`Case 3:17-cv-05659-WHA Document 480-6 Filed 05/16/19 Page 1 of 23
`EXHIBIT 5

Santanu Ganguly <santanu@juniper.net>

Sky ATP: Advanced Threat Protection
Juniper's Sky IS the limit!

Juniper Networks, April 2016


An Evolving Threat Landscape

New actors, new threats, and new technologies mean the threat
landscape is constantly evolving.

• State-sponsored actors and targeted attacks change the landscape
• Attackers are constantly looking for, and finding, new vectors
• Security solutions need to be agile to keep up
• The impact of security breaches can't be understated

The Head of Cyber of British Intelligence, in his first public, yet anonymous,
interview stated: "There are now three certainties in life: there's death, there's
taxes and there's a foreign intelligence service on your system."

`Copyright © 2016 Juniper Networks, Inc

Impact of security breaches:
Target breach (2013)

Target stolen data: 110M records

Ponemon Institute:
Average breach costs $214 per record stolen

[Figure residue; the only legible fragment reads "... progress, lost customers"]

Cost of the breach:
• Gross expense of $191M
• Net cost of $162M


Current solutions fail to protect
organizations from sophisticated, evasive threats

Sky Advanced Threat Prevention to the Rescue

[Figure: threat spectrum ranging from Simple Threats to Sophisticated Threats]


What is Sky Advanced Threat Prevention

[Screenshot: the Sky ATP web UI at https://amer.skyjunipersecurity.net, with
dashboard panels for C&C servers, infected and scanned hosts, and a Threat Count chart]


Why Cloud?

• Cloud environments are flexible and massively scalable
• A shared platform means everyone benefits from new threat intelligence in near real-time
• Security developers can update their defenses as new attack techniques come to light, with no delay to distribute the threat intel.
• On-site platforms offer lower efficiency, scalability, efficacy and agility.

The connection between the SRX and the Cloud is encrypted. Customer data exported to the Cloud is destroyed after analysis. Customer data is isolated to ensure privacy.


Sky Advanced Threat Prevention Architecture:
Sky components are divided between the SRX, embedded in Junos,
and the cloud

• Components in Junos:
  — SecIntel Service
    • Receives feeds from the cloud
      — GeoIP
      — Command and Control
      — Infected Hosts
  — Sky ATP Service
    • Passes incoming files to the Cloud for analysis
    • Enforces policies based on Cloud verdicts


Sky Advanced Threat Prevention Architecture:
Sky components are divided between the SRX, embedded in Junos,
and the cloud

• Components in the Cloud:
  — Analytics
    • Malware analysis pipeline
    • C&C / Malware event correlation
  — Threat feeds
    • Cascade — generating the C&C Feed
    • GeoIP — externally sourced
    • Infected Hosts — generated by event correlation
  — Management
    • Web UI for all your management love and affection


Sky Advanced Threat Prevention
Infected Hosts:

The Infected Hosts feed allows automated
quarantining and active responses to internal
threats. This is an "Event Driven" feed, created
in the Cloud based on what's actively
happening on a protected network.


Sky Advanced Threat Prevention
Use Cases

Use cases across the deployment spectrum of SRX

A. Campus Edge Firewall
• Protection of end user devices from files downloaded from the Internet

B. Branch Router
• Protection for split-tunnel deployments

C. Data Center Edge
• Application protection from infected files

[Diagram labels: Data Center, Campus Locations]


Sky Advanced Threat Prevention in action

[Diagram of the Sky ATP Secure Cloud Service (Spotlight Secure Cloud Service):
Malware Inspection Pipeline, Feed Analysis & Efficacy, Dynamic analysis,
Internal Compromise Detection, Identified C&C, Analytics, Malware,
Web-based Service Portal]


The ATP verdict chain
Staged analysis: combining rapid response and deep analysis

Suspect files enter the analysis chain in the cloud

Cache lookup: (~1 second)
Files we've seen before are identified and a verdict immediately goes back to the SRX

Anti-virus scanning: (~5 seconds)
Multiple AV engines return a verdict, which is then cached for future reference

Static analysis: (~30 seconds)
The static analysis engine does a deeper inspection, with the verdict again cached
for future reference

Dynamic analysis: (~7 minutes)
Dynamic analysis in a custom sandbox leverages deception and provocation
techniques to identify evasive malware
`

Anti-Virus: First Pass

• Overcoming False Positives (FP) and False Negatives (FN)
• Use multiple AV engines
• Combine with Machine Learning

[Diagram: several Anti-virus Clients (#2, #3, ...) each scan the file and their results are combined into a single Verdict]


Static Analysis: Pulling apart the code

• Break file down into features
  • File structure
  • Meta info (file name, vendor, etc.)
  • Categories of instructions used
  • File entropy
  • Etc.

• Feed features into machine learning algo
• First teach it what malware looks like
• Then ask if something is malware

Static analysis is traditionally done with rules. Argon extends
this by adding machine learning to improve verdict accuracy.
`
[Diagram: extracted features feed the model, which outputs a Verdict]
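The staged verdict chain from the earlier slide (cache lookup, then multiple AV engines, then static analysis, with only unresolved files escalated to the sandbox) and the file-entropy feature listed on this slide, worked through as an added Python example; this is not Juniper's code. The engine signature lists, the majority-vote rule across engines and the entropy threshold are constructed assumptions chosen to make the escalation behaviour visible.

```python
import hashlib
import math
from collections import Counter
from typing import Callable, Dict, Optional, Tuple

# Constructed byte-pattern signatures standing in for each AV engine's database
# (hypothetical; real engines match far more than substrings).
ENGINE_SIGNATURES = {
    "engine_a": [b"EICAR-STANDARD-ANTIVIRUS-TEST-FILE"],
    "engine_b": [b"EICAR-STANDARD-ANTIVIRUS-TEST-FILE", b"BADLOADER"],
    "engine_c": [b"BADLOADER"],
}
ENTROPY_ESCALATE = 7.0  # assumed threshold: packed or encrypted content nears 8 bits/byte

# Stage 1 state: verdicts for files already seen, keyed by SHA-256.
verdict_cache: Dict[str, str] = {}

def shannon_entropy(data: bytes) -> float:
    """File entropy in bits per byte, one of the static features on the slide."""
    n = len(data)
    if n == 0:
        return 0.0
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())

def av_stage(data: bytes) -> Optional[str]:
    """Stage 2: majority vote across engines so one engine's FP or FN is outvoted."""
    hits = sum(any(sig in data for sig in sigs) for sigs in ENGINE_SIGNATURES.values())
    return "malicious" if hits * 2 > len(ENGINE_SIGNATURES) else None  # None: escalate

def static_stage(data: bytes) -> Optional[str]:
    """Stage 3: feature heuristic; near-random content is withheld for the sandbox."""
    return None if shannon_entropy(data) >= ENTROPY_ESCALATE else "clean"

STAGES: Tuple[Tuple[str, Callable[[bytes], Optional[str]]], ...] = (
    ("antivirus", av_stage),   # ~5 s on the slide
    ("static", static_stage),  # ~30 s
)

def verdict_chain(data: bytes) -> Tuple[str, str]:
    """Run the staged chain and return (verdict, stage that produced it)."""
    digest = hashlib.sha256(data).hexdigest()
    if digest in verdict_cache:  # stage 1, ~1 s: seen before, answer immediately
        return verdict_cache[digest], "cache"
    for name, stage in STAGES:
        verdict = stage(data)
        if verdict is not None:
            verdict_cache[digest] = verdict  # cached so the next lookup skips the chain
            return verdict, name
    return "pending", "dynamic"  # only unresolved files pay for the ~7 min sandbox run
```

Only final verdicts are cached, so a file that reaches the sandbox is re-evaluated until the dynamic stage (not modelled here) records its result.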
`

Dynamic Analysis: Sandboxing
Inside a custom Sandbox environment

• Generate a verdict with Machine Learning

• Spool up a live desktop
• Hook into the OS to record everything
• Upload and execute the suspect file
• Apply Sky's Deception and Provocation Techniques
• The full run takes approximately 7 minutes
• Download the activity recording for analysis
• Tear down the live desktop

At release: Windows 7
Future: Windows 8, 10, Android, Linux, other.

[Logos: VMware, Windows 7, Windows 8]


Sandboxing: Behavioral Analysis

Behavior analysis gives us a better understanding of what a suspect
file is trying to do. Some behaviors are usually considered benign,
while others may be benign, but are also seen in malicious programs.
Still others are usually associated with attack behaviors. Some
examples:

[Example behaviors illegible in the scanned image]


Machine Learning
Digging through massive piles of data:
letting machines do what machines do best

[Diagram; legible fragments read "Compare a new ... to see how closely it ...
resembles good ... samples"; the accompanying explanatory paragraph is
illegible in the scan]


How is Sky ATP Different?

• High Efficacy, Scalable and Tightly integrated solution
• Distributed sensing and enforcement on SRX (no additional sensors)
• Actionable Intelligence
• In-line blocking to prevent zero-day infections from getting in
• Unique deception & provocation techniques to counter evasive threats
• Advanced machine learning
• Support for different types of analysis targets
• Multi-platform executable and application support
• Exploits and malicious content embedded in documents (MS Office, PDF)
• Dangerous web applications (Java, Flash) — future
• Cost-effective, non-intrusive solution with full network coverage

`Summary
`Leveraging the Cloud to provide efficacy and agility
`
`
`

Juniper Networks

Thank You!