Having more than two decades of leadership experience with cutting-edge cyber security technology, Coleman discusses the way the firm's product portfolio allows security professionals to gain an understanding of the overall threat landscape, the threats specific to a customer's public infrastructure, and the risks exposed by third-party relationships. He highlights that the firm's architecture and product portfolio address the full scope required to collect mass Internet intelligence and threat data, and to aggregate, correlate, and manage that information. To mitigate threats, their solutions then deliver that information into network defense solutions, specifically DNS Defender, which is critical not only to protecting an infrastructure from DDoS attacks but also to blocking communication with known malicious command and control servers.
The First Line of Defense
In the industry, it's often said that you can't stop threats if you don't have visibility of the threat landscape, including the potential risks posed by your third parties. With their outside-in perspective of the Internet and associated threats, LookingGlass has seen how the threat landscape has continued to evolve. Let's take a look at LookingGlass' threat intelligence-driven solutions to understand how they can provide cyber security advantages.
As a global botnet monitoring system, LookingGlass' Virus Tracker works by reverse engineering malware and identifying the Internet domains that the malware attempts to contact and communicate with. "By registering those domains before the malware authors can, or by re-registering domains after they have expired, Virus Tracker is able to masquerade as the command and control servers that control the malware communication channels," says Coleman. This information is not only collected and aggregated by their flagship ScoutVision platform but can also be ingested in a machine-readable format by their DNS Defender application to shut down command and control connections, as well as to protect the customer's DNS infrastructure from malformed DNS requests and DDoS attacks against that same infrastructure. How concerning is the malware problem? Since Virus Tracker identifies more than three million new unique malware infections per day, we'd say the malware problem is very serious.
The threat intelligence ingested into ScoutVision is layered on top of continuous monitoring and assessment of Internet intelligence risks and activity for enhanced threat visibility and understanding. ScoutVision's back-end system continuously monitors the Internet and the public-facing, advertised network space of customers, their trusted third-party suppliers, and their industry peers. This outside-in perspective allows ScoutVision to identify how networks may be attacked and to deliver early warning and notification of attacks targeting LookingGlass customers and their peer organizations.
It's important to understand how threats are impacting an organization, so to operationalize intelligence, ScoutInterXect correlates network telemetry inside the organization with global threat indicators and Internet intelligence. By getting a complete view of how corporate-owned assets are interacting, both historically and in real time, with threats and threat actors located beyond an organization's perimeter, incident responders and forensic investigators gain a critical outside-in perspective.
Threat Mitigation: Taking Action to Secure the Network
Over 90 percent of DDoS attacks target DNS and the Internet's DNS servers, which can result in significant loss of connectivity. DNS servers operate on well-known ports that are always kept open to respond to devices attempting to resolve domains, making them an extremely easy target.
LookingGlass addresses DDoS attacks and malware with two solutions. DNS Defender is a DNS-protocol-specific caching, load-balancing, and DNS firewall solution; by inserting DNS Defender in front of their DNS infrastructure, organizations can effectively mitigate DNS DDoS attacks.
During a 2013 DDoS attack, a telecommunications and Internet service provider decided to install DNS Defender in their data center.
The Dynamic Threat Defense solution integrates DNS Defender with ScoutVision to prevent the first contact between a spear phishing email or a malware-infected host and the command and control server located on the Internet by eliminating the DNS resolution. With automated threat detection via ScoutVision, organizations are able to migrate from a manual rules-provisioning process to comprehensive, automated threat mitigation for thousands of rules without administrator involvement.
The firm's Dynamic Threat Defense (DTD) solution stops malware outbreaks, spear phishing attacks, and drive-by downloads by integrating ScoutVision's machine-readable threat intelligence (MRTI) with the protocol-specific DNS firewall as an integrated network security solution. The DTD solution offers granular policy enforcement with malicious domain tagging, blocking, URL redirection, and logging, complete with an integrated suite of DNS management and analytic tools. DTD delivers superior protection while overcoming the cumbersome integration challenges of multi-vendor mitigation solutions based on traditional firewalls.
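To make the DNS-firewall policy model concrete, here is an added example (not LookingGlass code and not the DNS Defender or ScoutVision implementation) of how a resolver-side policy engine turns a machine-readable threat feed into the tag, block, and redirect actions described above, logging every hit. The feed entries, the confidence thresholds, and the sinkhole address are all constructed assumptions for the example; a real deployment would consume a feed such as OpenTPX and answer from the resolver itself.

```python
"""Illustrative DNS firewall policy engine (added example, not vendor code).

A threat feed (constructed, in memory) is compiled into per-domain rules.
Each query name is matched against the rules, subdomains inherit the apex
policy, and the verdict is one of:
  TAG      - resolve normally but mark the query for monitoring
  BLOCK    - answer NXDOMAIN so the C2 / phishing connection never starts
  REDIRECT - answer with a sinkhole address (landing page or monitoring host)
Every policy hit is appended to a log list for the SOC.
"""
from dataclasses import dataclass
from enum import Enum
from typing import Dict, List, Optional


class Action(Enum):
    TAG = "tag"
    BLOCK = "block"
    REDIRECT = "redirect"


@dataclass(frozen=True)
class PolicyRule:
    domain: str      # apex domain covered by the rule (subdomains included)
    action: Action
    score: int       # feed confidence 0-100 (constructed scale)
    reason: str      # feed category, e.g. "c2" or "phishing"


@dataclass
class Verdict:
    qname: str
    action: Optional[Action]   # None means no rule matched
    answer: Optional[str]      # None means NXDOMAIN
    rule: Optional[PolicyRule]


# RFC 5737 documentation address used as a placeholder sinkhole.
SINKHOLE_IP = "192.0.2.1"

# Constructed sample feed, shaped loosely like an MRTI export; the domains
# use the reserved ".invalid" TLD so they can never resolve for real.
SAMPLE_FEED = [
    {"domain": "c2-example.invalid", "score": 95, "category": "c2"},
    {"domain": "phish-example.invalid", "score": 80, "category": "phishing"},
    {"domain": "suspect-example.invalid", "score": 40, "category": "suspicious"},
]


def build_policy(feed, block_threshold=90, redirect_threshold=70) -> Dict[str, PolicyRule]:
    """Map feed confidence to an action. Thresholds are assumptions."""
    rules: Dict[str, PolicyRule] = {}
    for entry in feed:
        score = entry["score"]
        if score >= block_threshold:
            action = Action.BLOCK
        elif score >= redirect_threshold:
            action = Action.REDIRECT
        else:
            action = Action.TAG
        domain = entry["domain"].lower().rstrip(".")
        rules[domain] = PolicyRule(domain, action, score, entry["category"])
    return rules


def match_rule(rules: Dict[str, PolicyRule], qname: str) -> Optional[PolicyRule]:
    """Walk from the full query name up to its apex so subdomains inherit policy."""
    labels = qname.lower().rstrip(".").split(".")
    for i in range(len(labels)):
        candidate = ".".join(labels[i:])
        if candidate in rules:
            return rules[candidate]
    return None


def evaluate(rules: Dict[str, PolicyRule], qname: str, resolved_ip: str,
             log: List[str]) -> Verdict:
    """Apply policy to one query; `resolved_ip` is what upstream DNS returned."""
    rule = match_rule(rules, qname)
    if rule is None:
        return Verdict(qname, None, resolved_ip, None)
    if rule.action is Action.BLOCK:
        answer = None                 # NXDOMAIN: no first contact
    elif rule.action is Action.REDIRECT:
        answer = SINKHOLE_IP          # steer the client to the sinkhole
    else:
        answer = resolved_ip          # TAG: allow, but record it
    log.append(f"policy_hit qname={qname} rule={rule.domain} "
               f"action={rule.action.value} score={rule.score} reason={rule.reason}")
    return Verdict(qname, rule.action, answer, rule)


if __name__ == "__main__":
    hits: List[str] = []
    policy = build_policy(SAMPLE_FEED)
    for name, upstream in [("update.c2-example.invalid.", "203.0.113.5"),
                           ("phish-example.invalid", "203.0.113.6"),
                           ("www.suspect-example.invalid", "203.0.113.7"),
                           ("example.com", "203.0.113.8")]:
        v = evaluate(policy, name, upstream, hits)
        print(name, "->", v.action.value if v.action else "allow", v.answer)
    print("\n".join(hits))
```

The thresholds are the knob that turns a score-based feed into the "thousands of rules without administrator involvement" behaviour: raising the feed's score past the block threshold changes the resolver's answer on the next query without anyone editing a rule by hand.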
The Edge
Offering both cloud-based and on-premises solutions, LookingGlass extends its global sales, marketing, and professional services capabilities through its experienced and valued channel and system integration partners. Through its ScoutConnected Partner Program, the company enables partners to integrate complementary security capabilities with the ScoutVision platform. ScoutConnected provides the technical interfaces based on OpenTPX (API, structure, and schema) and the training to enable third-party threat and Internet intelligence to be ingested into or exported out of ScoutVision. A LookingGlass contribution to the open source community, OpenTPX is a comprehensive framework for sharing machine-readable threat intelligence, combining network security operations data with threat intelligence, analysis, and scoring data at Internet performance and scale. The threat data is then processed and prioritized to create actionable threat intelligence that customers can use directly or feed into other security information and event management tools or network appliances.
LookingGlass' public and private partnerships enable exclusive access to some of the largest DDoS sensor networks in the world, which is useful in identifying ongoing DDoS attacks. This Threat Intelligence Analysis and Management, coupled with Dynamic Threat Defense, continues to bring critical advantages to multiple sectors such as financial services, healthcare, government, and telecommunications.
“Our mission is to deliver the most advanced and comprehensive threat intelligence driven solutions so security teams have the best chance of finding and mitigating threats early before they do damage,” affirms Coleman.