The Cyber challenges
• Malware and ransomware
• Compromised accounts and malicious insiders
• Gaps in visibility and coverage
• Data breaches and compliance
NOTE1: Visual Investigations of Botnet Command and Control Behavior (link)
• malware reached out to 150,000 C2 servers over 100,000 TCP/UDP ports
• malware often used 866 (TCP) & 1018 (UDP) “well known” ports, whereas legitimate traffic used 166 (TCP) & 19 (UDP) ports
NOTE2: 2016 Cisco Annual Security Report
• 9% had IP connections only and/or legitimate DNS requests
• 91% had IP connections, which were preceded by malicious DNS lookups
• very few had no IP connections
NON-WEB C2 EXAMPLES (figure: malware families placed by C2 channel, DNS vs. Web vs. Non-Web IP)
Zbot, ZeroAccess, njRAT, Regin, Gh0st, Storm, Pushdo/Cutwail, DarkComet, Bifrose, Lethic, Kelihos, Gameover Zeus, Citadel, Tinba, Hesperbot, Bouncer (APT1), Glooxmail (APT1), Longrun (APT1), Seasalt (APT1), Starsypound (APT1), Biscuit (APT1), PoisonIvy
Why leverage DNS to Detect and Block Threats
Most attacker C2 is initiated via DNS lookups, with some non-Web callbacks.
• 15% of C2 bypasses Web ports 80 & 443 (Lancope Research, now part of Cisco [1]: millions of unique malware samples from small office LANs over 2 years)
• 91% of C2 can be blocked at the DNS layer (Cisco AMP Threat Grid Research [2]: millions of unique malware samples submitted to sandbox over 6 months)
DNS-Layer Security Should Protect Any Location
YOU’VE RELIED ON perimeter security: users requiring remote access into the corporate network to get work done (VPN ON).
NEED OFF-NETWORK SECURITY: protect the mobile workforce with always-on security (VPN OFF or ON*). A roaming laptop with the AnyConnect module or the stand-alone client for Umbrella resolves through OpenDNS Umbrella, which stays active on or off the VPN and blocks threats over any port: malware, phishing, C2 callbacks.
*always-on or location-aware policies are supported
Integrate w/your security stack to extend protection
Global Network Built into the Fabric of the Internet
• ZERO added latency: peer w/ top 500 ISPs & CDNs
• 2% of worldwide activity: globally-shared DNS cache
• 100% uptime since 2006
• 400+ Gbps capacity, protection & global fail-over
Gather Intelligence & Enforce Security at the DNS Layer
Recursive DNS (request patterns from any device). Used to detect:
• Compromised systems
• Command & control callbacks
• Malware & phishing attempts
• Algorithm-generated domains
• Domain co-occurrences
• Newly registered domains
Authoritative DNS (authoritative logs along the chain root, com., domain.com.). Used to find:
• Newly staged infrastructures
• Malicious domains, IPs, ASNs
• DNS hijacking
• Fast flux domains
• Related domains
Statistical Models: Earliest & Most Accurate Predictions & Classifications
1M+ live events per second, fully automated (Umbrella Security Labs)
“C-Rank” Model (co-occurrences)
• Identifies other domains looked up in rapid succession of a given domain
• Correlations uncover other domains related to an attack
“NLP-Rank” Model (Natural Language Processing & AS Matching)
• Detect domain names that spoof brand and tech terms in real-time
“SP-Rank” Model (spike rank)
• Detect domains with sudden spikes in traffic
• Finds domains involved in active attacks
Predictive IP Space Monitoring
• Analyzes how servers are hosted to detect future malicious domains
• Identifies steps that precede malicious activity
Many More Models
• Live DGA
• SecureRank
• Geo-Diversity
• Geo-Distance
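As an added illustration of the co-occurrence idea described above (not Cisco's C-Rank code or data), this toy Python model ranks domains by how many distinct clients looked them up within a few seconds of a lookup of a known-bad seed domain, over constructed resolver log lines; the domain names, client IPs, time window and baseline list are all assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log, one "timestamp client queried_domain" per line.
# bad-seed.example stands in for a domain already known to be malicious.
SAMPLE_LOG = """\
2016-03-01T10:00:00 10.0.0.5 www.example.com
2016-03-01T10:00:01 10.0.0.5 bad-seed.example
2016-03-01T10:00:02 10.0.0.5 stage2.example.net
2016-03-01T10:05:00 10.0.0.7 bad-seed.example
2016-03-01T10:05:01 10.0.0.7 stage2.example.net
2016-03-01T10:05:02 10.0.0.7 www.example.com
2016-03-01T11:00:00 10.0.0.9 www.example.com
2016-03-01T11:00:01 10.0.0.9 news.example.org
2016-03-01T12:00:00 10.0.0.5 bad-seed.example
2016-03-01T12:00:30 10.0.0.5 late.example.org
"""

def parse_log(text):
    """Parse the log text into (datetime, client, domain) tuples."""
    records = []
    for line in text.splitlines():
        ts, client, domain = line.split()
        records.append((datetime.fromisoformat(ts), client, domain))
    return records

def cooccurring_domains(records, seed, window_seconds=10, min_clients=2, baseline=()):
    """Score domains looked up by the same client within +/- window_seconds of a
    lookup of `seed`. The score is the number of distinct clients showing the
    pattern, so one noisy host cannot promote a domain; `baseline` names are ignored."""
    window = timedelta(seconds=window_seconds)
    by_client = defaultdict(list)
    for ts, client, domain in records:
        by_client[client].append((ts, domain))
    support = defaultdict(set)
    for client, lookups in by_client.items():
        seed_times = [ts for ts, d in lookups if d == seed]
        for ts, domain in lookups:
            if domain == seed or domain in baseline:
                continue
            if any(abs(ts - st) <= window for st in seed_times):
                support[domain].add(client)
    return {d: len(c) for d, c in support.items() if len(c) >= min_clients}

if __name__ == "__main__":
    ranked = cooccurring_domains(parse_log(SAMPLE_LOG), "bad-seed.example",
                                 baseline={"www.example.com"})
    for domain, clients in sorted(ranked.items(), key=lambda kv: -kv[1]):
        print(f"{domain}: seen with seed by {clients} distinct clients")
```

Lookups far outside the window (late.example.org) and clients that never resolved the seed (10.0.0.9) contribute nothing, which is what keeps the ranking from flagging ordinary browsing.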
Cisco Umbrella Products
Investigate (Intelligence): API queried by DOMAIN, IP, ASN, EMAIL, HASH; returns STATUS & SCORES, REFERENCES, RELATIONSHIPS, ATTRIBUTIONS, PATTERNS & GEOs
Umbrella (Enforcement, resolver 208.67.222.222): policy by CATEGORY (MALWARE, C2 CALLBACK, PHISHING, CUSTOM via API) and by IDENTITY (INTERNAL IP, HOSTNAME, AD USER, HOSTNAME)
Umbrella: First line of defense against internet threats
• See: Visibility to protect access everywhere
• Learn: Intelligence to see attacks before they launch
• Block: Stop threats before connections are made
Key points
• First line of defense against threats
• Visibility and protection everywhere
• Enterprise-wide deployment in minutes
• Intelligence to see attacks before they launch
• Integrations to amplify existing investments
Umbrella (208.67.222.222): The fastest and easiest way to block threats: Malware, C2 Callbacks, Phishing
What Makes Umbrella Unique
• Extend Protection Beyond The Perimeter: block all Internet activity destined to domains detected by your security appliances & threat intel sources
• Consistent Enforcement & Visibility Everywhere: gain a virtual "bump-in-the-wire" for internet connections over any port or protocol, on or off the network
• Protect Any Device, Anywhere (208.67.222.222 blocks MALWARE, BOTNET, PHISHING)
How We Do It
• Predictive Intelligence Using Statistical Models: observes relationships in global DNS requests & BGP routes to discover where attacks are staged
• Global Network Using Recursive DNS: just point DNS from your network devices, our virtual appliance, or our roaming client to our global network (DNS: xyz.com resolves to 1.2.3.4)
• Off-Network Security Using Lightweight Agent: does not scan the system or run in kernel space, so it will not crash, hog memory, or pester the end user
Investigate: The Most Powerful Way to Uncover Threats
DOMAINS, IPs & ASNs, delivered via CONSOLE, SIEM, TIP, API
Key Points
• Intelligence about domains, IPs, & malware across the Internet
• Live graph of DNS requests and other contextual data
• Correlated against statistical models
• Discover & predict malicious domains & IPs
• Enrich security data with global intelligence
A Single, Correlated Source of Intelligence (INVESTIGATE)
• WHOIS record data
• ASN attribution
• IP geolocation
• Domain & IP reputation scores
• Malware file analysis
• Domain co-occurrences
• Anomaly detection (DGAs, FFNs)
• DNS request patterns/geo. distribution
• Passive DNS database
What Customers Want to Protect?
Users/Accounts
● Who is doing what in my cloud applications?
● How do I detect account compromises?
● Are malicious insiders extracting information?
Data
● Do I have toxic & regulated data in the cloud?
● How do I detect policy violations?
● How do I automate incident remediations?
Applications
● How can I monitor app usage and risk?
● Do I have any 3rd party connected apps?
● How do I revoke risky apps?
CASB - API Access (Cloud-to-Cloud)
(figure: Managed and UnManaged Users, Devices and Networks reach cloud apps via Cisco ASA / CWS; the CloudLock Platform connects to the apps' Public APIs with Authorized ADMIN OAUTH ACCESS)
CloudLock Platform: DLP, User Behavior Analytics, Central Auditing, Configuration Security, Encryption Management, Apps Firewall
• CASB for SaaS: Protect the usage of business apps in the cloud
• CASB for IaaS/PaaS: Protect the usage of critical infrastructure in the cloud
• Cloud Security Orchestration: Include the cloud in security workflows
CloudLock Cyber Security Fabric: How it Works
(figure: IT Security and All End-Users connect through CloudLock to SaaS, PaaS and IaaS (force.com) and IDaaS)
CloudLock capabilities: Content Classification, Apps Firewall, Security Analytics, Encryption Management, Incident Management, Central Auditing, Policy Automation, User Behavior Analytics, Configuration Security
CloudLock Cyber Security Fabric: How it Works (continued)
The same fabric also covers Homegrown Apps, IT Apps, ISV Cloud Apps and the Enterprise.
Cloudlock’s #1 Toolkit – Free Cybersecurity Assessment
• Regulation (100+ Pre-built policies): Are controls in place to enforce regulatory and security compliance, such as PCI, PHI, Privacy and SOX?
• User behavior (10M Users): Are employees’ accounts secure, is access to information safeguarded, are users acting as intended?
• Data & Apps (1 Billion Objects): Is there toxic, regulated or sensitive data residing in SaaS / PaaS apps, and where is it located? Is there Shadow IT in my network?
Why CloudLock? Differentiators
• Coverage: for SaaS, IaaS, PaaS and Homegrown Applications
• Platform: Machine learning, 1B+ Objects and 10M+ users | 201K Apps detected | 150+ Pre Built Policies
• Threat Intelligence: Unit 8200 CyberLab, crowd-sourced community trust ratings
• Proven at Scale: Largest client has 750,000+ protected users
• Expertise: 5+ yrs of fine tuning, UEBA, Responses, Rapid releases
Recommended