DDI Enriches Cyberthreat Intelligence

Continual vigilance of network events is an absolute necessity for network and security engineers to protect against ever evolving cyberthreats. Sensitive data thefts, disruptive denial of service attacks, service outages due to human error, ransomware and other related events are examples of cybersecurity incidents. These incidents are the manifestations of cyberthreats that affect your network, data, and compute infrastructure, whether in your data centers, remote sites, cloud, or IoT spots, and can impact your organization’s business, operations, and reputation.

The impacts to business are widely acknowledged and have spurred the US Securities and Exchange Commission (SEC) to issue new rules around cybersecurity reporting by public companies to protect investors. The new rules mandate the reporting not only of observed cybersecurity incidents and respective impacts but the disclosure of proactive processes for assessing, identifying, and managing material risks from cybersecurity threats.

Several frameworks and standards are available to help organizations formulate plans and procedures to reduce risks of cyberthreats, and we’ve published several white papers regarding the DDI implications for many of these including the NIST Cybersecurity Framework (CSF), Zero Trust, MITRE’s ATT&CK, and ISO 27001. Common procedures of these helpful references include the monitoring and detection of cybersecurity events; after all, if you’re not watching, you may miss something. Cybersecurity practitioners often assess input from multiple sources in order to distinguish an anomaly or misconfiguration from a cybersecurity incident. The use of multiple sources that include observations of an event from multiple perspectives enables more thorough analysis and event classification.

Visibility to and inclusion of DHCP, DNS, and IPAM (DDI) data within your cybersecurity event investigations can prove indispensable in identifying cybersecurity incidents outright or in corroborating complementary observations from other systems. All network transactions typically begin with a DNS query, so detecting queries issued to known malware DNS servers or for domain names of ill-repute can indicate potential malware infection of the querying device.

Clearly, having ready access to DDI transaction details is critical not only to investigating cybersecurity incidents, but is instrumental for auditing network activities and verifying network changes such as IP address changes. Cygna Labs provides such access with tracking of real-time and historical DHCP and DNS transaction data. Our Cygna DDI Guard solution provides high performance, scalable DHCP/DNS transaction auditing, reporting, and archiving. Cygna DDI Guard also enables the filtering of DHCP and DNS packet information that can be forwarded to third-party SIEM systems and for alerting. Filtering of SIEM data can provide substantial cost savings through ingest data volume reduction and it filters our unremarkable data.

Cygna Labs offers several products and services that can assist with bolstering your defenses against current and evolving cyberthreats. From extensive DNS security features such as DNS firewalls and DNS tunnel detection, to tracking of DDI administration events, DHCP and DNS packet capture and archiving, and our managed DDI services. Our solutions couple world-class DDI features and functions with advanced DDI security capabilities to maximize the benefits of your DDI investment.