
Cisco Umbrella

The first line of defense: DNS-layer security


Umbrella’s global network reveals threat trends

• 8 out of 10 targeted by malware
• 5 out of 10 targeted by cryptomining
• 2 out of 10 targeted by ransomware
• 5 out of 10 targeted by trojans
• 4 out of 10 targeted by phishing

Source: Cisco Umbrella Research (Midmarket, <5,000 users, January 2019 – June 2019)

Threats create frequent, costly breaches

• 1 in 4 face risk of a major breach in the next 24 months
• $3.92M average cost of data breach

Source: Ponemon 2019 Cost of a Data Breach Study

Our new reality

• Move to direct internet access
• Networks transform with SD-WAN
• More mobile workforce
• Apps, data (and more!) move to cloud
• Increase in encrypted traffic (SSL, 5G)

Leads to gaps in visibility and protection

Attackers aren’t sitting idly by...

Security teams struggle

Orchestration
79% struggle to orchestrate
alerts across vendors

Source: Cybersecurity Ventures Cybersecurity Jobs 2019 Report | Cisco 2019 CISO Benchmark Survey
End complexity
Simplify with DNS-layer security

© 2019 Cisco and/or its affiliates. All rights reserved. Cisco Confidential
90% of malware use DNS in attacks

Often used, not often monitored

68% of organizations don’t monitor their DNS

Source: Cisco Security Research Report

Untapped gold mine

• 1 in 3 reported breaches could have been controlled by DNS
• $100-200B global losses could have been prevented by DNS

Sources: CGA Report: The Economic Value of DNS Security

Why is DNS useful for security?

• First step in connecting to the internet
• Precedes file execution and IP connection
• Used by nearly all devices

[Diagram: DNS lookup on the way to the internet, Cisco.com resolving to 72.163.4.161]

Meet Cisco Umbrella

Umbrella DNS-layer security

Benefits
• See all internet traffic across users
• Block attacks earlier
• Contain malware if already inside
• Easily enforce content web filtering
• Manage and block cloud apps
• Gain context for faster investigation

[Diagram labels: Malware, C2 Callbacks, Phishing; First line; NGFW, SWG, Sandbox, DLP, Router/UTM, AV; HQ, BRANCH, ROAMING]

Enterprise-wide coverage in minutes

On-network coverage
• With one setting change
• Integrated with Cisco SD-WAN, Cisco ISR 1K and 4K series, Cisco Meraki MR, and Cisco WLAN controllers

Off-network laptop coverage
• With AnyConnect VPN client integration
• Or with any VPN using lightweight Umbrella client
• Or with Umbrella Chromebook client

Off-network mobile coverage
• With Cisco Security Connector

[Diagram labels: ANY DEVICE ON NETWORK; ROAMING / MOBILE; BRANCH OFFICES]

Large, global footprint
• 30+ data centers worldwide

Reliable, fast global network
• Anycast automatically re-routes to next fastest available
• 100% business uptime since 2006

[Diagram labels: YVR 208.67.222.222; DFW 208.67.222.222]

Unmatched view of the internet

• 200B requests per day
• 100M daily active users
• 18.5K enterprise customers
• 190+ countries worldwide

Unmatched threat intelligence

Massive & diverse data
• 200B requests per day
• Represents 100M active users, 18.5K enterprise customers
• From 190+ countries

Security researchers
• Industry renowned researchers
• Build models that can automatically classify and score domains and IPs

Models
• Dozens of models continuously analyze millions of live events per second
• Automatically uncover malware, ransomware, and other threats

Statistical models
2M+ live events per second
11B+ historical events

• Spike rank model: Detect domains with sudden spikes in traffic
• Co-occurrence model: Identifies other domains looked up in rapid succession of a given domain
• Predictive IP space monitoring: Analyzes how servers are hosted to detect future malicious domains
• Natural language processing model: Detect domain names that spoof terms and brands
• Dozens more models

Umbrella Investigate
Rich threat intelligence: respond faster to malicious domains, IPs, and internet-borne malware

• Live graph of DNS requests and other contextual data
• Correlated against statistical models
• Discover and predict malicious domains and IPs
• Enrich security data with global intelligence

[Diagram labels: domains, IPs, ASNs, file hashes; Console; API; SIEM, TIP]

APIs to easily enable integration
Enrich data and extend protection across existing tools and workflows

[Diagram: CUSTOMER ENVIRONMENT (network devices, security stack, workflow) alongside UMBRELLA APIs (Network device API, Enforcement API, Investigate API, Reporting API, Management API)]

What sets Umbrella apart from competitors

• Fastest and most reliable cloud infrastructure
• Broadest coverage of malicious destinations and files
• Most open platform for integration
• Easiest connect-to-cloud deployment
• Most predictive intelligence to stop threats earlier

Meet our customers

Survey says: time to value

• >85% report time to value in under a week
• >50% report time to value in under a day

Sources: TechValidate of Cisco Umbrella customers


Survey says: reduced incidents and alerts

75%
reduction in malware
50%
reduction in alerts

Sources: TechValidate of Cisco Umbrella customers


Why do an Umbrella POV?

It’s the easiest POV you’ll ever do.
1) Sign up 2) Point DNS 3) Done

After your POV, you’ll receive a custom security report to help answer:
• How effective is this solution?
• How does it compare (or add) to my current security stack?
• Does it deliver great time-to-value?

Uncover more with Umbrella
Across 200+ recent POVs:

• 50% encountered APT (Advanced Persistent Threat)
• 82% encountered ransomware
• 77% encountered phishing
• 81% encountered C2 callback
• 86% encountered Angler
• 74% encountered Locky

653 C2 callbacks blocked
1150 malware requests blocked

Umbrella deployment scenarios

Appropriate for small branch offices with no internal domain applications

Protect on-network devices via gateway’s DHCP

[Diagram: YOUR NETWORK behind the internet gateway, DNS server 208.67.222.222, network egress IP 67.215.87.11; Umbrella at 208.67.222.222. Your policy: enforce all security settings for 67.215.87.11. Label: Default]

Protect on-network devices via partner network device

[Diagram: YOUR NETWORK behind the partner internet gateway, DNS server 208.67.222.222, network egress IP 67.215.87.11; Umbrella at 208.67.222.222. Your policy: enforce all security settings for 67.215.87.11. Labels: Supported, +Custom]

Appropriate for any size office with internal domain applications

Protect on-network devices using Cisco ISR 4K

[Diagram: YOUR NETWORK with a WORKSTATION VLAN and a SERVER VLAN, each using DNS server 208.67.222.222, behind a Cisco ISR 4K that inserts VLAN identity in the EDNS request, encrypts and forwards; network egress IP 67.215.87.11; Umbrella at 208.67.222.222. Your policy: enforce all security settings for Workstation VLAN or Server VLAN]

Protect on-network devices using Cisco WLAN controller

[Diagram: YOUR NETWORK with an EMPLOYEE WI-FI SSID and a GUEST WI-FI SSID, each using DNS server 208.67.222.222, behind a Cisco WLAN controller that inserts SSID identity in the EDNS request and forwards; network egress IP 67.215.87.11; Umbrella at 208.67.222.222. Your policy: enforce all security settings for Employee Wi-Fi SSID or Guest Wi-Fi SSID]

Protect on-network devices via DNS server

[Diagram: YOUR NETWORK with a laptop (IP 10.1.1.3, DNS server 10.1.1.1) and an internal DNS server (server IP 10.1.1.1, external DNS resolution 208.67.222.222) behind the internet gateway; network egress IP 67.215.87.11; Umbrella at 208.67.222.222. Your policy: enforce all security settings for 67.215.87.11]

Protect internal networks via Umbrella virtual appliance

[Diagram: YOUR NETWORK with a laptop (IP 10.1.1.3), an internal DNS server (server IP 10.1.1.1) and an Umbrella VA (appliance IP 10.1.1.2) that inserts 10.1.1.3, GUID and Org ID in the EDNS request, encrypts and forwards; network egress IP 67.215.87.11; Umbrella at 208.67.222.222. Your policy: enforce all security settings for 10.1.1.3. Other labels: DNS server 10.1.1.1; internal domains office.acme.com]

Protect AD users via Connector and Umbrella virtual appliance

[Diagram: YOUR NETWORK with an AD server w/AD connector that associates CEO with EXEC group (via HTTPS push) and associates CEO with 10.1.1.3; the CEO's laptop (IP 10.1.1.3); an internal DNS server (DHCP IP 10.1.1.1); and an Umbrella VA (appliance IP 10.1.1.2) that inserts 10.1.1.3, GUID and Org ID in the EDNS request, encrypts and forwards; network egress IP 67.215.87.11; Umbrella at 208.67.222.222. Your policy: enforce all security settings for EXEC group (GUID = CEO, a member of EXEC group). Other labels: DNS server 10.1.1.1; internal domains office.acme.com]

Appropriate for laptops at any managed or unmanaged location, with or without internal domain applications

Protect off-network Win/Macs via Umbrella roaming client

[Diagram: a laptop on ANY NETWORK running the AnyConnect roaming security module or the Umbrella roaming client, which embeds a unique device ID and GUID (if AD) in the EDNS request, encrypts and forwards through the internet gateway to Umbrella at 208.67.222.222; network egress IP N/A; DNS server N/A. Your policy: enforce all security settings based on user identifiers]
