The enterprise security world changed forever in March 2020, with almost all enterprises flipping from 90 percent of people and information flow happening inside the perimeter to 90 percent (or more) happening outside it. The implications of this, coupled with sharp increases in cloud and IoT adoption, have forced CISOs to deal with an environment completely different from the one they are used to, and the one they were trained for.
This change has meant that many long-trusted security tools (especially VPNs and SIEMs) are much less effective, and security executives need to find replacements. Or do they? One area where enterprise security executives have routinely under-utilized existing resources is DNS monitoring. By logging and analyzing the DNS queries that every device already makes, just about every interaction can be tracked, analyzed and, when needed, blocked, provided clients resolve through the enterprise resolver rather than hard-coded IP addresses or an outside encrypted-DNS service. DNS doesn't care whether the dataflow is headed into on-prem (which may or may not exist much longer), the cloud, a remote site, or between different remote sites. In short, DNS monitoring is largely unaffected by this 90-10 reversal and can deliver far better security than many CISOs realize.
But this goes far beyond authenticated DHCP. Enterprises in recent years have grown sloppy, partly because of Shadow IT (which does a lot more damage than merely spinning up hidden cloud accounts) and partly because of lax enforcement of governance rules. Mobile devices, for example, do not routinely use their enterprise's corporate directory service. Some enterprises find themselves using multiple DNS resolvers from different providers, which undercuts the centralized visibility that aggressively-used DNS can deliver: a query that goes to a resolver you do not log is a query you never see. Companies need that bird's-eye view of who is accessing what, when and how.
So what is the path to better enterprise security via leveraging DNS, DHCP and IPAM for threat containment and security operations? The biggest initial hurdle is keeping up with the volume of alerts. Although that sounds like a very familiar age-old issue (partly because, well, it is), it is far worse in the era of COVID-19. With this 90-10 flip comes the sobering reality that the number of initially-unrecognized contact attempts is several orders of magnitude higher than it was as recently as February 2020.
This is severely aggravated by the fact that enterprises were forced to rush these remote sites, pushing out sometimes more than 100,000 new remote sites in a few days instead of the typical month or several months. And, yes, this was typically done with no additional budget (and sometimes with budget cuts). In short, far more of these new dataflow contacts are going to be initially unrecognized. This is why attackers are having a field day, squeezing out as many attacks as they can before enterprise CISOs update their defense strategies to match the new environment. This is where DNS, DHCP and IPAM analysis can make a huge difference.
Consider: some 91 percent of malware relies on DNS as a control plane. Phishing attacks, the prelude to other attacks (especially ransomware), may start with an email or a text, but they can't do much damage before encountering DNS: the link has to resolve, and the dropped payload has to find its command-and-control server. Even DDoS attacks routinely involve DNS, whether as the target, as an amplification vector, or through the lookups a botnet makes to find its controllers. And DNS is an ideal data source for anomaly-based detection of previously unseen (zero-day) threats using machine learning and other forms of AI, because malicious domains tend to look and behave differently from legitimate ones even when nobody has seen them before.
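To make the "DNS as control plane" point concrete, here is an added example (not code from the original article or from any vendor it alludes to) that triages a resolver query log for three things malware leaves behind in DNS: a hit on a threat feed, a burst of NXDOMAIN responses for distinct domains (the signature of a domain-generation algorithm probing for its live controller), and long high-entropy labels in TXT or NULL queries (the shape of DNS tunnelling). The log format, the thresholds and the threat feed are all assumptions constructed for the example; the sample domains use the reserved .test and .example names.

```python
"""Heuristic DNS-log triage: threat-feed hits, DGA-style NXDOMAIN bursts and
tunnelling-shaped queries.  Thresholds, log layout and sample data are
assumptions made for this example, not values taken from the original article."""
import math
from collections import defaultdict

# Constructed sample of a resolver query log: time, client IP, qname, qtype, rcode.
SAMPLE_DNS_LOG = """\
2020-04-01T09:00:01Z 10.1.2.7  www.example.com                                        A    NOERROR
2020-04-01T09:00:02Z 10.1.2.7  update.example-cdn.net                                 A    NOERROR
2020-04-01T09:00:05Z 10.1.2.9  a1b2c3d4e5f6a7b8c9d0e1f2a3b4c5d6.tunnel-example.test   TXT  NOERROR
2020-04-01T09:00:06Z 10.1.2.9  b7c8d9e0f1a2b3c4d5e6f7a8b9c0d1e2.tunnel-example.test   TXT  NOERROR
2020-04-01T09:00:10Z 10.1.2.11 qwe8ryt3.test                                          A    NXDOMAIN
2020-04-01T09:00:11Z 10.1.2.11 zxk1vm9p.test                                          A    NXDOMAIN
2020-04-01T09:00:12Z 10.1.2.11 hf7ql2ma.test                                          A    NXDOMAIN
2020-04-01T09:00:13Z 10.1.2.11 bad-c2.test                                            A    NOERROR
2020-04-01T09:00:20Z 10.1.2.7  mail.example.com                                       MX   NOERROR
"""

# Constructed threat feed of known-malicious registered domains (assumption).
THREAT_FEED = {"bad-c2.test"}

ENTROPY_THRESHOLD = 3.5   # bits per character; hex/base32 payload labels score about 4
LONG_LABEL = 16           # only score labels long enough for entropy to mean anything
TUNNEL_QTYPES = {"TXT", "NULL"}
TUNNEL_QNAME_LEN = 50
NXDOMAIN_BURST = 3        # distinct NXDOMAIN registered domains per client


def parse_dns_log(text):
    """Parse whitespace-separated log lines into dicts."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, client, qname, qtype, rcode = line.split()
        records.append({"ts": ts, "client": client, "qname": qname.rstrip(".").lower(),
                        "qtype": qtype, "rcode": rcode})
    return records


def shannon_entropy(s):
    """Bits of entropy per character of s (0.0 for the empty string)."""
    if not s:
        return 0.0
    counts = defaultdict(int)
    for ch in s:
        counts[ch] += 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def registered_domain(qname):
    """Naive eTLD+1: last two labels.  Real deployments use the Public Suffix List."""
    labels = qname.split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else qname


def query_indicators(rec, feed):
    """Per-query indicators that need no cross-query state."""
    reasons = []
    if registered_domain(rec["qname"]) in feed:
        reasons.append("threat_feed")
    labels = rec["qname"].split(".")[:-2]   # subdomain labels only
    if any(len(l) >= LONG_LABEL and shannon_entropy(l) >= ENTROPY_THRESHOLD for l in labels):
        reasons.append("high_entropy_label")
    if rec["qtype"] in TUNNEL_QTYPES and len(rec["qname"]) >= TUNNEL_QNAME_LEN:
        reasons.append("tunnel_like")
    return reasons


def triage(log_text, feed):
    """Return {client: sorted list of reasons} for clients worth investigating."""
    findings = defaultdict(set)
    nx_domains = defaultdict(set)
    for rec in parse_dns_log(log_text):
        for reason in query_indicators(rec, feed):
            findings[rec["client"]].add(reason)
        if rec["rcode"] == "NXDOMAIN":
            nx_domains[rec["client"]].add(registered_domain(rec["qname"]))
    # A DGA client asks for many names that do not exist before it finds a live one;
    # short generated labels slip past the entropy rule, so count the NXDOMAINs instead.
    for client, domains in nx_domains.items():
        if len(domains) >= NXDOMAIN_BURST:
            findings[client].add("nxdomain_burst")
    return {c: sorted(r) for c, r in findings.items()}


if __name__ == "__main__":
    for client, reasons in triage(SAMPLE_DNS_LOG, THREAT_FEED).items():
        print(client, ", ".join(reasons))
```

Run on the constructed sample, 10.1.2.11 is flagged for both the feed hit and the NXDOMAIN burst (the three short generated names never trip the entropy rule, which is why both checks are needed), while 10.1.2.9 is flagged for tunnel-shaped TXT queries that no feed would know about. Two things matter in production that the sample glosses over: the NXDOMAIN count should run over a sliding window rather than the whole log, and the registered-domain split needs the Public Suffix List so that names under multi-label suffixes are not mis-grouped.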
Enterprises already use a wide range of threat feeds, but a properly managed DNS global threat feed can prove not only more effective but also far more all-encompassing, both in the extent and currency of its data and in the number of security defenses (network access controls, firewalls, SIEM, APT/malware detection, etc.) it supports and defends.
Without DHCP data, it is hard to correlate disparate events related to the same device under investigation, especially in dynamic environments where an IP address may belong to a camera in the morning and a laptop in the afternoon. Without DNS and DHCP, operations teams struggle to accurately identify compromised machines and have limited visibility into what resources a user has been accessing. And without public passive DNS and domain registration data, it is difficult to fully understand the scope of an adversary's malicious infrastructure and to link related events.
Remember that there are many attacks specifically written to ride DNS and to explicitly sidestep threat-intelligence defenses by using domains no feed has seen yet. Those attacks can be thwarted, but only by deeply analyzing DNS data. After increased cloud and remote sites, the biggest change to the security environment is IoT attacks. (Note that there is some overlap here with those new remote sites, which specifically open the door to attacks leveraging consumer-grade IoT that attempt to traverse the VPN to reach corporate systems.) DNS is a common denominator for IP-connected IoT devices, and most of them talk to a small, stable set of domains, which means that profiling based on DNS activity can provide early warnings of IoT-fueled compromise attempts.
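The two preceding paragraphs make separate points that come together in one piece of code: DHCP lease history is what ties a DNS query to a device when addresses change hands, and once queries are attributed per device, an IoT device's narrow set of expected domains becomes a baseline that anything new stands out against. The following added example (not code from the original article) does both. The lease log and query log layouts, the device names and the baselines are constructed assumptions; the key detail is that the lease join is by IP address and time, not IP address alone, so a laptop that inherits a camera's address after lunch is not mistaken for the camera.

```python
"""Attribute DNS queries to devices through DHCP lease history, then compare each
profiled device's queried domains with its baseline.  Log layouts, device names
and baselines are constructed for this example, not taken from the article."""
from collections import defaultdict
from datetime import datetime, timezone

# Constructed DHCP lease log: start, end, IP, MAC, client hostname.
SAMPLE_DHCP_LEASES = """\
2020-04-01T08:00:00Z 2020-04-01T12:00:00Z 10.1.2.9  aa:bb:cc:00:00:01 cam-lobby
2020-04-01T12:00:00Z 2020-04-01T16:00:00Z 10.1.2.9  aa:bb:cc:00:00:02 laptop-jsmith
2020-04-01T08:00:00Z 2020-04-01T16:00:00Z 10.1.2.7  aa:bb:cc:00:00:03 printer-2f
"""

# Constructed DNS query log: time, client IP, qname.
SAMPLE_DNS_LOG = """\
2020-04-01T09:15:00Z 10.1.2.9 firmware.camvendor.test
2020-04-01T09:16:00Z 10.1.2.9 ntp.camvendor.test
2020-04-01T13:05:00Z 10.1.2.9 www.example.com
2020-04-01T13:06:00Z 10.1.2.9 pastebin-like.test
2020-04-01T10:00:00Z 10.1.2.7 firmware.printvendor.test
2020-04-01T10:30:00Z 10.1.2.7 pastebin-like.test
2020-04-01T17:00:00Z 10.1.2.9 www.example.com
"""

# Per-device baseline of expected registered domains (assumption: learned from an
# earlier observation window).  The laptop is deliberately left unprofiled; a
# general-purpose device is too varied for a fixed allowlist.
BASELINE = {
    "aa:bb:cc:00:00:01": {"camvendor.test"},
    "aa:bb:cc:00:00:03": {"printvendor.test"},
}


def parse_ts(s):
    """Parse the ISO-8601 UTC timestamps used in the sample logs."""
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def parse_leases(text):
    leases = []
    for line in text.splitlines():
        if not line.strip():
            continue
        start, end, ip, mac, host = line.split()
        leases.append({"start": parse_ts(start), "end": parse_ts(end),
                       "ip": ip, "mac": mac.lower(), "host": host})
    return leases


def parse_dns(text):
    queries = []
    for line in text.splitlines():
        if not line.strip():
            continue
        when, client, qname = line.split()
        queries.append({"when": parse_ts(when), "client": client,
                        "qname": qname.rstrip(".").lower()})
    return queries


def device_for(leases, ip, when):
    """Return the (mac, host) that held `ip` at `when`, or None if no lease covers it.
    Leases are half-open [start, end) so a hand-over at the boundary is unambiguous."""
    for lease in leases:
        if lease["ip"] == ip and lease["start"] <= when < lease["end"]:
            return lease["mac"], lease["host"]
    return None


def registered_domain(qname):
    """Naive eTLD+1 (last two labels); real code should use the Public Suffix List."""
    labels = qname.split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else qname


def profile(leases_text, dns_text, baseline):
    """Attribute each query to a device, then report deviations from its baseline.

    Returns {"alerts": {mac: {"host": str, "unexpected": [domains]}},
             "unattributed": [(client_ip, qname)]}.  Queries with no covering lease
    are reported rather than silently dropped: an address with DNS activity but no
    lease is itself a finding (static assignment, rogue device or a gap in logging)."""
    leases = parse_leases(leases_text)
    unexpected = defaultdict(set)
    hosts = {}
    unattributed = []
    for q in parse_dns(dns_text):
        dev = device_for(leases, q["client"], q["when"])
        if dev is None:
            unattributed.append((q["client"], q["qname"]))
            continue
        mac, host = dev
        hosts[mac] = host
        domain = registered_domain(q["qname"])
        if mac in baseline and domain not in baseline[mac]:
            unexpected[mac].add(domain)
    alerts = {mac: {"host": hosts[mac], "unexpected": sorted(domains)}
              for mac, domains in unexpected.items()}
    return {"alerts": alerts, "unattributed": unattributed}


if __name__ == "__main__":
    result = profile(SAMPLE_DHCP_LEASES, SAMPLE_DNS_LOG, BASELINE)
    for mac, info in result["alerts"].items():
        print(f"{info['host']} ({mac}) queried outside baseline: {info['unexpected']}")
    for ip, qname in result["unattributed"]:
        print(f"no lease for {ip} when it queried {qname}")
```

On the constructed data only the printer is alerted, for a paste-site lookup its vendor domain baseline does not cover. The laptop's identical lookup at 13:06 is attributed to the laptop because the 10.1.2.9 lease had changed hands at noon; an IP-only join would have pinned it on the lobby camera and sent an analyst to the wrong device. The 17:00 query from 10.1.2.9 has no covering lease and is surfaced as unattributed instead of being thrown away.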
As enterprises today are being forced both to do more with less and to find new ways to defend a sharply different attack surface, re-exploring the DNS capabilities you already own is a highly attractive course.