A managed services provider (MSP) in Europe was recently considering launching a new security service. Before doing so they wanted to answer a fundamental question: how many of their enterprise customers had malware infections? Within hours of asking the question they made a configuration change and identified over 700 business customers with critical malware infections. For example, a major healthcare company infected with multiple malware variants capable of logging employee keystrokes - a major risk to the sensitive patient data stored on their network.
How was it possible to find so many undetected threats so quickly with so little effort? They didn’t use a brand new security appliance or the newest intrusion prevention technology. Instead they used a 30 year old technology deployed in every IP network - the Domain Name System (DNS). People and applications make trillions of DNS queries daily to translate human understandable domain names into IP addresses to navigate the Internet. Although the DNS has been around since the beginning of the Internet it’s only recently been viewed as a way to start solving a broader range of business problems.
Why is this happening now? Companies being forced to innovate while squeezing more out of their IT budget are re-evaluating how they can utilse already-deployed technologies to solve new problems.
As companies have implemented a variety of new systems to deliver business applications, comply with regulations and address security threats, the complexity of running their networks has increased dramatically. Having more disparate IT systems increases the cost of maintenance, integration, upgrades and patch management. Application ecosystems built around existing technologies such as ERP and sales force automation aim to address this challenge.
Security applications are a logical starting point for extracting value from the DNS since, just as virtually every legitimate IP application relies on the DNS, so do the attackers. This opens up a wide range of uses of DNS data to detect and prevent threats. For instance, DNS is used to prevent data exfiltration from infected devices on the network by observing clients querying criminally owned botnet command and control (C&C) sites. DNS is also being used to prevent phishing attacks, warn users accessing sites hosting malware and prevent access to a range of unwanted or illegal content.
While DNS has played a role in security for a while, its importance has recently increased significantly. In just the last several years the DNS has been used to detect or take down an increasing number of sophisticated botnets - e.g. Conficker, Aurora, Stuxnet, Zeus, Flamer, TDL4 and Nitol. DNS (port 53) is also one of the few open ports on enterprise networks making it a natural target for attackers, especially as enterprises have been scrubbing HTTP traffic more carefully leaving fewer channels of communication open to attackers. Likewise, the proliferation of devices accessing enterprise networks has made it essentially impossible to prevent every infected device from getting on the network. If you can’t keep infections out of the network you need to identify and remediate them quickly, for which DNS is uniquely suited.
Enterprise security is just a starting point though. Other DNS-based applications that have or are being deployed include:
• Content filtering - Virgin Media in the UK launched an application to block access to pornographic content on their Free WiFi service at the London Underground stations just prior to the Olympics in less than two weeks. Delivering the service in two weeks would have been impossible if they weren’t able to leverage an existing DNS-based platform in their network.
• Customer retention - A major South American cable operator launched a series of applications based on the DNS. This included an application to communicate special pricing packages to customers who had called to cancel their service through subscribers’ Internet browser and another to offer profitable customers free upgrades.
• Managed security – MSP operators are planning to offer small businesses an intuitive, easy-to-use solution for protecting every Internet-enabled device from phishing, malware and other targeted attacks. The solution can also be extended to block content that small businesses don’t want to allow into the office such as pornography, hate sites, violence sites, etc all using an intuitive interface that non-technical users understand.
• Customer loyalty - Over half of consumers said they never complained to their service provider before disconnecting service yet most churn management systems rely on call records to predict behaviour. DNS data is now being used to predict who is likely to churn or discontinue using a service before they decide to cancel their service based on customers’ online activity.
• Strategic Marketing - Media companies know a lot about what their subscribers are watching on their service but little about what types of content viewers are watching online and over what device. DNS data is now being used the popularity of specific OTT applications, what online videos are most popular, what categories of websites are popular with which types of subscribers and much more.
Companies faced with increasing network complexity are turning to DNS to deliver a differentiated experience faster with a lower total cost of ownership. Security is a natural starting point for enterprises looking for efficient and effective ways of protecting critical data. The value of DNS goes far beyond security though as industries such as telecom and media are now using DNS for a wide range of applications that provide a differentiated experience and generate new revenue. Even after almost 30 years the best years still appear to be ahead for this Internet workhorse.