OpenDNS buy is feeding security insights to Cisco's threat-intelligence efforts

Visibility of online activities paints clearer picture of changing threat climate

Nearly a year after it was acquired by networking colossus Cisco, OpenDNS is providing a wealth of information about online security risks and user habits that is informing Cisco's threat analytics and remediation work around the world.

That information is being collected and analysed on an ongoing basis as the company leverages the ongoing activities of more than 65 million users of OpenDNS – an alternative DNS infrastructure, acquired by Cisco in August 2015, that provides usage monitoring, security scanning and other features that help businesses tighten control over their Internet usage.

“OpenDNS is proving to be a very straightforward, zero-touch deployment that can be done in a minute and gives organisations an enormous level of visibility about where their users are connecting to while protecting them from connecting to places they shouldn't,” Cisco ANZ general manager of security sales Anthony Stitt recently told CSO Australia.

“We see about 2 percent of all Internet traffic through OpenDNS, and the level of threat awareness and visibility that we get out of such a huge customer base is very, very good. Because of this, we have an amazing level of visibility into what 'bad' looks like.”

In the current security climate – in which Australian users are clicking on malicious URLs millions of times per month – that high level of visibility has helped shape security policies based on real-world examples of malicious files buried within file download streams. Among other information that Cisco's security team collects, downloadable software samples have proven to have great predictive value: whenever the team is presented with a new file that it hasn't seen before, odds are that it is a new strain of malware.

“We've discovered that low-prevalence files, that we've seen maybe 5 to 10 times or fewer, are 100 times more likely to be malware,” Stitt explained. “We place a much more fine-grained lens over low-prevalence files than things that we have seen thousands of times before, because those things are typically things that we know about – the normal applications and services that organisations run.” As well as informing Cisco's ongoing work in threat detection, the expanding security infrastructure is paving the way for more proactive use of new technologies to improve customers' overall security posture.

OpenDNS founder and CEO David Ulevitch last year called Cisco's acquisition of OpenDNS 'a new day in cloud security', highlighting the importance of better network visibility in driving companies' transition to the cloud.

This mission is facilitated by the vision of Cisco, which has been a staunch proponent of software-defined networking (SDN) models and is using its experience in threat intelligence to help shape SDN policies designed to help enforce security at the network level. Software-defined network segmentation, which becomes both implementable and enforceable within SDN environments, is proving to be a highly useful way of cordoning off 'zones of trust' across organisational networks, Stitt said, with virtual workloads easily transported across zones to help protect them. “Security is one of the primary use cases for networking,” Stitt said, “because it solves a number of problems that customers have with internal segmentation and security.”

“If they can do that in a software-defined and -orchestrated way, it has a much lower cost of implementation and management than trying to carpet-bomb the internal network with firewalls. You can always put up firewalls, but being able to do that in an orchestrated way lets you move service and workloads into the cloud – and have security follow that just as easily.”

SDN also facilitates traffic classification according to rules that are regularly tweaked according to the collective learnings from the information dumps provided by OpenDNS and other environments. The value of these regular information feeds has solidified the appreciation of threat intelligence, a practice that has come into its own in recent years as cloud-based architectures fostered collaboration around the detection and analysis of security threats.

“Threat intelligence is a big problem and a small problem at the same time,” Stitt said. “The big problem is how you can get as much data as you can, to do all sorts of data analytics with. The small problem is how you reverse-engineer malware, find weak signals and use the collective immunity to discover it and leverage it for the benefit of all our customers. OpenDNS really gives us a major uplift in both of these problems.”
