After you define your network scope, your networks are automatically protected by the intelligence threat feeds that come with Infoblox Threat Defense, based on your subscription level. You can then set up additional security components such as custom lists, filters, security policies, and redirects.

...

A security policy is a set of rules and actions that you define to balance access and constraints, so you can mitigate malicious attacks and provide security for your networks. Infoblox Threat Defense provides a default global policy that gives you a head start in protecting your networks. You can review the default global policy and decide whether you want to add or remove some of the rules based on your business requirements.

...

You can create custom lists containing domains and IP addresses to define allow lists and block lists for additional protection. You can use a custom list to complement existing feeds or to override the Block, Allow, Log, or Redirect action that is currently defined for an existing feed. You can also add a custom list to multiple security policies, or multiple custom lists to one security policy, based on your business needs. When you use your own threat intelligence feeds, allow lists, and block lists with Infoblox Platform, you can apply your own security policies. Each custom list can contain as many as 50,000 records, and Infoblox Threat Defense supports up to 500,000 records across all custom lists. For information on setting up and configuring custom lists, see Custom Lists.

Filters

Infoblox Threat Defense provides two types of filters you can use to control internet content for users: category filters and application filters. Category filters are content categorization rules that Infoblox Threat Defense uses to detect and filter specific internet content. Based on your configuration, specific actions such as Allow or Block are taken on the detected content. Application filters are rules that Infoblox Platform uses to allow or deny specific applications, such as email, video conferencing, and others. For information on setting up and configuring filters, see Using Filters.

Intelligence Threat Feeds

Infoblox Threat Defense provides threat feeds based on your subscription level. For information, see Licensing and Subscriptions.

Default and Custom Redirects

You can configure Infoblox Threat Defense to redirect traffic to display the default or a custom redirect page. If you want to redirect traffic to a custom destination, you must first add the redirect IP or domain on the Redirect page. For information on setting up and configuring redirects, see Defining the Redirect Page.

...


Threat Insight

Threat Insight provides protection against data exfiltration that uses sophisticated DNS-tunneling techniques, and against DNSMessenger, DGA, and fast flux, by utilizing built-in statistics of the DNS infrastructure. These statistics can be used to detect and block data exfiltration using only DNS, with no additional endpoint software, security appliances, or network infrastructure. Threat Insight is always active in your subscription, but your organization can elect whether to use the threats it detects to block traffic.

Threat Insight uses patented technology that detects and automatically blocks data exfiltration via DNS without requiring endpoint agents or extra network infrastructure. It uses real-time streaming analytics of live DNS queries and machine learning to accurately detect the presence of potential data exfiltration activity within data queries.

Active Blocking of Data Exfiltration Attempts

By adding the destinations to a list for the RPZ-based mitigation, Threat Insight automatically blocks communications to destinations associated with attempts to exfiltrate data. Through the Infoblox Grid, which distributes updates to all Infoblox members with DNS Firewall and RPZ capability, Threat Insight scales enforcement to all parts of the network. Threat Insight provides visibility into infected devices and employees who try to steal data, and it provides identifying information, such as username (through Identity Mapping), device IP and MAC addresses, and device type. Reports generated by Threat Insight can be accessed through the Infoblox Reporting and Analytics server.

Unique Patented Technology

Threat Insight is a patented technology that uses machine learning and performs real-time streaming analytics on live DNS queries to detect data exfiltration. It examines host.subdomain and TXT records in DNS queries and uses entropy, lexical analysis, time series and other factors to determine the presence of suspicious data in queries.
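As an added illustration (not Infoblox's own analytics, which the page describes only at a high level), the Python below applies two of the signals named above, Shannon entropy and the length of the host.subdomain portion, to constructed query names, and adds a simple per-zone count of distinct subdomains as a volume signal. The thresholds, the assumption that the zone is the last two labels, and the sample names are all assumptions made for the example.

```python
import math
from collections import Counter

# Constructed sample query names (not captured traffic). The last two imitate
# the long, high-entropy subdomain labels produced by encoding data into DNS names.
SAMPLE_QUERIES = [
    "www.example.com",
    "mail.example.com",
    "cdn.assets.example.net",
    "a3f9c1e7b2d84f6091ab2c3d4e5f6a7b.x9k2.exfil-test.example",
    "q8v1zt7h3lk0p9mw5ys2ej6c4bnr1xa0dgf7u3i9.tun.exfil-test.example",
]

def shannon_entropy(s: str) -> float:
    """Bits per character of s; 0.0 for an empty or single-symbol string."""
    if not s:
        return 0.0
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())

def split_name(qname: str, zone_labels: int = 2):
    """Return (host.subdomain part, zone). Assumption: the zone is the last two labels."""
    labels = qname.rstrip(".").lower().split(".")
    if len(labels) <= zone_labels:
        return "", ".".join(labels)
    return ".".join(labels[:-zone_labels]), ".".join(labels[-zone_labels:])

def score_query(qname: str, entropy_threshold: float = 3.5, length_threshold: int = 30) -> dict:
    """Flag a name whose subdomain part is both long and high-entropy (assumed thresholds)."""
    sub, zone = split_name(qname)
    compact = sub.replace(".", "")  # measure entropy over the payload characters only
    ent = shannon_entropy(compact)
    return {"qname": qname, "zone": zone, "entropy": round(ent, 2), "length": len(compact),
            "suspicious": ent >= entropy_threshold and len(compact) >= length_threshold}

def flag_suspicious(queries) -> list:
    """Names that trip the per-query entropy-and-length heuristic."""
    return [r for r in map(score_query, queries) if r["suspicious"]]

def distinct_subdomains_per_zone(queries) -> Counter:
    """Volume signal: how many distinct subdomains each zone is asked for.
    A zone that keeps receiving never-before-seen subdomains is worth a closer look."""
    seen = {}
    for q in queries:
        sub, zone = split_name(q)
        seen.setdefault(zone, set()).add(sub)
    return Counter({zone: len(subs) for zone, subs in seen.items()})
```

In production these signals would be computed over a sliding time window per client and zone, which is the time-series aspect the page mentions; this block shows only the per-query and per-zone parts.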

Automated Security Response with Integrations

When an endpoint is trying to exfiltrate data, Infoblox provides indicators of compromise to endpoint remediation solutions such as Carbon Black. Using this intelligence, Carbon Black automatically bans the malicious processes from future execution and quarantines the infected endpoint. These actions accelerate security responses. Infoblox also exchanges security event information with Cisco Identity Services Engine (ISE) and provides robust RESTful APIs, which can enrich an enterprise's SIEM with additional contextual data.

  • Other Products Needed with Threat Insight: To ensure not just detection of data exfiltration but also enforcement of protection, Threat Insight must be deployed with Infoblox Threat Defense. Threat Insight creates an RPZ entry in all Infoblox appliances running security.

  • Hardware or Software Delivery Options: Threat Insight can run on physical or virtual Infoblox appliances, and it works on the following models of Infoblox appliances: PT-1405, TE-1415/V1415, TE-1425/V1425, TE-2210/v2210, 2215/v2215, TE-2220/v2220, 2225/v2225, PT-2200, PT-2205, IB-4010/v4010, V4015, TE-V4010/V4015, PT4000, IB-4030-DCAGRID-AC/DC, IB-4030-DCAGRID-T1-AC/DC, IB4030-DCAGRID-T2-AC/DC and IB-4030-DCAGRID-T3-AC/DC.

For additional information on Infoblox Threat Insight, see About Infoblox Threat Insight.