New Digital Opportunity. Are you Ready?


Agenda

Introduction
Challenges
OpenDNS Overview
CloudLock Overview
Demo @ Cisco Stand

The Way We Work Has Changed

Headquarters, branch offices and roaming users. Perimeter security used to be effective.

By 2018, Gartner estimates, 25% of corporate data traffic will bypass perimeter security.

Figure labels: HQ, Branch, Roaming user.

Security challenges have evolved

Figure labels: users, data and apps across SaaS, PaaS and IaaS.

The Cyber challenges

• Malware and ransomware
• Compromised accounts and malicious insiders
• Gaps in visibility and coverage
• Data breaches and compliance

DNS is used by every device on your network. Protect users wherever they access the internet: malware, phishing, C2 callbacks.

Why leverage DNS to Detect and Block Threats

Most attacker C2 is initiated via DNS lookups, with some non-web callbacks.

Lancope Research (now part of Cisco) (1): millions of unique malware samples from small office LANs over 2 years; 15% of C2 bypasses web ports 80 & 443.

Cisco AMP Threat Grid Research (2): millions of unique malware samples submitted to sandbox over 6 months; 91% of C2 can be blocked at the DNS layer.

Figure: C2 channels plotted as web vs. non-web and DNS vs. IP. Non-web C2 examples: Zbot, ZeroAccess, njRAT, Regin, Gh0st, Storm, Pushdo/Cutwail, DarkComet, Bifrose, Lethic, Kelihos, Gameover Zeus, Citadel, Tinba, Hesperbot, PoisonIvy, and the APT1 tools Bouncer, Glooxmail, Longrun, Seasalt, Starsypound and Biscuit.

NOTE1: Visual Investigations of Botnet Command and Control Behavior (link)
• malware reached out to 150,000 C2 servers over 100,000 TCP/UDP ports
• malware often used 866 (TCP) & 1018 (UDP) “well known” ports, whereas legitimate traffic used 166 (TCP) & 19 (UDP) ports

NOTE2: 2016 Cisco Annual Security Report
• 9% had IP connections only and/or legitimate DNS requests
• 91% had IP connections, which were preceded by malicious DNS lookups
• very few had no IP connections
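The argument above is that a lookup of a known-bad name precedes most C2 connections, so refusing the lookup stops the connection before any port is chosen. The following is an added example, not code from the slides or from Umbrella: it correlates a constructed recursive-DNS log with a constructed connection log and labels each connection by whether a DNS-layer blocklist would have caught it (all names, addresses and log formats are made up).

```python
"""Label outbound connections by whether a DNS lookup preceded them and whether
a DNS-layer domain blocklist would have refused that lookup. Added example with
constructed log formats, addresses and names."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed recursive-DNS log: time, client, qname, record type, answer.
DNS_LOG = """\
2024-05-01T10:00:01 10.0.0.5 update.example-cdn.test A 203.0.113.10
2024-05-01T10:00:04 10.0.0.5 ghjk3q.bad-example.test A 198.51.100.7
2024-05-01T10:00:30 10.0.0.5 mail.example.test A 203.0.113.25
"""
# Constructed connection log: time, client, destination IP, destination port.
CONN_LOG = """\
2024-05-01T10:00:02 10.0.0.5 203.0.113.10 443
2024-05-01T10:00:05 10.0.0.5 198.51.100.7 866
2024-05-01T10:00:31 10.0.0.5 203.0.113.25 25
2024-05-01T10:01:00 10.0.0.5 192.0.2.99 1018
"""
# Names a DNS-layer policy refuses to resolve (constructed known-bad name).
BLOCKLIST = {"ghjk3q.bad-example.test"}
WINDOW = timedelta(seconds=60)  # a lookup counts if it precedes the connection by at most this

def parse_dns(text):
    """Index A-record answers as (client, answer_ip) -> [(time, qname), ...]."""
    index = defaultdict(list)
    for line in text.splitlines():
        ts, client, qname, rtype, answer = line.split()
        if rtype == "A":
            index[(client, answer)].append((datetime.fromisoformat(ts), qname))
    return index

def classify_connections(dns_text, conn_text, blocklist=BLOCKLIST):
    """Return (dst_ip, dst_port, label) per connection. The port is never consulted:
    a DNS-layer block applies before any port is chosen, which is the slide's point."""
    index = parse_dns(dns_text)
    verdicts = []
    for line in conn_text.splitlines():
        ts, client, dst, port = line.split()
        t = datetime.fromisoformat(ts)
        # Lookups by this client that resolved to dst shortly before the connection.
        prior = [q for qt, q in index.get((client, dst), []) if t - WINDOW <= qt <= t]
        if not prior:
            label = "direct_ip"        # reached by IP with no preceding lookup
        elif any(q in blocklist for q in prior):
            label = "dns_blocked"      # the lookup would have been refused
        else:
            label = "dns_allowed"
        verdicts.append((dst, int(port), label))
    return verdicts
```

Run over the sample logs, the connection on port 866 is the only one labelled dns_blocked, and the direct-IP connection on port 1018 is the case a DNS-layer control cannot see on its own.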

DNS-Layer Security Should Protect Any Location

You’ve relied on perimeter security: users requiring remote access into the corporate network to get work done (VPN on).

Need off-network security: protect the mobile workforce with always-on security. Roaming laptop with AnyConnect module or stand-alone client for Umbrella; VPN off (or on*), Umbrella active. Threats blocked over any port: malware, phishing, C2 callbacks (OpenDNS Umbrella).

*always-on or location-aware policies are supported

Global Network Built into the Fabric of the Internet

• Integrate with your security stack to extend protection
• Zero added latency: peer with top 500 ISPs & CDNs
• 2% of worldwide activity: globally-shared DNS cache
• 100% uptime since 2006
• 400+ Gbps capacity, protection & global fail-over

Gather Intelligence & Enforce Security at the DNS Layer

Authoritative DNS (root, com., domain.com.): authoritative logs, used to find:
• Newly staged infrastructures
• Malicious domains, IPs, ASNs
• DNS hijacking
• Fast flux domains
• Related domains

Recursive DNS (any device): request patterns, used to detect:
• Compromised systems
• Command & control callbacks
• Malware & phishing attempts
• Algorithm-generated domains
• Domain co-occurrences
• Newly registered domains

Earliest & Most Accurate Predictions & Classifications

Statistical models run by Umbrella Security Labs over 1M+ live events per second, fully automated.

“C-Rank” Model (co-occurrences)
• Identifies other domains looked up in rapid succession of a given domain
• Correlations uncover other domains related to an attack

“NLP-Rank” Model (Natural Language Processing & AS Matching)
• Detect domain names that spoof brand and tech terms in real-time

“SP-Rank” Model (spike rank)
• Detect domains with sudden spikes in traffic
• Finds domains involved in active attacks

Predictive IP Space Monitoring
• Analyzes how servers are hosted to detect future malicious domains
• Identifies steps that precede malicious activity

Many More Models
• Live DGA
• SecureRank
• Geo-Diversity
• Geo-Distance
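A toy illustration of two of the models named above, co-occurrence (the C-Rank idea) and spike rank (the SP-Rank idea), run over a constructed recursive-DNS query log. This is an added example, not Umbrella’s code or algorithms; the scoring rules are simplified and every name and client in it is made up.

```python
"""Toy versions of two models the slide names: a co-occurrence score (the
C-Rank idea) and a traffic-spike score (the SP-Rank idea), run over a
constructed recursive-DNS query log. Added example; the rules are simplified
illustrations, not Umbrella's algorithms."""
from collections import Counter, defaultdict

# Constructed log: (seconds since start, client id, queried name).
QUERIES = [
    (0, "c1", "login-bank.test"), (3, "c1", "stage.bad-example.test"),
    (5, "c1", "cdn.example.test"),
    (60, "c2", "login-bank.test"), (62, "c2", "stage.bad-example.test"),
    (90, "c3", "login-bank.test"), (93, "c3", "stage.bad-example.test"),
    (95, "c3", "news.example.test"),
    (120, "c4", "cdn.example.test"), (121, "c4", "news.example.test"),
    (125, "c1", "zz-new.test"), (130, "c2", "zz-new.test"), (140, "c5", "zz-new.test"),
]

def cooccurrence(queries, seed, window=10):
    """Names a client queried within `window` seconds after `seed`, scored by
    how many distinct clients show the pair (one client is noise, many is signal)."""
    by_client = defaultdict(list)
    for t, client, name in sorted(queries):
        by_client[client].append((t, name))
    supporters = defaultdict(set)
    for client, events in by_client.items():
        for i, (t0, name) in enumerate(events):
            if name != seed:
                continue
            for t1, other in events[i + 1:]:
                if t1 - t0 > window:
                    break  # events are time-ordered, nothing later can qualify
                if other != seed:
                    supporters[other].add(client)
    return {name: len(clients) for name, clients in supporters.items()}

def spike_rank(queries, bucket=60, factor=3.0):
    """Flag names whose query count in the latest time bucket is at least
    `factor` times their earlier per-bucket mean (floored at one query, so a
    name never seen before needs `factor` queries to be flagged)."""
    counts = defaultdict(Counter)
    for t, _, name in queries:
        counts[name][t // bucket] += 1
    last = max(t for t, _, _ in queries) // bucket
    flagged = {}
    for name, per_bucket in counts.items():
        prior = [per_bucket[b] for b in range(last)]
        baseline = sum(prior) / len(prior) if prior else 0.0
        ratio = per_bucket[last] / max(baseline, 1.0)
        if ratio >= factor:
            flagged[name] = ratio
    return flagged
```

With the sample log, the staging name is the only one that follows the seed across three clients, and the never-before-seen name is the only one flagged for a spike.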

Cisco Umbrella Products

Investigate (Intelligence): API. Query by domain, IP, ASN, email or hash; returns status & scores, references, relationships, attributions, patterns & geos.

Umbrella (Enforcement): 208.67.222.222.
CATEGORY: MALWARE | C2 CALLBACK | PHISHING | CUSTOM (API)
IDENTITY: INTERNAL IP | HOSTNAME | AD USER | HOSTNAME

Umbrella: First line of defense against internet threats

See: visibility to protect access everywhere.
Learn: intelligence to see attacks before they launch.
Block: stop threats before connections are made.

Key points

• First line of defense against threats
• Visibility and protection everywhere
• Enterprise-wide deployment in minutes
• Intelligence to see attacks before they launch
• Integrations to amplify existing investments

Umbrella (208.67.222.222): the fastest and easiest way to block threats: malware, C2 callbacks, phishing.

What Makes Umbrella Unique

Extend Protection Beyond The Perimeter: block all Internet activity destined to domains detected by your security appliances & threat intel sources.

Consistent Enforcement & Visibility Everywhere: gain a virtual "bump-in-the-wire" for internet connections over any port or protocol, on or off the network.

Protect Any Device, Anywhere (figure: 208.67.222.222 blocking malware, botnet and phishing).

How We Do It

Predictive Intelligence Using Statistical Models: observes relationships in global DNS requests & BGP routes to discover where attacks are staged.

Global Network Using Recursive DNS: just point DNS from your network devices, our virtual appliance, or our roaming client to our global network (figure: a DNS lookup of xyz.com returning 1.2.3.4).

Off-Network Security Using Lightweight Agent: does not scan the system or run in kernel space, so it will not crash, hog memory, or pester the end user.

Investigate: The Most Powerful Way to Uncover Threats

Figure labels: domains, IPs & ASNs; console; API; SIEM, TIP.

Key Points
• Intelligence about domains, IPs, & malware across the Internet
• Live graph of DNS requests and other contextual data
• Correlated against statistical models
• Discover & predict malicious domains & IPs
• Enrich security data with global intelligence

A Single, Correlated Source of Intelligence

Investigate combines:
• WHOIS record data
• ASN attribution
• IP geolocation
• Domain & IP reputation scores
• Malware file analysis
• Domain co-occurrences
• Anomaly detection (DGAs, FFNs)
• DNS request patterns/geo. distribution
• Passive DNS database

CloudLock: Gain visibility and control to secure cloud apps and infrastructure.

What Do Customers Want to Protect?

Users/Accounts
● Who is doing what in my cloud applications?
● How do I detect account compromises?
● Are malicious insiders extracting information?

Data
● Do I have toxic & regulated data in the cloud?
● How do I detect policy violations?
● How do I automate incident remediations?

Applications
● How can I monitor app usage and risk?
● Do I have any 3rd party connected apps?
● How do I revoke risky apps?

CASB - API Access (Cloud-to-Cloud)

Figure labels: public APIs; Cisco ASA / CWS; managed users, devices and network; unmanaged users, devices and network; authorized admin OAuth access.

CloudLock Platform

DLP, User Behavior Analytics, Central Auditing, Configuration Security, Encryption Management, Apps Firewall.

Cloud Native Approach to CASB

CASB for SaaS: protect the usage of business apps in the cloud.
CASB for IaaS/PaaS: protect the usage of critical infrastructure in the cloud.
Cloud Security Orchestration: include the cloud in security workflows.

Figure labels: SaaS, Cloud Native, CASB.

Deep Dive

CloudLock Cyber Security Fabric: How it Works

Figure: IT Security on one side and all end users on the other, with the fabric covering SaaS (force.com), PaaS and IaaS (force.com), IDaaS, homegrown apps, IT apps and ISV cloud apps across the enterprise.

Capabilities: Content Classification, Apps Firewall, Security Analytics, Encryption Management, Incident Management, Central Auditing, Policy Automation, User Behavior Analytics, Configuration Security.

Cloudlock’s #1 Toolkit – Free Cybersecurity Assessment

Data: Is there toxic, regulated or sensitive data residing in SaaS / PaaS apps, and where is it located? Is there shadow IT in my network? (Data & Apps: 1 billion objects)

User behavior: Are employees’ accounts secure, is access to information safeguarded, are users acting as intended? (User Behavior: 10M users)

Regulation: Are controls in place to enforce regulatory and security compliance, such as PCI, PHI, Privacy and SOX? (Regulation: 100+ pre-built policies)

Trusted by the leading Organisations

Why CloudLock? Differentiators

• Coverage: for SaaS, IaaS, PaaS and Homegrown Applications
• Platform: Machine learning, 1B+ Objects and 10M+ users | 201K Apps detected | 150+ Pre Built Policies
• Threat Intelligence: Unit 8200 CyberLab, crowd-sourced community trust ratings
• Proven at Scale: Largest client has 750,000+ protected users
• Expertise: 5+ yrs of fine tuning, UEBA, Responses, Rapid releases