{"id":989,"date":"2018-05-30T15:45:29","date_gmt":"2018-05-30T15:45:29","guid":{"rendered":"https:\/\/live-infoblox-blog.pantheonsite.io\/?p=989"},"modified":"2020-05-06T10:27:05","modified_gmt":"2020-05-06T17:27:05","slug":"why-you-need-reporting-amp-analytics-with-query-logging","status":"publish","type":"post","link":"https:\/\/www.infoblox.com\/blog\/community\/why-you-need-reporting-amp-analytics-with-query-logging\/","title":{"rendered":"Why You Need Reporting & Analytics with Query Logging"},"content":{"rendered":"

The Need for DNS Query Logs<\/h1>\n

DNS is a known threat vector for malware<\/h2>\n

DNS is a known critical exploit path for malware, ransomware and data exfiltration.\u00a0 In fact, malware command and control (C&C) is the number one threat vector for crimeware (Verizon Data Breach Investigations Report, 2016).\u00a0 Further, 91% of malware uses DNS to carry out malicious campaigns (Cisco Annual Security Report, 2016).\u00a0 According to a recent study, this can cost companies more than $500 per minute of downtime caused by DDoS attacks (Ponemon Institute, Cost of Data Breach Study, 2016).\u00a0 Yet, 70% of survey respondents in another report (Ponemon Institute, Second Annual Study on Exchange Cyber Threat Intelligence, 2015), felt that their threat intel was not timely enough for defense and mitigation.<\/p>\n

You are sitting on a wealth of threat mitigation data, a.k.a., your DNS query logs.<\/h2>\n

Surprisingly, many Security teams are often blind to the value of threat mitigation data available through their core network.<\/p>\n

If network conflicts, performance issues or outages occur, teams need access to the raw data found in network log files for fast root cause resolution.\u00a0 Raw data can be used by Security teams for\u00a0investigations and<\/em><\/strong>\u00a0forensics<\/em><\/strong>\u00a0to uncover a detailed query history of infected clients.\u00a0 It can further be used by Security and Audit teams for\u00a0access logging<\/em><\/strong>\u00a0to gain visibility into which clients queried which domains and which domains were queried by which clients for a given date and time range.\u00a0 Query logging can also aid\u00a0Compliance and audit<\/em><\/strong>\u00a0efforts by providing historical records of device and domain queries.\u00a0 To have this information on-demand through a few keystrokes up to two years back reduces the stress of an on-demand audit and provides significant peace-of-mind and high value when it comes to root cause discovery, analysis and resolution.<\/p>\n

But, there are significant challenges to use DNS query logs without impacting DNS performance<\/h2>\n

Unfortunately, access to readily consumable DNS query logging is a lot more difficult than just turning up the logging feature of your DNS services. \u00a0\u00a0Infoblox Reporting and Analytics with Query Logging moves these functions out of the critical path while minimizing the impact on the DNS infrastructure.<\/p>\n

Here are the top three obstacles teams face:<\/p>\n

    \n
  1. Resource Strain.\u00a0<\/strong>Windows event logs or Unix Syslogs are two operating system-level logging facilities often used for query logging.\u00a0 In environments with high DNS query volumes, these facilities can overload server resources, impacting and degrading DNS core and hosted service availability and performance. \u00a0This occurs because system logging facilities aren\u2019t designed to manage hundreds, thousands or more messages per second.\u00a0 Resources needed to log and format messages along with the underlying metadata places heavy compute demands on the CPU and storage utilization.<\/li>\n<\/ol>\n
      \n
    1. Data Management.\u00a0<\/strong>The next challenge is how to efficiently organize and store data in a searchable format and ensure the needed redundancy to keep data accessible. Even a couple of hundred queries per second can easily require gigabytes of storage each day, snowballing into significant memory requirements over weeks, months and years.\u00a0 It can take months to years to get a system designed, vetted, approved and deployed to manage extensive data redundancy on disk, accommodate successful disaster recovery, yet support searchability for forensic security investigations, compliance, and audit.<\/li>\n<\/ol>\n
        \n
      1. Data Access Delays.\u00a0<\/strong>Even with a well-designed platform and suitable infrastructure, log data must still be parsed, and search\/visualization tools must be engaged to view and manage the data. \u00a0Depending on the amount of data and cross-functional team dynamics, even many enterprise-grade tools can take days to deliver search results.<\/li>\n<\/ol>\n

        Once you have an integrated, scalable platform in place, you still have to create the reports and visualizations to simplify the potentially enormous amounts of data into timely, actionable intelligence within CapEx and OpEx constraints.\u00a0 This can take months to plan, budget and build out, but the threats are active now–and you can\u2019t afford a data breach, so the need is more immediate.<\/p>\n

        Efficient Query Logging with Infoblox Reporting & Analytics in 20 Minutes<\/h1>\n

        If this describes your situation, the Infoblox solution warrants serious consideration.\u00a0 It streamlines architecting and deploying an efficient query logging infrastructure that can be turned-up in as little as 20 minutes.<\/p>\n

        Infoblox Reporting & Analytics with Query Logging is a complete solution that solves data access, visibility challenges and more.\u00a0 Powered by a Splunk reporting and visualization engine, it includes an appliance that simply plugs into the Infoblox Grid Master to provide visibility and access to the breadth of network data from a single convenient platform.<\/p>\n

        \"Infoblox<\/p>\n

        It efficiently collects DNS query data and enables clustering of multiple appliances for High Availability (HA), Disaster Recovery (DR) and scalability to accommodate virtually whatever amount of data needed.<\/p>\n

        Better Performance through Connected Data<\/h2>\n

        Part of the Infoblox solution is a free component called the Infoblox Data Connector VM.\u00a0 It\u2019s a cool utility running on a virtual appliance that reduces bandwidth and DDI performance impacts when dealing with large, highly-active grids, syslog data, and DNS query and response logging.\u00a0 It works by collecting DNS query and response data, offloading resource-impacting DNS\/DHCP processing and applying user-defined filtering to reduce data quantity.\u00a0 It then formats and sends the data for report generation, ingestion by the Infoblox ActiveTrust cloud or to third-party Splunk Indexers using an SCP protocol via HTTP requests.\u00a0 It\u2019s the central point of network data collection that improves performance by reducing the impact of data exchange across the network.\u00a0 Further, it runs on VMware ESXi servers and is easily installed and registered on the Infoblox Grid (running NIOS 7.3 and later) in a matter of minutes.<\/p>\n

        Converting Raw Data to Actionable Insights<\/h2>\n

        Accessing raw network data is one thing, seeing it is another, but it takes planning, data selection, organization, formatting, and distribution to make it truly actionable\u2014and this takes time.\u00a0 Fortunately, Infoblox offers over 120 engineered, pre-built and customizable reports available through a single, unified console dashboard, so teams can get instant access to data without the time, expense and hassle of spinning-up a DIY project. \u00a0Infoblox documents many of these reports in a\u00a0Sample Report Guide<\/a>\u00a0which includes dashboards, audit logs, device, DNS, DHCP, ecosystem, internal, Global Server Load Balancing (GSLB), security, system\/appliance reports and other categories.\u00a0 Further, since Infoblox uses the Splunk reporting and visualization engine, users with Splunk programming ability can customize any of the pre-built reports to better meet their needs.\u00a0 Reports are integrated with the Microsoft server environment for even greater visibility.\u00a0 Run individual ad-hoc reports or automate regular distribution across teams.\u00a0 Further, there is a Reporting Experts Community Forum that shares newly developed reports, enables participants to exchange information, resolves problems and discusses best practices.<\/p>\n

        Infoblox\u00a0Reporting & Analytic<\/a>s with\u00a0Query Logging<\/a>\u00a0provides uncompromised visibility now across the network, instant access to current data, enables customized views, streamlines and automates operations, saves time and money, and delivers fast actionable insights enabling you to be a better manager of the network and resources in your care.<\/p>\n

        To Learn More:<\/h1>\n