Risk

10/15/2015
11:00 AM
Joshua Goldfarb
Joshua Goldfarb
Commentary
Connect Directly
Twitter
RSS
E-Mail vvv
50%
50%

An Atypical Approach To DNS

It's now possible to architect network instrumentation to collect fewer data sources of higher value to security operations. Here's how -- and why -- you should care.

The idea for this column started when a colleague asked me a few questions about analyzing metadata generated from network traffic. We discussed a few possibilities, including various different types of metadata. A few minutes after our call, I recalled an email thread I had seen discussing ways to collect metadata about DNS transactions. Most of the solutions offered on that thread involved deploying new equipment to collect additional telemetry data. 

Suffice it to say, based on the discussions I have with customers, yet another piece of equipment to deploy, manage, and maintain is not high on their wish list. On the other hand, DNS data is extremely valuable for security operations and incident response. So how can we rectify this discrepancy? Perhaps taking an atypical approach to DNS is the answer.

Almost five years ago, I gave a talk at the GFIRST conference entitled "Uber Data Source: Holy Grail or Final Fantasy?" In this talk, I proposed that given the volume and complexity that a larger number of highly specialized data sources brings to security operations, it makes sense to think about moving towards a smaller number of more generalized data sources.  

One could also imagine taking this concept further, ultimately resulting in an "uber data source." Or, how about a more detailed discussion working within the context of network traffic data sources?  I consider host (AV logs), system (Linux syslogs), and/or application level (web server logs) data sources beyond the context of what I would consider generalizing into an uber data source, at least for network traffic data and meta-data.

Begin at the beginning

Let's start by looking at the current state of security operations in most organizations, specifically as it relates to network traffic data log collection. In most organizations, a large number of highly specialized network traffic data sources are collected. This creates a complex ecosystem of logs that clouds the operational workflow.  

In my experience, the first question asked by an analyst when developing new alerting content or performing incident response is "To which data source or data sources do I go to find the data I need?" I would suggest that this wastes precious resources and time. Rather, the analyst's first question should be "What questions do I need to ask of the data in order to accomplish what I have set out to do?" This necessitates a "go to" data source -- the "uber data source."

Additionally, it is helpful to highlight the difference between data value and data volume. Each data source that an organization collects will have a certain value, relevance, and usefulness to security operations. Similarly, each data source will also produce a certain volume of data when collected and warehoused. Data value and data volume do not necessarily correlate. For example, firewall logs often consume 80% of an organization's log storage resources, but actually prove quite difficult to work with when developing alerting content or performing incident response. Conversely, as an illustrative example, DHCP logs provide valuable insight to security operations, but are relatively low volume.

There is also another angle to the data value vs. data volume point. As you can imagine, collecting a large volume of less valuable logs creates two issues, among others:

  • Storage is consumed more quickly, thus reducing the retention period. (This can have a detrimental effect on security operations when performing incident response, particularly around intrusions that have been present on the network for quite some time.)
  • Queries return more slowly due to the larger volume of data. (This can have a detrimental effect on security operations when performing incident response, since answers to important questions come more slowly.)

Those who disagree with me will argue: "I can't articulate what it is, but I know that when it comes time to perform incident response, I will need something from those other data sources."  To those people, I would ask: If you're collecting so much data, irrespective of its value to security operations, that your retention period is cut to less than 30 days and your queries take hours or days to run, are you really able to use that data you've collected for incident response?  I think not.

If we take a step back, we see that the current "give me everything" approach to log collection involves a large number of highly specialized data sources. This is the case for a variety of reasons, but historical reasons and a lack of understanding regarding each data source's value to security operations are among them.  

A better way

If we think about what these data sources are conceptually, we see that they are essentially metadata from layer 4 of the OSI model (the transport layer) enriched with specific data from layer 7 of the OSI model (the application later) suiting the purpose of that particular data source. For example, DNS logs are essentially metadata from layer 4 of the OSI model enriched with additional contextual information regarding DNS queries and responses found in layer 7 of the OSI model. I would assert that there is a better way to operate without adversely affecting network visibility.

The question I asked back in 2011 was "Why not generalize this?" Why collect DNS logs as a specialized data source when the same visibility can be provided as part of a more generalized data source of higher value to security operations? It is now possible to architect network instrumentation to collect fewer data sources of higher value to security operations. This has several benefits:

  • Less redundancy and wastefulness across data sources
  • Less confusion surrounding where to go to get the required data
  • Reduced storage cost or increased retention period at the same storage cost
  • Improved query performance

There is no doubt in my mind that DNS is an incredibly valuable data source for security operations and incident response. Unfortunately, many organizations do not collect DNS data, only to find out later that not doing so has caused them great harm. Based on feedback I receive, one of the main reasons more organizations do not collect DNS data is because of the complexity, load, and cost associated with doing so. This is where the concept of the "uber data source" can help. Providing organizations a simpler, lighter-weight and cost-effective way to collect, retain, and analyze valuable layer 7 enriched metadata is a way to encourage them to collect DNS data, along with other valuable metadata. In this case, I think less is more.

Josh is an experienced information security leader with broad experience building and running Security Operations Centers (SOCs). Josh is currently co-founder and chief product officer at IDRRA. Prior to joining IDRRA, Josh served as vice president, chief technology officer, ... View Full Bio
Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
13 Russians Indicted for Massive Operation to Sway US Election
Kelly Sheridan, Associate Editor, Dark Reading,  2/16/2018
Facebook Aims to Make Security More Social
Kelly Sheridan, Associate Editor, Dark Reading,  2/20/2018
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Current Issue
How to Cope with the IT Security Skills Shortage
Most enterprises don't have all the in-house skills they need to meet the rising threat from online attackers. Here are some tips on ways to beat the shortage.
Flash Poll
[Strategic Security Report] Navigating the Threat Intelligence Maze
[Strategic Security Report] Navigating the Threat Intelligence Maze
Most enterprises are using threat intel services, but many are still figuring out how to use the data they're collecting. In this Dark Reading survey we give you a look at what they're doing today - and where they hope to go.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2017-0290
Published: 2017-05-09
NScript in mpengine in Microsoft Malware Protection Engine with Engine Version before 1.1.13704.0, as used in Windows Defender and other products, allows remote attackers to execute arbitrary code or cause a denial of service (type confusion and application crash) via crafted JavaScript code within ...

CVE-2016-10369
Published: 2017-05-08
unixsocket.c in lxterminal through 0.3.0 insecurely uses /tmp for a socket file, allowing a local user to cause a denial of service (preventing terminal launch), or possibly have other impact (bypassing terminal access control).

CVE-2016-8202
Published: 2017-05-08
A privilege escalation vulnerability in Brocade Fibre Channel SAN products running Brocade Fabric OS (FOS) releases earlier than v7.4.1d and v8.0.1b could allow an authenticated attacker to elevate the privileges of user accounts accessing the system via command line interface. With affected version...

CVE-2016-8209
Published: 2017-05-08
Improper checks for unusual or exceptional conditions in Brocade NetIron 05.8.00 and later releases up to and including 06.1.00, when the Management Module is continuously scanned on port 22, may allow attackers to cause a denial of service (crash and reload) of the management module.

CVE-2017-0890
Published: 2017-05-08
Nextcloud Server before 11.0.3 is vulnerable to an inadequate escaping leading to a XSS vulnerability in the search module. To be exploitable a user has to write or paste malicious content into the search dialogue.