Easy operation of DNS security with Infoblox and Splunk!

Introduction

DNS security is a hot topic these days. In this post, I will introduce the features of BloxOne Threat Defense (B1TD), Infoblox's DNS security product, and how to operate it using Splunk.

What is DNS Security

Whenever we access the Internet to view web pages or send email, DNS is working behind the scenes, converting domain (host) names such as www.macnica.co.jp into IP addresses.

The same is true for malware, which uses DNS to locate its external C&C servers. DNS security blocks the DNS resolution of malicious domains used by malware. Because DNS resolution happens at the very beginning of any Internet access, blocking at this layer generates no unnecessary traffic, and it can stop information leakage that uses DNS alone (DNS tunnelling), which web and email security cannot block because no web or mail traffic is ever sent. Since the service is provided in the cloud, it can also protect mobile PCs and IoT devices on which security software cannot be installed. One caveat: DNS-layer blocking only covers queries that actually pass through the protected resolver; malware that connects to a hard-coded IP address, or that uses encrypted DNS to a third-party resolver, bypasses it.

Features of B1TD

Infoblox holds over 50% of the global market share in the DDI (DNS/DHCP/IPAM) industry and was one of the first vendors to focus on DNS security. Key features of B1TD include:

  • 1.5 million threat domain updates per day: in addition to the threat intelligence Infoblox has curated itself since acquiring IID in 2016, it aggregates feeds from more than 20 threat intelligence providers, giving both accuracy and volume.
  • DNS zero-day protection through behavioral detection: tens of thousands of domains are created every day. Even before a domain is registered as a threat domain, analysis of DNS query behavior protects against leakage of confidential information over DNS.
  • One-stop threat lookup with Dossier: provides all the information needed for a risk judgment, such as WHOIS information, threat categories, and antivirus results for downloaded files, in a single search.
  • Available both in the cloud and on-premise: uniquely for Infoblox, which also provides DNS appliances, the DNS security functions can be applied not only in the cloud but also on on-premise DNS servers.

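The two controls described above, blocking resolution of domains already on a threat feed and behavioral detection of DNS exfiltration for domains that are not yet on any feed, can be illustrated with a small detector run over DNS query logs. The following is an added example written for this article; it is not Infoblox or Macnica code, and the threat feed contents, feed names, log format, thresholds and log lines are all constructed for illustration (real B1TD feeds and the public suffix list are far larger):

```python
"""Toy DNS security checks: threat-feed blocking plus behavioral
exfiltration detection. Added example, not product code; all data below
is constructed."""
import math
from collections import Counter, defaultdict

# Constructed threat feed: domain -> feed name. Any subdomain also matches.
THREAT_FEED = {
    "bad-c2.example": "malware_c2",
    "phish.example": "phishing",
}

# Toy stand-in for the public suffix list, so that "macnica.co.jp" is the
# registered domain of www.macnica.co.jp rather than "co.jp".
KNOWN_SUFFIXES = {"co.jp", "co.uk"}


def lookup_feed(qname):
    """Return the feed name if qname or any of its parent domains is listed."""
    labels = qname.lower().rstrip(".").split(".")
    for i in range(len(labels) - 1):          # never match a bare TLD
        candidate = ".".join(labels[i:])
        if candidate in THREAT_FEED:
            return THREAT_FEED[candidate]
    return None


def registered_domain(qname):
    """Registered domain (eTLD+1) using the toy suffix set above."""
    labels = qname.lower().rstrip(".").split(".")
    n = 3 if ".".join(labels[-2:]) in KNOWN_SUFFIXES else 2
    return ".".join(labels[-n:])


def shannon_entropy(s):
    """Bits per character; encoded data scores high, words score low."""
    if not s:
        return 0.0
    counts = Counter(s)
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def exfil_score(qname):
    """0..2: +1 for a long subdomain part, +1 for high entropy.
    Thresholds (40 chars, 3.5 bits) are constructed for this example."""
    parent = registered_domain(qname)
    sub = qname.lower().rstrip(".")[: -len(parent)].rstrip(".")
    if not sub:
        return 0
    score = 0
    if len(sub) >= 40:
        score += 1
    if shannon_entropy(sub.replace(".", "")) >= 3.5:
        score += 1
    return score


def analyze(log_lines, min_encoded_subdomains=5):
    """Apply the feed block first; for everything else, count distinct
    data-carrying subdomains per (client, registered domain)."""
    blocked, feed_hits = [], Counter()
    encoded = defaultdict(set)
    for line in log_lines:
        _ts, client, qname, _qtype = line.split()   # constructed log format
        feed = lookup_feed(qname)
        if feed:
            blocked.append((client, qname, feed))
            feed_hits[(client, feed)] += 1          # "which client hit which feed"
            continue
        if exfil_score(qname) == 2:
            encoded[(client, registered_domain(qname))].add(qname)
    suspects = sorted(k for k, v in encoded.items()
                      if len(v) >= min_encoded_subdomains)
    return {"blocked": blocked, "feed_hits": feed_hits, "tunnel_suspects": suspects}


def encoded_label(i):
    """Constructed stand-in for a base32-style chunk of exfiltrated data."""
    return "".join(chr(ord("a") + (i * 7 + k * 11) % 26) for k in range(48))


# Constructed query log: "<timestamp> <client> <qname> <qtype>".
SAMPLE_LOG = [
    "2024-05-01T09:00:01Z 10.0.0.5 www.macnica.co.jp A",
    "2024-05-01T09:00:02Z 10.0.0.5 cdn.bad-c2.example A",
    "2024-05-01T09:00:03Z 10.0.0.9 phish.example A",
    "2024-05-01T09:00:04Z 10.0.0.9 login.phish.example A",
] + [
    f"2024-05-01T09:01:{i:02d}Z 10.0.0.7 {encoded_label(i)}.data.exfil-test.example A"
    for i in range(6)
]

if __name__ == "__main__":
    result = analyze(SAMPLE_LOG)
    for client, qname, feed in result["blocked"]:
        print(f"BLOCK   {client} {qname} ({feed})")
    for client, parent in result["tunnel_suspects"]:
        print(f"SUSPECT {client} tunnelling via *.{parent}")
```

The point of the second check is that exfil-test.example is on no feed, so a pure blocklist never sees it; the behavioral rule flags it from the shape and volume of the queries alone, which is what the zero-day bullet above describes.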
About Splunk integration

The product description has run long, so from here I will explain the integration with Splunk. B1TD's cloud console provides a set of reports by default.

With these alone, you can already see which clients hit the blocklist and how many hits each threat feed received.

By integrating with Splunk, however, the same data can be presented in a more visual and easier-to-read form: the top clients hitting threat feeds, the threat domains visited most often, and so on.

The integration itself is very simple: install the B1TD app in Splunk and enter the API key, which can be found in the cloud console.

The dashboards are preconfigured, so no additional settings are required.

Visualization makes it easier to notice changes in the situation and to make decisions about threats.

For example, in the cloud console the number of hits per feed has to be read as numbers or narrowed down with filters, whereas in Splunk each feed is drawn as a colored area whose size is proportional to its hits, so a change stands out visually.

Summary

In this first installment, I explained how Infoblox's DNS security product, B1TD, integrates with Splunk. In future posts we plan to share information useful for day-to-day operation and for what you can do with the product, so please look forward to them.

Inquiry/Document request

Macnica Infoblox

Mon-Fri 8:45-17:30