Cisco Umbrella and... · 2020-06-23 · CISCO UMBRELLA 03.10.2018 | Bolzano ... §Security...
![Page 1: Cisco Umbrella and... · 2020-06-23 · CISCO UMBRELLA 03.10.2018 | Bolzano ... §Security Evangelist (Blue Team) §AutomationAddicted/Developer (UNetLab) §Cisco CCIE #38620/VMware](https://reader034.fdocuments.us/reader034/viewer/2022050502/5f94a1128d93ce6b5e55e648/html5/thumbnails/1.jpg)
CISCO UMBRELLA
03.10.2018 | Bolzano, Andrea Dainese
PROTECTION AND VISIBILITY FOR ENTERPRISE NETWORKS
ABOUT
ANDREA DAINESE - SENIOR SYSTEMS ENGINEER
§ Network and Security Architect (15+ years' exp.)
§ Security Evangelist (Blue Team)
§ Automation Addicted/Developer (UNetLab)
§ Cisco CCIE #38620 / VMware VCP / Red Hat RHCE
@adainese
www.linkedin.com/in/adainese
INTRODUCTION
You cannot protect what you don’t know
WHAT ABOUT ENDPOINTS?
§ Where do users browse?
§ What do they download?
§ What do they execute?
§ What do they plug into the computer/laptop?
§ Where do they usually work from?
§ Are endpoints left unattended?
Multi-layered security approach
PREREQUISITES FOR A WEB CONTENT FILTER
Must:
§ Categorize web sites
§ Set policies per user group (AD integration)
§ Protect both on-premises and mobile users
Should:
§ Work for all protocols
§ Be easy to set up and maintain
WEB CONTENT FILTER COMPARISON
                  SWG (Secure Web Gateway, proxy)   SIG (Secure Internet Gateway, DNS layer)
Protection        Enterprise networks               Everywhere
Control           Granular web usage*               Any protocol
Setup time        Days                              Minutes
User experience   Can break some sites/apps**       No added latency
*: Encrypted (HTTPS) websites require a MITM (TLS interception) approach
**: Some applications do not work behind a proxy server
CISCO UMBRELLA
WHAT IS OPENDNS/UMBRELLA?
The largest cloud-based DNS service (and more)
BRIEF HISTORY
§ 2006: OpenDNS founded
§ 2012: Umbrella enters the enterprise market
§ 2015: Cisco acquires OpenDNS/Umbrella
TODAY
§ 100B requests/day
§ 85M daily users
§ 12k enterprise customers
Threat prevention for:
§ Homes (OpenDNS)*
§ Enterprises (Umbrella)
*: Home connections with a dynamic IP must keep the OpenDNS account updated with the current address through a DDNS client (link).
CISCO UMBRELLA PROTECTS AGAINST:
§ Unwanted websites
§ Suspicious websites
§ Advertising
§ Malware
§ Phishing attacks
§ Newly seen domains (and DGA*)
§ Command and control callbacks
§ DNS tunnelling (VPN over DNS)**
*: e.g. www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com
**: e.g. a query for A MRZGS3TLEBWW64TFEBXXMYLMOR.t.example.com answered with CNAME WW2IDPOZQWY5DJNZSQ.t.example.com (the data travels encoded in the labels)
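The two footnote names above are worth turning into a check. The following is an added example, not code from the slides or from Cisco Umbrella: a small Python script that applies the two heuristics a DNS-layer product uses for exactly these cases, a long high-entropy registered domain for DGA-style names, and many distinct long leftmost labels under one parent domain for tunnelling, and that peeks at a tunnel payload by base32-decoding the label (the slide's MRZGS3... label is valid unpadded base32 and decodes to readable text). The thresholds, function names and the sample query log are assumptions constructed for the example; only the two footnote names come from the slide.

```python
"""Added example (not from the slides): DNS-name heuristics for DGA-style
domains and DNS tunnelling, run over a small constructed query log."""
import base64
import math
import re
from collections import Counter, defaultdict

B32_LABEL = re.compile(r"^[A-Z2-7]+$")
DGA_MIN_LEN, DGA_MIN_ENTROPY = 16, 3.5        # assumed thresholds
TUNNEL_MIN_HOSTS, TUNNEL_MIN_LABEL = 10, 16   # assumed thresholds


def shannon_entropy(s):
    """Bits of entropy per character of s (0.0 for the empty string)."""
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values()) if n else 0.0


def split_name(fqdn):
    """Return (leftmost_label, registered_domain). Assumes single-label public
    suffixes (.com, .net ...); a real tool would use the Public Suffix List."""
    labels = [l for l in fqdn.lower().rstrip(".").split(".") if l]
    return labels[0], ".".join(labels[-2:])


def looks_dga(registered_domain):
    """Second-level label that is long and high-entropy, like the slide's
    www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com."""
    sld = registered_domain.split(".")[0]
    return len(sld) >= DGA_MIN_LEN and shannon_entropy(sld) >= DGA_MIN_ENTROPY


def base32_payload(label):
    """Decode a label as unpadded RFC 4648 base32 (what tunnelling tools
    commonly emit); None if the label is not valid base32."""
    up = label.upper()
    if len(up) < 8 or not B32_LABEL.match(up):
        return None
    try:
        return base64.b32decode(up + "=" * (-len(up) % 8))
    except ValueError:        # includes binascii.Error for bad lengths
        return None


def find_tunnels(fqdns):
    """Group queries by registered domain; many distinct long leftmost labels
    under one parent is the classic tunnelling signature. Returns
    {registered_domain: number_of_long_labels} for the suspects."""
    hosts = defaultdict(set)
    for name in fqdns:
        left, reg = split_name(name)
        hosts[reg].add(left)
    suspects = {}
    for reg, lefts in hosts.items():
        long_labels = [l for l in lefts if len(l) >= TUNNEL_MIN_LABEL]
        if len(long_labels) >= TUNNEL_MIN_HOSTS:
            suspects[reg] = len(long_labels)
    return suspects


def report(fqdns):
    """Run both heuristics and decode whatever tunnel labels are base32."""
    dga = sorted({split_name(n)[1] for n in fqdns if looks_dga(split_name(n)[1])})
    tunnels = find_tunnels(fqdns)
    payloads = {}
    for name in fqdns:
        left, reg = split_name(name)
        if reg in tunnels:
            data = base32_payload(left)
            if data is not None:
                payloads[left.upper()] = data
    return {"dga": dga, "tunnels": tunnels, "payloads": payloads}


# Constructed sample log: benign lookups, the slide's two footnote names, and
# twelve tunnel queries whose labels are base32 chunks of a constructed message.
TUNNEL_LABELS = [
    base64.b32encode(f"chunk {i:02d} of exfiltrated data".encode()).decode().rstrip("=")
    for i in range(12)
]
SAMPLE_LOG = (
    ["www.cisco.com", "www.example.org", "mail.example.net"] * 3
    + ["www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com"]
    + ["MRZGS3TLEBWW64TFEBXXMYLMOR.t.example.com"]
    + [f"{label}.t.example.com" for label in TUNNEL_LABELS]
)

if __name__ == "__main__":
    result = report(SAMPLE_LOG)
    print("DGA-like registered domains:", result["dga"])
    print("Tunnel suspects (distinct long labels):", result["tunnels"])
    for label, data in list(result["payloads"].items())[:3]:
        print(label, "->", data)
```

The per-name entropy rule is deliberately crude (long legitimate labels will occasionally trip it), which is why the tunnelling rule counts distinct labels per parent domain rather than judging single names; in practice both are combined with the "newly seen" signal the slide lists.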
VISIBILITY
DASHBOARD
Cisco Umbrella v1 - Instant Demo @ Cisco dCloud
ACTIVITY SEARCH (C&C)
ACTIVITY SEARCH (DETAIL)
ACTIVITY SEARCH (GENERIC)
CLOUD SERVICES
A FAMOUS CRYPTOLOCKER
#WANNACRY: A BRIEF STORY
• A long time ago: EternalBlue developed by the NSA
• March 14th, 2017: Microsoft Security Bulletin MS17-010
• April 14th, 2017: Shadow Brokers release
• May 12th, 2017 | 07:24 UTC: #WannaCry patient zero
• May 12th, 2017 | 07:30 UTC: @MalwareTechBlog post
• May 12th, 2017 | 07:43 UTC: kill switch on Umbrella
UMBRELLA INVESTIGATE
#WANNACRY (SUMMER 2017)
#WANNACRY (AUTUMN 2017)
#WANNACRY (GEOGRAPHIC DISTRIBUTION)
TARGETED MALWARE
ARCHITECTURE
DEPLOYMENT MODES
§ Networks
§ Internal Networks (Virtual Appliance)
§ Network Devices
§ Roaming Computers
§ Mobile Devices
NETWORKS
INTERNAL NETWORKS
ROAMING CLIENTS
HIGH AVAILABILITY (GLOBAL)
Anycast:
§ 208.67.220.0/24 (.220 and .222)
§ 208.67.222.0/24 (.220 and .222)
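The anycast ranges above only protect clients that actually send their queries there; a host with a stray resolver left in resolv.conf, or a firewall that lets UDP/53 out to any address, bypasses the DNS layer entirely. The following is an added example, not from the slides or from Cisco: a Python check that validates a resolv.conf against those two /24s and scans firewall log lines for DNS or DNS-over-TLS flows to other resolvers. The resolv.conf contents, the key=value log format and all client addresses are constructed for the example; only the two IPv4 ranges come from the slide, so IPv6 resolvers are not covered.

```python
"""Added example (not from the slides): verify that clients can only resolve
through the Umbrella anycast ranges listed on the slide."""
import ipaddress
import re

# Anycast resolver ranges from the slide (IPv4 only).
UMBRELLA_RANGES = [ipaddress.ip_network("208.67.220.0/24"),
                   ipaddress.ip_network("208.67.222.0/24")]
# Ports that identify DNS traffic. DNS over HTTPS (TCP/443) cannot be told
# apart from ordinary web traffic by port alone.
DNS_PORTS = {53: "dns", 853: "dns-over-tls"}


def is_umbrella(addr):
    """True if addr falls inside one of the Umbrella anycast ranges."""
    ip = ipaddress.ip_address(addr)          # raises ValueError if not an IP
    return any(ip in net for net in UMBRELLA_RANGES)


def check_resolv_conf(text):
    """Return the nameserver entries that are not Umbrella resolvers."""
    servers = re.findall(r"^\s*nameserver\s+(\S+)", text, flags=re.MULTILINE)
    rogue = []
    for server in servers:
        try:
            if not is_umbrella(server):
                rogue.append(server)
        except ValueError:                   # not an IP at all: also report it
            rogue.append(server)
    return rogue


KV = re.compile(r"(\w+)=(\S+)")               # constructed key=value log format


def find_dns_bypass(log_lines):
    """Return (src, dst, service) for DNS/DoT flows not going to Umbrella."""
    bypass = []
    for line in log_lines:
        fields = dict(KV.findall(line))
        dst, dport = fields.get("dst"), fields.get("dport", "")
        if dst is None or not dport.isdigit():
            continue
        port = int(dport)
        if port not in DNS_PORTS:
            continue
        try:
            if not is_umbrella(dst):
                bypass.append((fields.get("src", "?"), dst, DNS_PORTS[port]))
        except ValueError:                   # malformed destination: skip
            continue
    return bypass


# Constructed resolv.conf: both Umbrella resolvers plus a leftover internal one.
SAMPLE_RESOLV_CONF = """\
# written by hand for this example
search corp.example
nameserver 208.67.222.222
nameserver 208.67.220.220
nameserver 10.0.0.53
"""

# Constructed firewall log (addresses from documentation/test ranges and
# public resolvers; the format is invented for this example).
SAMPLE_FW_LOG = [
    "2018-10-03T09:00:01Z action=allow src=10.1.2.3 dst=208.67.222.222 proto=udp dport=53",
    "2018-10-03T09:00:02Z action=allow src=10.1.2.3 dst=208.67.220.220 proto=udp dport=53",
    "2018-10-03T09:00:03Z action=allow src=10.1.2.7 dst=8.8.8.8 proto=udp dport=53",
    "2018-10-03T09:00:04Z action=allow src=10.1.2.9 dst=1.1.1.1 proto=tcp dport=853",
    "2018-10-03T09:00:05Z action=allow src=10.1.2.3 dst=198.51.100.10 proto=tcp dport=443",
]

if __name__ == "__main__":
    print("Non-Umbrella nameservers:", check_resolv_conf(SAMPLE_RESOLV_CONF))
    for src, dst, service in find_dns_bypass(SAMPLE_FW_LOG):
        print(f"{src} bypasses Umbrella via {service} to {dst}")
```

The usual fix for the second finding is an egress rule that permits UDP/TCP 53 and TCP 853 only towards the two ranges; the 443 flow in the sample is not reported because DoH is invisible to a port-based check, which is one reason to pair the DNS layer with URL filtering.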
HIGH AVAILABILITY (LOCAL)
How each OS resolver fails over between its configured DNS servers:
Windows:
§ timeout 1 s
§ attempts 1
§ sticks to the last responding server for 15 min
OS X:
§ timeout 1 s
§ attempts 2
§ sticks to the last responding server for 10 min
Linux:
§ timeout 5 s
§ attempts 2
§ always starts from the first server
Know your network, or start with a non-blocking (monitor-only) policy
MULTI-LAYER SECURITY
1. DNS: Cisco Umbrella
2. URL filtering
DEMO