Juniper Networks Corporate PowerPoint Template


Juniper’s Innovation in Securing the Network
Securing Education & SDSN
Software Defined Secure Networks
Mark Snyder
SSS-SME - Full Stack Security Practitioner
CISSP CISM CISA CEH

Securing Education & SDSN Software Defined Secure Networks
Agenda
Securing Education
Education challenges today
Threats impacting education
Risk and remediation strategies
Juniper security controls
SDSN
The need for SDSN
Too many
Systems Administration
Zero trust Secure networks

Mark Snyder

Securing Education

Connect everything and empower everyone
Education challenges today

Issue In Education – Changing Business Models
How Are Changing Expectations Affecting Higher Education?
Online Learning Is Gaining Popularity With Adult Students
Why do people choose to learn online? Participants could cite multiple reasons.
To better juggle family and work responsibilities with school
To be able to do schoolwork anywhere at any time
Availability of accelerated courses
Lower cost overall
* hedistance.pdf
Expansion of Engaging and Relevant Learning for Students
Instructors Are Using Technology More Effectively
[Chart: Percentage of students who strongly agree that their instructors deliver these benefits: Control of my own learning; Makes learning more creative; Extends learning beyond the classroom; Better prepares to enter workforce; Makes learning more fun]
[Chart: Percentage of students who say their instructors use technology extremely effectively. Labels: Laptop computer, Desktop computer, Document camera, Printer, Interactive; Doctorate, Associate’s; Low, High]
*ECAR National Study of Undergraduate Students and Information Technology

Higher Education Industry: Mobility Trends
Undergraduates Are Equipped With Technology
Providing 24/7 connectivity and secure access for students
[Chart: A majority of undergraduates own about a dozen devices]
*CDE12 Yearbook
*ECAR National Study of Undergraduate Students and Information Technology
Students Expect Basic Online Services
[Chart: Percentage of students who say their institution does an excellent or good job at these online services. Labels: Laptop computer, Desktop computer, Document camera, Printer, Interactive whiteboard, Scanner]
*ECAR National Study of Undergraduate Students and Information Technology
21% of community colleges have plans to implement unified communications, voice, data or video in 2012-2013
40% of community colleges note infrastructure initiatives
87% of higher education IT professionals report they need to upgrade infrastructure in order to incorporate more technology and digital content
38% of higher education IT professionals report that IT security is a required area of modernization
Digital Content & Curriculum is now the norm
80% of higher education faculty use digital content in the classroom
48% of students would like faculty to incorporate more digital content
Instructors report the most commonly used technology resources are websites (56%), online images (44%), online games (43%), online video content (33%), online lesson plans (30%)
*CDE12 Yearbook

Critical Role of the Network
Reliable: Reliability of the network is crucial to meet common core state testing requirements and to support new instruction models like blended learning.
Robust: Higher Education networks must be robust so that students and staff can access digital content from anywhere on campus.
Flexible: Networks need to be flexible and scalable in order to cope with an influx of devices and run smoothly during peak usage hours.

Securing Education
Enabled and Open
Disabled and Closed

Securing Education
Defence
Offence

Threats - Education Impact

Securing Education
Exploits / Threats
Verizon DBIR
IBM X-force Threat Intelligence Index
San Francisco
Fancy Bear
APT28
Sofacy
“Know Thy Enemy”

Securing Education
Cybercrime Organization / business plan
Vision
Mission Statement
Value proposition
Organization chart
Management
Mentoring

Securing Education
Where is your Gold
Data Data

Securing Education
Where is your Data
PCI, # of transactions x level processor
PII, for student records
HIPAA – students, residence and facility
Resident students, privacy, game consoles
FBI subpoena; digital piracy, grant fraud, academic freedom
IP, research, GMT, enrollment
Data retention, data for video, PII, faculty, file, email
Disaster Recovery, Business continuity, Incident Response Plans

Trends Impacting Education Security
THREAT SOPHISTICATION, CLOUD, INFRASTRUCTURE
Zero day attacks
Virtualization and SDN
Hybrid cloud deployments growing
Advanced, persistent, targeted attacks
Applications, data, management in the cloud
Device proliferation and BYOD
Adaptive malware
Application proliferation
IoT and big everywhere

Securing Education
IoT and your Data
How is your data connected
Building bridges between (E-W)
Connected devices
Business partners
Printers
Anything connected is a potential threat

Risk and remediation strategies

Securing Education
Risk and remediation strategies
Security business and technical architecting methodologies
Business Transformation
GRC
Adopt a framework
Have a plan
Incident Response Plan
Technical Controls
Data Segmentation / Isolation
Visibility, Detection, Inspection, Prevention, Threat Intelligence, Reporting, Forensics
Identity and privileged access management

Securing Education
Business Transformation - GRC
Governance
Risk Management
Compliance
People
Policies
Process
Controls

Securing Education
Cybersecurity Standards
Frameworks
ETSI Cyber Security Technical Committee
ISO 27001 and 27002
Standard of Good Practice
NERC
NIST
ISO 15408
RFC 2196
ISA/IEC-62443 (formerly ISA-99)
IEC 62443 Conformity Assessment Program
IASME
U.S. Banking Regulators

Securing Education
Center for Internet Security (CIS) Top 20
1: Inventory of Authorized and Unauthorized Devices
2: Inventory of Authorized and Unauthorized Software
3: Secure Configurations for Hardware and Software on Mobile Devices, Laptops, Workstations, and Servers
4: Continuous Vulnerability Assessment and Remediation
5: Controlled Use of Administrative Privileges
6: Maintenance, Monitoring, and Analysis of Audit Logs
7: Email and Web Browser Protections
8: Malware Defenses
9: Limitation and Control of Network Ports, Protocols, and Services
10: Data Recovery Capability

Securing Education
CIS Top 20
11: Secure Configurations for Network Devices such as Firewalls, Routers, and Switches
12: Boundary Defenses
13: Data Protection
14: Controlled Access Based on the Need to Know
15: Wireless Access Control
16: Account Monitoring and Control
17: Security Skills Assessment and Appropriate Training to Fill Gaps
18: Application Software Security
19: Incident Response and Management
20: Penetration Tests and Red Team Exercises

Securing Education
Incident Response Plan

Securing Education
Business Transformation
Test your plan
Red Team vs Blue
Table Top Exercise

Security controls

Securing Education
Categories
Advanced Persistent Threat Protection (APT)
Forensics
Fraud Prevention
Anti Malware
Identity Management
Application Security
Internet of Things Security (IoT)
Cloud Security
Intrusion Detection & Prevention
Compliance Solution
Managed Security Service
Mobile Security
Data Leakage Prevention (DLP)
Database Security
Email Security
Network Access Control (NAC)
Embedded Security
Network Security
Encryption
Policy and User Management
Endpoint Security
Security Analytics
Multi-Factor Authentication
Security Information and Event
Security Monitoring
Social Media Security
Unified Threat Management (UTM)
Vulnerability om/faqs/

Securing Education
Security controls
Visibility
Unified Threat Management
Security Intelligence
SKY ATP
Detection, Inspection, Prevention
Application Control
Anti-virus
Command & control
Threat Intelligence
GeoIP feeds
Intrusion Prevention
Web/Content Filtering
User-based firewall
Anti-spam
Reporting
Custom feeds
Anti Malware
SRX Integrated
Deception Techniques
Junos SRX Foundation
Access Management
Firewall
Management
VPN
NAT
Data Segmentation/ r Security Analytics &
Integrated Logging and reporting
Next Generation Firewall Services

Securing Education
Juniper security controls
Security Director
SRX300
Branch
SkyATP
4Gb/s (2 vCPU)
25Gb/s (16 RU 40Gb/s
SRX500 SRX1500 SRX4100 SRX4200
Campus
*2017*
80G 1RU, 320G 3RU
8RU 960Gb/s
5RU 480Gb/s
SRX5400 SRX5600 SRX5800
Data Center

Bringing it all together

Juniper’s Innovation in Securing the Network
Software Defined Secure Networks

Juniper’s Innovation in Securing the Network
The need for SDSN
There are too many device

Threat Landscape is Massive
CISOs “Treading Water”
Pouring money into security, yet not any more secure - Average of 4,000 nodes with 5 security vendors
Success measured by number of blocked attacks vs. reduction of business risk
Attackers are always innovating to increase their ROI
Cost of managing cyber security risk will increase 38% over the next 10 years

Traditional Security is Not Enough
Layered on top -- not an integral function
Unified Threat Management
Inline Intrusion Prevention
Application Security
Advanced Threat Prevention
Data Loss Prevention
Designed to trust inside activity
Relies mostly on traditional firewalls for data and insight
Today’s network security must be dynamic, automated and intelligent to effectively detect and stop evolving threats

Consider malware in 2016
431,000,000
New pieces of malware written and used
That’s 13 every second

Juniper’s Innovation in Securing the Network
Systems Administrations & Security

To Stop Threats Faster Start thinking about Secure Networks
Realize threats are already inside. They walked in your front door
Recognize perimeter security isn’t enough
Enable detection and enforcement anywhere
Acknowledge horizontal and vertical vulnerabilities

Evolution in Systems age

Evolution in Systems administrations
Dev/Ops
Systems
Networks
Storage

Evolution in Systems etworks
Storage

Evolution in Systems administrations
Software Defined Secure Networks (SDSN)
Dev/Ops
Systems
Automation
Networks
Storage

Juniper’s Innovation in Securing the Network
Zero trust Secure networks

Software Defined Secure Networks
POLICY
Create and centrally orchestrate intent-based policy – align your security to your business imperatives
DETECTION
Gather and distribute threat intelligence from multiple sources – stop sophisticated cyber crime
Leverage cloud economics for real time analysis – identify risks sooner
ENFORCEMENT
Automatically apply policy in real time – secure the network in real time

Perimeter Oriented Security
Perimeter
Hyper-connected Network
Security at Perimeter
Outside (Untrusted)
Complex Security Policies
Lateral Threat Propagation
Internal (Trusted)
Limited Visibility

Software Defined Secure Network Delivers Zero Trust Security Model
Perimeter
Secure Network
Outside (Untrusted)
Simplified Security Policy
Block Lateral Threat Propagation
Internal (Also Untrusted)
Comprehensive Visibility

Everything on Your Network is a Potential Threat
Normal behavior: call home beacons, energy utilization
Anomalous behavior: bursting traffic, abnormal high data download rate
Is this normal? How do we mitigate risk?

The Right Policy for the Right Job
Software Defined Secure Network (SDSN) Policy Orchestration Enforcement
Kill illegitimate tunnel OR Shut down light bulb
Different threat levels need different policies
Anomalous lightbulb? Quarantine and create new policy for appropriate behavior
Compromised core switch? Neutralize the threat and shut down the tunnel vs. killing the switch

SDSN Simplified Scenario: Traveling Employee
Arrivals
Departures
www.pdf.com!

SDSN Simplified Scenario: Sunnyvale HQ
L2 VLAN
!

SDSN Simplified Scenario: Sunnyvale HQ
Sky Advanced Threat Prevention Cloud
Infected Laptop Address
MAC: 3A-34-52-C4-69-b4
IP: 172.16.254.3
Sandbox w/Deception
Static Analysis
ATP
L2 VLAN
SRX
Command & Control Server

SDSN Simplified Scenario: Sunnyvale HQ
Sky Advanced Threat Prevention OLICY
Third Party Threat Intel
POLICY
Security Director Policy Enforcer
Policy Enforcement, Visibility, Automation
L2 VLAN
DETECTION
ENFORCEMENT
SRX Physical Firewall
EX & QFX Switches
Quarantined
vSRX Virtual Firewall
MX Routers*
Third Party Elements*
Command & Control Server

SDSN Simplified Scenario: San Francisco Campus
Sky Advanced Threat Prevention OLICY
L2 VLAN
Infected Laptop Address
MAC: 3A-34-52-C4-69-b4
NEW IP: 174.12.254.3
Quarantined
Third Party Threat Intel
Security Director Policy Enforcer
Policy Enforcement, Visibility, Automation
DETECTION
ENFORCEMENT
SRX Physical Firewall
EX & QFX Switches
vSRX Virtual Firewall
MX Routers*
Third Party Elements*
Command & Control Server

Software Defined Secure Network
Policy, Detection, and Enforcement
Unified and Responsive
Dynamic, Adaptive Policy Orchestration
Automated Malware Defense
DETECTION
Threat Intelligence
Leverage entire network and ecosystem for threat intelligence and detection
POLICY ENFORCEMENT
Utilize any element of the network as an enforcement point
DETECTION ENFORCEMENT
Dynamically execute policy across all network components including third party devices

Software Defined Secure Networks (SDSN)
Security Director
SkyATP
4Gb/s (2 vCPU)
25Gb/s (16 SRX4200
Campus
*2017*
80G 1RU, 320G 3RU
5RU 480Gb/s
SRX5400 SRX5600 SRX5800
Data Center

Software Defined Secure Networks
Assures business continuity, reduces risk profile
Adaptive, immediate protection
Best utilization of scarce security personnel
Contextual, actionable alerts
Reduced OpEx
Unified management and visibility
Deployment flexibility
On premises, virtual, cloud or blended with open, robust architecture
Investment protection
Simplified UI for orchestration, automation and reporting

Thank you
