What is Cisco Umbrella and How it Protects You

Overview

Cisco Umbrella is the first line of defense against cyber threats for all City computers, whether you are working in the office or remotely.

Think of Umbrella as a Cloud Security Gateway that inspects your internet requests before a website even loads or a file is downloaded. It uses global threat intelligence to instantly block connections to malicious websites, preventing malware, ransomware, and phishing attacks before they can reach your computer.

Because it is installed on your City device, your protection is always on, providing a consistent security layer wherever your work takes you.

Key Benefits of Cisco Umbrella for You

  • Blocks Threats Early: Umbrella works at the DNS level (the system that translates website names like Google.com into computer addresses). If you click a bad link, Umbrella checks the address against a global list of known threats and blocks the connection instantly.
  • Stops Phishing & Malware: It prevents your computer from connecting to websites known for phishing (stealing passwords) or hosting malware/ransomware. This stops the attack before your screen has time to display the malicious content.
  • Protects Remote Work: The protection is tied to your City device, not the office network. Whether you are at home, a coffee shop, or a conference, you receive the same level of security against threats.
  • Enforces City Policy: Umbrella helps the City maintain security standards by blocking access to sites in categories known to be high-risk or inappropriate for work use, ensuring a safe and productive environment.
  • Zero Impact on Speed: Because the check happens quickly in the cloud, you should not notice any delay in your internet browsing performance.

System Visibility and Security Logging

Cisco Umbrella is a critical security tool that enhances the City's overall security posture. To perform its function and protect against advanced threats, the system must maintain logs of network activity.

Why Logging is Necessary

  • Detect Compromise: If a threat (like ransomware) slips past the initial block, the system logs allow our IT Security team to trace the source of the infection and the commands it tries to execute, allowing us to contain the threat quickly.
  • Policy Enforcement: The system records when a connection is blocked due to malware or content policy. This ensures the security policies are working as intended and provides proof for compliance purposes.
  • Incident Response: In the event of a security incident, the logs provide an essential digital trail that helps the IT team understand what happened, which systems were affected, and how to prevent it from happening again.

What Activity is Logged

Cisco Umbrella monitors and logs metadata related to your internet requests when using a City device:

  • Destination/Domain: The website or address you tried to connect to (e.g., google.com, malicious-site.net).
  • IP Address: The network location of the destination and the computer making the request.
  • Action Taken: Whether the connection was Allowed, Blocked, or sent to a secure proxy for deeper inspection.
  • Date and Time: The timestamp of the network request.
  • Internal Identity: The information that links the request to your City computer or user account.

Important Note on City Device Usage

Please be aware that any activity on City-owned devices is subject to the City's Acceptable Use Policy and is logged for security and compliance purposes. These tools are used exclusively to maintain the security and integrity of the City's network and data.

What Happens When a Site is Blocked?

If you attempt to visit a website that Cisco Umbrella has identified as malicious or a policy violation, the connection will be blocked instantly.

Instead of the website loading, you will see a Block Page in your browser. This page clearly states that the site has been blocked by Cisco Umbrella (or "Web Protection") and provides a reason for the block (e.g., "Malware," "Phishing," or "Policy Violation").

I Believe a Legitimate Site Was Blocked (False Positive)

If you are certain that the blocked website is legitimate and necessary for your City duties:

  • Note the exact URL (web address) from your browser.
  • Take a screenshot of the Block Page showing the reason for the block.
  • Submit a ticket to the IT Help Desk with the URL and screenshot.

The IT team will review the request and, if appropriate, add the site to a secure Allow List to grant you access.

Do not attempt to use personal devices or workarounds to access a site that has been blocked by the security system. Always report it to IT.