Article content
Michael Ell (00:01.966)
Hello, I'm Michael Ell with Empowered Networks, the Network Intelligence experts. With me is Tom Grimes, who's the Director of Cybersecurity with one of our favorite partners, Infoblox. At Empowered Networks, we focus on helping customers to maximize their Network Intelligence. And for those of you that may not be familiar with Network Intelligence, it's a practice that aims to develop a complete and timely understanding of the entire network. So, this includes things like what the network is made up of as well as what's attached to it. But not just the inventory, we also want to understand things like what's the configuration of those network devices and how are they performing?
Now in addition, it also considers the full lifecycle and that means understanding change and detecting it, whether it's planned change or unplanned change. As well as having an awareness of things like security vulnerabilities and compliance to standards. Now, as I said, Network Intelligence is a practice, it's not a product. But that being said, in order to develop that practice, you do need to implement certain core capabilities.
One of the most important of these is DNS. And it's for that reason, actually, that we work really closely with Infoblox as they're the industry leader in the enterprise DNS space. So Tom, a lot of people think of DNS as just a utility that matches up names with IP addresses. But given its role at the beginning and initial step of almost every network communication, it provides a huge amount of additional information that's really useful, and it's why we have it as one of our core pillars of Network Intelligence at Empowered Networks. That extra data is brilliant because it helps us understand not just operational, but security issues and threats on the network. Can you give us a bit of a background or an overview on how Infoblox views the DNS's role in cybersecurity?
Tom Grimes (02:14.832)
Yeah, thank you, Michael. So I've always said that DNS is like the flight data recorder for all your network connections. The average PC does around 3000 DNS connections a day, right? And that really produces a wealth of information that both networking and security teams can use from a protection point of view and for hunt for cyber threats. I always said like 1,589 top level domains like .com and .net that are out there on the internet today. There was one that was created as a joke, .wtf. It means exactly what you're thinking about right now. And there's over 2 million hosts that are associated with that. So, a lot of times I'll ask customers, “Can your mission critical devices resolve an address in the .wtf domain?”
There's a lot of vanity domains and things like that. Originally, when people developed the DNS for their organizations, a lot of times it was treated like a utility. So what we at Infoblox are doing is saying, "Hey, can we use that point of DNS resolution to provide protection and visibility for organizations?" And that's the core of what our product, BloxOne Threat Defense, is all about.
Michael Ell (03:35.692)
Interesting. So, if you talk about this approach to using DNS for security, how does that differ from how some of the more traditional security approaches, things like firewalls and IDS, would approach security?
Tom Grimes (03:52.068)
Yeah, great question. This is one that we help security teams understand what our value in a security stack is. When you think about a lot of those security devices, whether it's EDRs or network detection and responses, or you name the packet security tool that you're using, it really kind of starts with a patient zero. Typically, there's some piece of malware or ransomware or something that gets exploded in a sandbox and then they start to look for indicators based on processes and domains and IP addresses and then they put that into their product, and they'll actually start blocking it.
What we're actually doing is if you look at all of those threat actors, a lot of times they have to start with creating their own infrastructure for things like malware downloads or command and control. And a lot of times we'll see that at the start of the connection. So they create these domains, whether it's phishing domains or malware download domains. These are new domains that are created or reused existing ones. And that's really where fundamentally we're looking at that. So, if we can start blocking those domains early before we even see the malicious behavior, on average, we block it about 63 days earlier than your traditional devices.
I was working on one recent ransomware case where we blocked three days before. And what that three days actually provides you before the security industry knew about it is now even before your users click, we've already had that as a domain block in our system today. So that delta between the three days could be you getting ransomware or you being not a victim of ransomware.
Michael Ell (05:38.296)
Yeah, and we know that timing is so important, particularly in those sort of zero day attacks that are occurring. One of the other things that I'm interested in is sort of attribution. So one of the things that we find is useful about DNS from a security point of view is the fact that it's kind of unique in that it's a service that's directly accessed by end users. So this isn't some external thing that securities tax on, but it's something that's used directly by users every day. So I'm assuming that this provides opportunities to understand what's happening from a security point of view at a much more granular level. Can you talk about that at all?
Tom Grimes (06:22.66)
Yeah, one of my favorite conversations with a CISO around these DNS security blocks and he says, "Hey Tom, that's great that you block this, but that's the end of your problem in the start of mine. I have a device on my network that's actually trying to talk to a C2 Russian C2 site, so I need to go and find this device and re image it or take it off my network or do something with it". And if you look at all of your security tools that you have today, a lot of times they're giving you alerts based on IP addresses. And we all know the way IP addresses work. They're very transient. I may have this one here and this one over there. But us being a DDI vendor, so DNS DHCP IP address management vendor, we can tie that DDI metadata. So when that device requests an IP address, we'll take a look at things like what type of device is it? What's the operating system? Is there a logged in user?
And then when we do have these blocks based on DNS security events, we can tie this together. So we can tell you, hey, that ransomware alert is a device that's on your guest Wi -Fi versus this is a command and control alert and a block, but it's your CFO's laptop. So we'll be able to tie basically that IPAM metadata together with your DNS security alerts to allow you to make faster triage of your security events.
Michael Ell (07:51.042)
Yeah, okay, that's really interesting. So really it goes beyond just the core DNS. It's the fact that Infoblox is able to provide that as a full platform with the additional metadata and understanding of the IPAM, et cetera, that allows that.
Alright. Now, so far we've been talking about how DNS is useful in the security space at sort of a general level, but I know that Infoblox also provides assessment offerings that can help individual organizations understand how DNS security applies to them. Can you tell us a little bit more about that?
Tom Grimes (08:31.12)
Yeah, the power of Infoblox is really showing this capability of early protection. So that 63 days that I was talking about on average, we block things before security tools see it. So being able to see some of these blocks that we're doing from a suspicious or malicious point of view, the best way to do that is with an Infoblox security assessment. So we work with customers, we set up our portals so that you have the access to see the power of this early protection, and either you can point your DNS, existing DNS infrastructure to us and show you exactly what we would do, or we can just replay some of your existing DNS logs to show you in a non-impactful way. But basically, at the end of the day, we'll show you what DNS threat actors we found in your network and some of the power of this early blocking.
Michael Ell (09:23.566)
That is pretty amazing, particularly the fact that it's something that you can do in a non-impactful way without getting in the middle of their everyday operations while they're evaluating. Well, I think that's all the time we have for today, but I want to thank you for the great information. It's clear that DNS can play a pivotal role in pretty much any organization's security strategy.
And I also want to thank everyone who's joined us for this discussion. Please reach out to us if you'd like to find out more about DNS security or if you just want to schedule your free DNS security assessment. We at Empowered Networks are here to help and working again with our partners at Infoblox, we can find a solution for you. Thanks, and have a good day.