Recent UK government-led developments in cybersecurity have resulted in the creation of the National Cyber Security Centre (NCSC), a new body tasked with taking a lead in the protection of government and critical infrastructure.

I wanted to share an interesting guest post from Matt Schofield, Principal Solutions Architect at NTT Security, who explains the use of one tactic to automate defences using new techniques with existing data sets:

Like most organisations, the NCSC recognises the challenges of scaling protection against cybersecurity risks and is looking at automation as one way to address it. One such capability the body is looking to extend is the scaling up of Domain Name System (DNS) filtering to defend against malware and its effects.

The role of DNS in the detection and prevention of malware is therefore being pushed to the fore, but how many organisations currently use it in a defensive role? In my experience as a solutions architect, I have often found DNS to be both misunderstood and underused. Yet it underpins pretty much everything we do (good and bad) in a connected world – without it, nothing works.

In the consumer space, DNS has been used by service providers as a way of providing rudimentary protection and, in some cases, for the questionable activity of pairing up consumers with advertisers. However, few enterprises use it for anything more than its intended purpose of resolving hostnames to IP addresses.

Besides DNS, another widely available ‘low cost’ indicator of malicious intent is network flow data. For these ubiquitous datasets it’s likely that the absence of detail and the sheer volume of data put security teams off collecting and analysing them. Like other difficult-to-scale problems, developments in technology have reframed the relevance of such datasets, and in the case of DNS and flow data machine learning is now being employed to analyse them at scale for signs of malicious intent. For DNS, and in particular the rise of Domain Generation Algorithms (DGAs), machine learning is being used to differentiate between legitimate and malicious domains; for flow data we have seen an emergence of technologies that analyse and enrich it to identify anomalous behaviour potentially associated with malicious intent.
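As an added illustration (not part of the guest post, and not NTT Security's or the NCSC's tooling) of how DNS query data can be screened for DGA-style names before a trained model is available: the thresholds, the sample query log and the naive registrable-label split are all assumptions made for the example.

```python
import math
from collections import Counter

# Constructed sample of DNS query log records (client IP, queried name); not real traffic.
SAMPLE_QUERIES = [
    ("10.0.0.5", "www.example.com"),
    ("10.0.0.5", "mail.example.org"),
    ("10.0.0.7", "xk3v9qzp1lwm8r.net"),
    ("10.0.0.7", "q7h2jd9fz4bnt1.info"),
    ("10.0.0.9", "cdn.static-assets.example.net"),
]

# Assumed thresholds for this illustration; a deployed filter would learn them from labelled data.
ENTROPY_MIN = 3.2
VOWEL_RATIO_MAX = 0.2
DIGIT_RATIO_MIN = 0.2

def shannon_entropy(text):
    """Bits per character; random-looking DGA labels score higher than dictionary words."""
    if not text:
        return 0.0
    counts = Counter(text)
    n = len(text)
    return -sum(c / n * math.log2(c / n) for c in counts.values())

def registrable_label(name):
    """Naive: the label left of the last dot (ignores multi-part suffixes such as co.uk)."""
    parts = name.rstrip(".").lower().split(".")
    return parts[-2] if len(parts) >= 2 else parts[0]

def dga_features(name):
    label = registrable_label(name)
    n = len(label) or 1  # avoid division by zero on an empty label
    return {
        "entropy": shannon_entropy(label),
        "vowel_ratio": sum(ch in "aeiou" for ch in label) / n,
        "digit_ratio": sum(ch.isdigit() for ch in label) / n,
    }

def is_dga_like(name):
    """High entropy plus few vowels or many digits is the classic DGA signature."""
    f = dga_features(name)
    return f["entropy"] >= ENTROPY_MIN and (
        f["vowel_ratio"] <= VOWEL_RATIO_MAX or f["digit_ratio"] >= DIGIT_RATIO_MIN)

def flag_clients(queries):
    """Group DGA-like lookups by client so an analyst sees which hosts to investigate."""
    flagged = {}
    for client, name in queries:
        if is_dga_like(name):
            flagged.setdefault(client, []).append(name)
    return flagged

if __name__ == "__main__":
    for client, names in flag_clients(SAMPLE_QUERIES).items():
        print(client, names)
```

The same feature functions can feed a classifier once labelled benign and DGA domains are available, which is the machine-learning step the post refers to.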

As we have discussed in other blog posts, innovation – in particular cognitive intelligence – should be a serious consideration for organisations looking to reduce risk and even more so where the data sets for analysis are both readily and ‘freely’ available within the enterprise.