Leveraging AI in with asset management–on top of DNS management–can accelerate detection and blocking of an attack some 60 times. That means that a detection/blockage that would 3-4 hours without leveraging DNS files could happen in 3-4 minutes. During, for example, a ransomware attack, that could easily make the difference between losing sensitive data and potentially control of your environment and shutting the bad guys out before they do any serious damage.
But the issue here is not merely speed. It is about asset visibility as well as–in many situations–asset controls. CISOs track assets well, but they often spend insufficient effort focusing on networking. That is where the complexity is, with IoT, IIoT, cloud, Shadow IT, branch users, remote sites, etc. By leveraging network elements such as IPAM and DNS, CISOs and CIOs have far greater visibility and control.
For example, consider a routine IOT device such as a GE smart thermostat. IT and Security know that the device routinely checks in with the GE network, but are they aware if it visits an unrelated network? Do they know if it radically increases its communications or, even worse, starts moving increasingly larger amounts in either direction? DNS knows.
Many tools today deliver limited information, such as an IP address, but it doesn’t report on the roles of the asset. Is it a server running a financial application? IPAM metadata reports far more information including the MAC address, operating system details, what part of the network it’s on (subnet, physical location). Leveraging a configuration management database (CMDB) simply doesn’t deliver enough details.
That said, by combining CMDB information and correlating it with information from other databases managed by other groups (such as security, network admin, etc.), IPAM can detect data asset problems that the isolated resources can’t. When there’s DNS data exfiltration, many enterprises won’t detect it.
The next step is to make sure that IPAM data feeds into other applications such as a NAC app. That would mean that if a non-sanctioned device is added to the network, the NAC can block the device from the network by quarantining it. With all assets monitored, if a big increase in DNS data going to an unrecognized cloud, it will be detected. It might be an attack or it might simply be an employee violating the rules. Such is the joy of Shadow IT. Either way, rules can be written (or a SOC staffer could manually) add the cloud server to a block list.
Is something on the network making 1,000 or more DNS requests a minute? That’s a ransomware red flag that might be missed if network tools aren’t being closed monitored. That’s where machine learning (ML) can be an enterprise-saver. Attackers today are quite fond of embedding malware into DNS requests.
