Educause Security Discussion mailing list archives

Re: Cisco Umbrella


From: "Gramke, Jim" <0000018b95783deb-dmarc-request () LISTSERV EDUCAUSE EDU>
Date: Thu, 23 Apr 2020 12:24:00 +0000

Our experience and configuration are almost identical to Brian's. We do not have the virtual appliances on campus.

We like it a lot. Rarely any trouble at all. We recently compared it to Palo Alto basic DNS sinkholing, and found that it blocked far more domains than the PA did, and so we decided it was worth the extra expense.

Sadly, we don't have the logging into our LogRhythm SIEM. Brian, are you getting your logs off of the virtual appliance?

Jim Gramke
IT Security Manager
College of Saint Benedict, St. John's University.


-----Original Message-----
From: Brian Epstein <bepstein () IAS EDU> 
Sent: Wednesday, April 22, 2020 10:33 AM
Subject: Re: Cisco Umbrella


Hi Ryan,

We purchased Cisco Umbrella before Cisco purchased it under the name of OpenDNS.

In general, we've been very happy with the purchase and have seen success of it blocking malware and reducing the amount on our campus. Here are some quick notes from our perspective.

1. We utilize OpenDNS Virtual Appliances for our campus. They will separate internal DNS from external DNS and only query Cisco Umbrella for external queries. This is done via an encrypted link from our campus to Umbrella.

2. We block all outbound UDP/TCP port 53 traffic from our campus, forcing o= ur users to utilize OpenDNS.

3. At the recommendation of Cisco and our Email Gateway provider (Proofpoint), we do not utilize Cisco Umbrella for lookups from our email gateway. This allows for raw DNS queries to be interpreted by Proofpoint and blocked based on the reputation engines that they have in place. We do the same for our IDS/IPS systems and any security related system that needs raw DNS.

4. Our campus is an open academic campus as far as the Internet goes, so we only block known malware. We created a policy within Cisco Umbrella that we called Academic Freedom which doesn't block any category of site (Social Media, Adult content, etc.), but only blocks Malware and Newly Created Domains (this is very effective).

5. Our IT team that has access to Cisco Umbrella has been asked to ignore categorization of DNS traffic to avoid invasion of privacy for users.

6. We don't use the agents on computers. If someone checks their email from a Starbucks and clicks on a phishing link, they will not be protected unless they are using our VPN (which does not do split tunneling). We recommend everyone use our VPN when off campus.

7. When we first turned OpenDNS on, there was an upstream network glitch that caused an OpenDNS outage. This led us to engineer a contingency plan in the case that Cisco Umbrella/OpenDNS went down. We are doing this with our F5 load balancers and priority groups. If OpenDNS is down, it fails to our secondary systems which bypass OpenDNS. For our campus, access is paramount and we'll accept the risk in these rare circumstances of users being able to access malicious domains.

8. We've had very few false positives. The ones we have gotten are usually taken care of quickly by Cisco Umbrella. By utilizing policy block and allow lists, we can customize the experience. Newly created domains is sometimes an issue, but we have found it to block a lot of malware in practice. For the most part, this hasn't been a big issue for our helpdesks.

9. We recently started logging all DNS requests and pull them into our logging environment. We have a log file retention policy to ensure they are deleted in a timely manner, and the access is limited due to privacy concerns. However, having that log has been invaluable to determine who clicked on a phish and has allowed us to avoid phishing our users. We use real phishing attempts to determine who clicked.

I hope that this has been helpful,
Thanks,
ep

-- 
Brian Epstein <bepstein () ias edu>                     +1 609-734-8179
Manager, Network and Security           Institute for Advanced Study
Key fingerprint = A6F3 9F5A 26C5 5847 79ED  C34C C0E5 244A 55CA 2B78
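Points 2, 7 and 9 above describe the workflow that makes a resolver log useful: every campus lookup goes through one resolver, and the log of those lookups is later queried to find which clients resolved a phishing domain, with a retention limit for privacy. The following is an added example, not code from Brian's message or from Cisco Umbrella. It parses a small constructed log in a simple CSV layout (timestamp, client, domain, action, category; this layout is an assumption, not Umbrella's real export format), answers "which clients resolved this domain in this window", tallies blocks per category, and applies a retention cutoff. Note that the query matches subdomains too and includes rows whose action was "allowed", since a lookup that got through before the domain was categorized is exactly the case a responder wants to see.

```python
import csv
import io
from collections import Counter
from datetime import datetime, timedelta, timezone

# Constructed sample log lines (not real data). Columns are an assumption
# made for this example: timestamp, client, domain, action, category.
SAMPLE_LOG = """\
2020-04-22T14:01:05Z,10.20.1.15,www.example.edu,allowed,Education
2020-04-22T14:02:11Z,10.20.1.15,login-portal.example-phish.test,blocked,Newly Seen Domains
2020-04-22T14:02:12Z,10.20.7.88,login-portal.example-phish.test,blocked,Newly Seen Domains
2020-04-22T14:03:40Z,10.20.3.2,cdn.example.net,allowed,Infrastructure
2020-04-22T14:04:02Z,10.20.9.31,login-portal.example-phish.test,allowed,Uncategorized
2020-04-01T09:00:00Z,10.20.4.4,old.example.org,allowed,Education
"""


def parse_ts(text):
    """Parse an ISO-8601 UTC timestamp such as 2020-04-22T14:01:05Z."""
    return datetime.strptime(text, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def parse_log(text):
    """Parse CSV resolver log text into a list of dict records.

    Malformed lines are skipped rather than aborting the whole run, which
    matters when logs are shipped in bulk and one bad line should not
    hide every other record.
    """
    rows = []
    for rec in csv.reader(io.StringIO(text)):
        if len(rec) != 5:
            continue
        ts, client, domain, action, category = rec
        rows.append({
            "ts": parse_ts(ts),
            "client": client,
            # Normalise so "Example.TEST." and "example.test" compare equal.
            "domain": domain.lower().rstrip("."),
            "action": action,
            "category": category,
        })
    return rows


def clients_that_resolved(rows, domain, start, end):
    """Clients that looked up `domain` or any subdomain of it in [start, end].

    Both blocked and allowed lookups count: an allowed lookup of a phishing
    host is the one the responder most needs to follow up on.
    """
    domain = domain.lower().rstrip(".")
    hits = set()
    for r in rows:
        if not (start <= r["ts"] <= end):
            continue
        if r["domain"] == domain or r["domain"].endswith("." + domain):
            hits.add(r["client"])
    return sorted(hits)


def block_counts_by_category(rows):
    """Count blocked lookups per category, e.g. to see how much the
    newly-seen-domains policy is actually catching."""
    return Counter(r["category"] for r in rows if r["action"] == "blocked")


def apply_retention(rows, now, keep_days):
    """Drop records older than `keep_days` relative to `now`.

    This is the retention step: only records at or after the cutoff survive.
    """
    cutoff = now - timedelta(days=keep_days)
    return [r for r in rows if r["ts"] >= cutoff]


if __name__ == "__main__":
    records = parse_log(SAMPLE_LOG)
    window_start = parse_ts("2020-04-22T14:00:00Z")
    window_end = parse_ts("2020-04-22T15:00:00Z")
    print("clients that resolved the phish domain:",
          clients_that_resolved(records, "example-phish.test", window_start, window_end))
    print("blocks by category:", dict(block_counts_by_category(records)))
    kept = apply_retention(records, parse_ts("2020-04-23T00:00:00Z"), keep_days=7)
    print("records kept after 7-day retention:", len(kept))
```

The retention step runs last on purpose: the investigative queries should operate on whatever the policy still allows you to hold, and nothing older should be available to query at all.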

----- Original Message -----
From: "Ryan Conley" <rconley () URI EDU>
To: "The EDUCAUSE Security Community Group Listserv" <SECURITY () LISTSERV EDUCAUSE EDU>
Sent: Tuesday, April 21, 2020 1:47:57 PM
Subject: [SECURITY] Cisco Umbrella

Hello Everyone,

We are currently in the process of setting up a Cisco Umbrella POC. I was curious as to who is using Umbrella and what your experience has been.
Also, how did you go about creating/testing policies for your institution?
Any information/lessons learned are much appreciated.

Thank you,

-- 
Ryan Conley
Information Security
University of Rhode Island
Surge Building Room 136
Kingston, RI
Office: 401-874-9511
rconley () uri edu

**********
Replies to EDUCAUSE Community Group emails are sent to the entire community list. If you want to reply only to the person who sent the message, copy and paste their email address and forward the email reply. Additional participation and subscription information can be found at https://www.educause.edu/community

