1 23-Feb-17 Cisco Live 2017 BRKSEC-1980


Page 4:

Gartner, “Predicts 2017: Network and Gateway Security”, December 2016

- Gartner predicts by 2018, the average company will have 25% of its corporate data traffic bypassing the network perimeter (up from 10% in 2016).

- Some industries are already there or surpassed this depending on how mobile your workforce is.

- And that means that if you rely on perimeter security alone, you’re only getting 75% protection—at best.

- People work wherever work needs to get done, and we need to make sure security does the same thing.

Page 5:

How IT was built:

- Going back a few years, most, if not all, infrastructure, applications, and desktops were behind the firewall.

- To work, employees went into an office location and logged into the network.

- Branch offices backhauled all traffic to headquarters.

Security focus:

- The focus from a security perspective was to secure your perimeter and endpoints.

- And by backhauling all traffic, branch offices would get the same security as corporate.

Changing landscape:

- But in the last few years the way we work has fundamentally changed a great deal.

Page 6:

- What has changed? More happens off-network.
  - There are more roaming users than ever.
  - There are more corporate-owned devices accessing the internet from other networks.

- Apps move to the cloud.
  - Users no longer need to connect to the corporate network to get work done – they use cloud apps like SFDC, Office 365 and others.
  - They don’t always turn on the VPN — which means they are more vulnerable and you lack visibility and protection.
  - A study by IDG found that 82% of workers admit to not using the VPN.

- Branch offices connect directly to the internet.
  - It’s very expensive to backhaul all traffic to the corporate network, so more branch offices are moving towards direct internet access.
  - In fact, Forrester found 70% of branch offices had some level of direct internet access.
  - While you save money by not backhauling the traffic, you lose the security protection.

Page 7:

It’s estimated that SaaS app usage will increase by 70% in the next 2 years. To save on bandwidth and related costs, branch offices no longer backhaul traffic to corporate, and instead connect directly to the internet. 70% of enterprise branch offices report direct internet access (DIA), and it’s estimated that an alarming 30% will be the target of entry for advanced attacks.

Page 14:

Security must evolve to address today’s challenges and protect the modern enterprise. It has to protect users wherever they work.

And, like infrastructure, apps, and data - it has to shift to the cloud.

Page 15:

A SIG provides safe access to the internet anywhere users go, even when they are off the VPN. Before you connect to any destination, a SIG acts as your secure onramp to the internet and provides the first line of defense and inspection. Regardless of where users are located or what they’re trying to connect to, traffic goes through the SIG first. Once the traffic gets to the SIG cloud platform, there are different types of inspection and policy enforcement that can happen. And as more security controls move to the cloud, a SIG provides a platform that future capabilities can be built upon.

Page 16:

Let’s look at how we built our SIG...

When developing Cisco’s SIG (Umbrella), we looked at the technology across the Cisco security portfolio and reimagined how the technology could be architected together. We started with the internet infrastructure from OpenDNS Umbrella as the foundation, and brought together capabilities from the CWS proxy and AMP.

And these products haven’t just been stitched together: we’ve reimagined how they can be delivered within Umbrella, so that they’re easy to use and able to deliver even more effective security.

Page 17:

- Cisco Umbrella is a cloud security platform that provides the first line of defense against threats on the internet wherever users go.

- By analyzing and learning from internet activity patterns, Umbrella automatically uncovers attacker infrastructure staged for current and emerging threats, and proactively blocks malicious requests before they reach a customer’s network or endpoints.

- This means that it is not necessary to proxy everything, leading to a much better user experience.

- With Cisco Umbrella, customers can stop phishing and malware infections earlier, identify already infected devices faster, and prevent data exfiltration.

- Because Umbrella is built into the foundation of the internet and delivered from the cloud, it provides complete visibility into internet activity across all locations and users.

- Plus it’s one of the simplest security products to deploy and manage.

Page 20:

For those not familiar with Umbrella, let’s start with some background information.

Cisco Umbrella comes from Cisco’s acquisition of OpenDNS, which happened in 2015. OpenDNS started in 2006 as a provider of a recursive DNS service with a mission of providing safer, faster internet browsing for business and home users.

In 2012, OpenDNS entered the enterprise security market with the launch of Umbrella —a cloud-delivered security service that protects users anywhere they go by enforcing security at the DNS layer.

In 2013, OpenDNS released a second security offering. This product resulted from customers asking for more information about why Umbrella blocked what it blocked. This second product, Investigate, is an interface or API providing access to our global threat intelligence.

Here is a more detailed list of the significant product milestones:

- June 2006 – Umbrella global network (with 100% uptime to today)
- July 2012 – v1 Umbrella virtual appliance (with AD integration)
- Nov 2012 – v1 Umbrella roaming client
- Feb 2013 – Umbrella statistical models (with new models released every few months)
- Nov 2013 – Umbrella Investigate Console
- Jan 2014 – v1 Umbrella intelligent proxy (mid-2013 beta)
- Feb 2014 – v1 Umbrella API (for partner intel enforcement)
- May 2015 – v2 Umbrella API (for customer intel enforcement)
- July 2015 – Umbrella Investigate API
- Oct 2015 – v2 Umbrella roaming client (with IP-layer enforcement)
- Oct 2015 – v3 Umbrella API (enables agile integrations with network devices such as with ISR4K and Aironet wireless APs)
- May 2016 – v2 Umbrella intelligent proxy (with SSL decryption)
- July 2016 – v3 Umbrella roaming module integrated in Cisco AnyConnect
- Feb 2017 – v3 Umbrella intelligent proxy (with file inspection & custom URL lists)

Page 21:

OpenDNS company milestones leading up to the acquisition were tracked on this page: https://www.opendns.com/about/company-history/.

The other half of Umbrella comes from Cisco’s acquisition of ScanSafe. ScanSafe was founded in 1999 and in 2004 launched the first cloud-based web security proxy. ScanSafe was the pioneer in cloud-based web security.

In 2009 Cisco acquired ScanSafe and further invested in the cloud platform and integrated the service into Cisco infrastructure and platforms such as ISR G2 routers, ASA firewalls, the AnyConnect roaming client, WSA appliances and virtual appliances, and recently also with the ISR 4K series.

ScanSafe was rebranded by Cisco as CWS, Cloud Web Security.

CWS is fully integrated with various engines from Cisco’s Talos, including AMP, Web Reputation, Application Visibility & Control (AVC), and Cognitive Threat Analytics (CTA).

In November 2016, OpenDNS Umbrella was rebranded to Cisco Umbrella, and now Umbrella is enhanced with an intelligent proxy for deeper inspection.

Umbrella and CWS are still separate products that can complement each other, but over time Umbrella will be Cisco’s sole offering, filling the position of a Secure Internet Gateway enforcing at the DNS layer as the first line of defence, with an integrated intelligent proxy for advanced capabilities.

Today the OpenDNS brand is still available, but only for the consumer market.

Page 22:

- Consider the analogy of a phone book.

- First there’s the domain registrar—this is where domain names are registered. The domain registrar—for example Go Daddy—will record and map the domain name to IP address—the same way you’d record names and phone numbers in a phone book.

- Authoritative DNS owns and publishes the “phone books.”

- Then recursive DNS services, like Umbrella, look up the numbers for each name.

- Think about when you go to your contact list on your phone to call someone…you look up their name because you don’t memorize everyone’s phone numbers.

Page 23:

- Most people and companies leave their DNS resolution up to their ISP.

- Larger organizations may need to deal with multiple ISPs as each of their offices connects directly to the internet.

- Some companies try to address this issue by deploying a VPN, but employees often forget the VPN or turn it off because of performance issues.

- Working with multiple ISPs for DNS resolution means that your DNS logs will be in different formats.

- Another issue is that ISPs simply resolve DNS requests without offering any visibility or network protection.

Page 24:

- Using Umbrella to resolve all external DNS requests allows our customers to see all their internet activity from all their locations and networks globally.

- Because our security solution operates at the DNS layer using existing Internet infrastructure, we can offer network security with zero added latency.

- Executing security at the DNS layer also enables consistent policy enforcement and allows our customers to see which cloud applications are being used on their networks.

Page 25:

- With DNS resolution, we can make many threat discoveries.

- First, any device will send a DNS request to Cisco Umbrella.

- We analyze the request patterns to detect many types of threats and anomalies.

- For example, we can determine if a system is compromised based on the types of requests it’s making. If a device is making requests to a number of known-bad domains, it’s more likely to be compromised.

- The user request patterns across our user base give us great insight into potential threats.

- In the second part of the process, if our global cache doesn’t contain a non-expired response to the request, then we recursively contact all of the name servers that are authoritative for the domain requested.

- This process gathers authoritative logs for virtually every domain daily, which we use to find newly staged infrastructures and other types of anomalies.

Page 26:

- Think about where you enforce security today.

- You probably have a range of products deployed at your corporate headquarters and branch offices, or on roaming laptops.

- What we hear from customers like you is that despite the existing security products deployed — everything from firewalls to web proxies to email security to endpoint products — they are still dealing with too many malware infections and phishing attacks.

- There are many ways that malware can get in, which is why it’s important to have multiple layers of security.

Umbrella + DNS:

- Umbrella can be the first line of defense against threats by preventing devices from connecting to malicious or likely malicious sites in the first place—which significantly reduces the chance of malware getting to your network or endpoints.

- Umbrella uses DNS as one of the main mechanisms to get traffic to our cloud platform, and then uses it to enforce security too.

- DNS is a foundational component of how the internet works and is used by every device in the network.

- Way before a malware file is downloaded or before an IP connection over any port or any protocol is even established, there’s a DNS request.

Page 27:

- Our view of the internet is like no other security provider.

- The Umbrella global network includes 25 datacenters around the world that resolve over 100 billion DNS requests from more than 85 million users across over 160 countries every day.

- We peer with over 500 of the top ISPs and Content Delivery Networks to exchange BGP routes and ensure we’re routing requests efficiently and not adding any latency over regional DNS providers.

- So not only do we have a massive amount of data, but perhaps more importantly, a very diverse data set. It’s not just from one geography or one protocol.

- This diversity enables Umbrella to offer unprecedented insight into staged and launched attacks – learning where the threats are coming from, who is launching them, where they are going to, how wide the net of the attack is, and more.

- This data acts as the foundation for our many statistical models.

Page 28:

- Umbrella provides enforcement without delay.

- Umbrella uses DNS to enforce security, but how does this work?

- When Umbrella receives a DNS request, it first identifies which customer the request came from, and which policy to apply.

- Next, Umbrella determines if the request is: (A) safe or whitelisted, (B) malicious or blacklisted, or (C) risky or unknown.

- For:
  (A) Safe requests, we route the connection as usual, and
  (B) Malicious requests, we route the connection to a block page
  (C) Unknown or risky requests, we route the connection to our cloud-based proxy for deeper inspection

- Additionally, all requests are logged globally and immediately visible for your security teams to take action.

Proxy:

- It’s important to note that traditional web proxies examine all internet requests, which adds latency and complexity for their users.

- But because Umbrella sends only the partially malicious or suspicious domains for review, users don’t experience the same performance issues.
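The three-way decision described above, together with the page 25 heuristic (a device querying several known-bad domains is more likely compromised), as an added simulation that is not Umbrella's code: the customer egress ranges, list contents, block-page and proxy addresses and the replayed queries are all constructed, and checking the blacklist before the whitelist is an assumption the notes leave open.

```python
"""Simulation of DNS-layer enforcement plus per-device scoring.

Constructed example, not Umbrella code. The tenant table, list contents,
block-page/proxy addresses and the log it produces are made up; the
precedence blacklist > whitelist > risky is an assumption.
"""
import ipaddress
from collections import defaultdict

# Hypothetical tenants keyed by their egress networks (constructed values).
CUSTOMERS = {
    "acme": {
        "egress": [ipaddress.ip_network("203.0.113.0/24")],
        "whitelist": {"salesforce.com", "office.com"},
        "blacklist": {"evil-c2.example", "ransom-keys.example"},
        "risky": {"newly-seen.example"},
    },
}
BLOCK_PAGE_IP = "192.0.2.10"  # constructed: where malicious names resolve to
PROXY_IP = "192.0.2.20"       # constructed: the cloud proxy for risky names


def domain_matches(qname, domains):
    """True if qname equals or is a subdomain of any listed domain."""
    q = qname.lower().rstrip(".")
    return any(q == d or q.endswith("." + d) for d in domains)


def identify_customer(src_ip):
    """Step 1 on the page: map the egress IP of a query to a customer policy."""
    ip = ipaddress.ip_address(src_ip)
    for name, pol in CUSTOMERS.items():
        if any(ip in net for net in pol["egress"]):
            return name, pol
    return None, None


def enforce(src_ip, device, qname, real_answer, log):
    """Steps 2-3: classify the request, log it, return (verdict, answer sent).

    `device` stands in for the internal identity a VA or roaming client would
    attach; `real_answer` is what upstream resolution would have returned.
    """
    customer, pol = identify_customer(src_ip)
    if pol is None:  # not a tenant: the page says nothing, so just resolve
        verdict, answer = "no-policy", real_answer
    elif domain_matches(qname, pol["blacklist"]):
        verdict, answer = "malicious", BLOCK_PAGE_IP  # (B) block page
    elif domain_matches(qname, pol["whitelist"]):
        verdict, answer = "safe", real_answer         # (A) route as usual
    elif domain_matches(qname, pol["risky"]):
        verdict, answer = "risky", PROXY_IP           # (C) hand to the proxy
    else:
        verdict, answer = "safe", real_answer
    log.append({"customer": customer, "device": device,
                "qname": qname, "verdict": verdict})
    return verdict, answer


def likely_compromised(log, min_bad=3):
    """Page 25 heuristic: devices that queried >= min_bad distinct blocked names."""
    bad = defaultdict(set)
    for entry in log:
        if entry["verdict"] == "malicious":
            bad[(entry["customer"], entry["device"])].add(entry["qname"])
    return {key: sorted(names) for key, names in bad.items()
            if len(names) >= min_bad}


def run_demo():
    """Replay a constructed burst of queries and return the flagged devices."""
    log = []
    queries = [  # (egress IP, internal device, name, upstream answer), all made up
        ("203.0.113.5", "10.0.0.7", "www.salesforce.com", "198.51.100.1"),
        ("203.0.113.5", "10.0.0.7", "beacon.evil-c2.example", "198.51.100.2"),
        ("203.0.113.5", "10.0.0.7", "evil-c2.example", "198.51.100.2"),
        ("203.0.113.5", "10.0.0.7", "keys.ransom-keys.example", "198.51.100.3"),
        ("203.0.113.5", "10.0.0.8", "beacon.evil-c2.example", "198.51.100.2"),
        ("203.0.113.5", "10.0.0.8", "newly-seen.example", "198.51.100.4"),
    ]
    for q in queries:
        enforce(*q, log)
    return likely_compromised(log)


if __name__ == "__main__":
    print(run_demo())  # the one device that hit three distinct blocked names
```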

Page 29:

- Umbrella not only protects against initial infection.

- Umbrella also prevents command and control callbacks (aka C2 callbacks).

- So even if devices become infected in other ways, Umbrella blocks the communication to an attacker’s server, stopping data exfiltration or the download of ransomware encryption keys.

- C2 callbacks are blocked using the same DNS enforcement process described a moment ago.

- And in the event that the malicious payload is designed to bypass DNS and use a direct-to-IP connection, Umbrella goes beyond DNS to provide malicious IP blocking and enforcement.

Page 30:

Often malware will use command and control (C2) callbacks to communicate with the attacker for additional instructions or to exfiltrate data.

In research done by Lancope (also now part of Cisco), they found that 15% of C2 callbacks bypass web ports, the ports covered by traditional web security systems. Lancope analyzed millions of unique malware samples from small office LANs for over 2 years.

- They found that 15% of command & control callbacks, which are commonly used to exfiltrate data, bypass web ports.

- Additionally, when Mandiant released their APT1 report, about half of the samples analyzed relied on non-web C2.

- And some of the most damaging botnet infrastructures responsible for ransomware and bank trojans, dubbed “Gameover Zeus”, “Tinba”, “Kelihos” and dozens of others bypassed ports 80 & 443.

So you most likely have a gap in coverage if you’re only relying on your SWG or perimeter security. Add to this the fact that many such solutions depend on PAC files or other enforcement methods that limit their control to browser-based traffic, or other traffic that may follow the browser’s proxy settings.

Cisco conducted additional research that found 91% of C2 callbacks relied on DNS. So by using Umbrella, you’d have the ability to block the vast majority of those C2 callbacks.

Page 31:

So what about the other 9%? Umbrella can also block direct IP connections and even proxy traffic to block specific URLs.

Page 32:

Let’s peek inside the cloud platform.

It started off rather simple: dashboard changes were pushed out to all resolvers in a few minutes via our central brain, and activity logs were returned in a few seconds.

Then, we built a world-class intelligence database that combines Talos, Umbrella statistical models and partner feeds. And customers can complement our intel with their own security stacks.

But sometimes we can’t simply allow or block everything behind a domain or IP without creating false positives or negatives. So our resolvers point traffic for risky sites through our intelligent proxy for deeper inspection.

What’s new as of this launch, is how Cisco’s Advanced Malware Protection (AMP) as well as AV engines are seamlessly integrated within Umbrella’s proxy.

Page 33:

Umbrella provides visibility and protection for all of your internet traffic.

Specifically:

- Umbrella provides the visibility needed to protect internet access across all office locations, all devices on your network, and roaming laptops.

- Umbrella provides visibility into sanctioned and unsanctioned cloud services, so you can uncover new services being used, see who is using them, and identify potential risk.

- As attackers try to infiltrate networks with different tactics, Umbrella also provides coverage and visibility for all ports.

- As the internet moves towards HTTPS, more destinations will require SSL decryption to effectively see and block. Umbrella provides visibility and protection for HTTPS destinations, without adding latency.

Page 34:

- This matrix lays out which features are included in each package.

- There are 5 packages available for Umbrella.

- The first two, Roaming and Branch, are designed to be entry level, while Professional, Insights and Platform are the core offers.

- Looking first at the Roaming package. It is an entry level package of Umbrella that provides protection when the VPN is off. Customers can leverage the built-in Cisco AnyConnect integration or deploy a standalone client.

- Branch is another entry level package for the Cisco Integrated Services Routers (ISR) 4K series that provides protection for guests and corporate users at branch offices. It is important to note that this package offers only on-network coverage.

- Looking now at the core packages, the first is Professional which includes the base level functionality of Umbrella such as content filtering, reporting, and both on/off network coverage.

- Next is Insights, the most popular option, which includes the functionality available in Professional as well as Active Directory integration, user-based policies, the ability to retain logs forever, and more reporting options.

- Lastly, Platform, Umbrella’s high-end package, includes all of the features and functionality from Insights as well as an API for pre-built and custom integrations and access to the Investigate web console for deeper context during investigations.

- It’s important to understand that customers can only purchase one package, but they can always upgrade to get additional functionality.

Page 36:

- When you connect to a cloud security platform, performance is critical. It cannot break or slow down your internet connection.

- We have 25 data centers worldwide that are co-located with the top IXPs on every continent where we have a presence.

- IXPs or Internet Exchange Points are locations where organizations either physically or virtually connect their routers to exchange data.

- https://www.opendns.com/data-center-locations/

Page 37:

CWS datacenters are also on the backbone of the internet.

http://servicestatus.sco.cisco.com/status

Page 38:

- At those exchange points, we exchange BGP route data with major ISPs and content delivery networks.

- Through our presence at the internet exchange points, we’ve established over 500 relationships with ISPs and other networks, as well as over 2,000 peering sessions.

- Those peering relationships allow us to resolve DNS requests faster. Each peer effectively offers a shortcut for traffic to take through the thousands of ISPs that make up the topology of the Internet.

- For this reason, Umbrella will not add latency compared to your current service provider or local server, and many customers even experience a little boost to their internet speed.

- This is important because typically, when you add more security, you also have to add (1) more hardware to your network, (2) more software to your endpoints, and (3) more gateways to your internet connection.

- But not with Umbrella - you already rely on recursive DNS services to connect to the internet, and our cloud security platform simply builds in a more reliable and faster alternative.

- Plus, it’s smarter, due to storing the response to 85+ million users’ daily internet requests, and for most safe destinations, responding back immediately.

- Even when the authoritative name servers go down, such as during the recent DDoS against Dyn in October 2016, we leverage a technology called SmartCache to resolve the last known IP address for the domain.

Page 39:

- If you are asking “How fast is your DNS resolution?”, in 2015 we received 3rd party validation of our DNS resolution speed in the form of a blog post.

- A Microsoft Engineer (from their internet operations team) conducted an unsolicited test using Thousand Eyes software comparing resolution speeds of top public recursive DNS providers around the globe.

- Thousand Eyes is a company that monitors Internet performance for large enterprises.

- According to the results, Umbrella DNS is the fastest public provider in North America, and amongst the top 5 fastest in Europe.

Page 40:

- We’ve discussed the speed of the Cisco Umbrella global network, but what about reliability?

- You never have downtime when we update our platform or datacenters go offline for any reason. We’re not forcing you to set up static routes to a primary and backup datacenter per office like many vendors’ clouds.

- Our anycast IP routing system plays a large role in our reliability.

- All of our datacenters advertise the same IP address.

- For example, if a customer has offices in Berlin, London and Paris, they point their traffic to the Umbrella IP address and requests are transparently sent to the fastest available location. As shown here, traffic from the Berlin office would be automatically sent to our Berlin datacenter versus the London datacenter.

- This differs from many services providers that use traditional unicast routing which means that they have a unique IP address for each of their datacenters.

- Customers of those vendors would need to select the datacenter closest to each location and route their traffic to each separate IP address.

Page 41:

- Umbrella has had 100% uptime since its inception in 2006.

- This is in large part due to automated re-routing made possible by our Anycast routing system.

- With the same example from before, if our Berlin datacenter went offline for any reason – maintenance, scheduled downtime, etc. – requests would be automatically sent to the next fastest available location, for example London.

- With a traditional unicast system, if a datacenter went offline, the customer would need to identify the closest location and reroute their traffic manually.

Page 42:

- Umbrella is also one of the simplest solutions to deploy and manage.

- Because Umbrella is delivered from the cloud, there is no hardware to install or software to manually update, and the browser-based interface provides quick setup and ongoing management.

- Many customers deploy enterprise wide in less than 30 minutes.

Page 43:

Here’s how identities are made available through various existing and new Umbrella deployments.

For every deployment, we’ll always know the egress IP if you’d like to provision your networks as an identity in your policies. But for greater granularity, we offer both our own stand-alone endpoint and network footprints as well as integrations with Cisco’s and many customers’ existing footprints.

Page 44:

Umbrella also has pre-built integrations with the Cisco ISR-4K series, already deployed across thousands of customers’ networks, and now also WLAN device footprints.

Using an RFC-compliant mechanism for DNS, we can securely embed VLAN identities within an EDNS query that is automatically forwarded to the Umbrella global network. This way you can set different policies for servers vs. workstations or employee vs. guest wi-fi, even when it’s the same network egress IP or network device originating the query.

Best of all, using a single ISR script or WLAN controller, you can provision thousands of network devices to protect all your branch office and wi-fi users in a matter of minutes.

Page 45:

For on-network coverage:

- Update the settings of the DNS/DHCP servers in your network (or even wireless access points) to point your internet traffic to Umbrella, and every device on that network is protected.

- You can protect all devices – even those you don’t own – by changing one setting in your network server, access point or router.

DHCP is short for Dynamic Host Configuration Protocol. With one minor edit, meaning if you change the DNS IP address to that of the Umbrella global network (208.67.222.222), it will tell any device connected to the network to point DNS to Umbrella. But that works best if there are no internal domains, such as for printers or intranets, that need to be resolved locally. If that’s the case, then the customer will have a DNS server on the network.

Page 46:

This requires only a simple edit on the DNS server. It doesn’t matter what platform the DNS server is hosted on; this could even be a competing product. There is no conflict.

Page 47:

- VA (Virtual Appliance) is a lightweight DNS forwarder hosted on VMware or Hyper-V.

- Uses the DHCP method to point all requests for internal and external domains first to the VA, which forwards requests for internal domains to the existing local DNS servers.

- Before the VA forwards requests for Internet domains to Umbrella, it embeds the local IPs into RFC-compliant extension mechanisms for DNS, with details of the internal network IP address.

- As shown here, there cannot be NATing in place between users and the VA.

- Documentation for VA: https://support.umbrella.com/hc/en-us/sections/206618528-Virtual-Appliances-and-Internal-Networks-Setup

- VA Sizing Guide: https://support.umbrella.com/hc/en-us/articles/231266188-Virtual-Appliance-Sizing-Guide

Virtual Environment:

- VMware ESXi 4.1 update 2 and newer, or
- Windows Server 2008 R2 Server with the Hyper-V Role or Hyper-V Server 2008, or
- Windows Server 2012 (Standard or Datacenter), Windows Server 2012 SP1 (Standard or Datacenter) or Windows Server 2012 R2 (Standard or Datacenter) with Hyper-V role installed and configured

Number of dedicated CPU cores per Virtual Appliance: minimum of 1
Amount of memory per Virtual Appliance: 512MB minimum
Hard drive space per Virtual Appliance: 6.5GB
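The "RFC-compliant extension mechanism" the VA uses to carry the internal IP (and that page 44 uses for VLAN identities from an ISR or WLAN controller) is an EDNS0 OPT record, RFC 6891. The following is an added example, not Umbrella's code or wire format: it builds a DNS query whose OPT record carries the client's internal address under a hypothetical private-use option code, and parses it back the way an upstream resolver would. The option code 65001 and the one-byte-family-plus-address layout are assumptions; Umbrella's real option and layout are not on the page.

```python
"""Build and parse a DNS query carrying a client identity in an EDNS0 OPT RR.

Constructed example (not Umbrella's own code or wire format). RFC 6891
reserves option codes 65001-65534 for local/experimental use; 65001 is used
here as a hypothetical identity option, with data = 1 byte address family
(4 or 6) followed by the raw address bytes.
"""
import ipaddress
import struct

OPT_IDENTITY = 65001  # hypothetical private-use option code (assumption)
TYPE_OPT = 41
TYPE_A = 1
CLASS_IN = 1
UDP_PAYLOAD = 4096    # advertised in the OPT RR's CLASS field


def encode_name(name: str) -> bytes:
    """Encode a dotted hostname as DNS wire-format labels."""
    out = b""
    for label in name.rstrip(".").split("."):
        raw = label.encode("ascii")
        if not 0 < len(raw) < 64:
            raise ValueError("bad label length")
        out += struct.pack("!B", len(raw)) + raw
    return out + b"\x00"


def decode_name(buf: bytes, offset: int):
    """Decode labels at offset; plain queries carry no compression pointers."""
    labels = []
    while True:
        ln = buf[offset]
        offset += 1
        if ln == 0:
            return ".".join(labels), offset
        if ln & 0xC0:
            raise ValueError("compression pointer not expected in a query")
        labels.append(buf[offset:offset + ln].decode("ascii"))
        offset += ln


def build_query(qname: str, client_ip: str, txn_id: int = 0x1234) -> bytes:
    """What a forwarder would send upstream: an A query plus an OPT RR
    whose single option holds the originating client's internal IP."""
    addr = ipaddress.ip_address(client_ip)
    opt_data = struct.pack("!B", addr.version) + addr.packed
    option = struct.pack("!HH", OPT_IDENTITY, len(opt_data)) + opt_data
    # Header: ID, flags (RD set), QDCOUNT=1, ANCOUNT=0, NSCOUNT=0, ARCOUNT=1
    header = struct.pack("!HHHHHH", txn_id, 0x0100, 1, 0, 0, 1)
    question = encode_name(qname) + struct.pack("!HH", TYPE_A, CLASS_IN)
    # OPT RR: root name, TYPE=41, CLASS=UDP payload size,
    # TTL=extended RCODE/version/flags (all zero), RDLENGTH, RDATA=options
    opt_rr = b"\x00" + struct.pack("!HHIH", TYPE_OPT, UDP_PAYLOAD, 0,
                                   len(option)) + option
    return header + question + opt_rr


def parse_query(pkt: bytes) -> dict:
    """Resolver side: return qname/qtype and the embedded identity
    (client_ip is None when no OPT RR or no identity option is present)."""
    txn_id, _flags, qd, _an, _ns, ar = struct.unpack_from("!HHHHHH", pkt, 0)
    if qd != 1:
        raise ValueError("expected exactly one question")
    qname, off = decode_name(pkt, 12)
    qtype, _qclass = struct.unpack_from("!HH", pkt, off)
    off += 4
    result = {"id": txn_id, "qname": qname, "qtype": qtype, "client_ip": None}
    for _ in range(ar):  # walk the additional section looking for OPT
        _name, off = decode_name(pkt, off)
        rtype, _rclass, _ttl, rdlen = struct.unpack_from("!HHIH", pkt, off)
        off += 10
        rdata = pkt[off:off + rdlen]
        off += rdlen
        if rtype != TYPE_OPT:
            continue
        pos = 0
        while pos + 4 <= len(rdata):  # options are TLVs: code, length, data
            code, olen = struct.unpack_from("!HH", rdata, pos)
            pos += 4
            data = rdata[pos:pos + olen]
            pos += olen
            if code == OPT_IDENTITY and len(data) in (5, 17):
                result["client_ip"] = str(ipaddress.ip_address(data[1:]))
    return result


if __name__ == "__main__":
    print(parse_query(build_query("www.example.com", "10.20.30.40")))
```

Since any client can place an option in its own packets, the upstream side should honour the identity only on queries arriving from the forwarder it trusts (the VA, ISR or WLAN controller), which is the point at which the page says the identity is added.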

Page 48:

NOTE: Two instances of VA are required per site for high-availability and to support automatic updates. Customers can provision additional resources per VA instance or add VA instances in large network environments, at any time, with no extra fees. VAs do not store data persistently. So even if the VMware or Hyper-V hosts running the VAs suffered a catastrophe, no loss of unrecoverable data would occur.

Page 49:

- Now that there is a local presence through the Virtual Appliance, you can also integrate with Active Directory to enforce policy by various AD objects.

- By running a one-time script on all domain controllers, they are registered with the cloud service.

- Then, on only one Domain Controller or member server, the Connector service is installed, performing two tasks:
  - First, it continuously syncs the group memberships of users and computers with the cloud service.
  - Second, the Connector service reads the local IP that users and computers authenticated from and sends those mappings to the Virtual Appliances.

- The Virtual Appliance can now embed a unique identifier that the cloud service will translate for control and visibility per AD user or computer.

- Note that today, only a single domain is supported.

- What are the required permissions for the OpenDNS_Connector user? https://support.umbrella.com/hc/en-us/articles/230902488-Required-permissions-for-the-OpenDNS-Connector-user

- Which Windows Events/EventIDs is the Connector service looking for? https://support.umbrella.com/hc/en-us/articles/230902448-Which-Window-Events-EventIDs-is-the-Connector-service-looking-for-
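The two Connector tasks above (group sync and IP-to-user mapping) and the way a forwarder such as the VA would consume them, as an added example that is not Cisco's or the Connector's code. Users, groups, IPs and logon events are constructed sample data; the Windows EventIDs the real Connector reads are documented in the linked article and are not assumed here, and the eight-hour staleness bound is an assumption of this example.

```python
"""Added example (not Cisco's or the Connector's code): how domain-controller
logon events become an IP -> user mapping, and how a DNS forwarder such as the
VA would use it to tag a query with an AD identity.  Users, groups, IPs and
event records below are constructed sample data; the Windows EventIDs the real
Connector reads are not assumed here (see the linked support article)."""
from datetime import datetime, timedelta
from typing import Optional


class IdentityMap:
    """Latest authenticated user per source IP plus a group-membership cache."""

    def __init__(self, ttl_hours: int = 8):
        self.ip_to_user = {}                    # ip -> (user, time of last logon seen)
        self.groups = {}                        # user -> set of AD groups
        self.ttl = timedelta(hours=ttl_hours)   # assumed staleness bound (example choice)

    def sync_groups(self, directory: dict) -> None:
        """Task 1 of the Connector: mirror user -> group memberships."""
        self.groups = {user: set(groups) for user, groups in directory.items()}

    def ingest_logon(self, event: dict) -> None:
        """Task 2: record who authenticated from which IP.  A later logon from
        the same IP replaces the earlier one (DHCP leases move between hosts)."""
        self.ip_to_user[event["source_ip"]] = (event["user"], event["time"])

    def identity_for(self, ip: str, now: datetime) -> Optional[dict]:
        """Resolve a query source IP to an identity; None if unknown or stale."""
        entry = self.ip_to_user.get(ip)
        if entry is None:
            return None
        user, seen_at = entry
        if now - seen_at > self.ttl:
            return None     # do not attribute traffic to a logon that is too old
        return {"user": user, "groups": sorted(self.groups.get(user, ()))}


def tag_query(idmap: IdentityMap, query: dict, now: datetime) -> dict:
    """What the VA does before forwarding: attach the identity (or None)."""
    return {**query, "identity": idmap.identity_for(query["src_ip"], now)}


# Constructed directory snapshot and logon events (not real data).
DIRECTORY = {
    "CORP\\alice": ["Domain Users", "Finance"],
    "CORP\\bob": ["Domain Users", "Engineering"],
}
T0 = datetime(2017, 2, 23, 9, 0, 0)
LOGON_EVENTS = [
    {"time": T0, "user": "CORP\\alice", "source_ip": "10.1.1.20"},
    {"time": T0 + timedelta(minutes=5), "user": "CORP\\bob", "source_ip": "10.1.1.21"},
    # same IP re-used by alice later in the day: mapping must follow the latest logon
    {"time": T0 + timedelta(hours=2), "user": "CORP\\alice", "source_ip": "10.1.1.21"},
]


def demo() -> dict:
    """Build the map from the constructed events and tag three sample queries."""
    idmap = IdentityMap()
    idmap.sync_groups(DIRECTORY)
    for ev in LOGON_EVENTS:
        idmap.ingest_logon(ev)
    now = T0 + timedelta(hours=3)
    return {
        "fresh": tag_query(idmap, {"src_ip": "10.1.1.21", "qname": "intranet.corp.example"}, now),
        "unknown": tag_query(idmap, {"src_ip": "10.1.1.99", "qname": "www.example.com"}, now),
        "stale": tag_query(idmap, {"src_ip": "10.1.1.20", "qname": "www.example.com"},
                           now + timedelta(hours=12)),
    }
```

The staleness check matters for policy accuracy: without it, a query from a re-used DHCP address is attributed to whoever last logged on from it, which is also the caveat behind the single-domain limitation noted above (mappings from a second domain never reach the map).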

Page 50:

Off-network coverage:

- What about laptops connecting off network? If a customer uses Cisco AnyConnect, they simply enable the Umbrella roaming security module for protection anywhere, including when the VPN is off.

- Not a Cisco AnyConnect user? Umbrella’s lightweight, standalone agent works alongside any VPN and has been proven in over a million deployments. The roaming client is a virtual "bump-in-the-wire" for every internet connection. It is transparent to users and does not cause any latency or performance issues because the footprint is very small.

- Download the profile for the Umbrella Roaming module from the management console and apply it to all instances of the module.

1. You can create separate policies for off-network users or use a consistent policy for both on-network and off-network coverage. If separate policies are needed you can:

   1. Customize a block page for your users. If a threat is requested via a web browser, end users receive this page.

   2. Set sites that should never be blocked and always allowed.

2. View your daily, weekly, or monthly security events occurring off-network either in your inbox or our dashboard.

   1. Check if threats are trending up or down as well as the domains and laptops with the most security events.

   2. Respond to an incident by drilling into the full activity per domain or laptop.

All features of the AnyConnect client and the Umbrella roaming client are supported on both Windows and Mac OS X platforms.

Page 51:

- Umbrella’s lightweight, standalone agent works with any VPN and has been proven in over a million deployments.

- The roaming client is a virtual "bump-in-the-wire" for every internet connection. It is transparent to users and does not cause any latency or performance issues because the footprint is very small.

- In fact it has the same endpoint impact, for memory and disk, as an instant messenger service or a song.

- 4x smaller than an antivirus, which scans all system activity or redirects all data traffic, causing network latency and end-user burdens.

- The roaming client simply forwards DNS requests or tunnels suspect IP connections to Umbrella.

- The roaming client can be manually installed on single machines or distributed for mass deployments using tools like Group Policy Objects, Apple Remote Desktop, or other tools for automated software installation.

Details for AV footprint:
- Memory is based on the average across 6 providers when active or idle.
- Disk takes the average across 6 providers and the smallest of the six.

Data sources:
- Third-party report (http://static.symanteccloud.com/estore/PassmarkReports/en/SEP/endpoint-protection-2014-performance-testing.pdf)
- Third-party paper (http://www.invincea.com/wp-content/uploads/2014/01/Buyers-Guide-for-ATP-Endpoint-Solutions-1-4-14.docx.pdf)
- Umbrella engineers determined the footprint in memory by measuring and aggregating the private working set, which is the RAM that is not shared between system processes, for all running Umbrella Roaming Client services. User-initiated network activity was simulated by rapidly requesting websites, including domains like tmz.com, which has many browser redirects that generate hundreds of DNS requests. The system under test was running Windows 7 SP1 x64 and contained 4GB memory and an i3-4005U CPU (1.70GHz, 2 cores, 4 logical processors). The third-party service tracked was Yahoo Messenger (j.mp/YahooIM), which includes two services: ymsgr_tray.exe (j.mp/ymsgr_tray) and YahooMessenger.exe (j.mp/ymsgr_IM).
- Third-party article (http://filecatalyst.com/todays-media-file-sizes-whats-average/)

Page 53:

This scenario shows off-network protection with the Umbrella Roaming client. Users are protected by Umbrella even when the VPN is not enabled.

How does the client discover which domains are internal?
1. From account settings.
2. From the local domain search list that’s published via DHCP or configured on the device itself, i.e. if the device is connected to the internal network then we will resolve those names locally.
3. Backup (failsafe): any time we get an NXDOMAIN response from Umbrella, the client will query the local resolver for that name too.
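The three discovery rules above, written out as a resolver-selection function for a roaming client. This is an added example, not Cisco's roaming-client code; the internal domain set, the DHCP search suffix and the table standing in for cloud answers are constructed, and a missing entry in that table is treated as NXDOMAIN.

```python
"""Added example (not Cisco's roaming-client code): the three internal-domain
discovery rules, expressed as a resolver-selection function.  The domain
lists, search suffixes and the cloud answer table are constructed."""
from typing import Dict, Tuple

# Rule 1: internal domains from the account settings (constructed).
ACCOUNT_INTERNAL_DOMAINS = {"corp.example"}
# Rule 2: search list learned from DHCP / the device while on the internal network (constructed).
DHCP_SEARCH_LIST = ["hq.example.net"]
# Constructed stand-in for answers the cloud resolver would return; absent = NXDOMAIN.
CLOUD_ANSWERS: Dict[str, str] = {"www.example.com": "198.51.100.10"}


def in_zone(qname: str, zone: str) -> bool:
    """True if qname equals zone or is a subdomain of it (case-insensitive)."""
    q, z = qname.rstrip(".").lower(), zone.rstrip(".").lower()
    return q == z or q.endswith("." + z)


def choose_resolver(qname: str, on_internal_network: bool,
                    cloud_answers: Dict[str, str] = CLOUD_ANSWERS) -> Tuple[str, str]:
    """Return (resolver, reason): 'local' for the on-site DNS servers or
    'umbrella' for the cloud service."""
    if any(in_zone(qname, z) for z in ACCOUNT_INTERNAL_DOMAINS):
        return "local", "rule 1: account internal domain"
    # The search list only exists while the device sits on the internal network.
    if on_internal_network and any(in_zone(qname, s) for s in DHCP_SEARCH_LIST):
        return "local", "rule 2: local search list"
    # Everything else goes to Umbrella first ...
    answer = cloud_answers.get(qname.rstrip(".").lower(), "NXDOMAIN")
    if answer == "NXDOMAIN":
        # ... and rule 3: an NXDOMAIN from the cloud is retried against local DNS,
        # so an internal name that rules 1 and 2 missed still resolves on-site.
        return "local", "rule 3: NXDOMAIN failsafe"
    return "umbrella", "external name answered by the cloud"
```

Rule 3 is what keeps an internal host name working when the device is on the internal network but the name sits outside the configured lists; it also means every name the cloud cannot resolve is retried locally, which is worth remembering when reading the local resolver's NXDOMAIN logs.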

Page 54:

This scenario shows off-network protection with the AnyConnect (AC) Umbrella Roaming client. Users are protected by Umbrella even when the VPN is not enabled.

Page 55:

- What does Umbrella do once it receives the request?

- When the global network receives DNS requests, it checks the cloud cache as well as your policy for this device for the proper response.

- If the destination is safe and adheres to the policy, the IP registered in the authoritative DNS record is returned.

- If it is malicious or violates your policy, the IP address of the Umbrella block page servers is returned, or even a block page on a custom IP address you own.

- And if the destination contains both safe and malicious or unknown web content, Umbrella returns the IP of the cloud-based intelligent proxies so the connection can be intercepted and filtered at the URL level.

Page 56:

Page 57:

The list of risky IPs is dynamically updated, and includes feeds from both Umbrella and Talos.

Page 58:

- Available today in the roaming client.

- About to be released also for the AnyConnect client (already supported in the current Windows version; the Mac version will require an upgrade).

Page 59:

Page 60:

On Windows, the user ID is derived from the Registry.

Page 61:

Page 62:

How does a SIG fit with a SWG?
• SIG complements SWG as an added layer of security.
• The need for on-prem security doesn’t go away, but you need a cloud-delivered SIG to address today’s challenges.

A SIG should work seamlessly with a SWG, which an enterprise would use to apply all the usage controls, bandwidth controls, and HR compliance. Off the corporate network, these controls are unnecessary. Cisco has both products (WSA & Umbrella) and they can be deployed as complementary. In addition, there are aspects that will be shared between the two products throughout the coming year, including application categorization, policy orchestration, and threat intelligence.

Hybrid use case: As customers move to the cloud, you can’t just relocate your on-prem appliance into a hosting center, as other vendors have done. You need a cloud-native, cloud-first solution to address today’s security challenges. And because this migration to the cloud will happen over many years for most customers, you still need to have technology on premises that can handle the complex use cases that have developed over the last 15 years.

Page 63:

At the DNS layer, we see both the domain request and the IP response. And at the IP layer, when our roaming client is installed, we can even see direct connections. The combination of Umbrella statistical models and Talos, plus partner feeds, enforces 7 million malicious domains and IPs over all ports and protocols. Plus, customers can build their own custom domain lists using our GUI or our API.

With all dispositions, the new telemetry continuously powers our predictive updates.

In the case of a proxy disposition, we’ll see the URL request and file hash at the HTTP/S layer. The combination of Cisco web reputation systems, Talos, and partner feeds enforces millions of malicious URLs. And then a combination of partner AV engines and Cisco AMP enforces hundreds of millions of malicious hashes.

The analyze disposition occurs if an unknown file request matches one of 16 file types. Integration with Threat Grid to upload files for sandbox analysis will be coming soon. And as always, Threat Grid is updating AMP with retrospective updates continuously.

1. IP-layer enforcement is available with the Umbrella roaming client.
2. If a domain is gray-listed, the IP response proxies the connection. This gray list is populated by Umbrella, Talos, partners, and each customer’s URL lists.
3. WBRS = web reputation system.
4. AMP Threat Grid can analyze 16 file types, whereas AMP and AV check hashes for 43 and 120 file types, respectively.

The intelligent proxy is also required for HTTPS inspection and for other advanced features in future releases such as AVC. IPv6 will be supported in a future release.

Page 64:

“Risky” or gray domains will be redirected to the proxy for full inspection. There are certain domains that will never get redirected to the proxy, for example popular sites with good reputations such as Netflix. Remember that the intention is not to redirect everything to Umbrella, and if a reputable site were to be compromised, Umbrella would detect malicious patterns related to that site at the DNS layer.

At this point in time, customers can define custom category lists for redirecting to the intelligent proxy. However, if this custom list includes any domains that never get proxied (or any of their subdomains), that will override your settings and these requests will not get proxied.
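The DNS-layer decision described on the earlier slide (authoritative answer, block page, or intelligent proxy) together with the never-proxied override from the slide above, as an added example that is not Umbrella's resolver code. The verdict lists, the category map, the per-identity policy and every IP address are constructed (RFC 5737 documentation ranges stand in for the block page and proxy addresses).

```python
"""Added example (not Umbrella's resolver code): the DNS-layer decision the
slides describe (allow / block page / intelligent proxy) including the
never-proxied override.  Verdict lists, policy values and all IPs are
constructed (RFC 5737 documentation ranges)."""
from typing import Optional, Tuple

BLOCK_PAGE_IP = "203.0.113.10"   # stand-in for the Umbrella block page servers
PROXY_IP = "203.0.113.20"        # stand-in for the cloud-based intelligent proxies

AUTHORITATIVE = {                # stand-in for the authoritative DNS answers
    "news.example.net": "198.51.100.5",
    "mixed-cdn.example.org": "198.51.100.9",
    "video.popular.example": "198.51.100.77",
    "evil.example": "198.51.100.66",
    "bets.example": "198.51.100.80",
}
MALICIOUS = {"evil.example"}                  # Umbrella/Talos verdict (constructed)
GRAY = {"mixed-cdn.example.org"}              # mixed safe/unknown content -> proxy
NEVER_PROXY = {"popular.example"}             # high-reputation zones that are never proxied
CATEGORY = {"news.example.net": "news", "bets.example": "gambling"}

POLICY = {                                    # one identity's policy (constructed)
    "blocked_categories": {"gambling"},
    "custom_block_page_ip": None,             # your own IP here overrides the default page
    "proxy_custom_domains": {"mixed-cdn.example.org", "popular.example"},
}


def in_zone(qname: str, zone: str) -> bool:
    """True if qname equals zone or is a subdomain of it."""
    return qname == zone or qname.endswith("." + zone)


def disposition(qname: str, policy: dict = POLICY) -> Tuple[str, Optional[str]]:
    """Return (verdict, answer_ip) for one query under one policy."""
    name = qname.rstrip(".").lower()
    block_ip = policy["custom_block_page_ip"] or BLOCK_PAGE_IP
    # 1. Malicious, or a category the policy blocks: answer with the block page.
    if name in MALICIOUS or CATEGORY.get(name) in policy["blocked_categories"]:
        return "block", block_ip
    # 2. Gray-listed or on the customer's proxy list: send to the intelligent
    #    proxy, unless the zone is one that is never proxied (that always wins).
    wants_proxy = name in GRAY or any(in_zone(name, z) for z in policy["proxy_custom_domains"])
    if wants_proxy and not any(in_zone(name, z) for z in NEVER_PROXY):
        return "proxy", PROXY_IP
    # 3. Otherwise hand back the authoritative record (or NXDOMAIN if there is none).
    if name not in AUTHORITATIVE:
        return "nxdomain", None
    return "allow", AUTHORITATIVE[name]
```

The order of the checks is the point: a block verdict is answered before any proxy logic runs, and the never-proxied set is consulted after the customer's own proxy list, which is exactly why adding such a domain to a custom list has no effect.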

Page 65:

Page 66:

- When it comes to logs, another capability of Umbrella is the ability to export DNS logs to Amazon S3 for long term storage.

- Umbrella will store logs for 30 days, and we have built an integration where you can export logs at regular intervals to Amazon S3.

- By using this, you can store logs for as long as needed and even export the logs from Amazon to a SIEM.

- Many customers benefit from this functionality because they want the ability to go back and review DNS logs when responding to an incident. For example, they may need to go back to research an incident that may have occurred more than a year ago, and this gives them the ability to retain logs as long as needed.

- The universal W3C text format means that the logs can be imported into almost any device or platform that supports it, not only SIEMs but firewalls as well.

Log storage helps organizations cover their blind spots. This means that if you discover a breach long after it has occurred, you can go back through your logs to help investigate how and when your organization was compromised. Umbrella offers flexible DNS log storage through the Amazon S3 Cloud. Customers can also use the S3 Cloud to feed their logs from Umbrella to their security information and event management (SIEM) system. Having this information can help customers manage compliance and improve incident response times.

Page 67:

Together, Umbrella and Cloudlock provide visibility and control for access and usage of SaaS apps. The team has worked on an integration that leverages Umbrella’s enforcement API.

How it works:
- Independently, Umbrella identifies which SaaS apps are being accessed across an organization.
- And Cloudlock identifies risky or inappropriate app usage and revokes OAuth, the authentication standard used to log users into apps.
- Together: using Umbrella’s API, Cloudlock automatically sends Umbrella information on which domains to block.
- These domains are blocked when users are on- and off-network.

The team is working to improve/build upon this use case.

For example: A company only wants users to use Box for file sharing. If a user tries to go to Dropbox, then Umbrella can give them a block page that instructs them to use Box instead.

Page 68:

Page 69:

- Looking now at the anatomy of an attack before we look at our intelligence.

- Patient zero refers to the first machine infected with the malicious code. There’s a common misconception that the attack lifecycle starts with patient zero.

- Once patient zero is infected, the attacker does a targeted expansion to a similar segment, then a wide-scale expansion to all. Weeks later, traditional security vendors catch up, reverse engineer the code and create a signature they push out to customers in the form of an update.

- But looking at the timeline in more detail, before an attack is launched, servers get spun up in the dark corners of the internet, domains are registered, and IPs/ASNs are allocated. And although threats continue to increase in sophistication, attackers often reuse the same infrastructure in multiple attacks, leaving behind cyber fingerprints.

- Umbrella uses data from our global network and statistical models to uncover this information to stop attacks before patient zero is hit.

Page 70:

- All the information that Umbrella sees is ingested in real time into our massive graph database, and we then continuously run statistical models (aka algorithms) against it.

- More than a reputation score that looks at the past, we analyze both historical and live data.

- Our models statistically score the “guilt” of domains and IPs to determine if they’re part of an attacker’s infrastructure.

- We use three main approaches: guilt by inference, guilt by association, and patterns of guilt.

- This slide lists several models that fit into each category. We will go into examples in the following slides.

What is an “event”, as labelled on the slide?
- We see 2 events per DNS query: (1) the domain request and (2) the IP response.
- Therefore, 2 events × 80B queries per day / 24 hours / 3600 seconds per hour ≈ 1.85M events per second (2M+ live events).
- Historical events represent our cache.

For more information on Umbrella’s approach and models: https://learn-umbrella.cisco.com/threat-intelligence/predictive-intelligence-pre-crime-for-it.

Page 71:

We associate the domains and IPs observed at the DNS layer with URLs and file hashes from Cisco AMP and networks from our BGP peering sessions.

Then Umbrella security researchers observe trends and anomalies in the data collected and build models that can automatically score and classify domains and IPs.

These models continuously analyze 2M live events per second combined with 11B historical events to automatically identify malware, C2 callbacks, phishing, and advanced threats linked to an attacker’s infrastructure.

Page 72:

- Whenever someone makes a DNS request, the co-occurrence rank model identifies what other domains are queried right before and after in a short timeframe.

- Identifying domains that have high co-occurrence scores can highlight a connection between domains, regardless of what IP or network they’re hosted on.

- For example, if the 2 domains “c.com” and “d.com” are frequently visited right before or after the malicious domain “x.com”, this may mean that “c.com” and “d.com” are possibly malicious domains as well – they are domains guilty by inference.

- And what does that mean in the larger scope? If customers use our Investigate product, in the event of an attack, security analysts are able to piece together the malicious domains that are all tied to the same attack and get the most complete view of an attacker’s internet infrastructure.

- Co-occurrences even enable analysts to stay ahead of attackers and proactively block additional related (and suspicious) domains before their network is compromised.
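The co-occurrence idea above on a constructed DNS log, as an added example that is not Umbrella's model: for a seed domain already known to be malicious, count the other domains the same client queried within a short window before or after it, and normalise by the number of seed queries. The clients, domains, timestamps and the five-second window are all made up for the illustration.

```python
"""Added example (not Umbrella's co-occurrence model): guilt by inference on a
constructed DNS log.  All domains, clients and timestamps are made up."""
from collections import Counter, defaultdict
from typing import Dict, Iterable, Tuple

# Constructed log: (timestamp in seconds, client id, queried domain)
LOG = [
    (0,   "client-A", "c.example"), (1,   "client-A", "x.example"),
    (2,   "client-A", "d.example"), (30,  "client-A", "news.example"),
    (100, "client-B", "c.example"), (102, "client-B", "x.example"),
    (103, "client-B", "d.example"), (120, "client-B", "mail.example"),
    (200, "client-C", "news.example"), (201, "client-C", "mail.example"),
    (300, "client-D", "x.example"), (302, "client-D", "d.example"),
    (350, "client-D", "c.example"),   # here c.example falls outside the window
]


def cooccurrence(log: Iterable[Tuple[float, str, str]], seeds: set,
                 window: float = 5.0) -> Dict[str, dict]:
    """score = fraction of seed queries that had the domain within +/- window
    seconds on the same client; clients = distinct clients contributing."""
    by_client = defaultdict(list)
    for ts, client, dom in log:
        by_client[client].append((ts, dom))
    near = Counter()
    clients = defaultdict(set)
    seed_queries = 0
    for client, events in by_client.items():
        events.sort()
        for ts, dom in events:
            if dom not in seeds:
                continue
            seed_queries += 1
            # domains seen in the window around this seed query, counted once each
            neighbours = {d for t, d in events
                          if d != dom and d not in seeds and abs(t - ts) <= window}
            near.update(neighbours)
            for d in neighbours:
                clients[d].add(client)
    if not seed_queries:
        return {}
    return {d: {"score": n / seed_queries, "clients": len(clients[d])}
            for d, n in near.items()}


def guilty_by_inference(scores: Dict[str, dict], min_score: float = 0.5,
                        min_clients: int = 2) -> list:
    """Candidates worth an analyst's look: a high score *and* more than one
    contributing client, so a single noisy host cannot manufacture a link."""
    return sorted(d for d, s in scores.items()
                  if s["score"] >= min_score and s["clients"] >= min_clients)
```

On real traffic the score also needs a base-rate correction: very popular domains (CDNs, telemetry endpoints) co-occur with everything, so a production model compares the in-window frequency with the domain's overall frequency rather than using the raw fraction alone.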

Page 73:

- We’ve mentioned that Cisco Umbrella resolves over 100B DNS requests per day.

- Spike Rank leverages that massive amount of DNS request volume data and detects domains that have spikes in their DNS request patterns using sound wave graphing.

- This model recognizes when spikes in traffic to a domain match patterns seen with other attacks.

- For example, if the traffic to one domain matches the request patterns seen with exploit kits, we’ll block the domain before the full attack launches.
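The two checks the slide implies (a volume spike against the domain's own baseline, and a spike shape that matches a known pattern), as an added example that is not Umbrella's Spike Rank. The hourly query counts are constructed, and REFERENCE_BURST is a made-up stand-in for a library of curves learned from past attacks, not a real exploit-kit signature.

```python
"""Added example (not Umbrella's Spike Rank): flag a domain when its recent
volume spikes far above its own baseline AND the spike's shape correlates
with a reference curve.  Counts and the reference curve are constructed."""
import math
from typing import Dict, List, Tuple


def znorm(series: List[float]) -> List[float]:
    """Z-score normalisation so that only the shape of a curve matters."""
    mean = sum(series) / len(series)
    sd = math.sqrt(sum((x - mean) ** 2 for x in series) / len(series))
    return [(x - mean) / sd if sd else 0.0 for x in series]


def spike_ratio(series: List[float], baseline_len: int) -> float:
    """Peak of the recent hours divided by the mean of the baseline hours."""
    base, recent = series[:baseline_len], series[baseline_len:]
    avg = sum(base) / len(base)
    return max(recent) / avg if avg else float("inf")


def shape_similarity(series: List[float], reference: List[float]) -> float:
    """Pearson correlation of two equal-length curves: 1.0 = identical shape."""
    a, b = znorm(series), znorm(reference)
    return sum(x * y for x, y in zip(a, b)) / len(a)


def spike_rank(domain_series: Dict[str, List[float]], reference: List[float],
               baseline_len: int = 24, min_ratio: float = 10.0,
               min_similarity: float = 0.9) -> Dict[str, Tuple[float, float]]:
    """Return {domain: (ratio, similarity)} for domains passing both checks."""
    flagged = {}
    for dom, series in domain_series.items():
        ratio = spike_ratio(series, baseline_len)
        sim = shape_similarity(series[baseline_len:], reference)
        if ratio >= min_ratio and sim >= min_similarity:
            flagged[dom] = (round(ratio, 2), round(sim, 3))
    return flagged


# Constructed: 24 baseline hours followed by 12 recent hours per domain.
REFERENCE_BURST = [1, 4, 20, 60, 45, 15, 5, 2, 1, 1, 1, 1]   # rise-and-decay shape
SERIES = {
    # quiet domain that suddenly shows the burst-and-decay shape
    "kit-landing.example": [2] * 24 + [2, 6, 40, 130, 90, 30, 10, 4, 2, 2, 2, 2],
    # busy, stable domain: no spike relative to its own baseline
    "steady-news.example": [500] * 24 + [520, 480, 510, 495, 530, 505, 490, 500, 515, 485, 500, 510],
    # quiet domain that steps up and stays up (a product launch): spike, wrong shape
    "launch.example": [2] * 24 + [2, 3, 50, 200, 220, 230, 240, 235, 230, 228, 225, 220],
}
```

Requiring both conditions is what keeps the false-positive rate workable: a step change that persists (legitimate new popularity) and a large but stable volume both fail one of the two tests.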

Page 74:

- This model starts with domains identified by the Spike Rank model and scores the steps attackers take to set up infrastructure (e.g. hosting provider, name server, IP, etc.) to predict whether a domain is malicious.

- By focusing on the unchangeable characteristics of infrastructure provisioning, this model can identify more than 300 new potentially malicious domains every hour and can block them before they are used in an attack campaign, thereby overcoming the evasion techniques that criminals typically employ.

Page 75:

Secure-Rank determines whether destinations, including domains and IPs, are good or bad beyond just basic reputation scoring. It maps all identities to all destinations based on DNS requests and neighborhoods, respectively, to create a massive bipartite graph of internet activity. Identities include networks of multiple endpoints or individual endpoints. Neighborhoods include the domain and the IPs, prefixes and ASNs mapped to the domain.

The key capability of this graph is to rank new “neighborhoods” that would otherwise have neutral reputation scores. The graph answers whether the new “neighborhood” is requested by identities that had requested other “neighborhoods” with good or bad reputations.

Unlike static reputation systems, our graph and rankings change in real time based on past and present internet activity.

An analogy is that bad people tend to hang out in bad neighborhoods, and vice versa. So, if many bad people are hanging out in a new neighborhood, then that neighborhood is also likely bad (and ranked as such).
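Guilt by association on a small bipartite graph, as an added example that is not Umbrella's Secure-Rank implementation. Identities are linked to the destinations they requested; scores are propagated back and forth for a few rounds so that an unlabelled destination inherits the reputation of the identities that asked for it. The graph, the labels, the round count and the classification threshold are constructed for the illustration.

```python
"""Added example (not Umbrella's Secure-Rank): score propagation on a
bipartite identity/destination graph.  Graph, labels and names are constructed."""
from collections import defaultdict
from typing import Dict, Tuple

# identity -> set of destinations ("neighbourhoods") it requested (constructed)
REQUESTS = {
    "net-A":  {"bank.example", "news.example"},
    "net-B":  {"news.example", "new-host.example"},
    "bot-C":  {"evil.example", "c2.example", "new-host.example"},
    "bot-D":  {"evil.example", "new-host.example"},
    "user-E": {"bank.example", "news.example", "another-new.example"},
}
# Known reputations: +1 good, -1 bad. Unlabelled destinations start unknown.
LABELS = {"bank.example": 1.0, "news.example": 1.0,
          "evil.example": -1.0, "c2.example": -1.0}


def secure_rank(requests: Dict[str, set], labels: Dict[str, float],
                rounds: int = 3) -> Tuple[Dict[str, float], Dict[str, float]]:
    """Alternate two averaging steps for a few rounds:
    identity score = mean score of the destinations it requested (those scored so far);
    destination score (unlabelled only) = mean score of the identities requesting it.
    Labelled destinations keep their reputation and act as anchors."""
    dest_score = dict(labels)
    requesters = defaultdict(set)
    for ident, dests in requests.items():
        for d in dests:
            requesters[d].add(ident)
    id_score: Dict[str, float] = {}
    for _ in range(rounds):
        for ident, dests in requests.items():
            known = [dest_score[d] for d in dests if d in dest_score]
            id_score[ident] = sum(known) / len(known) if known else 0.0
        for d, ids in requesters.items():
            if d in labels:
                continue
            dest_score[d] = sum(id_score[i] for i in ids) / len(ids)
    return id_score, dest_score


def rank_new_destinations(requests: Dict[str, set] = REQUESTS,
                          labels: Dict[str, float] = LABELS,
                          bad_below: float = -0.25) -> Dict[str, str]:
    """Label every unlabelled destination from the propagated score."""
    _, dest = secure_rank(requests, labels)
    return {d: ("likely bad" if s < bad_below else "likely good")
            for d, s in dest.items() if d not in labels}
```

new-host.example has never been labelled, but two of its three requesters only ever asked for known-bad destinations, so it ends up well below zero; another-new.example is requested only by an identity with a clean history and stays at +1.0. Re-running the propagation as new requests arrive is what makes the ranking move with live activity rather than staying static.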

Page 76:

One of the most recent statistical models we built is called NLPrank.

It detects fraudulent branded domains that often serve as C2 and phishing domains for targeted attacks.

One of our researchers found in other labs’ APT-style reports that there were multiple examples of suspicious-looking domains advertising “java updates”.

Upon a quick check in our data, many existed on the same infrastructure and exhibited similar and interesting DNS request patterns.

So a combination of heuristics such as natural language processing, ASN mappings and weightings, WHOIS data patterns, and HTML tag analysis was used to classify such domains as malicious. At first the algorithm was run manually and spot-checked for accuracy, but after tuning to prevent false positives, we were able to fully automate it, and Umbrella now enforces newly discovered domains immediately.

Page 77:

Many security providers talk about machine learning, but what does that really mean? Most use machine learning to reactively determine whether a domain name was generated using an algorithm. But this technique doesn’t stop the attack before it happens. We should know: Umbrella did this first back in 2012.

Umbrella sees 3 million new domains every day. Many of these are used by domain generation algorithms (aka DGAs) that attackers leverage to maintain command and control of infected devices. Different malware families will tweak these algorithms using different config files, such that for every new config, security providers must reverse engineer the malware samples to identify domains used for command and control. This process is manual, slow, and too late to protect customers.

Our researchers figured out how to automate reverse engineering simply using the domain names we see every day. This enables us to predict hundreds of thousands of future domains in a fraction of the time our competitors need, and protect customers from thousands of pieces of malware both now and in the future.

Page 78:

- Another element we analyze is where the IPs are hosted. Malicious hosts tend to have multiple IP addresses that are located far away from each other, not on the same network, since they are often compromised servers themselves. Here we can see that this domain is hosted by IP addresses in more than 20 countries. While this doesn’t confirm that it’s malicious, it’s another piece of evidence.

- We also analyze the relationship between where the domain is hosted and where the people requesting the domain are located. For example, if a domain name has a Russian country code but has a large amount of traffic from far away from that country (e.g. the US), it is suspicious!

Page 79:

Because the majority of email is spam, a market of hundreds of spam reputation services exists to help combat the problem. And our 85M recursive DNS users use many of these reputation services. We see these requests, which include the spam sender domains in question. One popular spam technique has been dubbed “Hailstorm”, and these spam reputation services haven’t detected most of the fully qualified domain names used by hailstorm attackers because of how they send a massive volume of spam in less than an hour across many such domain names.

Once we aggregate all the request volumes per domain, we can confirm that it’s a hailstorm attack and identify the owner using WHOIS information, which contains the domain registrant.

Such attackers register many domains for various malicious uses over time, including the links within spam, and even domains used for command and control of infected devices upon a successful spam attack. We predict these domains by watching for newly registered domains by this attacker and, combined with other data gathered by Umbrella, can block these domains as emergent threats.

Page 80:

1. We may have predictively blocked it already, and likely the first requestor was a free user.
2. E.g. a domain generated for a CDN service.
3. Usually 24 hours, but modified for best results, as needed.

There are millions of domains registered daily, some by attackers. Umbrella does leverage models that can predict new domains as malicious based on the registrant being a known attacker, but that doesn’t always happen.

Over the last few years, attackers learned that by waiting days to weeks before using such domains, they could bypass reputation systems that score newly registered domains as risky.

That’s why Umbrella also focuses on newly seen domains. Once any of our 65 million users, the majority of whom just use our free DNS service, requests the new domain, we’ll categorize it within minutes, such that when another user, or even a data center server autonomously, requests this domain within the next 24 or so hours, Umbrella will log or block it per policy. This gives Umbrella statistical models, or even other security solutions relying on reputation systems, time to classify the threat using other data.

Page 81:

Potentially Harmful Domains and DNS Tunneling VPN: these NEW CATEGORIES are allowed by default, but can be blocked. Domains in these categories may have already been categorized as Malware or Botnet (a.k.a. C2 callbacks) by many other Umbrella statistical models.

DNS tunneling is a technique to communicate non-DNS information over the DNS protocol and port 53. It has both benign and malicious uses, as well as many that lie somewhere in between.

Security services such as AV clients use it to request and receive signature updates. Commercial VPN services use it to bypass paid wi-fi captive portals. And malware such as one dubbed PisLoader uses it to bypass firewalls to exfiltrate data.

While identifying DNS tunneling is not incredibly difficult, classifying it accurately enough to avoid false positives is very challenging. Cisco’s ability to see more live DNS requests than any other security company uniquely allows Umbrella to overcome this challenge. Using various automated and machine learning jobs, DNS tunneling domains are classified into 1 of 4 categories, 2 of which are new.

An important reminder is that Umbrella identifies known and emergent malicious domains using other statistical models, so often we’ve already blocked DNS tunneling but just didn’t classify it as such.

Page 82:

Let’s look at a real-world example of a ransomware attack, and how Umbrella works to block the threat before it is launched.

Leveraging our in-depth understanding of Internet infrastructure and statistical models, we are able to map and block attackers’ infrastructure before attackers use it to launch the attack.

Details:
- We start the process with a domain already blocked by Umbrella based on our statistical models and linked with Locky ransomware.
- Umbrella predictive intelligence blocked this domain 26 days earlier than the first submission appeared on VT (VirusTotal) by the community.
- As we have a very broad view of the Internet infrastructure, we can leverage this and see if we can find more IPs/domains etc. that relate to Locky or other ransomware, leveraging various relationships that naturally exist in the Internet.

Page 83:

The internet itself has many built-in relationships that we can leverage to quickly map attackers’ infrastructure. We start with one domain and get very quickly to 1000.

Details:
- Domain to IP association: based on DNS information we learn that the domain resolves to two IP addresses. Both IPs are blocked.
- Let’s now see what domains are hosted on 185.101.218.206 via IP to Domain association: more than 1000 DGA-like domains linked with Cerber.
- Looks like Locky and Cerber share the infrastructure.
- Umbrella and AMP Threat Grid integration gives us IP-to-Sample mapping: more than 600 samples clearly marked as Cerber ransomware.
- Focus on the 2nd IP 91.223.89.201 and explore a new association: IP to Autonomous System (for simplicity we refer to an AS as a network). Every public IP belongs to a network, typically owned by an ISP or a large enterprise like Facebook or Google.
- The IP 91.223.89.201 belongs to network AS 197569, which is owned by the Russian service provider ENERGOMONTAZH ltd.
- Let’s see what other domains within the network AS 197569 have been recently spotted by our algorithms.

Page 84:

Our statistical models were able to identify and block 2 domains that were generated by a DGA algorithm several days before the domains had even been registered, thus eliminating the damage that could be done. This is especially critical for ransomware.

Details:
- What we are doing now is looking at what other malicious domains have been recently spotted within this network range.
- Not very surprisingly, two additional domains which clearly look like they were generated with a DGA algorithm.
- Compare when Umbrella marked the domains as malicious vs. the first evidence available in VirusTotal.
- Both domains are related to Locky ransomware.
- The first domain was registered in July and immediately blocked based on our DGA detection algorithm. The first evidence on VT was 7 days later.
- The 2nd domain highlights our predictive capabilities even more: 26 days earlier. Notice this domain was blocked 4 days before it was registered by the attacker.
- With predictive intelligence, malicious infrastructures can be blocked in advance to significantly cripple malware operations.

Page 85:

Page 86:

- Cisco Umbrella Investigate is offered as a web console or API for users to enrich their existing security data with our global intelligence.

- It is a single, correlated source with the most complete view of the relationships and evolution of domains, IPs, autonomous systems (ASNs), and file hashes.

- It adds the security context needed to help customers uncover and predict threats.

- It takes a massive amount of data and applies statistical models to it. This helps us automatically discover and predict malicious domains and IPs.

Page 87:

• All of this intelligence is available in a single, correlated source with Cisco Umbrella Investigate.

• One of the biggest differentiators with this tool is that we are bringing together many pieces of information.

• Without Investigate’s aggregate intelligence, organizations would need to try to get this information from many other places, which is time consuming and only shows one piece of the puzzle. Security teams are then left to figure out the correlations and connections manually.

Additional Notes:

- Passive DNS = historical DNS data (other vendors: FarSight)
- Domain reputation (other vendors: Webroot)
- ASN attribution (IP -> ASN) (other vendors: Team Cymru)
- IP geolocation (other vendors: MaxMind)
- IP reputation (other vendors: Norse)
- Domain co-occurrences (no one else provides this)
- Anomaly detection: DGA/fast flux detection

Page 88:

- So what kind of data are we talking about? Every day, more than 85 million enterprise and consumer users across 160+ countries rely on Cisco Umbrella for DNS resolution. That results in 100+ billion DNS requests per day. Plus, 500+ peering partners exchange BGP route information with Cisco, giving us visibility into the connections between different networks on the internet. With this combined data, our view of the internet is like no other security company’s.

Page 89:

• Attackers try to hide their tracks by changing their information when registering a new domain, but they sometimes forget. So even a single piece of information can give vital clues about the attacker or campaign.

• By incorporating WHOIS record data in Investigate, users will have insight into who registered a domain, and when and where it was registered, including contact information and any changes over time.

• Our intelligence provides visibility into any malicious domains registered using any of the same contact information, which can be used to tie attacks together.


Page 90:

• And with the integration of Cisco’s AMP Threat Grid data in Investigate, Investigate can be used to uncover intelligence about the attacker’s piece of malware.

• Similar to how Investigate provides intelligence about the relationships between domains, IPs and ASNs, Cisco AMP Threat Grid provides intelligence about malware files so security teams can quickly understand what malware is doing or attempting to do, how large a threat it poses, and how to defend against it.

• In Investigate, you can query by file hash (SHA256, SHA1, or MD5), domain, IP, or ASN, and get more insight into which file hashes are calling out to a given domain, along with the associated samples, their threat score, behavioral indicators, and other file analysis data.

• Threat Grid license holders can even pivot directly into Threat Grid with a click of a button.


Page 91:

Splunk Add-on for Cisco Umbrella Investigate:

- Automatically enriches security alerts inside Splunk, allowing analysts to discover the connections between the domains, IPs, and file hashes in an attacker's infrastructure.
- As a result, improves SOC efficacy to better triage and respond to critical incidents, and even uncover potential threats.


Page 92:

Let's walk through a sample flow of using Splunk as a SIEM:

- (1) Like we mentioned, Splunk collects a massive amount of logs from various sources (security controls like the firewall, proxy, endpoint security, and network infrastructure).
- (2) Once all the data is aggregated in Splunk, users can use the Investigate Add-on to query the Investigate API and enrich security events with context about domains, IPs, and file hashes within Splunk.
- (3) With this powerful integration, security analysts can immediately get pertinent and accurate information regarding security events to better triage during incident response and speed up investigations.
- (4) For additional research and the ability to interactively pivot between data points, analysts can use the Investigate console.
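Steps (2) and (3) of that flow, enrichment and triage, reduced to their logic in an added example. This is not the Splunk add-on or the Investigate API: the key=value log lines, the indicator context table and the scores are constructed, and `constructed_lookup` stands in for whatever lookup the add-on performs. What the example does show is the part an analyst cares about: pulling the lookup-worthy observables out of each event (URL host, destination IP, file hash; internal source addresses are deliberately not looked up), caching so a repeated indicator costs one query, and ordering events by the worst context found.

```python
import re
from urllib.parse import urlparse

# Constructed threat context keyed by indicator. Stands in for the responses an
# enrichment lookup would fetch; values are invented, not Investigate verdicts.
CONSTRUCTED_INTEL = {
    "xk3v9q2mzt7p.example": {"status": "malicious", "categories": ["Malware"], "score": 95},
    "198.51.100.23": {"status": "malicious", "categories": ["Command and Control"], "score": 90},
    "update-check.example": {"status": "suspicious", "categories": [], "score": 60},
}

# Constructed key=value log lines in the style a SIEM ingests from a proxy,
# firewall and endpoint agent. Not real product output.
EVENTS = [
    "src=10.0.0.5 action=allow url=http://news.example.com/index.html",
    "src=10.0.0.7 action=allow url=http://xk3v9q2mzt7p.example/gate.php",
    "src=10.0.0.9 dst=198.51.100.23 dport=443 action=allow",
    "host=ws12 sha256=" + "a" * 64 + " verdict=unknown",
    "src=10.0.0.7 action=allow url=http://xk3v9q2mzt7p.example/beacon",
]

KV_RE = re.compile(r"(\w+)=(\S+)")
UNKNOWN = {"status": "unknown", "categories": [], "score": 0}


def extract_indicators(event):
    """Observables worth a lookup: URL host, destination IP and file hash.
    The internal source address is not an external indicator and is skipped."""
    fields = dict(KV_RE.findall(event))
    out = []
    if "url" in fields:
        host = urlparse(fields["url"]).hostname
        if host:
            out.append(host.lower())
    if "dst" in fields:
        out.append(fields["dst"])
    if "sha256" in fields:
        out.append(fields["sha256"].lower())
    return out


def constructed_lookup(indicator):
    """Placeholder for the real lookup; answers from the constructed table."""
    return CONSTRUCTED_INTEL.get(indicator, UNKNOWN)


def enrich(events, lookup=constructed_lookup):
    """Attach context to every event and order the result for triage.
    Returns (enriched events, number of distinct lookups performed)."""
    cache = {}
    enriched = []
    for event in events:
        context = {}
        for ind in extract_indicators(event):
            if ind not in cache:          # one lookup per distinct indicator
                cache[ind] = lookup(ind)
            context[ind] = cache[ind]
        max_score = max((c["score"] for c in context.values()), default=0)
        enriched.append({"event": event, "indicators": context, "max_score": max_score})
    enriched.sort(key=lambda e: -e["max_score"])  # stable: ties keep log order
    return enriched, len(cache)


if __name__ == "__main__":
    ranked, lookups = enrich(EVENTS)
    print(f"{lookups} lookups for {len(EVENTS)} events")
    for e in ranked:
        print(e["max_score"], e["event"])
```

Five events cost four lookups because the same domain appears twice; in a real deployment the cache would be shared across runs and bounded, since lookup volume is what an API quota meters. The unknown hash stays at score 0 rather than being dropped, so the analyst still sees that it was checked.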


Page 93:

The infrastructure and related findings can be visualized by OpenGraphiti, our 3D visualization tool.

- The cluster on the right hand side is linked with IP 185.101.218.206, to which more than 600 samples classified as Cerber Ransomware by AMP ThreatGrid connected during sandboxing.
- The cluster on the left shows hundreds of DGA based domains related to Cerber ransomware.
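The clusters in that visualization are connected components of a graph whose nodes are samples, domains and IPs and whose edges are "sample connected to IP" and "domain resolved to IP". The following added example computes them without any rendering; it is not OpenGraphiti or Cisco code. The edges are constructed: the sample ids are placeholders rather than Threat Grid hashes, and the addresses are RFC 5737 documentation ranges, not the IP named in the slide.

```python
from collections import Counter, defaultdict, deque

# Constructed relationship edges (node_a, node_b). Node names carry a type
# prefix. "sample:" ids are placeholders, not Threat Grid hashes; IPs are
# documentation addresses. Shape mirrors the slide: one IP shared by several
# samples and a DGA-looking domain, a second IP behind more DGA domains.
EDGES = [
    ("sample:0001", "ip:192.0.2.10"),
    ("sample:0002", "ip:192.0.2.10"),
    ("sample:0003", "ip:192.0.2.10"),
    ("domain:qz8k2mvp.example", "ip:192.0.2.10"),
    ("domain:k7t3wq9x.example", "ip:192.0.2.11"),
    ("domain:p2m8zx4r.example", "ip:192.0.2.11"),
    ("sample:0004", "ip:198.51.100.5"),   # unrelated sample, its own cluster
]


def build_adjacency(edges):
    adj = defaultdict(set)
    for a, b in edges:
        adj[a].add(b)
        adj[b].add(a)
    return adj


def connected_components(edges):
    """Breadth-first search over the undirected graph; largest cluster first."""
    adj = build_adjacency(edges)
    seen, components = set(), []
    for start in sorted(adj):
        if start in seen:
            continue
        comp, queue = set(), deque([start])
        seen.add(start)
        while queue:
            node = queue.popleft()
            comp.add(node)
            for nxt in adj[node]:
                if nxt not in seen:
                    seen.add(nxt)
                    queue.append(nxt)
        components.append(comp)
    return sorted(components, key=len, reverse=True)


def summarize(edges):
    """Per cluster: size, node counts by type and the hub (highest-degree node),
    which is what an analyst would read off the picture."""
    adj = build_adjacency(edges)
    out = []
    for comp in connected_components(edges):
        by_type = Counter(node.split(":", 1)[0] for node in comp)
        hub = max(sorted(comp), key=lambda n: len(adj[n]))
        out.append({"size": len(comp), "by_type": dict(by_type), "hub": hub,
                    "nodes": sorted(comp)})
    return out


if __name__ == "__main__":
    for c in summarize(EDGES):
        print(c["size"], c["by_type"], "hub:", c["hub"])
```

A shared hub with many sample edges and few domains reads as command-and-control infrastructure; a hub with many domain edges and no samples reads as a DGA set that has not yet been seen in sandboxing. Those are the two clusters the slide describes.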


Page 96:

As Umbrella evolves over the next 1-2 years, CWS customers will be migrated to Umbrella at their convenience.

Flex bundles:

- Equal number of seats across both solutions.
- Currently, flex bundles are only for CWS Essentials and Umbrella Insights.
- The Umbrella subscription in these bundles includes basic email-based support, and customers can choose the optional Gold support within the bundle configuration.
- No support PID needed for CWS Essentials, as gold-level support is included.
- Outside of flex bundles, CWS SKUs can now be ordered and renewed for a maximum of 1 year terms.
