DNSEye’s Contribution to SOC Operations and Assistance to SOC Teams

What are the benefits of using DNSEye for SOC Teams?
‍

1)Saving of Time thanks to Enriched Data

For different tiers of SOC operations, DNS logs are filtered, enriched, and understandable specifically for the SOC teams thanks to DNSEye. Thus, the SOC teams can take more precise crucial actions in the primary areas of security at a much faster pace.

In the default case, if the SOC teams are suspicious about any type of malicious traffic and they try to carry out a traffic analysis on the DNS layer, the only information that they will get from the Microsoft DNS logs will be Source IP and the hostnames.  DNS logs only contain the client’s IP address/source IP of the client and the queried domain name and IP address. But all clients’ IP addresses are variable which means they are not suitable for any type of investigation intended for past activities. DNSEye makes the investigation process by logging permanent information such as the names of the devices, user information, MAC addresses easier.

By the courtesy of DNSEye, the Source IP, real-time traffic information, user and hostname information are matched and forwarded to SOC teams. SOC teams do not lose any time in order to produce this data.

‍

2)Only the Risky DNS Traffic is Presented

All requested DNS queries will be categorized after the AI-based dynamic threat database considering each domains’ more than 850 features in real-time. Thus, only the traffic that poses a threat in terms of end-user/network security such as malware, virus, botnet, ransomware, phishing will be presented. On the other hand, the traffic that does not pose any threat such as news, technology, business domains will not be forwarded to SOC teams.

Since 90% of a network’s traffic consists of secure traffic, the SOC teams do not need to analyze, compare and distinguish the malicious traffic among a huge number of logs. So this time-wasting process for SOC teams will be eliminated thanks to the filtration of DNSEye.

‍

3)The Degree of Urgency is Indicated

DNSEye's Security Gap module will specify which traffic should be prioritized. In this situation, the domain request traffic will be prioritized that is not detected by the current security assets that exist in the network. In other words, the malicious traffic that could not be caught by your business’ security assets but detected by the Roksit will be presented to SOC teams primarily.

DNSEye regulates the logs which SOC teams need to investigate depending on their level of urgency. Let’s assume the CEO of the company clicked a phishing link, and there is a risk for loss of passwords, crucial files that belong to the CEO. Moreover, this activity passed through all of the existing security assets in the network (the security assets could not manage to detect this phishing activity). This will be regarded as the preliminary situation that the SOC teams need to investigate, and it is indicated in a report that is generated by DNSEye.

‍

Why do SOC teams need to Analyze DNS logs?

The 83% of IP addresses that carry out malware traffic could not be resolved instantly because they do not have any IP address. Simultaneously, the malicious traffic that is generated by the infected devices such as Botnet, DNS tunneling (which may be used for crypto mining, data theft), cannot be seen on the application layer since they do not contain an IP address. Hence, this type of malicious traffic cannot be detected by security assets such as firewalls or proxies. Therefore, the only way to detect these malicious activities is to analyze the DNS logs. In this situation, DNS log analysis plays a crucial role in terms of granting vital information to taking actions precisely on time.

‍