Juniper’s Active Network Defence Concept
During Juniper's Security Field Day presentations, it took a while to figure out what Juniper was actually doing. Eventually it became clear that Juniper has a machine-learning based method for doing threat detection, called Advanced Threat Protection. It comes in a couple of flavours: ATP Cloud, which Juniper runs as a central service over the Internet, and an ATP On-Prem appliance that does a similar job but lives locally inside your network.
The idea Juniper has proposed is sound: let the computers handle the boring task of monitoring everything and detect when things look weird. The challenging part is teaching the computer what “looks weird” should mean, and that's where the fancy mathematical models of machine-learning come in.
We already do a simpler version of this with if-then pattern matching, like when you grep through log files for certain strings or use signature-based anti-virus. Machine-learning is just using more complicated statistical methods in the if statement. You could argue that Bayesian spam detection is a form of machine learning, and I would, because I like Bayesian statistics even though I can't remember Bayes' rule most of the time.
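To make the “more complicated statistics in the if statement” point concrete, here is an added example (mine, not Juniper's code or anything from the article) that runs the same web-server log lines through both approaches: a grep-style signature list, and a small naive Bayes classifier trained on a handful of labelled lines. The log lines, the signature list and the labels are all constructed for the example; the tokenizer and the class names are my own assumptions, not any product's API.

```python
import math
import re
from collections import Counter

# Constructed training data (not from the article). True = suspicious.
TRAINING = [
    ("GET /index.html 200 Mozilla/5.0", False),
    ("GET /about 200 Mozilla/5.0", False),
    ("POST /login 302 Mozilla/5.0", False),
    ("GET /images/logo.png 200 Mozilla/5.0", False),
    ("GET /wp-login.php 404 python-requests", True),
    ("GET /admin/config.php 403 curl", True),
    ("GET /.env 404 python-requests", True),
    ("POST /xmlrpc.php 404 curl", True),
]

# The "grep for certain strings" approach: a fixed list of substrings.
SIGNATURES = ["wp-login.php", "xmlrpc.php", "/.env"]


def signature_match(line):
    """True if any known-bad substring appears in the line."""
    return any(sig in line for sig in SIGNATURES)


def tokenize(line):
    """Split a log line into lower-case tokens (paths, status codes, agents)."""
    return re.findall(r"[a-z0-9_.\-/]+", line.lower())


class NaiveBayes:
    """Multinomial naive Bayes with Laplace smoothing over log-line tokens."""

    def __init__(self, alpha=1.0):
        self.alpha = alpha                      # smoothing for unseen tokens
        self.counts = {True: Counter(), False: Counter()}
        self.docs = Counter()                   # number of lines per label
        self.vocab = set()

    def train(self, samples):
        for line, label in samples:
            self.docs[label] += 1
            for tok in tokenize(line):
                self.counts[label][tok] += 1
                self.vocab.add(tok)

    def log_prob(self, tokens, label):
        # log P(label) + sum over tokens of log P(token | label)
        total = sum(self.counts[label].values())
        denom = total + self.alpha * len(self.vocab)
        lp = math.log(self.docs[label] / sum(self.docs.values()))
        for tok in tokens:
            lp += math.log((self.counts[label][tok] + self.alpha) / denom)
        return lp

    def suspicious_probability(self, line):
        toks = tokenize(line)
        ls = self.log_prob(toks, True)
        ln = self.log_prob(toks, False)
        # Convert the log-odds back to a probability without overflow.
        return 1.0 / (1.0 + math.exp(ln - ls))


def build_model():
    model = NaiveBayes()
    model.train(TRAINING)
    return model


def classify(line, model, threshold=0.5):
    """Run both detectors; the 'if statement' differs, the intent is the same."""
    return {
        "signature": signature_match(line),
        "bayes": model.suspicious_probability(line) >= threshold,
    }


if __name__ == "__main__":
    model = build_model()
    for line in ["GET /phpmyadmin/index.php 404 python-requests",
                 "GET /wp-login.php 200 Mozilla/5.0",
                 "GET /contact 200 Mozilla/5.0"]:
        print(line, "->", classify(line, model))
```

The first probe path is not on the signature list, so grep misses it, but the scanner-style user agent and 404 push the Bayesian score up. The second line hits a signature yet gets a low score because a browser fetching a page with a 200 looks, statistically, like the benign training lines. Neither detector is “right”; they are different if statements with different blind spots, which is exactly why you want to see what each one does before letting it block anything.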
But I digress.
The trouble is, computers are—broadly speaking—very stupid. They do exactly what they're told: no more, no less. This is extremely frustrating when you're trying to get one to do what you mean, not what you told it to do. They're like malicious wish-granting genies that love to ruin your day.
This is one reason why people often turn on intrusion detection systems, but are reluctant to enable the kind of active intrusion prevention that Juniper is promoting here. We just don't trust computers to get it right.
And we don't trust them because we've tested it out, and then had to deal with the outages and messy cleanup that results from the computer thinking the big spike in traffic is a DDoS and not the predictable increase in traffic from a very successful marketing campaign that Marketing didn't tell the CISO was about to run. You don't need to get yelled at by senior VPs very often before you learn not to break production with over-zealous security systems.
This is the environment Juniper is up against with its proposal of active defence.
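The DDoS-versus-marketing-campaign problem is easy to reproduce with the simplest possible anomaly detector. This added example (my own illustration, not code from the article or from Juniper) learns a per-minute request-rate baseline, then scores later minutes with a z-score. The request counts are constructed; the “detect” and “prevent” modes and the list of announced event windows are my assumptions about how such a system might be configured, not any product's settings.

```python
from statistics import mean, pstdev

# Constructed per-minute request counts (not from the article):
# twenty quiet minutes, then a sustained jump to roughly ten times baseline.
# The numbers are identical whether the cause is a DDoS or a campaign launch.
BASELINE = [100, 104, 98, 101, 97, 103, 99, 102, 100, 96,
            105, 99, 101, 98, 102, 100, 97, 103, 99, 101]
SPIKE = [980, 1010, 1050, 1100]


def z_score(value, baseline):
    """How many standard deviations a value sits above the learned baseline."""
    sigma = pstdev(baseline) or 1.0          # guard against a flat baseline
    return (value - mean(baseline)) / sigma


def evaluate(counts, train_minutes=20, threshold=5.0, mode="detect", planned=()):
    """Score every minute after the training period against the baseline.

    mode='detect'  -> anomalous minutes produce an alert only.
    mode='prevent' -> anomalous minutes would trigger a rate-limit.
    planned        -> minutes covered by an announced event (e.g. a campaign);
                      anomalies there are reported as expected, not acted on.
    Returns a list of (minute, action) tuples for anomalous minutes.
    """
    baseline = counts[:train_minutes]
    actions = []
    for minute in range(train_minutes, len(counts)):
        if z_score(counts[minute], baseline) < threshold:
            continue
        if minute in planned:
            actions.append((minute, "expected"))
        elif mode == "prevent":
            actions.append((minute, "rate-limit"))
        else:
            actions.append((minute, "alert"))
    return actions


if __name__ == "__main__":
    series = BASELINE + SPIKE
    print("detect :", evaluate(series, mode="detect"))
    print("prevent:", evaluate(series, mode="prevent"))
    # Marketing told the SOC about the 09:20-09:23 launch window this time.
    print("planned:", evaluate(series, mode="prevent", planned={20, 21, 22, 23}))
```

The detector cannot tell the two causes apart because, from the network's point of view, they are the same event. In detect mode the outcome is a page to an analyst; in prevent mode it is a throttled launch and a call from a senior VP. The only thing that changes the answer is information the detector never had, which is why the boring preparation work (change calendars, business context, a detect-first rollout) matters more than the model.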
Progress With Patching
We are getting much, much better at automated protection, though. It wasn't that long ago that automated patching was roundly rejected by most sysadmins because unsupervised upgrades would regularly break things in non-trivial and difficult-to-fix ways. Yet now it is known-good practice to turn on automatic updates for basically everything.
There are some areas where it still isn't a good idea, such as multi-million-dollar medical devices that have an embedded Windows XP system connected to them because the software that runs the device was written so long ago that patching it means buying an entirely new device. And IoT devices are a hilarious binfire of remotely exploitable vulnerabilities. And then there's the wonderful world of SCADA.
And that's a big problem when it comes to active defence. There are still so very many pockets of danger that an over-enthusiastic machine-learning system/malicious genie could accidentally trip over. We have to do a lot of work to get things into the same sort of state as operating systems have (mostly) arrived at where you can trust that automatic patching won't surprise you with a massive outage at 2am every second Tuesday.
That's why I'm still somewhat sceptical of the “useful right now” potential of these kinds of machine-learning driven systems, mostly because the foundations required to make them useful haven't been built yet in the majority of organisations. This isn't to say there's no merit in the idea. It's more that most of us aren't ready to put this idea into practice yet.
Few organisations have done all the preparation work that's needed. For the rest, there's still a lot of relatively boring and tedious work required before this kind of active defence capability will be reliable enough that it will stay enabled. It might get purchased and turned on, but it will then break something important almost immediately, get turned off, and then never get turned back on again.
Buying the magic widget was supposed to mean we could avoid doing any work. Once you've committed some serious treasure (and personal reputation) to the idea of avoiding hard work, admitting you were wrong and that hard work will actually be required isn't likely to be well received by all the people busy celebrating the end of hard work.
No, I'm not bitter, why do you ask?
Lofty Goals Are Still Worthwhile
However, this sort of solution needs to exist to give us a goal to work towards. We cannot give up on making things better just because we aren't able to get to a more lofty ideal immediately.
Progress takes effort.
It is endlessly frustrating that vendors continue to insist that there exists a single magical widget we can buy to make all our problems go away. It simply isn't true for any non-trivial problem.
I'm much more interested in hearing from vendors about how organisations can start from where they are today and move towards the lofty goal. It's fine to present an appealing vision for the future, but you should also show me how to make steps in the right direction to get there. If your directions begin with “Step 1: Be a completely different company” then what good are they?
Of course, doing this is harder than a lazy “buy our widget and everything will be perfect immediately” fairytale. It is a lie told to children, and as buyers we have to take some responsibility for encouraging this behaviour. Every CIO who buys one of these alleged panaceas because of a fairytale told to them over an expensive lunch is rewarding bad behaviour from vendors. Stop it.
Instead, you'll get a lot better value out of a selection of more prosaic activities, just as washing your hands regularly, getting some regular exercise, and eating better will probably do more for your health than spending a million dollars building a home gym you'll use once.
A million dollars buys a lot of soap.
But I want to be working towards a world that is safe enough that I don't have to wash my hands every 13 seconds in order to not die. Sure, it's better than dying, but it still sucks. So I applaud Juniper for showing us a vision of a better world.
Now show us the map for how to get there from here.