Gaining Security Insight Through DNS Analytics

Transcription

1 Gaining Security Insight Through DNS Analytics v Scott Penney Director of Cyber Security Solutions, BlueCat Networks

2 Agenda Welcome to the Jungle Why DNS Matters Deal with the Facts The Power of DNS Q&A

3 Welcome to the Jungle

4 IT Sprawl is out of Control 4.9 Billion Things Connected in Million Smart Phones Delivered in % of Mobile Professionals Work on Personal Devices 2 Billion Mobile Devices Shipped in % of Smart Phones used in BYoD Environments Only 1 in 3 Companies Know How Many Vendors Use their Infrastructure Source: Gartner (

5 IT Moving from CENTER to the EDGE Business drivers demand DISTRIBUTED RESOURCES to meet local needs, which brings additional CHALLENGES Added Risk More attack surface is exposed Untrusted/managed devices Loss of visibility Reduced Control Costly infrastructure to deploy Absence of standards & practices Lack of policy enforcement

6 Millions of Records And What is the Result? $ $60 $50 Security spending has increased by 49% from 2010 to $37 $40 $30 $20 Billions Spent The number of records stolen and exposed through security breaches has increased 200x over same period 200 Increasing spending on more $10 $0 solutions isn t working; we need a new paradigm Sources: Verizon, Information is Beautiful, RBS, Gartner, Forrester

7 Where to Focus? Prevention is a failed strategy. Amit Yoran, President, RSA RSA Conference 2016

8 Prevention or Detection? Organizations are focused on PREVENTION of breaches 93% use Anti-virus/Anti-malware tools 82% use Perimeter Firewalls 65% use Intrusion Prevention Systems 52% use Unified Threat Management (UTM) Systems But when breached, attackers have days before they are DETECTED Organizations need to leverage the power of what they already have to address this detection gap

9 Why DNS Matters

10 DNS is Foundational Perimeter Security: Firewalls, Content Filters, Honeypots, etc. Network Security: IDS/IPS, NAC, DLP, Messaging, etc. Endpoint Security: AV, DLP, Patch Mgmt., Client Firewalls, IDS/IPS, etc. Application Security: WAF, DB Security, Code Scanners, etc. Data Security: Encryption, IDAM, DLP, Integrity, DRM

11 DNS is Foundational Perimeter Security: Firewalls, Content Filters, Honeypots, etc. Network Security: IDS/IPS, NAC, DLP, Messaging, etc. Endpoint Security: AV, DLP, Patch Mgmt., Client Firewalls, IDS/IPS, etc. Data Security: Encryption, IDAM, DLP, Integrity, DRM Application Security: WAF, DB Security, Code Scanners, etc. DNS Security: Foundation/Visibility/Enfor cement

12 DNS is a PERVASIVE SENSOR DNS signals INTENT DNS shows BEHAVIOR All device types All protocols All locations Managed AND Unmanaged Corporate AND Guest Center AND Edge DNS is REAL TIME

13 DNS is an IDEAL ENFORCER Enforce at every level Client Network Enterprise Configurable Policies White & Black Lists Geographic Time-based Risk-based

14 DNS is Untapped Potential 56% of Large Orgs Don t Capture DNS Data 63% of Small Orgs Don t Capture DNS Data Of Those Paying Attention only 75% actually look at it Source: BlueCat Networks/UBM Survey

15 Insight Through DNS Analytics The Power of DNS Lets You: 1. See threats emerge before they become known 2. Gain equal visibility into internal and external activity 3. Understand who (and what) is accessing your infrastructure 4. Monitor the activity of all users and devices in real time 5. Protect and control across all device types

16 Deal with the FACTS Gain insights to improve security

17 Data Versus Facts Data is of course important in manufacturing, but I place the greatest emphasis on facts. Taiichi Ohno, Toyota Motor Corporation Father of Lean Manufacturing

18 The Big Data Challenge A Cautionary Tale 3.8 Trillion Queries Per Week Actual query volume from a very large financial institution All of which is logged in a very expensive database And all they have is a really big log file, but no FACTS

19 Deriving FACTS from DNS Data awertkin bash x Oct :27: queries: info: client #65503 ( view default: query: IN A + 07-Oct :27: rpz: info: client #65503 ( view default: rpz QNAME PASSTHRU rewrite via 07-Oct :27: queries: info: client #64055 ( view default: query: IN A + 07-Oct :27: queries: info: client #60475 ( view default: query: IN A + 07-Oct :27: queries: info: client #50627 (vortex-win.data.microsoft.com): view default: query: vortexwin.data.microsoft.com IN A + 07-Oct :27: queries: info: client #64418 (www6vdc.memberdirect.net): view default: query: www6vdc.memberdirect.net IN A + 07-Oct :27: queries: info: client #55013 (configuration.apple.com): view default: query: configuration.apple.com IN A + 07-Oct :27: queries: info: client #51806 (safebrowsing.google.com): view default: query: safebrowsing.google.com IN A + 07-Oct :27: queries: info: client #40353 (i.instagram.com): view default: query: i.instagram.com IN A + 07-Oct :27: queries: info: client #45134 (i.instagram.com): view default: query: i.instagram.com IN A + 07-Oct :27: queries: info: client #49610 (mex06. srvr.com): view default: query: mex06. srvr.com IN A + 07-Oct :27: queries: info: client #49610 (mex06. srvr.com): view default: query: mex06. srvr.com IN AAAA + 07-Oct :27: queries: info: client #50659 (mex06. srvr.com): view default: query: mex06. srvr.com IN A + 07-Oct :27: queries: info: client #64745 ( IN-ADDR.ARPA): view default: query: IN- ADDR.ARPA IN PTR + 07-Oct :27: queries: info: client #28671 (logger.instagram.com): view default: query: logger.instagram.com IN A + 07-Oct :27: queries: info: client #56385 (changelogs.ubuntu.com): view default: query: changelogs.ubuntu.com IN A + 07-Oct :27: queries: info: client #56385 (changelogs.ubuntu.com): view default: query: changelogs.ubuntu.com IN AAAA + 07-Oct :27: queries: info: client #39537 (mex06. srvr.com): view default: query: mex06. srvr.com IN A + 07-Oct :27: queries: info: client #39537 (mex06. srvr.com): view default: query: mex06. srvr.com IN AAAA + 07-Oct :27: queries: info: client #59225 (c.na2.content.force.com): view default: query: c.na2.content.force.com IN A + 07-Oct :27: queries: info: client #61701 (pixel.quantserve.com): view default: query: pixel.quantserve.com IN A + 07-Oct :27: queries: info: client #52411 (_ldap._tcp.bcntoronto._sites.tordc02.bluecatnetworks.corp): view default: query: _ldap._tcp.bcntoronto._sites.tordc02.bluecatnetworks.corp IN SRV + 07-Oct :27: queries: info: client #7248 (i.instagram.com): view default: query: i.instagram.com IN A + 07-Oct :27: queries: info: client #23910 (i.instagram.com): view default: query: i.instagram.com IN A + 07-Oct :27: queries: info: client #28671 (logger.instagram.com): view default: query: logger.instagram.com IN A + 07-Oct :27: queries: info: client #15578 (wifi-test.mobidia.com): view default: query: wifi-test.mobidia.com IN A + 07-Oct :27: queries: info: client #32801 (settings.crashlytics.com): view default: query: settings.crashlytics.com IN A + 07-Oct :27: queries: info: client #52184 (engine.adzerk.net): view default: query: engine.adzerk.net IN A + 07-Oct :27: queries: info: client #22675 (mex06. srvr.com): view default: query: mex06. srvr.com IN A + 07-Oct :27: queries: info: client #38248 (mex06. srvr.com): view default: query: mex06. srvr.com IN A + 07-Oct :27: queries: info: client #38248 (mex06. srvr.com): view default: query: mex06. srvr.com IN AAAA + 07-Oct :27: queries: info: client #47975 (mex06. srvr.com): view default: query: mex06. srvr.com IN A + 07-Oct :27: queries: info: client #47975 (mex06. srvr.com): view default: query: mex06. srvr.com IN AAAA + 07-Oct :27: queries: info: client #42115 (mex06. srvr.com): view default: query: mex06. srvr.com IN A + 07-Oct :27: queries: info: client #42115 (mex06. srvr.com): view default: query: mex06. srvr.com IN AAAA + 07-Oct :27: queries: info: client #34946 ( in-addr.arpa): view default: query: inaddr.arpa IN PTR + 07-Oct :27: queries: info: client #54119 (4.umps2c2.salesforce.com): view default: query: 4.umps2c2.salesforce.com IN A + 07-Oct :27: queries: info: client #59652 (umps2c2.salesforce.com): view default: query: umps2c2.salesforce.com IN A + 07-Oct :27: queries: info: client #35414 (mex06. srvr.com): view default: query: mex06. srvr.com IN A + 07-Oct :27: queries: info: client #35414 (mex06. srvr.com): view default: query: mex06. srvr.com IN AAAA + 07-Oct :27: queries: info: client #64208 (3.umps2c2.salesforce.com): view default: query: 3.umps2c2.salesforce.com IN A +

20 DNS SECURITY Deriving FACTS from DNS Data awertkin bash x Oct :27: queries: info: client #7248 (i.instagram.com): view default: query: i.instagram.com IN A + 07-Oct :27: queries: info: client #23910 (i.instagram.com): view default: query: i.instagram.com IN A + 07-Oct :27: queries: info: client #28671 (logger.instagram.com): view default: query: logger.instagram.com IN A + 07-Oct :27: queries: info: client #15578 (wifi-test.mobidia.com): view default: query: wifi-test.mobidia.com IN A + 07-Oct :27: queries: info: client #32801 (settings.crashlytics.com): view default: query: settings.crashlytics.com IN A + A C T I V I T Y S I G N A T U R E I D E N T I F I E D : S t a r t - u p s e q u e n c e f o r a p p l i c a t i o n

21 Deriving FACTS from DNS Data awertkin bash x Oct :27: queries: info: client #7248 (i.instagram.com): view default: query: i.instagram.com IN A + 07-Oct :27: queries: info: client #23910 (i.instagram.com): view default: query: i.instagram.com IN A + 07-Oct :27: queries: info: client #28671 (logger.instagram.com): view default: query: logger.instagram.com IN A + 07-Oct :27: queries: info: client #15578 (wifi-test.mobidia.com): view default: query: wifi-test.mobidia.com IN A + 07-Oct :27: queries: info: client #32801 (settings.crashlytics.com): view default: query: settings.crashlytics.com IN A + A C T I V I T Y S I G N A T U R E I D E N T I F I E D : S t a r t - u p s e q u e n c e f o r a p p l i c a t i o n F A C T C A T A L O G E D 07-Oct-2015 C l i e n t A p p l i c a t i o n I d e n t i f i e d : I n s t a g r a m CATALOG LOGGED FACT ACTIVITY SIGNATURE 07-Oct-2015 APP: Dropbox Communication Fre 07-Oct-2015 APP: WhatsApp Startup Sequence 07-Oct-2015 APP: Instagram Startup Sequence

22 Deriving FACTS from DNS Data awertkin bash x Oct :27: queries: info: client #32801 (whatsmyip.net): view default: query: whatsmyip.net IN A + 07-Oct :28: queries: info: client #7248 (whatsmyip.net): view default: query: whatsmyip.net IN A + 07-Oct :29: queries: info: client #23910 (whatsmyip.net): view default: query: whatsmyip.net IN A + 07-Oct :30: queries: info: client #28671 (whatsmyip.net): view default: query: whatsmyip.net IN A + A C T I V I T Y S I G N A T U R E I D E N T I F I E D : R e p e a t e d q u e r y i n t e r v a l s 07-Oct :31: queries: info: client #15578 (whatsmyip.net): view default: query: whatsmyip.net IN A + CATALOG LOGGED FACT ACTIVITY SIGNATURE 07-Oct-2015 APP: Dropbox Communication Fre 07-Oct-2015 APP: WhatsApp Startup Sequence 07-Oct-2015 APP: Instagram Startup Sequence

23 Deriving FACTS from DNS Data awertkin bash x Oct :27: queries: info: client #32801 (whatsmyip.net): view default: query: whatsmyip.net IN A + 07-Oct :28: queries: info: client #7248 (whatsmyip.net): view default: query: whatsmyip.net IN A + 07-Oct :29: queries: info: client #23910 (whatsmyip.net): view default: query: whatsmyip.net IN A + 07-Oct :30: queries: info: client #28671 (whatsmyip.net): view default: query: whatsmyip.net IN A + 07-Oct :31: queries: info: client #15578 (whatsmyip.net): view default: query: whatsmyip.net IN A + A C T I V I T Y S I G N A T U R E I D E N T I F I E D : R e p e a t e d q u e r y i n t e r v a l s B e a c o n i n g F A C T C A T A L O G E D 07- O c t S e c u r i t y T h r e a t I d e n t i f i e d : M A L W A R E [ w h a t s m y i p. n e t ] CATALOG LOGGED FACT ACTIVITY SIGNATURE 07-Oct-2015 APP: Dropbox Communication Fre 07-Oct-2015 APP: WhatsApp Startup Sequence 07-Oct-2015 APP: Instagram Startup Sequence 07-Oct-2015 MALWARE: whats Query Intervals

24 Deriving FACTS from DNS Data awertkin bash x Oct :27: queries: info: client #60830 (c504.leet.cc): view default: query: c504.leet.cc IN A + A C T I V I T Y S I G N A T U R E I D E N T I F I E D : N e w l y O b s e r v e d D o m a i n CATALOG LOGGED FACT ACTIVITY SIGNATURE 07-Oct-2015 APP: Dropbox Communication Fre 07-Oct-2015 APP: WhatsApp Startup Sequence 07-Oct-2015 APP: Instagram Startup Sequence 07-Oct-2015 MALWARE: whats Query Intervals

25 Deriving FACTS from DNS Data awertkin bash x Oct :27: queries: info: client #60830 (c504.leet.cc): view default: query: c504.leet.cc IN A + A C T I V I T Y S I G N A T U R E I D E N T I F I E D : N e w l y O b s e r v e d D o m a i n F A C T C A T A L O G E D 07- O c t S e c u r i t y T h r e a t I d e n t i f i e d : S u s p e c t A c t i v i t y [ l e e t. c c ] CATALOG LOGGED FACT ACTIVITY SIGNATURE 07-Oct-2015 APP: Dropbox Communication Fre 07-Oct-2015 APP: WhatsApp Startup Sequence 07-Oct-2015 APP: Instagram Startup Sequence 07-Oct-2015 MALWARE: whats Query Intervals 07-Oct-2015 Suspect: leet.cc Newly Observed Domain

26 The Power of DNS Analytics to drive better security

27 DNS as a Sensor and Enforcer What can DNS do for you? Provide instant VISIBILITY into what s on your infrastructure Identify BEHAVIOR that is suspicious, regardless of the cause CONTROL access to resources or data BLOCK known threats before they manifest

28 DNS Gives the Facts You Need to Secure Your Network #1 Leverage What You Have Avoid complexity & cost No more layers Mine the data you already have #2 Increase Your Visibility Use a pervasive technology to gain insight Detect events faster to save time, money, and reputation Utilize the adaptive nature of DNS Stop playing catch-up to new threats #3 Get More Control Enforce policies across any device or user type Use DNS to assess risk and decide on action Secure remote locations without costly infrastructure Use dependence on DNS against the bad guys

29 Questions?

30