Umbrella, by Cisco, is unlike most other forms of network security. It works at the level of the Domain Name System, or DNS. Every time a connection request is made on your network, Umbrella checks the domain name details and IP address at the other end of the connection to see if there’s anything suspicious or if it’s a known good address.
What does it check the IP address against?
Herein lies the power of the product. Umbrella (and its individual retail version, OpenDNS) is so popular that around 2% of the world’s DNS requests are observed by the product. That huge pool of data means that insights hidden in more than 80 billion IP requests per day can be detected by machine learning and applied to every IP request on your network.
For example, several factors combine to create a risk profile for a given IP address: how recently a domain was registered, whether the domain name looks like it was generated by a computer instead of a human, and whether an unusual amount of traffic, from more than one location or at odd times of day, is heading towards it. If multiple factors are present, the IP address attracts a high risk score.
If software on your network tries to connect to the suspect IP address, it will be stopped and you will be warned. And just like that, an attack is blunted and your data and network are safer.