SASE Model | Zero Trust Identity
In today’s rapidly evolving digital landscape, businesses face numerous challenges in securing their networks. The traditional security model is no longer sufficient to protect against sophisticated cyber threats. This is where the Secure Access Service Edge (SASE) model comes into play. In this blog post, we will delve into the world of SASE, exploring its key concepts, benefits, and how it revolutionizes network security.
The SASE model brings together networking and security into a unified cloud-based architecture. It combines wide area networking (WAN) capabilities with advanced security functions, creating a holistic approach to network security. The SASE model simplifies management and enhances overall security posture by consolidating and centralizing security functions.
Highlights: SASE Model
- Cisco Umbrella
Once you have a SASE solution, you need to evolve it. The SASE model is unlike installing a firewall and configuring policies; you can add and enhance your SASE technology in many ways to increase your security posture. With Umbrella SASE, we are moving our security to the cloud and expanding this with the Cisco Umbrella platform and Zero Trust Identity from Cisco Duo. First, Cisco Umbrella provides the core SASE technology security functionality, such as DNS-layer filtering, and then Cisco Duo focuses on the Zero Trust Identity side.
- Traditional Security Devices
Firewalls and other security services will still have a crucial role, but we must modernize the solution, especially regarding encrypted traffic and applying policies on an enterprise-wide scale. A good approach is to offload functions one at a time from the on-premises stack to Umbrella SASE rather than replacing everything at once. The SASE model is more of a journey than a product you can switch on and could take 3 – 5 years.
- New Cloud Locations
The virtual private network (VPN) into the enterprise data center must remain. Even though most applications are SaaS-based, some on-premises applications will stay where they are for compliance or security reasons, or because they are too complex to expose to the Internet; partner-hosted resources fall into the same category. We need a solution that satisfies both access requirements: VPN access to enterprise applications in the data center, and protected direct Internet access (DIA) for SaaS-based applications.
Related: Before you proceed, you may find the following posts helpful:
Zero Trust Identity.
Introduction to the SASE model and what is involved.
Highlighting the details of the challenging landscape along with recent trends.
Technical details on how to approach SASE with the SASE technology.
Scenario: Identity-based controls with zero trust identity.
Details on starting a SASE project with Umbrella SASE.
Discuss Cisco Duo and its key components, such as MFA and adaptive policies.
Back to Basics: SASE Model | Zero Trust Identity
Zero Trust and SASE
Zero Trust is essential to protecting IT systems, data, and infrastructure because organizations must move away from the traditional perimeter-based approach to security, which no longer fits an era of cloud computing and remote working. Zero Trust is one of the security components that enables SASE, so the two are complementary, but their relationship is a little more complicated than that.
For instance, SASE solutions often include ZTNA as one of their capabilities. Still, it is debatable whether the dependence on SD-WAN as the underlying infrastructure sits comfortably with the basic principles of Zero Trust. The risk is assuming that SD-WAN is always secure and can be trusted; trusting any single element in a multi-layered security stack is the exact opposite of what Zero Trust is about.
SASE and Zero Trust Identity: Main Components
Key Components of SASE
SASE is built on several key components that deliver comprehensive security and networking capabilities. These components include cloud-native security services, software-defined wide area networking (SD-WAN), zero-trust network access (ZTNA), and secure web gateways (SWG). Each component provides secure and efficient access to applications and resources.
Implementing the SASE model brings a multitude of benefits to organizations. Firstly, it enables seamless and secure access to applications from anywhere, anytime, and on any device. SASE also reduces complexity by consolidating security functions, leading to simplified management and improved operational efficiency. Additionally, it enhances scalability and agility, allowing organizations to adapt quickly to changing business needs.
Organizations increasingly adopt cloud services and embrace remote work as the digital landscape evolves. SASE is uniquely positioned to address these shifts by providing a flexible and scalable security framework. With its cloud-native approach, SASE enables organizations to adapt to changing network demands while maintaining a strong security posture.
The challenges become clearer when you examine recent trends. Historically, most resources lived in the data center, so we could centralize the security stack in front of them. Now users access the network from anywhere, and public cloud applications each have their own connectivity characteristics to understand.
In addition, we now have an Internet- and cloud-centric connectivity model, so we need to rethink how we facilitate these new communication flows.
As a first step, you don’t need to throw out all your network and security appliances and jump to the SASE model. For an immediate design, you can augment your on-premises network security appliance with Umbrella SASE DNS-layer security. DNS-layer security is a good starting point with Cisco Umbrella.
For this, you need to make some slight changes. This way, you don’t need any significant architectural changes to get immediate benefits from SASE and its cloud-native approach to security.
SASE Technology with Zero Trust Identity
You can then further this SASE model to include Zero Trust Identity with, for example, Cisco Duo. With Cisco Duo, we are moving from inline security inspection on the network to securing users at the endpoint or the application layer. An actual Zero Trust Identity strategy changes the level of access or trust based on contextual data about the user or device requesting access.
Now, we are heading into identity as the new perimeter. Identity, in its many forms, is the new perimeter, and it needs protection mechanisms beyond those you already have in your existing environment.
We have identity sprawl with potentially unprecedented access, making any of the numerous identities a high-value target for bad actors to compromise. For example, in a multi-cloud environment, it’s common for identities to be given a dangerous mix of entitlements, further extending the attack surface area security teams need to protect.
Identity attacks are hard to detect
Nowadays, bad actors can use even more gaps and holes as entry points. With the surge of identities, including humans and non-humans, IT security administrators face the challenge of containing and securing the identity sprawl as the attack surface widens.
What makes this worse is that identity-driven attacks are hard to detect: a valid credential used by an attacker looks, to most controls, exactly like the same credential used by its owner. How do you know whether a privileged action was taken by a sysadmin or by an attacker using the sysadmin's account?
Security teams must find a reliable way to monitor suspicious user behavior to determine the signs of compromised identities. For this, there needs to be some behavioral analysis running in the background, looking for deviations from per-user baselines such as usual login hours, locations, and devices. Once a deviation has occurred, we can trigger automation, for example a SOAR playbook that opens a case, starts threat hunting, or forces re-authentication.
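As an added illustration (this is example code written for this post, not Cisco Duo, Umbrella, or Splunk logic), the following Python builds a per-user baseline from a few constructed authentication log lines and flags later events that deviate from it in more than one way. The log format, field names, thresholds, and the two-hour "usual time" window are all assumptions chosen for the example.

```python
"""Baseline-deviation detection over authentication events (added example, constructed data)."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log: timestamp user country device result
SAMPLE_LOG = """\
2024-03-04T08:02:11Z alice US laptop-01 success
2024-03-04T08:10:43Z alice US laptop-01 success
2024-03-05T08:05:02Z alice US laptop-01 success
2024-03-06T08:01:55Z alice US laptop-01 success
2024-03-06T09:12:00Z bob DE desk-07 success
2024-03-06T09:40:31Z bob DE desk-07 success
2024-03-07T03:14:09Z alice RO unknown-9f failure
2024-03-07T03:14:20Z alice RO unknown-9f failure
2024-03-07T03:14:31Z alice RO unknown-9f success
2024-03-07T09:00:00Z bob DE desk-07 success
"""


def parse(log):
    events = []
    for line in log.splitlines():
        ts, user, country, device, result = line.split()
        events.append({"ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
                       "user": user, "country": country,
                       "device": device, "result": result})
    return events


def build_baseline(events):
    """Per-user profile from successful logins only: countries, devices and hours seen."""
    base = defaultdict(lambda: {"countries": set(), "devices": set(), "hours": set()})
    for e in events:
        if e["result"] != "success":
            continue
        b = base[e["user"]]
        b["countries"].add(e["country"])
        b["devices"].add(e["device"])
        b["hours"].add(e["ts"].hour)
    return base


def deviations(e, baseline, recent_failures):
    """List the ways one event departs from its user's baseline."""
    b = baseline.get(e["user"])
    if b is None:
        return ["no-baseline"]
    reasons = []
    if e["country"] not in b["countries"]:
        reasons.append("new-country")
    if e["device"] not in b["devices"]:
        reasons.append("new-device")
    # An hour counts as usual if it is within two hours of any hour in the baseline (assumed window).
    if all(abs(e["ts"].hour - h) > 2 for h in b["hours"]):
        reasons.append("off-hours")
    # A success right after repeated failures is the classic password-guessing / spraying tell.
    if recent_failures >= 2 and e["result"] == "success":
        reasons.append("success-after-failures")
    return reasons


def detect(log, train_before, min_reasons=2, failure_window=timedelta(minutes=10)):
    """Train on events before `train_before` (YYYY-MM-DD), score the rest, and return
    (user, timestamp, reasons) for every event with at least `min_reasons` deviations."""
    cutoff = datetime.strptime(train_before, "%Y-%m-%d")
    events = parse(log)
    baseline = build_baseline([e for e in events if e["ts"] < cutoff])
    alerts = []
    for e in (x for x in events if x["ts"] >= cutoff):
        recent_failures = sum(
            1 for x in events
            if x["user"] == e["user"] and x["result"] == "failure"
            and e["ts"] - failure_window <= x["ts"] < e["ts"])
        reasons = deviations(e, baseline, recent_failures)
        if len(reasons) >= min_reasons:
            alerts.append((e["user"], e["ts"].isoformat(), reasons))
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG, "2024-03-07"):
        print(alert)
```

Each alert carries the list of reasons rather than a single score, which is what a SOAR playbook needs to choose a response (a new country alone might only warrant step-up authentication, a success after failures from a new device is a case to open).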
Figure: an example of the Social-Engineering Toolkit (SET). Its credential harvester module clones a legitimate login page and records whatever credentials are typed into it, which is exactly the attack described next.
Credential harvester or phishing attacks aim to trick individuals into providing their sensitive login information through fraud. Attackers often create deceptive websites or emails resembling legitimate platforms or communication channels. These masquerading techniques exploit human vulnerabilities, such as curiosity or urgency, to deceive unsuspecting victims.
The Mechanics Behind the Attack
To execute a successful credential harvester attack, perpetrators typically utilize various methods. One common approach involves creating fake login pages that mimic popular websites or services. Unaware of the ruse, unsuspecting victims willingly enter their login credentials, unknowingly surrendering their sensitive information to the attacker. Another technique involves sending phishing emails that appear genuine, prompting recipients to click on malicious links and unknowingly disclose their login details.
Consequences of Credential Harvester Attacks
The consequences of falling victim to a credential harvester attack can be severe. From personal accounts to corporate networks, the compromised login information paves the way for unauthorized access, data theft, identity theft, and financial fraud. It is not uncommon for attackers to leverage the obtained credentials to gain entry into other platforms, potentially compromising sensitive information and causing extensive damage to individuals or organizations.
Mitigating the Risks
Thankfully, several proactive measures can be taken to mitigate the risks associated with credential harvester attacks. First and foremost, user education plays a crucial role. Raising awareness about the existence of these attacks and providing guidance on identifying phishing attempts can empower individuals to make informed decisions. Implementing robust email filters, web filters, and antivirus software can also help detect and block suspicious activities.
Two-factor Authentication as a Defense Mechanism
One highly effective strategy to fortify defenses against credential harvester attacks is the implementation of two-factor authentication (2FA). By requiring an additional verification step, such as a unique code sent to a registered mobile device, 2FA adds an extra layer of security. Even if attackers obtain the password, they still cannot access the account without the second factor. One caveat: a code typed into a cloned login page can be relayed to the real site in real time just like the password, so SMS or TOTP codes reduce the risk but do not eliminate it. Phishing-resistant methods such as FIDO2/WebAuthn security keys bind the authentication to the genuine site's origin, so a look-alike page cannot replay them.
The Changing Landscape: Evolution to a SASE Model
The Internet: New Enterprise Network
We are stating that there has been a substantial evolution. The Internet is the new network: users and apps are more distributed, and the Internet is used to deliver those services. As a result, we have a much larger dependency on the Internet, but the reliability of the Internet is not consistent around the globe. For example, BGP has no built-in way to verify who is allowed to announce a prefix, so route leaks and hijacks are recurring incidents. We need to look at other tools and solutions to layer on top of what we have to improve Internet reliability.
BGP operates over TCP port 179. That TCP session is the channel through which BGP routers establish peerings and exchange routing information, and it carries the dynamic routing decisions across diverse networks. Because of its criticality, BGP is an attractive target for malicious actors seeking to disrupt network operations or launch sophisticated attacks.
Common Threats Targeting BGP TCP Port 179
As the backbone of Internet routing, BGP faces various security threats. The port itself is not the weakness; the problems are that the protocol does not authenticate the origin of a route and that the TCP session can be attacked if it is not protected. Route hijacking and route leaks inject prefixes that a peer is not authorized to announce; spoofed TCP resets or SYN floods against port 179 can tear down or starve a session, and a flood of bogus announcements can exhaust router memory. Countermeasures exist at each layer: protect the session with TCP-AO (or the older TCP MD5 option) and GTSM/TTL security, filter each peer to the prefixes and AS paths it is expected to send, and use RPKI route origin validation to reject announcements whose origin AS does not match a published ROA. Understanding these threats is essential in implementing effective countermeasures.
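To make the route-hijacking threat and its countermeasure concrete, here is an added Python example (not from the original post or any vendor product) that applies RFC 6811-style route origin validation to a handful of constructed announcements against a constructed ROA set. The prefixes and AS numbers are documentation and private-use values chosen for illustration.

```python
"""RPKI route origin validation over constructed announcements (added example)."""
import ipaddress

# Constructed ROA set (assumption for the example): (prefix, maxLength, authorized origin AS).
ROAS = [
    ("192.0.2.0/24", 24, 64500),
    ("198.51.100.0/22", 24, 64501),
    ("2001:db8::/32", 48, 64500),
]


def validate_origin(prefix, origin_asn, roas=ROAS):
    """RFC 6811 validation state for one announcement.

    'not-found': no ROA covers the prefix (RPKI says nothing about it)
    'valid':     a covering ROA names this origin AS and the prefix is no longer than its maxLength
    'invalid':   at least one ROA covers the prefix, but none matches both origin AS and length
    """
    net = ipaddress.ip_network(prefix, strict=False)
    covered = False
    for roa_prefix, max_length, asn in roas:
        roa = ipaddress.ip_network(roa_prefix)
        if roa.version != net.version:
            continue
        if net.subnet_of(roa):  # also true when net == roa
            covered = True
            if asn == origin_asn and net.prefixlen <= max_length:
                return "valid"
    return "invalid" if covered else "not-found"


def apply_rov_policy(announcements, drop_invalid=True):
    """Split (prefix, origin_asn) announcements into accepted and rejected, tagged with state.
    The usual deployment drops only 'invalid' and keeps 'not-found', because most of the
    routing table still has no ROA at all."""
    accepted, rejected = [], []
    for prefix, asn in announcements:
        state = validate_origin(prefix, asn)
        entry = (prefix, asn, state)
        if state == "invalid" and drop_invalid:
            rejected.append(entry)
        else:
            accepted.append(entry)
    return accepted, rejected


# Constructed announcements: legitimate, hijack from the wrong AS, too-specific (beyond
# maxLength), a covered shorter prefix, and one nobody has published a ROA for.
SAMPLE_ANNOUNCEMENTS = [
    ("192.0.2.0/24", 64500),
    ("192.0.2.0/24", 64666),
    ("192.0.2.0/25", 64500),
    ("198.51.100.0/23", 64501),
    ("203.0.113.0/24", 64502),
]

if __name__ == "__main__":
    ok, bad = apply_rov_policy(SAMPLE_ANNOUNCEMENTS)
    for entry in ok + bad:
        print(entry)
```

The "too-specific" case is the one operators most often get wrong: the origin AS is right, but a /25 under a ROA with maxLength 24 is still invalid, which is precisely what stops an attacker from winning longest-prefix-match with a more specific announcement.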
Also, the cloud is the new data center. We no longer control and own the infrastructure that hosts our data and apps in the public cloud. Those apps communicate with other public clouds and back to on-premises systems to reach applications or databases that cannot be moved to the cloud, which is a new set of flows to secure. We are also reducing the types of applications on the enterprise network.
Most organizations are trying to minimize custom applications and standardize on SaaS-based applications. These are hosted in public and private clouds and accessed over the Internet, so the service is reachable only via the public Internet.
We also want the same experience at home as in the office: the same network and security functions should apply whether a user is working from home or back in the office.
How To Approach The SASE Model?
How do you do this? Well, there are two ways. You can facilitate this with a bespoke platform, which can be self-managed with many on-premise network and security stacks, sticking the product together and then building your own PoPs. However, you can get away from this and consume this as a service from a SASE provider, so we have a cloud consumption model of all network and security services. This is the essence of the SASE model. Why not offload all the complexity to someone else?
Umbrella SASE and SASE Technology
Network Connectivity and Network Security
You want an any-to-any connectivity model, even though your users and applications are highly distributed. What types of technology do you need to support this? You need two essential things: network connectivity, such as SD-WAN for branch locations, and security services. You start with network connectivity and then layer security services on top of that stack.
These services include BGP sinkhole, DNS protection, secure firewall, WAN encryption, web security, and Cisco Duo with zero trust access. We have many components that need to work together, and you will have a lot of infrastructure components used and managed.
We also need to have good visibility into the full end-to-end path. You can use your SASE technology with Cisco ThousandEyes for end-to-end visibility and tools to orchestrate all of this together. There are a lot of challenges with this to build and operate all of these components together.
A better way is to have all these services available via one unified portal. For example, we can have network and security as a service where you can add services you need on-demand to each Umbrella SASE PoP that is outsourced to a SASE provider. Some PoPs can filter the DNS layer, while others have the entire security stack. They are turning functions on and off at will.
This should be wrapped up with policy management so you can implement policy at any point, along with good scalability and multi-tenancy. Lowering cost is another driver, and consuming SASE as a service can help, not to mention the skills required: with the SASE model, you can leave the operation to the experts and consume the result.
The Issue of Provisioning
You can now bring users closer to the application with the Umbrella SASE PoP architecture, and you gain access to a more modern and diverse toolkit by employing SASE technology. Remember that a big issue with on-premises hardware appliances is over-provisioning: you buy and manage capacity for traffic spikes that may only happen occasionally.
With SASE, we have the agility of a software-based model where we can scale up and down, which you cannot readily do with a hardware-based model. If you need more scale, you or your Umbrella SASE provider can introduce another Virtual Network Function (VNF) and scale out in software instead of installing a new hardware appliance.
Required SASE Technology: Encryption Traffic.
We have inline security services that inspect traffic and try to glean metadata about what is happening. Inspection was easy when we connected to a web page on port 80 and everything was in clear text; seeing what the user was doing could be done with standard firewall monitoring. But now we have end-to-end encryption between the user device and the applications.
Traditional IDS/IPS and firewalls cannot see inside encrypted traffic unless they terminate the TLS session, which is costly at scale and is defeated by certificate pinning. We therefore need visibility at the endpoint and the application layer to gain context and to understand whether there is malicious activity inside the encrypted traffic. Also, appropriate visibility of encrypted traffic is more important than having control.
Required SASE Technology: SIEM with Splunk and Machine Data
You are also going to need a SIEM tool. Splunk can be used as the primary SIEM for log collection from various data sources, providing insight into the traffic traversing the network. Remember that machine data is everywhere, flowing from every device we interact with, and is often cited as making up the large majority of today's data. Harnessing this data can give you powerful security insights.
The machine data can be in many formats, such as structured and unstructured. As a result, it can be challenging to predict and process. There are plenty of options for storing data. Collecting all security-relevant data and turning all that data into actionable intelligence, however, is a different story.
Example Solution: Splunk
This is where Splunk comes into play, and it can take any data and create an intelligent, searchable index—adding structure to previously unstructured data. This will allow you to extract all sorts of insights, which can be helpful for security and user behavior monitoring. In the case of Splunk, it helps you quickly know your data. Splunk is a big data platform for machine data. It collects raw unstructured data and converts them into searchable events.
Umbrella SASE – Starting
Start with DNS Protection
As a first SASE model step, we need DNS protection. This is the first SASE technology to implement with a SASE solution, and Cisco Umbrella can be used here. Cisco Umbrella is a recursive DNS service; you can get a lot of information from DNS requests, which makes DNS a great place to start with security. You can see attacks before they launch, gain the visibility to protect access anywhere, and block threats before the connection is ever made.
Below is a recap on DNS. By default DNS uses UDP port 53 (falling back to TCP for large responses and zone transfers) and works with several record types, such as A, AAAA, CNAME, MX, and TXT.
DNS and TTL
DNS can be updated dynamically and records often have short TTLs, so attacker infrastructure can move quickly. If you can interact with that traffic at a base level regardless of where the user is, you can see what they are doing; for example, you can see the lookups a malware infection makes as it unfolds. DNS is very lightweight, so we can protect the endpoint and block malware before it attempts the connection.
Suppose someone clicks on a phishing link or malware calls back to a C&C server for additional attack information. In that case, that connection does not happen, and you don’t need to process this traffic across a firewall or other security screen stack that can add latency.
Connecting to Umbrella SASE adds little latency, because only the DNS lookup is inspected rather than every packet of the flow. We can offload the hardware used to protect this into the cloud, and you don't need additional hardware to accommodate traffic spikes and growth in protection at the DNS layer. You can control this traffic and see what is going on, including who is making the request and from where. Most traffic can be attributed through DNS, but not all: connections made directly to an IP address, hard-coded resolvers, and encrypted DNS (DoH/DoT) to a third-party resolver bypass the DNS layer, so endpoints should be configured to use only the sanctioned resolver and firewall policy should block other port 53 and known DoH destinations.
How Do You Implement Umbrella SASE?
- Gaining Insight: DNS
Point the existing DNS resolver to Cisco Umbrella, then connect users and get insight into DNS requests for on- or off-network traffic. We start with passive monitoring and then deploy blocking. You can do this without re-architecting your network, and the monitoring phase lets you tune out false positives before anything is blocked. Therefore, pointing your existing DNS to Umbrella, a passive change, is a good starting point. Then enable blocking based on policy.
There is an enterprise network, and endpoints must point to internal DNS servers. You can modify existing internal DNS servers to have their traffic go to the Cisco Umbrella for screening. So the DNS query goes to Cisco Umbrella for internet-bound traffic, and then Cisco Umbrella carries the recursive DNS queries to the Authoritative DNS servers.
- The Role of Clients and Agents
Deploy an Umbrella client or agent on your endpoints. With an agent on the endpoint, you get additional visibility and, importantly, you keep it when users leave the office: the agent continues to send their DNS queries to Umbrella from home. What I like about SASE is that you can have an enterprise-wide policy in a few minutes. You can also increase DNS performance by leveraging the SASE PoPs, which should be well integrated with the authoritative DNS servers they query.
In summary, there are two phases. First, you can start with a network monitoring and blocking stage with DNS-layer filtering and then move to the endpoint, gaining visibility and lowering your attack surface. Now, we are heading into the zero-trust identity side of things.
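The two phases just described (monitor first, then block) can be shown with a small policy engine. The following Python is an added example written for this post, not Cisco Umbrella's implementation: the blocklist, allowlist, sinkhole addresses, and queries are all constructed for illustration, and the matching deliberately works on label boundaries so that a look-alike name does not match by accident.

```python
"""DNS-layer policy with monitor and block modes (added example, constructed data)."""

# Constructed sinkhole addresses from the documentation ranges (assumption for the example).
SINKHOLE_V4 = "192.0.2.1"
SINKHOLE_V6 = "2001:db8::1"

# Constructed threat intelligence: domain -> category. Entries also cover their subdomains.
BLOCKLIST = {
    "malware-c2.example": "malware",
    "phish-login.example": "phishing",
}
# Names that must never be blocked, even if a feed later lists them.
ALLOWLIST = {"corp.example"}


def normalize(qname):
    """DNS names are case-insensitive and may arrive with a trailing dot."""
    return qname.rstrip(".").lower()


def matching_suffix(name, table):
    """Return the entry in `table` equal to `name` or to one of its parent domains.
    Matching walks label by label, so 'notmalware-c2.example' does NOT match
    'malware-c2.example' the way a naive endswith() check would."""
    labels = name.split(".")
    for i in range(len(labels)):
        candidate = ".".join(labels[i:])
        if candidate in table:
            return candidate
    return None


def evaluate(qname, qtype, mode):
    """Policy verdict for one query. mode is 'monitor' (log only) or 'block'."""
    if mode not in ("monitor", "block"):
        raise ValueError(f"unknown mode {mode!r}")
    name = normalize(qname)
    if matching_suffix(name, ALLOWLIST):
        return {"action": "ALLOW", "category": "allowlist", "matched": None}
    hit = matching_suffix(name, BLOCKLIST)
    if hit is None:
        return {"action": "ALLOW", "category": "unclassified", "matched": None}
    verdict = {"category": BLOCKLIST[hit], "matched": hit}
    if mode == "monitor":
        verdict["action"] = "ALLOW"       # phase one: visibility, no enforcement
        return verdict
    verdict["action"] = "BLOCK"           # phase two: answer with the sinkhole instead
    if qtype == "A":
        verdict["answer"] = SINKHOLE_V4
    elif qtype == "AAAA":
        verdict["answer"] = SINKHOLE_V6
    else:
        verdict["answer"] = "NXDOMAIN"
    return verdict


def process(queries, mode):
    """Apply the policy to (client, qname, qtype) tuples and return SIEM-ready log lines."""
    lines = []
    for client, qname, qtype in queries:
        v = evaluate(qname, qtype, mode)
        lines.append(f"mode={mode} client={client} qname={normalize(qname)} qtype={qtype} "
                     f"action={v['action']} category={v['category']} matched={v['matched']}")
    return lines


# Constructed queries: allowlisted, a C2 subdomain, mixed-case phishing, and a look-alike.
SAMPLE_QUERIES = [
    ("10.1.2.3", "www.corp.example.", "A"),
    ("10.1.2.3", "cdn.malware-c2.example.", "A"),
    ("10.1.2.9", "Phish-Login.example", "AAAA"),
    ("10.1.2.9", "notmalware-c2.example", "A"),
]

if __name__ == "__main__":
    for line in process(SAMPLE_QUERIES, "monitor") + process(SAMPLE_QUERIES, "block"):
        print(line)
```

Running the same query set in both modes is the practical point: the monitor-mode log lines are what you review for false positives, and the only thing that changes when you flip to block mode is the answer returned, not the logging.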
Key SASE Technology: Zero Trust Identity
For additional security, we can look at Zero Trust Identity. This can be done with Cisco Duo, which provides Zero Trust Identity on the endpoint and ensures the device is healthy and secure. We need to establish trust in the user, the endpoint, and the network they are on. In the past, we just looked at the IP address as an anchor for trust. With zero trust, we can now have adaptive policies and risk-based decisions, enforce least privilege with, for example, just-in-time access, and bring in far more context than IP addressing ever gave us.
Highlighting Cisco Duo Technologies for Umbrella SASE
Duo’s MFA (multi-factor authentication) and 2FA (two-factor Authentication) app and access tools can help make security resilience easy for your organization with user-friendly features for secure access, strong authentication, and device monitoring. The following are some of the technologies used with Cisco Duo.
Multi-factor Authentication (MFA): Multi-factor Authentication (MFA) is an access security product used to verify a user’s identity at login. Using secure authentication tools adds two or more identity-checking steps to user logins.
Adaptive Access: With adaptive access, we have security policies for every situation. Now, we can gain granular information about who can access what and when. Cisco Duo lets you create custom access policies based on role, device, location, and other contextual factors. So we can take in a lot of contextual information to make decisions.
Device Verification: Also, verify any device’s trust, identify risky devices, enforce contextual access policies, and report on device health using an agentless approach or by integrating your device management tools.
Single Sign-On (SSO): Single sign-on from Duo provides users with an easy and consistent login experience for any application, whether on-premises or cloud-based. With SSO, we have one platform that we connect to for access to all of our applications, not just SaaS-based applications but also custom applications. CyberArk is good in this space, too.
- Key Technology: Adaptive policies
Firstly, adaptive policies. Cisco Duo has built a cloud platform where you can set up adaptive policies. You can check for anomalies and then give the user an additional check, a form of step-up authentication. Then we move towards conditional access, a step beyond authentication.
Conditional access goes beyond authentication to examine the context and risk of each access attempt. For example, contextual factors may include consecutive login failures, geo-location, type of user account, or device IP to either grant or deny access. Based on those contextual factors, it may be granted only to specific network segments.
- Key Technology: Risk-based decisions
The identity solution should be configurable to allow SSO access, challenge the user with MFA, or block access based on predefined conditions set by policy. Look for a solution that can offer a broad range of conditions, such as IP range, day of the week, time of day, time range, device OS, browser type, country, and user risk level.
These context-based access policies should be enforceable across users, applications, workstations, mobile devices, servers, network devices, and VPNs. A key question is whether the solution makes risk-based access decisions using a behavior profile calculated for each user.
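Here is an added example of the risk-based decision logic described above, written for this post rather than taken from Cisco Duo: a policy function that returns DENY, MFA, or ALLOW for an access context. The context fields, thresholds, IP ranges, country list, and application names are assumptions; a real product would compute the user risk score from its own behavior profile.

```python
"""Conditional access decision: DENY / MFA / ALLOW from request context (added example)."""
import ipaddress
from dataclasses import dataclass

# Assumed policy inputs for the example.
CORP_RANGES = [ipaddress.ip_network("10.0.0.0/8"), ipaddress.ip_network("203.0.113.0/24")]
ALLOWED_COUNTRIES = {"US", "DE", "IE"}
MIN_OS_VERSION = {"windows": (10, 0), "macos": (13, 0)}   # minimum (major, minor) accepted
SENSITIVE_APPS = {"hr-payroll", "admin-console"}
BUSINESS_HOURS = range(7, 20)                              # 07:00 to 19:59 local time
DENY, MFA, ALLOW = "DENY", "MFA", "ALLOW"


@dataclass
class AccessContext:
    user: str
    source_ip: str
    country: str
    device_os: str
    os_version: tuple
    consecutive_failures: int
    user_risk: float        # 0.0 to 1.0, assumed to come from a per-user behavior profile
    weekday: int            # 0 = Monday
    hour: int               # 0 to 23
    app: str


def on_corporate_network(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in CORP_RANGES)


def decide(ctx):
    """Return (decision, reason). Hard denies are evaluated first, then step-up triggers,
    and only a fully trusted context gets plain SSO. Order matters: a lockout must win
    over an otherwise trusted office session."""
    if ctx.consecutive_failures >= 5:
        return DENY, "lockout-after-failures"
    if ctx.country not in ALLOWED_COUNTRIES:
        return DENY, "country-not-allowed"
    minimum = MIN_OS_VERSION.get(ctx.device_os)
    if minimum is None or ctx.os_version < minimum:
        return DENY, "unsupported-or-outdated-os"
    if ctx.user_risk >= 0.8:
        return DENY, "user-risk-critical"
    if ctx.app in SENSITIVE_APPS:
        return MFA, "sensitive-application"
    if not on_corporate_network(ctx.source_ip):
        return MFA, "off-network"
    if ctx.weekday >= 5 or ctx.hour not in BUSINESS_HOURS:
        return MFA, "outside-business-hours"
    if ctx.user_risk >= 0.4 or ctx.consecutive_failures >= 2:
        return MFA, "elevated-risk"
    return ALLOW, "trusted-context"


def sample_decisions():
    """Constructed requests: routine office login, login from a non-allowed country,
    evening access to a sensitive app from home, and an outdated macOS build."""
    office = AccessContext("alice", "10.20.30.40", "US", "windows", (11, 0), 0, 0.1, 1, 10, "wiki")
    abroad = AccessContext("alice", "198.51.100.7", "RO", "windows", (11, 0), 0, 0.1, 1, 10, "wiki")
    home_payroll = AccessContext("bob", "192.0.2.55", "DE", "macos", (14, 2), 1, 0.2, 2, 21, "hr-payroll")
    old_mac = AccessContext("bob", "10.1.1.1", "DE", "macos", (12, 6), 0, 0.2, 2, 9, "wiki")
    return {name: decide(ctx) for name, ctx in
            [("office", office), ("abroad", abroad),
             ("home_payroll", home_payroll), ("old_mac", old_mac)]}


if __name__ == "__main__":
    for name, (decision, reason) in sample_decisions().items():
        print(f"{name:13s} {decision:5s} {reason}")
```

Returning the reason alongside the decision is deliberate: it is what gets logged, what the user sees in a step-up prompt, and what lets you audit why a policy fired when you tune it.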
- Key Technology: Enforce Least Privilege and JIT Techniques
We also need to secure privileged access and manage entitlements. For this reason, many enterprises employ a least privilege approach, where access is restricted to the resources necessary for the end user to complete their job responsibilities, with no extra permissions.
A standard technology here is just-in-time (JIT) access, which dynamically elevates rights only when needed. Implementing JIT ensures that identities have only the appropriate privileges, when necessary, as quickly as possible and for the least time required.
The solution allows JIT elevation and access on a "by request" basis for a predefined period, with a full audit of privileged activities. Full administrative rights or application-level access can be granted, time-limited, and revoked automatically when the period ends.
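As an added example (not vendor code), the following Python models just-in-time elevation: a request with a justification, approval by someone other than the requester, a grant that expires automatically, and an audit record for every step. The roles, approver list, and one-hour cap are assumptions for the example.

```python
"""Just-in-time privilege elevation with expiry and audit trail (added example)."""
from datetime import datetime, timedelta


class JitElevation:
    """Minimal JIT broker: request -> approve -> time-limited grant -> expiry or revoke."""

    def __init__(self, approvers, max_duration=timedelta(hours=1)):
        self.approvers = set(approvers)      # assumed approver identities
        self.max_duration = max_duration     # hard cap on any single elevation
        self.pending = {}                    # ticket -> request details
        self.grants = {}                     # (user, role) -> expiry datetime
        self.audit = []                      # one record per event
        self._seq = 0

    def _log(self, now, event, **fields):
        self.audit.append({"time": now.isoformat(), "event": event, **fields})

    def request(self, now, user, role, duration, justification):
        """Open a ticket; requests longer than the cap are refused outright."""
        if duration > self.max_duration:
            self._log(now, "request-rejected", user=user, role=role, reason="duration-exceeds-cap")
            return None
        self._seq += 1
        ticket = f"req-{self._seq}"
        self.pending[ticket] = {"user": user, "role": role,
                                "duration": duration, "justification": justification}
        self._log(now, "requested", ticket=ticket, user=user, role=role, justification=justification)
        return ticket

    def approve(self, now, ticket, approver):
        """Grant the pending request. Unknown approvers and self-approval are refused."""
        req = self.pending.get(ticket)
        if req is None or approver not in self.approvers or approver == req["user"]:
            self._log(now, "approval-rejected", ticket=ticket, approver=approver)
            return False
        del self.pending[ticket]
        expiry = now + req["duration"]
        self.grants[(req["user"], req["role"])] = expiry
        self._log(now, "granted", ticket=ticket, user=req["user"], role=req["role"],
                  approver=approver, expires=expiry.isoformat())
        return True

    def has_access(self, now, user, role):
        """Checked on every use, so an expired grant is revoked the moment it is next exercised."""
        expiry = self.grants.get((user, role))
        if expiry is None:
            return False
        if now >= expiry:
            self.revoke(now, user, role, reason="expired")
            return False
        self._log(now, "used", user=user, role=role)
        return True

    def revoke(self, now, user, role, reason):
        if self.grants.pop((user, role), None) is not None:
            self._log(now, "revoked", user=user, role=role, reason=reason)


def demo():
    """Walk through one elevation with constructed data; returns the broker and the outcomes."""
    t0 = datetime(2024, 3, 7, 9, 0)
    broker = JitElevation(approvers={"secops-lead"})
    ticket = broker.request(t0, "alice", "db-admin", timedelta(minutes=30), "INC-1234: restore table")
    results = {
        "self_approval": broker.approve(t0, ticket, "alice"),
        "approved": broker.approve(t0 + timedelta(minutes=2), ticket, "secops-lead"),
        "access_at_12min": broker.has_access(t0 + timedelta(minutes=12), "alice", "db-admin"),
        "access_at_45min": broker.has_access(t0 + timedelta(minutes=45), "alice", "db-admin"),
        "too_long": broker.request(t0, "bob", "db-admin", timedelta(hours=3), "no reason"),
    }
    return broker, results


if __name__ == "__main__":
    broker, results = demo()
    print(results)
    for record in broker.audit:
        print(record)
```

Two design choices carry the security value: expiry is enforced at the point of use rather than by a background job that might fail silently, and every decision, including refusals, lands in the audit list so the SIEM sees the attempts and not just the successes.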
A final note: Zero Trust Identity
The identity-centric focus of zero trust takes an approach to security that ensures every person and every device granted access is who and what they claim to be. It achieves this by applying the following principles:
- The network is always assumed to be hostile.
- External and internal threats always exist on the network.
- Network locality is not sufficient for deciding trust in a network; the other contextual factors discussed above must be taken into account.
- Every device, user, and network flow is authenticated and authorized. All of this must be logged.
- Security policies must be dynamic and calculated from as many data sources as possible.
The Secure Access Service Edge (SASE) model represents a paradigm shift in network security. By integrating networking and security functions into a unified cloud-based architecture, SASE offers organizations a comprehensive and scalable approach to protecting their networks. With its numerous benefits and adaptability to the evolving digital landscape, SASE is undoubtedly paving the way for the future of network security.