TechWiseTV Workshop: OpenDNS and AnyConnect
•Télécharger en tant que PPTX, PDF•
3 j'aime•2,386 vues
Join this in-depth look and detailed demonstration of the OpenDNS Umbrella integration with AnyConnect and how it really can stop most threats before they become serious problems, protecting users anywhere they go, even when the VPN is off. Watch the workshop replay: http://bit.ly/2bPT1ax Watch the Video: http://bit.ly/2c60obv
Recommandé
Recommandé
Contenu connexe
Tendances
Tendances (20)
Similaire à TechWiseTV Workshop: OpenDNS and AnyConnect
Similaire à TechWiseTV Workshop: OpenDNS and AnyConnect (20)
Plus de Robb Boyd
Plus de Robb Boyd (20)
Dernier
Dernier (20)
TechWiseTV Workshop: OpenDNS and AnyConnect
- 1. OpenDNS and AnyConnect Adam Winn, Product Manager Aug 30th, 2016
- 2. DNS-Layer Network Security Delivered from the Cloud OpenDNS Umbrella Overview
- 4. Desktops Business Apps Critical Infrastructure Critical Infrastructure (Amazon, Rackspace, Windows Azure, etc.) Business Apps (Salesforce, Marketo, DocuSign, etc.) Roaming Laptops Remote Users
- 5. The NGFW Improves Perimeter Security But Relies on the VPN to Protect Roaming Users Last 20 years of security outside the perimeter: VPN on REMOTE ACCESS
- 6. But Not Every Connection Goes Thru the VPN Creating a Blind Spot for the NGFW VPN off* *or split tunnel Not all traffic —over all ports, all the time— is backhauled
- 7. By 2018, Gartner estimates: 25% of corporate data traffic will bypass perimeter security.
- 8. The Way Your Employees Work has Changed 82%of workers admit to not always using VPN Your network extends beyond the perimeter, and your security must, too. 49%of the workforce is mobile and under defended Security may never stop 100% of the threats, but it must work 100% of the time.
- 9. INTERNET MALWARE C2/BOTNETS PHISHING AV AV AV AV ROUTER/UTM AV AV ROUTER/UTM SANDBOX PROXY NGFW NETFLOW AV AV AV AV MID LAYER LAST LAYER MID LAYER LAST LAYER MID LAYER FIRST LAYER Where Do You Enforce Security? Perimeter Perimeter Perimeter Endpoint Endpoint CHALLENGES Too Many Alerts via Appliances & AV Wait Until Payloads Reaches Target Too Much Time to Deploy Everywhere BENEFITS Alerts Reduced 2-10x; Improves Your SIEM Traffic & Payloads Never Reach Target Provision Globally in UNDER 30 MINUTES
- 10. Predict Threats Before They Happen Real-time, diverse data reveals internet activity patterns, which we learn from to identify attacker infrastructure How We Do It Security Efficacy and Performance DNS xyz.com 1.2.3.4 Blocks malicious domain requests and IP responses as DNS queries are resolved No Extra Agents or User Actions Integrated into Cisco AnyConnect for Windows and Mac, and there’s nothing new for end-users to do
- 11. Requests Per Day 80B Countries 160 Daily Active Users 65M Customers 12K Our Perspective Diverse Set of Data
- 12. Statistical Models • Identifies other domains looked up in rapid succession of a given domain • Correlations uncover other domains related to an attack “C-Rank” Model (co-occurrences) • Detect domain names that spoof brand and tech terms in real-time “NLP-Rank” Model (Natural Language Processing) • Live DGA • SecureRank Many More Models • Geo-Diversity • Geo-Distance Earliest & Most Accurate Predictions & Classifications • Detect domains with sudden spikes in traffic • Finds domains involved in active attacks “SP-Rank” Model (Spike Rank) • Analyzes how servers are hosted to detect future malicious domains • Identifies steps that precede malicious activity Predictive IP Space Monitoring 1M+ Live Events Per Second FULLY AUTOMATED
- 13. No One Combines Better Performance & Effectiveness #1 Fastest & Most Reliable DNS w/ 65M+ Users 3M+ Daily New Domain Names Discovered 60K+ Daily Malicious Destinations Identified 7M+ Total Malicious Destinations Enforced
- 14. OpenDNS and AnyConnect Working Together To Simplify Security
- 15. • OpenDNS Umbrella: Cloud-delivered, predictive network security service for DNS and IP activity. • Cisco Umbrella Roaming: Limited version of OpenDNS Umbrella. For off-network/off-VPN protection. Sold alongside AnyConnect, ASA and NGFW. Cisco-branded. Key Definitions
- 16. • Umbrella Roaming Client (URC): A lightweight, standalone agent that tags and directs an endpoint’s DNS requests to Umbrella. Comes with OpenDNS Umbrella* and Cisco Umbrella Roaming. For Windows and OS X. • Umbrella Roaming module for AnyConnect: A new AnyConnect 4.3 module that performs the same functions as the standalone URC. Comes with OpenDNS Umbrella* and Cisco Umbrella Roaming. For Windows and OS X. Key Definitions * OpenDNS Umbrella Professional, Insights, Platform, and MSP
- 17. • On-premises users are protected by stacks of security products • Remote workers must use VPN to get the same level of protection Umbrella Roaming: The Challenge Under-protected off-network users VPN on SANDBOX PROXY NGFW NETFLOW
- 18. • But VPN utilization is decreasing • 82% of workers admit to not always using VPN when remote Umbrella Roaming: The Challenge Under-protected off-network users SANDBOX PROXY NGFW NETFLOW VPN off
- 19. Cisco Umbrella Roaming VPN on VPN off ODNS active SANDBOX PROXY NGFW NETFLOW Umbrella Malware Phishing Sites C2 Callbacks Block Cloud-Delivered Security Service for Cisco NGFW Protection when off the VPN no additional agent required* Visibility and enforcement at the cloud-edge via DNS Block requests to malicious domains and IPs Predictive intelligence uncover current and emergent threats * When used with the AnyConnect Umbrella module
- 20. Security or System Admin’s Machine Building Installation Package Download Profile for AnyConnect Module dashboard2.opendns.com* Download AC Push- or Pull-Deploy Image software.cisco.com 4.3 *Currently at dashboard2.opendns.com, but will switch to dashboard.umbrella.com in November One-Time Process
- 21. Uploading Installation Package 4.3 Create/Edit VPN Policy to Include Umbrella Module “PUSH” OPTION Upload AC 4.3 and All Files to Endpoint Software Distribution “PULL” OPTION Upload AC 4.3 and All Files to ASA or ISE
- 22. Optional Automatic Updates Eliminates On-Going Maintenance for AnyConnect AnyConnect update on cisco.com Umbrella service Umbrella module enabled in AnyConnect Umbrella service regularly checks for new AnyConnect versions, which includes all modules, not just “Roaming Security” Umbrella module regularly checks for updates, and automatically installs new version without admin or user intervention
- 24. AnyConnect Module: How We Enforce Security at the DNS Layer
- 25. Built-in OS Components .NET API Windows Registry WMI Configuration Any Running App Cisco AnyConnect Roaming Module CISCO NGFWCISCO UMBRELLA STEP 2a domains resolved by OpenDNS when outside VPN and not local or STEP 2b domains resolved by your DNS server when VPN tunneled or if local LOCAL DNS SERVER Any Running App Cisco AnyConnect Roaming Security CISCO UMBRELLA Any Running App LOCAL DNS SERVER Cisco AnyConnect Roaming Module CISCO UMBRELLA DNS Forwarded to Umbrella or Local DNS Server encrypted EDNS request w/device ID forwards the identical DNS request enforces security policy based on threat intel & device ID response from your DNS server returns IP to requested domain or block page DNS requests to internal domains START HERE! DNS requests to Internet domains START HERE! STEP 1 watch for new networks, exempted domains & VPN status device ID device ID device ID LOCAL DHCP SERVER Internal, split tunnel, & search domain lists for customer AnyConnect Driver AnyConnect Driver AnyConnect Driver
- 26. Powerful Security With No Complexity or Latency: Demo
- 27. Simple for Both Security & Sysadmin Teams 1 Enable roaming in minutes 2 Global security by default 3 Instant visibility into threats 4 Detailed logs for incident response
- 28. Where Does Umbrella Fit With CWS? INTERNET ON NETWORK ALL OTHER TRAFFIC WEB TRAFFIC EMAIL TRAFFIC INTERNET ALL OTHER TRAFFIC WEB TRAFFIC EMAIL TRAFFIC OFF NETWORK ASA/FirePOWER DPI/block by IP, URL, packet, or file ESA/CES blocks by sender, content, or file WSA/CWS proxy/block by URL, content, or file ESA/CES blocks by sender, content, or file CWS proxy/block by URL, content, or file Umbrella resolve/block by domain, IP, or URL Umbrella resolve/block by domain, IP, or URL AMP FOR ENDPOINT check/block hash AMP FOR ENDPOINT check/block hash
- 29. • What version of the AnyConnect Client does this work on? o Minimum 4.3 MR1 (4.3.01095) for Windows and Mac • Is there a minimum ASA version required? o Not for the Umbrella Roaming module • Do I have to change the configuration on my ASA? o Not for pre-deploy. The ASA won’t override manual installations and profiles for Umbrella module. • Does it require a separate license? o The Roaming Security module is included with AnyConnect Plus or Apex subscriptions. Devices without AnyConnect can use the Umbrella Roaming Client (standalone) that is included with most Umbrella subscriptions. In either case, an Umbrella subscription is still required. • Is it available for iOS, Android or Chromebook? o While on-network, these devices can be protected with network-level policies (Umbrella Professional and above). There are no off-network agents for these platforms at this time. FAQ
- 30. • IP Layer Enforcement* • Active Directory integration for policies and reporting* • Change Root CA from OpenDNS to Cisco** • And much more… AnyConnect Umbrella Module: Roadmap * OpenDNS Umbrella Insights, Platform, and MSP ** Most relevant to OpenDNS Umbrella Insights and above
- 31. Thank you for watching.
- 32. Appendix
- 33. Umbrella Roaming: Order of Operations Umbrella service AnyConnect Umbrella module 1. Probe to determine network state 2. Tell AnyConnect to pass DNS queries 3. (If non-local domain) Creates EDNS0* packet, embeds unique device id 4. (and if port 443 is open) Encrypt data w/DNScurve** 5. Gives packet to AnyConnect, to forward to OpenDNS’s anycast IP address for DNS resolution root com. domain.com . Authoritative Nameservers *https://en.wikipedia.org/wiki/Extension_mechanisms_for_DNS **https://dnscurve.org/ Umbrella service 1. (if encrypted) decrypts DNS query 2. Checks domain and hostname for policy 3. (if not blocked or globally cached) resolves IP 4. Checks IP against intel 5. (if domain & IP safe) returns destination IP or (if domain or IP bad) returns block page IP Umbrella module in AnyConnect
- 34. AnyConnect Module: States of Operation PROTECTED BY UMBRELLA Protected by Umbrella Non-local domain requests forwarded to 208.67.222.222 over 53/UDP Protected & Encrypted Non-local domain requests forwarded to 208.67.222.222 over 443/UDP Protected… …by Umbrella Network* …by Umbrella VA* Probes Umbrella service; unlikely state as its for different Umbrella packages Configuring Probing after network state change Unprotected - Can’t Connect - Missing Profile - Service Unavailable Disabled - Full-Tunnel VPN Active - Trusted Network Detected* NOT PROTECTED BY UMBRELLA ADDITIONAL STATES SHOWN IN PORTAL Offline Service unable to sync with module for a certain time period (e.g. computer not turned on) Uninstalled End-user or admin properly removed module * For other Umbrella packages, IP-Layer Enforcement may be provided by the module even in these states
- 35. 2016 Cisco Annuual Security ReportWEBNON-WEB 15%of C2 bypasses Web ports 80 & 443 DNSIP IP 91%of C2 can be blocked at the DNS layer Why Add Security at the DNS Layer? Lancope Research 68%of orgs don’t monitor recursive DNS
Notes de l'éditeur
- This cover slide should be updated with current information and left on screen as people log in. - Replace ‘Topic’, ‘Guest Speaker’ , ‘Date’
- Think about what’s happening to your network. Before, everything was contained on your network…all of your critical infrastructure, desktops, and business applications.
- Now you’re embracing cloud apps like Office 365, Box or SalesForce, or likely worse, some business units and many employees are using them anyway. Either way, it means that remote and roaming devices can directly work in the cloud, and skip the VPN, because they have no need for remote access. And that security stack you layered with best-in-defense capabilities has no control or visibility of what is happening off-network. You are reliant on only endpoint security to detecting & blocking threats once they are downloaded or run on the device.
- In the past, when your employees left the office, and they needed to get work done, what’d they do first? Usually turn on the VPN, because the infrastructure, apps and data they needed access to were behind your perimeter.
- But, not every connection goes through the VPN today; not all traffic, over all ports, all the time is backhauled to the corporate network. And this creates a blind spot for your next-generation firewall and other perimeter security.
- Gartner predicts by 2018, the average company will have 25% of its corporate data traffic bypassing the network perimeter. Some industries are already there or surpassed this depending on how mobile your workforce is.
- The way your employees work has changed 82% of your workers admit to not always using the VPN. Employees are using more cloud apps for work and leveraging their work laptops for personal use— the reality is that not every connection goes through the VPN. Many connections are not VPN’d due to cloud apps, personal web browsing, or split tunnels. Your network extends beyond the perimeter, and your security must too. (cs.co/IDG-survey) 49% of your workforce is mobile and under defended. (cs.co/sans-survey) Zero-day malware spikes at night and on weekends when we’re roaming and attackers know we’re vulnerable. In fact, 22% of malicious email links are clicked when roaming.(cs.co/proofpoint-report) While security may never stop 100% of the threats, it must work 100% of the time.
- Think about where you enforce security today. You probably have a range of products in your security stack to protect your network and endpoints—whether it’s at your corporate headquarters, branch offices, or on roaming endpoints. And of course, you can block malware on your network and endpoints, but why wait until malware reaches the enterprise when you can block threats out on the Internet? There are many ways that malware can get in, which is why it’s important to have multiple layers of security. But if you consider how malware is often downloaded or how phishing attacks work and how malware exfiltrates data…it often happens on the Internet. ---CLICK--- DNS is a foundational component of how the Internet works and is used by every device in the network. Way before a malware file is downloaded or before an IP connection over any port or any protocol is even established, there’s a DNS request. And that’s where OpenDNS enforces security. OpenDNS Umbrella can be the first layer of defense against threats by preventing devices from connecting to malicious or likely malicious sites in the first place—which significantly reduces the chance of malware getting to your network or endpoints.
- How we do it: No extra agents or user actions Protecting users off the corporate network has never been easier! With Umbrella Roaming, no additional agents are requires. The Umbrella functionality is embedded in the Cisco AnyConnect clients for Windows PCs and Mac. We also designed it to be maintenance-free. It auto-updates just like Chrome browsers do, and without ever requiring a reboot. Plus there’s nothing for end users to do in order to get protection (unlike most VPNs). It just works. ------- Security Efficacy and performance: We block malicious domain requests and IP responses as DNS queries are resolved. Which means we can prevent users from going to bad or likely malicious domains before a connection is ever established or a file is downloaded. ----- Predict threats before they happen: The huge volume of requests that we resolve gives us a very diverse data set. We apply statistical models to that data set which allows us to automatically identify where current attacks are staged on the Internet, and even predict sites that are likely malicious before an attack even launches.
- How do we do that? Well it all starts with data. Not only do we have a massive amount of data, but perhaps more important is the diversity of our data. It’s not just from one segment or geography or one protocol. A diverse set of traffic gives us insight into where the threats are coming from, who is launching them, where they are going to, how wide the net of the attack is, and more. So what kind of data are we talking about? Every day, more than 65 million enterprise and consumer users across 160+ countries rely on OpenDNS for DNS resolution. That results in 80+ billion DNS requests per day. Plus, 500+ peering partners exchange BGP route information with OpenDNS—giving us visibility into the connections between different networks on the Internet. With this combined data, our view of the Internet is like no other security company. The data gives us insight into things like: - global request patterns (where people are going), - when was the first time we saw this domain, - when was the last time, - how many people are going to this site, - how are domains and IPs connected and correlated. - and more
- Similar to Amazon learning from shopping patterns to suggest the next purchase, or Pandora learning from music listening patterns to play the next song, we learn from internet activity patterns to identify attacker infrastructure being staged for the next threat. Our statistical models predict which domains and IPs will be malicious before any other security vendor. To discover patterns and detect anomalies across our data, we design statistical models to categorize and score it. For example: • Many models analyze spatial relationships, such as graphing the relationships between networks across the Internet. • Some models analyze time-based relationships, such as discovering domain co-occurrences as a result of consecutive DNS requests over very short timeframes, repeated by thousands of users. • Other models analyze statistical deviations from normal activity, such as measuring the geographic distribution of IP networks requesting a domain name. Spike Rank (SPRank)- (opendns.com/Sprank) uses sound wave analysis concepts to detect domains that have spikes in their DNS request patterns Now in production, the model identifies hundreds of compromised domains every hour — over a third of which are not detected by any other antivirus or antimalware scanner, according to VirusTotal. - Examines how traffic patterns change when a domain becomes malicious (new domains, recently compromised domains, etc.) Predictive IP Space Monitoring - This model integrates ‘clues’ found by the SPRank Model and categorizes patterns in malicious hosts to determine which domains will be the source of future malicious activity - Predictive IP Space Monitoring tracks every step a criminal goes through to set up the attack infrastructure—from choosing a hosting provider to deploying server images—allowing researchers to identify what steps will precede malicious activity Co-Occurrences Identifies other domains looked up in rapid succession of a given domain Correlations uncover other domains related to an attack NLP-rank- (opendns.com/NLPrank) uses natural language processing to detect domain names that spoof brand and tech terms in real-time
- #1 Fastest and most reliable DNS = Every day more than 65 million users send more than 80 Billion DNS requests to our global network. And we have 3rd party proof that we’re the fastest in North America and one of the fastest worldwide. Plus we’ve had 100% uptime since we launched the network in 2006. 3M+ new domain names discovered daily = the number of new domain names we’re able to discover daily 60k+ malicious destinations identified daily = the number of new malicious destinations we discover daily 7M+ total malicious destinations enforced = at any given time, we’re blocking users from going to more than 7 million malicious destinations. Why is that impressive? Well, not only do we uncover tons of new malicious domains/IPs every day, but because we use the cloud we’re able to process and actually enforce millions of domains at once…which is something that appliance-based solutions can’t do.
- Cisco Umbrella Roaming is a cloud-delivered security service for Cisco’s next-generation firewall that protects employees when they are off the VPN. Umbrella Roaming provides visibility and enforcement at the DNS-layer to block requests to malicious domains and IPs before a connection is ever made. No additional agents are required — simply enable the Umbrella Roaming functionality in the Cisco AnyConnect client for seamless protection against malware, phishing, and command & control callbacks wherever your users go. With Umbrella Roaming, you gain always-on security without the hassle of always-on VPN.
- In general for off-network coverage, an endpoint agent is a necessary evil because we need a way to identify which customer and device sent the DNS request. As many of you know, we call it the Roaming Client. But don’t let the name trick you, our client is also used as one of two optional methods to get granular on-network control & visibility. So it’s not just for Windows or Mac laptops. It works great for Windows or Mac desktops, too. ------- The first step, is to point all DNS requests from any running app to 127.0.0.1, which is every device’s home IP address. It does this using built-in OS operational parameters. It also learns from your Umbrella account, which domain names are internal and should not be resolved off-network. The second step depends on whether a DNS request is for a Internet or internal domain name. For an Internet domain name, our client embeds a unique identify into the DNS request that matches the device’s hostname. It also encrypts the DNS request to prevent man-in-the-middle eavesdropping on public networks. No other security or non-security provider in the world offers a lightweight endpoint agent that can do either of these things. When our global network receives this DNS request, it checks our cache as well as your policy for this device for the proper response. If the destination is safe and adheres to your policy, we return the IP registered in the authoritative DNS record. If it is malicious or violates your policy, we return the IP address of OpenDNS’s block page servers or even a custom IP address you own. And if the destination contains both safe and malicious web content, we return the IP of OpenDNS’s cloud-based proxies so we can intercept the connection and filter at the URL-level. ---- Alternatively, requests for internal domains are forwarded to the network’s local DNS server without embedding the identity or encrypting the request. So we won’t interfere with anyone’s internal DNS servers.
- Simply enable the Roaming Security module available in Cisco AnyConnect v4.3 for Windows or Mac OS X. OR • Deploy a stand-alone Umbrella Roaming Client for Windows or Mac OS X alongside any other remote access VPN client. As soon as Roaming Security is enabled, mobile workers are protected against malicious destinations. If a threat is requested via a web browser, end-users receive a customizable block page. To immediately access a blocked site, just allow the domain. View your daily, weekly, or monthly security events occurring off-network either in your inbox or our dashboard. Check if threats are trending up or down as well as the domains and laptops with the most security events. Respond to an incident by drilling into the full activity per domain or laptop. View your daily, weekly, or monthly security events occurring off-network either in your inbox or our dashboard. Check if threats are trending up or down as well as the domains and laptops with the most security events. Respond to an incident by drilling into the full activity per domain or laptop.
- Recall that DNS is ubiquitous for every network and endpoint footprint that exists in an organization. Even IoT devices rely on DNS. It doesn’t require deploying a new appliance in the network. It doesn’t require changing WCCP on a network you manage or deploying PAC files on an endpoint you own to redirect web traffic. And we don’t care if web traffic is encrypted. Leveraging our wireless hardware partnerships, changing a single IP in DNS or DHCP servers, or referring to our network device setup guides make it so easy to point DNS to us. We’re not exaggerating when we say it takes only 30 minutes to cover dozens of locations and thousands of devices. It is the fastest and easiest way to stop the vast majority of threats trying to infiltrate your systems and exfiltrate your data. ---- No endpoint security solution comes close to providing as much visibility into all Internet activity as Umbrella. And by combining the Internet-wide visibility that our Investigate product adds to Umbrella, customers can even identify targeted attacks. ---- But perhaps most valuable, is that because DNS precedes every IP connection, we cut the number of security alerts generated by the rest of a customer’s security stack in half or more. ------ALTERNATIVE STORY----- OpenDNS Umbrella is a new layer in the network security stack. After the Internet was built, our networks started connecting to each other. Everyone installed a firewall at the network’s perimeter to control connections between internal and external hosts by their IP addresses or ports. Think of this an IP gateway. Then, our employees’ Web browsers started requesting content from websites through the firewall. Attackers hosted malicious content on a server and compromised a system once it was executed. Everyone installed a web proxy at the perimeter to block requests by their URLs and files by their signatures. These products were called web gateways; similar to the email gateways people had installed to block senders and attachments. BUT malicious connections and content are still getting through these gateways! WHY is malware still compromising our systems? WHY are attackers still exfiltrating our data? BECAUSE these gateways don’t always stop what they should. BECAUSE software and servers can exchange data over ports other than 80, 443, and 25. What we need is to add a DNS gateway. Across all devices and software, every connection--regardless of its port or protocol--starts with a DNS request. With a DNS gateway, you can control all Internet-bound connections and block malicious content or data theft before the connection ever happens. OpenDNS Umbrella is one such DNS gateway. BUT the only one that works seamlessly on or off the corporate network.
- Can existing Umbrella customers purchase the Roaming package? No. Umbrella Roaming cannot be purchased by existing customers because it is not an add-on to OpenDNS Umbrella. Rather, it is an entry-level package that contains a subset of the features that existing customers already have in their Umbrella Professional, Insights, or Platform package. However, existing Umbrella customers will be able to leverage the AnyConnect integration as part of their subscription. Can we sell Roaming & Branch together? Customers can only purchase one Umbrella package, so if you try to sell Umbrella Roaming to an existing Umbrella customer, you will get an error in the CCW How does this compare to the CWS module for AnyConnect? No content filtering available in Umbrella Roaming — security protection when VPN is off Can Umbrella Roaming subscriptions be co-termed with existing AnyConnect subscriptions? Yes, Cisco Account Managers can co-term Umbrella Roaming with AnyConnect by specifying non-standard terms for an order. Partners are restricted to the standard initial terms of 12 and 36 months in CCW. Partners can enter a co-term request in CCW as a non-standard deal which the Cisco Account Manager would approve/deny.
- Now why do customers want to add security at the DNS layer? You now understand the ability for DNS to cover any device and location, but many security products don’t cover any port or protocol used by threats. By using DNS, we can cover these gaps. According to research done by Lancope,15% of command & control callbacks did not use web ports (80 & 443) — which means that most web security products won’t have any visibility or the ability to block the C2 connections that are trying to exfiltrate data or communicate with the attacker for more instructions. Umbrella covers any port or protocol—which is a big selling point when you consider attacks like these that may use non-standard ports. Additionally, the 2016 Cisco Annual Security Report found that 91% of malware samples used DNS requests for command & control callbacks. Which means that Umbrella could contain the vast majority of C2 callbacks earlier than most other security products. And, for the 9% of attacks that use direct IP connections—we have that covered too.