Case 3:17-cv-05659-WHA Document 500-4 Filed 05/30/19 Page 1 of 81

EXHIBIT 14

UNREDACTED VERSION OF DOCUMENT SOUGHT TO BE SEALED

UNITED STATES DISTRICT COURT

Juniper’s Security Focus

[Slide graphic: Service Provider; Branch; Automation and Operator Efficiency]

Software Defined Secure Networks (SDSN): Unified Security Platform

* Fast, effective protection from advanced threats
* Integrated threat intelligence
* Adaptive enforcement to firewalls, switches, 3rd party devices and routers
* Robust visibility and management
* Consistent protection across physical/virtual
* Open and programmable environment

[Slide graphic: Policy; Enforcement. *Roadmap, subject to change]

Threats are Everywhere

Perimeter security isn’t enough. Malware walks in with your employee! Stop Threats. Faster.

* Increasing sophistication
* Increasing variability

Keeping data secure throughout your network is key!

Speaker Notes for Slide 4

Outside your network, inside your network and between endpoints and the cloud apps your employees use: it’s a zero trust world. (Zero trust can be the only security posture.)

Threats have changed. From phishing, anti-malware, and morphing executables to security hackers who infiltrate enterprises to retrieve data for financial gain. The attacks are targeted, focused and use advanced persistent threats. And today, these attackers have the advantage of time on their side. Enterprises have the disadvantage of the complexity of their networks as well as organizational complexity working against them.

Attackers are also increasingly able to socially engineer their way into your internal network. The variability of threats ranges from large, organized and systematic attacks to employees of a company who may have accessed public Wi-Fi or inadvertently clicked on the wrong link and as a result are now unknowingly infected with malware. They then spread the threat as their device connects directly within the network. The best (and only) security approach has to assume that threats are already inside your enterprise perimeter. And it must assume that new types of threats will pop up every day, which means your security approach needs to be more agile than ever and more decisive once a breach is found.

Security used to only need to be at the edge of your network. Now you have to secure at every point of access in your network, because it’s not just the intruder trying to break in. The threat can now be your employee who has walked through your front door with malware on their device or an employee who was developing in a container and accidentally copied malware into his code. (And with the proliferation of BYOD and IoT, trying to secure endpoints is nearly impossible.) Enterprise security posture today requires zero trust of anything entering or leaving the network.

Malware continues to dominate

Source: Verizon DBIR 2016 report

Speaker Notes for Slide 5

Impact of security breaches: Target breach

Target Stolen Data: 110M Records

Ponemon Institute: Average breach costs $214 per record stolen

Cost of the breach: Gross expense of $191M, Net cost of $162M

A dozen lawsuits in progress, lost customers

Speaker Notes for Slide 6

While the monetary cost of a breach is relatively easy to calculate, the cost in reputation and public trust can be much greater, as well as more difficult to estimate. Several organizations have been targeted more than once, with huge costs in both financial and more ephemeral terms.

Speaker Notes for Slide 7

Malware Evolution and Sky ATP Targeted

Sky ATP Efficacy

* Rapid development and deployment of security
* Defense in …
* Open platform: RESTful APIs to …
* Accurate verdicts mean actionable intelligence

What is Sky Advanced Threat Prevention

Sky ATP Threat Intelligence Feeds

Command and Control feeds

Integrated open source feeds

Sky ATP Highlights

Protocols: HTTP, HTTPS, Email - SMTP(S)

File Types: Executables only / All supported file types (Executables, PDF, MS Office, Archives, Java, Flash, DLLs, Media, etc.)

Sky ATP follows a “FREEMIUM” pricing model

Licensing Model

* Sky ATP offers a “Freemium” model, i.e. limited features for free, charge for other features
* 1YR, 3YR and 5YR software subscription SKUs

Spotlight Secure — Security Director 16.1

[Diagram labels: CC*, GeoIP; API feeds; All feeds; SRX]

*CC = Command and Control

Transition components

Threat Feeds deployment models

Sky ATP ‘Basic’ Feed-only mode

[Diagram labels: Spotlight Secure; All Feeds - CC, GeoIP, custom; SRX; CC, GeoIP; Policy; All Feeds]

Spotlight vs Threat Feed vs Sky ATP

Malware detection reqd.
License example: SPOT-CC-1500-1 (Spotlight), SRX1500-THRTFEED-1 (Threat Feed), SRX1500-ATP-1 (Sky ATP)
SDSN Policy Enforcer

PLACES IN THE NETWORK

Use cases across the deployment spectrum of SRX

A. Campus Edge Firewall
* Protection of end user devices from files downloaded from the Internet

B. Branch Router
* Protection for split-tunnel deployments

C. Data Center Edge
* Application protection from infected files

FedRAMP: Sky ATP Cloud for US Federal/DoD

* FedRAMP = Federal Risk and Authorization Management Program
* Applicable to Cloud based services — part of the “Cloud-first” initiative announced in Dec. 2010
* CSPs undergo an extensive certification process to become FedRAMP certified: one of the most in-depth compliance exercises any organization can attempt
* Prior to FedRAMP, every Federal agency conducted its own risk assessment for every procured Cloud service: resulted in redundancy
* CSPs that complete a FedRAMP assessment obtain an ATO (Authority to Operate), i.e. become eligible for procurement by Federal agencies

FedRAMP: Sky ATP offering

Runs on third party DC: AWS GovCloud (US)

Note: VMware sold its vCloud Government Service to Carpathia, which was then acquired by QTS

Sky ATP architecture

[Diagram labels: Command and Control (C&C); Quarantine Compromised Systems; SRX Series; SecIntel Events (C&C “Hits”); Content (File) Extraction on SRX; Fast Verdicts for in-line Blocking]

The ATP verdict chain
Staged analysis: combining rapid response and deep analysis

Suspect files enter the analysis chain in the cloud.

Cache lookup (~1 second): Files we’ve seen before are identified and a verdict immediately goes back to SRX.

Anti-virus scanning (~5 seconds): Multiple AV engines return a verdict, which is then cached for future reference.

Static analysis (~30 seconds): The static analysis engine does a deeper inspection, with the verdict again cached for future reference.

Dynamic analysis (~7 minutes): Dynamic analysis in a custom sandbox leverages deception and provocation techniques to identify evasive malware.
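The chain above as a runnable sketch, added here as an illustration and not Juniper's code: each stage returns a verdict or None, the first decisive verdict is cached by SHA-256 so a resubmission of the same file is answered at the cache stage, and the nominal per-stage latencies from the slide are summed into a cost estimate. The engines and the sample files are constructed stand-ins; nothing in them is real malware or a real detection rule.

```python
"""Staged verdict chain modelled on the slide: cache -> AV -> static -> dynamic.

Added illustration, not Juniper code. Engines are constructed stand-ins that
return "malicious", "clean" or None (inconclusive, hand the file to the next
stage); the latencies are the nominal figures quoted on the slide.
"""
import hashlib
import math
from collections import Counter
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional, Tuple

Verdict = Optional[str]
Engine = Callable[[bytes], Verdict]

# Nominal per-stage latency in seconds (from the slide), used for the cost
# estimate returned with each verdict.
STAGE_COST = {"cache": 1, "av": 5, "static": 30, "dynamic": 7 * 60}


@dataclass
class ChainResult:
    verdict: str   # "malicious" or "clean"
    stage: str     # stage that produced the verdict ("cache" on a hit)
    seconds: int   # nominal time spent across the stages that ran


def entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte; 8.0 means uniformly random bytes."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


# --- constructed stand-in engines ------------------------------------------

def av_scan(data: bytes) -> Verdict:
    # Signature engines can prove a file bad, not good: a miss is inconclusive.
    return "malicious" if b"KNOWN_SIGNATURE" in data else None


def static_analysis(data: bytes) -> Verdict:
    # Toy feature rules standing in for the slide's file-structure/entropy
    # features: near-uniform bytes look packed or encrypted, low-entropy
    # non-executable content is cleared, anything else needs a sandbox run.
    e = entropy(data)
    if e > 7.2:
        return "malicious"
    if e < 4.5 and not data.startswith(b"MZ"):
        return "clean"
    return None


def dynamic_analysis(data: bytes) -> Verdict:
    # Stands in for the sandbox run: a recorded ransomware-like behaviour
    # (modelled here as a marker in the sample) is decisive either way.
    return "malicious" if b"BEHAVIOR:ransom" in data else "clean"


class VerdictChain:
    """Runs the stages in order and caches the first decisive verdict by hash."""

    def __init__(self, stages: List[Tuple[str, Engine]]) -> None:
        self.stages = stages
        self.cache: Dict[str, Tuple[str, str]] = {}  # sha256 -> (verdict, stage)

    def analyze(self, data: bytes) -> ChainResult:
        digest = hashlib.sha256(data).hexdigest()
        spent = STAGE_COST["cache"]          # the lookup is paid on hit or miss
        if digest in self.cache:
            verdict, _ = self.cache[digest]
            return ChainResult(verdict, "cache", spent)
        for name, engine in self.stages:
            spent += STAGE_COST[name]
            verdict = engine(data)
            if verdict is not None:
                self.cache[digest] = (verdict, name)   # cached for future reference
                return ChainResult(verdict, name, spent)
        # Unreachable with a decisive final stage; kept so the chain never hangs.
        return ChainResult("clean", "none", spent)


def default_chain() -> VerdictChain:
    return VerdictChain([("av", av_scan), ("static", static_analysis),
                         ("dynamic", dynamic_analysis)])


# Constructed sample files (not real malware), one per stage of the chain.
SAMPLE_KNOWN = b"MZ" + b"\x00" * 64 + b"KNOWN_SIGNATURE"        # AV hit
SAMPLE_TEXT = b"Hello, this is a plain text memo."               # static: clean
SAMPLE_PACKED = bytes(range(256)) * 2                            # static: packed
SAMPLE_EVASIVE = b"MZ" + b"\x90" * 200 + b"BEHAVIOR:ransom"     # sandbox only

if __name__ == "__main__":
    chain = default_chain()
    for sample in (SAMPLE_KNOWN, SAMPLE_KNOWN, SAMPLE_TEXT, SAMPLE_PACKED, SAMPLE_EVASIVE):
        r = chain.analyze(sample)
        print(f"{r.verdict:9s} from {r.stage:7s} after ~{r.seconds}s")
```

The second submission of SAMPLE_KNOWN shows the caching effect the slide describes: the same file that cost a ~6 second AV round trip the first time is answered from the cache stage the second time.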


Private (hash only) mode

Anti-Virus First Pass

Static Analysis: Pulling apart the code

* Break file down into features
  * File structure
  * Meta info (file name, vendor, etc.)
  * Categories of instructions used
  * File entropy
  * Etc.
* Feed features into machine learning algorithm
  * First teach it what malware looks like
  * Then ask if something is malware

Static analysis is traditionally done with rules. Argon extends this by adding machine learning to improve verdict accuracy.

Dynamic Analysis: Sandboxing

Inside a custom Sandbox environment:

1. Spool up a live desktop
2. Hook into the OS to record everything
3. Upload and execute the suspect file
4. Apply Sky’s Deception and Provocation Techniques
   * The full run takes approximately 7 minutes
5. Download the activity recording for analysis
6. Tear down the live desktop
7. Generate a verdict with Machine Learning

Today: Windows 7, Android
Future: Windows 10, OSX, other

Machine Learning
Digging through massive piles of data: letting machines do what machines do best

[Diagram labels: “This is unknown”; “These are Bad”]

The final verdict is based on how much a new example resembles the known good or bad samples. By comparing many features across large data sets … can deliver very accurate results.

Speaker Notes for Slide 33

Deception and Provocation
Provoking Malware

Juniper’s Sky Advanced Threat Prevention looks for over 300 different malware behaviors and includes over 50 different deception techniques to provoke malware into revealing itself.

Deception: Convince it it’s on a valid target to get a reaction
Provocation: Poke it with a stick and see how it reacts

Sandboxing: Behavioral Analysis

Email — how it comes together

[Diagram: (Sender) … (Recipient)]

MTA = Mail Transfer Agent
MUA = Mail User Agent aka ‘mail client’

So what does this mean for Sky ATP?

SMTP support — cheat sheet

* 15.1X49-D80 release. Supported platforms: SRX1500, SRX5K, SRX4K. Other platforms will be supported in 17.4
* SMTPS supported — mid-session STARTTLS and implicit TLS
* Emails with malicious (based on cache check) attachments can be:
  * Quarantined — replacement email sent to end user
  * Tag-and-deliver
    * X-Distribution, X-Spam-Flag, Subject line prefix
  * Permit
* Release options
  * Recipient can release (careful!)
  * Recipient can request Admin to release

Sky ATP in Action: Detecting Locky

[Chart: Traits seen in Good documents vs Malicious ‘Locky’ documents]

Sky ATP in Action: Detecting Locky

[Chart: Malware vs Good applications]

Sky ATP in Action: Detecting Locky

[Diagram: File → Features Examined]

Sky ATP in Action: WannaCry

The origins
* Exploits Windows SMB (Server Message Block) vulnerability
* Vulnerability originally discovered by NSA and codenamed ‘Eternal Blue’
* NSA did not inform Microsoft (why bother, right?) but it was made public by the Shadow Brokers dump leaking the classified NSA toolkit
* Following the leak by Shadow Brokers, Microsoft issued a patch (MS17-010), but patch application takes months, sometimes years

Threat vector
* Possibly Email (phishing) or HTTP, not definitely known

Kill Switch
* The malware starts by attempting to connect to: www.iugerfsodp9ifiaposdfihgosuriifaewry
* Aborts if attempt succeeds.

Sky ATP in Action: WannaCry mitigation

[Chart: detection; 24 unique samples examined as of 5/12]

Sky ATP in Action: WannaCry mitigation

Open API Framework

C&C feed
* Inject IP, URL or domain into CC feed
* 30 named feeds supported
* Whitelists/Blacklists supported — named IP/URLs

Blacklist/Whitelist
* BL/WL already available on UI
* Programmatic way to update BL/WL
* No named option

IP Filter
* Update IPFilter dynamic address objects to use in firewall policies as SRC/DST
* Named feeds supported

* RESTful API — standard methods include POST, PATCH, GET, DELETE
* Supports a Swagger API specification in JSON format. APIs conform to a standard called the OpenAPI Initiative. Programmers can interact with both APIs using auto-generated code
* Application token required to interact — generated per Sky ATP realm

Juniper Security Alliances

* Cloud App risk mgmt.
* Visibility & Control
* Cloud malware & threat protection
* Extend security policy
* Continuous Policy
* Context-Based Enforcement
* BYOD Onboarding
* Discovery of all end-points
* Role-based Network Access Assignment
* NAC/Access Policy Enforcement
* Vulnerability and Patch management

[Diagram label: Security Events]

Advanced Threat Protection

[Diagram labels: Advanced Malware Protection; Juniper Sky ATP; Data Security; Threat Protection]

Available Now

Threat Intelligence Sharing

Unsafe Cloud App URLs: URL1, URL2, … URLn

Available Now

Threat Intel Sharing from Sky ATP (STIX/TAXII)

[Flow: Detected IOC Event → Sky ATP API → Query End Point for Threats → Protect & Remediate]

Speaker Notes for Slide 52

THREAT INTEL: FROM SKY ATP TO Cb

10+ IOCs that include File Hash, File Name, IP address, malicious URLs & more

API

Infected Host Report from Endpoint

[Flow: Infected Host → Sky ATP API → Infected Host]

Speaker Notes for Slide 53

In this solution, we are receiving INFECTED HOST INTEL: FROM Cb TO SKY ATP.

Note CB has near real-time capability of detecting infected end points.

We are using Sky ATP API (RESTful API) for IH

Malware Detection & Remediation

Step 1: User inserts a USB
Step 3: Sky ATP analyses the binary & assigns a Threat Score or sends the score of a …
Step 4: Carbon Black takes action based on threat score

[Diagram label: Sky ATP API]

Speaker Notes for Slide 54

Especially useful for off-line devices that go on-net and are infected.

Case Study: Malware detection at scale

Sky ATP deployed in TAP mode on SRX5600 by ISP in North America, primarily serving educational institutions

Ingress and egress traffic inspected. Inline blocking not enabled

7 day period in March 2017

935,302 Total Files Processed
99,629 Unique Files
69%
31%
Discovered Malware was previously unseen
Outbound high risk CC connections: 843,346 (1 day)

Case Study: Botnet detection with Sky ATP feeds

Large IT consulting and managed IT service provider wanted a robust edge protection solution for its campus and branch offices

Existing desktop and server based AV solutions not detecting advanced threats

Case Study: Automated enforcement with API

* Major Service Provider in LATAM has to comply with government regulations that require blocking access to questionable content — pedophile sites, gambling, etc.
* New sites/URLs constantly being added, so needs a dynamic programmatic solution to update firewalls. Also requires ability to redirect to web portals
* 40Gbps IMIX, 600K cps, 100-150M sessions

Solution: Juniper SRX5800 + Sky ATP

[Diagram label: Malicious URLs — custom feed categories]

Sky ATP cloud — geo locations

Runs on third party (Internap) DC
Stages 1 -> 3

Run on AWS (Amazon Web Services)
Stage 4 (Sandboxing)

[Diagram labels: SRX; Internap DC]

Sky ATP Security and Privacy

Sky ATP Security and Privacy

[Map: North America]

Real world examples of IoT malware / ransomware

* Thermostat ransomware¹
* Amazon cameras malware²
* Jeep remote control³

1. http://motherboard.vice.com/reac/tie Tunos-ransomware-smartthermostat
2. http://www.securityweek.com/malware-found-iot-cameras-sold-amazon
3. https://www.wired.com/2015/07/hackers-remotely-kill-jeep-highway/

Getting ransomware and malware into IoT networks

* DNS spoofing
* Default passwords
* Phishing attacks

[Diagram labels: IoT apps; AEP; CDP]

Targets for IoT ransomware and malware

* IoT devices
* IoT application servers
  * Application Enablement Platforms (AEP servers)
  * Connected Device Platforms (CDP servers)
* App servers

IoT specific Advanced Threat Detection

IoT servers
* Based on Windows or Linux
* Juniper Policy Enforcer can stop East-West propagation

IoT devices
* Many are Linux based
* Sky ATP: static and dynamic analysis for IoT malware
* Will be tailored for specific devices / applications

[Diagram labels: App servers; AEP servers; CDP]

Competitive differentiators

Other ATP vendors: 10MB maximum file size; Only ZIP file type support
Juniper Sky ATP: 32MB maximum file size; TAR, RAR, 7ZIP file types supported

Sky ATP: Threats prevented

* Exploits vulnerabilities in SMBv1 that allow remote code execution
* Uses VB macros to download payload, encrypts disk with key obtained from C&C server
* Locky variant that renames files with .zepto extension
* Almost fileless malware! Uses obfuscated Javascript and ‘garbage’ batch files
* … and many more!

* Machine Learning at every stage
* Deception Techniques and Behavioral analysis are used to differentiate malware from good software
* Thousands of features from static, dynamic and hybrid analysis are extracted from a large, continually-updated collection of samples — both malicious and benign — to construct a machine learning classifier that identifies and blocks previously unseen malware types

How is Sky ATP Different?

* High Efficacy, Scalable and Tightly integrated solution
* Distributed sensing and enforcement on SRX (no additional sensors)
* Actionable Intelligence
* In-line blocking to prevent zero-day infections from getting in
* Unique deception & provocation techniques to counter evasive threats
* Advanced machine learning
* Support for different types of analysis targets
* Multi-platform executable and application support
* Exploits and malicious content embedded in documents (MS Office, PDF)
* Dangerous web applications (Java, Flash)
* Cost-effective, non-intrusive solution with full network coverage