Geekfest
25% of corporate data traffic will bypass perimeter security.
The way we work has changed, security must too
49% of the workforce is mobile.
82% admit to not using the VPN.
Security controls must shift to the cloud
70% increase in SaaS usage.
70% of branch offices have DIA.
1. What’s a SIG?
2. Cloud platform: advanced malware protection & more
Platform capabilities: DNS-layer inspection; proxy controls; file sandbox; 3rd-party CASB; app visibility and control*; inbound inspection*; new product*
File Inspection
Problem: incomplete coverage of DNS- and IP-layer destinations and files.
(Diagram: predictive destination intel from vendor feeds; AV with reactive file intel from vendor feeds; AMP with retrospective file intel from vendor and customer feeds.)
125% increase in Gbps capacity, with 1000 more peering sessions since 2015.
Platform design (diagram): a domain request is answered by the resolver at the DNS layer, or an IP response/connection is handled at the IP layer; each is allowed, blocked, or proxied. The proxy performs SSL decryption and runs micro-services (AV, AMP). Decisions draw on Umbrella statistical models, custom domain lists, custom IP lists (future), and internet-wide telemetry.
Data: 100B DNS requests resolved per day; a diverse dataset gathered across 85M users in 160 countries.
Security researchers: industry-renowned researchers across Cisco Talos and Umbrella build models that can automatically classify and score domains and IPs.
Models: dozens of models continuously analyze millions of live events per second, and automatically score and identify malware, ransomware, and other threats.
Intelligence: determine guilt by inference or pattern, across 2M+ live events per second.
Existing statistical models: Spike rank; Natural Language Processing rank; Predictive IP space; Geo-location & -diversity; Co-occurrence.
New statistical models: Live DGA prediction; Sender rank; pDNS, WHOIS & Threat Grid correlations; New security categories; Newly Seen Domains.
Live DGA prediction (diagram): malware configs (a1.com, a2.com, b1.com, c2.com, c.com, d.com, …) feed DGA models that predict further domains, e.g. fgpxmvlsxpsp.me[.]uk, beuvgwyhityq[.]info, gboondmihxgc.com, pwbbjkwnkstp[.]com, bggwbijqjckk[.]me, yehjvoowwtdh.com, ctwnyxmbreev[.]com, upybsnuuvcye[.]net, quymxcbsjbhh.info, vgqoosgpmmur.it.
“Hailstorm” spam (diagram): mail servers → confirm “Hailstorm” domain → new malicious domain z.spam.ru blocked by Umbrella.
MAIL SERVERS
Identify queries to spam Model aggregates hourly Model identifies owners Block 10,000s of domains
reputation services graphs per domain of “Hailstorm” domains before new attacks happen
85M+ DNS users are attacked Short bursts of 1000s of After confirmation, query Attackers often register more
by various spam campaigns “Hailstorm” spam uses many WHOIS records to get domains to embed links in phishing
and use reputation services FQDNs, e.g. subdomains, to registrant of sender domain or C2 callbacks in malware
hide from reputation services
Intelligence (timeline diagram): compares Cisco Umbrella with reputation systems across the states “not yet a threat”, “potentially unprotected”, and “protected”, on time scales of minutes, 24 hours, and days to weeks. Footnotes from the diagram:
1. May have predictively blocked it already, and likely the first requestor was a free user.
2. E.g. domain generated for CDN service.
3. Usually 24 hours, but modified for best results, as needed.
Intelligence
*New categories: these are allowed by default, but can be blocked. Domains in these categories may already have been categorized as Malware or Botnet (a.k.a. C2 callbacks) by many other Umbrella statistical models.
Our efficacy: 3M+ daily new domain names; 60K+ daily malicious destinations; 7M+ malicious destinations while resolving DNS.
User experience
Security Overview: quickly spot unusual activity patterns; identify security incidents or deployment issues; pivot into detailed destination reports.
Security Activity: quickly assess each event’s scope; group events by file-based engines or destination-based sources.
Real-Time Activity Search, Identities Report, Destinations Report: quickly assess the extent of exposure.
Policy: destination lists for domains and URLs.
Deployment and Integrations
Deployment: domain request, IP response, connection, HTTP/S.
Identities are securely embedded within the query using an RFC-compliant mechanism (EDNS), with differing granularity based on deployment; web-based redirects, transparent to the user, enable the same identity for the proxy.
Umbrella deployments: your DNS or DHCP server; Umbrella roaming client (RC); Umbrella AD Connector; Umbrella virtual appliance (VA); Umbrella API for network devices (Cisco ISR 4K devices, Cisco WLAN controller).
(Diagram: server VLAN, workstation VLAN, employee Wi-Fi VLAN, guest Wi-Fi VLAN.)
CloudLock and Umbrella: CloudLock revokes authentication for risky or inappropriate apps.
• They are planned and/or in progress. Too soon for any details though.
• Okay, so when?
Sales Enablement
• Demos using dCloud: cs.co/umbrella-demo-americas, cs.co/umbrella-demo-emear, cs.co/umbrella-demo-apj
• Training video series and selling aids (BDM, TDM, etc.), available on SalesConnect: http://cs.co/SellingUmbrella, http://cs.co/SellingInvestigate
Cisco Umbrella
DNS Layer Security
• Client queries ‘somesite.com’
• Resolver returns the real IP if the domain is safe
• Resolver returns the Lander address if the domain is blocked
(Diagram: customer site with internal site, AD Connector, and roaming client; DNS (EDNS or DNS) to the resolver; allowed/safe traffic to the public IP over HTTP/S; intelligent proxy.)
Cisco Umbrella Intelligent Proxy
Custom URL Filtering
• Client queries ‘example.com’
• Resolver returns the Proxy IP
• Allowed URLs go via the proxy
• Blocked URLs redirected to the Lander
(Diagram: customer site with internal site, AD Connector, and roaming client; DNS (EDNS) to the resolver; HTTP/S to the intelligent proxy, which applies custom URL filtering and forwards allowed requests to the public IP.)
Cisco Umbrella Intelligent Proxy
File Inspection
(Diagram: the grey list; AMP/TG; nginx MPS.)
Demo: URL Filtering, File Inspection
Cisco Umbrella
SIG Reporting
Survey
At the end of each session, please complete the in-app survey. When Geekfest ends, we will raffle a prize to one lucky respondent. We appreciate your feedback and use it for future planning.