#CiscoLive

What's New in Umbrella: Cisco's Secure Internet Gateway

Jonny Noble – Manager, Technical Marketing @JonnyNoble3 DGTL-BRKSEC-2023

Agenda - Video 1 of 3

• Introduction
• Let’s Catch up Since Last Time
• Umbrella’s Secure Web Gateway
• Cloud Delivered Firewall + SD-WAN
• CASB and App Visibility and Control
• Summary

#CiscoLive DGTL-BRKSEC-2023 © 2020 Cisco and/or its affiliates. All rights reserved. Cisco Public

Latest trends and state of cybersecurity

The Traditional Model

• Network: Centralized
• Security: Single place to enforce policies and protection

[Diagram labels: Internet / SaaS / IaaS; MPLS; VPN; Branch office; HQ; Roaming/mobile]

Disruption: To the cloud

• Network: Decentralized
• Security: Protect at data center, cloud, and branch edge

[Diagram labels: Internet / SaaS / IaaS; SD WAN; DIA/DCA; Branch office; HQ; Roaming/mobile]

Resulting Security Challenges

• Gaps in visibility and coverage
• Volume and complexity of security tools
• Limited security resources

Our new reality

• Move to direct internet access
• Networks transform with SD-WAN
• More mobile workforce
• Apps, data (and more!) move to cloud
• Increase in encrypted traffic (SSL, 5G)

Leads to gaps in visibility and protection

Attackers aren’t sitting idly by...

The internet is where attack infrastructure is built

Trends on cyber attacks

• 74% of organizations surveyed have experienced some type of cyber attack in the last 12 months
• 32% of N. American organizations have experienced 5+ cyber attacks
• 68% of organizations surveyed have experienced a compromise of a remote office or roaming user

Source: Cisco Secure Internet Gateway Survey, ESG Research Survey, January 2020

Users and Apps Have Adopted the Cloud… Security must too

• 40% of the workforce is roaming
• 85% of corporate users bypass VPN
• 60% increase in SaaS usage
• 42% of organizations report 250+ branch offices

Security controls must shift to the cloud

Source: Cisco Secure Internet Gateway Survey, ESG Research Survey, January 2020

Cisco Umbrella

[Diagram labels: Cloud-delivered firewall; Web gateway; SaaS usage controls (CASB); DNS-layer security; Correlated threat intel; SD-WAN; ON/OFF NETWORK DEVICES]

What’s New in Umbrella?

Roaming Client Updates

• Hostname sync: Ability for admins to sync the identity name with the true hostname of the computer. Reduces pain of asset management and improves time to threat response
• Password Protection for ERC: Password protection to prevent uninstall and tampering of the Windows roaming client
• IPv6 Support for AnyConnect: Added Dual Stack support (IPv4 and IPv6) for Roaming and Network Identities (slide graphic: 2620:119:35::35)
• SWG supported in AnyConnect: Secure Web Gateway is now supported in AnyConnect. There are now two AnyConnect Umbrella modules, one for DNS and one for SWG

Umbrella for Android

Now

• DNS security for managed devices
• Encryption of DNS queries
• Android 6.0.1 or higher, all manufacturers
• Internal domain support
• Trusted Network Detection

Next

• DNS security for BYOD (unmanaged devices)
• IPv6 support
• User identity support

AnyConnect Android App

https://docs.umbrella.com/deployment-umbrella/docs/umbrella-module-for-anyconnect-android-os

Umbrella and DNSSEC

DNSSEC:

• DNSSEC was developed to protect against cache poisoning attacks
• Digitally signs data
• DNSSEC provides origin authenticity
• Ensures authenticity of records received

Umbrella:

• Umbrella resolvers cannot return DNSSEC resource records to clients
• Leverages different method to provide validity and identity
• Umbrella resolvers use DNSCrypt to protect data and authenticate identity

Umbrella and DNSSEC

Recommended Deployment

• DNSCrypt for secure DNS communication between client and Umbrella
• Verification that responses originated from Umbrella
• Umbrella roaming clients, virtual appliance, network integrations use DNSCrypt by default
• Combination of DNSCrypt and DNSSEC:
  • Provides equivalent protection of full DNSSEC support
  • Umbrella still provides the security protection for which it is intended

DNS over HTTPS (DoH)

• IETF standard for performing DNS queries over a secure, encrypted channel
• Similar outcome as DNSCrypt
• Major browsers and operating systems starting to adopt
• Umbrella now supports DoH
• Customers can encrypt DNS traffic with same level of visibility and protection
• Configuring DoH in Chrome and Firefox: https://support.umbrella.com/hc/en-us/articles/360043574271
• DoH Diagnostics page: https://doh.umbrella.com/help

Controlling DoH in an Enterprise environment

• Customers do want to encrypt DNS queries (DNSCrypt)
• However, with DoH the control can move away to the end user
• Various solutions in Umbrella
• Enterprise policies for managed devices using Chrome and Firefox
• Most DoH clients still require DNS queries
  • Can be blocked through “Proxy/Anonymized” category
• Block IP connections to DoH providers at Firewall
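The point that most DoH clients still need an ordinary DNS lookup to find their resolver can be turned into a detection. The following is an added example, not part of the original slides and not Cisco code: it scans DNS query log lines for lookups of DoH resolver hostnames and groups them by client. The log format, the sample lines and the short hostname list are constructed assumptions.

```python
"""Flag clients that resolve well-known DoH endpoints through ordinary DNS."""
from collections import defaultdict

# Illustrative hostnames of public DoH resolvers (assumption: a short sample,
# not Umbrella's category list).
DOH_HOSTS = {
    "dns.google",
    "cloudflare-dns.com",
    "mozilla.cloudflare-dns.com",
    "dns.quad9.net",
    "doh.opendns.com",
}

# Constructed sample log, assumed format: "<timestamp> <client-ip> <qtype> <qname>"
SAMPLE_LOG = """\
2020-06-02T09:14:01Z 10.1.20.15 A www.example.com.
2020-06-02T09:14:03Z 10.1.20.15 A mozilla.cloudflare-dns.com.
2020-06-02T09:14:09Z 10.1.20.44 AAAA DNS.Google.
2020-06-02T09:15:30Z 10.1.20.44 A dns.google.
2020-06-02T09:16:02Z 10.1.20.71 A notdns.google.example.
malformed line without enough fields
2020-06-02T09:17:45Z 10.1.20.90 A edge.dns.quad9.net.
"""


def normalize(qname):
    """Lower-case a query name and drop the trailing root dot."""
    return qname.strip().lower().rstrip(".")


def is_doh_host(qname):
    """True if qname equals a listed DoH host or is a subdomain of one."""
    labels = normalize(qname).split(".")
    # Compare label-aligned suffixes only, so 'notdns.google.example'
    # cannot match 'dns.google' by substring.
    return any(".".join(labels[i:]) in DOH_HOSTS for i in range(len(labels)))


def find_doh_bootstrap(log_text):
    """Return {client_ip: sorted list of DoH hostnames it looked up}."""
    hits = defaultdict(set)
    for line in log_text.splitlines():
        fields = line.split()
        if len(fields) != 4:
            continue  # skip lines that do not fit the assumed format
        _ts, client, _qtype, qname = fields
        if is_doh_host(qname):
            hits[client].add(normalize(qname))
    return {client: sorted(names) for client, names in hits.items()}


if __name__ == "__main__":
    for client, names in sorted(find_doh_bootstrap(SAMPLE_LOG).items()):
        print(f"{client}: {', '.join(names)}")
```

Clients that show up in the result are the ones to check against the managed-browser policy or the firewall block listed on the slide.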

Virtual Appliances – Supported on all Platforms

• The Umbrella Virtual Appliance now supports deployment on all major cloud platforms and all major on-prem hypervisors

Investigate: Risk Scores

The Umbrella Risk score is made up of hundreds of features that might indicate whether a domain is compromised

Security Indicators provide information on how the overall risk score is calculated

Popularity Index: the number of different hosts querying a domain over time

Lexical Score: Domain shares some lexical content with known malicious domains

CTR and Umbrella Integrations

Configuring Umbrella APIs

Investigate API

Enforcement API

Reporting API

CTR and Umbrella integrations

Seeing the information that comes from the various APIs

Learn more at umbrella.cisco.com/ciscolive

Thank you

Agenda - Video 2 of 3

• Introduction
• Let’s Catch up Since Last Time
• Umbrella’s Secure Web Gateway
• Cloud Delivered Firewall + SD-WAN
• CASB and App Visibility and Control
• Summary


Secure Web Gateway

• Category or Domain Based Selective Decryption
• File Type Controls
• Additional IDPs
• App Blocking & Granular Controls
• Malware Sandboxing (Threat Grid)
• SWG Endpoint Client (AnyConnect)

Customer Signed

• Umbrella Generates CSR
• Customer Issues SubCA Cert
• Validity 3 Years or Less

Issuing a Self-signed CA

1 Download Umbrella’s CSR from dashboard
2 Dashboard remembers pending state till completed
3 Upload CSR after signed with your root CA

File Type Control

• Blocking file downloads by type
• File Detection on a combination of
  • File Extension
  • File Signature
• SWG support only
• Over 100 different file types supported with more being added
• Users get block page for blocked extensions

File Types Block page and reporting

Tenant Restrictions (aka Enterprise Applications)

• Provides control over user access to approved corporate applications, while blocking access to other instances of these same applications
• First iteration supports Office365, Google G Suite, and Slack
• Integrated into SWG policy

Tenant Restrictions Visibility in Reports

Agenda

• Introduction
• Let’s Catch up Since Last Time
• Umbrella’s Secure Web Gateway
• Cloud Delivered Firewall
• CASB and App Visibility and Control
• Summary


Umbrella SIG Capacity Increase

67% increased IPsec tunnel capacity

• Tunnel all outbound traffic to Umbrella from HQ and branches
• 67% increase of tunnel capacity to 250 Mbps per tunnel (up from 150 Mbps)
• 500 Mbps capacity available upon request
• Multiple tunnels still supported
• Transparently forwards to Umbrella secure web gateway

[Diagram labels: Internet; NON-WEB & SITE EXCLUSIONS; 80/443; CDFW; SWG; Umbrella; IPSEC TUNNEL 250 Mbps; SD-WAN; ON/OFF NETWORK DEVICES]

Tunnel Availability and Failover

• Hard code primary and secondary
• If only primary tunnel set, failover to secondary happens
• DR Site used only if region failure
• Using anycast and IKE DPD

Example: Data Center Region code US-1

• Primary: Los Angeles, 146.112.67.8
• Secondary: Palo Alto, 146.112.66.8
• In case of primary failure, uses secondary DC in the same region

[Diagram labels: Dallas TX; Automatic; Branch]

IPSec Tunnel Data Center Failover

• Data centers divided into regions
• Regions have defined DR sites
• Additional DCs to be uplifted during CY20

Region Code | Site | Failover (DR) Location
US-1 | Los Angeles, CA & Palo Alto, CA | Dallas, TX
US-2 | New York, NY & Ashburn, VA | Dallas, TX
CA-1 | Toronto, CA & Vancouver, CA | Dallas, TX
EU-1 | London, UK & Frankfurt, DE | Amsterdam, NL
AS-1 | Singapore, SG & Tokyo, JP | Hong Kong
AU-1 | Sydney, AU & Melbourne, AU | Hong Kong

https://docs.umbrella.com/umbrella-user-guide/docs/cisco-umbrella-data-centers

L7 NBAR2 Based AVC

Use-case: blocking of non-HTTP/S applications

• Example: Customer needs to block
• Tor can be used in different ways:
  • Through the Tor browser agent itself
  • Through the Tor app in iOS/Android
• While DNS helps, Tor doesn’t always send DNS queries
• SWG cannot intercept as traffic is not HTTP/S
• L7 Firewall provides coverage here
• Over 1,000 applications supported

CDFW Rule Hit Counter

• Visible in firewall policy
• Total hit count over 24 hours
• Time stamp last hit count
• Shows logging disabled

Cisco SD-WAN: Umbrella and Viptela

Viptela 17.2 and Umbrella Integration

Previously

• À la carte Purchase Order, Manual Provisioning
• Manual configuration on two very different looking dashboards
• Multiple clicks and user inputs to enable SIG
• Sub-optimal and error prone

Now

• Single Purchase Order in Viptela, triggers auto provisioning in Umbrella
• Single pane of glass to:
  • Enable UMB DNS security on cEdge with a few clicks
  • Create SIG tunnels on cEdge and vEdge devices
• Unified with fewer touchpoints

Available with IOS-XE 17.2.1R and Viptela 20.1

Viptela Auto-registration to Cisco Umbrella

• Based on Smart Account credentials on both Umbrella and SD-WAN
• Automated registration of Edge Devices to Umbrella
• Secure API key is automatically provisioned on the Edge Device through HTTPS session
• No need to manually add API Keys
• Available through new DNA Premier licensing for routing, with integrated SIG Essential seats

[Diagram labels: Umbrella; HTTPS session; Edge Device]

Automated Registration With Smart Account

[Screenshot labels: Umbrella Org ID; Management API key pair]

Automated Registration With Smart Account

• By pushing the SIG feature template in vManage, customers can now set up an IPSec tunnel to Umbrella in a few clicks
• Previously customers would need to manually establish the tunnel for each WAN Edge device at branch
• Automated tunnel creation with cEdge and vEdge devices, allows deployment of hundreds or thousands of sites in seconds

[Diagram labels: INTERNET; Cloud Delivered Firewall; DNS-Layer Security; Secure Web Gateway; Umbrella; Edge Device]

https://docs.umbrella.com/umbrella-user-guide/docs/add-auto-tunnel-viptela

Current Umbrella and DNA Packages

Across Cisco the software packaging naming convention looks very similar. Ensure to pay close attention to the differences!!

DNA ≠ DNS

[Slide labels: SD-WAN DNA; Umbrella DNS/SIG]

How Much Umbrella SIG Essentials in DNA-P?

DNA-P Bandwidth tier | Umbrella Insights (Q4FY19-Q3FY20) Seats (users) | SIG Essentials (Q4FY20) Seats (users)
5M | 5 | 5
10M | 10 | 10
25M (T1) | 25 | 25
50M | 50 | 50
100M | 100 | 100
250M (T2) | 250 | 250
500M | 500 | 375
1G | 750 | 500
2.5G (T3) | 1,000 | 750
5G | 1,000 | 750
10G | 1,000 | 750

Slide callout: Same Seat counts!


Agenda - Video 3 of 3

• Introduction
• Let’s Catch up Since Last Time
• Umbrella’s Secure Web Gateway
• Cloud Delivered Firewall + SD-WAN
• CASB and App Visibility and Control
• Summary


Application Visibility & Control: DNS vs. SWG

Visibility

• DNS: Provides reliable visibility into apps usage
• SWG: Provides additional attributes:
  • Bandwidth consumption
  • Data traversing apps / data exposure

Control

• DNS: DNS can only block or allow at domain
• SWG: Provides advanced app control:
  • More accurate blocking and allowing
  • Activity controls, such as blocking uploads, downloads, email attachments, and social posts

Currently identify ~16K apps; control ~1200 apps; advanced control of 21 apps

Controllable Apps (DNS & SWG): https://docs.umbrella.com/deployment-umbrella/docs/blockable-apps

Advanced Controls (SWG-only): https://docs.umbrella.com/umbrella-user-guide/docs/advanced-app-controls

• Block Uploads to Cloud Storage Apps
• Block Attachments to Webmail Apps
• Block Posts/Shares to Social Media Apps
• Block Uploads to Office Productivity & Content Mgmt Apps
• Block Uploads to Collaboration Apps
• Block Uploads to Media Apps

App Visibility in Activity Search

[Screenshot labels: Add Columns; App Filtering]

Cloud Malware

Combines Cloudlock APIs and Umbrella proxy capabilities

• Current gap: Files in the cloud that contain malware can do damage once downloaded
• Solution: By remediating these problems in the cloud, we can prevent the malware from spreading to additional users
• Examples:
  • Unmanaged devices, or not protected by AMP
  • External sharing: spreading of malware to other companies, or malware entering the org via shares

Cloud Malware Functionality

• Detects, quarantines, and reports on malware files
• Uses Cisco AMP (file reputation) and AV engines
• Supported on various platforms
  • O365
  • Box
  • Dropbox
  • Webex Teams
• Simple customer onboarding through OAuth

Cloud Malware – Discovered Malware Files

Cloud Malware – Adding Accounts

Agenda

• Introduction
• Let’s Catch up Since Last Time
• Umbrella’s Secure Web Gateway
• Cloud Delivered Firewall + SD-WAN
• CASB and App Visibility and Control
• Summary

Umbrella: Part of Cisco Talos

To stop more, you have to see more

• The most diverse data set
• Community partnerships
• Proactively finding problems

2.2 trillion artifacts seen daily

• 1.9T email artifacts
• 200B DNS entries
• 47B web requests
• 70B network flows (includes cognitive)
• 189M file artifacts (14M never-before-seen)
• 100M new detection events

[Diagram labels: Vulnerability discovery; Network; Web; Threat traps; Endpoint; Data sharing; Cloud; Email]

Service Status Page

https://status.umbrella.com

Now includes SIG services:

• Secure Web Gateway
• Cloud Delivered Firewall and tunnel head-end
• Umbrella CASB
• Identity services

Additional dropdown area for Cloudlock services

License Summary

Umbrella Packages for FY21

Packages: DNS Security Essentials; DNS Security Advantage; SIG Essentials; SIG Advantage *

Feature layers shown on the slide:

• L7 Cloud-delivered Firewall
• Advanced TG
• Secure Web Gateway | L3-L4 Cloud Firewall | File Analysis (TG)
• Selective Web Proxy | File Inspection – AV & AMP | Web Filtering | SSL Inspection | Investigate Console + On-demand Enrichment API
• Threat Lens | Policy, Reporting and Enforcement APIs | Cisco Threat Response | S3 Log Management | Multi-Org Console
• Umbrella DNS security - Domain Filtering, Security Blocking and App Discovery & Control
• Network and Branch Protection (VA + AD Connector) + Roaming + Mobile User Protection
• Highly available, Global cloud platform powered by Umbrella and Talos threat intelligence
• 24x7 access to Cisco Cloud Security Support (Cisco Software Support Enhanced - required attach) | (Optional) Premium Support Upgrade

Pricing is subject to the Customer’s peak bandwidth per seat (the higher of inbound and outbound, measured on a 95th percentile basis) not exceeding an average of 50 kb/s in any calendar month

* SIG Advantage orderable in 2H’FY21, till then L7 CDFW will be available as add-on on top of SIG-Essentials

Cisco SSO (formerly SBG SSO)

Solution:

• Single Sign On (SSO) solution for SBG Cloud services customers
• With SSO, our customers will be able to log into our products using same login and pivot from one product to another product using the same identity
• Our On-Premise Products could leverage that solution as well with both cloud and local Identity providers

What will be supported?

• Duo for MFA
• Consistent SSO in all apps

Supported Products:

• Available Now: CDO, Stealthwatch Cloud, Umbrella
• Next: CTR, AMP4E, Threat Grid, CES
• Future: Cloudlock

https://www.cisco.com/c/en/us/td/docs/security/secure-sign-on/sso-quick-start-guide.html

Closing Comments

We are building the most comprehensive Secure Internet Gateway with widest coverage, while keeping it simple to deploy and manage

Next Steps

• Start an Umbrella trial and protect a complete production network and see value within minutes: signup.umbrella.com
• Speak with your Cisco Security representative who can assist with starting a conversation with product experts and our Products team
