The latest and greatest

It’s Time for a New Era in Advanced Threat Analysis
Rob Gregg
Tuesday 13th December
Why Cisco Umbrella?
DNS service built for the world’s largest cloud security platform

Global Network
• 80B+ DNS requests/day
• 65M+ biz & home users
• 100% uptime
• Any port, protocol, app
+
Predictive intelligence
• Security research team
• Statistical models
• 3D visualization engine
• Automated classification
=
7M+ unique malicious destinations enforced at any given time, at the DNS layer
Common Security Challenges
• 50% of PCs are mobile; 70% of offices go direct: most mobile & remote workers don’t keep VPN always on, most branch offices don’t backhaul traffic, and most new endpoint tools only detect
• 70-90% of malware is unique to each org: signature-based tools, reactive threat intelligence, and isolated security enforcement cannot stay ahead of attacks
• Shortage of security talent: many tools require more resources than you have available to make work
Problems We Solve
• Breach and malware protection: prevent data exfiltration and system compromise by blocking command & control callbacks and malicious sites
• Internet-wide visibility: speed up incident response with a live, up-to-date view of the Internet
• Web filtering and cloud/IoT visibility: enforce acceptable use, see cloud services & IoT devices in use, and keep guest Wi-Fi safe
What makes up the Cisco Umbrella product line?
• Cisco Umbrella Investigate (intelligence): insight into the Internet infrastructure used for attacks; uncovers current and future malicious places
• Cisco Umbrella (enforcement): enforce security at the DNS & IP layers; block malware, phishing, & C2 callbacks
Umbrella: The Fastest & Easiest Way To Block Threats
Enforcement inputs:
• Security Labs: domains, IPs, URLs (via statistical models)
• Custom: domains (via APIs)
Enforcement and identity categories: category, identity (internal IP, hostname, external IP, AD user), threat (OpenDNS), threat (3rd-party), cloud service, web content, custom
DNS resolver: 208.67.222.222
Benefits:
• Simple to point DNS w/o technical or pro services
• No hardware to install
• No software to maintain
• Provision globally in under 30 minutes
• Infinitely scalable enforcement platform
Adds A New Layer of Breach Protection
• Threat prevention: not just threat detection
• Protects on & off network: not limited to devices forwarding traffic through on-prem appliances
• Always up to date: no need for the device to VPN back to an on-prem server for updates
• Block by domains, IPs & URLs for all ports: not just IP addresses or domains only over ports 80/443
Turnkey & Custom API-Based Integrations
Works with what you already have; does not require professional services to set up.
Indicators of Compromise flow from threat detection (+ others), threat analysis & intel feeds (+ others), and threat intel platforms (+ custom) into Umbrella enforcement & visibility, which logs or blocks domains sent from partner or custom systems.
Automate Security to Reduce Attack Dwell Time
Customer & partner community submit files to AMP Threat Grid (Unified Analysis & Intelligence):
• Dynamic & static malware analysis identifies key behavioral indicators
• Threat content enriched with global & historical context for accuracy
Threat Grid domains feed Umbrella (Enforcement & Visibility):
• Automatically pulls newly discovered malicious domains in minutes
• Logs & blocks all customer Internet activity destined to these domains
Where Does Umbrella Fit?
On network (all other traffic / web traffic / email traffic to the Internet):
• Umbrella: resolve/block by domain, IP, or URL
• ASA: DPI/block by IP, URL, packet, or file
• WSA/CWS: proxy/block by URL, content, or file
• ESA/CES: blocks by sender, content, or file
Off network (all other traffic / web traffic / email traffic to the Internet):
• Umbrella: resolve/block by domain, IP, or URL
• CWS: proxy/block by URL, content, or file
• ESA/CES: blocks by sender, content, or file
Investigate: The Most Powerful Way to Uncover Attacks
Key points:
• Intelligence about domains and IPs across the Internet
• Live graph of DNS requests & other contextual data
• Correlated against statistical models
• Discover & predict malicious domains & IPs
• Enrich security data with global threat intelligence
Domains, IPs & ASNs are queried via the API, the console, a SIEM, etc.
Investigate Adds A Single, Correlated Source of Information
• Passive DNS database
• WHOIS record data
• Domain reputation scores
• ASN attribution
• IP geolocation
• IP reputation scores
• Domain co-occurrences
• Anomaly detection (DGAs, FFNs)
• DNS request patterns/geographic distribution
Our Perspective: Diverse Set of Data
• 80B requests per day
• 65M daily active users
• 160+ countries
• 10K enterprise customers
How Our Security Classification Works
• Ingest: millions of data points per second
• Apply: statistical models and human intelligence
• Identify: probable malicious sites
(illustrative destinations in the diagram: a.ru, b.cn, 7.7.1.3, e.net, p.com/jpg, 5.9.0.1)
Use Our Global Intelligence To…
You know one IOC; we know all its relationships. Your local intelligence + our global context:
• Speed up investigations
• Stay ahead of attacks
• Prioritize investigations & response
• Enrich security systems with live data
Cisco’s Strategy: Security Everywhere
Edge, campus, data center, cloud, branch, operational technology, endpoint
Umbrella Works With Everything You Use
Future-proof extensibility, secure APIs, open to everyone: any network, any endpoint (VPN, IoE), any technology.
• Customers: in-house security systems
• Network providers: routers, Wi-Fi, SDN (Meraki, Aruba, Aerohive)
• Security providers: firewalls, gateways (FireEye, Cisco, Check Point)
OpenDNS Adds to Cisco’s Security Portfolio Before, During, and After an Attack
Attack continuum:
• Before (discover, enforce, harden), Umbrella and Umbrella Investigate: stay ahead of future attacks by blocking malicious domains, IPs, and ASNs
• During (detect, block, defend), Umbrella: block callbacks and exfiltration on any port, protocol, or app at the DNS & IP layers
• After (scope, contain, remediate), Umbrella Investigate: query live threat intelligence of all the domains & IPs on the internet
Enterprises Worldwide Use Cisco Umbrella
Higher education, petroleum refineries, brokerage firms, IT services, engineering services, law firms/legal, retail stores, insurance agencies, supermarkets, restaurants, physicians’ offices, pharmaceutical manufacturers, hospitals, R&D organizations, credit unions, commercial banks, public administration, telecommunication providers
Cisco Advanced Malware Protection (AMP)
Continuous Analysis and Retrospective Security
Only AMP continuously monitors and analyzes all file activity, regardless of disposition, across all control points: email, web, network, endpoints, mobile.
Take advantage of key capabilities to answer the questions that matter:
• Identify a threat’s point of origin
• Track its rate of progression and how it spread
• See where it’s been
• See what it is doing
• Surgically target and remediate
The AMP Everywhere Architecture
AMP Protection across the Extended Network for an Integrated Threat Defense
• AMP Threat Intelligence Cloud
• Threat Grid: malware analysis + threat intelligence engine
• AMP for Endpoints: Windows, Mac OS, Android mobile, virtual; CentOS and Red Hat Linux for servers and datacenters; can be launched from Cisco AnyConnect®
• Remote endpoints
• AMP on FirePOWER NGIPS appliance (AMP for Networks)
• AMP on Cisco® ASA firewall with FirePOWER™ Services
• AMP on Web and Email Security Appliances
• AMP on Cloud Web Security and Hosted Email (CWS/CTA)
• AMP on ISR with FirePOWER Services
• AMP on Meraki® MX
• AMP Private Cloud virtual appliance
Gain security backed by the most advanced threat intelligence
• 250+ full-time threat intel researchers
• 100 TB of data received daily
• 1.5 million daily malware samples
• Millions of telemetry agents
• 600 billion daily email messages
• 16 billion daily web requests
• 24x7x365 operations
• Global scanning
• 30 years building the world’s networks
• 4 global data centers
• Over 100 threat intelligence partners