In 2018, the economic impact of cybercrime was estimated to be $600 billion! According to a report published by the Global Cyber Alliance (GCA), DNS firewalls could annually prevent between $19 billion and $37 billion in losses in the United States and between $150 billion and $200 billion in losses worldwide. About one-third of the total losses due to cybercrime could be prevented with DNS protection!
This is where Cisco Umbrella comes in. Cisco Umbrella delivers a secure, reliable, and performant internet experience to over 100 million users on a daily basis. Umbrella unifies firewall, secure web gateway, DNS-layer security, cloud access security broker (CASB), and threat intelligence solutions into a single cloud-delivered platform to help enterprises secure their network. Using statistical and machine learning models to uncover both known and emerging threats, Umbrella proactively blocks connections to malicious destinations at the DNS and IP layers. And because DNS is a protocol used by all devices that connect to the internet, you simply point your DNS to the Umbrella global network, and any device that joins your network is protected.
As DNS security is deployed upstream of perimeter firewalls, one of the challenges of the approach is visibility into client identity. For example, it can be difficult to ascertain the source of command and control traffic from within the network when the firewall translates the client IP address.
NS1 addresses this challenge. NS1 has partnered with Cisco Umbrella to provide comprehensive traffic management and security across both internal and external DNS traffic. The combined solution also provides in-depth visibility into malicious web traffic, enabling security administrators to quickly respond to, contain, and mitigate web-based threats.
How does it work?
When NS1 Enterprise DDI and Cisco Umbrella are deployed together, NS1 Enterprise DDI serves as the authoritative DNS server for all traffic internal to the network behind the firewall. It forwards all outbound DNS requests to Umbrella, which in turn acts as the recursive DNS responder for all external domains. This allows Umbrella to apply security policies to protect the user from known malicious threats. The integration gives users intelligent DNS traffic steering behind the firewall while protecting outbound queries with Umbrella, resulting in performant, secure, and resilient DNS internally and externally.
Let’s walk through an illustrative example:
When a query is made to, say, internetbadguys[.]com by any device in your network, NS1 Enterprise DDI forwards this request to Umbrella’s recursive resolver network. Identifying information, including the source IP as well as the actual query or destination that the device is attempting to connect to, is also sent. Once the query hits the recursive resolver, security policies and content filtering restrictions are applied to either block the request or allow it by responding with the IP address for the approved domain. For this domain, we would, of course, expect it to be blocked.
Detect, root-cause and contain threats instantly
Since NS1 Enterprise DDI is deployed behind the corporate firewall, security operations teams can get instant visibility into the source IP address of the endpoint device as well as every outbound public DNS query. This helps reduce MTTD and MTTR for security incidents as the source IP of the device that is compromised can quickly be identified. This is also useful in understanding the extent and impact of a threat in order to minimize the attack surface.
Reduce MTTR by quickly zeroing in on the source IP of every outbound DNS query
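The attribution step described above, as an added example that is not NS1 or Cisco code: an upstream block event carries only the NAT egress address, and the internal forwarder's query log is what maps it back to a client. The log layout, field names, addresses and timestamps are constructed assumptions, not either product's format.

```python
from datetime import datetime, timedelta

# Constructed internal forwarder log; layout is an assumption for illustration.
INTERNAL_LOG = """\
2024-05-01T10:00:01Z client=10.1.4.23 qname=example.org. qtype=A
2024-05-01T10:00:03Z client=10.1.4.57 qname=InternetBadGuys.com. qtype=A
2024-05-01T10:00:04Z client=10.1.9.12 qname=www.example.net. qtype=AAAA
2024-05-01T10:07:30Z client=10.1.4.23 qname=internetbadguys.com. qtype=A
garbage line that should be skipped
"""
# Constructed upstream block events: the recursive side sees only the NAT egress IP.
UPSTREAM_BLOCKS = [
    ("2024-05-01T10:00:03Z", "203.0.113.10", "internetbadguys[.]com"),
]

def norm(name):
    """Refang a defanged name, lowercase it and strip the trailing root dot."""
    return name.replace("[.]", ".").lower().rstrip(".")

def ts(value):
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ")

def parse_internal(text):
    """Yield (time, client_ip, qname) per well-formed line; skip malformed ones."""
    for line in text.splitlines():
        parts = line.split()
        fields = dict(p.split("=", 1) for p in parts[1:] if "=" in p)
        if "client" not in fields or "qname" not in fields:
            continue
        try:
            when = ts(parts[0])
        except ValueError:
            continue
        yield when, fields["client"], norm(fields["qname"])

def attribute(blocks, internal_text, window_s=5):
    """Map each upstream block event to the internal clients that sent the query."""
    queries = list(parse_internal(internal_text))
    window = timedelta(seconds=window_s)
    result = []
    for when_s, egress_ip, domain in blocks:
        when, domain = ts(when_s), norm(domain)
        clients = sorted({c for t, c, q in queries
                          if q == domain and abs(t - when) <= window})
        result.append({"domain": domain, "egress_ip": egress_ip, "clients": clients})
    return result
```

Widening `window_s` trades precision for recall: a larger window also picks up later repeat queries from other clients, which helps when scoping how far a callback domain has spread.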
Protect your enterprise from a variety of threats
This integration helps you prevent attackers who have gained access to your network from redirecting queries to known malware sites and malicious locations, otherwise known as command and control callbacks. Other attacks that can be prevented include malicious direct-to-IP connections, zero-day threats and DNS tunneling.
Unify NetOps, DevOps and SecOps teams with NS1 and Cisco Umbrella
The trio of DNS, DHCP, and IP Address Management (DDI) is one of the last remaining groups of foundational technologies that have not been modernized. Built on a cloud-native, API-first architecture, NS1 Enterprise DDI is a flexible and powerful platform that unlocks unprecedented automation, scale, and velocity for network operations teams and DevOps teams. This integration fulfills the needs of security operations teams as well by providing deep visibility into traffic flows and equipping them with the right information to quickly spot and mitigate threats.
Please reach out to us to learn more about this integration.