DNS-Delivered Network & Endpoint Security (PDF transcript)

Posted 27-Mar-2018

TRANSCRIPT

1 CONFIDENTIAL

DNS-Delivered Network & Endpoint Security

2 CONFIDENTIAL

PRODUCTS & TECHNOLOGIES

• UMBRELLA (Enforcement): network security service that protects any device, anywhere

• INVESTIGATE (Intelligence): discover and predict attacks before they happen

3 CONFIDENTIAL

TRUSTED by Enterprises Worldwide

4 CONFIDENTIAL

What is DNS? DNS = Domain Name System

[Diagram: any device asks its DNS resolver "www.facebook.de?" and the resolver, walking the .de / .com / .domain hierarchy, answers with the IP 31.13.92.36. The slide's analogy: a phone user asks "Cisco Systems GmbH?" and gets back the number 0800 - 187 36 52.]

5 CONFIDENTIAL

Calling a bad site

[Diagram: any device asks OpenDNS "badguys.com?" and, instead of the site's address, receives a block page.]

6 CONFIDENTIAL

Why OpenDNS? DNS Services Built for World’s Largest Security Platform

GLOBAL NETWORK

• 80B+ DNS requests/day

• 65M+ biz & home users

• 100% uptime

• Any port, protocol, app

+ UNIQUE ANALYTICS

• security research team

• automated classification

• BGP peer relationships

• 3D visualization engine

= 80M+ malicious requests blocked/day

7 CONFIDENTIAL

To Summarize: How It Works

• Ingest millions of data points per second

• Apply statistical models and human intelligence

• Identify probable malicious sites

8 CONFIDENTIAL

Gather Intelligence & Enforce Security at the DNS Layer

[Diagram: any device → Recursive DNS → Authoritative DNS (root → com. → domain.com.). Request patterns are observed at the recursive layer, authoritative logs at the authoritative layer.]

Request Patterns (recursive DNS) are used to detect:

• Compromised systems

• Command & control callbacks

• Malware & phishing attempts

• Algorithm-generated domains

• Domain co-occurrences

• Newly registered domains

Authoritative Logs are used to find:

• Newly staged infrastructures

• Malicious domains, IPs, ASNs

• DNS hijacking

• Fast flux domains

• Related domains

9 CONFIDENTIAL

Malaysia Airlines DNS Hijack January 25, 2015


10 CONFIDENTIAL

MALICIOUS ASN/IP IDENTIFIED: owned by Lizard Squad, who hacked the PS3 and Xbox networks in December 2014

11 CONFIDENTIAL

OpenDNS recognized the domain hijacking on Jan 25th and blocked the DNS request, and hence any subsequent attack

12 CONFIDENTIAL

Why Add Security at the DNS Layer?

2016 Cisco Annual Security Report (web vs. non-web C2):

• 15% of C2 bypasses web ports 80 & 443

• 91% of C2 can be blocked at the DNS layer

Lancope Research:

• 68% of orgs don’t monitor recursive DNS

13 CONFIDENTIAL

What is the OpenDNS Solution?

14 CONFIDENTIAL

Who Resolves Your DNS Requests? Leveraging a Single Global Recursive DNS Service

[Diagram: Enterprise Location A (internal InfoBlox appliance), Enterprise Location B (internal Windows DNS server) and Enterprise Location C (internal BIND server), plus home users, roaming laptops, mobile devices and remote sites, each reaching the Internet through a different provider (ISP 1, ISP 2, ISP 3, a mobile carrier, and unknown ISPs). Authoritative DNS for intranet domains stays internal; recursive DNS for Internet domains goes to the single global service.]

CHALLENGES

• Multiple Internet Service Providers

• Direct-to-Internet Branch Offices

• Users Forget to Always Turn VPN On

• Different DNS Log Formats

BENEFITS

• Global Internet Activity Visibility

• Network Security w/o Adding Latency

• Consistent Policy Enforcement

• Internet-Wide Cloud App Visibility

15 CONFIDENTIAL

Global Network Built into the Fabric of the Internet

• ZERO added latency: peer w/ top 500 ISPs & CDNs

• 2% of worldwide activity: globally-shared DNS cache

• 100% uptime since 2006: 400+ Gbps capacity, DDoS protection & global fail-over

16 CONFIDENTIAL

The Power of Cisco + OpenDNS

[Diagram: threats from the Internet (MALWARE, BOTNETS/C2, PHISHING) meet Cisco defenses at HQ, the branches and mobile users: Lancope, WSA (+ESA), Firepower, Meraki, ASA and AMP, labelled as MID LAYER and LAST LAYER defenses.]

17 CONFIDENTIAL

[Diagram repeated from the previous slide, with a FIRST LAYER (the DNS layer) added ahead of the MID LAYER and LAST LAYER defenses at HQ, branches and mobile.]

BENEFITS

• Alerts Reduced 2x; Improves your SIEM

• Block malware before it hits the enterprise

• Contains malware if already inside

• Internet access is faster, not slower

• Provision globally in under 30 minutes

18 CONFIDENTIAL

Umbrella: The Fastest & Easiest Way To Block Threats

[Diagram: devices point DNS at 208.67.222.222; each request is classified by category (MALWARE, C2 CALLBACKS, PHISHING) and attributed to an identity (INTERNAL IP, HOSTNAME, AD USER).]

BENEFITS

• Simple to point DNS w/o technical or pro services

• No hardware to install, no software to maintain

• Provision globally in under 30 minutes

• Infinitely scalable enforcement platform
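As an added illustration (not OpenDNS or Cisco code), here is the enforcement decision sketched on the "Calling a bad site" slide, logged with the identity and category fields from the Umbrella slide, plus a crude entropy heuristic standing in for the "algorithm-generated domains" detection on slide 8. The threat list, client identity, block-page address and upstream answers are constructed; only 31.13.92.36 for www.facebook.de comes from the deck.

```python
"""Toy DNS-layer policy check (illustrative, not OpenDNS code). The threat
list, client identity, block-page and upstream answers are constructed."""
import math
from collections import Counter

BLOCKPAGE_IP = "192.0.2.1"                    # constructed block-page address
UPSTREAM = {"www.facebook.de": "31.13.92.36"}   # IP the deck shows for this name
THREAT_LIST = {"badguys.com": "MALWARE", "c2.evil.example": "C2 CALLBACK",
               "login-bank.example": "PHISHING"}   # constructed domain -> category

def normalize(name):
    """Lower-case the name and strip a trailing dot."""
    return name.rstrip(".").lower()

def match_blocklist(name):
    """Walk labels from the right so sub.badguys.com matches badguys.com."""
    labels = normalize(name).split(".")
    for i in range(len(labels)):
        candidate = ".".join(labels[i:])
        if candidate in THREAT_LIST:
            return candidate, THREAT_LIST[candidate]
    return None

def looks_generated(name, min_len=12, min_entropy=3.5):
    """Crude DGA heuristic: a long, high-entropy second-level label. A real
    classifier uses many more features; this only illustrates the idea."""
    labels = normalize(name).split(".")
    label = labels[-2] if len(labels) >= 2 else labels[0]
    n = len(label)
    entropy = -sum(c / n * math.log2(c / n) for c in Counter(label).values())
    return n >= min_len and entropy > min_entropy

def resolve(query, client):
    """Return (verdict, answer, log line). client holds the identity fields
    from the Umbrella slide: internal_ip, hostname, ad_user."""
    hit = match_blocklist(query)
    if hit:
        verdict, answer = "BLOCK/" + hit[1], BLOCKPAGE_IP
    elif looks_generated(query):
        verdict, answer = "BLOCK/DGA-SUSPECT", BLOCKPAGE_IP
    else:
        verdict, answer = "ALLOW", UPSTREAM.get(normalize(query), "NXDOMAIN")
    log = " ".join([client["internal_ip"], client["hostname"], client["ad_user"],
                    normalize(query), verdict, answer])
    return verdict, answer, log
```

The log line is the per-request record a SIEM would ingest: who asked (internal IP, hostname, AD user), what was asked, and which category caused the block.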

19 CONFIDENTIAL

DNS is Used by Every Device on Your Network

• ANY OPERATING SYSTEM: Win, Mac, iOS, Android, Linux, custom app servers, and even IoT

• ANY TOPOLOGY: no matter how your LAN or WAN is set up, it simply works

• ANY OWNER: the network’s DHCP tells every connected device where to point DNS

20 CONFIDENTIAL

Problems We Solve

• Prevent infection: block malware, exploit kits, malvertising and drive-by downloads

• Web Content Filtering and Cloud / IoT Visibility: enforce acceptable use, see cloud services & IoT devices in use, and keep guest Wi-Fi safe

• Breach Protection: prevent botnet communication and data exfiltration from compromised systems by blocking C2 callbacks

21 CONFIDENTIAL

“OpenDNS was able to classify & block 100% of the tested 338 C&C servers.”

“Due to its unique approach to protect the endpoint on the DNS level it has also no additional performance impact.”

Tested 4 May 2015

[Chart: 1,844 domains / 338 domains / 51 domains]

22 CONFIDENTIAL

How We Do It

• Global Recursive DNS: egress points or virtual appliance, roaming client or mobile app forwards DNS to our global network

• Unique Algorithms Applied to Unique Data: observes relationships in global DNS and internet infrastructure to discover where attacks are staged

• Real-time Activity With Log Storage: view your most recent global activity from all locations; store DNS logs for as long as you want

[Diagram: DNS query for xyz.com answered with 1.2.3.4]

23 CONFIDENTIAL

A New Layer of Breach Protection: UMBRELLA Enforcement

• Threat Prevention: not just threat detection

• Protects On & Off Network: not limited to devices forwarding traffic through on-prem appliances

• Partner & Custom Integrations: does not require professional services to set up

• Block by Domains for All Ports: not just IP addresses, or domains only over ports 80/443

• Always Up to Date: no need for the device to VPN back to an on-prem server for updates

24 CONFIDENTIAL

How OpenDNS Complements On-Network Security

ENDPOINT SECURITY (block by file, behavior)

NETWORK FIREWALL (block by IP, packet)

WEB PROXY (block by URL, content)

OpenDNS UMBRELLA (block by domain/IP, URL)

25 CONFIDENTIAL

MEASURABLE VALUE ADD

Headline figures across the slide: <30 | 2X+ | 10X | ≥1

• MINUTES TO GET WORLDWIDE COVERAGE: using DHCP or AP controllers, thousands of devices and locations are secured

• COMPROMISED SYSTEMS IDENTIFIED: than traditional network/endpoint security systems or other advanced threat defenses

• REDUCTION IN ALERT NOISE: through integrating our global threat intelligence into your SIEMs and IR processes via our APIs

26 CONFIDENTIAL

PRODUCTS & TECHNOLOGIES

• UMBRELLA (Enforcement): network security service that protects any device, anywhere

• INVESTIGATE (Intelligence): discover and predict attacks before they happen

27 CONFIDENTIAL

OpenDNS INVESTIGATE

• Live graph of DNS requests and other contextual data

• Correlated against statistical models

• Discover & predict malicious domains

• Enrich security data with global intelligence

[Diagram: DOMAINS, IPs & ASNs → INVESTIGATE → CONSOLE, or API → SIEM, …]

28 CONFIDENTIAL

A Single, Correlated Source of Information

INVESTIGATE provides:

• WHOIS record data

• ASN attribution

• IP geolocation

• IP reputation scores

• Domain reputation scores

• Domain co-occurrences

• Anomaly detection (DGAs, FFNs)

• DNS request patterns/geo. distribution

• Passive DNS database

Internet-wide Visibility: speed up incident response with a live, up-to-date view of the Internet

29 CONFIDENTIAL

Links & Resources

31 CONFIDENTIAL
