?

Cisco Umbrella + BlueCat: How Financial Services Firms Can Reduce Threat Response Time

With a quick and seamless integration of BlueCat DNS and Cisco Umbrella, one financial services firm cut their threat response time to just seconds.

Dec 18, 2019 3 minute read

From our perspective, visibility (or lack thereof) continues to be a pervasive issue across all of our customers, big or small. 

A powerful solution from BlueCat solves not only the visibility problem but breaks down organizational barriers/silos, such as network and security, and provides that shared visibility over internal and external DNS traffic through a single platform. This provides these teams an opportunity to collaborate more often. 

In addition, with SOAR and tools operationalization being top of every organization's mind, BlueCat’s API enables automation and promotes very good integration with other network systems and tool sets, helping organizations realize the tool's value much faster.  

Let's take a look at one example in particular.

Seamless integration benefits the financial services sector

A large financial services company needed to improve its threat response time.

Using the powerful threat intelligence and insights of Cisco Umbrella, the company already had visibility into a wide range of threats. Their security team used Cisco Umbrella and a SIEM to identify malicious activity like tunneling, command and control, malware and phishing.

Now the company wanted a way to quickly pinpoint the origin of network security problems to mount a more effective defense. Here’s how the company’s head of security put it: "We were hitting some malware domain, but we really couldn’t take any action. We had no way of tying the DNS request in Cisco Umbrella back to an endpoint.” 

The Cisco and BlueCat solution

The company found an answer in the BlueCat DNS management system they had used for years.  Through a new Cisco Umbrella-BlueCat integration, the company was able to add information from endpoints and internal “east-west” DNS traffic into the robust threat detection framework they were already using. 

Here’s how it works: BlueCat DNS sits at the “first hop” of any DNS query, providing complete visibility into network activity right at the device level. That “first hop” is a service point – a lightweight way to collect the source and destination IP address without the operational baggage of on-device agents or physical DNS appliances. The integration feeds endpoint information directly into Cisco Umbrella and/or a SIEM, providing a simple way to drill down into the source of threats.

With this powerful forensic information in hand, the company can then use BlueCat to apply security policies right at the device level. Since it sits on existing network infrastructure, these policies can be applied without the need for on-device agents.

Reaping the rewards

The ability to add more granular, specific data from endpoints and internal DNS pathways dramatically reduced the company’s incident response time. Where they once spent hours or days piecing together log data from endpoints and internal DNS servers, now they can find the source of an alert with just a few clicks.

The head of security told us about the value of seeing DNS patterns across the enterprise: “Before, we might have seen a hundred malicious requests in Cisco Umbrella, and we’d have to trace each of them to a source device individually.With BlueCat, we can see if those are one hundred requests from one hundred machines or one hundred requests from a single machine.”

Learn more in a new integration video from BlueCat, or get started today with our Cisco Umbrella and BlueCat Adaptive DNS lab. 

Share this