
What is Cisco Umbrella?

Cisco Umbrella provides security for cloud applications, protecting devices and remote users in distributed locations with its secure internet gateway. It delivers visibility into internet activity across all locations, devices, and users, and blocks threats before they ever reach your network or endpoints.

It combines DNS-layer security, threat intelligence, firewall and cloud access security broker functionality (CASB) into one cloud-delivered platform. Cisco Umbrella prevents users from accessing known malicious websites to help protect them against phishing and ransomware.

Detect & Respond By Integrating Blumira With Cisco Umbrella

Blumira’s integration with Cisco Umbrella allows you to retrieve event data from Cisco Umbrella and send it directly to your Blumira sensor. This enables you to start centralizing logs and leveraging Blumira’s security insights to automatically detect and respond to threats.

Blumira parses, monitors and analyzes data pulled from Cisco Umbrella, comparing it to other logs across your environment. Our platform correlates it to the latest threat intelligence feeds and our custom detection rules to identify anomalous activity and indicators of a compromise, notifying your team of prioritized alerts. We provide security playbooks to guide you through next steps and remediation to help contain or block threats.

Detecting Malicious Plugin Behavior

In one example of a recent real Blumira customer deployment, the organization received multiple alerts on persistent attempted connections. They didn’t have the time to manually sort through the numerous Cisco Umbrella alerts and logs.

By surfacing more focused alerts like persistent connections with the help of Blumira’s platform, their IT analyst quickly discovered that Google Chrome extensions installed on several corporate devices were attempting to connect to command-and-control (C&C or C2) servers. This allowed them to quickly remediate the hosts by uninstalling the malicious Chrome plug-ins, resulting in increased security without requiring an increase in headcount.

Cloud SIEM Detections for Cisco Umbrella

User Visited Blocked Websites
In this finding, Blumira alerts you when a Cisco Umbrella user has attempted, at least three times in a short time period, to visit a website categorized as against your company policy. We record the website domain name/URL for your records.

This can indicate that the user’s device might be compromised with malware that uses beaconing techniques, or that the user is trying to visit a website that is non-compliant with your browsing policy. Beaconing is the practice of sending consistent communications from an infected host to an attacker-controlled host. If we find multiple access attempts, it may indicate that the machine is infected and needs to be reformatted.

Other detections include finding multiple Cisco Umbrella users attempting to visit a blocked website, or a user visiting multiple blocked websites. Blumira also detects when a Cisco Umbrella command-and-control site is blocked.
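The threshold logic behind the "User Visited Blocked Websites" finding can be sketched as a sliding-window count over Umbrella DNS log rows. This is an added example, not Blumira's detection rule: the 10-minute window, the function name `repeated_blocks`, the CSV column order and the sample rows are all assumptions made for illustration.

```python
import csv
import io
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample rows (not real traffic) in the assumed column order:
# timestamp, identity, identities, internal IP, external IP, action,
# query type, response code, domain, categories.
SAMPLE_LOG = '''\
"2021-03-01 09:00:00","bob","bob,HQ","10.0.0.12","198.51.100.7","Blocked","1 (A)","NOERROR","bets.example.","Gambling"
"2021-03-01 09:00:05","alice","alice,HQ","10.0.0.11","198.51.100.7","Blocked","1 (A)","NOERROR","updates.example-c2.test.","Command and Control"
"2021-03-01 09:00:30","carol","carol,HQ","10.0.0.13","198.51.100.7","Allowed","1 (A)","NOERROR","intranet.example.","Business Services"
"2021-03-01 09:01:05","alice","alice,HQ","10.0.0.11","198.51.100.7","Blocked","1 (A)","NOERROR","updates.example-c2.test.","Command and Control"
"2021-03-01 09:02:05","alice","alice,HQ","10.0.0.11","198.51.100.7","Blocked","1 (A)","NOERROR","updates.example-c2.test.","Command and Control"
"2021-03-01 09:03:05","alice","alice,HQ","10.0.0.11","198.51.100.7","Blocked","1 (A)","NOERROR","updates.example-c2.test.","Command and Control"
"2021-03-01 09:05:00","dave","dave,HQ","10.0.0.14","198.51.100.7","Blocked","1 (A)","NOERROR","casino.example.","Gambling"
"2021-03-01 09:06:30","dave","dave,HQ","10.0.0.14","198.51.100.7","Blocked","1 (A)","NOERROR","casino.example.","Gambling"
"2021-03-01 09:20:00","bob","bob,HQ","10.0.0.12","198.51.100.7","Blocked","1 (A)","NOERROR","bets.example.","Gambling"
"2021-03-01 09:40:00","bob","bob,HQ","10.0.0.12","198.51.100.7","Blocked","1 (A)","NOERROR","bets.example.","Gambling"
'''

THRESHOLD = 3                    # "at least three times" (from the page)
WINDOW = timedelta(minutes=10)   # assumed value for "a short time period"


def repeated_blocks(log_text, threshold=THRESHOLD, window=WINDOW):
    """Return (identity, domain, first_seen, count) per identity/domain pair
    blocked `threshold`+ times inside `window`. Rows must be in time order."""
    recent = defaultdict(deque)   # (identity, domain) -> timestamps in window
    findings = {}                 # (identity, domain) -> (first_seen, peak count)
    for row in csv.reader(io.StringIO(log_text)):
        if len(row) < 10 or row[5] != "Blocked":
            continue              # skip short rows and allowed requests
        ts = datetime.strptime(row[0], "%Y-%m-%d %H:%M:%S")
        key = (row[1], row[8].rstrip(".").lower())
        hits = recent[key]
        hits.append(ts)
        while ts - hits[0] > window:
            hits.popleft()        # drop attempts older than the window
        if len(hits) >= threshold:
            first, peak = findings.get(key, (hits[0], 0))
            findings[key] = (first, max(peak, len(hits)))
    return [(i, d, first.isoformat(sep=" "), n)
            for (i, d), (first, n) in sorted(findings.items())]


if __name__ == "__main__":
    for finding in repeated_blocks(SAMPLE_LOG):
        print(finding)
```

In the sample, alice's four blocked lookups one minute apart trigger the finding, while bob's three blocks spread over forty minutes and dave's two blocks do not.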

Additional Resources

Cisco Umbrella & Blumira Integration Documentation – How to easily connect and retrieve event data from Umbrella to start monitoring your cloud security using Blumira’s platform.

Remote Work Security – Secure your distributed remote workforce, including collaboration, productivity and cloud tools by detecting and responding to an increase in remote attacks.

Try It Out

Test out a free trial of Blumira’s threat detection & response platform, ranked as ‘Best ROI,’ ‘Fastest Implementation,’ and ‘Easiest to Use’ by real customers in the G2 Winter 2021 Grid® Reports.

Get a cloud SIEM up and running in hours, quickly integrate with your existing cloud technology like Umbrella, and start detecting cloud security threats today.
