
Cisco Umbrella

First line of defense for threats on the internet

Alonso Sal y Rosas
Systems Engineer
March 2020

Agenda
• Challenges
• Introducing Cisco Umbrella
• Ransomware example
• Package Umbrella and Investigate
• Product demo
How IT was built
Internet
• Critical infrastructure
• Business apps
• Workplace desktops

The way we work has changed
Internet
• Critical infrastructure: Amazon, Rackspace, Windows Azure, etc.
• Business apps: Salesforce, Office 365, G Suite, etc.
• Workplace desktops
• Roaming laptops
• Branch office
Users and apps have adopted the cloud, security must too
• 49% of the workforce is mobile
• 82% admit to not using the VPN
• 70% increase in SaaS usage
• 70% of branch offices have DIA
Security controls must shift to the cloud
Introducing Cisco Umbrella

Cisco Umbrella
Cloud security platform
• Built into the foundation of the internet
• Intelligence to see attacks before launched
• Visibility and protection everywhere
• Enterprise-wide deployment in minutes
• Integrations to amplify existing investments
Blocks malware, C2 callbacks and phishing
DNS resolver: 208.67.222.222
Where does Umbrella fit?
(Figure: Umbrella sits in front of the existing stack of NGFW, Netflow, proxy, sandbox, router/UTM and endpoint AV at HQ, branch and roaming locations, blocking malware, C2 callbacks and phishing.)

Benefits
• First line: block malware before it hits the enterprise
• Contains malware if already inside
• Internet access is faster
• Provision globally in minutes
It all starts with DNS

DNS = Domain Name System (e.g. Cisco.com resolves to 72.163.4.161)
• First step in connecting to the internet
• Precedes file execution and IP connection
• Used by all devices
• Port agnostic
Built into the foundation of the internet

Umbrella provides: Safe Blocked


request request
Connection for safe requests
Prevention for user and malware-
initiated connections
Proxy inspection for risky domains
Intelligent proxy Requests for “risky” domains

Cisco Talos feeds


Cisco WBRS
URL inspection
Partner feeds
Custom URL block list

AV Engines
File inspection
Cisco AMP
Prevents connections before and during the attack

Web and email-based infection
• Malvertising / exploit kit
• Phishing / web link
• Watering hole compromise

Command and control callback
• Malicious payload drop
• Encryption keys
• Updated instructions

Stop data exfiltration and ransomware encryption


Malware doesn’t just happen
Intelligence to see attacks before launched

Build. Test. Launch. Repeat.
• Attack 1: ransomware, web server, email delivery, domain/IP
• Attack 2: malware, web server, malvertising, domain/IP
Our view of the internet
• 150B requests per day
• 90M daily active users
• 15K enterprise customers
• 160+ countries worldwide
Intelligence to see attacks before launched

Data
§ Cisco Talos feed of malicious domains
§ Umbrella DNS data: 150B requests per day

Security researchers
§ Industry-renowned researchers
§ Build models that can automatically classify and score domains and IPs

Models
§ Dozens of models continuously analyze millions of live events per second
§ Automatically uncover malware, ransomware, and other threats
Our efficacy
• Discover: 3M+ daily new domain names
• Identify: 60K+ daily malicious destinations
• Enforce: 7M+ malicious destinations while resolving DNS
Visibility and protection for all activity, anywhere
• ON-NETWORK: any device on your network (HQ, branch, all office locations, IoT)
• OFF-NETWORK: roaming laptops, mobile
Every port and protocol


Allowed, blocked, and proxied
traffic per device or network

IDENTITY REPORTS

Quickly spot and


remediate victims

Top activity and categories


per device or network
Local vs. global trends
for malicious domains

DESTINATION REPORTS

Quickly assess
extent of exposure

Top identities associated


with malicious activity
Umbrella App Discovery and Blocking
Solve the three biggest challenges related to shadow IT
• Visibility
• App and risk insight
• Optimization and blocking
Integrations to amplify existing security
Block malicious domains from partner or custom systems

YOUR CURRENT SECURITY STACK (sends IOCs to Umbrella)
• Threat analysis feed: AMP Threat Grid + others
• Appliance-based detection: + others
• Threat intelligence platform: + others
• Cloud Access Security Broker: Cloudlock + others
• Custom integrations: Python script, Bro, IPS + others

What sets Umbrella apart from competitors
• Fastest and most reliable cloud infrastructure
• Broadest coverage of malicious destinations and files
• Most open platform for integration
• Easiest connect-to-cloud deployment
• Most predictive intelligence to stop threats earlier
Ransomware example
Ransomware: mapping attacker infrastructure

Investigate association pivots:
• Domain → IP
• Network → IP
• IP → Sample
• IP → Domain
• IP → Network
• WHOIS

Locky: *.7asel7[.]top
• Aug 17: detected by Umbrella; Sep 12: attributed to Locky (26 days later)
• Domain → IP association: 185.101.218.206, 91.223.89.201
• IP → Domain association: 1,000+ DGA domains, e.g. ccerberhhyed5frqa[.]8211fr[.]top
• IP → Sample association: 600+ Threat Grid files (Cerber), e.g. SHA256: 0c9c328eb66672ef1b84475258b4999d6df008 (hash shown truncated on the slide)
• IP → Network association: AS 197569

Locky DGA: jbrktqnxklmuf[.]info
• Jul 14: detected by Umbrella, the same day the domain was registered; Jul 21: attributed to Locky (7 days later)
• Network → Domain association

Locky DGA: mhrbuvcvhjakbisd[.]xyz
• Jul 18: detected by Umbrella; Jul 22: domain registered (4 days later); Aug 21: attributed to Locky (26 days later)
• Threat detected before the domain was registered.

Visualizing attacker infrastructure
(Graph of AS197569 and 91.223.89.201 with their associated domains and samples.)
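An added example, not from the Cisco deck, showing the pivot logic of the slide above (Domain → IP → Domain / Network) over a constructed passive-DNS-style dataset; the resolutions, ASN map and dates are constructed, and the year is not on the slide.

```python
# Added example: infrastructure pivoting over constructed domain/IP/ASN records,
# in the spirit of the Investigate associations shown on the slide.
from collections import defaultdict
from datetime import date

# Constructed sample data (indicators mirror the slide; resolutions are invented).
RESOLUTIONS = [  # (domain, ip) pairs as a passive-DNS log would record them
    ("7asel7[.]top", "185.101.218.206"),
    ("7asel7[.]top", "91.223.89.201"),
    ("ccerberhhyed5frqa[.]8211fr[.]top", "91.223.89.201"),
    ("jbrktqnxklmuf[.]info", "91.223.89.201"),
    ("example.com", "93.184.216.34"),
]
IP_TO_ASN = {"185.101.218.206": 197569, "91.223.89.201": 197569, "93.184.216.34": 15133}


def build_index(resolutions):
    """Forward (domain -> ips) and reverse (ip -> domains) maps for pivoting."""
    d2i, i2d = defaultdict(set), defaultdict(set)
    for dom, ip in resolutions:
        d2i[dom].add(ip)
        i2d[ip].add(dom)
    return d2i, i2d


def pivot_from_domain(seed, resolutions=RESOLUTIONS, asn_map=IP_TO_ASN):
    """Domain -> IP -> Domain / Network: everything co-hosted with the seed domain."""
    d2i, i2d = build_index(resolutions)
    ips = d2i.get(seed, set())
    related = set().union(*(i2d[ip] for ip in ips)) - {seed}
    asns = {asn_map[ip] for ip in ips if ip in asn_map}
    return {"ips": sorted(ips), "domains": sorted(related), "asns": sorted(asns)}


def detection_lead_days(detected_iso, registered_iso):
    """Days by which detection preceded registration (positive = blocked before registered)."""
    return (date.fromisoformat(registered_iso) - date.fromisoformat(detected_iso)).days


if __name__ == "__main__":
    print(pivot_from_domain("7asel7[.]top"))
    # Year below is constructed; the slide gives only Jul 18 -> Jul 22.
    print(detection_lead_days("2016-07-18", "2016-07-22"))
```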
Package Umbrella and Investigate
• Cisco Umbrella
• Cisco Investigate
• Product demo
Cisco Cloud Security
SaaS / PaaS / IaaS: users, data, apps
• Umbrella (Secure Internet Gateway): secure access to the internet wherever users go, even off VPN
• Umbrella Investigate (threat intelligence): view relationships between malware, domains, and IPs across the internet
• Cloudlock (Cloud Access Security Broker): secure users, data, and apps across SaaS, PaaS, and IaaS
Easiest security product you’ll ever deploy
1. Signup
2. Point your DNS to Umbrella
3. Done: start blocking in minutes
Conclusions
• What’s Cisco Umbrella?
• What’s Cisco Investigate?
