Put an Umbrella over your endpoint devices to stop malware, botnets and phishing

Did you know that malware and botnet detection spikes 200% every Monday? The OpenDNS Umbrella Security Service is designed to put an end to Malware Mondays.

You’ve heard of Cyber Monday, but how about Malware Monday? Cyber Monday is that first Monday back to work after a long Thanksgiving holiday weekend where workers use their office Internet access to shop online. Cyber Monday occurs just once a year and its impact is diminishing as consumers increasingly have high speed Internet access at home. Malware Monday is any Monday where malware traffic spikes—and this happens pretty much every week, 52 times a year.

According to Dan Hubbard, CTO of OpenDNS and the head of its Umbrella Security Labs research group, there is about a 200% increase in malware and botnet traffic every single Monday. This pattern has been observed fairly consistently across the company’s 50 million customers around the world over a two-year timeframe.

“We theorize this is because people take their laptops home over the weekend and on Monday they come back in and reconnect to the network. Our security service detects the malware that was most likely picked up when the computer was off the corporate network and left unprotected against malicious activity,” says Hubbard.

Malware Mondays prove how important it is to provide proactive protection against malware, botnets and phishing attacks for any device, at any time, in any location—on or off the corporate network. OpenDNS’s cloud-based Umbrella Security Service is designed to deliver that level of protection for all types of endpoint devices.

The Umbrella service is similar to a secure Web gateway, except that it is 100% cloud-based rather than being an appliance. In addition, the service doesn’t just protect HTTP traffic like a gateway appliance does; the Umbrella service protects basically any traffic that is coming in or going out of a company’s DNS server. OpenDNS inspects the traffic and blocks suspected bad traffic.

OpenDNS identifies traffic as “bad” in an unusual way. With most security solutions that attempt to detect malware, the research teams typically reverse engineer, pull apart and decompose current or known threats. The researchers may look for behavioral patterns or other characteristics that allow them to flag traffic or payloads as malware.

The Umbrella Security Labs certainly does its share of studying known threats, but it really focuses on building predictive algorithms to detect things before they are known. “There is no reliance on a sample of code or a customer saying ‘Here’s something we think is bad’ or for us to collect something through a honeypot,” says Hubbard. “What we do is all algorithmic and it’s at the intersection of big data and security. We use literally billions of DNS requests per day across all of our customers around the world to perform our analysis and make our predictions.”

Hubbard says they are “super confident” in the efficacy of their predictive analysis methods. “We are using this service in the wild with our customers, and every day we are finding hundreds of thousands of things to help protect our customers from unknown threats that other people don’t know about. Just as important, we catch the things that others are catching, too, which is critical if we are asking people to replace other security solutions with ours.”

Another differentiator for the Umbrella Security Service is its combination of “prevent, contain and inform” methods. Most security products today are designed with “full prevention” as the intent. In other words, the product is designed to prevent every bad thing that’s out there. In reality, prevention is somewhat easy with less nefarious malware but difficult to do with very nefarious, hidden, targeted and under-the-radar types of attacks called advanced malware or advanced persistent threats.

So, OpenDNS uses a combination of methods, one of which contains botnets: their command-and-control communication and the information they are trying to send back to the attacker. The Umbrella service stops the attack traffic from leaving the affected network, laptop or phone and then informs the administrator of what is going on. Umbrella can identify whose device is infected, what department they are in, what the attack is, and what is happening with the attack so it can be remediated. Meanwhile, the information is contained so it cannot be exfiltrated.

Deploying the Umbrella Security Service is simple. It starts with the DNS server administrator pointing all the DNS traffic to the OpenDNS Umbrella Security Service. Then every time someone on that network looks up a website, that request goes to OpenDNS in the cloud. OpenDNS looks at the request and the predictive security system matches it against the set of policies the company has defined. If the end user is attempting to access, say, Badsite.com, instead of responding with the real site and the real content that would potentially infect the user’s device, OpenDNS displays a blocked page message. Globally, Umbrella blocks more than 80 million requests daily.
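To make the deployment flow and the “contain and inform” model concrete, here is an added illustration (not OpenDNS’s code) of DNS-layer policy enforcement: a lookup is matched against a category policy, a blocked name gets the block-page address instead of the real record, and the blocked lookups are rolled up into a per-device report for the administrator. The category table, the block-page address, the client identifiers and the log lines are all constructed for the example.

```python
# Added illustration of DNS-layer policy enforcement. All domains, addresses
# and clients are constructed sample values; nothing here is OpenDNS's code.
from collections import defaultdict

BLOCK_PAGE_IP = "192.0.2.10"     # RFC 5737 documentation address standing in for the block page
BLOCKED_CATEGORIES = {"malware", "botnet", "phishing"}

# Constructed category feed. In the real service the predictive classification
# would populate this; here it is a fixed table of made-up names.
DOMAIN_CATEGORY = {
    "badsite.com": "malware",
    "c2.example-botnet.net": "botnet",
    "secure-login.example-bank.co": "phishing",
    "shop.example.org": "shopping",
}

def classify(qname):
    """Return the category of qname, inheriting from the closest listed parent domain."""
    labels = qname.lower().rstrip(".").split(".")
    for i in range(len(labels) - 1):                # never match on the bare TLD
        cat = DOMAIN_CATEGORY.get(".".join(labels[i:]))
        if cat is not None:
            return cat
    return None

def resolve(qname):
    """Policy decision for one lookup: (verdict, answer, category).
    A blocked name is answered with the block page instead of the real record,
    so the device never reaches the malicious host (the 'contain' step)."""
    cat = classify(qname)
    if cat in BLOCKED_CATEGORIES:
        return ("block", BLOCK_PAGE_IP, cat)
    return ("allow", None, cat)      # None: forward to the upstream resolver unchanged

def build_admin_report(log_lines):
    """The 'inform' step: group blocked lookups by (device, department).
    Constructed line format: 'client=<id> dept=<name> qname=<domain>'."""
    findings = defaultdict(list)
    for line in log_lines:
        fields = dict(kv.split("=", 1) for kv in line.split())
        verdict, _, cat = resolve(fields["qname"])
        if verdict == "block":
            findings[(fields["client"], fields["dept"])].append((fields["qname"].lower(), cat))
    return dict(findings)

# Constructed sample query log: a laptop reconnecting on a Monday morning.
SAMPLE_LOG = [
    "client=laptop-17 dept=finance qname=www.Badsite.com",
    "client=laptop-17 dept=finance qname=shop.example.org",
    "client=phone-03 dept=sales qname=secure-login.example-bank.co",
    "client=laptop-17 dept=finance qname=beacon.c2.example-botnet.net",
]
```

Running `build_admin_report(SAMPLE_LOG)` yields the infected device, its department and the category of each blocked lookup, which is the information the article says an administrator receives.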

That procedure is all completely transparent for any user on the network. If a user has a device that goes “off network,” like a PC or Mac notebook that he takes home, or a smartphone or tablet that uses external Wi-Fi networks, the device can use a roaming service that redirects all web traffic back to the Umbrella Security Service. A small configuration setting on the mobile device sets up that roaming service in a matter of minutes.

It’s this service that puts an end to Malware Mondays because users can take their devices anywhere they want and they are still protected by the Umbrella service. The roaming service has only been available since November 2012, but Hubbard says that OpenDNS is already seeing a reduction in the detection of malware on customers’ devices when they go “on network” on Mondays.

The Umbrella Security Service also blocks phishing sites, and the management console can tell an administrator who in the company falls for a phishing attack. This can help pinpoint the need for end user security awareness training.

There’s nothing to install to get started with or to use the OpenDNS Umbrella Security Service. By redirecting the DNS traffic to OpenDNS, a company can have this solution in place in less than an hour.

Linda Musthaler is a Principal Analyst with Essential Solutions Corporation. You can write to her at: LMusthaler@essential-iws.com.

About Essential Solutions Corp: Essential Solutions researches the practical value of information technology, and how it can make individual workers and entire organizations more productive. Essential Solutions offers consulting services to computer industry and corporate clients to help define and fulfill the potential of IT.
