Apr 03

Protecting Our End Users from Themselves, Under an Umbrella

Companies today face greater and greater security risks. Businesses of every type and size can be paralyzed by ransomware such as CryptoWall and by other malware.

The modern organization, even when it adheres to security best practices, finds it increasingly difficult to protect its environment.

Common security practices are not always enough. Typically, we start with the basics: locking down workstations with sound group policies, using MDM (mobile device management) for company assets, and installing anti-virus/anti-malware software. We also deploy network intrusion detection and prevention (IDS/IPS) such as Cisco Firepower, network monitoring tools, and an anti-spam service such as Sophos Reflexion. Even so, things still get through in the form of malicious email, browser-based attacks, and other social engineering.

A few weeks ago, to better protect ourselves, we deployed a product from Cisco called Cisco Umbrella. The idea is simple: the devices on our network are pointed at Umbrella's resolvers, so every DNS lookup in the environment passes through it. Almost any software that wants to reach something on the internet first resolves a hostname, and that lookup is where Umbrella applies policy. We set up rules that block, allow (bypass) or redirect these lookups; a blocked name resolves to a block page instead of the real destination, so the protection is transparent to every device on the network. The caveat to keep in mind is that a DNS-layer filter only sees what is resolved through it: a connection made straight to an IP address, or a client that resolves names through its own encrypted DNS service, never passes through the policy unless that traffic is controlled as well.

Spammers are now crafting emails that score much lower on Bayesian spam filters. Often they send from mail servers with valid SPF records, using the latest phishing and whaling tricks. They have realized that spam with the payload attached is caught too easily, so they have switched to sending emails containing links that look legitimate. We can educate our teams on good email practices:

  • Don’t open email that you weren’t expecting
  • Don’t open attachments you weren’t expecting
  • Don’t release emails from spam quarantine if you weren’t expecting them
  • If there is anything suspicious about an email, reach out to the sender by other means to confirm

When spam emails still get in, we tend to see them in surges. Alerting end users to these attacks and teaching them not to click the links is, conceptually, a good idea, but it doesn't always work. With Umbrella, we simply add the domains behind the embedded links to a blacklist (if they aren't already blacklisted from community sources). That stops our end users from reaching these sites even if they do click, making our environment more secure and better protected.
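To make the two mechanisms above concrete, here is a toy model of DNS-layer filtering: a policy resolver that answers a client's lookup with the real address, a block-page address, or nothing, together with the step of turning the links in a phishing email into blacklist entries. This is an added illustration written for this page, not Cisco Umbrella's code or the author's configuration. The hostnames, addresses, lists and the email are all constructed (RFC 2606 names, RFC 5737 / RFC 3849 addresses), the block-page address and the rule that allow entries win over block entries are assumptions, and the parent-domain matching is one reasonable way to implement "block this domain and everything under it".

```python
"""Toy DNS-layer filter: policy decision per lookup, plus blacklisting the
domains found in a phishing email.  Constructed example, not Umbrella code."""
import ipaddress
import re
from urllib.parse import urlsplit

# Address a blocked lookup resolves to (where the block page lives).  Assumption.
BLOCK_PAGE_IP = "192.0.2.1"

# Constructed lists.  In practice the blacklist is vendor/community threat
# intelligence plus the customer's own entries; the allowlist is the bypass list.
DEFAULT_BLOCKLIST = {"malware.example", "phish.example.net"}
DEFAULT_ALLOWLIST = {"example.com"}

# Constructed stand-in for the answers an upstream resolver would return.
UPSTREAM = {
    "www.example.com": "203.0.113.10",
    "invoice-portal.example.org": "203.0.113.20",
    "secure-login.phish.example.net": "203.0.113.30",
    "cdn.malware.example": "203.0.113.40",
}

# Constructed phishing email: one link under a domain already blacklisted,
# one to a domain that is not yet, and one to an allowlisted domain.
PHISHING_EMAIL = """\
Subject: Invoice overdue - action required

Your mailbox will be suspended in 24 hours. Review the invoice here:
http://secure-login.phish.example.net/verify?id=3
or at https://Invoice-Portal.example.org/download and keep
https://www.example.com/policies for reference.
"""

URL_RE = re.compile(r"https?://[^\s<>\"']+", re.IGNORECASE)


def normalise(name: str) -> str:
    """DNS names are case-insensitive; drop a trailing dot and lowercase."""
    return name.rstrip(".").lower()


def parent_names(name: str):
    """Yield the name and every parent: a.b.example -> a.b.example, b.example, example."""
    labels = normalise(name).split(".")
    for i in range(len(labels)):
        yield ".".join(labels[i:])


def list_match(name: str, names: set) -> bool:
    """True if the name or any parent domain is listed, so an entry for
    phish.example.net also covers secure-login.phish.example.net."""
    return any(p in names for p in parent_names(name))


def is_ip_literal(host: str) -> bool:
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def bypasses_dns_filter(url: str) -> bool:
    """A link that names a raw IP (or no host at all) never triggers a DNS
    lookup, so a DNS-layer filter cannot see or block it."""
    host = urlsplit(url).hostname
    return host is None or is_ip_literal(host)


def hosts_from_email(body: str) -> set:
    """Hostnames of all http(s) links in the body that a resolver would see."""
    return {normalise(urlsplit(u).hostname) for u in URL_RE.findall(body)
            if not bypasses_dns_filter(u)}


def add_links_to_blocklist(body: str, blocklist: set, allowlist: set) -> set:
    """Blacklist the link hosts, skipping ones already covered or explicitly
    allowed.  Returns the entries actually added."""
    new = {h for h in hosts_from_email(body)
           if not list_match(h, blocklist) and not list_match(h, allowlist)}
    blocklist |= new
    return new


def resolve_policy(qname: str, blocklist: set, allowlist: set, upstream=UPSTREAM):
    """Policy decision for one A lookup: ('allow', real ip), ('block',
    BLOCK_PAGE_IP) or ('nxdomain', None).  Allow (bypass) entries win."""
    name = normalise(qname)
    if list_match(name, allowlist):
        return "allow", upstream.get(name)
    if list_match(name, blocklist):
        return "block", BLOCK_PAGE_IP
    ip = upstream.get(name)
    return ("allow", ip) if ip else ("nxdomain", None)


def demo():
    blocklist, allowlist = set(DEFAULT_BLOCKLIST), set(DEFAULT_ALLOWLIST)
    print("added to blacklist:", sorted(add_links_to_blocklist(PHISHING_EMAIL, blocklist, allowlist)))
    for q in ("secure-login.phish.example.net", "Invoice-Portal.example.org.",
              "www.example.com", "cdn.malware.example", "unknown.example.org"):
        print(f"{q:32} -> {resolve_policy(q, blocklist, allowlist)}")
    print("raw-IP link bypasses the filter:", bypasses_dns_filter("http://203.0.113.30/verify"))


if __name__ == "__main__":
    demo()
```

Two details are worth noticing when running it. Only one of the three link hosts is actually added, because the first is already covered by a parent-domain entry and the third is on the allowlist; that is the "if they aren't already blacklisted" check from the text. And the raw-IP link is reported as bypassing the filter entirely, which is the limitation of any DNS-layer control: it protects the user who clicks a hostname, not the malware that already knows the address.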