How to Protect from the Worst Threat Vector Cisco Email Security Presenter: Abdalla Taha, Technical Solutions Specialist – Email Security Panelist: Jesper Rathsach, Technical Solutions Specialist November 2019


Page 1: How to Protect from the Worst Threat Vector · • What are the details surrounding Message ID Header x? And with Cisco Unity (ESA/CES integration with AMP for Endpoints console:

How to Protect from the Worst Threat Vector
Cisco Email Security
Presenter: Abdalla Taha, Technical Solutions Specialist – Email Security

Panelist: Jesper Rathsach, Technical Solutions Specialist

November 2019

Page 2

• Over 90% of breaches start with email
  • 92.4% for malware
  • 96% for phishing

• Email was not built with security
  • It’s easy for attackers to exploit

https://enterprise.verizon.com/resources/reports/DBIR_2018_Report_execsummary.pdf

Page 3

© 2019 Cisco and/or its affiliates. All rights reserved. Cisco Confidential

Cisco Cybersecurity Series

• Great insight on prevailing cybersecurity threats

• Guidance on detection and prevention

• Statistics and surveys

• https://www.cisco.com/c/en/us/products/security/security-reports.html

© 2019 Cisco and/or its affiliates. All rights reserved. Cisco Public

Page 4

Radicati Market Quadrant for Secure Email Gateways

3rd year in a row! Cisco is the top vendor in Radicati's Secure Email Gateway (SEG) report

https://www.cisco.com/c/dam/m/digital/elq-cmcglobal/witb/1864683/secu-email-gate-mark-quad.pdf

Page 5

Talos on Cisco Email Security

Sender Analysis | File Analysis | URL Analysis | Content Analysis

Monitors 600 billion emails per day to provide broader visibility

Page 6

Overview of Cisco Email Security

Page 7

Cisco Email Security: Email pipeline

(Slide diagram of the inbound, outbound and post-delivery pipeline. The component labels and the captions next to them are listed below, grouped under the stage headings that appear on the slide; the diagram legend reads "= external to main ESG" for components drawn outside the main gateway.)

Connection Filtering
• Reputation Filtering: 70-80% block rate, reputation score scale from -10 to +10
• Throttling, SPF, DKIM & DMARC
• SDR: Domain Reputation Filtering
• Anti-Spoofing
• ETF (External Threat Feeds)

Connection and Content Filtering / Anti-Spoofing / URL Analysis
• CASE (Antispam): Multi-verdict scanning
• Anti-Virus: Block 100% of known viruses
• File Reputation: SHA based file blocking (0-Day Malware)
• File Analysis: Over 1900 behavioral indicators
• Outbreak Filtering: Stop viral zero-day threats
• Graymail Detection: Control marketing, social and bulk
• Anti-Phishing, URL Analysis
• Content Filtering: Business & Security Rules
• FED, Safeprint
• Cisco Adv. Phishing Protection: Behavioral analytics
• Cisco Domain Protection: Brand protection, SPF, DKIM & DMARC

Post Delivery Interactions
• AMP Retrospection & Remediation: Alert on verdict changes and auto-delete from O365 & Exchange
• Graymail Unsubscribe: Link validation and unsubscribe
• URL Rewrite and Tracking: Track user clicks and report on URLs
• Cisco Threat Response (Threat Mgmt.): Detection, Investigation, Remediation

Spam, Virus & Malware Filtering (outbound)
• CASE & Anti-Virus: Block outgoing spam & known viruses
• File Rep & Analysis: Outbound malware scanning
• Data Loss Prevention: Inspect sensitive content
• Content Filtering
• Envelope Encryption (CRES): Protect sensitive data
• Encryption, DANE: DNSSEC checks, TLSA

Page 8

Easily Integrate with O365 & Exchange

(Slide diagram. Components shown: Inbound Traffic and Outbound Traffic between an External Domain and the Current Email Domain; Cisco Email Security; O365 EOP or Exchange; Cisco Advanced Phishing Protection, connected via API and BCC; Cisco Domain Protection for DMARC, SPF, DKIM, connected via API.)

Page 9

Easily Integrate with G Suite

(Slide diagram. Components shown: Inbound Traffic and Outbound Traffic between an External Domain and the Current Email Domain; Cisco Email Security; G Suite; Cisco Advanced Phishing Protection, connected via API and BCC; Cisco Domain Protection for DMARC, SPF, DKIM.)

Page 10

Easily Integrate with any MTA

(Slide diagram. Components shown: Inbound Traffic and Outbound Traffic between an External Domain and the Current Email Domain; Cisco Email Security; the customer MTA; Cisco Advanced Phishing Protection, fed by BCC on inline; Cisco Domain Protection for DMARC, SPF, DKIM.)

Page 11

Don’t compromise on features when making a choice

Deployment options: Cloud | Virtual | Hybrid | On-Premises

Page 12

Cloud Email Security (CES) Global Coverage!

(World map of CES datacenters; legend: Existing CES Datacenter / NEW CES Datacenters)
• Tokyo
• Melbourne
• London
• Almere
• Kamloops, BC
• Santa Clara, CA
• Las Vegas, NV
• Toronto, ON
• Frankfurt

Page 13

New features

Page 14

Email security roadmap 2019 – AsyncOS v12.0 (January)

Timeline: v12.0 - Jan | v12.5 - Jun | v13.0 - Sep
Columns: Thought Leadership | Threat Efficacy | Infrastructure Expansion | Cisco on Cisco Integration | Platform Enhancements

• External Threat Feeds (ETF): using the STIX/TAXII standard
• Sender Domain Reputation (SDR): domain reputation and age based filtering
• Japan, Australia CES DC launch
• GDPR compliance for CES
• Cisco Threat Response integration
• ThreatGrid cluster support
• DANE support
• Smart Licensing
• How-To’s
• New UI
• SMA APIs

Page 15

Email security roadmap 2019 – AsyncOS v12.5 (June)

Timeline: v12.0 - Jan | v12.5 - Jun | v13.0 - Sep
Columns: Threat Efficacy | Infrastructure Expansion | Cisco on Cisco Integration | Platform Enhancements

• Enhanced Intelligent Multi-scan (IMS): better antispam efficacy
• New EU DC in Frankfurt, Germany
• Multiple region support for Cisco Threat Response (US, EU)
• New platform x95
• CRES Easy Open: mobile friendly

Page 16

Email security roadmap 2019 – AsyncOS v13.0 (September)

Timeline: v12.0 - Jan | v12.5 - Jun | v13.0 - Sep
Columns: Thought Leadership | Threat Efficacy | Infrastructure Expansion | Cisco on Cisco Integration | Platform Enhancements

• Mailbox Auto Remediation on Exchange
• Enhanced Antispam & Outbreak Filter: better phishing detection
• Site-to-Site VPN for APJC customers
• Cisco Threat Response: Casebook and Pivot menu
• CEF logs
• AWS S3 push
• New GUI for ESA
• SSO for admin access via SAML 2.0
• Safe Print: document disarm

Page 17

Mailbox Auto Remediation Enhancements

(Slide diagram: Cisco Email Security, as an appliance (HW/VM) or in the cloud, connects to Office 365 (main tenant) and Office 365 (secondary tenant) over the Graph API, and to MS Exchange 2013, 2016 over the EWS API.)

• Graph API supports Exchange 2013/2016 hybrid deployments
• EWS API supports Exchange 2013/2016 standalone deployments
• Multiple tenants can use a single MAR action with chained profiles

Page 18

Safe Print

• Safe Print (content disarm) allows attachments to be converted into a JPG and embedded in a PDF
• The JPG provides a full disarm (no cut/paste, no clickable links) while keeping the original in a quarantine
• Watermark & cover page are optional

Page 19

CEF Formatted Logs

• CEF provides a standardized log format so that SIEM vendors can easily ingest logs
• All data / verdicts / actions on the email are logged into a single entry after the final action on the email is taken
• CEF reduces disk consumption in SIEM applications, with faster indexing
• AWS S3 buckets will be supported for log transfers

Sample consolidated log event from the slide:

Mon Jul 22 17:24:07 2019: CEF:0|Cisco|C300V Email Security Virtual Appliance|13.0.0-226|ESA_CONSOLIDATED_LOG_EVENT|Consolidated Log Event|5|ESASerialNo=420D4F36AAEBC0093B4F-B9E72189A021 ESAMID=2363 ESAAMPVerdict=NOT_EVALUATED ESAASVerdict=POSITIVE ESAAVVerdict=NOT_EVALUATED ESACFVerdict=NOT_EVALUATED endTime=Mon Jul 22 17:24:06 2019 ESADKIMVerdict=permfail ESADLPVerdict=NOT_EVALUATED ESADMARCVerdict=fail ESADataIP=139.138.39.175 [email protected] ESAGMVerdict=NOT_EVALUATED ESAICID=17597 startTime=Mon Jul 22 17:24:04 2019 ESAListenerName=IncomingMail deviceDirection=inbound ESAMailFlowPolicy=ACCEPT [email protected]=DEFAULT ESASenderCountry=United States ESAMFVerdict=MATCH ESAFinalAction=DROPPED ESAFinalActionDetails=By IMS ESAExternalMsgID='<CADHp1Nw_gzn8P_Le76xZ8hnOXwUu9CRSHDCVBFZyPGMNddpKLw@mail.gmail.com>' ESAOFVerdict=NOT_EVALUATED [email protected] ESAHeloDomain=esa2.hc3033-47.iphmx.com ESAHeloIP=139.138.32.156 [email protected] ESASBRSScore=0.9 ESASDRDomainAge=10 years 9 months 19 days ESASDRThreatCategory=N/A ESASDRRepScore=Neutral sourceHostName=esa2.hc3033-47.iphmx.com ESASenderGroup=GREYLIST ESASourceAddress=139.138.32.156 ESASubject='[Wireshark-users] Improve Generic Netlinkfamily id to name mapping' ESATLSInCipher=ECDHE-RSA-AES128-GCM-SHA256 ESATLSInConnStatus=Success ESATLSInProtocol=TLSv1.2
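Ingesting these consolidated events means splitting the seven pipe-delimited CEF header fields from the key=value extension, where values such as endTime, ESASenderCountry and ESASDRDomainAge contain spaces and ESASubject is quoted. The Python below is an added example written for this page, not Cisco code and not taken from the appliance's log format documentation: it parses lines shaped like the sample above into a dict, runs a defender's triage (sender authentication failed, but was the message still delivered?) and answers the "which messages came from this sender IP?" question that the CTR slide later on lists. The three log lines, their IP addresses (documentation ranges), message IDs, subjects and the DELIVERED / QUARANTINED / UNKNOWNLIST values are constructed for the demo; the field names are the ones visible in the slide's log line.

```python
import re
from dataclasses import dataclass

# Constructed sample events in the ESA consolidated-log CEF shape (values are made up for the demo).
SAMPLE_LOGS = [
    "Mon Jul 22 17:24:07 2019: CEF:0|Cisco|C300V Email Security Virtual Appliance|13.0.0-226|"
    "ESA_CONSOLIDATED_LOG_EVENT|Consolidated Log Event|5|ESAMID=2363 ESAAMPVerdict=NOT_EVALUATED "
    "ESAASVerdict=POSITIVE ESADKIMVerdict=permfail ESADMARCVerdict=fail endTime=Mon Jul 22 17:24:06 2019 "
    "deviceDirection=inbound ESASenderCountry=United States ESAFinalAction=DROPPED ESAFinalActionDetails=By IMS "
    "ESASBRSScore=0.9 ESASDRDomainAge=10 years 9 months 19 days ESASDRRepScore=Neutral "
    "ESASenderGroup=GREYLIST ESASourceAddress=203.0.113.10 ESASubject='Invoice attached' ESATLSInProtocol=TLSv1.2",
    "Mon Jul 22 17:30:11 2019: CEF:0|Cisco|C300V Email Security Virtual Appliance|13.0.0-226|"
    "ESA_CONSOLIDATED_LOG_EVENT|Consolidated Log Event|5|ESAMID=2364 ESAASVerdict=NEGATIVE "
    "ESADKIMVerdict=pass ESADMARCVerdict=pass deviceDirection=inbound ESAFinalAction=DELIVERED "
    "ESASBRSScore=4.2 ESASenderGroup=UNKNOWNLIST ESASourceAddress=198.51.100.7 ESASubject='Weekly report'",
    "Mon Jul 22 17:41:52 2019: CEF:0|Cisco|C300V Email Security Virtual Appliance|13.0.0-226|"
    "ESA_CONSOLIDATED_LOG_EVENT|Consolidated Log Event|5|ESAMID=2365 ESAASVerdict=NEGATIVE "
    "ESADKIMVerdict=none ESADMARCVerdict=fail deviceDirection=inbound ESAFinalAction=DELIVERED "
    "ESASBRSScore=-1.5 ESASenderGroup=GREYLIST ESASourceAddress=203.0.113.10 ESASubject='Re: contract'",
]

HEADER_FIELDS = ("cef_version", "vendor", "product", "product_version", "signature_id", "name", "severity")
# An extension key is a bare identifier followed by '=' at the start or after whitespace.
_KEY_RE = re.compile(r"(?:^|(?<=\s))([A-Za-z][A-Za-z0-9_.]*)=")


@dataclass
class CefEvent:
    header: dict
    ext: dict


def _split_header(body: str):
    """Split the seven pipe-delimited header fields; a backslash-escaped pipe stays in the value."""
    fields, cur, i = [], [], 0
    while i < len(body) and len(fields) < len(HEADER_FIELDS):
        ch = body[i]
        if ch == "\\" and i + 1 < len(body):      # escaped character: keep the next one literally
            cur.append(body[i + 1])
            i += 2
        elif ch == "|":
            fields.append("".join(cur))
            cur = []
            i += 1
        else:
            cur.append(ch)
            i += 1
    return fields, body[i:]                        # the remainder is the extension


def _parse_extension(ext: str) -> dict:
    """Turn 'k1=v1 k2=v two k3=v3' into a dict; values may contain spaces (timestamps, subjects)."""
    keys = list(_KEY_RE.finditer(ext))
    out = {}
    for n, m in enumerate(keys):
        end = keys[n + 1].start() if n + 1 < len(keys) else len(ext)
        value = ext[m.end():end].strip().replace("\\=", "=").replace("\\\\", "\\")
        if len(value) >= 2 and value[0] == value[-1] == "'":   # the ESA quotes free-text values
            value = value[1:-1]
        out[m.group(1)] = value
    return out


def parse_cef(line: str) -> CefEvent:
    """Parse one syslog line carrying a CEF record; raises ValueError on malformed input."""
    pos = line.find("CEF:")
    if pos < 0:
        raise ValueError("no CEF record in line")
    fields, ext = _split_header(line[pos + len("CEF:"):])
    if len(fields) != len(HEADER_FIELDS):
        raise ValueError("malformed CEF header")
    return CefEvent(dict(zip(HEADER_FIELDS, fields)), _parse_extension(ext))


BLOCKING_ACTIONS = {"DROPPED", "QUARANTINED"}   # assumed action names; only DROPPED appears on the slide


def triage(ev: CefEvent) -> dict:
    """Defender-side summary: did sender authentication fail, and did the message still get through?"""
    x = ev.ext
    dmarc_fail = x.get("ESADMARCVerdict", "").lower() == "fail"
    dkim_fail = x.get("ESADKIMVerdict", "").lower() == "permfail"
    auth_fail = dmarc_fail or dkim_fail
    blocked = x.get("ESAFinalAction", "").upper() in BLOCKING_ACTIONS
    # Authentication failure that the gateway did not stop is what an analyst wants to see first.
    priority = "high" if auth_fail and not blocked else "info" if auth_fail else "none"
    return {"mid": x.get("ESAMID"), "auth_fail": auth_fail, "blocked": blocked, "priority": priority}


def messages_from_ip(events, ip: str) -> list:
    """'Which email messages have been affected by this sender IP?' answered from the parsed logs."""
    return [ev.ext.get("ESAMID") for ev in events if ev.ext.get("ESASourceAddress") == ip]


if __name__ == "__main__":
    events = [parse_cef(line) for line in SAMPLE_LOGS]
    for ev in events:
        print(triage(ev))
    print(messages_from_ip(events, "203.0.113.10"))
```

The key regex is what makes unquoted multi-word values work: a value runs until the next token that looks like `key=` preceded by whitespace, so `endTime=Mon Jul 22 17:24:06 2019` is kept whole, while an escaped `\=` inside a value is not mistaken for a new key.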

Page 20

SAML for Administrative Authentication

• SAML for administration allows an SSO provider to be used for authentication, with the option to map roles to groups via SAML 2.0
• SAML will be verified against ADFS, Azure AD and
• This will be available on both the ESA and SMA

Page 21

Advanced Phishing Protection: Protect your users. Leverage local intel on authenticity and reputations.

Domain Protection: Protect your brand. Drive to DMARC enforcement.

Page 22

Protect Your Brand: Domain Protection (DMARC Authentication)

Stopping Phishing and Brand Abuse
• Easily analyze, update and take action against those misusing your domain to send malicious email
• Validate those who use your domain appropriately
• Compliant with new US Department of Homeland Security regulations
• Drive to DMARC enforcement with proven tools and services

Page 23

Cisco Domain Protection (DMP)

(Screenshot of the Domain Protection console with numbered callouts 1, 2 and 3)

Page 24

Brand Indicators for Message Identification (BIMI)

An industry-wide standards effort that will use brand logos as indicators to help people avoid fraudulent email, while giving marketers a huge new opportunity to put their brands in front of consumers for free.

BIMI is limited to domains/organizations at p=quarantine or p=reject only.
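"Drive to DMARC enforcement" (the Domain Protection slides) and the BIMI rule just stated both come down to what the domain's DMARC TXT record says. The Python below is an added example for this page, not Cisco Domain Protection code: it parses a DMARC record the way RFC 7489 lays it out (v=DMARC1 first, p required, sp defaulting to p, pct defaulting to 100), then reports whether the policy is fully enforced and whether the domain meets the slide's BIMI condition (p=quarantine or p=reject). The sample records use the documentation domain example.com and are constructed; in production the record text would come from a DNS TXT lookup of _dmarc.<domain>, which is left out so the example runs offline.

```python
import re

POLICIES = ("none", "quarantine", "reject")
KNOWN_TAGS = {"v", "p", "sp", "pct", "rua", "ruf", "adkim", "aspf", "fo", "rf", "ri"}

# Constructed sample records (example.com is a documentation domain, not a real deployment).
SAMPLE_RECORDS = {
    "monitor-only": "v=DMARC1; p=none; rua=mailto:dmarc-rua@example.com",
    "partial":      "v=DMARC1; p=quarantine; pct=25; rua=mailto:dmarc-rua@example.com",
    "enforced":     "v=DMARC1; p=reject; sp=none; adkim=s; aspf=s",
}


def parse_dmarc(record: str) -> dict:
    """Parse a DMARC TXT record into a tag dict, enforcing the structural rules of RFC 7489."""
    parts = [p.strip() for p in record.strip().split(";")]
    parts = [p for p in parts if p]
    # The version tag must come first and must be exactly DMARC1 (case-insensitive).
    if not parts or re.sub(r"\s", "", parts[0]).lower() != "v=dmarc1":
        raise ValueError("record must start with v=DMARC1")
    tags = {}
    for part in parts:
        if "=" not in part:
            raise ValueError(f"malformed tag {part!r}")
        k, v = (s.strip() for s in part.split("=", 1))
        k = k.lower()
        if k in tags:
            raise ValueError(f"duplicate tag {k!r}")
        tags[k] = v
    if "p" not in tags:
        raise ValueError("required tag p is missing")
    for tag in ("p", "sp"):
        if tag in tags and tags[tag].lower() not in POLICIES:
            raise ValueError(f"invalid {tag} value {tags[tag]!r}")
    if "pct" in tags and not (tags["pct"].isdigit() and 0 <= int(tags["pct"]) <= 100):
        raise ValueError("pct must be an integer between 0 and 100")
    return tags


def assess(tags: dict) -> dict:
    """Report enforcement state and BIMI eligibility (p=quarantine or p=reject, as the slide states)."""
    p = tags["p"].lower()
    sp = tags.get("sp", p).lower()          # RFC 7489: sp defaults to the value of p
    pct = int(tags.get("pct", "100"))        # RFC 7489: pct defaults to 100
    warnings = []
    if p == "none":
        warnings.append("p=none only monitors; spoofed mail is still delivered")
    if pct < 100:
        warnings.append(f"pct={pct}: only {pct}% of failing messages get the policy applied")
    if sp == "none" and p != "none":
        warnings.append("sp=none leaves subdomains unenforced")
    if "rua" not in tags:
        warnings.append("no rua address: no aggregate reports to analyze")
    unknown = sorted(set(tags) - KNOWN_TAGS)
    if unknown:
        warnings.append(f"unknown tags ignored: {unknown}")
    return {
        "policy": p,
        "subdomain_policy": sp,
        "pct": pct,
        # Fully enforced: a blocking policy, applied to all failing mail, on subdomains too.
        "fully_enforced": p != "none" and pct == 100 and sp != "none",
        # The slide's BIMI condition: p=quarantine or p=reject.
        "bimi_eligible": p in ("quarantine", "reject"),
        "warnings": warnings,
    }


if __name__ == "__main__":
    for name, record in SAMPLE_RECORDS.items():
        print(name, assess(parse_dmarc(record)))
```

The "partial" record shows why the two flags are kept separate: p=quarantine satisfies the slide's BIMI wording, but with pct=25 three quarters of spoofed mail still reaches inboxes, so the domain is not yet at enforcement in the sense the Domain Protection slides mean.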

Page 25

Advanced Phishing Protection: Advanced Intelligence Reduces Business Email Compromise

• Learns and authenticates identities and behavioral relationships for enhanced protection
• Better understand which emails carry targeted phishing attacks so only legitimate emails are in inboxes

Page 26

Identity Mapping / Behavioral Analytics

(Slide diagram of two identity graphs built from user names such as John, Mary, Ben, Sean, Dan, Tina, Edward, Lynsey, Mel Wilson and Eva)

Trust Modelling (between sender & recipient)

Page 27

Cisco Advanced Phishing Protection (APP)

Page 28

Cisco Advanced Phishing Protection (APP)

Page 29

Insider Impersonation Protection Stops Internal Threats

(Slide diagram: a compromised employee, a trusted partner or vendor, and a coworker, observed by the Advanced Phishing Protection sensor)

• Alert the security operations center of threats targeting trusted partners, vendors, and coworkers
• Automatically remove malicious emails from coworker inboxes
• Alert the partner or trusted vendor of a potential threat

Page 30

Cisco Threat Response Integration

Page 31

Security Operations

Threats are becoming more complex. Understanding what happened requires stitching information together: Is it bad? How? Has it affected us? Why?

Technologies and Intelligence: SIEM, Email Security, Malware Detection, Next-Gen IPS, Endpoint Security, Third party sources, Network Analytics, Threat Intel, Identity Management, Secure Internet Gateway, Web Security, Next-Gen Firewall

Page 32

Cisco Threat Response is complimentary with select Cisco Security product licenses

You’re entitled to Threat Response if you own:
• Cisco Email Security
• Cisco Threat Grid
• Cisco NGFW / NGIPS
• Cisco AMP for Endpoints
• Cisco Umbrella

Get started with Threat Response right now at visibility.amp.cisco.com

• AMP for Endpoints / Threat Grid: use your existing admin credentials to log in (AMP customers log in at “Cisco Security”)
• Umbrella / Email Security: create your account to get started. We’ve created these quick start guides to help you:
  • Umbrella: cs.co/ctr_umbrella
  • Email Sec.: cs.co/email_security

Page 33

CTR integration with Email Security (SMA 12.0)

Questions the SOC can answer from within CTR:
• Which email messages have seen this filename?
• Which email messages have seen this file hash?
• Which email messages have been affected by this sender IP?
• Which email messages have been affected by this sender domain?
• What are the details surrounding Cisco Message ID x?
• What are the details surrounding Message ID Header x?

And with Cisco Unity (ESA/CES integration with the AMP for Endpoints console):
• A SOC or CTR user can implement a block of a specific file hash via A4E that takes effect in the ESA (this function is available today)

Page 34

Cisco Threat Response in the SOC: complements existing investments and supports the SecOps team

(Slide diagram: the SOC and IR team work with the existing SIEM, an optional stand-alone SOAR, other existing products and intel/identity context, and multiple Cisco products and intel/identity context feeding Cisco Threat Response: Detect, Investigate, Remediate)

Page 35