UltraDNS Detection And Response (UltraDDR) FAQs

What is Neustar Security Services UltraDNS Detection & Response (UltraDDR)?

UltraDDR is a cloud-based DNS-layer cyber threat detection and response service that identifies and mitigates attacks, such as malware and ransomware, before they proliferate, independent of protocol, for devices inside and outside your network.

How does UltraDDR identify malicious domains?

Most solutions address malware, ransomware, phishing, and supply chain attacks using reactive approaches: an infection occurs, the circumstances are researched, and resulting intelligence is applied to prevent the attack vector from having a future impact. UltraDDR’s approach is fundamentally different - it focuses on what happens before the attack occurs. Before an attack can be launched, bad actors need to pre-stage “adversary infrastructure” that provides malware with instructions on what actions to take (command and control infrastructure), and the sites that phishing fraudsters build to convincingly look like the legitimate target websites.

These actions must occur before they can launch the first attack, send the first beacon, deliver the first phish, and before they can exploit any intrusion. NSS focuses on discovering and mapping this adversary infrastructure and then leverages this knowledge combined with real-time communication pattern analysis to identify and prevent attacks before they happen, thus shifting to a proactive security paradigm.

How does UltraDDR Differ from Cisco Umbrella?

UltraDDR fundamentally determines maliciousness differently than Umbrella does by using three core components: a proprietary adversary infrastructure data lake, the real-time decision process, and the “Watch Engine.” UltraDDR is continuously discovering and mapping adversary infrastructure and populating the results into UltraDDR’s proprietary adversary infrastructure data lake. Utilizing machine learning, UltraDDR continuously updates the relationship graph as billions of data items are ingested daily.

UltraDDR watches the Domain Name System (DNS) for outbound queries and therefore understands what domains and infrastructure devices inside the enterprise are trying to communicate with.

For each DNS query, UltraDDR performs a real-time decision process that results in a stoplight classification — green (permitted), yellow (suspicious), or red (malicious) — based on the knowledge in the data lake, the communication patterns, and associated elements. During this real-time decision process, for any communication deemed suspicious (yellow), UltraDDR utilizes its “Watch Engine”, a unique capability that performs further advanced analysis on suspicious communications that ultimately determines whether to move to block or greenlight.

Do I need to turn off my EDR solution to use this? Will UltraDDR replace my EDR, antivirus, or any other thick-client security application?

No, you do not need to turn your EDR solution off. UltraDDR is complementary to any EDR solution you use by providing proactive protection when a user makes a DNS request out to the public internet. UltraDDR compliments your existing security solutions with authoritative knowledge of attacker infrastructure and unrivaled domain-based intelligence.

How do I implement your solution?

To implement the UltraDDR solution, first speak with your NSS account team and obtain a portal login by providing the main user’s email address of the account. Then you will need to provide a list of netblocks that NSS expects recursive queries from, your company name, user account name, and if you need API access.

How do I identify who has malicious traffic going out to the Internet?

UltraDDR provides portal and API reporting for your locations and/or deployed clients to determine where malicious DNS requests come from.

Can I enforce an acceptable use policy (AUP) both on and off-premise?

Yes. UltraDDR can be used to customize and easily enforce corporate internet usage policies at the user level to improve productivity and ensure global workforces aren’t distracted by non-compliant sites. Administrators may choose from 17 categories to block: Malware and Ransomware, Phishing, Spyware, Hacking/Warez, Anonymous Proxies, Gambling, Adult, Pornography, Violence, Social Media, Dating, Drugs, Alcohol, Sports, Bots (C2), Gaming, Discrimination/Hate.

Users that are on your premises are automatically protected when UltraDDR is used as your organization’s recursive DNS solution. For users that are off your premises — or for hybrid scenarios in which users can be on-premises or off-premises at-will, your administrators can deploy UltraDDR agents onto your users’ devices to ensure UltraDDR policy is enforced. The UltraDDR Agent is will soon be available for Windows, macOS, iOS, and Android platforms.

How is UltraDNS Detection & Response (DDR) different from a Secure Web Gateway (SWG)?

An SWG provides multiple functions that your enterprise may or may not need with protective DNS being just a component. In a Secure Web Gateway, all the traffic from your users goes through a web proxy and is evaluated. This can lead to performance issues. With UltraDDR, your organization finds malicious activity more quickly and accurately at the first step in the kill chain. The decision-making is based on DNS queries made from company users or equipment, eliminating the bottleneck in network traffic that a SWG creates.

Will this solution integrate with both internal and external name resolution for tasks such as file sharing, printing, Exchange, etc.?

Yes. Your on-premises recursive nameservers will continue to resolve queries for internal resources. UltraDDR will resolve queries for internet-based traffic.

Will UltraDDR integrate with my full-tunnel VPN?

Yes, though please check with your NSS Sales Engineer to ensure your VPN has been tested with UltraDDR.

Does UltraDDR have a “policy violation” or “splash page” for AUP blocks?

Yes, when a site is blocked, UltraDDR can be configured to ensure that a “block page” is shown to the user.

Download PDF

Under DDoS Attack? Relief Begins Here!