Welcome
Our Story
4 Key Ingredients: PASSION
▪ Founded in 1997
▪ Started, Managed, and Led by Engineers
▪ Known & Recognized for our Engineering
Core Technologies
5 Verticals: MANAGED SERVICES
▪ Dedicated Teams for Each Vertical
▪ 75% of Our Staff Are Engineers
▪ Home Grown Engineers
Commitment
1 Pledge
▪ Thrilled for our first engagement
▪ Focused on achieving the next engagements
▪ Quick Response and Delivery Times
▪ Phenomenal Engineering and Support
PARTNERSHIP
WE ARE YOUR PARTNER
- DEDICATED TO SUPERIOR SOLUTIONS
- PASSIONATE IN TECHNOLOGY
- EXCITED FOR SUCCESSFUL BUSINESS TRANSFORMATION
- COMMITTED TO OUR CONSULTATIVE PARTNERSHIP
THE CHALLENGE:
• Implementing network security products is difficult
• Today’s mobile workforce needs on-network and off-network protection
• Many companies require web filtering and proxy solutions
WHAT IS UMBRELLA:
• Filters and blocks DNS requests to bad hosts before a TCP/IP connection is even established
• Removes a large share of incidents so they never need to be analyzed by traditional security controls (firewalls, IDS/IPS, AV, URL filtering, etc.)
• OpenDNS started as a DNS provider (2006)
• Added filtering and blocking features (2007)
• Created business-specific offering (2009)
• Created Umbrella suite (2012) and Investigate feature (2013)
• Cisco acquired OpenDNS (Aug 2015)
WHAT IS DNS?
DNS = Domain Name System
• First step in connection
• Precedes file execution and contact
• Used by all devices, browsers, applications
• Port agnostic
[Diagram: a device asks Umbrella to resolve Cisco.com and receives 72.163.4.161]
UMBRELLA GLOBAL NETWORK: VIEW OF THE INTERNET
125B requests per day
15K enterprise customers
90M daily active users
160+ countries worldwide
WHERE DOES UMBRELLA FIT?
[Figure: threats (Malware, C2 Callbacks, Phishing) arriving at three locations, each with its own controls: HQ (Sandbox, NGFW, Proxy, Netflow, AV), BRANCH (Router/UTM, AV) and ROAMING (AV). Umbrella sits in front of all three as the first line.]
Benefits
• Block malware before it hits the enterprise
• Contains malware if already inside
• Internet access is faster
• Provision globally in minutes
BREADTH TO COVER ALL PORTS AND DEPTH TO INSPECT RISKY DOMAINS
ALLOW, BLOCK, PROXY
INTERNET-WIDE TELEMETRY
PREDICTIVE UPDATES
DNS and IP layer
▪ Domain request
▪ IP response (DNS-layer) or connection (IP-layer)
▪ Verdict: ALLOW OR BLOCK
▪ Sources: Umbrella / Talos and partner feeds; custom domain lists; custom IP lists (future); Umbrella statistical & machine learning models
HTTP/S layer
▪ URL request
▪ File hash
▪ Sources: WBRS / Talos + partner feeds; custom URL lists; AV; AMP
INTELLIGENCE TO SEE ATTACKS BEFORE LAUNCHED
Data
▪ Cisco Talos feed of malicious domains
▪ Cisco Threat Grid file-based intelligence (1.5M+ daily samples)
▪ Umbrella DNS data: 125B requests per day
Security researchers
▪ Industry-renowned researchers
▪ Build models that can automatically classify and score domains and IPs
Models
▪ Dozens of models continuously analyze millions of live events per second
▪ Automatically uncover malware, ransomware, and other threats
STATISTICAL MODELS
Guilt by inference
▪ Co-occurrence model
▪ Sender rank model
▪ Secure rank model
Guilt by association
▪ Predictive IP Space Modeling
▪ Passive DNS and WHOIS Correlation
Patterns of guilt
▪ Spike rank model
▪ Natural Language Processing rank model
▪ Live DGA prediction
2M+ live events per second
11B+ historical events
CO-OCCURRENCE MODEL
Domains guilty by inference
[Figure: a timeline (time -, time +) of requested domains a.com, b.com, c.com, x.com, d.com, e.com, f.com; x.com is marked as the known malicious domain and the domains requested immediately before and after it are marked as possible malicious domains.]
Co-occurrence of domains means that a statistically significant number of identities have requested both domains consecutively in a short timeframe.
SPIKE RANK MODEL
Patterns of guilt
[Figure: DNS requests for y.com plotted over days; a flat baseline is followed by a sharp spike.]
Massive amount of DNS request volume data is gathered and analyzed.
DNS request volume matches a known exploit kit pattern and predicts a future attack.
Threat types with recognizable patterns: DGA MALWARE, EXPLOIT KIT, PHISHING.
y.com is blocked before it can launch a full attack.
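The two models above (co-occurrence on the previous slide, spike rank on this one) are described only as diagrams. The block below is an added example, not OpenDNS/Cisco code: it implements toy versions of both over a constructed DNS query log and constructed daily volume counts, with a shared log layout so one helper serves both. The window (5 seconds), the identity threshold (3), the spike factor (10x) and the minimum volume (50) are assumptions chosen for illustration; the only real-world rule it encodes is the slide's own definition of co-occurrence (both domains requested consecutively, within a short timeframe, by a statistically significant number of identities).

```python
"""Toy DNS-log models in the spirit of Umbrella's co-occurrence and spike rank
models: an added example, not OpenDNS/Cisco code. The log layout, window,
thresholds and all sample data below are constructed for illustration."""
from collections import defaultdict
from typing import Dict, FrozenSet, List, Set, Tuple

# Constructed DNS query log: (identity, unix timestamp in seconds, domain).
SAMPLE_LOG: List[Tuple[str, int, str]] = [
    # three identities request a.com and x.com back to back, seconds apart
    ("host-1", 100, "a.com"), ("host-1", 102, "x.com"),
    ("host-2", 200, "a.com"), ("host-2", 201, "x.com"),
    ("host-3", 300, "x.com"), ("host-3", 303, "a.com"),
    # one identity requests e.com and x.com, but 400 s apart: not consecutive
    ("host-4", 500, "e.com"), ("host-4", 900, "x.com"),
    # a single identity pairing b.com with x.com: not statistically significant
    ("host-5", 600, "b.com"), ("host-5", 601, "x.com"),
]
KNOWN_BAD: Set[str] = {"x.com"}

# Constructed per-domain daily request counts, oldest first, today last.
DAILY_VOLUME: Dict[str, List[int]] = {
    "y.com": [2, 3, 2, 4, 120],              # near-silent, then a sudden burst
    "cisco.com": [500, 510, 490, 505, 515],  # busy but steady
    "new.com": [0, 0, 0, 0, 8],              # brand new, tiny volume
}


def co_occurrences(log, window: int = 5) -> Dict[FrozenSet[str], int]:
    """Count, per unordered domain pair, how many distinct identities requested
    the two domains consecutively within `window` seconds."""
    by_identity = defaultdict(list)
    for identity, ts, domain in log:
        by_identity[identity].append((ts, domain))
    pair_identities = defaultdict(set)
    for identity, events in by_identity.items():
        events.sort()  # chronological order per identity
        for (t1, d1), (t2, d2) in zip(events, events[1:]):
            if d1 != d2 and t2 - t1 <= window:
                pair_identities[frozenset((d1, d2))].add(identity)
    return {pair: len(ids) for pair, ids in pair_identities.items()}


def guilty_by_inference(log, known_bad, window=5, min_identities=3) -> Set[str]:
    """Domains that co-occur with a known bad domain across enough identities."""
    suspects = set()
    for pair, count in co_occurrences(log, window).items():
        if count >= min_identities and pair & known_bad:
            suspects |= pair - known_bad
    return suspects


def spike_scores(daily_volume) -> Dict[str, float]:
    """Today's count divided by the mean of earlier days. The baseline is
    floored at 1 so a brand-new domain with no history cannot divide by zero."""
    scores = {}
    for domain, counts in daily_volume.items():
        *history, today = counts
        baseline = sum(history) / len(history) if history else 0.0
        scores[domain] = today / max(baseline, 1.0)
    return scores


def spiking_domains(daily_volume, factor=10.0, min_volume=50) -> List[str]:
    """Domains whose volume jumped by `factor` and is large enough to matter;
    the volume floor keeps a domain going from 0 to 8 requests from alerting."""
    scores = spike_scores(daily_volume)
    return sorted(d for d, s in scores.items()
                  if s >= factor and daily_volume[d][-1] >= min_volume)


if __name__ == "__main__":
    print("guilty by inference:", guilty_by_inference(SAMPLE_LOG, KNOWN_BAD))
    print("spiking:", spiking_domains(DAILY_VOLUME))
```

On the sample data only a.com is flagged by inference (three identities paired it with x.com); b.com is not, because one identity is not a statistically significant count, and e.com is not, because 400 seconds is not "consecutive". Only y.com spikes: cisco.com is high-volume but flat, and new.com grows from nothing but never reaches a volume worth acting on.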
PREDICTIVE IP SPACE MONITORING
Guilt by association
• Pinpoint suspicious domains and observe their IP's fingerprint
• Identify other IPs, hosted on the same server, that share the same fingerprint
• Block those suspicious IPs and any related domains
[Figure: a DOMAIN box linked to four adjacent IPs: 209.67.132.476, 209.67.132.477, 209.67.132.478, 209.67.132.479]
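The three steps above, worked through as an added example (not Cisco/OpenDNS code) over a constructed passive DNS and WHOIS view, which is the data the "Passive DNS and WHOIS Correlation" model on the earlier slide refers to. Two things are assumptions because the slide does not define them: the "fingerprint" is taken to be the domain's authoritative nameserver, and "hosted on the same server" is approximated by the same /24. The example also adds the check a practitioner wants here: an IP with many tenants (shared hosting, a CDN edge) is excluded, otherwise one bad domain on a shared host would condemn every domain beside it.

```python
"""Guilt-by-association pivot over constructed passive DNS records: an added
example, not Cisco/OpenDNS code. The "fingerprint" is the nameserver (an
assumption), the /24 grouping stands in for "the same server" (an assumption),
and every record below is constructed from RFC 5737 documentation ranges."""
import ipaddress
from collections import defaultdict

# Constructed passive DNS + WHOIS view: (domain, resolved IP, nameserver).
PASSIVE_DNS = [
    ("bad.example",      "203.0.113.10", "ns1.shady-ns.example"),
    ("bad.example",      "198.51.100.5", "ns1.shady-ns.example"),  # also on a shared host
    ("also-bad.example", "203.0.113.10", "ns1.shady-ns.example"),
    ("sibling.example",  "203.0.113.11", "ns1.shady-ns.example"),  # same /24, same NS
    ("neighbor.example", "203.0.113.12", "ns1.bigdns.example"),    # same /24, different NS
    ("tenant-1.example", "198.51.100.5", "ns1.bigdns.example"),
    ("tenant-2.example", "198.51.100.5", "ns1.bigdns.example"),
    ("tenant-3.example", "198.51.100.5", "ns1.bigdns.example"),
    ("tenant-4.example", "198.51.100.5", "ns1.bigdns.example"),
]


def index_records(records):
    """Build the three lookups the pivot needs from flat (domain, ip, ns) rows."""
    ip_to_domains = defaultdict(set)
    domain_to_ips = defaultdict(set)
    domain_ns = {}
    for domain, ip, ns in records:
        ip_to_domains[ip].add(domain)
        domain_to_ips[domain].add(ip)
        domain_ns[domain] = ns
    return ip_to_domains, domain_to_ips, domain_ns


def related_by_ip_space(records, known_bad, prefixlen=24, max_tenants=3):
    """Return (suspect domains, suspect IPs) pivoted from known bad domains.

    1. seed IPs: every IP a known bad domain resolves to
    2. fingerprint: the nameservers those domains use
    3. expand to IPs in the same /prefixlen hosting a domain with that fingerprint
    4. collect the domains on those IPs, skipping any IP with more than
       max_tenants domains (a shared host is not evidence of a relationship)
    """
    ip_to_domains, domain_to_ips, domain_ns = index_records(records)
    seed_ips = {ip for d in known_bad for ip in domain_to_ips.get(d, ())}
    fingerprint = {domain_ns[d] for d in known_bad if d in domain_ns}
    seed_nets = {ipaddress.ip_network(f"{ip}/{prefixlen}", strict=False)
                 for ip in seed_ips}

    suspect_ips = set(seed_ips)
    for ip, domains in ip_to_domains.items():
        net = ipaddress.ip_network(f"{ip}/{prefixlen}", strict=False)
        if net in seed_nets and any(domain_ns.get(d) in fingerprint for d in domains):
            suspect_ips.add(ip)

    suspects = set()
    for ip in suspect_ips:
        tenants = ip_to_domains[ip]
        if len(tenants) > max_tenants:
            continue  # shared hosting / CDN address: do not condemn its tenants
        suspects |= tenants
    return suspects - set(known_bad), suspect_ips


if __name__ == "__main__":
    domains, ips = related_by_ip_space(PASSIVE_DNS, {"bad.example"})
    print("suspect IPs:", sorted(ips))
    print("related domains:", sorted(domains))
```

Starting from bad.example, the pivot reaches also-bad.example (same IP) and sibling.example (adjacent IP, same nameserver) but not neighbor.example (adjacent IP, different nameserver) and none of the tenants on 198.51.100.5, even though bad.example also resolves there, because that address hosts more than `max_tenants` domains.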
FEATURE LIST
• Protect on or off network
• Stop connections based on 80+ content categories
• AD group membership integration
• Proxy risky traffic
• IP-layer enforcement
• Reporting
• Log retention via Amazon S3
• 3rd party device integrations (Aruba, Cradlepoint, Aerohive)
• Threat enforcement integrations (Splunk, FireEye, Anomali)
• Multi-organizational console
• Umbrella Investigate for direct access to threat intelligence
PACKAGES/LICENSING
• Wireless LAN
  • For guest wireless access
• Professional
  • For small companies
• Insights
  • For mid-sized companies
  • Proxy and AD integration
• Platform
  • For advanced security teams
  • Threat enforcement integrations & Investigate access
• User License
  • Per user, per WLAN, per ISR4K, per roaming user
  • Subscription: 12, 36, 60 months
DEPLOYMENT TYPES
Network footprint
• Existing DNS/DHCP servers, Wi-Fi APs: simple config change to redirect DNS
• ISR4K (today), WLC (today), Meraki MR (future), vEdge (future)
  ▪ Provisioning and policies per VLAN/SSID; tags for granular filtering and reporting
  ▪ Out-of-the-box integration (Umbrella virtual appliance also available)
Endpoint footprint
• AnyConnect roaming module, Cisco Security Connector (in LA)
  ▪ Granular filtering and reporting on- & off-network (Umbrella roaming client also available)
PROTECT ON-NETWORK DEVICES VIA DNS SERVER
[Diagram: YOUR NETWORK contains a laptop (laptop IP 10.1.1.3, DNS server 10.1.1.1), an internal DNS server (server IP 10.1.1.1, external DNS resolution 208.67.222.222) and an internet gateway (network egress IP 67.215.87.11). External queries leave via the gateway to 208.67.222.222.]
Your policy: Enforce all security settings for 67.215.87.11 (the network egress IP)
PROTECT INTERNAL NETWORKS VIA UMBRELLA VIRTUAL APPLIANCE
[Diagram: YOUR NETWORK contains a laptop (laptop IP 10.1.1.3), an Umbrella VA (appliance IP 10.1.1.2, DNS server 10.1.1.1, internal domains office.acme.com), an internal DNS server (server IP 10.1.1.1) and an internet gateway (network egress IP 67.215.87.11). The VA sends internal domains (office.acme.com) to the internal DNS server and external queries to 208.67.222.222.]
The Umbrella VA inserts 10.1.1.3, GUID and Org ID in the EDNS request, encrypts and forwards.
Your policy: Enforce all security settings for 10.1.1.3
PROTECT AD USERS VIA CONNECTOR AND UMBRELLA VIRTUAL APPLIANCE
[Diagram: YOUR NETWORK contains a laptop used by the CEO (laptop IP 10.1.1.3), an AD server with the AD connector (DHCP IP 10.1.1.1), an Umbrella VA (appliance IP 10.1.1.2, DNS server 10.1.1.1, internal domains office.acme.com) and an internet gateway (network egress IP 67.215.87.11). External queries go to 208.67.222.222.]
AD server w/ AD connector: associates CEO with 10.1.1.3; associates CEO with the EXEC group (via HTTPS push).
The Umbrella VA inserts 10.1.1.3, GUID and Org ID in the EDNS request, encrypts and forwards.
Your policy: Enforce all security settings for the EXEC group (GUID = CEO, a member of the EXEC group)
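The three diagrams above turn on one mechanism: in the first, Umbrella can only key policy on the egress IP 67.215.87.11, while with a VA in the path the internal IP, a GUID and the Org ID travel inside an EDNS0 OPT record on the forwarded query. The block below is an added example, not Umbrella's wire format: it builds a DNS query with such an option and parses it back, using a placeholder option code from the RFC 6891 local/experimental range (65001) and an assumed 24-byte payload (IPv4 address, GUID, org id). The encryption step in the diagram is not modelled, and the sample GUID and org id are constructed.

```python
"""Carrying client identity in an EDNS0 option, as the VA in the diagrams does:
an added example, not Umbrella's wire format. The option code is a placeholder
from the RFC 6891 local/experimental range, the 24-byte payload layout
(IPv4 + GUID + org id) is an assumption, and the diagram's encryption step is
not modelled."""
import ipaddress
import struct
import uuid

OPT_RR_TYPE = 41              # EDNS0 OPT pseudo-RR (RFC 6891)
IDENTITY_OPTION_CODE = 65001  # placeholder: 65001-65534 are reserved for local use
UDP_PAYLOAD_SIZE = 4096
SAMPLE_GUID = uuid.UUID("12345678-1234-5678-1234-567812345678")  # constructed
SAMPLE_ORG_ID = 42                                               # constructed


def encode_name(name: str) -> bytes:
    """Uncompressed wire-format name: length-prefixed labels, root terminator."""
    out = b""
    for label in name.rstrip(".").split("."):
        raw = label.encode("ascii")
        if not 0 < len(raw) < 64:
            raise ValueError(f"bad label {label!r}")
        out += bytes([len(raw)]) + raw
    return out + b"\x00"


def decode_name(buf: bytes, off: int):
    labels = []
    while True:
        length = buf[off]
        off += 1
        if length == 0:
            return ".".join(labels) + ".", off
        if length & 0xC0:
            raise ValueError("compression pointers are not expected in a query")
        labels.append(buf[off:off + length].decode("ascii"))
        off += length


def identity_option(client_ip: str, guid: uuid.UUID, org_id: int) -> bytes:
    """One EDNS option: code, length, then IPv4 (4) + GUID (16) + org id (4)."""
    data = ipaddress.IPv4Address(client_ip).packed + guid.bytes + struct.pack("!I", org_id)
    return struct.pack("!HH", IDENTITY_OPTION_CODE, len(data)) + data


def build_query(qname, identity=None, txid=0x1234, qtype=1) -> bytes:
    """DNS query with RD set; if identity=(ip, guid, org_id) is given, an OPT RR
    carrying the identity option is appended as the single additional record."""
    question = encode_name(qname) + struct.pack("!HH", qtype, 1)
    additional = b""
    if identity is not None:
        rdata = identity_option(*identity)
        # OPT RR: root name, TYPE 41, CLASS = UDP payload size, TTL = 0, RDLENGTH
        additional = b"\x00" + struct.pack("!HHIH", OPT_RR_TYPE, UDP_PAYLOAD_SIZE, 0, len(rdata)) + rdata
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 1 if additional else 0)
    return header + question + additional


def parse_query(packet: bytes) -> dict:
    """Parse the header, question and any identity option in the OPT RR."""
    txid, _flags, _qd, _an, _ns, arcount = struct.unpack("!HHHHHH", packet[:12])
    qname, off = decode_name(packet, 12)
    qtype, _qclass = struct.unpack("!HH", packet[off:off + 4])
    off += 4
    identity = None
    for _ in range(arcount):
        _name, off = decode_name(packet, off)
        rtype, _cls, _ttl, rdlen = struct.unpack("!HHIH", packet[off:off + 10])
        off += 10
        end = off + rdlen
        if rtype == OPT_RR_TYPE:
            while off < end:
                code, length = struct.unpack("!HH", packet[off:off + 4])
                data = packet[off + 4:off + 4 + length]
                off += 4 + length
                if code == IDENTITY_OPTION_CODE and length == 24:
                    identity = {"client_ip": str(ipaddress.IPv4Address(data[:4])),
                                "guid": uuid.UUID(bytes=data[4:20]),
                                "org_id": struct.unpack("!I", data[20:])[0]}
        off = end  # skip unknown records / trailing option bytes
    return {"txid": txid, "qname": qname, "qtype": qtype, "identity": identity}


def policy_key(parsed: dict, egress_ip: str) -> str:
    """What a policy can be keyed on: the internal IP carried in EDNS when a VA
    is in the path, otherwise only the network egress IP (first diagram)."""
    ident = parsed["identity"]
    return f"internal:{ident['client_ip']}" if ident else f"egress:{egress_ip}"


if __name__ == "__main__":
    pkt = build_query("cisco.com", ("10.1.1.3", SAMPLE_GUID, SAMPLE_ORG_ID))
    print(parse_query(pkt))
    print(policy_key(parse_query(pkt), "67.215.87.11"))
```

The parser deliberately ignores options it does not know and records that are not OPT, which is the behaviour a resolver needs when a query arrives without a VA in the path: `policy_key` then falls back to the egress IP, exactly the situation the first diagram shows.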
DEPLOYMENT STEPS/ORDER
• Cloud service setup
• Set up internal domains and IP addresses (internal & public)
• Virtual Appliances (VA)
• AD connectors
• AD configuration script
• Set up user/group identities
• Define security policies (URL, block, whitelist)
• Set up SSL cert trust & enable proxy
• Set up mobile users
• Set up Apple iOS users
DEMO
• Cisco dCloud
• Dashboard
• Reporting
• Settings
• Investigate
THE PROBLEM
• Ever increasing use of sanctioned and unsanctioned (shadow IT) cloud
services by corporate users
• Exposure to attacks, misuse, and accidental data breaches
• Regulatory and internal security compliance headache
WHAT IS CLOUDLOCK?
• Company founded in 2011
• Acquired by Cisco in 2017
• Cloud-native cloud access security broker (CASB) built on the cloud services' native APIs
• It protects cloud users, data, and apps
• Users logged in to cloud apps from multiple geographic places
• Files inadvertently shared publicly
• Blocks users from granting access via OAuth to malicious cloud apps
FEATURES
• Data Security & Compliance (Data Loss Prevention)
• Threat Protection (User and Entity Behavior Analytics)
• Application Discovery & Control (App Firewall)
• Integration & Orchestration (aggregates feeds to SIEMs)
CLOUD SERVICES
• 8 main services
• 2 main add-ons
FEATURES
• Cloudlock aggregates data feeds across existing IT infrastructure to enrich security intelligence and harmonize data protection across on-premises and cloud environments for unprecedented insight and control.
LICENSING
• Minimum 100 users
• User count is the highest number of users on any one service
• 1 or 3 yr subscriptions
• Basic (email) or Gold (24x7) support options
DEPLOYMENT
• Nothing to install; hosted in AWS
• Cloud service setup
• Pick and enable known cloud services, sharing API keys or OAuth info
• Define security policies
  • User policies
  • Whitelist/Blacklist countries
  • DLP filters
  • Whitelist/Blacklist apps
• Integrate with existing SIEMs
DEMO
• Cisco dCloud
• Dashboard
• Incidents
• Policies
• Reporting
FIN
Thank you for your time!