Assessing the DNS Security Risk
Sponsored by Infoblox Independently conducted by Ponemon Institute LLC Publication Date: October 2018
Ponemon Institute© Research Report
Sponsored by Infoblox Ponemon institute© Private and Confidential Document
Assessing the DNS Security Risk Presented by Ponemon Institute, October 2018
Part 1. Introduction

Ponemon Institute is pleased to present the findings of Assessing the DNS Security Risk, sponsored by Infoblox. The purpose of this study is to understand the ability of organizations to assess and mitigate DNS risks. As part of the research, an online index has been created to provide a global measure of organizations’ exposure to DNS security risks and to assist them in responding to those risks. We surveyed 1,021 IT and IT security practitioners in the United States and EMEA who are familiar with their organizations’ DNS architecture/implementation and have some level of responsibility for managing cybersecurity activities within their organizations.

Drawing upon survey results for a total sample of 1,021 qualified respondents, Infoblox and Ponemon Institute created the DNS Risk Index. This index is tabulated from 24 objectively scored questions, organized into five broad categories: (1) visibility, (2) DNS attack protection, (3) data protection and malware mitigation, (4) threat intelligence and (5) security operations. Each response to a question yields “risk points”: zero where the response has no impact on DNS risk, otherwise an ordinal value between one and eight points. Each question stands alone and is not weighted. The sum of the risk points from all questions is the individual’s DNS Security Risk Index.

As shown in Table 1, the theoretical maximum risk index score is 122 points, and the theoretical minimum is zero (0). In contrast, the actual maximum index score calculated from the sample results is 67 points, and the actual minimum is 22. The mean and median values are 57 and 48 points, respectively. The standard deviation is 6.81 points.
Table 1. DNS Index Statistics (points)
  Mean: 57
  Median: 48
  Sample Minimum: 22
  Sample Maximum: 67
  Theoretical Minimum: 0
  Theoretical Maximum: 122
  Standard Deviation: 6.81
When this report was published the Ponemon DNS Risk Index was at 57 points, which represents a high risk on the assessment scale. This means that globally, most organizations are underprepared to deal with security issues arising out of a poorly architected DNS, DHCP and IP address management (IPAM) solution. Following is a summary of the most salient findings.

Most companies do not have dedicated personnel or teams to address DNS security. Fifty-eight percent of respondents either do not have dedicated personnel (32 percent) or have no one team responsible for DNS security.

Many companies are not identifying or tracking new assets. Forty-six percent of respondents say their organizations do not identify or track new assets such as endpoints, servers, virtual machines and other network-connected devices, such as IoT devices. Those that do identify or track new assets are using spreadsheets and device ping (39 percent), NAC polling (39 percent) or other discovery tools (38 percent).
There is a lack of visibility: physical, virtual and cloud assets are not consolidated into a single view. Sixty-four percent of respondents say their organizations do not consolidate information about their physical, virtual and cloud assets into a single view. Of those that do consolidate information into a single view, 57 percent of respondents say their organizations use multiple tools with siloed views.

DNS data is the number one tool used to identify a compromised device. More than half (52 percent) of respondents say they use DNS data, and 42 percent of respondents say their organizations use endpoint security.

To determine if their assets are vulnerable to misconfiguration, 44 percent of respondents conduct an audit manually on a periodic basis. These manual processes can be error prone, take long periods of time to complete and are in general inefficient.

The mitigation of DNS-based attacks is mostly handled by a cloud DNS service provider. Forty-five percent of respondents say the cloud DNS service provider hosts their DNS and handles attack mitigation, and 40 percent of respondents say their organizations leverage a load balancer or other on-premise appliance to handle increased traffic while under attack.

Logs from the DNS server are mainly used to know the sources, patterns and types of DNS-based DDoS attacks. Forty-two percent of respondents say their organizations use logs from the DNS server to better understand DNS-based DDoS attacks. However, 37 percent of respondents say no solution is available.

The analysis of traffic from the DNS firewall is often used to mitigate malware and protect data assets. Fifty-three percent of respondents use analysis from the DNS firewall to safeguard data assets. Only 26 percent of respondents say their organizations use a next-generation firewall that permits inspection of DNS traffic.

Antivirus/endpoint security and data encryption are used to protect data assets. Seventy-five percent of respondents use antivirus/endpoint security to detect malware attempting connections to malicious domains, and 52 percent of respondents use multiple commercial, open-source, government and internal feeds to keep up to date with malicious domains. Fifty percent of respondents use data encryption to prevent DNS-based data exfiltration.

The use of threat intelligence to mitigate the risk of DNS-based attacks is ineffective. On average, organizations represented in this research use 6.7 separate commercial threat feeds, and only 45 percent of respondents say they consolidate threat intelligence from various sources. Of these respondents, 42 percent say they use different threat feeds in different groups, making it impossible to consolidate threat intelligence across the entire security infrastructure.

Threat investigations are mostly conducted manually. While more than half of respondents (52 percent) conduct threat investigations, 42 percent of these respondents say they manually search various sources to obtain information on threats.
A recent Ponemon Institute study1 underscores the importance of creating the DNS Risk Index. Not only did respondents in that research rate detecting, preventing, containing and recovering from DNS-based data exfiltration as very difficult (as shown in Figure 1), but 54 percent of respondents also say DNS-based data exfiltration is a significant worry for their organizations.

Figure 1. Cyber attacks that are of greatest concern (five responses permitted)
  Advanced malware: 63%
  Advanced persistent threats (APTs): 59%
  DNS-based data exfiltration: 54%
  Unauthorized network access: 51%
  Ransomware: 46%
  Phishing and social engineering: 45%

1 Securing the Enterprise Against Cyber Attacks, conducted by Ponemon Institute, June 2018
Reducing the number of false positives is considered the most important defense against DNS-based attacks. According to the study, to defend their enterprises against DNS-based attacks, 71 percent of respondents believe the reduction of false positives is critical. This is closely followed by 68 percent of respondents who say that the integration of DNS protection with SIEM and other traffic intelligence systems is important.

Figure 2. The most important features that provide defensive capabilities against DNS-based attacks2 (Very important and Important responses combined)
  The ability to reduce the number of false positives in the generation of alerts: 71%
  The ability to integrate DNS protection with SIEM and other traffic intelligence systems: 68%
  The ability to scale (elasticity) during times of peak demand: 61%
  The ability to integrate big data analytics to achieve greater visibility and precision in the intelligence gathering and dissemination process: 54%

2 Ibid.
Part 2. Key findings

This section presents an analysis of the key findings in the Assessing the DNS Security Risk study. The complete audited findings are presented in the Appendix of this report. The number of questions for each topic is as follows: visibility (5 questions), DNS attack protection (2 questions), data protection and malware mitigation (4 questions), threat intelligence (3 questions) and security operations (2 questions), for a total of 16 survey questions.

Most companies do not have dedicated personnel or teams. Figure 3 shows that 67 percent of respondents (26 percent + 23 percent + 18 percent) say their organizations have one or more teams responsible for addressing DNS security. Another 32 percent say their organizations do not have dedicated personnel to address DNS security.

Figure 3. Does your organization have dedicated personnel specifically to address DNS security?
  Do not have dedicated personnel: 32%
  No one team is responsible for DNS security: 26%
  The network team is responsible for DNS security: 23%
  The security team is responsible for DNS security: 18%
  Don't know: 1%
According to Figure 4, the most frequently cited vendors, or “brands,” for managing DNS security risks are Cisco, Akamai, Infoblox and BlueCat. The remaining 37 percent of respondents selected another, unnamed vendor.

Figure 4. Does your organization use any of the following products specifically to address DNS security?
  Other brands: 37%
  Cisco Umbrella: 20%
  Akamai: 15%
  Infoblox DNS Security: 14%
  BlueCat: 13%

Many companies are not identifying or tracking new assets. Forty-six percent of respondents say their organizations do not identify or track new assets such as endpoints, servers, virtual machines and other network-connected devices, such as IoT devices. Those that do identify or track new assets are using spreadsheets and device ping (39 percent), NAC polling (39 percent) or other discovery tools (38 percent), as shown in Figure 5.

Figure 5. How does your organization identify and track when new assets are added or removed from its network? (More than one response is permitted)
  Spreadsheet and device ping: 39%
  NAC polling: 39%
  Other discovery tools: 38%
  Periodic SNMP sweeps: 21%
  CISCO switch sends SNMP to NAC: 20%
  Infoblox tools (NetMRI or Network Insight): 14%
There is a lack of visibility: physical, virtual and cloud assets are not consolidated into a single view. Sixty-four percent of respondents say their organizations do not consolidate information about their physical, virtual and cloud assets into a single view. As shown in Figure 6, of those that do consolidate information into a single view, 57 percent of respondents say their organizations use multiple tools with siloed views. Another 49 percent of respondents use manual entry into a spreadsheet or database. Thirty-two percent of respondents are using an integrated IPAM solution with automated discovery.

Figure 6. How does your organization consolidate information about all of its physical, virtual and cloud assets into a single view? (More than one response is permitted)
  Multiple tools with siloed views: 57%
  Manual entry into a spreadsheet or database: 49%
  Integrated IPAM solution with automated discovery: 32%
  CMDB: 21%
  A CWPP solution for cloud/docker visibility: 19%

DNS data is the number one tool used to identify a compromised device. More than half (52 percent) of respondents say they use DNS data, and 42 percent of respondents say their organizations use endpoint security and NAC, as shown in Figure 7.

Figure 7. What tools are used to identify a compromised device? (More than one response is permitted)
  DNS data: 52%
  Endpoint security: 42%
  NAC (e.g., Forescout): 42%
  DHCP fingerprinting: 30%
  IPAM data: 28%
  None of the above: 21%
  MS AD: 17%
Figure 8 describes how organizations determine whether their assets are vulnerable to misconfigurations. As shown, 44 percent of respondents say their organizations conduct an audit manually on a periodic basis, a process that can be error prone, take long periods of time to complete and is in general inefficient.

Figure 8. How does your organization know if its assets are vulnerable to misconfigurations?
  We use a third-party Network Configuration and Change Management (NCCM) tool: 49%
  We audit manually on a periodic basis: 44%
  We use Infoblox NetMRI to check for device misconfigurations: 14%
  Don’t know: 3%

The mitigation of DNS-based attacks is mostly handled by a cloud DNS service provider. According to Figure 9, 45 percent of respondents say the cloud DNS service provider hosts their DNS and handles attack mitigation (i.e., including amplification, reflection, floods, NXDOMAIN, DNS exploits, etc.), and 40 percent of respondents say their organizations leverage a load balancer or other on-premise appliance to handle increased traffic while under attack.

Figure 9. How does your organization mitigate DNS-based internal and external DDoS attacks? (More than one response is permitted)
  The cloud DNS service provider hosts our DNS and handles attack mitigation: 45%
  A load balancer or other on-premise appliance is leveraged to handle increased traffic while under an attack: 40%
  We do not have a solution: 38%
  A specialty DDoS solution is in place and also protects DNS: 36%
  A dedicated DNS-based DDoS solution is in place: 30%
  Infoblox Advanced DNS Protection (ADP): 13%
Logs from the DNS server are mainly used to know the sources, patterns and types of DNS-based DDoS attacks. According to Figure 10, 42 percent of respondents say their organizations use logs from the DNS server to better understand DNS-based DDoS attacks. However, 37 percent of respondents say no solution is available.

Figure 10. What solutions are used to know the sources, patterns and types of DNS-based DDoS attacks? (More than one response is permitted)
  Logs from the DNS server: 42%
  No solutions available: 37%
  DNS cloud provider: 35%
  DNS-based DDoS solution: 35%
  Infoblox reporting and analytics with ADP: 13%

The analysis of traffic from the DNS firewall is often used to mitigate malware and protect data assets. According to Figure 11, 53 percent of respondents use analysis from the DNS firewall as a step taken to safeguard data assets. Only 26 percent of respondents say their organizations use a next-generation firewall that permits inspection of DNS traffic.

Figure 11. How does your organization analyze DNS traffic (on port 53)? (More than one response is permitted)
  Analysis from DNS firewall: 53%
  DNS log traffic that reveals malicious activity: 36%
  Next-gen firewall that permits inspection of DNS traffic: 26%
  None of the above: 24%
  Check for abnormal volumes and/or anomalous DNS patterns: 22%
Antivirus/endpoint security is used to protect data assets. According to Figure 12, 75 percent of respondents use antivirus/endpoint security to detect malware attempting connections to malicious domains, and 52 percent of respondents use multiple commercial, open-source, government and internal feeds to keep up to date with malicious domains.

Figure 12. What does your organization use to detect malware attempting connections to malicious domains? (More than one response is permitted)
  Antivirus/endpoint security tools: 75%
  A service provider: 33%
  A cloud-based security service: 29%
  Existing perimeter defense with black lists: 25%
  DNS firewall with RPZ: 24%
  We don’t use a solution: 19%

As shown in Figure 13, only 38 percent of respondents say their organizations use DNSSEC to sign their external DNS zones and validate replies for external domains. Another 54 percent say they do not use DNSSEC and 8 percent are unsure.

Figure 13. Does your organization use DNSSEC to sign its external DNS zones and validate replies for external domains?
  Yes: 38%
  No: 54%
  Unsure: 8%
According to Figure 14, 50 percent of respondents say their organizations rely upon data encryption to prevent DNS-based data exfiltration. Another 40 percent rely upon endpoint security and/or data loss prevention. Only 19 percent use a DNS-based data exfiltration detection tool.

Figure 14. What tools does your organization have to detect and prevent DNS-based data exfiltration? (More than one response is permitted)
  Data encryption: 50%
  Endpoint security: 40%
  Data loss prevention: 40%
  Next generation firewall: 21%
  DNS-based data exfiltration detection: 19%
  None: 11%

Seventy percent of respondents say their organizations use one or more reputational feeds to maintain a high level of vigilance with respect to malware and malicious domains. According to Figure 15, 52 percent use multiple commercial, open-source, government and internal feeds. Thirty-four percent rely upon free/open-source blacklists. Only 16 percent rely on a single commercial reputational feed.

Figure 15. Does your organization use a reputational feed to keep up to date with malicious domains? (More than one response is permitted)
  We use multiple commercial, open-source, government and internal feeds: 52%
  We use multiple commercial reputational feeds: 46%
  We use free/open-source blacklist(s): 34%
  None of the above: 30%
  We use a single commercial reputational feed: 16%
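Figures 11 and 14 rank “checking for abnormal volumes and/or anomalous DNS patterns” and “DNS-based data exfiltration detection” among the least-used controls. As an added example that is not part of the report, the following Python script shows what such a check looks like when run over DNS query logs: it profiles each client/domain pair for the long, high-entropy, never-repeating subdomain labels that characterise data leaving an organization inside DNS queries. The log line format, client addresses, domain names and thresholds are all constructed for this example.

```python
"""Added example: flag client/domain pairs whose DNS queries look like exfiltration.

Assumptions (not from the report): a simplified query-log format of
"<client-ip> <qname> <qtype>" per line, and invented sample data.
"""
import math
import re
from collections import defaultdict

LINE_RE = re.compile(r"^(\S+)\s+(\S+)\s+(\S+)$")

# Constructed sample log. 10.0.0.12 browses normally; 10.0.0.45 sends long,
# never-repeating, high-entropy labels under one domain, the classic pattern
# of data being carried out in the question section of DNS queries.
SAMPLE_LOG = """\
10.0.0.12 www.example.com A
10.0.0.12 mail.example.com MX
10.0.0.12 cdn.example.com A
10.0.0.12 www.example.com A
10.0.0.12 api.example.com A
10.0.0.12 www.example.com A
10.0.0.12 www.example.net A
10.0.0.45 kx7v2bqm9zt4wjhn3rdp.exfil-demo.test TXT
10.0.0.45 p3nz8dwq6hjk2tvx5brm.exfil-demo.test TXT
10.0.0.45 t9qh4xbk7nvz2wdm6pjr.exfil-demo.test TXT
10.0.0.45 w2dx5kqn8hjb3vzt7mpr.exfil-demo.test TXT
10.0.0.45 z6bv3jhq9xkd2wnt4prm.exfil-demo.test TXT
10.0.0.45 h4rk9zqv2bxw7djn5tpm.exfil-demo.test TXT
10.0.0.45 www.example.com A
"""


def shannon_entropy(text):
    """Bits of entropy per character; encoded payloads score far above hostnames."""
    if not text:
        return 0.0
    counts = defaultdict(int)
    for ch in text:
        counts[ch] += 1
    n = len(text)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def base_domain(qname):
    """Last two labels of the name. A public-suffix list would be more accurate."""
    labels = qname.rstrip(".").lower().split(".")
    return ".".join(labels[-2:])


def parse_lines(lines):
    """Yield (client, qname, qtype) for every line matching the assumed format."""
    for line in lines:
        match = LINE_RE.match(line.strip())
        if match:
            yield match.groups()


def profile(log_text):
    """Aggregate per (client, base domain): query count and leftmost-label stats."""
    stats = defaultdict(lambda: {"queries": 0, "labels": set(),
                                 "label_len": 0, "entropy": 0.0, "txt_null": 0})
    for client, qname, qtype in parse_lines(log_text.splitlines()):
        labels = qname.rstrip(".").split(".")
        leftmost = labels[0] if len(labels) > 2 else ""
        st = stats[(client, base_domain(qname))]
        st["queries"] += 1
        st["labels"].add(leftmost)
        st["label_len"] += len(leftmost)
        st["entropy"] += shannon_entropy(leftmost)
        if qtype.upper() in ("TXT", "NULL"):  # record types that carry bulk data
            st["txt_null"] += 1
    return stats


def suspicious_pairs(log_text, min_queries=5, min_unique_ratio=0.8,
                     min_entropy=3.0, min_label_len=12):
    """Return client/domain pairs whose label pattern exceeds every threshold.

    The thresholds are illustrative starting points; baseline them against the
    environment's own traffic before alerting on them.
    """
    flagged = []
    for (client, domain), st in profile(log_text).items():
        n = st["queries"]
        if n < min_queries:
            continue
        unique_ratio = len(st["labels"]) / n
        mean_entropy = st["entropy"] / n
        mean_len = st["label_len"] / n
        if (unique_ratio >= min_unique_ratio and mean_entropy >= min_entropy
                and mean_len >= min_label_len):
            flagged.append({"client": client, "domain": domain, "queries": n,
                            "unique_ratio": round(unique_ratio, 2),
                            "mean_entropy": round(mean_entropy, 2),
                            "mean_label_len": round(mean_len, 1),
                            "txt_null_queries": st["txt_null"]})
    return flagged


if __name__ == "__main__":
    for hit in suspicious_pairs(SAMPLE_LOG):
        print(hit)
```

The normal client queries example.com just as often but repeats a handful of short labels, so it stays below the uniqueness and entropy thresholds; only the client cycling through fresh 20-character labels under one domain is flagged.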
Figure 16 shows the distribution of separate commercial threat intelligence feeds deployed by organizations. Seventeen percent of respondents’ organizations rely on 2 or 3 feeds. In contrast, 13 percent rely upon 10 or more separate commercial threat feeds. The extrapolated mean value is 6.7 separate commercial threat feeds.

Figure 16. [If selected multiple commercial sources] How many separate threat intelligence feeds does your organization deploy? (Mean = 6.7 threat feeds)
  2 or 3: 17%
  4 or 5: 18%
  6 or 7: 25%
  8 or 9: 27%
  10 or more: 13%

As shown in Figure 17, 11 percent of respondents’ organizations get reputational feed updates at intervals of less than 2 hours. In contrast, 23 percent receive updates daily and 28 percent receive updates between every 6 hours and daily.

Figure 17. How frequently does your organization get updates for the reputational feed?
  Less than 2 hours: 11%
  Every 2 to 6 hours: 15%
  Once per week: 21%
  Between 6 hours and daily: 28%
  Daily: 23%
The use of threat intelligence to mitigate the risk of DNS-based attacks is ineffective. Only 45 percent of respondents say their organizations consolidate threat intelligence from various sources. According to Figure 18, of those respondents who say their organization consolidates threat intelligence, 42 percent say they use different threat feeds in different groups. In other words, they are unable to distribute this information to the entire security infrastructure. Another 29 percent say their organizations consolidate threat intelligence and distribute it to the entire security infrastructure. Twenty-six percent say their organizations consolidate threat intelligence but can only distribute it to a particular vendor’s infrastructure.

Figure 18. Does your organization distribute the consolidated intelligence to your organization’s security infrastructure?
  No, we use different threat feeds in different groups: 42%
  We consolidate threat intel and distribute it to the entire security infrastructure: 29%
  We consolidate threat intel on a TIP platform but can only distribute to a particular vendor’s infrastructure: 26%
Figure 19 shows that 32 percent of organizations do not use DNS, DHCP and IPAM (DDI) data to inform their security infrastructure (i.e., endpoint security, NAC, SIEM and vulnerability scanners). Another 25 percent say their organizations do this manually to correlate events within the security ecosystem. Twenty-two percent automatically share DDI data with multiple security tools, and 20 percent automatically aggregate the data in one security tool.

Figure 19. Does your organization use DNS, DHCP and IPAM (DDI) data to inform your security?
  We do not use DNS, DHCP and IPAM (DDI) data: 32%
  We do this manually to correlate events within the security ecosystem: 25%
  We automatically share DDI data with multiple security tools: 22%
  We automatically aggregate the data in one security tool: 20%
  Don't know: 1%

Threat investigations are mostly conducted manually. Fifty-two percent of the respondents say their organizations conduct threat investigations. Of these respondents, 42 percent say their organizations manually search various sources to obtain information on threats, as shown in Figure 20. One-third say their organizations use a generic threat investigation tool. Eleven percent say their organization uses Infoblox Dossier, and 6 percent use network intelligence from Awake Security.

Figure 20. If yes, how do you investigate threats?
  Manually search various sources to obtain information on threats: 42%
  An alternate threat investigation tool: 33%
  We use Infoblox Dossier: 11%
  Network intelligence from Awake Security: 6%
The most frequently cited vendors for DNS-based data exfiltration detection are Cisco, Akamai, Infoblox (ActiveTrust) and BlueCat. The remaining 44 percent of respondents selected another, unnamed vendor, as shown in Figure 21.

Figure 21. If you selected DNS-based data exfiltration detection, what tools is your organization using?
  Other vendor: 44%
  Cisco Umbrella: 21%
  Akamai: 13%
  Infoblox: 13%
  BlueCat: 10%
Part 3. Methods

Table 2 shows the survey responses obtained in the United States and EMEA; the survey was completed in August 2018. The combined sampling frame includes 29,063 IT or IT security practitioners. The total number of completed survey returns is 1,142, of which 121 were rejected because of failed reliability. This results in a final sample size of 1,021 qualified respondents, or a 3.5 percent response rate. The overall margin of error at the 95 percent level of confidence is 4.6 percent (two-tailed test).

Table 2. Survey Response (US / EMEA / Total)
  Total sampling frame: 16,563 / 12,500 / 29,063
  Total returns: 673 / 469 / 1,142
  Rejected surveys: 64 / 57 / 121
  Final sample: 609 / 412 / 1,021
  Response rate: 3.7% / 3.3% / 3.5%
The following pie chart summarizes the position level of qualified respondents. At 37 percent, the largest segment contains those who are rank-and-file level employees (i.e., technicians or analysts). The smallest segment (4 percent) includes senior-level executives (C-suite). A total of 56 percent consists of employees who are at or above the supervisory level.

Pie Chart 1. Position level of respondents
  Technician/analyst: 37%
  Manager: 20%
  Director: 16%
  Supervisor: 15%
  Contractor/consultant: 8%
  Senior executive/VP: 4%
Pie Chart 2 summarizes the total worldwide headcount of respondents’ companies. In the context of this study, headcount serves as an indicator of size. At 34 percent, the largest segment contains smaller-sized organizations with less than 1,000 full-time equivalent employees. The smallest segment (8 percent) includes larger-sized organizations with 10,000 or more employees.

Pie Chart 2. Global headcount of respondents’ companies
  Less than 1,000: 34%
  1,000-1,999: 22%
  2,000-4,999: 21%
  5,000-9,990: 15%
  10,000 and above: 8%

Pie Chart 3 shows the percentage distribution of respondents’ companies according to 18 industries. As can be seen, financial services represent the largest industry sector (at 16 percent). Financial service companies include banking, insurance, brokerage, investment management and payment processing. Other large verticals include public sector, services, industrial and manufacturing, retail, and health and pharmaceuticals.

Pie Chart 3. Primary industry sector of respondents’ companies
  Financial services: 16%
  Public sector: 12%
  Services: 11%
  Industrial & manufacturing: 10%
  Retail: 9%
  Health & pharmaceutical: 8%
  Technology & software: 8%
  Energy & utilities: 6%
  Consumer products: 5%
  Construction: 3%
  Communications: 2%
  Hospitality: 2%
  Transportation: 2%
  Education & research: 2%
  Agriculture & food services: 1%
  Media & entertainment: 1%
  Aerospace & defense: 1%
  Other: 1%
Part 4. Caveats to this study

There are inherent limitations to survey research that need to be carefully considered before drawing inferences from findings. The following items are specific limitations that are germane to most Web-based surveys.

- Non-response bias: The current findings are based on a sample of survey returns. We sent surveys to a representative sample of individuals, resulting in a large number of usable returned responses. Despite non-response tests, it is always possible that individuals who did not participate are substantially different in terms of underlying beliefs from those who completed the instrument.

- Sampling-frame bias: The accuracy is based on contact information and the degree to which the list is representative of individuals who are IT or IT security practitioners located in the United States and EMEA. We also acknowledge that the results may be biased by external events such as media coverage. Finally, because we used a Web-based collection method, it is possible that non-Web responses by mailed survey or telephone call would result in a different pattern of findings.

- Self-reported results: The quality of survey research is based on the integrity of confidential responses received from subjects. While certain checks and balances can be incorporated into the survey process, there is always the possibility that a subject did not provide accurate responses.
Appendix: Detailed Survey Results

The following tables provide the frequency or percentage frequency of responses to all survey questions contained in this study. All survey responses were captured from July 30, 2018 to August 6, 2018.

Survey response (US / EMEA / Total)
  Total sampling frame: 16,563 / 12,500 / 29,063
  Total returns: 673 / 469 / 1,142
  Rejected surveys: 64 / 57 / 121
  Final sample: 609 / 412 / 1,021
  Response rate: 3.7% / 3.3% / 3.5%
  Sample weights: 59.6% / 40.4% / 100.0%

Part 1. Screening Questions

S1. How familiar are you with your organization’s DNS architecture/implementation? (US / EMEA / Total)
  Very familiar: 39% / 33% / 37%
  Familiar: 35% / 37% / 36%
  Somewhat familiar: 26% / 30% / 28%
  No knowledge (Stop): 0% / 0% / 0%
  Total: 100% / 100% / 100%

S2. Do you have any responsibility in managing cybersecurity activities within your organization? (US / EMEA / Total)
  Yes, full responsibility: 31% / 23% / 28%
  Yes, some responsibility: 54% / 56% / 55%
  Yes, minimum responsibility: 15% / 21% / 17%
  No responsibility (Stop): 0% / 0% / 0%
  Total: 100% / 100% / 100%

Part 2. Organizational Characteristics

D1. What best defines your position level within your organization? (US / EMEA / Total)
  Senior executive/VP: 5% / 3% / 4%
  Director: 17% / 15% / 16%
  Manager: 22% / 18% / 20%
  Supervisor: 14% / 17% / 15%
  Technical/analyst: 35% / 39% / 37%
  Contractor/consultant: 6% / 8% / 7%
  Other (please specify): 1% / 0% / 1%
  Total: 100% / 100% / 100%

D2. How many employees do you have in your organization? (US / EMEA / Total)
  Less than 1,000: 30% / 39% / 34%
  1,000-1,999: 20% / 26% / 22%
  2,000-4,999: 23% / 18% / 21%
  5,000-10,000: 17% / 12% / 15%
  10,001 and above: 10% / 5% / 8%
  Total: 100% / 100% / 100%
D3. What is the focus of your role/position within your organization? (US / EMEA / Total)
  IT/IT operations: 35% / 31% / 33%
  Networking infrastructure/networking operations: 34% / 36% / 35%
  Cybersecurity/security operations: 30% / 33% / 31%
  Other: 1% / 0% / 1%
  Total: 100% / 100% / 100%

D4. Which of the following best describes your company’s main line of business? (US / EMEA / Total)
  Aerospace and defense: 1% / 0% / 1%
  Agriculture and food services: 1% / 2% / 1%
  Communications: 2% / 3% / 2%
  Construction and real estate: 3% / 2% / 3%
  Consumer products: 5% / 6% / 5%
  Education and research: 2% / 1% / 2%
  Energy and utilities: 5% / 7% / 6%
  Financial services: 17% / 15% / 16%
  Health and pharmaceuticals: 9% / 7% / 8%
  Hospitality: 2% / 3% / 2%
  Industrial and manufacturing: 10% / 9% / 10%
  Media and entertainment: 2% / 0% / 1%
  Public sector: 11% / 13% / 12%
  Retail: 9% / 10% / 9%
  Services: 10% / 12% / 11%
  Technology and software: 8% / 8% / 8%
  Transportation: 2% / 2% / 2%
  Other (please specify): 1% / 0% / 1%
  Total: 100% / 100% / 100%

Part 3. Visibility

Q1a. Does your organization have dedicated personnel specifically to address DNS security? (US / EMEA / Total)
  Yes, our security team (person) is responsible for DNS security: 20% / 15% / 18%
  Yes, our network team (person) is responsible for DNS security: 25% / 20% / 23%
  Yes, but no one team or person is responsible for DNS security: 23% / 30% / 26%
  No: 30% / 35% / 32%
  Don't know: 2% / 0% / 1%
  Total: 100% / 100% / 100%
Q1b. If yes, does your organization use any of the following products specifically to address DNS security? (US / EMEA / Total)
  Infoblox DNS Security: 16% / 12% / 14%
  Cisco Umbrella: 21% / 19% / 20%
  Akamai: 16% / 13% / 15%
  Bluecat: 13% / 12% / 13%
  Other (please specify): 34% / 42% / 37%
  Don't know: 0% / 2% / 1%
  Total: 100% / 100% / 100%

Q2a. Does your organization identify and track when new assets (i.e., endpoints, servers, virtual machines) are added or removed from your network? (US / EMEA / Total)
  Yes: 50% / 55% / 52%
  No: 47% / 44% / 46%
  Unsure: 3% / 1% / 2%
  Total: 100% / 100% / 100%

Q2b. If yes, how does your organization identify and track when new assets are added or removed from its network? (US / EMEA / Total)
  We use Infoblox tools (NetMRI or Network Insight): 16% / 12% / 14%
  We use other discovery tools (e.g. HPNA, Solarwinds and others): 40% / 36% / 38%
  Periodic SNMP sweeps: 23% / 18% / 21%
  Spreadsheet and device ping: 37% / 43% / 39%
  NAC (e.g. Forescout) polling: 41% / 37% / 39%
  CISCO switch sends SNMP to NAC: 21% / 18% / 20%
  None of the above: 32% / 35% / 33%
  Don’t know: 2% / 0% / 1%
  Total: 212% / 199% / 207%

Q3a. Does your organization consolidate information about all of its physical, virtual and cloud assets into a single view? (US / EMEA / Total)
  Yes: 36% / 32% / 34%
  No: 62% / 68% / 64%
  Unsure: 2% / 0% / 1%
  Total: 100% / 100% / 100%

Q3b. If yes, how does your organization consolidate information about all of its physical, virtual and cloud assets into a single view? (US / EMEA / Total)
  Integrated IPAM solution with automated discovery: 34% / 28% / 32%
  Manual entry into a spreadsheet or database: 45% / 54% / 49%
  Multiple tools with siloed views: 55% / 60% / 57%
  CMDB: 23% / 18% / 21%
  A CWPP solution for cloud/docker visibility: 21% / 17% / 19%
  Don’t know: 0% / 3% / 1%
  Total: 178% / 180% / 179%
Q4. What tools does your organization use to identify a compromised device? Please select all that apply.
                           US    EMEA  Total
DNS data                   54%   49%   52%
DHCP fingerprinting        31%   29%   30%
IPAM data                  30%   26%   28%
Endpoint security          46%   37%   42%
MS AD                      18%   15%   17%
NAC (e.g., Forescout)      40%   45%   42%
Other (please specify)      2%    4%    3%
None of the above          23%   19%   21%
Don't know                  0%    1%    0%
Total                     244%  225%  236%
Q5. How does your organization know if its assets are vulnerable to misconfigurations? (Multiple responses permitted; totals exceed 100%.)
                                                                                US    EMEA  Total
We use Infoblox NetMRI to check for device misconfigurations                    15%   12%   14%
We use a third-party Network Configuration and Change Management (NCCM) tool    50%   48%   49%
We audit manually on a periodic basis                                           47%   39%   44%
Don't know                                                                       2%    5%    3%
Total                                                                          114%  104%  110%
Part 4. DNS Attack Protection

Q6. How does your organization mitigate DNS-based internal and external DDoS attacks (e.g., amplification, reflection, floods, NXDOMAIN attacks, DNS exploits)? Please select all that apply.
                                                                                                        US    EMEA  Total
Infoblox Advanced DNS Protection (ADP)                                                                  14%   11%   13%
The cloud DNS service provider hosts our DNS and handles attack mitigation                              47%   41%   45%
A dedicated DNS-based DDoS solution is in place                                                         33%   26%   30%
A specialty (Akamai, Prolexic, Arbor) DDoS solution is in place and it also protects DNS                38%   32%   36%
A load balancer or other on-premise appliance (e.g., Radware) handles increased traffic while under attack  42%   38%   40%
We do not have a solution                                                                               36%   40%   38%
Don't know                                                                                               3%    2%    3%
Total                                                                                                  213%  190%  204%
Q7. What solutions are used to know the sources, patterns and types of DNS-based DDoS attacks? (Multiple responses permitted; totals exceed 100%.)
                                               US    EMEA  Total
Infoblox Reporting and Analytics with ADP      13%   14%   13%
DNS cloud provider                             37%   32%   35%
DNS-based DDoS solution                        37%   31%   35%
Logs from the DNS server                       41%   44%   42%
No solutions available                         35%   39%   37%
Don't know                                      3%    1%    2%
Total                                         166%  161%  164%
Part 5. Data Protection and Malware Mitigation

Q8a. Does your organization analyze DNS traffic (on port 53)?
          US    EMEA  Total
Yes       60%   56%   58%
No        39%   44%   41%
Unsure     1%    0%    1%
Total    100%  100%  100%

Q8b. If yes, how does your organization analyze DNS traffic (on port 53)? Please select all that apply.
                                                              US    EMEA  Total
Analysis from DNS firewall                                    52%   55%   53%
Check for abnormal volumes and/or anomalous DNS patterns      24%   20%   22%
DNS log traffic that reveals malicious activity               39%   32%   36%
Next-gen firewall that permits inspection of DNS traffic      28%   22%   26%
None of the above                                             23%   25%   24%
Don't know                                                     2%    3%    2%
Total                                                        168%  157%  164%
Q9. What does your organization use to detect malware attempting connections to malicious domains? Please select all that apply.
                                                                     US    EMEA  Total
DNS firewall with RPZ                                                26%   21%   24%
Antivirus/endpoint security tools                                    78%   71%   75%
A cloud-based security service                                       30%   28%   29%
A service provider                                                   35%   30%   33%
Existing perimeter defense with blacklists (i.e., FW, NGFW, SWG)     27%   23%   25%
Don't know                                                            2%    4%    3%
We don't use a solution                                              18%   21%   19%
Total                                                               216%  198%  209%
Q10. Does your organization use DNSSEC to sign its external DNS zones and to validate replies for external domains?
          US    EMEA  Total
Yes       40%   35%   38%
No        54%   54%   54%
Unsure     6%   11%    8%
Total    100%  100%  100%
Q11a. What tools does your organization have to detect and prevent DNS-based data exfiltration? Please select all that apply.
                                          US    EMEA  Total
DNS-based data exfiltration detection     20%   18%   19%
Endpoint security                         42%   38%   40%
Data loss prevention                      38%   43%   40%
Data encryption                           50%   51%   50%
NGFW                                      23%   17%   21%
None                                      12%   10%   11%
Don't know                                 4%    2%    3%
Total                                    189%  179%  185%
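Three of the options above reduce to the same practice: Q7's "logs from the DNS server", Q8b's "check for abnormal volumes and/or anomalous DNS patterns" and Q11a's "DNS-based data exfiltration detection" are all analytics over resolver query logs. The script below is an added example written for this edition; it is not code from the report or from Infoblox or any other vendor named in it. The log line layout, the constructed sample traffic and the detection thresholds are assumptions, chosen so the script runs offline. It scores each base domain on how many distinct, long, high-entropy subdomains it receives (the footprint of data encoded into query names) and, separately, counts NXDOMAIN answers per client in a sliding window (the footprint of a random-subdomain flood).

```python
"""DNS query-log analytics: DNS tunnelling/exfiltration and NXDOMAIN-flood detection.
Added example, not from the report or any vendor it names. Log format, sample
traffic and thresholds are assumptions; calibrate against your own baseline."""
import hashlib
import math
import re
from collections import defaultdict

# Assumed (constructed) log format, one record per line:
#   <unix-ts> <client-ip> <qname> <qtype> <rcode>
LOG_RE = re.compile(r"^(\d+)\s+(\S+)\s+(\S+)\s+(\S+)\s+(\S+)$")

def shannon_entropy(text):
    """Bits per character: random hex tends towards 4.0, English words sit below ~3."""
    if not text:
        return 0.0
    counts = defaultdict(int)
    for ch in text:
        counts[ch] += 1
    n = len(text)
    return -sum(c / n * math.log2(c / n) for c in counts.values())

def split_name(qname):
    """Return (subdomain, base_domain). Base domain is approximated as the last
    two labels; production code should consult the Public Suffix List."""
    labels = qname.rstrip(".").lower().split(".")
    if len(labels) <= 2:
        return "", ".".join(labels)
    return ".".join(labels[:-2]), ".".join(labels[-2:])

def parse_log(lines):
    """Yield (ts, client, qname, qtype, rcode); malformed lines are skipped."""
    for line in lines:
        m = LOG_RE.match(line.strip())
        if m:
            ts, client, qname, qtype, rcode = m.groups()
            yield int(ts), client, qname, qtype.upper(), rcode.upper()

def find_tunnels(records, min_unique=20, min_len=25, min_entropy=3.5):
    """Flag base domains receiving many distinct, long, high-entropy subdomains:
    the footprint of data encoded into query names (iodine/dnscat2-style)."""
    stats = defaultdict(lambda: {"subs": set(), "lens": [], "ents": []})
    for _ts, _client, qname, _qtype, _rcode in records:
        sub, base = split_name(qname)
        if not sub:
            continue
        s = stats[base]
        s["subs"].add(sub)
        s["lens"].append(len(sub))
        s["ents"].append(shannon_entropy(sub))
    flagged = {}
    for base, s in stats.items():
        uniq = len(s["subs"])
        avg_len = sum(s["lens"]) / len(s["lens"])
        avg_ent = sum(s["ents"]) / len(s["ents"])
        if uniq >= min_unique and avg_len >= min_len and avg_ent >= min_entropy:
            flagged[base] = {"unique_subdomains": uniq, "avg_len": round(avg_len, 1),
                             "avg_entropy": round(avg_ent, 2)}
    return flagged

def find_nxdomain_floods(records, window=60, threshold=50):
    """Flag clients with >= threshold NXDOMAIN answers inside any window-second
    span (random-subdomain / NXDOMAIN flood). Returns {client: peak_count}."""
    per_client = defaultdict(list)
    for ts, client, _qname, _qtype, rcode in records:
        if rcode == "NXDOMAIN":
            per_client[client].append(ts)
    flagged = {}
    for client, stamps in per_client.items():
        stamps.sort()
        start, peak = 0, 0
        for end, t in enumerate(stamps):
            while t - stamps[start] > window:
                start += 1
            peak = max(peak, end - start + 1)
        if peak >= threshold:
            flagged[client] = peak
    return flagged

def build_sample_log():
    """Constructed traffic (not captured anywhere): benign lookups, a tunnel to
    evil-tunnel.test, and an NXDOMAIN flood from one client against victim.test."""
    lines = []
    for i in range(40):
        name = ["www.example.com", "mail.example.com", "cdn.example.com"][i % 3]
        lines.append(f"{1000 + i} 10.0.0.{10 + i % 5} {name} A NOERROR")
    for i in range(30):  # 48-character hex labels carry roughly 3.8 bits/char
        label = hashlib.sha256(f"chunk-{i}".encode()).hexdigest()[:48]
        lines.append(f"{2000 + i} 10.0.0.5 {label}.evil-tunnel.test TXT NOERROR")
    for i in range(60):  # 60 NXDOMAINs in 30 seconds; labels too short for the tunnel rule
        label = hashlib.sha256(f"flood-{i}".encode()).hexdigest()[:8]
        lines.append(f"{3000 + i // 2} 10.0.0.99 {label}.victim.test A NXDOMAIN")
    return lines

def analyze(lines):
    """Run both detectors over raw log lines: (tunnels, floods)."""
    records = list(parse_log(lines))
    return find_tunnels(records), find_nxdomain_floods(records)

if __name__ == "__main__":
    tunnels, floods = analyze(build_sample_log())
    print("suspected tunnels:", tunnels)
    print("NXDOMAIN floods:", floods)
```

The two detectors are deliberately separate: the flood against `victim.test` uses short labels, so the tunnel rule ignores it, and the tunnel to `evil-tunnel.test` receives NOERROR answers, so the flood rule ignores it. In production the base-domain approximation (last two labels) must be replaced with a Public Suffix List lookup, or every `*.co.uk` site collapses into one bucket.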
Q11b. [If you selected DNS-based data exfiltration detection] What tools is your organization using?
                                      US    EMEA  Total
Infoblox DNS Security/ActiveTrust     13%   12%   13%
Cisco Umbrella                        20%   22%   21%
Akamai                                13%   12%   13%
Bluecat                               10%    9%   10%
Other (please specify)                44%   45%   44%
Don't know                             0%    0%    0%
Total                                100%  100%  100%
Part 6. Threat Intelligence

Q12a. Does your organization use a reputational feed to keep up to date with malicious domains? Please select all that apply.
                                                                                  US    EMEA  Total
Yes, we use multiple commercial, open-source, government and internal feeds       54%   50%   52%
Yes, we use multiple commercial reputational feeds                                48%   43%   46%
Yes, we use a single commercial reputational feed                                 15%   17%   16%
Yes, we use free/open-source blacklist(s)                                         36%   32%   34%
No (skip to Q14a)                                                                 32%   27%   30%
Don't know                                                                         3%    1%    2%
Total                                                                            188%  170%  181%
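Q9's "DNS firewall with RPZ" and Q12a's reputational feeds are two halves of one control: the feeds are the input and a Response Policy Zone is how a resolver enforces them. The script below is an added example for this edition, not code from the report or from any vendor it names. It merges constructed feed entries into one policy, renders a BIND-style RPZ master file and evaluates query names against the policy. The feed contents, the zone origin `rpz.local` and the merge rule (later feeds override earlier ones) are assumptions; the CNAME targets are the standard RPZ actions (`.` for NXDOMAIN, `*.` for NODATA, `rpz-passthru.` to allow, `rpz-drop.` to drop), and the lookup follows RPZ QNAME-trigger semantics, where the most specific matching name wins.

```python
"""Build an RPZ from reputational feeds and evaluate QNAMEs against it.
Added example, not from the report or any vendor it names. Feed data, zone
origin and merge order are assumptions; actions are the standard RPZ ones."""

# RPZ policy action -> CNAME target that encodes it in the zone
ACTIONS = {"NXDOMAIN": ".", "NODATA": "*.", "PASSTHRU": "rpz-passthru.", "DROP": "rpz-drop."}

# Constructed feed entries: (domain, action, source feed). Not real indicators.
SAMPLE_FEEDS = [
    ("bad.example", "NXDOMAIN", "commercial-feed-a"),
    ("c2.botnet.test", "DROP", "open-source-list"),
    ("tracker.example.net", "NODATA", "internal-list"),
    ("phish.example.org", "NXDOMAIN", "commercial-feed-a"),
    ("phish.example.org", "NXDOMAIN", "commercial-feed-b"),   # duplicate across feeds
    ("mail.bad.example", "PASSTHRU", "internal-allowlist"),    # exception under a blocked parent
]

def normalize(name):
    """Lower-case and strip the trailing dot so feeds and queries compare equal."""
    return name.strip().lower().rstrip(".")

def merge_feeds(feeds):
    """Deduplicate and normalise feed entries into {trigger: (action, source)}.
    Later entries override earlier ones for the same trigger (assumed policy)."""
    policy = {}
    for domain, action, source in feeds:
        action = action.upper()
        if action not in ACTIONS:
            raise ValueError(f"unknown RPZ action {action!r} from {source}")
        policy[normalize(domain)] = (action, source)
    return policy

def render_rpz_zone(policy, origin="rpz.local", serial=2018100101):
    """Emit a BIND-style master file. Each trigger gets an exact record and a
    wildcard record, so subdomains of a listed domain are also policed."""
    out = ["$TTL 60",
           f"@ SOA localhost. hostmaster.{origin}. {serial} 3600 600 86400 60",
           "@ NS localhost."]
    for trigger in sorted(policy):
        action, source = policy[trigger]
        target = ACTIONS[action]
        out.append(f"{trigger} CNAME {target} ; {source}")
        out.append(f"*.{trigger} CNAME {target} ; {source}")
    return "\n".join(out) + "\n"

def lookup(policy, qname):
    """QNAME-trigger evaluation: the most specific (longest) matching trigger wins,
    so PASSTHRU on mail.bad.example overrides NXDOMAIN on bad.example.
    Returns (action, matched_trigger); (PASSTHRU, None) means no rule applied."""
    labels = normalize(qname).split(".")
    for i in range(len(labels)):            # the qname itself first, then each parent
        candidate = ".".join(labels[i:])
        if candidate in policy:
            return policy[candidate][0], candidate
    return "PASSTHRU", None

if __name__ == "__main__":
    policy = merge_feeds(SAMPLE_FEEDS)
    print(render_rpz_zone(policy))
    for q in ["bad.example", "cdn.bad.example.", "MAIL.bad.example", "www.example.com"]:
        print(f"{q:22s} -> {lookup(policy, q)}")
```

Two points worth checking in any real deployment: a feed that lists a parent domain silently blocks every subdomain (the wildcard record), which is why an internal allowlist such as the `mail.bad.example` exception above has to be part of the same policy rather than a separate list, and duplicate indicators across the multiple feeds that Q12b counts collapse to one record, so zone size is not a measure of coverage.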
Q12b. [If you selected multiple commercial sources] How many separate threat intelligence feeds does your organization deploy?
                      US     EMEA   Total
2 or 3                15%    21%    17%
4 or 5                16%    20%    18%
6 or 7                23%    28%    25%
8 or 9                31%    22%    27%
10 or more            15%     9%    13%
Total                100%   100%   100%
Extrapolated value    7.03   6.20   6.69
Q13. How frequently does your organization get updates for the reputational feed?
                               US    EMEA  Total
Less than 2 hours              15%    5%   11%
Every 2 to 6 hours             17%   12%   15%
Between 6 hours and daily      25%   33%   28%
Once per day                   21%   27%   23%
Once per week                  19%   23%   21%
Don't know                      3%    0%    2%
Other (please specify)          0%    0%    0%
Total                         100%  100%  100%
Q14a. Does your organization consolidate threat intel from various sources?
          US    EMEA  Total
Yes       49%   40%   45%
No        50%   60%   54%
Unsure     1%    0%    1%
Total    100%  100%  100%
Q14b. If yes, does your organization distribute the consolidated intel to your organization's security infrastructure (e.g., SIEM, NGFW, SEG, SWG, others)?
                                                                                                         US    EMEA  Total
Yes, we consolidate threat intel and distribute it to the entire security infrastructure                 31%   27%   29%
Yes, we consolidate threat intel on a TIP platform but can only distribute to a particular vendor's infrastructure  27%   25%   26%
No, we use different threat feeds in different groups                                                    40%   45%   42%
Don't know                                                                                                2%    3%    2%
Total                                                                                                   100%  100%  100%
Part 7. Security Operations

Q15. Does your organization use DNS, DHCP and IPAM (DDI) data to inform your security infrastructure (i.e., endpoint security, NAC, SIEM and vulnerability scanners)?
                                                                                                       US    EMEA  Total
Yes, we automatically share DDI data with multiple security tools                                      24%   19%   22%
Yes, we automatically aggregate the data in one security tool (e.g., SIEM or centralized log management)  22%   18%   20%
Yes, we do this manually to correlate events within the security ecosystem                             22%   29%   25%
No                                                                                                     30%   34%   32%
Don't know                                                                                              2%    0%    1%
Total                                                                                                 100%  100%  100%
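Whether DDI data reaches the SIEM automatically or by hand, the correlation that Q15 is asking about is usually the same one: turning the IP address in a DNS query or alert into the device that held that address at that moment, using DHCP lease history. The script below is an added example for this edition, not code from the report or from any vendor it names; the lease and query records are constructed and the field layout is an assumption. It shows why the join has to be point-in-time: the same address is leased to a laptop, released, and reissued to a printer, and a query made in the gap between leases maps to no device at all.

```python
"""Attribute DNS queries to devices from DHCP lease history (DDI correlation).
Added example, not from the report or any vendor it names. Lease and query
records are constructed; the field layout is an assumption."""
from bisect import bisect_right
from collections import defaultdict

def index_leases(leases):
    """leases: iterable of (start_ts, end_ts, ip, mac, hostname), where end_ts is
    the expiry or the release time. Returns {ip: leases sorted by start}."""
    by_ip = defaultdict(list)
    for start, end, ip, mac, hostname in leases:
        if end <= start:
            raise ValueError(f"lease for {ip} ends before it starts")
        by_ip[ip].append((start, end, mac, hostname))
    for ip in by_ip:
        by_ip[ip].sort()
    return by_ip

def lease_at(index, ip, ts):
    """Return (mac, hostname) holding `ip` at time `ts`, or None when no lease was
    active (static address outside DHCP, or a query in a gap between leases)."""
    leases = index.get(ip, [])
    starts = [lease[0] for lease in leases]
    i = bisect_right(starts, ts) - 1          # last lease that started at or before ts
    if i >= 0 and ts < leases[i][1]:
        return leases[i][2], leases[i][3]
    return None

def enrich_queries(index, queries):
    """queries: iterable of (ts, client_ip, qname). Yields each query enriched
    with the device that held the address when the query was made."""
    for ts, ip, qname in queries:
        dev = lease_at(index, ip, ts)
        yield {"ts": ts, "ip": ip, "qname": qname,
               "mac": dev[0] if dev else None,
               "hostname": dev[1] if dev else None}

# Constructed data: 10.0.0.42 is leased to a laptop, released at 1800, and
# reissued to a printer at 2000. The suspicious query happens on the laptop.
SAMPLE_LEASES = [
    (1000, 1800, "10.0.0.42", "aa:bb:cc:00:00:01", "laptop-jdoe"),
    (2000, 5600, "10.0.0.42", "aa:bb:cc:00:00:02", "printer-3f"),
    (1000, 4600, "10.0.0.7",  "aa:bb:cc:00:00:03", "ws-finance-02"),
]
SAMPLE_QUERIES = [
    (1500, "10.0.0.42",  "c2.botnet.test"),        # laptop held the address
    (2500, "10.0.0.42",  "updates.example.com"),   # printer held the address
    (1900, "10.0.0.42",  "www.example.com"),       # gap between the two leases
    (3000, "10.0.0.7",   "mail.example.com"),
    (3000, "10.0.0.200", "www.example.com"),       # address never seen in DHCP
]

def attribute_all():
    """Enrich the constructed queries against the constructed lease history."""
    return list(enrich_queries(index_leases(SAMPLE_LEASES), SAMPLE_QUERIES))

if __name__ == "__main__":
    for row in attribute_all():
        print(row)
```

The `None` results are the useful part: an unattributed address is either a static host missing from IPAM or a device the DHCP logs did not capture, and both belong on the same list as the alert itself. Feeding lease events into the SIEM (the first two "Yes" answers in Q15) is what makes this join possible after the fact; a live NAC or IPAM lookup only ever tells you who holds the address now.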
Q16a. Does your organization conduct threat investigations?
          US    EMEA  Total
Yes       54%   48%   52%
No        44%   49%   46%
Unsure     2%    3%    2%
Total    100%  100%  100%
Q16b. If yes, how do you investigate threats?
                                                                         US    EMEA  Total
We use Infoblox Dossier                                                  12%   10%   11%
An alternate threat investigation tool                                   34%   31%   33%
Network intelligence from Awake Security                                  8%    4%    6%
Manually search various sources to obtain information on threats         40%   45%   42%
Other (please specify)                                                    6%    8%    7%
Don't know                                                                0%    2%    1%
Total                                                                   100%  100%  100%
Please contact [email protected] or call us at 800.887.3118 if you have any questions.
Ponemon Institute Advancing Responsible Information Management
Ponemon Institute is dedicated to independent research and education that advances responsible information and privacy management practices within business and government. Our mission is to conduct high quality, empirical studies on critical issues affecting the management and security of sensitive information about people and organizations. We uphold strict data confidentiality, privacy and ethical research standards. We do not collect any personally identifiable information from individuals (or company identifiable information in our business research). Furthermore, we have strict quality standards to ensure that subjects are not asked extraneous, irrelevant or improper questions.