By Bob Rose, Sr. Product Marketing Manager, Solutions Marketing & DDI Value-Added Services at Infoblox
DNS provides extensive insight into what’s actually happening on an organization’s network—whether on-premises or in a hybrid, multi-cloud environment. When (and not if) you’re attacked, your ability to effectively lessen the impact depends on automated, real-time detection, visibility, threat context, triage, communications and quick defensive action. Yet for many companies, it takes an average of 197 days—over 6.5 months—just to identify a breach and another 69 days on average to contain it. But with DNS, real-time network data is already available on the network, so the journey begins with discovering that data, putting it in context and knowing how to access it.
Get 100+ Customizable DNS Security Reports
These DNS security reports are just a sampling of the over 100 customizable dashboards and reports available to increase network visibility, protect data and infrastructure, and automate and better manage network security and operations. For more information, download your copy of the Sample Report Guide today.
While DNS threats and attacks are growing, Infoblox Reporting and Analytics, integrated with core network services, can make security threats visible in real time for quick response and remediation. This helps organizations detect three major attack categories—DNS NXDOMAIN / NOERROR, malware and tunneling, and DNS RPZ violations—to better protect infrastructure and data.
DNS NXDOMAIN / NOERROR
DNS attacks target network infrastructure to compromise availability. A barrage of DNS queries can quickly fill up the DNS server cache with non-existent domains. When it is full, the network grinds to a halt and legitimate queries don’t get answered quickly, if at all.
The Infoblox Reporting & Analytics NXDOMAIN / NOERROR report helps network teams quickly identify problems with domains or clients that have been mistyped, misspelled, misconfigured, renamed, changed, expired or removed, by showing live queries actively seeking the target. For security teams, this report identifies when a client is doing something harmful on the network.
The NXDOMAIN / NOERROR report is a standard report available through the DNS Dashboard and requires Advanced DNS Protection (ADP). Filtering is robust, flexible and intuitive, making it quick and easy to get the needed information. Flexible configurations can be set for monitored timeframes, data displays (e.g., from visualized bar charts to raw data tables), top domains identified, filtering by members, DNS views and more. The Splunk interface allows a view of the raw dataset, and custom dashboards or reports can be created without starting from scratch. This gives enterprise IT teams quick visibility into a troubled or malware-infected domain rather than finding out long after the damage is done.
Top Malware and DNS Tunneling by Client
This report lists clients with the most outbound queries (via Response Policy Zone (RPZ) hits) and DNS tunneling activities in a given timeframe. For network and security teams, it identifies the top infected clients making outbound malicious queries. It also identifies IP addresses tied to DNS tunneling, helps prioritize DNS security efforts to prevent malware spread and damage, and reveals bad actors trying to exfiltrate data from the network.
It is accessed through the security dashboard along with a variety of filters. BloxOne Threat Defense displays the top client IP culprits, the number of associated tunneling events, the number of malicious queries and the date/time last seen. The admin can drill down for historical data and sort by the top number of queries, the most recent or the most prolific to identify and stop bad actors engaged in malware or data exfiltration activities.
DNS Top RPZ Hits
The DNS Top RPZ Hits report shows which clients have the most malicious activity, using threat intel RPZ rules defined through BloxOne Threat Defense. Network admins need to know which clients are conducting harmful DNS queries for monitoring and pre-emptive action. Security admins need to identify malicious clients and domains, both in real time and historically, to cut response time for damage mitigation and resolution.
Powerful search and flexible filtering can quickly parse out the domains that are of major concern, so the security team can initiate virus scans or take further action. This report can also be saved to run automatically at regular intervals, and if rules are violated, it can be programmed to trigger alerts, transfer processing files, run scripts, send emails, share data with the security ecosystem and more.
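The NXDOMAIN / NOERROR and Top RPZ Hits views described above reduce to a few aggregations over DNS response logs. The following is an added example, not Infoblox code or a real Infoblox log format: it parses constructed log lines in a simplified, hypothetical format (client, query name, response code and an optional RPZ policy-zone tag) and builds top-N views of NXDOMAIN answers and RPZ hits per client and per domain, keeping RPZ-rewritten NXDOMAIN answers out of the plain NXDOMAIN count so the two views don't double-count.

```python
from collections import Counter
from typing import NamedTuple, Optional
# Constructed sample lines (hypothetical format): <time> <client> <qname> <rcode> [rpz=<zone>]
SAMPLE_LOG = """\
2024-05-01T10:00:01 192.0.2.10 www.example.com NOERROR
2024-05-01T10:00:02 192.0.2.10 mail.example.com NOERROR
2024-05-01T10:00:02 192.0.2.55 kz9q1x.example.net NXDOMAIN
2024-05-01T10:00:02 192.0.2.55 p0r4mt.example.net NXDOMAIN
2024-05-01T10:00:03 192.0.2.55 v8l2ja.example.net NXDOMAIN
2024-05-01T10:00:03 192.0.2.55 e3u7qn.example.net NXDOMAIN
2024-05-01T10:00:04 192.0.2.23 bad-c2.example.org NXDOMAIN rpz=malware.rpz.local
2024-05-01T10:00:05 192.0.2.23 bad-c2.example.org NXDOMAIN rpz=malware.rpz.local
2024-05-01T10:00:06 192.0.2.10 phish.example.org NXDOMAIN rpz=phishing.rpz.local
2024-05-01T10:00:07 192.0.2.10 wwww.example.com NXDOMAIN
"""

class Record(NamedTuple):
    ts: str
    client: str
    qname: str
    rcode: str
    rpz: Optional[str]  # policy zone that rewrote the answer, if any

def parse_log(text):
    records = []
    for line in text.splitlines():
        f = line.split()
        if len(f) < 4:
            continue  # blank or truncated line
        rpz = next((x[4:] for x in f[4:] if x.startswith("rpz=")), None)
        records.append(Record(f[0], f[1], f[2], f[3], rpz))
    return records

def nxdomain_by_client(records, top=5):
    # RPZ rewrites also answer NXDOMAIN, so exclude them here; they are
    # counted by the RPZ views below instead of polluting this one.
    return Counter(r.client for r in records
                   if r.rcode == "NXDOMAIN" and r.rpz is None).most_common(top)

def rpz_hits_by_client(records, top=5):
    return Counter(r.client for r in records if r.rpz).most_common(top)

def rpz_hits_by_domain(records, top=5):
    return Counter((r.qname, r.rpz) for r in records if r.rpz).most_common(top)

def nxdomain_ratio(records):
    # Share of each client's answers that were non-RPZ NXDOMAIN; a high ratio flags a random-subdomain flood or a broken client.
    total = Counter(r.client for r in records)
    nx = Counter(r.client for r in records if r.rcode == "NXDOMAIN" and not r.rpz)
    return {c: round(nx[c] / total[c], 2) for c in total}
```

On the constructed sample, 192.0.2.55 tops the NXDOMAIN view with every one of its answers negative, while 192.0.2.23 shows up only in the RPZ views, which is the separation the two reports are meant to give.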
A rapidly expanding threat surface and the increase in bad actors seeking to infiltrate networks and extract sensitive information are complicating the situation for enterprises. Users are now accessing cloud applications anytime, anywhere, from a growing number of devices. Remote and branch offices with direct Internet access are seldom fully protected by the headquarters security suite. And endpoints such as lightweight IoT devices are susceptible without robust endpoint security. In such a volatile scenario, it is essential for partners to keep their customers one step ahead of cyberattacks. Improving threat visibility with actionable reporting features is a powerful way to achieve this goal.
Author Bio:
Bob Rose
Sr. Product Marketing Manager, Solutions Marketing & DDI Value-Added Services at Infoblox
Bob has over 25 years of mid-to-senior level experience in B2B and B2C product marketing, product, project, program and partner management. This includes 14 years in technology (DDI, RPA, fintech, wireless and mobile apps, GIS and biometrics), 9 years in financial services, 3 years in healthcare and 2 years in manufacturing. He did his post-graduate work in Project Management and Quality and holds a Marketing Management BBA from Pacific Lutheran University in Tacoma, WA. He spends his personal time engaged in adult and youth ministries, coaching and watching soccer (go Liverpool FC & Sounders FC), sailing, camping, and listening to a variety of Christian, jazz and instrumental music.