Infoblox Experiences Zero Ransomware with Infoblox Threat Defense™ and SOC Insights
“Infoblox Threat Defense creates a cycle that continuously improves our security. It allows us to be more proactive so we face fewer critical threats and spend less time in response. That extra time we gain is spent being more proactive—hunting new threats and embarking on new projects to improve our security posture.”
- Ed Hunter, CISO, Infoblox
OVERVIEW
As the undisputed leader in the DDI (DNS, DHCP and IP address management) market, we have been helping companies improve the agility, automation and scalability of their network infrastructure for more than two decades.
This focus on innovation and customer-centric passion drove us to undertake a new challenge in 2019—leverage DNS to detect sophisticated cyberthreats and block them at the source.
Yet innovation alone is not enough. To ensure our solutions perform in complex environments for our customers, we deploy and rigorously test them within our own global enterprise first. Acting as “Customer Zero,” our IT, InfoSec, Product and Engineering teams partner closely to validate performance at scale, refine capabilities and ensure our technologies address the same operational and security challenges that our customers face every day.
THE SITUATION
Overwhelmed by Alerts, Limited by Resources
While firewalls and endpoint detection and response (EDR) are the most well-known tools in a security stack, that technology only detects cyberthreats after patient zero. Additionally, a firewall cannot protect remote users whose traffic does not pass through it. Relying solely on security information and event management (SIEM) for detecting and alerting on suspicious activity is untenable. For example, our own SIEM receives billions of alerts from other platforms, and like most companies, we struggle to process the overwhelming volume of data, not to mention the high cost of doing so.
These tools also largely stop at identifying potential threats, a service of marginal value when only about 4 percent of alerts can even be investigated due to staffing limitations [1]. This can lead to data breaches, which can take an average of 292 days to identify and result in the loss of $4.88 million per year [2], not to mention the impact on brand reputation.
Customer: Infoblox
Industry: Information Technology and Related Consulting
Location: Santa Clara, California
Objectives:
- Adopt a more proactive, defense-in-depth security posture
- Improve time-consuming, labor-intensive analysis of suspicious domains
- Reprioritize SOC workload to focus on more valuable threat actor hunting and investigation activities
Results:
- Reduction in SIEM traffic and licensing costs by 50%
- Translation of 1.5M DNS security events into 17 actionable insights
- 4x improvement in SOC efficiency with expedited threat investigation and resolution
Products: Infoblox Threat Defense™, SOC Insights
Recognizing that many organizations face these same challenges, we saw a clear opportunity to leverage DNS as a first line of defense, stopping threats earlier in the attack chain. This led to the development of Infoblox Threat Defense™, which combines advanced threat intelligence with deep network visibility to proactively block DNS-based attacks. Because DNS underpins how every user and system connects to the internet—and is often the first step in nearly every cyberattack—it is uniquely positioned to serve as a foundational layer of security.
Building on this foundation, we then extended these capabilities with our AI-powered SOC Insights add-on, which prioritizes and optimizes DNS events for SIEM and SOC platforms, accelerating investigation and response for SecOps teams.
THE CHALLENGES
Scaling DNS Security beyond the Firewall
DNS underpins every organization’s IT architecture, yet it is often overlooked in a security context. This is largely because many companies mistakenly believe their firewall extends protection to DNS at the endpoint. However, in today’s highly mobile workforce, organizations cannot rely solely on enterprise firewalls. This was best evidenced during COVID-19, when traffic going through the firewall dropped by 90 percent as approximately the same percentage of employees stopped coming into an Infoblox office.
While existing tools are great at serving their specific purpose, they cannot do it all. As Infoblox CISO Ed Hunter describes, “No one would be on the internet without a firewall. No one would accept email from the internet without filtering. If you don’t have something inspecting your DNS traffic, that’s a big risk. You’re leaving an avenue where data can be exfiltrated and leveraged for attacks.”
Prior to Threat Defense, our InfoSec team tested importing DNS intelligence into the firewall, but it was not able to scale sufficiently to handle the sheer volume of data, accepting only 50,000 records, a mere fraction of the millions of sites that Threat Defense can protect against. Further, it was cost prohibitive to license a firewall large enough to handle the amount of threat intelligence required and it fell short of providing end-to-end DNS security.
Beyond scaling, we also learned firsthand the limitations of other security platforms and their ability to generate alerts on DNS data. While SIEMs function well at detecting abnormal activity, today’s sophisticated attackers often attempt to exploit vulnerabilities through seemingly “normal” means, even something as routine as resolving a name to an IP address. In fact, the SIEM generated very few alerts when we fed all DNS activity into it—a reminder that SIEMs are not DNS experts.
An IT strategy that incorporates DNS tools is the difference between checkbox security and true security. DNS is a blind spot for many companies, and that is exactly what Threat Defense is designed to address. “When it comes to security, ‘good enough’ often isn’t good enough. You have to go to the experts, and in the case of DNS, that’s Infoblox,” explains Hunter.
THE SOLUTION
Putting DNS to the Test as the First Line of Defense
Our CIO organization leads a crucial “Infoblox on Infoblox” program, in which the utility of new Infoblox products is deployed, tested and validated. As “Customer Zero” for Threat Defense, we quickly confirmed the value of the solution’s filtering capabilities. For example, Threat Defense automatically blocked several hundred domains within the first few months that no other tool had ever marked as suspicious, granting our InfoSec team a newfound level of visibility and protection against malicious domains.
To further elevate our security position, the InfoSec team then deployed our latest security add-on, SOC Insights. Because SOC Insights distills vast amounts of DNS data sourced from every device and system on the network into a detailed set of actionable security insights, we successfully reduced total traffic to the SIEM by 50 percent. The enhanced filtering not only improved information fidelity but decreased data storage requirements and slashed Infoblox’s SIEM licensing in half.
The combination of Threat Defense and SOC Insights provides even greater defensive depth and scalability to capture millions of security events that other tools will likely never see, resulting in a much more proactive and efficient security posture. Infoblox has experienced the impact of this powerful combination firsthand.
THE RESULT
Zero Infections, Maximum Efficiency
The early and obvious successes have withstood the test of time. Since deploying Threat Defense, we have experienced zero successful infections of systems or ransomware attacks. As Hunter describes, “Like every CISO, my job is to constantly push to improve the security posture of the company. Ultimately, adopting Threat Defense is one of the key ways that CISOs can enhance their security level.”
The addition of SOC Insights to our Threat Defense system greatly enhanced an already-impressive security stack. Prior to SOC Insights, our SOC analysts were conducting painfully time-consuming analysis of each suspicious domain and hopping from system to system to investigate further. In today’s increasingly lean climate, addressing all of those alerts with only a handful of analysts is unfeasible. In just the first month post-implementation, SOC Insights reduced 1.5 million DNS security events into a minuscule 17 alerts, none of which had been detected by any prior tool. These 17 alerts represented a much more manageable workload, easily investigated by a single analyst within a day or two. This improvement lifted a tremendous weight off analysts’ shoulders, reducing burnout and freeing them up for other important duties.
With SOC Insights, a single dashboard displays the alert, provides valuable summaries and trends about malicious activity, and even allows users to block the threat, all of which leads to faster response times and a minimized risk window. As an Infoblox SOC analyst describes, “When you’re looking at suspicious events in SOC Insights, everything you need is in one place. Meaning a junior analyst can go in and understand the threat quite easily. The tool can fill the experience gaps on a SOC team, raising the contribution and value of each member.” Thanks to the capabilities of SOC Insights, the process of investigating and resolving an alert dropped from 60 minutes to just 15, translating to a 4x increase in SOC efficiency. “The increase in accuracy and decrease in manual effort required to investigate threats are night and day from where we were six years ago,” explains Anthony Ciarochi, senior manager of security operations.
The gains seen in operational efficiency enabled a complete shift in our security mindset. Between Threat Defense and SOC Insights, we have addressed issues that previously required lengthy detection, investigation and response processes. The result is a streamlined process across every step and a team who is leveraging DNS data to proactively block access to malicious domains and prioritize critical alerts. With less time wasted uncovering and responding to bad actors, that recouped time is better spent hunting and investigating evolving bad actors and threats.
Maintaining an organization’s security is a moving target, and with the ever-evolving threat landscape and fast-paced digital world we live in, that target will continue to become progressively harder to hit. A well-positioned security posture needs to have multiple layers, ease of scalability and the adaptability to manage change. Whether it is the trending move to cloud-native technology or the increasingly mobile nature of remote work, there will always be new and unexpected challenges to address. Knowing that, we adopted Threat Defense with SOC Insights to fill the gaps that no other security tool could, to shift the mindset from reactive to proactive and to continue pushing the limits of true security.
1. Giora Engel, “Building a Detection Strategy with the Right Metrics,” Dark Reading, August 9, 2016.
2. IBM Corporation and Ponemon Institute, Cost of a Data Breach Report 2024, July 2024.