Bits and bytes in intelligence: Umbrella from OpenDNS
Bits and bytes in intelligence: Umbrella from OpenDNS

In our other First Look this month we talk about the soft side of cyber intelligence. Our review for that was Silobreaker. Now we turn to the hard side of the equation: the bits and bytes. This is the aspect that helps us determine if addresses and domains are hosting attacks, malware or phishing. As one might expect, gathering that type of information needs sensors and, to be effective, lots of sensors. There are three generic ways to access/place sensors.

First, one can rely on data delivered either directly (from an appliance or software installation) from tools that customers have placed on their networks. This might include gateways, IDS/IPS or firewalls. These devices report back to the vendor who aggregates the data and correlates the information.


Product Umbrella

Company OpenDNS 

Price Starts at $42/user (volume discounts apply); includes Investigate user interface. 

What it does Cloud-based network security service. 

What we liked Ease of use, easy and comprehensive configurability, in-depth drilldown and reporting, solid network security and, with Investigate, an excellent intelligence resource. 

What we didn't like This is a first-rate enhancement of a venerable service and we found nothing in it not to like – as would be expected with the service's pedigree.

Second, one can place analysis tools in the cloud where all of the data one needs converges. This is a variant of the first, but all of the action actually takes place in the cloud. The on-premise devices simply collect data and ship it to the vendor's cloud for further action.

Finally, for further analysis you can place honeypots strategically around the world and have them report back to a central location, locally or in the cloud. OpenDNS is a sort of a hybrid of the first two, but it is unique in that it is not an appliance. Open DNS started as a free DNS server source (and it still has some free services). What makes OpenDNS so useful from a security perspective, though, is that when you use it as your DNS you actually provide a mechanism to avoid such attacks as DNS cache poisoning. Attacks against other DNS servers that result in malicious redirection simply do not work with OpenDNS.

The current commercial incarnation is called Umbrella and it is a superb combination of network security and intelligence gathering. The idea behind Umbrella is that all of the devices in the enterprises point to the OpenDNS name servers. These servers are managed for security, gather extensive intelligence about reputation and mix the whole thing together in a complete network security offering. Everything in the enterprise today has a link to some level of regulatory control and with the reports generated by Umbrella you have what you need in that regard.

But, stuff happens and it is possible for an attack to get past all protections and impact a device on your enterprise. Even with Umbrella this is a possibility, however remote. When all else fails, the most important steps are remediation and Umbrella helps in that regard as well. An infected device is easier to pinpoint and repair with Umbrella because the system is watching constantly and picks out anomalous behavior. This can be seen easily from the Umbrella dashboard with excellent drilldown for details.

Filtering is accomplished by configuring policies in much the same familiar way as policies on typical gateways are configured. Administrators have a wide variety of options, including such capabilities as bypassing blocks on a case basis with a block bypass code, analyzing the overall activity on the network over selected time periods to identify patterns, and using the tool's Investigate feature to dig more deeply into particular suspect addresses and domains.