Hybrid Approach to Security Needed for Maximum Protection Against Cyber Attacks
May 2018 by Marc Jacob
Are Software-as-a-Solution (SaaS) security solutions truly the panacea they are publicized to be? The answer is, it depends on how the SaaS solution is architected.
A majority of SaaS-only security solutions are “overlay” solutions that simply provide an additional layer of security on top of an enterprise’s existing network and security infrastructure. These overlay solutions are easy for the vendor to develop, but difficult for the customer to combine with other existing security solutions and derive value from.
In contrast, a hybrid approach to security is one that tightly integrates SaaS solutions with an enterprise’s existing IT infrastructure and leverages SaaS capabilities to seamlessly extend and scale on-premise solution performance. With a hybrid solution, the vendor does the heavy lifting of seamless integration with existing infrastructure, thus providing a unified solution, which unlocks valuable context available from the on-premises infrastructure. Such context allows the hybrid solution to prioritize threats better. In addition, the unified solution enables sharing of data with broader security ecosystem for an efficient and optimized incident response.
DNS as a Security Tool
As enterprises gear up to handle the barrage of increasingly targeted and sophisticated cyber attacks, security architects must take advantage of the visibility that each IT asset can provide. DNS is an excellent example of a scalable and pervasive network infrastructure protocol that offers unmatched visibility into network traffic patterns, malicious and otherwise. If used optimally, DNS can provide an affordable and scalable first line of defence for detection and mitigation of the vast majority of known threats. Behavioural analysis of DNS traffic can also serve as an “early warning system,” flagging potential zero-day threats in the network.
When it comes to DNS security, many organizations are interested in cloud-based SaaS-only solutions, which they think will be easier to implement and provide sufficient functionality to identify infected devices and protect against threats like malware and phishing attacks. SaaS for DNS security can be effective, but only when integrated with on-premise systems.
Overlay (SaaS-only) solution challenges
The way most SaaS-only DNS security solutions work is to enable businesses to forward their DNS traffic to the cloud, where DNS queries are processed and potential malicious activity is detected and flagged. In order to identify the infected end host, these solutions require the deployment of DNS forwarding proxies (running on virtual machines) deep inside the enterprise network or the use of endpoint agents. As enterprises move their workloads into private and public clouds, deploying and managing these proxies can become even more complicated. Most enterprise DNS servers support the ability to block access to domains via configuration of response policy zones. By directing all DNS traffic to the cloud, SaaS-only solutions fail to leverage these existing security capabilities, which allow an enterprise to block the most egregious threats at the very first DNS server that detects it.
Further, because overlay solutions do not integrate with the incumbent enterprise DNS architecture, they leave enterprise administrators stuck with operating two separate and siloed management systems and having to manually correlate data between the two. Beyond the inefficiencies of managing two separate DNS systems, an even more significant drawback is that you sacrifice visibility and security context. Specifically, overlay solutions are unable to leverage the rich contextual data available in the enterprise DNS, DHCP, and IP address management systems (DDI). This context can help with prioritization of security threats, a key requirement for security analysts who are swamped with alerts they can’t keep up with.
Why a hybrid approach for DNS security
To recap, a hybrid DNS security approach weaves security right into the network control fabric of the enterprise. Tight integration with the incumbent enterprise DNS, DHCP, and IPAM infrastructure simplifies deployment and management brings efficiency and scale and improves overall security efficacy and effectiveness.
Hybrid solutions offer enterprises complete flexibility in terms of deployment options – the best combination of on-premise and SaaS. And regardless of the deployment model, enterprises get all the benefits of integration with their DDI infrastructure:
• Reduces complexity: Hybrid solutions take away the hassle of deploying proxies throughout the network. The on-premise component of the solution can be configured to forward recursive DNS traffic to the DNS service in the cloud while preserving the ability to identify the end host associated with any security event detected in the cloud. This ability can be seamlessly extended to workloads running in private and public clouds as well.
• Increases flexibility: With a hybrid solution, customers may choose to leverage their on-premise DNS servers to block access to domains based on curated low false positive threat intelligence and leverage the cloud for a more comprehensive threat assessment based on a lot more threat data as well as big data analytics.
• Improves visibility: Hybrid solutions offer a single pane of glass for managing security across the enterprise DNS infrastructure.
• Enables threat prioritization: Rich network context data, e.g., where the device sits in the network, who is the user, how critical is the asset from a business standpoint, etc., that was locked up in network control protocols located on-premise can be made available in the security dashboards and used to intelligently prioritize threats for remediation.
• Improves intelligence: On-premise network and user context is automatically shared with the SaaS component of the solution, and security events detected in SaaS can be shared back with the security ecosystem on-premise, creating a closed intelligence loop across the enterprise. Indicators of compromise can be shared in real time with existing security infrastructure (on-premise or in the cloud) including endpoint security, NAC, vulnerability management, and SIEM solutions for an automated incident response such as quarantine, scan, or killing of malicious processes running on suspicious devices.
In conclusion, although a few organizations are truly cloud-first, most enterprises maintain a hybrid environment and need a more flexible, comprehensive solution for DNS security – and a hybrid approach is the key.