The SASE Framework
From the intensity of the threat landscape, to demands of the current hybrid work environment, to the expense and difficulty of managing infrastructure and multiple layers of cybersecurity solutions, more and more organizations are looking to comprehensive cybersecurity platforms like Secure Access Service Edge (SASE) or Security Service Edge (SSE). The SASE and SSE solutions cover a broad range of network and security functions including DNS-Layer Security, Secure Web Gateways (SWG), Firewalls, Cloud Access Security Broker (CASB), and curated Cyber Threat Intelligence (CTI). What makes the SASE/SSE model different from other cybersecurity platform solutions is the focus on moving security systems and infrastructure into the cloud versus at the traditional network boundary. For those looking to compete for market share as a SASE/SSE provider, this is the first in a series of blog posts that will help illustrate the crucial role that premium threat detection data plays in powering the SASE framework functions — starting with DNS-Layer Security.
It is acknowledged that DNS forms the cornerstone building block for the SASE framework. Unfortunately, for many of the reasons that makes DNS a simple-to-implement starting point for SASE, DNS is also a major target for malicious actors. The IDC 2021 Global DNS Threat Report found that 87 percent of organizations experienced DNS attacks in 2020, with the average cost of each attack reaching just under $1 million. According to that same report, the percentage of organizations that experienced one or more of the top five DNS-based attacks are as follows: Phishing (51%), malware (43%), DDoS (30%), DNS tunneling (28%), and hijacking/credential attack (28%).
This known blind spot makes DNS-based attacks an increasingly common tactic, technique, and procedure (TTP) for threat actors. Since all internet activity is dependent upon DNS, DNS-Layer Security is the first line of defense for blocking threats before they can reach your network or endpoints. And, as the threat landscape intensifies, DNS-Layer Security has been adopted as a core component of SASE, SSE, and other security frameworks competing for market share in the cybersecurity space.
DNS-Layer Security works by incorporating overlapping defensive systems, tools, and protocols to protect users from threats embedded within both inbound and outbound traffic.
Inbound DNS Threats
The most common types of inbound DNS-based attacks include things like DDoS attacks, DNS Cache Poisoning attacks, NXDomain attacks, Phantom Domain attacks, Random Subdomain attacks, and more. Preventing these types of attacks from reaching your network by blocking them at the DNS level will require partnering with a secure DNS provider. Major DNS providers are really the only vendors with the necessary visibility into the DNS data to offer this piece of DNS-Layer Security for threats in the inbound traffic.
Outbound DNS Threats
Malware and ransomware attacks routinely exploit techniques like DNS beaconing to communicate with C2 servers and DNS tunneling to deliver payloads and exfiltrate data from enterprise networks. Phishing threats are at an all time high with attackers aggressively pursuing spear phishing tactics like Business Email Compromise (BEC) to trick users into giving up their credentials. Protecting your network and endpoints against these types of threats is typically addressed with a DNS Filtering solution.
DNS Filtering monitors communication between end users and the internet, enabling the necessary visibility to inspect sites at the source so you can implement security protocols that will block high risk or potentially dangerous DNS connections to malicious, phishing, and non-sanctioned (objectionable) content domains. DNS Filtering is provided by ISPs, Cable and Telco Service Providers, and by SASE vendors targeting enterprise and mid-market customers.
DNS Filtering is typically offered with a taxonomy of pre-configured blocking rules restricting access to phishing sites, sites hosting or distributing malware, and sites which are considered objectionable. The common approach is to have a simple, straightforward set of filtering rules designed for minimal sysadmin intervention and the ability to prevent most of the domain-level threats in as unobtrusive a way as possible.
Powering DNS Filtering
The most critical part of DNS Filtering is the domain database used to power the solution. Said differently, the DNS Filtering solution will only be as good and effective as the domain database that is used to power it. From a business perspective, vendors seeking to distinguish themselves in a highly competitive DNS Filtering market need to determine if their competitive advantage is going to be based on maximum protection, lowest cost, or ease of use. It’s often said a product owner has to pick two of these factors.
For the vendors that select a ‘maximum protection’ model, they will require a premium domain database of categorized websites to deliver maximum coverage, accuracy, update speed and performance. While the meaning of ‘premium’ is somewhat subjective based on what a vendor is looking to achieve, these are the areas that zvelo recommends evaluating.
- Threat Detection Speed. How quickly are new and emerging threats detected — hours, days, longer? While the average time to detect can be tricky to pinpoint, it can be evaluated by measuring one threat feed provider against another. It goes without saying, the fastest time to detect is key.
- Accuracy. While the fastest time to detect may be a leading priority, it should not be considered independently of accuracy. A lack of accuracy, or high false positive rate can ultimately work against you.
- Coverage. Your visibility into the threat landscape, and ability to protect users and endpoints, depends on having extensive coverage of the ActiveWeb and global clickstream traffic.
- Curation vs Aggregation. Data curation itself is another fuzzy definition. There are threat feed providers claiming to curate threat feeds, but what they are really doing is aggregating a selection of feeds, as opposed to actually curating the data that comes from those feeds to have maximum coverage with the lowest possible rate of false positives.
- Web Content Classification. A premium domain database will also have excellent coverage for all forms of objectionable and other content, providing the DNS Filtering vendor with the opportunity to offer content-based filtering to supplement the phishing and malicious protection.
- Real-Time Detection/Update Capability. What constitutes ‘real-time’ in terms of technology applications can vary from minutes to hours. It’s important to understand how each threat feed provider defines real-time detections, as well as real-time updates (the time between which a threat is detected and the time that threat propagates to deployments).
DNS Filtering and Security as a Starting Point
DNS Filtering has quickly become the ‘table stakes’ starting point for a comprehensive SASE cybersecurity solution. DNS Filtering may be sufficient for certain markets, such as the residential/consumer market where low cost and low functionality with minimum protection is going to capture market share. However, as full-path URL threats account for more than 80% of the links that lead to the breaches and attacks that are the most crippling, a security solution that goes beyond DNS is required. For enterprise, education, government and other sophisticated customers that require security against full-path URL threats, or those who require more sophisticated content filtering solutions, that’s where the other elements of a SASE solution come into play.
The capability to protect networks and endpoints against threats is entirely dependent upon the data quality powering the solution. By maximizing your capability to block users from accessing dangerous sites with DNS Filtering, it reduces the overall number of threats flowing through your platform so the other components in the SASE/SSE framework can be more effective in tackling the threats that the DNS Filtering doesn’t address — for instance, the 80% of phishing and malicious threats that require a full-path URL detection solution like a Secure Web Gateway.
Where zvelo Fits
zveloDB is the market’s premier Domain Database with the broadest coverage of phishing, malicious and objectionable content detections, lowest FP rate, fastest time to update, and best lookup performance speed. And with zvelo’s modular and expandable SDK, you can quickly add the zveloCTI phishing and malicious detections for a single data powerhouse for your DNS Filtering, Secure Web Gateway, CASB and other SASE functions.
Next up in this blog series: Powering Secure Web Gateways