
Cisco Umbrella

First line of defense for threats on the internet

May 2019
Agenda

• Challenges
• Product overview
  – Enforcement
  – Intelligence
  – Cloud platform
  – Deployment
  – Reporting and retention
• Ransomware example
• Product demo

© 2018 Cisco and/or its affiliates. All rights reserved. Cisco Confidential
Challenges
The way we work has changed

Everything now connects through the internet:

• Critical infrastructure: Amazon, Rackspace, Windows Azure, etc.
• Business apps: Salesforce, Office 365, G Suite, etc.
• Workplace desktops
• Roaming laptops
• Branch office
Users and apps have adopted the cloud… security must, too.

• 49% of the workforce is mobile [1]
• 82% admit to not using the VPN [2]
• 70% increase in SaaS usage [3]
• 70% of branch offices have DIA (direct internet access) [4]

Security controls must shift to the cloud.

Sources:
1. “Securing Portable Data and Applications for a Mobile Workforce,” SANS, 2015
2. “Your Users Have Left the Perimeter. Are You Ready?” IDG, 2016
3. “Keeping SaaS Secure,” Gartner, 2016
4. “Securing Direct-To-Internet Branch Offices: Cloud-Based Security Offers Flexibility and Control,” Forrester, 2015
Cisco Umbrella: cloud security platform

Blocks malware, C2 callbacks and phishing (resolver IP 208.67.222.222).

• Built into the foundation of the internet
• Intelligence to see attacks before they are launched
• Visibility and protection everywhere
• Enterprise-wide deployment in minutes
• Integrations to amplify existing investments
Where does Umbrella fit?

Umbrella is the first line of defense against malware, C2 callbacks and phishing, in front of the existing stack (NGFW, Netflow, proxy, sandbox, router/UTM, AV) at HQ, branch and roaming locations.

Benefits
• Block malware before it hits the enterprise
• Contains malware if already inside
• Internet access is faster
• Provision globally in minutes
It all starts with DNS

DNS = Domain Name System (e.g. Cisco.com resolves to 72.163.4.161)

• First step in connecting to the internet
• Precedes file execution and IP connection
• Used by all devices
• Port agnostic
What sets Umbrella apart from competitors

• Fastest and most reliable cloud infrastructure
• Broadest coverage of malicious destinations and files
• Most open platform for integration
• Easiest connect-to-cloud deployment
• Most predictive intelligence to stop threats earlier
Product overview

• Enforcement
• Intelligence
• Cloud platform
• Deployment
• Reporting and retention
ENFORCEMENT
Visibility and protection for all activity, anywhere

ON-NETWORK
• All office locations (HQ, branch)
• Any device on your network (IoT, BYOD)

OFF-NETWORK
• Roaming laptops and supervised iOS devices

Every port and protocol (ALL PORTS AND PROTOCOLS).
ENFORCEMENT
Built into the foundation of the internet

Internet traffic, on and off-network, is resolved by Umbrella:
• Safe destinations: original destination
• Blocked destinations: block page (modified destination)
• Risky destinations: routed through the intelligent proxy

Security controls
• DNS and IP enforcement
• Intelligent proxy: deeper inspection
  – Risky domain inspection through proxy
  – SSL decryption available
ENFORCEMENT
Breadth to cover all ports and depth to inspect risky domains

DNS and IP layer
• Domain request
• IP response (DNS-layer) or connection (IP-layer)
• Verdict: ALLOW, BLOCK, PROXY
• Sources: Umbrella/Talos and partner feeds; custom domain lists; custom IP lists (future)

HTTP/S layer
• URL request
• File hash
• Verdict: ALLOW OR BLOCK
• Sources: WBRS/Talos + partner feeds; custom URL lists; AV; AMP

Umbrella statistical and machine learning models, fed by internet-wide telemetry, deliver predictive updates to both layers.
ENFORCEMENT
Prevents connections before and during the attack

Web- and email-based infection
• Malvertising / exploit kit
• Phishing / web link
• Watering hole compromise

Command and control callback
• Malicious payload drop
• Encryption keys
• Updated instructions

Stop data exfiltration and ransomware encryption.
ENFORCEMENT
Protection for command and control (C2) callbacks

• 91% of C2 can be blocked at the DNS layer
• 15% of C2 bypasses web ports 80 & 443, so a cloud or on-prem SWG alone does not see it from an infected device
ENFORCEMENT
Integrations to amplify existing security

Block malicious domains from partner or custom systems. IOCs from your current security stack are pushed to Umbrella:

• Threat analysis feed: AMP Threat Grid + others
• Appliance-based detection: + others
• Threat intelligence platform: + others
• Cloud Access Security Broker: Cloudlock + others
• Custom integrations: Python script, Bro IPS + others
INTELLIGENCE
Anatomy of a cyber attack

1. Reconnaissance and infrastructure setup (domain registration, IP, ASN intel)
2. Patient zero hit
3. Target expansion
4. Wide-scale expansion (defense signatures built)
5. Monitor adaptation based on results
Our view of the internet

• 180B requests per day
• 90M daily active users
• 17K enterprise customers
• 160+ countries worldwide
INTELLIGENCE
Intelligence to see attacks before they are launched

Data
• Cisco Talos feed of malicious domains, IPs, and URLs
• Umbrella DNS data — 180B requests per day

Security researchers
• Industry-renowned researchers
• Build models that can automatically classify and score domains and IPs

Models
• Dozens of models continuously analyze millions of live events per second
• Automatically uncover malware, ransomware, and other threats
INTELLIGENCE
Statistical models

2M+ live events per second; 11B+ historical events

Guilt by inference
• Co-occurrence model
• Sender rank model

Patterns of guilt
• Secure rank model
• Spike rank model
• Natural Language Processing rank model

Guilt by association
• Predictive IP Space Modeling
• Live DGA prediction
• Passive DNS and WHOIS correlation
INTELLIGENCE
Co-occurrence model: domains guilty by inference

Timeline (time − … time +): a.com, b.com, c.com, x.com, d.com, e.com, f.com, where x.com is a known malicious domain and the domains requested just before and after it (c.com, d.com) are possible malicious domains.

Co-occurrence of domains means that a statistically significant number of identities have requested both domains consecutively in a short timeframe.
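The co-occurrence idea above, worked through over a constructed DNS log as an added example (illustrative code, not Umbrella's model): each identity's requests are grouped, domains requested within a short window of a known-malicious domain are collected, and a domain is flagged once enough distinct identities show the pattern. The log format, window, threshold and domain names are assumptions.

```python
"""Co-occurrence scoring over DNS query logs (added example, not Umbrella's code).

A domain 'co-occurs' with a known-malicious domain when the same identity
requests both within a short window. Domains that co-occur across many
distinct identities are surfaced as possible malicious domains for review."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log, "timestamp,identity,domain" (not Umbrella's log format).
SAMPLE_LOG = """\
2019-05-01T10:00:00,laptop-01,a.com
2019-05-01T10:00:02,laptop-01,x.com
2019-05-01T10:00:03,laptop-01,d.com
2019-05-01T10:05:00,laptop-02,b.com
2019-05-01T10:05:01,laptop-02,x.com
2019-05-01T10:05:02,laptop-02,d.com
2019-05-01T10:09:00,laptop-03,x.com
2019-05-01T10:09:01,laptop-03,d.com
2019-05-01T11:00:00,laptop-04,x.com
2019-05-01T11:00:01,laptop-04,e.com
2019-05-01T12:00:00,laptop-05,a.com
2019-05-01T12:30:00,laptop-05,d.com
"""

KNOWN_MALICIOUS = {"x.com"}          # assumed: the 'x.com' of the slide
WINDOW = timedelta(seconds=60)       # assumed 'short timeframe'


def parse_log(text):
    """Yield (timestamp, identity, domain) tuples, skipping blank lines."""
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, identity, domain = line.split(",")
        yield datetime.fromisoformat(ts), identity, domain.lower()


def cooccurring_identities(records, malicious, window=WINDOW):
    """Map candidate domain -> identities that requested it within `window`
    of a request for a known-malicious domain (before or after it)."""
    by_identity = defaultdict(list)
    for ts, identity, domain in records:
        by_identity[identity].append((ts, domain))
    hits = defaultdict(set)
    for identity, reqs in by_identity.items():
        reqs.sort()
        bad_times = [ts for ts, d in reqs if d in malicious]
        for ts, d in reqs:
            if d in malicious:
                continue
            if any(abs(ts - bt) <= window for bt in bad_times):
                hits[d].add(identity)
    return hits


def score_cooccurrence(records, malicious, min_identities=2, window=WINDOW):
    """Return {domain: identity_count} for domains whose co-occurrence with a
    malicious domain is seen from at least `min_identities` distinct identities.
    The fixed threshold stands in for the slide's statistical-significance test."""
    hits = cooccurring_identities(records, malicious, window)
    return {d: len(ids) for d, ids in hits.items() if len(ids) >= min_identities}


if __name__ == "__main__":
    flagged = score_cooccurrence(parse_log(SAMPLE_LOG), KNOWN_MALICIOUS)
    for domain, n in sorted(flagged.items(), key=lambda kv: -kv[1]):
        print(f"{domain}: requested alongside a known-malicious domain by {n} identities")
```

Only d.com clears the threshold: a.com, b.com and e.com each co-occur with x.com for a single identity, and laptop-05 never touched x.com at all.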
INTELLIGENCE
Spike rank model: patterns of guilt

A massive amount of DNS request volume data is gathered and analyzed against known patterns (DGA, malware, exploit kit, phishing).

[Chart: DNS requests for y.com over days] The DNS request volume for y.com matches a known exploit kit pattern and predicts a future attack; y.com is blocked before it can launch the full attack.
INTELLIGENCE
Predictive IP Space Monitoring: guilt by association

1. Pinpoint suspicious domains and observe their IP's fingerprint (e.g. 209.67.132.476)
2. Identify other IPs – hosted on the same server – that share the same fingerprint (e.g. 198.51.100.252, 198.51.100.253, 198.51.100.254)
3. Block those suspicious IPs and any related domains
INTELLIGENCE
Our efficacy

• Discover: 3M+ daily new domain names
• Identify: 60K+ daily malicious destinations
• Enforce: 7M+ malicious destinations while resolving DNS
Data centers co-located at major IXPs

31 data centers worldwide
CLOUD PLATFORM
EU data warehouse facility available

Ease data sovereignty concerns:
• Store data used for Umbrella reports in an EU facility
• Use the multi-org console for different storage settings for different locations
CLOUD PLATFORM
BGP peering for speed

800+ peering partnerships with top ISPs and CDNs.

Share BGP routes with ISPs and CDNs to shorten the path between customers’ devices and our Global Network.
CLOUD PLATFORM
How fast do we resolve DNS requests?

Resolver     North America  Europe/EMEA  Latin America  Asia/APAC  (unlabeled)
Cloudflare   18             14           17             31         19
Google       24             14           24             27         26
Umbrella     30             15           28             43         36
Dyn          59             18           67             96         44
SafeDNS      61             27           46             99         100
OpenNIC      64             18           59             101        99
Level 3      71             33           45             114        87
Verisign     94             33           59             128        168
Comodo       102            30           55             112        20

Measured in milliseconds. Source: MSFT Office 365 Researcher, ThousandEyes Blog Post, August 1, 2018
CLOUD PLATFORM
Anycast IP routing for reliability

All data centers (e.g. YVR and DFW) announce the same IP address, 208.67.222.222.

Requests are transparently sent to the fastest available data center.
CLOUD PLATFORM
Anycast IP routing for reliability (continued)

• 100% business uptime since 2006
• If a data center is down for any reason, requests automatically re-route to the next fastest available
• DDoS protection and global fail-over
DEPLOYMENT
Connecting to Umbrella

Roaming: Umbrella roaming client / AnyConnect
On-network: internal DNS or DHCP; network devices; virtual appliance (VA) and AD connector

• Route traffic and identities via DNS
• No need for connectors/PAC files
• Anycast routing: customers are not tied to a data center
DEPLOYMENT
Enterprise-wide deployment in minutes

Network footprint
• Existing DNS/DHCP servers and Wi-Fi APs: simple config change to redirect DNS (Umbrella virtual appliance also available)
• ISR1K and 4K, SD-WAN (Viptela), WLC, Meraki MR: provisioning and policies per VLAN/SSID; tags for granular filtering and reporting; out-of-the-box integration

Endpoint footprint
• AnyConnect roaming security module, Cisco Umbrella roaming client, Chromebook client: granular filtering and reporting on- & off-network (Umbrella roaming client also available)
RETENTION
Log storage with Amazon S3

Logs are pushed every 10 minutes over HTTPS to an S3 bucket, from which any SIEM can pull them via TAP, pre-built integrations or the Amazon APIs.

S3 benefits
• Triple redundant and encrypted storage
• Visibility on- or off-network
• Pre-built SIEM / log analytic integrations
• Use self-managed or Cisco-managed bucket
• Centrally managed S3 logs
Ransomware example
Ransomware: mapping attacker infrastructure

Pivots: Domain → IP association; IP → Network association; IP → Sample association; IP → Domain association; Domain → IP association; IP Network → WHOIS association.

Timeline: Umbrella flagged *.7asel7[.]top on AUG 17, 26 days before LOCKY used it on SEP 12.
*.7asel7[.]top (LOCKY)

• Domain → IP association: 185.101.218.206, 91.223.89.201
• IP → Domain, IP → Sample and IP → Network associations: AS 197569
• 1,000+ DGA domains (CERBER), e.g. ccerberhhyed5frqa[.]8211fr[.]top
• 600+ Threat Grid files, e.g. SHA256: 0c9c328eb66672ef1b84475258b4999d6df008
Threat detected same day domain was registered.
DGA domain jbrktqnxklmuf[.]info: Umbrella JUL 14 → −7 DAYS → LOCKY JUL 21

Threat detected before domain was registered (network → domain association).
DGA domain mhrbuvcvhjakbisd[.]xyz: Umbrella JUL 18 → −4 DAYS → DOMAIN REGISTERED JUL 22 → −26 DAYS → LOCKY AUG 21
Visualizing attacker infrastructure

Product demo
Cisco Cloud Security

• Security when accessing the cloud: Umbrella – Secure Internet Gateway (SIG)
• Security for accessing any app: Duo – Multi-Factor Authentication (MFA), Single Sign-on (SSO), Software-Defined Perimeter (SDP)
• Security for SaaS apps: Cloudlock and Email Security – Cloud Access Security Broker (CASB) and Email
• Security for public cloud: Stealthwatch Cloud – public cloud visibility and threat detection
Easiest security product you’ll ever deploy

1. Sign up
2. Point your DNS to Umbrella
3. Done – start blocking in minutes
Backup slides

Cisco SD-WAN and Cisco Umbrella integration

What if you could secure every user on your SD-WAN in minutes?
The technology behind the integration

Cisco SD-WAN: cloud-delivered WAN architecture that enables digital transformation
• Manage connectivity across the WAN from a single dashboard
• Connect to SaaS and IaaS platforms with speed, reliability, security and cost-savings
• Visibility and analytics into any connection across your network, whether MPLS or across the cloud edge

Umbrella: cloud-delivered secure internet gateway
• Protection against threats such as malware, ransomware, & C2 callbacks with no added latency
• Visibility into internet activity across all locations and users
• No hardware to install or software to manually update
Benefits

• Quickly deploy Umbrella across SD-WAN to hundreds of devices
• Gain DNS-layer protection against threats at branch offices
• Create policies and view reports on a per-VPN basis

[Diagram: data center and branch joined by the SD-WAN fabric over MPLS and DIA, with branch internet/SaaS traffic resolved by Umbrella]
How it works

Step 1: Copy the API key in the Umbrella dashboard
Step 2: Input the API key in the vManage dashboard
Step 3: Configure the Umbrella policy
Step 4: Apply the policy per VPN and optionally enable DNSCrypt
Integration features

• Appends EDNS (Device ID and Client IP) to the DNS packet
• Local domain bypass support to exclude internal DNS requests from being sent to Umbrella resolvers
• Supports DNSCrypt proxy to encrypt DNS traffic

SD-WAN powered by Viptela.
Cisco Meraki MR and Cisco Umbrella integration

What if you could secure every user on your wireless network in minutes?
The technology behind the integration

Meraki MR: 100% cloud-managed wireless access points
• Manage your global wireless infrastructure from a single dashboard
• Provides visibility into application, device, and usage statistics
• No controller hardware to install or maintain

Umbrella: cloud-delivered secure internet gateway
• Protection against threats such as malware, ransomware, & C2 callbacks with no added latency
• Visibility into internet activity across all locations and users
• No hardware to install or software to manually update
Benefits

• Simplest way to deploy Umbrella across a wireless network
• Conveniently enable Umbrella policies directly in the Meraki dashboard
• Create granular policies on a per-SSID basis or by using Meraki group policies
How it works

Step 1 (Umbrella dashboard): Copy the API key and secret.
Step 2 (Meraki dashboard): Input the API key and secret.
Step 3 (Meraki dashboard): Apply the Umbrella policy.
Step 4: That’s it. Seriously, it’s that easy.
Integration features

• Appends EDNS (Device ID and Client IP) to the DNS packet
• Split DNS support to exclude internal DNS requests from being sent to Umbrella resolvers
• Supports DNSCrypt proxy to encrypt DNS traffic
DEPLOYMENT
Protect corporate and guest wi-fi

Meraki access points insert the Device ID and Client IP in the EDNS request and forward it to 208.67.222.222.

Your policy: enforce Umbrella security settings per SSID or using Meraki Group Policies
Network egress IP: 67.215.87.11
Employee Wi-Fi SSID DNS server: 208.67.222.222
Guest Wi-Fi SSID DNS server: 208.67.222.222

YOUR NETWORK
App Discovery and blocking

The multicloud reality
The shadow IT reality

• 80% of end users use software not cleared by IT*
• 1,220 cloud services used by the average large org*
• 33% of enterprise attacks will come from shadow IT by 2020**

*Cisco Cloudlock CyberLab   **Gartner’s Top 10 Security Predictions (ref)
Two major aspects of shadow IT

• On-network and managed device cloud activity: App Discovery Report
• Cloud to cloud activity (OAuth-enabled apps): Cisco Cloudlock Apps Firewall
“Shadow IT is growing and is an unstoppable force.”

“If governed, managed and guided appropriately to mitigate the risks, shadow IT can create a lot of value for the organization. But the opposite is also true, in that, left unguided and controlled, it can destroy value.”

Gartner: Embracing and Creating Value From Shadow IT, Simon Mingay, refreshed 5 January 2017
Key challenges

• Visibility
• App and risk insight
• Optimization and blocking
Visibility challenge

Expectations (CIO):
“I know about ~40 cloud apps but there are others that we aren’t aware of… maybe double that number.”
“We use 3 or 4 collaboration apps.”

Reality:
~1,200 cloud apps in use
> 20 collaboration apps in use
App and risk insight challenge

1,200 discovered apps

Security team
• What apps introduce high risk?
• Which apps are in compliance?
• What is the web reputation score?

IT team
• How many cloud apps do we have in each functional category?
• How many users are active in each app?
• Who are the top users of each app?
Optimization and blocking challenges

End user: “I need an app to collaborate with my colleagues. Is XYZ approved?”
Security team / CISO: “How can I block risky apps that I don’t want my users to access?”
Business leaders: “Can I see a list of marketing/sales apps we are using?”
IT team / CIO: “Which cloud file sharing app are we using the most?”
Umbrella App Discovery and blocking

• The App Discovery reporting section will replace the Cloud Services Report
• Additional application coverage (Cloud App Security Index)
• More detailed information on the vendor, app, certificates, and risk factors
• Ability to block a category of apps or individual apps
Umbrella App Discovery and Blocking
Solve the three biggest challenges related to shadow IT: Visibility; App and risk insight; Optimization and blocking

[Screenshot slides]
• Dashboard: Visibility; App and risk insight
• Apps grid: Visibility; App and risk insight; Optimization and blocking
• App detail / risk profile: App and risk insight
• App Blocking (App Settings screen): Optimization and blocking
Umbrella App Discovery and Blocking
Automated flow

Automated process: Umbrella DNS logs (a1.com, b2.com, c3.com) → log ingestion → App Discovery Engine (Cloud App Security Index) → App Discovery Reporting Area (Dashboard; Discovered apps grid; App detail/risk profile) → link to Application Settings (Category and Application Blocking)
Overall benefits

• Visibility into existing and new cloud apps
• Understanding usage and identities
• Risk mitigation
• Productivity gains
• Reduced cloud expenditures
• Promote healthy cloud adoption

TRACK SHADOW IT TO CREATE A CULTURE OF: acceptance and protection vs. detection and punishment
Statistical models and categories
INTELLIGENCE
IP geo-location analysis

Host infrastructure: location of the server IP addresses mapped to the domain (e.g. hosted across 28+ countries)

DNS requesters: location of the network and off-network device IP addresses requesting the domain (e.g. only US-based customers requesting a .RU TLD)
INTELLIGENCE
‘Live DGA Prediction’: automated at an unparalleled scale

[Diagram: domain pairs such as a.com + b.com, a1.com + a2.com, b1.com + c2.com are matched to DGA configs that generate domains like fgpxmvlsxpsp.me[.]uk, beuvgwyhityq[.]info, gboondmihxgc.com, pwbbjkwnkstp[.]com, bggwbijqjckk[.]me, yehjvoowwtdh.com, ctwnyxmbreev[.]com, upybsnuuvcye[.]net, quymxcbsjbhh.info, vgqoosgpmmur.it, c.com, d.com, …]

1. Live DNS log stream: identify millions of domains, many used by DGAs and unregistered
2. Automate reverse engineering: combine C2 domain pairs and known DGA to identify unknown configs
3. Predict 100,000s of future domains: combine newly-identified configs with DGA to identify C2 domains
4. Automate blocking pool of C2 domains: used by thousands of malicious samples now and in the future
INTELLIGENCE
‘Sender Rank’ model: predict domains related to spammers

[Diagram: mail servers query reputation services (checkspam.com) for suspect domains spam.ru, a.spam.ru, b.spam.ru … z.spam.ru; the model checks behavior patterns (type of domain, domain popularity, domain of sender service, historical activity), confirms the “Hailstorm” domain, places the registrant (badguy) on a watch list, and automatically verifies and blocks the new domains that registrant registers at a future time]

1. Identify queries to spam reputation services: 85M+ DNS users are attacked by various spam campaigns and use reputation services
2. Model aggregates hourly graphs per domain: short bursts of 1000s of “Hailstorm” spam use many FQDNs, e.g. subdomains, to hide from reputation services
3. Model identifies owners of “Hailstorm” domains: after confirmation, query WHOIS records to get the registrant of the sender domain
4. Block 10,000s of domains before new attacks happen: attackers often register more domains to embed links in phishing or C2 callbacks in malware
INTELLIGENCE
‘Newly Seen Domains’ category: reduces risk of the unknown

1. Any user (free or paid) requests the domain [1]
2. Every minute, we sample from our streaming DNS logs
3. Check if the domain was seen before and if whitelisted [2]
4. If not, add to the category, and within minutes, DNS resolvers are updated globally

Timeline of events
• Attackers register domains (days to weeks): not yet a threat; Umbrella’s Auto-WHOIS model may already predict them as malicious
• Domains used in an attack (minutes): before expiration [3], if any user requests this domain, it’s logged or blocked as newly seen. Cisco Umbrella: protected. Reputation systems: unprotected.
• Later (24 hours): Umbrella statistical models or reputation systems identify it as malicious. Cisco Umbrella: potentially unprotected once the domain leaves the category. Reputation systems: protected.

1. May have predictively blocked it already, and likely the first requestor was a free user. 2. E.g. domain generated for CDN service. 3. Usually 24 hours, but modified for best results, as needed.
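The four-step flow above as a runnable illustration (added here; not Umbrella's implementation): a sampling pass marks unseen, non-allowlisted domains as newly seen for a 24-hour window, and a resolver-side check decides log or block while the window is open. The allow-listed CDN zone, the domain names and the timestamps are constructed.

```python
"""'Newly Seen Domains' category as an added illustration (not Umbrella's code).
Sample domains and the allow-listed CDN zone are constructed."""
from datetime import datetime, timedelta

CATEGORY_TTL = timedelta(hours=24)   # the slide: usually 24 hours, tuned as needed
# Constructed allow list: machine-generated hostnames under these zones (e.g. CDN nodes)
ALLOWLISTED_ZONES = ("cdn.example-cdn.net",)


def is_allowlisted(domain):
    return any(domain == z or domain.endswith("." + z) for z in ALLOWLISTED_ZONES)


class NewlySeenDomains:
    """Tracks every domain observed and the ones currently in the category."""

    def __init__(self, block=False):
        self.seen = set()       # every domain observed so far
        self.category = {}      # domain -> time it leaves the category
        self.block = block      # policy for the category: block, or log only

    def _expire(self, now):
        for d in [d for d, until in self.category.items() if until <= now]:
            del self.category[d]

    def ingest_sample(self, now, domains):
        """One sampling pass over the DNS log stream (the slide's 'every minute').
        Returns the domains that entered the category on this pass."""
        self._expire(now)
        added = []
        for d in domains:
            d = d.lower().rstrip(".")
            new = d not in self.seen
            self.seen.add(d)
            if new and not is_allowlisted(d):
                self.category[d] = now + CATEGORY_TTL
                added.append(d)
        return added

    def verdict(self, now, domain):
        """Resolver decision for one request: 'block', 'log' or 'allow'."""
        self._expire(now)
        if domain.lower().rstrip(".") in self.category:
            return "block" if self.block else "log"
        return "allow"


T0 = datetime(2019, 5, 1, 12, 0, 0)   # constructed start of the timeline


def run_demo():
    """Walk the slide's timeline with constructed data; returns the observations."""
    nsd = NewlySeenDomains(block=True)
    nsd.seen.add("known.example")                      # a domain seen long ago
    added = nsd.ingest_sample(
        T0, ["known.example", "fresh-dga.xyz", "img7.cdn.example-cdn.net"])
    one_min = T0 + timedelta(minutes=1)
    return {
        "added": added,
        "fresh_at_1min": nsd.verdict(one_min, "fresh-dga.xyz"),
        "cdn_at_1min": nsd.verdict(one_min, "img7.cdn.example-cdn.net"),
        "readded": nsd.ingest_sample(one_min, ["fresh-dga.xyz"]),
        "fresh_after_ttl": nsd.verdict(T0 + timedelta(hours=25), "fresh-dga.xyz"),
    }


if __name__ == "__main__":
    for key, value in run_demo().items():
        print(f"{key}: {value}")
```

The last observation is the slide's "potentially unprotected" window: once the 24 hours pass, the resolver allows fresh-dga.xyz again unless another model has classified it meanwhile.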
INTELLIGENCE
New analysis and categories to combat DNS tunneling

Input: 100B+ DNS requests daily

Streaming signature-based jobs
Automatically identify malicious tunneling (e.g. PisLoader) or potential data exfiltration or open-source tools (e.g. DNS2TCP).
→ Malware; Potentially Harmful Domains*

Batch behavior-based jobs plus researcher inspection
Manually identify commercial services (e.g. YourFreedom) or benign uses every hour.
→ DNS Tunneling VPN*; Hidden whitelist (e.g. AV updates)

Machine learning detects domains with an excessive number of subdomains or characters, and invalid characters or encoded data. Plus, it detects clients requesting an excessive number of subdomains over a time period.
→ Undetermined

*New categories: These are allowed by default, but can be blocked. And domains in these categories may have already been categorized as Malware or Botnet (a.k.a. C2 callbacks) by many other Umbrella statistical models.
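Defender-side heuristics for the tunneling indicators the slide lists (name shape: label count, length, invalid characters, encoded data; client behaviour: many distinct subdomains of one zone in a short period), written as an added example rather than Umbrella's detection jobs. The thresholds, regular expressions and sample queries are assumptions.

```python
"""DNS tunneling heuristics (added example, not Umbrella's jobs). Sample data is constructed."""
import math
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Hostname labels: letters, digits, hyphens (a leading underscore is allowed for
# service labels such as _sip). Anything else counts as 'invalid characters'.
VALID_LABEL = re.compile(r"^_?[a-z0-9]([a-z0-9-]*[a-z0-9])?$", re.I)
# Long runs of hex or base32-alphabet characters look like an encoded payload.
ENCODED_RUN = re.compile(r"^(?:[a-f0-9]{16,}|[a-z2-7]{20,})$", re.I)


def shannon_entropy(s):
    """Bits of entropy per character of s (0.0 for the empty string)."""
    if not s:
        return 0.0
    counts = defaultdict(int)
    for ch in s:
        counts[ch] += 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def name_indicators(qname, max_labels=4, max_len=60, entropy_threshold=3.5):
    """Per-query indicators that fire on the name's shape (assumed thresholds)."""
    name = qname.rstrip(".").lower()
    labels = name.split(".")
    reasons = []
    if len(labels) > max_labels:
        reasons.append("excessive_subdomain_labels")
    if len(name) > max_len:
        reasons.append("excessive_name_length")
    if any(not VALID_LABEL.match(label) for label in labels):
        reasons.append("invalid_characters")
    # Treat the last two labels as the zone; everything left of it is the subdomain.
    subdomain = "".join(labels[:-2])
    if subdomain and (ENCODED_RUN.match(subdomain)
                      or shannon_entropy(subdomain) > entropy_threshold):
        reasons.append("encoded_data")
    return reasons


def zone_of(qname):
    labels = qname.rstrip(".").lower().split(".")
    return ".".join(labels[-2:])


def noisy_clients(records, window=timedelta(minutes=5), max_unique=20):
    """Clients that request more than max_unique distinct names under one zone
    inside any `window`. records: iterable of (timestamp, client_ip, qname)."""
    per_key = defaultdict(list)
    for ts, client, qname in records:
        per_key[(client, zone_of(qname))].append((ts, qname.lower()))
    flagged = {}
    for key, reqs in per_key.items():
        reqs.sort()
        for i, (start, _) in enumerate(reqs):
            uniq = {q for t, q in reqs[i:] if t - start <= window}
            if len(uniq) > max_unique:
                flagged[key] = len(uniq)
                break
    return flagged


# Constructed sample: one client walking 30 hex-encoded names under tunnel.example
# in two minutes, plus ordinary traffic from another client.
T0 = datetime(2019, 5, 1, 9, 0, 0)
SAMPLE_RECORDS = [
    (T0 + timedelta(seconds=4 * i), "10.1.1.5", f"{i:032x}.tunnel.example")
    for i in range(30)
] + [
    (T0 + timedelta(seconds=s), "10.1.1.7", q)
    for s, q in ((1, "www.cisco.com"), (30, "mail.cisco.com"), (65, "www.cisco.com"))
]

if __name__ == "__main__":
    for ts, client, qname in SAMPLE_RECORDS[:2] + SAMPLE_RECORDS[-1:]:
        print(client, qname, name_indicators(qname) or "clean")
    for (client, zone), n in noisy_clients(SAMPLE_RECORDS).items():
        print(f"{client}: {n} distinct names under {zone} within 5 minutes")
```

Both checks are needed: a single hex-looking label is weak evidence on its own (CDN and anti-virus update hostnames look similar, hence the slide's hidden whitelist), while the per-client burst of distinct subdomains is what separates a tunnel from a one-off lookup.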
INTELLIGENCE
Umbrella statistical models are 5X more relevant than external intelligence

Relevancy measures the extent to which each threat source provides intelligence that is blocking active threats recently seen across our customer base.

Higher relevancy = better coverage against active threats: Umbrella statistical models 58% vs. 3rd party feeds 11% (5X).

Umbrella statistical models have high relevancy because the models quickly adapt to the evolving threat landscape.
INTELLIGENCE
An alternative view to measure efficacy: benefits of looking at relevancy

Alternative view: Relevancy
• Measures the extent a threat source provides intelligence that blocks active threats seen across customers
• Not dependent on a specific customer environment
• Measured using our global infrastructure serving 90M users

Traditional view: Precision, Recall (Sensitivity)
• Highly subjective
• Dependent on customer environment and data set
• Impossible to generalize and efficiently use as vendor selection criteria
Deployment scenarios
DEPLOYMENT
Appropriate for small branch offices with no internal domain applications
DEPLOYMENT
Protect on-network devices via gateway’s DHCP

Internet gateway hands out DNS server 208.67.222.222 (Default).

Your policy: enforce all security settings for 67.215.87.11
Network egress IP: 67.215.87.11
DNS server: 208.67.222.222

YOUR NETWORK
DEPLOYMENT
Protect on-network devices via partner network device

Internet gateway (supported partner device, serial number FGL189914GG) forwards DNS to 208.67.222.222.

Your policy: enforce all security settings for FGL189914GG (+Custom)
Network egress IP: N/A
DNS server: 208.67.222.222

YOUR NETWORK
DEPLOYMENT
Appropriate for any size office with internal domain applications
DEPLOYMENT
Protect on-network devices using Cisco ISR*

The Cisco ISR inserts the VLAN identity & internal IP address in the EDNS request, encrypts and forwards it to 208.67.222.222.

Your policy: enforce all security settings for Workstation VLAN or Server VLAN
Network egress IP: 67.215.87.11
Workstation VLAN DNS server: 208.67.222.222
Server VLAN DNS server: 208.67.222.222

*Supported models: 1K and 4K series running IOS-XE v16.6.1+

YOUR NETWORK
DEPLOYMENT
Protect guest wi-fi using Cisco WLC*

No support for internal or split domains; not recommended for employees.

The Cisco WLAN controller inserts the SSID identity in the EDNS request and forwards it to 208.67.222.222.

Your policy: enforce all security settings for Employee Wi-Fi SSID
Network egress IP: 67.215.87.11
Employee Wi-Fi SSID DNS server: 208.67.222.222
Guest Wi-Fi SSID DNS server: 208.67.222.222

*Supported models: AireOS 8.0+ and WLC 8.4+

YOUR NETWORK
DEPLOYMENT
Protect on-network devices via DNS server

Laptop (IP 10.1.1.3) → internal DNS server (IP 10.1.1.1) → internet gateway → external DNS resolution at 208.67.222.222

Your policy: enforce all security settings for 67.215.87.11
Network egress IP: 67.215.87.11
DNS server (on the laptop): 10.1.1.1

YOUR NETWORK
DEPLOYMENT
Protect internal networks via Umbrella virtual appliance

Laptop (IP 10.1.1.3) → Umbrella VA (appliance IP 10.1.1.2) → internet gateway → 208.67.222.222. The VA inserts 10.1.1.3, the GUID and the Org ID in the EDNS request, encrypts and forwards it; internal domains (office.acme.com) go to the internal DNS server (IP 10.1.1.1).

Your policy: enforce all security settings for 10.1.1.3
Network egress IP: 67.215.87.11
DNS server (on the laptop): 10.1.1.2
DNS server (on the VA, for internal domains): 10.1.1.1

YOUR NETWORK
DEPLOYMENT
Protect AD users via Connector and Umbrella virtual appliance

The AD server with the AD connector associates the CEO with the EXEC group and with 10.1.1.3 (the laptop’s DHCP IP), and pushes that mapping over HTTPS. The Umbrella VA (appliance IP 10.1.1.2) inserts 10.1.1.3, the GUID and the Org ID in the EDNS request, encrypts and forwards it through the internet gateway to 208.67.222.222; internal domains (office.acme.com) go to the internal DNS server (IP 10.1.1.1).

Your policy: enforce all security settings for the EXEC group (GUID = CEO, a member of the EXEC group)
Network egress IP: 67.215.87.11
DNS server (on the laptop): 10.1.1.2
DNS server (on the VA, for internal domains): 10.1.1.1

YOUR NETWORK
DEPLOYMENT
Appropriate for laptops at any managed or unmanaged location, with or without internal domain applications
DEPLOYMENT
Protect off-network Win/Macs via Umbrella roaming client

Diagram (YOUR NETWORK): Umbrella roaming client or AnyConnect roaming security module on the laptop -> internet gateway -> Umbrella (DNS server 208.67.222.222). The client embeds a unique device ID and GUID (if AD) in the EDNS request, encrypts and forwards it.
Network egress IP: N/A. DNS server: N/A.
Your policy: enforce all security settings based on user identifiers.
DEPLOYMENT
Protect on and off-network Chromebook devices via Umbrella Chromebook client

Diagram (YOUR NETWORK): Umbrella Chromebook client -> internet gateway -> Umbrella (DNS server 208.67.222.222). The client embeds the unique email ID of the user in the EDNS request and forwards it.
Network egress IP: N/A. DNS server: N/A.
Your policy: enforce all security settings based on user identifiers.
Deployment extras

DEPLOYMENT
Simplest way to protect any device on-network: point external DNS traffic to Umbrella

Diagram: any device, any owner -> DNS -> 208.67.222.222. Provision DNS or DHCP servers; provision corporate and guest wireless APs.
DEPLOYMENT
Integration with Cisco ISR 1K and 4K devices and WLAN controllers
Protection for branch offices and Wi-Fi users

Diagram: Cisco ISR 1K and 4K devices and the Cisco WLAN controller send EDNS to Umbrella. VLANs: SERVER VLAN, WORKSTATION VLAN, EMPLOYEE WI-FI VLAN, GUEST WI-FI VLAN.
Visibility and enforcement per VLAN
DEPLOYMENT
Enforcement and visibility per Umbrella identity

Flow: DOMAIN REQUEST -> IP RESPONSE -> CONNECTION (HTTP/S). Identities are securely embedded within the query using an RFC-compliant mechanism, with differing granularity based on deployment. Web-based redirects, transparent to the user, enable the same identity for the proxy.

NETWORK VIA EGRESS IP FOR ALL DEPLOYMENTS

Umbrella deployments and the Umbrella identities each provides:
Your DNS or DHCP server: N/A
Umbrella roaming client (RC): Hostname (GA), Internal IPs (LA), Usernames* (LA)
Umbrella Chromebook client: Usernames
Umbrella AD Connector: Usernames* with groups, for RC and VA
Umbrella virtual appliance (VA): Internal IPs, Subnets, Usernames*
Umbrella API for network devices: Network device names or VLAN IDs

*Indicates identity available with Umbrella AD Connector
DEPLOYMENT
DNS-layer security via Umbrella’s roaming client

Step 1: Client watches for new networks and continuously sets DNS. The roaming client (built-in OS components) sets the DNS server to 127.0.0.1 for any running app.
Step 2a: External (internet) domains resolved by Umbrella. 1. Encrypt EDNS w/embedded ID. 2. Enforce policy for host, user, IP. External IP response to the requested domain, block page, or proxy.
or
Step 2b: Internal (intranet) domains resolved by your DNS server. Based on the customer’s internal domain list, the client forwards the DNS request w/o changes; internal IP response to the domain from your internal DNS server.
DEPLOYMENT
IP-layer security without a full VPN via roaming client

Step 1: Client continuously updates the list and the OS watches for matching IP traffic. Umbrella sends the roaming client (built-in OS components) its list of risky or known bad IPs; the client updates the IPs to watch for.
Step 2a: Most traffic routed directly to the internet. All IP traffic from any running app: no match against the list, so safe IP traffic goes direct.
or
Step 2b: Some traffic tunneled through Umbrella. All IP traffic from any running app: match!!! against the list, so risky or bad IP traffic is tunneled through Umbrella.
DEPLOYMENT
DNS-layer security via Umbrella Chromebook client

INSIDE CHROMEBOOK: User (Teacher/Student) -> Chrome Browser -> Chrome Extension -> Chrome App (Local DNS Server) -> Umbrella Resolver.
Chrome App: auto register device, get policies, apply policies.
Admin -> Umbrella Dashboard: view reports, manage devices.
DEPLOYMENT
We play well with others; just a bit of PAC or ACL config

Diagram: on-prem proxy and internal DNS server behind a firewall/router ACL*; Umbrella proxies and block page servers; Umbrella resolvers. PAC: modify config (cs.co/UmbrellaProxyConfig).

Bypass redirection to Umbrella proxy IP space

function FindProxyForURL(url, host) {
    // Resolve the host on the client (see "Force client-side DNS requests" below)
    var hostIP = dnsResolve(host);
    // If the requested website is using an Umbrella IP address, return DIRECT
    if (isInNet(hostIP, "67.215.64.0", "255.255.224.0") ||
        isInNet(hostIP, "204.194.232.0", "255.255.248.0") ||
        isInNet(hostIP, "208.67.216.0", "255.255.248.0") ||
        isInNet(hostIP, "208.69.32.0", "255.255.248.0") ||
        isInNet(hostIP, "185.60.84.0", "255.255.252.0") ||
        isInNet(hostIP, "146.112.61.0", "255.255.255.0") ||
        isInNet(hostIP, "146.112.128.0", "255.255.192.0") ||
        isInNet(hostIP, "146.112.192.0", "255.255.192.0")) {
        return "DIRECT";
    }
    // DEFAULT RULE: All other traffic, use below proxies, in fail-over order.
    return "PROXY 192.0.2.5:8080; PROXY 192.0.2.6:8080";
}

*NOTE: Best practice to add ACL to only permit external DNS queries to Umbrella resolver IP space.
DEPLOYMENT
We play well with others; just a bit of PAC or ACL config

Diagram: on-prem proxy and internal DNS server behind a firewall/router ACL*; Umbrella proxies and block page servers; Umbrella resolvers. Firewall/router ACL: modify config (cs.co/UmbrellaProxyConfig).

Deny redirection for Umbrella proxy IP space

access-list wccp-traffic extended deny ip any 67.215.64.0 255.255.224.0
access-list wccp-traffic extended deny ip any 204.194.232.0 255.255.248.0
access-list wccp-traffic extended deny ip any 208.67.216.0 255.255.248.0
access-list wccp-traffic extended deny ip any 208.69.32.0 255.255.248.0
access-list wccp-traffic extended deny ip any 185.60.84.0 255.255.252.0
access-list wccp-traffic extended deny ip any 146.112.61.0 255.255.255.0
access-list wccp-traffic extended deny ip any 146.112.128.0 255.255.192.0
access-list wccp-traffic extended deny ip any 146.112.192.0 255.255.192.0
access-list wccp-traffic extended permit ip any any

*NOTE: ACL varies depending on the ASA version or IOS version, or third-party product.
DEPLOYMENT
Endpoint-level granularity requires Umbrella RC/AC or VA

Diagram: on-prem proxy (optional if using URC*) or Umbrella VA; URC on the endpoint; Umbrella proxies and block page servers; Umbrella resolvers. Firewall/router ACL: if transparent, same config. PAC: if explicit, another config (cs.co/UmbrellaProxyConfig).

Force client-side DNS requests

function FindProxyForURL(url, host) {
    // Generate DNS request on the client
    var hostIP = dnsResolve(host);
    // hostIP is then tested against the Umbrella IP space as on the preceding PAC slide
}

*URC = Umbrella Roaming Client
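As an added example (not code from the Cisco deck), the following stand-alone harness lets a defender check the PAC logic from the two PAC slides above before pushing it to clients: it shims the two PAC built-ins the deck relies on, dnsResolve and isInNet, and exercises the same FindProxyForURL body against a constructed DNS table. The hostnames, their addresses and the FAKE_DNS table are constructed; the Umbrella ranges are the ones listed on the slide.

```javascript
// Added example, not from the Cisco deck: an offline harness for checking the
// PAC logic described on the slides before it is pushed to clients. It shims
// the two PAC built-ins the deck relies on (dnsResolve and isInNet) so the
// same FindProxyForURL body can be exercised against constructed inputs.

// Umbrella proxy and block-page ranges as listed on the slide (network, mask).
const UMBRELLA_PROXY_SPACE = [
  ["67.215.64.0", "255.255.224.0"],
  ["204.194.232.0", "255.255.248.0"],
  ["208.67.216.0", "255.255.248.0"],
  ["208.69.32.0", "255.255.248.0"],
  ["185.60.84.0", "255.255.252.0"],
  ["146.112.61.0", "255.255.255.0"],
  ["146.112.128.0", "255.255.192.0"],
  ["146.112.192.0", "255.255.192.0"],
];

// Constructed stand-in for the client's resolver. A domain the Umbrella resolver
// has steered to the intelligent proxy answers with a proxy address; an ordinary
// domain answers with its own address. All hosts and addresses are invented.
const FAKE_DNS = {
  "gray.example": "146.112.61.105",      // constructed: answer is a proxy IP
  "www.example.com": "203.0.113.10",     // constructed: ordinary answer
  "intranet.acme.example": "10.1.1.50",  // constructed: internal host
};

// Parse a dotted-quad IPv4 address into an unsigned 32-bit integer; reject anything else.
function ipToInt(ip) {
  const parts = ip.split(".").map(Number);
  if (parts.length !== 4 || parts.some(p => !Number.isInteger(p) || p < 0 || p > 255)) {
    throw new Error("bad IPv4 address: " + ip);
  }
  return ((parts[0] << 24) | (parts[1] << 16) | (parts[2] << 8) | parts[3]) >>> 0;
}

// Shim for the PAC built-in: returns the address, or null when resolution fails,
// which is the browser behaviour for dnsResolve.
function dnsResolve(host) {
  return Object.prototype.hasOwnProperty.call(FAKE_DNS, host) ? FAKE_DNS[host] : null;
}

// Shim for the PAC built-in: true when ip lies inside network/mask.
function isInNet(ip, network, mask) {
  if (ip === null) return false;
  const m = ipToInt(mask);
  return (ipToInt(ip) & m) === (ipToInt(network) & m);
}

// The deck's PAC logic: resolve on the client so the roaming client or VA sees
// the query, send Umbrella proxy/block-page addresses DIRECT, and send everything
// else to the on-prem proxies in fail-over order (192.0.2.x is documentation space).
function FindProxyForURL(url, host) {
  const hostIP = dnsResolve(host);
  for (const [network, mask] of UMBRELLA_PROXY_SPACE) {
    if (isInNet(hostIP, network, mask)) return "DIRECT";
  }
  return "PROXY 192.0.2.5:8080; PROXY 192.0.2.6:8080";
}
```

A host that fails to resolve falls through to the default proxy rule rather than being sent DIRECT, which is the safer outcome when the on-prem proxy is the enforcement point.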
Cisco Security Connector

Cisco Security Connector
• Extend visibility and control to iOS devices
• Single app to enable multiple security technologies
• Deploy to supervised devices through MDM solutions
• No impact to employees’ mobile experience
Control
• Protect users from connecting to malicious destinations
• Defend against phishing attacks and accidental browsing of bad sites
• Encrypt DNS requests on public Wi-Fi & cellular networks

Visibility
• Gain insight into activity on iOS devices during incident investigations
• Build audit reports of user, device, and app traffic
• Quickly identify the impact and degree of risk exposure
The technology behind it

Umbrella
• Ensure all DNS requests are sent to Umbrella
• Adds protection when iOS users are off-network, on public Wi-Fi and cellular networks
• Simplest, most user friendly solution in the market
• Licensed by number of user seats

Clarity (AMP for Endpoints)
• Enable audit of iOS device users and their applications
• Visibility into usage and network resources accessed by mobile apps
• First vendor to get this level of access to iOS
• Licensed by number of devices
Zero-touch UX for end-users
Visibility and control

Umbrella app extension: encryption and enforcement of internet requests; requests attributed by iOS identity in the Umbrella Dashboard.
Clarity (AMP) app extension: auditing and correlation of app traffic flows; flows attributed by iOS identity and app in the AMP Dashboard.
Works anywhere: on- and off-network. One app, two extensions: automatically provisioned via Meraki.
Basic requirements
Enterprise-owned iOS devices run in supervised mode
Must belong to Apple’s Volume Purchase Program (VPP)

Subscription to Cisco Umbrella
Licensed per number of internet-connected users

Subscription to Cisco Clarity
AMP for Endpoints – licensed per device

Currently supported MDM systems
• Cisco Meraki Systems Manager (licensed by number of devices)
• VMware Workspace ONE, powered by VMware AirWatch
• MobileIron

DELETE BEFORE PRESENTING
For the full Cisco Security Connector TDM visit: cs.co/CSCTDM
Cryptocurrency and attacks

Cryptocurrency
• Digital currency
• Operates independently of a central bank
• Cryptographic techniques are used to regulate the generation of currency units and verify the transfer of funds
• Bitcoin, Monero, Litecoin, Stellar, etc.

Cryptomining
The process of generating new units of the cryptocurrency
Bitcoin example:
• A miner uses their computing power to verify P2P Bitcoin transactions
• Rewarded with new Bitcoins proportional to the amount of computing power they donated to the Bitcoin network
Cryptojacking
• Secret use of a business’ computing power to mine cryptocurrencies through individual machines
• Done in browser JavaScript exploits, cloud AWS instances, etc.

Cryptojacking
How do you protect yourself?

How to avoid rogue cryptomining in your environment
• Ensure you have strong Kubernetes passwords in place
• Don’t just be on the hunt for Monero miners - threat actors have moved to more obscure coins (easier to mine & convert)
• As the market grows, expect a multitude of switches in the coins they mine to evade detection
• The more popular a coin becomes, the less likely it will be used for cryptomining
• Easier to avoid detection with new cryptos; they will see higher returns

Preventing cryptomining with Umbrella
Leverage our Cryptomining security policy to block cryptomining pools and web miners
Intelligent proxy extras

We’ve had the intelligent proxy since 2013, let’s talk about it

RESOLVER: inspects DNS request and response. PROXY: inspects header request and response.
Diagram: ANY ENDPOINT web activity for gray.com/bad.exe; labels: gray.com, proxy IP address, 302 redirect.
DNS load balancers expose proxy IPs so resolvers can redirect clients

Diagram: any endpoint -> (1) DNS or EDNS to the Unicast/Anycast resolvers -> (2) DNS to the DNS load balancer -> (3) HTTP/S to the proxy in DATA CENTER #1 or DATA CENTER #2 -> websites.
Resolver and proxy systems are independent and Anycast

Partial outage: any endpoint -> (1) DNS or EDNS to the Unicast/Anycast resolvers -> (2) DNS to the DNS load balancer -> (3) HTTP/S to the proxy in the remaining data center (DATA CENTER #1 or DATA CENTER #2) -> websites.

Resolver and proxy systems are independent and Anycast

Full outage: any endpoint -> (1) DNS or EDNS to the Unicast/Anycast resolvers -> (2) DNS to the DNS load balancer in DATA CENTER #2 -> (3) HTTP/S to the proxy in DATA CENTER #2 -> websites (DATA CENTER #1 fully out).
Why do an Umbrella POV?

It’s the easiest POV you’ll ever do.
1) Signup 2) Point DNS 3) Done

After your POV, you’ll receive a custom security report to help answer:
• How effective is this solution?
• How does it compare (or add) to my current security stack?
• Does it deliver great time-to-value?

Uncover more with Umbrella
Across 200+ recent POVs:
50% encountered APT (Advanced Persistent Threat)
82% encountered ransomware
77% encountered phishing
653 C2 callbacks blocked; 1150 malware requests blocked
Don’t just take our word for it

100% reduction in ransomware (7,200+ users)
Decreased threats by an estimated 99% and shortened investigation time by 75% (10,000+ users)
Umbrella reduced malware by at least 60 to 70% (70,000+ users)
Cost savings example
Cost areas: remediation, loss of business from downtime, loss of customer loyalty, compliance fines

Infected endpoints: 50 per month
Number of hours to fix: 250 (assuming five hours to re-image an endpoint)
Cost per incident: $175 (assuming IT is paid $35/hour)
Total cost: $8,750 per month

Cost avoidance total: $7,875 savings with Umbrella per month
Cost avoidance total: $94,500 savings with Umbrella per year
Assuming Umbrella prevents 90% of incidents
Uncover more with Umbrella
Across 200+ recent POVs:
50% encountered APT (Advanced Persistent Threat)
82% encountered ransomware
77% encountered phishing
81% encountered C2 callback
86% encountered Angler
74% encountered Locky

Top threat occurrences by industry
Healthcare: 1) Ransomware 94%, 2) C2 Callbacks 90%, 3) Phishing 87%
Manufacturing: 1) C2 Callbacks 75%, 2) Exploit kit 67%, 3) Spam 63%
Professional services: 1) Spam 100%, 2) Browser redirect 80%, 3) C2 Callbacks 80%
Cisco IT’s deployment of Umbrella
7.6B: DNS queries per day sourced from the Cisco network and endpoints
22M: DNS blocks per day
1000x: amount of threat intelligence in Umbrella vs Infosec’s home grown system
30 min: average time of the change requests to enable enterprise-wide policy changes
432K: blocks for roaming clients while not connected to Cisco’s network in the first week
3: end client installation cases from AnyConnect bootstrap deployment
110K: Umbrella clients installed via AnyConnect VPN bootstrap in 2 weeks
<10 cases: for false positives per month (not all cases are even found to be false positives)
Misc. extras

Multi-Org Console
Control & visibility across multiple, decentralized or partitioned organizations
Diagram: Asia Pacific office, North America HQ, European office.
ENFORCEMENT
Protect any location

You required: users to VPN into the corporate network to get work done.
You now need: on-network coverage and protection for a mobile workforce.
Diagram: roaming laptop with AnyConnect module or stand-alone client for Umbrella; VPN On / VPN Off (or On*): Umbrella active. Cisco Umbrella blocks threats over any port (malware, C2 callbacks, phishing) on the way to the internet.
*Always-on or location-aware policies are supported.
Secure Internet Gateway

Protect anywhere users connect
Threats: malware, C2 callbacks, phishing
SIG: first line of defense and inspection; secure onramp to the internet; safe access anywhere users go, even off VPN.

On and off the corporate network
Secure Internet Gateway: your secure onramp to the internet, anywhere users go
• All ports and protocols
• Open platform
• Live threat intelligence
• Proxy and file inspection
• Discovery and control of SaaS
How a SIG compares to a SWG
SIG: secure internet access, anywhere users go. SWG: granular web usage controls for compliance and protection.
Capabilities compared (SIG vs SWG):
• Open platform w/ bi-directional API integrations
• SaaS discovery and control; works w/ CASB
• Internet traffic enforcement for all ports & protocols
• Cloud-delivered security to cover on and off-network
• Web traffic enforcement for ports 80/443 and HTTP/S
• Web application visibility and control (future release)
• Web content filtering
• Web data loss prevention
• Web productivity and bandwidth control

Cisco’s SIG compared to others’ SWG
Problem: incomplete coverage of DNS and IP layer destinations and files.
SWG: HTTP/S layer; vendor AV feeds; reactive file intel.
SIG: HTTP/S layer plus predictive destination intel; vendor + customer feeds; AMP retrospective file intel; Talos and AMP supporting the entire Cisco security portfolio.
DNS

DNS Overview
Domain registrar: maps and records names to #s in “phone books”.
Authoritative DNS: owns and publishes the “phone books”.
Recursive DNS: looks up and remembers the #s for each name.
Who resolves your DNS requests?

Diagram: home users (ISP?) -> ISP1; enterprise location A with internal InfoBlox appliance; roaming laptops (ISP?) -> ISP2; enterprise location B with internal Windows DNS server; remote sites (ISP?) -> ISP3; enterprise location C with internal BIND server. ISPs provide recursive DNS for internet domains; the internal servers are authoritative DNS for intranet domains.

Challenges
• Multiple internet service providers
• Direct-to-internet branch offices
• Users forget to always turn VPN on
• Different DNS log formats
Using a single global recursive DNS service

Diagram: home users (ISP?) -> ISP1; enterprise location A with internal InfoBlox appliance; roaming laptops (ISP?) -> ISP2; enterprise location B with internal Windows DNS server; remote sites (ISP?) -> ISP3; enterprise location C with internal BIND server. A single service provides recursive DNS for internet domains; the internal servers remain authoritative DNS for intranet domains.

Benefits
• Global internet activity visibility
• Network security w/o adding latency
• Consistent policy enforcement
• Internet-wide cloud app visibility
Gather intelligence and enforce security at the DNS layer

Diagram: any device -> recursive DNS -> authoritative DNS (root, com., domain.com.).

User request patterns, used to detect:
• Compromised systems
• Command and control callbacks
• Malware and phishing attempts
• Algorithm-generated domains
• Domain co-occurrences
• Newly registered domains

Authoritative DNS logs, used to find:
• Newly staged infrastructures
• Malicious domains, IPs, ASNs
• DNS hijacking
• Fast flux domains
• Related domains
