How Cisco Umbrella Stays Ahead of Attacks

September 27, 2016 Kevin Alexander

Not all attacks are alike. Targeted attacks (e.g. DarkHotel) cause the most costly damage because attackers steal or manipulate specific data from specific businesses. The volume of similar security events associated with these attacks is the lowest, while the sophistication of the attackers' code and communications is the highest. Inversely, the damage caused by widespread attacks is often quite low per victim, whether that victim is an end user or a business, and the volume and sophistication per attack are flipped: high volume, low sophistication. And then there are attacks somewhere in between. Different security methods are required to combat different attacks.

Big Data

Using big data and data mining methods to predict attacks before they happen, the Cisco Umbrella Security Research team built Security Graph. Security Graph allows us to block sites that distribute malware, control bot networks, and phish login credentials, before these sites are actively used in attacks and customers connect to them. The data is sourced from the 80 billion DNS requests we route and resolve each day from 65 million customers in more than 160 countries.

Data mining and algorithmic classification techniques such as machine learning, graph theory, anomaly detection, and temporal patterns are used in combination with contextual search, visualization, and scoring to predict the Internet origins of attacks. For a more comprehensive demonstration of how the Security Graph provides predictive threat protection, view the on-demand webcast.
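To make the graph and temporal ideas above concrete, here is an added illustration (not Cisco's code, and not the actual Security Graph model) of one simple DNS co-occurrence feature: a domain that the same clients query within seconds of a known-malicious domain inherits some of that domain's suspicion. The log records, the window size, and the thresholds are constructed for the example.

```python
"""Toy DNS co-occurrence scorer (added illustration, not Cisco Umbrella's code)."""
from collections import defaultdict

# Constructed sample resolver log: (timestamp_seconds, client_id, queried_domain)
SAMPLE_LOG = [
    (100, "c1", "known-bad.example"),
    (102, "c1", "new-lure.example"),   # queried right after the known-bad domain
    (105, "c1", "cdn.example"),
    (200, "c2", "known-bad.example"),
    (203, "c2", "new-lure.example"),   # same pattern from a second client
    (300, "c3", "new-lure.example"),   # no known-bad query nearby
    (301, "c3", "cdn.example"),
    (400, "c4", "cdn.example"),
    (900, "c5", "cdn.example"),
]
KNOWN_BAD = {"known-bad.example"}  # constructed: a domain already blocklisted


def cooccurrence_scores(log, known_bad, window=60):
    """Return {domain: fraction of its clients that also queried a known-bad
    domain within +/- window seconds}. Known-bad domains themselves are skipped."""
    by_client = defaultdict(list)
    for ts, client, domain in log:
        by_client[client].append((ts, domain))
    clients_seen = defaultdict(set)      # domain -> every client that queried it
    clients_near_bad = defaultdict(set)  # domain -> clients whose query was near a bad one
    for client, events in by_client.items():
        events.sort()
        bad_times = [ts for ts, d in events if d in known_bad]
        for ts, d in events:
            if d in known_bad:
                continue
            clients_seen[d].add(client)
            if any(abs(ts - bt) <= window for bt in bad_times):
                clients_near_bad[d].add(client)
    return {d: len(clients_near_bad[d]) / len(clients_seen[d]) for d in clients_seen}


def flag_domains(log, known_bad, threshold=0.5, min_clients=2):
    """Domains to review: co-occurrence score at or above threshold, and seen from
    enough distinct clients that a single client's browsing does not decide it."""
    scores = cooccurrence_scores(log, known_bad)
    clients = defaultdict(set)
    for _, client, domain in log:
        clients[domain].add(client)
    return sorted(d for d, s in scores.items()
                  if s >= threshold and len(clients[d]) >= min_clients)


if __name__ == "__main__":
    print(cooccurrence_scores(SAMPLE_LOG, KNOWN_BAD))  # new-lure ~0.67, cdn 0.25
    print(flag_domains(SAMPLE_LOG, KNOWN_BAD))         # ['new-lure.example']
```

In practice this is one feature among many; a widely shared CDN or ad domain will co-occur with everything, which is why the popularity of a domain is used to discount such scores.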

Behavioral Analysis

Running suspect executable files and Web-sessions through behavior sandboxes allows the Cisco Umbrella Security Research team to identify and discover malware that is currently undetected by content-based classifiers.

Reputation System

The Cisco Umbrella Security Research team continually tunes our reputation system, which uses features and attributes of domains, DNS data, Web data, and Internet traffic to prevent attacks that match our criteria. This is very effective against lure locations and C&C servers that are targeted and new, where very few other signals are available for prediction.

Content-Based Classification

The ability to scan Web content is key when detecting known Web-delivered malware, mobile malware, and exploits. We use a combination of third-party antivirus and internal scanning engines to catch threats in real time through the Intelligent Proxy.

Research Community

With more than 90 members worldwide, the Cisco Umbrella Security Research team community is second to none. This vetted community can vote on and moderate security-related material and has access to our security workbench and the Security Graph. Along with publishing blog posts from members, and sometimes highlighting them on our site, we also host user forums where members can share and collaborate on the latest threats and research.

3rd-Party Partner Feeds

We share uni- and bi-directional real-time data feeds with more than 200 partners, including AV vendors and other security companies, universities, governments, and independent researchers. All feeds are run through our automated validation system and, upon approval, are pushed to our data centers in real time. Typically, we push updates every five minutes, around the clock.
