Cisco Umbrella CASB
Visibility and control across cloud services call for a platform approach, and specifically a platform that works in a third-party environment. For cloud security, this is where secure access service edge (SASE) can help. Cisco's SASE offering is delivered through Cisco Umbrella, which includes a cloud access security broker (CASB) and comes in several packages depending on your needs. The Cisco Umbrella CASB provides a range of CASB security functions and tools, together with Data Loss Prevention (DLP) and Umbrella Remote Browser Isolation (RBI), that help you understand and control your environment.
Doing this manually means investigating and mapping traffic patterns along with data movement and usage. Instead, we need automatic discovery and risk profiling. You need visibility into the applications, files and data you know about, but also into the ones you do not. You may be surprised by the number of malicious files already sitting in sanctioned applications.
- A key point: Cisco Umbrella
The Cisco Umbrella SASE solution offers further security functions, such as a cloud-delivered Layer 7 firewall, a Secure Web Gateway (SWG), DNS-layer security, SD-WAN integration and ThousandEyes integration for monitoring and observability. So we have the traditional security stack you are familiar with, plus enhancements that make that stack more cloud friendly. All of these functions are part of a single SASE solution, managed from the Cisco Umbrella dashboard and exposed through API integrations.
Use Case: Cisco Umbrella CASB
The Cisco Umbrella CASB fulfils a variety of CASB security use cases. Which use case you adopt depends on where you are in your SASE and cloud security journey. For example, if you are only interested in blocking malware and filtering content, Umbrella DNS-layer filtering may be enough. If you need Data Loss Prevention (DLP), a Cloud Access Security Broker (CASB) and Umbrella Remote Browser Isolation (RBI), you need to move to Umbrella Secure Internet Gateway (SIG), which includes the Layer 7 firewall. Cisco Umbrella offers a number of packages ranging from DNS Security Essentials to SIG Advantage. More information can be found here: Cisco Umbrella Packages.
Along with these security features, Cisco Umbrella also offers continuous file monitoring: data at rest in sanctioned applications is scanned for files that could be malicious. Together, these tools improve your security posture and protect the organization against cloud-specific risks.
This post examines how you start discovering and controlling applications with Cisco Umbrella. The Cisco Umbrella CASB components take you from initial discovery, to understanding risk, to ongoing control over which applications certain users may access and which actions they may perform. These security activities are carried out by Cisco Umbrella's Data Loss Prevention (DLP), Cloud Access Security Broker (CASB) and Remote Browser Isolation engines.
Cloud security threats
Today's shared challenge is that organizations often do not know which applications are in use in their environment. They also need to figure out what to do with specific types of data, and how to find users and assign policies to them. These requirements must be met on someone else's infrastructure, the cloud. The risks of working in cloud environments differ significantly from on-premises. Just look at storage: an unprotected storage environment poses a much greater security risk in the public cloud than in a private data center.
Within an on-premises private data center, firewall controls generally restrict direct access to storage, so an unprotected file is exposed only to users who already have access to data center systems. In the public cloud, an improperly configured storage bucket may be exposed to the entire Internet through a few clicks by a single person, or through an automated playbook that runs without role-based access control (RBAC).
Umbrella Remote Browser Isolation
With Umbrella Remote Browser Isolation (RBI), the browser runs in an isolated container in the cloud, which reduces the attack surface on the endpoint to a minimum and removes the opportunity to move laterally from a compromised browser. The most sensible thing to do is to isolate the browsing function. With browser isolation, malware is kept off the end user's system; the risk shifts to the remote session, which can be reset to a known good state on every new browsing session, tab opened or URL accessed.
Umbrella Remote Browser Isolation protects users from malware and other threats by redirecting browsing to a cloud-based host, which in some implementations is containerized. Isolation is achieved by serving web content to users through a surrogate browser spun up remotely in the cloud.
Umbrella RBI lets users access the content they want, such as a web location or a document. The user's session goes through the isolation engine, which strips out anything that could be malicious, such as macros or malware, and returns a fully rendered version of the content, whether a web app or a website. In other words, remote browser isolation scrubs away anything that could be malicious and delivers a rendered, clean version.
To the user this is transparent: they have no indication that they are looking at a rendered version, but they receive clean, safe content that will not introduce malware into the environment, with minimal performance impact.
Cisco Umbrella CASB
You can use Cisco Umbrella CASB to discover your actual usage of cloud services through several means: network monitoring, integration with existing network gateways and monitoring tools, or monitoring Domain Name System (DNS) queries. This discovery service is the first step in CASB security: understanding both sanctioned applications and shadow IT. Once services are discovered, a CASB can monitor activity on approved services through two common deployment options: an API connection to the cloud provider, or inline interception of the traffic (a proxy in the path, sometimes described as man-in-the-middle). Some vendors offer a multimode approach. Both deployment modes have their advantages and disadvantages.
A CASB alone is far from a silver bullet and works in combination with other security functions. The power of Cisco Umbrella CASB depends on its Data Loss Prevention (DLP) capabilities, which may be part of the CASB solution or an external service, depending on the vendor. In Cisco Umbrella's case, the DLP engine is inline.
Data Loss Prevention
After discovery, CASB security can be used as a preventative control to block access to SaaS products outright. This coarse approach is increasingly being replaced by DLP integration. DLP systems inspect network traffic leaving your systems, looking for sensitive data. Traffic carrying unauthorized data is then blocked to protect it from loss and leakage.
With DLP integration, you can continue to allow access to a SaaS product but control what is done within it. For example, if somebody uses Twitter, you can prevent certain keywords or statements from being posted to the platform.
Similarly, if you use an application like Salesforce in the cloud and have a policy that customer databases must not be copied or downloaded from Salesforce, the CASB can enforce that policy and monitor any attempt to download the data or otherwise violate it.
Cisco Umbrella CASB: SASE Capabilities
Cisco Umbrella's CASB, DLP and Umbrella Remote Browser Isolation (RBI) offering is a core part of Cisco's overall SASE strategy. The value of CASB security comes from its insight into cloud application use across cloud platforms and its ability to identify unsanctioned use. CASBs use auto-discovery to detect cloud applications and identify high-risk applications and users. They also include DLP functionality and can detect and alert on abnormal user activity to help stop internal and external threats. This lets Cisco Umbrella expose shadow IT by detecting and reporting on the cloud applications used across your environment.
Cisco Umbrella Visibility
App Discovery provides:
- Extended visibility into the cloud apps in use and their traffic volume
- App details and risk information
- The capability to block or allow specific apps
Now we have a central place for all applications. Cisco Umbrella CASB looks at all your cloud applications and presents them on a single pane of glass where you can manage them and see what is happening, provided the traffic is already being sent to it. So instead of going to a hundred different applications and a hundred different cloud providers, you go to one system, your CASB solution, which handles everything.
CASB security should detect all cloud services, assign each a risk ranking, and identify all users and third-party apps able to log in. More often than not there are a small number of power users, such as finance staff, who have access to large data sets. Looking at the files used, shared and exposed, and the apps installed, a small minority of users typically controls most of the applications. It is these few users who introduce a considerable amount of security risk. They also often collaborate with several external parties through cloud-based sharing, not to mention sharing with non-corporate email addresses.
- A key point: Understanding risk.
So the first thing to do is understand the risk. Here you identify risky applications by gaining visibility into shadow IT: apps that admins have no control over or visibility into, yet are in use in the environment they need to protect. You can also dig into which identities use these applications and why. How do you gain this visibility? A couple of data sources can be used for discovery, which we discuss in a moment.
Applications used in your environment are displayed in different categories, and risk is broken down according to different criteria, for example business risk, usage risk and vendor compliance, each made up of several factors. Cisco Umbrella CASB integrates with Cisco Talos, which supplies reputation information for the host domain and URL associated with an app and tells you whether the app has a good reputation.
To gain visibility, we have to perform discovery. The discovery process pulls in log data from the Umbrella security engines and analyzes it. All of the app discovery capabilities work out of the box; all you need to do is send user traffic to Umbrella. The first source is DNS; apps can also be discovered through the Secure Web Gateway (SWG) proxy and the cloud-delivered firewall.
These SASE engines give you a view of both sanctioned and unsanctioned applications. If you send traffic through any of these engines within Cisco Umbrella, it collects the discovery data automatically. Cisco Umbrella also has a Layer 7 application firewall that reports application protocols, giving you the top protocols used per application.
Umbrella has several engines that help with discovery: the native proxy, the firewall and DNS logs. The user identity can be determined whenever an engine picks up the traffic, whether at the DNS level or the firewall level. This gives you a holistic view of each application, with its associated risk and the identities using it on a per-app basis. From there you can take a broader look at risk across cloud apps: traffic to malware hosts and command-and-control (C&C) servers, and whether any Tor endpoints are running on your network.
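The discovery step described above, as an added example in Python rather than Cisco's own code: it reads DNS-layer log lines, maps each queried domain to an app, counts queries and identities per app, separates sanctioned apps from shadow IT, and sets aside blocked or malware-categorised queries as threats. The log lines are constructed here and only loosely follow the comma-separated layout of Umbrella DNS logs (timestamp, identity, identity list, internal IP, external IP, action, query type, response code, domain, categories); the app catalogue, risk scores and sanctioned list are assumptions made for illustration.

```python
"""Shadow IT discovery from DNS-layer logs (added example, not Cisco's code).

The log lines below are constructed and loosely follow the comma-separated
layout of Umbrella DNS logs. The app catalogue, risk scores and sanctioned
list are assumptions made for illustration.
"""
import csv
from io import StringIO

# Constructed sample log lines; not captured from a real tenant.
SAMPLE_DNS_LOG = """\
"2023-03-01 09:12:01","alice@example.com","alice@example.com,HQ","10.1.1.10","203.0.113.5","Allowed","1 (A)","NOERROR","salesforce.com.","Business Services"
"2023-03-01 09:12:44","alice@example.com","alice@example.com,HQ","10.1.1.10","203.0.113.5","Allowed","1 (A)","NOERROR","wetransfer.com.","File Storage"
"2023-03-01 09:13:02","bob@example.com","bob@example.com,HQ","10.1.1.11","203.0.113.5","Allowed","1 (A)","NOERROR","api.dropbox.com.","File Storage"
"2023-03-01 09:14:30","bob@example.com","bob@example.com,HQ","10.1.1.11","203.0.113.5","Allowed","1 (A)","NOERROR","cdn.wetransfer.com.","File Storage"
"2023-03-01 09:15:09","carol@example.com","carol@example.com,Branch","10.2.0.7","198.51.100.9","Blocked","1 (A)","NOERROR","known-bad.example.","Malware"
"2023-03-01 09:16:55","carol@example.com","carol@example.com,Branch","10.2.0.7","198.51.100.9","Allowed","28 (AAAA)","NOERROR","login.salesforce.com.","Business Services"
"""

# Hypothetical app catalogue: registrable domain -> (app name, risk score 1-10).
APP_CATALOGUE = {
    "salesforce.com": ("Salesforce", 2),
    "dropbox.com": ("Dropbox", 5),
    "wetransfer.com": ("WeTransfer", 7),
}
SANCTIONED_APPS = {"Salesforce"}  # assumption: everything else is shadow IT


def registrable_domain(fqdn):
    """Reduce a queried name to its registrable domain.

    Simplification: keeps the last two labels. A production build should use
    the public suffix list so names under suffixes like 'co.uk' are handled.
    """
    labels = fqdn.rstrip(".").lower().split(".")
    return ".".join(labels[-2:])


def discover(log_text):
    """Build an app inventory and a threat list from DNS log lines.

    Returns (inventory, threats): inventory maps app name to risk, query
    count, the identities seen and the sanctioned flag; threats lists
    (timestamp, identity, domain) for blocked or malware-categorised queries.
    """
    inventory, threats = {}, []
    for row in csv.reader(StringIO(log_text)):
        if len(row) < 10:
            continue  # malformed or truncated line
        ts, identity, _ids, _int_ip, _ext_ip, action, _qtype, _rcode, domain, categories = row[:10]
        if action != "Allowed" or "Malware" in categories.split(","):
            threats.append((ts, identity, domain.rstrip(".")))
            continue
        rd = registrable_domain(domain)
        app, risk = APP_CATALOGUE.get(rd, ("unknown:" + rd, None))
        entry = inventory.setdefault(app, {
            "risk": risk, "queries": 0, "identities": set(),
            "sanctioned": app in SANCTIONED_APPS,
        })
        entry["queries"] += 1
        entry["identities"].add(identity)
    return inventory, threats


def shadow_it(inventory):
    """Unsanctioned apps, riskiest first; apps with unknown risk sort last."""
    rows = [(app, e) for app, e in inventory.items() if not e["sanctioned"]]
    return sorted(rows, key=lambda r: (-(r[1]["risk"] or 0), r[0]))


if __name__ == "__main__":
    inv, found_threats = discover(SAMPLE_DNS_LOG)
    for app, e in shadow_it(inv):
        print(f"{app:<12} risk={e['risk']} queries={e['queries']} users={sorted(e['identities'])}")
    for ts, identity, domain in found_threats:
        print(f"THREAT {ts} {identity} -> {domain}")
```

The same loop would consume proxy or firewall logs once their fields are mapped to identity and destination; the point is that every engine that sees the traffic contributes an identity-to-app record, and the per-app risk comes from a catalogue rather than from the log itself.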
Pillar 2: Data Security and Control
When dealing with any systemic issue, prevention is key, with a focus on data protection. A good start is to define which applications are risky. From there you can build a workflow and identify the data sets you need to protect from, for example, data leakage. Once discovery and risk assessment are done, you can prevent unwanted applications in your environment, which is the first step in enforcement.
So the first component is CASB security, and then DLP to enforce controls: we create DLP policies to prevent data leakage. The CASB should be able to identify and control sensitive information. Here we have DLP features and the capability to respond to classification labels on content.
There is also a component called granular control, in which you allow access to an application but control specific actions for specific applications and users. For example, you can allow access to the app but block uploads, and then tie this to an identity so that only your finance team can upload. So you can allow, block and also isolate. The CASB DLP can operate natively and in conjunction with enterprise DLP products via the Internet Content Adaptation Protocol (ICAP) or REST API integration.
A common DLP engine for on-premises and cloud locations eliminates policy duplication. Cisco Umbrella opts for an inline DLP engine, with no need to service chain to an additional appliance.
Inline Data Loss Prevention
The Data Loss Prevention policy monitors content classified as personally identifiable or otherwise sensitive information. When necessary, the content is blocked from being uploaded or posted. With Cisco Umbrella DLP, there is only one data loss prevention policy. Rules are added to the policy to define what traffic to monitor (identities and destinations), the data classifications required, and whether matching content should be blocked or only monitored. For example, an office may want to monitor its network for file uploads that include credit card numbers, because such uploads breach company privacy and security policies. A rule that monitors uploads to the relevant domains can block these files.
Cisco Umbrella: 80 pre-built data Identifiers
DLP has two primary functions: the first identifies and classifies sensitive data, and the second takes action on it. Cisco Umbrella has robust DLP classification with over 80 pre-built data identifiers, aligned with detailed reporting on every DLP event. So when working with DLP, you first select data classifications; this is where you start, by choosing identifiers for the data. If you are concerned with financial data sets and want to look for credit card numbers, you choose from the list of pre-built identifiers. Then you can add your own customizations.
The Cisco Umbrella DLP engine also supports regular expressions, which let you match any pattern of your own. So we have custom and pre-built identifiers, and we apply them in a DLP policy. Keep in mind that there is only one data loss prevention policy; its rules define what traffic to monitor (identities and destinations), the data classifications required, and whether content should be blocked or only monitored.
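The identifier-and-rule structure described in this section and the granular control above (allow the app, but block or monitor specific uploads for specific identities), as an added Python example that is not Cisco's DLP engine: a pre-built-style credit card identifier with a Luhn check, a custom keyword dictionary, a custom regular expression, and one policy whose ordered rules name identities, destinations, the classifications that trigger them, and a monitor or block action. The identifier names, group names, rule layout and sample uploads are all assumptions.

```python
"""Inline DLP classification and a single policy of rules (added example).

This is not Cisco's DLP engine. It mirrors the structure the text
describes: data identifiers and one policy whose rules name identities,
destinations, classifications and a monitor or block action. The
identifier names, group names, rule layout and sample uploads are
assumptions.
"""
import re
from dataclasses import dataclass


def luhn_ok(digits):
    """Luhn checksum, used to drop digit runs that merely look like cards."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


# 13-19 digits, optionally separated by spaces or dashes, not inside a longer run.
CARD_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def find_credit_cards(text):
    """Pre-built-style identifier: pattern match plus checksum validation."""
    hits = []
    for m in CARD_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group())
        if 13 <= len(digits) <= 19 and luhn_ok(digits):
            hits.append(digits)
    return hits


CUSTOM_DICTIONARY = ("project falcon", "internal only")  # assumed org keywords
CUSTOMER_ID_RE = re.compile(r"\bCUST-\d{6}\b")          # assumed custom regex

IDENTIFIERS = {
    "credit_card": find_credit_cards,
    "custom_dictionary": lambda t: [w for w in CUSTOM_DICTIONARY if w in t.lower()],
    "customer_id": lambda t: CUSTOMER_ID_RE.findall(t),
}


def classify(text):
    """Return {classification: matches} for every identifier that fires."""
    return {name: hits for name, fn in IDENTIFIERS.items() if (hits := fn(text))}


@dataclass
class Rule:
    name: str
    identities: set       # user names or group names; "*" matches anyone
    destinations: set     # app names; "*" matches any destination
    classifications: set  # classifications that trigger the rule
    action: str           # "monitor" or "block"


# The single DLP policy. Rules are evaluated in order and the first match
# wins, so the narrow monitor-only rule for finance sits above the general block.
POLICY = [
    Rule("finance-cards-to-crm", {"finance"}, {"Salesforce"}, {"credit_card"}, "monitor"),
    Rule("cards-anywhere", {"*"}, {"*"}, {"credit_card"}, "block"),
    Rule("codenames-to-social", {"*"}, {"Twitter"}, {"custom_dictionary"}, "block"),
]


@dataclass
class Upload:
    user: str
    groups: set
    destination: str
    content: str


def evaluate(upload, policy=POLICY):
    """Classify the upload and return the action of the first matching rule."""
    found = classify(upload.content)
    who = upload.groups | {upload.user}
    for rule in policy:
        if "*" not in rule.identities and not (rule.identities & who):
            continue
        if "*" not in rule.destinations and upload.destination not in rule.destinations:
            continue
        matched = set(found) & rule.classifications
        if matched:
            return {"action": rule.action, "rule": rule.name, "classifications": sorted(matched)}
    # Nothing to enforce; still report what was seen so monitoring data is not lost.
    return {"action": "allow", "rule": None, "classifications": sorted(found)}
```

Two details matter in practice. The Luhn check is what keeps an order reference such as `1234 5678 9012 3456` from being reported as a card, and rule order is what lets finance keep uploading card data to the sanctioned CRM under monitoring while the same content going anywhere else is blocked; reversing the first two rules would block finance as well.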
Deployment: CASB Solution
CASBs operate using two different approaches. Inline CASB solutions sit in the path between the user and the service. They may do this through a hardware appliance or an endpoint agent that routes requests through the CASB. This approach requires configuration of the network or endpoint devices, but it has the advantage of seeing requests before they reach the cloud service, allowing the CASB to block requests that violate policy.
API-based CASB solutions do not interact directly with the user but with the cloud provider, through the provider's API. This approach gives direct access to the cloud service and requires no user device configuration.
However, it does not let the CASB block a request before it reaches the service. As a result, API-based CASBs are limited to monitoring user activity and reporting on or correcting policy violations after the fact.
Starting a SASE Project
DLP starting points
When considering DLP, there are a couple of best practices to follow. First, you need to "train" the DLP to distinguish sensitive data from what is not. In particular, run DLP in monitoring-only mode at first rather than blocking aggressively; you want to understand what is happening before you start to block.
You also often need to understand more about the data, how it is identified, and where it is moving. Second, a DLP engine cannot inspect encrypted traffic unless that traffic is decrypted first, and if it is, check the performance hit. Some cloud SDKs and APIs encrypt portions of data and traffic in ways that interfere with a DLP implementation.
With Cisco Umbrella, as a best practice, start with the pre-built identifiers and create custom dictionaries to monitor your organization's specific keywords and phrases. Then create rules for the users, groups, devices and locations whose data you want to monitor. Finally, choose which destinations and apps to monitor. Many organizations choose monitor-only when creating DLP rules and enable block over time.
Cisco Umbrella CASB starting points
Consider the following recommendations when starting a project that includes CASB functionality. First, discover both sanctioned and unsanctioned cloud services, including cloud plug-ins, and then assess cloud risk by cloud service category. Once this information has been gathered, it can be measured along with risk and compared to the organization's risk tolerance.
Next, identify and protect sensitive information. Once you find all sensitive information in the cloud, classify it and apply controls such as DLP to govern its movement. For example, additional protections can be applied when sensitive data is moved out of a cloud service to a local unmanaged laptop.
- A final note: Detect and mitigate threats.
Assess user behaviour and any deviation that may signal out-of-the-ordinary activity. The CASB is one of several solutions that can be used here; more mature products, such as Splunk User Behavior Analytics (UBA), offer advanced detection. Once a significant deviation from the baseline is noticed, trust is reduced, and you can step down privileges or take more drastic action, changing the level of access. In addition, track all data movement, detect and remove malware, and have an implementation strategy for remediation.
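The baseline-deviation idea in this closing note, as an added Python example that is neither Splunk UBA nor Cisco's engine: each user's recent daily download counts form a baseline, today's count is scored against it, and a large deviation reduces trust and steps down what the user may do. The per-user counts are constructed, and the z-score thresholds and the mapping from trust decision to permitted actions are assumptions.

```python
"""Baseline deviation on per-user activity with a step-down response.

Added example, not Splunk UBA or Cisco's engine. The per-user daily
download counts are constructed, and the thresholds and the mapping from
trust decision to permitted actions are assumptions.
"""
from statistics import mean, pstdev

# Constructed: user -> daily file-download counts, oldest first. The last
# value is "today"; everything before it forms the baseline.
ACTIVITY = {
    "alice@example.com": [12, 15, 11, 14, 13, 16, 12, 14, 90],
    "bob@example.com":   [3, 4, 2, 5, 3, 4, 3, 4, 5],
    "carol@example.com": [40, 42, 38, 41, 39, 43, 40, 42, 46],
}

# Assumed mapping from trust decision to the actions still permitted.
ACCESS_BY_DECISION = {
    "normal":    {"download": True,  "share_external": True},
    "alert":     {"download": True,  "share_external": False},
    "step-down": {"download": False, "share_external": False},
}


def deviation(history, min_days=7):
    """z-score of today's count against the user's own baseline.

    Returns None when the baseline is too short to be meaningful. The
    standard deviation is floored at 1.0 so a perfectly flat baseline
    cannot divide by zero or turn a change of one into a huge score.
    """
    baseline, today = history[:-1], history[-1]
    if len(baseline) < min_days:
        return None
    mu, sigma = mean(baseline), max(pstdev(baseline), 1.0)
    return (today - mu) / sigma


def trust_decision(z, alert_at=3.0, step_down_at=5.0):
    """Map a deviation to a trust action.

    A user without a baseline is not penalised here; a stricter deployment
    could default new users to "alert" until enough history exists.
    """
    if z is None:
        return "normal"
    if z >= step_down_at:
        return "step-down"
    if z >= alert_at:
        return "alert"
    return "normal"


def review(activity):
    """Run every user through the baseline check; returns user -> decision."""
    return {user: trust_decision(deviation(history)) for user, history in activity.items()}


def permitted(decision, action):
    """Whether an action is still allowed under a given trust decision."""
    return ACCESS_BY_DECISION[decision][action]


if __name__ == "__main__":
    for user, decision in review(ACTIVITY).items():
        print(f"{user:<20} {decision:<10} download={permitted(decision, 'download')}")
```

Per-user baselines are the point: carol's 46 downloads would be unremarkable for her peers but is out of line for her, while bob's noisy low-volume history is flattened by the standard deviation floor so a change of one or two is not alerted on.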