DNS logs cause massive license and time costs for companies for two primary reasons:
• DNS server logs create the highest EPS in corporate networks.
The instantaneous DNS query rate can reach 15 thousand queries in a typical enterprise network with 10 thousand users. This high number is due to a variety of factors.
For example, approximately 70-100 DNS queries are made when a regular news web page is requested. In addition, even when devices are not in use, the services running in the background continue to generate DNS queries. Mail servers also perform numerous DNS queries during a simple e-mail transmission. In this manner, every device on a network constantly performs DNS queries in order to provide or receive internet services.
• Raw DNS logs are incomprehensible.
DNS logs contain a large amount of raw data that is of little use unless it is processed. The logs carry the client's IP address and the requested domain, which on their own are not helpful for security analysis. As client IP addresses are dynamic, retrospective analysis is not always possible.
Furthermore, the logs contain no information about the domain's content or safety. To analyse logs in such a large amount, a correlation on the SIEM is required. Besides that, the SIEM ends up processing domains that are already known to be safe, and every extra correlation process raises the SIEM's cost and consumes the SOC team's time.
2 - Using Roksit to reduce the number of EPS sent to SIEM
DNS logs contain no information about the domain's content or safety. Also, the vast majority of the logs consist of trusted and frequently used domains such as Google, Facebook, and WhatsApp, and this information does not need to be processed by the SIEM.
Roksit uses Cyber-Xray, an AI-based classification system, to distinguish between secure domains and malicious or suspicious domains, and then sends only the required data to the SIEM. Besides forwarding traffic to the SIEM based on domains' categories and other customised rules, Roksit is also able to alert the SIEM when:
* The existing security devices do not detect malicious traffic,
* The network requests a domain for the first time,
* Anomalies resembling DNS tunnelling or data exfiltration are observed.
After this filtering, the amount of DNS logs sent to the SIEM can be reduced by 95-99%.
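To make the pre-filtering idea concrete, here is an added example (not Roksit's code and not Cyber-Xray) that triages a constructed sample of resolver log lines before they reach a SIEM. It drops queries to domains in a hypothetical known-good category map, forwards the first query the network makes to any other domain, and flags long, high-entropy leftmost labels as tunnelling-like anomalies. The log format, the `KNOWN_GOOD` table, the `.test` domains and the thresholds are all assumptions made for the example.

```python
import math
import re
from collections import Counter

# Constructed sample of resolver log lines (not real traffic): "timestamp client_ip qname qtype".
SAMPLE_LOG = """\
2024-01-01T09:00:01Z 10.0.1.15 www.google.com A
2024-01-01T09:00:01Z 10.0.1.15 fonts.gstatic.com A
2024-01-01T09:00:02Z 10.0.2.40 graph.facebook.com A
2024-01-01T09:00:02Z 10.0.2.40 static.whatsapp.net A
2024-01-01T09:00:03Z 10.0.1.15 www.google.com AAAA
2024-01-01T09:00:04Z 10.0.3.7 update.example-vendor.test A
2024-01-01T09:00:05Z 10.0.3.7 4a6f686e2d446f652d7365637265742d31.exfil.test TXT
2024-01-01T09:00:06Z 10.0.3.7 4a6f686e2d446f652d7365637265742d32.exfil.test TXT
2024-01-01T09:00:07Z 10.0.2.40 graph.facebook.com A
2024-01-01T09:00:08Z 10.0.3.7 update.example-vendor.test A
"""

# Hypothetical stand-in for a domain category feed (a real deployment would get this
# from a classification service such as the one the page describes).
KNOWN_GOOD = {
    "google.com": "search",
    "gstatic.com": "cdn",
    "facebook.com": "social",
    "whatsapp.net": "messaging",
}

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+)$")


def registrable_domain(qname):
    # Naive eTLD+1 (last two labels); real code should consult the public suffix list.
    labels = qname.rstrip(".").lower().split(".")
    return ".".join(labels[-2:])


def shannon_entropy(s):
    counts = Counter(s)
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def looks_like_tunneling(qname, max_label=30, min_entropy=3.0):
    # A long, high-entropy leftmost label is the classic shape of encoded data in a query name.
    first = qname.split(".")[0]
    return len(first) > max_label and shannon_entropy(first) >= min_entropy


def triage(log_text, known_good=KNOWN_GOOD, seen=None):
    """Decide per line whether it is forwarded to the SIEM and why.

    Returns (forwarded, stats): forwarded is a list of (line, [reasons]);
    stats holds the line counts and the percentage of lines dropped.
    """
    seen = set() if seen is None else seen  # zones already observed on this network
    forwarded = []
    total = dropped = 0
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip malformed lines instead of stalling the pipeline
        total += 1
        _ts, _client, qname, _qtype = m.groups()
        zone = registrable_domain(qname)
        reasons = []
        if zone not in known_good:
            if zone not in seen:
                reasons.append("first-seen-domain")
            if looks_like_tunneling(qname):
                reasons.append("tunneling-anomaly")
            if not reasons:
                reasons.append("uncategorised")  # unknown zone: forward, but without an alert
        seen.add(zone)
        if reasons:
            forwarded.append((line, reasons))
        else:
            dropped += 1  # known-good category: not worth a SIEM event
    pct = round(100.0 * dropped / total, 1) if total else 0.0
    return forwarded, {"total": total, "dropped": dropped, "reduction_pct": pct}


if __name__ == "__main__":
    kept, stats = triage(SAMPLE_LOG)
    for line, reasons in kept:
        print(",".join(reasons), "<-", line)
    print(stats)
```

The sample is tiny, so the reduction is far below the 95-99% the page cites for production traffic; the point is the shape of the decision: drop known-good categories, forward first-seen zones and tunnelling-like names with a reason attached, and forward anything else unlabelled so the SIEM still sees it.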
Try Roksit free. No credit card required.