Cyber-attacks work the same way the Internet does, using the Domain Name System (DNS) to distribute malware, control botnets and phish login credentials. With the mainstream adoption of cloud services, bring-your-own-device programs and off-network workers, the attack surface has expanded beyond the traditional corporate network perimeter.
This device and network diversity has created an environment where organizations must protect any device, anywhere it roams. Today’s security platforms, which are plagued by reactive intelligence, gaps in enforcement, and the inability to integrate the two, can’t keep up. This has paved the way for a new category of cyber-security platform called a Secure Cloud Gateway (SCG).

A Secure Cloud Gateway uses a DNS-based foundation to provide broader security, improved coverage and deeper visibility. Legitimate Web browsing occurs on only two protocol (port) pairs — HTTP (80) and HTTPS (443). Yet malware is occasionally distributed over non-standard ports to infect devices, and botnets regularly use non-Web protocols to breach networks and steal data. A Secure Cloud Gateway uses DNS to provide protection across all ports, protocols and applications.

Today, threats are targeted, but the targets are everywhere. Unmanaged, personal devices routinely connect to the corporate network, while employees take company devices containing sensitive data off the network and roam outside the secure perimeter. By using DNS, a Secure Cloud Gateway provides security coverage for devices regardless of the network or location from which they connect.

The appearance and behavior of cyber threats vary infinitely, yet they all originate from a finite number of Internet hosts. Some often share the same criminal infrastructures. To extract accurate security intelligence, a Secure Cloud Gateway uses DNS infrastructure and Anycast routing technology to map every connection request across the Internet both spatially and temporally.

While the vast majority of Web domains can be classified as either safe or malicious, some Internet hosts are harder to classify. That’s because they store both safe and malicious Web content, or their Internet origins are suspicious. However, performing deep inspection for every Web connection significantly reduces performance. In addition, redirecting every Web connection can significantly reduce manageability. A Secure Cloud Gateway identifies high-risk or suspicious domains and uses DNS redirection to route them for deeper inspection.

Unlike Secure Web Gateway (SWG) appliances or services that send every Web connection through a proxy, a Secure Cloud Gateway only routes risky Web connections for deeper inspection. This concept is called Intelligent Proxy. Here’s how it works:
Scenario 1: An employee attempts to visit site #1. A Secure Cloud Gateway has already determined that this domain is malicious, based on the risk score for the host. Perhaps the domain is related to an infrastructure known to be used for criminal attacks or there is a pattern where the domain is always requested after other malicious host requests. A Secure Cloud Gateway returns the IP address to its block page server instead of the malicious domain, thus protecting the organization’s network and data.
Scenario 2: An employee attempts to visit site #2. A Secure Cloud Gateway continually analyzes the Internet origins of the site’s content hosts – both spatially (e.g. geography, network) and temporally (e.g. request volume, co-occurrences). Based on both known data and algorithmic risk predictions, a Secure Cloud Gateway determines that the site #2 domain is too low a risk to proxy and returns the IP address to connect directly to the site’s host. The employee experiences no latency or disruption when accessing this host.
Scenario 3: An employee attempts to visit site #3. A Secure Cloud Gateway has determined the content host for this domain is too risky and returns the IP address to its proxy. The proxy provides deeper inspection beyond just the host’s Internet origins – domain and IP address. After these inspections, if the content is deemed safe, it is sent to the browser, connecting the employee to the domain. If the domain is malicious, a Secure Cloud Gateway sends back a block page and the employee is prevented from accessing a malicious domain.
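The three scenarios above amount to one decision made at DNS resolution time: answer with the block-page server, the real host, or the proxy, depending on a risk score that combines spatial signals (shared hosting infrastructure) and temporal signals (the domain being requested right after known-bad domains). The following is an added toy model of that decision; it is not OpenDNS or Umbrella code. The domains, hosting network labels, request log, score weights and thresholds are all constructed for illustration, and the IP addresses come from the RFC 5737 documentation ranges.

```python
"""Toy model of the Intelligent Proxy decision described in the three scenarios.

All sample data here is constructed: the domains, "AS-x" network labels, the
request log, the score weights and the thresholds are assumptions made for
the example, not values from any real resolver.
"""
from enum import Enum


class Action(Enum):
    BLOCK = "block"    # Scenario 1: answer with the block-page server's IP
    DIRECT = "direct"  # Scenario 2: answer with the real host's IP
    PROXY = "proxy"    # Scenario 3: answer with the intelligent proxy's IP


BLOCK_PAGE_IP = "192.0.2.10"  # constructed (RFC 5737 documentation range)
PROXY_IP = "192.0.2.20"       # constructed

# constructed: domain -> (real IP, hosting network label, base reputation risk 0..1)
HOSTS = {
    "news.example.com":   ("198.51.100.5",  "AS-A", 0.05),
    "files.example.net":  ("198.51.100.77", "AS-B", 0.45),
    "update.example.org": ("203.0.113.9",   "AS-C", 0.30),
}
KNOWN_BAD_DOMAINS = {"c2.example.org", "drop.example.net"}   # constructed
KNOWN_BAD_NETWORKS = {"AS-C"}                               # constructed

# constructed: recent DNS request log as (client id, requested domain), in order
REQUEST_LOG = [
    ("client-1", "c2.example.org"),   ("client-1", "update.example.org"),
    ("client-2", "drop.example.net"), ("client-2", "update.example.org"),
    ("client-3", "news.example.com"), ("client-3", "files.example.net"),
    ("client-4", "update.example.org"),
]


def cooccurrence_risk(domain, log):
    """Temporal signal: fraction of this domain's requests that immediately
    follow a request for a known-bad domain from the same client."""
    previous = {}          # client id -> domain it requested last
    total = after_bad = 0
    for client, requested in log:
        if requested == domain:
            total += 1
            if previous.get(client) in KNOWN_BAD_DOMAINS:
                after_bad += 1
        previous[client] = requested
    return after_bad / total if total else 0.0


def risk_score(domain, log=REQUEST_LOG):
    """Combine a base reputation with a spatial (shared infrastructure) and a
    temporal (co-occurrence) signal into a score in 0..1."""
    if domain in KNOWN_BAD_DOMAINS:
        return 1.0
    _ip, network, base = HOSTS[domain]
    score = base
    if network in KNOWN_BAD_NETWORKS:   # hosted on infrastructure already tied to attacks
        score += 0.3
    score += 0.4 * cooccurrence_risk(domain, log)
    return min(score, 1.0)


def resolve(domain, block_at=0.8, proxy_at=0.4):
    """Return (action, answer IP, score): the DNS answer the gateway would give."""
    score = risk_score(domain)
    if score >= block_at:
        return Action.BLOCK, BLOCK_PAGE_IP, score
    if score >= proxy_at:
        return Action.PROXY, PROXY_IP, score
    return Action.DIRECT, HOSTS[domain][0], score


if __name__ == "__main__":
    for name in ("update.example.org", "news.example.com", "files.example.net"):
        action, answer, score = resolve(name)
        print(f"{name:22s} score={score:.2f} -> {action.value:6s} answer={answer}")
```

With the constructed data, update.example.org is hosted on a flagged network and is usually requested right after a known-bad domain, so it is blocked (Scenario 1); news.example.com has a low score and resolves directly (Scenario 2); files.example.net sits in the grey zone and is answered with the proxy address so its content can be inspected (Scenario 3). A real deployment would of course derive the thresholds and weights from measured data rather than fixed constants.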
Integrating Intelligence with Enforcement
Effective security requires both intelligence and enforcement to protect against advanced threats and targeted attacks. Intelligence without timely enforcement will fail to block malware or contain botnets. Meanwhile, enforcement without predictive intelligence will fail to stay ahead of the most complex threats. A Secure Cloud Gateway reconciles intelligence and enforcement in new ways.

Actionable intelligence requires maximum coverage and visibility. A Secure Cloud Gateway, because it uses the DNS infrastructure, can gather a tremendous volume, velocity and variety of data — enough to predict the Internet origins of emerging threats even if the attack, binary file or exploit is unknown. The data it collects reflects patterns of use across all devices regardless of network, location, type or ownership, and across all Internet connections, context and content regardless of port or protocol.

Meanwhile, enforcement requires a security technology with maximum breadth and depth. Using recursive DNS, a Secure Cloud Gateway can enforce security policy on traffic across 65,535 network ports and an unlimited number of protocols and apps. To provide advanced threat protection, a Secure Cloud Gateway redirects high-risk Web requests to its Intelligent Proxy, which performs deeper inspection to detect and block malicious content hidden within Web sessions.

Rather than using a traditional proxy or in-line architecture, a Secure Cloud Gateway uses a cloud-based infrastructure that integrates multiple security enforcement technologies with Internet-scale threat intelligence gathering capabilities. This enables a Secure Cloud Gateway to stay ahead of constantly evolving attacks and emerging threats without sacrificing performance and manageability.

Hubbard is a noted information security researcher and Chief Technology Officer for OpenDNS, provider of the Umbrella cyber-security service.