Detect the undetectable at the breach

This will be presented in English.

Chenta Lee (IBM)
14:5015:30 Thursday, June 20, 2019

必要预备知识 (Prerequisite Knowledge)

  • General knowledge of security in AI

您将学到什么 (What you'll learn)

  • Understand the important role DNS analytics play in insecurity operations
  • Learn what a DNS analytics playbook should look like, how to use it, and how advance DNS analytics to create a new dimension to look at security data

描述 (Description)

Detection of malware infection, data extraction, and abnormal activities are the top three things in security operations. It’s a false assumption that we can identify every asset in an environment and know its owner. The security industry tried for years to figure out a solution for it, but collecting logs and doing more integration are not the cure. If we cannot identify each asset in an environment, how do we answer the top three challenges that security analysts are facing? Can we identify a critical path that not only any software but also any malware needs to step on, so that we can at least have one single pane of glass to look at security postures? One of the critical paths that every software and malware needs to step on is DNS protocol.

Chenta Lee explains how DNS volumetric data and analytics complement each other to create a new dimension to look at security postures and how to leverage it in security operations. Not only is DNS simple enough to be the foundation of the World Wide Web; it also contains context depicting the network activities of every asset in an environment. For example, security analysts can see unclassified domains showing up in an environment. A good threat-hunting procedure could use it as a starting point to automatically poll back related indicator, including if this unknown domain ever shows up in other network environments, and the WHOIS data associated with it. A more advanced threat intelligence could even provide screenshots of a target domain and show how it evolved. Moreover, it can show you if any known bad actor is related to the WHOIS record.

To run a sustainable security operation, we need to spend minimum time on the most valuable security data. DNS analytics provide a single pane of glass to look at security postures and use it to bring in more security indicators to speed up investigations. Chenta walks you through how DNS analytics successfully brought unique security insights to customers by combining various analytics including distributed graph analytics (DGA), squatting, tunneling, rebinding, and fast fluxing detection. The company built a DNS analytic playbook elaborating how to anneal actionable threat intelligence from billions of DNS requests it collected in one day. In addition to volumetric data, he explains how DNS data and analytics complement each other to create a new dimension to look at security postures and how DNS supremacy could change the landscape of security industry in the future.

Photo of Chenta Lee

Chenta Lee


Chenta Lee is a senior software engineer at IBM Security Systems, where he’s the architect of IBM Security Network Protection and currently focuses on the network security in the cloud. His expertise includes emerging cloud technologies, with seven years of experience in cloud security products, as well as software-defined networking, virtualization and advanced threat protection.