Cisco’s Umbrella Professional solution provides customers with a first line of defence against threats on the internet. All traffic is first sent through Umbrella, which acts as a secure on-ramp to the internet for users, wherever they are accessing from. Users are protected regardless of their location and connection type; no corporate network or VPN is required. Umbrella allows network administrators to block threats easier and block users’ access to sites that could be hosting malware, ransomware, phishing, and/or botnets. Umbrella combines multiple cybersecurity functions into a single solution, allowing all devices, users and locations to be effectively protected.
The purpose of this guide is to assist you, an IT decision-maker, in understanding the available tiers, features and points for consideration when purchasing Cisco Umbrella.m
Introduction to Cisco Umbrella
- Cisco Umbrella Features
Back in 2015, Cisco acquired OpenDNS for $635 million with the intention of making it the foundation of their overall cloud security strategy. OpenDNS was developed as a suite of both enterprise and consumer products with the aim of making your internet connections faster and safer while increasing the overall reliability. You might be wondering how it can increase speeds and reliability, but thanks to their global data centers and peering partnerships, this is possible. After purchasing your Umbrella subscription, installing it at the desired sites and completing the initial setup, you point your internal DNS to the address you configured. Umbrella then routes all your traffic though its proxy service and abides to Cisco’s and your own security and content restrictions. Cisco Talos, their dedicated team of cybersecurity researchers, are constantly identifying and updating their known threat list. Another feature is the automatic detection of possible spoofed domains (e.g. amaz0n.co.uk). Their algorithms check the lexical structure to see if a big brand name is being spoofed or containing any click-bait/scam terminology. The service also analyses the locations that domain requests come from, this allows them to easily identify patterns and anomalies, improving customers’ chances of preventing an attack.
When a user attempts to download anything while under the Umbrella proxy, the file is scanned for malicious content; if present, the download is blocked, and a report is sent to your Umbrella security activity report. Even compressed files such as zips are decompressed and scanned before the download is authorised. This is powered by the Cisco Advanced Malware Protection (AMP) engine, a 500+ million file strong malware database paired with context-aware monitoring and reporting. There are four main security and control components; DNS-layer security, Secure Web Gateway (SWG), Cloud Access Security Broker (CASB), cloud delivered firewall, and Extended Detection and Response (XDR).
DNS-Layer Security
DNS is an essential service for all users of the public internet. While it is a hugely beneficial protocol it can provide vulnerabilities to your network. Implementing security procedures at this level helps to largely eradicate such vulnerabilities. Umbrella’s DNS security has the ability to block malicious IPs before a connection is established. This is achieved by monitoring and analysing DNS requests to automatically flag and block destructive activity.
Secure Web Gateway (SWG)
A SWG is a solution that provides an additional barrier between the user and the internet. Features include web address filtering, blocking of harmful content and the monitoring and controlling of web traffic. SWGs safeguard users against web-based threats. Umbrella’s SWG is a full proxy which logs and inspects your organisation’s web traffic to deliver full visibility into application-level access and provide advanced threat protection.
Cloud Access Security Broker (CASB)
CASB is a security solution which is designed to provide detailed access management and protection for SaaS platforms such as Webex, Office 365 and Salesforce. It enables visibility of user behaviour and the safeguarding of data as it leaves the private network and moves to the cloud.
Cloud-Delivered Firewalls (CDFW)
As users and the applications, they require are now from varied locations, the process of backhauling all of the traffic back to their datacenter isn’t feasible. Instead, companies are embracing direct internet access (DIA). To secure these public connections, a cloud-native security service is offered by Cisco. This solution is also able to intelligently route traffic in the cloud and prevent exploits, thanks to Snort’s intrusion prevention system (IPS).
Extended Detection and Response (XDR)
XDR and advanced threat intelligence collects data across email, endpoints, servers, cloud applications and networks, providing visibility into advanced threats. With this data, threats can be analysed and remediated to prevent any data loss or security breaches.
Cisco Umbrella Packages
Cisco Umbrella is available in four different packages, with each providing different security features and controls. Each package incorporates the previous one, adding more features and capabilities. To best visualise the differences between each, see the Cisco Umbrella Package Comparison table below.
DNS Security Essentials
Blocks threats at the DNS layer across your network in minutes without added latency. The entry level package provides basic DNS-layer protection, including the blocking of malicious domains and traffic filtering to block harmful packets. This package is faultless for an organisation looking to implement foundational DNS security.
DNS Security Advantage
Provides additional DNS protection plus additional web security and threat insights to speed up investigations. Includes all the features from the Essential offering. All of these plus enhanced capabilities, such as; more detailed threat intelligence, deeper insights into potential threats and a more thorough screening of high risk domains by utilising proxies and decryption for inspection. This package is better suited for organisations that require advanced threat intelligence and deeper security insights.
Secure Internet Gateway (SIG) Essentials
Allows for advanced security functions to be deployed with simplified management and the most effective security in the industry. SIG Essentials combines DNS-layer security, SWG, CASB, CDFW and XDR into a single package. One difference between this solution and the previous is the incorporation of Cisco’s Talos Intelligence Group. Talos is a team of cybersecurity specialists who protect customers against known and emerging threats through the discovery of new vulnerabilities. SIG Essentials is best for those looking for an integrated solution with all of the latest security features.
SIG Advantage
Customers benefit from the highest levels of protection and control with advanced security functions like Layer 7 firewall with IPS, DLP and more. SIG Advantage facilitates all of the services within SIG Essentials. The biggest difference between the two being the unlimited requests to features like Secure Malway Analytics (sandbox) on suspicious files, which is limited to only 500 samples per day in the Essentials package. This solution is designed for large organisations with dedicated security teams and a heavy use of cloud based applications.
| Security & Controls | DNS Security Essentials | DNS Security Advantage | SIG Essentials | SIG Advantage | ||
|---|---|---|---|---|---|---|
| DNS-Layer Security | Block domains for malware, phishing, botnet, and other high risk | ✓ | ✓ | ✓ | ✓ | |
| Block domains from Cisco SecureX, direct integrations (Splunk, Anomali, & others), and custom lists using enforcement API | ✓ | ✓ | ✓ | ✓ | ||
| Block direct-to-IP traffic for C2 callbacks (destinations with no domain) | ✓ | ✓ | ✓ | |||
| Secure Web Gateway (SWG) | Proxy web traffic for inspection (Decrypt and inspect SSL (HTTPS) traffic) | Risky domains only | ✓ | ✓ | ||
| Enable web filtering | Of domains | ✓ | ✓ | ✓ | ✓ | |
| Of URLs | ✓ | ✓ | ||||
| Create custom block/allow lists | Of domains | ✓ | ✓ | ✓ | ✓ | |
| Of URLs | ✓ | ✓ | ||||
| Block URLs based on Cisco Talos and other feeds; block files based on AV Engine and advanced file analysis | Risky domains only | ✓ | ✓ | |||
| Use Secure Malware Analytics (sandbox) on suspicious file downloads | 500 samples/day | Unlimited samples | ||||
| Use retrospective security to identify previously-seen files that became malicious | ✓ | ✓ | ||||
| Cloud Access Security Broker (CASB) | Block and redirect shadow IT with App Discovery report | Of domains | ✓ | ✓ | ✓ | ✓ |
| Of URLs | ✓ | ✓ | ||||
| Create policies with more granular controls (block uploads, attachments, and posts) | ✓ | ✓ | ||||
| Scan and remove malware from cloud-based file storage apps | 2 applications | All supported applications | ||||
| Cloud-Delivered Firewall (CDFW) | Create layer 3/layer 4 policies to block specific IPs, ports, and protocols | ✓ | ✓ | |||
| Enable protection for outbound traffic using application layer 7 policies with intrusion prevention system (IPS) | Add-on | ✓ | ||||
| Use IPsec tunnel termination | ✓ | ✓ | ||||
| Data Loss Prevention (DLP) | Enable inline inspection of web and cloud app traffic for sensitive data | Add-on | ✓ | |||
| Remote Browser Isolation (RBI) | Provide safe access to risky sites, web apps and email attachments | Add-on | Add-on | |||
| XDR and Threat Intelligence | Integrate with SecureX to aggregate activity across Cisco products | Reporting & Enforcement APIs | ✓ | ✓ | ✓ | ✓ |
| All APIs | ✓ | ✓ | ✓ | |||
| Access Umbrella’s deep domain, IP and ASN data for rapid investigations | ✓ | ✓ | ✓ | |||
Buying Cisco Umbrella
- Buying Cisco Umbrella Considerations
When purchasing Cisco Umbrella, there are some considerations and questions that should be addressed. It is essential that you evaluate your organisation’s needs, budget and restrictions to ensure the optimal solution is selected.
Assessing Organisational Needs
As the IT decision-maker, you should have a good knowledge of your infrastructure, including applications, the number of users and current solutions. Are you frequently experiencing phishing attacks, malware or other cyberattacks? What security solutions do you already have in place? What is missing? You should align your security needs with your business objectives. For example, if remote work is offered to your employees, you must ensure that your security solution supports and protects remote access.
Evaluate Features
Cisco Umbrella offers a plethora of security features. You should carefully identify if each feature is required for your organisation. The previous section evaluated the features of each package and provided which is optimal for different types of organisations. Starting with DNS Security Essentials which is ideal for any organisation looking to implement basic DNS protection, up to SIG Advantage which is best suited for large organisations that require as much DNS protection as possible. All of the packages provide suitable defence, but at different strengths and price ranges.
Consider Scalability
Are you a rapidly growing organisation? Maybe you are a start up offering a groundbreaking SaaS product. Or you could be a SME that offers accounting services in your local area, but now allows employees to work remotely. Either way, you should be considering your growth and where users and devices are accessing your network. It could be beneficial to opt for a package that can accommodate future business plans.
Integration Capabilities
It is understandable that you require a seamless integration with your existing security tools. Umbrella provides APIs that allow you to tailor the solution to work with existing services such as Splunk, ArcSight and IBM Radar. You should also evaluate if your existing network vendor, if not Cisco, is compatible.
Budget Considerations
Arguably one of the most important factors for most businesses (hopefully after overall protection) is cost. Balancing the cost against potential risks is a crucial component when deciding on what solution to opt for. You should evaluate the overall cost of the solution in relation to the protection that it provides. But remember, a security breach will always cost more than the software to prevent it. The ROI can be assessed by calculating potential savings from prevented breaches and reduced downtime.
How to Purchase Cisco Umbrella
After you have assessed your organisation’s needs and evaluated the available packages, the next step is to purchase the solution. This can be achieved in two main ways, either directly through Cisco or through an authorised reseller.
Direct Purchase
Umbrella can be purchased directly through the Cisco website. But before you get to the point of purchase, you have the opportunity to consult a Cisco security expert. These experts are able to answer any questions you might have regarding which solution is best for your prerequisites. After the consultation, Cisco will provide you with a tailored proposal that outlines the recommended solution and associated cost.
Authorised Resellers and Partners
As opposed to going direct to Cisco, you might opt to purchase Umbrella through an authorised reseller or partner. The overall experience should be similar to going direct and you should be provided with a customised solution and cost. Third party providers often offer additional services such as service implementation, support and training.
Free Trials and Product Demonstrations
Before purchasing any of the packages mentioned, it is highly recommended that you request a trial and demonstration from Cisco. This can be requested here.
