Editor’s note: Later today, OpenDNS CEO David Ulevitch will be speaking at BoxWorks 2014 alongside Box Chief Trust Officer Justin Somaini and Securosis CEO and Analyst Rich Mogull about the role of cloud services in the security transformation. In advance of BoxWorks, the blog team at OpenDNS sat down with David to get his perspective on how the cloud can make us more secure and why he decided to start a security company.
You’ve been in the security game for a long time. How did you first become involved in security?
DU: Basically, I fell into security out of a need to protect my company.
In 2001 I founded my first company, EveryDNS. We would eventually provide authoritative DNS services for over 135,000 domains, but in the beginning we just wanted to provide the best and fastest experience possible.
After launching, we discovered that there were two security challenges that we needed to address. The first challenge was that we were being targeted by phishers and spammers, and found ourselves on the receiving end of what was (up to that point) the largest DDoS attack in history. The other problem was that we were providing a reliable, fast service that was free — so bad guys started using our service as part of their infrastructure.
We had to become very good at dealing with abuse, proactively getting rid of the bad guys and responding to malicious activity. In a short period of time, we went from hosting bad guys to finding them and removing them quickly. We went from being under attack to blocking bad guys at the edge of our network.
That led to the creation of OpenDNS.
What do you think is the biggest challenge facing CISOs today?
DU: The biggest challenge for CISOs, by far, is getting more visibility into their IT infrastructure so they can understand the scope of their security problems. It makes sense that this would be an area of focus for them, as more visibility gives them a better sense of their risk exposure, security posture and helps them know what their priorities should be.
Visibility has become a problem as people have changed the way that they work. You get less visibility as people move out of the office and start using more cloud services. Shadow IT in general is a huge source of blind spots. IT infrastructure that the IT group doesn’t know about is a huge blind spot and one area that lots of the CISOs that I talk to would like to improve.
That’s probably the reason why there have been dozens of cloud visibility services that have sprung up in the last few years — there is a huge need for more visibility into the Shadow IT problem.
How do you improve visibility into Shadow IT?
DU: Companies often have multiple, siloed data sources that can be combined to address the visibility problems I just mentioned.
For instance, take a company that is running FireEye. You could be using FireEye to protect yourself from some threats, but if you’re not connecting FireEye and Splunk, you’re not harnessing that data to make your security smarter. You could have one part of your infrastructure that is under attack and another part that will be under attack. If you can’t use the data from every attack to make yourself more secure, you’re missing an opportunity. We know that attackers are constantly trying to perform reconnaissance to gather more intelligence on their targets. Enterprises need to be doing the same thing for their own security.
Another area where you can improve your visibility is through intelligence sharing. Customers are finally beginning to share threat intelligence with each other. Companies in the financial services industry, for example, are now realizing that if one of them gets attacked, they all might be attacked by the same group. A year ago, no one in security would have been able to guess how quickly enterprises would be sharing threat intelligence with each other. Two years ago, no one would do this kind of community intelligence sharing. Now, it’s all for one and one for all.
What’s the advantage to running security through a cloud-delivered DNS service?
DU: DNS is the first point of contact for most of the traffic on the Internet.
Although people would agree that DNS is a fundamental part of the way the Internet works, they may have never considered how that translates into a security advantage.
To illustrate how DNS offers a security advantage, look at something like Lockheed’s Cyber Kill Chain. The basic premise of the kill chain model is that attackers have gotten so good at finding innovative ways of breaking into networks that we need to build a structured feedback loop to help our networks improve their defenses and recover from attacks more quickly.
One of the key takeaways for most enterprises from work on the Cyber Kill Chain is that it’s progressively less expensive to block a threat earlier in the chain. That means early prevention is the cheapest option, and reacting to an attack afterwards is the most expensive one.
We focus on two parts of the kill chain: early prevention and preventing the exfiltration of data.
Since DNS is the first point of contact for most of the Internet, it can block more attacks at the first point in the kill chain. DNS is port and protocol agnostic, so it can see and block more traffic from more of the Internet regardless of the vector.
Where most proxies only try to protect against incoming threats, we can also detect malware and botnets that are trying to beacon out to a command and control server. We can also detect outbound connections that are attempting to connect to a hacker’s own infrastructure and may be an attempt to exfiltrate data.
Also, DNS is important for the entire Internet, not just the Web. The Internet is more than just the Web, by the way, especially when it comes to malware.
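The two DNS-layer checks described in this answer, blocking queries for known-bad domains at the resolver and spotting hosts that beacon out to a command-and-control server, as an added example that is not part of the original post and is not OpenDNS's code. It assumes a simple resolver log line format (ISO timestamp, client IP, query name, query type); the log lines, addresses and domain names are constructed for the example, and the blocklist is a placeholder rather than real threat intelligence.

```python
"""DNS-layer detection over resolver query logs (added example, not OpenDNS code).

Assumed log format, one query per line:
    <ISO-8601 timestamp> <client ip> <query name> <query type>
"""
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed sample log: one workstation resolves ordinary names, one host
# queries the same (unlisted) domain roughly every 60 seconds like a C2 beacon,
# and one host queries a blocklisted domain once. All values are made up.
SAMPLE_LOG = """\
2014-09-15T10:00:00 10.1.1.20 www.example.com A
2014-09-15T10:00:05 10.1.1.20 mail.example.com A
2014-09-15T10:00:10 10.1.1.31 update.c2-placeholder.invalid A
2014-09-15T10:01:10 10.1.1.31 update.c2-placeholder.invalid A
2014-09-15T10:02:11 10.1.1.31 update.c2-placeholder.invalid A
2014-09-15T10:03:09 10.1.1.31 update.c2-placeholder.invalid A
2014-09-15T10:04:10 10.1.1.31 update.c2-placeholder.invalid A
2014-09-15T10:02:30 10.1.1.45 login.bad-domain.invalid A
2014-09-15T10:05:00 10.1.1.20 cdn.example.net AAAA
"""

# Placeholder blocklist of known-bad apex domains (constructed, not real intel).
BLOCKLIST = {"bad-domain.invalid"}


def parse_log(text):
    """Turn log text into (timestamp, client, qname, qtype) tuples."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, client, qname, qtype = line.split()
        # Normalise the name so matching is case-insensitive and ignores a trailing dot.
        records.append((datetime.fromisoformat(ts), client, qname.lower().rstrip("."), qtype))
    return records


def is_blocked(qname, blocklist):
    """True if the name or any parent domain of it is on the blocklist."""
    labels = qname.split(".")
    return any(".".join(labels[i:]) in blocklist for i in range(len(labels)))


def blocked_queries(records, blocklist):
    """Queries the resolver would refuse: this is the 'early prevention' step."""
    return [(client, qname) for _, client, qname, _ in records if is_blocked(qname, blocklist)]


def beaconing_pairs(records, min_queries=4, max_cv=0.1):
    """Flag (client, qname) pairs queried at near-constant intervals.

    Malware check-ins tend to fire on a timer, so the inter-query gaps have a
    low coefficient of variation (stddev / mean). This catches beacons to a
    domain that is not yet on any blocklist. Returns (client, qname, mean gap s).
    """
    times = defaultdict(list)
    for ts, client, qname, _ in records:
        times[(client, qname)].append(ts)
    flagged = []
    for (client, qname), stamps in times.items():
        if len(stamps) < min_queries:
            continue
        stamps.sort()  # the log need not be in time order
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        avg = mean(gaps)
        if avg > 0 and pstdev(gaps) / avg <= max_cv:
            flagged.append((client, qname, round(avg)))
    return flagged


if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    for client, qname in blocked_queries(recs, BLOCKLIST):
        print(f"BLOCK   {client} -> {qname}")
    for client, qname, gap in beaconing_pairs(recs):
        print(f"BEACON  {client} -> {qname} every ~{gap}s")
```

On the sample log the blocklist catches the single query from 10.1.1.45, while the timing check flags 10.1.1.31 even though its destination is not listed anywhere; in practice the second result is what you would feed back into the blocklist, which is the feedback loop the answer describes. The thresholds (`min_queries`, `max_cv`) are starting points and should be tuned against a baseline of legitimate periodic traffic such as update checks.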