Analysis: With SOC Insights, Infoblox brings DNS-based AI to the security operations center

This syndicated post originally appeared at Zeus Kerravala – SiliconANGLE.

It’s an understatement to say that artificial intelligence has been on top of every information technology and business leader’s priority list since the release of ChatGPT. The easy-to-use generative AI engine gave everyone a glimpse of what’s possible when it comes to the infusion of AI into our lives, and one of the areas in which it has the most promise is cybersecurity.

Protecting an enterprise, particularly in this mobile, cloud and hybrid work era, has become nearly impossible without AI as corporate assets are scattered everywhere, and finding threats and breaches has become akin to finding a needle in a stack of needles. People can’t wade through the massive amounts of data available to security operations and make sense of it. Machines can — quickly and accurately.

Today the de facto standard in DDI (DNS, DHCP, IPAM), Infoblox Inc., announced its AI-driven security operations solution, SOC Insights. Although there are many AI-infused security solutions today, the one from Infoblox is unique in that it uses DNS intelligence as part of its data set.

For those unfamiliar with DNS, it’s a network’s first touchpoint with the internet. When a user types www.siliconangle.com, a DNS system, such as Infoblox, converts that into an IP address, directing the computer to a particular internet-based server.

This is particularly useful for cybersecurity because DNS systems have a good understanding of which systems are valid or malicious. For example, a user might receive a spam message directing people to a “lookalike domain,” in which one character has been replaced with a similar-looking one: “siIiconangle.com” looks like the real domain, but the lowercase “l” has been replaced with a capital “I,” making the two indistinguishable to the user. But Infoblox would know.
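The lookalike-domain check described above can be demonstrated in a few lines. The following is an added example written for this article, not Infoblox code: it folds characters that render alike (capital I and lowercase l, digit 0 and letter o, a few Cyrillic letters) into a canonical "skeleton," decodes punycode labels so that Unicode lookalikes are caught too, and compares each observed domain against a constructed watch list of brand domains. The confusable tables, the watch list and the "second-level registration" assumption in `registrable()` are all simplifications for the example; a production detector would use the full Unicode TR39 confusables data and a public-suffix list.

```python
"""Lookalike-domain detector (added example; not Infoblox's code)."""
import unicodedata

# Constructed confusable tables: a small subset of Unicode TR39's full list.
CHAR_CONFUSABLES = {
    "I": "l", "1": "l", "|": "l",      # capital I, digit one, pipe read as lowercase L
    "0": "o",                          # digit zero reads as letter o
    "\u0430": "a", "\u0435": "e",      # Cyrillic a, e
    "\u043e": "o", "\u0440": "p",      # Cyrillic o, er
    "\u0441": "c", "\u0456": "i",      # Cyrillic es, Ukrainian i
}
SEQ_CONFUSABLES = {"rn": "m", "vv": "w"}   # two glyphs that read as one

# Constructed watch list of domains worth protecting.
BRANDS = ["siliconangle.com"]


def skeleton(label: str) -> str:
    """Reduce a DNS label to the string a human would 'see'."""
    s = unicodedata.normalize("NFKC", label)            # fold width/compat forms
    s = "".join(CHAR_CONFUSABLES.get(ch, ch) for ch in s)  # before lower(): 'I' -> 'l'
    s = s.lower()
    for seq, rep in SEQ_CONFUSABLES.items():
        s = s.replace(seq, rep)
    return s


def registrable(domain: str) -> str:
    """Return the registrable part of a name, decoding punycode (xn--) labels.

    Assumption: brands register at the second level (brand.tld); names such
    as brand.co.uk would need a public-suffix list.
    """
    labels = []
    for label in domain.strip(".").split("."):
        if label.lower().startswith("xn--"):
            try:
                label = label.encode("ascii").decode("idna")   # punycode -> Unicode
            except UnicodeError:
                pass                                             # keep the raw label
        labels.append(label)
    return ".".join(labels[-2:])


def edit_distance(a: str, b: str) -> int:
    """Plain Levenshtein distance, used to catch one-character typosquats."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify(domain: str, brands=BRANDS):
    """Return a finding dict if `domain` impersonates a watched brand, else None."""
    cand = registrable(domain)
    if "." not in cand:
        return None
    cand_sld, _ = cand.rsplit(".", 1)
    cand_skel = skeleton(cand_sld)
    for brand in brands:
        if cand.lower() == brand.lower():
            return None                      # the genuine domain itself
        brand_sld, _ = brand.lower().rsplit(".", 1)
        brand_skel = skeleton(brand_sld)
        if cand_skel == brand_skel:
            # same visual string: either a glyph swap or only the TLD differs
            reason = "homoglyph" if cand_sld.lower() != brand_sld else "tld-swap"
            return {"domain": domain, "brand": brand, "reason": reason}
        if edit_distance(cand_skel, brand_skel) == 1:
            return {"domain": domain, "brand": brand, "reason": "typosquat"}
    return None


if __name__ == "__main__":
    for name in ["www.siliconangle.com", "siIiconangle.com", "silicomangle.com",
                 "siliconangle.net", "example.org"]:
        print(name, "->", classify(name))
```

Run as a script it prints one verdict per name; the article's "siIiconangle.com" is reported as a homoglyph of siliconangle.com, while "www.siliconangle.com" is recognised as the brand itself. Feeding the function the query names from a DNS log is the natural next step, which is exactly where a resolver sits.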

This is why I’ve always felt DNS security is the biggest “no-brainer” in security. Executivegov.com found that 92% of malicious activity can be blocked by using DNS. This may seem like a high number, but every network connection starts with a DNS query, allowing Infoblox to see traffic well before firewalls, IPS, EDR and other core security tools.

The new AI SOC Insights takes Infoblox’s massive amount of DNS information, analyzes and correlates it, and provides actionable insights and responses for SOC engineers to eliminate threats before they hit the enterprise network.

This can be of great value to the SOC engineer because it makes existing SOC tools better. One of the challenges with tools such as security orchestration, automation and response, or SOAR, and SIEM, or security information and event management, is that they need more data, leading to many false positives.

SOC Insights can eliminate much of the “noise” before it hits the SOC tools, making them more efficient. This reduces what SOC engineers call “alert fatigue” and enables them to focus on the remaining alerts.

The Tines Security Automation Voice of the SOC Analyst report found that 60% of SOC analysts stated their workloads are growing. I’m a little surprised this number isn’t higher, but I’m guessing the other 40% hit a maximum level of work, are perpetually behind and can’t measure the growing workloads.

Another interesting data point comes from the Verizon Data Breach Investigations Report, which found that 55% of survey respondents said critical alerts are being missed weekly and even daily. Again, I believe this number to be higher, but most teams can’t quantify what’s being missed, so it just seems like noise upon more noise. In both cases, leveraging the DNS-based AI Security from Infoblox can bring those numbers down.

Infoblox has included several core capabilities in its BloxOne Threat Defense offering. These include features such as DNS failover checks, security policy optimization, DNS threat feed monitoring and high-risk web content. Customers can purchase an add-on to Security Insights with advanced capabilities such as phishing and malware detection, botnet discovery and lookalike domain monitoring. Given the importance of DNS, I was glad to see Infoblox embed core capabilities into its products, giving all customers the benefits of AI.

Looking ahead, it will be interesting to see how Infoblox leverages the rest of its suite of products. DNS data is powerful and provides an “early warning indicator,” but the company also has insights into DHCP, which hands out IP addresses to corporate devices, and IP address management, which helps companies manage their IP addresses. The correlation of this information can help find infected devices, quarantine endpoints and conduct other activities to minimize the “blast radius” of a breach.
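The DNS-plus-DHCP correlation described above is easy to get subtly wrong, because a DHCP address is only a temporary name for a device. The following is an added example written for this article, not Infoblox code, and all of its data is constructed: a small DHCP lease table in which one address is reassigned at noon, and a few DNS query log lines with the resolver's allow/block verdict. It attributes each blocked query to the device that actually held the client IP at that moment, and lists the MAC addresses an IPAM or NAC system would act on. A naive join on IP alone would have blamed both blocked queries from 10.0.5.23 on the same laptop.

```python
"""Attributing blocked DNS queries to devices via DHCP leases (added example; not Infoblox's code)."""
from datetime import datetime
from typing import NamedTuple, Optional


class Lease(NamedTuple):
    ip: str
    mac: str
    hostname: str
    start: datetime
    end: datetime


def ts(s: str) -> datetime:
    """Parse an ISO-8601 UTC timestamp such as 2024-05-01T09:15:02Z."""
    return datetime.fromisoformat(s.replace("Z", "+00:00"))


# Constructed DHCP lease table. Note that 10.0.5.23 moves from one laptop to
# another at 12:00, so a query at 13:00 from that IP is not laptop-alice.
LEASES = [
    Lease("10.0.5.23", "aa:bb:cc:00:00:01", "laptop-alice",
          ts("2024-05-01T08:00:00Z"), ts("2024-05-01T12:00:00Z")),
    Lease("10.0.5.23", "aa:bb:cc:00:00:02", "laptop-bob",
          ts("2024-05-01T12:00:00Z"), ts("2024-05-01T20:00:00Z")),
    Lease("10.0.5.40", "aa:bb:cc:00:00:03", "printer-3f",
          ts("2024-05-01T06:00:00Z"), ts("2024-05-02T06:00:00Z")),
]

# Constructed resolver log: "<timestamp> <client_ip> <qname> <verdict>".
DNS_LOG = """\
2024-05-01T09:15:02Z 10.0.5.23 www.siliconangle.com allowed
2024-05-01T09:16:10Z 10.0.5.23 siIiconangle.com blocked
2024-05-01T13:02:45Z 10.0.5.23 updates.example-cdn.net allowed
2024-05-01T13:03:01Z 10.0.5.23 suspicious.example blocked
2024-05-01T13:05:00Z 10.0.5.99 suspicious.example blocked
"""


def parse_dns_log(text: str) -> list:
    """Turn the constructed log format into event dicts with parsed timestamps."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        when, ip, qname, verdict = line.split()
        events.append({"time": ts(when), "ip": ip, "qname": qname, "verdict": verdict})
    return events


def lease_at(leases: list, ip: str, when: datetime) -> Optional[Lease]:
    """Return the lease that held `ip` at `when` (half-open [start, end)), or None."""
    for lease in leases:
        if lease.ip == ip and lease.start <= when < lease.end:
            return lease
    return None


def attribute_blocked(leases: list, events: list) -> list:
    """Map every blocked query to the device holding the client IP at that time.

    A query from an IP with no lease is kept with device/mac set to None so
    that statically addressed or rogue hosts are not silently dropped.
    """
    hits = []
    for ev in events:
        if ev["verdict"] != "blocked":
            continue
        lease = lease_at(leases, ev["ip"], ev["time"])
        hits.append({
            "time": ev["time"].isoformat(),
            "ip": ev["ip"],
            "qname": ev["qname"],
            "device": lease.hostname if lease else None,
            "mac": lease.mac if lease else None,
        })
    return hits


def devices_to_quarantine(hits: list) -> list:
    """Distinct MAC addresses with at least one blocked query, for an IPAM/NAC action."""
    return sorted({h["mac"] for h in hits if h["mac"]})


def unattributed_ips(hits: list) -> list:
    """Client IPs that produced blocked queries but match no lease; investigate separately."""
    return sorted({h["ip"] for h in hits if h["mac"] is None})


if __name__ == "__main__":
    found = attribute_blocked(LEASES, parse_dns_log(DNS_LOG))
    for h in found:
        print(h)
    print("quarantine:", devices_to_quarantine(found))
    print("no lease:", unattributed_ips(found))
```

Keying the lease lookup on the query's timestamp, not just its IP, is the whole point: with leases that turn over during the day, the second blocked query from 10.0.5.23 belongs to laptop-bob, and 10.0.5.99 surfaces as a host the DHCP server never saw, which is its own finding.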

Also, in a conversation with Craig Sanderson, vice president of product management for Infoblox, he told me the company is investigating what it can do with generative AI. A natural language interface into Infoblox has the potential to let SOC engineers interact with DNS data in an entirely new way. One could ask what likely lookalike domains are and block them in advance or bring other capabilities to enable the SOC engineer to get in front of the threat actors.

Hackers are using AI more than ever, and it’s critical that security teams fight fire with fire. I know many security teams are nervous about handing control over to machines. But AI is the only way to combat a world where AI is used for nefarious activities.

Author: Zeus Kerravala

Zeus Kerravala is the founder and principal analyst with ZK Research. Kerravala provides a mix of tactical advice to help his clients in the current business climate and long term strategic advice.