
Web + Endpoint + DNS Security
Broader Protection, Faster Remediation

rupa Srivatsan, Senior Product Marketing Manager, Infoblox
n Scholten, Technical Marketing Engineer, McAfee
Agenda
• The DNS Blind Spot
• Operational Challenges
• An Ecosystem Approach
– Web + DNS Security for broader protection
– Data exchange for faster remediation
– DNS + SIEM for better visibility and correlation
• Next Steps
DNS is a Blind Spot in Networks

Identifying the leading culprit in data exfiltration:
• $3.6M: average consolidated cost of a data breach [3]
• 46% of survey respondents experienced DNS data exfiltration [4]
• 45% of survey respondents experienced DNS tunneling [4]
• DNS tunnels are used to send sensitive information out
• Data is embedded in DNS queries

APT/malware proliferation rooted in DNS:
• 91% of malware uses DNS to carry out campaigns [5]
• 431M new unique pieces of malware in 2015 [6]
• Malware C&C is the #1 responsible vector for crimeware [7]
• Intruders rely on DNS to infect devices and propagate malware
• Malware is designed to morph and hide in your infrastructure
• The longer it takes to discover, the higher the cost of damage

3. Source: Ponemon Institute, 2017 Cost of Data Breach Study
4. Source: SC Magazine, Dec 2014, “DNS attacks putting organizations at risk, survey finds”
5. Source: Cisco 2016 Annual Security Report
6. Source: Symantec 2016 Internet Security Threat Report
7. Source: Verizon 2016 Data Breach Investigations Report
Security Operational Challenges

1000+ vendors: too many security tools that work in silos

Threat intelligence challenges [1]:
1. Poor incident response
2. Manual processes
3. Lack of prioritization and context slows remediation

1. Source: Ponemon Institute, 2016 Second Annual Study on Exchange Cyber Threat Intelligence: There Has to Be a Better Way
DNS Security for Data Protection and Malware Mitigation
Protect devices everywhere with on-premises deployment and/or SaaS service

• Block C&C/botnet communications
• Stop data exfiltration
• Actionable threat intelligence & investigation
• Unified policy management & reporting
• Orchestrated ecosystem integrations
The Secret Sauce (components)
• DNS Security
• Secure Web Gateway
• Browser Isolation
• SIEM (Security Information Event Management)
• Systems Management Platform
• Message Broker
• Threat Intelligence
Components Discussed
Devices, DNS Security, Web Gateway, Browser Isolation, Systems Mgmt., Security Mgmt., Message Broker, Threat Intelligence
Redirect to Cloud/SWG
• Client machine is DHCP'd, using DNS Firewall
• Demo block via DNS Firewall, domain is blackholed
• Demo SWG redirected DNS query
– SSL Inspected
– Show off Content Inspection
• CDR, Integrations, DLP
Redirect to Cloud/SWG

Demo flow: Devices → DNS Security (fed by Threat Intelligence) → Web Gateway → Internet; Browser Isolation sits behind the Web Gateway.

[Demo]
Show the client's configured DNS servers:
    ipconfig /all | findstr /R "DNS\ Servers"
SSL Inspection: https://badssl.com/dashboard/ and the Eicar test file
Browser Isolation w/CDR example: https://www.alchemistowl.org/pocorgtfo/
DLP example: https://dlptest.com/sample-data.xls
Data Exfiltration Attempt
• PowerShell script, exfiltrating data via DNS
• Threat information shared over message bus
– Show Message Bus Console
• Event received by Web Gateway (WG)
– Device is quarantined, show block page
• Show SIEM where security events are populated
• SIEM has tagged the endpoint for remediation
Data Exfiltration Attempt

Internet path: Devices → DNS Security → Web Gateway → Internet. DNS Security publishes to the Message Bus (Message Broker), which feeds Systems Management, Security Management and 3rd Party Integrations.

[Demo]
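The demo above relies on the DNS security layer recognising exfiltration traffic before it leaves the network. As an added illustration that is not part of the presentation or of either vendor's product, the following Python script shows the kind of heuristics such a detector applies to a DNS query log: many unique subdomains under one registered domain, long high-entropy labels, and a TXT/NULL-heavy query mix. The log lines, domain names and client addresses are constructed for the example; the "last two labels" rule for the registered domain is a simplification (a real deployment would use the public-suffix list), and the thresholds are assumptions to be tuned against your own baseline.

```python
"""Heuristic detector for DNS-based data exfiltration / tunnelling over a query log."""
import math
from collections import Counter, defaultdict

# Constructed sample DNS query log (not from the presentation).
# One line per query: <timestamp> <client-ip> <qname> <qtype>
# 10.0.0.23 queries hex-encoded chunks as subdomain labels of exfil-demo.test.
SAMPLE_LOG = """\
2017-06-01T10:00:01 10.0.0.15 www.example.com A
2017-06-01T10:00:02 10.0.0.15 cdn.example.com A
2017-06-01T10:00:03 10.0.0.15 mail.example.com MX
2017-06-01T10:00:04 10.0.0.23 4a6f686e20446f652c2053534e.exfil-demo.test TXT
2017-06-01T10:00:04 10.0.0.23 3132332d34352d36373839.exfil-demo.test TXT
2017-06-01T10:00:05 10.0.0.23 4372656469742043617264.exfil-demo.test TXT
2017-06-01T10:00:05 10.0.0.23 34313131313131313131313131.exfil-demo.test TXT
2017-06-01T10:00:06 10.0.0.23 0a41646472657373203132.exfil-demo.test TXT
2017-06-01T10:00:06 10.0.0.23 3320456c6d2053742e0a.exfil-demo.test TXT
2017-06-01T10:00:07 10.0.0.15 www.example.com A
2017-06-01T10:00:08 10.0.0.15 api.example.com A
2017-06-01T10:00:09 10.0.0.15 www.example.com A
"""


def shannon_entropy(text):
    """Bits per character: encoded payloads score high, dictionary labels score low."""
    if not text:
        return 0.0
    n = len(text)
    return -sum(c / n * math.log2(c / n) for c in Counter(text).values())


def parse_log(text):
    """Split the constructed log format into dicts; qnames are normalised to lower case."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, client, qname, qtype = line.split()
        records.append({"ts": ts, "client": client,
                        "qname": qname.lower().rstrip("."), "qtype": qtype.upper()})
    return records


def registered_domain(qname):
    """Assumption: last two labels. Production code would consult the public-suffix list."""
    labels = qname.split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else qname


def profile_domains(records):
    """Aggregate, per registered domain, the features that tunnelling tends to inflate."""
    profiles = defaultdict(lambda: {"queries": 0, "clients": set(), "subdomains": set(),
                                    "label_lengths": [], "entropies": [], "txt_null": 0})
    for rec in records:
        dom = registered_domain(rec["qname"])
        prof = profiles[dom]
        prof["queries"] += 1
        prof["clients"].add(rec["client"])
        prefix = rec["qname"][: -len(dom)].rstrip(".")  # everything left of the registered domain
        if prefix:
            prof["subdomains"].add(prefix)
            for label in prefix.split("."):
                prof["label_lengths"].append(len(label))
                prof["entropies"].append(shannon_entropy(label))
        if rec["qtype"] in ("TXT", "NULL"):  # record types that carry the most payload
            prof["txt_null"] += 1
    return profiles


def _mean(values):
    return sum(values) / len(values) if values else 0.0


def flag_exfiltration(profiles, min_queries=5, min_unique_ratio=0.8,
                      min_mean_label_len=16, min_mean_entropy=3.0, min_reasons=2):
    """Return {domain: {"clients": [...], "reasons": [...]}} for domains meeting >= min_reasons heuristics.
    Thresholds are assumed starting points, not vendor values."""
    flagged = {}
    for dom, prof in profiles.items():
        if prof["queries"] < min_queries:  # too little data to judge
            continue
        unique_ratio = len(prof["subdomains"]) / prof["queries"]
        mean_len = _mean(prof["label_lengths"])
        mean_ent = _mean(prof["entropies"])
        txt_ratio = prof["txt_null"] / prof["queries"]
        reasons = []
        if unique_ratio >= min_unique_ratio:
            reasons.append(f"unique-subdomain ratio {unique_ratio:.2f}")
        if mean_len >= min_mean_label_len:
            reasons.append(f"mean label length {mean_len:.1f}")
        if mean_ent >= min_mean_entropy:
            reasons.append(f"mean label entropy {mean_ent:.2f} bits")
        if txt_ratio >= 0.5:
            reasons.append(f"TXT/NULL ratio {txt_ratio:.2f}")
        if len(reasons) >= min_reasons:
            flagged[dom] = {"clients": sorted(prof["clients"]), "reasons": reasons}
    return flagged


def detect(log_text):
    """Convenience wrapper: log text in, flagged domains out."""
    return flag_exfiltration(profile_domains(parse_log(log_text)))


if __name__ == "__main__":
    for dom, hit in detect(SAMPLE_LOG).items():
        print(f"ALERT {dom} queried by {hit['clients']}: {'; '.join(hit['reasons'])}")
```

Requiring two independent heuristics before alerting keeps CDN and mail domains with many legitimate subdomains out of the alert queue; the same per-domain profile is what a DNS security product would hand to a message bus or SIEM as the event that triggers quarantine.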
Summary and Next Steps
• Security Team Challenges
o DNS is a blind spot 
o Manual Processes and Lack of Context Slows Remediation
• Ecosystem Approach 
o Eliminates silos
o Orchestrates DNS threat response
o Provides deep visibility into DNS threats
• Contact McAfee or Infoblox for deep dive on products
[Backup Slides]

Components Discussed: Devices, DNS Security, Web Gateway, Browser Isolation, Systems Mgmt., Security Mgmt., Message Broker, Threat Intelligence

Data Exfiltration Attempt, Internet path: Devices → DNS Firewall → Web Gateway → Internet. DNS Firewall publishes to the Message Bus (Message Broker), which feeds Systems Management and Security Management.
Web + Endpoint + DNS Security
Broader Protection, Faster Remediation

Architecture diagram (labels as they appear on the slide):
• On premises: McAfee Enterprise Security Manager (receives logs), McAfee ePO, DDI, and VULN / SIEM / EMM / IAM / UEBA products that subscribe to IoCs over DXL
• DXL: publish IoCs and network events
• McAfee ePO deploys Infoblox ActiveTrust® Endpoint; endpoint with ActiveTrust® Endpoint Agent
• Cloud: McAfee GTI and ActiveTrust® Cloud share IoCs; McAfee Web Gateway Cloud Service; ActiveTrust® Cloud Service
• DNS request to malicious domain: remediate, with conditional redirect to Web Gateway based on DNS response
• Per-session proxy: additional traffic monitoring and filtering

Holistic visibility. Unified web and DNS security on and off premises. Accelerated threat response.
DNS Security and Web Gateway

Challenge
• Customers want initial DNS threat filtering performed prior to sending HTTP traffic to their web gateway for deeper inspection.

Solution
• ActiveTrust Cloud combined with McAfee Web Gateway provides a 1-2 approach to increased protection.
• Diagram labels: Cloud (McAfee GTI, ActiveTrust® Cloud, IoCs); McAfee Web Gateway Cloud Service; DNS request to malicious domain; conditional redirect to Web Gateway based on DNS response; McAfee ePO deploys Infoblox ActiveTrust® Endpoint; Endpoint with ActiveTrust® Endpoint Agent; per-session proxy: additional traffic monitoring and filtering.

Benefits
• Offload known DNS threat load from your Web Gateway, faster response, optimized workflows, best-in-class protection.
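The "conditional redirect based on DNS response" on this slide, and the blackholed domain in the DNS Firewall demo earlier, both rest on one mechanism: the resolver answers policy-listed names differently from ordinary names. As an added example that is not the vendors' code, the Python below implements that decision with RPZ-style naming (an exact entry matches one name, a `*.` entry matches every subdomain, and the exact entry wins), returning NXDOMAIN for known-bad names, the web gateway's proxy address for names that deserve deeper inspection, and the upstream answer for everything else; every non-passthrough decision is also recorded as an event of the kind a message bus or SIEM would receive. The policy entries, the proxy address 203.0.113.10, the stub upstream answer 198.51.100.7 and the domain names are constructed for the example.

```python
"""RPZ-style DNS policy: blackhole known-bad names, redirect risky ones to the SWG, pass the rest."""
from dataclasses import dataclass
from typing import Optional

# Constructed policy zone (not a vendor feed). Exact names match only themselves;
# "*.name" matches any subdomain. Values are the action the resolver takes.
POLICY = {
    "c2.malware-demo.test": "NXDOMAIN",            # blackhole the C&C host itself
    "*.malware-demo.test": "NXDOMAIN",             # and everything beneath the apex
    "*.risky-demo.test": "REDIRECT:203.0.113.10",  # hand these sessions to the web gateway proxy
    "status.risky-demo.test": "PASSTHRU",          # exact exception beats the wildcard
}

SWG_PROXY = "203.0.113.10"   # assumed address of the secure web gateway (constructed)


@dataclass
class Decision:
    qname: str
    action: str            # PASSTHRU | NXDOMAIN | REDIRECT
    answer: Optional[str]  # A record returned to the client; None means NXDOMAIN
    rule: Optional[str]    # policy entry that fired, if any


def match_policy(qname, policy):
    """Exact match first, then walk up the name looking for a wildcard entry."""
    name = qname.lower().rstrip(".")
    if name in policy:
        return name, policy[name]
    labels = name.split(".")
    for i in range(1, len(labels)):
        wildcard = "*." + ".".join(labels[i:])
        if wildcard in policy:
            return wildcard, policy[wildcard]
    return None, None


def upstream_resolve(qname):
    """Constructed stand-in for a real recursive lookup."""
    return "198.51.100.7"


def apply_policy(client_ip, qname, policy=POLICY, events=None):
    """Decide the answer for one query; append a security event for every non-passthrough hit."""
    rule, action = match_policy(qname, policy)
    if action is None or action == "PASSTHRU":
        decision = Decision(qname, "PASSTHRU", upstream_resolve(qname), rule)
    elif action == "NXDOMAIN":
        decision = Decision(qname, "NXDOMAIN", None, rule)
    elif action.startswith("REDIRECT:"):
        decision = Decision(qname, "REDIRECT", action.split(":", 1)[1], rule)
    else:
        raise ValueError(f"unknown policy action {action!r}")
    if decision.action != "PASSTHRU" and events is not None:
        # This is the record the DNS security layer would publish to the bus / SIEM.
        events.append({"client_ip": client_ip, "qname": qname,
                       "rule": rule, "action": decision.action})
    return decision


if __name__ == "__main__":
    log = []
    for name in ["www.example.com", "c2.malware-demo.test", "beacon.c2.malware-demo.test",
                 "cdn.risky-demo.test", "status.risky-demo.test"]:
        d = apply_policy("10.0.0.23", name, events=log)
        print(f"{name:32} {d.action:9} {d.answer or '-':15} rule={d.rule}")
    print(f"{len(log)} events for the SIEM")
```

The walk-up loop is what makes `beacon.c2.malware-demo.test` hit `*.malware-demo.test` without a separate entry per host, and the exact `status.risky-demo.test` entry shows how an exception is carved out of a wildcard redirect so that a health-check endpoint is not dragged through the proxy.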
SaaS DNS Security with Automated Endpoint Deployment

Challenge
• Deploying Endpoint on devices individually takes time
• Need a way to mass deploy

Solution
• Deploy Infoblox ActiveTrust Endpoint Agent using McAfee ePO
• Diagram labels: Cloud (McAfee GTI, ActiveTrust® Cloud, IoCs); DNS request to malicious domain; McAfee ePO deploys Infoblox ActiveTrust® Endpoint; Endpoint with ActiveTrust® Endpoint Agent; McAfee ePO.

Benefits
• Automates and simplifies deployment of Infoblox ActiveTrust Endpoint Agent for large enterprises.
• Easily plugs into existing workflow processes
• Orchestrates DNS threats for faster remediation
DNS Security and Data Exchange Layer

Challenge
• Security ecosystem lacks visibility into DNS based threats and attacks.
• They can’t take action on such threats.

Solution
• Critical data on network and DNS security events along with context can be published over a data exchange layer like DXL
• Other security ecosystem products subscribing to the published topics can respond to these network events and threats
• Distributes DNS threats over DXL to ePO dashboards & DXL partners
• Diagram labels: Network & threat events w/ indicators of compromise (IoC) → Publish → DXL; Subscribe* → ePO/Active Response (enforce policy) and DXL & Integration (including 3rd party DXL partners).

Benefits
• Automatic notification when threats are detected, enabling faster response and orchestration
• Contextual information to prioritize threats and actions
• Improved ROI for security investments already made
DNS Security and SIEM

Challenge
• SIEM solutions have limited visibility into DNS based security events and threats

Solution
• SIEM receives networking and DNS security events, IP addresses, DHCP fingerprint from DNS solution
• SIEM can then perform comprehensive threat data correlation and detection
• Diagram labels: McAfee Enterprise Security Manager; Logs; ActiveTrust; DNS request to malicious domain; Endpoint; DDI.

Benefits
• Visibility into DNS security incidents, threat data, IP address, DHCP fingerprint, lease history, and more to assess risk and prioritize alerts
• Threat data correlation to prioritize, investigate, and respond to stealthy threats and simplify actions
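The benefit this slide lists, correlating DNS security events with DHCP fingerprint and lease history, matters because a DNS log only carries a client IP, and in a DHCP network that IP can belong to a different device an hour later. As an added example that is not the vendors' code, the Python below joins each DNS security event to the lease that was active for its IP at the event's timestamp, attributes the hit to a MAC/hostname/fingerprint (or marks it low-confidence when no lease covers the IP), and ranks devices by accumulated severity so the SIEM analyst sees the endpoint to remediate first. The events, leases, hostnames, MAC addresses and severity weights are all constructed for the example.

```python
"""Correlate DNS security events with DHCP lease history to attribute hits to devices and rank them."""
from datetime import datetime

# Constructed DNS security events as a DNS firewall would forward them to the SIEM (not vendor data).
DNS_EVENTS = [
    {"ts": "2017-06-01T10:05:00", "client_ip": "10.0.0.23",
     "qname": "c2.malware-demo.test", "category": "c2"},
    {"ts": "2017-06-01T10:20:00", "client_ip": "10.0.0.23",
     "qname": "x.downloads.risky-demo.test", "category": "malware-download"},
    {"ts": "2017-06-01T12:00:00", "client_ip": "10.0.0.23",
     "qname": "c2.malware-demo.test", "category": "c2"},
    {"ts": "2017-06-01T12:30:00", "client_ip": "10.0.0.99",
     "qname": "3132.exfil-demo.test", "category": "exfiltration"},
]

# Constructed DHCP lease history. The same IP is leased to two different devices during the day,
# which is exactly the case an IP-only correlation gets wrong.
DHCP_LEASES = [
    {"ip": "10.0.0.23", "mac": "00:11:22:33:44:55", "hostname": "LAPTOP-FIN01",
     "fingerprint": "Windows 10", "start": "2017-06-01T08:00:00", "end": "2017-06-01T11:00:00"},
    {"ip": "10.0.0.23", "mac": "66:77:88:99:aa:bb", "hostname": "PRINTER-03",
     "fingerprint": "Embedded printer", "start": "2017-06-01T11:30:00", "end": "2017-06-01T23:00:00"},
]

# Assumed severity weights per event category (constructed, tune to your environment).
SEVERITY = {"c2": 10, "exfiltration": 8, "malware-download": 5}


def parse_ts(value):
    return datetime.fromisoformat(value)


def lease_at(ip, ts, leases):
    """Return the lease covering `ip` at time `ts`, or None if no lease record does."""
    when = parse_ts(ts)
    for lease in leases:
        if lease["ip"] == ip and parse_ts(lease["start"]) <= when <= parse_ts(lease["end"]):
            return lease
    return None


def attribute_events(events, leases):
    """Enrich each event with the device that held the IP when the query was made."""
    enriched = []
    for ev in events:
        lease = lease_at(ev["client_ip"], ev["ts"], leases)
        row = dict(ev)
        if lease:
            row.update(device=lease["mac"], hostname=lease["hostname"],
                       fingerprint=lease["fingerprint"], confidence="high")
        else:
            # No lease covers the IP: static host, stale lease data, or spoofed source.
            row.update(device=None, hostname=None, fingerprint=None, confidence="low")
        enriched.append(row)
    return enriched


def prioritize(enriched):
    """Aggregate severity per device (falling back to IP) and sort highest first."""
    scores = {}
    for ev in enriched:
        key = ev["device"] or f"ip:{ev['client_ip']}"
        entry = scores.setdefault(key, {"hostname": ev["hostname"], "fingerprint": ev["fingerprint"],
                                        "confidence": ev["confidence"], "score": 0, "events": 0})
        entry["score"] += SEVERITY.get(ev["category"], 1)
        entry["events"] += 1
    return sorted(scores.items(), key=lambda kv: kv[1]["score"], reverse=True)


def triage(events=DNS_EVENTS, leases=DHCP_LEASES):
    """Full pipeline: attribute, then rank."""
    return prioritize(attribute_events(events, leases))


if __name__ == "__main__":
    for key, info in triage():
        print(f"{key:20} {info['hostname'] or '?':14} {info['fingerprint'] or '?':18} "
              f"score={info['score']:3} events={info['events']} confidence={info['confidence']}")
```

Without the lease join, the three hits from 10.0.0.23 would be blamed on a single "device"; with it, the analyst sees that the laptop was talking to C&C in the morning while the printer, which inherited the address, produced the noon hit, and the unmatched 10.0.0.99 event is surfaced with low confidence rather than silently dropped.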
