united red and blue lines
Blog Product Updates

Iris Detect: A New Way to Discover and Monitor Hostile Domains

Introducing Iris Detect

I’m super excited to announce our newest product: Iris Detect. This release is an initial realization of a vision we had many years ago to rethink and rebuild a product that we pioneered well over 10 years ago, brand protection in the DNS.   For years I have argued that brand protection is security, and that things as simple as lookalike domain detection are fundamentally important to security posture. These efforts are not the purview of the Marketing department or the Legal department but rather the Security organization, leadership, and budget.  Every company that markets, transacts, and works (employees) online, which is to say nearly every company on the planet large or small, needs to be vigilant not just about brand abuse but about how brand impersonation and phishing techniques are the entry point for over 90% of security incidents worldwide every year.  Through this lens we knew that if DomainTools could get better at preventing the compromise of networks, employees and customers we could make significant and material impacts to the security posture of every organization. Enter Iris Detect.

What is Iris Detect?

Iris Detect is an all-new technology designed to detect and monitor newly-created domains that imitate brands, company names, or any other term the user might choose. It builds on core strengths of both DomainTools and Farsight Security, monitoring the Internet at global scale and in near real time to discover potentially hostile domains nearly as soon as they are registered.

What Does Iris Detect Offer to You?

Simply put, time and awareness. We know that adversary infrastructure is often registered, used, and discarded within hours. This places brand protection, digital risk management, and security teams in a reactive stance; often the first signal of a new domain spoofing their properties comes with a phishing email or a counterfeit eCommerce site. DomainTools Iris Detect aims to disrupt that cycle by giving you the earliest possible warning of these domains.

But just early warning is not enough; for many companies, the volume of lookalike domains is high. Iris Detect has two main functional areas to assist with this. The first is to provide you with as much detail about these domains as possible, to give your team a leg up in triaging the new discoveries. The screenshot helps give an idea of this detail.

The second is the Watchlist. If you identify domains that may represent a threat, but whose status is currently ambiguous, you can add these to the Watchlist. Iris Detect will then track changes to those domains, notifying you via email or the Detect API when changes have been discovered. This way, your team can focus on the many tasks on their plates without having to manually review the suspicious domains.

When it’s clear that a domain is malicious, Iris Detect offers two forms of escalation. By escalating the domain to Google Phishing Protection (directly from the Iris Detect UI or API), you can leverage the protections Google puts into Chrome to protect millions of users. But it’s not just Chrome: Mozilla Firefox and Apple’s Safari browsers also pick up these blocking rules. The other escalation mechanism is to mark the domain as blocked, which allows a script against the Iris Detect API to pass these domains on to other teams or security controls within your organization to block them in email, web, or other filtering controls.

What Makes Iris Detect Different?

It’s the best at what it does.  For over 20 years, DomainTools has been a pioneer in timely and thorough domain discovery and context. Monitoring the DNS at scale and at speed is an enormous and ongoing challenge.  We aim to be great at this because we believe there is real value created when you can intersect everything happening “inside the firewall” with what can capably be seen outside the firewall.  We’re not a company that’s pretty good at a lot of things.  Instead we want to be very very good at a few things, and make sure those few things matter A LOT.  DNS matters a lot to security.  Security matters a lot to us.  Hence the doubling down by acquiring the outstanding team, data and technologies of Farsight Security. And hence Iris Detect. 

There is more to come; this is just the beginning of our renewed focus on Detection as a pillar of security posture.  Iris Detect exists because a very large number of DomainTools employees believe in the vision of this product and because of their enduring commitment to its realization.  I want to say thank you to everyone who has contributed thus far and to those that will continue to do so going forward.  The fundamental engineering of the Iris Detect platform and architecture will be the basis for important new product development work in 2022 and beyond. I should also thank the wider information security community, whose research, know-how, and passion have raised the state of the art in defense and analysis, and forced us to be better at every step of the way. And thank you also to our Customers, whose insights, feature requests, and partnership with us have been invaluable. This is an auspicious day for many reasons, but the greatest of them is the opportunity Iris Detect gives us to live our commitment to making the Internet a safer place for everyone.

We invite you to join Security Evangelist, Tim Helming, and Principal Product Manager, Grant Cole, for a webinar introducing Iris Detect.