DNSEye’s contribution to SOC operations and assistance to SOC teams
What are the benefits of using DNSEye for SOC teams?
1) Saving time thanks to enriched data
DNSEye filters, enriches, and makes DNS logs understandable for various SOC operations, and especially SOC teams, so that they can take more precise measures in the key areas of security at a much faster pace.
By default, when SOC teams get suspicious of any type of malicious traffic and try to carry out a traffic analysis at the DNS layer, the only information they will get from Microsoft DNS logs will be the source IP addresses and hostnames. DNS logs only contain the client’s IP address, i.e. source IP, and the queried domain name and IP address. However, client IP addresses are generally dynamic, meaning they are not suitable for any type of analysis intended for past activities. DNSEye facilitates analyses of this kind by logging information such as device name, user data, and MAC address.
DNSEye matches data regarding the source IP, real-time traffic, user and hostname(s) at issue and forwards them to SOC teams, saving them precious time to generate these data.
2) Presenting only risky DNS traffic
DNSEye’s advanced AI-power dynamic threat database categorises all DNS queries in real time by taking over 850 criteria into account. This allows SOC teams to only analyse traffic that pose a threat in terms of end-user/network security such as malware, viruses, botnets, ransomware, and phishing. Secure traffic such as news, technology, and business domains will not be forwarded to SOC teams.
Since secure traffic represents 90% of a network’s traffic, SOC teams do not need to analyse, compare and distinguish malicious traffic from among a huge number of logs. As a result, this time-wasting process for SOC teams will be eliminated thanks to DNSEye’s advanced filtration system.
3) Identifying the degree of urgency
DNSEye’s “Security Gap” module will specify which traffic should be prioritised. First and foremost, it prioritises traffic analytics associated with domain queries undetected by the existing security assets in the network. In other words, malicious traffic that have gone unnoticed by other security assets of your company will be presented to SOC teams.
DNSEye regulates DNS logs to be examined by SOC teams depending on their level of urgency. Imagine the CEO of a company has clicked on a phishing link, creating a potential risk for loss of passwords and/or crucial files belonging to him/her. Assuming the failure of the existing security assets in the network to detect this phishing activity, DNSEye will regard this as the top critical security concern that needs to be addressed by the SOC team, generating a report indicating this matter.
Why do SOC teams need to analyse DNS logs?
83% of IP addresses that generate malicious traffic cannot be resolved immediately owing to the fact that they do not carry an actual IP address. At the same time, malicious traffic generated by infected devices such as botnets and DNS tunneling attacks, which may be used for crypto mining and data theft, cannot be detected in the “Application Layer” since they do not contain an IP address. This renders traditional security assets such as firewalls and proxy servers ineffective, and it’s where DNS log analysis come into play as the only method to track down this type of malicious traffic; thus, serving a crucial role in providing vital information for precise and immediate action.
