From around the globe, it's theCUBE with digital coverage of the next level network experience event, brought to you by Infoblox.

Okay, welcome back everyone. It's theCUBE's coverage and co-creation with Infoblox, next level networking event, virtual event. John Furrier, your host of theCUBE. We're here with Craig Sanderson, Vice President of Security Products at Infoblox, to talk about securing the borderless enterprise. Obviously Infoblox, we've had a variety of different conversations. Craig, welcome to theCUBE.

Thank you, thanks, great to be here.

Remote CUBE, we're not in person, but since it's COVID-19, we're doing our best to get the stories out. And one of the things I want to chat with you about is, with COVID-19, this shift to remote working is interesting, and the word work is interesting, yet workforces, which are people, workplaces, which are locations, which is now home, workflows and workloads, all work related, right? So if you think about the enterprise, just the disruption to the business model around this unforeseen, almost 100% VPN usage maybe, or you've got all this remote action, no one could have foreseen all this coming. How has this shift changed the security paradigm and posture for enterprises?

Yeah, I think for a lot of the customers that we talk to, Dave, a lot of them have been thinking about digital transformation for some time. What COVID has really done is rapidly expanded or accelerated the need for them to think about what their digital transformation plans are. And unfortunately for some organizations who may be not as far down the line as others, they've looked at their current implementation for remote access, and the traditional security models are perimeter-based, and they've found that in this current environment, where suddenly you've gone from only a partial set of your workforce being remote to now all of them being remote, and their applications, their data, their users are all kind of spread any time, any place, anywhere, the traditional models don't really work. So what this has caused a lot of organizations to do is to really accelerate their digital transformation plans. And quite often for some of those organizations, they've realized that they've had to make the move relatively quickly, because their traditional architectures have just not been designed for this level of disruption that digital transformation has had on their businesses.

Give some examples of how companies have either been flat-footed, caught on their heels, kind of pushed back and saying, wow, we got caught off guard, to ones that kind of had it in place and managed the pandemic well. What's the difference? Can you just give some color commentary around the profile of who got it right, or somewhat right, and some that have gotten it wrong or are struggling?

So I think the ones who've got it right are the ones who were already thinking about digital transformation. They're looking at the fact that a lot of the applications that their consumers or their users are consuming, increasingly they're going to be in the cloud anyway. So the traditional architecture of, well, all the good stuff's on the inside and the bad stuff's on the outside, that simply doesn't work with cloud. And those organizations who are looking at, obviously, cloud deployments for their applications, SD-WAN, IoT, those organizations have had to be thinking about how they can secure those devices, the applications and users in a way that is going to be ubiquitous, the fact that you can deploy the security controls wherever those applications, users or devices are going to be. So those organizations were already starting to think about how they can build a networking architecture that is going to be suited for digital transformation and, by extension, they've been recognizing that the security model has to change. So because they were much further down the path, really, this has been an acceleration. For those organizations that said, well, I'm not really interested in cloud, I'm worried about the risks associated with cloud and things like that, they've tended to try and stick or cling to the old traditional model. Where they've really run into trouble now is, this model just doesn't work. And now the decision's almost been taken out of their hands with COVID, because now their users are not on the corporate network. They can't build a wall around those users. They now have to provide protection for a user who's potentially not even using a device that they can control. So for those organizations who were already thinking about cloud and SD-WAN and IoT, because of that digital transformation effect, they've been starting to think about security. For those who have not thought about that or have tried to push that off, they're the ones who've been caught somewhat flat-footed. And now they're being forced to make a decision which they may not actually feel comfortable or ready to go off and do.

Yeah, Craig, I was talking to a friend the other day and we were riffing on how COVID-19 really kind of exposes, almost like the tide going out as that tsunami comes, you can see everything, all the scabs and all the problems. And then we started talking about the whole work-at-home situation. This is probably the biggest use case of IoT in real life, because you can really see it play out, not just a factory or a sensor or device at the edge of the network. These are people doing work, right? So this whole IoT edge, it's about addressability. So I have to ask you, because we've talked with you guys earlier in other segments around this next level networking experience, I love the word experience, but next level networking means next level. So DDI is an abstraction, DDI being DNS, DHCP and IP address management. How does the security piece fit in? Because certainly, yes, at home you've got a bunch of IoT people running their stuff from their home networks, so remote access. And you've also got the business to run, which includes everything that's connected to the network now. And it literally is borderless. So I like that term. So how does DDI security fit into that?

Yeah, I mean, it's part of having the experience. I mean, one of the things that's changed, I mean, I've been in security over 20 years, and probably about 10 or 15 years ago as a security guy you could come back and you had a veto, you could come back and say, well, no, we're not going to roll this thing out, these applications or these services, because it's a risk to the business. Now, in a lot of the CCOs that I've talked to, that veto has gone away. If this application is going to get rolled out, we're going to run this service, security has to catch up. Now what you can't have, from a seamless experience point of view, is to say, well, okay, you've now got a wonderful application experience, but then it gets ruined by all the security controls that are very invasive. So what organizations are having to do is to think about how you can build a seamless networking architecture that can also seamlessly include the security as part of that. And so you can still have the security the organization needs without it becoming a massive disruption to the experience. And one of the good examples is, for a lot of organizations, their remote access, going back to the COVID example, is based on VPN. VPNs are cumbersome, they have troubles with passwords and all these sorts of traditional issues associated with the user experience from a VPN perspective. I mean, a lot of the users don't have the patience to deal with that. And they don't necessarily follow all the necessary security controls. So people are being forced to rethink how they can build the quality application experience underpinned by a digitally transformed network, but at the same time making sure you can layer in, at a foundational layer, the security functions as well. And that's where a lot of organizations who are a little bit more forward thinking understood that and started to think about DNS as essentially this ubiquitous platform, which is already there and can already provide the sort of security services by default. Because, going back to your example about IoT, one of the jokes from one of my friends is, for every IoT offering there's a separate IoT security offering. And one of the things that was quite a light bulb moment for us is, if you're trying to secure all these heterogeneous IoT devices, well, one thing they have in common: they're all going to get an IP address, they're all going to use DNS. So what people have to start to do is to try and make security seamless. It has to be built into the foundations. It can't be this extra thing that you kind of glob on the side, because it then ruins the overall experience for the users. The nice thing about DNS is it's ubiquitous and you can apply the security regardless of what the endpoint and application is, because the common denominator is they get an IP address and they use DNS.

And DNS has such a great track record over the years of having layers of abstractions on top of it to keep pace with the functionality. And it's really been an operating model, and you bring up the different security packages and postures for each thing. And you mentioned the old days, the security guy, oh, no, we're killing that. No, we're going this way. Yeah, that was the operational model. But now with DevOps, you brought up cloud earlier, DevOps has proven that agility, speed, scale can work. And how does security catch up? It's an operating model. So this is really kind of the key epiphany is, hey, VPNs, that's not the experience that people want. And I was just talking to someone from Amazon this morning in another interview segment, and the discussion was new expectations, new solutions. So that's kind of what we're seeing right now. So how do you enable that at speed without screwing over the operations people, right? Because they've got to be operationally, I need to be really rock solid. So you need automation, you've got to have those factors and requirements built in, but you've got to have the agility for development. Here we go.

Yeah, absolutely. I mean, we see that especially, one of the things about it is, because DNS is essentially ubiquitous, you can apply similar security controls regardless of the environment. So right now I'm stuck at home because of the COVID virus. So again, I'm going to use DNS. I go through one of our cloud platforms. I have DNS applying security controls there. But within the same thing, because DNS works as one ubiquitous system, and it's like how the internet works with DNS, is that quite easily, not only can you block malicious threats for myself, but also you can push that same block mitigation to a DNS server that's running in AWS. So if your workload, that may also have been compromised, is trying to go to the same malicious domain, it can also be blocked by DNS. And so that ubiquity, the fact that it's built as this ubiquitous system. I mean, one thing that's very different in the networking world, standards are great. We can plug different things together. They all kind of fit together nicely. In security, it's not normally the case. It's normally you've got this jigsaw puzzle where all the pieces don't really fit together. The nice thing with DNS is it's absolutely ubiquitous. So one basic example is, if I try to go to a malicious domain and I try to steal data over DNS, not only would we be able to block it, but we'd also be able to dynamically share that mitigation to all of the on-prem DNS servers, the DNS servers you run in your public or private cloud, and for all the other remote users. So the fact you've got this pre-built fabric, and it's not that we're security geniuses, it's just that it happens to already be there because of DNS and how DNS has been developed over the last 30 or 40 years. So I think the nice thing about it, a lot of organizations are starting to realize that you've got this foundation already there. Ostensibly, it's there for networking purposes, but the ability to repurpose all the core assets of DNS, the scalability, the flexibility, the adaptability, the ubiquity, all those things are there by default. Why don't you use that as the new foundation for that next gen security architecture?

And you know, you've got me as a fan, I'll say that right away, because you're thinking about the simplicity of going to the low level building block in DNS. It fits with what I said earlier, the future of work, the word work, workplace, workforce, workload, workflows. No matter what it is, it works across. So it's a consistent primitive. I mean, it makes total sense. Why would you want to have different things? So again, this brings up the whole foundational level of DDI that's got my interest. And I want you to explain this for folks, because I think it's not obvious. Abstractions are pretty clear. People get abstraction layers, reduce complexity and increase functionality and capability. But DDI, which you guys have from a foundational security standpoint, is kind of the unique thing Infoblox has. How is DDI different from other offerings in the security stack?

Yeah, I think the one thing that's probably unique, especially when it comes to DNS, is the fact that it's built together as this ubiquitous system, and it's there by default. I mean, otherwise the internet just wouldn't work. So the nice thing is that if you deploy a DNS system here, we deploy it as a grid. So whether it's the appliance running on-prem or sitting in a public cloud, or even for roaming users who are going through one of our points of presence, it works as one big ubiquitous system. Whereas you take traditional firewalls, you're configuring these devices separately and you have to try and manually stitch it together. And you take multiple different vendors and it doesn't quite fit neatly together. DNS is based on the standard. You could take a DNS server from Mars and a DNS server from another company, and because it's based on standards it will work seamlessly together. In fact, the threat mitigation mechanism, where you distribute threat intelligence to tell the DNS what are the malicious domains or IP addresses to block, is based on so-called response policy zones. That's been part of the DNS standards since 2010. And it works seamlessly across multiple vendors, whereas in the security world, as I said, it's kind of like a jigsaw where you get all the pieces together that you think you need, and then the burden is always on the customer or the organization to then piece these things together. And it's a jigsaw that doesn't fit together. And then obviously that burden will cause a hell of a lot of issues for a lot of the customers.

I've got to ask you, since DNS is so foundational, it's an element in all internet activities. Obviously, you know, URLs are DNS strings actually. So everything's based on DNS, how it resolves. So what about the, how would you respond if someone said, hey, you know, I don't even know if DNS is still around. I know it's palm. It's underneath there somewhere. I don't even have to deal with it. It just runs things. We've been using it for years. What's the big deal? So how do you go in and say, hey customer, hey enterprise, you're now borderless. I get the pitch, but they have DNS. How do they modernize it? How do they assess it? How do you go in? Some of the young kids don't even know what DNS even is. I mean, like, so how do you go in, how do you approach that? And what's the pitch? Because they've got it and it's an opportunity to innovate. What's the story there?

I have really two aspects to it. The first one, I mean, DNS is a bit like oxygen. If it's not there, you really do notice it. Just take when we had the Mirai botnet attack a few years back. All these organizations suddenly realized how important DNS is. And there's a reason why DNS is the number one attack vector for DDoS attacks. If I'm an adversary, I could try and take out individual applications. It's going to take me forever. I take out your DNS, everything's going to stop. I mean, it's that foundational.

It's Mark Baum for Knackers No Problem, yeah.

Yeah, right, exactly. So for that reason, that's why it's constantly targeted. So firstly, my first pitch to customers is you've got to take this stuff seriously, because when it goes down, everything is down. And the impact to your organization, not just from a brand reputation, but just from running your business, it's going to be huge. But on top of that, the way to think of DNS is, the nice thing is, you don't have to change your network architecture. If you think about a typical user who clicks on a phishing link, when they click on the phishing link, who's going to see the malicious request first? Is it your firewall? No, your DNS server. Because you make the request, you have to resolve the malicious domain that you're going to try and connect to. You need to find out the IP address of it. So your DNS server, it has been proven in multiple studies that the vast majority of malware uses DNS as its control plane. So if you want to understand what the bad guys are doing, you know, your DNS server has got a front row seat to exactly what the bad guys are doing. And to influence security with it, you don't have to change your network architecture, because your DNS is already there by default. All you need to do is infuse it with security knowledge, whether that is machine learning analytics or threat intelligence. But those DNS servers are ideally positioned. They're going to see the malicious activity regardless of what the application is. So it's foundational, not just in terms of, if it's not there, it's going to cause a massive issue for your environment anyway. But even if you secure the DNS, the DNS is also this wonderful tool that is in all the right places. And it's also deeper into the network. One of the challenges you mentioned about operations is, it's okay, you can block malware, but if you don't know the source address of the device that is actually trying to make the request, you don't know what to go and clean up. Whereas your DNS server, your DHCP server, knows exactly who it is, because we handed out the IP address, we know the MAC address, we know the IP address, we know the username. We have all that information that is going to be critical for security operations. And now you can see, with what we're talking about, maybe the Forrester report, you'll start to see that organizations are waking up to the fact that you have this treasure trove of security operations data that you haven't tapped, largely for political reasons, because the security guys can't reach over and grab the necessary DDI network context from those DNS platforms, because typically they're owned by the networking or the serviting.

Before we get into that Forrester report, I think that had some threat investigation data. What you're getting at about this DNS is that basically it's critical infrastructure. And if you try to forget about it because it works, you lose sight of the real opportunity, which is, if it's critical infrastructure, you've got to treat it like critical infrastructure and make sure it's modernized, refreshed, in the right position to manage all this, right?

Absolutely, absolutely. Yeah, it's unfortunate, with the Mirai botnet attack, a lot of organizations said, well, okay, we'll just outsource this, we don't have to worry about it. But when it wasn't there, and it wasn't the fact that, I mean, it was an attempt to take out Minecraft servers, nothing to do with most of the businesses that were impacted, but there was a lot of collateral damage. And unfortunately, it's one of those things, because DNS is a victim of its own success, the fact that it is reliable, it is consistent. You don't have lots of DNS outages, typically. As a result of that, people tend to forget how critical it is, the role it plays in serving all of your applications and all your users.

Let's get into the Forrester report, because they surveyed hundreds of security and risk management leaders, both compliance and also security pros that are using DNS. What were your key thoughts on the takeaways from that study? What should people know about it?

It's very encouraging. I've been at Infoblox about five years, and when I first joined, the usage of DNS as network context, as a way to help with security operations, was very, very low. And that causes all sorts of issues for organizations when it comes to doing security operations. I mean, a prime example is that the guys who work in security operations, that is the biggest issue for customers right now. They've bought almost too much security gear, and each of those security tools and platforms, they're generating security events. So you're getting security events from your firewall or from your IPS or from your NAC system or whatever it happens to be. And the burden now falls on the security operations team, and it's been proven that there's huge amounts of open opportunities because there just isn't enough trained security operations staff. And the ones who are already in the business are massively overworked and struggle to get through all the security events that have been firing from those security operations tools. So what I was encouraged by from the Forrester report is that organizations are realizing that DHCP is going to help you be able to identify the fact that these two security events that seem completely separate, one's got a source address of 10.1 and the other one's 20.1, well, you know what? This laptop moved from one side of the building to the other and got a different address. It's actually the same device. But based on the traditional security events you're getting from the existing tools, you know, you're going to think it's two separate events and they're not. Likewise, one of the things that's come out is that people start to use DNS as an audit trail. I mean, one of the challenges for organizations is, if you get a data breach, what's one of the first questions a journalist is going to ask you? It's like, well, what is the scope of the breach? What was impacted? And quite often organizations are not prepared. They come back and say, well, at this stage we don't know. That's a great way for a CEO or a CSO to get fired. So a smarter way of doing it is, if you think about it, you've got a device that's under investigation. The DNS queries that that machine's been making is a wonderful audit trail of not just the external resources it's been accessing, but also the internal resources as well, what has been potentially exposed. So I think from the Forrester report we're certainly seeing people realizing where the biggest challenge is, security operations. Essentially the DDI data is almost like the oil that's going to grease the wheels of security operations. And if you don't do that, finding more security gear is not going to make the problem better. It's actually going to make it worse unless you can operationalize it.

Yeah. At the end of the day, the failure is right there in the low level critical infrastructure. You know, a building falls, no one cares what happened on the 10th floor, the foundation's gone. Right. I've got to get your thoughts on this, because as you guys have DDI, its abstraction DNS, you know, as it's grown has had its evolutions with abstractions. You know, as these things kind of flex, there used to be an old expression, DNS tricks, you know, you would mangle DNS and it was a naming system. So you use it the way you use it, and then new innovation layers create more upside and take away complexity. How does DNS scale and enable value? Because now you've got cloud, you've got cloud native, new software's being written and developers want to rely on the DNS as critical infrastructure but also want to be enabled to have, you know, really robust applications.

Yeah. I think, given the fact that all the work has been put into DNS over the last 20 or 30 years, what has resulted is a very highly available, very resilient system. And so a lot of stuff has to go wrong for DNS to fully go down. And if you even just take things like anycast, anycast allows you to connect to the nearest DNS server that's going to give you the resolution. So it's going to give you the best performance. This is also going to give you the high availability and resilience that goes along with that. And I think also, from the security guy's point of view, one of the things that we've started to realize is that DNS is a great avenue where we should detect somewhat unique threats. So one of the things that comes up quite a lot, we start to see old malware being re-weaponized to exfiltrate data over DNS. So if you're a DevOps guy and you're building your new application, if someone compromises your application, if I try to extract the data over HTTP or email, you probably have a solution for that. But how many organizations have visibility into the billions of DNS queries that are going to come out of your network in a day? Which ones of those might actually be data that has been stolen? It gets encoded, encrypted, chopped up and sent out in DNS packets. It's very difficult for traditional security appliances to understand and really differentiate between legitimate DNS requests, the malicious ones, and actually the ones from benign applications that essentially tunnel over DNS because they're trying to bypass firewalls. So increasingly DNS is a threat vector for, basically, data loss. It's also important to understand it really gives you a window into what the adversaries are doing. So not just when it comes to data exfiltration, but other things like domain generation algorithms that allow adversaries to maintain control of devices that they compromise. So a lot of that stuff is not just about the high availability and the ubiquity of DNS, but also making sure that you can be fully on top of the potential impact of DNS being exploited as a potential backdoor out of your network.

Critical infrastructure, but also that's where you're going to see the footprints of any kind of activity right there. It's a great observation space as well for detection and analysis. Great stuff. Craig, thank you for taking the time. Great insight, great conversation. DNS is critical infrastructure. Get on it, and people aren't on it. They're going to go to the next level. Getting the next level networking experience is about having that security always on, high availability and protecting the bed. Guys, Craig, thanks for joining me on this CUBE conversation for the Infoblox virtual event.

Thank you. Good pleasure, thanks for having me.

Okay, this is CUBE coverage of Infoblox's next level networking virtual event. I'm John Furrier, host of theCUBE. Thanks for watching.