With any IT system, there are bound to be problems.
Cisco Umbrella minimizes the risk of clicking on dangerous links, but it’s still prone to issues of its own.
As a DNS security system, Umbrella helps you reduce the chances of a user accessing a malicious website and opening your IT environment up to security threats.
By identifying unsafe domains, Umbrella and other DNS filters alert users and prevent them from accessing domains that the filter determines may be hijacked or malicious.
The KR Group uses Cisco Umbrella in multiple areas. Our managed IT services customers are required to use it. We deploy it during our security risk assessments, and we sell it to customers looking for additional ways to secure their data.
Here are some of the problems we like to give customers a heads up about:
- Data is slow to load after initial deployment.
- Getting the wrong subscription will hold you back.
- Not all data is accessible from the dashboard.
- Umbrella works best with Roaming Client.
- Not all features are configured automatically.
- Old OpenDNS accounts remain registered even if inactive.
All of these problems have simple solutions and shouldn’t prevent you from considering Umbrella as one of your security tools.
Problem #1: Data doesn’t show up immediately on Umbrella’s dashboard
As a security adviser, we deploy Umbrella during our security assessments to check for any active attack. However, you don’t need to sign up for a security risk assessment to use Umbrella this way.
Either way, an active attack can be identified by looking at the data Umbrella provides on the user dashboard. The problem is that it might take a few hours for Umbrella to acquire enough data for anything to show up.
This is especially problematic if you’re deploying Umbrella as part of incident response and are expecting immediate insight.
For example, if you’re trying to identify whether an advanced persistent threat is making a command-and-control callback, you won’t get that answer right away.
Solution: Deploy Umbrella proactively
This problem actually has two solutions.
First, you can simply wait for the data to be displayed on the portal.
However, if you are deploying Umbrella in response to a threat, the quicker you get the insight you’re looking for, the sooner you can start addressing the active attack.
This is why the best solution is to deploy Umbrella proactively, so you already have a baseline of data if an attack occurs. And of course, Umbrella could help prevent an attack in the first place.
Problem #2: The wrong Umbrella subscription won’t meet your needs
Cisco Umbrella has multiple tiers that include different features.
This gives you the option to purchase the tier that only provides what you need and no extras.
It also means you’ll need to make sure the tier you choose is the one that meets your needs. This is especially true if you’re looking for advanced reporting and data retention metrics.
For example, if you want to pull a report on historical DNS traffic, keep in mind that not all Umbrella tiers allow you to pull old reports.
Solution: Investigate your needs
To make sure Umbrella meets all of your needs, we recommend you make a list of what you want Umbrella to do within your environment. Then, you can look at the different options to find the tier that best matches what you need.
If you are still unsure, you can bring in your IT consulting company and/or security adviser to help you get the right tier for your needs.
Problem #3: Not all data is easily accessible from Umbrella’s dashboard
Even with the right subscription, you might run into the problem of not being able to view all of the data that’s important to you on the dashboard.
Cisco Umbrella’s dashboard provides a general overview of your network activity, including total DNS requests, total blocks, and security blocks.
This provides a general and easily accessible way to view the most important things Umbrella is analyzing.
However, this isn’t the end of Umbrella’s analysis capabilities.
Solution: Dive deeper into the dashboard
By navigating within the dashboard you can see some of the other areas Umbrella is analyzing, such as malware blocks, phishing blocks, command-and-control blocks, and cryptomining blocks.
It is also possible to create customized reports with Umbrella to give you insight into the metrics that are important to your business. You’ll need to take extra time to set up these reports, but it is possible.
Problem #4: Umbrella works best with Roaming Client
This is how you get the most value out of Umbrella.
The problem is that threat source information is limited if you don’t pay for Roaming Client seats for each of your users.
Without this additional feature of Cisco Umbrella, the threat source identification is limited to the network address, which will be the same for all of your users.
Solution: Acknowledge Roaming Client is worth the investment
The solution, of course, is to deploy Umbrella with Roaming Client.
This feature takes threat identification a step further by showing which device the threat originated from, as opposed to a general alert that only identifies your organization’s WAN IP address.
The best way to use this solution is to deploy it on every user’s device because it can only identify the threat source if it is deployed on the device.
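The attribution gap described above, as an added example that is not from the original article: it groups blocked DNS events by the most specific source identity available. The CSV columns, device names and sample rows are constructed for illustration and are not Umbrella’s export schema.

```python
import csv
import io
from collections import defaultdict

# Constructed sample events. The column names are hypothetical and are not
# Umbrella's export format. 203.0.113.10 stands in for the organization's WAN IP.
SAMPLE = """timestamp,wan_ip,device,domain,category,action
2024-05-01T09:00:05Z,203.0.113.10,,c2.example.net,command-and-control,blocked
2024-05-01T09:05:05Z,203.0.113.10,,c2.example.net,command-and-control,blocked
2024-05-01T09:06:40Z,203.0.113.10,LAPTOP-042,c2.example.net,command-and-control,blocked
2024-05-01T09:07:12Z,203.0.113.10,LAPTOP-017,news.example.org,news,allowed
2024-05-01T09:11:40Z,203.0.113.10,LAPTOP-042,c2.example.net,command-and-control,blocked
2024-05-01T09:12:02Z,203.0.113.10,LAPTOP-017,phish.example.com,phishing,blocked
"""

SECURITY_CATEGORIES = {"malware", "phishing", "command-and-control", "cryptomining"}


def attribute_blocks(csv_text):
    """Group security blocks by the most specific source identity per event.

    Returns {(level, source): {domain: count}} where level is "device" when a
    per-device identity was recorded and "network" when only the WAN IP is known.
    """
    findings = defaultdict(lambda: defaultdict(int))
    for row in csv.DictReader(io.StringIO(csv_text)):
        if row["action"] != "blocked" or row["category"] not in SECURITY_CATEGORIES:
            continue
        if row["device"]:
            key = ("device", row["device"])
        else:
            # No client on the endpoint: every user behind the WAN IP looks alike.
            key = ("network", row["wan_ip"])
        findings[key][row["domain"]] += 1
    return {key: dict(domains) for key, domains in findings.items()}


def actionable_devices(findings):
    """Devices an analyst can go isolate; network-level hits name no host."""
    return sorted(src for (level, src) in findings if level == "device")


if __name__ == "__main__":
    result = attribute_blocks(SAMPLE)
    for (level, source), domains in sorted(result.items()):
        print(f"{level:8} {source:14} {domains}")
    print("devices to investigate:", actionable_devices(result))
```

The two network-level hits show only that something behind the WAN IP queried the domain, while the device-level hits name a host that can be isolated and examined.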
Problem #5: Not all of Umbrella’s features are configured automatically
Two of the most common features users need to configure are:
1. Content Filtering
Umbrella isn’t a content filter, per se, but by monitoring DNS queries, you can prevent users from accessing potentially malicious websites, as well as unauthorized sites.
You can even sync it with Active Directory to allow some users to access sites while prohibiting others. For example, you can configure Umbrella to allow your marketing team to access social media, but not the rest of your company.
2. Malware Policies
Umbrella automatically works to prevent malware attacks. By taking the time for additional configuration with other features (such as content, malware, and advanced security), you can get even more granular with your Umbrella deployment to best meet the security needs of your IT infrastructure.
Solution: Reserve time for configuration
If these are features you want, the solution is to take the time to make sure you configure them correctly.
While it will take extra time, it’s just another way you can get the most value out of Cisco Umbrella.
Problem #6: Any old trials or accounts will still be registered
When we use Cisco Umbrella during security risk assessments, one problem we find is that old Umbrella or even OpenDNS (Umbrella’s predecessor) profiles still exist, but you might not remember your login information.
Or if you do, the expired version isn’t providing any helpful insight.
Solution: Delete old accounts
To start a new Cisco Umbrella trial or purchase a new full version, you need to recover your login information and remove or delete your account. This makes it possible to create a new one and start enjoying the features of Cisco Umbrella.
Deploying Cisco Umbrella in your environment
For most users, these problems aren’t a big deal because if you’re proactive and patient about deploying Cisco Umbrella, most of them won’t affect you.
By being proactive, you won’t have to wait for data to show up on your dashboard, and you can ensure Roaming Client is installed on all user devices.
Whether you deploy Umbrella proactively or reactively, spending a little extra time with the technology will allow you to make sure you have the right subscription, know how to access the data that’s important to you, and configure any additional features you want.
As long as you’ve done proper planning, the problems with Cisco Umbrella are manageable and pale in comparison to how powerful this tool is at monitoring security threats within your environment.
If you want to try Cisco Umbrella before you commit to a paid subscription, you can sign up for a free trial here.