How Cisco Umbrella Works

Captions
Hello, and thank you for watching this technical training video for Cisco Umbrella. During this video we'll take a deep dive into the technical details of Umbrella, looking at the deployment scenarios and steps, policy management, reporting and logs, and we'll finish with integrations.

First, let's do a quick recap of the customer challenges and key differentiators of Cisco Umbrella. There are several major challenges that we hear from our customers. One: they're constantly dealing with malware and ransomware. Even though they have many security products deployed across their network and endpoints, attackers are still getting in, and their team is dealing with way too many malware infections. Two: they have gaps in visibility and coverage. Customers have more locations and devices to protect, and threats are using many different ports to try to gain access or exfiltrate data; they lack visibility into all Internet activity. Three: they need to secure cloud applications like Office 365 and Box and reduce the risk of data exfiltration. Their organization is using more cloud applications, some sanctioned, some unsanctioned; customers need to know which ones are being used, and they need to protect the data in those apps. And finally, number four: their existing security is difficult to manage. It doesn't scale well, it isn't reliable, and it won't integrate with other security investments. Customers need security that's easy to use and more effective. Security teams are often understaffed, and they need solutions that are easy to deploy, simple to manage, and can scale exponentially. And that's where Umbrella comes in.

Cisco Umbrella is a cloud security platform that provides the first line of defense against threats on the Internet wherever users go. By analyzing and learning from Internet activity patterns, Umbrella automatically uncovers attacker infrastructure staged for current and emerging threats, and it proactively blocks malicious requests before they reach a customer's network or endpoints. With Cisco Umbrella, customers can stop phishing and malware infections earlier, identify already infected devices faster, and prevent data exfiltration. Because Umbrella is built into the foundation of the Internet and delivered from the cloud, it provides complete visibility into Internet activity across all locations and users. Plus, it's one of the simplest security products to deploy and manage.

Cisco Umbrella is truly built into the foundation of the Internet. We have 25 data centers worldwide, and you can see the current status of all systems by visiting our website. We peer with over 500 of the top Internet service providers, or ISPs, and content delivery networks, or CDNs, to exchange BGP routes and ensure we're not adding more latency over regional DNS providers, and we've also maintained 100% uptime since our network went live in 2006. While it's nearly all automated, we have a 24/7 network operations center that monitors and manages our anycast IP routing and other protections to ensure 100% uptime. And even as the Internet population grows, we've been handling roughly 2% of the world's Internet activity for the past five years, which speaks to the scale that our network is able to handle. If you haven't done so already, please watch the training video for the Umbrella global network to understand more about its operation.

We ingest all of that information in real time into our massive graph database and then continuously run statistical models against it. This information is constantly analyzed by our research and response team as well, and using this combination of human intelligence and machine learning, we identify malicious sites, whether it's domains, URLs, IPs, or autonomous systems, all across the Internet. A few examples include the co-occurrence model, which identifies domains queried right before or after a given domain; this model helps to uncover domains linked to the same attack even if they're hosted on separate networks. The Spike Rank model recognizes when spikes in traffic to a domain match patterns seen with other attacks; for example, the traffic to one domain matches the request pattern seen with exploit kits, so we'll block the domain before the full attack launches. The predictive IP space monitoring model starts with the domains identified by the Spike Rank model, and it scores the steps attackers take to set up infrastructure, like the hosting provider, name server, IP, etc., to predict if they're malicious. This identifies other destinations that can be proactively blocked before an attack launches.

Let's move on to the technical details for Umbrella, starting with deployment scenarios. We'll cover how Umbrella can be deployed on-network and off-network.

Our first deployment scenario is for on-network protection. The simplest setup is using a DHCP server that is built into a router, switch, Wi-Fi access point, or firewall, or installed on a Windows server. DHCP is short for Dynamic Host Control Protocol, and with one minor edit, meaning if you change the DNS IP address to that of the Umbrella global network, which is 208.67.222.222, it will tell any device connected to a network to point DNS to Umbrella. But that works best if there are no internal domains, such as for printers or an intranet, that need to be resolved locally. Now if that's the case, then the customer will have a DNS server on the network, so now with one minor edit on the DNS server, all external DNS requests for Internet domains will be forwarded to Umbrella. But with both of these deployment scenarios, policy control and visibility is limited to the network's public-facing IP address. For more granularity we need a local presence. Our solution is to have lightweight DNS forwarders deployed as virtual appliances in VMware or Hyper-V. Using our DHCP method, we point all requests for internal and external domains first to our virtual appliances. The virtual appliance then forwards requests for internal domains to the existing local DNS servers. Before it forwards requests for Internet domains to Umbrella, it embeds the local IPs into RFC-compliant Extension Mechanisms for DNS, so that way we know which internal network requested it. All three deployments are completely transparent to users and devices.

So now that we have a local presence, we can also integrate with Active Directory to enforce by various AD objects. By running a one-time script on all domain controllers, they are registered with our cloud service, and then on just one domain controller or member we install our connector service, which performs two tasks. First, it continuously syncs the group memberships of users and computers with our cloud service, and second, the connector service views the local IP that users and computers authenticated from and sends those mappings to our virtual appliances. The virtual appliance can now embed a unique identifier that our cloud service will translate for control and visibility per AD user or computer.

For off-network coverage, if a customer uses Cisco AnyConnect, no additional endpoint client is needed; we'll talk more about that setup in a little bit. If a customer does not use AnyConnect, we have a lightweight client that works with any VPN client. It provides a way to identify which customer and device sent the DNS request. Additionally, the roaming client can be deployed as an alternative to our virtual appliances to get granular control and visibility of on-network laptops or desktops. It was really important that we designed this client to be as lightweight and transparent as possible so that it would not cause latency or performance issues for customers. This is possible because all security enforcement happens in the cloud. The Umbrella roaming client works very similarly to the virtual appliance: because it forwards requests for external Internet domains to Umbrella, we embed a unique identifier that matches the device's hostname, and it also encrypts the DNS request to prevent man-in-the-middle eavesdropping on public networks. Requests for internal domains are forwarded to the network's local DNS server. On Windows devices, the roaming client makes minor edits to the dotnet API registry file and WMI configuration, and for Mac, just the resolv.conf file is edited.

One method that attackers use is to simply hard-code IP addresses into the malware file instead of using DNS for command-and-control callbacks. While it's less common for malware to bypass DNS lookups, it does happen. Luckily, we do have a way to enforce at the IP layer as well as the DNS layer. So, leveraging the same roaming client, we continuously push down a list of about 50,000 suspect IPs that our researchers have observed payloads connect to without DNS lookups. Using the built-in OS network stack, the roaming client tells it to watch for these IP destinations. Normally this networking stack will just send safe traffic directly to the Internet, but when a rule is triggered, it tells our client to immediately add just this IP to the built-in IPsec VPN, which tunnels this one connection to our global network. We either block it right away based on the IP, or we can proxy the connection and block only bad URLs.

The last scenario is for off-network protection with the Cisco AnyConnect client. If your customer already uses Cisco AnyConnect, then they won't have any additional agents to deploy; they can simply enable a module on the AnyConnect agent and get protection from Umbrella even when the VPN is off. The first step is to point all DNS requests from any running app to 127.0.0.1, which is every device's home IP address. It does this using built-in OS operational parameters. It also learns from your Umbrella account which domain names are internal and should not be resolved off-network. The second step depends on whether a DNS request is for an Internet or internal domain name. For an Internet domain name, our client embeds a unique identity into the DNS request that matches the device's hostname; it also encrypts the DNS request to prevent man-in-the-middle eavesdropping on public networks. When our global network receives this DNS request, it checks our cache as well as your policy for this device for the proper response. If the destination is safe and adheres to your policy, we return the IP registered in the authoritative DNS record. If it is malicious or violates your policy, we return the IP address of the Umbrella block page servers, or even a custom IP address you own. And if the destination contains both safe and malicious web content, we return the IP of the Umbrella cloud-based proxies so we can intercept the connection and filter at the URL level. Alternatively, requests for internal domains are forwarded to the network's local DNS server without embedding the identity or encrypting the request, so we won't interfere with anyone's internal DNS servers.

Now that we've covered the deployment scenarios, let's quickly cover the steps customers take to deploy for their environment. We hear from our customers that Umbrella is the simplest security solution they've ever deployed; many state that it took less than 30 minutes to deploy enterprise-wide. So what does the setup entail? Step 1: find out where the public DNS server addresses are configured. Step 2: log on to the server or router where DNS is configured. Step 3: change the DNS server addresses. Then you'll go on to create your policies, but with those simple steps you'll be able to start protecting any device on your network.

As we covered a few minutes ago, for off-network coverage Umbrella has the option of a lightweight roaming client. So what does the setup of a roaming client entail? Step 1: navigate to the Roaming Computers section of the Umbrella dashboard. Step 2: access the download links for the Mac and Windows versions of the agent. Now, these are unique to each organization, so they shouldn't be distributed. Step 3: install onto users' laptops. The roaming client can be manually installed for single machines or distributed for mass deployments using tools like Group Policy Objects, Apple Remote Desktop, or other tools for automated software installation.

Umbrella is now integrated with Cisco AnyConnect. If your customers use Cisco AnyConnect for VPN connectivity, they can enable the Umbrella Roaming Security module to protect their users even when the VPN is turned off, without adding another endpoint agent. So what does the setup for the roaming module entail? Well, if a customer already has the Umbrella roaming client deployed, they need to upgrade to AnyConnect version 4.3 or later with the Roaming Security module enabled. Now, this will automatically detect, copy registration from, and uninstall the standalone client. They are finished here; that is the only step. Now, if your customer does not have the roaming client, step one is to download the Umbrella Roaming Security module from the Umbrella dashboard management console. Then step two is to deploy AnyConnect version 4.3 or later with the Roaming Security module enabled.

Once up and running, customers use policies to control the level of protection for their deployment. Let's now look at policy management. All customers start with a default policy, which ensures that all identities within an organization receive a baseline level of protection. To create and apply company-specific policies, customers can use the policy wizard for step-by-step prompts and instructions. There are four steps required to both create and edit policies. Step 1: select identities to which the policy will be applied. Identities include networks, categories such as roaming computers, or, if integrated with Active Directory, users. Step 2: select policy settings. During this step, customers make block/allow selections for web content categories, security types, and domain lists. For content, Umbrella has more than 60 web filtering categories that customers can use to restrict access; for example, customers can block adult-related websites. For security policies, malware is blocked by default, but customers can determine if they want to block high-risk sites or enable our intelligent proxy or IP enforcement. For destination or domain lists, customers can add specific domains to block and allow. It is also important to note that customers can set policies for different users, and they can even configure different policies for when users are on or off the corporate network. For example, a customer might want to restrict access to gambling sites when on the network but doesn't care about that if they're off-network. Step 3: customize the block page. Customers can create one custom block page or several, per type of block page; as an alternative, customers can also redirect to a custom URL. Step 4: select logging preference. Customers can choose if they want full logging, security-only logging, or to disable logging.

Customers' policies can be very complicated, so before applying new or newly updated policies, customers can run simulations to check if they're set up to enforce the way they were intended. The Umbrella policy tester tool makes this possible, and it's a huge benefit for customers. To run a simulation, an identity and destination selection is required. The tester will then determine, based on the way policies are configured, whether the selected identity can reach the defined destination. This tool enables customers to gain more context prior to implementing or editing policies, plus it decreases the time to respond to future support issues because all of the information about the triggered policy will be provided in Umbrella.

The multi-org console is an add-on option for Umbrella and was designed for organizations with a centralized IT group or security team, or those responsible for multiple decentralized or partitioned organizations. The multi-org console eases the burden of administrating policies and reviewing reports. It gives an administrator the ability to manage more than one organization, or org, within a single instance of the Umbrella dashboard. Each organization stands on its own with its own Umbrella dashboard, but several settings can be shared between organizations, making management simple and easy. In addition, shared reports exist to help the global administrator decide on the actions to take.

Let's now spend a few minutes talking about reporting and logs. Umbrella displays data in real time in the reporting section of the Umbrella dashboard. It works similarly to Facebook or Twitter, in that if someone sends a DNS request, seconds later it is visible within a report, and then we layer on top of that our Internet-wide visibility. In addition to the out-of-the-box reports, customers can set filters for custom views, preview these reports, and share with email recipients. They can then schedule these to run every day, week, or month. They can also access information on who created and last modified a scheduled report, the last time it was sent, and the next time it will be sent.

Let's look now at a few report examples. First is a sneak peek of the identity report. As of November 2016, this functionality is currently in limited availability and will be generally available in the next couple of months. The identity reports enable customers to identify and review malicious Internet activity per device or network as it happens in real time across their organization. This helps to quickly spot and remediate potential victims. Specifically, customers can pivot into any identity, whether it's a network, computer, or user. They can also view top security destinations per identity, which can show what else this user might be infected with, and they can see top overall destinations, which can give insight into what else this user is doing. Like the identity reports, destination reports will also be available later in 2016. Destination reports enable a customer to investigate every malicious domain attempted to be accessed from their organization. Specifically, they see traffic volumes (how prevalent is this attack in my network?), global traffic percentage (is this attack targeted at me?), top identities (who has been infected that I might need to remediate?), and relevant policies (why is this being blocked?). For example, if your customer sees that Umbrella blocked a user from going to internetbadguys.com, they can view more detailed information like when the request happened, who it came from, why it was blocked, and more. With the local versus global data, they can assess the likelihood that they are facing a more targeted attack: has Umbrella seen other people going to internetbadguys.com, or are requests only coming from your customer? The cloud services report is available today. This report helps customers to uncover cloud services and Internet of Things, or IoT, devices being used within their organization; this helps them to effectively combat shadow IT. Specifically, they see total and newly seen cloud services, as well as cloud apps by classification and traffic volume.

When it comes to logs, another capability of Umbrella is the ability to export DNS logs to Amazon S3 for long-term storage. Umbrella will store logs for 30 days, and we have built an integration where you can export logs at regular intervals to Amazon S3. By using this, you can store logs for as long as needed and even export the logs from Amazon to a SIEM. For more details on how to export logs, you can check out our documentation. Many customers ask for this functionality because they want the ability to go back and review DNS logs when responding to an incident. For example, they may have a need to go back to research an incident that may have occurred two years ago, and this gives them the ability to retain logs as long as needed. It's easy to set up this integration too. Customers will be responsible for purchasing their own Amazon S3 instance. Once they have it, the first step is to create a new bucket, which is a container for objects stored in Amazon S3. In the Umbrella dashboard, they'll enter the name of their S3 bucket and then verify the connection. After that, you'll be able to start pushing DNS logs from Umbrella to Amazon S3. From there, customers can set up integration with a SIEM to either automatically or manually pull logs from the bucket. More details can be found in our product documentation and in a knowledge base article on our product support page.

Now in this last section, let's talk about our partner integrations. We currently have three types of integrations. For enforcement and visibility, we enable customers to extend threat detection offered by FireEye and other security appliances beyond their perimeter, and not just detect but also prevent. For example, customers may not be able to put a FireEye box at every branch location, but through our integration, customers can use Umbrella to enforce protection anywhere for threats detected by FireEye. Umbrella becomes a great way to expand protection from other security products your customers may already own. Umbrella can also integrate with threat intelligence platforms; you can think of them like databases that capture and correlate all of the customer's sources of threat intelligence, including vendors like Anomali. This intel can be sent to Umbrella so that customers can act on these indicators of compromise. Cisco AMP Threat Grid is another example: malicious domains uncovered by Threat Grid can be sent to Umbrella for enforcement. In addition to our pre-built partner integrations, customers have the ability to create up to 10 custom integrations between Umbrella and other in-house systems the customer has. It's easy to create custom scripts, and we have detailed documentation and knowledge base articles to help. Each integration allows custom scripts to automatically add or remove domains in a separate security category. The key thing to remember is that Umbrella is designed to be a more open platform, so you can help your customers integrate it into their existing security stack.

Well, that wraps up our discussion on the technical details behind Cisco Umbrella. Congratulations on completing this lesson. To continue your learning journey, we encourage you to explore the additional lessons in this course.
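The decision flow the video describes in two places (the three kinds of DNS answer a query can receive, and the policy tester that checks whether an identity can reach a destination under its on-network or off-network policy) as an added Python model; this is example code written for this page, not Umbrella's own engine, and the identities, domains, categories, evaluation order and addresses are all constructed assumptions.

```python
from dataclasses import dataclass
from ipaddress import IPv4Address
from typing import Optional

# Constructed addresses (RFC 5737 documentation ranges), not Umbrella's real ones.
BLOCK_PAGE_IP = IPv4Address("192.0.2.1")   # stands in for the block page servers
PROXY_IP = IPv4Address("192.0.2.2")        # stands in for the cloud-based proxies
INTERNAL_SUFFIXES = ("corp.example",)      # internal names: resolved locally, no policy

# Constructed destination intel: (content category, security verdict, registered IP).
DESTINATIONS = {
    "news.example.net":  ("news",     None,        IPv4Address("198.51.100.10")),
    "bets.example.net":  ("gambling", None,        IPv4Address("198.51.100.20")),
    "evil.example.net":  ("unknown",  "malware",   IPv4Address("198.51.100.30")),
    "shady.example.net": ("hosting",  "high_risk", IPv4Address("198.51.100.40")),
    "mixed.example.net": ("hosting",  "mixed",     IPv4Address("198.51.100.50")),
}

@dataclass
class Policy:
    name: str
    blocked_categories: frozenset = frozenset()   # web content categories to block
    block_high_risk: bool = False                 # optional security setting
    intelligent_proxy: bool = False               # send mixed destinations to the proxy
    allow_list: frozenset = frozenset()           # destination lists
    block_list: frozenset = frozenset()
    custom_block_ip: Optional[IPv4Address] = None # redirect blocks to an IP you own

DEFAULT = Policy("Default")   # baseline every identity gets: malware blocked, nothing else
POLICIES = {  # identity -> (on-network policy, off-network policy); hypothetical data
    "user:alice@corp.example": (
        Policy("Office", blocked_categories=frozenset({"gambling"}), block_high_risk=True,
               intelligent_proxy=True, allow_list=frozenset({"shady.example.net"})),
        Policy("Roaming", block_high_risk=True, intelligent_proxy=True),
    ),
    "network:branch-1": (
        Policy("Branch", block_list=frozenset({"news.example.net"}),
               custom_block_ip=IPv4Address("203.0.113.9")),
        DEFAULT,
    ),
}

@dataclass
class Verdict:
    action: str                  # "local", "allow", "block" or "proxy"
    policy: str                  # which policy fired (what the tester reports)
    reason: str
    answer: Optional[IPv4Address]  # the address the resolver would hand back

def evaluate(identity: str, on_network: bool, domain: str) -> Verdict:
    """Policy tester: pick the identity's policy, apply it, and derive the DNS answer."""
    if domain.endswith(INTERNAL_SUFFIXES):
        return Verdict("local", "-", "internal domain forwarded to local DNS", None)
    on_pol, off_pol = POLICIES.get(identity, (DEFAULT, DEFAULT))
    pol = on_pol if on_network else off_pol
    block_ip = pol.custom_block_ip or BLOCK_PAGE_IP
    category, security, real_ip = DESTINATIONS.get(domain, ("unknown", None, None))
    if domain in pol.allow_list:                 # assumed order: explicit allow wins
        return Verdict("allow", pol.name, "destination allow list", real_ip)
    if domain in pol.block_list:
        return Verdict("block", pol.name, "destination block list", block_ip)
    if security == "malware":                    # blocked by default in every policy
        return Verdict("block", pol.name, "security: malware", block_ip)
    if security == "high_risk" and pol.block_high_risk:
        return Verdict("block", pol.name, "security: high-risk site", block_ip)
    if security == "mixed" and pol.intelligent_proxy:  # filter at the URL level instead
        return Verdict("proxy", pol.name, "mixed content: intelligent proxy", PROXY_IP)
    if category in pol.blocked_categories:
        return Verdict("block", pol.name, f"content category: {category}", block_ip)
    return Verdict("allow", pol.name, "no rule matched", real_ip)
```

Running evaluate() for the same user on- and off-network on bets.example.net shows the gambling example from the video: blocked under the Office policy, allowed under the Roaming one.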
Info
Channel: Son Phan
Views: 73,753
Id: Gho3oKGiT2w
Length: 25min 37sec (1537 seconds)
Published: Tue Jun 20 2017