Facebook Live Transcript***
July 19th, 2017
Good morning, and welcome to this Facebook Live session from Infoblox. And today’s topic is going to be about why network and security tools should talk to each other for a better incident response.
Security’s always been a defense index strategy, and today we’re going to talk about some of the unintended consequences around that approach. I’m Srikrupa Srivatsan. I’m Senior Product Marketing Manager here at Infoblox.
When you think about security organizations have procured and deployed a lot of tools on their network to detect and mitigate against various types of threats. But the unintended consequence of that is, security operations team are getting inundated with a lot of alerts, and it’s hard for them to understand which alerts they need to address first, and which threats are higher risk.
The other challenge with security tools is that they have limited visibility into the network. So they don’t know when new devices join the network, or when new virtual workloads are getting sent off. And visibility is actually more and more of a challenge in today’s world of BYOB, IoT, and Cloud deployment and the likes.
So joining me today, to discuss these use cases, is Troy Hager, Senior Director of Business Development and Product Management here at Infoblox. He has been leading our strategy around ecosystem integration, where we can integrate network tools with the security tools that our customers already use in their network, and why that’s a good thing.
So Troy, why don’t we start with discussing some of the challenges that security operations team face today around visibility?
Yeah, and I think you touched on a lot of them … thanks for the introduction, Krupa. The soft teams are dealing with a lot of things, from the landscaping you described, the changes and the growth, from virtual to Cloud, to SAS, to different application developments and architectures, and workplace changes, how employees are working, remote, more multiple devices… Just all the complexity and changes. The other thing is, that the bad guys are also evolving. We don’t talk enough about the bad guys and what they’re up to. Things over the last so many years have evolved from phishing, to Malware, to Malware C2s, to DGA, to domain attacks. And now we’re seeing Ransomware, and DOS-based DNS attacks, and service attacks. So, just in the landscape of the bad guys is constantly changing, and they’re always reacting and evolving their approach.
Lately, we’ve see a lot of DNS-based attacks with tunneling and signature-based stuff, and predictive and pattern matching. So we’ve been really trying to react, I think a lot, and also get ahead of some of the trends that you’re seeing with the bad guys.
Security teams also, if you look at the increased coverage, being all of the different networks and applications they have to support, plus the security teams now have to keep up with what the bad guys are doing and what the latest trends are, and then I think the other thing that people don’t talk enough about is the resources. I mean, the security team resources are at a very all-time low. I mean, try to find and hire security research experts, people that actually have a background in security, whether it be reverse engineering or Malware or being able to look at alerts. I mean, you talked about all of these different solutions out there, whether they’re SIMS, or firewalls, or IDS/IPS, DNS firewalls, and exfiltration products, email-based products, all of those things generate alerts.
It takes a lot of education and different knowledge and tools to be able to effectively evaluate those tools and address them. I think that the combination of landscape, complexity, and resourcing are kind of the primary challenges that they’re facing today.
Great. And that’s totally true. When I talk to customers, or when I’m attending some CISO panels, I always hear about the resource constraints that starts that up, right? So, security researchers, really good ones are hard to come by, and security operations sites are expensive resources. So, organizations want to use them in the most efficient way possible. Right? And one of the ways to do that is to take off some of the manual costs to do, like automate a lot of things. And Sean has been leading our effort to improve automation between the networking and the security tools, right?
So Sean, I guess the next question to you, and we talk about these elaborations, but what is the … why should customers get the data from the network? What can they get out of the network-based data that we can share with the security?
Well, that’s a great question. I mean, Infoblox has a lot of data. Our customers rely on us to be kind of their … in most cases, the single source of truth of all of their networking, device data, IPAM data. Of course, we have domain data, DNS data, passive DNS data, so we’re sitting on a lot of data. Now, having a lot of data, and knowing what to do with it and how to properly share it with our customers for their benefit to the appropriate solutions, is always kind of the key piece that needs to be done with these integrations.
We also are hearing a lot from customers around DNS information, not just IPAM data, or IP addresses, or MAC addresses, or user information. I mean, those are obviously critical to be sharing to these security solutions. But also, now, we’re working a lot with sharing threat-based data. What happened … where did the user or the compromised machine try to reach out to? And what is that? What is that domain? How is that bad? Is that a Ransomware? Is it an infection? Is it DNS tunneling? Do we see exfiltration packets? So just being able to share more data and the right data to the right partner, I think, is really the focus that we’ve been working on.
Yeah, and that’s a great point, right? So getting data is one thing, but having actionable data is another thing, right? How can you use that data to prioritize the alert that you’re getting from your regular security tools? I think that’s critical. Getting context around those steps, is it a high profile asset in the organization that is infected? It’s important to address those steps first to minimize risk to the business.
Right, and that’s a good point. People want to know what’s the criticality, what’s the severity, what’s the threat classification? I mean, being able to be more specific. I mean, people talk about sharing data all the time, but it’s sharing the right data with the right amount of context. Because the last thing … I mean, think about it, you have a team, a security team, they’re already overworked, they’re hard to find, and there’s all these products that they’re using to protect their infrastructure and they all need administration. They all need monitoring, and researching, and the last thing they need is more information that they don’t know what to do with, that isn’t relevant. So that’s kind of where we’re trying to be real focused at.
Right. So Sean, can you talk about … We talked about the importance of data, we talked about automation and making sure the resources are used efficiently. So, you’ve been leading this effort from Infoblox side to really have a robust, integrated solution, that works well with what the customer’s already have. So can you tell me some of the use cases that our customers are using these integrations for. What are they doing with integration?
Yeah, absolutely. I mean, it all comes down to the use cases and value, right? If you’re not delivering on the value to the products and working with our partners on, what is our product do? What are we good at? How do customers use our products? What does our partner solution do? How do we properly hand that baton off so that they get the information into their solution that they need, so that they go can extend their use cases and features and continue the orchestration story? Right? So that’s what our focus has been.
As far as our specific use cases, there’s probably quite a few different use cases we hear from customers. I’ll just highlight a couple of the most common ones. One of the biggest things we hear, because we’re the single source of truth in a lot of cases for our customers’ networking and configuration in DNS is, “Hey, as we’re detecting, or as they’re using our products, or we’re discovering devices, they want all that rich discovery and networking data to be transmitted and shared with the appropriate products that can utilize it.” Otherwise, they’re in the situation where, if it’s a scanning system, vulnerability of product, or if it’s a network access control product, or if it’s a SIM, or whatever, or a ticketing system, right? All of those products have the need to administrate their assets and their network so that the scans can run. Or that they can identify the different machines on the network, and set policy with them.
By us being able to share as we discover new networks or as our customers have to do redundant data entry and manage both systems independently, and they can assess and scan new machines and assets faster. The second use case, had a bundle that we do a lot with our partners today is, around our security products. So, whether it’s a compromised machine, or an infection, or a machine seen having data exfiltration outside the network, we’re able to go in and identify that exact machine on the network, along with the MAC address, the user, all the other attribution, and kind of signal over to our security partners, “Hey, there is this machine that needs remediation or it needs orchestration.”
Being able to send that over to get it scanned and get it remediated, in some cases, or get it quarantined with MAC providers, or even send it in to a ticketing system for IT. Whatever the products they’re using, being able to kind of work those use cases and share our data out of our environment, helps them identify the machines quicker, remediate the problems faster, and makes their staff more productive. So that’s kind of the value of those use cases.
And you brought up a good word; orchestration. So orchestration is when you’re using automation to give up some of those minor tasks and making the suite of tools, like the security tools they’re using today, work together..
And that is a critical part of improving their day-to-day operations and making sure the security guys are using their time more effectively. So maybe they want to do more threat hunting instead of just looking at all of these alert objects, right? Would you say that’s right?
Yeah, I think so. Not just looking at the alerts. I mean, I think if you ask any security soc person, the first thing they’d say is there’s no way to look at all the alerts. There’s too many of them. I mean, even within certain solutions, I mean, imagine if I’ve got five different solutions and they all generate an infinite amount of alerts. It really comes back to how they combine those alerts, kind of funnel them together, what they’re work flow is, and how they’re going to determine which ones are critical versus high priority. Again, that’s where being able to share with them the information, “Oh, this alert is a Malware C2 or a DNS exfiltration or tunneling.” Those are going to be a higher priority type of an alert than say, some work stations browsed a phishing’s website, right?
And so, depending on what department, or if you’re in finance, and your machine’s seen going to exfiltration, that would probably be another way to look at how critical, like which one’s am I going to work on and what order, right? That’s really what they’re going to be looking at. And so, I think that’s where we’re again trying to provide value in saying, “Look, we know that this compromised machine is in a certain network, or a certain department of a certain user with this kind of access to company information. And we know that it’s seen doing this kind of an activity.” Those are the types of data points that help you kind of prioritize your pipeline of work, right? And/or automate.
A lot of companies are working at trying to automate, or sift, or filter, like with nightly jobs, or daily automation. Which ones are they really going to bubble up, and which ones are gonna kind of get put to the back burner, so to speak, right? So, that’s all important.
Good point. Can you tell us a little bit about your strategy, and specifically, which security tools that you integrate with today? And which ones are in consideration? And which ones we should prioritize for the integration?
We have a few different lenses that we look through to determine all of that, and I won’t go into all of those at this time, but I will say that our Infoblox is TAP, it’s our Technical Alliance Program. We have technology partners, we have strategic partners, we have channel partners. So there’s a broad range of partners, Infoblox.
We work with over 100 partners, I believe, in different categories. And as far as the ecosystem and what we’re talking about today, how we kind of … who we’ve been working with and how we select them, primarily comes back to customer input. I mean, we really work hard to work with our field team and our customers to identify what are they looking for, which of those use cases, and which of those integrations bring them the most value in terms of that limited resource, or the amount of work that they have to do to double enter things, or to watch stuff in multiple applications, right?
So today, what we focused on in the last 24 months has been primarily things like vulnerability scanning. I think we do a really good job working with the natural fit of, “Hey, if we know something’s compromised, getting that over to the scanning and vulnerability products makes really good sense for customers.” Also, network access control. If we know something is new, just an IoT device, or it’s infected, being able to notify the customer’s network access control provider so that they can enforce the proper policies on this new device, or check … Those are the kinds of things that we’ve been doing.
We’re also getting into end point management providers and solutions. We work with SIMS. We work with thread intelligence providers, from cyber security experts, and research organizations, all the way through companies who write reports about bad actors. We really try to bring all that information together to help customers with the orchestration. So, a lot of stuff there to talk about. Probably can’t cover it all today, but we’re really focused on what the customers are asking for.
As Sean mentioned, we could probably not cover everything today, but we will be in future sessions on maybe vulnerability scanners, etc
Troy, thank you so much. This has been very informative. And the viewers, I’m sure, have gotten a good insight into what we’re doing from the ecosystem perspective. I think our customers are benefiting from these integrations and I’m sure other organizations will as well.
For more information on these integrations, we do have a robust community site that Sean has been kind of spearheading. We have a lot of information there, we have demo videos of these integrations, we have solution notes… If you have any questions for Troy or others on the team, you can always post them on the community site at community.infoblox.com. And your questions will be answered. And of course, reach out to Infoblox if you have a request in. But thank you so much for joining us today on this Facebook Live session.
All right. Thanks. Talk to you soon. Bye-bye now.