WHITE PAPER

30 Minutes to
a more secure
enterprise.
Why Cisco Umbrella is the simplest decision you
can make to improve your company’s security.
You have to make some serious security decisions when you’re an
IT leader. That’s because both the volume and sophistication of
attacks are intensifying relentlessly — and it’s clear that conventional
defenses alone are no longer adequate. More effective blocking of
attackers is particularly important because under-the-radar attacks
are wreaking havoc on enterprises that rely on antivirus products,
firewalls, and sandboxing alone.

Plus, no one has an unlimited security budget — so you must act

quickly to enhance your digital security without spending excessively
or overburdening your staff.

Given these realities, DNS-layer security offers extremely

compelling value. With the right combination of internet
infrastructure data and predictive intelligence, a DNS-layer solution Security in the DNS-layer
can quickly identify malicious domains even before those domains
and IPs are used to actually launch any type of attack. In fact,
DNS-layer security is especially useful as your first line of defense,
because DNS requests precede all internet activity.

This proactive DNS-based identification of malicious domains

enables you to do the following:

• I mmediately block dangerous connections between your

users and any potentially malicious domains

• S
 top command-and-control (C2) callbacks and data
exfiltrations — even if you haven’t yet noticed or pinpointed a
compromised internal host

• D
 ramatically reduce security incidents and alerts by
proactively neutralizing them before they occur

© 2016 Cisco and/or its affiliates. All rights reserved. 2

Just as important, because DNS- • The sophistication
based security technology is of deceptive email
available as a cloud-delivered spearphishing techniques
service, you can gain all of these that enable attackers to bypass
benefits within just 30 minutes conventional defenses and
of reading this document. All successfully install ransomware
you have to do is send your DNS and other malicious code
requests to Cisco Umbrella.
• T
 he ease with which
attackers can now generate
New defenses one-off malware packages
Innovation isn’t restricted
to legitimate businesses.
for new threats that can’t readily be detected Attackers also innovate
using conventional signature- aggressively, motivated
Innovation isn’t restricted to by financial rewards. 
based solutions — no matter
legitimate businesses. Attackers
how quickly those signatures
also innovate aggressively. This
and profiles are updated in
innovation is in part motivated
response to attacks elsewhere
by necessity, since the security
industry has a pretty good track • T
 he trend toward “low and
record of developing policies, slow” attacks that evade
processes, and products to cope conventional network-based
with each new wave of attacks. defenses and thereby allow
attackers to infiltrate enterprise
In recent years, however, attacker
infrastructure and take data
innovation has also become even
over extended periods of time
more motivated by the growing
without detection
financial rewards that come with
successful criminal activity. As • T
 he speed and adaptability
people and organizations make with which attackers spin up
greater use of digital technology, attack infrastructure, which
the volume and value of their creates new challenges when
data are increasing. Attacks can it comes to identifying and
be highly profitable, whether blocking potentially malicious
they take the form of data theft traffic
and subsequent resale on the
open market or the increasingly • T
 he advent of malware kits
common ransomware attacks, and malware-as-a-service
which force an organization to resources that substantially
pay for access to its own data. increase threat volume
by empowering individual
Several aspects of attack bad actors and criminal
innovation have become organizations to engage in
particularly troubling to enterprise cyberattacks despite their
IT security leaders, including: personal lack of technical
skill sets

© 2016 Cisco and/or its affiliates. All rights reserved. 3

DNS-layer network security should
be cloud-delivered

Multiple fragmented internet connections are  ith a cloud security platform, management of
W
difficult to secure. DNS requests can be unified and secured across
all endpoints.

ISP? ISP1 ISP? ISP1

Enterprise Enterprise
Home location A
Home location A
users Internal InfoBlox users Internal InfoBlox
appliance appliance

Enterprise Enterprise
Roaming location B
ISP? ISP2 ISP? Roaming location B ISP2
laptops Internal Windows
DNS server laptops Internal Windows
DNS server

Remote Enterprise
Enterprise
sites location C Remote
Internal BIND server location C
sites
ISP3 Internal BIND server
ISP? ISP3
ISP?

Recursive DNS for internet domains

Authoritative DNS for intranet domains

Recursive DNS for internet domains

Authoritative DNS for intranet domains

This multidimensional attack would itself be
troubling enough for IT security leaders. However,
the heightened risk caused by new kinds of
attacks is exacerbated by changes taking place
in the enterprise itself. These changes include an
expanding threat surface, the growing tendency of
mobile users to connect directly to cloud resoures
via unsecured public Wi-Fi (rather than through
secure VPN connections back to the enterprise),
and an often overwhelming volume of security alerts
generated by the multiple generations of “point”
security solutions that IT has accumulated over time.
The bottom line: IT security leaders are looking for
more effective security strategies that don’t add
complexity to their security operations.

© 2016 Cisco and/or its affiliates. All rights reserved. 4

The indispensability of DNS-layer security
DNS-layer security operates on the simple principle that attacks — no
matter how sophisticated or unique — must originate from somewhere.
By pre-emptively blocking all requests over any port or protocol to
any and all suspicious “somewheres,” DNS-layer security can stop
command-and-control exfiltration, ransomware, and other attacks
without the burden of first having to identify the specific nature of
those attacks. Bad domains are blocked because they are quickly and
accurately identified as bad domains.

Attacks never get a chance to carry out their malicious work, because
they never touch the network, endpoints, or any protected remote user
outside the corporate network.

There are two basic elements to DNS-layer security: 

1. Predictive identification threat to the business. Because

of malicious hosts. By this blocking is provided as a
DNS-layer security can
aggregating and analyzing cloud service, its protection can
stop attacks without
DNS-related data, including be extended anywhere users go first having to identify
tens of billions of daily DNS — including to roaming laptops the specific natures of
requests, WHOIS records, outside the network perimeter. those attacks.
and Border Gateway Protocol Because such a blocking service
routing information, it’s possible will be used for all DNS requests
to identify suspicious domains across all endpoints, it also
with a very high degree of needs to be highly reliable and
accuracy. This analysis entails not introduce latency into the
more than merely blacklisting user experience.
hosts in newly created domains.
It also involves sophisticated The combination of intelligent
analytical models that automate attacker identification and cloud-
the detection of anomalies — based request blocking provides
such as detecting suspicious benefits that are indispensable
domain traffic spikes that are in today’s intensifying threat
characteristic of attack activity environment. Those benefits
and using natural language include:
processing to flag domain
• Proactive protection against
names, including slightly
emerging threats. With
obfuscated brand names that
predictive DNS-layer security,
are typically created for use in
IT doesn’t need to wait until an
spearphishing campaigns.
attack is launched and identified.
2. DNS request blocking as a Attacks can be stopped in
cloud service. Armed with their tracks before they ever
a constantly updated list of come into contact with the IT
suspect domains, a cloud environment, regardless of how
service provider can pre- well-camouflaged their
emptively block requests for any malicious payloads or social
domain or IP that might pose a engineering techniques may be.

© 2016 Cisco and/or its affiliates. All rights reserved. 5

DNS-layer network security should
block threats others miss. 

91%
of C2 can be
blocked at the
DNS-layer

15%
SWG
Cloud or of C2 bypasses
on-prem web ports 80 & 443

Infected device

• Early interdiction of can represent a substantial cost lax practices by contractors

command-and-control traffic.
In cases where an infiltration
does occur, DNS-layer security
can put a rapid end to C2 traffic
and prevent data exfiltration.
Communication with malicious
domains is blocked because
the domain is malicious, not
because any exfiltration has to
first be specifically identified.
• Reduced security alert traffic.
Because DNS-layer security
blocks such a high volume
of malicious activity before it
comes in contact with enterprise
IT infrastructure, it can
significantly reduce the volume
of alerts that the security staff
has to review and clear. This
savings and allow staff-hours to
be reallocated to higher-value
tasks.
• M
 ore agile and aggressive
adoption of cloud
opportunities. Security
concerns often inhibit
businesses from adopting new
cloud or as-a-service solutions.
DNS-layer security can allay
some of these concerns,
allowing more aggressive
adoption of cloud-based
services.
• M
 itigation of contractor and
partner vulnerabilities. Many
organizations have suffered
security breaches because of
and other third parties. By
implementing DNS-layer
security, businesses can better
protect themselves against
these vulnerabilities without
placing excessive compliance
burdens on their partners.
The bottom line: No organization
should wait until after an attack
is launched to neutralize it —
especially given how difficult
it is to do so in a sufficiently
timely manner. Instead, all IT
security leaders should make
proactive DNS-layer security a
core component of their overall
enterprise strategy.

© 2016 Cisco and/or its affiliates. All rights reserved. 6

Why Cisco Umbrella?
Umbrella is committed to delivering the best, most reliable, and fastest
internet experience to every single one of our more than 65 million
users. We are the leading provider of network security and DNS services,
enabling the world to connect to the internet with confidence on any
device.

We are unique among security providers for several reasons, including:

• A
 decade of DNS leadership.
Ten years of hands-on
experience working with DNS
technology and data gives Cisco
Umbrelsignificant advantages
when it comes to understanding
how both legitimate and
nonlegitimate parties register
domains, provision infrastructure,
and route IP traffic over the
autonomous system life cycle.
• U
 nmatched DNS data volume
and variety. The accuracy and
completeness of any analytic
outcome is largely contingent
upon the quality, volume, and
completeness of the data
inputs. As a DNS provider, Cisco
Umbrella processes 80 billion
DNS requests for 65 million users
and 12,000 businesses every
day. By combining that data with
third-party feeds, Cisco Umbrella
possesses unmatched visibility
into DNS activity worldwide.
• D
 ifferentiated algorithms and
analytics. The statistical models
required for truly effective and
predictive DNS-layer security
go far beyond simply spotting
anomalies. In fact, the automated
generation of malicious
infrastructure by attackers has
become so commonplace
that it’s not anomalous at all.
That’s why Cisco Umbrella has
developed highly specialized
models that block 7 million
malicious destinations at any
given time — and that often
detect them before any other
security provider on the planet.
• N
 o added latency, 100%
uptime service. As a DNS
OpenDNS is the leading
provider, Cisco Umbrella has
provider of network
crafted a highly resilient network security and DNS services,
environment that boasts 100% letting you connect to the
uptime since 2006. We also internet with confidence.
peer with more than 500 of
the world’s leading internet
service providers and content
delivery networks to ensure
that our response times are
some of the fastest worldwide.
Use of Umbrella does not add
any latency to our customers’
network performance — and
in many cases performance is
even better than that of their
incumbent regional provider.

© 2016 Cisco and/or its affiliates. All rights reserved. 7

Where do you enforce security?

Malware
C2 Callbacks
Phishing

Umbrella

Network and endpoint

First line It all starts with DNS
NGFW
Network and endpoint Precedes file execution
Netflow and IP connection
Proxy
Endpoint Used by all devices
Sandbox Router/UTM
Port agnostic
AV AV AV AV AV

HQ BRANCH ROAMING

• 30-minute deployment. Implementing Umbrella is also far simpler,

faster, and less disruptive than any other security solution. Any
business that’s using the internet is already sending its DNS requests
to external servers. It’s just not reaping the benefits of the industry’s
leading DNS-layer security intelligence and domain blocking at the
same time. To gain those benefits, all that’s required is to point those
requests to Umbrella. It’s that easy.

Cisco Umbrella is the most trusted name in networking. Cisco

makes it easier for IT organizations to leverage Umbrella technology
as part of a multilayered security architecture that includes firewall,
sandboxing, and endpoint protection from Cisco and its certified
partners.

These distinctive attributes make Umbrella inarguably the best choice

for enterprise-class threat protection.

© 2016 Cisco and/or its affiliates. All rights reserved. 8

30 minutes to a safer enterprise The Cisco Umbrella advantage

Umbrella is a proven service provider whose security services are

#1 with/65M+ daily active users
fastest & most reliable DNS
completely nondisruptive. Identification and blocking of malicious
infrastructure are simply value-adds provided as part of a high-
performance DNS lookup service that replaces whatever service is
already being used. There are no new boxes to add, nor is there any
new technology debt or vendor lock-in. In fact, Umbrella is so simple 80B+ daily internet
requests or connections
to implement that you can try it for free just by clicking the link below.

The bigger risk is to postpone implementation too long. Threat

activity has become extremely intense, and conventional defenses 3M+ daily new domain names
discovered
don’t provide sufficient protection.

A mere 30 minutes from now, any business can be more secure than it
was before. That’s the simple reality of DNS-layer security.
60K+ daily malicious destinations
indentified

1. L
 ancope Research. “Visual Investigations of Botnet Command and
Control Behavior.” 2013.

7M+ enforced at any given time

total malicious destinations
2. Cisco. “Cisco 2016 Annual Security Report.” January 2016.

80M+ blocked
daily malicious requests

To launch a free 14-day trial

of Umbrella, simply click
signup.opendns.com.
There’s no cost, no
obligation, and no phone
calls. Just immediate,
substantial improvement of
your organization’s security —
along with a time- and
money-saving reduction in
your security alert volume. 

© 2016 Cisco and/or its affiliates. All rights reserved. Cisco and the Cisco logo are trademarks or registered trademarks of Cisco and/or its affiliates in the
U.S. and other countries. To view a list of Cisco trademarks, go to this URL: www.cisco.com/go/trademarks. Third-party trademarks mentioned are the
property of their respective owners. The use of the word partner does not imply a partnership relationship between Cisco and any other company. (1110R)