Cisco Email SecurityBest Practices and Fine Tuning
Usman Din, Product Manager Email SecurityBRKSEC-2131
• Introduction• Terminology and understanding the Email Pipeline• Configuration and Best Practices for Anti-Spam Tuning• Configuration and Best Practices for Spoofing and Phishing detection• Attachment Control and Defence• Summary & Checklists
Agenda
© 2016 Cisco and/or its affiliates. All rights reserved. Cisco Public
Introductions
• Joined Cisco through IronPort acquisition in 2007. • Global Lead for the Email Security Advisory Group• Cisco Live Speaker in US, LATAM and EU,
Distinguished Speaker, Cisco Live Berlin (2016)• Now part of the Product Management team for
Email Security• Based out of Toronto, Canada
BRKSEC-2131 4
Usman Din
The Email Pipeline
© 2016 Cisco and/or its affiliates. All rights reserved. Cisco Public
The Email Pipeline
Encryption
Virtual Gateways
Delivery Limits
Received: Header
Domain-Based Limits
Domain-Based Routing
Global Unsubscribe
S/MIME Encryption
DKIM Signing
Bounce Profiles
Message Delivery
LDAP RCPT Accept (WQ)
Masquerading (Table / LDAP)
LDAP Routing
Message Filters
Anti-Spam
Anti-Virus
Advanced Malware (AMP)
Graymail, Safe Unsubscribe
Content Filtering
Outbreak Filtering
DLP Filtering (Outbound)
Per-P
olic
y Sc
anni
ng
Host Access Table (HAT)
Received Header
Default Domain
Domain Map
Recipient Access Table (RAT)
Alias Table
LDAP RCPT Accept
SMTP Call-Ahead
DKIM / SPF Verification
DMARC Verification
S/MIME Verification
SMTP SERVER WORKQUEUE SMTP CLIENT
BRKSEC-2131 6
Anti-Spam Tuning : HAT, Mail Flow Policies and Workqueue settings
© 2016 Cisco and/or its affiliates. All rights reserved. Cisco Public
A note about Best Practices…
• Throughout the material we will present options for tuning your environment
• These are meant to be general guidelines, and as each environment is unique, it is recommended that settings be set in monitor mode first
• After a determined time, perform analysis and tuning of rules and settings to achieve the desired result
BRKSEC-2131 8
© 2016 Cisco and/or its affiliates. All rights reserved. Cisco Public
Understanding Email Reputation
-10
IP Reputation Score
Spam Traps Complaint Reports
IP Blacklists and Whitelists
Message Composition
Data
Compromised Host Lists
Website Composition
Data
Global Volume Data
Domain Blacklist and
SafelistsOther Data
Geo-Locationdata
Host Data
DNS Data
0 +10
• Breadth and quality of data makes the difference
• Real-time insight into this data that allows us to see threats before anyone else in the industry to protect our customers
BRKSEC-2131 9
© 2016 Cisco and/or its affiliates. All rights reserved. Cisco Public
• HATs are associated per listener, defined as being Public or Private. Once a listener is defined they cannot be changed.
• IPs and Hosts are evaluated in the HAT Top Down, First Match
• SenderGroups are containers that define the policy based on match
• Inclusion into a SenderGroup is defined by Reputation Score, DNS, or explicit match
Host Access Table Structure
BRKSEC-2131 10
© 2016 Cisco and/or its affiliates. All rights reserved. Cisco Public
• SenderBase score can be attached to the SenderGroups, ensure that the neutral and no score ranges are addressed
• Within the settings you define the Name, Mail Flow Policy
• Nomenclature is important as it will be displayed in logs and reports
• SBRS scores can be assigned to the group
• RBLs can be leveraged if required.
SenderGroup Options
Thu Jun 9 13:40:34 2016 Info: New SMTP ICID 8 interface Management (10.10.10.90) address 94.46.249.12
Thu Jun 9 13:40:34 2016 Info: ICID 8 ACCEPT SG SUSPECTLIST match sbrs[-3.0:-1.0] SBRS -2.1Thu Jun 9 13:40:34 2016 Info: Start MID 410 ICID 8
Note that SBRS uses multiple sources including honeypots and DNSBLs
BRKSEC-2131 11
© 2016 Cisco and/or its affiliates. All rights reserved. Cisco Public
• Connecting host PTR record does not exist in DNS.
• Connecting host PTR record lookup fails due to temporary DNS failure.
• Connecting host reverse DNS lookup (PTR) does not match the forward DNS lookup (A).
SenderGroup Options
BRKSEC-2131 12
© 2016 Cisco and/or its affiliates. All rights reserved. Cisco Public 13BRKSEC-2325
Why is Telemetry important
• Provides Talos insight on targeted attacks
• Hidden CLI command to give more details to Talos - "fullsenderbaseconfig"
© 2016 Cisco and/or its affiliates. All rights reserved. Cisco Public 14BRKSEC-2131
What is sent to Talos?• When enabled, the Context
Adaptive Scanning Engine (CASE) is used to collect and report the data (regardless of whether or not Cisco anti-spam scanning is enabled)
• The data is summarisedinformation on message attributes and information on how different types of messages were handled by Cisco appliances. We do not collect the full body of the message
Item Sample DataMessage count at various stages within the appliance Seen by Anti-Virus engine: 100
Seen by Anti-Spam engine: 80
Sum of Anti-Spam and Anti-Virus scores and verdicts 2,000 (sum of anti-spam scores for all messages seen)
Number of messages hitting different Anti-Spam and Anti-Virus rule combinations
100 messages hit rules A and B50 messages hit rule A only
Number of Connections 20 SMTP Connections
Number of Total and Invalid Recipients 50 total recipients10 invalid recipients
Hashed Filename(s): (a) A file <one-way-hash>.pif was foundinside an archive attachment called<one-way-hash>.zip.
Obfuscated Filename(s): (b) A file aaaaaaa0.aaa.pif was found inside a file aaaaaaa.zip.
URL Hostname (c) There was a link found inside a message to www.domain.com
Obfuscated URL Path (d) There was a link found inside a message to hostname www.domain.com, and had path aaa000aa/aa00aaa.
Number of Messages by Spam and Virus Scanning Results 10 Spam Positive10 Spam Negative5 Spam Suspect4 Virus Positive16 Virus Negative5 Virus Unscannable
Number of messages by different Anti-Spam and Anti-Virus verdicts 500 spam, 300 ham
Count of Messages in Size Ranges 125 in 30K-35K range
Count of different extension types 300 “.exe” attachments
Correlation of attachment types, true file type, and container type 100 attachments that have a “.doc” extension but are actually “.exe”50 attachments are “.exe” extensions within a zip
Correlation of extension and true file type with attachment size 30 attachments were “.exe” within the 50-55K range
Number of attached files uploaded to the file reputation service (AMP cloud)
1110 files were uploaded to the file reputation service
Verdicts on files uploaded to the file reputation service (AMP cloud) 10 files were found to be malicious100 files were found to be clean1000 files were unknown to the reputation service
Reputation score of files uploaded to the file reputation service (AMP cloud)
50 files had a reputation score of 3750 files had a reputation score of 571 file had a reputation score of 619 files had a reputation score of 99
Names of files uploaded to the file reputation service (AMP cloud) example.pdftestfile.doc
Names of malware threats detected by the file reputation service (AMP cloud)
Trojan-Test
© 2016 Cisco and/or its affiliates. All rights reserved. Cisco Public
Customising Reputation on the ESA
• Reputation Score determined when connection initiated
• Sender Groups and actions are defined by the administrator
• Reputation can block 80-90% connections on the ESA
Default Settings: Moderate Blocking
Custom Settings: Aggressive Throttling
BRKSEC-2131 15
© 2016 Cisco and/or its affiliates. All rights reserved. Cisco Public
• Before tuning, it is recommended to use the default (moderate) settings to understand the mail flow for your environment.
• Objective of tuning is to block or throttle more messages at the connection level, saving resources for processing legitimate mail.
• The first step is to create content filters to flag messages that are being passed through the default reputation filters with the SBRS and any scanning verdict info
• Evaluate reporting of Content Filters and adjust HAT settings are required
OK, that's nice. How do I figure out what to set?
BRKSEC-2131 16
© 2016 Cisco and/or its affiliates. All rights reserved. Cisco Public
• DNS is the most critical external service for the ESA
• By default there are 4 DNS lookups per connection: Reverse DNS, 2 SBRS lookups and ASN Number (informational)
• With SPF, DKIM and DMARC – 3 or more DNS TXT record lookups
• At least 7 possible DNS lookups per connection (excluding any caching)
• Now factor in outbound destination DNS resolution, LDAP, internal hosts, etc.
• More resolvers in high connection environments
• Look into logs for “SBRS Not Available” to identify possible issues with DNS timeouts
Reputation: DNS and caching
BRKSEC-2131 17
© 2016 Cisco and/or its affiliates. All rights reserved. Cisco Public
• Delayed HAT Rejection allows for additional logs for Reputation based blocks
• 2 additional log lines are added to each connection with details of from and to addresses
Reputation: Delayed HAT Rejection
esa.teamnorthwind.com> listenerconfig
Currently configured listeners:
1. SMTP-AGRESSIVE (on Management, 10.10.10.20) SMTP TCP Port 25 Public
[]> setup
By default connections with a HAT REJECT policy will be closed with a banner message at the start of the SMTP conversation. Would you like to do the rejection at the
message recipient level instead for more detailed logging of rejected mail? [Y]>
http://www.cisco.com/c/en/us/support/docs/security/email-security-appliance/117960-qa-esa-00.html
BRKSEC-2131 18
© 2016 Cisco and/or its affiliates. All rights reserved. Cisco Public
• Global limits: Total IPv4 and IPv6 entire appliance, maximum should not exceed 400 concurrent connections (default is 300)
• Per listener limits: Each listener on the appliance should be configured to match your maximum global limit
• Mail Flow Policy limits: Per policy limits are used to rate limit senders, use concurrent connections in conjunction with host and sender rate limits
Understanding Connections
BRKSEC-2131 19
© 2016 Cisco and/or its affiliates. All rights reserved. Cisco Public
• Limit guidance per model – Model type makes no difference in the number of connections per appliance. Connection limits are based on OS, throughputs between appliances do vary
• In environments that require high number of concurrent connections, recommendation is to increase the number of appliances
Understanding Connections
Enter the global limit for concurrent connections to be allowed across all listeners.
[300]>
Listener SMTP-POV Policy $RELAYED max concurrency value of 600 will be limited to 300 by this concurrency setting.
BRKSEC-2131 20
© 2016 Cisco and/or its affiliates. All rights reserved. Cisco Public
• By default the only MFP that has any Host limiting is the throttle policy
• By default, there are no Envelope Sender Limits set on the ESA
• It is recommended to use Sender Limits in suspect ranges
MailFlow policies: Host vs Sender Throttling
BRKSEC-2131 21
© 2016 Cisco and/or its affiliates. All rights reserved. Cisco Public
• DHAP is set high on the ESA, recommend to tune it to be lower on suspect ranges
• LDAP enhances DHAP by performing rejection in conservation
MailFlow policies: Security Settings
BRKSEC-2131 22
© 2016 Cisco and/or its affiliates. All rights reserved. Cisco Public
• TLS Settings are not by default for incoming or outgoing mail• Three levels of checking, preferred can be set on the default mail flow
policy• Mandatory can be setup as a list or as it’s own SenderGroup
MailFlow policies: Security Settings
BRKSEC-2131 23
© 2016 Cisco and/or its affiliates. All rights reserved. Cisco Public
• Per domain policies take place after message filtering and LDAP rewrites
• Triggering Inbound and Outbound policies via Mail Flow policies• A message is determined to be outbound because of relay mail flow
policies (think of the HAT)• SMTP authentication also triggers outbound regardless of accept
policy set.
Per Policy Scanning
BRKSEC-2131 24
© 2016 Cisco and/or its affiliates. All rights reserved. Cisco Public
Policy Engine And Splintering• If a single message matches multiple policies, it will be splintered
• Splintering only occurs if multiple policies are matched
Host Access Table (HAT)
Recipient Access Table (RAT)
…
SMTP SERVERLDAP RCPT Accept (WQ)
Masquerading (Table / LDAP)
LDAP Routing
Message Filters
WORKQUEUE
Anti-Spam
Anti-Virus
Advanced Malware (AMP)
Graymail, Safe Unsubscribe
Content Filtering
Outbreak Filtering
DLP Filtering (Outbound)
Per-P
olic
y Sc
anni
ng
WORKQUEUE
Anti-Spam
Anti-Virus
Advanced Malware (AMP)
Graymail, Safe Unsubscribe
Content Filtering
Outbreak Filtering
DLP Filtering (Outbound)
Per-P
olic
y Sc
anni
ng
WORKQUEUE
Encryption
Virtual Gateways
Delivery Limits
Received: Header
Domain-Based Limits
Domain-Based Routing
…
SMTP CLIENT
Encryption
Virtual Gateways
Delivery Limits
Received: Header
Domain-Based Limits
Domain-Based Routing
…
SMTP CLIENT
MAIL FROM: [email protected] TO: [email protected] TO: [email protected]
MAIL FROM: [email protected] TO: [email protected] TO: [email protected]
MAIL FROM: [email protected] TO: [email protected]
MAIL FROM: [email protected] TO: [email protected]
MAIL FROM: [email protected] TO: [email protected]
MAIL FROM: [email protected] TO: [email protected]
BRKSEC-2131 25
© 2016 Cisco and/or its affiliates. All rights reserved. Cisco Public
• Use policies to leverage message splintering to apply rule and scanning as required
• Top down / first match wins, order is very important
Per Policy Scanning
BRKSEC-2131 26
© 2016 Cisco and/or its affiliates. All rights reserved. Cisco Public
• Complex conditions inside a policy using AND/OR/NOT
• Multiple conditions can be used inside the same policy
• Move your logic from the filter into the policy and reduce resource consumption
• After upgrading to 10.0 , when you match a message to a mail policy, the envelope sender and the envelope recipient have a higher priority over the sender header.
BRKSEC-2131 27
Policy Match Conditions
© 2016 Cisco and/or its affiliates. All rights reserved. Cisco Public
• Customer often use Dictionaries to match senders / recipients for Blacklists / Whitelists
• By applying a block via content filter + dictionary causes all messages to be scanned, thus using more resources
• Using Policies to splinter and apply actions quickly
BRKSEC-2131 28
Using Policies vs Dictionaries
© 2016 Cisco and/or its affiliates. All rights reserved. Cisco Public
• CASE stands for Context Adaptive Scanning Engine, which is a combination of the Anti-Spam, Graymail and Outbreak engines
• Each engine can provide a verdict and depending on the action of the engine will either pass or drop the message
• A non-final action (i.e Quarantine) will allow a message to continue to process down the workqueue. A final action such as drop will cause an “early exit” condition
• Other scanning blades may take precedence if another engine determines a positive condition
Understanding CASE
BRKSEC-2131 29
Sender Reputation
80-90%Block Rate
ConnectionControl
Throttling, DHAP, SPF,
DKIM, DMARC
CASE(AS,GM,OF)
Multi-Verdict scanning
File Reputation
SHA based file blocking
File Analysis & Retrospection
Over 300 BehaviouralIndicators
Graymail Detection
Control marketing,
social and bulk
Content Filtering
Business and Security rules
Outbreak Filtering
9-12 hr lead time on
Outbreaks
Connection Filters Spam Filter Anti-Malware Defence
Anti-Virus(Sophos,McAfee)
Block 100% of known viruses
Marketing Filter Rules 0-day Malware
Spoof Analysis Anti-Phishing and URL AnalysisAdvanced Malware Protection (AMP)URL Analysis
© 2016 Cisco and/or its affiliates. All rights reserved. Cisco Public
• You can adjust the thresholds for Suspect / Positive spam to increase or decrease sensitivity
• Don’t do it, unless you really have to
• As we tune spam rules, we use the default thresholds as a baseline, so this may result in undesired results
Adjusting Thresholds
BRKSEC-2131 30
© 2016 Cisco and/or its affiliates. All rights reserved. Cisco Public
Enable Graymail Scanning
• Graymail has 2 components: Detection and Unsubscribe
• Detection is free. It comes as part of the base email subscription license
• The graymail engine will provide verdicts to IPAS (final decision), which leads to a better overall email efficacy
BRKSEC-2131 31
© 2016 Cisco and/or its affiliates. All rights reserved. Cisco Public
Enabling Outbreak Filters• By default, only Virus Outbreak
is enabled• Enabling Threat Outbreak
(Message Modification) you get additional intelligence being fed into CASE
• In order to use URL functionality (covered later) Outbreak Filters must be turned on and configured
BRKSEC-2131 32
© 2016 Cisco and/or its affiliates. All rights reserved. Cisco Public
Upgrade, Enable, and Tune!
1
2
3
Enable Antispam – and if possible (based on hardware) increase scanning thresholds to 1M for always scan, 2M for never to scan more
Enable Graymail – it’s a free engine which helps with Anti-Spam efficacy. Introduced in 9.5 so upgrade!
Enable Outbreak Filters – and if possible (based on hardware) increase scan size to 1M
BRKSEC-2131 33
© 2016 Cisco and/or its affiliates. All rights reserved. Cisco Public
Anti-Spam Tuning Checklistq Assess your Host Access Table – still
using the defaults? Time to adjust the scores
q Create more SenderGroups and get gradually more aggressive in your settings
q Check you WhiteLists - entries could be years old, ip changed, etc. Use the comments to keep track and prune regularly
q Check you Mail Flow Policies and turn on Sender limits, Sender Verification, etc.
q Use the new granular policies to create better Incoming Mail Policies
q Move the logic from the filter to the policy to create more efficient settings
q Turn on Graymail, Threat Outbreak Filtering to get more insight and better efficacy
q Check your file size limits: Defaults are low and could potentially allow threat messages through
q Upgrade, Upgrade, Upgrade!
BRKSEC-2131 34
Anti-Phishing : Content Filters and Outbreak Filtering
© 2016 Cisco and/or its affiliates. All rights reserved. Cisco Public
Understanding where URLs are evaluated• As of version 8.5.6 the ESA can evaluate URLs inside a
message – both for Reputation and Categorisation
• URL filtering is not enabled by default, you must enable the service and have a valid Outbreak Filter license to perform URL inspection
• Once enabled, URLs are evaluated in three scanning blades:1. During IPAS Scan, a URL is used to factor into SPAM scores2. Inside a Content Filter for Reputation Score and Category3. As part of the Threat Outbreak Filter URL Rewrite function
• 9.7 introduced Web Interaction Tracking for Clicked URLs, which must be enabled after upgrade
LDAP RCPT Accept (WQ)
Masquerading (Table / LDAP)
LDAP Routing
Message Filters
Anti-Spam
Anti-Virus
Advanced Malware (AMP)
Graymail, Safe Unsubscribe
Content Filtering
Outbreak Filtering
DLP Filtering (Outbound)
Per-P
olic
y Sc
anni
ng
WORKQUEUE
BRKSEC-2131 36
© 2016 Cisco and/or its affiliates. All rights reserved. Cisco Public
• Enable URL Filtering globally under security settings:
• The Web Reputation Score (WBRS) uses the same -10 to +10 score, however it means something very different than SBRS
URL Evaluation and options
-10 -6 0 +6 +10
Malicious Neutral Good
• Based on you organisations security posture you can determine how aggressive you wish to be with URL entering your organisation
BRKSEC-2131 37
© 2016 Cisco and/or its affiliates. All rights reserved. Cisco Public
• URL Reputation is assessed inside of the CASE engine and used as part of the decision for Anti-Spam
• If not stopped as Spam the URL can be evaluated inside a content filter for both Category and Reputation
URL Evaluation and options
BRKSEC-2131 38
© 2016 Cisco and/or its affiliates. All rights reserved. Cisco Public
Recommendations:• Block URL: -10 to -6
• URL Remove: -5.9 to -5.8
• Leave the rest for Outbreak Filters
• Use in condition when you want to take an action on the whole message
• Use in action to act on URL only
URL Evaluation and options
BRKSEC-2131 39
© 2016 Cisco and/or its affiliates. All rights reserved. Cisco Public
• URL Categorisation on the ESA leverages the same data as the Web Security Appliance (WSA) and Cloud Web Security (CWS)
• Use this to compliment Acceptable Use Policies to prevent inappropriate URLs in email
URL Categorisation
BRKSEC-2131 40
© 2016 Cisco and/or its affiliates. All rights reserved. Cisco Public
• Logging of URLs can be seen in the mail logs and only if the outbreakconfig command is run
URL Logging & Tracking
BRKSEC-2131 41
© 2016 Cisco and/or its affiliates. All rights reserved. Cisco Public
• With the 10.0 release, URL information can be shown in message tracking if enabled by role
URL Evaluation and options
BRKSEC-2131 42
© 2016 Cisco and/or its affiliates. All rights reserved. Cisco Public
• Graymail Unsubscribe is an additional license
• It provides protection against malicious threats masquerading as unsubscribe links
• A uniform interface for all subscription management to end-users
• Better visibility to the email administrators and end-users into such emails
Graymail Unsubscribe
BRKSEC-2131 43
© 2016 Cisco and/or its affiliates. All rights reserved. Cisco Public
Graymail Unsubscribe
End-user clicks on the rewritten un-subscription link
in the banner
Click-time check of the rewritten link. If found safe
redirect to Un-Subscribe service
Cisco executes un-subscription on behalf of the
end-user
BRKSEC-2131 44
© 2016 Cisco and/or its affiliates. All rights reserved. Cisco Public
• On box reporting (batch) can provide valuable insight into who clicked on certain URLs
• More valuable as a training tool and understanding who is being targeted inside your environment
• Reporting and Tracking pages will show the URLs (Tracking in 10.0 for URL details)
Web Interaction Tracking & Reporting
BRKSEC-2131 45
© 2016 Cisco and/or its affiliates. All rights reserved. Cisco Public
• Other scams such as Banking, Money Mules, Dating, 419, etc are also used to get information from targets
• Blended threats combine spoofing and phishing in an attempt to look more legitimate to the target
• Threat Outbreak Filters must be enabled in order to help detect and stop these threats
Phishing is not just URLs
BRKSEC-2131 46
© 2016 Cisco and/or its affiliates. All rights reserved. Cisco Public
• Enable Threat Outbreak Filters (not enabled by default) by enabling Message Modification
• URL Rewriting allows for suspicious urls to be analysedby Cisco Cloud Web Security (Reputation, AV/AM, AMP)
Threat Outbreak Filters
BRKSEC-2131 47
Anti-Spoofing : HAT, Filters and Forged Email Detection
© 2016 Cisco and/or its affiliates. All rights reserved. Cisco Public
Anti-Spoofing OverviewSimple Spoof Simple spoof is where the attacker attempts to change or manipulate the envelope from in the headers
of an email. This spoof is relatively easy to detect using SPF or DMARC as well as other header validation checks
Reply-To Spoof Reply-To spoof is where the sending address does not match the reply-to address. This is a low spoof indicator and can lead to high false positives.
Cousin Domain / Typo Squatting Attacks become more sophisticated by relaying on minor changes to the suffix and / or prefix of the email addresses to trick users. High probability of success and hard to detect due to large number of variations
Display Name Modification Also called Business Email Compromise (BEC) is the most complex attack involves the use of legitimate domains (either hijacked or created) with the manipulating message headers to show an accurate Display Name and a Cousin domain/typo in the email address to trick targets into releasing information. This is the most common attack today with a high success rate.
BRKSEC-2131 49
© 2016 Cisco and/or its affiliates. All rights reserved. Cisco Public
Impact of Social Engineering • Social Engineering has added to the success
rate for spoofing attacks. Attackers will follow targets for months, on social media, news, etc.
• Will craft messages with “history” to add legitimacy to the request being made
• They will look for an event – i.e travel abroad, large deals, vendor agreements and use it to express urgency
• Along with technical controls, user education is key to prevent financial lost, brand damage, or legal ramifications.
BRKSEC-2131 50
© 2016 Cisco and/or its affiliates. All rights reserved. Cisco Public
• During connection, the HAT can be configured to validate SPF, DKIM and DMARC records
• No checks are enabled by default in the Mail Flow Policies• DMARC has the ability to stop / block mail via policy settings, SPF
and DKIM mark headers for further action via Content Filters or Message Filters
MailFlow policies: DKIM/SPF/DMARC
BRKSEC-2131 51
© 2016 Cisco and/or its affiliates. All rights reserved. Cisco Public
SPF,DKIM and DMARC Header LoggingThu Jan 26 06:08:34 2017 Info: New SMTP ICID 21779 interface Data 1 (216.71.132.15) address 50.58.115.68 reverse dnshost mail.palmbeachletter.com verified yesThu Jan 26 06:08:34 2017 Info: ICID 21779 ACCEPT SG UNKNOWNLIST match sbrs[-1.0:10.0] SBRS 4.1Thu Jan 26 06:08:34 2017 Info: ICID 21779 TLS success protocol TLSv1 cipher DHE-RSA-AES256-SHAThu Jan 26 06:08:34 2017 Info: Start MID 2744 ICID 21779Thu Jan 26 06:08:34 2017 Info: MID 2744 ICID 21779 From: bounces-mcpaid-6-8d6-238c-9f4-9b501-1538f@mail2.palmbeachgroup.comThu Jan 26 06:08:34 2017 Info: MID 2744 ICID 21779 SMTP Call-Ahead bypass applied to [email protected] Jan 26 06:08:34 2017 Info: MID 2744 ICID 21779 RID 0 To: [email protected]
Thu Jan 26 06:08:34 2017 Info: MID 2744 SPF: helo identity [email protected] Pass (v=spf1)Thu Jan 26 06:08:34 2017 Info: MID 2744 SPF: mailfrom identity bounces-mcpaid-6-8d6-238c-9f4-9b501-1538f@mail2.palmbeachgroup.com Pass (v=spf1)Thu Jan 26 06:08:34 2017 Info: MID 2744 SPF: pra identity [email protected] None headers fromThu Jan 26 06:08:34 2017 Info: MID 2744 DKIM: pass signature verified (d=palmbeachgroup.com s=mgsys-201410-1024-9art43rd [email protected])Thu Jan 26 06:08:35 2017 Info: MID 2744 DMARC: Message from domain palmbeachgroup.com, DMARC pass (SPF aligned True, DKIM aligned False)Thu Jan 26 06:08:35 2017 Info: MID 2744 DMARC: Verification passed
52BRKSEC-2131
© 2016 Cisco and/or its affiliates. All rights reserved. Cisco Public
How it works: SPF• Sender Policy Framework, specified in RFC4408
• Allows recipients to verify sender IP addresses by looking up DNS records listing authorised Mail Gateways for a particular domain
• Uses DNS TXT Resource Records
• Can verify HELO/EHLO and MAIL FROM identity (FQDN)
• Upon evaluation of SPF records, the following can these results:Result Explanation Intended actionPass The SPF record designates the host to be allowed to send acceptFail The SPF record has designated the host as NOT being allowed to send rejectSoftFail The SPF record has designated the host as NOT being allowed to send but is in transition accept but markNeutral The SPF record specifies explicitly that nothing can be said about validity acceptNone The domain does not have an SPF record or the SPF record does not evaluate to a result acceptPermError A permanent error has occurred (eg. badly formatted SPF record) unspecifiedTempError A transient error has occurred accept or reject
BRKSEC-2131 53
© 2016 Cisco and/or its affiliates. All rights reserved. Cisco Public
SPF Record Semantics
acmilan.com IN TXT v=spf1 ip4:77.92.66.4 -all
SPF version
Verification mechanisms
BRKSEC-2131 54
© 2016 Cisco and/or its affiliates. All rights reserved. Cisco Public
How it works: SPF• Mechanisms: all, ip4, ip6, a, mx, ptr, exists, include
• Qualifiers: "+" Pass, "-" Fail, "~" SoftFail, "?" Neutral
• Modifiers: redirect, modifier
• Examples:• “v=spf1 mx –all” is allow MX to send mail, but no other domain• “v=spf1 +all” Nullifies any usefulness of SPF• “v=spf1 ip4:192.168.0.1/16 –all” Allow any IP address between 192.168.0.1 and
192.168.255.255• “v=spf1 mx/24 mx:offsite.domain.com/24 -all” Domain's MX servers receive mail on
one IP address, but send mail on a different
BRKSEC-2131 55
© 2016 Cisco and/or its affiliates. All rights reserved. Cisco Public
Taking action on SPF• When SPF is enabled, the ESA will
stamp headers in the message
• Use the results inside message or content filters to determine the action
• PRA identities are evaluated in the message filters only
• SPF vs SIDF, an interesting read: http://www.openspf.org/SPF_vs_Sender_ID
BRKSEC-2131 56
© 2016 Cisco and/or its affiliates. All rights reserved. Cisco Public
How it works: DKIM• Domain Keys Identified Mail, Specified in RFC5585
• Additional RFCRFC6376 (DKIM Signatures), RFC5863 (DKIM Development, Deployment and Operation), RFC5617 (Author Domain Signing Practices (ADSP))
• In a nutshell: Specifies methods for gateway-based cryptographic signing of outgoing messages, embedding verification data in an e-mail header, and ways for recipients to verify integrity of the messages
• Uses DNS TXT records to publish public keys20120113._domainkey.gmail.com IN TXT “k=rsa\; p=MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA1Kd87/UeJjenpabgbFwh+eBCsSTrqmwIYYvywlbhbqoo2DymndFkbjOVIPIldNs/m40KF+yzMn1skyoxcTUGCQs8g3FgD2Ap3ZB5DekAo5wMmk4wimDO+U8QzI3SD0""7y2+07wlNWwIt8svnxgdxGkVbbhzY8i+RQ9DpSVpPbF7ykQxtKXkv/ahW3KjViiAH+ghvvIhkx4xYSIc9oSwVmAl5OctMEeWUwg8Istjqz8BZeTWbf41fbNhte7Y+YqZOwq1Sd0DbvYAD9NOZK9vlfuac0598HY+vtSBczUiKERHv1yRbcaQtZFh5wtiRrN04BLUTD21MycBX5jYchHjPY/wIDAQAB”
BRKSEC-2131 57
© 2016 Cisco and/or its affiliates. All rights reserved. Cisco Public
DKIM on the ESA
• DKIM Settings in the HAT can be set to verify signatures
• Use a content filter to enforce policy based on DKIM auth result
• Use an action to Policy quarantine to be able to review spoofs
BRKSEC-2131 58
© 2016 Cisco and/or its affiliates. All rights reserved. Cisco Public
How it works: DMARC• Both DKIM and SPF have shortcomings, not because of bad design, but
because of different nature of each technology
• Thus, DMARC was born:• Leveraging great existing technologies, providing a glue to keep them in sync, and
allowing senders to mandate rejection policies and have visibility of offending traffic
• Domain-based Message Authentication, Reporting And Conformance• Defined in RFC 7489• Provides:
• DKIM verification• SPF authentication• Synchronisation between the two and all sender identities (Envelope From, Header From)• Reporting back to the spoofed entity
BRKSEC-2131 59
© 2016 Cisco and/or its affiliates. All rights reserved. Cisco PublicBRKSEC-2131 60
DMARC OperationSPF (or TXT) DNS
RRPublish SPF
Outgoing msg
Publish DMARC
InsertDKIM-Signature
Check SPF
Check SPF on Header From
Fetch DMARC Policy
Publish DKIM
AlignIdentifiers
Apply DMARC PolicyCheck DKIMDKIM (TXT) DNS
RR
DMARC (TXT) DNS RR
Send DMARC Report(s)
© 2016 Cisco and/or its affiliates. All rights reserved. Cisco Public
How it works: DMARC Record Structure
_dmarc.amazon.com IN TXT “v=DMARC1\; p=quarantine\; pct=100\; rua=mailto:[email protected]\; ruf=mailto:[email protected]
TXT Record for Domain amazon.com Version of DMARC Action on Auth Failure % of messages to apply policy
Aggregate Feedback report URI Forensic Feedback report URI
BRKSEC-2131 61
© 2016 Cisco and/or its affiliates. All rights reserved. Cisco Public
How to enable DMARC (inbound)
• DMARC is configured via by creating a profile and then applying the profile to a Mail Flow Policy
• By default the profile is set to Monitor for DMARC violations, however it needs to be applied to a policy for it to evaluate DMARC records
• Monitor and Tune settings and SenderGroupsand move to blocking when ready
BRKSEC-2131 62
© 2016 Cisco and/or its affiliates. All rights reserved. Cisco Public
DMARC Policy• Policies requested by senders:
• None• Quarantine• Reject
• Receivers MAY deviate from requested policies, but SHOULD inform the sender why (through Aggregate Report)
• Sampling rate (“p” tag) instructs the receiver to only apply policy to a fraction of messages
BRKSEC-2131 63
© 2016 Cisco and/or its affiliates. All rights reserved. Cisco Public
• Before you begin to block any messages, determine who is allowed to spoof; external marketing firms, vendors, SaaS tools and notifications
• Use a filter to mark and track addresses that match your domains or copy messages into a quarantine for review
• In your HAT create a SPOOF_ALLOW (or similar) to add the host addresses for vendors that are allowed. Use the SPOOF_ALLOW as part of the filter to ensure that those messages are not flagged or stopped
• The Sender Verification Table is enabled within the Mail Flow Policy and can be used to evaluate the mail from is exists and resolvable
• Use the SVT table to set your domains to block and apply to the policies
Allowed Spoofing & Sender Verification Table
BRKSEC-2131 64
© 2016 Cisco and/or its affiliates. All rights reserved. Cisco Public
Quick Review: Message Filters• High-performance scriptable filtering capability
• Accessible from CLI only (filters command)
• Allowing complex logical operators between conditions
• All Message Filters are evaluated for all messages
• Executed serially
• Apply to entire mail flow, incoming and outgoing!
• Message Filters occur before Policy Engine! Filter matches if any recipient matches, and all actions are executed for all recipients!
BRKSEC-2131 65
© 2016 Cisco and/or its affiliates. All rights reserved. Cisco Public
Message Filters
myFilter:if (body-contains('word',1)) AND \(attachment-filetype == 'Document') {
quarantine('Policy'); }
Name
Condition(s)
Action(s)
Logical Operator(s)
BRKSEC-2131 66
© 2016 Cisco and/or its affiliates. All rights reserved. Cisco Public
Filter Conditions• Can be combined using AND, OR, NOT
• != equals NOT if condition result can be evaluated(not (attachment-filetype == 'Document’)) equals (attachment-filetype != 'Document’)
• Mostly support regular expressions
• Least expensive conditions evaluated first
• Unneeded tests are not evaluated
• Inactive filters are evaluated!
BRKSEC-2131 67
© 2016 Cisco and/or its affiliates. All rights reserved. Cisco Public
• Actions are executed in order specified
• Final actions: skip-filters, drop, bounce, encrypt, smime-gateway• Just exit message filters and continue down the pipeline (except drop)
• All filter actions across all matching filters are cumulative• If a message matches multiple filters which execute the same action, only the last
specified action is executed
Message Filter Actions
BRKSEC-2131 68
© 2016 Cisco and/or its affiliates. All rights reserved. Cisco Public
• Above is an example of a message filter that will look to see if the IP is not in the RELAYLIST and is trying to send a message that matches a dictionary of names in the dictionary
• It will duplicate the message and place in quarantine for review
• Modify to include SPOOF_ALLOW list and domains in the From headerhttp://www.cisco.com/c/en/us/products/collateral/security/email-security-appliance/whitepaper_C11-737596.html
Filtering & Quarantine Spoofsquarantine_spoof_copy:if sendergroup != "RELAYLIST" AND (
mail-from-dictionary-match("No_Spoof_Domains", 1) ORheader-dictionary-match("No_Spoof_Domains","From", 1) OR
header-dictionary-match("Execs","From", 1)){duplicate-quarantine("All_Spoofs");notify-copy (“[email protected]");}
BRKSEC-2131 69
© 2016 Cisco and/or its affiliates. All rights reserved. Cisco Public
Detecting Reply-To Mismatch
BRKSEC-2131 70
Reply-To Header
From Header
© 2016 Cisco and/or its affiliates. All rights reserved. Cisco Public
• Forged Header Detection will look for permutations in the Display Name and the prefix of the email address in the From Header
• Use this rule to look for matches against a dictionary of names that are exact or some form of typo squatting
• i.e: Han S0lo, Han Slo, Han So1o
Forged Email Detection (New for 10.0)
BRKSEC-2131 71
© 2016 Cisco and/or its affiliates. All rights reserved. Cisco Public
• In this example, we took the from header and stripped it from the message if the match was 70 or above
• Combined with a warning disclaimer this would expose the bad sender while warning the end user
• Idea here is that for names that are low threshold matches, you can use the strip header to expose envelope sender – if it is legitimate, it won’t disrupt mail flow
• If all else fails, warn the user of a potential issue by using a disclaimer text on top of the message
Forged Email Filters
Info: MID 2089 Forged Email Detection on the From: header with score of 100, against the dictionary entry Han Solo
BRKSEC-2131 72
© 2016 Cisco and/or its affiliates. All rights reserved. Cisco Public
Phish & Spoofing Checklistq Enable URL Filtering on the ESA
q Enable Web Interaction Tracking (if permitted by policy)
q Enable certain admin users URL visibility in Message Tracking if permitted by policy)
q Enable Threat Outbreak Filtering and message modification – warn your users!
q Whitelist your partner URLS, use the scores to create filter for others
q Combine the reputation rules and leverage language detection as part of the logic
q Use the policies to define the level of aggression for rule sets
q Make a plan to enable SPF, DKIM and DMARC
q Know who your allowed external spoofs are by tracking them via filters and policies
q Build the list as the exception, trap all others
q With 10.0 use the Forged Email Detection Feature to look for matches on the display name, if too close to call, drop the From header
q Send a copy of suspected spoofs to a quarantine for review and then tune your rules to start blocking messages
BRKSEC-2131 73
Attachment Handling
© 2016 Cisco and/or its affiliates. All rights reserved. Cisco Public
Block the unwanted file types• Within either a content or message filter
an organisation can define how to handle attachments on a per policy basis.
• Commonly customers will create a content filter to block unwanted file types
• Using the predefined libraries simplifies the process
• The system will detect changed extensions or attempts to hide files within multiple zip levels in order to evade file blocking
BRKSEC-2131 75
© 2016 Cisco and/or its affiliates. All rights reserved. Cisco Public
Blocking early in the pipeline• If files are being outright dropped (i.e Executables) then doing
it earlier in the pipeline would save on AV, AMP and OF cycles
• A non-final action such as quarantine will allow the file to continue processing the file and any other verdict will apply
LDAP RCPT Accept (WQ)
Masquerading (Table / LDAP)
LDAP Routing
Message Filters
Anti-Spam
Anti-Virus
Advanced Malware (AMP)
Graymail, Safe Unsubscribe
Content Filtering
Outbreak Filtering
DLP Filtering (Outbound)
Per-P
olic
y Sc
anni
ng
WORKQUEUE
strip_all_exes: if (true) { drop-attachments-by-filetype ('Executable', “Removed attachment: $dropped_filename”);}
BRKSEC-2131 76
© 2016 Cisco and/or its affiliates. All rights reserved. Cisco Public
Macro Detection (Version 10.0.1)Macro enabled document detection allows the Email Administrator set Content Filter policies around email attachments containing macros and take the actions of:
• Quarantine the message
• Strip the attachment
• Strip the attachment and add notification text to the message body
• Modify the subject
• Add header
• Forward to another address
77BRKSEC-2131
© 2016 Cisco and/or its affiliates. All rights reserved. Cisco Public
Block known viruses
• Sophos comes bundled with the licenses, enable and block known viruses
• Encrypted => Password Protected, Signed
• Unscannable => Too large to scan, malformed
• Do you still repair? Most customers today do not have the repair option enabled for virus infected messages.
• 10.0.1 introduces new Sophos CxMail engine
BRKSEC-2131 78
© 2016 Cisco and/or its affiliates. All rights reserved. Cisco Public
Cisco TG Sandboxing
How AMP works
SBRSCASE
AV
Local AV Scanners
File Reputation Query
Qualified File, upload for Sandboxing
AMP feedback loop only for Malicious Files
Retrospective Heartbeat
Disposition QueryUpdate the Cache with
disposition value
Sandbox connector
AMP Connector
Local Cache
Pre-Classification
AMP Cloud
BRKSEC-2131 79
© 2016 Cisco and/or its affiliates. All rights reserved. Cisco Public
Enabling AMP
• AMP is an additional license on the ESA and CES
• 4 components to AMP:• File Reputation• File Analysis• File Retrospection• Mailbox Auto Remediation (New)
BRKSEC-2131 80
© 2016 Cisco and/or its affiliates. All rights reserved. Cisco Public
AMP Configuration – Check your file types!
81BRKSEC-2131
© 2016 Cisco and/or its affiliates. All rights reserved. Cisco Public
AMP Quarantine
82BRKSEC-2131
• Use the quarantine to delay files and wait for analysis results
• Typically file results are returned in under 10 minutes, default setting is to wait up to 1 hrbefore releasing
© 2016 Cisco and/or its affiliates. All rights reserved. Cisco Public 83BRKSEC-2131
AMP Retrospection Alerts
The Info message is:
Retrospective verdict received.
SHA256: 7c48eb3b1fea5705fc70539f2a0539a3be794d6b70408a31c9ea461855657cd0Timestamp: 2016-09-19T19:39:13ZVerdict: MALICIOUSReputation Score: 0Spyname: W32.Auto:7c48eb3b1f.in05.Talos
Version: 10.0.0-124Serial Number: xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxTimestamp: 19 Sep 2016 14:39:13 -0500
The Info message is:
Retrospective verdict received for NEW SAMPLE ORDER 1.doc.
SHA256: ce49d65659304dcb7ae63182e17aa4b6f09740caaf77f1565a682bd2bb4e2bf4Timestamp: 2016-09-19T19:39:12ZVerdict: MALICIOUSReputation Score: 0Spyname: RTF.CE49D65659.agent.tht.Talos
Total users affected: 1----------- Affected Messages ---------------
Message 1MID : 20045Subject : Sample Pictures and Letter of Intent as shown on attached files (3)From : [email protected] : [email protected] name : NEW SAMPLE ORDER 1.docParent SHA256 : ,Parent File name : ,Date : 2016-09-19T05:35:48Z
---------------------------------------------------
Change in disposition, message not delivered Change in disposition and message delivered 2 styles of alerts now generated by AMP for retrospective events:
Users affected section provides details as to who the potentially infected users are as well as message details making it easier to track down
© 2016 Cisco and/or its affiliates. All rights reserved. Cisco Public
Mailbox Auto Remediation
O365
CES
TALOS
1
2
31
2
3
Original message delivered with non-malicious verdict
Retrospective alert of file that is now deemed malicious received by CES
API call to O365 to remove message from the mailbox, or forward to specific mailbox
!
• API integration with Office 365 / Azure for Malware Remediation
• When a retrospective alert is received, the ESA can remove the email from the mailbox automatically
BRKSEC-2131 84
© 2016 Cisco and/or its affiliates. All rights reserved. Cisco Public
Enable Virus Outbreak Filters
• VOF is enabled by default
• Provides a significant catch rate for outbreaks over traditional scanning engines
• It’s the human element, after signature, heuristics and hash based scanning
http://www.senderbase.org/static/malware/#tab=0
BRKSEC-2131 85
© 2016 Cisco and/or its affiliates. All rights reserved. Cisco Public
File Handling Checklistq Create a filter to block, quarantine or
strip attachment that are deemed risky for the organisation
q Use AV to block the known viruses. Cleaning / Repairing viruses from files may be something you want to turn off
q Ensure Virus Outbreak is turned on all your policies, it provides an average 10+ hr lead time on 0-day attacks
q Upgrade to 10.0.1 and use the Macro Filter to detect and take an action on unwanted files
q Evaluate AMP is you don’t have it already
q AMP will hash all files and ask for file reputation
q Set the File Analysis Pending action to Quarantine to hold the message until a verdict is available
q Macro inspection is performed by File Analysis on AMP along with other file types
q Remediation is now available with Office 365 with the Azure API
BRKSEC-2131 86
© 2016 Cisco and/or its affiliates. All rights reserved. Cisco Public
In Summary• The days of set it and forget it are long gone – continuous monitoring and tuning
are required to keep up with todays threats
• Understand what your organisations security posture is and apply it to your appliances
• Keep your appliances updated – we are constantly introducing new features that require upgrades / updates
• Check out our Chalktalks on Youtube and Guides on Cisco.com to help with tuning and setup new features on Cisco Email Security
BRKSEC-2131 87
© 2016 Cisco and/or its affiliates. All rights reserved. Cisco Public
Summary of Recommendations
88BRKSEC-2131
CLI Level Changesq Web Security SDS URL Filtering
q websecurityadvancedconfig > q disable_dns=1 , max_urls_to_scan=20 , num_handles=5 , default_ttl=600
q URL Loggingq outbreakconfig> Do you wish to enable logging of URL's? [N]> yq http://www.cisco.com/c/en/us/support/docs/security/email-security-
appliance/118775-technote-esa-00.html
q Clean URL Rewritesq websecurityadvancedconfig > Do you want to rewrite all URLs with secure proxy
URLs? [Y]> n
q Anti-Spoof Filterq https://supportforums.cisco.com/sites/default/files/attachments/discussion/forged
_email_detection_with_cisco_email_security.pdf
q Header Stamping FilteraddHeaders: if (sendergroup != "RELAYLIST"){
insert-header("X-IronPort-RemoteIP", "$RemoteIP");insert-header("X-IronPort-MID", "$MID");insert-header("X-IronPort-Reputation", "$Reputation");insert-header("X-IronPort-Listener", "$RecvListener");insert-header("X-IronPort-SenderGroup", "$Group");insert-header("X-IronPort-MailFlowPolicy", "$Policy");
}
Security Servicesq IronPort Anti-Spam
q Always scan 1MB and Never scan 2MB
q URL Filteringq Enable URL Categorisation and Reputationq Enable Web Interaction Tracking
q Graymail Detectionq Enable and Maximum Messages size 1 MB
q Outbreak Filtersq Enable Adaptive Rules, Max Scan size1 MB q Enable Web Interaction Tracking
q Advanced Malware Protectionq Enable additional file types after enabling feature
q Message Trackingq Enable Rejected Connection Logging (if required)
System Administrationq Users
q Set password policiesq If possible leverage LDAP for authentication
q Log Subscriptionsq Enable Configuration History Logsq Enable URL Filtering Logsq Log Additional Header ‘From’
© 2016 Cisco and/or its affiliates. All rights reserved. Cisco Public
Summary of Recommendations
89BRKSEC-2131
Incoming Mail Policiesq Anti-Spam thresholds
q Positive = 90, Suspect = 39
q Anti-Virusq Don't repair, Disable Archive Message
q AMPq Add "AMP" to Subject Prepend for Unscannable, Disable Archive Message
q Graymailq Scanning enabled for each Verdict, Prepend Subject and Deliverq Add x-header for Bulk email header = X-BulkMail, value = True
q Outbreak Filtersq Enable message modification. Rewrite URL for unsigned message.q Change Subject prepend to: [Possible $threat_category Fraud]
Outgoing Mail Policiesq Anti-Virus
q Anti-Virus Virus Infected: Prepend Subject: Outbound Malware Detected: $Subject.
q Other Notification to Others: Order form admin contactq Anti-virus Unscannable don't Prepend the Subjectq Uncheck Include an X-header with the AV scanning results in Message
Host Access Tableq Additional SenderGroups
q SKIP_SBRS – Place higher for sources that skip reputationq SPOOF_ALLOW – Part of Spoofing Filterq PARTNER – For TLS Forced connections
q In SUSPECTLISTq Include SBRS Scores on Noneq Optionally, include failed PTR checks
q Aggressive HAT Sampleq BLACKLIST [-10 to -2] POLICY: BLOCKEDq SUSPECTLIST [-2 to -1] POLICY: HEAVYTHROTTLEq GRAYLIST[-1 to 2 and NONE] POLICY: LIGHTTHROTTLEq ACCEPTLIST [2 to 10] POLICY: ACCEPTED
Mail Flow Policy (default)q Security Settings
q Set TLS to preferredq Enable SPFq Enable DKIMq Enable DMARC and Send Aggregate Feedback Reports
© 2016 Cisco and/or its affiliates. All rights reserved. Cisco Public
Summary of Recommendations
90BRKSEC-2131
Content Filtersq Inappropriate Content Filter
q Conditions Profanity OR Sexual dictionary match, send a copy to the Inappropriate quarantine.
q URL Malicious Reputation Content Filter q Send a copy to the URL Malicious (-10 to -6) to quarantine.
q URL Category Content Filter with these selectedq Adult, Pornography, Child Abuse, Gambling. q Send a copy to the Inappropriate quarantine.
q Forged Email Detection q Dictionary named "Executives_FED" q FED() threshold 90 Quarantine a copy.
q Macro Enabled Documents content filterq if one or more attachments contain a Macroq Optional condition -> From Untrusted SBRS rangeq Send a copy to quarantine
q Attachment Protectionq if one or more attachments are protectedq Optional condition -> From Untrusted SBRS rangeq Send a copy to quarantine
Policy Quarantinesq Pre-Create the following Quarantines
q Inappropriate Inboundq Inappropriate Outboundq URL Malicious Inbound q URL Malicious Outboundq Suspect Spoofq Malware
Other Settingsq Dictionaries
q Enable / Review Profanity and Sexual Terms Dictionaryq Create Forged Email Dictionary with Executive Namesq Create Dictionary for restricted or other keywords
q Destination Controlsq Enable TLS for default destinationq Set lower thresholds for webmail domainshttp://www.cisco.com/c/en/us/support/docs/security/email-security-appliance/118573-technote-esa-00.html
© 2016 Cisco and/or its affiliates. All rights reserved. Cisco Public
Resources• ESA ChalkTalks: https://www.youtube.com/playlist?list=PLFT-9JpKjRTANXKBmLbQ611TPYLXbUL_0
• URL Best Practices: http://www.cisco.com/c/en/us/support/docs/security/email-security-appliance/118775-technote-esa-00.html?referring_site=RE&pos=2&page=http://www.cisco.com/c/en/us/products/collateral/security/email-security-appliance/white_paper_c11-684611.html
• Anti-Spam Tuning Guide:http://www.cisco.com/c/en/us/products/collateral/security/email-security-appliance/white-paper-c11-732910.html
• Other Guides:http://www.cisco.com/c/en/us/products/security/email-security-appliance/white-paper-listing.html
• Knowledge base:http://www.cisco.com/c/en/us/products/security/email-security-appliance/q-and-a-listing.html
BRKSEC-2131 91
Q & A
© 2017 Cisco and/or its affiliates. All rights reserved. Cisco Public
Cisco Spark Ask Questions, Get Answers, Continue the Experience
Use Cisco Spark to communicate with the Speaker and fellow participants after the session
Download the Cisco Spark app from iTunes or Google Play
1. Go to the Cisco Live Melbourne 2017 Mobile app 2. Find this session3. Click the Spark button under Speakers in the session description 4. Enter the room, room name = BRKSEC-21315. Join the conversation!
The Spark Room will be open for 2 weeks after Cisco Live
93
© 2016 Cisco and/or its affiliates. All rights reserved. Cisco Public
Complete Your Online Session Evaluation
94BRKSEC-2131
Learn online with Cisco Live! Visit us online after the conference for full access to session videos and presentations. www.CiscoLiveAPAC.com
Give us your feedback and receive a Cisco Live 2017 Cap by completing the overall event evaluation and 5 session evaluations.
All evaluations can be completed via the Cisco Live Mobile App.
Caps can be collected Friday 10 March at Registration.
Thank you
© 2016 Cisco and/or its affiliates. All rights reserved. Cisco Public
Security Joins the Customer Connection ProgramCustomer User Group Program
19,000+Members
Strong• Who can join: Cisco customers, service providers,
solution partners and training partners
• Private online community to connect with peers & Cisco’s Security product teams
• Monthly technical & roadmap briefings via WebEx
• Opportunities to influence product direction
• Local in-person meet ups starting Fall 2016
• New member thank you gift* & badge ribbon when you join in the Cisco Security booth
• Other CCP tracks: Collaboration & Enterprise Networks
Join in World of SolutionsSecurity zone à Customer Connection stand
Ø Learn about CCP and Join Ø New member thank-you gift*Ø Customer Connection Member badge ribbon
Join Onlinewww.cisco.com/go/ccp
Come to Security zone to get your new member gift* and ribbon
* While supplies lastBRKSEC-2131 97
© 2016 Cisco and/or its affiliates. All rights reserved. Cisco Public
Security Cisco Education OfferingsCourse Description Cisco Certification
CCIE Security Expert Level certification in Security, for comprehensive understanding of security architectures, technologies, controls, systems, and risks.
CCIE® Security
Implementing Cisco Edge Network Security Solutions (SENSS)
Implementing Cisco Threat Control Solutions (SITCS)
Implementing Cisco Secure Access Solutions (SISAS)
Implementing Cisco Secure Mobility Solutions (SIMOS)
Configure Cisco perimeter edge security solutions utilising Cisco Switches, Cisco Routers, and Cisco Adaptive Security Appliance (ASA) Firewalls
Deploy Cisco’s Next Generation Firewall (NGFW) as well as Web Security, Email Security and Cloud Web Security
Deploy Cisco’s Identity Services Engine and 802.1X secure network access
Protect data traversing a public or shared infrastructure such as the Internet by implementing and maintaining Cisco VPN solutions
CCNP® Security
Implementing Cisco Network Security (IINS 3.0) Focuses on the design, implementation, and monitoring of a comprehensive security policy, using Cisco IOS security features
CCNA® Security
Securing Cisco Networks with Threat Detection and Analysis (SCYBER)
Designed for security analysts who work in a Security Operations Centre, the course covers essential areas of security operations competency, including event monitoring, security event/alarm/traffic analysis (detection), and incident response
Cisco Cybersecurity Specialist
Network Security Product Training For official product training on Cisco’s latest security products, including Adaptive Security Appliances, NGIPS, Advanced Malware Protection, Identity Services Engine, Email and Web Security Appliances.
For more details, please visit: www.cisco.com/go/securitytraining or http://learningnetwork.cisco.comQuestions? Visit the Learning@Cisco Booth or contact [email protected]
BRKSEC-2131 98