What is the role of an MSP in a SASE world?

Note: This blog is solely based on my work experience and research. This is NOT an official Cisco document. All the details and recommendations in this blog are my personal opinion.

As per Gartner’s definition, “SASE capabilities are delivered as a Service based upon the identity of the entity, real-time context, enterprise security/compliance policies and continuous assessment of risk/trust throughout the sessions.”

In this blog, the word “Partner” is used interchangeably with “MSP” (Managed Service Provider).

For an end-customer, SASE capabilities have to be delivered “as-a-Service”. The preferred approach is to consume SASE capabilities from a single vendor. Having said that, the Gartner report also supports an alternative approach that separates the “connect it” infrastructure from the “secure it” infrastructure of SASE. The one requirement common to both approaches is that the services are cloud-based. So the question is: can SASE capabilities only be delivered directly by a vendor, or can they also be delivered by a Partner under a Managed Service model?

Or in other words,

If a customer can consume SASE capabilities directly from the vendors, and at the same time the traditional product vendors are turning into service providers, what is the role of a Partner?

Good question!

Customers (Enterprises) are on a journey to become digital organizations. Many customers have transformed most of their assets and business into digital form to gain competitive advantage. To deal with the fast-changing industry landscape, customers use their IT to generate business value. For an Enterprise IT team, managing a hybrid digital infrastructure, at scale and with all its complexity, while also providing business value, is a challenging task.

With SASE, customers can directly purchase and consume the capabilities from the vendors. But the customer still carries the burden of implementing and managing the SASE capabilities. Purchasing flexibility is one part of the puzzle; implementing and managing is the other. This is where a Partner can add value.

There are mainly three ways SASE capabilities can be consumed, as shown in Figure: 1 below.

Note: SASE services can also be purchased from resellers, distributors, etc. I have limited the scope of the discussion to these three.

Figure: 1 (Icon source www.flaticon.com)
  1. The customer purchases SASE services directly from the vendor and manages them with their own IT department.
  2. The customer purchases SASE services directly from the vendor and an MSP manages them on the customer’s behalf.
  3. The customer purchases Managed SASE services from a Managed Service Provider (MSP).

This blog focuses on the last bullet point. Figure: 2 below shows four different scenarios for delivering and consuming Managed SASE. The two scenarios on the left show the partner’s perspective and the two on the right show the end-customer’s perspective.

Figure: 2

From the left side:

Scenario 1— Partner using a single vendor to provide Managed SASE

Scenario 2 — Partner using multiple vendors to provide Managed SASE

Scenario 3 — Customer consumes multi-vendor Managed SASE from multiple Partners

Scenario 4 — Customer consumes single-vendor Managed SASE from multiple Partners

There are other scenarios where the customer purchases SASE capabilities from one or multiple vendors and hands over the management to partner(s). That is a whole different story, and this blog does not cover those scenarios.

Scenario 1 — Partner using a single vendor to provide Managed SASE

The Partner uses a single vendor to create a managed offer that delivers SASE capabilities as-a-Service. SASE vendors may provide tools for managing multiple tenants, centralized settings and reports, flexible licensing and billing, etc. The Partner can then focus on managing the SASE policies, providing support and running day-to-day operations. This is an ideal scenario.

Pros

One of the major reasons to use a single vendor is to reduce cost and complexity.

No need to hire headcount for other vendor platforms; a focused team with an expert skill set may be enough to deliver a quality service.

Able to build a good relationship with the vendor and benefit from loyalty-based discounts and programs.

Cons

May end up in a vendor lock-in situation with little choice.

Moving from one vendor to another may take time and investment in resources and staff.

Limited options to create differentiated offers.

Scenario 2 — Partner using multiple vendors to provide Managed SASE

The Partner uses multi-vendor SASE solutions to deliver SASE to the end-customer as-a-Service. If the operational cost and complexity are manageable for an MSP/Partner, then in my opinion this model may offer slightly more advantage than a single vendor.

Pros

The Partner has the flexibility to choose the best vendors on the market to put together a SASE offer.

With multiple vendors to choose from, the Partner can negotiate pricing.

Mixing multiple vendors may open up new possibilities to create differentiated services.

Very little chance of ending up in a vendor lock-in situation.

Cons

Need to handle different licensing terms and agreements with each vendor.

Having to manage more than one portal or product console can add extra burden on existing staff. Resources must be invested in integration and automation to achieve optimum results.

In break-fix situations, engineers may sometimes need to coordinate with more than one vendor to resolve an issue. This may add significant delay to the resolution and impact customer satisfaction.

Partners need a mechanism to consolidate end-customers’ consumption (usage/metering) across multiple vendors in order to produce the monthly billing.

Scenario 3 — Customer consumes multi-vendor Managed SASE from multiple Partners

This scenario gives the customer’s perspective. Like Partners, customers have the flexibility to consume SASE capabilities from the MSPs of their choice. If MSP-A is best known for its connectivity services but not so much for security services, the customer can go with MSP-A for connectivity and choose another MSP for security services. In the end, the customer enjoys the best of both worlds.

For example, MSP-A offers SD-WAN plus Telemetry & Analytics as a connectivity package, compared with MSP-B’s simple SD-WAN-only offer. The technical superiority of the offer leads MSP-A to win the connectivity service. When it comes to security, both MSPs provide a very similar offer from one vendor, so it may come down to the best pricing; the customer chooses MSP-B for security based on the offer pricing.

Pros

Flexibility for a customer to pick the MSP of their choice to deliver a set of SASE capabilities as a service.

Competition between MSPs can give customers the best offers at a good price.

Cons

Added complexity in managing multiple partners and their service agreements. Make sure that the SLAs from all the vendors are comparable.

In break-fix situations, especially in high-severity cases, vendors may end up pointing at each other rather than working together to find a fix.

Scenario 4 — Customer consumes single-vendor Managed SASE from multiple Partners

It is unlikely that a customer cares much about an MSP’s internal systems or choice of vendors. In a Managed Service world the focus is on the reputation of the MSP and the quality of the offers they deliver.

Having said that, for the sake of argument let me take an example to explain the scenario. Assume both MSPs are using Cisco. If MSP-A provides connectivity services including VPN and MSP-B provides the security service (Umbrella), then the end customer only has to install one Cisco AnyConnect agent. The AnyConnect agent on an endpoint can be used for VPN connectivity as well as to redirect DNS and web traffic to Cisco Umbrella. If the two MSPs were using different vendors, the customer would have to install more than one software agent on the endpoint.

Conclusion

Most partners may have concerns about losing the revenue they currently generate from managing legacy boxes, especially when new service offers like SASE are moving towards the cloud. With the change in the IT industry, the role of a partner may change as well.

As per the Gartner report, it is clear that MSPs who are stuck managing boxes to keep IT on, and only offer operational management for internal enterprise IT environments, will fail to grow [1].

Well, let’s see this change as an opportunity. In fact, in my opinion, the combination of Managed Services and SASE is a match made in heaven. With this combination the end-customer can enjoy the true experience of SASE capabilities and their management, fully delivered as-a-Service.

Reference

[1] https://blogs.gartner.com/rene-buest/2019/10/08/infrastructure-msps-offer-operational-management-internal-enterprise-environments-will-fail-grow/

Understanding the different Cisco Umbrella Consoles

Cisco Umbrella is a security product for safe internet access. It is a cloud-delivered solution with many security features, including DNS-layer security, web security, Cloud Access Security Broker (CASB), cloud-delivered firewall, etc. For more details please check this link.

Umbrella has different packages. A package is a set of Umbrella features bundled by market segment, for easier pricing and selling. There are different packages for each market segment, for example:

  • Packages for Service Providers (SP): Easy Protect and Mobile Protect.
  • Packages for Enterprises: DNS Essential, DNS Advantage and SIG Essential.
  • Packages for Managed Service Providers (MSP) and Managed Security Service Providers (MSSP).
  • OpenDNS Home and Small Business packages: OpenDNS Family Shield (free), OpenDNS Home (free), OpenDNS VIP Home, OpenDNS Umbrella Prosumer, etc.

For more details on the packages and a comparison, please check the links below:

Cisco Umbrella Package Comparison

Cisco package comparison for Service providers & Distributors

Cisco OpenDNS Family and Small Business packages

Before we talk about the different Umbrella consoles, we need to understand how a user account is mapped to Umbrella packages. Figure: 1 illustrates the logical flow of a user account accessing a package.

Note: This is not an official Cisco diagram. The diagram is for discussion purposes only and may not reflect the actual infrastructure.


A username can be assigned access privileges to one or more Umbrella organizations (Orgs). An Org is an instance of Umbrella and has its own dashboard. Orgs are identified by their name and their organization ID (Org ID). The Org ID is a unique seven-digit number.

The dashboard is the GUI (Graphical User Interface) for interacting with an Org instance. In addition to the dashboard for each Org, Cisco provides the Console, a GUI tool to manage multiple organisations through a single console instance. There are a few variants of the console. They have a very similar GUI, but the features differ slightly on each console.

MSSP (Managed Security Service Provider) Console


The MSSP console is typically for large service providers with security expertise, focused on managed security services for enterprises. Usually their customers have 250 or more employees to protect. The MSSP console’s main features include centralised customer management and reporting, customer and license management (MSLA and term-based), providing trials, monitoring and converting customers from trial to subscription, and centralised configuration settings.

To get started with the MSSP console, the service provider/partner first has to determine Umbrella licensing and then add customer accounts. Service providers/partners have two license types available on behalf of a customer, or a combination of both:

  • Term/GPL (Global Price List) — Term licenses are procured through CCW and owned by the customer. Licenses are sold to you ahead of time.
  • MSLA — Managed Service License Agreement. A volume-based monthly, post-paid billing model for Managed Service Providers of any kind: MSP, MSSP, or ISPs. Licenses are issued when a customer account is added by the MSSP and at the end of each month Cisco bills you based on the number of licenses — customers added — during that thirty day period. There is no minimum or maximum number of licenses.
  • Both — Allows you the option of selecting either Term or MSLA when adding a new customer account.

Please check the link for more details on the requirements a partner must meet to access the MSSP console.

MSP (Managed Service Provider) Console


The MSP console is designed for service providers who manage IT services on behalf of customers, typically with fewer than 250 employees to protect per customer. Their security requirements may not be as complex as those of MSSP customers; MSP customers may simply need to be defended from threats like malware, phishing and ransomware. The MSP console’s main features include centralised customer management, settings and reporting. The console is also designed to integrate with the ConnectWise and Autotask PSAs, and provides the information you need to deploy through a Remote Monitoring and Management (RMM) tool.

Unlike MSSPs, MSPs can purchase a bucket of seats and allocate or reallocate those seats to customers as best fits their business needs. Because the license is typically blended into a managed service provided by the MSP, it is owned by the MSP and not the customer.

Umbrella Partner Console (UPC)


UPC is more of a trial management tool. The console is designed for service providers/partners to set up and manage customer free trials and, at the end of the trial, provide them with reports showing the threats and vulnerabilities that Umbrella was able to detect and mitigate during the free trial. The UP Console features include centralised reports and settings, and trial management.

Please check the link for more details on UPC eligibility.

Multi-Org Console


The Multi-org console is not designed for service providers but for large enterprises. This console is suitable for organisations that are highly distributed but share a common IT group or network security team. As per the Umbrella documentation, the Multi-org console is a good fit for organisations that are divided in structure but have a centralized security team that ensures compliance across all areas. The console features include centralised reports and settings, and Org management. A customer has to purchase a separate license for the Multi-Org console.

Conclusion

The MSSP Console is for large Service Providers/Partners focused on managed security services.

The MSP Console is for small IT managed service providers who manage IT infrastructure on behalf of their customers.

The UP Console is for Partners to help with Umbrella trial management.

The Multi-Org Console is for large enterprises to manage their internal distributed sub-orgs.

SASE for Infrastructure Managed Services Provider (MSP)

SASE is becoming the new buzzword in the IT industry. Secure Access Service Edge (SASE) is an architecture that converges networking and network security, delivered in an as-a-Service model. As per Gartner, by 2023, 63% of global MSPs will gain their revenue through digital business infrastructure operations (DBIO) [1]. SASE brings various opportunities and helps Infrastructure MSPs monetise the new architecture.

Note: In this blog, “MSP” and “Infrastructure MSP” mean the same thing.

To support customers’ digital transformation, Infrastructure MSPs have to step into new arenas. Today, Enterprise IT is built on hybrid-cloud networks with workloads in multiple private and public clouds. New applications demand decentralisation of data processing (computing power), bringing processing as close as possible to the customer for low latency and high performance. This change forces MSPs to focus not only on “what” to manage but also on “where” to manage it.

Cisco can greatly help infrastructure MSPs start their journey to capture the changing market and build a new DBIO for SASE Managed Services. For security services, Cisco is backed by its industry-leading security portfolio with 100% cloud-based service deployment. For connectivity, everyone knows Cisco is a pioneer in the field. Notably, one of Gartner’s recommendations for SASE is to have all the services (both network and network security) ideally from one vendor. All this, unsurprisingly, makes Cisco an ideal choice for SASE managed services.

SASE consists of different components. Figure: 1 shows a high-level view of a SASE managed service. The tiers loosely show the different focus areas in the layers of a SASE managed service, and the layers roughly represent each component required to build one. The components give the flexibility to deploy each layer one by one on top of the other, in line with the customer’s phase. This may lead MSPs to choose their existing managed SD-WAN customers as the primary candidates for a SASE offer.

The layers can also be used as a reference to create different SASE packages. For example, a Base package may include the Services and Connectivity components, whereas an Advanced package may include the Base package plus the Telemetry & Analytics component.

In short, for a SASE managed service:

· Infrastructure MSPs may have to own the underlying physical hardware

· Connectivity solutions can be co-created with Cisco and managed by MSPs

· Security services are hosted in the Cisco cloud and consumed as SaaS

· Optional (cloud-based) services can be layered on top to differentiate the SASE offer

· Purpose-built administrative consoles for MSPs for management

· Integration with the MSP’s existing platform to reduce operational complexity


Managed Tier

Traditional managed services, or infrastructure outsourcing, focus on reducing IT cost. The infrastructure MSP manages the physical boxes on behalf of the customer’s IT department, which includes maintaining the physical availability of the boxes, racking and stacking, managing the life cycle of hardware and software, applying configuration and policies, etc. Though the physical boxes may be owned by the customer and reside on their premises, this model provides the abstraction of a Network-as-a-Service or Infrastructure-as-a-Service outcome for the customer.

Value-add Tier

The value-add tier is the need of the hour for infrastructure MSPs. With the proliferation of public cloud, customers’ on-prem workloads are shifting to the public cloud. Limiting themselves to managing end-customers’ infrastructure and workloads may not help grow the business. As per Gartner, “Infrastructure MSPs that only offer operational management for internal IT environments will fail to grow” [2].

A high percentage of infrastructure MSPs are adapting to the new public cloud environment by helping to manage on-prem legacy infrastructure and cloud applications, and by operating and migrating legacy applications to the cloud. But only a few MSPs are brainstorming how to leverage the capabilities of cloud technologies and services to create new business opportunities [3]. It is important for MSPs to move their primary focus from managing a box to providing an outcome-based service; this is the key differentiator. Beyond keeping the customer’s IT infrastructure operational, MSPs should evolve into true business enablers.

This means helping customers in their digital business transformation by co-creating new solutions and leading with differentiated offers in the MSP’s service catalogue.

Cisco security products have great features; enabling one and combining it with other advanced features may create a new offer in itself. For example, a large enterprise uses on average 1200+ cloud services, 98% of which are shadow IT apps [4], and 27% of discovered shadow IT apps are classified as high risk [5]. Cisco Umbrella, one of the main products in SASE, has a shadow IT feature (depending on the package). An MSP can use this feature to create a monthly report (e.g. an Application Visibility & Risk Audit report) for an extra fee, showing the level of cloud service activity and the risk associated with each application in a customer organization. The report may help the customer manage cloud adoption in a secure and organized fashion. In short, it is like turning the humble egg (approx. $1) into a gourmet omelette (approx. $12).

Cisco SD-WAN edge devices are packed with security features that MSPs can enable to differentiate themselves from others. For example, enable the AMP for Networks feature, which is the only network-based malware defence in the industry. Having this feature enabled on all SD-WAN edge routers extends malware threat defence from the endpoints to the network edge.

Add Threat Intelligence and integrate with the customer’s security stack to provide in-depth threat analytics reports at a premium rate. For example, Umbrella Investigate (depending on the package) gives the most complete view of the relationships and evolution of internet domains, IPs and files, helping to pinpoint attackers’ infrastructure and predict future threats [6].

Operational efficiency Tier

Operational efficiency is one of the key tiers in SASE managed services. Improving operational efficiency helps increase margins. Most MSPs are concerned about scaling the business, mainly due to the talent shortage [7] and pressure on budgets. Continually adding headcount is not the only way to manage the scalability problem.

This is especially true when the MSP has to deal with multi-vendor platforms and cutting-edge technologies. Hiring experts on every vendor platform or technology may not go well with the profit margins. On top of this, end-customers may come with unique requirements for different report types, access privileges and other services, which can result in headcount dedicated to each account. With all this, MSPs also have to keep their pricing very competitive to win new business.

Network Operations Centre (NOC) or Security Operations Centre (SOC) employees may need to perform repeatable tasks. As we all know, automation increases productivity, and automating repeatable tasks saves money. Without automation, for a single security alert an engineer may have to log in to multiple portals to verify and correlate the events before deciding to act or to ignore it. An engineer may get many such alerts in an eight-hour shift, and almost half of the shift may be consumed by the manual process. For example, at an average of $35 per hour for a NOC engineer and 4 hours spent on manual tasks per day ($35 × 4 hours = $140), that is $140 × 365 days = $51,100 per year per engineer. Around $50K could be saved by integrating and automating manual tasks.

NOTE: The dollar values shown in the example are assumptions and not accurate.

Traditionally, with most Infrastructure MSPs, WAN connectivity such as MPLS, VPN, Internet, etc. is managed and monitored in the NOC, and security-related services are managed and monitored in the SOC. SASE is a combination of network and security services, which may demand that NOC and SOC come together in a centralised monitoring centre, or that both teams integrate tightly to break the silos.

Leverage APIs and the open-standard STIX/TAXII data formats to automate the exchange of security events between the different tools of both teams. Cisco has a rich set of RESTful APIs and supports STIX/TAXII for integration with network and security tools, which allows MSPs to automate processes, decrease response times and gain better visibility of the network. This helps create a new control plane for a variety of SASE network and security functions in the SOC environment.

Conclusion

SASE brings new revenue opportunities for infrastructure MSPs. Cisco has almost all the components an MSP needs to start its SASE managed services journey.

  • Innovate, customize and deliver business outcomes in ways an MSP has not been able to in the past.
  • Accelerate managed service business value with new revenue streams like SASE and differentiated service offers in your service catalogue.
  • Embrace an integrated architectural approach for scalability, stability and performance to deliver high-quality customer service.
  • Gain operational excellence by improving current operations with more integration between tools and with automation.

References

[1] Gartner, “Managed Services Are Dead, Long Live Managed Services!,” 29 Mar 2019. [Online]. Available: https://blogs.gartner.com/rene-buest/2019/03/29/managed-services-dead-long-live-managed-services/.

[2] Gartner, “Infrastructure MSPs That Only Offer Operational Management of Internal Enterprise IT Environments Will Fail to Grow,” 08 Oct 2019. [Online]. Available: https://blogs.gartner.com/rene-buest/2019/10/08/infrastructure-msps-offer-operational-management-internal-enterprise-environments-will-fail-grow/.

[3] Gartner, “Who Drives Digital Business From the Cloud Through the Edge to the Digital Touchpoint?,” 08 Sep 2018. [Online]. Available: https://blogs.gartner.com/rene-buest/2018/09/08/who-drives-digital-business-from-the-cloud-through-the-edge-to-the-digital-touchpoint/.

[4] Cisco Blogs, “Gartner Report Says Shadow IT Will Result in 1/3 of Security Breaches,” [Online]. Available: https://blogs.cisco.com/cloud/gartner-report-says-shadow-it-will-result-in-13-of-security-breaches.

[5] Help Net Security, “27% of cloud apps are high risk,” [Online]. Available: https://www.helpnetsecurity.com/2016/06/14/risky-cloud-apps/.

[6] Cisco, “Cisco Umbrella Investigate,” [Online]. Available: https://umbrella.cisco.com/products/umbrella-investigate.

[7] Gartner, “Confront the Cybersecurity Talent Shortage,” 23 June 2017. [Online]. Available: https://www.gartner.com/smarterwithgartner/solve-the-cybersecurity-talent-shortage/.

Cisco Umbrella — Destination List Automation using API

Umbrella has pre-built APIs for easy integration with a few security vendors such as Check Point, FireEye, ThreatConnect, ThreatQ and ZeroFox. Umbrella also has the flexibility to create custom integrations with most other security platforms. More information on the integrations with the above vendors is documented here.

A Destination List provides the fundamental security policy for blocking or allowing an internet connection to a destination. A destination list contains a list of internet destinations, created based on the security policies of an organization. A destination entry in the list can be a domain name, an IPv4 address or a URL.

The entries in a destination list can come from Threat Intelligence Platforms (TIP), firewall appliances, Security Information and Event Management (SIEM) systems or even homegrown systems. If for any reason a customer cannot integrate with Umbrella, the destination list can be updated manually via the Umbrella GUI. Umbrella has a bulk update feature to upload a file into a destination list. The file must be in .txt or .csv format, with one destination entry per line and a maximum of 5000 destination entries per file.

If you are new to the Cisco Umbrella API and would like to know how to interact with Umbrella using an API client, please read my previous blog. This blog focuses on creating, updating and deleting destination lists and their entries.

In real-world use cases, customers need to update the entries of a destination list frequently. The entries may be collected from multiple threat intelligence sources. For example, domain A is on a block list today, but tomorrow (for some reason) the customer would like to remove it from the block list and add it to the allow list. Performing these tasks manually is cumbersome for an admin; automation plays an important role in this use case.

In this blog we focus on four points:
  1. Create a destination Allow List
  2. Create a destination Block List
  3. Add destination list entries to a destination List
  4. Delete an entry from a destination list, or a destination list itself

1 — Create a Destination Allow List

POST https://management.api.umbrella.com/v1/organizations/{OrgID}/destinationlists

Umbrella has Allow and Block destination lists. To create an Allow list we must specify that with the “access” (string) parameter in the API body, along with the other required parameters. “isGlobal” is a boolean, either true or false; a value of true makes the destination list a global list in that Org. “name” (string) gives the destination list a name. Optionally, we can add the destination list entries while creating the destination list, or later.

Note: There is a small difference in the syntax when adding entries while creating a new destination list: we must add them in the “destination” array. When adding a new entry directly to an existing destination list, we don’t need “destination” in the API body; we just create an array and list the entries, as shown later in this blog.

Below is a screenshot of my Postman client as an example of the API body and URL. We can see that the “access” parameter is set to “allow” to make this destination list an Allow List. “isGlobal” is false because we are creating a new, non-default destination list. The Global List is a default list in an Umbrella Org that applies to all identities; a non-global list enforces its list of destinations on a subset of identities.

The “destination” array contains both domains and IPv4 addresses. Also note the Domains counter and the IPs counter reflected in the Umbrella GUI.


2 — Create a Destination Block List

POST https://management.api.umbrella.com/v1/organizations/{OrgID}/destinationlists

The only difference compared to creating a destination allow list is the “access” parameter in the API body.

Note: An IPv4 address entry can only be included in an Allow List, and a URL entry can only be included in a Block List. Domain name entries can be in both lists.

The screenshot below shows an example of a Block list created with exactly the same parameters as the Allow list. The only difference is that the “access” parameter is set to “block” to create a destination block list.

The “destination” array contains both domains and URLs. Also note the Domains counter and the URLs counter reflected in the Umbrella GUI.


3 — Add destination list entries to existing Destination List

To add a new entry to an existing destination allow list, we first need to have the list “id”. To collect the list id, retrieve all the destination lists under the Org and choose the id of the list to which we need to add an entry.

Step A — Retrieve and collect the destination list “id”

GET https://management.api.umbrella.com/v1/organizations/{OrgID}/destinationlists

To retrieve (GET method), no parameter is required in the API body; just execute the GET method against the URL. The screenshot below shows an example of the URL and the output. Make sure to use the correct OrgID.


From the GET output, pick the destination list to which you would like to add or remove entries and note its “id”.

Step B — Add destination entries to the list

POST https://management.api.umbrella.com/v1/organizations/{OrgID}/destinationlists/{destinationlistID}/destinations

To add destination entries to an existing destination list, add the domains and IPv4 addresses to an array. Refer to the screenshot example below and note the URL, which contains the destination list “id” collected in Step A. The API body is a JSON array of destination entries. Because it is an Allow List, URL destinations cannot be added; if you try, you will get an error.


Here is another screenshot showing how to add entries to an existing destination Block list. The destination list “id” in the URL has been changed to match the block list.


Please note that when adding URLs to a destination Block list, if the URL is under a well-known domain and is very broad, we may get an error. Check the screenshot below for an example.


In the above example, I have used “box.com” instead of “mypersonal.com”. In the output section we can see the error message “high_volume_list_domain”. Even if we try to add the URL via the GUI we will get the error, as shown in the screenshot below.


4 — Delete an entry from a destination list or a destination list itself

Using the DELETE method we can remove an entry from an allow or block destination list, or remove the whole destination list.

Step A — Retrieve and collect the destination list “id”

GET https://management.api.umbrella.com/v1/organizations/{OrgID}/destinationlists/{destinationlistID}/destinations

To remove an entry from a destination list, we use the destination entry “id” or a list of “id”s. If you do not know the “id”, use the GET method to retrieve all the entries in the destination list and select the “id” or “id”s you would like to remove.

The screenshot below is an example of the GET output for a destination list.


Step B — Delete the entry/entries or a destination list

The main parameter required to delete an entry or a destination list is the correct “id”.

DELETE https://management.api.umbrella.com/v1/organizations/{OrgID}/destinationlists/{destinationListID}/destinations/remove

The screenshot below is an example of deleting the entry “www.malware.com” from an existing destination list. The syntax is the same for both Allow and Block lists. Select the entry “id”, insert it into the API body as a JSON array and execute. We cannot use domain names, IPv4 addresses or URLs in the array to delete an entry; only entry “id”s are accepted.


To delete a destination list, use the destination list “id” in the URL; no API body parameter is required.

DELETE https://management.api.umbrella.com/v1/organizations/{OrgId}/destinationlists/{destinationListId}

The screenshot below is an example of deleting a destination list. In the example we used the “id” of the destination list “VCD block List” to delete it. It is very simple and straightforward to delete a destination list together with all its entries.
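The following is an added example, not code from the original post or from Cisco: it builds the Management API requests for steps 3 and 4 above (find the list “id”, add entries, remove entries by entry id, delete the list) from a constructed GET response, so the URL, body shape and the allow-list restriction on URLs can be checked before anything is sent. The Org ID, key pair and the field names in the sample responses are assumptions.

```python
"""Added example (not from the original post): builds the Umbrella Management
API requests for steps 3 and 4 from a constructed GET response, so the list id,
body shape and allow-list restriction can be checked before anything is sent.
Field names in the sample responses are assumptions."""
import base64
import json

BASE_URL = "https://management.api.umbrella.com/v1"

# Constructed placeholders, not real Umbrella identifiers or credentials.
ORG_ID = "1234567"
API_KEY = "example-api-key"        # Postman "Username"
API_SECRET = "example-api-secret"  # Postman "Password"

# Constructed stand-in for GET .../destinationlists output (step A).
SAMPLE_LISTS = {"data": [
    {"id": 1111111, "name": "VCD allow List", "access": "allow"},
    {"id": 2222222, "name": "VCD block List", "access": "block"},
]}

# Constructed stand-in for GET .../destinationlists/{id}/destinations output.
SAMPLE_ENTRIES = {"data": [
    {"id": 501, "destination": "www.malware.com", "type": "domain"},
    {"id": 502, "destination": "198.51.100.10", "type": "ipv4"},
]}


def auth_headers(key, secret):
    """HTTP Basic Authentication: base64 of "key:secret", as Postman builds it."""
    token = base64.b64encode(f"{key}:{secret}".encode()).decode()
    return {"Authorization": f"Basic {token}", "Content-Type": "application/json"}


def find_list(lists_response, name):
    """Step A: locate a destination list by display name and return its record."""
    for item in lists_response["data"]:
        if item["name"] == name:
            return item
    raise KeyError(f"no destination list named {name!r}")


def is_allowed_entry(access, destination):
    """Allow lists take domains and IPv4 only; anything with a path or scheme
    is a URL and is rejected, matching the API error the post describes."""
    is_url = "/" in destination or destination.startswith("http")
    return not (access == "allow" and is_url)


def add_destinations_request(org_id, dest_list, destinations):
    """Step B: POST a JSON array of entries to the list's /destinations URL."""
    bad = [d for d in destinations if not is_allowed_entry(dest_list["access"], d)]
    if bad:
        raise ValueError(f"URLs are not accepted in an allow list: {bad}")
    url = f"{BASE_URL}/organizations/{org_id}/destinationlists/{dest_list['id']}/destinations"
    return {"method": "POST", "url": url, "body": [{"destination": d} for d in destinations]}


def remove_destinations_request(org_id, list_id, entries_response, names):
    """Step 4B: /destinations/remove takes entry ids, never names, so resolve
    each name against the GET .../destinations output first."""
    ids = []
    for name in names:
        match = [e["id"] for e in entries_response["data"] if e["destination"] == name]
        if not match:
            raise KeyError(f"{name!r} is not in destination list {list_id}")
        ids.extend(match)
    url = f"{BASE_URL}/organizations/{org_id}/destinationlists/{list_id}/destinations/remove"
    return {"method": "DELETE", "url": url, "body": ids}


def delete_list_request(org_id, list_id):
    """Deleting a whole list needs only its id in the URL and no body."""
    url = f"{BASE_URL}/organizations/{org_id}/destinationlists/{list_id}"
    return {"method": "DELETE", "url": url, "body": None}


def render_body(request):
    """Serialise the body exactly as it would be sent (None when no body)."""
    return None if request["body"] is None else json.dumps(request["body"])


if __name__ == "__main__":
    block = find_list(SAMPLE_LISTS, "VCD block List")
    req = add_destinations_request(ORG_ID, block, ["mypersonal.com", "mypersonal.com/login"])
    print(req["method"], req["url"], render_body(req), auth_headers(API_KEY, API_SECRET))
```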


How to access Umbrella API using Postman

Cisco Umbrella has a number of RESTful Application Programming Interfaces (APIs), broadly categorized based on their purpose.

Management API — Mainly for administration tasks such as managing networks (add / remove) or roaming clients.

Reporting API — To pull information on security activities, top destinations, top categories etc.

Enforcement API — Used to integrate with other security products so they can enforce policy using Umbrella.

Investigate API — Helps to query Cisco Umbrella’s security data lake, created by the security research team.

Network Device API — For device registration and policy related applications.

Legacy Network Device API (deprecated) — Used to register legacy network devices with Umbrella to gain visibility of the DNS traffic flow. The Network Device API can be used to achieve the same results.

One of the main use-cases is to allow customers to perform a variety of Umbrella-related functions without performing configuration steps in the dashboard. Another use-case is to integrate Umbrella with other security products to automate workflows such as the remediation process. The APIs can also be used to pull real-time threat information into monitoring systems, or to collect logs from the Umbrella Amazon S3 bucket into Security Information and Event Management (SIEM) tools for further analysis.

Currently Umbrella uses HTTP Basic Authentication with an API Key and Secret Key. The Cisco documentation may refer to the keys as Username and Password.

Step 1: Generate API key pair

For the Management API, Reporting API, Network Device API and Legacy Network Device API, use the Umbrella dashboard -> Admin -> API Keys section to generate the key pairs.

For the Investigate API you must go to the Umbrella Investigate console (via the Umbrella Dashboard) and click the “Investigate API Access” link under the tabs.

For the Enforcement API use Umbrella dashboard -> Policies -> Integrations. Note: Unlike the other API keys, the Enforcement API key is not a pair of keys but a URL; the key is included in the URL.

Step 2: Setup Postman

Download the Postman API Client APP from https://www.postman.com/product/api-client/

Step 3: Generate API request using Postman

From the Postman GUI -> Launchpad tab -> select “Create a request”


From the new GET tab, select the “Authorization” tab. Then select the “Basic Auth” option from the TYPE drop-down. After you select Basic Auth, provide the Umbrella API keys on the right-hand side: for “Username” use the public API Key and for “Password” use the Secret Key. Leave the rest of the settings at their defaults in Postman.


To generate an API request we need the Umbrella Org ID (organization identity). Every Umbrella instance in the Umbrella cloud is identified by a unique Org ID, and every customer’s Umbrella dashboard carries the Org ID in its URL: https://dashboard.umbrella.com/o/{organizationId}/#/overview


Note: An organization ID is a required parameter for all subsequent queries.

All APIs are restricted to HTTPS and are hosted at these locations:

Management API — https://management.api.umbrella.com

Reporting API — https://reports.api.umbrella.com

Investigate API — https://investigate.api.umbrella.com

Enforcement API — https://s-platform.api.opendns.com

Legacy Network API — https://api.opendns.com

The example below shows a GET request to an Umbrella Org to list all the policies using the Management API.


For more details on the Umbrella API please refer to the documentation: https://docs.umbrella.com/umbrella-api/docs/about-the-umbrella-api

Cisco DevNet Security DevCenter https://developer.cisco.com/site/security/

Is Dark Web always used for Bad Business?

After the invention of the World Wide Web (WWW) by British scientist Tim Berners-Lee in 1989, a web browser application was released to the general public within a couple of years. The Internet became a platform with new commercial, social, cultural and technical opportunities.

Following the release of the web browser, the WWW grew rapidly, and so did the number of Internet users. Info.cern.ch was the first ever published website, in August 1991 [1]. Currently there are 1.7 billion websites hosted on the Internet [2]. Having said that, not all of those websites may be active today. Here a website means a unique hostname which can be resolved using the DNS service.

Most of the websites we access regularly are indexed in web search engine databases. But there are other legitimate websites which are not listed in the search engine index (hidden), and these cannot be accessed without knowing the URL.

Deep Web is a term mostly used in the IT industry to refer to websites which are not listed in the web search engine index [3]. Many people have the misconception that Deep Web sites are related to bad business, similar to the Dark Web (or Dark Net), which is incorrect. For example, wordpress.com, a famous blogging site, has a setting to hide a page from search engines. Selecting this option keeps that user’s webpage in the Deep Web category, meaning hidden from search engines. That doesn’t mean that the user’s webpage is associated with criminal or anti-social activities.

Search engine companies use web crawlers (automated programs) to browse the WWW and store the webpages and their URLs in a database. Web administrators can use settings in robots.txt files to allow or disallow a search engine crawler from indexing. Also, if a webpage is password protected, crawlers cannot access the page and cannot add it to the search engine database [4].

Similar to the Deep Web, at a high level Dark Web is an industry term for a part of the Internet which is not indexed by web search engines and needs special applications to access its webpages. Dark Webs are anonymity overlay networks on the Internet built for privacy reasons, mainly to avoid surveillance by government or national agencies. There are a couple of famous anonymous networks active on the Internet today.

The Freenet Project is a free and open source anonymous network started by Ian Clarke [5]. It is a dynamic peer-to-peer network with a decentralised architecture, where communication between nodes is encrypted and routed via multiple nodes to make it difficult to trace. Every computer (node) has to install the application to access resources in Freenet. Each node provides the network with bandwidth and some storage space. Every file added to the Freenet peer-to-peer network has a Globally Unique Identifier (GUID). A file may be stored on a few nodes in a distributed way, and during the file’s lifetime it might be copied or migrated to other nodes. A user can access a file via the Freenet application by requesting the file’s GUID.

The Invisible Internet Project (I2P) creates an anonymous network layer. The I2P application has to be installed on the computer to access the I2P network. During installation, the I2P application generates a unique cryptographic identity (node identity) for each computer. I2P applications use the anonymous network layer to exchange messages between these cryptographic identifiers.

I2P uses garlic routing, which can carry multiple encrypted messages in a bundle called a “clove”, along with layered encryption of messages. Messages are exchanged between the node identities using unidirectional tunnels: an inbound tunnel to receive messages and an outbound tunnel to send messages back. I2P websites are called “Eepsites”, use the .i2p extension (similar to .com) and can be accessed only via I2P applications / the I2P network. Example: elgoog.i2p

The Tor Project is one of the most famous anonymous networks. It was initially created as part of a U.S. Naval Research Lab (NRL) project to access the Internet with privacy [6]. The main purpose of the project is to keep the communication between the user (Originator) and the destination (Responder) anonymous. Tor can be accessed simply by installing the Tor browser.

Tor uses the onion routing concept, which encrypts the data at each step of the routing. To avoid tracing, traffic is routed through multiple Tor nodes. Onion routing is designed to hide the header information and makes it extremely hard for anyone to identify the originator’s source, traffic pattern, location information etc. Tor grew from a few nodes to thousands of nodes run by volunteers today, and the number of Tor users has grown to millions [7].
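The layered encryption described above, as an added toy model that is not part of the original post and not Tor’s real protocol: the originator wraps the message once per relay, each relay strips one layer with its own key and learns only the next hop, so no single relay sees both the originator and the responder. The keystream cipher, relay names and keys are constructed for illustration.

```python
"""Added toy model of onion routing (not from the original post, not Tor's
actual cryptography). Each relay holds one shared key, removes one layer and
learns only the next hop; only the exit sees the plaintext, and only the
entry sees the originator."""
import hashlib
import hmac
import json


def keystream(key, length):
    """Counter-mode keystream from HMAC-SHA256: a stand-in cipher for the demo."""
    out = b""
    counter = 0
    while len(out) < length:
        out += hmac.new(key, counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def xor_crypt(key, data):
    """Symmetric: the same call both encrypts and decrypts."""
    return bytes(a ^ b for a, b in zip(data, keystream(key, len(data))))


def build_onion(circuit, payload):
    """Originator wraps the payload once per relay, innermost layer first.
    circuit: list of (relay_name, shared_key) ordered entry -> exit.
    Each layer names only the next hop, so relay i learns hop i+1 alone."""
    hops = [name for name, _ in circuit] + ["responder"]
    cell = payload
    for i in range(len(circuit) - 1, -1, -1):
        _, key = circuit[i]
        layer = json.dumps({"next": hops[i + 1], "data": cell.hex()}).encode()
        cell = xor_crypt(key, layer)
    return cell


def relay_peel(key, cell):
    """A relay strips one layer and returns (next_hop, remaining_cell).
    Without the right key the layer does not decode, so the relay learns
    nothing about inner layers it does not hold a key for."""
    layer = json.loads(xor_crypt(key, cell).decode())
    return layer["next"], bytes.fromhex(layer["data"])


def route(circuit, payload):
    """Drive the cell through every relay; record what each relay learned."""
    cell = build_onion(circuit, payload)
    seen = []
    for name, key in circuit:
        next_hop, cell = relay_peel(key, cell)
        seen.append((name, next_hop))
    return seen, cell


# Constructed demo keys; a real circuit negotiates a fresh key with each hop.
CIRCUIT = [("entry", b"k-entry"), ("middle", b"k-middle"), ("exit", b"k-exit")]

if __name__ == "__main__":
    seen, plaintext = route(CIRCUIT, b"GET / HTTP/1.1")
    for relay, next_hop in seen:
        print(f"{relay} forwards to {next_hop}")
    print("responder receives:", plaintext)
```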

Tor is more popular and has a larger user base, which may be the reason it attracts more anti-social elements and criminals. The anonymity it provides to access the hidden services inside the Tor network is exactly what bad actors want. There is no doubt that the Dark Web hosts a large online black market. The Silk Road site (silkroad6ownowfk[.]onion) was one of the famous black markets on Tor. As per the FBI, the Silk Road hidden service was used by hundreds of drug dealers and others to sell unlawful goods and services. There are movies, TV shows and news about the harmful and negative side of the Dark Web. But it is not true that the Dark Web is only associated with bad business.

Arguably there are legitimate purposes for using an anonymous network: for whistle-blowers, who can share secret stories anonymously or submit a confidential tip to a news agency; for investigative journalists to share and exchange information; and for countries where the Internet is forbidden or strictly controlled, where it helps to get around website bans.

Most news agencies and online media have created secure drop sites on the Tor network to collect confidential information from whistle-blowers. Wired UK, a magazine company, has a Tor site (k5ri3fdr232d36nb[.]onion) hosted on the Dark Web, aiming to help people share confidential information anonymously. Anyone can send information using the link without revealing their identity.

For investigative journalism, companies like BrightPlanet use the Deep Web and Dark Web to investigate fraudulent trademark usage for their clients, to combat pharmaceutical fraud, or to analyze news focusing on terror groups [8].

To fight media censorship, famous websites such as Facebook (www.facebookcorewwwi[.]onion) launched Tor websites in 2016. In 2017, the New York Times launched their news website (www.nytimes3xbfgragh[.]onion) on Tor. The BBC (www.bbcnewsv2vjtpsuy[.]onion) has had an international news website on Tor since last year.

Even service providers are slowly starting to support Tor services. Recently Cloudflare announced that they are starting a DNS service for the Tor onion network, providing a privacy-first DNS resolver for the Tor network. This is the first of its kind and a welcome move for people who are looking forward to using Tor [9].

[1] “First URL active once more,” [Online]. Available: https://first-website.web.cern.ch/blog/first-url-active-once-more.

[2] Internet Live Stats, “Total number of Websites,” [Online]. Available: https://www.internetlivestats.com/total-number-of-websites/#ref-2.

[3] Google, “Introduction to robots.txt,” [Online]. Available: https://support.google.com/webmasters/answer/6062608?hl=en.

[4] The Journal of Electronic Publishing, “White Paper: The Deep Web: Surfacing Hidden Value,” [Online]. Available: https://quod.lib.umich.edu/cgi/t/text/idx/j/jep/3336451.0007.104/–white-paper-the-deep-web-surfacing-hidden-value?rgn=main;view=fulltext.

[5] Freenet Project, “What is Freenet?,” [Online]. Available: https://freenetproject.org/pages/about.html.

[6] Tor Project, “History,” [Online]. Available: https://www.torproject.org/about/history/.

[7] Tor Project, “Tor Metrics,” [Online]. Available: https://metrics.torproject.org/userstats-relay-table.html.

[8] BrightPlanet, [Online]. Available: https://brightplanet.com/2018/03/05/visualizing-terror-groups-named-entity-tagging/.

[9] Cloudflare, “Introducing DNS Resolver for Tor,” [Online]. Available: https://blog.cloudflare.com/welcome-hidden-resolver/.

Impact of Malware in Modern Society

Abstract:

In today’s world most humans carry at least one electronic computing device with a connection to the Internet. The Internet is starting to influence our everyday life. Other than computers and mobile devices, traditionally standalone equipment and devices are now also connected to the Internet to make them smart. Critical infrastructure of cities, healthcare and other industries (SCADA) has been connected to the Internet to make it smarter. The growth of the Internet helps to make human life easier. But at the same time the malware and cybercrime rate is increasing along with it. In 2016, the United States Council of Economic Advisers estimated that malware cost the U.S. economy between $57 billion and $109 billion [1]. In this paper, we review the most common types of malware on the Internet, their impact on our society, the motives to create malware and the future…

Understanding Grey Domains in Cisco Umbrella DNS Proxy

Unlike proxying all web traffic, Cisco Umbrella DNS-layer protection uses a “selective” proxy mechanism to intercept web traffic; in Cisco terms this feature is called the “Intelligent” proxy.

Umbrella classifies all domains into three categories — Good, Bad and Grey.

The classification is based on the domain’s reputation. Each domain is assigned a score based on in-depth research and the information received. The research data mainly comes from the Cisco Umbrella research team, Talos and more than 50 partners including researchers, academic institutions etc. [1].

For example purposes, I am using the Cisco Talos Reputation Center web tool to verify the reputation of three domains: https://talosintelligence.com/reputation

Screenshot: Talos score for Cisco.com domain

Screenshot: Talos score for putlockers.cr domain

Screenshot: Talos score for yr9n47004g[dot]com domain

The Umbrella Intelligent proxy will allow the Cisco.com domain and block the yr9n47004g[dot]com domain.

The putlockers.cr domain is neither Trusted nor Untrusted. Based on the Talos domain reputation site, the domain putlockers.cr may host “Illegal Downloads”, which is the reason the domain is not fully trusted.

Grey domains have a reputation similar (though not identical) to our example above, and all their web traffic is subject to proxying. That means the endpoint will not make a direct web connection to a grey domain. Grey domains are accessed via the Umbrella proxy, which gives Umbrella visibility into the web traffic to scan embedded malicious files and enforce content filtering (based on policy).

There are two ways to enable the Intelligent proxy: with SSL Decryption enabled or without SSL Decryption enabled.

Figure source: docs.umbrella.com

There are three main scenarios with the Intelligent proxy feature.

  1. Intelligent proxy is disabled: no web traffic is sent through the Umbrella proxy. Umbrella DNS resolves the domain name and returns the IP address of good and grey domains to the end device. End devices establish web connections directly to the good and the grey domains.
  2. Intelligent proxy is enabled without SSL decryption: all web traffic to grey domains is forwarded to the Umbrella proxy. Port 80 (HTTP) web traffic gets security enforcement as per policy, but Umbrella gets no visibility into port 443 (HTTPS) web traffic and hence cannot perform malware and anti-virus scanning or content filtering on it.
  3. Intelligent proxy is enabled with SSL decryption: all web traffic to grey domains is forwarded to the Umbrella proxy, and both port 80 and port 443 web traffic get security enforcement as per policy.
Figure: Intelligent Proxy web traffic forwarding matrix

Note: File Inspection should be enabled along with Intelligent proxy with SSL decryption to scan files for malicious content hosted on grey domains before those files are downloaded.

The Cisco Umbrella root certificate is needed when the Intelligent proxy with SSL decryption is enabled, in order to access the intended grey website; otherwise the browser will show a certificate error. Yes, we may be able to continue to the website by clicking the “I accept the risk” option in the browser, but this is not best practice and is not recommended.

[1] https://support.umbrella.com/hc/en-us/articles/230903908-Finding-out-More-About-Websites-that-Umbrella-has-Blocked-for-Security-

Imagine if you can print your old memories

Industrial Revolution 4.0 (IR4.0) is advancing more rapidly than the previous three revolutions. Its speed and agility are not only forcing us to change the way we live and work; it is also a disruption of the traditional approaches and business models of many industries.

The first Industrial Revolution began with the invention of the steam engine circa 1780, the second took place roughly a century later with the invention of electricity, and the third with the birth of the Internet, electronics and digital computing.

In less than half a century, the fourth industrial revolution is already here, with emerging technologies like Artificial Intelligence, quantum computing, biotechnology, the Internet of Things (IoT) etc.

Technology has become an integral part of our daily life. Day-to-day activities depend heavily on the many electronic devices and gadgets around us. In IR4.0, technology is blurring the boundaries between electronic devices and humans.

Technology is merging more and more into the biological world. Currently there are various small wearable devices and apps available to monitor your heart rate, steps walked, sleep pattern etc., up to even more advanced electronics like brain-controlled gadgets.

Brain-controlled gadgets mostly use a BCI (Brain Computer Interface) with electroencephalography (EEG) to make real-time interaction possible by using the brain directly. Commercial brain-controlled products are available on the market today for personal research purposes and wellness, including stress level management, improving concentration etc. [1] [2].

Other than brain-controlled gadgets, the prosthetics industry is integrating BCI to revolutionise new and advanced ways to add senses [3]. The integration is not limited to legs, feet or arms but extends to visual prostheses (artificial vision) as well.

Visual neural prostheses are an approach that provides hope to millions of blind people to generate visual perception in their brain using direct stimulation of the visual pathway. Though it is nowhere near the level of vision provided by a human eye, it may help a totally blind person to read large print [4] [5].

In our lifetime we create lots of visual memories. A memory is created by binding neurons together. When electrical impulses traverse the bonded neurons again, we can retrieve the visual experience from the past [6].

The question is whether we are advanced enough today to fetch the information from the brain’s visual memory region. Can we sense the electrical impulses of neurons in the visual memory region to artificially create an image? Maybe not today, but IR4.0 seems very promising.

Imagine the possibilities if we could capture the visuals from a human brain: how much knowledge we could capture digitally from smart brains around the world. We could take prints of our imagination or of our cherished childhood events. Isn’t that cool?

[1] “NextMind,” [Online]. Available: https://www.next-mind.com/

[2] “EMOTIV,” [Online]. Available: https://www.emotiv.com/workplace-wellness-safety-and-productivity-mn8/

[3] T. Abate, “An artificial nerve system developed at Stanford gives prosthetic devices and robots a sense of touch,” 31 May 2018. [Online]. Available: https://news.stanford.edu/2018/05/31/artificial-nerve-system-gives-prosthetic-devices-robots-sense-touch/

[4] N. P. Soroush Niketeghad, “Brain Machine Interfaces for Vision Restoration: The Current State of Cortical Visual Prosthetics,” 07 Sep 2018. [Online]. Available: https://www.ncbi.nlm.nih.gov/pmc/articles/PMC6361050/

[5] NIDEK CO. LTD, “Keys to Visual Prostheses,” [Online]. Available: https://www.nidek-intl.com/aboutus/artificial_sight/about_artificial_sight/point.html

[6] The Conversation, “An electronic chip that makes ‘memories’ is a step towards creating bionic brains,” 16 Jul 2019. [Online]. Available: https://theconversation.com/an-electronic-chip-that-makes-memories-is-a-step-towards-creating-bionic-brains-119741