Infoblox Solution Note - Threat Containment and Operations



Threat Containment and Operations

SOLUTION NOTE

Summary

Eliminating silos between networking and security technologies and improving the ROI from their security investments is at the heart of Infoblox’s Threat Containment and Operations solution. The solution brings situational awareness to security events by gathering and analyzing a broader set of data to provide context, so that the events that pose the greatest harm to an organization are found and prioritized in a timely manner.

The Security You Want is Not Often the Security You Get

There are four key operational gaps in security: the existence of silos, the lack of context required to prioritize and resolve threats, manual approaches that slow down resolution, and fragmented threat intelligence.

Silos: Most organizations have adopted a defense-in-depth strategy, which more often than not results in a proliferation of security tools. These tools and processes often live in silos between network and security teams, resulting in security gaps, slower detection of vulnerabilities, and time-consuming processes to remediate threats.

Lack of Context: Security operations teams are inundated with thousands of alerts each day with insufficient means to prioritize them based on actual risk. Threat intelligence and the network are a gold mine of data that can be used to provide actionable intelligence and context around threats. But the lack of visibility into network data inhibits taking the right action based on context.

Lack of Automation: Being able to know and respond in real time to activities seen by network tools can go a long way in accelerating incident response. But without automation, operations teams are left assembling data from various sources manually. Often the security teams don’t even get a notification when a vulnerability is discovered.

Fragmented Threat Intelligence: Most organizations are not aware that they may be using multiple sources of threat intelligence, which can lead to a higher false positive rate, conflicting information, and inefficient use of resources. Such siloed threat intelligence adds cost, reduces effectiveness, and erodes trust.

All these challenges lead to a poor security posture and inefficient security operations.

Key Elements of Threat Containment and Operations Solution

Infoblox’s solution to contain threats and improve the effectiveness of your existing security infrastructure includes the following key components:

• Optimizing threat intelligence
• Automating for faster remediation
• Sharing the context required to prioritize threats
• Bridging silos with shared data

Threat Intelligence Optimization

Optimizing threat intelligence involves policy enforcement using timely, consolidated, and high-quality threat intelligence that is aggregated from multiple sources, verified, and curated by an in-house threat research team. It eliminates conflicts between sources and distributes uniform threat intelligence to the existing security infrastructure, providing a single source of truth.

© Infoblox, Inc. All rights reserved. SN-0233-00 1705 - Threat Containment and Operations


Security Orchestration

Security orchestration involves automatically sharing network events and indicators of compromise in real time with existing security tools such as next-gen endpoint protection (NGEP), next-gen firewalls (NGFW), network access control (NAC), vulnerability scanners, and SIEM for more effective and timely incident response. For example, when Infoblox detects DNS-based data exfiltration or malware from an infected host, it can automatically notify an endpoint security solution to clean the infected endpoint. It can trigger a vulnerability scan when a new device joins the network, or trigger a NAC solution to keep the endpoint off the network until it is deemed compliant. In addition to sharing indicators of compromise, Infoblox also shares valuable network context and actionable network intelligence, including user name, MAC address, device type, VLAN, and lease history, to help assess risk and prioritize remediation. Security orchestration is key to improving your security posture with your existing security infrastructure.

Rapid Triage

Infoblox helps security analysts and researchers investigate threats faster by providing a single yet broad source of truth through our partners and marketplace. Infoblox Intelligence provides timely context (including type of malware, domain registration information, and associated campaigns). The threat analyst and incident responder can leverage the Infoblox API to gather information from multiple sources on an individual indicator, including antivirus analysis, domain reputation score, passive DNS, and whois information, to name a few. These searches are done with Infoblox masking the customer. Infoblox’s Threat Intelligence Data Exchange provides accuracy and context for each indicator, enabling security personnel to focus on the most critical indicators and ignore false positives, thereby freeing them up to take on other tasks.

Mining Valuable Historical DNS Data for Security and Troubleshooting

DNS, DHCP, and IPAM (DDI) data is a gold mine that can be used for forensics and security operations. DDI data provides information such as which device/user went to which destinations in a specified period of time, which devices are critical high-value assets in the network that need to be protected, etc. Operations teams can determine the scope of a security incident, or automate correlation of network context and data with security events. They can get access to audit trails to profile device and user activity. Using the Infoblox API, historical passive DNS data can also be harvested, providing the basis for further data mining and business intelligence for your organization.
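As an added illustration of the DDI correlation described in the Security Orchestration and Mining sections (this is not Infoblox code and does not use its API), the following Python attributes DNS queries to the device that held the client IP at query time, using DHCP lease history so that an IP reused by a later lease is not blamed on the earlier device. The log and lease formats are constructed assumptions.

```python
from datetime import datetime

# Constructed DHCP lease history (assumed format, not Infoblox data):
# (ip, mac, hostname, lease_start, lease_end). The same IP is leased to
# two devices in succession, which is exactly what lease history resolves.
LEASE_HISTORY = [
    ("10.1.5.23", "aa:bb:cc:00:00:01", "finance-laptop-07",
     datetime(2024, 3, 1, 8, 0), datetime(2024, 3, 1, 12, 0)),
    ("10.1.5.23", "aa:bb:cc:00:00:02", "guest-phone-19",
     datetime(2024, 3, 1, 12, 30), datetime(2024, 3, 1, 18, 0)),
]

# Constructed DNS query log: "<ISO timestamp> <client ip> <qname>" per line.
DNS_LOG = """\
2024-03-01T09:15:00 10.1.5.23 login.example.com
2024-03-01T11:59:00 10.1.5.23 a3f9.exfil-test.invalid
2024-03-01T13:05:00 10.1.5.23 a3f9.exfil-test.invalid
2024-03-01T12:10:00 10.1.5.23 cdn.example.net
"""

def lease_for(ip, at):
    """Return (mac, hostname) holding `ip` at time `at`, or None if no lease covers it."""
    for lease_ip, mac, host, start, end in LEASE_HISTORY:
        if lease_ip == ip and start <= at <= end:
            return mac, host
    return None

def attribute_queries(log, window_start, window_end):
    """Attribute each query inside the ISO-string window to the device leasing its client IP."""
    start, end = datetime.fromisoformat(window_start), datetime.fromisoformat(window_end)
    rows = []
    for line in log.splitlines():
        ts_str, ip, qname = line.split()
        ts = datetime.fromisoformat(ts_str)
        if not (start <= ts <= end):
            continue
        lease = lease_for(ip, ts)
        # A query with no covering lease is flagged rather than guessed at.
        rows.append({"time": ts, "ip": ip, "qname": qname,
                     "mac": lease[0] if lease else None,
                     "host": lease[1] if lease else "unattributed"})
    return rows

def devices_that_queried(log, qname, window_start, window_end):
    """Incident scoping: distinct devices that resolved `qname` in the window."""
    return sorted({r["host"] for r in attribute_queries(log, window_start, window_end)
                   if r["qname"] == qname})
```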


Figure 1: Infoblox solution for Threat Containment and Operations. [Diagram labels: Threat Intelligence Data Exchange, fed by Infoblox Research and Threat Intel, Partner Research and Threat Intel, and Customer Generated Threat Intelligence, distributing DNS-related threat intelligence and threat data feeds for use in the ecosystem; Cloud-based Recursive/Caching DNS (ActiveTrust® Cloud) serving Roaming Clients; DNS, DHCP, IPAM, and Secure Recursive DNS with Device Discovery and APT/Malware Detection; Security Ecosystem receiving security events with context: Perimeter Security (F/W, IDS/IPS, etc.), SIEM, Vulnerability Scanner, NAC, Endpoint Security; Network Infrastructure (Switches, Routers, Firewalls, Load-balancers, etc.), Firewall, and Internal Clients.]

Summary

With Infoblox you get a solution that bridges silos instead of creating a new one. Infoblox provides organizations the ability to increase the effectiveness of the security solutions they already have in place. It does so by providing the timely and necessary context required to prioritize and remediate threats. It also enables automation to resolve issues faster and ensures that organizations have access to the most comprehensive and up-to-date threat intelligence. Infoblox makes your network intelligence actionable.

Learn More

Learn more about the solution at https://www.infoblox.com/solutions/network-security.

About Infoblox

Infoblox delivers Actionable Network Intelligence to enterprises, government agencies, and service providers around the world. As the industry leader in DNS, DHCP, and IP address management (DDI), Infoblox provides control and security from the core, empowering thousands of organizations to increase efficiency and visibility, reduce risk, and improve customer experience.

Corporate Headquarters:

+1.408.986.4000

1.866.463.6256 (toll-free, U.S. and Canada)


www.infoblox.com