1 CONFIDENTIAL
Tech update
Mikael Grotrian, CISSP, CISM, CCSK, GISF, ITIL, PRINCE2, TOGAF Certified
Consulting Systems Engineer, Cyber Security, Denmark
Through DNS Resolution We Make Many Discoveries
Recursive DNS (request patterns from any device), used to detect:
• Compromised systems
• Command & control callbacks
• Malware & phishing attempts
• Algorithm-generated domains
• Domain co-occurrences
• Newly registered domains
Authoritative DNS (authoritative logs along the resolution chain root → com. → domain.com.), used to find:
• Newly staged infrastructures
• Malicious domains, IPs, ASNs
• DNS hijacking
• Fast flux domains
• Related domains
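The detections the slide attributes to the recursive-DNS layer (algorithm-generated domains, newly registered domains, command & control callbacks) can be illustrated with plain heuristics run over resolver query logs. The block below is an added example written for this page; it is not OpenDNS/Umbrella code and does not reproduce the vendor's classifiers. The log lines, the WHOIS-style registration dates, the entropy and vowel-ratio thresholds and the NXDOMAIN burst count are all constructed assumptions chosen to make the heuristics visible.

```python
"""
Added example (not from the deck): heuristics a recursive-DNS layer can run
over query logs to flag DGA names, newly registered domains and C2 hunting.
"""
import math
import re
from collections import Counter
from datetime import date, datetime

# Constructed sample of recursive-DNS query log lines (not captured from any
# real resolver): timestamp, client IP, queried name, response code.
SAMPLE_LOG = """\
2016-03-01T09:00:01Z 10.1.2.2 www.example.com NOERROR
2016-03-01T09:00:02Z 10.1.2.2 xk7q2mvz9rp4bwe.net NXDOMAIN
2016-03-01T09:00:02Z 10.1.2.2 q9w3ltz8bdk2mxp.net NXDOMAIN
2016-03-01T09:00:03Z 10.1.2.2 p2v7nj4kzq8wy3r.net NXDOMAIN
2016-03-01T09:00:04Z 10.1.2.2 fresh-payroll-update.example NOERROR
2016-03-01T09:00:05Z 10.1.2.3 mail.example.com NOERROR
"""

# Constructed stand-in for WHOIS creation dates (the deck lists WHOIS record
# data as an intelligence source; a real deployment would look these up).
REGISTRATION_DATES = {
    "example.com": date(1995, 8, 14),
    "fresh-payroll-update.example": date(2016, 2, 27),
}

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+)$")
NXDOMAIN_BURST = 3         # NXDOMAINs per client before we call it C2 hunting
MAX_REGISTRATION_AGE = 30  # days; younger domains count as "newly registered"


def shannon_entropy(text):
    """Bits of entropy per character of `text`."""
    n = len(text)
    return -sum(c / n * math.log2(c / n) for c in Counter(text).values())


def registrable_domain(name):
    """Naive registrable domain: the last two labels (no public-suffix list)."""
    labels = name.rstrip(".").lower().split(".")
    return ".".join(labels[-2:])


def looks_generated(name, min_len=12, min_entropy=3.5, max_vowel_ratio=0.25):
    """Heuristic DGA test on the second-level label: long, high-entropy and
    vowel-poor labels are typical of algorithm-generated names."""
    label = registrable_domain(name).split(".")[0]
    if len(label) < min_len:
        return False
    vowel_ratio = sum(ch in "aeiou" for ch in label) / len(label)
    return shannon_entropy(label) >= min_entropy and vowel_ratio < max_vowel_ratio


def newly_registered(name, seen_on, max_age_days=MAX_REGISTRATION_AGE):
    """True when the registrable domain was created within `max_age_days`
    of the query date; domains with no known creation date are not flagged."""
    created = REGISTRATION_DATES.get(registrable_domain(name))
    return created is not None and (seen_on - created).days <= max_age_days


def analyse(log_text):
    """Return (client, qname, reason) findings for one batch of log lines."""
    findings = []
    nxdomains = Counter()
    for line in log_text.splitlines():
        match = LINE_RE.match(line)
        if not match:
            continue  # skip malformed lines rather than abort the batch
        ts, client, qname, rcode = match.groups()
        seen_on = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").date()
        if rcode == "NXDOMAIN":
            nxdomains[client] += 1
        if looks_generated(qname):
            findings.append((client, qname, "algorithm-generated domain"))
        if newly_registered(qname, seen_on):
            findings.append((client, qname, "newly registered domain"))
    # A client cycling through many non-existent names is the classic
    # footprint of DGA malware searching for its live C2 domain.
    for client, count in nxdomains.items():
        if count >= NXDOMAIN_BURST:
            findings.append((client, "*", f"{count} NXDOMAIN answers: possible C2 callback hunting"))
    return findings


if __name__ == "__main__":
    for client, qname, reason in analyse(SAMPLE_LOG):
        print(f"{client:<10} {qname:<32} {reason}")
```

Run as a script it prints five findings for the constructed log: three DGA-looking names, one domain registered three days before it was queried, and the NXDOMAIN burst from client 10.1.2.2. The entropy and vowel thresholds are deliberately simple; a production classifier would use a public-suffix list for the registrable domain and a trained model rather than fixed cut-offs.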
A New Layer of Breach Protection
Umbrella Enforcement
Threat Prevention: not just threat detection
Protects On & Off Network: not limited to devices forwarding traffic through on-prem appliances
Partner & Custom Integrations: does not require professional services to set up
Block by Domains for All Ports: not just IP addresses, or domains only over ports 80/443
Always Up to Date: no need for the device to VPN back to an on-prem server for updates
The Power of OpenDNS + Cisco
Internet threats: malware, botnets/C2, phishing
Cisco security stack, each with AMP: Lancope, WSA (+ESA), Firepower, Meraki, ASA
Deployed at HQ, branches and for mobile users; OpenDNS enforcement applies at each of these points and at the Internet layer
BENEFITS
• Alerts reduced 2x; improves your SIEM
• Block malware before it hits the enterprise; contains malware if already inside
• Internet access is faster, not slower
• Provision globally in under 30 minutes
We see where attacks are staged
Investigate
Single, correlated source of information
Types of Threat Information Provided:
• WHOIS record data
• ASN attribution
• IP geolocation
• IP reputation scores
• Domain reputation scores
• Domain co-occurrences
• Anomaly detection (DGAs, FFNs)
• DNS request patterns / geographic distribution
• Passive DNS database
Use Our Global Intelligence To…
Your Local Intelligence: you know one IOC
Our Global Context: we know all its relationships
• Speed up investigations
• Prioritize investigations & response
• Enrich security systems with real-time data
• Stay ahead of attacks
Typical Ransomware Infection
Infection Vector → C2 Comms & Asymmetric Key Exchange → Encryption of Files → Request of Ransom
Channel used by each family for its encryption C&C (DNS, IP, or no C&C) and for the payment message (TOR):

| Name          | Encryption C&C | Payment MSG |
|---------------|----------------|-------------|
| Locky         | DNS            |             |
| SamSam        | DNS            | TOR         |
| TeslaCrypt    | DNS            |             |
| CryptoWall    | DNS            |             |
| TorrentLocker | DNS            |             |
| PadCrypt      | DNS            | TOR         |
| CTB-Locker    | DNS            |             |
| FAKBEN        | DNS            | TOR         |
| PayCrypt      | DNS            |             |
| KeyRanger     | DNS            |             |
Automate Security to Reduce Attack Dwell Time
AMP Threat Grid: customer, partner & community threat analysis & intelligence (files → domains)
Umbrella Enforcement & Visibility:
• Automatically pulls newly discovered malicious domains in minutes
• Logs or blocks all Internet activity destined to these domains
DEMO
ON-NET: How We Enforce by Public or Internal Networks
Addresses used in the diagram: any device @ 10.1.2.2, internal DNS server @ 10.1.0.1, OpenDNS VA @ 10.1.0.2, gateway @ 8.2.0.1, Global Network 208.67.222.222.
VIRTUAL APPLIANCE: best for locations that want granular control & visibility
• DHCP's DNS = 10.1.0.2; the OpenDNS VA @ 10.1.0.2 sends internal DNS (intranet domains) to the DNS Server @ 10.1.0.1 and external DNS to 208.67.222.222 via the Gateway @ 8.2.0.1
• Policy for public network ID @ 8.2.0.1 (no NAT or proxy) and policy for internal network ID @ 10.1.2.2
DNS SERVER: simple for locations that manage intranet domains
• DHCP's DNS = 10.1.0.1; the DNS Server @ 10.1.0.1 forwards external queries via the Gateway @ 8.2.0.1 to the Global Network 208.67.222.222
• Policy for public network ID @ 8.2.0.1
DHCP SERVER: simple for locations without intranet domains
• No DNS server; DHCP's DNS = 208.67.222.222, so any device @ 10.1.2.2 resolves via the Gateway @ 8.2.0.1 directly against the Global Network 208.67.222.222
• Policy for public network ID @ 8.2.0.1
DNS-Layer Network Security Should Protect Any Location
YOU'VE RELIED ON users requiring remote access into the corporate network to get work done: VPN Client ON → sandbox, proxy, NGFW, NetFlow, local intel
YOUR REALITY TODAY: they get work done via Office 365, Box, etc. (… plus, VPNs invade privacy & disrupt productivity): VPN Client OFF → sandbox, proxy, NGFW and NetFlow are no longer in the path; Umbrella stays ACTIVE on all ports
NEED OFF-NETWORK SECURITY to enable cloud adoption with always-on security
NEED OFF-NETWORK SECURITY to protect mobile workers with always-on security and integration w/ your security stack to extend protection
ADMIN BENEFITS
• Ensures network security is always-on
• Protects endpoints beyond blocking files
• Enforces location-aware policies
• Less backhauling = less bandwidth costs