Behavioural analytics applied to DNS traffic helps enterprises and services providers prevent data theft
Infoblox Inc. (NYSE:BLOX), the network control company, introduced Infoblox DNS Threat Analytics, the first technology that applies behavioural analytics to DNS queries in real time to detect and actively block data exfiltration attempts using DNS as a communications pathway. Stealing proprietary information through DNS has recently become commonplace among cybercriminals, and Infoblox is uniquely positioned to help block loss of valuable data.
This growing problem is creating concern among enterprises and service providers:
- Nearly half (46 percent) of large businesses have experienced DNS-based data exfiltration and 45 percent experienced DNS tunnelling in the previous year, according to a December 2014 survey.
- According to a 2015 report, the average total cost of a data breach to an enterprise is $3.8 million, including forensic efforts, resolution, and the consequences of customer defection.
- A data breach at a major U.S. health insurance company reported earlier this year could ultimately cost the firm more than $100 million.3
As the leader in enterprise-grade DNS technology, Infoblox is making significant investments in building technologies to help secure DNS. Infoblox DNS Threat Analytics further enables enterprises and service providers to protect their DNS infrastructure and leverage DNS as a control point to defeat cybercrime. Infoblox is the first to offer a DNS server with built-in behavioural analytics to address DNS-based threats.
Domain Name System (DNS) queries are typically small packets of data that make a simple request: translating a domain name such as Infoblox into an Internet Protocol (IP) address such as 54.235.223.101 that computers and endpoints understand. However, cybercriminals have learned to exploit DNS to smuggle out an organization’s data—including highly sensitive information such as trade secrets and customer credit card numbers.
Infoblox DNS Threat Analytics examines outgoing DNS traffic for characteristics that are associated with data exfiltration attacks in real time. These characteristics include:
- Size: The query is larger than normal, or contains more information than normal.
- Encryption: The query contains encrypted data.
- Timing: The query is being repeated at precise intervals, unlike the intermittent DNS requests initiated by humans.
Traditional reputation-based and signature-based security—already built into Infoblox DNS security appliances—can already block known threats that have been identified by threat intelligence researchers. Infoblox DNS Threat Analytics goes a step further with its ability to automatically block so-called zero-day threats—attacks that haven’t yet been discovered—after analysing DNS queries and spotting suspicious behaviour. There’s no need to install additional software on end-user devices or to deploy additional devices in the data center. Infoblox DNS Threat Analytics can scale to provide enforcement across the network and provide visibility into infected devices or rogue employees trying to steal data. Infoblox can also notify other security systems when threats are detected, accelerating remediation.
“For the Golden Nugget, data security is paramount to our success as a business,” said Shannon Provence, executive director of IT at Golden Nugget Hotel & Casino in Las Vegas. “We see value in Infoblox DNS Threat Analytics because it provides real-time streaming analytics on DNS queries. In our recent evaluation, the analytics helped us identify threat patterns that were otherwise hard to detect using alternate solutions. Infoblox DNS Threat Analytics gave us more visibility than we ever had before and allowed us to quickly identify, evaluate, and block suspicious DNS-based activity before it became an issue or caused data loss.”
The unique real-time analysis and detection capability in Infoblox DNS Threat Analytics works as queries are being processed. This is essential to fast identification of indicators of compromise (IOC). Other off-line approaches such as gathering mountains of log data and analysing these files after the fact can take weeks to months—which is unacceptable in todays’ high-stakes security environments.
“Most firewalls and other security solutions don’t examine or understand the structure of DNS queries, a vulnerability that hasn’t escaped the attention of cybercriminals,” said Scott Fulton, executive vice president of products at Infoblox. “Infoblox DNS Threat Analytics continues our leadership in delivering innovations in DNS security and helps our customers close the door on DNS as a channel for data theft.”
About Infoblox
Infoblox delivers critical network services that protect Domain Name System (DNS) infrastructure, automate cloud deployments, and increase the reliability of enterprise and service provider networks around the world. As the industry leader in DNS, DHCP, and IP address management, the category known as DDI, Infoblox reduces the risk and complexity of networking.
The opinions expressed in this post belong to the individual contributors and do not necessarily reflect the views of Information Security Buzz.