Augmenting jATP Security Defense with DNIF

Integration of jATP with DNIF HyperScale SIEM

This is the foundation step for ingesting jATP logs into DNIF. DNIF has published integration manuals for all the technologies that can interact with it.

  1. Log in to Juniper Advanced Threat Prevention using the web interface and navigate to the Config > Notifications page.
  2. Select SIEM Settings from the left panel menu.
  3. Click Add New SIEM Connector to set up a new Events, System Audit or System Health log notification in CEF format.
  4. Select from the available options and modify the configuration.
Steps to integrate jATP

Parsing the jATP information at DNIF HyperScale SIEM

DNIF parses the CEF events from Juniper ATP with an ‘Extractor’. This Extractor is one of DNIF’s standard extractors that ship with the product. For more on DNIF’s standard extractors, see DNIF’s Git repository.
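To make the extraction step concrete, here is a minimal CEF parser written for this article as an added example; it is not DNIF’s Extractor and not code from Juniper. It splits the seven pipe-delimited header fields (honouring the `\|` and `\\` header escapes) and then the space-separated `key=value` extension (honouring `\=`, `\\`, `\n` and `\r`). The two sample records are constructed for the example: the signature IDs, names and extension values are invented, and they use generic CEF keys (`src`, `dst`, `fname`, `filePath`, `fileHash`, `request`, `msg`) rather than anything taken from a real jATP feed.

```python
import re
from dataclasses import dataclass

# The seven CEF header fields that precede the extension.
HEADER_FIELDS = ("version", "device_vendor", "device_product", "device_version",
                 "signature_id", "name", "severity")

# Constructed sample records in CEF format (not real jATP output).
SAMPLE_LINES = [
    r"CEF:0|Juniper|ATP|1.0|1001|Malware download detected|8|src=10.7.0.5 dst=203.0.113.9 "
    r"fname=flash_update.exe filePath=C:\\Users\\steve\\Downloads\\flash_update.exe "
    r"fileHash=0123456789abcdef0123456789abcdef",
    r"CEF:0|Juniper|ATP|1.0|1002|Fake Flash \| Player update|6|src=10.7.0.5 dst=203.0.113.10 "
    r"request=http://update.example/flash.exe msg=score\=95 on sandbox",
]


@dataclass
class CefEvent:
    header: dict
    extension: dict


def _split_header(line: str):
    """Return the 7 header fields and the raw extension string.

    Header escapes are a backslash followed by '|' or '\\'; the extension is
    left untouched here because it uses a different escaping scheme.
    """
    if not line.startswith("CEF:"):
        raise ValueError("not a CEF record")
    parts, cur, i = [], [], len("CEF:")
    while i < len(line) and len(parts) < 7:
        ch = line[i]
        if ch == "\\" and i + 1 < len(line):
            cur.append(line[i + 1])
            i += 2
            continue
        if ch == "|":
            parts.append("".join(cur))
            cur = []
        else:
            cur.append(ch)
        i += 1
    if len(parts) != 7:
        raise ValueError("malformed CEF header: expected 7 pipe-delimited fields")
    return parts, line[i:]


# A key starts at the beginning of the extension or after whitespace and is
# followed by '='; an escaped '\=' inside a value does not match.
_KEY_RE = re.compile(r"(?:^|\s)([A-Za-z0-9_.]+)=")
_UNESC_RE = re.compile(r"\\(.)")
_ESCAPES = {"n": "\n", "r": "\r", "=": "=", "\\": "\\"}


def _unescape(value: str) -> str:
    return _UNESC_RE.sub(lambda m: _ESCAPES.get(m.group(1), m.group(0)), value)


def _parse_extension(ext: str) -> dict:
    """Values run from one key's '=' up to the next unescaped ' key='."""
    matches = list(_KEY_RE.finditer(ext))
    fields = {}
    for idx, m in enumerate(matches):
        end = matches[idx + 1].start() if idx + 1 < len(matches) else len(ext)
        fields[m.group(1)] = _unescape(ext[m.end():end].strip())
    return fields


def parse_cef(line: str) -> CefEvent:
    parts, ext = _split_header(line.rstrip("\r\n"))
    return CefEvent(header=dict(zip(HEADER_FIELDS, parts)),
                    extension=_parse_extension(ext))


def parse_lines(lines) -> list:
    return [parse_cef(line) for line in lines]


if __name__ == "__main__":
    for ev in parse_lines(SAMPLE_LINES):
        print(ev.header["name"], ev.header["severity"], ev.extension)
```

The extension dictionary (`src`, `dst`, `fname`, `filePath`, name from the header) is exactly the raw material a SIEM needs to index a signal by origin, target, file and malware name, which is the grouping described in the DNIF Advantage section below.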

DNIF Advantage

Threat signals from jATP, known in DNIF as ‘Pass Through Content’, add context to DNIF’s log correlation mechanism. Alerts raised by security appliances are consumed by DNIF to provide key insights into the threats lurking in your environment. DNIF collects all the threat signals, segregates them by angles such as suspicious origin, targeted host, malicious file and its path, and malware name, and then correlates them with the other attacks taking place in the organization. DNIF’s Connected Graph gives a detailed view of every signal raised by rule-based correlation, on-demand outlier detection and anomaly models. Pass Through Content gives the Connected Graph a richer source of information and helps security analysts visualise and diagnose all the connected anomalies and compromises in one place.

Footprints of Attacker with DNIF’s Connected Graph

  1. The attacker is 198.15.XX.XX, who has established a successful RDP connection to 10.7.XX.XX. The attacker is therefore the Suspect and is marked in red.
  2. Using its out-of-the-box detection rules, DNIF HyperScale SIEM has detected a download from a suspicious TLD and a Flash Player update originating from 10.7.XX.XX; both are flagged as signals.
  3. The host 10.7.XX.XX is highlighted in yellow because it has been compromised and has established communication with other systems, namely MUM017, MUM010, MUM015 and MUM011, which makes it more prominent to security analysts. They can easily spot the footprints of the adversary along with the signal raised by Juniper cortex.
  4. Now that the security analyst is fully aware that the host 10.7.XX.XX has been compromised, they can isolate it from the network to stop the propagation of malware.
  5. The compromised host 10.7.XX.XX has successfully infected a user named ‘Steve’, whose account was unfortunately sabotaged to gain persistence in the environment.
  6. DNIF has detected that Steve has connected to a large number of systems and has marked him in red as a suspect for spreading the infection. The analyst can suspend the account to contain the incident and can also perform clean-up on the connected systems MUM017, MUM010, MUM015 and MUM011.
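The six steps above can be reproduced as a small graph exercise. The following is an added example written for this article, not DNIF’s Connected Graph implementation: it takes events that have already been reduced to extracted fields, builds the connection graph, assigns the roles the walkthrough describes (suspect in red, compromised in yellow) and walks the graph to list the adversary’s footprint. Everything in it is constructed: the event list mirrors the walkthrough’s entities but uses sample addresses, not the redacted ones shown above; the `10.0.0.0/8` internal range, the fan-out threshold of three systems and the action names are assumptions chosen for the example.

```python
from collections import defaultdict, deque
import ipaddress

# Address ranges this example treats as the organisation's own (an assumption,
# not a DNIF setting); IPs outside them are external origins.
INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8")]

# Constructed events, already reduced to extracted fields (not real telemetry).
#   connection: src reached dst           signal: a detection fired on host src
#   logon:      account dst authenticated on host src
EVENTS = [
    {"kind": "connection", "src": "198.51.100.23", "dst": "10.7.0.5", "label": "RDP"},
    {"kind": "signal", "src": "10.7.0.5", "dst": "203.0.113.9", "label": "download from suspicious TLD"},
    {"kind": "signal", "src": "10.7.0.5", "dst": "203.0.113.10", "label": "fake Flash player update"},
    {"kind": "connection", "src": "10.7.0.5", "dst": "MUM017", "label": "SMB"},
    {"kind": "connection", "src": "10.7.0.5", "dst": "MUM010", "label": "SMB"},
    {"kind": "connection", "src": "10.7.0.5", "dst": "MUM015", "label": "SMB"},
    {"kind": "connection", "src": "10.7.0.5", "dst": "MUM011", "label": "SMB"},
    {"kind": "logon", "src": "10.7.0.5", "dst": "steve", "label": "interactive logon"},
    {"kind": "connection", "src": "steve", "dst": "MUM017", "label": "admin share"},
    {"kind": "connection", "src": "steve", "dst": "MUM010", "label": "admin share"},
    {"kind": "connection", "src": "steve", "dst": "MUM015", "label": "admin share"},
    {"kind": "connection", "src": "steve", "dst": "MUM011", "label": "admin share"},
]


def is_internal(node: str) -> bool:
    """IPs inside INTERNAL_NETS, plus hostnames and account names, count as internal."""
    try:
        addr = ipaddress.ip_address(node)
    except ValueError:
        return True
    return any(addr in net for net in INTERNAL_NETS)


def classify(events, fanout_threshold: int = 3):
    """Build the connected graph and assign roles.

    'compromised' (yellow): hosts on which a detection signal fired.
    'suspect' (red): external origins that reached an internal host, and accounts
    seen on a compromised host that then touched at least fanout_threshold systems.
    Returns (roles, graph, accounts).
    """
    graph = defaultdict(set)
    accounts, compromised = set(), set()
    for e in events:
        graph[e["src"]].add(e["dst"])
        graph.setdefault(e["dst"], set())
        if e["kind"] == "signal":
            compromised.add(e["src"])
        elif e["kind"] == "logon":
            accounts.add(e["dst"])
    roles = {h: "compromised" for h in compromised}
    for e in events:
        if e["kind"] == "connection" and not is_internal(e["src"]) and is_internal(e["dst"]):
            roles.setdefault(e["src"], "suspect")
        elif e["kind"] == "logon" and e["src"] in compromised:
            if len(graph[e["dst"]]) >= fanout_threshold:
                roles.setdefault(e["dst"], "suspect")
    return roles, graph, accounts


def footprints(graph, start: str) -> set:
    """Everything reachable from a compromised host: the adversary's footprint."""
    seen, queue = set(), deque([start])
    while queue:
        node = queue.popleft()
        for nxt in graph.get(node, ()):
            if nxt not in seen and nxt != start:
                seen.add(nxt)
                queue.append(nxt)
    return seen


def containment_actions(roles, accounts) -> list:
    """Map each role to the containment step the walkthrough describes."""
    actions = []
    for entity, role in sorted(roles.items()):
        if role == "compromised":
            actions.append((entity, "isolate host from network"))
        elif entity in accounts:
            actions.append((entity, "suspend account"))
        else:
            actions.append((entity, "block inbound from origin"))
    return actions


if __name__ == "__main__":
    roles, graph, accounts = classify(EVENTS)
    print(roles)
    print(sorted(footprints(graph, "10.7.0.5")))
    print(containment_actions(roles, accounts))
```

Run stand-alone it marks `198.51.100.23` and `steve` as suspects, `10.7.0.5` as compromised, and lists the four MUM hosts, the two download servers and the account as the compromised host’s footprint; the MUM hosts themselves get no role, which is the analyst’s cue that they need clean-up rather than isolation.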

DNIF and Automation

DNIF is also a strong automation platform that offers a large number of out-of-the-box automations for integrating third-party endpoints. These let you create connections and ingest activity and enrichment data from antivirus tools, DLP, IAM tools, web proxies, SIEMs, third-party intelligence, email security, operating systems, enterprise applications, and many more. To read more, visit Automation.

DNIF Dashboards

DNIF also provides threat alert monitoring dashboards where an analyst can see all crucial information on one page. Widgets such as Top Threats and Top Systems Affected are convenient for monitoring.

Summary

jATP is just one of many examples of security appliances; DNIF can work with any endpoint or network security application, and its rich set of out-of-the-box detection rules brings you meaningful insights into your environment.
