NIS 2 Enforcement Webinar: Get Your DNS Ready

Standing by

00:00 – 02:19

Good morning everyone. We will wait a few minutes for everybody to join.

We still have a few more people joining, so we will wait one or two more minutes.

Hello to everyone who joined us in the last few minutes. We are waiting one more minute to allow everybody to join.

Okay, so we will start. Welcome everybody, and good morning. Welcome to the NIS 2 DNS Security webinar.

Introduction

02:29 – 05:01

My name is Yaelle Harel. I am EfficientIP’s Product Marketing Manager responsible for cybersecurity solutions. I have been focusing on cybersecurity for more than 15 years now, and I am honored to co-host this webinar with Alexandre Chauvin-Hameau, who will introduce himself.

Hello everyone, I am Alexandre Chauvin-Hameau. I am Product Manager for EfficientIP, and I have been working on the business for a few years. I am happy to be with you today.

Let’s take a step back and talk about GDPR. If we go back to 2016, the European Parliament adopted GDPR. Back then, it was still very vague. Organizations did not fully know what it would become or what its impact would be.

In 2018 and 2019, when GDPR started to be enforced, we began seeing incidents and fines. In 2019, GDPR fines reached around €71 million, and by 2023, they had reached much higher amounts, with the overall sum of GDPR fines reaching approximately €4.5 billion.

On the graph, you can see the average amount of fines per month. It is not consistent: some months include very severe incidents with extremely high fines.

Why are we talking about GDPR now? Because there is a strong relationship between GDPR and NIS 2.

A Google Trends screenshot taken a few weeks before the webinar compared searches for “GDPR” and “NIS 2.” In 2018, when GDPR enforcement started, many people searched for GDPR. Moving forward to April 2024, we can see many people searching for NIS 2.

This is not a coincidence. It shows a real trend: the cybersecurity community is gearing up for the regulation because organizations understand that once regulations start being enforced, they need to be ready and protected in order to avoid fines and other consequences of non-compliance.

NIS 2 Adoption Progress

05:10 – 09:56

Let’s now look at what European countries have done so far to get ready for the NIS 2 Directive.

The most important organization when we talk about cybersecurity in Europe, and of course about NIS 2, is ENISA, the European Union Agency for Cybersecurity.

ENISA is responsible for European cybersecurity resilience through different actions such as guidance, training, expert advice, and other measures to help European countries improve their cybersecurity posture.

ENISA is also preparing for NIS 2. They have created a four-step plan to help Europe prepare for the directive.

The first step is enhanced support. ENISA already provides support to different member countries and sectors, with a special focus on critical sectors, helping them get ready for NIS 2 with guidance and advice.

The second step is resource allocation. ENISA has allocated experts who will train and support different organizations in preparing for NIS 2. They have also prepared equipment and tools needed for activities such as risk assessment.

The third step is risk evaluation. ENISA is taking different steps to assess risks, including assessing threats affecting European countries and organizations. They also help organizations assess their own risks by providing guidance and specific risk assessment tools.

The fourth step is policies and laws. ENISA helps member states develop laws and regulations that will allow them to enforce NIS 2 and transform it from a generic directive into an actual enforceable law.

At EfficientIP, we conducted research to assess the readiness of different European countries for NIS 2. As a reminder, by October 2024, organizations had to comply with NIS 2, meaning that countries had started preparing for that deadline.

There is a lot of diversity between the readiness levels of different countries.

To score each country, we looked at several criteria. Countries that already had laws enforcing NIS 2 received a higher score. We also considered readiness in terms of training, awareness among organizations, and the establishment of committees or authorities responsible for enforcing the directive.

Hungary was at the top of the list, followed by Germany, the Czech Republic, and Switzerland. Then, we had many European countries, including France, that did not yet have specific laws in place but already had guidance and instructions to prepare for NIS 2.

At the bottom of the list, we saw the UK, Poland, and Norway. Even though the UK and Norway are not part of the European Union, it is important to note that they have decided to follow the NIS 2 Directive and prepare for it as well.

Let’s take a closer look at the Hungary case study.

Hungary is a good example because it shows what enforcement could look like in other countries. Hungary started much earlier than many other countries.

In April 2023, Hungary already included NIS 2 in its law, meaning it could enforce the directive, issue fines, and take related measures.

In January 2024, critical sectors were already required to follow the NIS 2 Directive.

In June 2024, all organizations and entities needed to report to the Hungarian cybersecurity authority.

In October 2024, proactive measures were expected to begin.

By December 2024, organizations had a deadline to register for their first audit, well before many other countries.

Hungary expected organizations to start passing audits by December 2024. This timeline can be seen as an example of what other countries may follow, each with their own timeline.

NIS 2 Overview

10:03 – 11:38

We have talked a lot about NIS 2, but let’s now explain what it actually means.

NIS 2 comes from a previous directive called NIS, now often referred to as NIS 1.

In July 2016, enforcement of the original NIS Directive began. The idea was to create a common European standard for cybersecurity and to help different countries enforce cybersecurity rules, improving the overall cybersecurity posture across the European Union.

In December 2020, there was already a proposal for the NIS 2 Directive, with the goal of expanding the entities covered by the regulation and strengthening cybersecurity resilience and requirements.

In November 2022, NIS 2 was formally adopted by the European Parliament.

In January 2023, NIS 2 entered into force. This meant that countries were already required to prepare for NIS 2, but they were given time to get ready for actual enforcement and fines.

October 2024 was the deadline for transposition of the directive into national law. Countries had to create laws enforcing NIS 2 and establish organizations responsible for monitoring and enforcing the directive.

January 2025 was the first key deadline for organizations themselves. Entities had to report information to the relevant committees or authorities selected in their countries and begin demonstrating compliance.

NIS 2 Sectors

11:46 – 13:44

What are the main changes introduced by NIS 2 compared with NIS 1?

One of the most important changes concerns the covered entities.

The sectors covered by NIS 2 are almost double those covered by NIS 1. But this is not the only change.

Another important change is the default approach. Under NIS 1, an organization had to be specifically listed as covered by the directive. Under NIS 2, the logic is reversed: organizations and sectors are considered covered by default unless they are specifically exempted.

This means that many organizations should assume that they are required to comply with NIS 2.

Another major difference is that non-European companies and organizations may also be required to comply with NIS 2 if they provide services to European countries.

For example, if an American organization provides services to France, Germany, or any other EU country, it may fall under the NIS 2 regulation and be exposed to fines.

What is also interesting is that, in addition to company size and revenue, if a non-European company provides services in a European language or uses a European currency such as the euro, it may be impacted by NIS 2 compliance requirements. This could potentially affect many companies around the world.

DNS Security & NIS 2

13:53 – 17:01

What is NIS 2 actually about when it comes to organizations and what they need to do?

NIS 2 is composed of four key elements:

Risk management, incident handling, business continuity, and reporting and disclosure.

The first element is risk management. As mentioned in Article 21 of the regulation, entities are required to take measures to reduce risk. This includes continuous monitoring, risk minimization, and the use of solutions and processes that reduce cybersecurity risks.

The next element is incident handling.

According to the NIS 2 Directive, incident handling includes the full security incident lifecycle: prevention, detection, analysis, containment, response, and recovery.

Organizations are expected to have procedures, technologies, and processes in place to prevent incidents and recover when incidents occur.

The next element is business continuity.

This is not only important for the regulation, but also as a general best practice. One of the strongest motivations for taking security measures is making sure that if an organization is under attack or faces a cybersecurity incident, the business can continue operating.

The network needs to remain operational. To do this, organizations must create plans in advance, have technologies that help them recover during an attack, maintain backups, and implement other business continuity measures.

Even with strong risk management, organizations can still be attacked. They need to be prepared.

The last element, and one of the main focuses of NIS 2, is reporting and disclosure.

This is not surprising because one of the main purposes of the directive is to improve collaboration between countries.

Reporting plays a key role in this collaboration. When an organization experiences an incident, it must report it as soon as possible, and within 24 hours at most.

This is a very short deadline. Anyone working in incident response or SOC teams knows how challenging it can be.

The reason for this requirement is to encourage collaboration between organizations and across borders, in order to prevent incidents from escalating to other organizations and other countries.

We will now move to the next part of the webinar: the role of DNS security in meeting this regulation.

The Role of DNS Security

17:09 – 19:48

NIS 2 is a regulation that provides guidelines. For a long time, we have known that organizations need to take action to comply with this kind of regulation and, more importantly, to keep the company operating.

In this second part, we will focus on DNS and what can be done with DNS.

As a reminder for those who are not deeply familiar with DNS technology, DNS is a targeted element of the infrastructure.

Hackers use DNS frequently because it is critical for business. If DNS breaks, the company will probably stop working.

DNS is a very old protocol. It is open by design and was not secured by design. Even though improvements have been made over the last 40 years, it remains a very open protocol.

It is also difficult to protect DNS only from outside the DNS layer. Firewalls and other security tools can help, but they are probably not sufficient in every case.

DNS is a target, and DNS-related attacks can be very costly.

According to figures from a recent IDC study, incidents involving DNS can cost more than one million dollars. In most cases, they can lead to downtime for applications, cloud applications, and access services. They can also cause significant damage, including data theft.

Data theft is typically one of the cases that must be disclosed under NIS 2.

In terms of impact, downtime is usually the most important consequence of DNS attacks. When DNS is broken, generally speaking, nothing works. But organizations can also suffer brand damage and business loss.

The figures are high, which is why organizations need to focus on what can be done with DNS.

How DNS Security Can Help

19:55 – 20:04

Let’s now deep dive into DNS security and what organizations can do.

We will use the four NIS 2 pillars and first focus on risk management.

Risk Management

20:13 – 25:56

DNS is generally part of an ecosystem called DDI, which stands for DNS, DHCP, and IPAM.

Within DDI, IPAM plays an important role because it is where organizations manage their IP plan and their knowledge base of what is running on the network.

It helps identify what types of devices are being used, whether they are active or not, and where they are located.

With all the assets organizations now have, both on premises and in the cloud, it is very important to have this kind of information repository.

IPAM helps provide visibility. Since DNS is part of DDI, it can leverage information from IPAM and other repositories to perform better security controls.

One of the key tools for DNS security is filtering.

DNS sees almost everything because it is often the first step in any communication on the network. When a user or device tries to reach an application, there is usually a DNS request at the very beginning. This happens transparently, but if DNS does not answer, the user will not be able to access the application.

This makes DNS a strategic point where filtering can be introduced.

EfficientIP proposes filtering capabilities on top of its DNS technologies. This filtering can be based, for example, on threat intelligence feeds. If a domain has a bad reputation and is listed in a threat data feed, it can be blocked by DNS, making the application or malicious resource more difficult to reach.

This is a good way to start blocking threats such as malware and ransomware located directly on employee devices. It can also work for IoT devices, where there may not be an employee behind the device and where the device itself may have a lower level of protection.

To further improve this filtering process, EfficientIP developed an innovation called Client Query Filtering.

Client Query Filtering sits on top of the DNS engine. The DNS can still operate as a standard DNS service, transparently resolving domain names into IP addresses for clients, but it can also apply filters based on multiple lists.

For example, the DNS can block specific clients from accessing certain applications or destinations that are included in lists.

This is a powerful way to perform filtering.

These rules are grouped into what EfficientIP calls policies. A policy is a set of lists combined together: lists of clients, lists of destinations, and technical DNS elements such as query type or answer type.

Once the policy is created, the engine can start blocking specific traffic.

Logs can also be pushed back to other tools in the ecosystem for deeper analysis.

For example, organizations can block malware or phishing domains for all clients on the network, or only for specific clients. Client Query Filtering is innovative in this area.

When talking about what to block, it is important to remember that threats can have different levels of danger.

One interesting area is Domain Generation Algorithms, or DGAs, which are used by malware and ransomware to get instructions from outside.

A DGA can be used to download a payload, trigger a specific action, download an algorithm to encrypt data, or simply receive information about when to start acting.

For example, malware may spread across many machines before starting its malicious activity. This is often done through new domain requests that go through DNS.

Organizations therefore need to identify and block DGAs.

EfficientIP has built innovative capabilities to detect DGAs before they become fully active. This is based on the analysis of large amounts of data and clustering techniques. By analyzing how clients evolve around a DGA, EfficientIP can detect and block suspicious activity.

Incident Handling

26:05 – 29:23

Sometimes bad things happen, and organizations experience incidents.

In these situations, DNS must be able to perform specific actions. If DNS simply breaks or continues trying to resolve malicious traffic, it may not be the right strategy.

That is why EfficientIP integrated specific countermeasures into its DNS engine.

The basic countermeasure is blocking traffic. We already discussed this. But blocking traffic can block an entire device or even an entire network, which can have a strong impact on productivity and application access.

At the DNS level, EfficientIP can apply a more elegant action: quarantine.

Quarantine is innovative because the user or device can still access what is already known. Business applications already used by other devices remain available, even if the device may be infected.

However, anything new in terms of DNS resolution can be blocked for a certain period of time.

This is useful because it supports continuity of service while containing suspicious behavior at the DNS level.

EfficientIP applies this through specific rule sets. In general, it does not require a large number of rules. With three, four, five, or six rules, it is possible to protect entire networks.

A rule defines how to apply a measure based on DNS-level statistics, which client is concerned, and what remediation should be applied, such as quarantine.

Of course, sometimes there may be an issue where traffic is blocked or a user is placed in quarantine. In that case, investigation is needed.

This is typically where SOC teams need a lot of data to work with.

If DNS has blocked a client or placed one or more clients in quarantine because they tried to access suspicious domains, the team can investigate the domain further: why the traffic was blocked, what kind of domain it is, and what threat it represents.

EfficientIP provides a tool for this investigation. It is updated in real time and helps SOC teams, security teams, and even network teams investigate threats at the domain and DNS level.

For example, in the case of a high-level threat such as phishing, the tool can provide technical information, screenshots if there is a website behind the domain, and information about how that domain has been used over the last few days on the network.

This helps SOC teams perform investigations while staying at the domain and DNS level.

Business Continuity

29:31 – 32:00

Sometimes, something goes seriously wrong. Even then, DNS can still help.

This is why EfficientIP implemented a continuity option in the DNS engine through DNS Guardian.

DNS Guardian helps the DNS engine protect itself.

The system inspects all DNS traffic for each transaction between DNS clients, devices on the network, and the domains that need to be resolved.

The entire DNS traffic is analyzed client by client. The system can apply specific blocking or quarantine measures.

If DNS is really under attack, DNS Guardian can protect itself and the devices behind it by entering a rescue mode.

This can happen if DNS clients are performing an attack, for example after malware has spread across many devices and starts attacking the DNS layer. It can also happen if the recursive path back to the internet is not working properly, if there is a network outage, or if there is a DNS problem on the internet side.

In rescue mode, the DNS resolving function works differently. It provides information from the cache itself.

This allows continuity of resolution, even if the information is not completely fresh. In many cases, this is acceptable and allows users to continue accessing applications while the organization is under attack or experiencing an internet-side issue.

This is important because it provides business continuity during a large incident or a major attack.

Reporting & Disclosure

32:07 – 35:14

For all DNS-related activities, organizations need reporting and disclosure capabilities.

Under NIS 2, if there is a problem, organizations need to provide information within 24 hours. This is very fast, so investigation tools are necessary.

EfficientIP provides two types of tools at the DNS level.

The first allows teams to deep dive into traffic: what domains have been resolved, whether threats were involved, and whether suspicious domains were contacted.

This information can come from the threat intelligence database.

The tool provides graphs showing the traffic and the number of threat domains that devices tried to resolve. It also provides information about the domains themselves, allowing teams to investigate each domain.

At the DNS level, teams can access statistics, metrics, and information about clients and the domains they tried to resolve.

All this information can be used by SOC teams and security teams to build a case, perform their investigation, and provide information to their local cybersecurity authority. If the impact is very significant, the information may also be provided to European cybersecurity bodies.

Because DNS provides a lot of information, it can also feed the broader security ecosystem.

Organizations often have security tools such as log analysis platforms or SIEM systems that can perform correlation.

The goal is not necessarily to push all DNS traffic into these tools, because that would generate a very large amount of information and may not be useful.

Instead, it is more useful to push events, such as: this user was blocked, this IP address was placed in quarantine, or this domain was blocked inside the traffic.

This kind of information can be pushed to a SIEM.

If the organization has the ability to do so, it can also trigger countermeasures. For example, if an IP address is placed into quarantine at the DNS level, the organization may also take action at the NAC level, on a firewall, or on another security device.

This enables security automation.

DNS is a rich source of information that can feed the security ecosystem.

DNS Security Helps Meet NIS 2 Requirements

35:21 – 36:59

NIS 2 introduces many obligations for European companies, and also for some companies based outside Europe that provide services in Europe.

Across the four major pillars of NIS 2, DNS can help.

DNS is not the only thing organizations need to address. It is far from that. But DNS is a good starting point if organizations have not yet acted.

DNS security can support NIS 2 requirements by helping organizations maintain DNS service under stress, block suspicious activity, quarantine devices, analyze traffic, detect strange behavior from devices, protect IoT environments, and provide statistics and data back to SIEM and other security tools.

In all these areas, DNS can help organizations meet NIS 2 requirements for this part of the infrastructure.

It is also important to remember that DDI, with IPAM and its data repository, helps organizations better understand their infrastructure and make sure they do not forget devices, sites, or assets.

Q&A

37:08 – 54:28

Question 1: Is AI really a game changer in cybersecurity under NIS 2, or is it just another buzzword?

AI, and especially machine learning in cybersecurity, is very important.

Attackers are becoming more sophisticated. If we compare attacks today with attacks from 10 or 20 years ago, we would not be able to detect modern attacks with technologies from that time.

Attackers are evolving. They also use machine learning and AI to generate attacks. They have more computing resources and other tools to perform attacks.

So yes, AI is really important in cybersecurity. It is used to develop different technologies, including those mentioned earlier.

Many cybersecurity solutions today use AI to provide faster responses, faster detection, better anomaly detection, better detection of unusual traffic behavior, and other capabilities.

In addition, when looking at DGA detection, attackers are now using techniques to change algorithms between different versions of malware or DGA algorithms. We have started to see larger changes involving LLM-based AI technologies.

It is becoming easier to build new malware or ransomware using available tools and AI-generated algorithms. Organizations need to stay aware of that and find the right countermeasures.

Question 2: Does EfficientIP offer a domain security feed?

Yes. EfficientIP offers a DNS security feed called DNS Threat Pulse.

DNS Threat Pulse is built using different technologies, including AI-based technologies. It includes anything related to DGAs, which are among the most advanced attacks, but it also aggregates more standard types of threats such as malware, ransomware, and phishing.

It also includes elements that are not always considered threats today, such as newly observed domains.

A newly observed domain is a domain that has just appeared on the internet. This information can help customers apply specific filtering policies.

For example, an organization may decide that it does not want devices to resolve domains that have just appeared on the internet. It may prefer to wait a few days or even a month before allowing access.

Combined with Client Query Filtering, this provides a higher level of control.

Organizations can use information such as phishing classification, newly observed domains, or DGA detection to create security policies and adapt the feed to their security strategy.

Customers do not all use the feed in the same way. It depends on the type of security they want to apply on their network.

Question 3: Can you give an example of an attack involving DNS?

There are many attacks involving DNS.

One example is phishing, where DNS can be used as part of the attack chain.

Another interesting example is the Snake malware. This malware has existed for many years and is associated with Russian government-linked entities. It was used for espionage and data theft.

The FBI managed to shut it down after many years of activity.

In an analysis published by CISA, DNS played an important role in the Snake attack.

One way the attack used DNS was to communicate outbound and inbound traffic. Snake used character strings resembling domain names and concealed data before the first period in the domain name.

These strings, originally byte arrays, were obfuscated and encoded as Base32 text, then sent as DNS requests. This made the traffic resemble legitimate DNS requests and allowed data to be transmitted covertly.

After sending the encoded DNS request, Snake parsed the returned information and used DNS responses as part of the covert channel.

This is only one part of the attack that used DNS traffic, but it is an interesting example.

DNS can also be used for data exfiltration through DNS tunneling. In some cases, people also use DNS tunneling not necessarily as a cyberattack, but to bypass mobile data fees, because DNS traffic is sometimes not counted in the same way by telecom operators.

This can be seen more often in some regions, although it also happens in Europe.

Question 4: Is Client Query Filtering based on the DNS Threat Intelligence feed?

Client Query Filtering and DNS Threat Pulse can be combined.

Client Query Filtering is a DNS technology at the DNS engine level. It performs the filtering function.

It can be fed by DNS Threat Pulse or by another type of feed. Customers can also build their own feed.

Together, Client Query Filtering and DNS Threat Pulse provide a strong approach to securing the network at the DNS level.

Question 5: Who keeps the list updated? Can customers add their own entries?

Customers can manage their own lists at the DNS level.

When EfficientIP provides a feed such as DNS Threat Pulse, customers can combine it with other feeds and add their own entries to build their own policies.

Most customers do this, for example to allow certain traffic they need to reach. If they are building their own application with a new domain, they may want that domain to be accessible.

Customers can build allow lists or deny lists and combine them together.

Question 6: Are DNS entries marked as bad or malicious based only on EfficientIP rules, or also from other sources?

EfficientIP’s feed can integrate information from other feeds as well.

EfficientIP performs curation on this information and can inject bad reputation domains into its own feed.

Question 7: What is the license model for the security features?

It depends on which security feature is being discussed.

If we are talking about the engine itself, such as Client Query Filtering, countermeasures, or quarantine, these are embedded in DNS Guardian as a product.

DNS Guardian has a specific license that can be added on top of EfficientIP’s DDI solution.

If we are talking about DNS Threat Pulse, that has another pricing model. It can be used with DNS Guardian to perform advanced policies, but it can also be used with a standard DNS Firewall from EfficientIP.

Question 8: When do you expect EU governments to demand penalties from companies that do not meet NIS 2 requirements?

It is difficult to predict.

At the time of the webinar, Hungary was the only country with actual laws in place to enforce NIS 2.

Based on the NIS 2 timeline and deadlines, enforcement was expected to begin in 2025, after countries had put enforcement laws and authorities in place by the end of 2024.

However, this is only a prediction.

It is also important to remember that, in the meantime, the original NIS compliance framework and GDPR are still in force. Organizations can already face penalties under existing European laws.

Question 9: Customers have multiple attack vectors, not only DNS. Are there collaborations between vendors to help customers succeed?

Yes, this is part of the broader security ecosystem.

EfficientIP works more through vendor-based integrations. There are not many multivendor organizations that manage this type of collaboration because it is complex.

EfficientIP aims to provide tools through APIs to retrieve information from DDI and DNS, and also to provide events through webhooks or other mechanisms to feed other vendors’ tools.

EfficientIP has specific integrations with NAC vendors and firewall vendors, for example.

The best approach is to share useful information, not necessarily all traffic or volumetric information, because that is difficult to process and does not always provide the right triggers.

DNS events are more useful. For example: “I blocked a user who tried to access a specific domain.”

This is an important event that can easily be pushed out of EfficientIP to a data bus, through an API call, or toward another tool or piece of equipment.

This is the kind of cooperation EfficientIP proposes.

Question 10: What support does EfficientIP offer to help ensure compliance with the NIS 2 Directive?

EfficientIP offers a DNS Risk Assessment tool.

This tool helps organizations evaluate their security level related to DNS security.

Organizations can reach out through the EfficientIP website, contact the sales team, and use the tool to assess cybersecurity risk around DNS.

Closing

54:02 – 54:28

Thank you everyone for joining us.

We will send you the recording of the session together with the deck shortly after the webinar.

If you have additional questions, you can reach out to either of us through LinkedIn or email. We will be happy to answer any questions you may have.

Thanks a lot, and have a good day.