The 2014 Verizon Data Breach Investigations Report calls a company’s DNS connection “the single best source” for detecting data exfiltration and command-and-control traffic from compromised hosts. It also recommends integrating DNS logs with other threat intelligence sources for stronger correlation and attribution. But despite this, according to the report, most organizations don’t integrate DNS logs into their SIEM, leaving them blind to an entire spectrum of Internet traffic. This blindspot includes traffic from external domains (i.e., most malware command-and-control traffic) and Internet requests using IRC, SSH, and other non-standard ports and protocols.
A common refrain from infosec analysts, customers, and the broader professional community is you can’t have security without first having visibility. OpenDNS – a leading provider of network security and DNS services – offers a response today by announcing Log Management with Amazon S3, a new way to centrally collect, manage, and store DNS logs in the cloud. Log Management provides a simple cloud-to-cloud storage solution for all of a company’s DNS logs that customers can deploy in less than half an hour. It also takes advantage of pre-built integrations between leading SIEM solutions – such as Splunk – and Amazon S3 to import DNS logs in minutes.
To do their work properly, investigators need clear insight into past events. Log Management provides a way to keep DNS log archives long past the time a breach occurs. FireEye reports that it can take businesses an average of 205 days to find a breach, which is why historical data is crucial to investigations. During a post-breach investigation, incident response teams need to retroactively analyze Internet activity to discover all compromised devices – on and off the network. With Log Management, OpenDNS customers get the visibility needed to collect, analyze, and trace breaches to their origin.
To trial Log Management with Amazon S3, contact your OpenDNS sales rep or email sales@opendns.com. Existing Umbrella Insights and Umbrella Platform customers can access Log Management with Amazon S3 via the dashboard.
