TRANSCRIPT
Introducing Cisco Umbrella for Cloud Based Threat Protection (BRKSEC-1980)
Szilard Csordas,
Consulting Security Engineer
Agenda
• Introduction
• What is Cisco Umbrella
• Architecture & Data Flow
• Statistical Models
By 2020, Cisco Global Cloud Index estimates: 92% of global data center traffic will come from the cloud.
By 2021, Gartner estimates: 25% of corporate data traffic will bypass perimeter security.
© 2017 Cisco and/or its affiliates. All rights reserved. Cisco Public 5
How IT was Built
[Diagram: workplace desktops, business apps and critical infrastructure inside the perimeter, connected to the Internet]
IT Today
[Diagram: workplace desktops, business apps (Salesforce, Office 365, DocuSign, etc.), critical infrastructure (Amazon, Rackspace, Windows Azure, etc.), branch office, roaming laptops, Internet]
Secure Internet Gateway
Your secure onramp to the internet, anywhere users go
• On and off the corporate network
• All ports and protocols
• Open platform
• Live threat intelligence
• Proxy and file inspection
• Discovery and control of SaaS
DNS Overview
• Authoritative DNS: owns and publishes the “phone books”
• Domain registrar: maps and records names to #s in the “phone books”
• Recursive DNS: looks up and remembers the #s for each name
DNS is the Critical Lifeline of the Network
Every possible device, all network architectures, all operating systems
What happens when you visit a single site?
CNN[.]COM: 26 domains, 39 hosts, 171 objects, 557 connections
68% of organizations don’t monitor DNS
NETWORK DEPLOYMENT
Simplest Security Deployment on the Planet: point external DNS traffic to Umbrella
DNS: 208.67.222.222 (primary), 208.67.220.220 (secondary)
• Provision DNS or DHCP servers
• Provision corporate and guest wireless APs
Any device, any owner
ENDPOINT DEPLOYMENT
Cisco AnyConnect Module: roaming protection without another agent
DNS: 208.67.222.222 (primary), 208.67.220.220 (secondary)
1. Enable the roaming security module
2. Set the roaming policy in Umbrella
3. Gain visibility into internet activity and detailed logs for incident response
MOBILE DEPLOYMENT
Cisco Security Connector: one app, two layers of security to protect enterprise iOS users
VISIBILITY & CONTROL
• DNS-layer enforcement and encryption via net new iOS 11 functionality
• Customizable URL-based protection with intelligent proxy
• Available to Umbrella customers at no extra charge if the subscription already covers iOS users
VISIBILITY
• App-layer auditing and correlation via net new iOS 11 functionality
• Logs encrypted URL requests without SSL decryption
• Available to AMP for Endpoints customers at no extra charge if the subscription already covers iOS devices
Enforcing Inline, Analyzing Offline
Breadth to cover all ports and depth to inspect risky domains
Inline Enforcement
• DNS and IP layer: domain request, then IP response (DNS-layer) or connection (IP-layer); verdict: allow, block, or proxy
• Sources for the DNS/IP layer: Umbrella / Talos and partner feeds, custom domain lists, custom IP lists (future)
• HTTP/S layer (proxy): URL request and file hash; verdict: allow, block, or analyze
• Sources for the HTTP/S layer: WBRS / Talos + partner feeds, custom URL lists, AV, AMP; unknown files (roadmap)
Offline Analysis
• Internet-wide telemetry feeds the Umbrella statistical models and AMP Threat Grid
• Predictive updates and retrospective updates flow back into inline enforcement
Gather Intelligence, Enforce Security at the DNS Layer
Authoritative DNS logs, used to find:
• Newly staged infrastructures
• Malicious domains, IPs, ASNs
• DNS hijacking
• Fast flux domains
• Related domains
User request patterns, used to detect:
• Compromised systems
• Command and control callbacks
• Malware and phishing attempts
• Algorithm-generated domains
• Domain co-occurrences
• Newly registered domains
[Diagram: any device → recursive DNS → authoritative DNS for root, com. and domain.com.]
Where Does Umbrella Fit?
[Diagram: malware, C2 callbacks and phishing reaching HQ (sandbox, NGFW, proxy, Netflow, AV), branch (router/UTM, AV) and roaming users (AV); Umbrella is the first line, ahead of network and endpoint controls]
It all starts with DNS
• Precedes file execution and IP connection
• Used by all devices
• Port agnostic
Umbrella Resolver Flow
Internet traffic, on- and off-network, passes through the Umbrella resolver:
• Safe: original destination
• Blocked: modified destination (block page)
• Intelligent proxy: deeper inspection of risky domains
Security controls
• DNS and IP enforcement
• Risky domain inspection through proxy
• SSL decryption available
Destinations: original destination or block page
Protection for Command and Control Callbacks
[Diagram: infected device, SWG (cloud or on-prem), Umbrella]
• 15% of C2 bypasses web ports 80 & 443
• 91% of C2 can be blocked at the DNS layer
Umbrella Data Centers Co-located at Major IXPs
• Amsterdam
• Berlin
• Bucharest
• Chicago
• Copenhagen
• Dallas
• Frankfurt
• Hong Kong
• Johannesburg
• London
• Los Angeles
• Miami
• New York
• Palo Alto
• Paris
• Prague
• Seattle
• Singapore
• Sydney
• Tokyo
• Toronto
• Vancouver
• Warsaw
• Washington DC
https://system.opendns.com/
How Fast does Umbrella Resolve DNS Requests?
[Chart: DNS resolution latency in milliseconds for FreeDNS, OpenNIC, SafeDNS, Comodo, Level3, Dyn, Neustar and Umbrella, by region: North America, Europe / EMEA, Latin America, Africa, Asia / APAC. Source: MSFT Office 365 Researcher, ThousandEyes Blog Post, May 2015]
On-network Protection: DHCP Server – for locations without internal domains
• Uses the built-in DHCP server on a router, switch, Wi-Fi AP, firewall, SWG, or Windows Server
• The DNS IP address handed out by DHCP is changed to Umbrella
• All devices connected to the network will point DNS requests to Umbrella
• Works best if there are no internal domains (e.g. printers or an intranet) that require local resolution
[Diagram: no internal DNS server; any device @ 10.1.2.2; DHCP’s DNS = 208.67.222.222; gateway @ 8.2.0.1; Umbrella @ 208.67.222.222 enforces policy for the public network ID @ 8.2.0.1]
On-network Protection: DNS Server – for locations that manage internal domains
• A DNS server (or any device performing resolution) is present on the network for internal resolution
• The DNS server is configured to forward all external DNS requests for Internet domains to Umbrella
• In this and the previous deployment scenario, policy control and visibility are still limited to the network’s public-facing IP address
[Diagram: DNS server @ 10.1.0.1; any device @ 10.1.2.2; DHCP’s DNS = 10.1.0.1; external DNS = 208.67.222.222; gateway @ 8.2.0.1; Umbrella @ 208.67.222.222 enforces policy for the public network ID @ 8.2.0.1]
On-network Protection: Umbrella Virtual Appliance – for locations that require local IP granularity
• Supported on VMware and Hyper-V
• Internal and external requests are sent to the VA
• Internal requests are resolved locally
• The VA embeds local IPs into RFC-compliant extension mechanisms for DNS (EDNS)
[Diagram: DNS server @ 10.1.0.1; any device @ 10.1.2.2; DHCP’s DNS = 10.1.0.2; Umbrella VA @ 10.1.0.2 forwards to the internal DNS = 10.1.0.1 for internal domains, and encrypts EDNS with the embedded ID towards Umbrella with no NAT or proxy; gateway @ 8.2.0.1; Umbrella enforces policy for the internal IP and delivers internal domains & updates]
On-network Protection: Virtual Appliance + AD Connector – for granular control and visibility with AD sync
• DCs are registered with Umbrella
• The Connector service is installed on one DC/member:
  1. Syncs group memberships of users and computers with Umbrella
  2. Sends the IP-to-user mapping to the VAs
• The VA embeds unique identifiers that Umbrella uses for control & visibility
[Diagram: a script (run per DC) on the AD domain controller(s) syncs login events to the AD Connector; the Connector syncs group memberships with Umbrella and sends the mapping (User = Bill, Host = BillPC, both at 10.1.2.2) to the Umbrella VA @ 10.1.0.2; DNS server @ 10.1.0.1; any device @ 10.1.2.2; gateway @ 8.2.0.1; Umbrella enforces policy for user, host, or group membership]
AnyConnect: off-network protection, with and without VPN
• Captures all DNS traffic locally and transparently, and redirects it from the kernel level to Umbrella (uses the AC kernel driver)
• Supported both on and off VPN
• Supports optional binary updates (for all AC modules) without the need for an ASA head-end
[Diagram: any running app → network adapter → kernel driver → Umbrella, or the internal DNS server]
Data Flow - Recap
• The DNS request is sent to Umbrella
• For safe requests that are not blocked by policy, the resolved IP address is returned
• Requests to malicious or prohibited destinations are redirected to a block page (hosted by Umbrella or the company)
• Requests to unknown destinations, or those defined for further inspection, are redirected to the intelligent proxy for further analysis
Cloud-to-Cloud Log Storage Solution with Amazon S3
S3 benefits
• Triple redundant and encrypted storage
• Pre-built SIEM / log analytic integrations
• Elastic: pay only for the storage used
[Diagram: Umbrella exports logs to S3 every 10 min over HTTPS; pre-built integrations read them through the Amazon APIs]
Statistical Models
Guilt by inference
• Co-occurrence model
• IP Geo-Location model
• Secure rank model
• Sender rank model
Guilt by association
• Predictive IP Space Modeling
Patterns of guilt
• Spike rank model
• Natural Language Processing rank model
• Live DGA Prediction
Built on 2M+ live events per second and 11B+ historical events
Statistical Models: Inference Graph
[Diagram: domain-IP relationships in C2 infrastructure; domains related to malware hashes; domains related to malicious registrant email; …]
Co-occurrence Model: domains guilty by inference
[Diagram: timeline of requests a.com, b.com, c.com (time -) → x.com → d.com, e.com, f.com (time +); x.com is the known malicious domain, the domains requested just before and after it are possible malicious domains]
Co-occurrence of domains means that a statistically significant number of identities have requested both domains consecutively in a short timeframe.
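The following is an added illustration of the co-occurrence idea, not Umbrella's model: it scans a constructed DNS log of (timestamp, identity, domain) tuples, finds domain pairs requested consecutively by the same identity within a short window, and reports the domains that co-occur with a known malicious domain across enough distinct identities. The window size and the identity threshold are assumed parameters.

```python
from collections import defaultdict

# Constructed sample DNS log, not Umbrella data: (timestamp in seconds, identity, domain).
# x.com stands in for the known malicious domain on the slide.
SAMPLE_LOG = [
    (100, "id1", "a.com"), (103, "id1", "x.com"), (105, "id1", "d.com"),
    (200, "id2", "b.com"), (202, "id2", "x.com"), (204, "id2", "e.com"),
    (300, "id3", "c.com"), (303, "id3", "x.com"),
    (400, "id4", "a.com"), (402, "id4", "x.com"),
    (500, "id5", "x.com"), (501, "id5", "f.com"),
    (600, "id1", "safe.com"), (700, "id1", "x.com"),  # 100 s apart: not a co-occurrence
]

def cooccurrences(log, window_seconds=10):
    """Map each unordered domain pair to the set of identities that requested
    the two domains consecutively within window_seconds."""
    by_identity = defaultdict(list)
    for ts, ident, dom in sorted(log):
        by_identity[ident].append((ts, dom))
    pairs = defaultdict(set)
    for ident, reqs in by_identity.items():
        for (t1, d1), (t2, d2) in zip(reqs, reqs[1:]):
            if d1 != d2 and t2 - t1 <= window_seconds:
                pairs[frozenset((d1, d2))].add(ident)
    return pairs

def suspects(log, known_malicious, min_identities=2, window_seconds=10):
    """Domains that co-occur with a known malicious domain across at least
    min_identities distinct identities (the significance threshold is an
    assumed parameter). Returns {domain: number_of_identities}."""
    out = {}
    for pair, idents in cooccurrences(log, window_seconds).items():
        if pair & known_malicious and len(idents) >= min_identities:
            for dom in pair - known_malicious:
                out[dom] = max(out.get(dom, 0), len(idents))
    return out

if __name__ == "__main__":
    print(suspects(SAMPLE_LOG, {"x.com"}))                    # {'a.com': 2}
    print(suspects(SAMPLE_LOG, {"x.com"}, min_identities=1))  # a.com .. f.com, not safe.com
```

Raising min_identities is what keeps a single user's unrelated browsing from implicating a domain; in the sample only a.com clears the threshold of two identities.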
Spike Rank Model: patterns of guilt
[Chart: DNS requests for y.com over days, with the spike matched against DGA, malware, exploit kit and phishing patterns]
• A massive amount of DNS request volume data is gathered and analyzed
• The DNS request volume matches a known exploit kit pattern and predicts a future attack
• y.com is blocked before it can launch the full attack
Predictive IP Space Monitoring: guilt by association
[Diagram: a domain resolving to 209.67.132.476, with neighbouring IPs 755.12.144.325, 179.67.473.666 and 672.78.928.793 sharing its fingerprint (illustrative, non-routable values as drawn on the slide)]
1. Pinpoint suspicious domains, and observe their IP’s fingerprint
2. Identify other IPs (hosted on the same server) that share the same fingerprint
3. Block those IPs and their malicious domains
NLP-Rank Model (natural language processing): identifies malicious domain-squatting and targeted phishing domains
1. Read APT reports: patterns in domains used in attacks
2. Checked data & confirmed intuition
3. Built model and continue to tune
4. Detects fraudulent brand domains (e.g. 1inkedin.net vs. linkedin.com)
Observed patterns:
• Domain spoofing used to obfuscate
• Often saw brand names and terms like “update”; examples: update-java[.]net, adobe-update[.]net
• Dictionary words & company names merged
• Changed a small # of characters to obfuscate
• Domains hosted on ASNs unassociated w/ the company
• Different webpage fingerprints
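As an added example (not Umbrella's NLP-rank model), the classifier below applies the two lexical patterns named on the slide to the slide's own examples: a brand name merged with a lure word such as "update", and a label within one character edit of a brand once digit-for-letter substitutions like 1→l are undone. The brand watchlist, lure words and homoglyph table are constructed assumptions.

```python
# Constructed brand watchlist and lure words, not Umbrella's dictionaries.
BRANDS = {"linkedin", "java", "adobe", "paypal"}
LURE_WORDS = {"update", "login", "secure", "account"}
# Digit-for-letter substitutions used to change a small number of characters.
HOMOGLYPHS = str.maketrans({"1": "l", "0": "o", "3": "e", "5": "s"})

def registrable_label(domain):
    """Second-level label of a domain written as on the slide, e.g. 'update-java[.]net'."""
    domain = domain.lower().replace("[.]", ".").strip(".")
    parts = domain.split(".")
    return parts[-2] if len(parts) >= 2 else parts[0]

def edit_distance(a, b):
    """Levenshtein distance: number of single-character insertions, deletions or substitutions."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def classify(domain, brands=BRANDS, lures=LURE_WORDS):
    """Return (verdict, brand). Verdicts: 'legitimate' (label is exactly a brand),
    'brand-lure' (brand merged with a lure word), 'lookalike' (within one edit of a
    brand after homoglyph normalisation), or 'clean'. The TLD is deliberately ignored."""
    label = registrable_label(domain)
    if label in brands:
        return ("legitimate", label)
    norm = label.translate(HOMOGLYPHS)
    for brand in brands:
        if brand in norm and any(lure in norm for lure in lures):
            return ("brand-lure", brand)
        if edit_distance(norm, brand) <= 1:
            return ("lookalike", brand)
    return ("clean", None)

if __name__ == "__main__":
    for d in ("linkedin.com", "1inkedin.net", "update-java[.]net", "adobe-update[.]net"):
        print(d, classify(d))
```

The lexical verdict is only one signal; the slide pairs it with hosting ASN and webpage-fingerprint checks before calling a domain fraudulent.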
IP Geo-location Analysis
• Host infrastructure (location of the server): the IP addresses mapped to the domain, e.g. hosted across 28+ countries
• DNS requesters (location of the network and off-network device): the IP addresses requesting the domain, e.g. only US-based customers requesting a .RU TLD
‘Newly Seen Domains’ Category: reduces risk of the unknown
1. Any user (free or paid) requests the domain.
2. Every minute, we sample from our streaming DNS logs.
3. Check if the domain was seen before & if whitelisted.
4. If not, add it to the category, and within minutes, DNS resolvers are updated globally.
Events over time:
• Attackers register domains (not yet a threat).
• Umbrella’s Auto-WHOIS model may predict the domain as malicious.
• Before expiration, if any user requests this domain, it’s logged or blocked as newly seen.
• Domains are used in an attack.
• Later, Umbrella statistical models or reputation systems identify the domain as malicious.
[Timeline: Cisco Umbrella vs. reputation systems across minutes, 24 hours, and days to weeks; Umbrella is protected from the moment the domain is first seen, while reputation systems remain unprotected or potentially unprotected until they identify the domain as malicious]
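Added as an illustration of the four-step procedure above (a toy, not Umbrella's implementation): one minute's sample of requested domains is checked against a whitelist and a first-seen store, unseen domains enter the category for a limited time, and the resolver-side verdict is to log or block while they are there. The category lifetime and the log-versus-block policy are assumed parameters.

```python
class NewlySeenDomains:
    """Toy in-memory 'newly seen domains' category (constructed, not Umbrella's code)."""

    def __init__(self, whitelist, ttl_seconds=24 * 3600):
        self.whitelist = {d.lower().strip(".") for d in whitelist}
        self.ttl = ttl_seconds        # how long a domain stays 'newly seen' (assumed value)
        self.first_seen = {}          # domain -> timestamp of the first request ever seen
        self.category = {}            # domain -> expiry timestamp while in the category

    def process_sample(self, sample, now):
        """Steps 2-4 for one minute's sample of requested domains.
        Returns the domains added to the category in this pass."""
        # Step 'before expiration': drop entries whose time in the category is over.
        for dom in [d for d, exp in self.category.items() if exp <= now]:
            del self.category[dom]
        added = []
        for domain in sample:
            dom = domain.lower().strip(".")
            if dom in self.whitelist or dom in self.first_seen:   # step 3: seen or whitelisted
                continue
            self.first_seen[dom] = now                            # step 4: add to category
            self.category[dom] = now + self.ttl
            added.append(dom)
        return added

    def verdict(self, domain, now, block=False):
        """Resolver-side policy for a request: 'log' or 'block' (policy choice) while the
        domain is in the category, otherwise 'allow' (other categories are not modelled)."""
        dom = domain.lower().strip(".")
        if dom in self.category and self.category[dom] > now:
            return "block" if block else "log"
        return "allow"

if __name__ == "__main__":
    nsd = NewlySeenDomains(whitelist=["cnn.com"], ttl_seconds=3600)
    print(nsd.process_sample(["fresh-site.example", "cnn.com"], now=1000))  # ['fresh-site.example']
    print(nsd.verdict("fresh-site.example", now=1500, block=True))           # block
```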
Thank You
How Umbrella integrates with Cisco Cloudlock: complete discovery and control for SaaS apps
• Umbrella identifies all the SaaS apps across an organization
• Cloudlock revokes authentication for risky or inappropriate apps
• Using Umbrella’s enforcement API, Cloudlock can programmatically add domains to Umbrella