A fundamental problem in cybersecurity is that there is not a single product or service that comes close to providing ...
A fundamental problem in cybersecurity is that there is not a single product or service that comes close to providing comprehensive security to an organization. Instead, basically, the cybersecurity marketplace is made up of categories of siloed products. In each category, one finds offerings from different vendors that provide security in a particular use case or for a specific purpose. For example, there are a handful of applications that provide e-mail security. There is another set of applications that provide access services. There is another set of applications that provide endpoint security. And so on. The major challenge this presents to security professionals is stitching together different products and services so as to achieve something approaching holistic security. This engineering problem involves, crucially, the integration of data streams from these different sources in one place so as to achieve full visibility over the network for coordinated responses.
SecureX: the Basics
There are security solutions on the market for the integrate and respond problem. It is in this broad space that we can place SecureX. SecureX is a cloud-native integration platform from Cisco. It aims to provide unified visibility for detection analysis, investigation remediation, managed policy, and orchestration automation. It can cohere the entire Cisco Secure portfolio across the network, user/endpoint, cloud edge, and application domains. There is a lot to say about SecureX, but two notable features are the following. First, SecureX is actually free. It comes as an add-on when you purchase a product in the Cisco Secure portfolio like Umbrella. Second, SecureX gives customers the ability to integrate non-Cisco applications with whatever Cisco services they have.
In this blog post, I want to walk you through how to integrate Umbrella with SecureX. The good news is that it is a very straightforward process. But before we look at the details involved, let’s take a step back and say a few words about Umbrella.
What is Umbrella?
Broadly speaking, Umbrella is Cisco’s answer to the problem of network detection and response. Network security is critical to an organization for the simple reason that it provides the first line of defense between an organization’s resources and the public internet. A service like Umbrella can block most of the malicious traffic that is directed at your network at its outermost edge. By stopping a high volume of malicious traffic at the perimeter of your network, Umbrella can reduce the stress placed on downstream security tools that will have to contend with threats that might penetrate deeper into your network.
There are a number of aspects to securing an organization’s network. This is to say, Umbrella can provide multiple security functions to a user. These include DNS-layer security, secure internet gateway, cloud-delivered firewall, cloud access security broker (CASB), interactive threat intelligence, as well as integration with Cisco SD-WAN.
Let me expand a little on DNS-layer security, which is the original and perhaps fundamental feature of Umbrella. DNS represents the first step in connecting to the internet. When users type the domain name of a website in their browser - www.example.com - what happens is that the browser sends a request to a DNS server for the associated IP address of the domain name. It is actually the IP address that the browser connects to. Since everyone uses DNS, and since it seems so innocuous that up to 68% of organizations don’t monitor their DNS, this represents a major attack vector. Indeed, 90% of malware uses DNS in attacks in one form or another.
For example, a key point about the DNS protocol is that while it is not intended for a command channel or general-purpose tunneling, it can be misappropriated to do so. This is to say, bad actors can create a DNS tunnel into a network to exfiltrate data from an organization.
Integrating Umbrella with SecureX
Begin by opening SecureX. On the Dashboard, in the left panel, scroll down to Umbrella and click Add.
Integrating Umbrella into SecureX requires 3 sets of information: the Investigate API, Enforcement API, and Reporting API.
Investigate API
In a new tab, navigate to Umbrella. In Umbrella, navigate to Investigate > Investigate API Access. Click Create New Token. Enter a title for the token, and then click Create.
Copy the Access Token.
In SecureX, paste the value into the API Token field on the Add New Umbrella Module form.
Enforcement API
In Umbrella, navigate to Policies > Policy Components > Integrations. Click the Add button. Enter a name. Click Create.
Enable the newly created integration. Copy the URL. Click save.
In SecureX, paste the integration URL into the Custom Umbrella Integration URL.
Reporting API
In Umbrella, navigate to Admin > API Keys and click Create.
Under What should this API do?, click the Umbrella Reporting radio button and then click Create.
Copy Your Key and Your Secret. NOTE: this is the only time the Secret is retrievable on this page; once you close this tab, you will not be able to retrieve it.
In SecureX, under Reporting, paste Your Key in the API Key field. Paste Your Secret in the API Secret field. Enter a timeframe (in days) in the Request Timeframe field. Enter your Organization ID into the Organization ID field. This information can be found in your browser URL; it is the set of numbers between /o/ and /#/.
In SecureX, navigate to Integrations. Verify that you have successfully configured your Umbrella integration.
Conclusion
Network detection and response are mandatory for an organization. Services like Umbrella give an organization coverage across their entire network resources, whether on-premise or in the cloud. It provides the ability to analyze traffic in the long term. And it allows organizations the ability to define and segment their networks.
However, while network security is necessary, it is not sufficient. No single product, no matter how powerful, can provide comprehensive security. The major blindspot of network detection and response applications has to do with endpoints. An offering like Umbrella does not give visibility into endpoint activity. Moreover, it falls short when traffic is encrypted on the network. For this reason, organizations must also utilize some kind of endpoint detection and response service to complement their network detection and response service. In the Cisco Secure portfolio, for example, this would be AMP for Endpoints, which has been rebranded as Secure Endpoint.
Integrating data from Secure Endpoints and Umbrella on the SecureX platform can provide extended detection and response. If you are interested in cybersecurity integration, schedule some time to talk with one of our experts.