Aligning Domains, Security, and Brand Protection in 2025

Disclaimer: Please be advised that this recorded webinar has been edited from its original format, which may have included a product demo and other engagement features. To set up a live demo, please complete the form above on our website. If you currently are not on our website and are watching this on our YouTube channel, there's a link to the website in the description of this video. Thank you.

Christy: Hello, everyone, and welcome to today's webinar, "Aligning Domains, Security, and Brand Protection in 2025." My name is Christy DeMaio Ziegler, and I will be your moderator.

Joining us today is Elliott Champion, Walt Fry, and Mark Flegg. Elliott is the Senior Director of Technology for Brand Protection at CSC in our DBS headquarters, where he is responsible for our industry-leading proprietary technology and product strategy. Walt is our Senior Director of Technology for Domains at CSC, responsible for developing the products and platforms that protect and optimize the domain portfolio of the world's largest companies. Mark is our CSC's Senior Director of Technology, Security Products and Services and is responsible for advising a global client base on digital risk and the preventative measures brands can take to safeguard their digital assets. And with that, I'd like to welcome Elliott, Mark, and Walt.

Walt: Thank you, Christy. And thank you, everyone, for joining our Second Annual CSC Cybersecurity Webinar to discuss how to create a comprehensive digital brand security strategy. Mark and Elliott, it's great to be with you again, and I know that you've been very busy discussing these issues in conferences, events, and webinars this year. We're excited to bring domains, DNS, certificates, brand protection, and anti-fraud protection into one discussion today.

So I know that one aspect that keeps us very busy is that things are always changing. So we're going to start off today by discussing the key trends that we see in the security landscape in 2025. Of course, AI is a part of that. So we're going to address the AI-driven threats and how that's changing the landscape as well. We're going to take a look at some recent events in the industry that are really a real good example of why you need that comprehensive strategy, and then why aligning your digital, security, and brand stakeholders really provides for the best governance approach.

So there have been some significant developments and trends that are emerging over the past year. Mark, I'll turn to you. What should people be aware of in the domain security space?

Mark: Yeah, if they're not already aware, I think the biggest change in the industry is around SSL certificates. Hopefully, everybody on the webinar today is aware that by the time the 15th March 2029 comes along, we'll be down to 47 days for certificates' maximum lifetime instead of the year that we enjoy today. But more importantly, 10-day reuse on what we call Domain Control Validation, DCV. This is going to make certificates a lot more cumbersome to manage. And I'm not talking about, oh, yeah, you've got to replace that cert eight times a year instead of once. I'm talking about living with the risk because it's got the opportunity to expire eight times a year instead of once. So that's probably the biggest thing. And because we've deprecated WHOIS email validation as an industry, that means there are only technical solutions left for DCV — web token or DNS token. So that's probably the biggest change that's going on right now.

Walt: And Mark, I think there's a lot that's happening around security and compliance as well, right? I think you've done a lot of research on compliance regulations.

Mark: Yeah, we've done a lot, and a lot of it's being generated by Europe, the European Union, things like NIS2, for example, Network Information Security Version 2, an EU directive that came out on October 17th last year. Not all member states have implemented it properly yet. So there's a definite long burn-in period. But this is kind of forcing people to pay attention to the smaller things that they can solve from a threat perspective.

We have other things like DORA, and I think a lot of people already try and work to the NIS framework to have good practice. But these legislations from the European Union, and it's for anybody doing business there. If you read the document, it's like GDPR for IT. The fines are very similar in the way they're structured. So it's something that the business is going to have to take note of for the remainder of this year and beginning of next.

Walt: And Elliott, what should people be aware of in the brand and fraud space?

Elliott: Yeah, thank you. I think it's already an extremely dynamic environment, so you kind of expect the unexpected. But I think over the last 12 months we've really seen an incredible boom in the social media space, particularly when it comes to social media infringements.

So we have over 1,500 customers around the world. And looking just at that customer base, existing customer base, not the many customers that are joining us, we've seen a doubling of the amount of social media enforcements that we've done. This is really interesting, and I think it kind of ties to a number of different topics.

So one is people's usage and habits and the fact that many of our customers, our stakeholders are very used to using social media today. I think it also says about the overall habits of people using social media for various other items that they wouldn't have in the past. But also I think the social commerce boom is really finally here. And I think a lot of the blurring between traditional platforms and social media is really kind of complete now. People don't feel it's one or the other. They kind of see social media as a place where they can do commerce. So that would be a big standout one from recent trends.

Walt: Thank you. So here we have a broad picture of the threat landscape, right? And you can see at the top how it's all connected, but it can certainly seem overwhelming to address each one of these individually. So Mark, Elliott, what are the impacts to an organization if any one of these threats become a reality, and especially when we consider the impact that AI is having in making it easier to launch attacks and harder to monitor them?

Mark: Yeah. From a security services, a DNS perspective, I think the biggest threat that we're seeing is subdomain takeover. This has really ramped up since the global pandemic in terms of cybercriminals actively mining zone data to see what resource records a company has to see if there are any vulnerabilities there. Because what we've got to remember is in the security space, if somebody's been affected, they close the door. They will find budget. So they'll move on to other things, as they always do and always have.

So things like dangling DNS records, I won't go into the detail. We've got a webinar on it if somebody wants to watch it in more detail. These are just so common now. And from the research that we did, one in five zone resource records were dangling, so susceptible to a subdomain takeover. And that's bad news because those subdomains get used in phishing campaigns. It adds legitimacy to the emails that they're sending out because there are no bad signals coming from it. It's a legitimate link that our clients still own as a subdomain. They've just lost control of the content. So that would be, for me, probably the biggest one that we see.

Clearly, DDoS attacks are still increasing at pace. And user security, if there's one takeaway from today, always review your users and what permissions they have. We know one in five data breaches are caused by an internal employee. And it can be the difference between having your cup of coffee in the morning or not, whether you click on some of these links that are coming out, and they're very sophisticated.

Walt: Elliott, how are companies impacted when one of these attacks becomes successful?

Elliott: Yeah, I think just tying to what Mark was just saying there, I think again, at the start we were talking just a little bit about AI. Really, this is a problem of scalability and the fact that everyone's being put on the back foot, not necessarily because a lot of these are new threats, but because they are able to be scaled extremely quickly.

And one sort of universal example would be the gTLD space. So the ability to be able to weaponize gTLDs very quickly has always been the case since the early dot-com era. But now to be able to scale them very, very efficiently and to be able to do so across multiple industry verticals, that's what we're really reading within the market, and we're seeing these attacks get weaponized extremely quickly. And that short life cycle of those domains has only really come about recently because of the ability to be able to scale.

So that then, when you think how does that then impact the organization, well, what it means is it's putting a lot of pressure on these teams. It means that the pressure of the wider digital governance teams, which I know we're going to go into a little bit later, they'll see this, and they'll say, "Oh, my goodness, how am I going to explain the fact that the amount of these attacks have gone higher?" Also, I think one of the things is that it's also bringing these disparate stakeholders back together now because they're all seeing that they're being attacked in different perspectives, whether that be legal, security, and also IT.

Walt: So let's talk about a couple of recent events that I think really brings a lot of this together. Both of them are phishing-related. The first one there, on the left, there was a recently discovered global phishing activity. It was actually phishing as a service. It was an organization that was, over multiple years and at an industrial scale, providing phishing service to someone who would want to tap into it. And it was using trusted domains that had expired and then been re-registered and then serving content from cloud hosting. And in some cases, it was serving from the original brand. So an interesting aspect of this, Elliott, is the re-registered domains. What is the significance of that? Why is that effective?

Elliott: Yeah. So one of the interesting things about that is that this would have been known to multiple people within various organizations, as we all know how many domains we have and how many have been dropped and re-registered. And there are multiple processes and procedures to make sure that the domains that you own, you want to own securely. And then you wouldn't just release and drop any of those domain names without someone within some sort of true business role making that decision, because that is a decision. Someone made the decision to register the domain name for business purposes. If you want to lapse that domain name, then there's obviously a critical juncture where someone makes that decision to drop them. But that in itself is an indicator to the market.

So when you look at that broader ecosystem across the domain name space, there are bad actors monitoring this constantly. And the second you drop that domain name, that was of interest to others. So what we try and focus on is the three points of the life cycle of the domain name —,the registration, the re-registration, and the drop. And we want to make sure that even if you are dropping those domain names, that you're also monitoring those, because, again, even though that may seem like you're distancing yourself from that domain name now, this is no longer ours, this is going to go into the general market availability, that doesn't necessarily mean that you've shed all of the associated risk associated with that, because the legacy entanglements that you have between yourself and that digital asset are still going to be there.

Walt: Yeah, you know, we do see . . Oh, go ahead, Mark.

Mark: I was just going to say, Elliott, that kind of goes back to what we tell our clients, right? You've got domains that you own and domains that you don't. Just because you don't own it, doesn't mean you shouldn't keep your eye on that space because somebody will do something with it.

Walt: Yeah, we do see domain . . . Now we see portfolios being downsized. And I certainly understand in economic scenarios like we have today, in some cases people look at this as a place to cut the budget. But this can be the result of it and something that has to be considered.

Back to you, Mark. So the content, there were phishing attacks, but they were actually sites and content that was being served, as I said, in some cases from the original brand's cloud hosting. So what do you do in the DNS space to make sure that certainly that's not the case?

Mark: It's going to be easier for me to say than it is to do. But you have to have good zone cyber hygiene. Again, when people are lapsing domains from their portfolio, if that's a necessary thing to do, absolutely still continue to monitor it. But have you purged the zone? If the zone is still sitting there on name servers, it's easy to understand what name servers they were on. Somebody can re-register the domain, apply the same name servers, and all of that traffic will flow to their content. They will have taken over the cloud hosting company. Or worst case, they go and change the name service to their own, and then they've got the keys to the kingdom. They can put in whatever they want. They can monitor email, not just the websites, literally anything. And again, because it's a name that one of our customers has dropped, it's going to look legitimate.

So I think, from a security services perspective, making sure that you've got a good strategy, you're employing things like DNSSEC, MultiLock, CAA records, you've got single sign-on to your registrar, and you're doing a frequent user permission review. All of these things are important. But zone cyber hygiene has been neglected for 20 years because it's never been seen as a high priority. And 20 years ago, it was fine. When we ran our own data centers, there was no risk because you're not going to give your IP space to a third party, let alone a cybercriminal. But as we've all, well, a majority of folks have moved over to the cloud, they recycle hostnames. So the risk has been introduced, and it must be dealt with.

Walt: I think these use cases are really instructive. So I just wanted to briefly touch on the second one, which was a phishing attack within a software development package that were then compromised. And it was in a technical supply chain, and it was an exact match, registered name, but registered with a new gTLD that was not registered by the brand holder. So Elliott, for these supply chain attacks, is this something new, and do you find that organizations have a bit of a blind spot where it's in the chain, but maybe not the primary brand?

Elliott: Yeah, I would see it as usually the organization is most aware of things that has the most marketing budget behind it, of course, because those are the things that they're talking about, they want to talk to the market about, and they want to talk to their customers about. But those things that are more infrastructure and logistics based probably are going to be on the back burner, not going to be the forefront of everyone's mind. And so this is a typical example of no one necessarily would have been monitoring it or proactively monitoring it, or it wasn't the top of people's minds, and therefore it would have just been on the back burner.

I think, again, that talks to really about having good communication, knowing what are the digital assets that you do have, what are the ones that you do not have, and what's your risk profile, right? Is this something that, from our perspective as an organization, this is business critical, and we want to make sure we protect it at its most possible capability?

It's an extremely dynamic environment. The ecosystem is constantly changing. But are we making sure that we're monitoring for those critical assets? What most likely can happen in situations like this, again, is that it probably just wasn't at the forefront of people's minds, and that's I know we're going to come again to digital governance.

Walt: That's right. So knowing what those critical assets are, I think it's too much for any one role or any one group or certainly any one person, right? So this is something that we've talked about for years now, and it does apply to large, small, and mid-sized organizations. It applies to organizations of all sizes. And that is this idea of a digital governance council or cross-team governance. So common stakeholders in this group are marketing, legal. I know, Mark, when we started out in the domain industry, it was really just IT, but this security, these security teams, right, sort of within the IT space, but certainly as distinct teams have certainly emerged in that space. Where do we see the success for organizations that use this?

Mark: The most successful ones have a stakeholder or a governance team put together. You're right. It's not one person's decision. What marketing might want to do is very different to what they should be allowed to do from a compliance standpoint. Legal, obviously, are coming in now because of things like NIS2 and DORA and all the other legislations that are coming out. The UK has got one going through parliament right now as well, which is going to mimic NIS2.

All of these things, it needs to be this governance team. Everyone has their different angle on things, and we have to hold each other accountable as well. Don't go off just registering domains that you're going to use for email without having some form of SPF, DKIM, DMARC on there to stop it being spoofed. So yeah, and what we're seeing, though, 20 years ago when we started out, Walt and Elliott was a young boy, it was quite low level in the organization. Oh, we want to be online. It's technical. Give it to IT. And it was the IT admins that would have to go and figure out how to set domains and websites up and everything.

But it's coming full circle after it's gone to marketing and legal. It's coming full circle as a helix because we're now talking to general counsel. We're talking to CIOs, CISOs. Basically, C-level is where it's escalated to. And that's because we are so reliant on being online now.

At the events that we do, I always make a point and say a TXT record on a zone looks very different to what it did 10, 15 years ago. You might have had one record back then. Now it's a laundry list. So there are many things on it. DNS has become critical infrastructure, whether everybody recognizes that or not.

And again, this too calls out for redundancy. So what's plan B? What's in your business continuity plan, your disaster recovery plan? And a lot of people don't have a good answer for that. "Oh, I'll change providers." Well, there's 24 to 72 hours. Is that an acceptable time to be down, guys? And nobody says yes, obviously, because of email for one reason.

So the most successful ones, they get together regularly, and they get things done. And it does move things quicker in the organization as well if all of the key stakeholders are aligned.

Walt: So this brings it all home, right? These are the areas that we've talked about and all of this together. And again, not just having separate solutions, but as a unified both technology solution and organizational strategy form this 360-security posture. So Mark and Elliott, just open it up to you. Any final recommendations, in your experience, for folks to form this strategy?

Mark: Don't be shy. Talk to people. Find out who's responsible, if you don't know already, for those different disciplines, see what they're doing on it, and make sure that you get a seat at the table for whatever your discipline is. Make sure the table exists.

Elliott: Yeah, I put it a very similar way. I think on a recent article we did, I said at the very least, just take them out for a coffee. Take someone from a different stakeholder group out for a coffee . . .

Mark: Great idea.

Elliott: . . . and just sit down with them and just talk to them. It doesn't have to be anything official. It can be, "Do you know we also look at these domain names that come in from a legal perspective, and just be good just to talk to the security team because we know sometimes we both seem to be doing takedowns, and just want to make sure that we both understand, like you're doing your bit, we're doing our bit. But is there an opportunity for maybe us to have a little bit of connection, a little bit of communication?" And really that's the most key thing is opening those up.

I think also when it comes to actually connecting these things up, one of the really key trends that we've seen is that certainly over the growth we've seen the last few years has been the movement of brand protection solutions being their own isolated thing just with the legal team. Now that's moved over with security. So really, brand protection is evolving into brand security. And if we're going to connect all of these things up, we need to make sure that all of the relevant stakeholders are then connected. So there's a lot of different terminology with that stakeholder. There's a lot of different ways that you can actually meld that methodology together. But really that's critical because you've all got different ways that you need to report up into the business success.

And that's one of the many things that I do here is meeting with the world's largest brands every single day, making sure that they can themselves show their own professional objectives, but also their personal objectives. Okay, my professional objective is to make sure that across these key areas, the domain, the brand, and the fraud areas, and making sure that we're ticking these off for my organization. But also am I making sure that I'm communicating that in such a way that means something to my upper management, that actually shows that return on investment, that also allows me to be ready for the future, not the past, not domain names that were just on a spreadsheet, but for something that actually can be used as a digital asset into the future?

And as a digital native myself, as Mark said, there's no doubt that you want to make yourself focused on that future, focused on: How can we build out these individual communications across the business? How can we make sure that these strategies not only go from just, and the example that was given a moment ago, I think, Mark, you said just creating an email address? Well, everyone comes up with good ideas on a Friday afternoon. What we want to make sure is that we transmit that back to policy, that we then make sure that we connect all of it together.

So yeah, it's an ever-evolving target. But I think the nice thing is that this is a really good time, before the pressure is on too much, for many people to connect all of these disparate elements up. And then they can make it successful for the organization.

Walt: Thank you. Really insightful. I love bringing these discussions that we're having all the time anyway public in a forum like this.