
Assessing the DNS Security Risk

Sponsored by Infoblox Independently conducted by Ponemon Institute LLC Publication Date: October 2018

Ponemon Institute© Research Report

Page 2: Infoblox Report - Assessing the DNS Security Risk · Assessing the DNS Security Risk Presented by Ponemon Institute, October 2018 Part 1. Introduction Ponemon Institute is pleased

Sponsored by Infoblox Ponemon institute© Private and Confidential Document

Page 1

Assessing the DNS Security Risk Presented by Ponemon Institute, October 2018

Part 1. Introduction

Ponemon Institute is pleased to present the findings of Assessing the DNS Security Risk, sponsored by Infoblox. The purpose of this study is to understand the ability of organizations to assess and mitigate DNS risks. As part of the research, an online index has been created to provide a global measure of organizations’ exposure to DNS security risks and to assist them in their response to those risks.

We surveyed 1,021 IT and IT security practitioners in the United States and EMEA who are familiar with their organizations’ DNS architecture/implementation and have some level of responsibility for managing cybersecurity activities within their organizations. Drawing upon the survey results for this sample of 1,021 qualified respondents, Infoblox and Ponemon Institute created the DNS Risk Index.

The Index is tabulated from 24 objectively scored questions, organized into five broad categories: (1) visibility, (2) DNS attack protection, (3) data protection and malware mitigation, (4) threat intelligence and (5) security operations. Each response yields risk points: zero where the answer has no impact on DNS risk, otherwise an ordinal value between one and eight points. Each question stands alone and is not weighted. The sum of risk points across all questions is the respondent’s DNS Security Risk Index.

As shown in Table 1, the theoretical maximum index score is 122 points and the theoretical minimum is zero. The actual maximum score observed in the sample is 67 points and the actual minimum is 22. The mean and median values are 57 and 48 points, respectively, and the standard deviation is 6.81 points.

Table 1. DNS Index Statistics

Statistic               Points
Mean                    57
Median                  48
Sample Minimum          22
Sample Maximum          67
Theoretical Minimum     0
Theoretical Maximum     122
Standard Deviation      6.81

When this report was published the Ponemon DNS Risk Index was at 57 points, which represents a high risk on the assessment scale. This means that globally, most organizations are underprepared to deal with security issues arising out of a poorly architected DNS, DHCP and IP address management (IPAM) solution. Following is a summary of the most salient findings.

Most companies do not have dedicated personnel or teams to address DNS security. Fifty-eight percent of respondents either do not have dedicated personnel (32 percent) or have no single team responsible for DNS security (26 percent).

Many companies are not identifying or tracking new assets. Forty-six percent of respondents say their organizations do not identify or track new assets such as endpoints, servers, virtual machines and other network-connected devices, such as IoT devices. Those that do track new assets rely on spreadsheets and device ping (39 percent), NAC polling (39 percent) or other discovery tools (38 percent).


There is a lack of visibility: physical, virtual and cloud assets are not brought into a single view. Sixty-four percent of respondents say their organizations do not consolidate information about their physical, virtual and cloud assets into a single view. Of those that do attempt a single view, 57 percent say their organizations use multiple tools with siloed views.

DNS data is the number one tool used to identify a compromised device. More than half (52 percent) of respondents say they use DNS data, and 42 percent say their organizations use endpoint security.

To determine whether their assets are vulnerable to misconfiguration, 44 percent of respondents conduct an audit manually on a periodic basis. Such manual processes can be error prone, take long periods of time to complete and are in general inefficient.

The mitigation of DNS-based attacks is mostly handled by a cloud DNS service provider. Forty-five percent of respondents say a cloud DNS service provider hosts their DNS and handles attack mitigation, and 40 percent say their organizations leverage a load balancer or other on-premise appliance to handle increased traffic while under attack.

Logs from the DNS server are the main way of learning the sources, patterns and types of DNS-based DDoS attacks. Forty-two percent of respondents say their organizations use logs from the DNS server to better understand DNS-based DDoS attacks. However, 37 percent say no solution is available.

Analysis of traffic from the DNS firewall is often used to mitigate malware and protect data assets. Fifty-three percent of respondents use analysis from a DNS firewall to safeguard data assets. Only 26 percent say their organizations use a next-generation firewall that permits inspection of DNS traffic.

Antivirus/endpoint security and data encryption are used to protect data assets. Seventy-five percent of respondents use antivirus/endpoint security to detect malware attempting connections to malicious domains, and 52 percent use multiple commercial, open-source, government and internal feeds to keep up to date with malicious domains. Fifty percent of respondents use data encryption to prevent DNS-based data exfiltration.

The use of threat intelligence to mitigate the risk of DNS-based attacks is ineffective. On average, organizations represented in this research use 6.7 separate commercial threat feeds, and only 45 percent of respondents say they consolidate threat intelligence from various sources. Of these respondents, 42 percent say they use different threat feeds in different groups, making it impossible to consolidate threat intelligence across the entire security infrastructure.

Threat investigations are mostly conducted manually. While more than half of respondents (52 percent) conduct threat investigations, 42 percent of these respondents say they manually search various sources to obtain information on threats.


A recent Ponemon Institute study [1] underscores the importance of creating the DNS Risk Index. Not only did respondents in that research rate detecting, preventing, containing and recovering from DNS-based data exfiltration as very difficult, but 54 percent of respondents also say DNS-based data exfiltration is a significant worry for their organizations (as shown in Figure 1).

Figure 1. Cyber attacks that are of greatest concern (five responses permitted)

[1] Securing the Enterprise Against Cyber Attacks, conducted by Ponemon Institute, June 2018

Figure 1 data (percentage of respondents): Advanced malware 63%; Advanced persistent threats (APTs) 59%; DNS-based data exfiltration 54%; Unauthorized network access 51%; Ransomware 46%; Phishing and social engineering 45%.


Reducing the number of false positives is considered the most important defensive capability against DNS-based attacks. According to the study, 71 percent of respondents believe the reduction of false positives is critical to defending their enterprises against DNS-based attacks. This is closely followed by the 68 percent of respondents who say that the integration of DNS protection with SIEM and other traffic intelligence systems is important.

Figure 2. The most important features that provide defensive capabilities against DNS-based attacks [2] (Very important and Important responses)

[2] Ibid.

Figure 2 data (Very important / Important / combined):
The ability to reduce the number of false positives in the generation of alerts: 31% / 40% / 71%
The ability to integrate DNS protection with SIEM and other traffic intelligence systems: 30% / 38% / 68%
The ability to scale (elasticity) during times of peak demand: 28% / 33% / 61%
The ability to integrate big data analytics to achieve greater visibility and precision in the intelligence gathering and dissemination process: 26% / 28% / 54%


Part 2. Key findings

This section presents an analysis of the key findings in the Assessing the DNS Security Risk study. The complete audited findings are presented in the Appendix of this report. The number of questions for each topic is as follows: visibility (5 questions), DNS attack protection (2 questions), data protection and malware mitigation (4 questions), threat intelligence (3 questions) and security operations (2 questions), for a total of 16 survey questions.

Most companies do not have dedicated personnel or teams. Figure 3 shows 67 percent of respondents (26 percent + 23 percent + 18 percent) say their organizations have one or more teams that are responsible for addressing DNS security. Another 32 percent say their organizations do not have dedicated personnel to address DNS security.

Figure 3. Does your organization have dedicated personnel specifically to address DNS security?

Figure 3 data: Do not have dedicated personnel 32%; No one team is responsible for DNS security 26%; The network team is responsible for DNS security 23%; The security team is responsible for DNS security 18%; Don't know 1%.


According to Figure 4, the most frequently cited vendors, or “brands,” for managing DNS security risks are Cisco, Akamai, Infoblox and BlueCat. The remaining 37 percent of respondents selected another, unnamed vendor.

Figure 4. Does your organization use any of the following products specifically to address DNS security?

Many companies are not identifying or tracking new assets. Forty-six percent of respondents say their organizations do not identify or track new assets such as endpoints, servers, virtual machines and other network-connected devices, such as IoT devices. Those that do track new assets rely on spreadsheets and device ping (39 percent), NAC polling (39 percent) or other discovery tools (38 percent), as shown in Figure 5.

Figure 5. How does your organization identify and track when new assets are added or removed from its network? (More than one response is permitted)

Figure 4 data: Other brands 37%; Cisco Umbrella 20%; Akamai 15%; Infoblox DNS Security 14%; BlueCat 13%.

Figure 5 data: Spreadsheet and device ping 39%; NAC polling 39%; Other discovery tools 38%; Periodic SNMP sweeps 21%; Cisco switch sends SNMP to NAC 20%; Infoblox tools (NetMRI or Network Insight) 14%.


There is a lack of visibility: physical, virtual and cloud assets are not consolidated into a single view. Sixty-four percent of respondents say their organizations do not consolidate information about their physical, virtual and cloud assets into a single view. As shown in Figure 6, among those that do attempt a single view, 57 percent say their organizations use multiple tools with siloed views. Another 49 percent use manual entry into a spreadsheet or database. Thirty-two percent are using an integrated IPAM solution with automated discovery.

Figure 6. How does your organization consolidate information about all of its physical, virtual and cloud assets into a single view? (More than one response is permitted)

DNS data is the number one tool used to identify a compromised device. More than half (52 percent) of respondents say they use DNS data, and 42 percent of respondents say their organizations use endpoint security and NAC, as shown in Figure 7.

Figure 7. What tools are used to identify a compromised device? (More than one response is permitted)

Figure 6 data: Multiple tools with siloed views 57%; Manual entry into a spreadsheet or database 49%; Integrated IPAM solution with automated discovery 32%; CMDB 21%; A CWPP solution for cloud/docker visibility 19%.

Figure 7 data: DNS data 52%; Endpoint security 42%; NAC (e.g., Forescout) 42%; DHCP fingerprinting 30%; IPAM data 28%; None of the above 21%; MS AD 17%.


Figure 8 describes how organizations determine whether their assets are vulnerable to misconfiguration. Forty-nine percent of respondents say their organizations use a third-party Network Configuration and Change Management (NCCM) tool, and 44 percent say they conduct an audit manually on a periodic basis, a process that can be error prone, take long periods of time to complete and is in general inefficient.

Figure 8. How does your organization know if its assets are vulnerable to misconfigurations?

The mitigation of DNS-based attacks is mostly handled by a cloud DNS service provider. According to Figure 9, 45 percent of respondents say a cloud DNS service provider hosts their DNS and handles attack mitigation (e.g., amplification, reflection, floods, NXDOMAIN attacks and DNS exploits), and 40 percent of respondents say their organizations leverage a load balancer or other on-premise appliance to handle increased traffic while under attack.

Figure 9. How does your organization mitigate DNS-based internal and external DDoS attacks? (More than one response is permitted)

Figure 8 data: We use a third-party Network Configuration and Change Management (NCCM) tool 49%; We audit manually on a periodic basis 44%; We use Infoblox NetMRI to check for device misconfigurations 14%; Don’t know 3%.

Figure 9 data: The cloud DNS service provider hosts our DNS and handles attack mitigation 45%; A load balancer or other on-premise appliance is leveraged to handle increased traffic while under an attack 40%; We do not have a solution 38%; A specialty DDoS solution is in place and also protects DNS 36%; A dedicated DNS-based DDoS solution is in place 30%; Infoblox Advanced DNS Protection (ADP) 13%.


Logs from the DNS server are the main way of learning the sources, patterns and types of DNS-based DDoS attacks. According to Figure 10, 42 percent of respondents say their organizations use logs from the DNS server to better understand DNS-based DDoS attacks. However, 37 percent of respondents say no solution is available.

Figure 10. What solutions are used to know the sources, patterns and types of DNS-based DDoS attacks? (More than one response is permitted)

Analysis of traffic from the DNS firewall is often used to mitigate malware and protect data assets. According to Figure 11, 53 percent of respondents use analysis from a DNS firewall as a step taken to safeguard data assets. Only 26 percent of respondents say their organizations use a next-generation firewall that permits inspection of DNS traffic.

Figure 11. How does your organization analyze DNS traffic (on port 53)? (More than one response is permitted)

Figure 10 data: Logs from the DNS server 42%; No solutions available 37%; DNS cloud provider 35%; DNS-based DDoS solution 35%; Infoblox reporting and analytics with ADP 13%.

Figure 11 data: Analysis from DNS firewall 53%; DNS log traffic that reveals malicious activity 36%; Next-gen firewall that permits inspection of DNS traffic 26%; None of the above 24%; Check for abnormal volumes and/or anomalous DNS patterns 22%.


Antivirus/endpoint security is used to protect data assets. According to Figure 12, 75 percent of respondents use antivirus/endpoint security to detect malware attempting connections to malicious domains, and 52 percent of respondents use multiple commercial, open-source, government and internal feeds to keep up to date with malicious domains.

Figure 12. What does your organization use to detect malware attempting connections to malicious domains? (More than one response is permitted)

As shown in Figure 13, only 38 percent of respondents say their organizations use DNSSEC to sign their external DNS zones and validate replies for external domains. Another 54 percent say they do not use DNSSEC and 8 percent are unsure. Note that the question covers two separate controls: signing one’s own zones protects others who resolve those names, while enabling validation on one’s own resolvers protects one’s own clients against forged responses; an organization can have deployed either without the other.

Figure 13. Does your organization use DNSSEC to sign its external DNS zones and validate replies for external domains?

Figure 12 data: Antivirus/endpoint security tools 75%; A service provider 33%; A cloud-based security service 29%; Existing perimeter defense with black lists 25%; DNS firewall with RPZ 24%; We don’t use a solution 19%.

Figure 13 data: Yes 38%; No 54%; Unsure 8%.


According to Figure 14, 50 percent of respondents say their organization relies upon data encryption to prevent DNS-based data exfiltration. Another 40 percent rely upon endpoint security and/or data loss prevention. Only 19 percent utilize a DNS-based data exfiltration detection tool. Encrypting data at rest or in transit does not by itself close this channel: a compromised host that can read the data can still encode it into query names, so detecting the channel requires inspecting the names and volumes of the DNS queries themselves.

Figure 14. What tools does your organization have to detect and prevent DNS-based data exfiltration? (More than one response is permitted)

Seventy percent of respondents say their organizations use one or more reputational feeds to maintain a high level of vigilance with respect to malware and malicious domains. According to Figure 15, 52 percent use multiple commercial, open-source, government and internal feeds. Thirty-four percent rely upon free/open-source blacklists. Only 16 percent rely on a single commercial reputational feed.

Figure 15. Does your organization use a reputational feed to keep up to date with malicious domains? (More than one response is permitted)

Figure 14 data: Data encryption 50%; Endpoint security 40%; Data loss prevention 40%; Next generation firewall 21%; DNS-based data exfiltration detection 19%; None 11%.
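The findings in Figure 11 (only 36 percent look at DNS log traffic for malicious activity, and 22 percent check for anomalous query patterns) and Figure 14 (only 19 percent have DNS-based exfiltration detection) name a control without showing what it does. The following is an added example, not code from the report or from any vendor product: a Python detector run over a constructed query log in a simplified "timestamp client qname qtype" format (the format, the client addresses and the domain names are all assumptions). It profiles each (client, registered domain) pair and flags only those that combine many distinct subdomains with long, high-entropy labels, which is the shape DNS tunnelling tools produce; a benign client that legitimately queries many short subdomains of a CDN is left alone, which is the false-positive case Figure 2 shows practitioners care about most.

```python
"""Flag DNS tunnelling / exfiltration-like query patterns in a DNS query log.

Added example for this page; it is not code from the Ponemon/Infoblox report.
The log format is a constructed, simplified "timestamp client qname qtype"
line; adapt parse_line() to your resolver's actual query-log format.
"""
import hashlib
import math
from collections import Counter, defaultdict
from dataclasses import dataclass
from typing import Optional

# Constructed benign traffic. Client 10.1.1.21 deliberately talks to many
# distinct subdomains of one domain (a CDN pattern) so that a rule keyed on
# subdomain count alone would raise a false positive.
BENIGN_LOG = """\
2018-08-01T10:00:01 10.1.1.20 www.example.com A
2018-08-01T10:00:02 10.1.1.20 mail.example.com MX
2018-08-01T10:00:03 10.1.1.21 img1.cdn.example.net A
2018-08-01T10:00:04 10.1.1.21 img2.cdn.example.net A
2018-08-01T10:00:05 10.1.1.21 img3.cdn.example.net A
2018-08-01T10:00:06 10.1.1.21 img4.cdn.example.net A
2018-08-01T10:00:07 10.1.1.21 img5.cdn.example.net A
2018-08-01T10:00:08 10.1.1.21 img6.cdn.example.net A
"""


def exfil_lines(client: str = "10.1.1.30", base: str = "t.example.org", count: int = 8) -> str:
    """Constructed exfiltration traffic: each TXT query carries a 32-hex-char
    chunk of 'data' (here a sha256 prefix) in its leftmost label."""
    lines = []
    for i in range(count):
        chunk = hashlib.sha256(f"chunk{i}".encode()).hexdigest()[:32]
        lines.append(f"2018-08-01T10:01:{i:02d} {client} {chunk}.{base} TXT")
    return "\n".join(lines) + "\n"


SAMPLE_LOG = BENIGN_LOG + exfil_lines()


@dataclass
class Query:
    ts: str
    client: str
    qname: str
    qtype: str


def parse_line(line: str) -> Optional[Query]:
    parts = line.split()
    if len(parts) != 4:
        return None  # skip blank or malformed lines rather than crash
    ts, client, qname, qtype = parts
    return Query(ts, client, qname.rstrip(".").lower(), qtype.upper())


def base_domain(qname: str) -> str:
    """Registered domain = last two labels. Assumption for the example: a real
    deployment should use the Public Suffix List so that 'example.co.uk' is
    not split as 'co.uk'."""
    labels = qname.split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else qname


def shannon_entropy(s: str) -> float:
    """Bits per character; random hex/base32 labels score far higher than
    dictionary words such as 'www' or 'mail'."""
    if not s:
        return 0.0
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())


def profile(log_text: str) -> dict:
    """Aggregate per (client, base domain): query count, distinct prefixes,
    entropy of the leftmost label and length of the full prefix."""
    stats = defaultdict(lambda: {"queries": 0, "prefixes": set(), "entropy": [], "length": []})
    for line in log_text.splitlines():
        q = parse_line(line)
        if q is None:
            continue
        base = base_domain(q.qname)
        prefix = q.qname[: -len(base) - 1] if q.qname != base else ""
        s = stats[(q.client, base)]
        s["queries"] += 1
        s["prefixes"].add(prefix)
        if prefix:
            s["entropy"].append(shannon_entropy(prefix.split(".")[0]))
            s["length"].append(len(prefix))
    return stats


def flag_exfiltration(stats: dict, min_unique: int = 5, min_entropy: float = 3.0,
                      min_len: int = 20) -> dict:
    """Flag a (client, base domain) pair only when it shows many distinct
    prefixes AND high-entropy AND long labels; requiring all three is what
    keeps the CDN client out of the result."""
    flagged = {}
    for key, s in stats.items():
        if len(s["prefixes"]) < min_unique or not s["entropy"]:
            continue
        mean_ent = sum(s["entropy"]) / len(s["entropy"])
        mean_len = sum(s["length"]) / len(s["length"])
        if mean_ent >= min_entropy and mean_len >= min_len:
            flagged[key] = {"queries": s["queries"], "unique_prefixes": len(s["prefixes"]),
                            "mean_entropy": round(mean_ent, 2), "mean_prefix_len": round(mean_len, 1)}
    return flagged


if __name__ == "__main__":
    for (client, base), f in flag_exfiltration(profile(SAMPLE_LOG)).items():
        print(f"ALERT {client} -> {base}: {f}")
```

The thresholds (5 distinct prefixes, 3.0 bits of entropy, 20-character prefix) are starting points, not tuned values; in production they should be set from a baseline of the organization's own resolver logs, and the query-type mix (TXT, NULL, MX and very long A/AAAA names) is a further signal worth adding.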

Figure 15 data: We use multiple commercial, open-source, government and internal feeds 52%; We use multiple commercial reputational feeds 46%; We use free/open-source blacklist(s) 34%; None of the above 30%; We use a single commercial reputational feed 16%.


Figure 16 shows the distribution of separate commercial threat intelligence feeds deployed by organizations. Seventeen percent of respondents’ organizations rely on 2 or 3 feeds. In contrast, 13 percent rely upon 10 or more separate commercial threat feeds. The extrapolated mean value is 6.7 separate commercial threat feeds.

Figure 16. [If selected multiple commercial sources] How many separate threat intelligence feeds does your organization deploy? (Mean = 6.7 threat feeds)

As shown in Figure 17, 11 percent of respondents’ organizations receive reputational feed updates at intervals of less than 2 hours. In contrast, 23 percent receive updates daily and 28 percent receive updates at intervals between 6 hours and daily.

Figure 17. How frequently does your organization get updates for the reputational feed?

Figure 16 data: 2 or 3 feeds 17%; 4 or 5 feeds 18%; 6 or 7 feeds 25%; 8 or 9 feeds 27%; 10 or more feeds 13%.

Figure 17 data: Less than 2 hours 11%; Every 2 to 6 hours 15%; Once per week 21%; Between 6 hours and daily 28%; Daily 23%.


The use of threat intelligence to mitigate the risk of DNS-based attacks is ineffective. Only 45 percent of respondents say their organizations consolidate threat intelligence from various sources. According to Figure 18, of those respondents who say their organization consolidates threat intelligence, 42 percent say they use different threat feeds in different groups; in other words, they are unable to distribute this information to the entire security infrastructure. Another 29 percent say their organizations consolidate threat intelligence and distribute it to the entire security infrastructure. Twenty-six percent say their organizations consolidate threat intelligence but can only distribute it to a particular vendor’s infrastructure.

Figure 18. Does your organization distribute the consolidated intelligence to your organization’s security infrastructure?

Figure 18 data: No, we use different threat feeds in different groups 42%; We consolidate threat intel and distribute it to the entire security infrastructure 29%; We consolidate threat intel on a TIP platform but can only distribute to a particular vendor’s infrastructure 26%.
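Figures 15 and 18 describe organizations that pull from several feeds (commercial, open-source, government, internal) but cannot merge them or push the result to every enforcement point, and Figure 12 shows the DNS firewall with RPZ as one such enforcement point. The following is an added example, not code from the report or from any product: a Python script that normalizes three feeds in different formats (a plain domain list, a hosts-file style list and a CSV with confidence scores), merges duplicates while keeping the strongest verdict and all contributing sources, drops entries below a confidence floor and anything matching an allowlist of the organization's own domains, and emits the result as a BIND Response Policy Zone. The feeds, the allowlist, the confidence scores and the zone name `rpz.local` are constructed for the example.

```python
"""Consolidate domain reputation feeds of different formats into one indicator
set and emit it as a BIND Response Policy Zone (RPZ).

Added example for this page; not code from the report or any vendor. The
three feeds, the allowlist and the confidence scores are constructed input.
"""
import csv
import io
import re
from dataclasses import dataclass, field
from typing import Dict, Iterable, Iterator, Optional, Tuple

# Simplified hostname check (lower-case labels, no leading/trailing hyphen,
# alphabetic TLD). Rejects IP addresses and bare 'localhost' from hosts files.
DOMAIN_RE = re.compile(r"^(?=.{1,253}$)(?!-)([a-z0-9-]{1,63}(?<!-)\.)+[a-z]{2,63}$")

# Constructed feeds; the parsers for each format are the point of the example.
FEED_PLAIN = """\
# vendor A: one domain per line, comments allowed, duplicates happen
evil-c2.example.org
Tracker.Example.NET
evil-c2.example.org
"""
FEED_HOSTS = """\
127.0.0.1 localhost
0.0.0.0 tracker.example.net
0.0.0.0 drop.example.com
"""
FEED_CSV = """\
domain,confidence,source
exfil.example.org,90,internal-ir
corp.example.com,40,open-list
lowconf.example.net,30,open-list
"""
# The organization's own domains must never be blocked, whatever a feed says.
ALLOWLIST = frozenset({"corp.example.com"})

Entry = Tuple[str, int, str]  # (raw domain, confidence 0-100, source name)


def normalize(name: str) -> Optional[str]:
    name = name.strip().lower().rstrip(".")
    return name if DOMAIN_RE.match(name) else None


def parse_plain(text: str, source: str, default_conf: int = 50) -> Iterator[Entry]:
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if line:
            yield line, default_conf, source


def parse_hosts(text: str, source: str, default_conf: int = 50) -> Iterator[Entry]:
    """hosts-file style: '0.0.0.0 host1 host2 ...'; the sink address is ignored."""
    for line in text.splitlines():
        parts = line.split("#", 1)[0].split()
        if len(parts) >= 2 and parts[0] in ("0.0.0.0", "127.0.0.1"):
            for host in parts[1:]:
                yield host, default_conf, source


def parse_csv(text: str, source: str) -> Iterator[Entry]:
    for row in csv.DictReader(io.StringIO(text)):
        yield row["domain"], int(row["confidence"]), row.get("source") or source


@dataclass
class Indicator:
    domain: str
    confidence: int
    sources: set = field(default_factory=set)


def consolidate(entries: Iterable[Entry], allowlist=frozenset(), min_conf: int = 50) -> Dict[str, Indicator]:
    merged: Dict[str, Indicator] = {}
    for raw, conf, src in entries:
        dom = normalize(raw)
        if dom is None:
            continue
        if any(dom == a or dom.endswith("." + a) for a in allowlist):
            continue  # never block own domains or their subdomains
        ind = merged.setdefault(dom, Indicator(dom, conf))
        ind.confidence = max(ind.confidence, conf)  # keep the strongest verdict
        ind.sources.add(src)
    return {d: i for d, i in merged.items() if i.confidence >= min_conf}


def rpz_zone(indicators: Dict[str, Indicator], origin: str = "rpz.local", serial: int = 2018100101) -> str:
    """RPZ: owner names are the trigger QNAMEs. 'CNAME .' answers NXDOMAIN;
    'CNAME *.' would answer NODATA and 'CNAME rpz-passthru.' exempts a name."""
    lines = [f"$ORIGIN {origin}.", "$TTL 300",
             f"@ IN SOA localhost. root.localhost. ({serial} 3600 600 86400 300)",
             "@ IN NS localhost."]
    for dom in sorted(indicators):
        ind = indicators[dom]
        lines.append(f"; confidence={ind.confidence} sources={','.join(sorted(ind.sources))}")
        lines.append(f"{dom} IN CNAME .")
        lines.append(f"*.{dom} IN CNAME .")  # also catch subdomains
    return "\n".join(lines) + "\n"


def load_sample_feeds() -> list:
    return (list(parse_plain(FEED_PLAIN, "vendor-a"))
            + list(parse_hosts(FEED_HOSTS, "hosts-b"))
            + list(parse_csv(FEED_CSV, "csv-c")))


if __name__ == "__main__":
    print(rpz_zone(consolidate(load_sample_feeds(), ALLOWLIST)), end="")
```

The generated zone is loaded on the resolver with a `response-policy { zone "rpz.local"; };` statement in BIND's `options` block and a matching `zone "rpz.local"` definition; bumping the SOA serial on each regeneration is what lets secondaries pick up the new list. Keeping the confidence and source list as zone-file comments preserves the provenance that Figure 18's "different feeds in different groups" respondents lose.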


Figure 19 shows that 32 percent of organizations do not use DNS, DHCP and IPAM (DDI) data to inform their security infrastructure (i.e., endpoint security, NAC, SIEM and vulnerability scanners). Another 25 percent say their organizations do this manually to correlate events within the security ecosystem. Twenty-two percent automatically share DDI data with multiple security tools, and 20 percent automatically aggregate the data in one security tool.

Figure 19. Does your organization use DNS, DHCP and IPAM (DDI) data to inform your security?

Threat investigations are mostly conducted manually. Fifty-two percent of the respondents say their organizations conduct threat investigations. Of these respondents, 42 percent say their organizations manually search various sources to obtain information on threats, as shown in Figure 20. One-third say their organizations use an alternate threat investigation tool. Eleven percent say their organization uses Infoblox Dossier, and 6 percent use network intelligence from Awake Security.

Figure 20. If yes, how do you investigate threats?

Figure 19 data: We do not use DNS, DHCP and IPAM (DDI) data 32%; We do this manually to correlate events within the security ecosystem 25%; We automatically share DDI data with multiple security tools 22%; We automatically aggregate the data in one security tool 20%; Don't know 1%.
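Figure 7 reports DNS data as the top tool for identifying a compromised device, and Figure 19 reports that a quarter of organizations correlate DDI data with security events by hand. The correlation itself is simple but has one trap: a DNS log only records the client IP address, and DHCP addresses move between devices, so joining on "current lease for this IP" attributes old alerts to the wrong machine. The following is an added example, not code from the report or from any DDI product, showing the time-aware join: a DNS-firewall hit is attributed to whichever DHCP lease held that address at the time of the query, falling back to IPAM static reservations, and the enriched record is emitted as one JSON object per line for a SIEM collector. The lease log format, the alerts, the addresses and the hostnames are constructed.

```python
"""Attribute a DNS alert (client IP + queried name) to a device using DHCP
lease history and IPAM static reservations, then emit a SIEM-ready event.

Added example for this page; not code from the report or from any DDI
product. The lease log, the static IPAM map and the alerts are constructed.
"""
import bisect
import json
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class LeaseEvent:
    ts: datetime
    action: str  # lease | renew | release | expire
    ip: str
    mac: str
    hostname: str


# Constructed lease history (one simplified line per dhcpd event). Note that
# 10.1.1.30 is held by laptop-alice, released, then re-issued to phone-bob.
LEASE_LOG = """\
2018-08-01T09:00:00 lease   10.1.1.30 aa:bb:cc:00:00:01 laptop-alice
2018-08-01T09:00:05 lease   10.1.1.31 aa:bb:cc:00:00:02 printer-3f
2018-08-01T09:30:00 release 10.1.1.30 aa:bb:cc:00:00:01 laptop-alice
2018-08-01T09:40:00 lease   10.1.1.30 aa:bb:cc:00:00:03 phone-bob
2018-08-01T10:20:00 renew   10.1.1.30 aa:bb:cc:00:00:03 phone-bob
"""

# Constructed IPAM static reservations: ip -> (mac, hostname).
STATIC_IPAM: Dict[str, Tuple[str, str]] = {"10.1.1.5": ("aa:bb:cc:ff:ff:05", "dc01")}

# Constructed DNS-firewall hits: timestamp client qname.
DNS_ALERTS = """\
2018-08-01T09:15:00 10.1.1.30 evil-c2.example.org
2018-08-01T09:35:00 10.1.1.30 evil-c2.example.org
2018-08-01T10:25:00 10.1.1.30 exfil.example.org
2018-08-01T10:26:00 10.1.1.5  evil-c2.example.org
2018-08-01T10:27:00 10.1.1.99 evil-c2.example.org
"""


def parse_ts(s: str) -> datetime:
    return datetime.fromisoformat(s)


def parse_leases(text: str) -> List[LeaseEvent]:
    events = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) == 5:
            ts, action, ip, mac, host = parts
            events.append(LeaseEvent(parse_ts(ts), action, ip, mac.lower(), host))
    return events


class LeaseIndex:
    """Per-IP, time-sorted lease events with a 'who held this IP at time T' query."""

    def __init__(self, events: List[LeaseEvent]):
        self.by_ip: Dict[str, List[LeaseEvent]] = defaultdict(list)
        for e in sorted(events, key=lambda e: e.ts):
            self.by_ip[e.ip].append(e)
        self.times = {ip: [e.ts for e in evs] for ip, evs in self.by_ip.items()}

    def holder_at(self, ip: str, when: datetime) -> Optional[LeaseEvent]:
        evs = self.by_ip.get(ip)
        if not evs:
            return None
        i = bisect.bisect_right(self.times[ip], when) - 1  # last event at or before 'when'
        if i < 0:
            return None
        last = evs[i]
        # A release/expire as the latest event means nobody held the address then.
        return last if last.action in ("lease", "renew") else None


def attribute_alert(index: LeaseIndex, static_ipam: Dict[str, Tuple[str, str]],
                    ts: datetime, ip: str, qname: str) -> dict:
    event = {"ts": ts.isoformat(), "client_ip": ip, "qname": qname, "source": "dns-firewall"}
    lease = index.holder_at(ip, ts)
    if lease is not None:
        event.update(mac=lease.mac, hostname=lease.hostname, attribution="dhcp-lease")
    elif ip in static_ipam:
        mac, host = static_ipam[ip]
        event.update(mac=mac, hostname=host, attribution="ipam-static")
    else:
        event.update(attribution="unknown")  # unmanaged or rogue address: worth its own alert
    return event


def enrich_alerts(alert_text: str, index: LeaseIndex, static_ipam) -> List[dict]:
    out = []
    for line in alert_text.splitlines():
        parts = line.split()
        if len(parts) == 3:
            ts, ip, qname = parts
            out.append(attribute_alert(index, static_ipam, parse_ts(ts), ip, qname))
    return out


if __name__ == "__main__":
    idx = LeaseIndex(parse_leases(LEASE_LOG))
    for ev in enrich_alerts(DNS_ALERTS, idx, STATIC_IPAM):
        print(json.dumps(ev))  # one JSON object per line for a SIEM collector
```

On the constructed data the 09:15 hit is attributed to laptop-alice and the 10:25 hit to phone-bob, even though both came from 10.1.1.30; a join on the latest lease would have blamed phone-bob for both. The 09:35 hit falls in the gap between release and re-issue and the 10.1.1.99 hit has no lease or reservation at all, so both come out as "unknown", which in practice is a finding in itself (Figure 5: many organizations are not tracking new assets).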

Figure 20 data: Manually search various sources to obtain information on threats 42%; An alternate threat investigation tool 33%; We use Infoblox Dossier 11%; Network intelligence from Awake Security 6%.


The most frequently cited vendors for DNS-based data exfiltration detection are Cisco, Akamai, Infoblox (ActiveTrust) and BlueCat. The remaining 44 percent of respondents selected another, unnamed vendor, as shown in Figure 21.

Figure 21. If you selected DNS-based data exfiltration detection, what tools is your organization using?

Figure 21 data: Other vendor 44%; Cisco Umbrella 21%; Akamai 13%; Infoblox 13%; BlueCat 10%.


Part 3. Methods

Table 2 shows the survey responses obtained in the United States and EMEA; fieldwork was completed in August 2018. The combined sampling frame includes 29,063 IT or IT security practitioners. The total number of completed survey returns is 1,142, of which 121 were rejected because of failed reliability checks. This results in a final sample size of 1,021 qualified respondents, or a 3.5 percent response rate. The overall margin of error at the 95 percent confidence level is 4.6 percent (two-tailed test).

Table 2. Survey Response
                         US       EMEA     Total
Total sampling frame     16,563   12,500   29,063
Total returns            673      469      1,142
Rejected surveys         64       57       121
Final sample             609      412      1,021
Response rate            3.7%     3.3%     3.5%

The following pie chart summarizes the position level of qualified respondents. At 37 percent, the largest segment contains those who are rank-and-file level employees (i.e., technicians or analysts). The smallest segment (4 percent) includes senior-level executives (C-suite). A total of 56 percent consists of employees who are at or above the supervisory level.

Pie Chart 1. Position level of respondents

Pie Chart 1 data: Technician/analyst 37%; Manager 20%; Director 16%; Supervisor 15%; Contractor/consultant 8%; Senior executive/VP 4%.


Pie Chart 2 summarizes the total worldwide headcount of respondents’ companies. In the context of this study, headcount serves as an indicator of size. At 34 percent, the largest segment contains smaller-sized organizations with less than 1,000 full-time equivalent employees. The smallest segment (8 percent) includes larger-sized organizations with 10,000 or more employees.

Pie Chart 2. Global headcount of respondents’ companies

Pie Chart 3 shows the percentage distribution of respondents’ companies according to 18 industries. As can be seen, financial services represent the largest industry sector (at 16 percent). Financial service companies include banking, insurance, brokerage, investment management and payment processing. Other large verticals include public sector, services, industrial and manufacturing, retail, and health and pharmaceuticals.

Pie Chart 3. Primary industry sector of respondents’ companies

Pie Chart 2 data: Less than 1,000 34%; 1,000-1,999 22%; 2,000-4,999 21%; 5,000-10,000 15%; 10,001 and above 8%.

Pie Chart 3 data (as extracted): Financial services 16%; Public sector 12%; Services 11%; Industrial & manufacturing 10%; Retail 9%; Health & pharmaceutical 8%; Technology & software 8%; Energy & utilities 6%; Consumer products 5%. The remaining sectors (Construction, Communications, Hospitality, Transportation, Education & research, Agriculture & food services, Media & entertainment, Aerospace & defense, Other) are each 3 percent or less; their individual values cannot be recovered from the extracted chart.


Part 4. Caveats to this study

There are inherent limitations to survey research that need to be carefully considered before drawing inferences from findings. The following items are specific limitations that are germane to most Web-based surveys.

• Non-response bias: The current findings are based on a sample of survey returns. We sent surveys to a representative sample of individuals, resulting in a large number of usable returned responses. Despite non-response tests, it is always possible that individuals who did not participate are substantially different in terms of underlying beliefs from those who completed the instrument.

• Sampling-frame bias: The accuracy is based on contact information and the degree to which the list is representative of individuals who are IT or IT security practitioners located in the United States and EMEA. We also acknowledge that the results may be biased by external events such as media coverage. Finally, because we used a Web-based collection method, it is possible that non-Web responses by mailed survey or telephone call would result in a different pattern of findings.

• Self-reported results: The quality of survey research is based on the integrity of confidential responses received from subjects. While certain checks and balances can be incorporated into the survey process, there is always the possibility that a subject did not provide accurate responses.


Appendix: Detailed Survey Results

The following tables provide the frequency or percentage frequency of responses to all survey questions contained in this study. All survey responses were captured between July 30, 2018 and August 6, 2018.

Survey response          US        EMEA      Total
Total sampling frame     16,563    12,500    29,063
Total returns            673       469       1,142
Rejected surveys         64        57        121
Final sample             609       412       1,021
Response rate            3.7%      3.3%      3.5%
Sample weights           59.6%     40.4%     100.0%

Part 1. Screening Questions

S1. How familiar are you with your organization’s DNS architecture/implementation?
                         US      EMEA    Total
Very familiar            39%     33%     37%
Familiar                 35%     37%     36%
Somewhat familiar        26%     30%     28%
No knowledge (Stop)      0%      0%      0%
Total                    100%    100%    100%

S2. Do you have any responsibility in managing cybersecurity activities within your organization?
                               US      EMEA    Total
Yes, full responsibility       31%     23%     28%
Yes, some responsibility       54%     56%     55%
Yes, minimum responsibility    15%     21%     17%
No responsibility (Stop)       0%      0%      0%
Total                          100%    100%    100%

Part 2. Organizational Characteristics

D1. What best defines your position level within your organization?
                            US      EMEA    Total
Senior executive/VP         5%      3%      4%
Director                    17%     15%     16%
Manager                     22%     18%     20%
Supervisor                  14%     17%     15%
Technical/analyst           35%     39%     37%
Contractor/consultant       6%      8%      7%
Other (please specify)      1%      0%      1%
Total                       100%    100%    100%

D2. How many employees do you have in your organization?
                        US      EMEA    Total
Less than 1,000         30%     39%     34%
1,000-1,999             20%     26%     22%
2,000-4,999             23%     18%     21%
5,000-10,000            17%     12%     15%
10,001 and above        10%     5%      8%
Total                   100%    100%    100%


D3. What is the focus of your role/position within your organization?
                                                   US      EMEA    Total
IT/IT operations                                   35%     31%     33%
Networking infrastructure/networking operations    34%     36%     35%
Cybersecurity/security operations                  30%     33%     31%
Other                                              1%      0%      1%
Total                                              100%    100%    100%

D4. Which of the following best describes your company’s main line of business?
                                  US      EMEA    Total
Aerospace and defense             1%      0%      1%
Agriculture and food services     1%      2%      1%
Communications                    2%      3%      2%
Construction and real estate      3%      2%      3%
Consumer products                 5%      6%      5%
Education and research            2%      1%      2%
Energy and utilities              5%      7%      6%
Financial services                17%     15%     16%
Health and pharmaceuticals        9%      7%      8%
Hospitality                       2%      3%      2%
Industrial and manufacturing      10%     9%      10%
Media and entertainment           2%      0%      1%
Public sector                     11%     13%     12%
Retail                            9%      10%     9%
Services                          10%     12%     11%
Technology and software           8%      8%      8%
Transportation                    2%      2%      2%
Other (please specify)            1%      0%      1%
Total                             100%    100%    100%

Part 3. Visibility

Q1a. Does your organization have dedicated personnel specifically to address DNS security?
                                                                   US      EMEA    Total
Yes, our security team (person) is responsible for DNS security    20%     15%     18%
Yes, our network team (person) is responsible for DNS security     25%     20%     23%
Yes, but no one team or person is responsible for DNS security     23%     30%     26%
No                                                                 30%     35%     32%
Don't know                                                         2%      0%      1%
Total                                                              100%    100%    100%


Q1b. If yes, does your organization use any of the following products specifically to address DNS security?
                            US      EMEA    Total
Infoblox DNS Security       16%     12%     14%
Cisco Umbrella              21%     19%     20%
Akamai                      16%     13%     15%
Bluecat                     13%     12%     13%
Other (please specify)      34%     42%     37%
Don't know                  0%      2%      1%
Total                       100%    100%    100%

Q2a. Does your organization identify and track when new assets (i.e., endpoints, servers, virtual machines) are added to or removed from your network?
            US      EMEA    Total
Yes         50%     55%     52%
No          47%     44%     46%
Unsure      3%      1%      2%
Total       100%    100%    100%

Q2b. If yes, how does your organization identify and track when new assets are added to or removed from its network?
                                                                   US      EMEA    Total
We use Infoblox tools (NetMRI or Network Insight)                  16%     12%     14%
We use other discovery tools (e.g. HPNA, Solarwinds and others)    40%     36%     38%
Periodic SNMP sweeps                                               23%     18%     21%
Spreadsheet and device ping                                        37%     43%     39%
NAC (e.g. Forescout) polling                                       41%     37%     39%
CISCO switch sends SNMP to NAC                                     21%     18%     20%
None of the above                                                  32%     35%     33%
Don’t know                                                         2%      0%      1%
Total                                                              212%    199%    207%

Q3a. Does your organization consolidate information about all of its physical, virtual and cloud assets into a single view?
            US      EMEA    Total
Yes         36%     32%     34%
No          62%     68%     64%
Unsure      2%      0%      1%
Total       100%    100%    100%

Q3b. If yes, how does your organization consolidate information about all of its physical, virtual and cloud assets into a single view?
                                                      US      EMEA    Total
Integrated IPAM solution with automated discovery     34%     28%     32%
Manual entry into a spreadsheet or database           45%     54%     49%
Multiple tools with siloed views                      55%     60%     57%
CMDB                                                  23%     18%     21%
A CWPP solution for cloud/docker visibility           21%     17%     19%
Don’t know                                            0%      3%      1%
Total                                                 178%    180%    179%


Q4. What tools does your organization use to identify a compromised device? Please select all that apply.
                            US      EMEA    Total
DNS data                    54%     49%     52%
DHCP fingerprinting         31%     29%     30%
IPAM data                   30%     26%     28%
Endpoint security           46%     37%     42%
MS AD                       18%     15%     17%
NAC (e.g., Forescout)       40%     45%     42%
Other (please specify)      2%      4%      3%
None of the above           23%     19%     21%
Don’t know                  0%      1%      0%
Total                       244%    225%    236%

Q5. How does your organization know if its assets are vulnerable to misconfigurations?
                                                                                                          US      EMEA    Total
We use Infoblox NetMRI to check for device misconfigurations                                              15%     12%     14%
We use a third-party Network Configuration and Change Management (NCCM) tool <enter product name here>    50%     48%     49%
We audit manually on a periodic basis                                                                     47%     39%     44%
Don’t know                                                                                                2%      5%      3%
Total                                                                                                     114%    104%    110%

Part 4. DNS Attack Protection

Q6. How does your organization mitigate DNS-based internal and external DDoS attacks (i.e., including amplification, reflection, floods, NXDOMAIN, DNS exploits etc.)? Please select all that apply.
                                                                                                                                US      EMEA    Total
Infoblox Advanced DNS Protection (ADP)                                                                                          14%     11%     13%
The cloud DNS service provider hosts our DNS and handles attack mitigation                                                      47%     41%     45%
A dedicated DNS based DDoS solution is in place                                                                                 33%     26%     30%
A specialty (Akamai, Prolexic, Arbor) DDoS solution is in place and it also protects DNS                                        38%     32%     36%
A load balancer or other on-premise appliance (e.g., Radware) is leveraged to handle increased traffic while under an attack    42%     38%     40%
We do not have a solution                                                                                                       36%     40%     38%
Don't know                                                                                                                      3%      2%      3%
Total                                                                                                                           213%    190%    204%


Q7. What solutions are used to know the sources, patterns and types of DNS-based DDoS attacks?
                                              US      EMEA    Total
Infoblox Reporting and Analytics with ADP     13%     14%     13%
DNS cloud provider                            37%     32%     35%
DNS-based DDoS solution                       37%     31%     35%
Logs from the DNS server                      41%     44%     42%
No solutions available                        35%     39%     37%
Don't know                                    3%      1%      2%
Total                                         166%    161%    164%

Part 5. Data Protection and Malware Mitigation

Q8a. Does your organization analyze DNS traffic (on port 53)?
            US      EMEA    Total
Yes         60%     56%     58%
No          39%     44%     41%
Unsure      1%      0%      1%
Total       100%    100%    100%

Q8b. If yes, how does your organization analyze DNS traffic (on port 53)? Please select all that apply.
                                                               US      EMEA    Total
Analysis from DNS firewall                                     52%     55%     53%
Check for abnormal volumes and/or anomalous DNS patterns       24%     20%     22%
DNS log traffic that reveals malicious activity                39%     32%     36%
Next-gen firewall that permits inspection of DNS traffic       28%     22%     26%
None of the above                                              23%     25%     24%
Don’t know                                                     2%      3%      2%
Total                                                          168%    157%    164%

Q9. What does your organization use to detect malware attempting connections to malicious domains? Please select all that apply.
                                                                       US      EMEA    Total
DNS firewall with RPZ                                                  26%     21%     24%
Antivirus/endpoint security tools                                      78%     71%     75%
A cloud-based security service                                         30%     28%     29%
A service provider                                                     35%     30%     33%
Existing perimeter defense with black lists (i.e., FW, NGFW, SWG)      27%     23%     25%
Don’t know                                                             2%      4%      3%
We don’t use a solution                                                18%     21%     19%
Total                                                                  216%    198%    209%


Q10. Does your organization use DNSSEC to sign its external DNS zones and validate replies for external domains with DNSSEC?
            US      EMEA    Total
Yes         40%     35%     38%
No          54%     54%     54%
Unsure      6%      11%     8%
Total       100%    100%    100%

Q11a. What tools does your organization have to detect and prevent DNS-based data exfiltration? Please select all that apply.
                                           US      EMEA    Total
DNS-based data exfiltration detection      20%     18%     19%
Endpoint security                          42%     38%     40%
Data loss prevention                       38%     43%     40%
Data encryption                            50%     51%     50%
NGFW                                       23%     17%     21%
None                                       12%     10%     11%
Don't know                                 4%      2%      3%
Total                                      189%    179%    185%

Q11b. [If you selected DNS-based data exfiltration detection] What tools is your organization using?
                                        US      EMEA    Total
Infoblox DNS Security/ActiveTrust       13%     12%     13%
CISCO Umbrella                          20%     22%     21%
Akamai                                  13%     12%     13%
Bluecat                                 10%     9%      10%
Other (please specify)                  44%     45%     44%
Don’t know                              0%      0%      0%
Total                                   100%    100%    100%

Part 6. Threat Intelligence

Q12a. Does your organization use a reputational feed to keep up-to-date with malicious domains? Please select all that apply.
                                                                                 US      EMEA    Total
Yes, we use multiple commercial, open-source, government and internal feeds      54%     50%     52%
Yes, we use multiple commercial reputational feeds                               48%     43%     46%
Yes, we use a single commercial reputational feed                                15%     17%     16%
Yes, we use free/open-source blacklist(s)                                        36%     32%     34%
No (skip to Q14a)                                                                32%     27%     30%
Don't know                                                                       3%      1%      2%
Total                                                                            188%    170%    181%


Q12b. [If you selected multiple commercial sources] How many separate threat intelligence feeds does your organization deploy?
                          US      EMEA    Total
2 or 3                    15%     21%     17%
4 or 5                    16%     20%     18%
6 or 7                    23%     28%     25%
8 or 9                    31%     22%     27%
10 or more                15%     9%      13%
Total                     100%    100%    100%
Extrapolated value        7.03    6.20    6.69

Q13. How frequently does your organization get updates for the reputational feed?
                               US      EMEA    Total
Less than 2 hours              15%     5%      11%
Every 2 to 6 hours             17%     12%     15%
Between 6 hours and daily      25%     33%     28%
Once per day                   21%     27%     23%
Once per week                  19%     23%     21%
Don’t know                     3%      0%      2%
Other (please specify)         0%      0%      0%
Total                          100%    100%    100%

Q14a. Does your organization consolidate threat intel from various sources?
            US      EMEA    Total
Yes         49%     40%     45%
No          50%     60%     54%
Unsure      1%      0%      1%
Total       100%    100%    100%

Q14b. If yes, does your organization distribute the consolidated intel to your organization’s security infrastructure (e.g., SIEM, NGFW, SEG, SWG, others)?
                                                                                                                    US      EMEA    Total
Yes, we consolidate threat intel and distribute it to the entire security infrastructure                            31%     27%     29%
Yes, we consolidate threat intel on a TIP platform but can only distribute to a particular vendor’s infrastructure  27%     25%     26%
No, we use different threat feeds in different groups                                                               40%     45%     42%
Don’t know                                                                                                          2%      3%      2%
Total                                                                                                               100%    100%    100%


Part 7. Security Operations

Q15. Does your organization use DNS, DHCP and IPAM (DDI) data to inform your security infrastructure (i.e., endpoint security, NAC, SIEM and vulnerability scanners)?
                                                                                                     US      EMEA    Total
Yes, we automatically share DDI data with multiple security tools                                    24%     19%     22%
Yes, we automatically aggregate the data in one security tool, e.g., SIEM, CLM (centralized log management)  22%     18%     20%
Yes, we do this manually to correlate events within the security ecosystem                           22%     29%     25%
No                                                                                                   30%     34%     32%
Don't know                                                                                           2%      0%      1%
Total                                                                                                100%    100%    100%

Q16a. Does your organization conduct threat investigations?
            US      EMEA    Total
Yes         54%     48%     52%
No          44%     49%     46%
Unsure      2%      3%      2%
Total       100%    100%    100%

Q16b. If yes, how do you investigate threats?
                                                                       US      EMEA    Total
We use Infoblox Dossier                                                12%     10%     11%
An alternate threat investigation tool                                 34%     31%     33%
Network intelligence from Awake Security                               8%      4%      6%
Manually search various sources to obtain information on threats       40%     45%     42%
Other (please specify)                                                 6%      8%      7%
Don’t know                                                             0%      2%      1%
Total                                                                  100%    100%    100%

Please contact [email protected] or call us at 800.887.3118 if you have any questions.

Ponemon Institute Advancing Responsible Information Management

Ponemon Institute is dedicated to independent research and education that advances responsible information and privacy management practices within business and government. Our mission is to conduct high quality, empirical studies on critical issues affecting the management and security of sensitive information about people and organizations. We uphold strict data confidentiality, privacy and ethical research standards. We do not collect any personally identifiable information from individuals (or company identifiable information in our business research). Furthermore, we have strict quality standards to ensure that subjects are not asked extraneous, irrelevant or improper questions.
