Cisco Umbrella: First Line of Defense For Threats On The Internet
May 2019
Challenges
Product overview
Enforcement
Intelligence
© 2018 Cisco and/or its affiliates. All rights reserved. Cisco Confidential
Challenges
The way we work has changed
Critical infrastructure: Amazon, Rackspace, Windows Azure, etc.
Business apps: Salesforce, Office 365, G Suite, etc.
Workplace desktops
Internet
Users and apps have adopted the cloud…
…security must, too.
49% of the workforce is mobile (1)
82% admit to not using the VPN (2)
70% increase in SaaS usage (3)
70% of branch offices have DIA (4)
Security controls must shift to the cloud
Sources:
1. “Securing Portable Data and Applications for a Mobile Workforce,” SANS, 2015
2. “Your Users Have Left the Perimeter. Are You Ready?” IDG, 2016
3. “Keeping SaaS Secure,” Gartner, 2016
4. “Securing Direct-To-Internet Branch Offices: Cloud-Based Security Offers Flexibility and Control,” Forrester, 2015
Cisco Umbrella
Cloud security platform
Built into the foundation of the internet
Intelligence to see attacks before launched
Threats: Malware, C2 Callbacks, Phishing
Where does Umbrella fit?
Threats: Malware, C2 Callbacks, Phishing
Benefits
First line: Block malware before it hits the enterprise
NGFW
It all starts with DNS
Port agnostic
What sets Umbrella apart from competitors
Fastest and most reliable cloud infrastructure
Product overview: Enforcement, Intelligence, Cloud platform, Deployment, Reporting and retention
ENFORCEMENT
ON-NETWORK: HQ, Branch, IoT, BYOD; all office locations, any device on your network
OFF-NETWORK: Roaming laptops and supervised iOS devices
Every port and protocol
Security controls:
• DNS and IP enforcement
Intelligent proxy:
• Deeper inspection
• Risky domain inspection through proxy
• SSL decryption available
Internet traffic, on and off-network
ENFORCEMENT
UMBRELLA decides ALLOW, BLOCK or PROXY for:
• Domain request (DNS-layer)
• IP response (DNS-layer) or connection (IP-layer)
Inputs: custom domain lists; custom IP lists (future); STATISTICAL AND MACHINE LEARNING MODELS; INTERNET-WIDE TELEMETRY
ENFORCEMENT
91% of C2 can be blocked at the DNS layer
15% of C2 bypasses web ports 80 & 443
SWG: cloud or on-prem
Infected device
INTELLIGENCE
Attack timeline: Reconnaissance and infrastructure setup → Patient zero hit → Target expansion → Wide-scale expansion
Domain registration, IP, ASN intel
Defense signatures built
Our view of the internet
17K enterprise customers
160+ countries worldwide
INTELLIGENCE
Statistical models
2M+ live events per second
11B+ historical events
Guilt by inference
• Co-occurrence model
• Sender rank model
Patterns of guilt
• Secure rank model
• Spike rank model
INTELLIGENCE
Co-occurrence model
Domains guilty by inference
Timeline: time − to time +
INTELLIGENCE
DNS REQUESTS over DAYS: DNS request volume data is gathered and analyzed
y.com is blocked before it can launch full attack
INTELLIGENCE
Our efficacy
Discover: 3M+ daily new domain names
Identify: 60K+ daily malicious destinations
Enforce: 7M+ malicious destinations while resolving DNS
Data centers co-located at major IXPs
31 data centers worldwide
CLOUD PLATFORM
EU data warehouse facility available to ease data sovereignty concerns
CLOUD PLATFORM
Peering
CLOUD PLATFORM
Resolver latency, measured in milliseconds (five measurement columns as published):
Cloudflare 18 14 17 31 19
Google 24 14 24 27 26
Umbrella 30 15 28 43 36
Dyn 59 18 67 96 44
SafeDNS 61 27 46 99 100
OpenNIC 64 18 59 101 99
Level 3 71 33 45 114 87
Source: MSFT Office 365 Researcher, ThousandEyes Blog Post, August 1, 2018
CLOUD PLATFORM
Anycast IP routing for reliability: YVR 208.67.222.222, DFW 208.67.222.222
100% business uptime since 2006
If down for any reason, automatically re-routes to next fastest available
DDoS protection and global fail-over
DEPLOYMENT
Connecting to Umbrella
Anycast routing: customers not tied to a data center
On-network: INTERNAL DNS OR DHCP, NETWORK DEVICES, VA AND AD CONNECTOR
Customer → Umbrella
DEPLOYMENT
Enterprise-wide deployment in minutes
RETENTION
Flow: Umbrella → every 10 min over HTTPS → Amazon S3 → TAP / APIs → any SIEM
Benefits:
Triple redundant and encrypted storage
Visibility on- or off-network
Pre-built SIEM / log analytic integrations
Use self-managed or Cisco-managed bucket
Centrally managed S3 logs
Ransomware example
Ransomware: mapping attacker infrastructure
*.7asel7[.]top (LOCKY), as seen by Umbrella
Threat detected same day domain was registered.
Network Domain Association: threat detected before domain was registered.
Visualizing attacker infrastructure
Product demo
Cisco Cloud Security
Easiest security product you’ll ever deploy
1. Signup
2. Point your DNS to Umbrella
3. Done
Start blocking in minutes
Backup slides
Cisco SD-WAN and Cisco Umbrella integration
What if you could secure every user on your SD-WAN in minutes?
The technology behind the integration
Cisco SD-WAN:
• Manage connectivity across WAN from a single dashboard
• Connect to SaaS and IaaS platforms with speed, reliability, security and cost-savings
• Visibility and analytics into any connection across your network, whether MPLS or across the cloud edge
Cisco Umbrella:
• Protection against threats such as malware, ransomware, & C2 callbacks with no added latency
• Visibility into internet activity across all locations and users
• No hardware to install or software to manually update
Benefits
• Quickly deploy Umbrella across SD-WAN to hundreds of devices (Internet/SaaS via Umbrella)
How it works
Step 1: Copy API key in Umbrella dashboard
Step 3: Configure Umbrella policy
Step 4: Apply policy per-VPN and optionally enable DNScrypt
Integration features
Cisco Meraki MR and Cisco Umbrella integration
What if you could secure every user on your wireless network in minutes?
The technology behind the integration
Meraki MR: 100% cloud-managed wireless access points
Umbrella: cloud-delivered secure internet gateway
Benefits
How it works
Step 1 (Umbrella dashboard): Copy API key and secret.
Step 2 (Meraki dashboard): Input API key and secret.
Step 3 (Meraki dashboard): Apply Umbrella policy.
Step 4: That’s it. Seriously, it’s that easy.
Integration features
DEPLOYMENT
Your policy: Enforce Umbrella security settings per SSID or using Meraki Group Policies
Network egress IP: 67.215.87.11
Employee Wi-Fi SSID: DNS server 208.67.222.222
Guest Wi-Fi SSID: DNS server 208.67.222.222
YOUR NETWORK
App Discovery and blocking
The multicloud reality
The shadow IT reality
*Cisco Cloudlock CyberLab; **Gartner’s Top 10 Security Predictions (ref)
Two major aspects of shadow IT
On-network and managed device cloud activity: App Discovery Report
Cloud to cloud activity (OAuth-enabled apps): Cisco Cloudlock Apps Firewall
“Shadow IT is growing and is an unstoppable force.”
“If governed, managed and guided appropriately to mitigate the risks, shadow IT can create a lot of value for the organization. But the opposite is also true, in that, left unguided and controlled, it can destroy value.”
Gartner: Embracing and Creating Value From Shadow IT, Simon Mingay, refreshed 5 January 2017
Key challenges
Visibility challenge
Expectations Reality
App and risk insight challenge
1,200 discovered apps
Optimization and blocking challenges
“I need an app to collaborate with my colleagues; is XYZ approved?”
“How can I block risky apps that I don’t want my users to access?”
Umbrella App Discovery and blocking
• The App Discovery reporting section will replace the Cloud Services Report
• Additional application coverage (Cloud App Security Index)
• More detailed information on the vendor, app, certificates, and risk factors
• Ability to block a category of apps or individual apps
Umbrella App Discovery and Blocking
Solve the three biggest challenges related to shadow IT: Visibility; Optimization and blocking
Dashboard (Visibility)
Apps grid (Visibility; Optimization and blocking)
App detail / risk profile
App Blocking: App Settings Screen (Optimization and blocking)
Umbrella App Discovery and Blocking
Automated flow
Automated process: Umbrella DNS logs (a1.com, b2.com, c3.com) → Log ingestion → App Discovery Engine (Cloud App Security Index) → App Discovery Reporting Area (Dashboard; Discovered apps grid; App detail/risk profile) → Link → Application Settings (Category and Application Blocking)
Overall benefits
Statistical models and categories
INTELLIGENCE
IP geo-location analysis
INTELLIGENCE
DGA: observed domains (a1.com, a2.com, b1.com, c2.com, configs, c.com, d.com, …) are linked to algorithm-generated domains such as:
fgpxmvlsxpsp.me[.]uk, beuvgwyhityq[.]info, gboondmihxgc.com, pwbbjkwnkstp[.]com, bggwbijqjckk[.]me, yehjvoowwtdh.com, ctwnyxmbreev[.]com, upybsnuuvcye[.]net, quymxcbsjbhh.info, vgqoosgpmmur.it
INTELLIGENCE
“Hailstorm” spam model (MAIL SERVERS, e.g. z.spam.ru)
1. Identify queries to spam reputation services: 85M+ DNS users are attacked by various spam campaigns and use reputation services
2. Model aggregates hourly graphs per domain: short bursts of 1000s of “Hailstorm” spam use many FQDNs, e.g. subdomains, to hide from reputation services
3. Model identifies owners of “Hailstorm” domains: after confirmation, query WHOIS records to get registrant of sender domain
4. Block 10,000s of domains before new attacks happen: attackers often register more domains to embed links in phishing or C2 callbacks in malware
Outcome: confirm “Hailstorm” domain; new malicious domain blocked by Umbrella
INTELLIGENCE
*New categories: These are allowed by default, but can be blocked. And domains in these categories may have already been categorized as Malware or Botnet (a.k.a. C2 callbacks) by many other Umbrella statistical models.
Deployment scenarios
DEPLOYMENT
Internet gateway: network egress IP 67.215.87.11
Your policy: Enforce all security settings for 67.215.87.11 (Default)
DNS server: 208.67.222.222
YOUR NETWORK
DEPLOYMENT
Internet gateway: supported network device, serial number FGL189914GG (+Custom); network egress IP N/A
Your policy: Enforce all security settings for FGL189914GG
DNS server: 208.67.222.222
YOUR NETWORK
DEPLOYMENT
Cisco ISR with WORKSTATION VLAN and SERVER VLAN; network egress IP 67.215.87.11
Your policy: Enforce all security settings for Workstation VLAN or Server VLAN
Workstation VLAN: DNS server 208.67.222.222
Server VLAN: DNS server 208.67.222.222
Employee Wi-Fi SSID and GUEST WI-FI SSID; network egress IP 67.215.87.11
Your policy: Enforce all security settings for Employee Wi-Fi SSID or Guest Wi-Fi SSID
Employee Wi-Fi SSID: DNS server 208.67.222.222
Guest Wi-Fi SSID: DNS server 208.67.222.222
Internal DNS server (server IP 10.1.1.1) with external DNS resolution via 208.67.222.222; laptop IP 10.1.1.3; internet gateway egress IP 67.215.87.11
Your policy: Enforce all security settings for 67.215.87.11
DNS server: 10.1.1.1
YOUR NETWORK
DEPLOYMENT
Umbrella VA (appliance IP 10.1.1.2): inserts 10.1.1.3, GUID and Org ID in EDNS request, encrypts and forwards to 208.67.222.222
Laptop IP 10.1.1.3; internal DNS server 10.1.1.1 for internal domains (office.acme.com); internet gateway egress IP 67.215.87.11
Your policy: Enforce all security settings for 10.1.1.3
DNS server: 10.1.1.1
YOUR NETWORK
DEPLOYMENT
Associates CEO with EXEC group (via HTTPS); associates CEO with 10.1.1.3
YOUR NETWORK
DEPLOYMENT
AnyConnect roaming security module or Umbrella roaming client: embeds unique device ID and GUID (if AD) in EDNS request, encrypts and forwards to 208.67.222.222
Internet gateway: network egress IP N/A
Your policy: Enforce all security settings based on user identifiers
DNS server: N/A
YOUR NETWORK
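Both the virtual appliance slide and the roaming client slide describe the same mechanism: the forwarder tags each DNS query with an identity (client IP, GUID, Org ID or device ID) inside an EDNS option so that policy can be enforced per identity. The block below is an added example, not Umbrella's or Cisco's code, showing how an RFC 6891 OPT pseudo-RR carries such a private option and how a resolver-side parser recovers it. The option code (65001, from the local/experimental range) and the length-prefixed field layout are assumptions for illustration; the real option code and layout are not on the page. The page also says the forwarder encrypts the query before sending it (DNScrypt is mentioned in the SD-WAN steps); that transport encryption is outside this example, and without it the identity fields would be readable by anyone on the path.

```python
import struct

# HYPOTHETICAL option code for the identity option. RFC 6891 reserves
# 65001-65534 for local/experimental use, so it cannot collide with a
# standards-track option; the real Umbrella option code is not on the page.
IDENTITY_OPTION_CODE = 65001
OPT_TYPE = 41  # EDNS0 OPT pseudo-RR type (RFC 6891)


def encode_name(name):
    """Encode a domain name as uncompressed DNS labels (RFC 1035 section 3.1)."""
    out = b""
    for label in name.rstrip(".").split("."):
        if label == "":
            continue  # root name "" encodes as a single zero byte
        raw = label.encode("ascii")
        if len(raw) > 63:
            raise ValueError("label too long")
        out += bytes([len(raw)]) + raw
    return out + b"\x00"


def decode_name(data, offset):
    """Decode an uncompressed name at offset; return (name, offset after it)."""
    labels = []
    while True:
        length = data[offset]
        offset += 1
        if length == 0:
            return ".".join(labels), offset
        if length & 0xC0:
            raise ValueError("compression pointer not expected in a query")
        labels.append(data[offset:offset + length].decode("ascii"))
        offset += length


def build_identity_option(client_ip, guid, org_id):
    """Pack the three identity fields as 16-bit-length-prefixed strings (constructed layout)."""
    body = b""
    for field in (client_ip, guid, org_id):
        raw = field.encode("ascii")
        body += struct.pack("!H", len(raw)) + raw
    return struct.pack("!HH", IDENTITY_OPTION_CODE, len(body)) + body


def build_query(qname, txid, identity=None, udp_size=4096):
    """Build an A/IN query; if identity=(client_ip, guid, org_id) is given, append an OPT RR carrying it."""
    arcount = 1 if identity else 0
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, arcount)  # RD=1, one question
    packet = header + encode_name(qname) + struct.pack("!HH", 1, 1)  # QTYPE=A, QCLASS=IN
    if identity:
        rdata = build_identity_option(*identity)
        # OPT RR: NAME=root, TYPE=41, CLASS=requestor's UDP payload size,
        # TTL=extended RCODE/version/flags (all zero here), RDLENGTH, RDATA
        packet += encode_name("") + struct.pack("!HHIH", OPT_TYPE, udp_size, 0, len(rdata)) + rdata
    return packet


def decode_identity_option(body):
    """Inverse of build_identity_option; raises on a malformed option."""
    fields, pos = [], 0
    while pos + 2 <= len(body):
        (flen,) = struct.unpack("!H", body[pos:pos + 2])
        fields.append(body[pos + 2:pos + 2 + flen].decode("ascii"))
        pos += 2 + flen
    if len(fields) != 3:
        raise ValueError("malformed identity option")
    return dict(zip(("client_ip", "guid", "org_id"), fields))


def parse_query(packet):
    """Return (qname, identity dict or None); None when no OPT RR carries the identity option."""
    _txid, _flags, qdcount, _an, _ns, arcount = struct.unpack("!HHHHHH", packet[:12])
    offset, qname, identity = 12, None, None
    for _ in range(qdcount):
        qname, offset = decode_name(packet, offset)
        offset += 4  # skip QTYPE and QCLASS
    for _ in range(arcount):  # a query has no answer/authority RRs, so additionals follow the question
        _name, offset = decode_name(packet, offset)
        rtype, _rclass, _ttl, rdlen = struct.unpack("!HHIH", packet[offset:offset + 10])
        offset += 10
        rdata = packet[offset:offset + rdlen]
        offset += rdlen
        if rtype != OPT_TYPE:
            continue
        pos = 0
        while pos + 4 <= len(rdata):  # walk the option TLVs inside the OPT RDATA
            code, length = struct.unpack("!HH", rdata[pos:pos + 4])
            body = rdata[pos + 4:pos + 4 + length]
            pos += 4 + length
            if code == IDENTITY_OPTION_CODE:
                identity = decode_identity_option(body)
    return qname, identity


if __name__ == "__main__":
    # Constructed values: the IP matches the deck's diagram; GUID and Org ID are placeholders.
    pkt = build_query("example.com", 0x1234, ("10.1.1.3", "GUID-PLACEHOLDER", "ORG-PLACEHOLDER"))
    print(parse_query(pkt))
```

A resolver that enforces per-identity policy would look up the parsed `client_ip` or `guid` against its policy table before answering; a query with no OPT RR, or one whose option fails to decode, should fall back to the network-level policy for the source address rather than being treated as a trusted identity.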
DEPLOYMENT
Umbrella Chromebook client, via internet gateway
YOUR NETWORK
Deployment extras
DEPLOYMENT
DNS: 208.67.222.222
DEPLOYMENT
Enforcement and visibility per Umbrella identity (SERVER VLAN, WORKSTATION VLAN, EMPLOYEE WI-FI VLAN, GUEST WI-FI VLAN)
Enforcement points: DOMAIN REQUEST, IP RESPONSE, CONNECTION, HTTP/S
Securely embed identities within query using an RFC-compliant mechanism; differing granularity based on deployment
Web-based redirects transparent to user enable same identity for proxy
Umbrella deployments: your DNS or DHCP server; Umbrella roaming client (RC); Umbrella Chromebook client; Umbrella AD Connector; Umbrella virtual appliance (VA); Umbrella API for network devices
*Indicates identity available with Umbrella AD Connector
DEPLOYMENT
Umbrella updates the IPs to watch for; all IP traffic from any running app is covered
DEPLOYMENT
Admin → Umbrella Dashboard: Apply Policies, View Reports, Manage Devices
DEPLOYMENT
ON-PREM PROXY / INTERNAL DNS SERVER
*NOTE: ACL varies depending on the ASA version or IOS version, or third-party product.
Cisco Security Connector
Visibility
The technology behind it
Zero-touch UX for end-users
Visibility and control
Umbrella app extension: requests attributed by iOS identity (Umbrella Dashboard)
Clarity (AMP) app extension: flows attributed by iOS identity and app (AMP)
DELETE BEFORE PRESENTING
Cryptocurrency and attacks
Cryptocurrency
• Digital currency
• Operates independently of a central bank
• Encryption techniques used to regulate the generation of currency units and verify the transfer of funds
• Bitcoin, Monero, Litecoin, Stellar, etc.
Cryptomining
Cryptojacking
How do you protect yourself?
How to avoid rogue cryptomining in your environment
• Ensure you have strong Kubernetes passwords in place
• Don’t just be on the hunt for Monero miners: threat actors have moved to more obscure coins (easier to mine & convert)
• As the market grows, expect a multitude of switches in the coins they mine to evade detection
• The more popular a coin becomes, the less likely it will be used for cryptomining
• It is easier to avoid detection with new cryptos, which will see higher returns
Preventing cryptomining with Umbrella
Intelligent proxy extras
We’ve had the intelligent proxy since 2013, let’s talk about it
RESOLVER: inspects DNS request and response
PROXY: inspects header, request and response
[Figure residue: labels include gray.com/bad.exe, proxy IP, gray.com address, redirect]
ANY ENDPOINT: web activity to gray.com/bad.exe
DNS load balancers expose proxy IPs so resolvers can redirect clients
Endpoint → (1) DNS or EDNS → Unicast DNS load balancer; (2) DNS → Anycast DNS load balancer (DATA CENTER #2) → any websites
Resolver and proxy systems are independent and Anycast
Partial outage: Endpoint → (1) DNS or EDNS → Unicast DNS load balancer; (2) DNS → Anycast DNS load balancer (DATA CENTER #2); (3) HTTP/S → DATA CENTER #1 → any websites
Resolver and proxy systems are independent and Anycast
Full outage: Endpoint → (1) DNS or EDNS → Unicast DNS load balancer; (2) DNS → Anycast DNS load balancer (DATA CENTER #2); (3) HTTP/S → DATA CENTER #1 → any websites
Why do an Umbrella POV?
It’s the easiest POV you’ll ever do.
1) Signup 2) Point DNS 3) Done
Uncover more with Umbrella
Across 200+ recent POVs:
100% reduction in ransomware
Umbrella reduced malware by at least 60 to 70%
Decreased threats by an estimated 99% and shortened investigation time by 75%
Cost savings example
Cost components: Remediation; Loss of business from downtime; Loss of customer loyalty; Compliance fines
Inputs: Number of endpoints: 50; hours to fix; cost per incident; Total cost
Top threat occurrences by industry
Cisco IT’s deployment of Umbrella
7.6B DNS queries per day from the Cisco network and endpoints
22M off sourced DNS blocks per day
1000x amount of threat intelligence in Umbrella vs Infosec’s home grown system
30 min average time of the change requests to enable enterprise wide policy changes
432K blocks for roaming clients while not connected to Cisco’s network in the first week
Multi-Org Console
Roaming laptop with AnyConnect module or stand-alone client for Umbrella
*Always-on or location-aware policies are supported.
Secure Internet Gateway
Protect anywhere users connect
Threats: Malware, C2 Callbacks, Phishing
SIG: first line; safe access anywhere users go, even off VPN; secure onramp to the internet
On and off the corporate network
How a SIG compares to a SWG
SIG: secure internet access, anywhere users go
SWG: granular web usage controls for compliance and protection
Cisco’s SIG compared to others’ SWG
SWG problem: incomplete coverage of DNS and IP layer destinations and files
SIG: PREDICTIVE DESTINATION INTEL
DNS
DNS Overview
Who resolves your DNS requests?
Home users → ISP?
Roaming laptops → ISP?
Enterprise location A → ISP1; internal InfoBlox appliance
Enterprise location B → ISP2; internal Windows DNS server
Authoritative DNS for intranet domains
Challenges:
Multiple internet service providers
Direct-to-internet branch offices
Using a single global recursive DNS service
Home users → ISP?
Roaming laptops → ISP?
Enterprise location A → ISP1; internal InfoBlox appliance
Enterprise location B → ISP2; internal Windows DNS server
Authoritative DNS for intranet domains
Benefits:
Global internet activity visibility
Network security w/o adding latency
Gather intelligence and enforce security at the DNS layer
Any device → Recursive DNS → Authoritative DNS (root, com., domain.com.)
User request patterns, used to detect:
• Compromised systems
• Command and control callbacks
• Malware and phishing attempts
• Algorithm-generated domains
• Domain co-occurrences
• Newly registered domains
Authoritative DNS logs, used to find:
• Newly staged infrastructures
• Malicious domains, IPs, ASNs
• DNS hijacking
• Fast flux domains
• Related domains
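The co-occurrence model slide ("domains guilty by inference", time − to time +) and the "Domain co-occurrences" item in the list above describe the same idea: a domain that clients request shortly before or after a known-malicious seed domain is likely part of the same infrastructure. The block below is an added example, not Umbrella's model or Cisco's code, that runs that inference over constructed recursive-DNS log lines. It goes a little beyond the slide: it normalises by how many clients request a candidate at all, so a popular CDN that happens to appear near every seed hit is not flagged, and it requires a minimum number of distinct clients so one machine's browsing cannot convict a domain on its own. The window size, thresholds and all log lines are constructed for the example.

```python
from collections import defaultdict

# Seconds on either side of a seed request that count as "time -" / "time +".
# Constructed value; the deck does not state the real window.
WINDOW = 60

# Constructed recursive-DNS log: "<unix_ts> <client_ip> <queried_domain>".
# bad-seed.test plays the known-malicious seed; stage2-loader.test is fetched by
# every client right after it; cdn.popular.test is requested by everyone.
SAMPLE_LOG = """\
1000 10.1.1.3 login.example-bank.test
1005 10.1.1.3 bad-seed.test
1010 10.1.1.3 stage2-loader.test
1012 10.1.1.3 cdn.popular.test
2000 10.1.1.4 cdn.popular.test
2100 10.1.1.4 bad-seed.test
2130 10.1.1.4 stage2-loader.test
2140 10.1.1.4 cdn.popular.test
3000 10.1.1.5 cdn.popular.test
3100 10.1.1.5 search.popular.test
4000 10.1.1.6 bad-seed.test
4020 10.1.1.6 stage2-loader.test
4025 10.1.1.6 cdn.popular.test
5000 10.1.1.7 cdn.popular.test
5500 10.1.1.7 search.popular.test
6000 10.1.1.8 search.popular.test
"""


def parse_log(text):
    """Return a list of (timestamp, client, domain) tuples from 'ts client domain' lines."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, client, domain = line.split()
        records.append((int(ts), client, domain.lower().rstrip(".")))
    return records


def cooccurrence_scores(records, seed, window=WINDOW):
    """For every domain requested within `window` seconds of a seed request by the same
    client, return {domain: (clients_near_seed, clients_total, ratio)}."""
    by_client = defaultdict(list)
    for ts, client, domain in records:
        by_client[client].append((ts, domain))
    near = defaultdict(set)   # domain -> clients that requested it near a seed hit
    total = defaultdict(set)  # domain -> all clients that requested it
    for client, events in by_client.items():
        seed_times = [ts for ts, domain in events if domain == seed]
        for ts, domain in events:
            total[domain].add(client)
            if domain == seed:
                continue
            if any(abs(ts - st) <= window for st in seed_times):
                near[domain].add(client)
    return {
        domain: (len(clients), len(total[domain]), len(clients) / len(total[domain]))
        for domain, clients in near.items()
    }


def suspects(records, seed, min_clients=2, min_ratio=0.75, window=WINDOW):
    """Domains whose requests are both widespread near the seed and rare away from it."""
    scores = cooccurrence_scores(records, seed, window)
    return sorted(
        domain for domain, (n_near, _n_total, ratio) in scores.items()
        if n_near >= min_clients and ratio >= min_ratio
    )


if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    for domain, score in sorted(cooccurrence_scores(recs, "bad-seed.test").items()):
        print(domain, score)
    print("suspects:", suspects(recs, "bad-seed.test"))
```

On the sample log only stage2-loader.test is returned: it is seen by three clients, always within the window of the seed. cdn.popular.test also appears near three seed hits but is requested by five clients overall, so its ratio (0.6) falls below the threshold, and login.example-bank.test is near the seed for one client only. In production the seed list would come from an existing blocklist and the flagged domains would be reviewed before enforcement, since a legitimate site that an infected host happens to visit next will still score above zero.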