email to ransomware kill-chain, w/mitigation points · key ingredients passion founded in 1997...

Posted on 06-Jun-2020


Page 1: Email to Ransomware kill-chain, w/mitigation points · Key Ingredients PASSION Founded in 1997 Started, Managed, and Led by Engineers ... - EXCITED FOR SUCCESSFUL BUSINESS TRANSFORMATION

Welcome

Page 2

Our Story

4 Key Ingredients

PASSION

▪ Founded in 1997

▪ Started, Managed, and Led by Engineers

▪ Known & Recognized for our Engineering

Page 3

Core Technologies

5 Verticals

MANAGED SERVICES

▪ Dedicated Teams for Each Vertical

▪ 75% of Our Staff Are Engineers

▪ Home Grown Engineers

Page 4

Commitment

1 Pledge

▪ Thrilled for our first engagement

▪ Focused on achieving the next engagements

▪ Quick Response and Delivery Times

▪ Phenomenal Engineering and Support

PARTNERSHIP

WE ARE YOUR PARTNER

- DEDICATED TO SUPERIOR SOLUTIONS

- PASSIONATE IN TECHNOLOGY

- EXCITED FOR SUCCESSFUL BUSINESS TRANSFORMATION

- COMMITTED TO OUR CONSULTATIVE PARTNERSHIP

Page 5

CISCO UMBRELLA: Introduction & Demo

LA Networks

Alex Wehmeier

[email protected]

February 2018

Page 6

THE CHALLENGE:

• Implementing network security products is difficult

• Today’s mobile workforce needs on-network and off-network protection

• Many companies require web filtering and proxy solutions

Page 7

WHAT IS UMBRELLA:

• Filters and blocks DNS requests to known-bad hosts before a TCP/IP connection is even established

• Removes a large share of incidents that would otherwise have to be analyzed by traditional security controls (firewalls, IDS/IPS, AV, URL filtering, etc.)

• OpenDNS started as a DNS provider (2006)

• Added filtering and blocking features (2007)

• Created business-specific offering (2009)

• Created Umbrella suite (2012) and Investigate feature (2013)

• Cisco acquired OpenDNS (Aug 2015)

Page 8

WHAT IS DNS?

DNS = Domain Name System

• First step in connection

• Precedes file execution and contact

• Used by all devices, browsers, applications

• Port agnostic

Diagram: Umbrella resolving Cisco.com to 72.163.4.161

Page 9

UMBRELLA GLOBAL NETWORK: VIEW OF THE INTERNET

▪ 125B requests per day

▪ 15K enterprise customers

▪ 90M daily active users

▪ 160+ countries worldwide

Page 10

WHERE DOES UMBRELLA FIT?

Diagram: Umbrella is the first line of defense against malware, C2 callbacks and phishing, sitting ahead of the existing controls at HQ (sandbox, NGFW, proxy, Netflow, AV), at the branch (router/UTM, AV) and on roaming devices (AV).

Benefits

▪ Block malware before it hits the enterprise

▪ Contains malware if already inside

▪ Internet access is faster

▪ Provision globally in minutes

Page 11

BREADTH TO COVER ALL PORTS AND DEPTH TO INSPECT RISKY DOMAINS

ALLOW, BLOCK, PROXY

INTERNET-WIDE TELEMETRY

PREDICTIVE UPDATES

DNS and IP layer

▪ Inputs: Umbrella / Talos and partner feeds; custom domain lists; custom IP lists (future); Umbrella statistical & machine learning models

▪ Decided on the domain request and on the IP response (DNS-layer) or connection (IP-layer)

▪ Verdict: ALLOW OR BLOCK

HTTP/S layer

▪ Inputs: WBRS / Talos + partner feeds; custom URL lists; AV; AMP

▪ Decided on the URL request and the file hash

Page 12

INTELLIGENCE TO SEE ATTACKS BEFORE LAUNCHED

Data

▪ Cisco Talos feed of malicious domains

▪ Cisco Threat Grid file-based intelligence (1.5M+ daily samples)

▪ Umbrella DNS data: 125B requests per day

Security researchers

▪ Industry-renowned researchers

▪ Build models that can automatically classify and score domains and IPs

Models

▪ Dozens of models continuously analyze millions of live events per second

▪ Automatically uncover malware, ransomware, and other threats

Page 13

STATISTICAL MODELS

Guilt by inference

▪ Co-occurrence model

▪ Sender rank model

▪ Secure rank model

Guilt by association

▪ Predictive IP Space Modeling

▪ Passive DNS and WHOIS Correlation

Patterns of guilt

▪ Spike rank model

▪ Natural Language Processing rank model

▪ Live DGA prediction

2M+ live events per second

11B+ historical events

Page 14

CO-OCCURRENCE MODEL: Domains guilty by inference

Diagram: a timeline (time - to time +) of requested domains a.com b.com c.com x.com d.com e.com f.com, where x.com is the known malicious domain and the domains requested immediately before and after it are labelled as possible malicious domains.

Co-occurrence of domains means that a statistically significant number of identities have requested both domains consecutively in a short timeframe.
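As an added illustration (not code from the deck or from Cisco), the following Python sketch applies the co-occurrence idea to a constructed per-identity DNS query log: a domain becomes a candidate when it is requested immediately before or after a known malicious domain within a short window, and it is flagged only when enough distinct identities show that pairing. The minimum-identity threshold is an assumed stand-in for the statistical-significance test the slide refers to.

```python
from collections import defaultdict

# Constructed DNS query log for the example: (timestamp in seconds, identity, domain).
# Identities and timings are made up; x.com plays the slide's known malicious domain.
QUERY_LOG = [
    (100, "id1", "a.com"), (101, "id1", "x.com"), (102, "id1", "d.com"),
    (200, "id2", "b.com"), (201, "id2", "x.com"), (203, "id2", "d.com"),
    (300, "id3", "c.com"), (301, "id3", "x.com"), (302, "id3", "d.com"),
    (400, "id4", "a.com"), (401, "id4", "x.com"), (402, "id4", "e.com"),
    (500, "id5", "f.com"), (503, "id5", "x.com"), (505, "id5", "d.com"),
    # id6 asks for x.com and, minutes later, an unrelated popular domain: not consecutive
    (600, "id6", "x.com"), (900, "id6", "popular.example"),
]
KNOWN_MALICIOUS = {"x.com"}


def cooccurrence_counts(log, known_bad, window=5):
    """For each non-listed domain, count the distinct identities that requested it
    immediately before or after a known malicious domain, within `window` seconds."""
    by_identity = defaultdict(list)
    for ts, ident, domain in log:
        by_identity[ident].append((ts, domain))
    identities_seen = defaultdict(set)
    for ident, events in by_identity.items():
        events.sort()  # order this identity's requests by time
        for i, (ts, domain) in enumerate(events):
            if domain not in known_bad:
                continue
            # Only the neighbouring requests count as "consecutive"
            for j in (i - 1, i + 1):
                if 0 <= j < len(events):
                    nts, ndom = events[j]
                    if ndom not in known_bad and abs(nts - ts) <= window:
                        identities_seen[ndom].add(ident)
    return {domain: len(ids) for domain, ids in identities_seen.items()}


def possible_malicious(log, known_bad, window=5, min_identities=3):
    """Domains whose co-occurrence with a known malicious domain is seen across
    at least `min_identities` identities (assumed stand-in for a significance test)."""
    counts = cooccurrence_counts(log, known_bad, window)
    return sorted(d for d, n in counts.items() if n >= min_identities)


if __name__ == "__main__":
    print(cooccurrence_counts(QUERY_LOG, KNOWN_MALICIOUS))
    print(possible_malicious(QUERY_LOG, KNOWN_MALICIOUS))  # ['d.com']
```

On the constructed log only d.com clears the threshold; a.com is seen with x.com by two identities and popular.example never, which is the distinction between a pairing and a coincidental request.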

Page 15

SPIKE RANK MODEL: Patterns of guilt

Chart: DNS requests for y.com plotted over days (chart labels: DGA, MALWARE, EXPLOIT KIT, PHISHING).

▪ Massive amount of DNS request volume data is gathered and analyzed

▪ DNS request volume matches known exploit kit pattern and predicts future attack

▪ y.com is blocked before it can launch full attack
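Added example, not from the deck: a toy version of the spike rank idea in Python that slides an assumed exploit-kit volume pattern over constructed daily DNS request counts for y.com and reports the first day whose recent shape correlates with the pattern, which lands before the peak day. The pattern, the series and the correlation threshold are all assumptions made for this example.

```python
import math

# Constructed daily DNS request counts for y.com (made up for this example, not Umbrella data)
Y_COM_DAILY = [3, 2, 4, 3, 5, 12, 40, 150]
# A benign domain with flat request volume, for comparison (also constructed)
BENIGN_DAILY = [3, 2, 4, 3, 5, 3, 4, 3]
# Assumed reference shape of an exploit-kit staging ramp: quiet, then a sharp climb
EXPLOIT_KIT_PATTERN = [1, 1, 1, 3, 10, 40]


def pearson(xs, ys):
    """Pearson correlation of two equal-length series (0.0 if either is constant)."""
    n = len(xs)
    mx, my = sum(xs) / n, sum(ys) / n
    cov = sum((x - mx) * (y - my) for x, y in zip(xs, ys))
    sx = math.sqrt(sum((x - mx) ** 2 for x in xs))
    sy = math.sqrt(sum((y - my) ** 2 for y in ys))
    return 0.0 if sx == 0 or sy == 0 else cov / (sx * sy)


def spike_rank(daily, pattern, threshold=0.95):
    """Slide `pattern` over `daily`; return (correlation, day_index) for the earliest
    window whose shape matches at or above `threshold`, else (best_correlation, None)."""
    w = len(pattern)
    best = 0.0
    for end in range(w, len(daily) + 1):
        r = pearson(daily[end - w:end], pattern)
        if r >= threshold:
            return r, end - 1
        best = max(best, r)
    return best, None


if __name__ == "__main__":
    r, day = spike_rank(Y_COM_DAILY, EXPLOIT_KIT_PATTERN)
    peak = Y_COM_DAILY.index(max(Y_COM_DAILY))
    print(f"y.com matched on day {day} (r={r:.3f}), before the peak on day {peak}")
    print(spike_rank(BENIGN_DAILY, EXPLOIT_KIT_PATTERN))  # no match for the flat series
```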

Page 16

PREDICTIVE IP SPACE MONITORING: Guilt by association

▪ Pinpoint suspicious domains and observe their IP's fingerprint

▪ Identify other IPs, hosted on the same server, that share the same fingerprint

▪ Block those suspicious IPs and any related domains

Diagram: DOMAIN mapped to the slide's illustrative addresses 209.67.132.476, 209.67.132.477, 209.67.132.478, 209.67.132.479

Page 17

FEATURE LIST

Features

• Protect on or off network

• Stop connections based on 80+ content categories

• AD group membership integration

• Proxy risky traffic

• IP-layer enforcement

• Reporting

• Log retention via Amazon S3

• 3rd party device integrations (Aruba, Cradlepoint, Aerohive)

• Threat enforcement integrations (Splunk, FireEye, Anomali)

• Multi-organizational console

• Umbrella Investigate for direct access to threat intelligence

Page 18

PACKAGES/LICENSING

• Wireless LAN

  • For guest wireless access

• Professional

  • For small companies

• Insights

  • For mid-sized companies

  • Proxy and AD integration

• Platform

  • For advanced security teams

  • Threat enforcement integrations & Investigate access

• User License

  • Per user, per WLAN, per ISR4K, per roaming user

  • Subscription – 12, 36, 60 months

Page 19

DEPLOYMENT TYPES

Network footprint

• Existing DNS/DHCP servers, Wi-Fi APs: simple config change to redirect DNS

• ISR4K (today), WLC (today), Meraki MR (future), vEdge (future)

  ▪ Provisioning and policies per VLAN/SSID; tags for granular filtering and reporting

  ▪ Out-of-the-box integration (Umbrella virtual appliance also available)

Endpoint footprint

• AnyConnect roaming module, Cisco Security Connector (in LA)

  ▪ Granular filtering and reporting on- & off-network (Umbrella roaming client also available)

Page 20

PROTECT ON-NETWORK DEVICES VIA DNS SERVER

Diagram (YOUR NETWORK, network egress IP 67.215.87.11):

▪ Laptop, IP 10.1.1.3, configured with DNS server 10.1.1.1

▪ Internal DNS server, server IP 10.1.1.1, configured to use 208.67.222.222 for external DNS resolution

▪ Internet gateway, through which the internal DNS server forwards external queries to 208.67.222.222

▪ Your policy: Enforce all security settings for 67.215.87.11 (the network is identified by its egress IP)

Page 21

PROTECT INTERNAL NETWORKS VIA UMBRELLA VIRTUAL APPLIANCE

Diagram (YOUR NETWORK, network egress IP 67.215.87.11):

▪ Laptop, IP 10.1.1.3, sends its DNS queries to the Umbrella VA

▪ Umbrella VA, appliance IP 10.1.1.2, configured with internal DNS server 10.1.1.1 and internal domains office.acme.com

▪ Internal DNS server, server IP 10.1.1.1, answers the queries for the internal domains

▪ For all other names the VA inserts 10.1.1.3, the GUID and the Org ID in an EDNS request, encrypts it and forwards it through the Internet gateway to 208.67.222.222

▪ Your policy: Enforce all security settings for 10.1.1.3 (the device is identified by the internal IP carried in EDNS)

Page 22

PROTECT AD USERS VIA CONNECTOR AND UMBRELLA VIRTUAL APPLIANCE

Diagram (YOUR NETWORK, network egress IP 67.215.87.11):

▪ Laptop, IP 10.1.1.3, used by the CEO

▪ DHCP IP 10.1.1.1

▪ AD server with AD connector: associates CEO with 10.1.1.3, and associates CEO with the EXEC group (via HTTPS push)

▪ Umbrella VA, appliance IP 10.1.1.2, configured with internal DNS server 10.1.1.1 and internal domains office.acme.com; inserts 10.1.1.3, GUID and Org ID in the EDNS request, encrypts and forwards it through the Internet gateway to 208.67.222.222

▪ Internal DNS server 10.1.1.1

▪ Your policy: Enforce all security settings for EXEC group (GUID = CEO, a member of EXEC group)

Page 23

DEPLOYMENT STEPS/ORDER

• Cloud service setup

• Set up internal domains and IP addresses (internal & public)

• Virtual Appliances (VA)

• AD connectors

• AD configuration script

• Set up user/group identities

• Define security policies (URL, block, whitelist)

• Set up SSL cert trust & enable proxy

• Set up mobile users

• Set up Apple iOS users

Page 24

DEMO

• Cisco dCloud

• Dashboard

• Reporting

• Settings

• Investigate

Page 25

CISCO CLOUDLOCK: Introduction & Demo

LA Networks

Alex Wehmeier

[email protected]

February 2018

Page 26

THE PROBLEM

• Ever-increasing use of sanctioned and unsanctioned (shadow IT) cloud services by corporate users

• Exposure to attacks, misuse, and accidental data breaches

• Regulatory and internal security compliance headache

Page 27

WHAT IS CLOUDLOCK?

• Company founded in 2011

• Acquired by Cisco in 2017

• Cloud-native cloud access security broker (CASB) that works through the cloud services' native APIs

• It protects cloud users, data, and apps, for example against:

  • Users logged in to cloud apps from multiple geographic places

  • Files inadvertently shared publicly

  • Users granting access via OAuth to malicious cloud apps (blocked)

Page 28

FEATURES

• Data Security & Compliance (Data Loss Prevention)

• Threat Protection (User and Entity Behavior Analytics)

• Application Discovery & Control (App Firewall)

• Integration & Orchestration (aggregates feeds to SIEMs)

Page 29

CLOUD SERVICES

• 8 main services

• 2 main add-ons

Page 30

FEATURES

• Cloudlock aggregates data feeds across existing IT infrastructure to enrich security intelligence and harmonize data protection across on-premises and cloud environments for unprecedented insight and control.

Page 31

LICENSING

• Minimum 100 users

• User count is the highest number of users on any one service

• 1 or 3 yr subscriptions

• Basic (email) or Gold (24x7) support options

Page 32

DEPLOYMENT

Page 33

DEPLOYMENT

• Nothing to install; hosted in AWS

• Cloud service setup

  • Pick and enable known cloud services, sharing API keys or OAuth info

• Define security policies

  • User policies

  • Whitelist/Blacklist countries

  • DLP filters

  • Whitelist/Blacklist apps

• Integrate with existing SIEMs

Page 34

DEMO

• Cisco dCloud

• Dashboard

• Incidents

• Policies

• Reporting

Page 35

FIN. Thank you for your time!