Infoblox’s view of the SIEM, the SOAR and the SOC.
Domain Name System, or DNS, security is slowly gaining prominence and importance. More organisations, regulators and even governments have begun to take DNS into account in their cybersecurity approaches and policy; the Monetary Authority of Singapore's Technology Risk Management guidelines are one example.
A chat with Infoblox's Field Chief Security Officer, Alvin Rodrigues, highlighted the pitfalls of overlooking "Highway 53", port 53, the DNS port and an oft-used entry point for characters with dubious motives.
But he also delved a little into the relationship between SOCs, SIEMs and SOAR. This journalist finds the complex interplay between all these solution areas fascinating.
Below is a brief explanation of it all by Alvin, which was too insightful for me not to share with EITN readers.
SOC and SIEM and SOAR
The whole goal of the security operations centre, or SOC, is to look at detection, protection, mitigation and recovery. The SIEM (security incident event management), simply put, is there to give you visibility of all the devices that are actually connected to the environment, and to look at potential incidents or events.
With that, it gives recommendations about how to mitigate them.
The SOAR, or security orchestration, automation and response, drives orchestration and automates the entire process. So SIEM and SOAR work quite tightly integrated in the SOC environment.
The SOAR very much depends on a company’s security playbook and its risk appetite, and so on.
How does this relate to DDI?
(Editor's note: According to Infoblox, DDI is the integration of DNS, DHCP and IPAM (IP Address Management) into a unified service or solution. It comprises the foundation of core network services that enable all communication over an IP-based network.)
DNS is able to capture every attempted connection to your environment. Especially if it is leveraged as the first line of defence of your environment, Infoblox's solution is able to capture all the foundational information that is traversing an organisation's network.
This information enriches the SIEM logs, giving insight into security incidents: where they came from, and any historical information around them.
Enriching SIEM logs
From there, Infoblox can interact with an organisation’s security posture or its playbook, to enrich information and drive more informed orchestration.
With this DNS information, which is foundational, we are able to help organisations harmonise the security posture across their security stack.
So, if we detect a machine in your environment that has just experienced a ransomware attack, a command and control, Infoblox solutions are able to detect a command-and-control request going back to the malicious host server.
Now we have a detection, which means we have captured that IP address. This is then shared with the SIEM and SOAR environment, to then communicate to your firewall, sandbox and endpoint security to block any communication from this IP address.
Starting remediation automatically
Simultaneously, Infoblox is able to assist with the organisation's communication to its network access control, to stop all communication to the compromised device that has command-and-control malware.
While this is happening, the solution will work with ITSM (IT service management) to alert the IT department about the ransomware attack and to do remediation.
Now, all of this is done automatically, with the exception of the helpdesk people going in to address the compromised device.
When security incidents like this happen, speed and an accurate response are really critical.
BloxOne Threat Defense is a cybersecurity product that can collaborate with an organisation's SIEM and SOAR to enable this.
Overall, its functions are to defend against ransomware (by stopping data exfiltration) and to mitigate DDoS attacks through the DNS. It looks at driving these activities by leveraging some of an organisation's existing IT infrastructure.
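The detection-to-orchestration chain Alvin describes above (DNS sees a lookup of command-and-control infrastructure, the indicator is handed to the SIEM/SOAR, firewall and endpoint controls block the address, NAC isolates the host, ITSM gets a ticket) as an added, offline example. This is not Infoblox or BloxOne code and is not part of the original article: the log format, the threat feed, the hostnames and the addresses are all constructed, and the "actions" are returned as data rather than sent to real systems. Two practitioner details the explanation glosses over are built in: a lookup that gets NXDOMAIN is still treated as beaconing (the host is quarantined even though there is no address to block), and a C2 name that resolves into internal address space is never pushed to the block list, because a sinkhole or poisoned record could otherwise make the playbook cut off internal services.

```python
"""Added example, not Infoblox/BloxOne code and not part of the original
article: an offline simulation of the DNS -> SIEM/SOAR chain described
above. Log format, threat feed, hostnames and addresses are constructed."""
from __future__ import annotations

import ipaddress
from dataclasses import dataclass
from typing import Optional

# Constructed DNS query log (assumed format: timestamp, client, qname,
# rcode, answer; '-' means the query returned no address).
SAMPLE_DNS_LOG = """\
2024-05-01T10:00:01Z 10.0.5.23 www.example.com NOERROR 203.0.113.10
2024-05-01T10:00:04Z 10.0.5.23 update.badc2-domain.test NOERROR 198.51.100.77
2024-05-01T10:00:05Z 10.0.7.8 intranet.corp.internal NOERROR 10.0.1.2
2024-05-01T10:00:09Z 10.0.5.23 a1b2c3d4.badc2-domain.test NOERROR 198.51.100.77
2024-05-01T10:00:12Z 10.0.9.40 beacon.badc2-domain.test NXDOMAIN -
"""

# Constructed threat feed: zones treated as command-and-control infrastructure.
C2_ZONES = {"badc2-domain.test"}

# Address space never pushed to a perimeter/endpoint block list, even if a
# C2 name resolves into it (a sinkhole or poisoned record must not make the
# playbook cut off internal services).
INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]


@dataclass(frozen=True)
class DnsRecord:
    timestamp: str
    client: str
    qname: str
    rcode: str
    answer: Optional[str]


@dataclass(frozen=True)
class Detection:
    client: str
    qname: str
    answer: Optional[str]


def parse_dns_log(text: str) -> list[DnsRecord]:
    """Parse the constructed log format; names are normalised to lower case
    without a trailing dot so zone matching is exact."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, client, qname, rcode, answer = line.split()
        records.append(DnsRecord(ts, client, qname.rstrip(".").lower(), rcode,
                                 None if answer == "-" else answer))
    return records


def in_c2_zone(qname: str, zones: set[str]) -> bool:
    """True when qname is a listed zone or any label below it. Matching on
    label boundaries means 'notbadc2-domain.test' is not a hit."""
    labels = qname.split(".")
    return any(".".join(labels[i:]) in zones for i in range(len(labels)))


def detect_c2(records: list[DnsRecord], zones: set[str]) -> list[Detection]:
    """The DNS-layer detection: every lookup into a C2 zone is an indicator,
    including NXDOMAIN answers, which still show the host trying to beacon."""
    return [Detection(r.client, r.qname, r.answer)
            for r in records if in_c2_zone(r.qname, zones)]


def build_playbook(detections: list[Detection]) -> list[dict]:
    """Translate detections into the orchestration steps a SOAR would drive:
    block the resolved address on firewall and endpoint, quarantine the
    querying host via NAC, and open one ITSM ticket per host. Duplicate
    indicators collapse into a single action."""
    actions: list[dict] = []
    seen: set[tuple] = set()

    def emit(target: str, action: str, value: str) -> None:
        key = (target, action, value)
        if key not in seen:
            seen.add(key)
            actions.append({"target": target, "action": action, "value": value})

    for d in detections:
        if d.answer is not None:
            ip = ipaddress.ip_address(d.answer)
            if not any(ip in net for net in INTERNAL_NETS):
                emit("firewall", "block_ip", d.answer)
                emit("endpoint", "block_ip", d.answer)
        emit("nac", "quarantine_host", d.client)
        emit("itsm", "open_ticket", d.client)
    return actions


if __name__ == "__main__":
    for step in build_playbook(detect_c2(parse_dns_log(SAMPLE_DNS_LOG), C2_ZONES)):
        print(f"{step['target']:>9}: {step['action']} {step['value']}")
```

Run as a script it lists six actions: two blocks of 198.51.100.77 (firewall and endpoint), quarantine and ticket for 10.0.5.23, and quarantine and ticket for 10.0.9.40, whose NXDOMAIN beacon produced no address to block. The second lookup from 10.0.5.23 adds nothing, which is the deduplication a real SOAR playbook needs so that a chatty beacon does not open a ticket per query.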