Case 3:17-cv-05659-WHA Document 435-9 Filed 04/12/19 Page 1 of 5
`Case 3:17-cv-05659-WHA Document 435-9 Filed 04/12/19 Page 1of5
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`EXHIBIT 6
`EXHIBIT 6
`
`
`
`
`
`
`
`
`

`

`Case 3:17-cv-05659-WHA Document 435-9 Filed 04/12/19 Page 2 of 5
`
`· · · · · · · · · · UNITED STATES DISTRICT COURT
`
`· · · · · · · · · ·NORTHERN DISTRICT OF CALIFORNIA
`
`· · · · · · · · · · · ·SAN FRANCISCO DIVISION
`
`· · · ___________________________________
`· · · · · · · · · · · · · · · · · · · · ·)
`· · · FINJAN, INC., a Delaware· · · · · ·)
`· · · Corporation,· · · · · · · · · · · ·)
`· · · · · · · · · · · · · · · · · · · · ·)
`· · · · · · · · · · Plaintiff,· · · · · ·)
`· · · · · · · · · · · · · · · · · · · · ·)
`· · · vs.· · · · · · · · · · · · · · · · )· No. 3:17-CV-05659
`· · · · · · · · · · · · · · · · · · · · ·)· · · WHA
`· · · · · · · · · · · · · · · · · · · · ·)
`· · · JUNIPER NETWORKS, INC., a· · · · · )
`· · · Delaware Corporation,· · · · · · · )
`· · · · · · · · · · · · · · · · · · · · ·)
`· · · · · · · · · · Defendant.· · · · · ·)
`· · · ___________________________________)
`
`·
`
`· · · · · · ·HIGHLY CONFIDENTIAL - ATTORNEYS' EYES ONLY
`
`· · · · · · · ·VIDEOTAPED DEPOSITION OF YULY TENORIO
`
`· · · · · · · · · · · · · · · VOLUME I
`
`· · · · · · · · · · · · · · ·May 9, 2018
`
`· · · · · · · · · · · · · · · 9:04 a.m.
`
`· · · · · · · · · ·1133 Innovation Way, Building A
`
`· · · · · · · · · · · · Sunnyvale, California
`
`·
`
`·
`
`·
`
`· · · REPORTED BY:
`
`· · · LANA L. LOPER,
`
`· · · RMR, CRR, CCP, CME, CLR, CSR No. 9667
`
`

`

`Case 3:17-cv-05659-WHA Document 435-9 Filed 04/12/19 Page 3 of 5
`
`Page 6
`
`·1· · · · · · · · · · ·Sunnyvale, California;
`·2· · · · · · · · Wednesday, May 9, 2018, 9:04 a.m.
`·3
`·4· · · · · · ·THE VIDEOGRAPHER:· Good morning.· We are now on
`·5· · the record.
`·6· · · · · · ·This is the recorded video deposition of Yuly
`·7· · Tenorio, in the matter of Finjan, Inc., versus Juniper
`·8· · Networks, Inc., taken on behalf of the plaintiff,
`·9· · Finjan.
`10· · · · · · ·This deposition is taking place at Juniper
`11· · Networks, Inc., 1133 Innovation Way, Building A,
`12· · Sunnyvale, California 94089, on May 9, 2018.· The time
`13· · is 9:04 a.m.
`14· · · · · · ·My name is Kevin McMahon.· I'm the
`15· · videographer, with U.S. Legal Support, located at 440
`16· · Montgomery Street, Suite 550, San Francisco, California,
`17· · 94104.
`18· · · · · · ·Video and audio recording will be taking place,
`19· · unless all counsel have agreed to go off the record.
`20· · · · · · ·Would all present please identify themselves,
`21· · beginning with the witness.
`22· · · · · · ·THE WITNESS:· My name is Yuly Tenorio.
`23· · · · · · ·MS. CARSON:· Rebecca Carson, of Irell &
`24· · Manella, on behalf of Juniper Networks.
`25· · · · · · ·MR. LEE:· Michael Lee, from Kramer Levin,
`
`Page 8
`·1· · component called the Web API; the UI API; a product that
`·2· · we call Cascade; any related features to the Web API,
`·3· · including RDB, mostly.
`·4· · · · · · ·That's what comes to mind at this moment.
`·5· · · · Q· · You mentioned Web API, correct?
`·6· · · · A· · Correct.
`·7· · · · Q· · What is Web API?
`·8· · · · A· · The Web API is the internal API that the --
`·9· · what we call the adapters use to get new samples to
`10· · analyze, so made results of analyzed samples; and let
`11· · the SkyATP -- let the Web API know --
`12· · · · · · ·THE REPORTER:· I'm sorry, SkyAP...?
`13· · · · · · ·THE WITNESS:· SkyATP, let the system know
`14· · whether they're having any issues, like errors.
`15· · · · · · ·Primarily, it's that, uh-huh.
`16· · BY MR. LEE:
`17· · · · Q· · When you say Web API is an internal API, can
`18· · you elaborate?
`19· · · · · · ·Like, can you elaborate what it means to a
`20· · layperson, what "internally" means?
`21· · · · · · ·MS. CARSON:· Objection.· Form.
`22· · · · · · ·THE WITNESS:· What I mean is we -- in SkyATP,
`23· · we have various deployments.· Each deployment is its own
`24· · virtual private cloud.· It's internal to the private
`25· · cloud.· It's not publicly available.· It's API.· It's
`
`Page 7
`
`·1· · representing Finjan.
`·2· · · · · · ·THE VIDEOGRAPHER:· The court reporter is Lana
`·3· · Loper.
`·4· · · · · · ·Would you please swear in the witness.
`·5· · · · · · · · · · · · · YULY TENORIO,
`·6· · · · · · ·having been first administered an oath
`·7· · · · · · ·in accordance with CCP Section 2094, was
`·8· · · · · · ·examined and testified as follows:
`·9
`10· · · · · · ·THE VIDEOGRAPHER:· Please proceed.
`11
`12· · · · · · · · · · · · · ·EXAMINATION
`13· · BY MR. LEE:
`14· · · · Q· · Where do you work?
`15· · · · A· · I work at Juniper Networks.
`16· · · · Q· · What is your position at Juniper Networks?
`17· · · · A· · I'm a senior software engineer.
`18· · · · Q· · What are your responsibilities as senior
`19· · software engineer?
`20· · · · A· · I design program tests, in charge of any -- any
`21· · issues that come up with the features that I am
`22· · responsible for.
`23· · · · Q· · What features are you responsible for?
`24· · · · A· · It varies from time to time.
`25· · · · · · ·At this moment, I'm responsible for the
`
`Page 9
`·1· · only available to the adapters that are internal to the
`·2· · VTC.
`·3· · · · · · ·There are -- some adapters are external, but
`·4· · they're white-listed, so no one else can really
`·5· · interface with this API.
`·6· · · · Q· · You mentioned adapters.· Which adapters?
`·7· · · · · · ·MS. CARSON:· Objection.· Form.
`·8· · · · · · ·THE WITNESS:· All of the adapters interface
`·9· · with the Web API.
`10· · BY MR. LEE:
`11· · · · Q· · Can you name the adapters?
`12· · · · A· · I can name the ones that come to mind: the hash
`13· · lookup adapter; the meta-defender adapter; greyduckling
`14· · adapter; the verdict engine adapter; the Reputation.
`15· · The URL Reputation is considered an adapter, but it's
`16· · not really an adapter.· There's also the Reputation.
`17· · · · · · ·I think those were named hash lookup.· And the,
`18· · what we call, the deception adapter, which interfaces
`19· · with Joe Sandbox.
`20· · · · · · ·THE REPORTER:· Just a moment.
`21· · · · · · ·I'm having trouble -- since you're not looking
`22· · towards me, I'm having trouble hearing you.
`23· · · · · · ·THE WITNESS:· I'm sorry.
`24· · · · · · ·THE REPORTER:· I'm moving around.· It's okay;
`25· · it's just that you're facing away from me a little bit.
`
`

`

`Case 3:17-cv-05659-WHA Document 435-9 Filed 04/12/19 Page 4 of 5
`
`Page 154
`
`·1· · · · · · ·MS. CARSON:· Objection.· Form.
`·2· · · · · · ·THE WITNESS:· If there were results available
`·3· · for this adapter, and the file actually went through in
`·4· · this adapter, then, yes, the results would be stored in
`·5· · the schema-less results table.
`·6· · · · · · ·MS. CARSON:· We've been going about an hour.
`·7· · Is now a good time for a break?
`·8· · · · · · ·MR. LEE:· Yeah, sure.
`·9· · · · · · ·THE VIDEOGRAPHER:· We're going off the record.
`10· · The time is 1:54 p.m.
`11· · · · · · ·(Discussion off the record.)
`12· · · · · · ·THE VIDEOGRAPHER:· We are back on the record.
`13· · The time is 2:07 p.m., and this is the beginning of
`14· · Media No. 3, in the deposition of Yuly Tenorio, on
`15· · May 9, 2018.
`16· · · · · · ·Please proceed.
`17· · BY MR. LEE:
`18· · · · Q· · Previously, did you say that you had to look at
`19· · the source code for Joe Static in order to describe how
`20· · it operates?
`21· · · · A· · I would need to look at the source code for the
`22· · adapter to see -- to see how it calls.· It depends on
`23· · what you mean by, how it operates.
`24· · · · · · ·I know that it calls the Joe Sandbox -- that
`25· · Joe provided binary to perform the nondynamic analysis.
`
`Page 156
`·1· · because we don't know exactly what it does.· We just get
`·2· · an output, giving this path to the file.
`·3· · BY MR. LEE:
`·4· · · · Q· · If you had the source code, would you be able
`·5· · to describe the output of Joe Static?
`·6· · · · · · ·MS. CARSON:· Objection.· Form.
`·7· · · · · · ·THE WITNESS:· I don't know.· It depends on the
`·8· · source code.
`·9· · · · · · ·I haven't -- I don't remember seeing it, so I
`10· · don't know exactly what it does with the output. I
`11· · don't know if, for example, it just gets it and called
`12· · over to the API to submit the result or if it does
`13· · something else.· I don't recall.
`14· · BY MR. LEE:
`15· · · · Q· · Can you look at the source code during a break
`16· · and describe what kind of results are outputted from Joe
`17· · Static?
`18· · · · · · ·MS. CARSON:· Objection.· Form.
`19· · · · · · ·And we don't have the source code here, so...
`20· · · · · · ·THE WITNESS:· I -- no.
`21· · BY MR. LEE:
`22· · · · Q· · If you did have the source code here, would you
`23· · be able to describe what results that Joe Static
`24· · outputted?
`25· · · · · · ·MS. CARSON:· Objection.· Form.
`
`Page 155
`
`·1· · I know that it does do that process call.
`·2· · · · · · ·Other than that, for that, I would check the
`·3· · code.· I don't know what else it does.
`·4· · · · Q· · So you can't elaborate beyond that, without
`·5· · looking at the code, right?
`·6· · · · A· · Yes, I couldn't elaborate more on that, uh-huh.
`·7· · · · Q· · Can you look at the code right now to determine
`·8· · how Joe Static operates?
`·9· · · · A· · All I could look up is how the adapter
`10· · interacts with the binary from Joe Sandbox.
`11· · · · · · ·That would not give you much, because the --
`12· · the meat of what the adapter would respond with would be
`13· · what's the output from what the Joe binary returned.· So
`14· · probably, without looking at the code -- even with
`15· · looking at the code, I couldn't say exactly what it
`16· · does, because the meat of it is in this binary from Joe
`17· · Sandbox, which is a black box to us.· We don't really
`18· · look at it.
`19· · · · Q· · So there's no way for you to determine --
`20· · there's no way for you to describe how Joe Static
`21· · operates?
`22· · · · · · ·MS. CARSON:· Objection.· Form.
`23· · · · · · ·THE WITNESS:· Not beyond what I just said,
`24· · which is Joe Static, the adapter that we wrote, it calls
`25· · this binary that we treat as a black box basically
`
`Page 157
`·1· · · · · · ·THE WITNESS:· As you answered this -- asked
`·2· · this already, and I answered, I don't know what the
`·3· · source code -- the source code says.
`·4· · · · · · ·All I know is that it calls the binary from Joe
`·5· · Sandbox, which is a black box.· I don't know if it does
`·6· · anything with the output of this analysis or does it
`·7· · actually try to get things.· I don't know.
`·8· · · · · · ·So I don't know how much I would be able to get
`·9· · from looking at the source code.
`10· · BY MR. LEE:
`11· · · · Q· · Are you aware of which features does --
`12· · · · · · ·THE REPORTER:· I'm sorry, does?
`13· · BY MR. LEE:
`14· · · · Q· · -- does greyduckling extract from PDF?
`15· · · · · · ·MS. CARSON:· Objection.· Form.
`16· · · · · · ·THE WITNESS:· You asked this earlier.
`17· · · · · · ·Do you want to refer to that answer?
`18· · BY MR. LEE:
`19· · · · Q· · I don't remember you saying what features are
`20· · that are extracted by greyduckling in a PDF.
`21· · · · A· · I answered this question already, and
`22· · specifically for the PDF stuff, which is, again, not
`23· · something I have worked on for greyduckling.
`24· · · · · · ·What I recall is that it can -- I believe some
`25· · of the features is maybe the header of the file, the
`
`

`

`Case 3:17-cv-05659-WHA Document 435-9 Filed 04/12/19 Page 5 of 5
`
`Page 222
`·1· · Joe Static results from the Joe Sandbox binary, to
`·2· · perform nondynamic analysis.· But that's my opinion.
`·3· · BY MR. LEE:
`·4· · · · Q· · Do you see there's three cylindrical figures
`·5· · under the internal compromise detection box?
`·6· · · · A· · I see that.
`·7· · · · Q· · Do you have any understanding of what those
`·8· · three cylindrical figures represent?
`·9· · · · · · ·MS. CARSON:· Objection.· Form.
`10· · · · · · ·THE WITNESS:· Based on seeing this document for
`11· · the first time, my opinion would be that those signify
`12· · databases in the general term, without saying which kind
`13· · of database they mean.
`14· · · · · · ·For C&C events, for example, we use MySQL to
`15· · keep events from -- we keep a database for -- MySQL
`16· · database for every customer that we have.· So it's
`17· · self-contained to the customer.
`18· · · · · · ·For every customer, we have a table for events,
`19· · of C&C events, so that we can display them on SkyATP UI.
`20· · I think that is what this second C&C events mean.
`21· · · · · · ·For example, identified malware, I would -- my
`22· · opinion would be that it means what the Results DB
`23· · component would get from querying the schema-less
`24· · database, when asking it for, what is the score,
`25· · numerical score, for a given sample.
`
`Page 224
`
`·1· · adapter results, other than DynamoDB?
`·2· · · · · · ·MS. CARSON:· Objection.· Form.
`·3· · · · · · ·THE WITNESS:· SkyATP stores results from
`·4· · adapters in the schema-less DynamoDB results table, as
`·5· · well as the storage solution from AWS, which is called
`·6· · S3, when the results are really large.· So it's both.
`·7· · BY MR. LEE:
`·8· · · · Q· · Do you have any idea of how S3 organizes the
`·9· · data it stores?
`10· · · · A· · S3 is an AWS solution.· I don't have insight
`11· · into how S -- AWS S3 is coded.
`12· · · · · · ·For us, it's a black box.· It's basically a
`13· · file system.· We just push this file.· And when we want,
`14· · we give it a path, and it gets the whole file.· It's
`15· · like a file system.
`16· · · · Q· · So you don't have any understanding of how S3
`17· · stores its data?
`18· · · · A· · As a black box, I would say that it's a cloud
`19· · solution distributed, because you can get it from any --
`20· · any subnet within your -- your VPC is distributed.· It
`21· · autoscales, so you can put lots and lots of files in
`22· · there, and it doesn't slow down.
`23· · · · · · ·I don't know how -- how they're doing it
`24· · inside, because I don't work for AWS.· But that's how we
`25· · treat it.· It's just a file disk.
`
`Page 223
`·1· · · · · · ·And for analytics, my opinion would be that it
`·2· · is talking about how we keep track of what a single user
`·3· · inside a customer's network has done that could be
`·4· · indicative of malicious behavior, such as contacting a
`·5· · server that it shouldn't have or talking to weird ports,
`·6· · thinks like that.
`·7· · BY MR. LEE:
`·8· · · · Q· · Is there a separate database for analytics that
`·9· · is separate from DynamoDB and MySQL?
`10· · · · · · ·MS. CARSON:· Objection.· Form.
`11· · · · · · ·THE WITNESS:· We have many databases that we
`12· · use inside of SkyATP.
`13· · · · · · ·We have Redis, for example, which is a key
`14· · value store database in which --
`15· · · · · · ·THE REPORTER:· We have what?
`16· · · · · · ·THE WITNESS:· Redis, R-e-d-i-s.
`17· · · · · · ·In Redis, we keep track of some counters which
`18· · could count as analytics.
`19· · · · · · ·In MySQL, we have -- we keep track of the
`20· · customers' host or users.
`21· · · · · · ·We just have a lot of things that could count
`22· · as analytics.· I don't know what the author really
`23· · meant.
`24· · BY MR. LEE:
`25· · · · Q· · Are you aware of any other databases that store
`
`Page 225
`·1· · · · Q· · Are you aware of any data stored in DynamoDB
`·2· · that is not stored in S3?
`·3· · · · · · ·MS. CARSON:· Objection.· Form.
`·4· · · · · · ·THE WITNESS:· Can you be more specific?
`·5· · · · · · ·What do you mean?· What data?· What other data?
`·6· · · · · · ·Can you repeat your question?
`·7· · BY MR. LEE:
`·8· · · · Q· · Are you aware of any data stored in DynamoDB
`·9· · that's not stored in S3?
`10· · · · · · ·MS. CARSON:· Objection.· Form.
`11· · · · · · ·THE WITNESS:· So SkyATP has a lot of data.
`12· · · · · · ·I mean, any -- there's a lot of data that's not
`13· · in Dynamo, that could be Redis, for example.· It can be
`14· · in S3.· There can be in MySQL.· So it really depends on
`15· · what specifically you're asking about.
`16· · · · · · ·What kind of data are you referring to?
`17· · BY MR. LEE:
`18· · · · Q· · For example, the sample ID and the results,
`19· · both of that is stored in S3, right?
`20· · · · A· · That is not what I said prior.
`21· · · · · · ·We store adaptive results, all of them, both in
`22· · schema-less DynamoDB and S3, when the results are really
`23· · large.
`24· · · · · · ·To my knowledge, we don't store results from
`25· · adapters anywhere else.
`
`