HP Labs technology underpins HP ArcSight DNS Malware Analytics, a new solution from HP Security

Guest_Blogger

Contributed by Simon Firth, freelance technology journalist


Yesterday at HP Protect, the company’s annual enterprise security user conference in National Harbor, Maryland, HP introduced HP ArcSight DNS Malware Analytics (DMA), a security solution based substantially on research conducted at HP Labs.


HP ArcSight DMA inspects network traffic associated with the Domain Name System (DNS), a fundamental building block of how the internet works. DNS maintains the mapping between domain names, like www.hp.com, and IP addresses, like 15.216.111.22. Because almost every piece of malware has to resolve names before it can reach its command-and-control infrastructure, the lookups an infected host makes tend to give it away. By inspecting DNS packets, DMA can identify servers, desktops, and mobile devices that have been infected by malware, helping users quickly detect high-risk threats, reduce the impact of data breaches, and enhance the overall security of their systems.


The technology began life at HP Labs several years ago, notes Bill Horne, HP’s Director of Security Research. “HP’s internal IT team wanted to collect our own DNS traffic,” he recalls, “and it turns out that’s really hard because you have to do it at scale – HP, for example, processes about 16 billion DNS packets a day.”


Screen shot of HP ArcSight DNS Malware Analytics dashboard


Still, the sheer data volumes were highly challenging. “So we devised a system that throws out 99% of the logs,” explains Horne. “We use models to figure out what we can be confident are safe DNS queries and responses, and those we discard. That allows us to focus on the 1% that’s potentially suspicious.” That still left a lot of data – roughly 180 million packets a day – but a volume that ArcSight, HP’s enterprise security event management platform, could easily handle.


Collecting this amount of data is hard in itself, and operations engineers are reluctant to turn on query logging on DNS servers because of its performance impact. Worse, DNS server logs typically lack information needed to reveal threats: a query log, for example, usually records what was asked but not the response code, the answers returned, or their TTLs. The Labs team instead captured DNS traffic passively with network packet sniffers, which had no effect on DNS server performance and yielded a more revealing data set than logs alone would have provided.
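The two mechanisms described above, parsing fields from captured DNS packets that server logs usually omit, and discarding the exchanges a model is confident are benign, are shown in the following Python example. It is added for this page and is not HP's or ArcSight's code. It parses hand-constructed DNS messages using only the standard library, then applies a stand-in "model" built from simple heuristics (a small allowlist, the response code, and the entropy of the first label). The post does not describe HP's real model or its thresholds; the `KNOWN_GOOD` allowlist, the entropy cut-off of 3.0 bits, the 12-character label length, and all packets are assumptions constructed for illustration.

```python
"""Passive DNS parsing plus model-based discarding of confidently-safe exchanges.

Added example for this page, not HP/ArcSight code. All packets below are
constructed by hand; the allowlist and thresholds are illustrative assumptions.
"""
import math
import struct
from collections import Counter

# Stand-in for the learned "safe" model: in practice this would be derived from
# the organisation's own resolution history, not a static list (assumption).
KNOWN_GOOD = {"www.hp.com", "www.example.com"}
MIN_SUSPICIOUS_LABEL_LEN = 12   # assumed threshold
MIN_SUSPICIOUS_ENTROPY = 3.0    # bits, assumed threshold


def parse_name(buf, off):
    """Decode a DNS name at `off`, following RFC 1035 compression pointers."""
    labels, jumped, end = [], False, None
    while True:
        length = buf[off]
        if length == 0:
            off += 1
            break
        if length & 0xC0 == 0xC0:            # pointer: 2 bytes, top two bits set
            ptr = struct.unpack("!H", buf[off:off + 2])[0] & 0x3FFF
            if not jumped:
                end = off + 2                # caller resumes after the pointer
            jumped, off = True, ptr
            continue
        off += 1
        labels.append(buf[off:off + length].decode("ascii"))
        off += length
    return ".".join(labels), (end if jumped else off)


def parse_dns(buf):
    """Extract the fields a sniffer sees but a query log typically omits."""
    txid, flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", buf[:12])
    off, questions, answers = 12, [], []
    for _ in range(qd):
        name, off = parse_name(buf, off)
        qtype, _qclass = struct.unpack("!HH", buf[off:off + 4])
        off += 4
        questions.append((name, qtype))
    for _ in range(an):
        name, off = parse_name(buf, off)
        rtype, _rclass, ttl, rdlen = struct.unpack("!HHIH", buf[off:off + 10])
        off += 10
        rdata = buf[off:off + rdlen]
        off += rdlen
        if rtype == 1 and rdlen == 4:        # A record: render dotted quad
            rdata = ".".join(str(b) for b in rdata)
        answers.append((name, rtype, ttl, rdata))
    return {"id": txid, "is_response": bool(flags & 0x8000),
            "rcode": flags & 0xF, "questions": questions, "answers": answers}


def label_entropy(label):
    """Shannon entropy in bits of the characters of one label."""
    n, counts = len(label), Counter(label)
    return -sum((c / n) * math.log2(c / n) for c in counts.values())


def classify(rec):
    """Return (keep, reason). keep=False means the model is confident it is benign."""
    if not rec["is_response"]:
        return False, "query: judged on its response instead"
    qname, _qtype = rec["questions"][0]
    if rec["rcode"] != 0:                    # e.g. NXDOMAIN, typical of DGA/C2 probing
        return True, "non-zero rcode %d" % rec["rcode"]
    first = qname.split(".")[0]
    if len(first) >= MIN_SUSPICIOUS_LABEL_LEN and label_entropy(first) >= MIN_SUSPICIOUS_ENTROPY:
        return True, "high-entropy label %r" % first
    if qname in KNOWN_GOOD:
        return False, "allowlisted by model"
    return True, "domain not known to the model"


def triage(packets):
    """Split raw DNS messages into the kept (suspicious) and discarded (safe) sets."""
    kept, discarded = [], []
    for pkt in packets:
        rec = parse_dns(pkt)
        keep, reason = classify(rec)
        (kept if keep else discarded).append((rec["questions"][0][0], reason))
    return kept, discarded


# --- constructed test traffic -------------------------------------------------
def encode_name(name):
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in name.split(".")) + b"\x00"


def build_packet(txid, qname, qtype=1, response=True, rcode=0, a_records=()):
    """Build a minimal DNS message; answers use a pointer (0xC00C) to the question name."""
    flags = (0x8000 if response else 0) | 0x0100 | rcode
    hdr = struct.pack("!HHHHHH", txid, flags, 1, len(a_records), 0, 0)
    msg = hdr + encode_name(qname) + struct.pack("!HH", qtype, 1)
    for ttl, ip in a_records:
        rdata = bytes(int(o) for o in ip.split("."))
        msg += b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, ttl, len(rdata)) + rdata
    return msg


SAMPLE_PACKETS = [                           # constructed, not captured traffic
    build_packet(0x1001, "www.hp.com", response=False),
    build_packet(0x1001, "www.hp.com", a_records=[(300, "15.216.111.22")]),
    build_packet(0x1002, "www.example.com", a_records=[(86400, "198.51.100.7")]),
    build_packet(0x1003, "xk3j9qz7pl2w.example.net", rcode=3),
    build_packet(0x1004, "q7h2k9zx4m1pv3.example.org", a_records=[(60, "203.0.113.5")]),
]

if __name__ == "__main__":
    kept, discarded = triage(SAMPLE_PACKETS)
    for name, reason in kept:
        print("KEEP    %-30s %s" % (name, reason))
    for name, reason in discarded:
        print("DISCARD %-30s %s" % (name, reason))
```

The order of checks matters: the response code and label-entropy tests run before the allowlist so that an allowlisted zone serving a suspicious name is still kept, and queries are dropped only because the matching response repeats the question and carries strictly more information; a production filter would also need to keep queries that never receive a response.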


As they developed a solution, Horne’s team realized that the DNS data could also reveal attacks originating from within HP’s own network, that is, from internal hosts that had already been infected.

The information proved to be a goldmine. “We pulled it all into an HP Vertica platform and very quickly we started detecting all kinds of interesting things, including evidence of malware that hadn’t been detected yet by any other method,” Horne says.


As a result, HP Labs and HP IT worked together to deploy the malware detection service for HP’s own network and it soon proved itself by sending valuable alerts to HP’s Security Operations team. The obvious next step was to offer it to HP customers to help protect them from similar threats.


Now implemented as HP ArcSight DMA, the service has analyzed the DNS traffic of one of the world’s largest corporate enterprises, where it has shown a consistent 100-million-fold reduction in DNS data and a 20-fold reduction in false positives compared with other malware detection systems.


Looking ahead, Horne’s team will help evolve HP ArcSight DMA’s analytics to reflect the state-of-the-art. “What I really liked about this project,” adds Horne, “is that we solved a big, important security problem for HP.  Because of our size, if we can solve a problem for HP, then we can pretty much solve it for anyone. Now we’re looking for ways in which we can repeat that success.”


Comments
Shane Francis

How can I learn more about ArcSight and when will it be available to the general public?

Regards,
Shane
