1 CONFIDENTIAL
DNS-Delivered Network & Endpoint Security

PRODUCTS & TECHNOLOGIES
UMBRELLA (Enforcement): network security service that protects any device, anywhere
INVESTIGATE (Intelligence): discover and predict attacks before they happen

TRUSTED by Enterprises Worldwide

What is DNS? DNS = Domain Name System
Diagram: any device asks its DNS resolver "www.facebook.de?"; the resolver walks the hierarchy (.de, .com, .domain) and returns the IP, here 31.13.92.36. Analogy: a phone user asks directory assistance "Cisco Systems GmbH?" and gets back 0800 - 187 36 52.

Calling a bad site
Diagram: any device asks OpenDNS "badguys.com?"; instead of the real answer it receives the address of a block page.

Why OpenDNS? DNS Services Built for World's Largest Security Platform
GLOBAL NETWORK
• 80B+ DNS requests/day
• 65M+ biz & home users
• 100% uptime
• Any port, protocol, app
+ UNIQUE ANALYTICS
• security research team
• automated classification
• BGP peer relationships
• 3D visualization engine
= 80M+ malicious requests blocked/day

To Summarize... How It Works
Ingest millions of data points per second (requests across TLDs such as .com, .cn, .ru, .net) → apply statistical models and human intelligence → identify probable malicious sites

Gather Intelligence & Enforce Security at the DNS Layer
Diagram: any device → Recursive DNS (request patterns) → Authoritative DNS (authoritative logs: root, com., domain.com.)
Recursive DNS request patterns are used to detect:
• Compromised systems
• Command & control callbacks
• Malware & phishing attempts
• Algorithm-generated domains
• Domain co-occurrences
• Newly registered domains
Authoritative DNS logs are used to find:
• Newly staged infrastructures
• Malicious domains, IPs, ASNs
• DNS hijacking
• Fast flux domains
• Related domains
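The detections listed above are the kind of checks a recursive resolver can run on its own request patterns. The following is an added example written for this page, not OpenDNS or Cisco code: it scores a constructed resolver log for algorithm-generated domains (entropy of the second-level label), NXDOMAIN bursts from a single client, newly registered domains (against a constructed creation-date table, with the 2015-01-25 reference date chosen to match the deck), and fast-flux names (many distinct answers at short TTL). The thresholds, the log format and every domain and address in it are assumptions for illustration.

```python
"""Added example (not OpenDNS/Cisco code): request-pattern checks a
recursive resolver can run.  Log lines, registration dates and
thresholds are constructed for illustration."""
import math
from collections import defaultdict
from datetime import date

# Constructed resolver log: timestamp, client, qname, rcode, ttl, answer IP.
# 1422144000 is 2015-01-25 00:00:00 UTC.
LOG = """\
1422144000 10.0.0.5 www.example.com NOERROR 300 93.184.216.34
1422144001 10.0.0.5 cdn.example.net NOERROR 60 203.0.113.10
1422144002 10.0.0.7 xk3p9qzt2vbw1m.com NXDOMAIN 0 -
1422144003 10.0.0.7 q8wzv2rtk7lp0y.com NXDOMAIN 0 -
1422144004 10.0.0.7 mzp4l1cq9xs6vn.com NXDOMAIN 0 -
1422144005 10.0.0.7 t2b7vkd0rqy3xh.net NXDOMAIN 0 -
1422144006 10.0.0.7 v9rqz3kfw5mjt.com NOERROR 300 198.51.100.8
1422144010 10.0.0.9 login-update-secure.info NOERROR 300 198.51.100.21
1422144020 10.0.0.9 flux.badguys.example NOERROR 30 198.51.100.1
1422144050 10.0.0.9 flux.badguys.example NOERROR 30 198.51.100.2
1422144080 10.0.0.9 flux.badguys.example NOERROR 30 198.51.100.3
1422144110 10.0.0.9 flux.badguys.example NOERROR 30 198.51.100.4
1422144140 10.0.0.9 flux.badguys.example NOERROR 30 198.51.100.5
"""

# Constructed WHOIS-style creation dates (a real system would query WHOIS or
# an NRD feed).  Domains absent here are treated as unknown, not as new.
REGISTERED = {
    "example.com": date(1995, 8, 14),
    "example.net": date(1995, 1, 1),
    "badguys.example": date(2014, 6, 1),
    "login-update-secure.info": date(2015, 1, 20),
    "v9rqz3kfw5mjt.com": date(2015, 1, 24),
}


def parse_log(text):
    """Split the space-separated log into records (ttl as int, '-' answer kept)."""
    recs = []
    for line in text.splitlines():
        ts, client, qname, rcode, ttl, ip = line.split()
        recs.append({"ts": int(ts), "client": client, "qname": qname.lower(),
                     "rcode": rcode, "ttl": int(ttl), "ip": ip})
    return recs


def registered_domain(qname):
    """Last two labels.  Production code should use the public suffix list
    (think co.uk), which this example deliberately omits for brevity."""
    return ".".join(qname.rstrip(".").split(".")[-2:])


def shannon_entropy(s):
    counts = {c: s.count(c) for c in set(s)}
    return -sum(n / len(s) * math.log2(n / len(s)) for n in counts.values())


def looks_like_dga(qname, min_len=10, min_entropy=3.5, max_vowel_ratio=0.25):
    """Crude DGA heuristic on the second-level label: long, high-entropy,
    vowel-poor.  Thresholds are assumptions; tune them on real traffic."""
    label = registered_domain(qname).split(".")[0]
    if len(label) < min_len:
        return False
    vowels = sum(label.count(v) for v in "aeiou") / len(label)
    return shannon_entropy(label) >= min_entropy and vowels <= max_vowel_ratio


def dga_domains(records):
    return sorted({r["qname"] for r in records if looks_like_dga(r["qname"])})


def nxdomain_bursts(records, threshold=3):
    """Clients with many NXDOMAIN answers: typical of a bot walking a DGA list."""
    per_client = defaultdict(int)
    for r in records:
        if r["rcode"] == "NXDOMAIN":
            per_client[r["client"]] += 1
    return {c: n for c, n in per_client.items() if n >= threshold}


def newly_registered(records, today, max_age_days=30):
    """Registered domains created within max_age_days of `today`."""
    out = set()
    for r in records:
        dom = registered_domain(r["qname"])
        created = REGISTERED.get(dom)
        if created and (today - created).days <= max_age_days:
            out.add(dom)
    return sorted(out)


def fast_flux(records, min_ips=5, max_ttl=60):
    """Names answered with many distinct IPs at short TTL (fast-flux hosting)."""
    ips = defaultdict(set)
    for r in records:
        if r["rcode"] == "NOERROR" and r["ttl"] <= max_ttl:
            ips[r["qname"]].add(r["ip"])
    return {q: sorted(v) for q, v in ips.items() if len(v) >= min_ips}


def analyse(text=LOG, today=date(2015, 1, 25)):
    recs = parse_log(text)
    return {
        "dga": dga_domains(recs),
        "nxdomain_bursts": nxdomain_bursts(recs),
        "newly_registered": newly_registered(recs, today),
        "fast_flux": fast_flux(recs),
    }


if __name__ == "__main__":
    for name, hits in analyse().items():
        print(name, hits)
```

Two caveats a practitioner should keep in mind: the last-two-labels domain extraction misfires on suffixes such as co.uk, and entropy alone will also flag legitimate CDN and cloud hostnames, so these scores are features for a classifier rather than verdicts on their own.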

Malaysia Airlines DNS Hijack, January 25, 2015
MALICIOUS ASN/IP IDENTIFIED: owned by Lizard Squad, the group behind the December 2014 attacks on the PlayStation Network and Xbox Live
OpenDNS recognized the domain hijacking on Jan 25 and blocked the DNS requests, and with them any subsequent attack.

Why Add Security at the DNS Layer?
2016 Cisco Annual Security Report: 91% of C2 can be blocked at the DNS layer; 15% of C2 bypasses web ports 80 & 443 (the diagram shows both web and non-web C2 starting with a DNS lookup before the IP connection, so a web proxy misses the non-web share but the resolver sees both)
Lancope Research: 68% of orgs don't monitor recursive DNS

What is the OpenDNS Solution?

Who Resolves Your DNS Requests?
Diagram: Enterprise Location A (internal InfoBlox appliance), Enterprise Location B (internal Windows DNS server) and Enterprise Location C (internal BIND server) each run authoritative DNS for intranet domains, but their recursive DNS for Internet domains, together with that of home users, roaming laptops, mobile devices and remote sites, goes out through whichever ISP or mobile carrier each happens to sit behind (ISP 1, ISP 2, ISP 3, ISP ?, ...).
CHALLENGES
Multiple Internet Service Providers
Direct-to-Internet Branch Offices
Users Forget to Always Turn VPN On
Different DNS Log Formats

Leveraging a Single Global Recursive DNS Service
Diagram: the same locations and devices keep authoritative DNS for intranet domains internal and forward recursive DNS for Internet domains to one global service, regardless of ISP or mobile carrier.
BENEFITS
Global Internet Activity Visibility
Network Security w/o Adding Latency
Consistent Policy Enforcement
Internet-Wide Cloud App Visibility

Global Network Built into the Fabric of the Internet
• ZERO added latency: peers with the top 500 ISPs & CDNs
• 2% of worldwide DNS activity, served from a globally-shared DNS cache
• 100% uptime since 2006
• 400+ Gbps capacity, DDoS protection & global fail-over

The Power of Cisco + OpenDNS
Diagram: threats from the INTERNET (malware, botnets/C2, phishing) meet three layers of defense across HQ, branches and mobile users:
• FIRST LAYER: OpenDNS, at the DNS layer before traffic reaches the enterprise
• MID LAYER: Lancope, WSA (+ESA), Firepower, Meraki, ASA
• LAST LAYER: AMP on the endpoints
BENEFITS
Alerts Reduced 2x; Improves your SIEM
Block malware before it hits the enterprise
Contains malware if already inside
Internet access is faster, not slower
Provision globally in under 30 minutes

Umbrella: The Fastest & Easiest Way To Block Threats
Diagram: devices point DNS at 208.67.222.222; requests are checked against threat categories (MALWARE, C2 CALLBACKS, PHISHING) and content CATEGORY, with policy keyed on IDENTITY (INTERNAL IP, HOSTNAME, AD USER)
BENEFITS
Simple to point DNS w/o technical or pro services
No hardware to install, no software to maintain
Provision globally in under 30 minutes
Infinitely scalable enforcement platform

DNS is Used by Every Device on Your Network
ANY OPERATING SYSTEM: Win, Mac, iOS, Android, Linux, custom app servers, and even IoT
ANY TOPOLOGY: no matter how your LAN or WAN is set up, it simply works
ANY OWNER: the network's DHCP tells every connected device where to point DNS
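What the DHCP-assigned resolver then does with each request is the enforcement step sketched on the "Calling a bad site" and Umbrella slides. The following is an added example, not OpenDNS code: a minimal resolver policy engine that parses a DNS query in wire format, walks the name up through its parent domains so sub-domains of a blocked domain are blocked too, picks a policy from the client's source address (standing in for the identity options on the slide), and either answers with a block-page address or lets the query through. The block-page address 192.0.2.1, the category table, the identity networks and the stand-in upstream answer are all assumptions.

```python
"""Added example (not OpenDNS code): DNS-layer policy enforcement on a
wire-format query.  Addresses, categories and identities are constructed."""
import ipaddress
import struct

BLOCKPAGE_IP = "192.0.2.1"  # assumed block-page address (TEST-NET-1)

# Constructed domain intelligence: registered domain -> category.
CATEGORIES = {
    "badguys.com": "malware",
    "c2.botnet.example": "c2",
    "secure-login-update.info": "phishing",
    "gamblingsite.example": "gambling",
}

# Constructed identity -> policy mapping.  Security categories are blocked
# for everyone; content categories differ per policy.
POLICIES = {
    "corporate": {"malware", "c2", "phishing"},
    "guest-wifi": {"malware", "c2", "phishing", "gambling"},
}
IDENTITIES = [
    (ipaddress.ip_network("10.0.0.0/8"), "corporate"),
    (ipaddress.ip_network("192.168.100.0/24"), "guest-wifi"),
]

# Constructed stand-in for the upstream recursive lookup.
UPSTREAM = {"www.example.com": "93.184.216.34"}


def encode_name(name):
    """Dotted name -> length-prefixed labels ending in a zero byte."""
    out = b""
    for label in name.rstrip(".").split("."):
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def decode_name(msg, offset):
    labels = []
    while True:
        length = msg[offset]
        if length == 0:
            return ".".join(labels), offset + 1
        if length & 0xC0:  # compression pointer; a question name never has one
            raise ValueError("compression pointer in question name")
        offset += 1
        labels.append(msg[offset:offset + length].decode("ascii"))
        offset += length


def build_query(qname, txid=0x1234, qtype=1):
    """Standard query with RD set, one question, class IN."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    return header + encode_name(qname) + struct.pack("!HH", qtype, 1)


def parse_query(msg):
    txid, flags, qd, *_ = struct.unpack("!HHHHHH", msg[:12])
    if qd != 1:
        raise ValueError("expected exactly one question")
    qname, off = decode_name(msg, 12)
    qtype, qclass = struct.unpack("!HH", msg[off:off + 4])
    return txid, qname.lower(), qtype


def category_of(qname):
    """Walk up the name so sub.badguys.com inherits badguys.com's verdict."""
    labels = qname.split(".")
    for i in range(len(labels)):
        cat = CATEGORIES.get(".".join(labels[i:]))
        if cat:
            return cat
    return None


def policy_for(client_ip):
    ip = ipaddress.ip_address(client_ip)
    for net, name in IDENTITIES:
        if ip in net:
            return name
    return "corporate"  # default for unmapped sources (assumption)


def build_a_response(txid, qname, ip, ttl=60):
    """Response with flags QR|RD|RA, the question echoed, and one A record."""
    header = struct.pack("!HHHHHH", txid, 0x8180, 1, 1, 0, 0)
    question = encode_name(qname) + struct.pack("!HH", 1, 1)
    # 0xC00C points back at the question name at offset 12.
    rr = struct.pack("!HHHIH", 0xC00C, 1, 1, ttl, 4)
    return header + question + rr + ipaddress.ip_address(ip).packed


def resolve(msg, client_ip):
    """Return (verdict, response bytes or None) for one query from client_ip."""
    txid, qname, qtype = parse_query(msg)
    cat = category_of(qname)
    if cat and cat in POLICIES[policy_for(client_ip)]:
        return "blocked:" + cat, build_a_response(txid, qname, BLOCKPAGE_IP)
    if qtype == 1 and qname in UPSTREAM:
        return "allowed", build_a_response(txid, qname, UPSTREAM[qname], ttl=300)
    return "allowed", None  # real code forwards to the recursive path here


def answer_ip(resp):
    """Extract the A record from a response built above (last four bytes)."""
    return str(ipaddress.ip_address(resp[-4:]))


if __name__ == "__main__":
    for name, client in [("www.badguys.com", "10.1.2.3"),
                         ("gamblingsite.example", "10.1.2.3"),
                         ("gamblingsite.example", "192.168.100.7")]:
        verdict, resp = resolve(build_query(name), client)
        print(client, name, verdict, answer_ip(resp) if resp else "forward")
```

The verdict is taken on the name, not on a port or protocol, which is what "block by domains for all ports" means in practice: the client never learns the real address, so the connection it attempts afterwards on any port has nowhere to go. The matching limitation is that only queries that reach this resolver are policed; a host with a hard-coded resolver, or one sending its DNS to another provider over an encrypted transport, bypasses it, which is why the deck pairs the DHCP-level approach with a roaming client for off-network devices.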

Problems We Solve
Prevent infection: block malware, exploit kits, malvertising and drive-by downloads
Web Content Filtering and Cloud / IoT Visibility: enforce acceptable use, see cloud services & IoT devices in use, and keep guest Wi-Fi safe
Breach Protection: prevent botnet communication and data exfiltration from compromised systems by blocking C2 callbacks

"OpenDNS was able to classify & block 100% of the tested 338 C&C servers."
"Due to its unique approach to protect the endpoint on the DNS level it also has no additional performance impact."
Tested 4 May 2015
Figure: 1,844 domains; 338 domains; 51 domains

How We Do It
Global Recursive DNS: egress points or a virtual appliance, the roaming client or the mobile app forward DNS to our global network (diagram: a DNS query for xyz.com answered with 1.2.3.4)
Unique Algorithms Applied to Unique Data: observes relationships in global DNS and Internet infrastructure to discover where attacks are staged
Real-time Activity With Log Storage: view your most recent global activity from all locations; store DNS logs for as long as you want

A New Layer of Breach Protection: UMBRELLA Enforcement
Threat Prevention: not just threat detection
Protects On & Off Network: not limited to devices forwarding traffic through on-prem appliances
Partner & Custom Integrations: does not require professional services to set up
Block by Domains for All Ports: not just IP addresses, or domains only over ports 80/443
Always Up to Date: no need for the device to VPN back to an on-prem server for updates

How OpenDNS Complements On-Network Security
ENDPOINT SECURITY (block by file, behavior)
NETWORK FIREWALL (block by IP, packet)
WEB PROXY (block by URL, content)
OpenDNS UMBRELLA (block by domain/IP, URL)

MEASURABLE VALUE ADD
Headline figures: <30, 2X+, 10X, ≥1
Minutes to get worldwide coverage: using DHCP or AP controllers, thousands of devices and locations are secured
Compromised systems identified: more than traditional network/endpoint security systems or other advanced threat defenses
Reduction in alert noise: through integrating our global threat intelligence into your SIEMs and IR processes via our APIs

PRODUCTS & TECHNOLOGIES
UMBRELLA (Enforcement): network security service that protects any device, anywhere
INVESTIGATE (Intelligence): discover and predict attacks before they happen

OpenDNS INVESTIGATE
Diagram: a live graph of DNS requests and other contextual data (DOMAINS, IPs & ASNs) is correlated against statistical models to discover & predict malicious domains; the results enrich security data with global intelligence through the CONSOLE or the API (SIEM, ...)

A Single, Correlated Source of Information
INVESTIGATE
• WHOIS record data
• ASN attribution
• IP geolocation
• IP reputation scores
• Domain reputation scores
• Domain co-occurrences
• Anomaly detection (DGAs, FFNs)
• DNS request patterns / geographic distribution
• Passive DNS database
Internet-wide Visibility: speed up incident response with a live, up-to-date view of the Internet
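The passive DNS database and the domain co-occurrences listed above are the pivots an analyst leans on during incident response. The following is an added example, not OpenDNS code, that builds both from a constructed resolver log: a first-seen/last-seen index of name-to-IP answers, a "related by shared infrastructure" pivot over that index, and a co-occurrence ranking of names requested by the same clients within 60 seconds of the suspect name. The log, the 60-second window and the popular-domain exclusion list are assumptions.

```python
"""Added example (not OpenDNS code): passive DNS and co-occurrence pivots
over a constructed resolver log."""
from collections import defaultdict

# Constructed resolver log: timestamp, client, qname, answer IP.
LOG = """\
1422144000 10.0.0.5 www.example.com 93.184.216.34
1422144005 10.0.0.5 update.evil.example 198.51.100.7
1422144009 10.0.0.5 stage2.evil.example 198.51.100.7
1422144400 10.0.0.8 www.example.com 93.184.216.34
1422144410 10.0.0.8 update.evil.example 198.51.100.7
1422144415 10.0.0.8 drop.other.example 203.0.113.9
1422147600 10.0.0.9 stage2.evil.example 198.51.100.7
1422147605 10.0.0.9 update.evil.example 198.51.100.9
1422190000 10.0.0.5 news.example.net 203.0.113.20
"""

# Constructed list of globally popular names to drop from co-occurrence
# results; a real system discounts these statistically, not by a fixed list.
POPULAR = {"www.example.com"}


def parse_log(text):
    recs = []
    for line in text.splitlines():
        ts, client, qname, ip = line.split()
        recs.append((int(ts), client, qname.lower(), ip))
    return recs


class PassiveDNS:
    """First/last-seen index of which name resolved to which IP."""

    def __init__(self, records):
        self.domain_to_ips = defaultdict(dict)   # qname -> {ip: (first, last)}
        self.ip_to_domains = defaultdict(set)    # ip -> {qname}
        for ts, _, qname, ip in records:
            first, last = self.domain_to_ips[qname].get(ip, (ts, ts))
            self.domain_to_ips[qname][ip] = (min(first, ts), max(last, ts))
            self.ip_to_domains[ip].add(qname)

    def ip_history(self, qname):
        """(ip, (first_seen, last_seen)) pairs, oldest first."""
        return sorted(self.domain_to_ips.get(qname, {}).items(),
                      key=lambda kv: kv[1][0])

    def domains_on_ip(self, ip):
        return sorted(self.ip_to_domains.get(ip, set()))

    def related_by_infrastructure(self, qname):
        """Other names that have resolved to any IP this name resolved to."""
        related = set()
        for ip in self.domain_to_ips.get(qname, {}):
            related |= self.ip_to_domains[ip]
        related.discard(qname)
        return sorted(related)


def co_occurrences(records, pivot, window=60, exclude=POPULAR):
    """Names requested by the same client within +/- window seconds of a
    request for pivot, ranked by how many distinct clients show the pair."""
    by_client = defaultdict(list)
    for ts, client, qname, _ in records:
        by_client[client].append((ts, qname))
    clients_per_domain = defaultdict(set)
    for client, reqs in by_client.items():
        pivot_times = [ts for ts, q in reqs if q == pivot]
        for ts, q in reqs:
            if q == pivot or q in exclude:
                continue
            if any(abs(ts - pt) <= window for pt in pivot_times):
                clients_per_domain[q].add(client)
    ranked = [(q, len(c)) for q, c in clients_per_domain.items()]
    return sorted(ranked, key=lambda x: (-x[1], x[0]))


def investigate(qname, text=LOG):
    """Everything an analyst would pull for one suspect name."""
    recs = parse_log(text)
    pdns = PassiveDNS(recs)
    return {
        "ip_history": pdns.ip_history(qname),
        "related_by_infrastructure": pdns.related_by_infrastructure(qname),
        "co_occurrences": co_occurrences(recs, qname),
    }


if __name__ == "__main__":
    for key, value in investigate("update.evil.example").items():
        print(key, value)
```

Counting distinct clients rather than raw requests is what keeps one chatty host from dominating the ranking; with the log above, stage2.evil.example outranks drop.other.example because two separate clients requested it alongside the pivot.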

Links & Resources
Links
Umbrella Packages
Free Trial (14 days)
Documentation
OpenDNS labs