Most phishing, malware, ransomware, and other threats are hosted on domains that are classified as malicious. Yet some domains host both malicious and safe content — we consider these “risky” domains. These sites often allow users to upload and share content — making them difficult to police.
If you allow all traffic to these “risky” domains, users might access malicious content, resulting in an infection or data theft. But if you block traffic, you can expect false positives and an increase in support inquiries. You need more granular visibility and control.
You can use a proxy to intercept and inspect web traffic, but proxying connections adds latency and complexity. Traditional web gateways proxy all web connections, safe, malicious, and risky alike, which hurts network performance and availability. Configuration is also complex, typically requiring PAC files and static routes to steer clients to the proxy.
Why proxy requests to domains that are already known to be safe or bad? Umbrella’s intelligent proxy only routes the requests for risky domains for deeper inspection.
Umbrella uses the Domain Name System (DNS) as the primary mechanism both to steer traffic to our cloud platform and to enforce security. Before any device can connect to a site, it must resolve the site's name, so the DNS request is the first step of every connection and the first thing Umbrella sees. Based on the domain's classification, the DNS response lets requests for safe domains resolve as usual, blocks requests for malicious domains, and directs requests for risky domains to our proxy for deeper inspection.
Umbrella uses Cisco Talos and other third-party feeds to determine whether a domain or URL is malicious. Talos is Cisco's threat intelligence organization, with hundreds of industry-renowned security experts who research attacks and vulnerabilities and feed this intelligence across Cisco products. You can also create a list of custom URLs to be blocked based on your own policies.
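The following is an added example, not Umbrella's own code, that models the three-way decision described above: a resolver classifies each queried domain against constructed sample threat feeds and a constructed custom block list, then either returns the upstream answer (safe), returns a block-page address (malicious), or returns the inspecting proxy's address (risky). The feed contents, the block-page and proxy addresses, and the upstream records are all hypothetical; subdomains inherit the classification of any listed parent domain, which is an assumption of this model.

```python
"""Model of a DNS-steered selective proxy (added example, not Umbrella code)."""
from dataclasses import dataclass
from typing import Optional, Set

# Hypothetical addresses: where blocked and proxied clients are sent.
BLOCK_PAGE_IP = "198.51.100.1"
PROXY_IP = "203.0.113.10"

# Constructed sample feeds standing in for Talos / third-party intelligence.
MALICIOUS: Set[str] = {"evil-downloads.example", "phish-login.example"}
RISKY: Set[str] = {"filehost.example", "pastes.example"}  # user-upload hosts
# Constructed customer-defined block list (the "custom URLs" of the page).
CUSTOM_BLOCK: Set[str] = {"gambling.example"}
# Constructed records an upstream resolver would return for safe domains.
UPSTREAM_A = {
    "www.example.com": "93.184.216.34",
    "search.example": "192.0.2.40",
    "uploads.filehost.example": "192.0.2.20",
    "evil-downloads.example": "192.0.2.30",
}


def _matches(domain: str, names: Set[str]) -> bool:
    """True if the domain or any parent domain appears in the list.

    Normalises case and a trailing dot so 'UPLOADS.Filehost.example.'
    still matches 'filehost.example'.
    """
    labels = domain.lower().rstrip(".").split(".")
    return any(".".join(labels[i:]) in names for i in range(len(labels)))


def classify(domain: str) -> str:
    """Order matters: an explicit block wins over a 'risky' rating."""
    if _matches(domain, CUSTOM_BLOCK) or _matches(domain, MALICIOUS):
        return "malicious"
    if _matches(domain, RISKY):
        return "risky"
    return "safe"


@dataclass
class Answer:
    domain: str
    category: str
    action: str  # "resolve", "block" or "proxy"
    address: Optional[str]  # None models NXDOMAIN for an unknown safe name


def resolve(domain: str) -> Answer:
    """Produce the DNS answer the client would receive."""
    category = classify(domain)
    if category == "malicious":
        return Answer(domain, category, "block", BLOCK_PAGE_IP)
    if category == "risky":
        # Only this class of traffic ever reaches the inspecting proxy.
        return Answer(domain, category, "proxy", PROXY_IP)
    key = domain.lower().rstrip(".")
    return Answer(domain, category, "resolve", UPSTREAM_A.get(key))


if __name__ == "__main__":
    for name in ("www.example.com", "uploads.filehost.example",
                 "evil-downloads.example", "GAMBLING.example.", "search.example"):
        print(resolve(name))
```

The point the model makes concrete is that the proxy never sees the bulk of traffic: safe names get the real upstream record and connect directly, so the localized search and SaaS cases discussed later on this page pass through untouched without a proxy exception.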
File signatures and reputation
We use anti-virus (AV) engines and Cisco Advanced Malware Protection (AMP) to inspect files that users attempt to download from risky sites, protecting against malicious file downloads whether users are on or off the corporate network.
Retrospective notification for files
Through Cisco AMP, if a file that was allowed at download time is later identified as malicious, you can view the details in a report to identify which systems downloaded it and may therefore be infected.
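The following is an added example, not Cisco AMP's code, showing the mechanics behind retrospective notification: every allowed download is recorded by SHA-256 hash against the host that received it, so when a reputation service later convicts that hash, the ledger can name the affected hosts and any further download of the same file is blocked immediately. The file bytes, host names and class names are constructed for illustration.

```python
"""Retrospective file-verdict tracking (added example, not Cisco AMP code)."""
import hashlib
from collections import defaultdict
from typing import Callable, Dict, List, Set, Tuple


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


class DownloadLedger:
    """Remembers which host received which file, keyed by content hash."""

    def __init__(self) -> None:
        self._by_hash: Dict[str, List[Tuple[str, str]]] = defaultdict(list)

    def record(self, host: str, filename: str, digest: str) -> None:
        self._by_hash[digest].append((host, filename))

    def downloads_of(self, digest: str) -> List[Tuple[str, str]]:
        return list(self._by_hash.get(digest, []))


class ReputationService:
    """Stand-in for the cloud verdict source; verdicts can change over time."""

    def __init__(self, known_bad: Set[str]) -> None:
        self._known_bad = set(known_bad)
        self._listeners: List[Callable[[str], None]] = []

    def verdict(self, digest: str) -> str:
        return "malicious" if digest in self._known_bad else "unknown"

    def on_conviction(self, listener: Callable[[str], None]) -> None:
        self._listeners.append(listener)

    def convict(self, digest: str) -> None:
        """A previously unknown hash becomes malicious; notify subscribers."""
        if digest in self._known_bad:
            return
        self._known_bad.add(digest)
        for listener in self._listeners:
            listener(digest)


class RetrospectiveAlerts:
    """Turns a new conviction into a list of hosts that already have the file."""

    def __init__(self, ledger: DownloadLedger) -> None:
        self._ledger = ledger
        self.alerts: List[Tuple[str, List[Tuple[str, str]]]] = []

    def handle(self, digest: str) -> None:
        affected = self._ledger.downloads_of(digest)
        if affected:  # only alert if someone actually received the file
            self.alerts.append((digest, affected))


def inspect_download(ledger: DownloadLedger, rep: ReputationService,
                     host: str, filename: str, content: bytes) -> str:
    """Inline check at download time; only delivered files enter the ledger."""
    digest = sha256_hex(content)
    if rep.verdict(digest) == "malicious":
        return "block"
    ledger.record(host, filename, digest)
    return "allow"


# Constructed sample: bytes that look like a PE header, unknown at first sight.
SAMPLE_FILE = b"MZ\x90\x00constructed-sample-payload"

if __name__ == "__main__":
    ledger, rep = DownloadLedger(), ReputationService(set())
    alerts = RetrospectiveAlerts(ledger)
    rep.on_conviction(alerts.handle)
    print(inspect_download(ledger, rep, "ws-101", "invoice.exe", SAMPLE_FILE))
    print(inspect_download(ledger, rep, "ws-205", "invoice.exe", SAMPLE_FILE))
    rep.convict(sha256_hex(SAMPLE_FILE))  # verdict flips hours later
    print(alerts.alerts)
    print(inspect_download(ledger, rep, "ws-300", "invoice.exe", SAMPLE_FILE))
```

Two design points matter in practice: blocked attempts are deliberately kept out of the ledger so a retrospective alert lists only hosts that actually received the file, and the ledger is keyed by content hash rather than filename, since the same payload is routinely served under many names.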
Localized web content, like a Google search, or a bandwidth-intensive SaaS app like Office 365, can break or slow down when sent through a cloud-based proxy, because the proxy's egress location rather than the user's determines the regional results and every byte of the session transits the proxy. Because these services don't host malware, they aren't considered "risky", so by default our proxy doesn't intercept this traffic. Your users receive accurate, localized content and services without the burden of creating and maintaining a proxy exception.
Because we do not intercept all traffic, users don’t experience slow or broken connections. Additionally, our proxy is built on microservices technology and can automatically scale to handle any volume of traffic. You can achieve the security benefits of a pure-proxy solution without degrading the performance and availability of corporate networks.