Advanced Threat Protection Interview: Mike Berkovitch, Juniper Networks on JATP

Junipers Advanced Threat Protection (JATP) gives service providers and enterprise IT departments the tools they need to find and eliminate malware from their networks more quickly.

AXIANS: IS JUNIPER’S ADVANCED THREAT PLATFORM (JATP) HARDWARE OR SOFTWARE?

Berkovitch: We call it an advanced threat appliance with distributed software that detects, analyses and mitigates against cyber threats. It’s a combination of hardware and software, but like most things from Juniper the hardware and software can reside in different places, either virtual or physical. The core solution – the brains where potential malware gets analysed – is a dedicated hardware appliance, but customers can choose where to deploy it.

AXIANS: WHAT’S THE TARGET MARKET FOR JATP?

Berkovitch: The flexibility of the solution means there is more than one. Enterprises use JATP for user and device asset protection across distributed environments for example. But in addition to that it can help anybody that has migrated their email to Microsoft Office365 or Google Mail, so there is scope for small to medium businesses (SMBs). The distributed architecture also allows service providers to natively embed JATP into their own service platforms, either to protect their customers underlying infrastructure or as part of a broader managed service proposition.

The name of the game is to quickly identify malware, find out where it has gone, mitigate against it, then analyse how well it has been cleaned up.

There is a third, more advanced option for any company building a cyber security practice that needs threat hunting and incident response tools – threat intelligence or security operation centre (SoC) providers for instance. For them the name of the game is to quickly identify malware, find out where it has gone, mitigate against it, then analyse how well it has been cleaned up. It is a time versus cost versus effort play and a tool like JATP cuts the time they spend on those tasks.

AXIANS: HOW DOES JUNIPER ADVANCED THREAT PROTECTION COLLECT TRAFFIC FOR THREAT ANALYSIS?

Berkovitch: The core appliance monitors and analyses its own network traffic but it also takes input from other collectors – those could be a Juniper SRX firewall for example, or similar solutions from third party vendors like Cisco, Palo Alto or Check Point. It can also do analysis on feeds from end point platforms like Carbon Black, SIEM from Splunk or IBM, lots of different security devices.

AXIANS: SMALLER BUSINESSES USUALLY WANT SCALABILITY, HOW DOES JATP DELIVER THAT? 

Berkovitch: Just using the collector embedded in the core appliance is the simplest deployment option, the all in one out of box solution if you will, which is particularly useful in SME environments. But customers also have option of retaining their fixed vendor environment, using JATP’s analysis engine to analyse traffic from somebody else’s firewall or endpoint. Because it is a virtualised solution it is not limited to on-premise hardware. So we can scale to any size or type of network, because each one of them works together but can function independently. We could deploy core collectors in the sensitive parts of the network – a financial transactions database for example – and add secondary cores to increase processing capabilities if those initial cores were not enough, then forward potential malware files for analysis from remote offices back to a centralised location.

AXIANS: WHAT HAPPENS WHEN MALWARE IS DETECTED?

Berkovitch: It depends on how it has been deployed. For known malware, it can publish blocking data to devices like firewalls, intruder prevention systems (IPS) and web gateways via APIs or by configuring rules to automatically push it out when certain thresholds are met. For malware that can be marked with a high probability but are not known, JATP verifies the infection on a suspected endpoint before cleaning it up. That is where we are working with Carbon Black and CrowdStrike to identify where in the network the malware has spread to before blocking it and forwarding the information back.

We are working with Carbon Black and CrowdStrike to identify where in the network the malware has spread to before blocking it and forwarding the information back.

AXIANS: ANY CUSTOMERS CURRENTLY USING JUNIPER ADVANCED THREAT PROTECTION YOU CAN TELL US ABOUT?

Berkovitch: Most customers don’t want to share information on what cyber solutions they are using, but examples include a large manufacturer of consumer electronics goods, an online entertainment service provider; and a leading financial services company alongside various educational and government institutions. Any government body worried about data sovereignty might not want to share metadata with the rest of the world, so they go into airgap mode – taking a downward threat intelligence feed and deploying it but not necessarily sharing the upload feed.That is likely to involve an appliance-based solution because it is easier to police, whereas those organisations just monitoring Office365 or Google Mail messages are going to be more comfortable with their applications being hosted in the cloud so they usually adopt a more hybrid approach. The choice of deployment option often comes down to whether the customer has enough in-house expertise to manage the appliance.

AXIANS: JATP IS ONE OF MANY SECURITY SOLUTIONS ON THE MARKET, HOW IS IT DIFFERENT FROM RIVAL THREAT DETECTION PLATFORMS?

Berkovitch: Firstly it is the architecture we have built into the solution alongside technology acquired from Cyphort – a combination of machine learning and behavioural analysis that optimises threat mitigation. It finds them in seconds rather than minutes or hours and has a lower rate of false positives. Then there are the multiple deployment options we offer, which is significantly different from several competitors in this space.The third advantage is practicality. No customer operates a truly single vendor environment and no partner offers a single vendor portfolio either. Because of that, JATP has been designed to integrate with multiple tools in existing environments – security integration event management (SIEM), cloud access security brokers (CASBs), firewalls etc – to complement what is already there.

JATP has been designed to integrate with multiple tools in existing environments – security integration event management (SIEM), cloud access security brokers (CASBs), firewalls etc – to complement what is already there.

AXIANS: WHAT’S THE ADVANTAGE FOR CUSTOMERS OUTSOURCING THREAT MANAGEMENT TO SERVICE PROVIDERS RATHER THAN DOING IT THEMSELVES?

Berkovitch: The first way to think about Juniper Advanced Threat Protection is as a tool that hunts, stops and cleans malware more efficiently, so deciding who runs it might depend on who has the expertise. It is not a substitute for in-house knowledge, but something that helps the IT department or security team find threats and work out the best way to stop them. In practice, it means somebody is going to increase their efficiency because they spend less time hunting malware, which leaves them fee to address other business priorities.By paying for JATP clean pipe managed service, neither the service provider or the customer has to spend as much time verifying the pipe is clean. It also taps into an extended community of security experts able to share their knowledge [on known threats and how to deal with them].

AXIANS: HOW CAN CUSTOMERS BE SURE JATP DELIVERS RETURN ON INVESTMENT (ROI)?

Berkovitch: There is a free tool called the JATP calculator which is designed to estimate the time and cost savings that can be achieved. The results are generally just as valid to European customers as they are for those in the US, and we have had three out of four telling us they are not far off reality.