
Find “Patient Zero” Fast with BlueCat and Cisco Umbrella

How a BlueCat and Cisco Umbrella integration delivers a compelling DNS firewall solution for security teams who need to quickly locate the source IP of malware-infected devices.

November 22, 2019

As the underlying infrastructure of all network communications, the Domain Name System (DNS) plays a critical yet often under-appreciated role in security.

Think about it. The devices and servers on your network process hundreds of millions of DNS queries each day. That’s a goldmine of data for security personnel and malicious actors alike.

Studies have shown that 91 percent of malware uses DNS to establish command and control, map network assets and exfiltrate data. Yet until recently, security teams haven’t recognized the power of DNS to lock down critical assets.

Cisco Umbrella and the hunt for source IP

Cisco Umbrella (aka OpenDNS) is a major step forward in leveraging DNS data for security purposes. Using Cisco’s powerful threat intelligence, Umbrella examines every DNS query on the network boundary, blocking requests to malicious sites. This is a huge benefit to security teams who lack the ability to implement security policies this widely across an entire network protocol.

Now security teams are looking to take DNS firewalls, like Cisco Umbrella, a step further.

Once Umbrella identifies and blocks malicious activity, threat hunters will want to dig deeper to identify the source device. This gives them the granular data they need to mitigate the problem right away.

Knowing the source IP address of a threat also provides valuable context, which makes security teams more efficient. If you’re seeing 100 alerts an hour, can you tell whether those alerts are all coming from the same device or from 100 different devices? If you’ve got the source IP, you can figure this out instantly.

Yet mapping the source IP of a device to threat data captured on the network boundary can be challenging. 

It’s a network architecture issue. Most DNS queries have to recurse through multiple server layers before they reach the network boundary, so a boundary-level filter sees the address of the last internal forwarder rather than the device that originated the query. Tracing those DNS requests back through the resolver chain usually means piecing together DNS logs from each layer — a time-consuming, manual process. Or it means deploying device-based agents, which are cumbersome to roll out and cannot cover many IoT devices.

This is where BlueCat’s DNS Edge comes in. 

Adding visibility and control with BlueCat

DNS Edge is a DNS firewall, deployed as a virtual machine, that sits at the “first hop” of any network query (i.e., the first server a network device encounters when it sends a DNS request). That gives DNS Edge the ability to tie every request on the network to a specific device. That position on the network also gives DNS Edge visibility into internal, “east-west” traffic — the 60 percent of all queries that boundary-level filters and firewalls miss.

Cisco and BlueCat integration

Here’s the good news: BlueCat and Cisco Umbrella now offer an integration that matches the device-level source IP from BlueCat with the alerts generated by Cisco Umbrella’s threat intelligence. 

With the integration in place, you can instantly drill down on threat information right in Cisco Umbrella and see which device on your network is responsible. Then you can act immediately by blocking, redirecting or monitoring that device through security policies implemented by BlueCat, right at the device level.

Triangulating Cisco Umbrella’s threat information with the east-west visibility provided by BlueCat, you can also trace lateral movement across internal resources, blocking the spread of malware and lowering the risk from insider threats.
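To make the correlation concrete, here is an added example (not BlueCat’s or Cisco’s code) that joins constructed boundary-level alerts, which carry only the internal forwarder’s address, with constructed first-hop resolver logs that record the originating client, matching on query name within a short time window. The record field names and the 5-second window are assumptions for the illustration.

```python
# Added example: attribute boundary-level DNS alerts (which only see the internal
# forwarder's IP) to the devices recorded by a first-hop resolver. All data is constructed.
from collections import defaultdict
from datetime import datetime, timedelta

# Boundary alerts: "src" is the forwarder that recursed upstream, not the real client.
BOUNDARY_ALERTS = [
    {"ts": "2019-11-22T10:00:05", "qname": "evil.example", "src": "10.0.0.53"},
    {"ts": "2019-11-22T10:00:07", "qname": "evil.example", "src": "10.0.0.53"},
    {"ts": "2019-11-22T10:02:30", "qname": "bad.example", "src": "10.0.0.53"},
]
# First-hop logs: "client" is the device that actually sent the query.
FIRST_HOP_LOGS = [
    {"ts": "2019-11-22T10:00:04", "qname": "evil.example", "client": "10.1.4.22"},
    {"ts": "2019-11-22T10:00:06", "qname": "evil.example", "client": "10.1.4.22"},
    {"ts": "2019-11-22T10:02:29", "qname": "bad.example", "client": "10.1.9.7"},
    # Same name, but far outside any alert window: must not be attributed.
    {"ts": "2019-11-22T09:30:00", "qname": "evil.example", "client": "10.1.4.22"},
]


def _parse(ts):
    return datetime.fromisoformat(ts)


def attribute_alerts(alerts, first_hop, window_s=5):
    """Map each alerted query name to the set of clients that asked for that name
    within window_s seconds before the alert. Names with no first-hop match map
    to an empty set so the gap is visible rather than silently dropped."""
    by_name = defaultdict(list)
    for rec in first_hop:
        by_name[rec["qname"]].append((_parse(rec["ts"]), rec["client"]))
    devices = defaultdict(set)
    for alert in alerts:
        t = _parse(alert["ts"])
        clients = devices[alert["qname"]]  # creates the entry even if nothing matches
        for rec_ts, client in by_name.get(alert["qname"], []):
            if t - timedelta(seconds=window_s) <= rec_ts <= t:
                clients.add(client)
    return dict(devices)


def distinct_devices(attribution):
    """Answer the 'same device or many devices?' question across all alerts."""
    return len(set().union(*attribution.values())) if attribution else 0
```

Without the first-hop logs every alert above would point at 10.0.0.53; with them, the two names resolve to two distinct devices.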

Take charge of your network

Cisco Umbrella users can significantly increase the value of their solution by adding BlueCat to the mix. The granular, device-level data from BlueCat not only speed up the remediation process, but also provide unprecedented visibility into internal network traffic. 

Deploying the integration between BlueCat and Cisco Umbrella is simple. Once you’ve got your DNS running through BlueCat’s service points, just plug in your API key and you’re ready to go.

Malicious actors discovered the power of DNS long ago. Isn’t it time your security team does the same?

Learn more about the powerful BlueCat-Cisco Umbrella integration and about how WWT brings cutting-edge security technologies into our Advanced Technology Center (ATC) ecosystem to create a force multiplier of knowledge, speed and agility that benefits our customers anytime, anywhere around the world. 

A great place to start is our Cisco Umbrella and BlueCat Adaptive DNS Lab. We also have a separate Cisco Umbrella Lab, where a WWT security professional will provide an understanding of how Umbrella works, its features and functionality, and answer any questions you might have about whether integrating BlueCat with Cisco Umbrella is right for your use cases.