The first line of defence

Typically, the idea of network intelligence is information you would find from log files. In our case, it is IP addresses and DND queries, which are essential to understanding what is going on in the network, mainly who had what IP address at what point in time, and what applications were they trying to access.

Network intelligence is essentially the history of everything that is going on in the network. And what we have worked hard at is finding ways to make that actionable. In today’s world where the network has become a critical business enabler, dumping log files into some kind of analytics system is just not cutting it, especially when it comes to cybersecurity.

I meet with many CISOs, and they tell me, especially in large banks, that they get millions of events in a day and are trying to correlate that information to find out what is most critical. We can help them with the data that we have. For example, if we see an IP address that is making a query to a domain name that we know is on the blacklist, we could block that and notify the vulnerability scanners in our customers’ networks. That is what we mean by actionable network intelligence.

We have a threat intelligence platform called ActiveTrust, which is used by large organisations across the world to correlate and manage all the threat intelligence they have.

We were the first to launch what is known in the industry today as a DNS firewall. The idea of a DNS firewall is that you look at every domain name you are querying and if it is a bad one, you block it. Initially, we partnered for that threat intel but three years ago, we bought a company called IID, which has now become our ActiveTrust platform. The list of bad domain names changes many times every single day, and you have to manage it actively.

There is a lot more attention paid to it now. The issue with old technologies is that there are more ways to protect it, so how do you make it a priority and what can vendors really do? Many things have been written about Cisco Umbrella, Zscaler and Palo Alto Networks in the DNS security space. All of these vendors can do a decent job when you are looking at the public Internet, but they don’t know the context of what really went on in the network. When you think of how DNS works in a corporate network, there are all these recursive resolvers all over the world depending on how big is the company. They all recurse up to what is called an internal authoritative DNS server, which is a box that forwards traffic to the public Internet. So the only thing the Cisco Umbrellas of the world sees is the IP address of that box – they don’t know which IP address on the network made that query because that is lost in the recursion. We are the only vendor who has that context.

With digital transformation initiatives, it has become very apparent to companies that if DNS is down, or DHCP for that matter, nothing works. It is literally like electricity and running water these days – it is a tier 1 network service. Another driver of DNS security is the extension into the cloud. If you are putting more and more applications on the cloud, you need an infrastructure for DNS and DHCP that allows you to extend your network to the cloud. Once you have that automation and enterprise-grade infrastructure in place, you need to secure it and make sure that someone can’t hijack those servers.

You may have heard of DNS-based DDoS attacks, but there are more harmful attacks as well. If someone takes over your DNS server, they can redirect traffic to an application server in their control, which means all your customers and partners are logging into the wrong site where their information is compromised. What we did was to create hardened instances for the DNS and control access by other protocols such as FTP and TCP/IP. The next thing we did was to protect DNS infrastructure by calling out bad applications with DNS firewall.

If you look at how companies are using the cloud today, they are extending their data centres to the cloud. They are moving more applications to the cloud, and they are leveraging cloud-based applications such as Office 365, Salesforce, Workday and others. That means, by definition, they are extending their network as well. Since DNS needs access to all these applications and because latency really matters, your DNS server needs to be near where your applications and users are. It is why you should extend your DNS into the cloud.