Critical Infrastructure Security

Bits and bytes in intelligence: Umbrella from OpenDNS

In our other First Look this month we talk about the soft side of cyber intelligence. Our review for that was Silobreaker. Now we turn to the hard side of the equation: the bits and bytes. This is the aspect that helps us determine if addresses and domains are hosting attacks, malware or phishing. As one might expect, gathering that type of information needs sensors and, to be effective, lots of sensors. There are three generic ways to access/place sensors.

First, one can rely on data delivered either directly (from an appliance or software installation) from tools that customers have placed on their networks. This might include gateways, IDS/IPS or firewalls. These devices report back to the vendor who aggregates the data and correlates the information.


Product Umbrella

Company OpenDNS 

Price Starts at $42/user (volume discounts apply); includes Investigate user interface. 

What it does Cloud-based network security service. 

What we liked Ease of use, easy and comprehensive configurability, in-depth drilldown and reporting, solid network security and, with Investigate, an excellent intelligence resource. 

What we didn't like This is a first-rate enhancement of a venerable service and we found nothing in it not to like – as would be expected with the service's pedigree.

Second, one can place analysis tools in the cloud where all of the data one needs converges. This is a variant of the first, but all of the action actually takes place in the cloud. The on-premise devices simply collect data and ship it to the vendor's cloud for further action.

Finally, for further analysis you can place honeypots strategically around the world and have them report back to a central location, locally or in the cloud. OpenDNS is a sort of a hybrid of the first two, but it is unique in that it is not an appliance. Open DNS started as a free DNS server source (and it still has some free services). What makes OpenDNS so useful from a security perspective, though, is that when you use it as your DNS you actually provide a mechanism to avoid such attacks as DNS cache poisoning. Attacks against other DNS servers that result in malicious redirection simply do not work with OpenDNS.

The current commercial incarnation is called Umbrella and it is a superb combination of network security and intelligence gathering. The idea behind Umbrella is that all of the devices in the enterprises point to the OpenDNS name servers. These servers are managed for security, gather extensive intelligence about reputation and mix the whole thing together in a complete network security offering. Everything in the enterprise today has a link to some level of regulatory control and with the reports generated by Umbrella you have what you need in that regard.

But, stuff happens and it is possible for an attack to get past all protections and impact a device on your enterprise. Even with Umbrella this is a possibility, however remote. When all else fails, the most important steps are remediation and Umbrella helps in that regard as well. An infected device is easier to pinpoint and repair with Umbrella because the system is watching constantly and picks out anomalous behavior. This can be seen easily from the Umbrella dashboard with excellent drilldown for details.

Filtering is accomplished by configuring policies in much the same familiar way as policies on typical gateways are configured. Administrators have a wide variety of options, including such capabilities as bypassing blocks on a case basis with a block bypass code, analyzing the overall activity on the network over selected time periods to identify patterns, and using the tool's Investigate feature to dig more deeply into particular suspect addresses and domains.

Investigate, a core piece of Umbrella, is a serious tool for intelligence gathering and analysis even while being simple to use. Entering an address or domain gets all information associated with malicious behavior, if applicable, associated with the target. There is easily enough information associated with a malicious domain or address to proactively protect the network. Once the associated domains are identified they can be blacklisted locally. Once given an address, the domains that the address hosts can be identified and the process can be iterated to identify potential threats.

Overall, this is an attractively priced solution to unintended access to malicious internet resources. It gives administrators a lot of control, plenty of reporting for regulatory purposes and effective drilldowns and intelligence-gathering functionality. There is no point in gathering intelligence if it is not actionable. Umbrella – with Investigate – provides direct protection for the network, plus it offers tools to help take proactive or reactive action regarding network-borne threats.

We liked this tool a lot. Having protection and analysis all in the same solution is useful – especially when the data that enables the tool is being updated constantly. Reliability? The company boasts 100 percent uptime since it began back in 2006. That's a boast not many companies can make. There are more than 50 million active daily users and with 50 billion requests per day OpenDNS gathers a lot of data. All of that data tunes the product continually. From a largely free DNS offering to one of the most powerful network security tools available is an impressive journey. 

Get daily email updates

SC Media's daily must-read of the most current and pressing daily news

By clicking the Subscribe button below, you agree to SC Media Terms and Conditions and Privacy Policy.