|
This video is part of the appearance, “Infoblox Presents at Security Field Day 14“. It was recorded as part of Security Field Day 14 at 13:30-15:30 on September 24, 2025.
Watch on YouTube
Watch on Vimeo
This hands-on session follows the earlier briefings and goes straight into the Infoblox Security Portal. We’ll trace malicious activity from first DNS lookup to automated enforcement, show how verdicts are backed by Infoblox Threat Intelligence, and walk through incident triage and policy tuning. Expect practical coverage of policy creation, exception handling, and integrations that extend protection across endpoint, network, and cloud. You’ll leave with a clear view of day-to-day operations and the metrics that matter. Speaker Kevin Zettel began the demonstration by outlining the five flexible deployment options for Infoblox’s threat defense solution. These include a lightweight endpoint agent for rich user attribution, physical or virtual NIOS appliances, NIOS as a service with IPsec tunnels for cloud and SASE environments, and a simple external resolver configuration. Zettel emphasized that these methods can be mixed and matched, and even without an endpoint agent, the system uses Universal Asset Insights to enrich data, providing crucial context like the specific device, user, and MAC address for every DNS query. He also confirmed that Infoblox provides comprehensive threat feeds for IPs, URLs, and hashes that can be exported to firewalls to counter adversaries who might pivot away from DNS.
Transitioning to the live portal, Zettel showcased the main dashboard, which provides immediate KPIs on the security of the DNS infrastructure. He highlighted the value of “predictive intelligence” and a key metric called “first to detect,” which demonstrates to customers that Infoblox knew about malicious domains on average several weeks before an employee ever clicked on them. The portal offers a detailed, asset-centric view, allowing security teams to identify at-risk devices, trace their entire IP address history across the network, and review all associated security and policy violations. This capability is critical for incident triage, enabling an analyst to quickly understand the scope of an infection and identify other potentially compromised systems by seeing everywhere a device has been.
To demonstrate how security verdicts are backed by intelligence, Zettel navigated to the threat intelligence section, which shows customers which specific threat actor “cartels” are active in their environment and the exact malicious domains their users have accessed. To make the massive volume of DNS data actionable for security operations (SOC) teams, he introduced an AI-powered feature called “Insights,” which automatically correlates millions of individual events into a handful of manageable incidents. For deeper investigation and policy tuning, the integrated “Dossier” research tool allows an analyst to click any indicator (domain, IP, etc.) and receive a consolidated report from over twenty different tools, providing the full context needed to validate a threat and make informed policy decisions.
Personnel: Kevin Zettel