“Too often security departments and network departments ignore … easily accessible INTERNAL INTELLIGENCE.”
This year was the first time I’ve been back to the RSA Conference since 2018. I had the opportunity to experience the post COVID revival of the Security community. It was great to see old friends and meet some new ones.
So, there I was at RSAC on booth duty, and I happened to get into a conversation with members of a SOC team for a large brokerage firm out of Chicago. The team’s lead engineer had stumbled into the booth as he was shaking off some cobwebs from the party the night before and he asked me a few questions about what we do at Infoblox and how we impact security. I explained our DNS security solutions to him and how we can provide all kinds of metadata from DNS, DHCP and other information we collect from our IP Address Management (IPAM) system. While the DNS security was interesting to him, the IPAM information that we can make available almost knocked him over. He said he would be back, and he was going to get his SOC manager.
Sure, enough an hour and a half later he shows up with his SOC manager and, while he knew about our DNS visibility capabilities, our DNS zero-day capabilities and our DNS-centric intelligence feeds, what totally caught his attention was the IPAM information.
“The point is to inform you that IPAM systems, when properly managed and deployed, are a powerful tool for your security and network teams.”
The Security Dance
This reaction was not a surprise to me as I have spent a large part of my career at Infoblox sharing and evangelizing the benefits and value a well-maintained IPAM system can deliver to security teams. As a security professional, I’ve spent many days chasing down bad actors and IP anomalies on my customers’ networks. I know all too well the dance we do bouncing from DNS systems to DHCP logs to Active Directory to network switches or maybe VMware or perhaps the wireless controller. This was back when most enterprises did not have a security team, or the security team and the network team were the same people. Now we have the added barriers of having to depend on the Windows Team or the Network Team to gather the information for the security teams. If we’re lucky, we have good communications channels, and relations between these teams are favorable and we can get valuable timely data. In most environments this is not the case.
IPAM – Telemetry/Targeting System
So back to the point of my story. I explained to the SOC manager that we had the ability to gather the Active Directory user ID and, if using Microsoft DNS/DHCP, all DNS and DHCP information from the Microsoft servers. This process is done with a service account–no agent—as well as login authentication time and device. Then we discover all layer 2 and layer 3 information from your infrastructure–routers, switches, firewalls, wireless controllers, etc. We map all the MAC and port information to the IP address. Finally, the information from virtual systems, such as public and private cloud information and SDN/SDWAN information, is gathered via API. Performing discovery this way gives the security professionals a single place to go for up-to-the-hour telemetry on the internal network.
Think of it as a targeting system or the smarts of a smart bomb or like the HIMARS the Ukrainians are using. IPAM systems can provide the Who, What, Where, When for any system on your network. Who authenticated to what system and when and on what port.
That’s just the beginning. This information is all in one place on the network and accessible through RESTful API. Additionally, there are triggerable automated capabilities that enable events to set off follow-on actions. For instance, when a new device gets discovered for the first time, the system can launch a Vulnerability Assessment tool, or CMDB information to be sent or even a NAC system to isolate a port based on a security event. Anyway, the point is not to sell you on our IPAM system, the point is to inform you that IPAM systems, when properly managed and deployed, are a powerful tool for your security and network teams.
The AHA Moment
So, we’re standing at RSAC and the SOC manager looks at me and says, “so your IPAM system is full of all the data my team needs to identify the who, what, where and when and is a treasure trove of information.” (Honest, I can’t even make that up).
So that’s the point of this article! In the DNS Security business, the use of properly curated reputational intelligence feeds and Newly Observed Domain feeds (we’ll talk about these later) for Response Policy Zones (RPZs) are needed and very relevant. However, too often security departments and network departments ignore the more relevant and easily accessible INTERNAL INTELLIGENCE. It’s not enough to stop the access to the bad sites, whether it’s a bad actor or a disgruntled employee or an infected system; identifying the source and containing it is just as important. A well maintained IPAM system is a required foundation for identification and quick containment.
Remember that Security is simple, so don’t complicate it! Thanks for reading! ADR