Cracked Eggshells, Infoblox and IID: A New Way of Looking at Enterprise Security

On Feb. 8, we made a big announcement: Infoblox has acquired IID, a leader in global cyberthreat intelligence. You can learn more at www.infoblox.com/iid.


I’d like to share my own view on why this acquisition is important to Infoblox and to our customers.


Enterprise security is rapidly transitioning away from the old “eggshell” model, which called for building a hardened outer perimeter to keep threats from penetrating the network. By using network and business context data in combination with threat intelligence, enterprises can now also protect the “inner core,” the soft inside of the egg, by taking action based on context-aware security insights. They no longer have to gamble, like Humpty Dumpty in the famous nursery rhyme, on nothing more than keeping the egg from falling.


“You cannot count on your prevention tactics – they are insufficient,” said Mike Rothman of the research firm Securosis in a very insightful white paper titled “Network-based Threat Detection,” published last year.


Instead, organizations must be prepared to rapidly identify, contain and block threats that get through any possible cracks in the eggshell. This requires mastering two new skills: analytics and context.


Analytics, in this case, is the ability to find suspicious patterns of activity by tracking and extracting meaning from the massive flow of data moving through an organization’s network.


“Regardless of whether the attack happens as a result of malware, stolen credentials, social engineering or any other means of compromising the device, the attackers need to actively communicate with the device,” Rothman writes. “Attackers bet they will be able to obscure their communications within the tens of billions of legitimate packets traversing enterprise networks on any given day, and on defenders’ general lack of sophistication preventing them from identifying giveaway patterns. But if you can identify the patterns you have an opportunity to detect the attacks.”


One way of doing this is analyzing Domain Name System (DNS) traffic. DNS is often not protected or even considered to be a threat vector. Yet what if command-and-control systems are using DNS queries as a means for data exfiltration from your CFO’s PC, which might be infected? Wouldn’t you want to secure that by using network context (the IP address making the query), business context (the CFO probably has sensitive data), and threat intelligence (the domains known to be bad)? Absolutely, and this is the reason we acquired IID: so that our customers can have context-aware security insights that allow them to take action at scale.


Infoblox is the industry leader in enterprise-grade management of DNS, DHCP and IP addresses – the category known as DDI – and we began offering secure DNS solutions almost three years ago.


With the addition of IID’s ActiveTrust platform for collecting and sharing threat intelligence, Infoblox is now better prepared than ever to make DNS a central control point for detecting, analyzing and prioritizing malicious activity, then taking instant action to prevent outbound communication and data exfiltration by infected devices.


Rothman says this type of security automation “is still in its infancy.” That may be true, but Infoblox is now moving beyond baby steps in bringing together threat indicators with network data to create actionable intelligence.