
Welcome to Cisco Geekfest

Cisco Umbrella and the Future of Cloud Delivered Security
Adam Winn, Product Manager
@CiscoGeekfest, Feb 23rd, 2017
By 2021, Gartner estimates: 25% of corporate data traffic will bypass perimeter security.
The way we work has changed, security must too

• 49% of the workforce is mobile
• 82% admit to not using the VPN
• 70% increase in SaaS usage
• 70% of branch offices have DIA (direct internet access)

Security controls must shift to the cloud
What's new

1. What's a SIG?
2. Cloud platform: advanced malware protection & more
3. Threat intelligence: new predictive models & categories
4. User experience: improved reports & more integrations
5. Feature readiness & selling it
Secure Internet Gateway: your secure onramp to the internet, anywhere users go

• On and off the corporate network
• All ports and protocols
• Open platform
• Live threat intelligence
• Proxy and file inspection
• Discovery and control of SaaS


Cisco's Secure Internet Gateway Vision

Threat intelligence, cross-product analytics, APIs, and integrations
DNS-layer inspection | Proxy controls | File sandbox | 3rd-party CASB | App visibility and control* | Inbound inspection* | New product*
Leveraging Cisco's global footprint
*Future


Cisco Cloud Security Platform (layers, top to bottom)

• Sanctioned applications | Unsanctioned applications | Malicious destinations
• Usage behavior and data leaks | Visibility and access
• File inspection
• DNS / IP / URL control
• Devices and networks: connect from anywhere
How a SIG compares to a SWG

SIG: secure internet access, anywhere users go
• Open platform w/ bi-directional API integrations
• SaaS discovery and control; works w/ CASB
• Internet traffic enforcement for all ports & protocols
• Cloud-delivered security to cover on and off-network
• Web application visibility and control (future release)

SWG: granular web usage controls for compliance and protection
• Web traffic enforcement for ports 80/443 and HTTP/S
• Web application visibility and control
• Web content filtering
• Web data loss prevention
• Web productivity and bandwidth control

Cisco's SIG compared to others' SWG

SWG
• Problem: incomplete coverage of destinations and files
• HTTP/S layer
• Vendor feeds
• AV: reactive file intel

SIG
• DNS and IP layer plus HTTP/S layer: predictive destination intel
• Vendor + customer feeds
• AMP: retrospective file intel
• Talos and AMP supporting the entire Cisco security portfolio
Enforce intelligence from Talos and AMP before anything else

Threats: malware, C2 callbacks, phishing

First line: SIG
• Safe access anywhere users go, even off VPN
• First line of defense and inspection
• Secure onramp to the internet

Network and endpoint (HQ, branch, roaming): NGFW, Netflow, proxy, endpoint, sandbox, router/UTM, AV
Platform Design

PLATFORM DESIGN: Umbrella is integrated into the foundation of the internet
• 125% increased Gbps capacity with 1000 more peering sessions since 2015
PLATFORM DESIGN: Advanced malware protection added to intelligent proxy

Components: customer's security stack (via API); GUI dashboard; brain and intel DB; logs; resolver; proxy w/ SSL decryption; micro-services: AV, AMP, Threat Grid (roadmap*)

PLATFORM DESIGN: Breadth to cover all ports and depth to inspect risky domains

Inline enforcement
• DNS and IP layer: domain request, then IP response (DNS-layer) or connection (IP-layer); custom domain lists; custom IP lists (future); verdict: allow, block, or proxy
• HTTP/S layer: URL request and file hash; custom URL lists; AV and AMP; verdict: allow, block, or analyze unknown files (Threat Grid, roadmap)

Offline analysis
• Umbrella / Talos and partner feeds: predictive updates from Umbrella statistical models, internet-wide telemetry, and WBRS3 / Talos + partner feeds
• Retrospective updates from AMP and Threat Grid
Threat intelligence: intelligence to see attacks before they are launched

Data
• 100B DNS requests resolved per day
• Diverse dataset gathered across 85M users across 160 countries

Security researchers
• Industry-renowned researchers across Cisco Talos and Umbrella
• Build models that can automatically classify and score domains and IPs

Models
• Dozens of models continuously analyze millions of live events per second
• Automatically score and identify malware, ransomware, and other threats
INTELLIGENCE: Gather diverse data sets at the recursive DNS layer

Any device → global nameservers (user request patterns) → root, com., domain.com. (authoritative DNS logs)
INTELLIGENCE: Determine guilt by inference, association, or pattern

2M+ live events per second; 11B+ historical events

Existing statistical models
• Spike rank
• Natural Language Processing rank
• Predictive IP space
• pDNS, WHOIS & Threat Grid correlations
• Geo-location & -diversity
• Co-occurrence
• Secure rank
• Live DGA detection

New statistical models
• Live DGA prediction
• Sender rank

New security categories
• Newly Seen Domains
• Potentially Harmful Domains
• DNS Tunneling VPN


INTELLIGENCE: 'Live DGA Prediction' automated at an unparalleled scale

1. Live DNS log stream: identify millions of domains, many used by DGAs and unregistered.
2. Automate reverse engineering: combine C2 domain pairs and known DGA to identify unknown configs.
3. Predict 100,000s of future domains: combine newly-identified configs with DGA to identify C2 domains.
4. Automate blocking pool of C2 domains: used by thousands of malicious samples now, continuously and in the future.

Diagram: observed domain pairs (a.com + b.com, a1.com + a2.com, b1.com, c2.com, c.com, d.com, ...) combined with a DGA yield configs, which in turn predict the example DGA domains shown (defanged as on the slide): fgpxmvlsxpsp.me[.]uk, beuvgwyhityq[.]info, gboondmihxgc.com, pwbbjkwnkstp[.]com, bggwbijqjckk[.]me, yehjvoowwtdh.com, ctwnyxmbreev[.]com, upybsnuuvcye[.]net, quymxcbsjbhh.info, vgqoosgpmmur.it.
INTELLIGENCE: 'Sender Rank' model: predict domains related to spammers

Diagram: mail servers query reputation services (a.spam.ru, b.spam.ru, ... z.spam.ru checked against checkspam.com); suspect domain behavior patterns are identified from the domain of the sender and the domain of the service; the model asks: type of domain? domain popularity? historical activity?; the "Hailstorm" domain is confirmed; the model automatically places registrants on a watch list; new domains are registered at a future time; the model automatically verifies the new domains; the new malicious domain is blocked by Umbrella.

1. Identify queries to spam reputation services: 85M+ DNS users are attacked by various spam campaigns and use reputation services.
2. Model aggregates hourly graphs per domain: short bursts of 1000s of "Hailstorm" spam use many FQDNs, e.g. subdomains, to hide from reputation services.
3. Model identifies owners of "Hailstorm" domains: after confirmation, query WHOIS records to get the registrant of the sender domain.
4. Block 10,000s of domains before new attacks happen: attackers often register more domains to embed links in phishing or C2 callbacks in malware.
INTELLIGENCE: 'Newly Seen Domains' category reduces risk of the unknown

How the category is built:
1. Any user (free or paid) requests the domain (1).
2. Every minute, we sample from our streaming DNS logs.
3. Check if the domain was seen before & if whitelisted (2).
4. If not, add to the category, and within minutes, DNS resolvers are updated globally.

Timeline of events:
• Days to weeks: attackers register domains. Umbrella's Auto-WHOIS model may already predict these as malicious.
• Minutes: domains are used in an attack.
• 24 hours: before expiration (3), if any user requests this domain, it's logged or blocked as newly seen.
• Later: Umbrella statistical models or reputation systems identify the domain as malicious.

Protection over that timeline: Cisco Umbrella goes from "not yet a threat" to "potentially unprotected" to "protected" once the domain is newly seen; reputation systems go from "not yet a threat" to "unprotected" and only become "protected" once the domain is identified as malicious.

(1) May have predictively blocked it already, and likely the first requestor was a free user.
(2) E.g. domain generated for CDN service.
(3) Usually 24 hours, but modified for best results, as needed.
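The four steps above, replayed over a DNS log stream, as an added example written for this page (it is not Umbrella's implementation). The log line format, the whitelist patterns, the sample domains, the `registered_domain` helper and the seeded "already known" domain are all constructed assumptions; the 24-hour expiry follows footnote 3.

```python
"""Replay of the 'Newly Seen Domains' steps over a DNS log stream.

Added example, not Umbrella code. Log format, whitelist patterns, sample
domains and the registered_domain() helper are constructed assumptions.
"""
import re
from dataclasses import dataclass, field

NEWLY_SEEN_TTL = 24 * 3600  # footnote 3: usually 24 hours, tuned as needed

# Constructed whitelist; footnote 2 names CDN-generated domains as the typical case.
WHITELIST = (re.compile(r"(^|\.)cdn-example\.net$"),)


def registered_domain(fqdn):
    """Collapse an FQDN to its last two labels (constructed simplification;
    production code would consult the public suffix list)."""
    labels = fqdn.rstrip(".").lower().split(".")
    return ".".join(labels[-2:])


@dataclass
class NewlySeenTracker:
    # domain -> timestamp of the first request ever seen (step 3: "seen before")
    first_seen: dict = field(default_factory=dict)
    # domain -> expiry of its Newly Seen membership (step 4 and footnote 3)
    newly_seen_until: dict = field(default_factory=dict)

    def classify(self, fqdn, now):
        """Return 'whitelisted', 'newly_seen' or 'known' for one request."""
        domain = registered_domain(fqdn)
        if any(p.search(domain) for p in WHITELIST):
            return "whitelisted"
        if domain not in self.first_seen:
            # Step 4: first request from anyone -> add to the category.
            self.first_seen[domain] = now
            self.newly_seen_until[domain] = now + NEWLY_SEEN_TTL
            return "newly_seen"
        if now < self.newly_seen_until.get(domain, 0):
            return "newly_seen"
        self.newly_seen_until.pop(domain, None)  # expired: ordinary known domain
        return "known"


def parse_log_line(line):
    """Constructed log format: '<unix_ts> <client_id> <fqdn>'."""
    ts, client, fqdn = line.split()
    return int(ts), client, fqdn


def enforce(log_lines, block_newly_seen=True, tracker=None):
    """Replay log lines in order; return (client, fqdn, action) per line.

    Newly Seen domains are either blocked or only logged, depending on
    policy, mirroring the slide's 'logged or blocked as newly seen'.
    """
    tracker = tracker if tracker is not None else NewlySeenTracker()
    results = []
    for line in log_lines:
        ts, client, fqdn = parse_log_line(line)
        verdict = tracker.classify(fqdn, ts)
        if verdict == "newly_seen":
            action = "block" if block_newly_seen else "log"
        else:
            action = "allow"
        results.append((client, fqdn, action))
    return results


# Constructed sample stream: one long-known domain, one brand-new domain
# requested twice within the window and once after it, and one CDN name.
SAMPLE_LOG = [
    "1000 laptop-1 popular-example.com",
    "1060 laptop-2 brand-new-example.com",
    "1120 laptop-3 www.brand-new-example.com",
    "1180 laptop-1 assets.cdn-example.net",
    "90000 laptop-2 brand-new-example.com",
]


def seeded_tracker():
    """Tracker that already knows popular-example.com (first seen at t=0)."""
    return NewlySeenTracker(first_seen={"popular-example.com": 0})


if __name__ == "__main__":
    for client, fqdn, action in enforce(SAMPLE_LOG, tracker=seeded_tracker()):
        print(f"{client:10} {fqdn:32} {action}")
```

The two requests for brand-new-example.com inside the 24-hour window are blocked (or only logged when the policy is set to log), the request after expiry falls through as a known domain, and the CDN name is allowed because the whitelist check runs before the seen-before check, as in step 3.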
INTELLIGENCE: New analysis and categories to combat DNS tunneling

Input: 100B+ DNS requests daily.

• Streaming signature-based jobs: automatically identify malware (e.g. PisLoader) or potential data exfiltration or open-source tools (e.g. DNS2TCP).
• Batch behavior-based jobs plus researcher inspection: manually identify commercial services (e.g. YourFreedom) or benign uses every hour.
• Machine learning detects domains with an excessive number of subdomains or characters, and invalid characters or encoded data. Plus, it detects clients requesting an excessive number of subdomains over a time period.

Resulting classifications: Malware; Potentially Harmful Domains*; Undetermined; DNS Tunneling VPN*; hidden whitelist (e.g. AV updates).

*NEW CATEGORIES: These are allowed by default, but can be blocked. And domains in these categories may have already been categorized as Malware or Botnet (a.k.a. C2 callbacks) by many other Umbrella statistical models.
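The per-domain and per-client signals the slide attributes to machine learning, written out as plain heuristics over a constructed DNS log, as an added example for this page (not Umbrella's models). The thresholds, the log format, the sample names and the `registered_domain` helper are assumptions; the point is what each signal looks like on the wire, not the tuning, which the slide says is learned.

```python
"""Heuristics for the DNS-tunneling signals named on the slide: domains with
an excessive number of subdomains or characters, invalid characters or
encoded data, and clients requesting an excessive number of subdomains in
a time window.

Added example, not Umbrella code. Thresholds, the log format, the sample
names and registered_domain() are constructed assumptions.
"""
import re
from collections import defaultdict

LDH_LABEL = re.compile(r"^[a-z0-9-]+$")     # letters, digits, hyphen (RFC 1035 host names)
HEX_LABEL = re.compile(r"^[0-9a-f]{16,}$")  # long hex chunk
BASE32_LABEL = re.compile(r"^(?=.*[0-9])(?=.*[a-z])[a-z2-7]{20,}$")  # long base32-like chunk

# Constructed thresholds; the slide's ML models learn these rather than fix them.
MAX_SUBDOMAIN_LABELS = 4
MAX_SUBDOMAIN_CHARS = 50


def registered_domain(fqdn):
    """Last two labels of an FQDN (constructed simplification of the
    public suffix list)."""
    labels = fqdn.rstrip(".").lower().split(".")
    return ".".join(labels[-2:])


def subdomain_labels(fqdn):
    """Labels left of the registered domain, lower-cased."""
    return fqdn.rstrip(".").lower().split(".")[:-2]


def score_domain(fqdn):
    """Return the list of slide heuristics that fire for one name."""
    subs = subdomain_labels(fqdn)
    reasons = []
    if len(subs) > MAX_SUBDOMAIN_LABELS:
        reasons.append("excessive subdomain labels")
    if sum(len(s) for s in subs) > MAX_SUBDOMAIN_CHARS:
        reasons.append("excessive subdomain characters")
    # Underscore-prefixed service labels (_dmarc, _sip._tcp) are legitimate
    # and must not count as invalid characters.
    if any(not LDH_LABEL.match(s) and not s.startswith("_") for s in subs):
        reasons.append("invalid characters")
    if any(HEX_LABEL.match(s) or BASE32_LABEL.match(s) for s in subs):
        reasons.append("encoded data")
    return reasons


def excessive_subdomain_clients(log_lines, window=3600, threshold=50):
    """Clients asking for too many distinct subdomains of one registered
    domain within a fixed time window; returns (client, domain, count)."""
    distinct = defaultdict(set)
    for line in log_lines:
        ts, client, fqdn = line.split()  # constructed '<unix_ts> <client> <fqdn>'
        dom = registered_domain(fqdn)
        sub = ".".join(subdomain_labels(fqdn))
        distinct[(client, dom, int(ts) // window)].add(sub)
    return sorted((c, d, len(s)) for (c, d, _), s in distinct.items() if len(s) > threshold)


# Constructed sample: two ordinary lookups, then one client streaming 60
# hex-encoded chunks under a single registered domain within one minute.
SAMPLE_LOG = ["1000 host-1 www.example.com", "1005 host-1 mail.example.com"] + [
    f"{1000 + i} host-7 {i:032x}.t.tunnel-example.net" for i in range(60)
]

if __name__ == "__main__":
    for name in ("www.example.com", SAMPLE_LOG[2].split()[2]):
        print(name, score_domain(name) or ["clean"])
    print(excessive_subdomain_clients(SAMPLE_LOG))
```

The per-client counter is the one that catches a tunnel whose individual labels look innocuous; the per-domain heuristics alone would miss short or low-entropy chunks, which is why the slide pairs the two.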
Our efficacy

• Discover: 3M+ daily new domain names
• Identify: 60K+ daily malicious destinations
• Enforce: 7M+ malicious destinations while resolving DNS
User experience

SECURITY OVERVIEW
• Quickly spot unusual activity patterns
• Identify security incidents or deployment issues
• Pivot into detailed destination reports

SECURITY ACTIVITY
• Quickly assess each event's scope
• Group events by file-based engines or destination-based sources

REAL-TIME ACTIVITY SEARCH
• Clearly show DNS, proxy, and IP logs
• Allowed, blocked, and proxied traffic per device or network

IDENTITIES REPORT
• Quickly spot and remediate victims
• Top activity and categories per user, computer, or network
• Local vs. global trends for malicious domains

DESTINATIONS REPORT
• Quickly assess extent of exposure
• Top identities associated with malicious activity
• Dynamic text search

POLICY
• First, select which identities to protect
• Drill into groupings to see or select individual identities

POLICY
• Destination lists for domains and URLs
Deployment and Integrations

DEPLOYMENT: Enforcement and visibility per Umbrella identity

• Domain request / IP response: identities are securely embedded within the query using an RFC-compliant mechanism, with differing granularity based on deployment.
• Connection / HTTP/S: web-based redirects, transparent to the user, enable the same identity for the proxy.
• Network via egress IP for all deployments.

Umbrella deployments and the identities each provides:
• Your DNS or DHCP server: egress IPs
• Umbrella roaming client (RC): hostname (GA); internal IPs (LA); usernames* (LA)
• Umbrella AD Connector (added to RC and VA): usernames* with groups
• Umbrella virtual appliance (VA): internal IPs; usernames*
• Umbrella API for network devices: network device names, interface or subnets, VLAN IDs

*Indicates identity available with Umbrella AD Connector


DEPLOYMENT: Integration with Cisco ISR 4K devices and WLAN controllers

Protection for branch offices and Wi-Fi users: Cisco ISR 4K devices and Cisco WLAN controllers forward queries to Umbrella with EDNS, giving visibility and enforcement per VLAN (server VLAN, workstation VLAN, employee Wi-Fi VLAN, guest Wi-Fi VLAN).
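The "RFC-compliant mechanism" on the identity slide and the EDNS arrows on the ISR 4K / WLAN controller slide both refer to carrying an identity inside the DNS query. The added example below builds and parses a query whose EDNS0 OPT record holds such an identity; it is written for this page and is not Umbrella's wire format. The EDNS0 framing follows RFC 6891, but the option code (taken from that RFC's local/experimental range), the `vlan=`/`device=` payloads and the clear-text encoding are constructed assumptions; a production client would authenticate or encrypt the identity so a forwarder cannot spoof another VLAN's or device's policy.

```python
"""Building and parsing a DNS query whose EDNS0 OPT record carries a client
identity option, the 'RFC-compliant mechanism' the slides label EDNS.

Added example, not Umbrella's wire format. EDNS0 framing follows RFC 6891;
the option code (from the RFC's local/experimental range) and the identity
payload are constructed assumptions, and the identity is sent in clear for
illustration, whereas a production client would authenticate or encrypt it.
"""
import struct

OPT_TYPE = 41                 # RR type OPT (RFC 6891)
IDENTITY_OPTION_CODE = 65001  # constructed: RFC 6891 reserves 65001-65534 for local/experimental use
UDP_PAYLOAD_SIZE = 4096


def encode_name(name):
    """Wire-format a domain name as length-prefixed labels ending in a zero byte."""
    out = b"".join(bytes([len(l)]) + l.encode("ascii") for l in name.rstrip(".").split("."))
    return out + b"\x00"


def build_query(qname, txid, options):
    """A-record query with RD set and one additional OPT RR holding `options`,
    a list of (code, bytes) pairs."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 1)  # QDCOUNT=1, ARCOUNT=1
    question = encode_name(qname) + struct.pack("!HH", 1, 1)    # QTYPE=A, QCLASS=IN
    rdata = b"".join(struct.pack("!HH", code, len(data)) + data for code, data in options)
    # OPT RR: root owner name, TYPE=41, CLASS=UDP payload size,
    # TTL=extended RCODE/version/flags (all zero), then the option list.
    opt = b"\x00" + struct.pack("!HHIH", OPT_TYPE, UDP_PAYLOAD_SIZE, 0, len(rdata)) + rdata
    return header + question + opt


def parse_query(packet):
    """Parse a query built by build_query (no name compression, one question,
    OPT as the only additional record) into id, qname and EDNS options."""
    txid, flags, qdcount, ancount, nscount, arcount = struct.unpack("!HHHHHH", packet[:12])
    if qdcount != 1:
        raise ValueError("example parser handles exactly one question")
    pos, labels = 12, []
    while True:
        length = packet[pos]
        pos += 1
        if length == 0:
            break
        labels.append(packet[pos:pos + length].decode("ascii"))
        pos += length
    qtype, qclass = struct.unpack("!HH", packet[pos:pos + 4])
    pos += 4
    options, udp_size = {}, None
    for _ in range(arcount):
        if packet[pos] != 0:
            raise ValueError("example parser only handles OPT additional records")
        pos += 1
        rtype, rclass, ttl, rdlen = struct.unpack("!HHIH", packet[pos:pos + 10])
        pos += 10
        rdata = packet[pos:pos + rdlen]
        pos += rdlen
        if rtype != OPT_TYPE:
            continue
        udp_size = rclass
        i = 0
        while i < rdlen:
            code, olen = struct.unpack("!HH", rdata[i:i + 4])
            options[code] = rdata[i + 4:i + 4 + olen]
            i += 4 + olen
    return {"id": txid, "qname": ".".join(labels), "qtype": qtype,
            "udp_payload_size": udp_size, "options": options}


def identity_of(packet):
    """Identity string carried in the query, or None when absent."""
    data = parse_query(packet)["options"].get(IDENTITY_OPTION_CODE)
    return data.decode("ascii") if data is not None else None


if __name__ == "__main__":
    pkt = build_query("somesite.example", 0x1234, [(IDENTITY_OPTION_CODE, b"vlan=guest-wifi")])
    print(len(pkt), "bytes;", parse_query(pkt))
```

A resolver that understands the option can select the policy for that VLAN or device and still return a standards-compliant answer, while a resolver that does not understand it simply ignores the unknown option, which is what makes the mechanism safe to use on the open internet.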


DEPLOYMENT: Enterprise-wide deployment in minutes

Cisco Endpoint (AnyConnect)
• No additional agents to deploy with AnyConnect
• Or Umbrella roaming client works alongside other VPNs for DNS redirection

Cisco Networking (ISR 4K, WLAN controller)
• Out-of-the-box integration
• Use of tags for granular filtering and reporting
• Policies per VLAN/SSID

Other Network Devices (DNS/DHCP servers, wireless APs)
• Simple configuration change to redirect DNS
• Policies for corporate and guests
POLICY: How Umbrella integrates with Cisco CloudLock

Complete discovery and control for SaaS apps
• Umbrella identifies all the SaaS apps across an organization
• CloudLock revokes authentication for risky or inappropriate apps
• Using Umbrella's enforcement API, CloudLock can programmatically add domains to Umbrella
POLICY: How Umbrella fits with Cisco Web Security Appliance (WSA)

Flexibility to fit customers' use cases
• Umbrella provides safe internet access anywhere users go, even off the VPN
• WSA solves on-prem requirements for usage/bandwidth controls and compliance
• Cisco Defense Orchestrator (CDO) for ongoing policy management: a single place to add domains/URLs to block across cloud (Umbrella) and on-prem (WSA, NGFW)

• But what about ISE, ISE-PIC, and NGFW?
• They are planned and/or in progress. Too soon for any details though.
• Okay, so when?
• No ETA yet. Sorry.


Why customers will be excited!

Cisco has launched the industry's first SIG, which complements existing security solutions as customers' first line of defense.
• Umbrella now integrates file inspection featuring Cisco AMP, plus adds custom destination lists to URL inspection.
• No other cloud security platform is this easy to deploy and use.
• No other cloud security platform is this effective using the combination of Talos, Umbrella statistical models, Cisco web reputation systems, and Cisco AMP.

What sets Umbrella apart from competitors
• Fastest and most reliable cloud infrastructure
• Broadest coverage of malicious destinations and files
• Most open platform for integration
• Easiest connect-to-cloud deployment
• Most predictive intelligence to stop threats earlier

NOTE: We'll be demoing as much as possible at Cisco Live Berlin
Feature Readiness (LA: limited availability; GA: general availability; cs.co/UmbrellaProductUpdates)

Cloud platform
• File inspection – AV engine (1 for now): LA now; GA Q3 FY2017
• File inspection – AMP (no Threat Grid for now): LA Feb 22; GA Q3 FY2017
• URL inspection – destination lists: LA March; GA Q3 FY2017

Threat intelligence
• Security categories – 3 new: now
• Machine learning models – 2 new: now (not customer-facing; added to inteldb)

User experience
• Reports – 2 new (Destinations & Identities): now
• Reports – Activity Search updated: LA now; GA Q3 FY2017
• Reports – Security Overview updated: LA Feb 8; GA Q3 FY2017
• Reports – Security Activity updated: LA March; GA Q3 FY2017
• Reports – AMP retrospective alerts appear: LA March; GA Q3 FY2017
• Deployment – Cisco WLAN controllers: LA Feb 24; GA Mar 6
• Policy – new wizard flow: LA Feb 15; GA Q3 FY2017
• Policy – custom categories via CloudLock: now (not yet available in demo)
• Policy – destination lists via CDO: now (contact CDO team for WSA readiness)
Umbrella packages

Entry-level packages: Roaming (licensed per user), Branch (per ISR 4K), Wireless LAN (per AP)
Core packages: Professional, Insights, Platform (each licensed per user)

Feature rows compared across the packages:
• Coverage: on-network (any device); off-network (laptops)
• Policy and reporting granularity: by network or host (Roaming: host only; Branch and Wireless LAN: net only); by subnet or user
• Enforcement: DNS layer (domains+IPs); IPv4 layer (non-DNS IPs); proxy – URL inspection; proxy – AV/AMP inspection; API-based integrations
• Visibility and intelligence: basic logging and reports; advanced reporting; log management via S3; Investigate console
Marketing Assets
• Data sheets, feature briefs, solution briefs, videos and more
• Available on umbrella.cisco.com and cs.co/umbrella-youtube

Instantly demo Cisco Umbrella using dCloud
• cs.co/umbrella-demo-americas
• cs.co/umbrella-demo-emear
• cs.co/umbrella-demo-apj

Sales Enablement
• Training video series and selling aids (BDM, TDM, etc.)
• Available on SalesConnect: http://cs.co/SellingUmbrella and http://cs.co/SellingInvestigate
Cisco Umbrella DNS Layer Security

Diagram: a user at the customer site (or a roaming client) sends EDNS or DNS queries to the Umbrella resolver; on-prem, the DNS server, virtual appliance and AD Connector (with AD) add identity via EDNS and resolve the internal site; the resolver answers with the public IP of an allowed/safe site, of the intelligent proxy, or of the Lander (an nginx block page) for blocked domains; HTTP/S then flows to that destination.

• Client queries 'somesite.com'
• Resolver returns the real IP if the domain is safe
• Resolver returns the Lander address if the domain is blocked
Cisco Umbrella Intelligent Proxy: Custom URL Filtering

Diagram: the same components as the DNS layer slide, with the intelligent proxy applying the custom URL list and forwarding allowed requests or redirecting blocked ones to the Lander block page.

• Client queries 'example.com'
• Resolver returns the Proxy IP
• Allowed URLs go via the proxy
• Blocked URLs are redirected to the Lander
Cisco Umbrella Intelligent Proxy: File Inspection

The Grey List

Whitelist
• High volume domains
• Domains we don't want to block
• Ad hosts

Grey List
• Known malicious URLs
• Suspicious domains

Blacklist
• Known malicious domains
• Domains we always want to block
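The three slides above (DNS Layer Security, Custom URL Filtering and the Grey List) describe one decision chain: the resolver answers with the real IP, the Lander or the proxy depending on which list the domain is on, and the proxy then applies the custom URL list to traffic for grey-listed domains. The added example below walks a request through that chain; it is written for this page and is not Umbrella code. The list contents, the addresses (taken from the documentation ranges), the upstream answers, the `registered_domain` helper and the prefix rule for URL-list matching are constructed assumptions.

```python
"""DNS-layer and proxy-layer decisions from the DNS Layer Security, Custom
URL Filtering and Grey List slides.

Added example, not Umbrella code. List contents, IP addresses (documentation
ranges), upstream answers and the URL-list matching rule are constructed.
"""
from dataclasses import dataclass
from urllib.parse import urlsplit

LANDER_IP = "192.0.2.10"  # constructed: block page ("Lander")
PROXY_IP = "192.0.2.20"   # constructed: intelligent proxy

# Constructed stand-in for the recursive resolution the real resolver performs.
UPSTREAM = {
    "somesite.example": "198.51.100.5",
    "suspicious.example": "198.51.100.7",
    "ads.highvolume.example": "198.51.100.9",
    "evil.example": "198.51.100.13",
}


def registered_domain(fqdn):
    """Last two labels of an FQDN (constructed simplification of the
    public suffix list)."""
    labels = fqdn.rstrip(".").lower().split(".")
    return ".".join(labels[-2:])


@dataclass(frozen=True)
class DestinationLists:
    whitelist: frozenset     # high-volume domains, never-block domains, ad hosts
    greylist: frozenset      # suspicious domains and hosts of known malicious URLs
    blacklist: frozenset     # known malicious / always-block domains
    blocked_urls: frozenset  # custom URL list, stored as "host/path" prefixes


def resolve(fqdn, lists, upstream=UPSTREAM):
    """DNS-layer verdict as (answer_ip, action). Whitelist wins, then
    blacklist, then grey list; everything else resolves normally."""
    domain = registered_domain(fqdn)
    if domain in lists.whitelist:
        return upstream[fqdn], "allow"
    if domain in lists.blacklist:
        return LANDER_IP, "block"
    if domain in lists.greylist:
        return PROXY_IP, "proxy"
    return upstream[fqdn], "allow"


def proxy_decision(url, lists, upstream=UPSTREAM):
    """HTTP/S-layer verdict for a request that reached the intelligent proxy:
    ('block', LANDER_IP) for a URL on the custom list, otherwise
    ('allow', upstream ip of the host)."""
    parts = urlsplit(url)
    host = parts.hostname.lower()
    target = host + (parts.path or "/")
    # Prefix match, so an entry like 'suspicious.example/downloads/' covers
    # everything under that path.
    if any(target.startswith(entry) for entry in lists.blocked_urls):
        return "block", LANDER_IP
    return "allow", upstream[host]


LISTS = DestinationLists(  # constructed
    whitelist=frozenset({"highvolume.example"}),
    greylist=frozenset({"suspicious.example"}),
    blacklist=frozenset({"evil.example"}),
    blocked_urls=frozenset({"suspicious.example/downloads/", "suspicious.example/login.php"}),
)


def walk(fqdn, path, lists=LISTS):
    """End-to-end outcome of one request: the DNS verdict, then the proxy
    verdict when the resolver steered the client to the proxy."""
    ip, action = resolve(fqdn, lists)
    if action != "proxy":
        return action
    return proxy_decision(f"http://{fqdn}{path}", lists)[0]


if __name__ == "__main__":
    for fqdn, path in [("somesite.example", "/"), ("evil.example", "/"),
                       ("suspicious.example", "/index.html"),
                       ("suspicious.example", "/downloads/tool.exe")]:
        print(fqdn, path, "->", walk(fqdn, path))
```

Only grey-listed domains pay the cost of proxying, which is the design point of the grey list: high-volume and whitelisted names never touch the proxy, always-block names never leave the resolver, and URL-level precision is spent only where a domain is partly good and partly bad.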
Micro Services Architecture

Cisco Umbrella region: nginx, MPS, URL filter, Kaspersky, AMP/TG

Demo
• URL Filtering
• File Inspection
• Cisco Umbrella SIG Reporting
Survey

At the end of each session, please complete the in-app survey. When Geekfest ends, we will raffle a prize to one lucky respondent. We appreciate your feedback and use it for future planning.
