In the first post of this 3-part blog series, I noted that it has become increasingly popular to rely on shared intelligence when deciding what to spend money and time on, in both the consumer and the business world. It is no longer satisfying or desirable to base decisions on isolated experiences and data points. In the same way, it is neither scalable nor practical to depend solely on security and network context data from disparate, non-interoperable products and technologies.
Infoblox acts as the “hub” for information sharing between the core network control services, namely DNS, DHCP and IP address management (DDI), and the various security products you may already be using. It takes a two-fold approach to tackling threats.
Using Threat Intelligence to Take Action
The Infoblox DNS Firewall effectively disrupts advanced persistent threats (APTs) and malware at the DNS layer using threat intelligence from a variety of sources.
- Cloud-based reputational threat intelligence feed – a “black list” of domains and IP addresses known to be associated with suspicious or malicious servers (e.g. ransomware, financial/banking malware, Trojans) or botnets.
- Infoblox DNS Threat Analytics – software that performs streaming analytics on DNS queries to detect data exfiltration. It uses behavior modeling and machine learning to catch more sophisticated methods that have no well-known signature (zero-day). Once a DNS request is classified as data exfiltration, the destination associated with it is added to a special response policy zone (RPZ) “black list” that DNS Firewall uses to take action.
- Local or enterprise intelligence – adversaries you have already identified, either through existing advanced security tools such as FireEye or through your own malware research team. Infoblox’s flexible, easy-to-use third-party system interfaces can take this information and create security policies automatically.
Using any one or more of these sources as part of its built-in DNS response policy zone (RPZ), the Infoblox DNS Firewall automatically acts on any DNS request made by an infected endpoint: it either blocks the request or redirects it to a walled-garden site, preventing the spread of malware and the exfiltration of data.
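As an added illustration (not Infoblox code), the Python below simulates how the three intelligence sources above populate RPZ-style policy zones and how a DNS firewall picks a block (NXDOMAIN) or walled-garden (CNAME) action for each query, including the analytics path that adds a newly detected exfiltration destination to its own zone. The feed contents, the walled-garden name and the long-label/high-entropy exfiltration heuristic are constructed assumptions for the example.

```python
import math
from collections import Counter

# Constructed sample intelligence, keyed by domain (no trailing dot, lower-case).
# These names are placeholders for the example, not real indicators.
REPUTATION_FEED = {"evil-c2.example": ("nxdomain", "cloud reputation feed")}
LOCAL_FEED = {"phish.example": ("walled-garden", "local/enterprise intelligence")}
ANALYTICS_RPZ = {}  # filled at run time by the exfiltration detector below
WALLED_GARDEN = "walledgarden.corp.example."  # hypothetical redirect target

def shannon_entropy(text):
    """Bits of entropy per character; encoded payloads score near the maximum."""
    counts = Counter(text)
    n = len(text)
    return -sum(c / n * math.log2(c / n) for c in counts.values())

def looks_like_exfiltration(qname, min_label_len=40, min_entropy=3.8):
    """Toy stand-in for streaming analytics: flag a long, high-entropy leftmost
    label, the shape data takes when it is tunnelled out inside DNS names."""
    label = qname.rstrip(".").split(".")[0]
    return len(label) >= min_label_len and shannon_entropy(label) >= min_entropy

def rpz_lookup(qname):
    """Match the query name or any parent domain against each policy zone,
    the way an RPZ entry for example.com also covers *.example.com."""
    labels = qname.rstrip(".").lower().split(".")
    for zone in (ANALYTICS_RPZ, LOCAL_FEED, REPUTATION_FEED):
        for i in range(len(labels)):
            entry = zone.get(".".join(labels[i:]))
            if entry:
                return entry
    return ("passthru", "no policy match")

def resolve(qname, client_ip):
    """Run analytics, then RPZ policy, and return what the firewall would do."""
    if looks_like_exfiltration(qname):
        # Add the destination (crudely, the last two labels) to the analytics
        # RPZ so that later queries to the same destination are blocked too.
        dest = ".".join(qname.rstrip(".").lower().split(".")[-2:])
        ANALYTICS_RPZ[dest] = ("nxdomain", "DNS Threat Analytics: exfiltration")
    action, reason = rpz_lookup(qname)
    answer = {"nxdomain": None, "walled-garden": WALLED_GARDEN}.get(action, "normal resolution")
    return {"client": client_ip, "qname": qname, "action": action,
            "answer": answer, "reason": reason}

if __name__ == "__main__":
    for q in ("www.evil-c2.example.", "phish.example.", "www.example.org.",
              "0123456789abcdef" * 3 + ".exfil-tunnel.example.", "mail.exfil-tunnel.example."):
        print(resolve(q, "10.0.0.5"))
```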
Sharing Threat Intelligence to enhance security, simplify incident response, and reduce operational overhead
Infoblox helps shorten the kill chain by both reporting on and automatically sharing valuable network and security threat intelligence with leading security solutions that subsequently take action.
- Infoblox DDI products, including our Secure DNS portfolio, share data with Infoblox Reporting, a dedicated platform that offers at-a-glance dashboard views of top attacks, malicious connections, infected endpoints and a host of additional data, plus highly customizable reports that can ease security policy and network management efforts.
- Once an advanced endpoint security solution such as Carbon Black learns from Infoblox DNS Firewall about an endpoint making a malicious DNS request, Carbon Black automatically bans the malicious processes from future execution and connection, thereby effectively quarantining the infected endpoint and preventing data from being exfiltrated, even if a device is outside the enterprise.
- A network access control solution such as Cisco Identity Services Engine (ISE) can update policy for any endpoint it discovers making DNS requests to malicious domains previously identified by Infoblox. Infoblox also provides contextual data such as endpoint DHCP lease history, MAC address, IP address, operating system, user and device type. Security managers can use this data to detect trends, such as devices with similar attributes or policies being hit by the same attack or indicator of compromise, and to evaluate and adjust security policies across systems network-wide.
In the third of this 3-part blog series, I will share the ways that our DDI solutions seamlessly exchange data with various security technologies and products to make it easy for customers to get more value from their investments.