Case 3:17-cv-05659-WHA Document 393-14 Filed 03/14/19 Page 1 of 4

EXHIBIT 12

Juniper Networks

Data Sheet

Advanced Threat Prevention Appliance

Product Overview
Juniper Networks Advanced Threat Prevention Appliance is a distributed software platform that combines advanced threat detection, consolidated security analytics, and one-touch threat mitigation to protect organizations from cyber attacks and improve the productivity of security teams. The ATP Appliance detects threats across web, e-mail, and lateral traffic. Additionally, it can ingest logs from security devices to present a consolidated view of all threats in the environment.

Product Description
Organizations worldwide face security and productivity challenges every day. Zero-day malware often goes undetected because traditional security devices, which rely on signature-based detection, can't see it. Adding to the problem, security teams—overwhelmed by large volumes of alerts—often fail to recognize and act on critical incidents.

The Juniper Networks® Advanced Threat Prevention Appliance (formerly the Cyphort All-in-One system) provides continuous, multistage detection and analysis of Web, e-mail, and lateral spread traffic moving through the network. It collects information from multiple attack vectors, using advanced machine learning and behavioral analysis technologies to identify advanced threats in as little as 15 seconds. Those threats are then combined with data collected from other security tools in the network, analyzed, and correlated, creating a consolidated timeline view of all malware events related to an infected host. Once threats are identified, “one-touch” policy updates are pushed to inline tools to protect against a recurrence of advanced attacks.

The detection component of the ATP Appliance monitors network traffic to identify threats as they progress through the kill chain, detecting phishing, exploits, malware downloads, command and control communications, and internal threats. A multistage threat analysis process, which includes static, payload, machine learning, and behavior, as well as malware reputation analysis, continuously adapts to the changing threat landscape leveraging Juniper's Global Security Service, a cloud-based service that offers the latest threat detection and mitigation information produced by a team of security researchers, data scientists, and ethical hackers.

The threat analytics component of the ATP Appliance offers a holistic view of identity and threat activity gathered from a diverse set of sources such as Active Directory, endpoint antivirus, firewalls, secure Web gateways, intrusion detection systems, and endpoint detection and response tools. The analytics component looks at data from these sources, identifies advanced malicious traits, and correlates the events to provide complete visibility into a threat’s kill chain. Security analysts receive a comprehensive host and user timeline that depicts how the events that occurred on a host or user unfolded. The timeline enhances the productivity of Tier 1 and Tier 2 security analysts who work on triaging and investigating malware incidents.

The ATP Appliance can integrate with other security devices to mitigate threats, giving users the ability to automatically quarantine e-mails on Google and Office 365 using REST APIs. Communications between the infected endpoint and the command and control servers are blocked by pushing malicious IP addresses to firewall devices. Integration with network access control devices can isolate infected hosts. The ATP Appliance’s open API architecture also allows it to integrate with a number of third-party security vendors such as Cisco, Palo Alto Networks, Fortinet, Bluecoat, Check Point, Carbon Black, and Bradford, among others.

FINJAN-JN 045069

[Figure 1: Juniper Networks ATP Appliance architecture. Diagram labels: Firewall, Collector Fabric, Collector, Headquarters, SmartCore, File Upload, Lateral Detection, Lateral Spread.]

Architecture and Key Components
The architecture of the ATP Appliance consists of collectors deployed at critical points in the network, including remote locations. These collectors act like sensors, capturing information about Web, e-mail, and lateral traffic. Data and related executables collected across the fabric are delivered to the SmartCore analytics engine. Along with traffic from the native collectors, the ATP Appliance also ingests logs from other identity and security products such as Active Directory, endpoint antivirus, firewalls, secure Web gateways, intrusion detection systems, and endpoint detection and response tools. The logs can be ingested directly from third-party devices, or they can be forwarded from existing SIEM/syslog servers.

Armed with data collected from various sources, the SmartCore analytics engine performs the following multistage threat analysis processes:

Static analysis: Applies continuously updated rules and signatures to find known threats that may have eluded inline devices.

Payload analysis: Leverages an intelligent sandbox array to gain a deeper understanding of malware behavior by detonating suspicious Web and file content that would otherwise target Windows, OSX, or Android endpoint devices.

Machine learning and behavioral analysis: Employs patent-pending technologies to recognize the latest threat behaviors (such as multicomponent attacks over time) and quickly detect previously unknown threats.

Malware reputation analysis: Compares analysis results with similar known threats to determine whether a newly detected threat is a variant of an existing issue or something completely new.

Prioritization, risk analysis, correlation: Prioritizes threats based on threat severity, asset targets in the network, endpoint environment, and the threat’s progression along the kill chain. For example, a high severity Windows malware landing on a Mac receives a lower risk score than a medium severity malware landing on a protected server. All malware events from the ATP Appliance and other security devices are correlated based on endpoint hostname and time and then plotted on a host timeline, allowing security teams to assess the risk of a threat and whether it requires immediate attention. For example, a threat detected by the ATP Appliance but missed by the antivirus solution receives a higher risk score. This allows security teams to go back in time and review all malicious events that have occurred on an infected host.
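
The prioritization and correlation step described above, sketched as an added example (not Juniper's code and not part of the data sheet): events from several sources are grouped by hostname and ordered by time, and a score reflects severity, asset value, OS fit, kill-chain stage, and whether antivirus missed the threat. All weights, field names, hosts, and events are assumptions constructed for illustration.

```python
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta

# Every weight here is an assumption for illustration, not a product value.
SEVERITY = {"low": 1, "medium": 2, "high": 3}
STAGE = {"phishing": 1, "download": 2, "execution": 3, "c2": 4}  # kill chain progress
OS_MISMATCH_FACTOR = 0.2   # malware built for another OS cannot run on this host
AV_MISSED_BONUS = 2        # detector fired but endpoint antivirus stayed silent
WINDOW = timedelta(minutes=5)

@dataclass(frozen=True)
class Event:
    time: datetime
    host: str
    source: str      # "detector", "antivirus", ...
    stage: str
    severity: str
    target_os: str

def build_timelines(events):
    """Correlate events from all sources by hostname, ordered by time."""
    timelines = defaultdict(list)
    for ev in events:
        timelines[ev.host.upper()].append(ev)   # hostnames compared case-insensitively
    return {h: sorted(evs, key=lambda e: e.time) for h, evs in timelines.items()}

def risk_score(ev, asset, timeline):  # severity x asset value, OS fit, stage, AV coverage
    score = SEVERITY[ev.severity] * asset["value"]
    if ev.target_os != asset["os"]:
        score *= OS_MISMATCH_FACTOR
    score += STAGE[ev.stage]
    av_saw_it = any(o.source == "antivirus" and abs(o.time - ev.time) <= WINDOW for o in timeline)
    return score if av_saw_it else score + AV_MISSED_BONUS

_t = lambda minute: datetime(2024, 1, 1, 11, minute)  # constructed timestamps, arbitrary day
# Constructed sample data: hosts, asset values and events are made up.
ASSETS = {"MAC-01": {"os": "osx", "value": 1}, "SRV-01": {"os": "windows", "value": 3},
          "PC-01": {"os": "windows", "value": 1}, "PC-02": {"os": "windows", "value": 1}}
EVENTS = [Event(_t(53), "mac-01", "detector", "download", "high", "windows"),
          Event(_t(53), "srv-01", "detector", "download", "medium", "windows"),
          Event(_t(55), "PC-01", "antivirus", "download", "high", "windows"),
          Event(_t(54), "pc-01", "detector", "download", "high", "windows"),
          Event(_t(54), "pc-02", "detector", "download", "high", "windows")]

def score_all():
    timelines = build_timelines(EVENTS)
    return {h: risk_score(next(e for e in evs if e.source == "detector"), ASSETS[h], evs)
            for h, evs in timelines.items()}
```

With these assumed weights, the high severity Windows sample on the Mac scores below the medium severity sample on the server, and the host whose antivirus stayed silent scores above the host where antivirus also fired.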

[Figure 2: ATP Appliance events timeline. Screenshot of the Events Timeline view for hostname DAVE-LAPTOP, with vendor rows Bluecoat Secure Web Gateway, Carbon Black Response, Cyphort, and Symantec EP; time axis 11:53 to 11:55, Sat 22 July; event markers Phishing, Download, Execution Blocked.]

FINJAN-JN 045070

Features and Benefits
The ATP Appliance includes the following features and benefits:

- Inspects traffic across multiple vectors such as Web, e-mail, and lateral spread
- Uploads suspicious files through the Web UI for processing
- Supports Windows 7 and OSX 10.10 operating systems
- Analyzes multiple file types, including executables, DLL, Mach-o, Dmg, PDF, Office, Flash, ISO, ELF, RTF, APK, Silverlight, Archive, and JAR
- Includes detection techniques such as exploit detection, payload analysis, command and control (C&C) detection, YARA, and SNORT rules
- Provides comprehensive and well-documented APIs that allow easy integration with third-party security devices
- Integrates with Juniper Networks, Palo Alto Networks, Checkpoint, Cisco, Fortinet, and Bluecoat solutions to automatically block malicious IP addresses and URLs
- Automatically quarantines Office 365 and Gmail e-mails
- Integrates with Carbon Black Protect and Response (endpoint solution) to allow upload of binaries executed on endpoints
- Integrates with Cloud Access Security Broker vendor SkyHigh to protect assets in the cloud
- Manages multiple SmartCore analytics engines via Manager of Central Managers functionality
- Supports access and authentication using SAML and RADIUS
- Correlates events across kill chain stages to monitor threat progress and risk
- Visualizes malware activity and groups malware traits to help incident response teams better understand malware behavior
- Prioritizes threats based on risk calculated from threat ... threat progress, asset value, and other contextual data
- Provides timeline host view to obtain complete context about malware events that have occurred on the host

Product Options
The ATP Appliance is available as both a physical and virtual appliance. Physical appliances can be deployed in all-in-one mode (SmartCore and Fabric Collector are installed on the same physical appliance) or in distributed mode (SmartCore and Fabric Collector are installed on separate appliances). Virtual appliances can be deployed in distributed mode only.

Physical

All in One
Model       Performance (Objects Detonated)   Performance
AIO-R430    Up to 30,000 objects/day          1 Gbps
AIO-R730    Up to 80,000 objects/day          2 Gbps

SmartCore
Model       Performance (Objects Detonated)
SC-R730     Up to 175,000 objects/day
AIO-R730    Up to 80,000 objects/day

Fabric Collector
Model       Performance
FC-R330     1 Gbps
FC-R730     4 Gbps

Virtual

Virtual SmartCore Engine
Model       Performance (Objects Detonated)   Virtual CPU   Virtual Memory   Virtual Disk
vSC-8       Up to 40,000 objects/day          8             32 GB            157B
vSC-24      Up to 140,000 objects/day         24            96 GB            1578

Virtual Fabric Collector
Model       Performance   Virtual CPU   Virtual Memory   Virtual Disk
FC-v50M     50 Mbps       1             15GB             16 GB
FC-v100M    100 Mbps
FC-v500M    500 Mbps
FC-v1G      1 Gbps        8             32 GB            512 GB

FINJAN-JN 045071