The least surprising observation is that the 2021 security landscape is far more complicated and attacker-friendly because of changes such as remote sites, IoT, soaring cloud use and partners demanding ever more access to sensitive operational data.
What is, however, surprising is how many enterprises are not leveraging DNS, IPAM and related tools that already exist in their environments. Indeed, one of the most useful things about DNS and IPAM is that they can detect patterns of movement within the enterprise that many other tools miss.
The best cybersecurity word for today’s enterprise environments is porous. Make that really porous. Although there is far more risk everywhere in these environments, the biggest gaps in the security posture come from remote sites, aka work-from-home situations. Those gaps stem from inconsistent security arrangements at almost every one of those locations, with an unlimited variety of equipment and a haphazard approach to patching. (Some enterprises can strongly influence patching on some equipment, but other devices, such as employee-purchased routers, are the wild west.)
IoT is highly problematic as well, but the second-biggest source of network confusion (think of confusion as losing the battle of signal versus noise) is apps of all kinds flooding the network with overwhelming volumes of traffic, right alongside millions of IoT and IIoT devices communicating with Lord knows whom.
DNS and IPAM can cut through much of that confusion and immediately paint a more comprehensive and accurate view of what is going on in the network and especially what is going on that should not be going on.
IP Address Management (IPAM) is especially critical in the detection cycle. Anything that moves across the network needs to interact with IPAM, and that leaves a footprint. IPAM doesn’t merely help detect malicious activity (along with non-malicious but still destructive unintentional behavior by employees, contractors and users); it is also extremely helpful later on, when a forensic team is trying to figure out how the attacker gained access and exactly what the attacker did while inside.
DNS is also helpful for tracking aberrant behavior within the LAN, but cyberthieves and cyberterrorists have both been known to use DNS exfiltration as a low-visibility way to steal content and whisk it away to their hideout. That is why closely tracking DNS activity delivers multiple benefits. Many enterprises gain strong insights by monitoring the domains being queried to determine who was infected after an attack and how the infection progressed. This tells them a great deal about how much information the attacker accessed.
Even Gartner and the National Security Agency have stressed that ignoring DNS is simply too dangerous.
The NSA argued that “security teams use designated DNS resolvers to lock down DNS over HTTPS (DoH), effectively preventing eavesdropping, manipulation and exfiltration of DNS traffic,” according to an SCMagazine report. “Although using DoH with external resolvers (servers that receive DNS queries) can work for home or mobile users and networks that do not use DNS security controls, for enterprise networks, NSA guidance released Thursday recommends using only designated enterprise DNS resolvers to leverage enterprise security defenses, facilitate access to local network resources, and protect internal networks.”
Infoblox, for example, doesn’t merely filter out known bad IP addresses. There’s a lot more finesse in using AI/ML to spot problematic activity before it’s labeled. If a domain looks OK but was created four hours earlier, the risk is high. Infoblox can find the IOCs (indicators of compromise) for sophisticated new attacks, attacks that most systems don’t even know about.
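To make the two DNS signals above concrete (the query footprint left by DNS exfiltration, and a domain that looks fine but was registered only hours ago), here is an added example that is not Infoblox code or part of the original post. It runs simple detection logic over a constructed resolver log; the log lines, the domain-age table and the thresholds are all assumptions chosen for illustration, and a real deployment would take domain age from a WHOIS or passive-DNS feed and use the public suffix list for domain extraction.

```python
import math
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Constructed sample of resolver query logs ("timestamp client qname"); not real traffic.
SAMPLE_LOG = """\
2021-03-01T10:00:01 10.0.0.12 mail.example.com
2021-03-01T10:00:02 10.0.0.12 4a6f686e20446f65207374617274.tunnel-host.test
2021-03-01T10:00:03 10.0.0.12 7365637265742d66696c652d3031.tunnel-host.test
2021-03-01T10:00:04 10.0.0.12 62617365313620656e636f646564.tunnel-host.test
2021-03-01T10:00:05 10.0.0.20 login.fresh-domain.test
"""

# Constructed stand-in for a domain-age feed (WHOIS creation or passive-DNS first-seen).
DOMAIN_CREATED = {
    "example.com": datetime(2010, 1, 1),
    "tunnel-host.test": datetime(2019, 6, 1),
    "fresh-domain.test": datetime(2021, 3, 1, 6, 0),  # four hours before it is queried
}

def parse_log(text):
    """Yield (timestamp, client, qname) from the whitespace-separated log lines."""
    for line in text.splitlines():
        ts, client, qname = line.split()
        yield datetime.fromisoformat(ts), client, qname.lower().rstrip(".")

def registered_domain(qname):  # last two labels; real code would use the public suffix list
    return ".".join(qname.split(".")[-2:])

def shannon_entropy(s):  # bits per character; encoded payloads score higher than words
    return -sum(n / len(s) * math.log2(n / len(s)) for n in Counter(s).values())

def find_exfil_candidates(records, min_label_len=20, min_entropy=2.5, min_unique=3):
    """Flag (client, domain) pairs that send many distinct long, high-entropy subdomains,
    the footprint left when data is tunnelled out in DNS query names."""
    seen = defaultdict(set)
    for _, client, qname in records:
        label = qname.split(".")[0]
        if len(label) >= min_label_len and shannon_entropy(label) >= min_entropy:
            seen[(client, registered_domain(qname))].add(label)
    return sorted((c, d, len(s)) for (c, d), s in seen.items() if len(s) >= min_unique)

def find_young_domains(records, created=DOMAIN_CREATED, max_age=timedelta(hours=24)):
    """Flag queried domains registered less than max_age before the query was made."""
    young = {}
    for ts, _, qname in records:
        domain = registered_domain(qname)
        if domain in created and ts - created[domain] < max_age:
            young[domain] = (ts - created[domain]).total_seconds() / 3600
    return sorted(young.items())
```

Calling `find_exfil_candidates(list(parse_log(SAMPLE_LOG)))` reports the client 10.0.0.12 sending three distinct encoded-looking labels under tunnel-host.test, and `find_young_domains` reports fresh-domain.test as roughly four hours old at query time.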
Another consideration: Logs on a company’s servers may be tampered with, but Infoblox logs aren’t local and are therefore much more secure. The chance of an attacker breaching the enterprise’s security and then somehow also breaching Infoblox cloud security is infinitesimal.