Security Categories are the classes of threat destination that Cisco Umbrella can block. We've grouped security threats into categories to give you control over exactly what you enable and report on. This article explains the threat type each category blocks.

To access security settings, navigate to Policies > Security Settings.

Security Category Overview

The information below should be cross-referenced against the Security Settings under Policies > Security Settings in your Umbrella dashboard.

At a minimum, every package includes the security categories described under Categories below.

There is also a sub-category that's available for certain packages, named Integrations. The Integrations security category consists of domains that have been added to Umbrella through individual integrations. For more about integrations, read here.

Security Categories Explained

By default, no security categories are enabled. In general, we suggest that you find the right combination for your organization's policies; some identities may require a stricter security posture than others. However, there are some categories we recommend enabling for most or all identities, unless you are simply testing to see what Umbrella would have blocked.

NOTE

This does not mean you should leave the other categories (those not recommended for all identities) out of your policy, just that you should monitor your reports to see whether they make sense to apply to your identities.

Categories

  • Malware—Block requests to servers hosting malware and to compromised websites, over any application, protocol, or port. Recommended to be ON.
  • Phishing—Protect users from fraudulent websites designed to steal personal information. Recommended to be ON.
  • Command and Control Callbacks—Prevent compromised devices from communicating with attackers' command and control servers over any application, protocol, or port, and help identify potentially infected machines on your network. Recommended to be ON. Note: this category was called 'Botnet' in earlier versions of Umbrella. We changed the name to better reflect what this security category prevents; the blocked destinations are the command and control infrastructure of the botnet itself.
  • Dynamic DNS—Block sites hosted on dynamic DNS services. Off by default.
  • Newly Seen Domains—Detect domains that were queried for the first time very recently. For more important information on this category, read here. Off by default.
  • DNS Tunnelling VPN—VPN services that let users disguise their traffic by tunnelling it through the DNS protocol. These can be used to bypass corporate policies on access and data transfer. Off by default.
  • Potentially Harmful Domains—Domains that exhibit suspicious behavior and may be part of an attack. This category has a higher risk of unwanted detections (false positives). Read more here. Off by default.
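To make concrete what the DNS Tunnelling VPN and Command and Control Callbacks categories are looking at on the wire, the following is an added example and not Umbrella's own code or detection logic. It encodes a payload into DNS query names the way a tunnel client does (assumption: base32 labels under a hypothetical attacker-controlled zone `tun.example.net`, carried in TXT queries), then runs a resolver-side heuristic over a constructed query log, scoring each (client, registered domain) pair on the number of unique subdomains, their average length and their character entropy. The thresholds and the naive "last two labels" rule for the registered domain are assumptions chosen for the sample; a production detector would use the Public Suffix List and tune thresholds against its own baseline.

```python
"""Heuristic DNS-tunnelling detector over a DNS query log.

Added example, not Umbrella code. Shows how a DNS tunnel hides data in query
names and which signals a resolver-side detector can score to spot it.
"""
import base64
import hashlib
import math
from collections import Counter, defaultdict

TUNNEL_ZONE = "tun.example.net"   # hypothetical attacker-controlled zone (assumption)


def encode_tunnel_queries(payload, zone=TUNNEL_ZONE, chunk=30):
    """Encode payload as a sequence of query names, the way a tunnel client does.

    Each 30-byte chunk becomes one 48-character base32 label (RFC 1035 caps a
    label at 63 bytes), prefixed by a sequence label so the far end can reorder.
    """
    names = []
    for seq, i in enumerate(range(0, len(payload), chunk)):
        label = base64.b32encode(payload[i:i + chunk]).decode().rstrip("=").lower()
        names.append(f"{seq:04x}.{label}.{zone}")
    return names


def shannon_entropy(s):
    """Bits of entropy per character: random base32 data scores ~4+, words ~2-3."""
    if not s:
        return 0.0
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())


def split_name(qname):
    """Return (subdomain, registered_domain) using a naive last-two-labels rule.

    Simplification (assumption): a real detector would consult the Public
    Suffix List so that 'host.example.co.uk' maps to 'example.co.uk'.
    """
    labels = qname.rstrip(".").lower().split(".")
    if len(labels) <= 2:
        return "", ".".join(labels)
    return ".".join(labels[:-2]), ".".join(labels[-2:])


def score_log(records, min_unique=20, min_len=30, min_entropy=3.5):
    """Aggregate queries per (client, registered domain) and flag tunnel-like pairs.

    records: iterable of (client_ip, qname, qtype) tuples.
    Thresholds are assumptions for the sample, not Umbrella's values.
    """
    subs = defaultdict(set)
    total = Counter()
    txt = Counter()
    for client, qname, qtype in records:
        sub, domain = split_name(qname)
        key = (client, domain)
        subs[key].add(sub)
        total[key] += 1
        if qtype.upper() in ("TXT", "NULL"):   # record types tunnels favour for downstream data
            txt[key] += 1

    report = {}
    for key, names in subs.items():
        names = [n for n in names if n]
        unique = len(names)
        mean_len = sum(len(n) for n in names) / unique if unique else 0.0
        mean_ent = sum(shannon_entropy(n) for n in names) / unique if unique else 0.0
        flagged = unique >= min_unique and mean_len >= min_len and mean_ent >= min_entropy
        report[key] = {"unique": unique, "mean_len": round(mean_len, 1),
                       "mean_entropy": round(mean_ent, 2),
                       "txt_ratio": round(txt[key] / total[key], 2), "flagged": flagged}
    return report


def flagged_pairs(records, **kw):
    """The set of (client, registered domain) pairs the heuristics flag."""
    return {k for k, v in score_log(records, **kw).items() if v["flagged"]}


# Constructed sample log (not real Umbrella data): ordinary lookups from one
# client plus a 1280-byte "upload" from another, encoded as a tunnel would.
BENIGN = [
    ("10.0.0.5", "www.cisco.com", "A"),
    ("10.0.0.5", "umbrella.cisco.com", "A"),
    ("10.0.0.5", "mail.google.com", "A"),
    ("10.0.0.5", "_dmarc.cisco.com", "TXT"),
    ("10.0.0.5", "cdn.jsdelivr.net", "AAAA"),
]
PAYLOAD = b"".join(hashlib.sha256(bytes([i])).digest() for i in range(40))
TUNNEL = [("10.0.0.9", q, "TXT") for q in encode_tunnel_queries(PAYLOAD)]
SAMPLE_LOG = BENIGN + TUNNEL

if __name__ == "__main__":
    for (client, domain), stats in sorted(score_log(SAMPLE_LOG).items()):
        print(f"{client:10} {domain:20} {stats}")
```

The three signals are combined with AND on purpose: a CDN or anti-spam service also produces many unique subdomains, and a single long SPF lookup also produces a high-entropy name, but only a tunnel sustains all three at once. Running the block prints the per-pair statistics, with only the `10.0.0.9` / `example.net` pair flagged.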

All of these security categories are important in understanding our other Umbrella reports, starting with the Security Overview Report.