Join this in-depth look and detailed demonstration of the OpenDNS Umbrella integration with AnyConnect and how it really can stop most threats before they become serious problems, protecting users anywhere they go, even when the VPN is off.
Watch the workshop replay: http://bit.ly/2bPT1ax
Watch the Video: http://bit.ly/2c60obv
5. The NGFW Improves Perimeter Security, But Relies on the VPN to Protect Roaming Users
[Figure: the last 20 years of security outside the perimeter: remote access with the VPN on]
6. But Not Every Connection Goes Through the VPN, Creating a Blind Spot for the NGFW
[Figure: VPN off, or split tunnel. Not all traffic, over all ports, all the time, is backhauled.]
7. By 2018, Gartner estimates: 25% of corporate data traffic will bypass perimeter security.
8. The Way Your Employees Work Has Changed
• 82% of workers admit to not always using VPN
• 49% of the workforce is mobile and under-defended
Your network extends beyond the perimeter, and your security must, too.
Security may never stop 100% of the threats, but it must work 100% of the time.
9. Where Do You Enforce Security?
[Figure: three layers of enforcement. First layer, the Internet: malware, C2/botnets, phishing. Mid layer, the perimeter: router/UTM, sandbox, proxy, NGFW, NetFlow. Last layer, the endpoint: AV.]
CHALLENGES
• Too many alerts via appliances & AV
• Wait until payloads reach target
• Too much time to deploy everywhere
BENEFITS
• Alerts reduced 2-10x; improves your SIEM
• Traffic & payloads never reach target
• Provision globally in under 30 minutes
10. How We Do It
• Predict threats before they happen: real-time, diverse data reveals internet activity patterns, which we learn from to identify attacker infrastructure
• Security efficacy and performance: blocks malicious domain requests and IP responses as DNS queries are resolved (e.g. DNS resolves xyz.com to 1.2.3.4)
• No extra agents or user actions: integrated into Cisco AnyConnect for Windows and Mac, and there's nothing new for end-users to do
12. Statistical Models: Earliest & Most Accurate Predictions & Classifications
1M+ live events per second, fully automated
• "C-Rank" model (co-occurrences): identifies other domains looked up in rapid succession of a given domain; correlations uncover other domains related to an attack
• "NLP-Rank" model (Natural Language Processing): detects domain names that spoof brand and tech terms in real time
• "SP-Rank" model (Spike Rank): detects domains with sudden spikes in traffic; finds domains involved in active attacks
• Predictive IP Space Monitoring: analyzes how servers are hosted to detect future malicious domains; identifies steps that precede malicious activity
• Many more models: Live DGA, SecureRank, Geo-Diversity, Geo-Distance
13. No One Combines Better Performance & Effectiveness
• #1 fastest & most reliable DNS, with 65M+ users
• 3M+ daily new domain names discovered
• 60K+ daily malicious destinations identified
• 7M+ total malicious destinations enforced
15. Key Definitions
• OpenDNS Umbrella: Cloud-delivered, predictive network security service for DNS and IP activity.
• Cisco Umbrella Roaming: Limited version of OpenDNS Umbrella. For off-network/off-VPN protection. Sold alongside AnyConnect, ASA and NGFW. Cisco-branded.
16. Key Definitions
• Umbrella Roaming Client (URC): A lightweight, standalone agent that tags and directs an endpoint's DNS requests to Umbrella. Comes with OpenDNS Umbrella* and Cisco Umbrella Roaming. For Windows and OS X.
• Umbrella Roaming module for AnyConnect: A new AnyConnect 4.3 module that performs the same functions as the standalone URC. Comes with OpenDNS Umbrella* and Cisco Umbrella Roaming. For Windows and OS X.
* OpenDNS Umbrella Professional, Insights, Platform, and MSP
17. Umbrella Roaming: The Challenge (Under-protected off-network users)
• On-premises users are protected by stacks of security products
• Remote workers must use VPN to get the same level of protection
[Figure: VPN on; traffic passes through the sandbox, proxy, NGFW and NetFlow stack]
18. Umbrella Roaming: The Challenge (Under-protected off-network users)
• But VPN utilization is decreasing
• 82% of workers admit to not always using VPN when remote
[Figure: VPN off; traffic bypasses the sandbox, proxy, NGFW and NetFlow stack]
19. Cisco Umbrella Roaming: Cloud-Delivered Security Service for Cisco NGFW
[Figure: with the VPN on, traffic passes through the sandbox, proxy, NGFW and NetFlow stack; with the VPN off, OpenDNS is active and Umbrella blocks malware, phishing sites and C2 callbacks]
• Protection when off the VPN, no additional agent required*
• Visibility and enforcement at the cloud-edge via DNS
• Block requests to malicious domains and IPs
• Predictive intelligence uncovers current and emergent threats
* When used with the AnyConnect Umbrella module
20. Building Installation Package (One-Time Process)
[Figure: on the security or system admin's machine: download the profile for the AnyConnect module from dashboard2.opendns.com*, and download the AnyConnect 4.3 push- or pull-deploy image from software.cisco.com]
* Currently at dashboard2.opendns.com, but will switch to dashboard.umbrella.com in November
21. Uploading Installation Package
• Create/edit VPN policy to include the Umbrella module (AnyConnect 4.3)
• "PUSH" option: upload AC 4.3 and all files to endpoint software distribution
• "PULL" option: upload AC 4.3 and all files to ASA or ISE
22. Optional Automatic Updates: Eliminates On-Going Maintenance for AnyConnect
[Figure: AnyConnect update on cisco.com, picked up by the Umbrella service, delivered to the Umbrella module enabled in AnyConnect]
• Umbrella service regularly checks for new AnyConnect versions, which includes all modules, not just "Roaming Security"
• Umbrella module regularly checks for updates, and automatically installs the new version without admin or user intervention
25. DNS Forwarded to Umbrella or Local DNS Server
[Figure: any running app on the endpoint hands DNS requests to the Cisco AnyConnect Roaming module, which uses built-in OS components (.NET API, Windows Registry, WMI configuration) and the AnyConnect driver.]
STEP 1: watch for new networks, exempted domains & VPN status. The local DHCP server supplies the internal, split-tunnel and search domain lists for the customer; the module carries a device ID.
STEP 2a: domains resolved by OpenDNS when outside the VPN and not local. DNS requests to Internet domains start here: the module sends an encrypted EDNS request with the device ID to Cisco Umbrella, which enforces security policy based on threat intel and device ID, and returns the IP of the requested domain or the block page.
STEP 2b: domains resolved by your DNS server when VPN tunneled or if local. DNS requests to internal domains start here: the module forwards the identical DNS request to the local DNS server, and the response comes from your DNS server.
27. Simple for Both Security & Sysadmin Teams
1. Enable roaming in minutes
2. Global security by default
3. Instant visibility into threats
4. Detailed logs for incident response
28. Where Does Umbrella Fit With CWS?
[Figure: Internet traffic split into web traffic, email traffic and all other traffic, shown on network and off network.]
On network:
• ASA/FirePOWER: DPI/block by IP, URL, packet, or file
• ESA/CES: blocks by sender, content, or file
• WSA/CWS: proxy/block by URL, content, or file
• Umbrella: resolve/block by domain, IP, or URL
• AMP for Endpoint: check/block hash
Off network:
• ESA/CES: blocks by sender, content, or file
• CWS: proxy/block by URL, content, or file
• Umbrella: resolve/block by domain, IP, or URL
• AMP for Endpoint: check/block hash
29. FAQ
• What version of the AnyConnect Client does this work on?
  o Minimum 4.3 MR1 (4.3.01095) for Windows and Mac
• Is there a minimum ASA version required?
  o Not for the Umbrella Roaming module
• Do I have to change the configuration on my ASA?
  o Not for pre-deploy. The ASA won't override manual installations and profiles for the Umbrella module.
• Does it require a separate license?
  o The Roaming Security module is included with AnyConnect Plus or Apex subscriptions. Devices without AnyConnect can use the Umbrella Roaming Client (standalone) that is included with most Umbrella subscriptions. In either case, an Umbrella subscription is still required.
• Is it available for iOS, Android or Chromebook?
  o While on-network, these devices can be protected with network-level policies (Umbrella Professional and above). There are no off-network agents for these platforms at this time.
30. AnyConnect Umbrella Module: Roadmap
• IP Layer Enforcement*
• Active Directory integration for policies and reporting*
• Change Root CA from OpenDNS to Cisco**
• And much more…
* OpenDNS Umbrella Insights, Platform, and MSP
** Most relevant to OpenDNS Umbrella Insights and above
33. Umbrella Roaming: Order of Operations
Umbrella module in AnyConnect:
1. Probe to determine network state
2. Tell AnyConnect to pass DNS queries
3. (If non-local domain) Creates EDNS0* packet, embeds unique device id
4. (and if port 443 is open) Encrypt data w/ DNSCurve**
5. Gives packet to AnyConnect, to forward to OpenDNS's anycast IP address for DNS resolution
Umbrella service:
1. (if encrypted) decrypts DNS query
2. Checks domain and hostname for policy
3. (if not blocked or globally cached) resolves IP via the authoritative nameservers (root ".", "com.", "domain.com")
4. Checks IP against intel
5. (if domain & IP safe) returns destination IP, or (if domain or IP bad) returns block page IP
* https://en.wikipedia.org/wiki/Extension_mechanisms_for_DNS
** https://dnscurve.org/
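To make the module-side steps on slides 25 and 33 concrete, here is an added example (not Cisco or OpenDNS code) that builds the per-request DNS packet: an EDNS0 OPT record carrying a device ID for Internet domains, an unmodified query for internal domains, and the 443-vs-53 port choice. The option code 65001 (a local/experimental code under RFC 6891), the device ID value and the internal-domain list are constructed assumptions, and the DNSCurve encryption step is omitted.

```python
import random
import struct

UMBRELLA_RESOLVER = "208.67.222.222"   # anycast resolver address named on the slides
OPT_RR_TYPE = 41                        # EDNS0 OPT pseudo-RR (RFC 6891)
DEVICE_ID_OPTION = 65001                # ASSUMPTION: local/experimental option code, not Umbrella's real one


def encode_name(name):
    """Wire-format a domain name as length-prefixed labels plus a zero terminator."""
    out = b""
    for label in name.rstrip(".").split("."):
        raw = label.encode("ascii")
        if not 0 < len(raw) < 64:
            raise ValueError("bad DNS label: %r" % label)
        out += bytes([len(raw)]) + raw
    return out + b"\x00"


def build_query(qname, device_id=None, txid=None):
    """Build an A-record query. With a device_id, append an OPT RR whose one
    option carries it (module step 3: EDNS0 packet with the unique device id)."""
    txid = random.getrandbits(16) if txid is None else txid
    arcount = 1 if device_id is not None else 0
    pkt = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, arcount)   # flags: RD=1
    pkt += encode_name(qname) + struct.pack("!HH", 1, 1)          # QTYPE=A, QCLASS=IN
    if device_id is not None:
        option = struct.pack("!HH", DEVICE_ID_OPTION, len(device_id)) + device_id
        # OPT RR: root owner name, TYPE 41, CLASS = UDP payload size, TTL = ext RCODE/flags
        pkt += b"\x00" + struct.pack("!HHIH", OPT_RR_TYPE, 4096, 0, len(option)) + option
    return pkt


def skip_name(pkt, pos):
    """Return the offset just past the name at pos (handles compression pointers)."""
    while True:
        n = pkt[pos]
        if n == 0:
            return pos + 1
        if n & 0xC0 == 0xC0:
            return pos + 2
        pos += 1 + n


def parse_device_id(pkt):
    """Resolver side: return the device-ID option bytes from the OPT RR, or
    None when the query carries no EDNS0 record (the 'identical' local request)."""
    _txid, _flags, qd, an, ns, ar = struct.unpack("!HHHHHH", pkt[:12])
    pos = 12
    for _ in range(qd):
        pos = skip_name(pkt, pos) + 4                       # skip QTYPE + QCLASS
    for _ in range(an + ns + ar):                           # a query only has additional RRs
        pos = skip_name(pkt, pos)
        rtype, _rclass, _ttl, rdlen = struct.unpack("!HHIH", pkt[pos:pos + 10])
        pos += 10
        rdata, pos = pkt[pos:pos + rdlen], pos + rdlen
        if rtype != OPT_RR_TYPE:
            continue
        opos = 0
        while opos + 4 <= len(rdata):
            code, olen = struct.unpack("!HH", rdata[opos:opos + 4])
            if code == DEVICE_ID_OPTION:
                return rdata[opos + 4:opos + 4 + olen]
            opos += 4 + olen
    return None


def route(qname, internal_domains, full_tunnel_vpn, port_443_open, device_id):
    """Module-side decision from slides 25 and 33: internal domains (and all
    queries while a full-tunnel VPN is up) go unmodified to the local resolver;
    Internet domains go to Umbrella tagged with the device ID, on 443/UDP when
    reachable, else 53/UDP. The DNSCurve encryption step is not modelled here."""
    name = qname.rstrip(".").lower()
    is_internal = any(name == d or name.endswith("." + d) for d in internal_domains)
    if is_internal or full_tunnel_vpn:
        return "local", 53, build_query(qname)
    return UMBRELLA_RESOLVER, (443 if port_443_open else 53), build_query(qname, device_id)


if __name__ == "__main__":
    internal = ["corp.example"]                             # constructed internal-domain list
    for q in ("intranet.corp.example", "www.example.com"):
        dest, port, pkt = route(q, internal, False, True, b"device-0001")
        print(q, "->", dest, port, "device id:", parse_device_id(pkt))
```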
34. AnyConnect Module: States of Operation
PROTECTED BY UMBRELLA
• Protected by Umbrella: non-local domain requests forwarded to 208.67.222.222 over 53/UDP
• Protected & Encrypted: non-local domain requests forwarded to 208.67.222.222 over 443/UDP
• Protected… by Umbrella Network* / …by Umbrella VA*: probes the Umbrella service; an unlikely state, as it's for different Umbrella packages
• Configuring: probing after a network state change
NOT PROTECTED BY UMBRELLA
• Unprotected: can't connect, missing profile, or service unavailable
• Disabled: full-tunnel VPN active, or trusted network detected*
ADDITIONAL STATES SHOWN IN PORTAL
• Offline: service unable to sync with the module for a certain time period (e.g. computer not turned on)
• Uninstalled: end-user or admin properly removed the module
* For other Umbrella packages, IP-Layer Enforcement may be provided by the module even in these states
35. Why Add Security at the DNS Layer?
• 15% of C2 bypasses web ports 80 & 443 (web vs. non-web)
• 91% of C2 can be blocked at the DNS layer (DNS vs. direct IP)
• 68% of orgs don't monitor recursive DNS (Lancope research)
Sources cited on the slide: 2016 Cisco Annual Security Report; Lancope Research
Editor's notes
Think about what’s happening to your network. Before, everything was contained on your network…all of your critical infrastructure, desktops, and business applications.
Now you’re embracing cloud apps like Office 365, Box or SalesForce, or likely worse, some business units and many employees are using them anyway.
Either way, it means that remote and roaming devices can directly work in the cloud, and skip the VPN, because they have no need for remote access.
And that security stack you layered with best-in-defense capabilities has no control or visibility of what is happening off-network.
You are reliant on endpoint security alone to detect and block threats once they are downloaded or run on the device.
In the past, when your employees left the office, and they needed to get work done, what’d they do first?
Usually turn on the VPN, because the infrastructure, apps and data they needed access to were behind your perimeter.
But, not every connection goes through the VPN today; not all traffic, over all ports, all the time is backhauled to the corporate network.
And this creates a blind spot for your next-generation firewall and other perimeter security.
Gartner predicts by 2018, the average company will have 25% of its corporate data traffic bypassing the network perimeter.
Some industries are already there or surpassed this depending on how mobile your workforce is.
The way your employees work has changed
82% of your workers admit to not always using the VPN.
Employees are using more cloud apps for work and leveraging their work laptops for personal use— the reality is that not every connection goes through the VPN. Many connections are not VPN’d due to cloud apps, personal web browsing, or split tunnels.
Your network extends beyond the perimeter, and your security must too. (cs.co/IDG-survey)
49% of your workforce is mobile and under defended. (cs.co/sans-survey)
Zero-day malware spikes at night and on weekends when we’re roaming and attackers know we’re vulnerable. In fact, 22% of malicious email links are clicked when roaming.(cs.co/proofpoint-report) While security may never stop 100% of the threats, it must work 100% of the time.
Think about where you enforce security today. You probably have a range of products in your security stack to protect your network and endpoints—whether it’s at your corporate headquarters, branch offices, or on roaming endpoints.
And of course, you can block malware on your network and endpoints, but why wait until malware reaches the enterprise when you can block threats out on the Internet? There are many ways that malware can get in, which is why it’s important to have multiple layers of security.
But if you consider how malware is often downloaded or how phishing attacks work and how malware exfiltrates data…it often happens on the Internet.
DNS is a foundational component of how the Internet works and is used by every device in the network. Way before a malware file is downloaded or before an IP connection over any port or any protocol is even established, there’s a DNS request. And that’s where OpenDNS enforces security.
OpenDNS Umbrella can be the first layer of defense against threats by preventing devices from connecting to malicious or likely malicious sites in the first place—which significantly reduces the chance of malware getting to your network or endpoints.
How we do it:
No extra agents or user actions
Protecting users off the corporate network has never been easier! With Umbrella Roaming, no additional agents are required. The Umbrella functionality is embedded in the Cisco AnyConnect clients for Windows PCs and Mac. We also designed it to be maintenance-free. It auto-updates just like Chrome browsers do, and without ever requiring a reboot. Plus there's nothing for end users to do in order to get protection (unlike most VPNs). It just works.
-------
Security Efficacy and performance: We block malicious domain requests and IP responses as DNS queries are resolved. Which means we can prevent users from going to bad or likely malicious domains before a connection is ever established or a file is downloaded.
-----
Predict threats before they happen:
The huge volume of requests that we resolve gives us a very diverse data set. We apply statistical models to that data set which allows us to automatically identify where current attacks are staged on the Internet, and even predict sites that are likely malicious before an attack even launches.
How do we do that? Well it all starts with data.
Not only do we have a massive amount of data, but perhaps more important is the diversity of our data. It’s not just from one segment or geography or one protocol. A diverse set of traffic gives us insight into where the threats are coming from, who is launching them, where they are going to, how wide the net of the attack is, and more.
So what kind of data are we talking about?
Every day, more than 65 million enterprise and consumer users across 160+ countries rely on OpenDNS for DNS resolution. That results in 80+ billion DNS requests per day. Plus, 500+ peering partners exchange BGP route information with OpenDNS—giving us visibility into the connections between different networks on the Internet. With this combined data, our view of the Internet is like no other security company.
The data gives us insight into things like:
- global request patterns (where people are going),
- when was the first time we saw this domain,
- when was the last time,
- how many people are going to this site,
- how are domains and IPs connected and correlated.
- and more
Similar to Amazon learning from shopping patterns to suggest the next purchase, or Pandora learning from music listening patterns to play the next song, we learn from internet activity patterns to identify attacker infrastructure being staged for the next threat. Our statistical models predict which domains and IPs will be malicious before any other security vendor.
To discover patterns and detect anomalies across our data, we design statistical models to categorize and score it.
For example:
• Many models analyze spatial relationships, such as graphing the relationships between networks across the Internet.
• Some models analyze time-based relationships, such as discovering domain co-occurrences as a result of consecutive DNS requests over very short timeframes, repeated by thousands of users.
• Other models analyze statistical deviations from normal activity, such as measuring the geographic distribution of IP networks requesting a domain name.
Spike Rank (SPRank) (opendns.com/Sprank):
- uses sound wave analysis concepts to detect domains that have spikes in their DNS request patterns
- now in production, the model identifies hundreds of compromised domains every hour — over a third of which are not detected by any other antivirus or antimalware scanner, according to VirusTotal
- examines how traffic patterns change when a domain becomes malicious (new domains, recently compromised domains, etc.)
Predictive IP Space Monitoring
- This model integrates ‘clues’ found by the SPRank Model and categorizes patterns in malicious hosts to determine which domains will be the source of future malicious activity
- Predictive IP Space Monitoring tracks every step a criminal goes through to set up the attack infrastructure—from choosing a hosting provider to deploying server images—allowing researchers to identify what steps will precede malicious activity
Co-Occurrences
Identifies other domains looked up in rapid succession of a given domain
Correlations uncover other domains related to an attack
NLP-rank (opendns.com/NLPrank): uses natural language processing to detect domain names that spoof brand and tech terms in real time
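The co-occurrence idea behind the "C-Rank" model on slide 12 and in the notes above, as an added example that is not OpenDNS's own model code: given a known-bad seed domain, it finds the domains that the same clients looked up within a short window afterwards and scores each by how many distinct clients show the pair. The log format ('epoch,client,domain') and the sample lines are constructed.

```python
from collections import defaultdict

# Constructed sample log (not real Umbrella data): 'epoch,client,domain'.
# Clients a and b both resolve a known-bad domain and, within seconds,
# the same previously unknown domain; client c never touches either.
SAMPLE_LOG = """\
100,a,cdn.example.net
102,a,bad.example.org
103,a,payload.example.xyz
104,a,news.example.com
200,b,bad.example.org
202,b,payload.example.xyz
203,b,mail.example.com
300,c,news.example.com
305,c,mail.example.com
"""


def parse_log(text):
    """Turn the log text into (timestamp, client, domain) tuples."""
    events = []
    for line in text.strip().splitlines():
        ts, client, domain = line.split(",")
        events.append((int(ts), client, domain.strip().lower()))
    return events


def cooccurrences(events, seed, window):
    """For every client that looked up `seed`, collect the other domains that
    client looked up within `window` seconds afterwards, and count how many
    distinct clients showed each pair. A domain that many clients resolve right
    after a known-bad seed is a candidate for the same attack infrastructure."""
    by_client = defaultdict(list)
    for ts, client, domain in events:
        by_client[client].append((ts, domain))
    supporters = defaultdict(set)
    for client, lookups in by_client.items():
        lookups.sort()
        seed_times = [ts for ts, d in lookups if d == seed]
        for ts, domain in lookups:
            if domain != seed and any(0 < ts - st <= window for st in seed_times):
                supporters[domain].add(client)
    return {domain: len(clients) for domain, clients in supporters.items()}


def rank(scores, min_clients):
    """Order candidates by client support, dropping domains below the
    threshold: a pair seen from a single client is coincidence, not evidence."""
    ordered = sorted(scores.items(), key=lambda kv: (-kv[1], kv[0]))
    return [domain for domain, n in ordered if n >= min_clients]


if __name__ == "__main__":
    scores = cooccurrences(parse_log(SAMPLE_LOG), "bad.example.org", window=5)
    print(scores)                       # {'payload.example.xyz': 2, 'news.example.com': 1, 'mail.example.com': 1}
    print(rank(scores, min_clients=2))  # ['payload.example.xyz']
```

Real deployments replace the single seed with the whole set of known-bad domains and the window with one tuned per model; the support threshold is what keeps one user's coincidental browsing from tainting a popular site.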
#1 Fastest and most reliable DNS = Every day more than 65 million users send more than 80 Billion DNS requests to our global network. And we have 3rd party proof that we’re the fastest in North America and one of the fastest worldwide. Plus we’ve had 100% uptime since we launched the network in 2006.
3M+ new domain names discovered daily = the number of new domain names we’re able to discover daily
60k+ malicious destinations identified daily = the number of new malicious destinations we discover daily
7M+ total malicious destinations enforced = at any given time, we’re blocking users from going to more than 7 million malicious destinations. Why is that impressive? Well, not only do we uncover tons of new malicious domains/IPs every day, but because we use the cloud we’re able to process and actually enforce millions of domains at once…which is something that appliance-based solutions can’t do.
Cisco Umbrella Roaming is a cloud-delivered security service for Cisco’s next-generation firewall that protects employees when they are off the VPN. Umbrella Roaming provides visibility and enforcement at the DNS-layer to block requests to malicious domains and IPs before a connection is ever made. No additional agents are required — simply enable the Umbrella Roaming functionality in the Cisco AnyConnect client for seamless protection against malware, phishing, and command & control callbacks wherever your users go. With Umbrella Roaming, you gain always-on security without the hassle of always-on VPN.
In general for off-network coverage, an endpoint agent is a necessary evil because we need a way to identify which customer and device sent the DNS request. As many of you know, we call it the Roaming Client.
But don’t let the name trick you, our client is also used as one of two optional methods to get granular on-network control & visibility. So it’s not just for Windows or Mac laptops. It works great for Windows or Mac desktops, too.
-------
The first step is to point all DNS requests from any running app to 127.0.0.1, the loopback address every device has. It does this using built-in OS operational parameters. It also learns from your Umbrella account which domain names are internal and should not be resolved off-network.
The second step depends on whether a DNS request is for an Internet or an internal domain name.
For an Internet domain name, our client embeds a unique identifier into the DNS request that matches the device's hostname.
It also encrypts the DNS request to prevent man-in-the-middle eavesdropping on public networks.
No other security or non-security provider in the world offers a lightweight endpoint agent that can do either of these things.
When our global network receives this DNS request, it checks our cache as well as your policy for this device for the proper response.
If the destination is safe and adheres to your policy, we return the IP registered in the authoritative DNS record.
If it is malicious or violates your policy, we return the IP address of OpenDNS’s block page servers or even a custom IP address you own.
And if the destination contains both safe and malicious web content, we return the IP of OpenDNS’s cloud-based proxies so we can intercept the connection and filter at the URL-level.
----
Alternatively, requests for internal domains are forwarded to the network’s local DNS server without embedding the identity or encrypting the request.
So we won’t interfere with anyone’s internal DNS servers.
Simply enable the Roaming Security module available in Cisco AnyConnect v4.3 for Windows or Mac OS X.
OR
• Deploy a stand-alone Umbrella Roaming Client for Windows or Mac OS X alongside any other remote access VPN client.
As soon as Roaming Security is enabled, mobile workers are protected against malicious destinations.
If a threat is requested via a web browser, end-users receive a customizable block page.
To immediately access a blocked site, just allow the domain.
View your daily, weekly, or monthly security events occurring off-network either in your inbox or our dashboard.
Check if threats are trending up or down as well as the domains and laptops with the most security events.
Respond to an incident by drilling into the full activity per domain or laptop.
Recall that DNS is ubiquitous for every network and endpoint footprint that exists in an organization. Even IoT devices rely on DNS.
It doesn’t require deploying a new appliance in the network.
It doesn’t require changing WCCP on a network you manage or deploying PAC files on an endpoint you own to redirect web traffic. And we don’t care if web traffic is encrypted.
Leveraging our wireless hardware partnerships, changing a single IP in DNS or DHCP servers, or referring to our network device setup guides make it so easy to point DNS to us.
We’re not exaggerating when we say it takes only 30 minutes to cover dozens of locations and thousands of devices.
It is the fastest and easiest way to stop the vast majority of threats trying to infiltrate your systems and exfiltrate your data.
----
No endpoint security solution comes close to providing as much visibility into all Internet activity as Umbrella.
And by combining the Internet-wide visibility that our Investigate product adds to Umbrella, customers can even identify targeted attacks.
----
But perhaps most valuable, is that because DNS precedes every IP connection, we cut the number of security alerts generated by the rest of a customer’s security stack in half or more.
------ALTERNATIVE STORY-----
OpenDNS Umbrella is a new layer in the network security stack.
After the Internet was built, our networks started connecting to each other.
Everyone installed a firewall at the network's perimeter to control connections between internal and external hosts by their IP addresses or ports. Think of this as an IP gateway.
Then, our employees’ Web browsers started requesting content from websites through the firewall. Attackers hosted malicious content on a server and compromised a system once it was executed. Everyone installed a web proxy at the perimeter to block requests by their URLs and files by their signatures. These products were called web gateways; similar to the email gateways people had installed to block senders and attachments.
BUT malicious connections and content are still getting through these gateways!
WHY is malware still compromising our systems?
WHY are attackers still exfiltrating our data?
BECAUSE these gateways don’t always stop what they should.
BECAUSE software and servers can exchange data over ports other than 80, 443, and 25.
What we need is to add a DNS gateway. Across all devices and software, every connection--regardless of its port or protocol--starts with a DNS request.
With a DNS gateway, you can control all Internet-bound connections and block malicious content or data theft before the connection ever happens.
OpenDNS Umbrella is one such DNS gateway.
BUT the only one that works seamlessly on or off the corporate network.
Can existing Umbrella customers purchase the Roaming package?
No. Umbrella Roaming cannot be purchased by existing customers because it is not an add-on to OpenDNS Umbrella. Rather, it is an entry-level package that contains a subset of the features that existing customers already have in their Umbrella Professional, Insights, or Platform package. However, existing Umbrella customers will be able to leverage the AnyConnect integration as part of their subscription.
Can we sell Roaming & Branch together?
Customers can only purchase one Umbrella package, so if you try to sell Umbrella Roaming to an existing Umbrella customer, you will get an error in the CCW.
How does this compare to the CWS module for AnyConnect?
No content filtering available in Umbrella Roaming — security protection when VPN is off
Can Umbrella Roaming subscriptions be co-termed with existing AnyConnect subscriptions?
Yes, Cisco Account Managers can co-term Umbrella Roaming with AnyConnect by specifying non-standard terms for an order. Partners are restricted to the standard initial terms of 12 and 36 months in CCW. Partners can enter a co-term request in CCW as a non-standard deal which the Cisco Account Manager would approve/deny.
Now why do customers want to add security at the DNS layer?
You now understand the ability for DNS to cover any device and location, but many security products don’t cover any port or protocol used by threats. By using DNS, we can cover these gaps.
According to research done by Lancope, 15% of command & control callbacks did not use web ports (80 & 443) — which means that most web security products won't have any visibility or the ability to block the C2 connections that are trying to exfiltrate data or communicate with the attacker for more instructions. Umbrella covers any port or protocol—which is a big selling point when you consider attacks like these that may use non-standard ports.
Additionally, the 2016 Cisco Annual Security Report found that 91% of malware samples used DNS requests for command & control callbacks. Which means that Umbrella could contain the vast majority of C2 callbacks earlier than most other security products. And, for the 9% of attacks that use direct IP connections—we have that covered too.