How Does DNS Telemetry Help Detect and Stop Threats?




Question: How can administrators use DNS telemetry to enrich NetFlow information in detecting and stopping threats?

David Ratner, CEO, Hyas: For years, DevSecOps teams relied heavily on flow data (the information collected by NetFlow and similar technology) to gain insight into events occurring within their networks. However, flow data's usefulness has waned with the shift to the cloud and increased network complexity.

Monitoring network traffic is the new big data problem. You either sample a smaller amount of flow data or incur the high costs of receiving a more comprehensive set. But even with all the data, detecting subtle anomalous incidents (perhaps involving only one or a handful of devices and relatively low-volume traffic) that indicate malicious activity is still like looking for a needle in a haystack.

Administrators and security teams can regain visibility into their own networks with DNS telemetry. It is simpler and cheaper to monitor than flow data and can identify unknown, anomalous, or malicious domains based on threat intelligence data. These services can alert DevSecOps administrators and provide information on exactly where to look to investigate the incident. If necessary, administrators can access the corresponding flow data to get additional actionable details about the event, determine whether the event is innocuous or malicious, and stop nefarious activity in its tracks. DNS telemetry solves the big data problem by letting teams more quickly and efficiently zero in on the areas that need attention.

An easy way to visualize the problem is to imagine staking out all the payphones in a neighborhood to intercept calls related to criminal activity. Actively watching every payphone and monitoring the content of every call made from every payphone would be extremely tedious. However, in this analogy, DNS monitoring would notify you that a certain payphone made a call, when it made it, and whom it called. With this information, you can then query flow data to find out additional pertinent information, like whether the person on the other end picked up the call and how long they spoke.

A real-world scenario might occur like this: Your DNS monitoring system notices several devices making calls to a domain flagged as anomalous and potentially malicious. Even though this particular domain has never been used before in an attack, it is unusual, anomalous, and requires additional and immediate investigation. This triggers an alert, prompting administrators to query flow data for those particular devices and the specific communication with that domain. With that data, you can quickly determine whether malicious activity is actually occurring and, if it is, you can block the communication, cutting the malware off from its C2 infrastructure and stopping the attack before major damage is done. On the other hand, there may have been some legitimate reason for the anomalous traffic, and it isn't actually nefarious; maybe the device is simply reaching out to a new server for updates. Either way, now you know for sure.
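The two-step workflow described in the answer (alert on DNS telemetry first, then pull flow data only for the flagged devices and the resolved address) can be expressed as a small triage script. The code below is an added example, not code from Hyas or the author; the resolver log format, the nfdump-style flow CSV, the threat-intel list, the baseline of previously seen domains and the five-minute pivot window are all assumptions constructed for illustration. It answers the payphone questions for each flagged lookup: did the device actually connect, did the far end answer, and for how long.

```python
"""DNS telemetry -> flow-data pivot. Added example; inputs are constructed."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed resolver log: time client qname rcode first-A-record
DNS_LOG = """\
2024-03-04T10:00:01Z 10.1.1.20 login.example.com NOERROR 198.51.100.5
2024-03-04T10:00:03Z 10.1.1.21 x7qk2-cdn.example.net NOERROR 203.0.113.44
2024-03-04T10:00:04Z 10.1.1.22 x7qk2-cdn.example.net NOERROR 203.0.113.44
2024-03-04T10:00:09Z 10.1.1.23 bad-c2.example.org NOERROR 203.0.113.77
2024-03-04T10:00:12Z 10.1.1.20 updates.example.com NOERROR 198.51.100.9
"""

# Constructed flow export (nfdump-style CSV, assumed layout):
# start,duration_s,src,dst,dport,pkts_out,bytes_out,pkts_in,bytes_in
FLOW_LOG = """\
2024-03-04T10:00:02Z,3,10.1.1.20,198.51.100.5,443,12,1800,10,5600
2024-03-04T10:00:04Z,61,10.1.1.21,203.0.113.44,443,90,12400,88,40200
2024-03-04T10:00:05Z,0,10.1.1.22,203.0.113.44,443,3,180,0,0
2024-03-04T10:00:13Z,2,10.1.1.20,198.51.100.9,443,8,900,7,30000
"""

INTEL_DOMAINS = {"bad-c2.example.org"}                          # assumed intel feed
BASELINE_DOMAINS = {"login.example.com", "updates.example.com"}  # resolved before
PIVOT_WINDOW = timedelta(minutes=5)   # how long after a lookup a flow still counts


def _ts(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ")


def parse_dns(text):
    """Return (time, client, qname, answer_ip) for each successful lookup."""
    out = []
    for line in text.splitlines():
        if not line.strip():
            continue
        t, client, qname, rcode, answer = line.split()
        if rcode == "NOERROR":
            out.append((_ts(t), client, qname.lower().rstrip("."), answer))
    return out


def parse_flows(text):
    """Return one dict per flow record from the constructed CSV."""
    flows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        start, dur, src, dst, dport, _po, bo, _pi, bi = line.split(",")
        flows.append({"start": _ts(start), "dur": int(dur), "src": src, "dst": dst,
                      "dport": int(dport), "bytes_out": int(bo), "bytes_in": int(bi)})
    return flows


def flag_queries(dns_records, intel, baseline):
    """Step 1, DNS telemetry: flag known-bad names and names this estate has never
    resolved before. Returns qname -> list of (time, client, answer_ip, reason)."""
    alerts = defaultdict(list)
    for t, client, qname, answer in dns_records:
        if qname in intel:
            reason = "threat-intel match"
        elif qname not in baseline:
            reason = "never seen before"
        else:
            continue                      # known-good name: no flow lookup needed
        alerts[qname].append((t, client, answer, reason))
    return alerts


def pivot_to_flows(alerts, flows, window=PIVOT_WINDOW):
    """Step 2, flow enrichment: for each flagged lookup, pull the flows from that
    client to the resolved IP that began within `window`, then say whether the far
    end answered and for how long (the 'did they pick up' question)."""
    findings = []
    for qname, hits in alerts.items():
        for t, client, answer, reason in hits:
            matched = [f for f in flows if f["src"] == client and f["dst"] == answer
                       and t <= f["start"] <= t + window]
            bytes_in = sum(f["bytes_in"] for f in matched)
            if not matched:
                verdict = "lookup only"   # name resolved, no connection observed
            elif bytes_in == 0:
                verdict = "unanswered"    # packets sent, nothing came back
            else:
                verdict = "established"   # two-way traffic: inspect, then block
            findings.append({"client": client, "domain": qname, "dst": answer,
                             "reason": reason, "verdict": verdict, "bytes_in": bytes_in,
                             "duration_s": max((f["dur"] for f in matched), default=0)})
    return findings


def investigate(dns_text, flow_text, intel, baseline):
    """Whole pipeline: DNS alert first, flow data only for the flagged devices."""
    alerts = flag_queries(parse_dns(dns_text), intel, baseline)
    return pivot_to_flows(alerts, parse_flows(flow_text))


if __name__ == "__main__":
    for f in investigate(DNS_LOG, FLOW_LOG, INTEL_DOMAINS, BASELINE_DOMAINS):
        print(f"{f['client']:<10} {f['domain']:<24} {f['reason']:<18} "
              f"{f['verdict']:<12} {f['bytes_in']} bytes in, {f['duration_s']}s")
```

On the constructed input, 10.1.1.20 never appears in the findings because it only resolved baseline names, so its flows are never read; 10.1.1.21 has a 61-second, two-way session with the never-seen domain and is the device to inspect or block; 10.1.1.22 resolved the same name but got no reply; 10.1.1.23 hit the intel feed but no connection followed. The "never seen before" rule is deliberately crude, and in practice the baseline would be a rolling window of prior resolutions rather than a fixed set, otherwise every first visit to a legitimate new update server lands in the queue, which is exactly the benign case the answer warns about.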
