With the plethora of security tools that most enterprise Security operations run, on top of the various verticals, geographies, and platforms (cloud, remote sites, IoT, partner sites, etc.) that need protecting, CISOs face a frustrating reality: some parts of the attack surface are well protected (some are double- and triple-protected) while others have gaping security holes that go all but completely unmonitored.
This means two things. First, CISOs and others in Security must re-evaluate all tools and defense strategies to see which ones truly make sense in today’s new environments, while eliminating overlaps that inadvertently lead to yet more security holes. It’s akin to having four anti-virus packages. Contrary to the hope that this makes it more likely that any and all viruses will be detected and stopped, what is much more likely is that each anti-virus executable will react negatively to the others, offering a slew of false positives as well as false negatives.
Second, though, CISOs must examine all existing resources for better ways to defend intellectual property. Among the most overlooked approaches is robust DNS analytics. Not only is DNS more comprehensive than other security mechanisms—an attack can’t even begin without interacting with DNS, regardless of where the attack originates or what it targets—but it is far superior at identifying and halting a wide range of attacks.
One of the reasons that DNS is often overlooked by CISOs and SOC teams is corporate history. DNS has typically been handled by the network side of the house, so security analysts have no track record of using it. But now they must. It’s not dissimilar from how in-house IoT first became such a threat.
Consider that IoT lightbulbs and IoT door locks had traditionally been purchased by maintenance and facilities—and they had never needed anyone’s permission before making those purchases. It took a couple of years before CISOs weighed in and said “Whoa! There is a massive difference.”
Different times demand different responses and today, it’s security analysts and the rest of the SOC that need to own DNS—or, at the very least, have unfiltered access to all DNS records. Why? Because with today’s new threat landscape, DNS could be the best friend that a CISO needs. It provides the global enterprise-wide detection and control mechanisms that no other single tool has.
How much of a security difference can DNS analysis make? This summer, the U.S. National Security Agency (NSA) launched a pilot program to bolster the U.S. defense industrial base against malware. The test opted to focus solely on DNS protections to see how much of a difference it would make. According to Anne Neuberger, the head of the NSA’s Cybersecurity Directorate, “Our analysis highlighted that using Secure DNS would reduce the ability for 92 percent of malware attacks.”
DNS stands alone in its ability to filter out almost all of these attacks because it gives the SOC visibility into literally every device in the enterprise, including process controls and ATMs. DNS is the front line of visibility into what these devices can do and what outside entities are interacting with them. From a protection perspective, DNS shines a very visible spotlight on all of these devices.
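To make the visibility argument concrete, here is an added example (not code from the article or from any product it alludes to) that reads a constructed sample of resolver query logs, builds a per-device inventory of the external domains each client resolved, and raises alerts on two things a SOC commonly looks for in DNS telemetry: queries to a domain on a deny list and long, digit-heavy, high-entropy labels of the kind algorithmically generated domains produce. The log format, IP addresses, domain names, deny list and thresholds are all assumptions made for the example.

```python
import math
import re
from collections import Counter, defaultdict
from datetime import datetime

# Constructed sample resolver log (assumed format: timestamp, client IP,
# query name, query type). None of these hosts or domains are real.
SAMPLE_LOG = """\
2024-05-01T08:00:01Z 10.10.4.21 updates.vendor.example. A
2024-05-01T08:00:03Z 10.10.4.21 time.example. A
2024-05-01T08:00:05Z 10.10.9.7 infusion-telemetry.example. A
2024-05-01T08:00:07Z 10.10.9.7 infusion-telemetry.example. AAAA
2024-05-01T08:00:09Z 10.10.4.21 x7q9z2k4m1p8w3v.example-bad.test. A
2024-05-01T08:00:11Z 10.10.4.21 qz81kd0p3mvn7xw.example-bad.test. A
2024-05-01T08:00:13Z 10.10.12.50 known-c2.test. A
"""

# Constructed deny list standing in for whatever threat feed the SOC subscribes to.
DENYLIST = {"known-c2.test"}

LOG_RE = re.compile(r"^(\S+)\s+(\S+)\s+(\S+)\s+(\S+)$")


def parse_log(text):
    """Yield (timestamp, client, qname, qtype) from the assumed log format."""
    for line in text.splitlines():
        m = LOG_RE.match(line.strip())
        if not m:
            continue  # skip malformed lines rather than abort the whole batch
        ts, client, qname, qtype = m.groups()
        ts = datetime.fromisoformat(ts.replace("Z", "+00:00"))
        yield ts, client, qname.rstrip(".").lower(), qtype


def shannon_entropy(s):
    """Bits of entropy per character of the label."""
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())


def registered_domain(qname):
    """Crude 'last two labels' approximation of the registrable domain.
    A production tool would use the Public Suffix List instead."""
    parts = qname.split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else qname


def device_inventory(records):
    """Map each client IP to the set of external domains it resolved.
    This is the 'which outside entities talk to which device' view."""
    inv = defaultdict(set)
    for _, client, qname, _ in records:
        inv[client].add(registered_domain(qname))
    return dict(inv)


def find_alerts(records, denylist=DENYLIST, entropy_threshold=3.5,
                min_label_len=12, min_digit_ratio=0.25):
    """Return (client, qname, reason) tuples for suspicious queries."""
    alerts = []
    for _, client, qname, _ in records:
        if registered_domain(qname) in denylist:
            alerts.append((client, qname, "denylisted domain"))
            continue
        label = qname.split(".")[0]
        digit_ratio = sum(ch.isdigit() for ch in label) / max(len(label), 1)
        # Entropy alone would flag long legitimate hostnames such as
        # 'infusion-telemetry'; requiring a digit-heavy label cuts that noise.
        if (len(label) >= min_label_len
                and shannon_entropy(label) >= entropy_threshold
                and digit_ratio >= min_digit_ratio):
            alerts.append((client, qname, "high-entropy label (possible DGA)"))
    return alerts


if __name__ == "__main__":
    recs = list(parse_log(SAMPLE_LOG))
    for client, domains in sorted(device_inventory(recs).items()):
        print(client, "->", ", ".join(sorted(domains)))
    for alert in find_alerts(recs):
        print("ALERT", *alert)
```

The inventory alone is what the paragraph above is pointing at: every device that resolves a name shows up, whether or not an agent could ever be installed on it. The two alert heuristics are deliberately conservative; in practice the deny list comes from a threat feed and the DGA heuristic is tuned against the organisation's own baseline of legitimate long hostnames.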
Even today’s more cutting-edge defense tactics can’t replicate what DNS can deliver, especially when fighting a large active attack. Maybe ML can find an attack pattern in a month, but DNS delivers immediate visibility. This impacts all verticals—and all geographies—but some verticals are much more device-heavy. Consider healthcare. Every medical device is a potential attack entry point, and it’s well known how much cyberterrorists love hitting hospitals with ransomware attacks. DNS negates that risk quite effectively.
In today’s scary environments, how can Security afford to not explore every aspect of DNS analysis?