If your organization is like many, you've subscribed to external intelligence and/or you're using internal patchwork of threat intelligence within various departments—some information here, some information there that can't be used anywhere else—no way to integrate. And that means, you end up with gaps in your view of the threat intelligence and your defense across your infrastructure.

1. 1 | © 2013 Infoblox Inc. All Rights Reserved.1 | © 2016 Infoblox Inc. All Rights Reserved.
Infoblox Threat Intelligence Webinar
Sam Kumarsamy and Jon Abbe | March 23, 2017

2. 2 | © 2013 Infoblox Inc. All Rights Reserved.2 | © 2016 Infoblox Inc. All Rights Reserved.
Agenda
• Infoblox ActiveTrust
• Optimizing Threat Intel
• Security Challenges
• Next Steps

3. 3 | © 2013 Infoblox Inc. All Rights Reserved.3 | © 2016 Infoblox Inc. All Rights Reserved.
Cyber Threats
The industry is witnessing a paradigm
shift:
• Increase in digital economy
• Increase of digital channels
This translates into higher risks of cyber
threats and attacks.
60% Compound Annual Growth in
Cyber crimes, despite of increased
spend in security solutions and
products
Source: PwC Global State of Information Security Survey 2015 &
2016

4. 4 | © 2013 Infoblox Inc. All Rights Reserved.4 | © 2016 Infoblox Inc. All Rights Reserved.
Today’s Security Landscape
400+
VENDORS

5. 5 | © 2013 Infoblox Inc. All Rights Reserved.5 | © 2016 Infoblox Inc. All Rights Reserved.
The Disconnect..
Security You Often GetSecurity You Want

6. 6 | © 2013 Infoblox Inc. All Rights Reserved.6 | © 2016 Infoblox Inc. All Rights Reserved.
Leads to Ineffective Threat Intelligence
1. Source: Ponemon Institute, 2015 Second Annual Study on Exchange Cyber Threat Intelligence: There Has to Be a Better Way
Poor incident
response and
manual processes
70% 46% 45%
% of survey respondents
unable to prioritize the
threat by category1
% of survey respondents
lacked context for threat intel to
make it actionable1
of survey respondents
that felt Threat Intel is
not timely1
Lack of prioritization and context slows
remediation
Siloed Threat Intelligence impacts effectiveness &
trust

7. 7 | © 2013 Infoblox Inc. All Rights Reserved.7 | © 2016 Infoblox Inc. All Rights Reserved.
Gartner’s View on Silos
Silos between network, edge, endpoint and
data security systems and processes can
restrict an organization’s ability to prevent,
detect and respond to advanced attacks.
Best Practices for Detecting and Mitigating
Advanced Threats, 2016 Update 29 March 2016

8. 8 | © 2013 Infoblox Inc. All Rights Reserved.8 | © 2016 Infoblox Inc. All Rights Reserved.
Enforce policy using timely, consolidated & high quality
threat intelligence data
Improve incident response with consolidate threat
intelligence from multiple sources
Eliminate silos and accelerate remediation by centralizing
threat intelligence and sharing DNS IoCs with security
ecosystem
Investigate threats faster to free up security personnel
Timely access to context for threat indicators
Prioritize with network context
Optimize Your Threat Intelligence Operations with
Threat Intelligence Data Exchange (TIDE)
Threat Intelligence
Optimization

9. 9 | © 2013 Infoblox Inc. All Rights Reserved.9 | © 2016 Infoblox Inc. All Rights Reserved.
High Quality Threat Intelligence Data
• Timely
• Reliable
• Accurate
• Contextual
• Easy-to-use

10. 10 | © 2013 Infoblox Inc. All Rights Reserved.10 | © 2016 Infoblox Inc. All Rights Reserved.
Marketplace Data
• Single vendor
management
• Normalized content

11. 11 | © 2013 Infoblox Inc. All Rights Reserved.11 | © 2016 Infoblox Inc. All Rights Reserved.
RBL Zone File
Deploying Threat Intel Across Your Security Infrastructure
Infoblox
Marketplace
Custom TI
Single-source of TI management Faster triage Threat PrioritizationRESULT:
C2 IP List
Spambot IPs
C2 & Malware
Host/Domain
CSV File
JSON
Phishing &
Malware URLs
RPZ
WWW
DNS
SIEM
TIDE
Define Data
Policy,
Governance &
Translation
Dossier
Investigate
Threats

12. 12 | © 2013 Infoblox Inc. All Rights Reserved.12 | © 2016 Infoblox Inc. All Rights Reserved.
TIDE is bundled with ActiveTrust®
Proactively protect users against cyberattacks
Early detection and
prevention of
malicious
communications
Ecosystem
integrations
Rapid threat
investigation through
Infoblox Dossier
Threat Intelligence
Data Exchange
(TIDE)
Data exfiltration
detection and
prevention
Proactively Contain
Malware and Stop Data
Exfiltration using DNS
Collect and distribute threat Intel and
hasten threat investigation
Improved Visibility
and Context

13. 13 | © 2013 Infoblox Inc. All Rights Reserved.13 | © 2016 Infoblox Inc. All Rights Reserved.
ActiveTrust Standard ActiveTrust Plus ActiveTrust Advanced
Annual Subscription
Licensed By
Appliance by model Organization by
protected user
Organization by protected user
Zones (RPZs) – Infoblox
Infrastructure only
Standard (4) Standard (4) + Advanced
(5) + SURBL (2)
Standard (4) + Advanced (5) +
SURBL (2)
Infoblox Data via TIDE –
Third party infrastructure
No ONE of
 Hostnames or
 IP Addresses or
 URLs
ALL of
 Hostnames
 IP Addresses
 URLs
Dossier No (Cloud Services Portal
with threat lookup only)
32,000 queries/year 65,000 queries/year
ActiveTrust Tiers

14. 14 | © 2013 Infoblox Inc. All Rights Reserved.14 | © 2016 Infoblox Inc. All Rights Reserved.
Next Steps
Path to Engagement
• Learn more go to: ActiveTrust
Product Page
• Try Our Product – Free of
Cost & Risk
• ActiveTrust eval
• Download ActiveTrust Plus or
Advanced only to evaluate
TIDE
• For additional information
engage with your Infoblox
Account Manager

15. 15 | © 2013 Infoblox Inc. All Rights Reserved.15 | © 2016 Infoblox Inc. All Rights Reserved.
Q&A

16. 16 | © 2013 Infoblox Inc. All Rights Reserved.16 | © 2016 Infoblox Inc. All Rights Reserved.
Thank You

17. 18 | © 2013 Infoblox Inc. All Rights Reserved.18 | © 2016 Infoblox Inc. All Rights Reserved.
Infoblox ActiveTrust Standard – data sets
• Base – known malicious threats that are dangerous as destinations
• Malware – can take action/control of a system
• Ransomware – restricts access to system it infects and demands ransom be paid
for restriction to be removed
• Bogon – Bogon IPs are commonly found as source addresses of DDoS attacks,
have no legitimate use, and usually result of accidental or malicious
misconfiguration

18. 19 | © 2013 Infoblox Inc. All Rights Reserved.19 | © 2016 Infoblox Inc. All Rights Reserved.
Infoblox ActiveTrust Plus and Advanced –
additional data sets
• Malware - malicious or compromised IPs known to host threats that can take action on or control of system (e.g., malware
C&C, malware download, and active phishing sites)
• Bots - self-propagating malware designed to infect a host and connect it back to C&C/botnet
• Exploit Kit - distributable packs that contain malicious programs used to execute "drive-by download" attacks in order to
infect users with malware; target vulnerabilities in user’s machine (usually due to unpatched versions of Java, Adobe
Reader, Adobe Flash, IE, etc.) to load malware onto victim’s system
• Malware DGA – DGAs seen in various families of malware used to periodically generate large number of domain names
that can be used as rendezvous points with their C&C servers; examples (Ramnit, Conficker, and Banjori)
• TOR Exit Node – block entry/gateways to the TOR network (darknet) because many company network/security admins
believe these gateways (exit nodes) represents a risk worthy of blocking because of criminal activity associated with darknet
and since criminals have started using Tor as a malware C&C channel
• SURBL – see details on next slide

19. 20 | © 2013 Infoblox Inc. All Rights Reserved.20 | © 2016 Infoblox Inc. All Rights Reserved.
SURBL (partner) Threat Intelligence Feed
• Infoblox and SURBL data complementary and when used together, can
enable increased threat coverage
• SURBL data
̶ Multi domains - blacklist of roughly 800k+ malicious domains including up-to-
date intelligence on active malware, phishing, botnet, and spam domains
̶ Fresh domains - Newly Observed Domains (NOD); provides critical, accurate,
information on the time new domains are placed into service
• SURBL OEM license bundled with Infoblox ActiveTrust Plus and
ActiveTrust Advanced products for usage by Infoblox DNS Firewall (RPZ)
• SURBL Enterprise license available on Infoblox 3rd Party Threat Indicator
Feed Data Marketplace