![Page 1: v Gaining Security Insight Through DNS Analytics BlueCat Power of … · Gaining Security Insight Through DNS Analytics Scott Penney Director of Cyber Security Solutions, BlueCat](https://reader033.vdocument.in/reader033/viewer/2022042915/5f535c414ae00421e4471640/html5/thumbnails/1.jpg)
Gaining Security Insight Through DNS Analytics
Scott Penney
Director of Cyber Security Solutions, BlueCat Networks
Agenda
Welcome to the Jungle
Why DNS Matters
Deal with the Facts
The Power of DNS
Q&A
Welcome to the Jungle
IT Sprawl is Out of Control
– 4.9 billion "things" connected in 2016
– 480 million smartphones delivered in 2016
– 65% of smartphones used in BYoD environments
– 2 billion mobile devices shipped in 2016
– 70% of mobile professionals work on personal devices
– Only 1 in 3 companies know how many vendors use their infrastructure
Source: Gartner (http://www.gartner.com/newsroom/id/3165317)
IT Moving from CENTER to the EDGE…
Business drivers demand DISTRIBUTED RESOURCES to meet local needs, which brings additional CHALLENGES
Added Risk
– More attack surface is exposed
– Untrusted or unmanaged devices
– Loss of visibility
Reduced Control
– Costly infrastructure to deploy
– Absence of standards & practices
– Lack of policy enforcement
And What is the Result?
[Chart, 2010 to 2014: security spending in billions spent ($37 in 2010 rising to $55 in 2014) plotted against records stolen in millions of records]
– Security spending has increased by 49% from 2010 to 2014
– The number of records stolen and exposed through security breaches has increased 200x over the same period
– Increasing spending on more solutions isn't working; we need a new paradigm
Sources: Verizon, Information is Beautiful, RBS, Gartner, Forrester
Where to Focus?
“Prevention is a failed strategy.”
Amit Yoran, President, RSA
RSA Conference 2016
Prevention or Detection?
Organizations are focused on PREVENTION of breaches
– 93% use Anti-virus/Anti-malware tools
– 82% use Perimeter Firewalls
– 65% use Intrusion Prevention Systems
– 52% use Unified Threat Management (UTM) Systems
But when breached, attackers have 200-250 days before they are DETECTED
Organizations need to leverage the power of what they already have to address this detection gap
Why DNS Matters
DNS is Foundational
Network Security: IDS/IPS, NAC, DLP, Messaging, etc.
Perimeter Security: Firewalls, Content Filters, Honeypots, etc.
Endpoint Security: AV, DLP, Patch Mgmt., Client Firewalls, IDS/IPS, etc.
Data Security: Encryption, IDAM, DLP, Integrity, DRM
Application Security: WAF, DB Security, Code Scanners, etc.
DNS Security: Foundation / Visibility / Enforcement
DNS is a PERVASIVE SENSOR
DNS signals INTENT
DNS shows BEHAVIOR
– All device types
– All protocols
– All locations
– Managed AND Unmanaged
– Corporate AND Guest
– Center AND Edge
DNS is REAL TIME
DNS is an IDEAL ENFORCER
Enforce at every level
– Client
– Network
– Enterprise
Configurable Policies
– White & Black Lists
– Geographic
– Time-based
– Risk-based
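The white/black-list part of this policy list is what a BIND Response Policy Zone (RPZ) implements, and the `rpz QNAME PASSTHRU rewrite www.google.com via www.google.com.allowed` line in the query log later in this deck is exactly such a rule firing. The script below is an added example, not BlueCat code: it renders RPZ zone files and the matching `response-policy` statement. The zone names `allowed` and `blocked`, the domains and the quarantined client address are assumptions chosen for illustration.

```python
"""Build BIND Response Policy Zones (RPZ) from allow/deny policy.
Added example (not BlueCat's code); zone names and entries are assumed."""
import ipaddress
from typing import Iterable, List

# RPZ expresses the action as the CNAME target of the rule (BIND ARM, "Response Policy Zone").
NXDOMAIN = "."               # CNAME .              -> client gets NXDOMAIN
NODATA = "*."                # CNAME *.             -> client gets an empty answer
PASSTHRU = "rpz-passthru."   # CNAME rpz-passthru.  -> real answer, no rewrite
DROP = "rpz-drop."           # CNAME rpz-drop.      -> query is dropped silently


def qname_rules(domain: str, action: str, subdomains: bool = True) -> List[str]:
    """QNAME trigger: the owner name is the domain itself, relative to the RPZ apex.
    A wildcard owner covers every label below it (c504.leet.cc matches *.leet.cc)."""
    rules = [f"{domain} CNAME {action}"]
    if subdomains:
        rules.append(f"*.{domain} CNAME {action}")
    return rules


def client_ip_rule(cidr: str, action: str) -> str:
    """CLIENT-IP trigger: '<prefixlen>.<address octets reversed>.rpz-client-ip'.
    Matches every query from that client or subnet, e.g. to quarantine a beaconing
    host (a hostname as the action redirects it to a walled garden instead)."""
    net = ipaddress.ip_network(cidr, strict=False)
    if net.version != 4:
        raise ValueError("IPv4 only in this example")
    reversed_octets = ".".join(reversed(str(net.network_address).split(".")))
    return f"{net.prefixlen}.{reversed_octets}.rpz-client-ip CNAME {action}"


def render_zone(zone: str, rules: Iterable[str], serial: int = 1) -> str:
    """Minimal zone file. SOA and NS are required even though nobody resolves them;
    the short TTL keeps the resolver's view of the policy fresh."""
    lines = [
        f"$ORIGIN {zone}.",
        "$TTL 60",
        f"@ IN SOA localhost. hostmaster.{zone}. {serial} 3600 900 604800 60",
        "@ IN NS localhost.",
        *rules,
    ]
    return "\n".join(lines) + "\n"


def named_conf_response_policy(zones: List[str]) -> str:
    """Zones are consulted in the order listed: with the allow zone first, a
    PASSTHRU for a business-critical name always wins over a later block rule."""
    body = " ".join(f'zone "{z}";' for z in zones)
    return f"response-policy {{ {body} }};"


def build_policy(allow: List[str], block: List[str], quarantine: List[str]):
    """Return (named.conf statement, {zone name: zone text}) for the three lists."""
    allowed = [r for d in allow for r in qname_rules(d, PASSTHRU)]
    blocked = [r for d in block for r in qname_rules(d, NXDOMAIN)]
    blocked += [client_ip_rule(c, NXDOMAIN) for c in quarantine]
    zones = {"allowed": render_zone("allowed", allowed),
             "blocked": render_zone("blocked", blocked)}
    return named_conf_response_policy(list(zones)), zones


if __name__ == "__main__":
    conf, zones = build_policy(allow=["www.google.com"],      # assumed policy
                               block=["suspect.example"],
                               quarantine=["172.16.21.189/32"])
    print(conf)
    for text in zones.values():
        print(text)
```

Geographic, time-based and risk-based policies are not static zone data: they need a process that regenerates the zone, or pushes dynamic updates into it, as its inputs change. RPZ also only governs clients that actually use the corporate resolver; egress filtering of port 53 and of public DNS-over-HTTPS endpoints is what stops a device from simply asking someone else.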
DNS is Untapped Potential
56% of Large Orgs Don’t Capture DNS Data
63% of Small Orgs Don’t Capture DNS Data
Source: BlueCat Networks/UBM Survey
Of those paying attention, only 75% actually look at it
Insight Through DNS Analytics
The Power of DNS Lets You:
1. See threats emerge before they become “known”
2. Gain equal visibility into internal and external activity
3. Understand who (and what) is accessing your infrastructure
4. Monitor the activity of all users and devices in real time
5. Protect and control across all device types
Deal with the FACTS
Gain insights to improve security
Data Versus Facts
“Data is of course important in manufacturing,
but I place the greatest emphasis on facts.”
Taiichi Ohno, Toyota Motor Corporation
Father of Lean Manufacturing
The Big Data Challenge
A Cautionary Tale
3.8 Trillion Queries Per Week
– Actual query volume from a very large financial institution
– All of which is logged in a very expensive database
– And all they have is a really big log file, but no FACTS
Deriving FACTS from DNS Data
```text
07-Oct-2015 19:27:03.760 queries: info: client 172.16.5.197#65503 (www.google.com): view default: query: www.google.com IN A + (172.16.3.4)
07-Oct-2015 19:27:03.760 rpz: info: client 172.16.5.197#65503 (www.google.com): view default: rpz QNAME PASSTHRU rewrite www.google.com via www.google.com.allowed
07-Oct-2015 19:27:03.762 queries: info: client 172.16.5.197#64055 (www.ohare-airport.org): view default: query: www.ohare-airport.org IN A + (172.16.3.4)
07-Oct-2015 19:27:03.762 queries: info: client 172.16.5.197#60475 (www.rosemont.com): view default: query: www.rosemont.com IN A + (172.16.3.4)
07-Oct-2015 19:27:03.775 queries: info: client 172.16.21.37#50627 (vortex-win.data.microsoft.com): view default: query: vortex-win.data.microsoft.com IN A + (172.16.3.4)
07-Oct-2015 19:27:03.857 queries: info: client 172.16.21.157#64418 (www6vdc.memberdirect.net): view default: query: www6vdc.memberdirect.net IN A + (172.16.3.4)
07-Oct-2015 19:27:03.873 queries: info: client 172.16.21.51#55013 (configuration.apple.com): view default: query: configuration.apple.com IN A + (172.16.3.4)
07-Oct-2015 19:27:03.894 queries: info: client 172.16.5.131#51806 (safebrowsing.google.com): view default: query: safebrowsing.google.com IN A + (172.16.3.4)
07-Oct-2015 19:27:03.898 queries: info: client 172.16.21.189#40353 (i.instagram.com): view default: query: i.instagram.com IN A + (172.16.3.4)
07-Oct-2015 19:27:03.899 queries: info: client 172.16.21.189#45134 (i.instagram.com): view default: query: i.instagram.com IN A + (172.16.3.4)
07-Oct-2015 19:27:03.956 queries: info: client 172.16.5.251#49610 (mex06.emailsrvr.com): view default: query: mex06.emailsrvr.com IN A + (172.16.3.4)
07-Oct-2015 19:27:03.957 queries: info: client 172.16.5.251#49610 (mex06.emailsrvr.com): view default: query: mex06.emailsrvr.com IN AAAA + (172.16.3.4)
07-Oct-2015 19:27:03.957 queries: info: client 172.16.5.251#50659 (mex06.emailsrvr.com): view default: query: mex06.emailsrvr.com IN A + (172.16.3.4)
07-Oct-2015 19:27:04.013 queries: info: client 172.16.1.1#64745 (83.169.31.172.IN-ADDR.ARPA): view default: query: 83.169.31.172.IN-ADDR.ARPA IN PTR + (172.16.3.4)
07-Oct-2015 19:27:04.021 queries: info: client 172.16.21.189#28671 (logger.instagram.com): view default: query: logger.instagram.com IN A + (172.16.3.4)
07-Oct-2015 19:27:04.106 queries: info: client 172.16.10.145#56385 (changelogs.ubuntu.com): view default: query: changelogs.ubuntu.com IN A + (172.16.3.4)
07-Oct-2015 19:27:04.106 queries: info: client 172.16.10.145#56385 (changelogs.ubuntu.com): view default: query: changelogs.ubuntu.com IN AAAA + (172.16.3.4)
07-Oct-2015 19:27:04.112 queries: info: client 172.16.5.251#39537 (mex06.emailsrvr.com): view default: query: mex06.emailsrvr.com IN A + (172.16.3.4)
07-Oct-2015 19:27:04.112 queries: info: client 172.16.5.251#39537 (mex06.emailsrvr.com): view default: query: mex06.emailsrvr.com IN AAAA + (172.16.3.4)
07-Oct-2015 19:27:04.139 queries: info: client 172.16.10.168#59225 (c.na2.content.force.com): view default: query: c.na2.content.force.com IN A + (172.16.3.4)
07-Oct-2015 19:27:04.225 queries: info: client 172.16.8.57#61701 (pixel.quantserve.com): view default: query: pixel.quantserve.com IN A + (172.16.3.4)
07-Oct-2015 19:27:04.253 queries: info: client 172.16.7.155#52411 (_ldap._tcp.BCNToronto._sites.TORDC02.bluecatnetworks.corp): view default: query: _ldap._tcp.BCNToronto._sites.TORDC02.bluecatnetworks.corp IN SRV + (172.16.3.4)
07-Oct-2015 19:27:04.266 queries: info: client 172.16.21.189#7248 (i.instagram.com): view default: query: i.instagram.com IN A + (172.16.3.4)
07-Oct-2015 19:27:04.266 queries: info: client 172.16.21.189#23910 (i.instagram.com): view default: query: i.instagram.com IN A + (172.16.3.4)
07-Oct-2015 19:27:04.269 queries: info: client 172.16.21.189#28671 (logger.instagram.com): view default: query: logger.instagram.com IN A + (172.16.3.4)
07-Oct-2015 19:27:04.275 queries: info: client 172.16.21.189#15578 (wifi-test.mobidia.com): view default: query: wifi-test.mobidia.com IN A + (172.16.3.4)
07-Oct-2015 19:27:04.284 queries: info: client 172.16.21.189#32801 (settings.crashlytics.com): view default: query: settings.crashlytics.com IN A + (172.16.3.4)
07-Oct-2015 19:27:04.286 queries: info: client 172.16.8.57#52184 (engine.adzerk.net): view default: query: engine.adzerk.net IN A + (172.16.3.4)
07-Oct-2015 19:27:04.290 queries: info: client 172.16.21.189#22675 (mex06.emailsrvr.com): view default: query: mex06.emailsrvr.com IN A + (172.16.3.4)
07-Oct-2015 19:27:04.415 queries: info: client 172.16.5.251#38248 (mex06.emailsrvr.com): view default: query: mex06.emailsrvr.com IN A + (172.16.3.4)
07-Oct-2015 19:27:04.415 queries: info: client 172.16.5.251#38248 (mex06.emailsrvr.com): view default: query: mex06.emailsrvr.com IN AAAA + (172.16.3.4)
07-Oct-2015 19:27:04.533 queries: info: client 172.16.5.251#47975 (mex06.emailsrvr.com): view default: query: mex06.emailsrvr.com IN A + (172.16.3.4)
07-Oct-2015 19:27:04.533 queries: info: client 172.16.5.251#47975 (mex06.emailsrvr.com): view default: query: mex06.emailsrvr.com IN AAAA + (172.16.3.4)
07-Oct-2015 19:27:04.572 queries: info: client 172.16.5.251#42115 (mex06.emailsrvr.com): view default: query: mex06.emailsrvr.com IN A + (172.16.3.4)
07-Oct-2015 19:27:04.572 queries: info: client 172.16.5.251#42115 (mex06.emailsrvr.com): view default: query: mex06.emailsrvr.com IN AAAA + (172.16.3.4)
07-Oct-2015 19:27:04.586 queries: info: client 172.16.10.128#34946 (199.30.27.172.in-addr.arpa): view default: query: 199.30.27.172.in-addr.arpa IN PTR + (172.16.3.4)
07-Oct-2015 19:27:04.647 queries: info: client 172.16.5.93#54119 (4.umps2c2.salesforce.com): view default: query: 4.umps2c2.salesforce.com IN A + (172.16.3.4)
07-Oct-2015 19:27:04.650 queries: info: client 172.16.5.93#59652 (umps2c2.salesforce.com): view default: query: umps2c2.salesforce.com IN A + (172.16.3.4)
07-Oct-2015 19:27:04.686 queries: info: client 172.16.5.251#35414 (mex06.emailsrvr.com): view default: query: mex06.emailsrvr.com IN A + (172.16.3.4)
07-Oct-2015 19:27:04.686 queries: info: client 172.16.5.251#35414 (mex06.emailsrvr.com): view default: query: mex06.emailsrvr.com IN AAAA + (172.16.3.4)
07-Oct-2015 19:27:04.695 queries: info: client 172.16.5.93#64208 (3.umps2c2.salesforce.com): view default: query: 3.umps2c2.salesforce.com IN A + (172.16.3.4)
07-Oct-2015 19:27:04.931 queries: info: client 172.16.21.63#64580 (mex06.emailsrvr.com): view default: query: mex06.emailsrvr.com IN A + (172.16.3.4)
```
Deriving FACTS from DNS Data
ACTIVITY SIGNATURE IDENTIFIED: Start-up sequence for application
```text
07-Oct-2015 19:27:04.266 queries: info: client 172.16.21.189#7248 (i.instagram.com): view default: query: i.instagram.com IN A + (172.16.3.4)
07-Oct-2015 19:27:04.266 queries: info: client 172.16.21.189#23910 (i.instagram.com): view default: query: i.instagram.com IN A + (172.16.3.4)
07-Oct-2015 19:27:04.269 queries: info: client 172.16.21.189#28671 (logger.instagram.com): view default: query: logger.instagram.com IN A + (172.16.3.4)
07-Oct-2015 19:27:04.275 queries: info: client 172.16.21.189#15578 (wifi-test.mobidia.com): view default: query: wifi-test.mobidia.com IN A + (172.16.3.4)
07-Oct-2015 19:27:04.284 queries: info: client 172.16.21.189#32801 (settings.crashlytics.com): view default: query: settings.crashlytics.com IN A + (172.16.3.4)
```
Deriving FACTS from DNS Data
ACTIVITY SIGNATURE IDENTIFIED: Start-up sequence for application
FACT CATALOGED • 07-Oct-2015 • Client Application Identified: Instagram
CATALOG

| LOGGED | FACT | ACTIVITY SIGNATURE |
|---|---|---|
| 07-Oct-2015 | APP: Dropbox | Communication Fre… |
| 07-Oct-2015 | APP: WhatsApp | Startup Sequence |
| 07-Oct-2015 | APP: Instagram | Startup Sequence |
Deriving FACTS from DNS Data
ACTIVITY SIGNATURE IDENTIFIED: Repeated query intervals
```text
07-Oct-2015 19:27:03.768 queries: info: client 172.16.21.189#32801 (whatsmyip.net): view default: query: whatsmyip.net IN A + (172.16.3.4)
07-Oct-2015 19:28:03.768 queries: info: client 172.16.21.189#7248 (whatsmyip.net): view default: query: whatsmyip.net IN A + (172.16.3.4)
07-Oct-2015 19:29:03.768 queries: info: client 172.16.21.189#23910 (whatsmyip.net): view default: query: whatsmyip.net IN A + (172.16.3.4)
07-Oct-2015 19:30:03.768 queries: info: client 172.16.21.189#28671 (whatsmyip.net): view default: query: whatsmyip.net IN A + (172.16.3.4)
07-Oct-2015 19:31:03.768 queries: info: client 172.16.21.189#15578 (whatsmyip.net): view default: query: whatsmyip.net IN A + (172.16.3.4)
```
Deriving FACTS from DNS Data
ACTIVITY SIGNATURE IDENTIFIED: Repeated query intervals (Beaconing)
FACT CATALOGED • 07-Oct-2015 • Security Threat Identified: MALWARE [whatsmyip.net]
New catalog row: 07-Oct-2015 | MALWARE: whats… | Query Intervals
Deriving FACTS from DNS Data
```text
07-Oct-2015 19:27:06.319 queries: info: client 172.16.21.96#60830 (c504.leet.cc): view default: query: c504.leet.cc IN A + (172.16.3.4)
```
ACTIVITY SIGNATURE IDENTIFIED: Newly Observed Domain
Deriving FACTS from DNS Data
ACTIVITY SIGNATURE IDENTIFIED: Newly Observed Domain
FACT CATALOGED • 07-Oct-2015 • Security Threat Identified: Suspect Activity [leet.cc]
CATALOG

| LOGGED | FACT | ACTIVITY SIGNATURE |
|---|---|---|
| 07-Oct-2015 | APP: Dropbox | Communication Fre… |
| 07-Oct-2015 | APP: WhatsApp | Startup Sequence |
| 07-Oct-2015 | APP: Instagram | Startup Sequence |
| 07-Oct-2015 | MALWARE: whats… | Query Intervals |
| 07-Oct-2015 | Suspect: leet.cc | Newly Observed Domain |
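The three signatures walked through on the preceding slides (start-up sequence, repeated query intervals, newly observed domain) are simple enough to run directly against the raw query log. The script below is an added example, not BlueCat code: it parses lines in the format shown above and applies the three detectors, producing catalog-style facts. The Instagram signature, the baseline of known domains and the thresholds (at least four samples, at least one second apart, interval jitter under 10%) are assumptions; the sample lines are copied from the slides' log and de-duplicated.

```python
"""Derive facts from BIND query-log lines: application start-up signatures,
beaconing (fixed query intervals) and newly observed domains.
Added example, not BlueCat's code; the app signature and baseline are assumed."""
import re
import statistics
from collections import defaultdict
from datetime import datetime
from typing import Dict, Iterable, List, NamedTuple, Optional, Set

# BIND 9 "queries" category, in the layout shown on the slides:
# 07-Oct-2015 19:27:04.266 queries: info: client 172.16.21.189#7248 (i.instagram.com): view default: query: i.instagram.com IN A + (172.16.3.4)
LINE_RE = re.compile(
    r"^(?P<ts>\d{2}-[A-Za-z]{3}-\d{4} \d{2}:\d{2}:\d{2}\.\d{3}) queries: info: "
    r"client (?P<client>[0-9a-fA-F.:]+)#\d+ \([^)]*\): view \S+: query: "
    r"(?P<qname>\S+) IN (?P<qtype>\S+) "
)

class Query(NamedTuple):
    ts: datetime
    client: str
    qname: str
    qtype: str

class Fact(NamedTuple):
    ts: datetime
    client: str
    fact: str
    signature: str

def parse_line(line: str) -> Optional[Query]:
    """One log line -> Query; lines of other categories (e.g. 'rpz:') give None."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%d-%b-%Y %H:%M:%S.%f")
    return Query(ts, m["client"], m["qname"].lower().rstrip("."), m["qtype"].upper())

def parse_log(lines: Iterable[str]) -> List[Query]:
    return sorted((q for q in map(parse_line, lines) if q), key=lambda q: q.ts)

# Assumed signature: the names a client resolves, in order, when the app starts.
APP_SIGNATURES: Dict[str, List[str]] = {
    "Instagram": ["i.instagram.com", "logger.instagram.com", "settings.crashlytics.com"],
}

def find_app_startups(queries: List[Query], signatures=APP_SIGNATURES, window_s=2.0) -> List[Fact]:
    """A client that resolves every name of a signature, in order, inside one window."""
    by_client = defaultdict(list)
    for q in queries:
        by_client[q.client].append(q)
    facts = []
    for client, qs in by_client.items():
        for app, names in signatures.items():
            first = {}  # name -> first time this client asked for it (insertion = time order)
            for q in qs:
                if q.qname in names and q.qname not in first:
                    first[q.qname] = q.ts
            if list(first) != names:
                continue
            span = (max(first.values()) - min(first.values())).total_seconds()
            if span <= window_s:
                facts.append(Fact(min(first.values()), client, f"APP: {app}", "Startup Sequence"))
    return facts

def find_beacons(queries: List[Query], min_count=4, min_interval_s=1.0, max_jitter=0.1) -> List[Fact]:
    """Same client, same name, near-constant spacing: stdev/mean of the gaps <= max_jitter.
    min_interval_s keeps A/AAAA pairs and retry bursts (gaps near zero) out of the result."""
    series = defaultdict(list)
    for q in queries:
        series[(q.client, q.qname)].append(q.ts)
    facts = []
    for (client, qname), times in series.items():
        if len(times) < min_count:
            continue
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        mean = statistics.mean(gaps)
        if mean >= min_interval_s and statistics.pstdev(gaps) / mean <= max_jitter:
            facts.append(Fact(times[0], client, f"Beaconing: {qname}", f"Query Intervals ({mean:.0f}s)"))
    return facts

def registrable_domain(qname: str) -> str:
    """Naive eTLD+1 (last two labels); production code should use the Public Suffix List."""
    return ".".join(qname.split(".")[-2:])

def find_newly_observed(queries: List[Query], baseline: Set[str]) -> List[Fact]:
    """First query for a registrable domain that is not in the baseline of known domains."""
    seen, facts = set(baseline), []
    for q in queries:
        dom = registrable_domain(q.qname)
        if dom.endswith(".arpa") or dom in seen:  # reverse lookups are not 'new domains'
            continue
        seen.add(dom)
        facts.append(Fact(q.ts, q.client, f"Suspect: {dom}", "Newly Observed Domain"))
    return facts

def derive_facts(lines: Iterable[str], baseline: Set[str]) -> List[Fact]:
    queries = parse_log(lines)
    facts = find_app_startups(queries) + find_beacons(queries) + find_newly_observed(queries, baseline)
    return sorted(facts)

# Constructed sample: lines copied from the slides' log, de-duplicated.
SAMPLE_LOG = """\
07-Oct-2015 19:27:03.760 queries: info: client 172.16.5.197#65503 (www.google.com): view default: query: www.google.com IN A + (172.16.3.4)
07-Oct-2015 19:27:03.760 rpz: info: client 172.16.5.197#65503 (www.google.com): view default: rpz QNAME PASSTHRU rewrite www.google.com via www.google.com.allowed
07-Oct-2015 19:27:03.768 queries: info: client 172.16.21.189#32801 (whatsmyip.net): view default: query: whatsmyip.net IN A + (172.16.3.4)
07-Oct-2015 19:27:04.266 queries: info: client 172.16.21.189#7248 (i.instagram.com): view default: query: i.instagram.com IN A + (172.16.3.4)
07-Oct-2015 19:27:04.269 queries: info: client 172.16.21.189#28671 (logger.instagram.com): view default: query: logger.instagram.com IN A + (172.16.3.4)
07-Oct-2015 19:27:04.284 queries: info: client 172.16.21.189#32801 (settings.crashlytics.com): view default: query: settings.crashlytics.com IN A + (172.16.3.4)
07-Oct-2015 19:27:06.319 queries: info: client 172.16.21.96#60830 (c504.leet.cc): view default: query: c504.leet.cc IN A + (172.16.3.4)
07-Oct-2015 19:28:03.768 queries: info: client 172.16.21.189#7248 (whatsmyip.net): view default: query: whatsmyip.net IN A + (172.16.3.4)
07-Oct-2015 19:29:03.768 queries: info: client 172.16.21.189#23910 (whatsmyip.net): view default: query: whatsmyip.net IN A + (172.16.3.4)
07-Oct-2015 19:30:03.768 queries: info: client 172.16.21.189#28671 (whatsmyip.net): view default: query: whatsmyip.net IN A + (172.16.3.4)
07-Oct-2015 19:31:03.768 queries: info: client 172.16.21.189#15578 (whatsmyip.net): view default: query: whatsmyip.net IN A + (172.16.3.4)
""".splitlines()
BASELINE = {"google.com", "instagram.com", "crashlytics.com", "whatsmyip.net"}  # assumed known set

if __name__ == "__main__":
    for f in derive_facts(SAMPLE_LOG, BASELINE):
        print(f.ts, f.client, f.fact, f.signature)
```

Regular spacing proves periodicity, not malice: plenty of legitimate agents poll on a timer, so the MALWARE label on the slide is an analyst's verdict layered on top of the Query Intervals fact, not something the interval alone justifies. The naive eTLD+1 split has the same limitation in the other direction (it reduces `example.co.uk` style names to `co.uk`), which is why a newly-observed-domain feed in production is keyed on the Public Suffix List.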
The Power of DNS
Analytics to drive better security
DNS as a Sensor and Enforcer
What can DNS do for you?
– Provide instant VISIBILITY into what's on your infrastructure
– Identify BEHAVIOR that is suspicious, regardless of the cause
– CONTROL access to resources or data
– BLOCK known threats before they manifest
DNS Gives the Facts You Need to Secure Your Network
#1 Leverage What You Have
• Avoid complexity & cost
• No more "layers"
• Mine the data you already have
#2 Increase Your Visibility
• Use a pervasive technology to gain insight
• Detect events faster to save time, money, and reputation
• Utilize the adaptive nature of DNS
• Stop playing catch-up to new threats
#3 Get More Control
• Enforce policies across any device or user type
• Use DNS to assess risk and decide on action
• Secure remote locations without costly infrastructure
• Use dependence on DNS against the bad guys
Questions?