Category: OpenDns

#CyberSelfCare: Reinvest Your Commute Time with Cybersecurity Training and Education

This is the second article in our set of #CyberSelfCare blogs to help you educate yourself, your coworkers, family, and friends about how to protect their digital presence.

In last week’s blog post, we talked about how to maintain your sanity while working from home. Working from home has a lot of challenges, but it has major benefits, too. When you work from home, your commute time is greatly reduced. Instead of driving your car, riding a train, riding a bike, or walking to the office, all you have to do is turn on your computer and start working. Anyone who has ever had a long commute can appreciate this.

For my first job, I commuted on the train to New York City from a small town in the suburbs. Every day, I spent more than 4 hours on my commute — just traveling to and from the office — and this was before the days of WiFi on public transit. Later, I switched to commuting by car, but with unpredictable traffic, it wasn’t much better. It’s not quite that bad everywhere, but anyone who works in a major metropolitan area like San Francisco, London, or Los Angeles will agree – commuting is exhausting and stressful!

One of the single biggest benefits of working remotely is spending less time traveling to and from the office. If you’re new to working from home, you might find yourself with more time in your day. How will you spend it? With that time, you can focus on things that you might not otherwise have time to do if you were still commuting. Sure, you can spend that extra time sleeping and watching reality shows, but what about setting a goal to invest some of that extra time in cybersecurity training?

In this week’s post, we’ve curated a list of educational resources you can use to learn more about cybersecurity on your own schedule.

Read Cybersecurity Blogs

You’re already reading our blog, so why not start reading a few more? In these blogs, you get immediate access to some of the best minds in cybersecurity research and threat hunting.

  • Krebs on Security is written by Brian Krebs, a former Washington Post reporter and well-known cybersecurity expert.
  • Schneier on Security is written by Bruce Schneier, a Harvard fellow and internationally renowned cybersecurity guru.
  • Cisco Talos Blog is written by one of the largest commercial threat intelligence teams in the world, made up of world-class researchers, analysts and engineers.

Listen to a Security Podcast

If you used to have a long commute, you may already listen to podcasts. Podcasts are a great way to stay up to date on a topic that interests you, and are especially good for listening when taking a walk or during a workout. There’s a podcast for everyone, and that includes people interested in security threats.

  • Talos Takes — join Cisco Talos researchers and analysts as they cover everything from breaking news to the latest trends in cybersecurity.
  • Beers with Talos — listen to the security experts from Talos as they dive into topics like emerging threats, hacking, and other security issues over beers. Shhh… we won’t tell anyone if you enjoy an adult beverage while you listen.
  • Security Stories — enjoy an interview-based podcast full of insights from CISOs and featuring unique, strange, and often hilarious stories about leading cybersecurity efforts in an organization.

Attend a Live or On-Demand Webinar

Our security experts deliver virtual talks on a wide range of topics, with options for technical and non-technical audiences. There are plenty of live and on-demand webinars to choose from, including:

Want to listen to a webinar, but don’t have a lot of time? We have the answer for you! Our Dip in the Deep End series of mini-webinars packs a treasure trove of information into 10 short minutes. Check out some of our recent topics:

Read a Cybersecurity Book

Maybe you prefer reading a book to listening to a podcast or webinar. The Cisco Umbrella team has published a vast library of cybersecurity ebooks for you to read, and they’re short enough to read in one sitting.

Complete a Cyber Ops Certification

If you have a lot of spare time and a desire to challenge yourself, consider the new Cisco Certified Cyber Ops Associate certification. This credential is designed to prepare you for associate-level job roles in a security operations center (SOC).

The program consists of a training course and exam that cover the foundational skills, processes, and knowledge you need to prevent, detect, analyze, and respond to cybersecurity incidents. At the time of writing this blog post, all Cisco certification exams can be completed online from the comfort of your home.

Even if you’re not pursuing a career in cybersecurity operations, a certification is a great option for anyone who wants to do a deeper dive into cybersecurity topics and prove their knowledge to current and future employers.

Knowledge is Power

At Cisco, we’re always learning, and our researchers are pushing the boundaries of threat research and security best practices. It’s harder than ever to keep up with the constant changes in the network security world. Spending just a few minutes per day on continuing education can make you into the trusted cybersecurity expert at your company!

Source :
https://umbrella.cisco.com/blog/cyberselfcare-reinvest-your-commute-time-with-cybersecurity-training-and-education

AV-TEST Places Cisco Umbrella First in Security Efficacy

When it comes to rating the effectiveness of security solutions, efficacy is king. Why? All it takes is one malicious request slipping through the net for a damaging breach to take place.

Lots of network security providers claim they are the best at threat detection and prevention. But can they prove it? Brand new third-party research from AV-TEST reveals that Cisco Umbrella is the industry leader in security efficacy, according to the 2020 DNS-Layer Protection and Secure Web Gateway Security Efficacy report.

Overview

AV-TEST is the leading independent research institute for IT security in Germany. For more than 15 years, the cybersecurity experts from Magdeburg have delivered quality-assuring comparison and individual tests of virtually all internationally relevant IT security products.

In November and December 2019, AV-TEST performed a review of Cisco Umbrella alongside comparable offerings from Akamai, Infoblox, Palo Alto Networks, Symantec and Zscaler.

In order to ensure a fair review, the research participants did not supply any samples (such as URLs or metadata) and did not influence or have any prior knowledge of the samples being tested. All products were configured to provide the highest level of protection, utilizing all security-related features available at the time.

The test focused on the detection rate of links pointing directly to PE malware (e.g. EXE files), links pointing to other forms of malicious files (e.g. HTML, JavaScript) as well as phishing URLs. A total of 3,668 samples were included in the testing.

DNS-Layer Protection Test

In the first part of this study, DNS-layer protection was tested. DNS-layer protection uses the internet’s infrastructure to block malicious and unwanted domains, IP addresses, and cloud applications before a connection is ever established as part of recursive DNS resolution. DNS-layer protection stops malware earlier and prevents callbacks to attackers if infected machines connect to your network.

An ideal use case for DNS-layer protection is guest wifi networks. With guest wifi it is usually not possible to install a trusted certificate on the guests’ devices, so HTTPS inspection is not possible. The study however shows that DNS-layer protection without a selective proxy still provides a good base layer of security.

DNS-layer protection with selective cloud proxy redirects only risky domain requests for deeper inspection of web content, and does so transparently through the DNS response. A common use case for selective proxy is corporate owned devices where there is a need to inspect risky traffic including HTTPS, but for privacy considerations, certain content categories such as financial or healthcare can be excluded from HTTPS inspection in the selective proxy.

For the DNS-layer protection testing, the products achieved the following blocking rates:

AV-TEST DNS-Layer Protection Test Result Graph Cisco Umbrella Blog

Cisco Umbrella performed significantly better than other vendors with a 51% detection rate for DNS-layer protection. Cisco Umbrella’s selective proxy makes a big difference in effective threat detection and increased the blocking rate to 72%.

Secure Web Gateway Test

In the second part of the study, the web gateway solutions were tested. A secure web gateway is based on a full web proxy that sees and inspects all web connections. Unlike DNS-layer protection which only analyzes domain names and IP addresses, a web proxy sees all files and the full URLs enabling more granular inspection and control.

Organizations adopt secure web gateways when they are looking for more flexibility and control. Common use cases for a secure web gateway include: needing full visibility of web activity, inspection of granular app controls, the ability to block specific file types and inspection of all HTTPS content with the ability to exclude specific content.

For secure web gateway testing, the products achieved the following blocking rates:

AV-TEST Secure Web Gateway Test Result Graph Cisco Umbrella Blog

In this test scenario, Cisco Umbrella outperformed the other vendors’ offerings in terms of security efficacy.

Conclusion

In both test scenarios, the Cisco Umbrella detection rate outperformed the offerings from other vendors.

These test results demonstrate several key takeaways. Organizations should adopt a layered approach to security. DNS-layer protection is simple and adds to the overall security efficacy. In use cases where deploying a selective proxy is possible , the security efficacy and blocking rates improve significantly. As seen in the test results, a secure web gateway full proxy solution provides the highest level of protection.

For more information on specific configurations and the detailed test results, click here to read the full report by AV-TEST.

 

Source :
https://umbrella.cisco.com/blog/2020/02/18/av-test-places-cisco-umbrella-first-in-security-efficacy/

Cybersecurity Terms and Threats You Need to Know in 2020

Let’s do a show of hands — who loves jargon? Anyone?

I didn’t think so.

Face it, aside from trivia champions, jargon doesn’t make life any easier for us. If you’re attending your first security conference this year, you might feel like you need an interpreter to make sense of the technical terminology and acronyms you’ll find around every corner.

At Cisco Umbrella, we’re fluent in cybersecurity – and we want to help you make sense of the often-confusing security landscape! In this post, we define key cybersecurity terms that everyone should know in 2020 — and beyond.

Part 1: Threats

Backdoor: A backdoor is an access point designed to allow quick and undetected entrance to a program or system, usually for malicious purposes. A backdoor can be installed by an attacker using a known security vulnerability, and then used later to gain unfettered access to a system.

Botnet: A botnet is a portmanteau for “robot network.” It’s a collection of infected machines that can be used for any number of questionable activities, from cryptomining to DDoS attacks to automated spam comments on blogs.

Command-and-control (C2) attacks: Command-and-control attacks are especially dangerous because they are launched from inside your network. Security technologies like firewalls are designed to recognize and stop malicious activity or files from entering your network. However, a command-and-control attack is trickier than a standard threat. A file doesn’t start out showing any malicious behavior, so it is deemed harmless by your firewall and permitted to enter your network. Once inside, the file stays dormant for a set period of time or after being triggered remotely. Then, the file reaches out to a malicious domain and downloads harmful data, infecting your network.

Denial of Service (DoS) Attack: This type of attack consumes all of the resources of a target so that it can no longer be used or reached, effectively taking it down. DoS attacks are designed to take a website or server offline, whether for monetary, political, or other reasons. A DDoS, or Distributed Denial of Service attack, is a subcategory of DoS attack that is carried out using two or more hosts, often via a botnet.

Drive-by download: A drive-by download installs malware invisibly in the background when the user visits a malicious webpage, without the user’s knowledge or consent. Often, drive-by downloads take advantage of browser or browser plug-in vulnerabilities that accept a download under the assumption that it’s a benign activity. Using an up-to-date secure browser can help protect you against this type of attack.

Exploit: An exploit is any attack that takes advantage of a weakness in your system. It can make use of software, bits of data, and even social engineering (like pretending to be someone from your IT team who needs your password to perform a security update). To minimize exploits, it’s important to keep your software up-to-date and to be aware of social engineering techniques (see below).

Malware: Malware is a generic term for any program installed on a system with the intent to corrupt, damage, or disable that system. Razy, TeslaCry, NotPetya, and Emotet are a few recent examples.

  • Cryptomining malware: Cryptomining by itself is not necessarily malicious — many people mine crypto currency on their own systems. Malicious cryptomining, however, is a browser- or software-based threat that enables bad actors to hijack system resources to generate crypto currencies. Cryptomining malware is an easy way for bad actors to generate cash while remaining anonymous and without having to use their own resources. Learn more about the cryptomining malware threat.
  • Ransomware: Ransomware is malware used to encrypt a victim’s data with an encryption key that is known only to the attacker. The data becomes unusable until the victim pays a ransom to decrypt the data (usually in cryptocurrency). Ransomware is a fast-growing and serious threat — learn more in our newly updated guide to ransomware defense.
  • Rootkits: A rootkit is a malicious piece of code that hides itself in your system, prevents detection, and enables bad actors to gain continued access to your system. If attackers gain full access to your system once, they can use rootkits to continue that access over a long period of time.
  • Spyware: Malicious code that gathers information about you and your browsing habits, and then sends that information to a third party.
  • Trojans: A trojan is a seemingly innocuous program that acts as a front for malicious code hiding inside. Trojans can do any number of things, from stealing data to allowing remote system control.  These programs take their name from the famous Grecian “Trojan Horse” that took advantage of a similar vulnerability.
  • Viruses: Often used as a blanket term, a virus is a piece of code that attaches itself to files, such as email attachments or files you download online. Once it infects your system, it can cause all kinds of problems, whether that means deleting system files or corrupting your data. Computer viruses also replicate and spread across networks – just like viruses in the physical world.
  • Worms: A worm is a type of malware that clones itself in order to spread to other computers, performing various damaging actions on whatever system it infects. Unlike a virus, a worm exists as a standalone entity — it isn’t hidden inside something else like an attachment.

MitM or Man-in-the-Middle Attack: A MitM attack is pretty much what it sounds like. An attacker will intercept, relay, and potentially change messages between two parties without their knowledge. MitM can be used to break encryption, compromise account details, or gain access to systems by impersonating a user.

Phishing: Phishing is a technique that mimics a legitimate communication (like an email from your online bank) to steal sensitive information. Like fishermen with a lure, attackers will attempt to take your personal information by using fake emails, forms, and web pages to coax you to provide it to them.

  • Spear phishing is a form of phishing that targets one specific individual by using publicly accessible data about them, like from a business card or social media profile.
  • Whale phishing goes one step further than spear phishing and describes a targeted attack on a high-ranking individual, like a CEO or government official.

Social engineering: A general term for any activity in which an attacker is trying to manipulate you into revealing information, whether over email, phone, web forms, or social media platforms. Passwords, account credentials, social security numbers — we often don’t think twice about giving this information away to someone we can trust, but who’s really on the other end of the line? Protect yourself, and think twice before sharing. It’s always OK to verify the request for information in another way, like calling an official customer support number.

Zero-day (0day): A zero day attack is when a bad actor exploits a new, previously unknown software vulnerability for which there is no patch. It’s a constant struggle to stay ahead of attackers, but you don’t have to do it alone — you can get help from the security experts at Cisco Talos.

Part 2: Solutions

Anti-malware: Anti-malware software is a broad category of software designed to block, root out, and destroy viruses, worms, and other nasty things that are described in this list. These products need to be updated regularly to ensure that they remain effective against new threats. They can be deployed at various points in the network chain (email, endpoint, data center, cloud) and either on-premises or delivered from the cloud.

Cloud access security broker (CASB): This is software that provides the ability to detect and report on the cloud applications that are in use across your environment. It provides visibility into cloud apps in use as well as their risk profiles, and the ability to block/allow specific apps. Read more about securing cloud apps here.

Cloud security: this is a subcategory of information security and network security. It is a broad term that can include security policies, technologies, applications, and controls that are used to protect sensitive company and user data wherever it is exposed in a public, private, or hybrid cloud environment.

DNS-layer security: This is the first line of defense against threats because DNS resolution is the first step in establishing a connection to the internet. It blocks requests to malicious and unwanted destinations before a connection is even established — stopping threats over any port or protocol before they reach your network or endpoints. Learn more about DNS-layer security here.

Email security: This refers to the technologies, policies, and practices used to secure the access and content of email messages within an organization. Many attacks are launched via email messages, whether through targeted attacks (see note on phishing above) or malicious attachments or links. A robust email security solution protects you from attacks whether email is in transit across your network or when it is on a user’s device.

Encryption: This is the process of scrambling messages so that they cannot be read until they are decrypted by the intended recipient. There are several types of encryption, and it’s an important component of a robust security strategy.

Endpoint security: if DNS-layer security is the first line of defense against threats, then you might think of endpoint security as the last line of defense! Endpoints can include desktop computers, laptop computers, tablets, mobile phones, desk phones, and even wearable devices — anything with a network address is a potential attack path. Endpoint security software can be deployed on an endpoint to protect against file-based, fileless, and other types of malware with threat detection, prevention, and remediation capabilities.

Firewall: Imagine all the nasty, malicious stuff on the Internet without anything to stop it. A firewall stands between your trusted entities and whatever lies beyond, controlling access based on security rules. A firewall can be hardware or software, a standalone security appliance or a cloud-delivered solution.

Next-generation firewall (NGFW): This is the industry’s new solution for an evolved firewall.  It is typically fully integrated with the rest of the security stack, threat-focused, and delivers comprehensive, unified policy management of firewall functions, application control, threat prevention, and advanced malware protection from the network to the endpoint.

Security information and event management (SIEM): This is a broad term for products that deal with security information management (SIM) and security event management (SEM). These systems allow for aggregation of information and events into a single “pane of glass” for security teams to use.

Secure web gateway (SWG): This is a proxy that can log and inspect all of your web traffic for greater transparency, control, and protection. It allows for real-time inspection of inbound files for malware, sandboxing, full or selective SSL decryption, content filtering, and the ability to block specific user activities in select apps.

Secure internet gateway (SIG): This is a cloud-delivered solution that unifies a variety of connectivity, content control, and access technologies to provide users with safe access to the internet, both on and off the network. By operating from the cloud, a SIG protects user access anywhere and everywhere, with traffic routing to the gateway for inspection and policy enforcement regardless of what users are connecting to, or where they’re connecting from. Because a SIG extends security beyond the edge of the traditional network — and without the need for additional hardware or software — thousands of enterprises have adopted it as a modern catch-all for ensuring that users, devices, endpoints, and data have robust protection from threats.

Secure access service edge (SASE): Gartner introduced an entirely new enterprise networking and security category called “secure access service edge.” SASE brings together networking and security services into one unified solution designed to deliver strong security from edge to edge — in the data center, at remote offices, with roaming users, and beyond. By consolidating a variety of powerful point solutions into one solution that can be deployed anywhere from the cloud, SASE can provide better protection and faster network performance, while reducing the cost and work it takes to secure the network.

Cybersecurity is always evolving, and it can be hard to keep up with the rapid pace of changes. Be sure to bookmark this blog post – we’ll keep it up to date as new threats and technologies emerge. To learn more, check out our recent blog posts about cybersecurity research, or come chat with our security experts in person in Barcelona at Cisco Live EMEA this month. Don’t be shy!

 

Source :
https://umbrella.cisco.com/blog/2020/01/14/cybersecurity-terms-and-threats-you-need-to-know-in-2020/

How DNS-Layer Security Can Improve Cloud Workloads

More organizations are adopting the public cloud for their enterprise workloads. Gartner has forecasted1 that by 2020, less than 5% of enterprise workloads will be running in true on-premises private clouds. As workloads move to public clouds, it is crucial that security architectures evolve to protect those workloads, wherever they are.

Like with on-premises applications, a layered security approach works better than point solutions for cloud workloads. But the security challenges in the cloud are different. Without a physical data center in which you build your security stack to protect your data, it’s difficult to know if you’re fully protected everywhere your enterprise data is exposed.

That’s where DNS-layer security comes in. Since DNS is built into the foundation of the Internet, security at the DNS-layer can be simple to deploy and highly effective, whether your enterprise uses on-premises architecture or the public cloud. Cisco Umbrella provides DNS-based security that blocks requests to malware, phishing, and botnets before a connection is even established. It can prevent cloud workloads from being leveraged for malicious cryptomining by blocking requests to suspicious domains. Content category blocking can also be configured to prevent cloud workloads from being used by employees to circumvent on-premises content filtering rules.

One of the simplest approaches to enable DNS-based security for cloud-native workloads is to point the DNS server used by these workloads to Cisco Umbrella. This enables DNS-level blocking of malicious domains and provides an added layer of security. However, since most cloud workloads tend to access the Internet through an ephemeral public IP address, it is difficult to define policy or to view reporting of DNS activity in the public cloud.

Another approach is to deploy the Cisco Umbrella Virtual Appliance in a Virtual Private Cloud (VPC) in the public cloud. Workloads in that VPC can use the Virtual Appliance as their DNS server. The Virtual Appliance forwards DNS requests for external domains to Umbrella and includes the source IP of the requesting workload in the DNS metadata. Virtual Appliances include a customer identifier in each outgoing DNS request, which enables them to be used for environments with ephemeral public IP addresses. With the Virtual Appliance approach, subnet-based content filtering policies can be defined for cloud workloads. Umbrella can also provide visibility into the source of malicious domain requests, allowing administrators to quickly remediate these workloads.

The Cisco Umbrella Virtual Appliance now supports deployment in the three major public cloud platforms: Amazon Web Services (AWS), Microsoft Azure, and Google Cloud Platform (GCP). With many organizations now adopting a multi-cloud strategy2, deploying Umbrella Virtual Appliances in the respective public cloud VPCs can provide a highly effective added layer of security for workloads deployed in any of these platforms, as well as improved visibility into activity.

What are you waiting for? Sign up for a free trial of Cisco Umbrella, and start leveraging the power of DNS-layer security to protect your cloud workloads.

  1. Modernize IT infrastructure in a hybrid world, Gartner, Mar 2019. Retrieved from https://www.gartner.com/smarterwithgartner/modernize-it-infrastructure-in-a-hybrid-world/
  2. Why organizations choose a Multicloud strategy, Gartner, May 2019. Retrieved from https://www.gartner.com/smarterwithgartner/why-organizations-choose-a-multicloud-strategy/

Source :
https://umbrella.cisco.com/blog/2020/01/23/how-dns-layer-security-can-improve-cloud-workloads/

What is DNSSEC and Why Is It Important?

If you’re like most companies, you probably leave your DNS resolution up to your ISP. But as employees bypass the VPN, and even more organizations adopt direct internet access, it’s more than likely that you have a DNS blind spot. So what steps can you take to ensure your visibility remains free and clear?

One simple and easy thing you can start doing right away is to mine your DNS data. Each time a browser contacts a domain name, it has to contact the DNS server first. Since DNS requests precede the IP connection, DNS resolvers log requested domains regardless of the connection’s protocol or port. That’s an information gold mine! Just by monitoring DNS requests and subsequent IP connections you will eliminate the blind spot and easily gain better accuracy and detection of compromised systems and improve your security visibility and network protection.

But what about those pesky cache poisoning attacks, also known as DNS spoofing?

DNS cache poisoning attacks locate and then exploit vulnerabilities that exist in the DNS, in order to draw organic traffic away from a legitimate server toward a fake one.This type of attack is dangerous because the client an be redirected, and since the attack is on the DNS server, it will impact a very large number of users.

Back in the early nineties, the era of the world-wide-web, Sony Discmans and beepers (we’ve come a long way kids!), the Internet Engineering Task Force, or  IETF started thinking about ways to make DNS more secure. The task force proposed ways to harden DNS and in 2005, Domain Name System Security Extensions, aka DNSSEC, was formally introduced.

DNS Security Extensions, better known as DNSSEC, is a technology that was developed to, among other things, protect against [cache poisoning] attacks by digitally ‘signing’ data so you can be assured [the DNS answer] is valid. DNSSEC uses cryptographic signatures similar to using GPG to sign an email; it proves both the validity of the answer and the identity of the signer. Special records are published in the DNS allowing recursive resolvers or clients to validate signatures. There is no central certificate authority, instead parent zones provide certificate hash information in the delegation allowing for proof of validity.

Cisco Umbrella now supports DNSSEC by performing validation on queries sent from Umbrella resolvers to upstream authorities. Customers can have the confidence that Cisco Umbrella is protecting their organization from cache poisoning attacks, without having to perform validation locally.

Cisco Umbrella supports DNSSEC

Cisco Umbrella delivers the best, most reliable, and fastest internet experience to every single one of our more than 100 million users. We are the leading provider of network security and DNS services, enabling the world to connect to the internet with confidence on any device.

Get the details on how Cisco Umbrella supports DNSSEC.

 

Source :
https://umbrella.cisco.com/blog/2020/01/28/what-is-dnssec-and-why-is-it-important/

BlueCat’s DNS Edge Is Cisco Umbrella’s Newest Integration

 

Cisco Umbrella is widely recognized as one of the strongest products on the market for a secure and fast connection to the internet. And we are always looking for ways to deepen visibility and control for our customers. This is why we are teaming up with BlueCat, a leading provider of DNS, DHCP, and IPAM (DDI) management solutions.

Studies show that 91% of malware uses DNS to establish command and control callbacks, navigate through network pathways, and exfiltrate data. Cisco Umbrella fills this traditional gap in network security by blocking the outbound requests made to the malicious domains. When Umbrella customers point their network traffic to our resolvers they get visibility into the egress (external) IP address of their network. By leveraging capabilities such as the Umbrella roaming client, Umbrella virtual appliance or AnyConnect integration, customers can get additional attribution such as Active Directory user names, internal IP addresses and hostname of computers.

With the BlueCat DNS Edge integration, customers get greater visibility into the attribution of the external DNS query (ie. the source IP), as well as additional control with the use cases outlined below. This integration expands the use cases for DNS security into investigations of internal network traffic, restricting lateral movement, and decreasing forensic response times. The integration enables customers to get full visibility and protection for DNS traffic leaving your environment for users on and off network.

How It Works
DNS Edge deploys as a virtual machine at the “first hop” of any DNS query. This gives DNS Edge the ability to tie every request on the network to a specific device without the need for an agent. With the integration, BlueCat Edge sends additional attribution information (ie. internal client IP) for each external DNS query to Umbrella. This allows viewing of device-level data directly in Cisco Umbrella, providing more granular information into the source of network threats.

Expand network visibility and control with the Cisco Umbrella and BlueCat integration

Use Cases
Investigate internal, “east-west” traffic: BlueCat’s “first hop” position on the network provides visibility into internal, “east-west” traffic – that’s 60% of all network queries – which mostly go unmonitored today. You can investigate internal traffic within DNS Edge, or send it to a SIEM and correlate it with other threat indicators. Using DNS Edge to apply security policies to this internal traffic means that security teams can contain lateral movement associated with advanced persistent threats and malicious insiders.

BlueCat's Integration with Cisco Umbrella is now available

This screenshot shows how internal traffic appears in DNS Edge. Searching by source IP, you can see all internal and external domains queried by that device, and refine the search further by subdomains or any other factor you choose. In this example, you can see how a query to a known bad domain then results in lateral movement to other internal resources. This expands your visibility beyond the external domain that is shown in Umbrella.

Investigate lateral movement from IoT devices without agents: The threats to Internet of Things (IoT) devices are well known but difficult to properly control at an enterprise level. Since many IoT devices lack the capacity for security agents or any external software, blocking DNS queries as they leave the device is both a more elegant and more operationally feasible way to control a fleet of sensors at the enterprise level.

BlueCat's Integration with Cisco Umbrella is Now Available

Here’s an example of how a rogue IoT device would look in DNS Edge. This is a security camera which should only ever be hitting a single internal domain. When it unexpectedly connects to an external domain (in this case, easyridegolfcars.com), this is the first indicator of a compromise. Looking at the subsequent queries, you can see both lateral movement to internal domains as well as potential data exfiltration attempts to the same external site.

Improve forensic response time: With all of this new data at their disposal, security teams are cutting their response time significantly – from days to minutes. Forensic investigators and threat hunters no longer have to compile DNS logs from recursive servers to find a source device – the data is available right in Cisco Umbrella or can be exported directly to a SIEM for further analysis. The rich context available from internal DNS data adds a new dimension to that analysis as well, uncovering additional connections to malicious activity.

Improve network performance: Device-level DNS data is a critical source of intelligence on how networks are performing. With visibility into the source, type, and result of every DNS query across the network, operators can quickly spot DNS misconfigurations, architectural shortcomings, misbehaving clients, and a host of other issues that may be impacting network performance and client reliability.

Getting Started
With a few simple steps, you can connect Cisco Umbrella to DNS Edge and start applying security policies. This integration leverages the network device API integration available in Umbrella. This allows for additional attribution information to be sent from the BlueCat Edge device to Umbrella. This allows the investigating user to see the internal IP of the requesting client instead of just the egress IP that Umbrella would see in a traditional network deployment.

Follow the steps below to take advantage of this integration.

Start off by creating an API key in Cisco Umbrella – you’ll want to choose the “Umbrella Network Devices” option.
Add that API key into DNS Edge. To do this, go to the Cisco Umbrella Integration tab on the main menu of DNS Edge. Paste in the API key and the secret.
BlueCat's Integration with Cisco Umbrella is Now Available

Once the API key is inserted, DNS Edge will appear as a network device within Cisco Umbrella. Initially, it will appear as “offline”, but will automatically switch to “active” once the data starts flowing.

BlueCat's Integration with Cisco Umbrella is Now Available

3. Create a policy within Cisco Umbrella to handle external-facing traffic which comes from the DNS Edge service point (network device), just as you would do for any other network device.

BlueCat's Integration with Cisco Umbrella is Now Available

When looking at the DNS queries in Umbrella you will now see additional attribution. For example, in the screenshot below we can see which Edge device the query came from, alongside the internal IP of who made that request.

BlueCat's Integration with Cisco Umbrella is Now Available

WANT TO LEARN MORE?
Cisco and BlueCat recently presented this new integration at a Tech Field Day event. You can check out the session recording, as well as the Cisco Umbrella BlueCat integration data sheet to learn more.

This new integration with BlueCat adds one of the largest providers of DDI services to Umbrella’s integration arsenal, expanding on our existing integration with EfficientIP. If you’re heading to Cisco Live Barcelona next month be sure to stop by the BlueCat booth or La Taberna where Cisco Umbrella will be serving coffee and beer throughout the day. We would love to see you at the show!

Source :
https://umbrella.cisco.com/blog/2020/01/09/bluecats-dns-edge-is-cisco-umbrellas-newest-integration/

Cisco Umbrella’s Top 10 Cybersecurity Tips

By Lorraine Bellon
December 4, 2019

As the holidays are approaching, everyone is getting busier, and to-do lists keep getting longer. It feels like there’s never enough time in the day, and it’s easy to get distracted when time is in short supply. We’ve heard it all before —  security should always be at the top of your to-do list — but we know that’s not always the case.

The weakest link in any security system is always the same — people. No matter how comprehensive, effective, or expensive your security tools are, it can all come crashing down if a single careless user makes one simple mistake. Every time someone decides to click on an unfamiliar link or open a suspicious email attachment, your organization could be facing massive data loss and significant disruption to your business.

Most IT professionals know how to stay safe online, but most users aren’t experts. To help you stay protected, we’ve compiled a list of things everyone should be thinking about whenever they’re using the Internet.

To help strengthen your organization’s cyber security practices, you can share this blog post with your users, or use these tips as a starting point for a security refresher training. You’ve probably heard many or all of these tips before, but repetition doesn’t hurt.

Here is our list of top 10 cybersecurity tips for anyone on the Internet (hint: that means you!).

  1. Realize that you are an attractive target to attackers, and it can happen to anyone, anytime, anywhere, on any device. Don’t ever say “It won’t happen to me.”
  2. Practice good password management. Use a strong mix of characters, and don’t use the same password for multiple sites. Don’t share your password with others and don’t write it down — no post-it note attached to your monitor! If you have trouble remembering your passwords, consider using a secure password vault. Then you only have to remember one (very strong) password.
  3. Never leave your devices unattended. If you need to leave your computer, phone, or tablet for any length of time — no matter how short — lock the screen so no one can use it while you’re gone. If you keep sensitive information on a flash drive or external hard drive, make sure to lock those up as well.
  4. Always be careful when clicking on attachments or links in email. If an email is unexpected or suspicious for any reason, don’t click on it. Even if it seems like it’s from your company CEO! Scammers can look up that information online and use it to target individuals in your company. Double check the URL of the website to see if it looks legitimate. Bad actors will often take advantage of spelling mistakes to direct you to a harmful domain.
  5. Sensitive browsing, such as banking or shopping, should only be done on a device that belongs to you, on a network that you trust. Whether you’re using a friend’s phone, a public computer, or free Wi-Fi at a coffee shop — your data could be copied or stolen.
  6. Back up your data regularly. Make sure your antivirus software is always turned on and up to date.
  7. Be conscientious of what you plug in to your computer. Malware can be spread through infected flash drives, external hard drives, and even smartphones. You might want to help someone find their lost item, but end up falling into a trap.
  8. Watch what you’re sharing on social networks. Criminals can find you and easily gain access to a shocking amount of information — where you go to school, where you work, when you’re on vacation — that could help them gain access to more valuable data.
  9. Be wary of social engineering, where someone attempts to gain information from you through manipulation. If someone calls or emails you asking for sensitive information like login information or passwords, it’s okay to say no. You can always call the company directly to verify credentials before giving out any information.
  10. Be sure to monitor your accounts for any suspicious activity. If you see something unfamiliar, it could be a sign that you’ve been compromised. Don’t be afraid to speak up and tell your IT team if you notice anything unusual. Remember, you’re the victim of the attack, and you’re not in trouble!

Share this list with your users and help them understand what IT teams already do — that cyber security is a team sport.

Of course, it’s important to have strong security tools to protect your users too. But how do you know if your current set of tools is enough? Check out our infographic to learn about 3 red flags you’re not getting what you were promised from your security stack.

There’s no substitute for educating your users, but defense matters too. Nothing is more important than your first line of defense. Because it’s built into the foundation of the internet, Cisco Umbrella can protect your network from malware, ransomware, malicious cryptomining, and other advanced threats by blocking connections at the DNS layer. Your users may never thank you, but your security operations team will!

Source
https://umbrella.cisco.com/blog/2019/12/04/cisco-umbrella-top-10-cybersecurity-tips/