Page 1:

Gaining Security Insight Through DNS Analytics

Scott Penney

Director of Cyber Security Solutions, BlueCat Networks

Page 2:

Agenda

Welcome to the Jungle

Why DNS Matters

Deal with the Facts

The Power of DNS

Q&A

Page 3:

Welcome to the Jungle

Page 4:

IT Sprawl is out of Control

Source: Gartner (http://www.gartner.com/newsroom/id/3165317)

4.9 Billion “Things” Connected in 2016

480 Million Smart Phones Delivered in 2016

65% of Smart Phones used in BYoD Environments

2 Billion Mobile Devices Shipped in 2016

70% of Mobile Professionals Work on Personal Devices

Only 1 in 3 Companies Know How Many Vendors Use their Infrastructure

Page 5:

IT Moving from CENTER to the EDGE…

Business drivers demand DISTRIBUTED RESOURCES to meet local needs, which brings additional CHALLENGES

Added Risk

More attack surface is exposed

Untrusted/managed devices

Loss of visibility

Reduced Control

Costly infrastructure to deploy

Absence of standards & practices

Lack of policy enforcement

Page 6:

And What is the Result?

[Chart: records stolen (millions of records) and security spending (billions spent), 2010 vs. 2014; data labels shown: 700, $37, $55]

Security spending has increased by 49% from 2010 to 2014

The number of records stolen and exposed through security breaches has increased 200x over same period

Increasing spending on more solutions isn’t working; we need a new paradigm

Sources: Verizon, Information is Beautiful, RBS, Gartner, Forrester

Page 7:

Where to Focus?

“Prevention is a failed strategy.”

Amit Yoran, President, RSA

RSA Conference 2016

Page 8:

Prevention or Detection?

Organizations are focused on PREVENTION of breaches

– 93% use Anti-virus/Anti-malware tools

– 82% use Perimeter Firewalls

– 65% use Intrusion Prevention Systems

– 52% use Unified Threat Management (UTM) Systems

But when breached, attackers have 200-250 days before they are DETECTED

Organizations need to leverage the power of what they already have to address this detection gap

Page 9:

Why DNS Matters

Page 10:

DNS is Foundational

Network Security: IDS/IPS, NAC, DLP, Messaging, etc.

Perimeter Security: Firewalls, Content Filters, Honeypots, etc.

Endpoint Security: AV, DLP, Patch Mgmt., Client Firewalls, IDS/IPS, etc.

Data Security: Encryption, IDAM, DLP, Integrity, DRM

Application Security: WAF, DB Security, Code Scanners, etc.

Page 11:

DNS is Foundational

Network Security: IDS/IPS, NAC, DLP, Messaging, etc.

Perimeter Security: Firewalls, Content Filters, Honeypots, etc.

Endpoint Security: AV, DLP, Patch Mgmt., Client Firewalls, IDS/IPS, etc.

Data Security: Encryption, IDAM, DLP, Integrity, DRM

Application Security: WAF, DB Security, Code Scanners, etc.

DNS Security: Foundation/Visibility/Enforcement

Page 12:

DNS is a PERVASIVE SENSOR

DNS signals INTENT

DNS shows BEHAVIOR

– All device types

– All protocols

– All locations

– Managed AND Unmanaged

– Corporate AND Guest

– Center AND Edge

DNS is REAL TIME

Page 13:

DNS is an IDEAL ENFORCER

Enforce at every level

– Client

– Network

– Enterprise

Configurable Policies

– White & Black Lists

– Geographic

– Time-based

– Risk-based

Page 14:

DNS is Untapped Potential

56% of Large Orgs Don’t Capture DNS Data

63% of Small Orgs Don’t Capture DNS Data

Source: BlueCat Networks/UBM Survey

Of Those Paying Attention – only 75% actually look at it

Page 15:

Insight Through DNS Analytics

The Power of DNS Lets You:

1. See threats emerge before they become “known”

2. Gain equal visibility into internal and external activity

3. Understand who (and what) is accessing your infrastructure

4. Monitor the activity of all users and devices in real time

5. Protect and control across all device types

Page 16:

Deal with the FACTS

Gain insights to improve security

Page 17:

Data Versus Facts

“Data is of course important in manufacturing, but I place the greatest emphasis on facts.”

Taiichi Ohno, Toyota Motor Corporation

Father of Lean Manufacturing

Page 18:

The Big Data Challenge

A Cautionary Tale

Actual query volume from a very large financial institution

All of which is logged in a very expensive database

And all they have is a really big log file, but no FACTS

3.8 Trillion Queries Per Week

Page 19:

Deriving FACTS from DNS Data

07-Oct-2015 19:27:03.760 queries: info: client 172.16.5.197#65503 (www.google.com): view default: query: www.google.com IN A + (172.16.3.4)
07-Oct-2015 19:27:03.760 rpz: info: client 172.16.5.197#65503 (www.google.com): view default: rpz QNAME PASSTHRU rewrite www.google.com via www.google.com.allowed
07-Oct-2015 19:27:03.762 queries: info: client 172.16.5.197#64055 (www.ohare-airport.org): view default: query: www.ohare-airport.org IN A + (172.16.3.4)
07-Oct-2015 19:27:03.762 queries: info: client 172.16.5.197#60475 (www.rosemont.com): view default: query: www.rosemont.com IN A + (172.16.3.4)
07-Oct-2015 19:27:03.775 queries: info: client 172.16.21.37#50627 (vortex-win.data.microsoft.com): view default: query: vortex-win.data.microsoft.com IN A + (172.16.3.4)
07-Oct-2015 19:27:03.857 queries: info: client 172.16.21.157#64418 (www6vdc.memberdirect.net): view default: query: www6vdc.memberdirect.net IN A + (172.16.3.4)
07-Oct-2015 19:27:03.873 queries: info: client 172.16.21.51#55013 (configuration.apple.com): view default: query: configuration.apple.com IN A + (172.16.3.4)
07-Oct-2015 19:27:03.894 queries: info: client 172.16.5.131#51806 (safebrowsing.google.com): view default: query: safebrowsing.google.com IN A + (172.16.3.4)
07-Oct-2015 19:27:03.898 queries: info: client 172.16.21.189#40353 (i.instagram.com): view default: query: i.instagram.com IN A + (172.16.3.4)
07-Oct-2015 19:27:03.899 queries: info: client 172.16.21.189#45134 (i.instagram.com): view default: query: i.instagram.com IN A + (172.16.3.4)
07-Oct-2015 19:27:03.956 queries: info: client 172.16.5.251#49610 (mex06.emailsrvr.com): view default: query: mex06.emailsrvr.com IN A + (172.16.3.4)
07-Oct-2015 19:27:03.957 queries: info: client 172.16.5.251#49610 (mex06.emailsrvr.com): view default: query: mex06.emailsrvr.com IN AAAA + (172.16.3.4)
07-Oct-2015 19:27:03.957 queries: info: client 172.16.5.251#50659 (mex06.emailsrvr.com): view default: query: mex06.emailsrvr.com IN A + (172.16.3.4)
07-Oct-2015 19:27:04.013 queries: info: client 172.16.1.1#64745 (83.169.31.172.IN-ADDR.ARPA): view default: query: 83.169.31.172.IN-ADDR.ARPA IN PTR + (172.16.3.4)
07-Oct-2015 19:27:04.021 queries: info: client 172.16.21.189#28671 (logger.instagram.com): view default: query: logger.instagram.com IN A + (172.16.3.4)
07-Oct-2015 19:27:04.106 queries: info: client 172.16.10.145#56385 (changelogs.ubuntu.com): view default: query: changelogs.ubuntu.com IN A + (172.16.3.4)
07-Oct-2015 19:27:04.106 queries: info: client 172.16.10.145#56385 (changelogs.ubuntu.com): view default: query: changelogs.ubuntu.com IN AAAA + (172.16.3.4)
07-Oct-2015 19:27:04.112 queries: info: client 172.16.5.251#39537 (mex06.emailsrvr.com): view default: query: mex06.emailsrvr.com IN A + (172.16.3.4)
07-Oct-2015 19:27:04.112 queries: info: client 172.16.5.251#39537 (mex06.emailsrvr.com): view default: query: mex06.emailsrvr.com IN AAAA + (172.16.3.4)
07-Oct-2015 19:27:04.139 queries: info: client 172.16.10.168#59225 (c.na2.content.force.com): view default: query: c.na2.content.force.com IN A + (172.16.3.4)
07-Oct-2015 19:27:04.225 queries: info: client 172.16.8.57#61701 (pixel.quantserve.com): view default: query: pixel.quantserve.com IN A + (172.16.3.4)
07-Oct-2015 19:27:04.253 queries: info: client 172.16.7.155#52411 (_ldap._tcp.BCNToronto._sites.TORDC02.bluecatnetworks.corp): view default: query: _ldap._tcp.BCNToronto._sites.TORDC02.bluecatnetworks.corp IN SRV + (172.16.3.4)
07-Oct-2015 19:27:04.266 queries: info: client 172.16.21.189#7248 (i.instagram.com): view default: query: i.instagram.com IN A + (172.16.3.4)
07-Oct-2015 19:27:04.266 queries: info: client 172.16.21.189#23910 (i.instagram.com): view default: query: i.instagram.com IN A + (172.16.3.4)
07-Oct-2015 19:27:04.269 queries: info: client 172.16.21.189#28671 (logger.instagram.com): view default: query: logger.instagram.com IN A + (172.16.3.4)
07-Oct-2015 19:27:04.275 queries: info: client 172.16.21.189#15578 (wifi-test.mobidia.com): view default: query: wifi-test.mobidia.com IN A + (172.16.3.4)
07-Oct-2015 19:27:04.284 queries: info: client 172.16.21.189#32801 (settings.crashlytics.com): view default: query: settings.crashlytics.com IN A + (172.16.3.4)
07-Oct-2015 19:27:04.286 queries: info: client 172.16.8.57#52184 (engine.adzerk.net): view default: query: engine.adzerk.net IN A + (172.16.3.4)
07-Oct-2015 19:27:04.290 queries: info: client 172.16.21.189#22675 (mex06.emailsrvr.com): view default: query: mex06.emailsrvr.com IN A + (172.16.3.4)
07-Oct-2015 19:27:04.415 queries: info: client 172.16.5.251#38248 (mex06.emailsrvr.com): view default: query: mex06.emailsrvr.com IN A + (172.16.3.4)
07-Oct-2015 19:27:04.415 queries: info: client 172.16.5.251#38248 (mex06.emailsrvr.com): view default: query: mex06.emailsrvr.com IN AAAA + (172.16.3.4)
07-Oct-2015 19:27:04.533 queries: info: client 172.16.5.251#47975 (mex06.emailsrvr.com): view default: query: mex06.emailsrvr.com IN A + (172.16.3.4)
07-Oct-2015 19:27:04.533 queries: info: client 172.16.5.251#47975 (mex06.emailsrvr.com): view default: query: mex06.emailsrvr.com IN AAAA + (172.16.3.4)
07-Oct-2015 19:27:04.572 queries: info: client 172.16.5.251#42115 (mex06.emailsrvr.com): view default: query: mex06.emailsrvr.com IN A + (172.16.3.4)
07-Oct-2015 19:27:04.572 queries: info: client 172.16.5.251#42115 (mex06.emailsrvr.com): view default: query: mex06.emailsrvr.com IN AAAA + (172.16.3.4)
07-Oct-2015 19:27:04.586 queries: info: client 172.16.10.128#34946 (199.30.27.172.in-addr.arpa): view default: query: 199.30.27.172.in-addr.arpa IN PTR + (172.16.3.4)
07-Oct-2015 19:27:04.647 queries: info: client 172.16.5.93#54119 (4.umps2c2.salesforce.com): view default: query: 4.umps2c2.salesforce.com IN A + (172.16.3.4)
07-Oct-2015 19:27:04.650 queries: info: client 172.16.5.93#59652 (umps2c2.salesforce.com): view default: query: umps2c2.salesforce.com IN A + (172.16.3.4)
07-Oct-2015 19:27:04.686 queries: info: client 172.16.5.251#35414 (mex06.emailsrvr.com): view default: query: mex06.emailsrvr.com IN A + (172.16.3.4)
07-Oct-2015 19:27:04.686 queries: info: client 172.16.5.251#35414 (mex06.emailsrvr.com): view default: query: mex06.emailsrvr.com IN AAAA + (172.16.3.4)
07-Oct-2015 19:27:04.695 queries: info: client 172.16.5.93#64208 (3.umps2c2.salesforce.com): view default: query: 3.umps2c2.salesforce.com IN A + (172.16.3.4)
07-Oct-2015 19:27:04.931 queries: info: client 172.16.21.63#64580 (mex06.emailsrvr.com): view default: query: mex06.emailsrvr.com IN A + (172.16.3.4)

Page 20:

DNS SECURITY

Deriving FACTS from DNS Data

07-Oct-2015 19:27:04.266 queries: info: client 172.16.21.189#7248 (i.instagram.com): view default: query: i.instagram.com IN A + (172.16.3.4)
07-Oct-2015 19:27:04.266 queries: info: client 172.16.21.189#23910 (i.instagram.com): view default: query: i.instagram.com IN A + (172.16.3.4)
07-Oct-2015 19:27:04.269 queries: info: client 172.16.21.189#28671 (logger.instagram.com): view default: query: logger.instagram.com IN A + (172.16.3.4)
07-Oct-2015 19:27:04.275 queries: info: client 172.16.21.189#15578 (wifi-test.mobidia.com): view default: query: wifi-test.mobidia.com IN A + (172.16.3.4)
07-Oct-2015 19:27:04.284 queries: info: client 172.16.21.189#32801 (settings.crashlytics.com): view default: query: settings.crashlytics.com IN A + (172.16.3.4)

ACTIVITY SIGNATURE IDENTIFIED: Start-up sequence for application

Page 21:

Deriving FACTS from DNS Data

07-Oct-2015 19:27:04.266 queries: info: client 172.16.21.189#7248 (i.instagram.com): view default: query: i.instagram.com IN A + (172.16.3.4)
07-Oct-2015 19:27:04.266 queries: info: client 172.16.21.189#23910 (i.instagram.com): view default: query: i.instagram.com IN A + (172.16.3.4)
07-Oct-2015 19:27:04.269 queries: info: client 172.16.21.189#28671 (logger.instagram.com): view default: query: logger.instagram.com IN A + (172.16.3.4)
07-Oct-2015 19:27:04.275 queries: info: client 172.16.21.189#15578 (wifi-test.mobidia.com): view default: query: wifi-test.mobidia.com IN A + (172.16.3.4)
07-Oct-2015 19:27:04.284 queries: info: client 172.16.21.189#32801 (settings.crashlytics.com): view default: query: settings.crashlytics.com IN A + (172.16.3.4)

ACTIVITY SIGNATURE IDENTIFIED: Start-up sequence for application

FACT CATALOGED
• 07-Oct-2015
• Client Application Identified: Instagram

CATALOG

LOGGED | FACT | ACTIVITY SIGNATURE
07-Oct-2015 | APP: Dropbox | Communication Fre…
07-Oct-2015 | APP: WhatsApp | Startup Sequence
07-Oct-2015 | APP: Instagram | Startup Sequence

Page 22:

Deriving FACTS from DNS Data

07-Oct-2015 19:27:03.768 queries: info: client 172.16.21.189#32801 (whatsmyip.net): view default: query: whatsmyip.net IN A + (172.16.3.4)
07-Oct-2015 19:28:03.768 queries: info: client 172.16.21.189#7248 (whatsmyip.net): view default: query: whatsmyip.net IN A + (172.16.3.4)
07-Oct-2015 19:29:03.768 queries: info: client 172.16.21.189#23910 (whatsmyip.net): view default: query: whatsmyip.net IN A + (172.16.3.4)
07-Oct-2015 19:30:03.768 queries: info: client 172.16.21.189#28671 (whatsmyip.net): view default: query: whatsmyip.net IN A + (172.16.3.4)
07-Oct-2015 19:31:03.768 queries: info: client 172.16.21.189#15578 (whatsmyip.net): view default: query: whatsmyip.net IN A + (172.16.3.4)

ACTIVITY SIGNATURE IDENTIFIED: Repeated query intervals

CATALOG

LOGGED | FACT | ACTIVITY SIGNATURE
07-Oct-2015 | APP: Dropbox | Communication Fre…
07-Oct-2015 | APP: WhatsApp | Startup Sequence
07-Oct-2015 | APP: Instagram | Startup Sequence

Page 23:

Deriving FACTS from DNS Data

07-Oct-2015 19:27:03.768 queries: info: client 172.16.21.189#32801 (whatsmyip.net): view default: query: whatsmyip.net IN A + (172.16.3.4)
07-Oct-2015 19:28:03.768 queries: info: client 172.16.21.189#7248 (whatsmyip.net): view default: query: whatsmyip.net IN A + (172.16.3.4)
07-Oct-2015 19:29:03.768 queries: info: client 172.16.21.189#23910 (whatsmyip.net): view default: query: whatsmyip.net IN A + (172.16.3.4)
07-Oct-2015 19:30:03.768 queries: info: client 172.16.21.189#28671 (whatsmyip.net): view default: query: whatsmyip.net IN A + (172.16.3.4)
07-Oct-2015 19:31:03.768 queries: info: client 172.16.21.189#15578 (whatsmyip.net): view default: query: whatsmyip.net IN A + (172.16.3.4)

ACTIVITY SIGNATURE IDENTIFIED: Repeated query intervals – Beaconing

FACT CATALOGED
• 07-Oct-2015
• Security Threat Identified: MALWARE [whatsmyip.net]

CATALOG

LOGGED | FACT | ACTIVITY SIGNATURE
07-Oct-2015 | APP: Dropbox | Communication Fre…
07-Oct-2015 | APP: WhatsApp | Startup Sequence
07-Oct-2015 | APP: Instagram | Startup Sequence
07-Oct-2015 | MALWARE: whats… | Query Intervals

Page 24:

Deriving FACTS from DNS Data

07-Oct-2015 19:27:06.319 queries: info: client 172.16.21.96#60830 (c504.leet.cc): view default: query: c504.leet.cc IN A + (172.16.3.4)

ACTIVITY SIGNATURE IDENTIFIED: Newly Observed Domain

CATALOG

LOGGED | FACT | ACTIVITY SIGNATURE
07-Oct-2015 | APP: Dropbox | Communication Fre…
07-Oct-2015 | APP: WhatsApp | Startup Sequence
07-Oct-2015 | APP: Instagram | Startup Sequence
07-Oct-2015 | MALWARE: whats… | Query Intervals

Page 25:

Deriving FACTS from DNS Data

07-Oct-2015 19:27:06.319 queries: info: client 172.16.21.96#60830 (c504.leet.cc): view default: query: c504.leet.cc IN A + (172.16.3.4)

ACTIVITY SIGNATURE IDENTIFIED: Newly Observed Domain

FACT CATALOGED
• 07-Oct-2015
• Security Threat Identified: Suspect Activity [leet.cc]

CATALOG

LOGGED | FACT | ACTIVITY SIGNATURE
07-Oct-2015 | APP: Dropbox | Communication Fre…
07-Oct-2015 | APP: WhatsApp | Startup Sequence
07-Oct-2015 | APP: Instagram | Startup Sequence
07-Oct-2015 | MALWARE: whats… | Query Intervals
07-Oct-2015 | Suspect: leet.cc | Newly Observed Domain
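
The fact derivation walked through on the preceding slides (repeated query intervals and newly observed domain), as an added Python example that is not part of the original deck or any BlueCat product: it parses the query-log format shown above and emits cataloged facts. The baseline set, the `min_hits` and `max_jitter` thresholds, the fact labels and the two-label registered-domain rule are assumptions made for illustration.

```python
import re
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Query-log lines copied from the slides above.
SAMPLE_LOG = """\
07-Oct-2015 19:27:03.760 rpz: info: client 172.16.5.197#65503 (www.google.com): view default: rpz QNAME PASSTHRU rewrite www.google.com via www.google.com.allowed
07-Oct-2015 19:27:03.768 queries: info: client 172.16.21.189#32801 (whatsmyip.net): view default: query: whatsmyip.net IN A + (172.16.3.4)
07-Oct-2015 19:27:04.266 queries: info: client 172.16.21.189#7248 (i.instagram.com): view default: query: i.instagram.com IN A + (172.16.3.4)
07-Oct-2015 19:27:04.415 queries: info: client 172.16.5.251#38248 (mex06.emailsrvr.com): view default: query: mex06.emailsrvr.com IN A + (172.16.3.4)
07-Oct-2015 19:27:04.415 queries: info: client 172.16.5.251#38248 (mex06.emailsrvr.com): view default: query: mex06.emailsrvr.com IN AAAA + (172.16.3.4)
07-Oct-2015 19:27:04.533 queries: info: client 172.16.5.251#47975 (mex06.emailsrvr.com): view default: query: mex06.emailsrvr.com IN A + (172.16.3.4)
07-Oct-2015 19:27:06.319 queries: info: client 172.16.21.96#60830 (c504.leet.cc): view default: query: c504.leet.cc IN A + (172.16.3.4)
07-Oct-2015 19:28:03.768 queries: info: client 172.16.21.189#7248 (whatsmyip.net): view default: query: whatsmyip.net IN A + (172.16.3.4)
07-Oct-2015 19:29:03.768 queries: info: client 172.16.21.189#23910 (whatsmyip.net): view default: query: whatsmyip.net IN A + (172.16.3.4)
07-Oct-2015 19:30:03.768 queries: info: client 172.16.21.189#28671 (whatsmyip.net): view default: query: whatsmyip.net IN A + (172.16.3.4)
07-Oct-2015 19:31:03.768 queries: info: client 172.16.21.189#15578 (whatsmyip.net): view default: query: whatsmyip.net IN A + (172.16.3.4)
"""
# Constructed baseline: registered domains this network has queried before.
BASELINE = {"google.com", "instagram.com", "emailsrvr.com", "whatsmyip.net"}

LINE_RE = re.compile(
    r"(?P<ts>\d{2}-\w{3}-\d{4} [\d:.]+) queries: info: client "
    r"(?P<client>[\d.]+)#\d+ \((?P<qname>[^)]+)\): view \S+ query: \S+ IN (?P<qtype>\S+)"
)

def parse(log):
    """Yield (time, client, qname) per query line; rpz and other lines are skipped."""
    for line in log.splitlines():
        m = LINE_RE.match(line)
        if m:
            ts = datetime.strptime(m["ts"], "%d-%b-%Y %H:%M:%S.%f")
            yield ts, m["client"], m["qname"].lower().rstrip(".")

def beacons(events, min_hits=4, max_jitter=0.1):
    """Fact: one client re-queries one name at a near-constant interval."""
    seen = defaultdict(list)
    for ts, client, qname in events:
        seen[client, qname].append(ts)
    facts = []
    for (client, qname), times in sorted(seen.items()):
        times.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        gaps = [g for g in gaps if g >= 1.0]  # ignore A/AAAA pairs and retries
        if len(gaps) + 1 >= min_hits and pstdev(gaps) <= max_jitter * mean(gaps):
            facts.append(("BEACONING", client, qname, round(mean(gaps))))
    return facts

def newly_observed(events, baseline):
    """Fact: first query for a registered domain absent from the baseline."""
    known, facts = set(baseline), []
    for _, client, qname in events:
        # Assumption: registered domain = last two labels (no public-suffix list).
        domain = ".".join(qname.split(".")[-2:])
        if domain not in known:
            known.add(domain)
            facts.append(("NEWLY_OBSERVED_DOMAIN", client, domain))
    return facts

def derive_facts(log, baseline):
    events = list(parse(log))
    return beacons(events) + newly_observed(events, baseline)

if __name__ == "__main__":
    for fact in derive_facts(SAMPLE_LOG, BASELINE):
        print(fact)
```

The sub-second `mex06.emailsrvr.com` bursts are high-volume but not periodic, so they produce no beaconing fact; only the 60-second `whatsmyip.net` cadence does.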

Page 26:

The Power of DNS

Analytics to drive better security

Page 27:

DNS as a Sensor and Enforcer

What can DNS do for you?

Provide instant VISIBILITY into what’s on your infrastructure

Identify BEHAVIOR that is suspicious, regardless of the cause

CONTROL access to resources or data

BLOCK known threats before they manifest

Page 28:

DNS Gives the Facts You Need to Secure Your Network

#1 Leverage What You Have

• Avoid complexity & cost

• No more “layers”

• Mine the data you already have

#2 Increase Your Visibility

• Use a pervasive technology to gain insight

• Detect events faster to save time, money, and reputation

• Utilize the adaptive nature of DNS

• Stop playing catch-up to new threats

#3 Get More Control

• Enforce policies across any device or user type

• Use DNS to assess risk and decide on action

• Secure remote locations without costly infrastructure

• Use dependence on DNS against the bad guys

Page 29:

Questions?
