Infoblox Threat Insight
DNS is a critical infrastructure element and can be used as an effective enforcement point against data exfiltration. Threat Insight is a unique patented technology that detects and automatically blocks data exfiltration via DNS without the need for endpoint agents or additional network infrastructure. It uses real-time streaming analytics of live DNS queries and machine learning to accurately detect the presence of data in queries. Available as an optional module with Infoblox DNS Firewall, Threat Insight provides protection against both DNS tunneling and sophisticated data exfiltration techniques. Infoblox is the only vendor to offer DNS infrastructure with built-in analytics for protection of your data.
Active Blocking of Data Exfiltration Attempts
Threat Insight automatically blocks communications to destinations associated with data exfiltration attempts by adding those destinations to the DNS Firewall blacklist. In addition, it scales enforcement to all parts of the network through a Grid-wide update to all Infoblox members with DNS firewalling/RPZ capability.
Integrated into DNS
Unlike approaches that analyze log data in batches and after the compromise, Threat Insight is built directly into a DNS appliance, which is in the path of exfiltration, and provides real-time detection and blocking. There is no need for additional network infrastructure, agents, or new inline appliances.
Threat Insight provides visibility into infected devices or potential rogue employees trying to steal data. It provides identifying information such as user name (through Identity Mapping), device IP and MAC address, and device type. Reports can be accessed through the Infoblox Reporting and Analytics server.
Unique Patented Technology
Threat Insight is a patented technology that uses machine learning and performs real-time streaming analytics on live DNS queries to detect data exfiltration. It examines host.subdomain and TXT records in DNS queries and uses entropy, lexical analysis, time series, and other factors to determine the presence of data in queries.
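The entropy and lexical features described above, scored over a few constructed DNS query log lines, as an added illustration that is not Infoblox code and does not reproduce Threat Insight's model. It assumes a simple "client qtype qname" log format, illustrative thresholds, and that the registered domain is the last two labels of the query name; the resulting per-destination counts are the kind of signal that would feed an RPZ-style blocklist.

```python
import math
from collections import Counter, defaultdict

# Constructed sample DNS query log (not from the page): "<client-ip> <qtype> <qname>".
# The hex-looking labels are made-up stand-ins for encoded data, not real indicators.
SAMPLE_LOG = """\
10.0.0.5 A www.example.com
10.0.0.5 A mail.example.com
10.0.0.7 TXT 4a6f686e20446f65203132333435.exfil-test.example
10.0.0.7 TXT 5061737377643a2068756e7465723233.exfil-test.example
10.0.0.9 A cdn-assets-02.example.net
"""

def shannon_entropy(s: str) -> float:
    """Bits of entropy per character of s (0.0 for an empty string)."""
    if not s:
        return 0.0
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())

def split_qname(qname: str) -> tuple[str, str]:
    """Return (subdomain part, registered domain). Assumption: the registered
    domain is the last two labels; a public-suffix list would be used in practice."""
    labels = qname.rstrip(".").split(".")
    return ".".join(labels[:-2]), ".".join(labels[-2:])

def lexical_features(sub: str, qtype: str) -> dict:
    """Entropy, length and digit ratio of the subdomain, plus the record type."""
    digits = sum(ch.isdigit() for ch in sub)
    return {
        "entropy": shannon_entropy(sub),
        "length": len(sub),
        "digit_ratio": digits / len(sub) if sub else 0.0,
        "is_txt": qtype.upper() == "TXT",
    }

def is_suspicious(f: dict) -> bool:
    """Illustrative thresholds chosen for the constructed sample, not a vendor's.
    Length matters: a short name like 'cdn-assets-02' has high entropy too."""
    return f["length"] >= 20 and f["entropy"] >= 3.0 and (f["is_txt"] or f["digit_ratio"] >= 0.4)

def suspicious_destinations(log_text: str) -> dict:
    """Count suspicious queries per (client, registered domain); the domain is
    the candidate destination for an RPZ-style blocklist entry."""
    hits = defaultdict(int)
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 3:
            continue
        client, qtype, qname = parts
        sub, domain = split_qname(qname)
        if is_suspicious(lexical_features(sub, qtype)):
            hits[(client, domain)] += 1
    return dict(hits)
```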
Automated Security Response with Integrations
When an endpoint is trying to exfiltrate data, DNS Firewall provides indicators of compromise to endpoint remediation solutions such as Carbon Black. Using this intelligence, Carbon Black automatically bans the malicious processes from future execution and quarantines the infected endpoint. This accelerates security response and extends Infoblox protection beyond the network perimeter. Infoblox also exchanges security event information with Cisco Identity Services Engine (ISE) and provides robust RESTful APIs, which can be used to enrich your SIEM with additional contextual data.