DNS Visibility detects malicious traffic on your network, and reports whether this traffic can be blocked by your other security devices.
DNS is used by virtually every protocol and device, whether HTTP, HTTPS, SMTP or IoT devices. DNS traffic therefore provides information about your entire network, regardless of the application protocol in use.
Data exfiltration over DNS tunnelling cannot be detected by DLP products; detecting it effectively requires DNS log analysis.
80% of malware domains currently have no IP address. Malware requests for domains that do not have an IP address can only be detected in the DNS log.
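As an added illustration of the two points above, and not code from the DNS Visibility product, the following Python runs over a constructed, simplified DNS query log and flags queries that returned NXDOMAIN (a name with no IP address, invisible to IP-based controls) and queries whose leftmost label looks like encoded tunnel payload. The CSV log layout, the sample lines, and the length and entropy thresholds are assumptions chosen for the example.

```python
import math
from collections import Counter, defaultdict
# Constructed sample of a simplified DNS query log (not a real vendor format):
# timestamp,client_ip,qname,qtype,rcode
SAMPLE_LOG = """\
2024-05-01T09:00:01Z,10.1.2.15,www.example.com,A,NOERROR
2024-05-01T09:00:02Z,10.1.2.15,mail.example.com,MX,NOERROR
2024-05-01T09:00:03Z,10.1.2.40,x7k2q9p1zz.update-check.invalid,A,NXDOMAIN
2024-05-01T09:00:04Z,10.1.2.40,k3j9x2m7q1w5e8r4t6y0u2i4o6p8a1s3.t.exfil-test.invalid,TXT,NOERROR
2024-05-01T09:00:05Z,10.1.2.40,9f1e2d3c4b5a69788796a5b4c3d2e1f0.t.exfil-test.invalid,TXT,NOERROR
"""

def shannon_entropy(text):
    """Bits per character; random-looking labels score close to log2(alphabet size)."""
    n = len(text)
    return -sum(c / n * math.log2(c / n) for c in Counter(text).values()) if n else 0.0

def parse_log(text):
    """Parse the constructed CSV log into dicts with normalised names and codes."""
    rows = []
    for line in text.splitlines():
        if line.strip():
            ts, client, qname, qtype, rcode = line.split(",")
            rows.append({"ts": ts, "client": client, "qname": qname.lower().rstrip("."),
                         "qtype": qtype.upper(), "rcode": rcode.upper()})
    return rows

def query_reasons(row):
    """Why one query is suspicious (empty list if it is not)."""
    reasons = []
    # A name that never resolves cannot be caught by IP-based controls; only the DNS log sees it.
    if row["rcode"] == "NXDOMAIN":
        reasons.append("nxdomain")
    # Tunnelling packs payload into the leftmost label: long and high-entropy, often TXT/NULL.
    label = row["qname"].split(".")[0]
    if len(label) >= 16 and shannon_entropy(label) > 3.5:  # assumed thresholds
        reasons.append("high-entropy label")
        if row["qtype"] in ("TXT", "NULL"):
            reasons.append("payload-capable qtype")
    return reasons

def suspicious_clients(rows):
    """Group flagged queries by source IP, the pivot for host and user enrichment."""
    findings = defaultdict(list)
    for row in rows:
        reasons = query_reasons(row)
        if reasons:
            findings[row["client"]].append((row["qname"], reasons))
    return dict(findings)
```

Run `suspicious_clients(parse_log(SAMPLE_LOG))` to get the flagged names grouped by client IP; on the sample only 10.1.2.40 is reported, with one NXDOMAIN hit and two tunnel-like TXT queries.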
DNS Visibility can collect the logs of many different brands and models of DNS servers without the need for any change in your network structure. It can collect Microsoft DNS, Infoblox, BIND, Bluecat, EfficientIP, F5, Citrix DNS server logs with high performance.
To select the data that SOC teams should review, the domains must first be classified. Using the Roksit Cyber X-Ray infrastructure, they are classified by AI into 72 categories within 4 main groups.
DNS logs record only the source IP address. Since IP addresses change, the log should be enriched with persistent machine and user information. DNS Visibility provides Host Discovery and User Identification features, so the DNS Visibility Report also shows the actual machine that made the DNS query and the users logged into that machine.
DNS Visibility reports classified, meaningful DNS traffic going back one year in its advanced reporting interface. It also forwards the data that SOC teams need to analyse to the SIEM product, with flexible selection of which logs are forwarded: it can send the entire log if the user prefers, or, with filters applied, reduce the volume of forwarded logs by up to 1000 times.
With the Security Gap feature, DNSSense reports malicious activity that has passed through each existing security asset in your network (UTM firewall, proxy, DNS firewall, etc.) without being detected.
The APIs of EDR systems are used to identify the application that made the malicious DNS query, in order to determine whether the device is infected.
In corporate networks, the volume of DNS traffic, the categories visited and even the individual domains visited follow a regular pattern. The DNS Visibility appliance learns the organisation's normal DNS traffic and reports anomalies.