Infoblox is to integrate its DDI Technology into the Qualys Cloud Platform. The goal is to improve the ability to detect new devices on the network and malicious events. This is the first DDI (DNS, DHCP and IP Address) Management solution integrated into the Qualys Cloud Platform. It is expected to deliver a single set of trusted DNS data for customer networks.
According to Scott Fulton, executive vice president of products at Infoblox: “Cybercriminals rely on critical network infrastructure such as DNS to infect devices, spread malware and steal data—and the longer it takes to discover, the higher the cost of damage. Sharing Actionable Network Intelligence with the Qualys Cloud Platform provides our joint customers unparalleled visibility into every connected device and end host on corporate networks. The rich context and out-of-the box integration accelerate remediation and allow customers to effectively manage risk.”
What is the problem with the network?
As companies have adopted a Bring Your Own Device (BYOD) policy they have lost control of the devices on their network. Users are not just connecting a single device to the corporate network. They are connecting laptops, tablets, smartphones and even personal storage devices to the company network. They are moving data on and off these devices as well into their own apps and cloud services. This is not malicious behaviour just users taking advantage of technology and services that they find more accessible than those provided by IT.
There has also been a surge in Internet connected devices inside the network. Organisations have TVs, DVD players, dishwashers, fridges, CCTV cameras and other non IT technology on their networks. These are just some of the Internet of Things devices appearing inside enterprises. Many of these are invisible to the IT departments and often connected to the network by users not the network team.
All of these devices create a platform on which malware can be introduced to a company and data stolen. Without better control of the network and the devices on it, IT security teams cannot protect data. The number of devices also makes it easy to hide malicious behaviour.
What are Infoblox and Qualys delivering?
The integration of the two vendors technology is designed to deliver visibility of all these devices. The idea is to prevent any device from being connected to the network without IT detecting it. This will allow IT departments to immediate scan the device for malware and check for its patch level. It will also provide an asset management database that is accurate. The challenge however will be determining ownership of the assets.
The press release lists four key capabilities this partnership will deliver:
- Asset Management: Infoblox provides device discovery and a single source of truth for devices and networks, which Qualys can leverage for organising new assets, automated tracking, and a detailed view of the network.
- Visibility: Infoblox delivers outbound notifications to Qualys to provide visibility into new networks, hosts, and IP-connected devices (IoT) joining the network, including contextual information such as where on the network an infected device is and to whom the device is assigned. This detailed context allows IT departments to prioritise response and remediation.
- Malware and Data Exfiltration Threat Identification: Infoblox uses advanced threat intelligence to detect and control malware communications at the DNS level by disrupting command-and-control communications to proactively control the spread of malware such as ransomware that uses DNS. These indicators of compromise can be easily shared with Qualys for further analysis and remediation.
- Compliance and Audit: Infoblox triggers Qualys when new devices join the network—physical, virtual, or cloud—to check for compliance.
It will be interesting to see how this impacts the use of behavioural analytics inside customers. Many companies struggle with the contextual information around users, devices and applications. This means that they find it hard to distinguish unusual behaviour especially for users who are highly mobile. The result is that they can often miss early indicators of an attack against corporate systems.
Greater use of threat intelligence data
Infoblox is a significant player in the threat intelligence industry. It’s tools are already integrated with threat intelligence services such as STIX and TAXII. Combine this with the data gathered by Qualys and it should make it easier for IT security teams to spot attacks on the network.
One area where this should have an immediate benefit is in better use of indicator of compromise (IoC). Using IoC data customers should be able to detect the Command and Control (C&C) server IP addresses quickly. This will not only help minimise attacks but also make it clear that an attack is taking place. It will allow companies with a ransomware mitigation policy to put it into action immediately.
The use of threat intelligence is also important in spotting long-term attacks. There has been a rise in this type of security breach that takes months even years to detect. With a wider pool of threat intelligence data that can be applied it is possible to identify parts of these attacks. As such damage to companies can be limited.
With the rise in fines for data and privacy breaches many companies are trying to roll out their own security solutions. This is challenging for many as they lack the tools required. Even those with the tools find themselves having to write complex integration software. This creates opportunities for malware writers to exploit as they target weaknesses in the integration components.
It is likely that we will see more and more of the smaller security companies integrate their solutions with each other. Larger vendors such as IBM are creating complex security platforms through development and acquisition. This means that the point solution vendors have to band together and this deal is a good example of benefits to customers and vendors.