(Editor’s Note: This post originally appeared on infoblox.com.)
Today, I am delighted to have a chance to speak about a topic that’s really interesting to me – how Infoblox plays into a security ecosystem. Traditionally, Infoblox is thought of as a DNS, DHCP and IP Address Management, It’s also been thought of as a DDI vendor or a tool for network automation, but, increasingly, DNS has been the chosen attack vector or leading indicator of compromise.
When we started the project to create an ecosystem, our goal was not to put logos on a page but to be able to tell some interesting stories that helped real people solve real-world problems. Our integration with Carbon Black is an important cornerstone in this process. We have approached each partnership with the idea that everything we add to our ecosystem should enhance the customers’ ability to respond to threats, understand threats, or prevent them in some one-plus-one equals three sort of manner.
One of our goals was to become to security, what we are to network; an automation company (security automation), to save human’s time. Time is the most critical factor in incident response, after or before compromise.
To aid the goal, Infoblox, the industry leader in DDI services, teamed up with Carbon Black, which offers a leading next-generation endpoint solution, to extend our network visibility and intelligence to the endpoint. The idea was to allow an incident response vision that connected rich data to the incident response (IR) operator.
Ben Johnson, Bit9+Carbon Black’s chief security strategist, said:
“Integration and automation are must-haves in today’s cyber defense. With security events and alerts exploding in volume and adversaries moving with greater speed and precision, integrations like Infoblox with Carbon Black can help security teams be more agile — to detect, respond, and recover faster from intrusions and compromise.”
Looking at the ecosystem from the perspective of security automation gives us the challenge of giving humans more time. The idea is to help move away from a model that puts pressure on people to respond, to a model where systems work together intelligently to either automate processes completely or provide humans with rich data and rapid decision process.
With that in mind let’s take a look at how the integration works.
Step 1: Infoblox identifies a DNS lookup to a malicious domain.
This reputation information can be populated by Infoblox’s own threat intelligence feed, by a connector to another ecosystem partner (like FireEye), or a user populated Response Policy Zone (RPZ).
Step 2: Infoblox conveys that alert to the Carbon Black server.
Step 3: Carbon Black correlates the network information sent from Infoblox with its own intelligence gathered from the endpoint and allows (via live response) action to be taken on the endpoint.
This integration helps close the loop between network threat detection and endpoint enforcement. To read more about this, check out this solution brief.