DNSEye detects malicious traffic on your network and reports whether that traffic would be blocked by your other security devices.
What is the “Security Gap” feature?
The “Security Gap” feature reports malicious traffic that the existing security devices (UTM firewall, proxy, DNS firewall, etc.) fail to detect or block.
Security Gap simulates a connection to a malicious domain and tests the network's security along three different paths:
1- A DNS query sent through the existing DNS server
2- An HTTP/HTTPS request sent via the proxy server
3- A direct HTTP/HTTPS connection to the malicious domain through the gateway
The DNSEye VM appliance in your network sends a simulated malicious connection request to DNSSense's cloud-based simulation service, tagging the request with specific metadata. The verdict depends on whether that metadata reaches the service:
Security Gap = Blocked: the malicious traffic has been blocked. If DNSSense's simulation service does not receive the metadata, the simulated connection was stopped by one of the existing security devices; it is reported as a blocked attack together with information on the device (proxy or UTM) that blocked it.
If the simulation service does receive the metadata, the request reached the Internet without being stopped, and the domain is reported as a security gap in the existing controls.
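The following is an added example (not DNSEye or DNSSense code) of the probe logic described above: a per-probe metadata token is sent along each of the three paths, and the verdict is taken from whether the simulation service actually logged the token, not from what the client saw. The test domain, simulation-service URL and proxy address are assumptions; the service-side lookup is stubbed with a set so the example runs offline.

```python
"""Security-gap style probe: send a tagged request for a test domain by three
paths (resolver, proxy, gateway) and decide, from what the simulation service
actually received, which control blocked it.  Added example, not DNSSense code."""
import socket
import urllib.error
import urllib.request
import uuid
from dataclasses import dataclass

# Assumptions: a hypothetical test domain, a simulation-service URL under it,
# and the address of the corporate proxy.  None of these are DNSSense's.
TEST_DOMAIN = "malicious-test.example"
SIM_URL = f"http://{TEST_DOMAIN}/probe"
PROXY = "http://proxy.corp.example:3128"

BLOCKER = {
    "dns": "DNS firewall / resolver RPZ",
    "proxy": "proxy",
    "direct": "gateway / UTM firewall",
}


@dataclass
class Probe:
    vector: str       # "dns", "proxy" or "direct"
    token: str        # metadata tag the simulation service should see
    answer: str = ""  # what the client saw (DNS answer or HTTP status)
    error: str = ""   # client-side failure (NXDOMAIN, connection refused, ...)


def new_token():
    return uuid.uuid4().hex


def dns_probe(resolve=socket.gethostbyname, token=None):
    """1) Query through the existing resolver.  The token is a label in the
    name, so a cached answer can never mask the result and the authoritative
    server (the simulation service) sees exactly which probe reached it."""
    token = token or new_token()
    try:
        return Probe("dns", token, answer=resolve(f"{token}.{TEST_DOMAIN}"))
    except OSError as e:  # socket.gaierror: NXDOMAIN, SERVFAIL, timeout
        return Probe("dns", token, error=str(e))


def _urllib_fetch(url, proxy):
    """Real transport: returns the HTTP status; raises on connection failure."""
    handler = urllib.request.ProxyHandler({"http": proxy, "https": proxy} if proxy else {})
    opener = urllib.request.build_opener(handler)
    try:
        with opener.open(url, timeout=5) as resp:
            return resp.status
    except urllib.error.HTTPError as e:  # a proxy/UTM block page still has a status
        return e.code


def http_probe(vector, fetch=_urllib_fetch, token=None):
    """2) HTTP via the proxy, or 3) direct HTTP through the gateway."""
    token = token or new_token()
    try:
        status = fetch(f"{SIM_URL}?token={token}", PROXY if vector == "proxy" else None)
        return Probe(vector, token, answer=str(status))
    except OSError as e:  # URLError is an OSError: refused, reset, timeout
        return Probe(vector, token, error=str(e))


def verdict(probe, lookup):
    """lookup(token) -> bool asks the simulation service whether it logged the
    token (an API call in practice; a set lookup in tests).  If it did, every
    control on that path let the request through: a gap.  If it did not,
    something on that path stopped it, whatever the client observed."""
    if lookup(probe.token):
        return "gap"
    return f"blocked by {BLOCKER[probe.vector]}"


def run_all(lookup, resolve=socket.gethostbyname, fetch=_urllib_fetch):
    """Run all three probes and return {vector: verdict}."""
    probes = [dns_probe(resolve), http_probe("proxy", fetch), http_probe("direct", fetch)]
    return {p.vector: verdict(p, lookup) for p in probes}
```

Deciding server-side matters: a resolver that sinkholes the name still hands the client an IP address, and a proxy block page still returns an HTTP status, so a client-only check would misread both as success. Only the absence of the token at the service proves the path was closed.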
What are the advantages of your smart SIEM integration?
Instead of forwarding all DNS data to the SIEM, we forward only the queries for malicious domains, enriched with the real user and the originating machine. This reduces the number of correlation rules the SIEM has to run and cuts the EPS (events per second) it ingests by 95%+, which significantly reduces the licence cost of the SIEM product.
Which SIEM products do you provide integration with?
In addition to our direct integrations with products such as IBM QRadar, ArcSight and Splunk, we also integrate with any SIEM product that accepts data in syslog format.
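As an added illustration of the smart SIEM integration and the syslog hand-off described in the two answers above (example code, not DNSEye's own), the filter below reads BIND-style query-log lines, keeps only queries whose name falls under a threat-list domain, enriches each with the user and device behind the client IP, and emits RFC 5424-style syslog lines. The log lines, threat list and IP-to-user mapping are constructed for the example; the structured-data element name "dnsAlert" is likewise an assumption.

```python
"""Forward only DNS queries for known-malicious domains to the SIEM, enriched
with the user and device behind the client IP.  Added example; not DNSSense code."""
import re
from datetime import datetime, timezone

# --- constructed inputs ----------------------------------------------------
THREAT_DOMAINS = {"bad.example", "c2.example"}   # threat-intel list (constructed)
CLIENT_MAP = {                                    # what DHCP/AD correlation yields
    "10.0.5.21": ("alice", "LAPTOP-ALICE"),
    "10.0.5.40": ("svc-backup", "BKP01"),
}
# BIND-style query log, constructed for the example (last line is not a query)
SAMPLE_LOG = """\
01-Mar-2024 10:00:00.101 client 10.0.5.21#53211 (www.example): query: www.example IN A + (10.0.0.53)
01-Mar-2024 10:00:01.220 client 10.0.5.21#53212 (bad.example): query: bad.example IN A + (10.0.0.53)
01-Mar-2024 10:00:01.900 client 10.0.5.40#41000 (update.example): query: update.example IN AAAA + (10.0.0.53)
01-Mar-2024 10:00:02.050 client 10.0.5.40#41001 (beacon.c2.example): query: beacon.c2.example IN TXT + (10.0.0.53)
01-Mar-2024 10:00:02.300 client 10.0.5.99#50000 (bad.example.com): query: bad.example.com IN A + (10.0.0.53)
01-Mar-2024 10:00:03.000 zone refresh: corp.example/IN: refresh in progress
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+ \S+) client (?P<ip>[0-9.]+)#\d+ \(\S+\): query: (?P<qname>\S+) IN (?P<qtype>\S+)"
)


def parse_line(line):
    """Return the fields of one query-log line, or None for non-query lines."""
    m = LINE_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["qname"] = rec["qname"].rstrip(".").lower()
    return rec


def matched_threat(qname):
    """Label-aware suffix match: 'a.bad.example' hits 'bad.example', but
    'bad.example.com' does not (a plain string endswith() would get that wrong)."""
    labels = qname.split(".")
    for i in range(len(labels)):
        candidate = ".".join(labels[i:])
        if candidate in THREAT_DOMAINS:
            return candidate
    return None


def to_syslog(ev):
    """RFC 5424-style message; <132> = facility local0 (16*8) + severity warning (4).
    The enrichment rides in a structured-data element the SIEM can parse directly."""
    ts = datetime.strptime(ev["ts"], "%d-%b-%Y %H:%M:%S.%f").replace(tzinfo=timezone.utc)
    sd = (f'[dnsAlert user="{ev["user"]}" host="{ev["device"]}" src="{ev["ip"]}" '
          f'qname="{ev["qname"]}" qtype="{ev["qtype"]}" threat="{ev["threat"]}"]')
    return f"<132>1 {ts.isoformat()} dns-collector dnsfilter - - {sd} malicious DNS query"


def filter_log(log_text):
    """Parse, filter, enrich; return what would go to the SIEM plus the EPS saving."""
    total = 0
    events = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        total += 1
        threat = matched_threat(rec["qname"])
        if threat is None:
            continue  # benign query: stays on the collector, costs no SIEM EPS
        user, device = CLIENT_MAP.get(rec["ip"], ("unknown", "unknown"))
        rec.update(user=user, device=device, threat=threat)
        events.append(to_syslog(rec))
    reduction = 100.0 * (total - len(events)) / total if total else 0.0
    return {"total": total, "forwarded": len(events),
            "reduction_pct": reduction, "events": events}


if __name__ == "__main__":
    result = filter_log(SAMPLE_LOG)
    print(f"{result['forwarded']}/{result['total']} queries forwarded "
          f"({result['reduction_pct']:.0f}% fewer events)")
    for line in result["events"]:
        print(line)
```

On this five-query sample the saving is only 60%; on real resolver traffic, where queries for listed domains are a tiny fraction of the total, the same filter is what produces the 95%+ figure quoted above. The IP-to-user mapping has to be taken at the time of the query, for the reason given under "Why is DNS visibility important?" below.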
Which DNS products do you read with “DNSEye”?
Microsoft DNS Server, BIND on Linux, F5, Citrix NetScaler, EfficientIP, BlueCat and other common DNS server types.
Why is DNS visibility important?
DNS-level protection can block an attack, but on its own it cannot identify the machine that generated the malicious query: a DNS firewall placed in front of an internal recursive resolver sees the resolver's address rather than the client's, and even where a client IP is logged, DHCP-assigned addresses change over time, so an IP recorded at block time cannot reliably be traced back to a host later. The DNS data therefore has to be enriched, continuously and at query time, with the identity of the computer and user behind each address. DNS visibility gives you the device and user behind the related DNS queries, and that is exactly the information a SOC team needs to act on an alert.