How to Protect from the Worst Threat Vector: Cisco Email Security
Presenter: Abdalla Taha, Technical Solutions Specialist – Email Security
Panelist: Jesper Rathsach, Technical Solutions Specialist
November 2019

• Over 90% of breaches start with email: 92.4% for malware, 96% for phishing
• Email was not built with security, so it is easy for attackers to exploit
Source: https://enterprise.verizon.com/resources/reports/DBIR_2018_Report_execsummary.pdf
© 2019 Cisco and/or its affiliates. All rights reserved. Cisco Confidential
Cisco Cybersecurity Series
• Great insight on prevailing cybersecurity threats
• Guidance on detection and prevention
• Statistics and surveys
• https://www.cisco.com/c/en/us/products/security/security-reports.html
Radicati Market Quadrant for Secure Email Gateways
3rd year in a row! Cisco is the top vendor in Radicati's Secure Email Gateway (SEG) report
https://www.cisco.com/c/dam/m/digital/elq-cmcglobal/witb/1864683/secu-email-gate-mark-quad.pdf
Talos on Cisco Email Security
Sender Analysis, File Analysis, URL Analysis, Content Analysis
Monitors 600 billion emails per day to provide broader visibility
Overview of Cisco Email Security

Cisco Email Security: Email pipeline (features recovered from the pipeline diagram)

Connection Filtering
• Throttling; SPF, DKIM & DMARC
• Reputation Filtering: 70-80% block rate on a -10 to +10 reputation scale
• SDR: Domain Reputation Filtering
• Anti-Spoofing; FED
• DANE: DNSSEC checks, TLSA
• Encryption
• ETF

Content Filtering
• Business & Security Rules
• Anti-Phishing
• URL Analysis
• ETF

Spam, Virus & Malware Filtering
• Antispam: CASE, multi-verdict scanning
• Anti-Virus: Block 100% of known viruses
• Graymail Detection: Control marketing, social and bulk
• Safeprint
• ETF

0-Day Malware
• File Reputation: SHA based file blocking
• File Analysis: Over 1900 behavioral indicators
• Outbreak Filtering: Stop viral zero-day threats

Post Delivery Interactions
• AMP Retrospection & Remediation: Alert on verdict changes and auto-delete from O365 & Exchange
• Graymail Unsubscribe: Link validation and unsubscribe
• URL Rewrite and Tracking: Track user clicks and report on URLs

Outbound scanning
• CASE & Anti-Virus: Block outgoing spam & known viruses
• File Rep & Analysis: Outbound malware scanning
• Data Loss Prevention: Inspect sensitive content
• Content Filtering
• Envelope Encryption (CRES): Protect sensitive data

External to main ESG
• Cisco Adv. Phishing Protection: Behavioral analytics
• Cisco Domain Protection: Brand protection, SPF, DKIM & DMARC
• Cisco Threat Response: Detection, Investigation, Remediation (Threat Mgmt.)
Easily Integrate with O365 & Exchange
• Inbound and outbound traffic between the external domain and the current email domain passes through Cisco Email Security in front of O365 EOP or Exchange (API integration)
• Cisco Advanced Phishing Protection (API, BCC)
• Cisco Domain Protection: DMARC, SPF, DKIM
Easily Integrate with G Suite
• Inbound and outbound traffic between the external domain and the current email domain passes through Cisco Email Security in front of G Suite (API integration)
• Cisco Advanced Phishing Protection (BCC)
• Cisco Domain Protection: DMARC, SPF, DKIM
Easily Integrate with any MTA
• Inbound and outbound traffic between the external domain and the current email domain passes through Cisco Email Security in front of the MTA
• Cisco Advanced Phishing Protection (BCC on inline)
• Cisco Domain Protection: DMARC, SPF, DKIM
Don’t compromise on features when making a choice: Cloud, Virtual, Hybrid, On-Premises

Cloud Email Security (CES) Global Coverage!
CES datacenter locations: Tokyo, Melbourne, London, Almere, Kamloops (BC), Santa Clara (CA), Las Vegas (NV), Toronto (ON), Frankfurt (the map distinguishes existing CES datacenters from new CES datacenters)
New features

Email security roadmap 2019
Categories: Thought Leadership, Threat Efficacy, Infrastructure Expansion, Cisco on Cisco Integration, Platform Enhancements
Releases: v12.0 - Jan, v12.5 - Jun, v13.0 - Sep

AsyncOS v12.0 - January
• External Threat Feeds (ETF) using the STIX / TAXII standard
• Sender Domain Reputation (SDR): domain reputation and age based filtering
• Japan, Australia CES DC launch
• GDPR compliance for CES
• Cisco Threat Response integration
• ThreatGrid cluster support
• DANE support
• Smart Licensing
• How-To’s
• New UI
• SMA APIs

AsyncOS v12.5 - June
• Enhanced Intelligent Multi-scan (IMS): better antispam efficacy
• New EU DC in Frankfurt, Germany
• Multiple region support for Cisco Threat Response (US, EU)
• New platform x95
• CRES Easy Open: mobile friendly

AsyncOS v13.0 - September
• Mailbox Auto Remediation on Exchange
• Enhanced Antispam & Outbreak filter: better phishing detection
• Safe Print: document disarm
• Site-to-Site VPN for APJC customers
• Cisco Threat Response: Casebook and Pivot menu
• CEF logs
• AWS S3 push
• New GUI for ESA
• SSO for admin access via SAML 2.0
Mailbox Auto Remediation Enhancements
• Cisco Email Security (appliance HW/VM or cloud) connects to Office 365 (main tenant and secondary tenant) via the Graph API, and to MS Exchange 2013, 2016 via the EWS API
• Graph API supports Exchange 2013/2016 hybrid deployments
• EWS API supports Exchange 2013/2016 standalone deployments
• Multiple tenants can use a single MAR action with chained profiles
Safe Print
• Safe Print (content disarm) allows attachments to be converted into a JPG and embedded in a PDF
• The JPG provides a full disarm (no cut/paste, no clickable links) while keeping the original in a quarantine
• Watermark & cover page are optional
CEF Formatted Logs
• CEF allows for a standardized log format so that SIEM vendors can easily ingest logs
• All data / verdicts / actions on the email are logged into a single entry after the final action on the email is taken
• CEF reduces disk consumption in SIEM applications, with faster indexing
• AWS S3 buckets will be supported for log transfers
Example consolidated log event:
Mon Jul 22 17:24:07 2019: CEF:0|Cisco|C300V Email Security Virtual Appliance|13.0.0-226|ESA_CONSOLIDATED_LOG_EVENT|Consolidated Log Event|5|ESASerialNo=420D4F36AAEBC0093B4F-B9E72189A021 ESAMID=2363 ESAAMPVerdict=NOT_EVALUATED ESAASVerdict=POSITIVE ESAAVVerdict=NOT_EVALUATED ESACFVerdict=NOT_EVALUATED endTime=Mon Jul 22 17:24:06 2019 ESADKIMVerdict=permfail ESADLPVerdict=NOT_EVALUATED ESADMARCVerdict=fail ESADataIP=139.138.39.175 [email protected] ESAGMVerdict=NOT_EVALUATED ESAICID=17597 startTime=Mon Jul 22 17:24:04 2019 ESAListenerName=IncomingMail deviceDirection=inbound ESAMailFlowPolicy=ACCEPT [email protected]=DEFAULT ESASenderCountry=United States ESAMFVerdict=MATCH ESAFinalAction=DROPPED ESAFinalActionDetails=By IMS ESAExternalMsgID='<CADHp1Nw_gzn8P_Le76xZ8hnOXwUu9CRSHDCVBFZyPGMNddpKLw@mail.gmail.com>' ESAOFVerdict=NOT_EVALUATED [email protected] ESAHeloDomain=esa2.hc3033-47.iphmx.com ESAHeloIP=139.138.32.156 [email protected] ESASBRSScore=0.9 ESASDRDomainAge=10 years 9 months 19 days ESASDRThreatCategory=N/A ESASDRRepScore=Neutral sourceHostName=esa2.hc3033-47.iphmx.com ESASenderGroup=GREYLIST ESASourceAddress=139.138.32.156 ESASubject='[Wireshark-users] Improve Generic Netlinkfamily id to name mapping' ESATLSInCipher=ECDHE-RSA-AES128-GCM-SHA256 ESATLSInConnStatus=Success ESATLSInProtocol=TLSv1.2
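As an added example that is not part of the deck or Cisco's code, the Python below parses a consolidated CEF event of the shape shown above and applies one SIEM triage rule to it; the sample line is constructed on the pattern of the slide's event, with placeholder serial number and IDs.

```python
import re

# Constructed sample modelled on the ESA_CONSOLIDATED_LOG_EVENT line on the slide;
# the serial number and message IDs are placeholders, not values from a real appliance.
SAMPLE = (
    "Mon Jul 22 17:24:07 2019: CEF:0|Cisco|C300V Email Security Virtual Appliance|13.0.0-226|"
    "ESA_CONSOLIDATED_LOG_EVENT|Consolidated Log Event|5|ESASerialNo=EXAMPLE-SERIAL ESAMID=2363 "
    "ESAAMPVerdict=NOT_EVALUATED ESAASVerdict=POSITIVE ESAAVVerdict=NOT_EVALUATED "
    "ESADKIMVerdict=permfail ESADMARCVerdict=fail ESASenderGroup=GREYLIST ESASBRSScore=0.9 "
    "ESASDRDomainAge=10 years 9 months 19 days ESASDRRepScore=Neutral ESAFinalAction=DROPPED "
    "ESAFinalActionDetails=By IMS ESASubject='Improve Generic Netlink family id to name mapping' "
    "ESATLSInProtocol=TLSv1.2"
)

HEADER_KEYS = ("cef_version", "vendor", "product", "version", "signature_id", "name", "severity")
AUTH_KEYS = ("ESASPFVerdict", "ESADKIMVerdict", "ESADMARCVerdict")


def parse_cef(line):
    """Parse one CEF line into a dict of the 7 header fields plus the extension key=value pairs.

    Extension values may contain spaces (e.g. ESASDRDomainAge, ESAFinalActionDetails), so the
    extension is split only at whitespace that is immediately followed by another key=.
    Pipes escaped as \\| inside header fields are left alone by the negative lookbehind.
    """
    body = line[line.index("CEF:"):]                      # drop the syslog-style timestamp prefix
    head = re.split(r"(?<!\\)\|", body, maxsplit=7)       # 7 header fields + the extension
    if len(head) != 8:
        raise ValueError("not a CEF line: expected 7 pipe-separated header fields")
    event = dict(zip(HEADER_KEYS, head[:7]))
    event["cef_version"] = head[0][len("CEF:"):]
    for token in re.split(r"\s+(?=[A-Za-z][\w.]*=)", head[7].strip()):
        key, _, value = token.partition("=")
        event[key] = value.strip("'").replace("\\=", "=")
    return event


def verdicts(event):
    """Return only the engines that actually produced a verdict (drops NOT_EVALUATED)."""
    return {k: v for k, v in event.items() if k.endswith("Verdict") and v != "NOT_EVALUATED"}


def needs_review(event):
    """Triage rule: a message that failed SPF/DKIM/DMARC but was not dropped by the gateway
    is worth an analyst's look, because the single consolidated entry shows both facts at once."""
    failed_auth = any(event.get(k, "").lower() in ("fail", "permfail", "softfail") for k in AUTH_KEYS)
    return failed_auth and event.get("ESAFinalAction") != "DROPPED"
```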
SAML for Administrative Authentication
• SAML for administration allows the use of an SSO provider for authentication, with the option to map roles to groups via SAML 2.0
• SAML will be verified against ADFS, Azure AD and
• This will be available on both the ESA and SMA
Advanced Phishing Protection and Domain Protection
• Protect your brand: drive to DMARC enforcement
• Protect your users: leverage local intel on authenticity and reputations

Protect Your Brand: DMARC Authentication with Domain Protection
• Easily analyze, update and take action against those misusing your domain to send malicious email
• Validate those who use your domain appropriately
• Compliant with new US Department of Homeland Security regulations
• Drive to DMARC enforcement with proven tools and services

Stopping Phishing and Brand Abuse: Cisco Domain Protection (DMP)
Brand Indicators for Message Identification
Brand Indicators for Message Identification (BIMI) is an industry-wide standards effort that will use brand logos as indicators to help people avoid fraudulent email, while giving marketers a huge new opportunity to put their brands in front of consumers for free.
BIMI is limited to domains/organizations at p=quarantine or p=reject only.
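As an added example that is neither the deck's nor Cisco Domain Protection's code, the Python below parses a DMARC TXT record and classifies where a domain sits on the road to enforcement, then applies the BIMI policy rule stated above; the three records are constructed for illustration.

```python
# Constructed DMARC TXT records for three stages on the way to enforcement (not real domains).
SAMPLE_RECORDS = {
    "monitor-only.example": "v=DMARC1; p=none; rua=mailto:dmarc-reports@monitor-only.example",
    "partial.example":      "v=DMARC1; p=quarantine; pct=25; rua=mailto:dmarc@partial.example",
    "enforced.example":     "v=DMARC1; p=reject; sp=reject; adkim=s; aspf=s; rua=mailto:dmarc@enforced.example",
}


def parse_dmarc(record):
    """Split a DMARC TXT record into a lowercase tag -> value dict.

    Tags are ';'-separated 'tag=value' pairs and the record must start with v=DMARC1.
    Values such as rua=mailto:... contain ':' and '@' but never '=', so splitting each
    pair on its first '=' is safe.
    """
    tags = {}
    for part in record.split(";"):
        if "=" not in part:
            continue
        key, value = part.split("=", 1)
        tags[key.strip().lower()] = value.strip()
    if tags.get("v", "").upper() != "DMARC1":
        raise ValueError("not a DMARC1 record")
    return tags


def enforcement_level(tags):
    """'monitor' for p=none (receivers take no action, they only report), 'partial' when
    pct= asks receivers to apply the policy to less than 100% of failing mail, else 'enforced'."""
    policy = tags.get("p", "none").lower()
    if policy == "none":
        return "monitor"
    if int(tags.get("pct", "100")) < 100:
        return "partial"
    return "enforced"


def bimi_eligible(tags):
    """The deck's stated BIMI rule: only domains at p=quarantine or p=reject qualify."""
    return tags.get("p", "none").lower() in ("quarantine", "reject")


def report(records):
    """Summarise each domain as (enforcement level, BIMI eligibility)."""
    return {domain: (enforcement_level(tags), bimi_eligible(tags))
            for domain, tags in ((d, parse_dmarc(r)) for d, r in records.items())}
```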
Advanced Phishing Protection
Advanced intelligence reduces Business Email Compromise
• Learns and authenticates identities and behavioral relationships for enhanced protection
• Better understand which emails carry targeted phishing attacks so only legitimate emails are in inboxes
Identity Mapping and Behavioral Analytics: Trust Modelling (between sender & recipient)
Cisco Advanced Phishing Protection (APP)
Insider Impersonation Protection Stops Internal Threats
The Advanced Phishing Protection sensor covers three cases: compromised employee, trusted partner or vendor, and coworker
• Alert security operations center of threats targeting trusted partners, vendors, and coworkers
• Automatically remove malicious emails from coworker inboxes
• Alert partner or trusted vendor of a potential threat
Cisco Threat Response Integration
Security Operations: threats are becoming more complex, and understanding what happened requires stitching information together
Questions to answer: Is it bad? How? Has it affected us? Why?
Technologies and intelligence involved: SIEM, Email Security, Malware Detection, Next-Gen IPS, Endpoint Security, Third party sources, Network Analytics, Threat Intel, Identity Management, Secure Internet Gateway, Web Security, Next-Gen Firewall
Cisco Threat Response is complimentary with select Cisco Security product licenses
You’re entitled to Threat Response if you own: Cisco Email Security, Cisco Threat Grid, Cisco NGFW/NGIPS, Cisco AMP for Endpoints, Cisco Umbrella
Get started with Threat Response right now at visibility.amp.cisco.com
• AMP for Endpoints / Threat Grid: use your existing admin credentials to log in (AMP customers log in at “Cisco Security”)
• Umbrella / Email Security: create your account to get started. Quick start guides: Umbrella: cs.co/ctr_umbrella; Email Sec.: cs.co/email_security
CTR integration with Email Security (SMA 12.0)
Questions the SOC can answer from within CTR:
• Which email messages have seen this filename?
• Which email messages have seen this file hash?
• Which email messages have been affected by this sender IP?
• Which email messages have been affected by this sender domain?
• What are the details surrounding Cisco Message ID x?
• What are the details surrounding Message ID Header x?
And with Cisco Unity (ESA/CES integration with the AMP for Endpoints console):
• A SOC or CTR user can implement a block of a specific file hash via A4E that takes effect in the ESA (this function is available today)
Cisco Threat Response in the SOC: complements existing investments and supports the SecOps team
• Inputs: multiple Cisco products and intel/identity context; other existing products and intel/identity context
• Works alongside the existing SIEM, the IR team and an optional stand-alone SOAR
• Detect, Investigate, Remediate