Case 3:17-cv-05659-WHA Document 353-15 Filed 01/10/19 Page 1 of 6

EXHIBIT 13

Juniper Networks Sky Advanced Threat Prevention

Juniper Networks Sky Advanced Threat Prevention (Sky ATP) is a security framework that protects all hosts in your
network against evolving security threats by employing cloud-based threat detection software with a next-generation
firewall system. See Figure 1.

Figure 1: Sky ATP Overview (diagram: the Sky Advanced Threat Prevention Cloud, labelled Advanced Threat Prevention, Sandbox with Deception and Static Analysis, connected to an SRX Series device at the Customer site)
`
UNITED STATES DISTRICT COURT
NORTHERN DISTRICT OF CALIFORNIA
Trial Exhibit 74
Case No. 17-CV-05659-WHA
Entered:
By: Deputy Clerk

Sky ATP protects your network by performing the following tasks:

• The SRX Series device extracts potentially malicious objects and files and sends them to the cloud for analysis.
• Known malicious files are quickly identified and dropped before they can infect a host.
• Multiple techniques identify new malware, adding it to the known list of malware.
• Correlation between newly identified malware and known Command and Control (C&C) sites aids analysis.
• The SRX Series device blocks known malicious file downloads and outbound C&C traffic.
`
Sky ATP supports the following modes:

• Layer 3 mode
• Tap mode
• Transparent mode using MAC address. For more information, see Transparent mode on SRX Series devices.
• Secure wire mode (a high-level transparent mode that passes traffic directly between the interfaces of a pair, not by MAC address). For more information, see Understanding Secure Wire.
`
Sky ATP Features

Sky ATP is a cloud-based solution. Cloud environments are flexible and scalable, and a shared environment ensures
that everyone benefits from new threat intelligence in near real-time. Your sensitive data is secured even though it is
in a cloud shared environment. Security analysts can update their defense when new attack techniques are
discovered and distribute the threat intelligence with very little delay.

In addition, Sky ATP offers the following features:

• Integrated with the SRX Series device to simplify deployment and enhance the anti-threat capabilities of the firewall.
• Delivers protection against "zero-day" threats using a combination of tools to provide robust coverage against sophisticated, evasive threats.
• Checks inbound and outbound ... prevent data exfiltration, ... quarantine infected systems, ...
• High availability to provide uninterrupted service.
• Scalable to handle increasing loads that require more computing resources, increased network bandwidth to receive more customer submissions, and a large storage for malware.
• Provides deep inspection, actionable reporting, and inline malware blocking.
• APIs for C&C feeds, whitelist and blacklist operations, and file submission. See the Threat Intelligence Open API Setup Guide for more information.

FINJAN-JN 005382
`
Figure 2 lists the Sky ATP components.

Figure 2: Sky ATP Components (diagram: the Sky ATP Secure Cloud Service, comprising Command and Control feeds with Known C&C Servers and Feed Analysis and Efficacy, the Malware Inspection Pipeline returning Fast Verdicts, Internal Compromise Detection, and the Web-based Service Portal with Configuration; the SRX Series device, performing Content (File) Extraction, reporting SecIntel Events (C&C "Hits"), and quarantining Compromised Systems)
`
Table 1 briefly describes each Sky ATP component's operation.

Table 1: Sky ATP Components

Component: Operation

Command and control (C&C) cloud feeds: C&C feeds are essentially a list of servers that are known command and control servers for botnets. The list also includes servers that are known sources for malware downloads.

GeoIP cloud feeds: GeoIP feeds are an up-to-date mapping of IP addresses to geographical regions. This gives you the ability to filter traffic to and from specific geographies in the world.

Infected host cloud feeds: Infected hosts are local devices that are potentially compromised because they appear to be part of a C&C network or exhibit other symptoms.

Whitelists, blacklists and custom cloud feeds: A whitelist is simply a list of known IP addresses that you trust, and a blacklist is a list that you do not trust. Note: Custom feeds are not supported in this release.

SRX Series device: Submits extracted file content for analysis and detected C&C hits inside the customer network. Performs inline blocking based on verdicts from the analysis cluster.

Malware inspection pipeline: Performs malware analysis and threat detection.

Internal compromise detection: Inspects files, metadata, and other information.

Service portal (Web UI): Graphical interface displaying information about detected threats inside the customer network. Configuration management tool where customers can fine-tune which file categories can be submitted into the cloud for processing.
`
How the SRX Series Device Remediates Traffic

The SRX Series devices use intelligence provided by Sky ATP to remediate malicious content through the use of
security policies. If configured, security policies block that content before it is delivered to the destination address.

For inbound traffic, security policies on the SRX Series device look for specific types of files, like .exe files, to inspect.
When one is encountered, the security policy sends the file to the Sky ATP cloud for inspection. The SRX Series device
holds the last few KB of the file from the destination client while Sky ATP checks if this file has already been analyzed.
If so, a verdict is returned and the file is either sent to the client or blocked depending on the file's threat level and the
user-defined policy in place. If the cloud has not inspected this file before, the file is sent to the client while Sky ATP
performs an exhaustive analysis. If the file's threat level indicates malware (and depending on the user-defined
configurations) the client system is marked as an infected host and blocked from outbound traffic. For more
information, see How is Malware Analyzed and Detected?.
`
Figure 3 shows an example flow of a client requesting a file download with Sky ATP.

Figure 3: Inspecting Inbound Files for Malware (diagram: a client behind an SRX Series device downloads a file from the Internet; the SRX Series device asks the Sky Advanced Threat Prevention cloud "Infected file?" and acts on the verdict; steps 1 to 5 are described below)

Step 1: A client system behind an SRX Series device requests a file download from the Internet. The SRX Series device forwards that request to the appropriate server.

Step 2: The SRX Series device receives the downloaded file and checks its security profile to see if any additional action must be performed.

Step 3: The downloaded file type is on the list of files that must be inspected and is sent to the cloud for analysis.

Step 4: Sky ATP has inspected this file before and has the analysis stored in cache. In this example, the file is not malware and the verdict is sent back to the SRX Series device.

Step 5: Based on user-defined policies and because this file is not malware, the SRX Series device sends the file to the client.
`
For outbound traffic, the SRX Series device monitors traffic that matches C&C feeds it receives, blocks these C&C
requests, and reports them to Sky ATP. A list of infected hosts is available so that the SRX Series device can block
inbound and outbound traffic.
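The inbound flow of Figure 3, the "deliver now, verdict later" path for files the cloud has never seen, and the outbound C&C-feed and infected-host blocking described above can be modelled in a few dozen lines. The following is an added example written for this page, not Juniper code: the class and method names, the 0..10 threat-level scale, the threshold of 7, the inspected file types and all sample files, addresses and feed entries are hypothetical or constructed. The cloud is reduced to a hash-keyed verdict cache plus a queue that stands in for the exhaustive analysis, which is the part of the design worth seeing: a file is only blocked inline if a cached verdict exists, so the first victim of a new sample receives the file and is caught afterwards as an infected host.

```python
"""Toy model of the Sky ATP remediation flow (added example, not Juniper code).

Names, the threat-level scale, the threshold and all sample data are
hypothetical/constructed.
"""
import hashlib
from dataclasses import dataclass, field

# Constructed sample data: a small C&C feed, the file categories the policy
# submits for inspection, and the threat level at which a file counts as malware.
C2_FEED = {"198.51.100.7", "203.0.113.9"}
INSPECTED_TYPES = {"exe", "dll"}
MALWARE_THRESHOLD = 7            # hypothetical: threat level 7..10 is treated as malware
MALICIOUS_MARKER = b"EVIL"       # stand-in for whatever the analysis pipeline detects


class SkyAtpCloud:
    """Stand-in for the cloud service: a verdict cache keyed by file hash and a
    queue for files that still need full (asynchronous) analysis."""

    def __init__(self):
        self.cache = {}          # sha256 hex digest -> threat level 0..10
        self.queue = []          # (digest, content) awaiting full analysis

    def lookup(self, digest):
        """Fast verdict: None if this file has never been analyzed."""
        return self.cache.get(digest)

    def submit(self, digest, content):
        self.queue.append((digest, content))

    def run_analysis(self):
        """Drain the queue. The toy verdict is 9 for marked content, 1 otherwise."""
        while self.queue:
            digest, content = self.queue.pop(0)
            self.cache[digest] = 9 if MALICIOUS_MARKER in content else 1


@dataclass
class SrxDevice:
    cloud: SkyAtpCloud
    c2_feed: set
    inspected_types: set
    threshold: int
    infected_hosts: set = field(default_factory=set)
    pending: dict = field(default_factory=dict)   # digest -> client that already got the file
    events: list = field(default_factory=list)

    def handle_download(self, client, filename, content):
        """Inbound flow: only listed file types go to the cloud. A cached verdict is
        enforced inline (the device withholds the tail of the file until the verdict
        returns); an unseen file is delivered and submitted for full analysis."""
        ext = filename.rsplit(".", 1)[-1].lower()
        if ext not in self.inspected_types:
            return "deliver"
        digest = hashlib.sha256(content).hexdigest()
        level = self.cloud.lookup(digest)
        if level is None:
            self.cloud.submit(digest, content)
            self.pending[digest] = client
            return "deliver-pending"
        if level >= self.threshold:
            self.events.append(("blocked-download", client, digest[:12]))
            return "block"
        return "deliver"

    def poll_verdicts(self):
        """Late verdicts for files already delivered: a malware verdict marks the
        receiving client as an infected host, which cuts off its outbound traffic."""
        for digest in list(self.pending):
            level = self.cloud.lookup(digest)
            if level is None:
                continue
            client = self.pending.pop(digest)
            if level >= self.threshold:
                self.infected_hosts.add(client)
                self.events.append(("infected-host", client, digest[:12]))

    def handle_outbound(self, client, dst_ip):
        """Outbound flow: infected hosts are blocked outright; connections to a
        C&C feed entry are blocked and recorded as C&C hit events."""
        if client in self.infected_hosts:
            return "block-infected-host"
        if dst_ip in self.c2_feed:
            self.events.append(("c2-hit", client, dst_ip))
            return "block-c2"
        return "allow"


def demo():
    """Run the Figure 3 scenario plus the outbound cases; returns each decision."""
    cloud = SkyAtpCloud()
    srx = SrxDevice(cloud, C2_FEED, INSPECTED_TYPES, MALWARE_THRESHOLD)
    bad = b"MZ\x90\x00" + MALICIOUS_MARKER + b"payload"     # constructed sample files
    good = b"MZ\x90\x00clean"
    r = {}
    r["first_bad"] = srx.handle_download("10.0.0.5", "setup.exe", bad)   # unseen: delivered
    r["good"] = srx.handle_download("10.0.0.6", "tool.exe", good)        # unseen: delivered
    r["text"] = srx.handle_download("10.0.0.6", "notes.txt", bad)        # type not inspected
    cloud.run_analysis()                                                 # exhaustive analysis completes
    srx.poll_verdicts()                                                  # 10.0.0.5 becomes an infected host
    r["second_bad"] = srx.handle_download("10.0.0.7", "setup.exe", bad)  # cached verdict: blocked inline
    r["out_infected"] = srx.handle_outbound("10.0.0.5", "93.184.216.34")
    r["out_c2"] = srx.handle_outbound("10.0.0.6", "198.51.100.7")
    r["out_clean"] = srx.handle_outbound("10.0.0.6", "93.184.216.34")
    r["infected"] = sorted(srx.infected_hosts)
    return r


if __name__ == "__main__":
    for name, decision in demo().items():
        print(f"{name}: {decision}")
```

Run the file directly to see the decisions. The point a practitioner should take from the model is the window it exposes: the same sample that is blocked inline for the third client (cached verdict) was delivered to the first, which is why the infected-host feed and outbound blocking exist alongside inline file blocking.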
`
Sky ATP Use Cases

Sky ATP can be used anywhere in an SRX Series deployment. See Figure 4.

Figure 4: Sky ATP Use Cases (diagram: the Sky Advanced Threat Prevention Cloud in the Juniper Cloud, serving SRX Series devices at the Data Center and at Campus Locations)

• Campus edge firewall: Sky ATP analyzes files downloaded from the Internet and protects end-user devices.
• Data center edge: Like the campus edge firewall, Sky ATP prevents infected files and application malware from running on your computers.
• Branch router: Sky ATP provides protection in split-tunneling deployments. A disadvantage of split-tunneling is that users can bypass security set in place by your company's infrastructure.
`
Modified: 2017-08-29