The Security Categories in Umbrella are categories of security defence that Cisco Umbrella provides. We've categorized security threats to give you more control over exactly what you'd like to enable and report. This article will help you gain an understanding about the threat type each category will block.
IMPORTANT NOTE (March 29, 2017)
We want to notify you of a few changes to the Cisco Umbrella service specifically around Security Categories. We have been looking for ways to better categorize security threats to give you more control over exactly what you'd like to enable and report. No changes are required on your part.
Based on customer feedback the following changes have been made:
The Suspicious Response category is being removed. The Suspicious Response category was initially created several years ago to address a theoretical attack that did not end up being widely used in the wild. After speaking with many customers, we decided it would be best to remove this category. Our goal is to help you focus on the most important events in the security reports. This category was not adding value and instead was creating confusion and noise in the reports.
Mobile Threats, Drive by Downloads, and High Risk Sites will be consolidated into the Malware Category. We have decided to merge these categories in order to simplify category management. We think you will find it easier to manage. You will not lose any functionality.
As a result, the entire categorization of threats under "Advanced Threats" will be consolidated under the existing categories. Again, there is no loss of protection or functionality; this change is intended to make reports clearer and threats easier to act on within your environment.
Configuring your Security Categories
The information below should be cross-referenced against the Security Settings under Policies > Security Settings in your Umbrella dashboard.
The security settings categories are, at a minimum, the ones listed below:
There is also a sub-category that's available for certain packages, named Integrations. The Integrations security category consists of domains that have been added to Umbrella through individual integrations. For more about integrations, read https://support.umbrella.com/hc/en-us/sections/206680227-Umbrella-Integrations.
Having information in this section of your configuration depends on what, if any, integrations you've enabled. It can include technology partners like Cisco AMP Threat Grid and FireEye. It can include any custom integrations you've created as well.
Security Categories Explained
By default, no security categories are enabled. In general, we suggest that you find the right combination for your organization's policies; some identities may require a stricter security posture than others. However, there are some categories we recommend enabling for most or all identities, unless you are simply testing to see what Umbrella would have blocked.
This does not mean you shouldn't use those categories in your policy, just that you should monitor your reports to see if these categories make sense to apply to your identities.
| Category | Recommend to enable by default? | Description |
|---|---|---|
| Malware | Yes | Block requests to access servers hosting malware and compromised websites via any application, protocol, or port. |
| Command and Control Callbacks | Yes | Prevent compromised devices from communicating with hackers' command and control servers via any application, protocol, or port and help identify potentially infected machines on your network. |
| Newly Seen Domains | No | Domains that have become active very recently. These are often used in new attacks. |
| Dynamic DNS | No | Block sites that are hosting dynamic DNS content. |
| DNS Tunneling VPN | No | VPN services that allow users to disguise their traffic by tunneling it through the DNS protocol. These can be used to bypass corporate policies regarding access and data transfer. |
| Potentially Harmful Domains | No | Domains that exhibit suspicious behavior and may be part of an attack. This category has a higher risk of unwanted detections. |
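As an added example (not Cisco's code and not an Umbrella API), the following Python script applies the policy this article describes to a few constructed DNS log records: it maps the retired category names onto the consolidated ones, blocks on the two categories recommended by default, and treats the remaining categories as monitor-only so you can review reports before enforcing them. The record format, the policy layout and the function names are assumptions.

```python
"""Evaluate constructed Umbrella-style DNS log records against a category policy.

Added example, not Cisco's code. Category names come from the article; the
record layout, policy shape and helper names are assumptions made here.
"""
from typing import Iterable

# Categories retired in the March 29, 2017 change, mapped to where they now live.
# Suspicious Response was removed outright, so it maps to None (dropped).
LEGACY_CATEGORIES = {
    "Mobile Threats": "Malware",
    "Drive by Downloads": "Malware",
    "High Risk Sites": "Malware",
    "Suspicious Response": None,
}

# The two categories the article recommends enabling for most identities.
RECOMMENDED_BLOCK = frozenset({"Malware", "Command and Control Callbacks"})

# Categories the article suggests watching in reports before enforcing.
MONITOR_ONLY = frozenset({"Newly Seen Domains", "Dynamic DNS",
                          "DNS Tunneling VPN", "Potentially Harmful Domains"})

def normalize(categories: Iterable[str]) -> set:
    """Map legacy category names onto current ones and drop removed categories."""
    current = set()
    for cat in categories:
        cat = LEGACY_CATEGORIES.get(cat, cat)
        if cat is not None:
            current.add(cat)
    return current

def policy_decision(categories, enforce=RECOMMENDED_BLOCK, monitor=MONITOR_ONLY):
    """'block' if any enforced category matches, 'monitor' if only a
    monitor-only category matches (reported, not blocked), else 'allow'."""
    cats = normalize(categories)
    if cats & set(enforce):
        return "block"
    if cats & set(monitor):
        return "monitor"
    return "allow"

# Constructed sample records: (domain, categories as an older report might tag them).
SAMPLE_LOG = [
    ("c2.example.invalid", ["Command and Control Callbacks"]),
    ("dl.example.invalid", ["Drive by Downloads"]),    # legacy name -> Malware
    ("ddns.example.invalid", ["Dynamic DNS"]),          # monitor-only by default
    ("odd.example.invalid", ["Suspicious Response"]),  # removed category
    ("www.example.invalid", []),
]

def evaluate_log(records, enforce=RECOMMENDED_BLOCK, monitor=MONITOR_ONLY):
    """Return {domain: decision} for every record in the log."""
    return {domain: policy_decision(cats, enforce, monitor) for domain, cats in records}

if __name__ == "__main__":
    for domain, decision in evaluate_log(SAMPLE_LOG).items():
        print(f"{decision:8} {domain}")
```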