Umbrella Instant v2-2

Cisco dCloud
Cisco Umbrella v2 – Instant Demo

Last Updated: 06-SEPTEMBER-2018
About This Demonstration

This guide for the preconfigured demonstration includes:
• Requirements
• About This Solution
• Get Started
• Scenario 1: Umbrella Overview
o Dashboard
o Identities
o App Discovery
o Reporting
o Cisco Umbrella Investigate
o Integrations
• Scenario 2: Umbrella Extras
o Creating Scheduled Reports
o Overview of Log Management
o Overview of Internal Domains
o Selecting Pre-defined Content Category Template
o Creating Custom Block Pages
Requirements
The table below outlines the requirements for this preconfigured demonstration.
Table 1. Requirements
Required Optional
● Laptop with Cisco AnyConnect® ● Cisco AnyConnect
© 2018 Cisco and/or its affiliates. All rights reserved. This document is Cisco Public Information. Page 1 of 43
Cisco dCloud
About This Solution

Umbrella Roaming is a cloud-delivered security service for Cisco's next-generation firewall. It protects your employees even when
they are off the VPN. No additional agents are required. Simply enable the Umbrella functionality in the Cisco AnyConnect client.
You’ll get seamless protection against malware, phishing, and command-and-control callbacks wherever your users go.
• First line of defense against threats: Cisco Umbrella is built into the foundation of the internet and blocks requests to
malicious/unwanted destinations before a connection is even established—without adding any latency. Stop threats over
any port before they reach your network and endpoints.
• Visibility and protection everywhere: Your users and apps have left the perimeter. Cisco Umbrella provides the visibility
needed to protect internet access across all devices on your network, all office locations, and roaming users.
• Enterprise-wide deployment in minutes: Cisco Umbrella is the simplest security product to deploy, so you can start
protecting users across your organization in minutes. It’s powerful, effective security without the typical operational
complexity. By performing everything in the cloud with 100% uptime, there is no hardware to install, and no software to
manually update.
• Intelligence to see attacks before they launch: We see the relationships between malware, domains, IPs, and
networks across the internet. Similar to Amazon learning from shopping patterns to suggest the next purchase, we learn
from internet activity patterns to automatically identify attacker infrastructure being staged for the next threat.
• Integrations to amplify existing investments: Easily integrate Cisco Umbrella with your existing security stack and
local intelligence. Leveraging open APIs, you can programmatically extend protection for devices and locations beyond
your perimeter, and enrich your incident response data.
Umbrella is Cisco’s cloud security platform that provides the first line of defense against threats on the internet wherever users go.
Cisco dCloud
Get Started
BEFORE PRESENTING
Cisco dCloud strongly recommends that you perform the tasks in this document with an active session before presenting in front
of a live audience. This will allow you to become familiar with the structure of the document and content.
It may be necessary to schedule a new session after following this guide in order to reset the environment to its original
configuration.
PREPARATION IS KEY TO A SUCCESSFUL PRESENTATION.
Follow the steps to schedule a session of the content and configure your presentation environment.
1. Initiate your dCloud session. [Show Me How]
2. Click Catalog and select Instant Demo from the side bar. This lists all the dCloud Instant Demos.
3. Click the appropriate View button.
Cisco dCloud
Scenario 1. Umbrella Overview

This Cisco Umbrella demonstration is a high-level overview of Umbrella Platform, with an emphasis on showing its simplicity and
the automated, effective solution it provides. The demo enables the user to become familiar with the user interface and various
features of the Umbrella environment.
In the scenario provided, the user will be able to walk through an overview of the Umbrella environment. Areas of interest covered
in this demo include: security overview dashboard, provisioning networks, provisioning roaming computers, security activity,
destinations reports, Investigate Console, identities reports, integrations, and policy and settings.
Steps
Dashboard
1. Once you click View in dCloud you should be automatically logged into the Umbrella portal.
2. On the Cisco Umbrella Overview page, hover your mouse over the vertical menu on left to expand options.
Cisco dCloud
3. From the menu, select Reporting > Core Reports> Security Overview.
4. The security overview helps you learn the volume of all requests, all blocked requests, and security blocks--over any port or
protocol--that are trending over time.
5. Scroll down to view the top security blocks by destination, identity, or type.
• Blocked destinations can be a domain name, IP address, or URL path.
• Blocked identities can be a network, specific device, or AD user.
• Blocked types give more insight into what caused the block.
Cisco dCloud
6. Scroll down to view the deployment summary, which highlights any issues requiring your attention.
Identities
Now that you’ve walked through the Overview, it’s time to show how specific identities are created.
1. From the menu, select Deployments > Core Identities > Networks.
2. The most common deployment is to point DNS from your internal DNS or DHCP servers to the Umbrella global network.
Alternatively, use a network device integration with Cisco Integrated Services Router or various Wi-Fi access points.
NOTE: You may optionally navigate to Identities > Network Devices but there is no information currently populated in this demo.
Cisco dCloud
3. Select Deployments > Configuration > Internal Networks.
4. To add granularity, optionally deploy our virtual appliance to forward internal network and user identities embedded within your
DNS traffic.
NOTE: You may optionally navigate to Deployments > Configuration > Sites and Active Directory
Cisco dCloud
5. Select Deployments > Core Identities > Roaming Computers.
6. Review the Roaming Computers screens that help ensure users are protected 100% of the time:
• on your corporate network,
• at all office locations with direct internet access,
• and when they’re at home or on the road
Cisco dCloud
7. In Roaming Computers window, click on the Roaming Client icon.
8. Scroll down to AnyConnect section to view details.
NOTE: Any of the 185 million users in the world using Cisco AnyConnect can simply upgrade it to the newest version and enable
the Umbrella module.
9. Scroll back up to Windows and Mac OS X Clients to review information there.
NOTE: If you use another VPN, our stand-alone roaming client works alongside it without any conflicts or added latency.
Cisco dCloud
10. Switching over for a moment to the end user experience, we see a roaming computer deployment using Cisco AnyConnect.
Even though the VPN is turned off, the off-network user is protected automatically by Umbrella-- without any end user action
needed.
NOTE: This demo does not include the ability to view the end user experience. You may view use the video at the provided link to
show the end user experience: https://www.youtube.com/watch?v=iss1SIpu8ng
11. What about when the user is phished with an email attachment containing ransomware? Upon opening it, the infected laptop
can call back to the attacker infrastructure over any port or protocol to download an encryption key. Umbrella uses both DNS-
and IP-layer enforcement, which silently protects the user, even if ransomware uses hardcoded IP addresses for command &
control.
Cisco dCloud
12. Demo a frequent attack – phishing the user to click a malicious link. Often in targeted attacks, the email may appear to come
from the CEO’s email address and links to the company’s website.
NOTE: Even tech-savvy users usually don’t spot a substituted or repeated character in the domain name used for both.
Cisco dCloud
13. Using Umbrella’s default block page, your custom block page, or redirecting the connection to your own server, the user is
informed that the destination contained a security threat.
NOTE: You can even configure this block page differently per identity and type of destination blocked.
App Discovery
Next let’s explore a newly added dashboard into Umbrella called App Discovery. App Discovery, a Shadow IT dashboard, provides
full visibility into cloud app usage based on DNS log activity. The combination of category roll ups, app details and risk profiles
empowers customers to optimize productivity, minimize expense and reduce risk. This enables secure and informed cloud
adoption.
1. From the menu, select Reporting > Additional Reports > App Discovery.
Cisco dCloud
2. From the dashboard point out the total number of apps discovered.
3. Scroll down to DNS Requests by App Risk. Hover over the graph to show how DNS requests are tracked over time. Mention
that this is where they can see any spikes in usage and drill in deeper to see the specific apps responsible (no need to drill in
yet).
4. Scroll down to Apps by Category and Risk to show other visuals (risk filters at the top).
5. Scroll back up to category cards and click on Details of one them (Anonymizer or P2P).
Cisco dCloud
6. You have now pivoted to the Apps Grid. Note that there is a Category filter that is pre-populated. You can also show that
other filters can also be applied, such Risk, App Type, Status and Date. Click on one app (CyberGhost VPN, for example) to
further drill down for more details.
7. Review App Details. Expand each risk component (Business, Usage, and Compliance) to understand components of each
risk type.
Cisco dCloud
8. Click on Identities. Highlight usage details for the identities, point out DNS requests and Blocked Requests.
9. Scroll back up and show that the app status can be changed to Approved, Not Approved or Under Audit.
10. Click on Apps at the top of the page.
Cisco dCloud
11. Use the Block this app link next to an app to navigate directly to the Application Settings page.
NOTE: When the “Block this app” link is selected this pivots to Applications Settings which is another new feature added to
Umbrella. This feature provides a way for admins to control applications within their environment and control access to these apps.
Application Settings can be selected in any policy created as well as from Policies > Application Settings.
12. The app you selected to block will be pre-populated in the Application Settings policy components. For example, expand the
AVC Global Policy.
13. The application you chose should now appear in the Applications to control menu. Click Cancel and move to the next step.
Cisco dCloud
14. In a normal scenario you can save this setting and the app will be blocked for any main policy (under Policy > All Policies)
using this application policy.
15. To show how this list is applied to a policy, navigate to Policy > All Policies. Click on Application Policy and show setting
under Application Setting Applied.
Reporting
Next let’s look at the reporting capabilities of Umbrella as well as understanding how to view various activities.
1. From the menu, select Reporting > Core Reports > Security Activity.
NOTE: This returns to the admin user experience to act on this or another blocked web link or C2 callback by viewing all recent
security activity.
Cisco dCloud
2. This screen allows you to filter or sort by different security event types.
3. Scroll down and click on any row to get expanded information.
Cisco dCloud
4. Check the Group Events by Type checkbox to sort the graph by type. Toggle back to the previous view by unchecking the
box.
5. Scroll up to the timeline graph and click one of the bars. This takes you directly to the Activity Search report.
Cisco dCloud
6. This page displays a snapshot of all user activity that Umbrella has seen over the last day, or change to a different time range.
7. Click the All Requests tab then select Domain Requests (DNS) to see recent activity that was enforced at the DNS layer.
To help you get an insight into the different activity types, there are separate activity reports for traffic by DNS, Proxy, or IP
layers.
NOTE: The DNS report contains relevant information concerning users’ DNS requests, such as the requested domain, private and
public IP addresses, and the outcome of the request.
8. Under the Response filters on the left side, select Blocked. Click Apply. This quickly filters the results to only blocked
requests.
Cisco dCloud
9. Deselect Blocked and select to filter by Security Categories. Select some at random, and click Apply to observe the results.
As filters are added or cleared, the results in the main table update with the changes.
10. Click the [...] (View Actions) button at the right side of a table row. This displays additional options for filtering on specific
attributes of the selected line, for example, by a specific user or domain. If you are using Investigate you can view further
details about the selected domain.
Cisco dCloud
11. Type roaming into the Search Requests box to show how all matched results filter as you type.
12. Clear any filters you have added in the Search Requests box.
13. In the Filter bar on the left, change the Response selection from Blocked to Proxied. Click Apply.
NOTE: This displays responses where the outcome is forwarded to the intelligent proxy for further inspection.
Cisco dCloud
14. This displays report activity at the proxy level, including results of proxy activity and specific proxy information, such as the full
URL in the Destination column.
15. Clear all filters and select URL Requests from the Requests tab. Select Blocked from the Response filter list and click apply.
Cisco dCloud
16. Scroll to the right and locate a line where the Response is Blocked — Cisco AMP. This displays a file blocked by Cisco
AMP. The AMP cloud database was queried in real time with the SHA256 for this file, but the file was blocked since it is known
to be malicious.
NOTE: You can also use the filters on left side to display only blocked responses.
17. Click [...] (View Actions) for a line that was blocked by AMP. The actions available now also include the URL level.
NOTE: In some cases, you can select View SHA255 in Investigate to get additional details.
Cisco dCloud
18. Click See Full Details from the top of the context menu. This allows examination of all details of the block in a single
summary.
NOTE: Files that were blocked by AMP will display the SHA256 hash.
Cisco dCloud
19. Click the Requests tab on the top right of the results pane and select . IP Requests. If you have implemented IP layer
enforcement through the roaming client, you can also view this activity, with details of IP requests that were blocked, the
destination IP and port, and why they were blocked.
20. Clear any existing filters and select Blocked under Response then click Apply and select Domain Requests (DNS) from the
Requests tab in the top right. Click on a URL that appears in the results under Destination
NOTE: There will be semi-random recent activity populated in this demo, so reach out to cloud security CSEs for interesting
destinations to demo Umbrella reports & Investigate.
By clicking on the destination, we display your local activity trend for the last 24 hours and up to the last 30 days.
Cisco dCloud
21. Click drop-down at top of the UI to select 30 days. In this example, Umbrella defended you against a recurring threat.
22. Click Global Traffic %. By viewing the Global Traffic %, we can infer whether the attack may be more targeted or
opportunistic which enables you to better prioritize investigations.
23. Right-click View <Destination> in Investigate to open this information in a new tab.
Cisco dCloud
Cisco Umbrella Investigate
Cisco Umbrella Investigate provides the most complete view of the relationships and evolution of Internet domains, IP addresses,
and autonomous systems to pinpoint attackers’ infrastructures and predict future threats.
NOTE: If further response is warranted, the Investigate product can supply a complete view of this domain’s relationships and
evolution on the internet.
1. Right-click View <Destination> in Investigate to open this information in a new tab.
NOTE: For example, you may identify global traffic spikes over the past 30 days indicating the launch of an attack campaign.
2. Scroll down to the WHOIS Record Data section to display domain ownership and uncover other malicious domains registered
with the same contact emails or hosted by the same nameservers.
Cisco dCloud
3. Scroll down to the Associated Samples section. This information allows you to correlate files analyzed by Cisco AMP Threat
Grid with this destination to understand how any malware would behave on infected systems.
4. Scroll down to the Co-occurrences section.
5. Point out the Related Domains section, which displays other domains that are frequently requested within seconds before or
after the domain you’re investigating. These requests often happen automatically without user interaction.
Cisco dCloud
6. Return to the tab containing the Destinations report, and scroll down to the Access & Policy Details section. This
information includes the top identities that were defended against this same threat.
NOTE: For this demonstration, it is optional to speak about and review the details of the Recent Activity section.
7. Click on the Top Identity in the list to display the Identities report for this item.
NOTE: One common risk identified is the fact that when a malicious destination is requested, many others are usually requested
simultaneously. This report displays the total requests allowed, blocked, or proxied for this identity, and whether these requests
match the historical trend or not.
Cisco dCloud
8. Scroll down to Top Destinations section.
NOTE: This displays top destinations classified as security threats, or destinations just frequently requested by the identity. Many
top security categories come from other Cisco or third-party products.
Integrations
Now we’ll focus on Integrations. Leveraging our application programming interface, you can integrate Umbrella with partner
products in minutes or create your own custom integration with a simple script. These integrations enable you to convert local
intelligence into global prevention in seconds.
1. From the menu, select Policies > Policy Components > Integrations.
Cisco dCloud
2. Leveraging our application programming interface, you can integrate Umbrella with partner products in minutes or create your
own custom integration with a simple script. These integrations enable you to convert local intelligence into global prevention
in seconds.
3. Navigate to Policies > Management > All Policies.
4. Click AD User Policy: Bandwidth Hogs + Security + Log All Events to show details of this policy.
Cisco dCloud
5. Click Edit Identity in the 57 Identities Affected area. This policy impacts 3 AD Groups, 51 AD Users and 3 AD Computers.
NOTE: User and group identities synced from your Active Directory domain can also be used in policies.
6. Click Cancel.
7. Click Edit in the Content Setting Applied - Custom area. Category settings for content filtering, are applied to these AD
users. You can apply predefined profiles with a high, moderate, or low level of filtering, or create a custom list.
Cisco dCloud
8. Click Cancel.
9. Click Edit in the Security Setting Applied area. Security settings not only include allowing or blocking specific categories, but
a number of security categories that can be applied according to predefined profiles, or individually.
10. Click Edit next to Categories to Block. Here all the security categories have been selected, meaning that all these security
categories will be blocked for the identities in this policy.
11. Click Integrations to expand that area. This allows you to use any of the integrations that were previously defined in policies.
Cisco dCloud
12. Click Cancel.
13. Click Edit in the Custom Block Page Applied area. The default settings have been selected for the AD users in this policy,
but if other customized messages have been created, they can be selected from here. You can preview the selected block
page from here too.
NOTE: Bypass options are also available and configured in this area.
14. Click Cancel.
Cisco dCloud
15. Click on Advanced Settings. Here you can enable or disable the Intelligent Proxy.
NOTE: Certain security features such as file inspection and IP-Layer enforcement are dependent on the Intelligent Proxy, and their
selection above will get disabled if you disable the Intelligent Proxy. You can also choose to log everything, just security events, or
nothing for this policy.
16. Click Cancel to close the advanced settings.
17. Click Cancel again to close the selected policy.
Cisco dCloud
Scenario 2. Umbrella Extras
Steps
Creating Scheduled Reports
1. Click Reporting > Core Reports > Activity Search, then click the down arrow icon. View security activity in real time with
globally aggregated reports and directly export to your system.
2. Click Reporting > Management > Scheduled Reports. You can also schedule and send these reports to your inbox.
Cisco dCloud
Overview of Log Management
1. Click Admin > Log Management. The Log Management feature enables a simple cloud-to-cloud log storage solution with
Amazon S3 that retains all DNS logs for as long as required.
2. Click Deployments > Configuration > Sites and Active Directory. The Virtual Appliance and AD Connector components
identifies sites, internal networks, or Active Directory users infected or targeted by attacks, without touching devices or re-
authenticating users.
3. Click Download Components to deploy a pair of virtual appliances on VMware or Hyper-V such that the pair can ensure
auto-updates and active-active backup. Running our configuration script once on the domain controllers, and our connector
service on one domain member, enables consistent policy management by the AD user or computer group membership.
Cisco dCloud
Overview of Internal Domains
1. Click Deployments > Configuration > Internal Domains.
NOTE: Most likely, an internal DNS server is running that is authoritative for internal domains, such as for printers, the intranet, or
wiki servers. Other networks from which roaming users connect to the internet may also have private internal domains that are not
known to the public internet.
After deploying the roaming client or AnyConnect module on endpoints, or our virtual appliance inside the network, ensure that
these DNS forwarders are aware of any internal domains. By default, any RFC-1918, search or local domains are handled as
internal domains. But using this setting, you can add any other non-default internal domains.
2. Click Policies > Policy Components > Destination Lists.
Cisco dCloud
3. Click the Bandwidth Hogs list.
NOTE: By default, every policy has a global allow list and global block list applied. To customize policies for threat protection or
access control, create an unlimited number of additional destination lists to allow or block per policy.
This demonstration does not have the capability to add lists.
Cisco dCloud
Selecting Pre-defined Content Category Template
1. Click Policies > Policy Components > Category Settings.
2. Click the High Web Filter list.
NOTE: Umbrella’s 60+ content categories cover millions of domains (and billions of Web pages) to give control over which sites
can be accessed by users on the network. High, moderate and low filters are pre-configured and can be customized to add
additional filters for use in policies.
Cisco dCloud
Creating Custom Block Pages
1. Click Policies > Block Page Settings > Block Page Appearance.
NOTE: This allows you to create and edit different block page messages, or even destination URLs per policy and per block type.
Optionally, you can allow blocked users to contact an admin from the block page. This page includes the ability to enable users to
bypass block pages per content categories.
Cisco dCloud
Summary
• Mitigate remediation costs and breach damage: Because Cisco Umbrella is the first line of defense, security teams will
have fewer malware infections to remediate and threats will be stopped before they cause damage.
• Reduce the time to detect and contain threats: Cisco Umbrella contains command & control callbacks over any port or
protocol and provides real-time reports on that activity.
• Increase visibility into internet activity across all locations and users: Cisco Umbrella provides crucial visibility for
incident response and also gives you confidence that you’re seeing everything.
• Gain visibility into cloud apps used across the business: Cisco Umbrella provides visibility into sanctioned and
unsanctioned cloud services in use across the enterprise, so you can uncover new services being used, see who is using
them, and identify potential risk.
For more information on Cisco Umbrella sales and technical training and Cisco On-Line Training (COLT) exam, you may view the
available videos at the following links:
• Cisco Umbrella Sales Training Videos and COLT
• Cisco Umbrella Technical Training Videos and COLT
By completing the sales or technical training videos and COLT exam for Cisco Umbrella, internal or partner team members will be
provisioned their very own one-year account to Cisco Umbrella Platform for free personal- or work-related use. This account will
not be setup as a pre-populated demo environment, but sales members can choose to leverage their own account for tailored
demo purposes.

Umbrella Instant v2-2

Загружено:

Сведения о документе

Авторское право

Поделиться этим документом

Поделиться или встроить документ

Параметры публикации

Этот документ был вам полезен?

Это неприемлемый материал?

Авторское право:

Umbrella Instant v2-2

Загружено:

Авторское право:

Cisco dCloud

Cisco Umbrella v2 – Instant Demo

About This Demonstration

• About This Solution

• Scenario 1: Umbrella Overview

o Cisco Umbrella Investigate

• Scenario 2: Umbrella Extras

o Creating Scheduled Reports

o Overview of Log Management

o Overview of Internal Domains

o Selecting Pre-defined Content Category Template

o Creating Custom Block Pages

● Laptop with Cisco AnyConnect® ● Cisco AnyConnect

About This Solution

PREPARATION IS KEY TO A SUCCESSFUL PRESENTATION.

1. Initiate your dCloud session. [Show Me How]

3. Click the appropriate View button.

Scenario 1. Umbrella Overview

• Blocked destinations can be a domain name, IP address, or URL path.

• Blocked identities can be a network, specific device, or AD user.

3. Select Deployments > Configuration > Internal Networks.

5. Select Deployments > Core Identities > Roaming Computers.

• on your corporate network,

• at all office locations with direct internet access,

• and when they’re at home or on the road

7. In Roaming Computers window, click on the Roaming Client icon.

8. Scroll down to AnyConnect section to view details.

9. Scroll back up to Windows and Mac OS X Clients to review information there.

10. Click on Apps at the top of the page.

3. Scroll down and click on any row to get expanded information.

Cisco Umbrella Investigate

1. Right-click View <Destination> in Investigate to open this information in a new tab.

4. Scroll down to the Co-occurrences section.

8. Scroll down to Top Destinations section.

3. Navigate to Policies > Management > All Policies.

12. Click Cancel.

14. Click Cancel.

16. Click Cancel to close the advanced settings.

17. Click Cancel again to close the selected policy.

Scenario 2. Umbrella Extras

Creating Scheduled Reports

Overview of Log Management

Overview of Internal Domains

1. Click Deployments > Configuration > Internal Domains.

2. Click Policies > Policy Components > Destination Lists.

3. Click the Bandwidth Hogs list.

This demonstration does not have the capability to add lists.

Selecting Pre-defined Content Category Template

1. Click Policies > Policy Components > Category Settings.

2. Click the High Web Filter list.

Creating Custom Block Pages

• Cisco Umbrella Sales Training Videos and COLT

• Cisco Umbrella Technical Training Videos and COLT

Вам также может понравиться