True security requires integration and automation

Johannesburg, 08 Jul 2019
Read time 4min 20sec
Peter Goodwin, Sales Director, Service Providers, EMEA, Infoblox

Businesses keep acquiring security solutions to counter new threats, not realising that without integration and automation they may still be vulnerable to attack. The domain name system (DNS) has a vital role to play here.

Peter Goodwin, Sales Director for Service Providers for Infoblox's EMEA region, says businesses need to integrate and automate their disparate security solutions so they proactively notify the security ecosystem when it's under attack.

He explains: “You can use DNS and IP address management to kick off various automated processes in a security environment. Today, most companies are heavily invested in an assortment of different point security products. As things evolve and threats change, they're having to buy new products to cope with new and evolving cyber threats. However, they still need all of their existing – and older – solutions to counter older threats, resulting in a somewhat cluttered and complex security environment.”

Businesses tend to look for best-of-breed solutions in the security space. They choose fit-for-purpose solutions that slot into their network and start reporting when they see security issues come up. One of the challenges that arise is that these security products each sit in their own siloed environment, with the various teams equally siloed.

For example, the focus of the network team is on network availability and ensuring people have access to the applications and resources they need. To this end, they have monitoring tools that keep an eye on how the network is running. The security team is in a different silo, where it is primarily concerned with risk mitigation, ensuring the network is secure from today's known threats and possible future threats, and it has its own monitoring solution. In many companies, there are gaps between the different silos' monitoring activities, with zero communication or integration. Sometimes the different silos' requirements and views also conflict.

However, DNS and DHCP (Dynamic Host Configuration Protocol) are fundamental to all networks. When you first log on, you get an IP address from the DHCP server. If the DHCP server can integrate with Active Directory, pull your login details and attach them to the IP address, along with the type of device used to access the network, that data can provide more contextual information down the line.

This type of information could improve the performance of vulnerability assessment and remediation tools, which require a fair investment by the business. The tool has to ensure that devices on the company network are compliant, but it can only do this if it knows the device is on the network in the first place. Once aware of a device on the network, the tool (or user) needs to schedule a scan of that laptop, tablet, smartphone or PC. If the DHCP server could notify the scanner that a new device has logged on, providing the IP address, the user ID and the operating system it is using, the vulnerability scanner could scan that device automatically. This is just one way DNS and DHCP can help a security solution perform better than it would in isolation.

Another example Goodwin gives: a device on the network is infected with malware that isn't apparent to the user during day-to-day use of the device, but that tries to infiltrate the network, and the company is using a DNS server with threat feeds built in. When the malware attempts to communicate out to the Internet, the DNS server can alert the network access controller that the user, on a specific IP address and on a particular device, has just made a DNS request associated with this piece of malware. With that contextual information, the device can be isolated and removed safely from the network without any operator input. This makes the security team more efficient.

The data collected can be shared with the security information and event management (SIEM) system, so that when the security operations centre analyst clicks on the event, he or she has more contextual information about where the event came from and can work out how to respond that much faster. Isolating the device in the interim helps prevent the malware from getting a foothold in the network.

The aim is to use integration so that the different security products, including endpoint managers, vulnerability scanners, next-gen firewalls, SIEM solutions and sandboxing solutions, are able to trigger events in one another. This enables the company to do more with its existing security infrastructure.

Find out more about automating incident response using ecosystem integration by watching this video.
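As an added illustration of the two integrations described above (DHCP lease context handed to a vulnerability scanner, and DNS threat-feed hits enriched with that context for the network access controller and the SIEM), here is a small Python example. It is not Infoblox code and does not come from the article: the lease records, threat-feed domains and BIND-style query log lines are all constructed for the example, and the scan requests and alerts are plain dictionaries standing in for whatever API a real scanner, NAC or SIEM would expose.

```python
"""Correlate DHCP lease context with DNS threat-feed hits (added example).

All data below is constructed for illustration; none of it is real.
"""
import re
from typing import Dict, List, Optional

# Constructed DHCP lease records: the context the DHCP server can attach to
# an address (who logged on, from what kind of device, running what OS).
DHCP_LEASES = [
    {"ip": "10.0.0.21", "user": "alice", "device": "laptop", "os": "Windows 10"},
    {"ip": "10.0.0.22", "user": "bob", "device": "smartphone", "os": "Android 9"},
]

# Constructed threat feed: domains the DNS server should treat as malicious.
THREAT_FEED = {"malware-c2.example", "bad-updates.example"}

# Constructed DNS query log lines in BIND's "client ... query:" format.
DNS_LOG = [
    "client 10.0.0.21#53212: query: intranet.example IN A",
    "client 10.0.0.22#40123: query: malware-c2.example IN A",
    "client 10.0.0.99#40999: query: bad-updates.example IN A",
    "client 10.0.0.21#53213: query: cdn.example IN AAAA",
]

LOG_RE = re.compile(
    r"client (?P<ip>[\d.]+)#\d+: query: (?P<qname>\S+) IN (?P<qtype>\S+)"
)


def build_lease_table(leases: List[Dict]) -> Dict[str, Dict]:
    """Index leases by IP so DNS events can be enriched by address."""
    return {lease["ip"]: lease for lease in leases}


def scan_requests(leases: List[Dict]) -> List[Dict]:
    """Turn each new lease into a scan request for the vulnerability scanner.

    This is the 'DHCP notifies the scanner' path: the scanner learns the
    address, user and OS without anyone scheduling the scan by hand.
    """
    return [{"target": l["ip"], "user": l["user"], "os": l["os"]} for l in leases]


def parse_dns_line(line: str) -> Optional[Dict[str, str]]:
    """Extract client IP, query name and type from one log line."""
    match = LOG_RE.match(line)
    return match.groupdict() if match else None


def domain_in_feed(qname: str, feed: set) -> bool:
    """True if the name or any parent domain (above the TLD) is in the feed."""
    labels = qname.rstrip(".").lower().split(".")
    return any(".".join(labels[i:]) in feed for i in range(len(labels) - 1))


def correlate(dns_log: List[str], leases: List[Dict], feed: set) -> List[Dict]:
    """Raise one enriched alert per DNS query that hits the threat feed.

    A hit from an address with a known lease carries user/device context and
    an 'isolate' action for the NAC; a hit with no lease context cannot be
    tied to a device and is flagged for analyst review instead.
    """
    table = build_lease_table(leases)
    alerts = []
    for line in dns_log:
        query = parse_dns_line(line)
        if query is None or not domain_in_feed(query["qname"], feed):
            continue
        ctx = table.get(query["ip"])
        alerts.append({
            "ip": query["ip"],
            "domain": query["qname"],
            "user": ctx["user"] if ctx else None,
            "device": ctx["device"] if ctx else None,
            "os": ctx["os"] if ctx else None,
            "action": "isolate" if ctx else "review",
        })
    return alerts


if __name__ == "__main__":
    for req in scan_requests(DHCP_LEASES):
        print("scan request:", req)
    for alert in correlate(DNS_LOG, DHCP_LEASES, THREAT_FEED):
        print("alert:", alert)
```

The `review` branch is the part a practitioner would want to keep: an alert for an address with no lease record (a static host, or a lease that expired before the query was logged) is exactly the case where automated isolation should not fire blindly.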
