We talked with Jen Ayers, COO (Chief Operating Officer) at DNSFilter about threat detection, content filtering and how crucial it is to always enforce basic security principles.
1. Please explain in a few words the security solutions your company provides and why DNS security is essential.
DNSFilter provides DNS-layer security services to our customers. When you look at the security products that have entered the market over the last 10 years, many of them have centered on two specific areas: purely network security or purely endpoint security. But DNS is a critical component that enables users, companies, and businesses to connect with each other across the internet.
Everybody uses Google; we all know google.com. But nobody knows about the 63,000 IP addresses (and subsequent domains) that make up google.com. Domain resolution is one of the ways systems talk to each other and allows for access to websites.
When you think about DNS from a security perspective, it’s imperative to consider the DNS layer, since so many threats originate at or involve this layer. Phishing campaigns, malware, and other threats use domain names as C2 (Command and Control) servers where malicious files can be downloaded.
Roughly 33% of the breaches actually originate at the DNS layer. And about 78% of breaches involve DNS in some way. What we provide at DNSFilter is the ability to effectively block malicious sites or those sites’ ability to communicate with a command-and-control server—or even in some cases, download malicious software.
We are a crucial element within an organization’s security stack, supplementing detection and response tools and more traditional solutions. We provide a rapid way to protect our customers so they can focus on shoring up remaining defenses.
2. How would you explain to a non-tech user the difference between antivirus and DNS filtering?
The differences are actually very vast—not just in implementation but also in use case.
Antivirus is a program that runs on your device and recognizes an application as malware or a trojan after it has already been installed. DNS filtering is completely different, as we are stopping threats before they’re downloaded, at the domain level.
You might have a smartphone with a browser and somehow manage to navigate to threat.com. Antivirus isn’t necessarily going to protect you from accessing that threat website, whereas DNS filtering is something that protects across the board, across any type of device that you’re using to resolve a domain name. However, without DNS security in place, antivirus may still stop that threat—but at that point, it’s already on your device.
DNS security leverages a typical (and mandatory) internet operation to mitigate the risk of a threat being downloaded to your device.
One great thing about DNS filtering is that we can protect you no matter how you’re using that device. So, if you are using your phone as a consumer or using that laptop as a business, that same level of DNS protection is accessible across any device. Whereas antivirus has to be installed on each one of your devices, and how it’s implemented could be drastically different. DNS doesn’t have to differentiate in that capacity; we provide the same level of protection across any device, regardless of how you’re using it.
3. Some researchers have been saying that DNS filtering has its limitations. What’s your argument against this theory?
Anything has limitations. There is no easy button. There is no solution that will 100% solve all of your security needs. And if anybody is trying to sell you that, then run far, far away.
The reality is that cybersecurity is very complex, and it’s made up of multiple layers. For example, if you manage to download a malicious file, and that malicious file executes on your endpoint, that is not DNS. DNS security is capable of protecting your machine from talking to command-and-control servers, but we’re not going to be able to protect you from that malicious file execution just like in the antivirus example. That’s where you need to look at something like endpoint detection and response (EDR) technologies. DNS security and filtering is purely going to cover the communication mechanism; we’re providing an additional layer of protection to prevent things like phishing campaigns or malicious website access.
But we are not designed to protect you from opening up an executable file that’s going to deliver ransomware on your machine once you’ve executed that file. We would prefer to protect you from accessing that malicious website to begin with.
Again, cybersecurity is complex and there are many avenues and entry points for the countless number of threats that exist. What you need to look at are the layers of protection and ensure you’re securing the assets, the individuals, and the companies. I would say that it’s not just DNS filtering that has its limitations. Every security technology has limitations, but by combining best-in-class technologies that are tailored to your business needs, you can achieve a higher level of protection.
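To make the mechanism described in the answers to questions 2 and 3 concrete, here is an added example that is not part of the interview and is not DNSFilter’s code: a minimal DNS-layer filter in Python that parses a wire-format query, matches the queried name (and every parent domain) against a blocklist, and answers blocked names with a sinkhole address or NXDOMAIN instead of forwarding them upstream. The blocklist entries, the 0.0.0.0 sinkhole address and the queries built by `build_query` are constructed for illustration, not taken from any real threat feed.

```python
"""Minimal DNS-layer filter: decide at resolution time whether a name may resolve.

Added example; blocklist, sinkhole address and test queries are constructed.
"""
import struct

# Constructed blocklist for the example; a real deployment uses a threat feed.
BLOCKLIST = {"threat.example", "c2.example.net"}
SINKHOLE_IP = "0.0.0.0"  # assumed sinkhole; commercial filters often use a block page


def build_query(qname: str, qtype: int = 1, txid: int = 0x1234) -> bytes:
    """Encode a standard recursive query (used here only to construct test input)."""
    qname_wire = b"".join(
        bytes([len(label)]) + label.encode("ascii")
        for label in qname.rstrip(".").split(".")
    ) + b"\x00"
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)  # RD=1, one question
    return header + qname_wire + struct.pack("!HH", qtype, 1)  # class IN


def parse_query(packet: bytes):
    """Return (txid, qname, qtype, raw question section) from a wire-format query."""
    if len(packet) < 12:
        raise ValueError("DNS header truncated")
    txid, flags, qdcount = struct.unpack("!HHH", packet[:6])
    if flags & 0x8000 or qdcount != 1:
        raise ValueError("expected a query with exactly one question")
    labels, pos = [], 12
    while True:
        if pos >= len(packet):
            raise ValueError("question name truncated")
        length = packet[pos]
        pos += 1
        if length == 0:
            break
        if length & 0xC0:  # compression pointers are not valid in a question name
            raise ValueError("compressed name in question")
        labels.append(packet[pos:pos + length].decode("ascii").lower())
        pos += length
    if pos + 4 > len(packet):
        raise ValueError("question type/class truncated")
    qtype, _qclass = struct.unpack("!HH", packet[pos:pos + 4])
    return txid, ".".join(labels), qtype, packet[12:pos + 4]


def is_blocked(qname: str) -> bool:
    """Match the name and every parent domain, so evil.threat.example is blocked too."""
    parts = qname.lower().rstrip(".").split(".")
    return any(".".join(parts[i:]) in BLOCKLIST for i in range(len(parts)))


def filter_query(packet: bytes):
    """Return a sinkhole/NXDOMAIN response for blocked names, or None to forward upstream."""
    txid, qname, qtype, question = parse_query(packet)
    if not is_blocked(qname):
        return None  # allowed: hand the packet to the real recursive resolver
    flags = 0x8180  # QR=1, RD=1, RA=1, RCODE=NOERROR
    answer = b""
    if qtype == 1:  # A query: answer with the sinkhole address instead of the real one
        answer = (b"\xc0\x0c"  # name pointer to offset 12, i.e. the question name
                  + struct.pack("!HHIH", 1, 1, 60, 4)  # type A, class IN, TTL 60, RDLENGTH 4
                  + bytes(int(o) for o in SINKHOLE_IP.split(".")))
    else:  # AAAA, TXT, ...: NXDOMAIN so nothing about the blocked zone resolves
        flags |= 0x0003
    header = struct.pack("!HHHHHH", txid, flags, 1, 1 if answer else 0, 0, 0)
    return header + question + answer


if __name__ == "__main__":
    for name in ("www.example.com", "www.threat.example"):
        resp = filter_query(build_query(name))
        print(name, "-> forward upstream" if resp is None else "-> blocked, %d-byte reply" % len(resp))
```

The filter never sees the file the domain would have served; it only decides, at the moment of resolution, whether the name resolves at all, which is the "before it’s downloaded" point made above. A real deployment wraps `filter_query` in a UDP/TCP listener and forwards the `None` cases to an upstream resolver. It is also worth remembering the limitation the answer itself states: a client that talks to a different resolver, or that already holds an IP address, bypasses this layer entirely, so it complements endpoint controls rather than replacing them.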
4. Do you believe there has been an increase in security challenges with DNS filtering along with more remote work?
I would have to say it’s not a security challenge, as much as it is an introduction to a new type of user behavior.
In the past year it’s been really fascinating to look at some of the data and do some analysis across remote work from 2020-2021. The security challenges haven’t really changed, but they have introduced the use of devices on a consumer basis. As people started working from home, laptops and mobile devices that might have been company-assigned are now being employed for personal use.
In the traditional work environment, there were hard boundaries between work and home. And now that everybody’s home, people tend to use their laptops to do more things like stream video, watch Netflix, play games, and other things. So, it’s not a security challenge in a negative way. But it has opened up a door to a new type of threat vector that traditionally was separate from the corporate world.
If, as a personal user, you’ve been spear phished by a Nigerian prince scam (as an example), that no longer impacts just your personal machine, but instead increases the risk to the company machine—and vice versa. Even from home and depending on how you have your home network set up, if you’ve been targeted through a spear phishing campaign, there is a risk of potentially introducing ransomware into your home environment. There is an overlap between consumer and corporate threat vectors that didn’t exist before.
It’s not an increase of a challenge, per se, but it has introduced the need for a different level of protection.
We constantly take a look and see what kinds of things are changing from a trend analysis perspective and a protection perspective. Is there an interesting trend that we’re identifying? As one example, we’ve seen a large increase in traffic to Netflix from 2019 through today on corporate devices. Taking all these into account allows us to understand the possible expansion or contraction of the threat landscape.
5. Besides DNS filtering, name two or three other online security tools or best practices you would advise anyone to use.
That’s always a tough question. I think every company, every business, or every consumer has a different threshold in terms of how their particular business operates. But if there is absolutely one thing that I can recommend, it is multi-factor authentication.
Multi-factor authentication has been around for some time, and I know there are some arguments against how secure it is. There will always be arguments against how secure anything is at the end of the day. But the reality is that the introduction of multi-factor authentication (or even two-factor authentication, if you want to simplify it) has created something like a speed bump in the theft of credentials. Credential theft is the number one way that adversaries tend to prefer to get into environments. That can happen through a credential dump because they’re already in, or by scraping credentials that have been stolen from a company that’s been breached, or even collecting them from you in a spear-phishing campaign and giving you that fake DocuSign login screen.
Putting in that two-factor or multi-factor authentication is absolutely critical to start introducing and disrupting how adversaries ultimately operate. So many websites offer this now—and for free! Google Authenticator is free and proven; this is tried and now inexpensive technology compared to the costly RSA tokens back in the early days.
Implementing 2FA or MFA ensures that system accounts and administrative-level accounts have the right criteria for access. These users actually need the access they’re requesting, and they’re also exactly who they say they are. The concept of zero trust applies here. The idea behind ‘trust no one, ask everybody to authorize themselves’ is really a very good basic principle to have.
From an authentication perspective, cybersecurity insurance policies actually require 2FA to achieve zero trust, but around a quarter of businesses still don’t use it. As cyberattacks occur, a lot of companies have gone out to get that cybersecurity insurance policy to at least try and recoup some of their losses and understand what they can do to mitigate future attacks. It’s pretty amazing that some basic security principles still aren’t deployed.
I would say the other best practice is understanding how things are accessed in your environment. So, even though the world has moved forward to cloud-based or SaaS-based access from anywhere, the reality is that administrators still have to connect to 10- to 15-year-old traditional data centers.
One thing that I saw before coming to DNSFilter, was an increase of what we call remote desktop protocol (RDP) or remote access. You’d go into the office, and you’d have access, but going from home is an entirely different path that you had to cross. People rushed to give their people remote access, and they did so very insecurely by allowing them to control work desktops from afar.
I would highly advise people to go back and check their ingress points and make sure that they’re tightening up the entry points as much as possible. Again, it doesn’t matter if you’re in a data center or the AWS cloud; the principles still apply. If you’re allowing remote access, make sure that you have the proper procedures and protocols to restrict that access, authenticate that access, and authorize that access.
6. Any final thoughts or any advice for end users?
I feel like DNS is one of those areas that has been overlooked because it hasn’t changed. But anything that doesn’t change and is overlooked is a ripe area for threats; whether you’re talking about DNS tunneling or DNS poisoning, they’re still existing threats out there.
The story I’m telling isn’t new to those of us that have been doing this as long as I have. For me, it’s not just about DNSFilter, but truly about the awareness of the threat landscape, and how to protect yourselves by ensuring that basic security principles are in place.
As I said in the beginning, DNSFilter is not an easy button, or one-stop solution. You don’t just implement a single solution like DNS filtering and consider yourself secure. If you don’t have anything today, I would urge people to look at a solution like ours because it’s a fast implementation, agentless, and can at least provide you with a layer of protection while you go and work on maturing your security program. But basic security principles are still required.