
KuppingerCole Report

WHITEPAPER by Alexei Balaganski | January 2019

Next-Generation Enterprise Security Delivered from the Cloud: Addressing Modern Cyber Threats with Cisco Umbrella

As businesses embrace the Digital Transformation and become increasingly cloud-native, mobile and interconnected, the corporate network perimeter is gradually disappearing, exposing users to malware, ransomware, and other cyber threats. Traditional perimeter security tools no longer provide adequate visibility, threat protection, and scalability, nor can they offer convenience and productivity for users on the go. There is a need for next-generation enterprise security solutions delivered from the cloud.

by Alexei Balaganski
ab@kuppingercole.com
January 2019

Commissioned by Cisco

KuppingerCole Whitepaper
Next-Generation Enterprise Security Delivered from the Cloud: Addressing
Modern Cyber Threats with Cisco Umbrella
Report No.: 80017
Content

1 Introduction ................................................................................................................................. 3
2 Highlights ..................................................................................................................................... 5
3 Cybersecurity Challenges for Modern Enterprises .......................................................................... 6
3.1 Extending Beyond the Perimeter ..................................................................................................... 7
3.2 Data Loss Prevention ........................................................................................................................ 8
3.3 Cloud Compliance and Shadow IT .................................................................................................... 8
4 Security from the Cloud: Capabilities and Challenges ................................................................... 10
4.1 Potential Challenges .......................................................................................................................10
4.2 Key Capabilities...............................................................................................................................11
5 Cisco Umbrella: The First Line of Defense .................................................................................... 12
5.1 Cisco Umbrella Platform Overview ................................................................................................12
5.2 Extending Protection Beyond the Perimeter .................................................................................13
5.3 Additional Capabilities ....................................................................................................................14
6 Recommendations...................................................................................................................... 15
7 Copyright ................................................................................................................................... 16

Related Research

Leadership Compass: Cloud Access Security Brokers – 72534
Leadership Compass: Dynamic Authorization Management – 70966
Advisory Note: Top Cyber Threats – 71032
Advisory Note: Connected Enterprise Step-by-step – 70999
Executive View: Cisco Advanced Malware Protection – 72518

1 Introduction

Modern businesses are operating in a rapidly changing global environment. Agility has become the key capability for adapting to new technologies, market regulations, and customer demands. Cloud services, mobile devices, the Internet of Things – all these technologies enable completely new business models and new ways of collaborating with business partners and customers, and businesses are eager to adopt them. However, as companies become more interconnected, the very notion of their security perimeter gradually ceases to exist.

What just a decade ago was seen as an impenetrable castle wall surrounding all the
corporate workstations, applications, and sensitive data, nowadays rather resembles
the ruins of medieval city walls that can be found in many historical European cities.

Embracing the use of cloud apps and services brings multiple benefits in terms of flexibility and cost reduction, but it leaves a substantial part of the corporate IT assets outside of the traditional IT and access governance processes. Business expansion, as well as mergers and acquisitions, make existing IT infrastructures increasingly distributed and heterogeneous. Mobile users, connected devices and smart sensors no longer need to connect to your on-premises network at all. Even worse, these developments are fast and unpredictable, making even basic IT operations, not to mention enforcing security and compliance policies with a perimeter-based approach, difficult and costly.
Protecting sensitive resources of an increasingly distributed company with a large mobile workforce is becoming a challenge that traditional security tools are no longer able to address. The most obvious challenge is the growing number of potential threat vectors, so a simple firewall is no longer sufficient: a proper security gateway has to combine a large number of specialized technologies to cover just the most dangerous ones. To protect multiple remote offices, enterprises must either supply each location with a full stack of security appliances or route all local traffic to a central gateway, which dramatically increases hardware and bandwidth costs. Often, smaller locations and mobile users are left completely unprotected.
However, an even more crucial problem is the general lack of full visibility across disjointed heterogeneous environments, which makes the daily job of a security expert painfully complicated – after all, you cannot protect what you do not know or can’t see, or, for that matter, what you simply cannot reach because it operates outside of the corporate perimeter. Beyond the usual security implications, this lack of visibility also leads to a massive compliance problem, namely “Shadow IT”. As soon as employees – either frustrated with the inefficiency of their current business applications or simply for lack of better judgment – start using their personal cloud services to perform their jobs, this not only has massive potential compliance impacts but may directly lead to a data breach. Detecting and regulating unsanctioned cloud usage, especially for mobile workers that bypass any perimeter-based controls, is, therefore, a key factor for compliance with regulations like GDPR.

But do all these challenges mean the imminent death of the traditional firewall and an immediate need
to rip it out and replace with something entirely new? No, we believe that for the majority of
organizations, the existing perimeter defenses are not going away anytime soon. And since the
perimeter security alone is no longer able to provide full protection, these organizations should now be
looking for additional components for their security infrastructures to plug the gaps in their eroding
perimeters and to extend protection to the resources and users outside of them.
An increasingly popular alternative to traditional on-premises security gateways, which are costly,
complicated to operate, and create a performance and productivity bottleneck for mobile users, is a
security gateway operating directly in the cloud or rather a whole “security cloud” consisting of multiple
breakout points across different geographical regions.
Thus, every user or device outside of the perimeter that is currently consuming cloud services directly can continue doing so without any performance penalties or changes in user experience, yet constantly remain protected from the latest cyber threats the same way they used to be behind the corporate perimeter. This way, a secure cloud gateway can be considered the first line of defense in a multilayered “defense in depth” security infrastructure, providing visibility into all internet activities, enforcement of the most important security and compliance policies, and identification and mitigation of cyber attacks.
The market now offers a substantial number of cloud-based security solutions that vary in their
functional scope, platform coverage, and operational complexity. One crucial distinction among these
solutions is the range of network protocols and services that they are able to intercept, analyzing and
mitigating threats in real-time – some security gateways only focus on web traffic, leaving all other
applications unprotected.
Cisco Umbrella, on the other hand, utilizes the Domain Name System (DNS) layer to analyze all network connections across all protocols and ports. Harnessing the power of the Umbrella global network – one of the world’s largest DNS resolution services – and the latest threat intelligence from the company’s own Talos Intelligence Group, Cisco Umbrella can identify known malicious or otherwise unwanted network destinations and stop the threats even before a connection is established. Suspicious and potentially risky activities are transparently routed to Cisco’s cloud-based proxy for deeper inspection – customers can even decide to include additional third-party products in the analysis.

Most importantly, all this happens completely transparently for the users, works
everywhere outside of the corporate perimeter and does not require any hardware or
software deployment.

2 Highlights

• In the past, all corporate assets, applications, and sensitive data were kept safe behind the corporate network perimeter. Modern IT infrastructures are much more complex, geographically distributed and heterogeneous. The very notion of the corporate perimeter has nearly disappeared.
• Exponential growth of cloud computing, while bringing multiple business benefits and reducing costs, has dramatically reduced the degree of visibility and control IT departments have over their sensitive data and business-critical assets. Still, organizations retain full responsibility for protecting them in the cloud, making compliance violations increasingly costly.
• Thanks to the increasingly mobile workforce accessing cloud services directly, a large part of corporate traffic bypasses the network perimeter completely, remaining out of reach of traditional security tools. Extending their scope requires significant redesign of existing security infrastructures.
• Traditional on-premises secure gateways are costly, do not scale well and hinder productivity. Cloud-based security platforms offer a modern alternative, but choosing the right one is not a trivial challenge.
• What makes Cisco Umbrella Secure Internet Gateway a viable choice for extending enterprise security beyond the corporate perimeter? What are the key functional requirements for Security Cloud solutions and how does Cisco Umbrella fulfill them?

3 Cybersecurity Challenges for Modern Enterprises

The proverbial Digital Transformation has left a profound impact on our whole society. Such
groundbreaking technologies as cloud computing, mobile devices and the Internet of Things have
completely changed the way modern enterprises are doing their business.
By enabling new business models, unlocking new ways of communicating with their partners and
customers, and commoditizing large-scale computing and storage that was previously available only to
the largest enterprises, they have made digital information the core asset and sometimes even the
primary product for many companies. Unfortunately, this transformation has also led to a massive
increase in the size and complexity of the corporate IT infrastructure.
Like a medieval city, it has outgrown the castle walls and sprawled out in all directions – primarily
towards the cloud. A typical IT infrastructure of a modern enterprise is both distributed and
heterogeneous, extending across multiple branches and remote offices, on-premises datacenters,
industrial networks, cloud service providers, and, of course, anywhere else in the world on the move.

[Figure 1 depicts the sprawl of a modern enterprise: on-premises assets (database, mainframe, file server, big data), cloud assets (big data, cloud storage, application, website, SaaS, API), employees, partners, contractors and customers, a plant with SCADA, an IoT gateway, machines and IoT devices, and mobile devices, wearables and connected vehicles.]

Figure 1: Typical IT infrastructure of a modern enterprise

What just a decade ago was seen as an impenetrable castle wall surrounding all the corporate
workstations, applications, and sensitive data, nowadays rather resembles the ruins of medieval city
walls that can be found in many historical European cities – the very notion of the traditional corporate
security perimeter has almost ceased to exist.

3.1 Extending Beyond the Perimeter

Protecting corporate resources in such a deperimeterized company with a large mobile workforce is
becoming a task that traditional security tools are no longer able to address. Cyber attacks are becoming
increasingly sophisticated and diverse, the number of potentially malicious actors is also growing – the
cyber threat landscape is constantly evolving, changing quickly and unpredictably. For example, even
the largest companies that have invested heavily in various security tools were completely unprepared
for ransomware outbreaks. Cryptojacking, fileless attacks, business email compromise – the bad guys
out there never cease to innovate.
In a traditional perimeterized environment, the role of the central security enforcement point is usually taken by a security gateway that controls all network traffic passing from and to the corporate network. What once was a simple firewall has now evolved into a range of specialized security appliances – malware scanners, content filters, or intrusion detection systems – and to stay on top of modern threats, companies often have to deploy massive stacks of those just to cover the most dangerous threat vectors.
Such on-premises gateways are expensive and difficult to manage and operate. An even bigger problem, however, is that their protection does not extend to any user or device outside of the perimeter. In a large company with multiple remote offices, the cost of deploying a full stack of security appliances in every location will be prohibitive. Also, any mobile user not connected to the corporate network is inevitably left unprotected.
Until quite recently, the only technically feasible way of bringing remote users back under the safety of
the security perimeter was traffic backhauling: instead of letting those users connect to the Internet
directly, all their traffic must be routed back to the hub of the corporate network and forced to pass
through the central security gateway. For individual users on the go, this is typically performed using a
dial-in VPN connection; remote offices would have to be permanently connected to the central one with
an MPLS network.
Needless to say, this hub-and-spoke approach has multiple disadvantages:
• Traffic backhauling introduces additional bandwidth requirements and thus incurs constant additional costs;
• Such networks do not scale well for a large number of connections, especially for companies with a global presence, so they have to invest in multiple hubs;
• Additional network latency and the need to establish a VPN connection manually reduce employee productivity.

Also, it’s often simply impossible to enforce backhauling on mobile users – they will
still be able to access the internet directly.

3.2 Data Loss Prevention

Protection from external threats, however, is not the only challenge in a heterogeneous and
deperimeterized IT environment. Recent studies clearly indicate that it is the insiders - the contractors,
third-party vendors, and even your internal privileged employees who already have full access to
corporate IT systems – that cause the costliest data breaches by leaking sensitive information. And even
the definition of a privileged employee nowadays has a new meaning: it’s no longer the IT
administrators, but the CEO or CFO, a developer or almost any other user that has access to sensitive
information as a part of their daily job. The number of new attacks targeting privileged insiders
specifically is on the rise, but employee negligence alone can be enough to cause a massive and costly
data leak.
The security market nowadays can offer a broad range of tools designed specifically to address these challenges – ranging from classical appliance-based DLP solutions to modern AI-based user behavior analytics systems – but the former are usually completely ineffective outside of the perimeter and the latter depend heavily on the amount of information about user activities that can be collected across the corporate network.
It is the general lack of full visibility across disjointed heterogeneous environments that makes the daily job of a security expert painfully complicated – after all, you cannot protect what you do not know or can’t see simply because it’s happening outside of the corporate perimeter. The only architecture that can efficiently ensure reliable data loss prevention in such a complex infrastructure has to be one designed according to the “defense in depth” principle, where multiple security solutions operate in accord, from the initial data discovery and classification all the way to real-time blocking of data exfiltration activities on endpoints, on the network and in applications and cloud services.
However, the first line of defense in this multi-layer security architecture is always consistent visibility into all network activities across all locations, devices, and users.

Only when you know with confidence what’s going on everywhere on your network
does it become possible to mitigate malicious activities in real time.

3.3 Cloud Compliance and Shadow IT

Embracing the use of cloud apps and services brings multiple benefits in terms of flexibility and cost
reduction, but it leaves a substantial part of the corporate IT assets outside of the traditional IT and
access governance processes. With corporate data and business applications beyond the perimeter and
out of direct control of the IT administrators, businesses are no longer able to keep an eye on their
usage and to continue enforcing security and compliance policies across multiple cloud environments.
Many companies seem to honestly believe that giving up control over a part of their IT infrastructure to a cloud service provider automatically means that the CSP also takes over all the responsibilities for ensuring security and compliance of the information kept in the cloud. This could not be further from the truth, however: although the exact border between the responsibilities of cloud service providers and their customers varies depending on the exact type of cloud usage, customers always retain full responsibility for the security and compliance of any data processed in the cloud services. In terms of the EU General Data Protection Regulation, cloud service customers are still considered Data Controllers and thus bear all the harsh consequences of GDPR violations.
Unfortunately, not many organizations have a truly comprehensive and consistent cloud service
adoption strategy. Even those that have strict cloud guidelines and carefully evaluate risks of every
cloud service before sanctioning its use, usually have very limited visibility into the true scale of their
cloud usage. This lack of visibility can potentially lead to a massive compliance problem, namely the
“Shadow IT”.
As soon as employees – either frustrated with the inefficiency of their current business applications or simply for lack of better judgment – start using their personal cloud services to perform their jobs, this not only has massive potential compliance impacts but may directly lead to a data breach. Detecting and regulating unsanctioned cloud usage, especially for mobile workers that bypass any perimeter-based controls, is, therefore, a key security and compliance factor.
Uncontrolled shadow IT leads to higher risks and higher costs. To address this problem, a whole new class of security solutions has emerged in recent years – Cloud Access Security Brokers (CASB) – whose sole purpose is to sit between cloud applications and their users, monitor their activities and enforce security policies. Broadly, CASBs can have two possible methods of operation – either inline, when cloud traffic must somehow be intercepted by a network proxy or routed to it by on-device agents, or out-of-band, when the CASB collects cloud usage information from log files or through API calls directly to cloud service providers.
Inline inspection of cloud traffic allows for real-time analysis, access control and threat mitigation, but
has the same disadvantages as any other gateway-based security solution – in many scenarios,
especially for mobile users outside of the perimeter, it is very easy to bypass. Out-of-band inspection,
however, can only detect malicious activities after the fact and thus offers no real-time protection.
Modern CASB solutions usually combine both approaches along with a number of methods of
intercepting cloud traffic for different environments – only this way can they provide the full visibility
into both sanctioned and unsanctioned cloud usage, offer comprehensive risk and threat analysis and,
last but not least, enforce access policies to ensure compliance.

Cloud Access Security Brokers deployed on-premises have already proven their
efficiency. But how to extend their coverage beyond the perimeter? Can cloud
security be delivered from the cloud?

4 Security from the Cloud: Capabilities and Challenges

The exponential adoption rate of cloud services clearly shows that such obvious business benefits of Software as a Service (SaaS) solutions as quick setup and deployment, easy upgrades, elastic scalability and, finally, cost reduction significantly outweigh such shortcomings of the SaaS model as a partial lack of control and additional compliance concerns.
But does this sentiment extend to the security solutions offered from the cloud? In theory, Security as a Service (SECaaS) solutions offer the same benefits to their customers, along with almost universally greater security expertise offered by the vendor than is typically available within the organization. And of course, a cloud-based security solution does not differentiate between on-premises and mobile users, making it naturally perimeter-agnostic.
As opposed to a traditional on-premises security gateway that typically comprises a stack of standalone security appliances, a cloud-based security solution is usually offered as an integrated suite that combines multiple security technologies in a unified cloud platform. If supported by unified analytics, such a platform offers much better visibility into the corporate security posture than a simple sum of individual tools.

4.1 Potential Challenges

However, choosing the right cloud-based security solution is not a trivial task. One has to consider their potential drawbacks as well and look for services that address them explicitly and efficiently.
The most obvious challenge of any cloud-based security gateway is, of course, the additional network latency it introduces due to the need to forward all traffic to a remote location for analysis. This is exactly why a proper Security Gateway is not simply a traditional on-premises gateway redeployed on a cloud infrastructure. Instead, it should implement a “Security Cloud” comprising multiple traffic analysis nodes distributed around the world, which automatically chooses the closest node for each connection and offers transparent failover by switching to another node in case of connectivity problems.
Such security clouds can also naturally address the next major challenge, data residency regulations. A customer in a European Union country connecting to a cloud service hosted within the EU would expect that their sensitive data never leaves the EU boundaries simply to be inspected by a US-based security gateway. A data sovereignty clause must be an explicit part of every SECaaS contract.
However, the most crucial yet less obvious challenge for a security gateway is the range of network protocols and services it’s able to analyze and protect. This depends directly on the supported methods of traffic capture and routing.
Some solutions may for various reasons (like advertising as a fully agentless platform) depend on browser settings or similar methods that only redirect web traffic for analysis, leaving a huge part of network activities completely unprotected.

4.2 Key Capabilities

Let’s summarize the key functional capabilities of a Security Cloud that customers should be looking for
when selecting the best solution for their needs.

• Global distributed cloud infrastructure that offers consistent high performance across all key geographical regions along with built-in high availability support. A cloud security gateway should be considered the most critical component of your network infrastructure and under no circumstances should it become a single point of failure.
• Compliance with data residency and data protection regulations. In addition to the guaranteed ability to keep all analyzed data within a specific geographic region, this may involve additional configuration options: for example, customers should be able to exclude specific sensitive traffic flows from analysis partially or completely if needed. A full audit trail of the platform activities must be available as well.
• Threat protection across all network protocols and services. To enable this, the solution is expected to support multiple methods of capturing or redirecting network traffic for analysis suitable for different platforms and environments. Additionally, it should be capable of blocking any malicious or unwanted network connection, not just a web session.
• Easy deployment, centralized management, and transparent operation. A cloud security gateway is expected to operate across all devices in use by the customer, without any user interaction needed to enable it. Should a specific scenario require the protection to be temporarily disabled, this should be possible with a custom policy defined in a central management console.
• Open platform that integrates with existing and future security tools. A cloud security platform should be able to integrate with existing on-premises security tools to augment their efficiency. It is also expected to share security events with SIEM and other forensic systems. Finally, the platform should be able to provide additional security features and threat intelligence through API-based integrations with third-party vendors.
• Cloud Access Security Broker. By analyzing all network traffic between users and cloud services, a cloud security gateway has the unique opportunity to offer native CASB functionality or to integrate with a standalone solution to provide visibility and control over sanctioned and unsanctioned SaaS usage.

Above all, however, a cloud-based security solution is expected to work consistently
for all users within and beyond the corporate perimeter, anywhere and anytime.

5 Cisco Umbrella: The First Line of Defense

Cisco Umbrella is a secure internet gateway that provides the first line of defense against threats on the
internet wherever users go. It provides visibility and threat protection for internet access across all
devices and users both on the corporate network and beyond the perimeter.
Cisco Systems, Inc. is a multinational technology company headquartered in San Jose, California, USA.
Founded in 1984 by the pioneers of the multi-protocol network router concept, the company has quickly
grown into the world’s largest manufacturer of networking hardware and telecommunications
equipment.
The company’s Security unit offers a broad portfolio of products and services in various areas of information security, including firewalls and other network security solutions; web, email, and cloud security; identity and access control and more. In 2015, Cisco acquired OpenDNS, a company that operates one of the world’s largest Domain Name System (DNS) infrastructures and extends it with a cloud security product suite. Since the acquisition, this enterprise security suite has been offered under the Cisco Umbrella brand.

5.1 Cisco Umbrella Platform Overview

Cisco Umbrella is a global, large-scale security cloud comprising 30 datacenters across all continents. Through over 800 peering partnerships with top internet service providers, Cisco guarantees that the Umbrella cloud can always be reached by the shortest route with minimal latency. By using Anycast routing, every data center is accessible through the same IP address, so every request transparently reaches the closest one, with automated failover. However, customers can explicitly select the region where their data will be stored.
The main mechanism Umbrella uses to intercept and analyze internet requests to the cloud is DNS.
Since every device needs to perform a DNS request to resolve a domain name into an IP address before
it establishes a connection anywhere, pointing traffic to Umbrella is incredibly simple. For any corporate
network, this can be easily configured centrally, but for mobile devices that constantly switch between
different networks, an additional step is needed: a lightweight roaming client must be deployed on a
device, and its only function is to forward all DNS requests to Umbrella regardless of the local network
settings.
For supervised iOS devices, Cisco provides a Security Connector application that adds Umbrella support.
Surprisingly, there is still no official support for Android-based mobile devices, although they can be
partially covered using 3rd party apps.
Since the Umbrella cloud processes billions of DNS requests from millions of users around the world
every day, it collects an immense amount of security intelligence about malware, URLs and domains
across the internet. In addition, it can tap directly into the reputation database maintained by Talos
Intelligence Group that powers all of Cisco’s security products. Thus, even before a network connection
is established, Umbrella can already determine whether it is associated with any kind of known risky
activity as well as classify it according to over 60 predefined content categories.
For known malicious destinations like malware command and control domains or fraudulent websites,
or simply to enforce acceptable use policies, a connection will be immediately blocked. For less risky
domains, or to allow deep inspection of specific URLs, a DNS request will be transparently resolved to the
Umbrella proxy service, which will perform real-time analysis using Cisco Advanced Malware Protection.
In addition, customers may enable additional API-based integrations with security tools from vendors
like FireEye or Check Point, or even define their own. Based on the scan result, the connection will
be allowed or blocked, again completely transparently for the user. A full audit trail of all network
activities is stored for later analysis. Of course, Umbrella supports integrations with SIEM and log
management solutions as well.
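The two preceding paragraphs describe the DNS-layer enforcement model: classify the destination before a connection exists, then block, divert to an inspection proxy, or allow, and keep an audit record of each decision. The following is an added illustration of that decision logic written for this review; it is not Cisco's code, and the reputation database, category names and IP addresses (taken from the TEST-NET-2 documentation range) are constructed placeholders. The one detail worth noting is that subdomains inherit the classification of the closest classified parent, so a block on a domain also covers hosts beneath it.

```python
"""DNS-layer policy enforcement model (added example, not Cisco Umbrella's code)."""
from dataclasses import dataclass
from typing import Optional

# Constructed sample reputation database: domain -> category.
# Subdomains inherit the classification of the closest classified ancestor.
SAMPLE_REPUTATION = {
    "malware-drop.example": "malware",
    "c2.botnet.example": "command-and-control",
    "login-update.example": "phishing",
    "casino.example": "gambling",
    "newsite.example": "newly-seen",
}

# Constructed policy: which categories are blocked outright (for security or
# acceptable-use reasons) and which are diverted to a proxy for deep inspection.
SECURITY_BLOCK = {"malware", "command-and-control", "phishing"}
AUP_BLOCK = {"gambling"}
PROXY_INSPECT = {"newly-seen", "file-sharing"}

SINKHOLE_IP = "198.51.100.1"  # placeholder block page address (TEST-NET-2)
PROXY_IP = "198.51.100.2"     # placeholder inspection proxy address (TEST-NET-2)


@dataclass(frozen=True)
class Decision:
    qname: str
    category: str
    action: str            # "block", "proxy" or "allow"
    answer: Optional[str]  # synthetic A record, or None to forward upstream unchanged
    reason: str


def normalize(qname: str) -> str:
    """Canonical form: trimmed, lowercase, without the trailing root dot."""
    return qname.strip().rstrip(".").lower()


def classify(qname: str, db=SAMPLE_REPUTATION) -> str:
    """Walk from the full name up to (but excluding) the bare TLD and return
    the first category found, so 'cdn.malware-drop.example' inherits 'malware'."""
    labels = normalize(qname).split(".")
    for i in range(len(labels) - 1):
        candidate = ".".join(labels[i:])
        if candidate in db:
            return db[candidate]
    return "unknown"


def decide(qname: str, db=SAMPLE_REPUTATION) -> Decision:
    """Apply the policy to one lookup. Blocked names resolve to the sinkhole,
    names needing inspection resolve to the proxy, everything else is forwarded."""
    name = normalize(qname)
    category = classify(name, db)
    if category in SECURITY_BLOCK:
        return Decision(name, category, "block", SINKHOLE_IP, "known threat")
    if category in AUP_BLOCK:
        return Decision(name, category, "block", SINKHOLE_IP, "acceptable-use policy")
    if category in PROXY_INSPECT:
        return Decision(name, category, "proxy", PROXY_IP, "deep inspection required")
    return Decision(name, category, "allow", None, "no policy match")


def resolve_batch(qnames, db=SAMPLE_REPUTATION):
    """Decide a list of lookups and return the audit trail plus a per-action count,
    the kind of record that would be forwarded to a SIEM or log management system."""
    trail = [decide(q, db) for q in qnames]
    summary = {"block": 0, "proxy": 0, "allow": 0}
    for d in trail:
        summary[d.action] += 1
    return trail, summary


if __name__ == "__main__":
    # Constructed sample lookups.
    trail, summary = resolve_batch(
        ["CDN.Malware-Drop.example.", "newsite.example", "docs.example.org"]
    )
    for d in trail:
        print(f"{d.qname:28} {d.category:20} {d.action:6} {d.answer or 'upstream':14} {d.reason}")
    print(summary)
```

In a real deployment the "answer" would be handed back as the DNS response, and the allow path would forward the query to an upstream resolver; the model above keeps only the policy decision, which is what the audit trail records.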

5.2 Extending Protection Beyond the Perimeter

From the ground up, the Umbrella platform was built with a bi-directional API to support integrations
with other systems, including specialized security solutions, threat intelligence platforms, various other
networking products and any custom software tools – allowing you to extend protection beyond the
corporate network and to leverage existing tools from both Cisco and other security providers.
Currently, Umbrella offers pre-built integrations with around a dozen security providers – like Splunk,
FireEye or Anomali – and also supports up to 10 custom integrations. In addition, the platform is
integrated with multiple products across the Cisco Portfolio, including Meraki MR access points, Cisco
Wireless LAN controllers, and the Cisco ISR 1K & 4K series.
To extend protection to Software-as-a-Service (SaaS) solutions, Umbrella can be integrated with Cisco
Cloudlock – the company’s Cloud Access Security Broker (CASB) solution that focuses on enforcing
corporate security and compliance policies across cloud services.
KuppingerCole has reviewed Cloudlock in detail in the latest Leadership Compass on Cloud Access
Security Brokers and recognized its strong capabilities in such areas as the wide range of SaaS products
covered out of the box, abnormal user behavior detection, and app risk ratings. When working in
conjunction with Umbrella, Cloudlock operates as an API-based CASB, thus providing a simple and
effective cloud app security and control solution that deploys easily, works transparently for all users, yet
is nearly impossible to bypass.
Leveraging both Umbrella and Cloudlock together provides organizations with comprehensive
protection of both internet and cloud service usage. One example of the synergy between the two
solutions is Umbrella’s App Discovery and Blocking. This feature provides comprehensive insights into all
shadow IT and cloud app usage and allows companies to easily and selectively block access to unwanted
services with Umbrella. The company continues to actively develop additional integrations between the
two solutions to enable further innovative security and compliance capabilities.

5.3 Additional Capabilities

To address the different requirements of companies of various sizes and budgets, Cisco offers several
packages of Umbrella, ranging from Professional, aimed at small companies, to Platform for large
enterprises with their own security teams. A separate package with limited functionality for Wi-Fi protection
is available as well.
Security experts interested in advanced forensic investigation capabilities may opt for an additional
license for Umbrella Investigate – a tool for accessing the complete threat intelligence library. The
Investigate Console provides a dynamic search engine for flexible querying and pivoting on various data
points to support forensic analysis. The Investigate API provides automated access to this data to import
additional context data into a SIEM, threat intelligence or incident response platform.
Looking back at the key selection criteria we’ve defined in the previous chapter, we can confidently say
that Cisco Umbrella fulfills them all and even goes beyond in functionality and integration capabilities.
Of course, a Secure Internet Gateway (or even a full-featured Security Cloud) alone will never replace all
traditional security tools - be it next-generation firewalls, endpoint detection and response solutions, or
API security gateways.

Still, Cisco Umbrella does offer a unified cloud-based security platform that provides
coverage across on-premises, cloud and mobile environments that can serve as the
first line of defense in your multi-layered IT security infrastructure.

6 Recommendations

The rapid adoption of cloud services and the increasingly mobile workforces employed by modern businesses
have profoundly changed the way they operate. On one hand, these new technologies have
significantly improved business productivity and reduced operational costs, yet on the other, they have
introduced multiple new security and compliance challenges.
All this has led to a significant increase in the complexity and heterogeneity of corporate IT infrastructure
and thus to the continued disappearance of traditional security perimeters. Even worse, these
developments are fast and unpredictable, making even basic IT operations, let alone enforcing
security and compliance policies with perimeter-based tools, difficult and costly.
This requires a major rethinking of the way modern corporate security architectures are designed. On
one hand, this paradigm shift calls for drastic measures – no wonder that new revolutionary approaches
like Zero Trust networking are gaining traction. On the other hand, the “rip and replace” method won’t
work for most organizations: there are still too many legacy systems which will remain on-premises for
years and there are no turn-key products that can magically transform existing infrastructures in one
step anyway.
Keeping up with the modern cybersecurity and compliance challenges without breaking the bank
requires careful planning. We recommend considering the following:
• Always have a long-term strategy with a bold final goal (like the full implementation of the Zero
Trust paradigm), but keep in mind that this goal will never be achieved in a single step. Or ever, for
that matter. However, every change you make in your IT infrastructure should bring you closer to
the goal.

• Do not disregard existing security tools – even if they cannot keep up with the newest challenges,
every tool still has a job to fulfill in the grand scheme of things which is your multi-layered “defense-
in-depth” security architecture.

• In the era of the cloud, your security architecture must be cloud-ready as well. Still, do not expect to
go 100% cloud anytime soon and plan your strategy to be heterogeneous and hybrid by design.

• Do not view cloud-delivered security solutions as mere traditional tools hosted in the cloud. To be
able to utilize the full potential of the Security Cloud, look for products designed to be cloud-native –
distributed, scalable and always available - from the ground up. Do not let a cloud gateway become
a single point of failure.

• Carefully consider the key Security Cloud capabilities outlined earlier in this document and look for
solutions that can deliver the full potential of the cloud yet manage to avoid the common pitfalls of
such solutions.

7 Copyright

© 2019 KuppingerCole Analysts AG all rights reserved. Reproduction and distribution of this publication in any form are forbidden
without prior written permission. All conclusions, recommendations, and predictions in this document represent KuppingerCole’s
initial view. Through gathering more information and performing deep analysis, positions presented in this document will be
subject to refinements or even major changes. KuppingerCole disclaims all warranties as to the completeness, accuracy and/or
adequacy of this information. Even if KuppingerCole research documents may discuss legal issues related to information security
and technology, KuppingerCole does not provide any legal services or advice and its publications shall not be used as such.
KuppingerCole shall have no liability for errors or inadequacies in the information contained in this document. Any opinion
expressed may be subject to change without notice. All product and company names are trademarks™ or registered® trademarks
of their respective holders. Use of them does not imply any affiliation with or endorsement by them.

The Future of Information Security – Today

KuppingerCole supports IT professionals with outstanding expertise in defining IT strategies and in
relevant decision-making processes. As a leading analyst company, KuppingerCole provides first-hand
vendor-neutral information. Our services allow you to feel comfortable and secure in taking decisions
essential to your business.

KuppingerCole, founded in 2004, is a global Analyst Company headquartered in Europe focusing on
Information Security and Identity and Access Management (IAM). KuppingerCole stands for expertise,
thought leadership, outstanding practical relevance, and a vendor-neutral view on the information
security market segments, covering all relevant aspects like: Identity and Access Management (IAM),
Governance & Auditing Tools, Cloud and Virtualization Security, Information Protection, Mobile as well
as Software Security, System and Network Security, Security Monitoring, Analytics & Reporting,
Governance, and Organization & Policies.

For further information, please contact clients@kuppingercole.com

KuppingerCole Analysts AG
Wilhelmstr. 20-22
65185 Wiesbaden | Germany

Phone +49 (211) 23 70 77 – 0
Fax +49 (211) 23 70 77 – 11
www.kuppingercole.com