BloxOne™ Threat Defense Advanced makes threat landscape less ominous

Securing DNS infrastructure has never been more critical for partners: More than 90% of malware incidents and more than half of all ransomware and data theft attacks rely on the DNS vector. The good news is that new and evolving technologies designed to improve DNS privacy are making significant headway. Leading browser organizations have announced go-live plans for introducing DNS privacy in their respective browsers. Here’s how partners can bring these advanced security features to their customers with the latest releases from Infoblox BloxOne™ Threat Defense.



Although our most recent release of BloxOne™ Threat Defense has dramatically improved endpoint scalability and management, and enhanced investigation and threat response capabilities, customers continue to be excited about some of the industry-first innovations introduced in February. These address several high-risk trends that have become even more important under our new reality. Here are some key features introduced in this release:



● DNS over HTTPS (DoH) Solution

DNS over HTTPS (DoH), which all major browsers are beginning to support, is designed to offer increased privacy for some users, though at the expense of enterprise security best practices. With DoH enabled, devices send all DNS traffic to an external third-party DNS resolver, bypassing internal enterprise DNS infrastructure. Organizations that want to keep using internal DNS infrastructure, including the ability to enforce security policy through DNS, need to implement controls that block the use of these third-party DoH resolvers. The Infoblox Threat Intelligence service includes a feed called “Public-DoH” (public-doh.infoblox.local), which provides a negative response to “DoH Canary” domains (such as use-application-dns.net) and signals compliant browsers that DoH should not be used within the existing environment. Browsers will gracefully fall back to the organization’s managed DNS without interrupting user activity.



● Custom Look-Alike Domain Monitoring

Existing look-alike domain defenses, which are designed to address threats that abuse popularly targeted brands such as PayPal, have been extended to allow users to submit their own specific critical domains for look-alike monitoring. Customers can now submit the company’s own domain, or domains frequently visited or controlled by the organization, to the Infoblox Cyber Intelligence Unit (CIU), which will determine high-risk look-alike domains for initial assessment and monitoring. Customers are notified of suspicious activity related to these look-alike domains, both for visibility and as an advance warning that can help the organization avert attacks that target employees to compromise the network, or threats that target customers and can damage the organization’s brand reputation.



● Data Connector Enhancements

Data Connector is now enabled to forward DNS Firewall (RPZ) logs to Splunk and Infoblox Reporting for easier access to important details that can further accelerate incident investigations and support more rapid and effective threat response planning. Data Connector is available for subscribers of BloxOne Threat Defense Business Cloud, Advanced, and Security Ecosystem Business.



● Comprehensive Security Reports

Partners can now equip customers with Comprehensive Security Reports. These reports help users determine what information to display in the Cloud Services Portal by familiarizing them with the breadth of statistics and other data available. Additionally, information from these reports can be exported to a security information and event management (SIEM) solution or integrated into other security tools for further correlation, assessment, or sharing.



● Executive Summary Report: Additional Data Reporting

This feature enhancement adds two additional graphical report types to the already available report: “Data Exfiltration Activity” and “Access to Unauthorized Web Categories.” The “Data Exfiltration Activity” report documents the unauthorized transfer of data from a computer. DNS threat analytics can detect and automatically block data exfiltration attempts via DNS, without the need for endpoint agents or additional network infrastructure. The target domains can originate from any geographic location. The “Access to Unauthorized Web Categories” report displays a breakdown of web activity at sites classified as unauthorized by the user by means of a content category.



Driven by user feedback and changes in the threat landscape, Infoblox continues to address some of the unmet challenges in the security industry with this release. BloxOne™ Threat Defense not only provides immediate value by securing often under-defended attack vectors, but also helps partners with foundational security services improve the effectiveness of other solutions within the security stack.



Bob Hansmann, senior product marketing manager for security at Infoblox, has over three decades of experience helping global enterprises and government agencies uplift their cyberthreat prevention, detection, investigation, and response capabilities. Having worked in a number of areas, from threat research and engineering to product management and marketing, Hansmann has helped pioneer many of today’s security industry standards and has a unique perspective on the organizational challenge of balancing security needs with productivity success requirements.