DNS Security & Proxy: Cisco Umbrella but Why?

As most of you know, Cisco positions Umbrella as the first line of defense against threats on the Internet, wherever users go. By analyzing and learning from Internet activity patterns, Umbrella automatically uncovers attacker infrastructure staged for current and emerging threats.
It also proactively blocks malicious requests before they reach a customer’s network or endpoints. With Umbrella, you prevent devices from connecting to malicious sites in the first place, before a malware file is downloaded or an IP connection is even established. We can also stop phishing and malware infections earlier, identify already infected devices faster, and prevent data exfiltration.

Fig 1.1- OpenDNS (Cisco Umbrella)

Collecting intelligence on advanced attacks that target your network is vital, but we need a way to easily enforce that intelligence. Umbrella blocks new threats beyond the network perimeter everywhere your employees work. Because Umbrella is built into the foundation of the Internet and delivered from the cloud, it provides complete visibility into Internet activity across all locations and users.

Through integration partnerships, Umbrella extends and enforces the local intelligence from your existing security stack to protect employees, whether they’re working on or off the corporate network. Most security integrations involve custom development and many hours of professional services. Not with Umbrella. In minutes, your local intelligence about malicious domains is extended to protect users beyond your perimeter.

Cisco Umbrella Benefits
  • Serves as the first line of defense, so security teams will have fewer malware infections to remediate and threats will be stopped before they cause damage.
  • Contains command and control callbacks over any port or protocol and provides real-time reports on that activity.
  • Provides crucial visibility for incident response and also gives you confidence that you’re seeing everything.
  • Provides visibility into sanctioned and unsanctioned cloud services in use across the enterprise, so you can uncover new services being used, see who is using them, and identify potential risk.

Cisco Umbrella Features
  • Anycast routing: Requests are transparently sent to the fastest available node and automatically re-routed in the event of downtime.
  • There is no added latency compared to your current service provider or local server. Many customers even experience a boost to their Internet speed. Add security without latency.
  • Statistical and machine learning models: Models are created to automatically score and classify our data so we can detect anomalies and uncover known and emergent threats.
  • Umbrella Investigate: Use the Investigate web-based console or API for access to Umbrella’s threat intelligence on domains, IPs, and malware across the Internet. Gain context about what Umbrella is blocking and why.
  • DNS-layer enforcement: The vast majority of Internet connections begin with a DNS request, and Umbrella uses that as the first point of inspection. Stop connections to malicious domains and IPs at the earliest point.
  • IP-layer enforcement: Umbrella provides IP-layer enforcement on and off the corporate network using the roaming client or Cisco AnyConnect integration.
  • Intelligent proxy: With the Umbrella intelligent proxy, only requests to risky domains (those hosting both malicious and legitimate content) are sent for deeper inspection, which avoids the performance impact of traditional proxies.

Cisco Umbrella Packages:
  • Cisco Umbrella Professional: The Professional package offers a cloud security platform that provides protection against malware, phishing, and C2 callbacks when users are on and off the corporate network, in addition to web filtering and basic reporting.
  • Cisco Umbrella Insights: The Insights package offers everything in the Professional package plus user-based policies with Active Directory integration, URL and IP-layer enforcement, custom URL blacklists, file inspection using AV engines and Cisco AMP, the ability to retain logs indefinitely, and advanced reporting.
  • Cisco Umbrella Platform: The Platform package offers everything in the Insights package, plus prebuilt and custom API integrations and the ability to access threat intelligence in the Investigate web-based console for deeper context during investigations.
  • Cisco Umbrella Branch: The Branch package is an entry-level cloud-delivered security service for the Cisco 4000 Series ISRs that provides protection for guests and corporate users who are accessing the Internet at branch offices.
  • Cisco Umbrella Roaming: The Roaming package is an entry-level cloud-delivered security service that provides protection when employees are off the VPN. Customers can use the built-in Cisco AnyConnect integration or deploy a standalone client.
  • Cisco Umbrella WLAN: The Cisco Umbrella WLAN (wireless LAN) package is a cloud-delivered security service that provides protection for guests and corporate users who are accessing the Internet from wireless access points. Umbrella has been tightly integrated with the Cisco 2504, 5508, 5520, 8510, and 8540 wireless LAN controllers (WLCs) as well as the Wireless Services Module 2 (WiSM2).