Transcript of: Gaining Security Insight Through DNS Analytics (BlueCat Power of …)
Gaining Security Insight Through DNS Analytics
Scott Penney
Director of Cyber Security Solutions, BlueCat Networks
Agenda
Welcome to the Jungle
Why DNS Matters
Deal with the Facts
The Power of DNS
Q&A
Welcome to the Jungle
IT Sprawl is out of Control
Source: Gartner (http://www.gartner.com/newsroom/id/3165317)
4.9 Billion “Things” Connected in 2016
480 Million Smart Phones Delivered in 2016
65% of Smart Phones used in BYOD Environments
2 Billion Mobile Devices Shipped in 2016
70% of Mobile Professionals Work on Personal Devices
Only 1 in 3 Companies Know How Many Vendors Use their Infrastructure
IT Moving from CENTER to the EDGE…
Business drivers demand DISTRIBUTED RESOURCES to meet local needs, which brings additional CHALLENGES
Added Risk
More attack surface is exposed
Untrusted/managed devices
Loss of visibility
Reduced Control
Costly infrastructure to deploy
Absence of standards & practices
Lack of policy enforcement
And What is the Result?
[Chart: Billions Spent on security versus Millions of Records stolen and exposed, 2010 to 2014]
Security spending has increased by 49% from 2010 to 2014
The number of records stolen and exposed through security breaches has increased 200x over the same period
Increasing spending on more solutions isn’t working; we need a new paradigm
Sources: Verizon, Information is Beautiful, RBS, Gartner, Forrester
Where to Focus?
“Prevention is a failed strategy.”
Amit Yoran, President, RSA
RSA Conference 2016
Prevention or Detection?
Organizations are focused on PREVENTION of breaches
– 93% use Anti-virus/Anti-malware tools
– 82% use Perimeter Firewalls
– 65% use Intrusion Prevention Systems
– 52% use Unified Threat Management (UTM) Systems
But when breached, attackers have 200-250 days before
they are DETECTED
Organizations need to leverage the power of what they
already have to address this detection gap
Why DNS Matters
Network Security:
IDS/IPS, NAC, DLP,
Messaging, etc.
Perimeter Security:
Firewalls, Content Filters,
Honeypots, etc.
Endpoint Security:
AV, DLP, Patch Mgmt.,
Client Firewalls, IDS/IPS,
etc.
Data Security:
Encryption, IDAM, DLP,
Integrity, DRM
Application Security:
WAF, DB Security, Code
Scanners, etc.
DNS is Foundational
DNS Security: Foundation/Visibility/Enforcement
DNS is a PERVASIVE SENSOR
DNS signals INTENT
DNS shows BEHAVIOR
– All device types
– All protocols
– All locations
– Managed AND Unmanaged
– Corporate AND Guest
– Center AND Edge
DNS is REAL TIME
DNS is an IDEAL ENFORCER
Enforce at every level
– Client
– Network
– Enterprise
Configurable Policies
– White & Black Lists
– Geographic
– Time-based
– Risk-based
DNS is Untapped Potential
56% of Large Orgs Don’t Capture DNS Data
63% of Small Orgs Don’t Capture DNS Data
Source: BlueCat Networks/UBM Survey
Of Those Paying Attention – only 75% actually look at it
Insight Through DNS Analytics
The Power of DNS Lets You:
1. See threats emerge before they become “known”
2. Gain equal visibility into internal and external activity
3. Understand who (and what) is accessing your
infrastructure
4. Monitor the activity of all users and devices in real time
5. Protect and control across all device types
Deal with the FACTS
Gain insights to improve security
Data Versus Facts
“Data is of course important in manufacturing,
but I place the greatest emphasis on facts.”
Taiichi Ohno, Toyota Motor Corporation
Father of Lean Manufacturing
The Big Data Challenge
A Cautionary Tale
Actual query volume from a
very large financial institution
All of which is logged in a very
expensive database
And all they have is a really big
log file, but no FACTS
3.8 Trillion Queries Per Week
07-Oct-2015 19:27:03.760 queries: info: client 172.16.5.197#65503 (www.google.com): view default: query: www.google.com IN A + (172.16.3.4)
07-Oct-2015 19:27:03.760 rpz: info: client 172.16.5.197#65503 (www.google.com): view default: rpz QNAME PASSTHRU rewrite www.google.com via www.google.com.allowed
07-Oct-2015 19:27:03.762 queries: info: client 172.16.5.197#64055 (www.ohare-airport.org): view default: query: www.ohare-airport.org IN A + (172.16.3.4)
07-Oct-2015 19:27:03.762 queries: info: client 172.16.5.197#60475 (www.rosemont.com): view default: query: www.rosemont.com IN A + (172.16.3.4)
07-Oct-2015 19:27:03.775 queries: info: client 172.16.21.37#50627 (vortex-win.data.microsoft.com): view default: query: vortex-win.data.microsoft.com IN A + (172.16.3.4)
07-Oct-2015 19:27:03.857 queries: info: client 172.16.21.157#64418 (www6vdc.memberdirect.net): view default: query: www6vdc.memberdirect.net IN A + (172.16.3.4)
07-Oct-2015 19:27:03.873 queries: info: client 172.16.21.51#55013 (configuration.apple.com): view default: query: configuration.apple.com IN A + (172.16.3.4)
07-Oct-2015 19:27:03.894 queries: info: client 172.16.5.131#51806 (safebrowsing.google.com): view default: query: safebrowsing.google.com IN A + (172.16.3.4)
07-Oct-2015 19:27:03.898 queries: info: client 172.16.21.189#40353 (i.instagram.com): view default: query: i.instagram.com IN A + (172.16.3.4)
07-Oct-2015 19:27:03.899 queries: info: client 172.16.21.189#45134 (i.instagram.com): view default: query: i.instagram.com IN A + (172.16.3.4)
07-Oct-2015 19:27:03.956 queries: info: client 172.16.5.251#49610 (mex06.emailsrvr.com): view default: query: mex06.emailsrvr.com IN A + (172.16.3.4)
07-Oct-2015 19:27:03.957 queries: info: client 172.16.5.251#49610 (mex06.emailsrvr.com): view default: query: mex06.emailsrvr.com IN AAAA + (172.16.3.4)
07-Oct-2015 19:27:03.957 queries: info: client 172.16.5.251#50659 (mex06.emailsrvr.com): view default: query: mex06.emailsrvr.com IN A + (172.16.3.4)
07-Oct-2015 19:27:04.013 queries: info: client 172.16.1.1#64745 (83.169.31.172.IN-ADDR.ARPA): view default: query: 83.169.31.172.IN-ADDR.ARPA IN PTR + (172.16.3.4)
07-Oct-2015 19:27:04.021 queries: info: client 172.16.21.189#28671 (logger.instagram.com): view default: query: logger.instagram.com IN A + (172.16.3.4)
07-Oct-2015 19:27:04.106 queries: info: client 172.16.10.145#56385 (changelogs.ubuntu.com): view default: query: changelogs.ubuntu.com IN A + (172.16.3.4)
07-Oct-2015 19:27:04.106 queries: info: client 172.16.10.145#56385 (changelogs.ubuntu.com): view default: query: changelogs.ubuntu.com IN AAAA + (172.16.3.4)
07-Oct-2015 19:27:04.112 queries: info: client 172.16.5.251#39537 (mex06.emailsrvr.com): view default: query: mex06.emailsrvr.com IN A + (172.16.3.4)
07-Oct-2015 19:27:04.112 queries: info: client 172.16.5.251#39537 (mex06.emailsrvr.com): view default: query: mex06.emailsrvr.com IN AAAA + (172.16.3.4)
07-Oct-2015 19:27:04.139 queries: info: client 172.16.10.168#59225 (c.na2.content.force.com): view default: query: c.na2.content.force.com IN A + (172.16.3.4)
07-Oct-2015 19:27:04.225 queries: info: client 172.16.8.57#61701 (pixel.quantserve.com): view default: query: pixel.quantserve.com IN A + (172.16.3.4)
07-Oct-2015 19:27:04.253 queries: info: client 172.16.7.155#52411 (_ldap._tcp.BCNToronto._sites.TORDC02.bluecatnetworks.corp): view default: query: _ldap._tcp.BCNToronto._sites.TORDC02.bluecatnetworks.corp IN SRV + (172.16.3.4)
07-Oct-2015 19:27:04.266 queries: info: client 172.16.21.189#7248 (i.instagram.com): view default: query: i.instagram.com IN A + (172.16.3.4)
07-Oct-2015 19:27:04.266 queries: info: client 172.16.21.189#23910 (i.instagram.com): view default: query: i.instagram.com IN A + (172.16.3.4)
07-Oct-2015 19:27:04.269 queries: info: client 172.16.21.189#28671 (logger.instagram.com): view default: query: logger.instagram.com IN A + (172.16.3.4)
07-Oct-2015 19:27:04.275 queries: info: client 172.16.21.189#15578 (wifi-test.mobidia.com): view default: query: wifi-test.mobidia.com IN A + (172.16.3.4)
07-Oct-2015 19:27:04.284 queries: info: client 172.16.21.189#32801 (settings.crashlytics.com): view default: query: settings.crashlytics.com IN A + (172.16.3.4)
07-Oct-2015 19:27:04.286 queries: info: client 172.16.8.57#52184 (engine.adzerk.net): view default: query: engine.adzerk.net IN A + (172.16.3.4)
07-Oct-2015 19:27:04.290 queries: info: client 172.16.21.189#22675 (mex06.emailsrvr.com): view default: query: mex06.emailsrvr.com IN A + (172.16.3.4)
07-Oct-2015 19:27:04.415 queries: info: client 172.16.5.251#38248 (mex06.emailsrvr.com): view default: query: mex06.emailsrvr.com IN A + (172.16.3.4)
07-Oct-2015 19:27:04.415 queries: info: client 172.16.5.251#38248 (mex06.emailsrvr.com): view default: query: mex06.emailsrvr.com IN AAAA + (172.16.3.4)
07-Oct-2015 19:27:04.533 queries: info: client 172.16.5.251#47975 (mex06.emailsrvr.com): view default: query: mex06.emailsrvr.com IN A + (172.16.3.4)
07-Oct-2015 19:27:04.533 queries: info: client 172.16.5.251#47975 (mex06.emailsrvr.com): view default: query: mex06.emailsrvr.com IN AAAA + (172.16.3.4)
07-Oct-2015 19:27:04.572 queries: info: client 172.16.5.251#42115 (mex06.emailsrvr.com): view default: query: mex06.emailsrvr.com IN A + (172.16.3.4)
07-Oct-2015 19:27:04.572 queries: info: client 172.16.5.251#42115 (mex06.emailsrvr.com): view default: query: mex06.emailsrvr.com IN AAAA + (172.16.3.4)
07-Oct-2015 19:27:04.586 queries: info: client 172.16.10.128#34946 (199.30.27.172.in-addr.arpa): view default: query: 199.30.27.172.in-addr.arpa IN PTR + (172.16.3.4)
07-Oct-2015 19:27:04.647 queries: info: client 172.16.5.93#54119 (4.umps2c2.salesforce.com): view default: query: 4.umps2c2.salesforce.com IN A + (172.16.3.4)
07-Oct-2015 19:27:04.650 queries: info: client 172.16.5.93#59652 (umps2c2.salesforce.com): view default: query: umps2c2.salesforce.com IN A + (172.16.3.4)
07-Oct-2015 19:27:04.686 queries: info: client 172.16.5.251#35414 (mex06.emailsrvr.com): view default: query: mex06.emailsrvr.com IN A + (172.16.3.4)
07-Oct-2015 19:27:04.686 queries: info: client 172.16.5.251#35414 (mex06.emailsrvr.com): view default: query: mex06.emailsrvr.com IN AAAA + (172.16.3.4)
07-Oct-2015 19:27:04.695 queries: info: client 172.16.5.93#64208 (3.umps2c2.salesforce.com): view default: query: 3.umps2c2.salesforce.com IN A + (172.16.3.4)
07-Oct-2015 19:27:04.931 queries: info: client 172.16.21.63#64580 (mex06.emailsrvr.com): view default: query: mex06.emailsrvr.com IN A + (172.16.3.4)
Deriving FACTS from DNS Data
ACTIVITY SIGNATURE IDENTIFIED: Start-up sequence for application
07-Oct-2015 19:27:04.266 queries: info: client 172.16.21.189#7248 (i.instagram.com): view default: query: i.instagram.com IN A + (172.16.3.4)
07-Oct-2015 19:27:04.266 queries: info: client 172.16.21.189#23910 (i.instagram.com): view default: query: i.instagram.com IN A + (172.16.3.4)
07-Oct-2015 19:27:04.269 queries: info: client 172.16.21.189#28671 (logger.instagram.com): view default: query: logger.instagram.com IN A + (172.16.3.4)
07-Oct-2015 19:27:04.275 queries: info: client 172.16.21.189#15578 (wifi-test.mobidia.com): view default: query: wifi-test.mobidia.com IN A + (172.16.3.4)
07-Oct-2015 19:27:04.284 queries: info: client 172.16.21.189#32801 (settings.crashlytics.com): view default: query: settings.crashlytics.com IN A + (172.16.3.4)
FACT CATALOGED • 07-Oct-2015 • Client Application Identified: Instagram
CATALOG
LOGGED | FACT | ACTIVITY SIGNATURE
07-Oct-2015 | APP: Dropbox | Communication Fre…
07-Oct-2015 | APP: WhatsApp | Startup Sequence
07-Oct-2015 | APP: Instagram | Startup Sequence
Deriving FACTS from DNS Data
ACTIVITY SIGNATURE IDENTIFIED: Repeated query intervals – Beaconing
07-Oct-2015 19:27:03.768 queries: info: client 172.16.21.189#32801 (whatsmyip.net): view default: query: whatsmyip.net IN A + (172.16.3.4)
07-Oct-2015 19:28:03.768 queries: info: client 172.16.21.189#7248 (whatsmyip.net): view default: query: whatsmyip.net IN A + (172.16.3.4)
07-Oct-2015 19:29:03.768 queries: info: client 172.16.21.189#23910 (whatsmyip.net): view default: query: whatsmyip.net IN A + (172.16.3.4)
07-Oct-2015 19:30:03.768 queries: info: client 172.16.21.189#28671 (whatsmyip.net): view default: query: whatsmyip.net IN A + (172.16.3.4)
07-Oct-2015 19:31:03.768 queries: info: client 172.16.21.189#15578 (whatsmyip.net): view default: query: whatsmyip.net IN A + (172.16.3.4)
FACT CATALOGED • 07-Oct-2015 • Security Threat Identified: MALWARE [whatsmyip.net]
CATALOG
LOGGED | FACT | ACTIVITY SIGNATURE
07-Oct-2015 | APP: Dropbox | Communication Fre…
07-Oct-2015 | APP: WhatsApp | Startup Sequence
07-Oct-2015 | APP: Instagram | Startup Sequence
07-Oct-2015 | MALWARE: whats… | Query Intervals
Deriving FACTS from DNS Data
ACTIVITY SIGNATURE IDENTIFIED: Newly Observed Domain
07-Oct-2015 19:27:06.319 queries: info: client 172.16.21.96#60830 (c504.leet.cc): view default: query: c504.leet.cc IN A + (172.16.3.4)
FACT CATALOGED • 07-Oct-2015 • Security Threat Identified: Suspect Activity [leet.cc]
CATALOG
LOGGED | FACT | ACTIVITY SIGNATURE
07-Oct-2015 | APP: Dropbox | Communication Fre…
07-Oct-2015 | APP: WhatsApp | Startup Sequence
07-Oct-2015 | APP: Instagram | Startup Sequence
07-Oct-2015 | MALWARE: whats… | Query Intervals
07-Oct-2015 | Suspect: leet.cc | Newly Observed Domain
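The three activity signatures the slides walk through (an application's start-up sequence, repeated query intervals that indicate beaconing, and a newly observed domain) can all be derived from the BIND query-log format shown above. The following Python is an added example written for this transcript, not BlueCat's code or product logic. The sample log, the set of Instagram names used as a start-up signature (read off the slide), the 2-second start-up window, the 10% jitter tolerance for beacons and the baseline of previously seen domains are all assumptions made for the example.

```python
import re
import statistics
from collections import defaultdict
from datetime import datetime

# Constructed sample in the BIND 9 query-log layout the slides show. Clients,
# ports and timestamps are made up for this example; the three patterns (an
# app start-up burst, a 60-second beacon, a first-seen domain) mirror the talk.
SAMPLE_LOG = """\
07-Oct-2015 19:27:03.760 rpz: info: client 172.16.5.197#65503 (www.google.com): view default: rpz QNAME PASSTHRU rewrite www.google.com via www.google.com.allowed
07-Oct-2015 19:27:03.768 queries: info: client 172.16.21.189#32801 (whatsmyip.net): view default: query: whatsmyip.net IN A + (172.16.3.4)
07-Oct-2015 19:27:04.266 queries: info: client 172.16.21.189#7248 (i.instagram.com): view default: query: i.instagram.com IN A + (172.16.3.4)
07-Oct-2015 19:27:04.269 queries: info: client 172.16.21.189#28671 (logger.instagram.com): view default: query: logger.instagram.com IN A + (172.16.3.4)
07-Oct-2015 19:27:04.275 queries: info: client 172.16.21.189#15578 (wifi-test.mobidia.com): view default: query: wifi-test.mobidia.com IN A + (172.16.3.4)
07-Oct-2015 19:27:04.284 queries: info: client 172.16.21.189#32801 (settings.crashlytics.com): view default: query: settings.crashlytics.com IN A + (172.16.3.4)
07-Oct-2015 19:27:06.319 queries: info: client 172.16.21.96#60830 (c504.leet.cc): view default: query: c504.leet.cc IN A + (172.16.3.4)
07-Oct-2015 19:28:03.768 queries: info: client 172.16.21.189#7248 (whatsmyip.net): view default: query: whatsmyip.net IN A + (172.16.3.4)
07-Oct-2015 19:29:03.768 queries: info: client 172.16.21.189#23910 (whatsmyip.net): view default: query: whatsmyip.net IN A + (172.16.3.4)
07-Oct-2015 19:30:03.768 queries: info: client 172.16.21.189#28671 (whatsmyip.net): view default: query: whatsmyip.net IN A + (172.16.3.4)
"""

# Baseline of registrable domains seen on earlier days (assumption for the example).
KNOWN_DOMAINS = {"google.com", "instagram.com", "mobidia.com", "crashlytics.com", "whatsmyip.net"}

# Start-up signature: the names an app resolves when it launches (Instagram set read off the slide).
APP_SIGNATURES = {
    "Instagram": {"i.instagram.com", "logger.instagram.com",
                  "wifi-test.mobidia.com", "settings.crashlytics.com"},
}

LINE_RE = re.compile(
    r"^(?P<ts>\d\d-\w{3}-\d{4} \d\d:\d\d:\d\d\.\d{3}) queries: info: "
    r"client (?P<client>[\d.]+)#\d+ \([^)]*\): view \S+: "
    r"query: (?P<qname>\S+) IN (?P<qtype>\S+) "
)


def parse_log(text):
    """Return (timestamp, client, qname, qtype) per query line; rpz and other
    non-query lines are skipped rather than treated as errors."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            ts = datetime.strptime(m["ts"], "%d-%b-%Y %H:%M:%S.%f")
            events.append((ts, m["client"], m["qname"].lower().rstrip("."), m["qtype"]))
    return events


def find_app_startups(events, window_s=2.0):
    """(client, app) whenever one client resolves every name of a signature
    within window_s seconds (the window width is an assumption)."""
    by_client = defaultdict(list)
    for ts, client, qname, _ in events:
        by_client[client].append((ts, qname))
    hits = set()
    for client, qs in by_client.items():
        qs.sort()
        for i, (t0, _) in enumerate(qs):
            names = {q for t, q in qs[i:] if (t - t0).total_seconds() <= window_s}
            for app, sig in APP_SIGNATURES.items():
                if sig <= names:
                    hits.add((client, app))
    return sorted(hits)


def find_beacons(events, min_queries=4, max_jitter=0.1):
    """(client, qname, period_s) when one client asks for one name at near-constant
    intervals: every gap within max_jitter of the median gap. This keys on
    behaviour, so it fires even for a domain with a clean reputation."""
    series = defaultdict(list)
    for ts, client, qname, _ in events:
        series[(client, qname)].append(ts)
    beacons = []
    for (client, qname), times in sorted(series.items()):
        if len(times) < min_queries:
            continue
        times.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        period = statistics.median(gaps)
        if period > 0 and all(abs(g - period) <= max_jitter * period for g in gaps):
            beacons.append((client, qname, round(period, 1)))
    return beacons


def registrable(qname):
    """Crude registrable domain = last two labels. A production detector would
    consult the Public Suffix List so that names under e.g. co.uk are handled."""
    return ".".join(qname.split(".")[-2:])


def find_new_domains(events, baseline):
    """(client, qname, domain) for the first query to a registrable domain not in
    the baseline; each new domain is reported once and then becomes known."""
    seen = set(baseline)
    new = []
    for _, client, qname, _ in sorted(events):
        dom = registrable(qname)
        if dom not in seen:
            seen.add(dom)
            new.append((client, qname, dom))
    return new


def analyze(text=SAMPLE_LOG, baseline=KNOWN_DOMAINS):
    """Turn raw log lines into the three kinds of catalogued fact from the talk."""
    events = parse_log(text)
    return {"apps": find_app_startups(events),
            "beacons": find_beacons(events),
            "new_domains": find_new_domains(events, baseline)}


if __name__ == "__main__":
    for kind, facts in analyze().items():
        print(kind, facts)
```

Run stand-alone it prints one line per fact type: Instagram identified on 172.16.21.189, a 60-second beacon to whatsmyip.net from the same client, and leet.cc as a newly observed domain from 172.16.21.96. The rpz line is ignored by the parser, and the beacon detector flags whatsmyip.net even though it sits in the known-domain baseline, which is the point the slide makes: the interval pattern, not the domain's reputation, is the signal.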
Deriving FACTS from DNS Data
The Power of DNS
Analytics to drive better security
DNS as a Sensor and Enforcer
What can DNS do for you?
Provide instant VISIBILITY into what’s on your
infrastructure
Identify BEHAVIOR that is suspicious, regardless of the
cause
CONTROL access to resources or data
BLOCK known threats before they manifest
DNS Gives the Facts You Need to Secure
Your Network
#1 Leverage What You Have
• Avoid complexity & cost
• No more “layers”
• Mine the data you already have
#2 Increase Your Visibility
• Use a pervasive technology to gain insight
• Detect events faster to save time, money, and reputation
• Utilize the adaptive nature of DNS
• Stop playing catch-up to new threats
#3 Get More Control
• Enforce policies across any device or user type
• Use DNS to assess risk and decide on action
• Secure remote locations without costly infrastructure
• Use dependence on DNS against the bad guys
Questions?