5K-ADD-EP-5KEPS, STRM5K-ADD-FP-200KF | Intel Core 2 Quad | 8GB | 6x 500GB HDD RAID 10 array


STRM Pricing

SKU | Description | List Price
STRM500-A-BSE | Base HW Appliance | $3,000
STRM500-ADD-250EPS-15KF | Add 250EPS and 15K Flows | $12,000
STRM500-UPG-500EPS-15KF | Upgrade to 500 EPS with 15K Flows | $7,000
STRM2500-A-BSE | Base HW Appliance | $7,000
STRM2500-ADD-1KEPS-50KF | Add 1000 EPS and 50K Flows | $30,000
STRM2500-UPG-2500EPS-50KF | Upgrade to 2500 EPS with 50K Flows | $30,000
STRM2500-UPG-2500EPS-100KF | Upgrade to 100K Flows | $20,000
STRM5K-A-BSE | Base HW Appliance | $11,000
STRM5K-ADD-5KEPS-100KF | Add 5000 EPS and 100K Flows | $109,000
STRM5K-UPG-5KEPS-200KF | Upgrade to 200K Flows | $42,000
STRM5K-ADD-EP-5KEPS | Add Event Processor for 5000 Events Per Sec (Distribution) | $90,000
STRM5K-UPG-EP-10KEPS | Upgrade Event Processor to 10,000 EPS | $90,000
STRM5K-ADD-FP-200KF | Add Flow Processor for 200K Flows (Distribution) | $90,000
STRM5K-UPG-FP-400KF | Upgrade Flow Processor to 400K Flows | $90,000
STRM5K-UPG-FP-600KF | Upgrade Flow Processor to 600K Flows | $90,000
STRM5K-ADD-CON | Console for Distributed Architecture | $35,000


Competitive Summary

Columns: STRM | Cisco MARS | Arcsight | RSA Envision | Mazu/Lancope/Arbor

Log Management: Strong | Weak | Disjoint solutions for log and threat management; Limited Flow support; No NBAD | Strong | No

Threat Management (cells in the order shown): Strong; Cisco-focused; Weak; Limited flow support; No NBAD; No event data; Flow data only

Compliance Management: Strong | Weak | Strong | Strong | Weak


Competitive Pricing Analysis

EPS | STRM | Cisco MARS | Q1 Labs | EIQ | Envision | LogLogic | ArcSight
500 | $22,000 | $15,000 | $39,900 | $43,795 | $27,599 | $22,000 | $67,827
1000 | $37,000 | $30,000 | $39,900 | $70,695 | $40,857 | $22,000 | $85,177
2500 | $67,000 | $67,000 | $85,700 | $115,395 | $78,219 | $50,000 | $119,177
5000 | $120,000 | $101,000 | $138,700 | $276,495 | $117,992 | $150,000 | $259,267
10000 | $215,000 | $176,000 | $268,600 | $544,995 | $280,455 | $225,000 | $506,847


STRM Release Schedule

Timeline: Q1 ‘08, Q2 ‘08, Q3 ‘08, Q4 ‘08

Q108 (STRM 2008.1)
• STRM 500
• STRM 2500
• Full Soln

Q208 (STRM 2008.2)
• STRM5000
• STRM Log Management and Reporting only option
• Add additional device support: EX, M, MX

Q308 (STRM 2008.3)
• Reporting Enhancements
• Time Based Reporting
• HA

Planning Phase

Planning Phase

Q408 (STRM 2008.4)
• Integration with NSM
• Australia, Viking support
• Risk Assessment

Planning Phase


Thank You