Augmenting jATP Security Defense with DNIF

Juniper Advanced Threat Prevention (jATP) is a cloud based service as well as on-premise appliance that provides advanced malware detection, automated analytics, and one touch mitigation to improve security operations productivity and strengthen security. jATP’s detection alerts of malicious attacks can be easily ingested by DNIF HyperScale SIEM that will provide critical awareness of the suspicious events taking place in your enterprise’s environment.

This article will help you understand how to synergise jATP and DNIF HyperScale SIEM to bring out the best from both these powerful products.

Integration of jATP with DNIF HyperScale SIEM

This is the foundation step for ingesting jATP logs to DNIF. DNIF has published integration manuals for all the technologies that can interact with it.

Here are the steps for jATP. One can refer to detailed steps of integrating jATP here:

1. Log in to Juniper Advanced Threat Prevention using the web interface and Navigate to the Config > Notifications page.
2. Select SIEM Settings from the left panel menu.
3. Click Add New SIEM Connector to set up a new Events, System Audit or System Health log notification in CEF format.
4. Select from the available options and modify the configurations

Steps to integrate jATP

Parsing the jATP information at DNIF HyperScale SIEM

DNIF uses the ‘Extractor’ based on CEF events from Juniper ATP. One can see the Extractor is part of DNIF’s standard extractors that are shipped with the product. For more on DNIF’s Standard Extractors please check out DNIF’s GIT repository.

The parsed information gets streamed and is seen on the console as follows:

DNIF Advantage

Threat signals from jATP, better known as ‘Pass Through Content’, add more context to the DNIF’s log correlation mechanism. Alerts detected by security appliances are consumed by DNIF in order to provide key insights of threats lurking in your environment. DNIF achieves this by collecting all the threat signals and segregating them based on angles such as suspicious origin, targeted host, malicious file, its path, name of the malware and then correlates them with different attacks taking place in the organization. One can have a detailed understanding of every signal raised from rule based correlation, on-demand outlier detection and anomaly models with DNIF’s Connected Graph. The Pass through content provides a richer source of information to Connected Graph and helps security analysts visualise and diagnose all the connected anomalies and compromises that happened at one place.

DNIF Connected graph helps security analyst get a quick look at the sequence of the possible compromise and evaluate the quickest response. In the following screenshot, one can see Juniper ATP has produced the threat signal named ‘TROJAN_Zemot.CY’. Let us look into more detail how this signal from jATP amplifies with other signals in the same environment.

Footprints of Attacker with DNIF’s Connected Graph

1. The attacker is 198.15.XX.XX who has established a successful connection via RDP to 10.7.XX.XX. The attacker is hence the Suspect and is marked in RED.
2. Using the out of the box detection rules, DNIF HyperScale SIEM has detected that a download from a suspicious TLD and Flash player update is observed to be originating from 10.7.XX.XX and both these are flagged as signals.
3. The host 10.7.XX.XX is highlighted in Yellow as it has been compromised and has established communication with other systems namely MUM017, MUM010, MUM015, MUM011, making it appear more prominent to security analysts. They can easily spot the footprints of the adversary along with the signal raised by Juniper cortex
4. Now that the security analyst is fully aware that the host 10.7.XX.XX has been compromised and can isolate it from the network to stop the propagation of malware.
5. The compromised host 10.7.XX.XX has successfully infected a user named ‘Steve’ which unfortunately was sabotaged to gain persistence in the environment.
6. DNIF has detected that Steve has been connected to a large number of systems and has been marked in Red as suspect of spreading infection. The analyst can suspend the account to contain the incident and can also perform a clean up activity on the connected systems MUM017, MUM010, MUM015, MUM011.

This is how DNIF HyperScale SIEM connects signals together and detects compromised entities to contain the incident at the earliest.

DNIF and Automation

DNIF is also a strong automation platform that offers large number of our of the box automation that can be used to integrate multiple third party endpoints that will allow one to create connections and ingest activity and enrichment data from antivirus tools, DLP, IAM tools, web proxy, SIEM, third-party intelligence, email security, operating systems, enterprise applications, and many more. To read more visit Automation.

DNIF Dashboards

DNIF also provides a threat alert monitoring dashboards where an analyst can see all crucial information on one page. Widgets such as Top Threats, Top System Affected will be convenient for monitoring purposes.

Summary

jATP is just one of the many examples of security appliances, and DNIF can work with any end point or network security application along with its rich set of out of the box detection rules to bring you meaningful insights of your environment.

Author: Sherin Salam