When it comes to new security technologies, Mark Arnold has seen it all. As a board member for OWASP Boston, an advisor to the SOURCE security conference and Director of Information Security at PTC, he regularly evaluates the most cutting-edge new security technologies available. But when Arnold needs the most timely and accurate threat intelligence available, he says that there is one place that he consistently turns.
“Investigate is very valuable for our team,” says Arnold. “Firstly, it dissects what DNS actually is — it actually takes the protocol apart — and does it in such a way that our team is able to understand every aspect of it. Also, we know that when the data that Investigate uses becomes stale, it’s removed from the system. We want to know what OpenDNS sees in real-time, and Investigate makes that possible.”
“What OpenDNS sees” is the crux of why Arnold and his team are part of a growing number of infosec professionals who are turning to OpenDNS Investigate as a first — or sometimes, last — source of threat intelligence for their day-to-day security operations. Until now, access to this product and to OpenDNS’s massive dataset was available only to a few select customers.
Today, OpenDNS officially announced that Investigate is generally available to any security professional who, like Arnold, needs better visibility into the global threat landscape from a vantage point that no other security vendor can provide. OpenDNS Investigate is a security search engine that provides query-based and API-driven access to the massive cross-correlated database of domains, IP addresses and autonomous system numbers (ASNs) that the company collects, categorizes and enriches with its own sophisticated in-house models.
OpenDNS is continually analyzing terabytes of passive DNS data and BGP routes shared by more than 500 peering partners, combined with its own recursive DNS service — which handles over 70 billion DNS requests per day from more than 50 million active daily users in 160 countries — to assemble one of the largest repositories of network traffic data in the world.
But the real value, says Arnold, comes from the next step in the process: the company extracts intelligence from this data using over a dozen models developed by the OpenDNS Security Labs research team. These models range from language-based scoring algorithms like NLPRank, which identify likely spear-phishing domains, to prediction models that replicate specific domain generation algorithms (DGAs) and can catch fast-flux botnet command-and-control servers months before they activate. The resulting dataset not only provides contextual security information, but also reflects the rapidly changing relationships between domains, IPs and networks in real time as an attack unfolds (a stark contrast to other threat intelligence solutions, which typically rely on RSS-like feeds or even emails to provide updates). Investigate gives security teams a search engine-like interface to this database that can tell them whether a domain or IP is already part of an attack, or whether it may soon become part of one.
“With the Investigate platform, we’re fairly confident that the data that we’re collecting is accurate,” said Arnold, whose company specializes in connected product and Internet of Things (IoT) solutions. “It’s real-time, too, so as we’re clicking around the logs, we know we’re getting context based on data that is fresh as it can possibly be.”
The interface provides a variety of human-readable data, such as reputation scores, related domains, connected IP addresses, geographic distribution and attribution data for some known-bad sites. With the GA release, OpenDNS has also added WHOIS data to its database, giving analysts information about who registered a domain, and when and where it was registered (including contact information and any changes over time).
Arnold says that while the product can sometimes be an early part of his team’s incident response investigations, it really began to shine after his team began to integrate other systems with the Investigate API.
“Our goal is to automate everything we do, because the attackers have already automated their attack ecosystems,” said Arnold. “In manual investigations, when you stumble upon a site that’s hosting large footprints of malware or hosting domains, it’s easy to say ‘this is pretty bad.’ But for us, automating that is key. From a human point of view, you can’t do all of that work in real-time — Investigate gives us a fighting chance to keep up with these adversaries. We already have a threat intelligence platform that we created in-house which uses the Investigate API to make informed decisions about the data in our security ecosystem. It provides an additional level of context for various feeds that we already have in that intelligence platform.”
He describes this approach as “using good machines to fight bad machines.”
“When we first started using Investigate, we were getting a lot of intelligence from outside PTC, a lot of third-party intelligence,” he said. “We were taking those IOCs and basically submitting them to the Investigate platform to validate what we were seeing in our environment. We aggregate those malicious domains from specific security platforms and then the last level of validation is through Investigate. For our IOCs, it’s the final-final arbiter of truth.”
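The validation workflow Arnold describes, aggregating indicators from several third-party feeds and treating a reputation lookup as the final arbiter before anything is blocked, looks roughly like the following. This is an added example, not PTC’s or OpenDNS’s code: the feed contents are constructed sample data, and the reputation lookup is an in-memory table standing in for the Investigate API (the article names no endpoints, so none are assumed; the verdict values -1/0/1 are a hypothetical encoding). The part worth studying is the normalisation and the three-way verdict, since feeds mix bare domains, URLs, mixed case and trailing dots, and a feed-flagged domain that the lookup calls benign should be reviewed rather than blocked outright.

```python
"""IOC aggregation and validation pipeline (added example, not the page's code).

Domains reported by several feeds are normalised, de-duplicated with source
attribution, and then checked against a reputation lookup before being trusted.
"""
from collections import defaultdict
from typing import Callable, Dict, Iterable, List, Optional
from urllib.parse import urlsplit

# Constructed sample feeds: real feeds mix bare domains, URLs, upper-case
# names and trailing dots, so normalisation matters before de-duplication.
FEEDS: Dict[str, List[str]] = {
    "feed-a": ["BadDomain.example", "http://cnc.example/gate.php", "update.example."],
    "feed-b": ["baddomain.example", "https://Login-Portal.example:8443/x", "benign-cdn.example"],
}

# Constructed stand-in for the reputation source (would be the Investigate API
# in a real deployment). Hypothetical encoding: -1 malicious, 0 unknown, 1 benign.
VERDICTS: Dict[str, int] = {
    "baddomain.example": -1,
    "cnc.example": -1,
    "login-portal.example": 0,
    "benign-cdn.example": 1,
}


def normalise(ioc: str) -> Optional[str]:
    """Reduce an indicator (bare domain or URL) to a lower-case hostname."""
    ioc = ioc.strip()
    if not ioc:
        return None
    if "://" in ioc:
        host = urlsplit(ioc).hostname  # drops scheme, port, path and credentials
    else:
        host = ioc.split("/")[0].split(":")[0]  # tolerate "host:port/path" entries
    if not host:
        return None
    return host.lower().rstrip(".")  # strip the FQDN trailing dot


def aggregate(feeds: Dict[str, Iterable[str]]) -> Dict[str, List[str]]:
    """Map each normalised domain to the list of feeds that reported it."""
    seen: Dict[str, List[str]] = defaultdict(list)
    for feed, entries in feeds.items():
        for entry in entries:
            host = normalise(entry)
            if host and feed not in seen[host]:
                seen[host].append(feed)
    return dict(seen)


def validate(domains: Dict[str, List[str]], lookup: Callable[[str], int]) -> Dict[str, List[str]]:
    """Bucket aggregated IOCs by the reputation lookup's verdict.

    'confirmed'  -> feed and lookup agree it is malicious; safe to block.
    'disputed'   -> feed says bad, lookup says benign; review before blocking.
    'unverified' -> lookup has no verdict yet; keep watching, do not auto-block.
    """
    out: Dict[str, List[str]] = {"confirmed": [], "disputed": [], "unverified": []}
    for host in sorted(domains):
        status = lookup(host)
        if status < 0:
            out["confirmed"].append(host)
        elif status > 0:
            out["disputed"].append(host)
        else:
            out["unverified"].append(host)
    return out


def table_lookup(host: str) -> int:
    """Stand-in lookup: unknown domains get the 'no verdict' status."""
    return VERDICTS.get(host, 0)


if __name__ == "__main__":
    agg = aggregate(FEEDS)
    for host, sources in agg.items():
        print(f"{host:24} reported by {', '.join(sources)}")
    print(validate(agg, table_lookup))
```

Replacing `table_lookup` with a function that queries the real reputation service is the only change needed to move from the sample data to production; keeping the lookup behind a callable also makes the bucketing logic testable offline.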
Arnold also notes that he’s found value from integrating Investigate directly with the next-generation endpoint protection solution his company uses in-house. “Our endpoint solution provides a lot of insight from machines that may be participating in DGA-type activity. OpenDNS has a vast amount of information on DGAs. So immediately for us, that was a point of integration between the endpoint and Investigate. We’re able to tie that system into Investigate to correlate what we’re seeing, which gives us greater validation that something was amiss in our network.”
The trend toward integrating security solutions programmatically can be seen in the gradual shift to interoperable APIs among security vendors. Other parallels can be seen in the rise of the Internet of Things and connected devices in the enterprise. But even with this move towards automation, Arnold says that the data revealed by Investigate still has value for humans as well. “I’m drawn to Investigate pretty much on a nightly basis,” he said. “Anywhere in the world where I’m connected, I always find myself logging in.”