Cisco Umbrella
Product

OpenDNS Investigate: Using Good Machines to Fight the Bad Ones

By Stephen Lynch
Posted on July 22, 2015
Updated on April 10, 2020


When it comes to new security technologies, Mark Arnold has seen it all. As a board member for OWASP Boston, an advisor to the SOURCE security conference and Director of Information Security at PTC, he regularly evaluates the most cutting-edge security technologies available. But when Arnold needs the most timely and accurate threat intelligence available, he says there is one place to which he consistently turns.

“Investigate is very valuable for our team,” says Arnold. “Firstly, it dissects what DNS actually is — it actually takes the protocol apart — and does it in such a way that our team is able to understand every aspect of it. Also, we know that when the data that Investigate uses becomes stale, it’s removed from the system. We want to know what OpenDNS sees in real-time, and Investigate makes that possible.”

“What OpenDNS sees” is the crux of why Arnold and his team are part of a growing number of infosec professionals who are turning to OpenDNS Investigate as a first, or sometimes last, source of threat intelligence for their day-to-day security operations. Up until now, access to this product and to OpenDNS’s massive data set was only available in limited release to a few select customers.

Today, OpenDNS officially announced that Investigate is generally available to any security professional who, like Arnold, needs better visibility into the global threat landscape from a vantage point that no other security vendor can provide. OpenDNS Investigate is a security search engine that provides query-based and API-driven access to the massive cross-correlated database of domains, IP addresses and autonomous system numbers (ASNs) that the company collects, categorizes and enriches with its own sophisticated in-house models.

OpenDNS is continually analyzing terabytes of passive DNS data and BGP routes shared by more than 500 peering partners, combined with its own recursive DNS service — which handles over 70 billion DNS requests per day from more than 50 million active daily users in 160 countries — to assemble one of the largest repositories of network traffic data in the world.

But the real value, says Arnold, comes from the next step in the process: the company extracts intelligence from this data using over a dozen models developed by the OpenDNS Security Labs research team. These models range from language-based scoring algorithms like NLPRank, which identify likely spear phishing domains, to prediction models that replicate specific domain generation algorithms (DGAs) and can catch fast-flux botnet command-and-control servers months before they activate. The resulting dataset not only provides contextual security information, but also reflects the rapidly changing relationships between domains, IPs and networks in real time as an attack unfolds (a stark contrast to other threat intelligence solutions, which typically rely on RSS-like feeds or even emails to provide updates). Investigate gives security teams a search engine-like interface to this database that can tell them whether a domain or IP is already part of an attack, or whether it may soon become part of one.
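The DGA-replication idea above, as an added example that is not OpenDNS code and does not reproduce any real malware family's algorithm: once an analyst has reverse engineered the deterministic function a bot uses to derive its rendezvous domains from a seed and the date, the defender can run that function ahead of the calendar, pre-compute the domains for the coming weeks and match resolver logs against them before the operator has even registered them. The generation scheme, seed and query log below are all constructed for illustration.

```python
"""
Toy DGA replication for proactive C2 detection.

Everything here is constructed for illustration: the generation scheme,
the seed and the sample query log. It is not a real malware family's DGA
and not OpenDNS/Umbrella code.
"""
import datetime as dt
import hashlib

TLDS = ("com", "net", "info")


def toy_dga(day_iso: str, count: int = 10, seed: bytes = b"demo-seed") -> list:
    """Generate the domains a (hypothetical) bot would try on a given day.

    Real DGAs follow the same pattern: a hard-coded seed plus a time value is
    fed through a deterministic function, so anyone who has recovered the
    function and seed from a sample can reproduce the output for any date.
    """
    domains = []
    for i in range(count):
        material = seed + day_iso.encode() + i.to_bytes(2, "big")
        digest = hashlib.sha256(material).digest()
        # 12 lowercase letters from the hash, then a TLD picked from the next byte
        label = "".join(chr(ord("a") + b % 26) for b in digest[:12])
        domains.append(f"{label}.{TLDS[digest[12] % len(TLDS)]}")
    return domains


def predict_domains(start_iso: str, days_ahead: int, **dga_kwargs) -> dict:
    """Pre-compute every domain the DGA will emit over the next `days_ahead` days.

    Returns {domain: first_active_day_iso}, so a hit tells you not only that a
    client queried a DGA domain but on which day the bot would start using it.
    """
    start = dt.date.fromisoformat(start_iso)
    predicted = {}
    for offset in range(days_ahead):
        day = (start + dt.timedelta(days=offset)).isoformat()
        for domain in toy_dga(day, **dga_kwargs):
            predicted.setdefault(domain, day)
    return predicted


def match_queries(query_log: list, predicted: dict) -> list:
    """Match (timestamp, client_ip, qname) records against the predicted set.

    Case and trailing dots are normalised because resolver logs are not
    consistent about either, and a missed normalisation is a missed C2 hit.
    """
    hits = []
    for ts, client, qname in query_log:
        name = qname.lower().rstrip(".")
        if name in predicted:
            hits.append({"ts": ts, "client": client, "qname": name,
                         "active_from": predicted[name]})
    return hits


if __name__ == "__main__":
    # Constructed sample log: two ordinary lookups and one DGA domain that the
    # malware would not start using until 2015-08-01, ten days in the future.
    future_c2 = toy_dga("2015-08-01")[0]
    sample_log = [
        ("2015-07-22T09:15:02Z", "10.1.2.3", "www.example.com."),
        ("2015-07-22T09:15:07Z", "10.1.2.3", "cdn.example.net"),
        ("2015-07-22T09:16:40Z", "10.1.2.9", future_c2.upper() + "."),
    ]
    blocklist = predict_domains("2015-07-22", 30)
    for hit in match_queries(sample_log, blocklist):
        print(f"{hit['client']} queried {hit['qname']} "
              f"(DGA domain scheduled for {hit['active_from']})")
```

The predicted set is small (ten domains a day) because the toy generator is; real families emit hundreds or thousands per day, which is why this kind of prediction is run as a batch job feeding a resolver-side blocklist rather than as a per-query computation. A client that resolves a domain before its scheduled activation date is a strong signal: legitimate software has no reason to know that name yet.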

“With the Investigate platform, we’re fairly confident that the data that we’re collecting is accurate,” said Arnold, whose company specializes in connected product and Internet of Things (IoT) solutions. “It’s real-time, too, so as we’re clicking around the logs, we know we’re getting context based on data that is fresh as it can possibly be.”

The interface provides a variety of human-readable data, such as reputation scores, related domains, connected IP addresses, geographic distribution and attribution data for some known-bad sites. Included in the GA release, OpenDNS has added WHOIS data to its database, giving analysts information about who registered a domain, when and where it was registered (including contact information and any changes over time).

Arnold says that while the product can sometimes be an early part of his team’s incident response investigations, it really began to shine after his team began to integrate other systems with the Investigate API.

“Our goal is to automate everything we do, because the attackers have already automated their attack ecosystems,” said Arnold. “In manual investigations, when you stumble upon a site that’s hosting large footprints of malware or hosting domains, it’s easy to say ‘this is pretty bad.’ But for us, automating that is key. From a human point of view, you can’t do all of that work in real-time — Investigate gives us a fighting chance to keep up with these adversaries. We already have a threat intelligence platform that we created in-house which uses the Investigate API to make informed decisions about the data in our security ecosystem. It provides an additional level of context for various feeds that we already have in that intelligence platform.”

He describes this approach as “using good machines to fight bad machines.”
“When we first started using Investigate, we were getting a lot of intelligence from outside PTC, a lot of third-party intelligence,” he said. “We were taking those IOCs and basically submitting them to the Investigate platform to validate what we were seeing in our environment. We aggregate those malicious domains from specific security platforms and then the last level of validation is through Investigate. For our IOCs, it’s the final-final arbiter of truth.”
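The IOC-validation workflow Arnold describes, as an added example that is neither PTC's in-house platform nor OpenDNS code: indicators from several third-party feeds are normalised and merged, then checked in bulk against Investigate's domain categorization before anything reaches enforcement. The endpoint path, bearer-token header and status values (-1 malicious, 0 uncategorized, 1 benign) are assumptions taken from the current Umbrella Investigate API documentation and may differ from the 2015-era API; the feeds and the canned response are constructed sample data, so the example runs offline.

```python
"""
IOC validation pipeline: aggregate third-party indicators, then use Investigate's
domain categorization as the final check before anything is blocked.

The HTTP endpoint, header and response shape are assumptions taken from the
current Umbrella Investigate API documentation (POST /domains/categorization,
status -1 = malicious, 0 = uncategorized, 1 = benign). The feeds and responses
in __main__ are constructed sample data, not real indicators.
"""
import json
import urllib.parse
import urllib.request
from typing import Callable, Dict, Iterable, List, Optional

INVESTIGATE_BASE = "https://investigate.api.umbrella.com"  # assumed, see module docstring
STATUS_VERDICT = {-1: "malicious", 0: "unknown", 1: "benign"}


def normalize_ioc(raw: str) -> Optional[str]:
    """Reduce a feed entry (URL, host:port, trailing-dot FQDN, comment) to a bare lowercase domain."""
    value = raw.strip()
    if not value or value.startswith("#"):
        return None
    if "://" in value:
        value = urllib.parse.urlsplit(value).hostname or ""
    else:
        value = value.split("/", 1)[0].split(":", 1)[0]
    value = value.lower().rstrip(".")
    return value or None


def aggregate_feeds(feeds: Dict[str, Iterable[str]]) -> Dict[str, set]:
    """Merge feeds into {domain: {feed names that reported it}}; dedup happens here."""
    merged: Dict[str, set] = {}
    for feed_name, entries in feeds.items():
        for entry in entries:
            domain = normalize_ioc(entry)
            if domain:
                merged.setdefault(domain, set()).add(feed_name)
    return merged


def investigate_lookup(domains: List[str], token: str) -> dict:
    """Bulk categorization call (assumed endpoint; the docs cap a request at 1000 domains)."""
    req = urllib.request.Request(
        f"{INVESTIGATE_BASE}/domains/categorization?showLabels",
        data=json.dumps(domains).encode(),
        headers={"Authorization": f"Bearer {token}", "Content-Type": "application/json"},
        method="POST",
    )
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.load(resp)


def validate_iocs(feeds: Dict[str, Iterable[str]],
                  lookup: Callable[[List[str]], dict]) -> Dict[str, List[dict]]:
    """Sort merged indicators into three buckets by Investigate's verdict.

    confirmed  - Investigate also says malicious: safe to push to enforcement
    disputed   - a feed says bad but Investigate says benign: human review, never auto-block
    unverified - uncategorized or missing from the response: keep watching, do not block on feed say-so alone
    """
    merged = aggregate_feeds(feeds)
    domains = sorted(merged)
    result = lookup(domains) if domains else {}
    buckets: Dict[str, List[dict]] = {"confirmed": [], "disputed": [], "unverified": []}
    for domain in domains:
        entry = result.get(domain, {})
        verdict = STATUS_VERDICT.get(entry.get("status", 0), "unknown")
        record = {
            "domain": domain,
            "feeds": sorted(merged[domain]),
            "verdict": verdict,
            "security_categories": entry.get("security_categories", []),
        }
        bucket = {"malicious": "confirmed", "benign": "disputed"}.get(verdict, "unverified")
        buckets[bucket].append(record)
    return buckets


if __name__ == "__main__":
    # Constructed sample feeds and a canned Investigate response; no network access.
    sample_feeds = {
        "vendor-a": ["http://Bad.Example.org:8080/payload.exe", "dga-k3j4h.example.net.", "# comment line"],
        "vendor-b": ["bad.example.org", "www.example.com"],
    }
    canned_response = {
        "bad.example.org": {"status": -1, "security_categories": ["Malware"], "content_categories": []},
        "dga-k3j4h.example.net": {"status": 0, "security_categories": [], "content_categories": []},
        "www.example.com": {"status": 1, "security_categories": [], "content_categories": ["Business"]},
    }
    print(json.dumps(validate_iocs(sample_feeds, lambda domains: canned_response), indent=2))
    # Live use would pass: lambda domains: investigate_lookup(domains, api_token)
```

The lookup is injected as a callable so the decision logic can be exercised without credentials; the same function runs against the live API by substituting `investigate_lookup`. Note the design choice in the "disputed" bucket: when the external feed and Investigate disagree, the pipeline refuses to auto-block and routes the indicator to a human, which is exactly the "final arbiter" role Arnold describes.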

Arnold also notes that he’s found value from integrating Investigate directly with the next-generation endpoint protection solution his company uses in-house. “Our endpoint solution provides a lot of insight from machines that may be participating in DGA-type activity. OpenDNS has a vast amount of information on DGAs. So immediately for us, that was a point of integration between the endpoint and Investigate. We’re able to tie that system into Investigate to correlate what we’re seeing, which gives us greater validation that something was amiss in our network.”

The trend for more security solutions to be integrated programmatically can be seen in the gradual shift towards interoperable APIs among security vendors. Other parallels can be seen in the rise of the Internet of Things and connected devices in the enterprise. But even with this move towards automation, Arnold says that the data revealed by Investigate still has value for humans, as well. “I’m drawn to Investigate pretty much on a nightly basis,” he said. “Anywhere in the world where I’m connected, I always find myself logging in.”
