Cisco Umbrella: Professional vs Insight

Professional: Offers basic DNS-layer Security

Insight: Adds advanced enforcement, URL blocking, file inspection and improved visibility.

Without diving deep into the technicalities just yet, Cisco’s Umbrella solution provides customers with a first line of defence against threats on the internet. All traffic is first sent through Umbrella, which acts as a secure on-ramp to the Internet for users wherever they are located.

Table of Contents

Users are protected regardless of their location and connection type, no corporate network or VPN is required. Umbrella allows network administrators to block threats easier by denying users the chance to access sites which could be hosting malware, ransomware, phishing and/or botnets. Umbrella combines multiple cybersecurity functions into a single solution allowing all devices, users and branch-office locations to be effectively protected.

How does Cisco Umbrella work?

Back in 2015, Cisco acquired OpenDNS for $635 million with the intention of it becoming the foundation of their overall cloud security strategy. OpenDNS was developed as a suite of both enterprise and consumer products with the aim of making your internet connections faster and safer whilst increasing overall reliability. You might be asking how security services can enable speed increases and reliability, but thanks to their global datacenters and peering partnerships, performance enhancements are possible.

Cisco Umbrella Demo
Cisco Umbrella Demo

After purchasing your Umbrella subscription, installing at the desired sites and completing the initial setup, you point your internal DNS to the address you configured. Umbrella then routes all your traffic though its proxy service and abides to Cisco’s and your own security and content policy restrictions.

Cisco Talos, the company’s dedicated team of cybersecurity researchers, are constantly identifying and updating their known threat list. Another feature is the automatic detection of possible spoofed domains (e.g. amaz0n.co.uk) through, their algorithms check the lexical structure to see if a big brand name is being spoofed or containing any click-bait/scam terminology.

The service also analyzes the locations which domain requests originate from, allowing the team to easily identify patterns and anomalies, improving customers’ chances of preventing an attack. When a user attempts to download files whilst under the Umbrella proxy, the file is scanned for malicious content, if issues are detected, the download is blocked and a report is sent to your Umbrella security activity report. Even compressed files such as .zips are decompressed and scanned before the download is authorized. The feature-set is powered by the Cisco Advanced Malware Protection (AMP) engine, a 500+ million file strong malware database paired with context-aware monitoring and reporting.

Versa SASE Cybersecurity reporting
Versa SASE Cybersecurity reporting

Source: Cisco Umbrella; cloud security

What are they differences between Professional and Insight?

Performance

Other than overall protection, performance will be the most important factor for IT decision makers when looking into a new security solution. It is necessary for the service to work smoothly yet still have the powerful capabilities. Cisco Umbrella is no exception to this.

The performance that you receive is the same across all subscriptions which includes 100% uptime thanks to 30 global data centers processing the 100+ billion DNS requests daily. Miercom, the independent network and security testing firm, verified Cisco’s speed and security service.

Cisco reported that using Umbrella customers can benefit from the following;

  • Reduced hop count by 33%
  • Reduce latency and traffic inconsistency/jitter by up to 63%
  • Substantially better network performance and overall quality

Umbrella is available worldwide with North America receiving the quickest average query time (around 8ms) and South America with the slowest average (45ms) where the worldwide average is 19ms.

Protection

Arguably the most important component of any security solution is the overall protection that is offered. Regardless of your subscription, the level of protection that you receive is always the same.

Umbrella features include; application-layer security for any device regardless of location, malware and virus prevention, user policy enforcement using 60 available content categories, Secure Web Gateway (SWG), cloud-derived firewall and Cloud Access Security Broker (CASB) to identify any gaps in security across your environment.

One key point is that users are protected even if they aren’t connected to the host network. Thanks to the Umbrella Roaming Client or Cisco AnyConnect (with Umbrella Roaming Security Module) users receive the same level of protection regardless of location. This heavily reduces the spread of viruses and malware from network to network.

With more employees working from remote locations, this poses a threat to security as there is no way of enforcing security on their home networks. An employee’s laptop could become compromised which is propagated as they go into the office and ultimately infect the corporate network.

Trusted by 24,000 companies, Umbrella provides the most effective and quickest way to add an additional layer to your security stack.

Enforcement

Umbrella can be used to easily enforce company policies, most commonly web content filtering, to ensure employees aren’t visiting unsuitable websites/content categories such as gambling or adult sites. Policies can be applied to individual users and groups. Enforcement is where we see the first difference between the three subscription levels. Whilst Professional only blocks malicious domain name requests and IP responses at the DNS layer, both Insight and Platform include this and have more to offer. Insight and Platform include the ability to block malicious URL paths and direct IP connections at the IP layer, a proxy for potentially risky domains and file inspection using Cisco’s Advanced Malware Protection (AMP).

Custom integrations can be implemented using the Umbrella Enforcement API, allowing customers with existing SIEM/Threat Intelligence Platform (TIP) solutions to inject events and/or threat intelligence into Umbrella to increase visibility.

An example of this is a TIP such as ThreatConnect which might flag a domain as malicious, instead of manually adding it to Umbrella for implementation – the Enforcement API automates this process.

Visibility

Over one quarter of corporate data traffic bypasses the network perimeter, this poses a huge risk to the organization’s network as these users are increasingly vulnerable to malicious threats.

To be fully protected, your security solution must reach past the perimeter. Umbrella provides administrators/engineers with an increased level of visibility over users, devices and locations. All three packages provide real time activity and search reports to gain insights into requests and blocked activity to determine if any users are attempting to access inappropriate resources. Insight and Platform subscribers receive additional visibility via automatically identifying targeted attacks by comparing local and global web activity and reporting usage risks on more than 1800 cloud and IoT services.

Umbrella does a solid job of enhancing overall visibility of security, helping to identify compromised systems and possible attacks.

Management

The Umbrella dashboard easily handles all management, similar to the Meraki dashboard, and is powered by a single, cloud based system.

Simply log in at https://login.umbrella.com/ on any device from any location. Cisco wants Umbrella to be a simple to use service and the management of it is no different. Having a straightforward dashboard allows you to save time and money, which can be spent on business growth. The cloud-derived service allows for seamless scalability and is a solid choice for growing enterprises.

After researching I discovered that pricing is around $2.25 per user, per month, although there is no clarification of what subscription level this is. The dashboard can provide admins with statistics on all successful and denied connections for each machine and user. Also any information on infected or potentially infected machines are stored and presented in a user friendly way, allowing admins to rectify any issue. A range of custom options can be configured easily using the dashboard, such as access lists, IDS and IPS.

Similar to other subscription components, Insight and Platform have more features. Professional allows users to create custom block/allow lists, customized block pages and bypass options. Insight and Platform subscribers have the capability of enhanced enforcement and visibility per internal network or active directory user/group and are able to retain logs for however long they desire by integrating with AWS S3 bucket.

Summary

In summary, Cisco takes great pride in offering the industry’s best cloud-based Secure Internet Gateway and extending your network security beyond your own perimeters. Providing customers with these key features:

  • Fast and visible protection regardless of location with no effect on overall performance
  • Advanced intelligence to uncover attacks before they even happen
  • Easy deployment and management

I hope that this article has been informative, please feel free to leave comments.