
Cisco Umbrella

First line of defense for threats on the internet

Alonso Sal y Rosas


Systems Engineer
March 2020
Agenda
• Challenges
• Introducing Cisco Umbrella
• Ransomware example
• Package Umbrella and Investigate
• Product demo
How IT was built
(figure: the internet at the top; critical infrastructure and business apps; workplace desktops)
© 2018 Cisco and/or its affiliates. All rights reserved. Cisco Confidential 3
The way we work has changed
(figure: critical infrastructure now also runs in the cloud (Amazon, Rackspace, Windows Azure, etc.) and business apps as SaaS (Salesforce, Office 365, G Suite, etc.), alongside the critical infrastructure and business apps still on premises; users work from workplace desktops, roaming laptops and branch offices)
Users and apps have adopted the cloud, security must too
• 49% of the workforce is mobile
• 82% admit to not using the VPN
• 70% increase in SaaS usage
• 70% of branch offices have DIA (direct internet access)
Security controls must shift to the cloud
Introducing Cisco Umbrella

Cisco Umbrella
Cloud security platform
• Built into the foundation of the internet
• Intelligence to see attacks before they are launched
• Visibility and protection everywhere
• Enterprise-wide deployment in minutes
• Integrations to amplify existing investments
(figure: the Umbrella resolver at 208.67.222.222 between users and malware, C2 callback and phishing destinations)
Where does Umbrella fit?
(figure: Umbrella as the first line in front of the existing stack, NGFW, proxy, sandbox, NetFlow, router/UTM and endpoint AV, across HQ, branch and roaming locations; threats shown are malware, C2 callbacks and phishing)
Benefits
• First line: block malware before it hits the enterprise
• Contains malware if it is already inside
• Internet access is faster
• Provision globally in minutes
It all starts with DNS
DNS = Domain Name System
• First step in connecting to the internet
• Precedes file execution and IP connection
• Used by all devices
• Port agnostic: the decision is made on the name, before the client has an IP address to connect to, so it applies whatever port or protocol the connection would have used
(figure: a client asks Umbrella for Cisco.com and receives 72.163.4.161)
Note: the same fact bounds what DNS-layer enforcement can see. A connection to a hard-coded IP address, or a lookup the client sends to some other resolver (including its own encrypted DNS), never passes through the policy resolver; egress rules that force all DNS to the intended resolver close that gap.
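The mechanism behind the slide, as an added example that is not Cisco's code and not from this deck: a toy policy resolver that answers RFC 1035 wire-format queries. The block list, the sinkhole address (an RFC 5737 documentation address standing in for a block page) and the "upstream" answers are constructed for the example; only the names are taken from the slides. The point it shows is that the verdict is produced while the client still has nothing but a name, so whatever port the client would have used afterwards is irrelevant.

```python
"""Added example (not Cisco's code): a toy DNS policy resolver in RFC 1035
wire format. A client pointed at a policy resolver asks for the name before
it opens any connection; if the answer is a sinkhole address, the later
connection, on whatever port, never reaches the attacker.

Block list, sinkhole address and "upstream" answers are constructed for this
example and do not reproduce Umbrella's policy engine or data.
"""
import socket
import struct

SINKHOLE_IP = "192.0.2.1"                     # RFC 5737 documentation address standing in for a block page
BLOCK_LIST = {"7asel7.top", "8211fr.top"}     # constructed entries; names taken from the slides
UPSTREAM = {"cisco.com": "72.163.4.161",      # constructed "real" answers (the slide shows this pair)
            "www.cisco.com": "72.163.4.161"}


def build_query(qname, txid=0x1234):
    """Encode a minimal A/IN query: 12-byte header (RD=1, one question) + QNAME + QTYPE/QCLASS."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    labels = b"".join(bytes([len(l)]) + l.encode("ascii") for l in qname.strip(".").split("."))
    return header + labels + b"\x00" + struct.pack("!HH", 1, 1)


def parse_question(packet):
    """Return (txid, qname, offset just past the question); raise ValueError on malformed input."""
    if len(packet) < 12:
        raise ValueError("truncated header")
    txid = struct.unpack("!H", packet[:2])[0]
    pos, labels = 12, []
    while True:
        if pos >= len(packet):
            raise ValueError("truncated qname")
        n = packet[pos]
        pos += 1
        if n == 0:
            break
        if n & 0xC0 or pos + n > len(packet):   # no compression pointers in a question we build
            raise ValueError("bad label")
        labels.append(packet[pos:pos + n].decode("ascii").lower())
        pos += n
    if pos + 4 > len(packet):
        raise ValueError("truncated qtype/qclass")
    return txid, ".".join(labels), pos + 4


def is_blocked(qname):
    """True if qname or any parent domain is listed: '7asel7.top' covers '*.7asel7.top'."""
    parts = qname.split(".")
    return any(".".join(parts[i:]) in BLOCK_LIST for i in range(len(parts)))


def build_response(packet, question_end, rcode, ip=None):
    """Copy the question back, set QR/RD/RA, append one A record (none for NXDOMAIN)."""
    flags = 0x8180 | rcode                                  # QR=1, RD=1, RA=1, RCODE
    header = packet[:2] + struct.pack("!HHHHH", flags, 1, 1 if ip else 0, 0, 0)
    answer = b""
    if ip:
        # NAME = pointer to offset 12 (the question), TYPE A, CLASS IN, TTL 60 s, RDLENGTH 4
        answer = struct.pack("!HHHIH", 0xC00C, 1, 1, 60, 4) + socket.inet_aton(ip)
    return header + packet[12:question_end] + answer


def policy_resolve(packet):
    """The enforcement point: decide on the name, before any IP connection exists.
    Returns (verdict, answered_ip_or_None, response_bytes)."""
    _, qname, qend = parse_question(packet)
    if is_blocked(qname):
        return "blocked", SINKHOLE_IP, build_response(packet, qend, 0, SINKHOLE_IP)
    if qname in UPSTREAM:
        return "allowed", UPSTREAM[qname], build_response(packet, qend, 0, UPSTREAM[qname])
    return "nxdomain", None, build_response(packet, qend, 3)


def answer_ip(response):
    """Read the A record out of a response built above (None when ANCOUNT is 0)."""
    _, _, qend = parse_question(response)
    if struct.unpack("!H", response[6:8])[0] == 0:
        return None
    return socket.inet_ntoa(response[qend + 12:qend + 16])  # 12 = NAME(2)+TYPE(2)+CLASS(2)+TTL(4)+RDLENGTH(2)


if __name__ == "__main__":
    for name in ("www.cisco.com", "ccerberhhyed5frqa.8211fr.top", "cdn.7asel7.top", "nosuch.example"):
        verdict, ip, resp = policy_resolve(build_query(name))
        print(f"{name:30} -> {verdict:8} {ip}")
```

A real deployment differs in two ways worth keeping in mind: the block answer normally points at a block page that logs the attempt (the identity reports later in the deck come from exactly that), and the resolver only sees lookups that reach it, so the "point your DNS" step is only as strong as the egress rules that stop clients from using any other resolver.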
Built into the foundation of the internet
Umbrella provides:
• Connection for safe requests
• Prevention for user- and malware-initiated connections
• Proxy inspection for risky domains
(figure: a safe request is answered normally; a blocked request is stopped at the resolver)
Intelligent proxy
Requests for "risky" domains are sent through the proxy for:
• URL inspection: Cisco Talos feeds, Cisco WBRS (Web-Based Reputation Score), partner feeds, custom URL block list
• File inspection: AV engines, Cisco AMP
Prevents connections before and during the attack
Before: web- and email-based infection
• Malvertising / exploit kit
• Phishing / web link
• Watering hole compromise
During: command-and-control callback
• Malicious payload drop
• Encryption keys
• Updated instructions
Result: stop data exfiltration and ransomware encryption
Malware doesn't just happen
Intelligence to see attacks before they are launched
Build. Test. Launch. Repeat.
(figure: ATTACK 1 and ATTACK 2, each staged on the same kinds of infrastructure: ransomware web server, malware web server, www hosts, email-delivery domain/IP and malvertising domain/IP)
Our view of the internet
• 150B requests per day
• 90M daily active users
• 15K enterprise customers
• 160+ countries worldwide
Intelligence to see attacks before they are launched
Data
• Cisco Talos feed of malicious domains
• Umbrella DNS data: 150B requests per day
Security researchers
• Industry-renowned researchers
• Build models that can automatically classify and score domains and IPs
Models
• Dozens of models continuously analyze millions of live events per second
• Automatically uncover malware, ransomware, and other threats
Our efficacy
• Discover: 3M+ daily new domain names
• Identify: 60K+ daily malicious destinations
• Enforce: 7M+ malicious destinations while resolving DNS
Visibility and protection for all activity, anywhere
ON-NETWORK
• All office locations: HQ and branch
• Any device on your network, including IoT and mobile
OFF-NETWORK
• Roaming laptops
ALL PORTS AND PROTOCOLS
• Every port and protocol
IDENTITY REPORTS
• Allowed, blocked, and proxied traffic per device or network
• Top activity and categories per device or network
• Quickly spot and remediate victims
DESTINATION REPORTS
• Local vs. global trends for malicious domains
• Top identities associated with malicious activity
• Quickly assess the extent of exposure
Umbrella App Discovery and Blocking
Solves the three biggest challenges related to shadow IT:
• Visibility
• App and risk insight
• Optimization and blocking
Integrations to amplify existing security
Block malicious domains from partner or custom systems: your current security stack sends IOCs to Umbrella for enforcement.
• Threat analysis feed: AMP Threat Grid + others
• Appliance-based detection: + others
• Threat intelligence platform: + others
• Cloud Access Security Broker: Cloudlock + others
• Custom integrations: Python script, Bro IPS + others
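The "custom integrations: Python script" row is where most home-grown feeds go wrong, so here is an added example (not Cisco's code and not from this deck) of the normalisation step that should sit in front of any push to a DNS-layer block list. The feed lines are constructed; the names on them are taken from the slides. The event record shape produced at the end is an assumption, to be adapted to whatever enforcement API is actually used: what the example shows is the validation, not a particular API.

```python
"""Added example (not Cisco's code): normalise indicators from a custom source
before pushing them to a DNS-layer block list. Unvalidated strings are the usual
failure: a bare TLD blocks everything under it, a URL or an IP blocks nothing in
a domain list, and a defanged name never matches. The feed is constructed; the
event record shape is an assumption to adapt to the enforcement API in use.
"""
import ipaddress
import json
import re
from datetime import datetime, timezone

LABEL_RE = re.compile(r"^(?!-)[a-z0-9-]{1,63}(?<!-)$")   # one DNS label, RFC 1123 style

# Constructed feed: one indicator per line, in the mixed forms real sources emit.
FEED = """\
ccerberhhyed5frqa[.]8211fr[.]top
hxxp://cdn.7asel7[.]top/payload.exe
*.7asel7.top
91.223.89.201
TOP
www.cisco.com
jbrktqnxklmuf.info.
jbrktqnxklmuf.info
"""

NEVER_PUSH = {"www.cisco.com"}   # constructed: names that must never reach the block list


def refang(token):
    """Undo common defanging: [.] -> ., hxxp -> http."""
    return token.replace("[.]", ".").replace("hxxp", "http")


def extract_domain(token):
    """Reduce a URL, wildcard or FQDN to a bare lowercase domain; None if it is not a domain."""
    t = refang(token.strip().lower())
    t = re.sub(r"^[a-z]+://", "", t)      # drop scheme
    t = t.split("/")[0].split(":")[0]     # drop path and port
    t = t.lstrip("*.").rstrip(".")        # '*.example.com' and trailing-dot FQDNs
    if not t:
        return None
    try:
        ipaddress.ip_address(t)
        return None                       # IPs belong in an IP list, not a domain list
    except ValueError:
        pass
    labels = t.split(".")
    if len(labels) < 2 or not all(LABEL_RE.match(l) for l in labels):
        return None                       # bare TLDs and malformed names are rejected
    return t


def normalise_feed(text, never_push=NEVER_PUSH):
    """Return (domains_to_push, rejected_lines): duplicates collapsed, input order preserved."""
    keep, rejected, seen = [], [], set()
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        domain = extract_domain(line)
        if domain is None or domain in never_push:
            rejected.append(line.strip())
        elif domain not in seen:
            seen.add(domain)
            keep.append(domain)
    return keep, rejected


def to_events(domains, provider="custom-ids"):
    """Assumed event shape for an enforcement API: one record per domain with a UTC timestamp.
    Field names are illustrative; match them to the API you integrate with."""
    stamp = datetime.now(timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")
    return [{"providerName": provider, "dstDomain": d, "eventTime": stamp} for d in domains]


if __name__ == "__main__":
    push, rejected = normalise_feed(FEED)
    print(json.dumps(to_events(push), indent=2))
    print("rejected:", rejected)
```

The rejected list is worth logging rather than dropping silently: an IP that a detector emitted is still an indicator, it just belongs in a different list, and a rejected corporate name is a sign the upstream detector is misfiring.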
What sets Umbrella apart from competitors
• Fastest and most reliable cloud infrastructure
• Broadest coverage of malicious destinations and files
• Most open platform for integration
• Easiest connect-to-cloud deployment
• Most predictive intelligence to stop threats earlier
Ransomware example

Ransomware: mapping attacker infrastructure
Pivots used: Domain → IP association, Network → IP association, IP → Sample association, IP → Domain association, IP → Network association, WHOIS association
(timeline figure: *.7asel7[.]top; marks at AUG 17 and SEP 12, interval labelled -26 DAYS; series labelled Umbrella and LOCKY)
(pivot figure: seed *.7asel7[.]top (LOCKY); Domain → IP association: 185.101.218.206 and 91.223.89.201; IP → Network association: AS 197569; IP → Domain association: 1,000+ DGA domains, e.g. ccerberhhyed5frqa[.]8211fr[.]top (CERBER); IP → Sample association: 600+ Threat Grid files, e.g. SHA256:0c9c328eb66672ef1b84475258b4999d6df008 (hash truncated on the slide))
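The pivot the two slides above walk through (domain to IP, IP to network, IP to other domains, samples and WHOIS), as an added example that is not Cisco's or Investigate's code: a breadth-first walk over a table of typed relationships. The records are constructed for the example and reuse indicator strings from the slides as node names only; they are not passive-DNS, BGP or Threat Grid data, and the sample and registrant identifiers are placeholders. The example goes one step beyond the slide by making the choice of which node types to expand explicit, because that choice decides whether the pivot stays on one actor's infrastructure or balloons into the whole internet.

```python
"""Added example (not Cisco's or Investigate's code): pivot across typed
relationships from a seed domain, the way the slide goes from *.7asel7[.]top
to AS 197569 and a second malware family. RECORDS is constructed; indicator
strings from the slides are used as node names only, and sample / registrant
ids are placeholders.
"""
from collections import deque

# Constructed relationship table: (source, relation, target).
RECORDS = [
    ("7asel7.top",       "domain->ip",    "185.101.218.206"),
    ("7asel7.top",       "domain->ip",    "91.223.89.201"),
    ("185.101.218.206",  "ip->network",   "AS197569"),
    ("91.223.89.201",    "ip->network",   "AS197569"),
    ("91.223.89.201",    "ip->domain",    "ccerberhhyed5frqa.8211fr.top"),
    ("91.223.89.201",    "ip->domain",    "8211fr.top"),
    ("91.223.89.201",    "ip->sample",    "sample-A"),              # placeholder sample id
    ("185.101.218.206",  "ip->sample",    "sample-B"),              # placeholder sample id
    ("7asel7.top",       "domain->whois", "registrant-X"),          # placeholder registrant handle
    ("8211fr.top",       "domain->whois", "registrant-X"),
    ("other-campaign.example", "domain->whois", "registrant-X"),    # only linked through WHOIS
    ("cisco.com",        "domain->ip",    "72.163.4.161"),          # unrelated: must never be reached
    ("72.163.4.161",     "ip->network",   "AS-other"),              # placeholder network
]


def build_graph(records):
    """Undirected adjacency: every relation is walkable both ways (domain->ip is also ip->domain)."""
    graph = {}
    for src, rel, dst in records:
        graph.setdefault(src, set()).add((rel, dst))
        graph.setdefault(dst, set()).add((rel, src))
    return graph


def node_type(node):
    """Crude typing for the constructed data: network, sample, whois handle, IPv4 literal, else domain."""
    if node.startswith("AS"):
        return "network"
    if node.startswith("sample-"):
        return "sample"
    if node.startswith("registrant-"):
        return "whois"
    if node.count(".") == 3 and all(p.isdigit() for p in node.split(".")):
        return "ip"
    return "domain"


def pivot(graph, seed, max_hops, stop_at=("sample",)):
    """BFS from seed; returns {node: path}, where path is the list of (src, relation, dst) edges.
    Node types in stop_at are recorded but not expanded. Samples are the default because a
    shared commodity packer links unrelated actors; add 'whois' when the registrant is a
    privacy proxy, and consider 'network' for large hosting ASNs."""
    seen = {seed: []}
    queue = deque([(seed, 0)])
    while queue:
        node, hops = queue.popleft()
        if hops == max_hops or node_type(node) in stop_at:
            continue
        for rel, nxt in sorted(graph.get(node, ())):
            if nxt not in seen:
                seen[nxt] = seen[node] + [(node, rel, nxt)]
                queue.append((nxt, hops + 1))
    return seen


def new_blocks(reach, seed):
    """Domains reached by the pivot, other than the seed: candidates for the block list."""
    return sorted(n for n in reach if node_type(n) == "domain" and n != seed)


if __name__ == "__main__":
    g = build_graph(RECORDS)
    reach = pivot(g, "7asel7.top", max_hops=4)
    for node, path in reach.items():
        print(f"{node:32} via {' -> '.join(f'{r}:{d}' for _, r, d in path) or '(seed)'}")
    print("block:", new_blocks(reach, "7asel7.top"))
```

The returned path is what an analyst needs to justify each new indicator ("reached through the IP, not through a shared registrant"), and it is also what a reviewer checks before the domains go into enforcement.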
Threat detected same day domain was registered.
(timeline figure: DGA domain jbrktqnxklmuf[.]info; marks at JUL 14 and JUL 21, interval labelled -7 DAYS; series labelled Umbrella and LOCKY)

Network → Domain association
Threat detected before domain was registered.
(timeline figure: DGA domain mhrbuvcvhjakbisd[.]xyz; marks at JUL 18, JUL 22 (DOMAIN REGISTERED) and AUG 21, intervals labelled -4 DAYS and -26 DAYS; series labelled Umbrella and LOCKY)
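Both the "build models that classify and score domains" slide and the two DGA timelines above turn on the same idea: a name like jbrktqnxklmuf[.]info can be scored before anyone has ever resolved it. Here is an added example of the lexical starting point for such a model; it is not Cisco's code and not Umbrella's models. The features (length, vowel ratio, longest consonant run), the weights and the 0.5 threshold are constructed for illustration, and the registrable-label extraction deliberately ignores multi-part public suffixes.

```python
"""Added example (not Cisco's code): a hand-written lexical scorer for DGA-looking
domain names. Weights and threshold are constructed for illustration and are
not Umbrella's models; a production model would add registration age, query
volume, co-hosting and many more features on top of these.
"""
VOWELS = set("aeiou")
THRESHOLD = 0.5          # constructed cut-off for the constructed score below


def registrable_label(fqdn):
    """Label left of the TLD, e.g. 'jbrktqnxklmuf' for 'jbrktqnxklmuf[.]info'.
    Accepts defanged names. Simplification: treats the last label as the whole
    public suffix, so 'example.co.uk' would score 'co'; use a PSL in production."""
    labels = fqdn.lower().replace("[.]", ".").strip(".").split(".")
    if len(labels) < 2 or not all(labels):
        raise ValueError(f"not a fully qualified name: {fqdn!r}")
    return labels[-2]


def lexical_features(label):
    """Length, vowel ratio and longest run of non-vowel alphanumerics (digits count as consonants)."""
    vowels = sum(c in VOWELS for c in label)
    run = longest = 0
    for c in label:
        if c.isalnum() and c not in VOWELS:
            run += 1
            longest = max(longest, run)
        else:
            run = 0
    return {"length": len(label), "vowel_ratio": vowels / len(label), "consonant_run": longest}


def dga_score(label):
    """Weighted sum in [0, 1]: long consonant runs weigh most, then vowel scarcity, then length."""
    f = lexical_features(label)
    run_term = min(f["consonant_run"] / 8, 1.0)            # 8+ consecutive consonants saturates
    vowel_term = 1.0 - min(f["vowel_ratio"] / 0.4, 1.0)    # 40 % vowels or more reads as a word
    length_term = min(f["length"] / 20, 1.0)
    return round(0.5 * run_term + 0.3 * vowel_term + 0.2 * length_term, 3)


def classify(fqdn):
    """Return (verdict, score) for one FQDN."""
    score = dga_score(registrable_label(fqdn))
    return ("dga-like" if score >= THRESHOLD else "benign-like"), score


def triage(fqdns):
    """Score a batch and return the DGA-like names, highest score first."""
    scored = [(name, *classify(name)) for name in fqdns]
    return sorted(((n, s) for n, v, s in scored if v == "dga-like"), key=lambda t: t[1], reverse=True)


if __name__ == "__main__":
    sample = ["jbrktqnxklmuf[.]info", "mhrbuvcvhjakbisd[.]xyz", "ccerberhhyed5frqa[.]8211fr[.]top",
              "www.cisco.com", "salesforce.com", "rackspace.com", "office.com"]
    for name in sample:
        print(f"{name:36} {classify(name)}")
```

Two things the scores make visible: a bare lexical model is easy to evade with dictionary-word DGAs (which is why real models lean on query patterns and registration data as well), and short benign labels such as "www" would mis-score if the whole hostname were scored instead of the registrable label, which is why the extraction step matters.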
Visualizing attacker infrastructure
(graph figure centred on AS197569 and 91.223.89.201)
Package Umbrella and Investigate

Cisco Umbrella

Cisco Investigate

Product demo

Cisco Cloud Security
Covers users, data and apps across SaaS / PaaS / IaaS:
• Umbrella: Secure Internet Gateway. Secure access to the internet wherever users go, even off VPN.
• Umbrella Investigate: threat intelligence. View relationships between malware, domains, and IPs across the internet.
• Cloudlock: Cloud Access Security Broker. Secure users, data, and apps across SaaS, PaaS, and IaaS.
Easiest security product you'll ever deploy
1. Sign up for Umbrella
2. Point your DNS
3. Done: start blocking in minutes
Conclusions

What’s Cisco Umbrella?

What's Cisco Investigate?

