November 13, 2023

DNSSense rule-based SIEM integration saves you up to 95% on DNS EPS count (SIEM cost)

Why should DNS logs be collected?

The Domain Name System (DNS) is a centralized system that organisations rely on to convert domain names to IP addresses. It is a critical service: remembering IP addresses instead of URLs, or manually configuring every device in a network larger than a single environment, would take far too much time.

Normally, raw DNS logs are hard to read: they contain a large volume of raw data that is meaningless until it is enriched. This inflates the EPS count and complicates the SOC team's workflow. DNSSense, on the other hand, enriches DNS logs and makes them readable, which simplifies log analysis and shortens SOC operational workflow time.

Domain Info Enrichment

A DNS log essentially contains only the client IP address and the queried domain. Client IP addresses generally change over time, so they are not suitable for retrospective review. Collecting logs with persistent identifiers such as machine name, user name and MAC address, rather than the variable IP address, simplifies analysis. To address this, the DNS log, DHCP log and AD Security log would normally have to be enriched with three-way correlation rules in the SIEM product. DNSSense does this itself: by combining DNS, DHCP and AD Security logs, it joins the source IP address, MAC address and hostname information and forwards the enriched record to the SIEM product.
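As an added illustration (not DNSSense's own code), the three-way correlation described above, run over constructed DHCP lease, AD logon and DNS sample records; the field layouts are assumptions. It shows why the DHCP lease must be matched on time, since the same IP is re-leased to a different machine later in the day.

```python
from datetime import datetime

# Constructed sample records (not real data). Field layouts are assumptions:
# DHCP lease = (ip, mac, hostname, lease_start, lease_end)
# AD logon   = (hostname, user, logon_time), e.g. from Security event 4624
DHCP_LEASES = [
    ("10.0.0.25", "aa:bb:cc:dd:ee:01", "WS-FIN-07", "2023-11-13T08:00:00", "2023-11-13T12:00:00"),
    # the same IP is re-leased to a different machine later the same day
    ("10.0.0.25", "aa:bb:cc:dd:ee:02", "WS-HR-03",  "2023-11-13T12:30:00", "2023-11-13T18:00:00"),
]
AD_LOGONS = [
    ("WS-FIN-07", "alice", "2023-11-13T08:05:00"),
    ("WS-HR-03",  "bob",   "2023-11-13T12:35:00"),
    ("WS-HR-03",  "carol", "2023-11-13T15:00:00"),
]


def _ts(s):
    return datetime.fromisoformat(s)


def enrich_dns_event(client_ip, query_time, domain):
    """Triple correlation: DNS client IP -> DHCP lease valid at query time
    (MAC, hostname) -> most recent AD logon on that host before the query."""
    t = _ts(query_time)
    lease = next((l for l in DHCP_LEASES
                  if l[0] == client_ip and _ts(l[3]) <= t <= _ts(l[4])), None)
    event = {"time": query_time, "client_ip": client_ip, "domain": domain,
             "mac": None, "hostname": None, "user": None}
    if lease is None:
        return event  # no lease covered this IP at that moment: do not guess
    _, event["mac"], event["hostname"], _, _ = lease
    # ISO-8601 strings of the same format sort chronologically
    logons = sorted((lt, u) for h, u, lt in AD_LOGONS
                    if h == event["hostname"] and _ts(lt) <= t)
    if logons:
        event["user"] = logons[-1][1]
    return event
```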

Rule Based SIEM Integration

The DNS log contains information such as the domain's IP address, its country, whether it is safe or not, and whether it is active or passive.

DNSSense collects this information instantaneously from its Cloud environment and can provide current and historical usage information for the domain, for example detailed information such as the number of subdomains.

What is the size of the DNS Log?

When a DNS packet is discussed, the terms DNS request and DNS response come to mind. A DNS request packet's average size, including sub-protocol information, ranges between 40 and 60 bytes. The DNS log rate at a company with 10,000 users can range from 10–15,000 (events per second). What causes it to grow so large? It is the result of the 80–100 queries that are made when you visit any website.

Why are DNS Logs Important?

1- DNS is a service that all protocols use as a common infrastructure, so the DNS log contains information about every service used in the corporate network. For example, you can get information about web traffic only from the proxy server log, and about e-mail traffic only from the e-mail server log; the DNS log contains information on both types of traffic. As a result, analysing the DNS log amounts to processing the entire business network.

2- Malicious traffic without an IP address can only be detected through the DNS log. Examples of domain types that do not have IP addresses:

a. According to Cyber Xray statistics, approximately 85 percent of malware domains do not have an IP address at the moment they are queried. Because there is no IP address, there is no HTTP request and no HTTP log, so analysing the DNS log is the only option.
The screenshot below shows the addresses that users attempt to access even though they have no IP address.

b. DGA domains: domains generated by a specific algorithm seeded from the system clock. They are registered, and receive an IP address, only when the zombie network is commanded. The owner of the zombie army has two main objectives:

i. Preventing security researchers from discovering the command centre connection domains

ii. Activating the zombie army on a schedule

c. DNS tunnelling: DLP products are unable to identify data theft via DNS tunnelling. The only way to recognise DNS tunnelling is to examine the DNS log.

Data Exfiltration Steps

Why is it important to reduce EPS count (SIEM cost)?

EPS counts in local DNS logs are very high. In a network with 10,000 users, for example, the average EPS count varies between 10,000 and 15,000 during the day. When a user opens an ordinary web page (such as a news site), approximately 70–100 DNS log entries are created for that user. If all of these logs are forwarded to the SIEM product, a great deal of meaningless data is sent and the EPS count rises. However, the vast majority of these logs, 90–95 percent, are safe logs that are of no relevance to security teams. Sending them to SIEM does nothing but increase the EPS count.

DNSSense filters safe logs using template rules or custom rules. This integration with the SIEM product reduces the EPS count by 95 percent, cutting the SIEM cost at the same rate.

How to Simplify DNS Logs?

1- Category and Rule-Based integration

Regardless of network differences, access to safe domains (such as cnn.com, bbc.co.uk) accounts for 95–99 percent of DNS logs at institutions. These queries are meaningless in terms of information security, and security analysts have no need to examine them. Filtering out the logs of these safe domains and forwarding only the risky or grey-area domains to SIEM saves both analyst time and EPS count (SIEM cost).

Malware and malicious activity make up a large portion of the remaining DNS traffic. If the safe traffic is not filtered out, SIEM will be unable to collect the logs required for analysis, because SIEM solutions have limited transaction and analysis capacity.

DNSSense's filter-based SIEM module forwards only logs that may indicate a threat, reducing the number of events and the network traffic sent to SIEM. As a result, your security teams receive only meaningful alerts about actions that need to be taken. SIEM licence costs also fall as the number of DNS logs forwarded to SIEM decreases. DNSSense protects you against malicious software while reducing both your workload and your SIEM costs.

DNSSense's AI engines classify domains with an accuracy rate of 99.5%+. Based on this threat database, DNSSense forwards only accurate and precise data to SIEM for SOC teams to analyse.

The following template rules can be applied to the data sent to SIEM:

· Forward only malicious traffic.
· Forward malicious traffic only if it is not blocked by existing security solutions.
· Forward malicious traffic that attempts to access the corporate network.
· Forward queries for domains that the institution has not accessed in the last year and is accessing for the first time.

Besides these template rules, the client can create their own rules; traffic matching those rules is forwarded to SIEM.

Alternatively, all enriched and meaningful DNS data can be forwarded to SIEM.
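As an added example (not DNSSense's code), the four template rules above plus a custom rule, applied to a constructed batch of enriched DNS records; the field names, the "inbound" reading of "attempts to access the corporate network" and the 365-day boundary are assumptions. Each forwarded record is tagged with the rules it matched, and the EPS reduction is computed from what was dropped.

```python
from datetime import date, timedelta

# Constructed sample of enriched DNS records; field names are assumptions,
# not DNSSense's real schema. last_seen=None means never seen before.
TODAY = date(2023, 11, 13)
RECORDS = [
    {"domain": "bbc.co.uk",        "category": "safe",      "blocked": False, "inbound": False, "last_seen": date(2023, 11, 12)},
    {"domain": "cnn.com",          "category": "safe",      "blocked": False, "inbound": False, "last_seen": date(2023, 11, 12)},
    {"domain": "c2-blocked.test",  "category": "malicious", "blocked": True,  "inbound": False, "last_seen": date(2023, 11, 10)},
    {"domain": "c2-open.test",     "category": "malicious", "blocked": False, "inbound": False, "last_seen": date(2023, 11, 13)},
    {"domain": "scanner.test",     "category": "malicious", "blocked": False, "inbound": True,  "last_seen": date(2023, 11, 13)},
    {"domain": "new-vendor.test",  "category": "variable",  "blocked": False, "inbound": False, "last_seen": None},
    # exactly 365 days ago: on the boundary, so NOT treated as first seen
    {"domain": "old-partner.test", "category": "safe",      "blocked": False, "inbound": False, "last_seen": date(2022, 11, 13)},
    {"domain": "google.com",       "category": "safe",      "blocked": False, "inbound": False, "last_seen": date(2023, 11, 13)},
]


def not_seen_in_a_year(rec, today):
    return rec["last_seen"] is None or (today - rec["last_seen"]) > timedelta(days=365)


# The post's template rules, each as a predicate over one enriched record.
TEMPLATE_RULES = {
    "malicious_only":      lambda r, t: r["category"] == "malicious",
    "malicious_unblocked": lambda r, t: r["category"] == "malicious" and not r["blocked"],
    "malicious_inbound":   lambda r, t: r["category"] == "malicious" and r["inbound"],
    "first_seen_year":     not_seen_in_a_year,
}


def select_for_siem(records, enabled, today=TODAY, custom=()):
    """Return the records matching any enabled template rule or custom
    predicate, tagged with the rule names that matched so the analyst
    can see why each event was forwarded."""
    rules = {**{n: TEMPLATE_RULES[n] for n in enabled},
             **{f"custom_{i}": p for i, p in enumerate(custom)}}
    forwarded = []
    for rec in records:
        hits = [name for name, pred in rules.items() if pred(rec, today)]
        if hits:
            forwarded.append({**rec, "matched_rules": hits})
    return forwarded


def eps_reduction_pct(records, forwarded):
    """Share of events dropped before reaching the SIEM, in percent."""
    return round(100 * (1 - len(forwarded) / len(records)), 1)
```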

2- Security Gap Visibility Monitoring Reports

The Security Gap feature identifies the logs that the SOC team should prioritise when analysing detected malicious activity: it reports malicious traffic that the institution's existing security devices cannot detect. Security Gap simulates connectivity to a malicious domain in three ways:

· A DNS query from the existing DNS server

· An HTTP/HTTPS request via the proxy server

· A direct HTTP/HTTPS request from the gateway to reach the malicious domain

3- Domains visited by the institution for the first time

Some DNS requests made over the network may involve domains that are not in DNSSense's threat database. When such a domain is visited for the first time and is absent from the threat database, DNSSense's AI engines place it in the 'Variable' category as a 'First Seen' domain.

AI-based domain scoring and categorisation is the most important feature of this service. The artificial intelligence checks over 850 features (MX record, TTL, domain age, CTI, crawler results, HTTPS, SSL, etc.) using its deep learning capabilities.

Added Values Provided to the Client

A project was initiated to centralise the DNS logs of this organisation (XXBank), which has data centres in several regions of the world, and to integrate them into the ArcSight SIEM product. Collectors running collector software were deployed in all data centres, so logs were collected in AD in each data centre and also collected and reported in the central DNSEye over a secure protocol (e.g., SSL).

According to the rules determined by the XXBank SOC teams, the necessary data was forwarded to the ArcSight SIEM product and an integrated process was established.