Juniper Adds Deception Tactics To SRX Series Gateways To Identify Malware, Thwart Infections

Juniper Networks is unveiling a new feature for its SRX Series Services Gateways that it said adds deceptive tactics to detect sophisticated malware attacks.

The networking vendor unveiled Argon Secure at RSA Conference 2014, applying a mixture of triggers that it calls intrusion deception techniques to the network layer and at endpoints to detect advanced threats. The company is extending the malware deception engine used in its WebApp Secure for the data center to the SRX Series appliances. The new service in the SRX Series platform uses its firewall features as an enforcement engine aimed at removing infected devices before cybercriminals can steal data.

Juniper Networks SRX Series appliances have focused on routing and switching capabilities for availability. The appliances contain a firewall, intrusion detection and prevention, and built-in denial-of-service protection. The product line starts at the low end as a desktop device for securing small, distributed enterprise locations with security, routing, switching and WAN connectivity. The product line also includes a massive appliance suited for large enterprise data centers, hosted or co-located data centers, and service providers, which supports a 200-Gbps firewall and a 100-Gbps IPS.

The company's new CEO, Shaygan Kheradpir, who took the helm in January, said the company remains committed to the channel, despite a difficult year in which the company lost at least seven high-level channel executives. Juniper named a new channel chief in January, tapping Jonathan Belcher, Juniper's vice president of partner sales for Asia-Pacific, greater China and Japan to lead the company's channel strategy. Juniper said its engineering teams are busy building out advanced, hybrid cloud ecosystems connected by highly intelligent networks. In a recent interview with CRN, Kheradpir said the needs of Juniper's service provider and enterprise customers have blurred, with large enterprises requiring the company's carrier-grade SRX appliances.

Pat Grillo, president and CEO of Atrion Communication Resources, a Branchburg, N.J.-based Juniper partner, said he was glad to see Juniper updating its SRX line, given perceptions that the company has "fallen behind" in the security market over the past couple of years.

Juniper in January reported growth across nearly all of its product segments for its fiscal fourth quarter, but said revenue for its security business fell 7 percent year-over-year to $157 million.

Still, Grillo said Juniper's security line is one of Atrion's fastest-growing segments.

"They had fallen behind a little bit. You never want to stand still, and I think they were kind of standing still," Grillo said. "But, for us, our security business with them has been great. We have been growing tremendous amounts."

Grillo didn't cite specific numbers, but said his Juniper security business has been growing by "leaps and bounds," with a couple of major deals in the pipeline now.

John O'Shea, senior vice president of Vology, a Tampa, Fla.-based solution provider and Juniper partner, said Juniper's security line has been a "key element" of Vology's overall Juniper business, and that he's excited to add Argon Secure to its portfolio. "Addressing the day-zero vulnerabilities with Argon Secure enables us to bring compelling new value to our customers as their trusted adviser," O'Shea said.

Dan Thormodsgaard, vice president of Solution Architecture at FishNet Security, an Overland Park, Kansas-based Juniper partner, said FishNet also is eager to start offering Argon Secure. "Having the combination of both a network-based and an agent-based solution provides much greater protection and increased visibility for organizations to combat against malware attacks," Thormodsgaard said. "Juniper has it right with these new capabilities, and we look forward to introducing this to our customers."

Deceptive tactics can thwart malware infection, especially attacks using malware designed to detect the presence of malware analysis tools and other programs used by security vendors. Sandboxing features, typically a virtual machine designed to analyze suspicious files, can prevent malware from executing and infecting a system, said Kyle Adams, chief software architect for Junos WebApp Secure, Juniper Networks' web application intrusion deception system. Malware takes great care not to run in a sandbox environment, Adams said, speaking Sunday to other security experts at the B-Sides San Francisco Conference.

"This is a business for malware authors, and the longer they can infect systems, the more money they will make," Adams said. "They'll go to great strides to avoid detection."

The SRX appliances will use 50 deception techniques embedded in the network infrastructure to force malware to expose itself even after entering a network, Juniper said. For example, one of the tactics involves creating a fake network process that emulates network share drives so when malware seeks out the files, Argon Secure can identify them and push out fake files. Juniper said it plans to sell the service as a subscription for the SRX Series and that it will be generally available in the third quarter of 2014.

Adams explained that he and other Juniper researchers have been working out a variety of ways to trigger malware's self-protection behavior so that infections are avoided altogether. Using a variety of deceptive techniques to mimic malware analysis environments, Juniper Networks researchers were able to prevent 20 percent of malware activity observed in a sample time period, Adams said. Adams showed examples of malware that, rather than dropping its payload, terminates when it detects subtle signs that it is being observed. Malware authors aim to avoid being detected by signature writers, because detection greatly reduces the infection rate and, in turn, the amount of money the cybercriminals could make.

In the web-based attacks he observed, Adams found tiny features built into malware that cause it to go dormant. Some malware can detect whether a software debugger is running on a system, whether it is running in a virtual machine, or whether the system has sandbox software installed. The malware also can detect subtle system timing issues that could signal an environment designed to run malware analysis tools.

Meanwhile, the malware will typically execute and drop its payload on a system that has a full Internet connection, account data present for webmail and social networks, and correct software and operating system versions.

Adams said his team found success in preventing infections by installing a debugger, hooking into every process automatically and spoofing VMware artifacts. The team also skewed the system clock, setting it one year behind, or disabled clock syncing.