
Bloxfest 2016 - SEC-01 - Security Vision Strategy

Infoblox aims to enhance security by protecting DNS and disrupting the malware control plane through its DDI platforms. The company focuses on breaking down silos with open API integration and facilitating real-time data exchange and threat intelligence. By leveraging valuable DDI data, Infoblox seeks to improve operational efficiency in security operations.


Craig Sanderson
Senior Director, Product Management (Security)
Insight Driven Networks Create Enterprise Value

[Diagram: Actionable Network Intelligence Platform]
• Drivers: Next Generation Data Center; Security and Compliance; Digital Economy
• Inputs: Network Devices, PCs, Mobile Devices, IoT, SaaS; Noise; Malicious Intent
• Platform functions: Analyze Your Network; Control Your Network; Secure Your Network; Visibility; Eco-system APIs
• Business Outcomes: Customer Experience; Risk Management; Operational Efficiency
• Foundation: Authoritative Distributed Database (On Premise, Hybrid, Cloud)



Security Landscape

DNS Threat Index
• The threat index reached a record high in Q1 2016 to 137—surpassing the previous record high of 133 set in Q2 2015.

DNS – The Hacker’s Control Plane
• 91% of malware relies on DNS for command and control
• 431M new unique pieces of malware in 2015 [2]
• #1: Malware C&C is #1 responsible vector for Crimeware [3]

Threat Intelligence Data Sharing
• Cybersecurity Information Sharing Act of 2015
• The Automated Indicator Sharing (AIS) initiative

DNS-based Data Exfiltration
• "Multigrain" PoS malware exfiltrates card data over DNS
• 46% of large businesses have experienced DNS exfiltration [1]
• >$3.8M: the average cost of a single data theft occurrence [2]

The Security Silo – Industry Analyst
• “Silos between network, edge, endpoint, and data security systems and processes can restrict an organization’s ability to prevent, detect, and respond to advanced threats…”

Infoblox Security Vision

Deliver Industry Leading DNS Security Solutions

• Protect DNS
• Break the Malware Control Plane

Become the Threat Data and Intelligence control plane for security deployments
• Deliver a Threat Intelligence Data Exchange
• Break the Security Deployment Siloes

Security Strategy

• Solution Strategy: Secure DNS; Breaking the Malware Control Plane; Threat Intel Data Exchange; Security Control & Data Plane
• Product Strategy: Advanced DNS Protection (DDoS); DNS Firewall; Threat Insight; ActiveTrust™ & Dossier; Secure Data Exchange; Ecosystem APIs
• Technology Strategy: Analytics; Threat Intelligence; Ecosystem; Data Sharing

[Diagram labels: Reflection; DNS DoS; Exploits; APT/Malware; SaaS/Cloud; Vulnerability Scanning; Endpoint; SIEM; NAC & Firewall; Infoblox DDI & ActiveTrust]

Secure DNS: Infoblox Advanced DNS Protection
Protecting critical DNS services

• Hardened OS
• Dedicated Infoblox platforms designed to withstand DDOS attacks
• Signatures to detect and block exploitation of vulnerabilities

[Diagram labels: Legitimate Traffic; Threat-rule Server; Automatic Updates (Threat Adapt); Infoblox Advanced DNS Protection (External DNS); Infoblox Advanced DNS Protection (Internal DNS); Data for Reports; Grid Master; Reporting and Analytics]

Reports on attack types, severity

Breaking the Malware Control Plane
Malware & Data Exfiltration
Threat Intel Platform
• Malware containment and control
• DNS Firewall: Ubiquitous visibility and blocking
• Adding high quality Threat Intelligence
• Offer additional 3rd party Threat data
• Dossier: Threat intelligence research tool to accelerate incident analysis
• Endpoint containment via ecosystem partnerships
• Open APIs enabling 3rd party devices to block
using DDI infrastructure
• Threat Insight – Streaming analytics
• Data Exfiltration detection and prevention
• Blocks known and custom exfiltration tools

Extending Protection Outside the Enterprise
DNS Firewall as-a-service

Security Services
1. Threat Intelligence
2. DNS Firewall
3. Threat Insight

DNS Firewall
• Deploy on premise, private/public cloud, Internet

Unified Reporting and Analytics
• Unified view for on and off-premise users and devices for internal and external applications
• Pinpoint exact device, switch and port for malware
• 10+ ecosystem integrations with leading security vendors

Threat Intelligence
• Leverage investment across all deployments

Advanced Threat Analytics
• Data exfiltration prevention
• Malware containment and control

[Diagram labels: Threat Intelligence; Reporting and Analytics; DNS Firewall w/Threat Insight; DNS Forwarder; Central Office / Data Center; Devices On Premise; On Premise Devices with Mobile Client; Roaming Devices with Mobile Client; On Premise; Off Premise]

Threat Intel Data Exchange - Ecosystem

[Diagram labels: ActiveTrust; Verified, validated threat intelligence; Contextual Threat Data, Indicators of Compromise; Machine Readable Threat Intelligence; SIEM, Vulnerability scanners, NAC, Endpoint agents; Network Context; Action (Block, Redirect, Audit); Infoblox DDI; Malicious Hostname; DNS Firewall as-a-service]

Context Driven Threat Intelligence Driving Operational Efficiency

Network Context and Control
• Ubiquitous Tier-1 network control points
• Unique network position to provide device information and metadata
• DNS audit trail of system and user activity

Collective Threat Intelligence
• Verified and accurate MRTI
• Distills data from thousands of sources, processes and services that IID offers
• Federated platform for threat data sharing

Context-Aware Security
• Prioritize response to threats based on enterprise context and risk
• Protect by instantly blocking malicious activity on both on-premise and off-premise devices; share threat data with ecosystem for additional action
• Predict threats using ecosystem, vertical and geo data

Security Analytics Strategy

Leveraging Threat Intelligence, DDI and 3rd party data to provide
• New and Deeper insights into threats
• Automation of analysis and compliance to save time and accelerate response

Infoblox: Actionable Network Intelligence
• What’s on my network?
• Are devices compliant to policy?
• Are admins compliant to policy?
• Which devices are infected & how?
• How do I prioritize security events and eval risk?
• How do I auto-gather data to do incident response?

© 2013 Infoblox Inc. All Rights Reserved.


DDI & DNS Security: A Control & Data Plane for Security Deployments

• DNS Security: Breaking the malware control plane
• DDI Data: Security Operations Efficiency
• Ecosystem & Data Exchange: Real time Threat Intelligence exchange between diverse security platforms
• Enforcement & Mitigation: Pervasive mitigation and enforcement

Infoblox Data: Relevance to Security

DHCP
A DHCP assignment signals the insertion of a device on to the network
• Includes context: Device info, MAC, lease history
• DHCP is an audit trail of devices on the network

IPAM
Fixed IP addresses are typically assigned to important devices:
• Data center servers, network devices, etc.
• IPAM provides “metadata” (additional business context) via EAs: Owner, app, security level, location, ticket number
• And the business importance of the asset determines level of risk!

DNS
DNS is the first step in almost every activity, good or bad.
DNS query data provides a “client-centric” record of activity
• Includes internal activity inside the security perimeter
• Includes BYOD and IoT devices
• This provides an excellent basis to profile device & user activity

Security Relevant Data and Context Using Network Infrastructure



Breaking the Security Silo
Infoblox, FireEye and Carbon Black

[Diagram labels: Malicious Internet destinations; Infoblox threat intelligence feed (Malicious hostnames); INTERNET / INTRANET; Malware/APT infects a device inside the network and tries to call home; FireEye detects APT-based malware; Infoblox DNS Firewall; Infoblox DNS Firewall sends alert to Carbon Black; Carbon Black correlates endpoint and network data and remediates infected endpoint automatically; Infoblox Reporting and Analytics]

1 An infected device brought into the office.
2 FireEye detects the APT-based malware communication to malicious domain destination, and shares this information with DNS Firewall.
3 Infoblox DNS Firewall blocks endpoint DNS query and sends alert to Carbon Black.
4 Carbon Black correlates its own endpoint data and network data from Infoblox and remediates infected endpoint.
5 An update will occur every 2 hours (or more often for significant threat).
6 Pinpoint. Infoblox Reporting and Analytics lists DNS Firewall action as well as the:
• User name
• Device IP address
• Device MAC address
• Device type (DHCP fingerprint)
• Device host name
• Device lease history
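
The "pinpoint" step and the DHCP/IPAM/DNS slide describe joining a DNS Firewall hit to lease history and IPAM metadata. The sketch below is an added example, not Infoblox code: the record layouts, field names and sample events are constructed for illustration and do not reflect any Infoblox API or log format.

```python
from datetime import datetime

# Constructed sample data; layouts are illustrative, not an Infoblox schema.
LEASES = [  # DHCP lease history: ip, mac, hostname, fingerprint, start, end
    ("10.1.20.15", "aa:bb:cc:00:00:01", "hr-laptop-07", "Windows", "2016-05-02T08:00", "2016-05-02T12:00"),
    ("10.1.20.15", "aa:bb:cc:00:00:02", "guest-phone", "Android", "2016-05-02T12:30", "2016-05-02T18:00"),
]
FIXED = {  # IPAM fixed addresses with business metadata (EA-style attributes)
    "10.1.5.10": {"hostname": "pay-db-01", "owner": "finance", "security_level": "high"},
}
BLOCKS = [  # DNS firewall block events: timestamp, client ip, queried name
    ("2016-05-02T09:14", "10.1.20.15", "c2.example.invalid"),
    ("2016-05-02T13:02", "10.1.20.15", "c2.example.invalid"),
    ("2016-05-02T13:05", "10.1.5.10", "drop.example.invalid"),
    ("2016-05-02T19:00", "10.1.20.15", "c2.example.invalid"),
]

def ts(text):
    return datetime.strptime(text, "%Y-%m-%dT%H:%M")

def pinpoint(event):
    """Attach device identity and a triage priority to one block event."""
    when, ip, qname = event
    record = {"time": when, "ip": ip, "qname": qname, "device": None,
              "mac": None, "source": "unresolved", "priority": "review"}
    if ip in FIXED:  # fixed address: identity and importance come from IPAM
        meta = FIXED[ip]
        high = meta["security_level"] == "high"
        record.update(device=meta["hostname"], source="ipam",
                      priority="high" if high else "normal")
        return record
    for lease_ip, mac, host, _fp, start, end in LEASES:
        # The address alone is ambiguous; the lease must cover the query time.
        if lease_ip == ip and ts(start) <= ts(when) < ts(end):
            record.update(device=host, mac=mac, source="dhcp", priority="normal")
            return record
    return record  # no lease covered the event: flag for manual review

def triage(events):
    """Enriched events, most important assets first."""
    rank = {"high": 0, "review": 1, "normal": 2}
    return sorted((pinpoint(e) for e in events), key=lambda r: rank[r["priority"]])

if __name__ == "__main__":
    for row in triage(BLOCKS):
        print(row["priority"], row["time"], row["ip"], row["device"], row["qname"])
```

The same client IP resolves to two different devices depending on the query time, which is why the lease window, not the address, is the join key.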

Summary
• Infoblox is committed to providing best-in-class security to both protect DNS and break the malware control plane.
• Infoblox DDI platforms as the control and data plane for network security
• Busting the silos through open API integration
• A platform for real time data exchange and Threat Intelligence
• Leveraging the inherently valuable DDI data to improve security operations and efficiency
