Enterprise Threat Protector Is Configured - Now What?
In previous posts we talked about how to configure Enterprise Threat Protector for your environment. Generally it is as simple as configuring your recursive DNS infrastructure to forward external DNS traffic to Enterprise Threat Protector, and defining locations and policies to be applied to your traffic.
Real traffic is best
But before we get started, it’s important to talk about how to evaluate Enterprise Threat Protector. It is not advisable to upload a list of predetermined threats to test against. Malicious domains come and go, particularly if you account for command and control domains generated by a domain generation algorithms, and what was malicious 6 months ago would only generate false positives today.
Hence the best way to evaluate Enterprise Threat Protector is to turn it on in a live environment with real up-to-date traffic. Once DNS requests are being forwarded to Enterprise Threat Protector, remember not to focus on the amount of threats caught. You will want to focus on the type and severity of the alert or the various threat, acceptable use policy, and security events captured by Enterprise Threat Protector.
The easiest way to start analyzing events is to navigate to the Enterprise Threat Protector area in the Luna Control Center. Luna provides visibility, control and reports of activity across locations, groups, and identities. Enterprise Threat Protector also allows for seamless third-party Security Information and Event Management (SIEM) tool and API integration. However, for this particular post we will focus on the Luna Control Center.
Start with the dashboard and drill down
The Enterprise Threat Protector dashboard is broken into three main areas focused on an overview, threat, acceptable use policy (AUP) and Security Connector events.
The time period that you specify in the dashboard defines the data you see. The dashboard includes the following graphs:
- Summary graphs located at the top of the screen. This graph provides a snapshot and the total number of threat events, AUP events, DNS activity, and alerts based on the selected time period. This particular view allows you to quickly determine whether significant security events are occurring.
- Event doughnut and timeline graphs located just below. The event doughnut charts provide more details about threat, AUP and security connector events. In the Threat Events and AUP Events dashboard sections, three doughnut charts appear with data based on the category, location, or domain information associated with events. Clicking the Show Timeline link opens up line or bar graphs that represent event data based on the selected time period.
Clicking an event doughnut graph or an event number in a summary graph at the top of the dashboard directs you to the applicable ETP page that shows more event information.
For example, clicking the number of total threat events directs you to the Threat Analysis page where you can see more data, broken down by various threat categories, locations, policies, etc.
In terms of threat categories Enterprise Threat Protector focuses on the following:
- Malware - Connection to known malicious domains associated with malware delivery
- C&C - Connection to domains associated with command and control infrastructure
- Phishing - Connection to known malicious domains associated with phishing
By hovering over domain names you can get useful information in terms of the nature of the domain, or you can drill deeper to learn more. In this particular example the domain is sinkholed by the security community and hence gives us a strong indication that there is a compromised system in this network.
The same process can be followed with the other event categories such as AUP or security connector events.
Security and visibility
It’s also important to remember that Enterprise Threat Protector is not just about threat or AUP events but can also provide visibility into your overall DNS traffic volume and profile. You can easily navigate to this data by clicking the DNS Activity summary graph.
Once you see the Total DNS activity graph a selection of criteria are available ranging from Autonomous System (AS) Name to AUP category. Applying filters to the data is easy. You can configure the filter to exclude the top 10, 100, 1K, 10K, 100K, or one million websites that Alexa Internet, Inc. publishes as most popular on the Internet.
This post was intended to give you a quick overview into how to initially use Enterprise Threat Protector to get visibility into DNS traffic, threat events such as malware, phishing and command and control, and how to easily apply an acceptable Internet usage policy across your organization.
Stay tuned for more.