Web + Endpoint + DNS Security
Broader Protection, Faster Remediation
rupa Srivatsan, Senior Product Marketing Manager, Infoblox
n Scholten, Technical Marketing Engineer, McAfee
Agenda
• The DNS Blind Spot
• Operational Challenges
• An Ecosystem Approach
– Web + DNS Security for broader protection
– Data exchange for faster remediation
– DNS + SIEM for better visibility and correlation
• Next Steps
DNS is a Blind Spot in Networks
Identifying the leading culprit in data exfiltration:
• $3.6M: average consolidated cost of a data breach [3]
• 46% of survey respondents experienced DNS data exfiltration [4]
• 45% of survey respondents experienced DNS tunneling [4]
APT/malware proliferation rooted in DNS:
• 91% of malware uses DNS to carry out campaigns [5]
• 431M new unique pieces of malware in 2015 [6]
• Malware C&C is the #1 responsible vector for crimeware [7]
Intruders rely on DNS to infect devices and propagate malware. DNS tunnels are used to send sensitive information out, with the data embedded in DNS queries. Malware is designed to morph and hide in your infrastructure, and the longer it takes to discover, the higher the cost of the damage.
3. Source: Ponemon Institute, 2017 Cost of Data Breach Study
4. Source: SC Magazine, Dec 2014, "DNS attacks putting organizations at risk, survey finds"
5. Source: Cisco 2016 Annual Security Report
6. Source: Symantec 2016 Internet Security Threat Report
7. Source: Verizon 2016 Data Breach Investigations Report
Security Operational Challenges
• 1000+ vendors: too many security tools that work in silos
• Threat intelligence challenges [1]:
  1. Poor incident response
  2. Manual processes
  3. Lack of prioritization and context slows remediation
1. Source: Ponemon Institute, 2016 Second Annual Study on Exchange Cyber Threat Intelligence: There Has to Be a Better Way
DNS Security for Data Protection and Malware Mitigation
Protect devices everywhere with on-premises deployment and/or SaaS service.
[Diagram: devices, DNS security, threat intelligence, web gateway, browser isolation, Internet]
[Demo]
Show the DNS servers configured on the Windows endpoint:
  ipconfig /all | findstr /R "DNS\ Servers"
SSL Inspection: https://badssl.com/dashboard/
Eicar (anti-malware test file)
Browser Isolation w/CDR Example: https://www.alchemistowl.org/pocorgtfo/
DLP Example: https://dlptest.com/sample-data.xls
Data Exfiltration Attempt
• PowerShell script exfiltrating data via DNS
• Threat information shared over the message bus
  – Show the Message Bus console
• Event received by the Web Gateway (WG)
  – Device is quarantined; show the block page
• Show the SIEM where security events are populated
• SIEM has tagged the endpoint for remediation
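What the detection side of this demo looks like, as an added example that is not code from the deck or from Infoblox/McAfee: a small Python scorer reads constructed resolver log lines and flags a client/domain pair whose queries carry long, high-entropy leftmost labels across many unique subdomains, the "data embedded in DNS queries" pattern from the blind-spot slide. The log format, the thresholds, and the domain names are assumptions; the requirement that all three indicators hold at once is what keeps a single long CDN hostname or ordinary short subdomains out of the alert list.

```python
import math
from collections import defaultdict

# Constructed resolver log lines (not real traffic): "<time> <client_ip> <qtype> <qname>".
# 10.1.1.7 browses normally, 10.1.1.12 makes one CDN-style query, and 10.1.1.9 sends
# hex-encoded data in the leftmost label of TXT queries to an assumed test domain.
SAMPLE_LOG = """\
2017-06-01T10:00:01 10.1.1.7 A www.example.com
2017-06-01T10:00:02 10.1.1.7 A mail.example.com
2017-06-01T10:00:03 10.1.1.12 A a1b2c3.cdn.example.net
2017-06-01T10:00:03 10.1.1.9 TXT a1b2c3d4e5f60789f0e1d2c3b4a59687.exfil-demo.test
2017-06-01T10:00:04 10.1.1.9 TXT 9876543210fedcba0123456789abcdef.exfil-demo.test
2017-06-01T10:00:05 10.1.1.9 TXT fedcba9876543210abcdef0123456789.exfil-demo.test
2017-06-01T10:00:06 10.1.1.7 A www.example.com
"""


def shannon_entropy(text):
    """Bits per character; encoded payloads sit near 4 (hex) or 5 (base32)."""
    if not text:
        return 0.0
    counts = defaultdict(int)
    for ch in text:
        counts[ch] += 1
    n = len(text)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def base_domain(qname, depth=2):
    """Registrable-domain approximation: the last `depth` labels (no public suffix list)."""
    return ".".join(qname.split(".")[-depth:])


def parse_line(line):
    time, client, qtype, qname = line.split()
    return time, client, qtype.upper(), qname.lower().rstrip(".")


def score_dns_log(log_text, min_distinct=3, min_entropy=3.5, min_label_len=20):
    """Aggregate per (client, base domain) and flag tunneling-like behaviour."""
    stats = defaultdict(lambda: {"queries": 0, "subdomains": set(),
                                 "entropy": [], "label_len": [], "txt": 0})
    for line in log_text.splitlines():
        if not line.strip():
            continue
        _, client, qtype, qname = parse_line(line)
        domain = base_domain(qname)
        prefix = qname[: -len(domain)].rstrip(".")
        if not prefix:
            continue  # apex query, no label that could carry a payload
        leftmost = prefix.split(".")[0]
        s = stats[(client, domain)]
        s["queries"] += 1
        s["subdomains"].add(prefix)
        s["entropy"].append(shannon_entropy(leftmost))
        s["label_len"].append(len(leftmost))
        if qtype in ("TXT", "NULL", "CNAME"):
            s["txt"] += 1  # record types that return free-form data to the client

    alerts = []
    for (client, domain), s in sorted(stats.items()):
        avg_entropy = sum(s["entropy"]) / len(s["entropy"])
        avg_len = sum(s["label_len"]) / len(s["label_len"])
        distinct = len(s["subdomains"])
        if distinct >= min_distinct and avg_entropy >= min_entropy and avg_len >= min_label_len:
            indicators = ["many unique subdomains", "high-entropy labels", "long labels"]
            if s["txt"]:
                indicators.append("TXT/NULL/CNAME query types")
            alerts.append({"client": client, "domain": domain, "query_count": s["queries"],
                           "avg_entropy": avg_entropy, "avg_label_len": avg_len,
                           "indicators": indicators})
    return alerts


if __name__ == "__main__":
    for alert in score_dns_log(SAMPLE_LOG):
        print(alert)
```

Run against the constructed log, only the 10.1.1.9 / exfil-demo.test pair is reported; the example.com client has short, low-entropy labels and the CDN query is a single subdomain, so neither reaches the threshold. In a real deployment the same per-client aggregation would feed the event that the demo then pushes over the message bus.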
Data Exfiltration Attempt
[Diagram: exfiltration path from the endpoint to the Internet; a message broker connects systems management and security management]
Web + Endpoint + DNS Security
Broader Protection, Faster Remediation
Challenge
• Customers want initial DNS threat filtering performed prior to sending HTTP traffic to their web gateway for deeper inspection.
Solution
• ActiveTrust Cloud combined with McAfee Web Gateway provides a 1-2 approach to increased protection.
• Per-session proxy: additional traffic monitoring and filtering.
Benefits
• Offload known DNS threat load from your Web Gateway: faster response, optimized workflows, best-in-class protection.
[Diagram: on premises, the endpoint with the Infoblox ActiveTrust Endpoint Agent (deployed by McAfee ePO), McAfee Web Gateway, and McAfee Enterprise Security Manager receiving logs; in the cloud, ActiveTrust Cloud Service, McAfee GTI and IoCs. Labels: "DNS request to malicious domain", "Conditional redirect to Web Gateway based on DNS response", "Remediate DNS requests".]
SaaS DNS Security with Automated Endpoint Deployment
Challenge
• Deploying Endpoint on devices individually takes time
• Need a way to mass deploy
Solution
• Deploy Infoblox ActiveTrust Endpoint Agent using McAfee ePO
Benefits
• Automates and simplifies deployment of Infoblox ActiveTrust Endpoint Agent for large enterprises
• Easily plugs into existing workflow processes
• Orchestrates DNS threats for faster remediation
[Diagram: McAfee ePO deploys Infoblox ActiveTrust Endpoint; endpoint with ActiveTrust Endpoint Agent; in the cloud, ActiveTrust Cloud, McAfee GTI and IoCs. Label: "DNS request to malicious domain".]
DNS Security and Data Exchange Layer
Challenge
Solution
• Critical data on network and DNS security events, along with context, can be published over a data exchange layer like DXL
• Other security ecosystem products subscribing to the published topics can respond to these network events and threats
• Distributes DNS threats over DXL to ePO dashboards and DXL partners
Benefits
• Automatic notification when threats are detected, enabling faster response and orchestration
• Contextual information to prioritize threats and actions
• Improved ROI for security investments already made
[Diagram: network and threat events with indicators of compromise (IoC) are published to DXL; subscribers* enforce ePO/Active Response policy and integrate over DXL (including 3rd party DXL partners).]
DNS Security and SIEM
Challenge
Solution
• SIEM receives networking and DNS security events, IP addresses, and DHCP fingerprint from the DNS solution
• SIEM can then perform comprehensive threat data correlation and detection
Benefits
• Visibility into DNS security incidents, threat data, IP address, DHCP fingerprint, lease history, and more to assess risk and prioritize alerts
• Threat data correlation to prioritize, investigate, and respond to stealthy threats and simplify actions
[Diagram: Endpoint, DDI, ActiveTrust, McAfee Enterprise Security Manager. Label: "DNS request to malicious domain".]
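One way to picture both the data exchange layer slide and the SIEM slide together, as an added example that is not code from the deck, from Infoblox or from McAfee: a DNS security event carrying an IoC and context is published on a topic, a SIEM-style subscriber picks it up, attributes the client IP to a device using DHCP lease history (not the current lease table, because an address can change hands during the day), and assigns a priority from the threat category. The in-process bus, the topic name, the event and lease field names, the severity map, and all sample data are assumptions; the real DXL or Infoblox schemas are not on the page.

```python
import json
from datetime import datetime

# Constructed DHCP lease history (not real data); naive ISO-8601 times in one timezone.
# 10.1.1.7 was leased to two different devices during the day, which is the case where
# correlating against lease history rather than the current table matters.
DHCP_LEASES = [
    {"ip": "10.1.1.9", "mac": "00:11:22:33:44:55", "host": "fin-laptop-07",
     "start": "2017-06-01T08:00:00", "end": "2017-06-01T20:00:00"},
    {"ip": "10.1.1.7", "mac": "66:77:88:99:aa:bb", "host": "eng-desktop-02",
     "start": "2017-06-01T09:00:00", "end": "2017-06-01T11:00:00"},
    {"ip": "10.1.1.7", "mac": "cc:dd:ee:ff:00:11", "host": "guest-tablet-01",
     "start": "2017-06-01T11:15:00", "end": "2017-06-01T13:15:00"},
]

# Constructed DNS security events as the DNS side would publish them. The topic name
# and field names are assumptions, not a DXL or Infoblox message schema.
DNS_EVENTS = [
    {"topic": "/dns/threat/detected", "time": "2017-06-01T10:00:03", "client_ip": "10.1.1.9",
     "qname": "a1b2c3d4e5f60789f0e1d2c3b4a59687.exfil-demo.test",
     "category": "dns-tunneling", "ioc": "exfil-demo.test"},
    {"topic": "/dns/threat/detected", "time": "2017-06-01T11:30:00", "client_ip": "10.1.1.7",
     "qname": "login.phish-demo.test", "category": "phishing", "ioc": "phish-demo.test"},
    {"topic": "/dns/threat/detected", "time": "2017-06-01T12:00:00", "client_ip": "10.1.1.50",
     "qname": "update.c2-demo.test", "category": "malware-c2", "ioc": "c2-demo.test"},
]

# Assumed priority policy keyed on the threat category reported by the DNS side.
SEVERITY = {"dns-tunneling": "high", "malware-c2": "high", "phishing": "medium"}


class TopicBus:
    """Minimal in-process publish/subscribe bus standing in for DXL (assumption)."""

    def __init__(self):
        self._subscribers = {}

    def subscribe(self, topic, handler):
        self._subscribers.setdefault(topic, []).append(handler)

    def publish(self, topic, payload):
        wire = json.dumps(payload)  # serialize once; every subscriber gets its own copy
        for handler in self._subscribers.get(topic, []):
            handler(json.loads(wire))


def lease_at(ip, when, leases=DHCP_LEASES):
    """Return the lease that covered `ip` at time `when`, or None if there was none."""
    t = datetime.fromisoformat(when)
    for lease in leases:
        if (lease["ip"] == ip
                and datetime.fromisoformat(lease["start"]) <= t
                < datetime.fromisoformat(lease["end"])):
            return lease
    return None


def correlate(event, leases=DHCP_LEASES):
    """SIEM-side enrichment: attribute the event to a device and assign a priority."""
    lease = lease_at(event["client_ip"], event["time"], leases)
    alert = {
        "ioc": event["ioc"], "category": event["category"],
        "client_ip": event["client_ip"], "time": event["time"],
        "severity": SEVERITY.get(event["category"], "low"),
        "attributed": lease is not None,
        "mac": lease["mac"] if lease else None,
        "host": lease["host"] if lease else None,
    }
    if lease is None:
        alert["note"] = "no DHCP lease covered this IP at event time; attribute manually"
    return alert


def run_pipeline(events=DNS_EVENTS, leases=DHCP_LEASES):
    """Wire a SIEM-style subscriber to the bus and replay the events through it."""
    bus = TopicBus()
    alerts = []
    bus.subscribe("/dns/threat/detected", lambda ev: alerts.append(correlate(ev, leases)))
    for event in events:
        bus.publish(event["topic"], event)
    return alerts


if __name__ == "__main__":
    for alert in run_pipeline():
        print(json.dumps(alert))
```

The second event lands at 11:30, after the engineering desktop's lease on 10.1.1.7 ended and while the guest tablet held the address, so it is attributed to the tablet; an analyst working from the current lease table or from the IP alone would chase the wrong device. The third event has no covering lease and is kept as an unattributed high-severity alert rather than dropped.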