Brksec-2240 Ces PDF

#CiscoLiveLA
Cisco Email Security

Technical Deep Dive on version 12.0, Domain
Protection and Advanced Phishing Protection
Usman Din, Sr. Product Manager

BRKSEC-2240
#CiscoLiveLA
Agenda • Introduction
• Quick Review: Email Pipeline
• Anti-Spoofing : Domain Reputation and
Protection
• Anti-Phishing: URL Analysis and Advanced
Phishing Protection
• Threat Hunting with Cisco Threat Response
and ESA
• External Threat Feeds & APIs
• Next Steps & Conclusion
#CiscoLiveLA BRKSEC-2240 © 2018 Cisco and/or its affiliates. All rights reserved. Cisco Public 3
Introduction…
Usman Din
• Joined Cisco through IronPort acquisition in 2007
• Global Lead for the Email Security Advisory Group
• Cisco Live Speaker in US, LATAM and EU
• 3 time Distinguished Speaker
• Joined the Email Product Manager Team in 2016
• Based out of Toronto, Canada
Quick Review: Email Pipeline
Reputation Connection File File Graymail Outbreak Adv. Phishing
CASE Anti-Virus Content Filtering
Filtering Filtering Reputation Analysis Detection Filtering Protection
70-80% Throttling Multi- Block 100% SHA based Over 300 Control Business & 9-12 hr lead Behavioral
Block SPF, DKIM & Verdict of known file blocking Behavioral marketing, Security time Analytics
rate DMARC scanning viruses Indicators social and Rules Outbreaks
DP
bulk
Connection and Content Filtering Virus & Malware Filtering Content Filtering Anti-Phishing
Anti-Spoofing URL Analysis 0-Day Malware URL Analysis
0-Day
Post Delivery Interactions

Domain Envelope Data Loss File Rep &
Anti-Virus CASE
Protection Encryption Prevention Analysis
Graymail URL Rewrite and AMP Retrospection &
Unsubscribe Tracking Remediation
Brand Protect Inspect Outbound Block 100% Multi- Link validation Track user clicks Alert on verdict
Protection Sensitive sensitive malware of known Verdict and and report on changes and
Data content scanning viruses scanning unsubscribe URLS Auto-delete from
O365
Anti-Spoofing Content Filtering Virus & Malware Filtering Filtering URL Analysis URL Analysis 0-Day Malware
Anti-Spoofing
Putting together the anti-spoofing puzzle
Envelope SPF Domain

Controls DKIM Reputation
Data
Domain
Header DMARC
Protection
Matching
Putting together the anti-spoofing puzzle
Envelope SPF Sender

Controls DKIM Reputation
Data
Domain
Header DMARC
Protection
Matching
Understanding the types of Spoofs
Type Who are they Spoof Target Description
spoofing?
Simple Spoof External Parties Your Users Simple spoof is where the attacker attempts to change or manipulate the
envelope from in the headers of an email, or change the reply-to to
redirect email.
Cousin Domain / Your Brand Your Customers Attacks become more sophisticated by relaying on minor changes to the
Typo Squatting suffix and / or prefix of the email addresses to trick users. High probability
of success and hard to detect due to large number of variations
Display Name Your Executives Financial Controllers Also called Business Email Compromise (BEC) is the most complex attack
Modification involves the use of legitimate domains (either hijacked or created) with the
manipulating message headers to show an accurate Display Name and a
Cousin domain/typo in the email address to trick targets into releasing
information. This is the most common attack today with a high success
rate.
Sources of spoofs
• The advent of shared services such as Office 365 and G-Suite

has made it easy to use mail servers that have a “good”
reputation
• Compounding the issue, these services will mix free mail with
corporate / paid services, making it harder to distinguish threat
messages based on source
Envelope Spoofing (for owned domains)
• There are 2 types of headers in an email, envelope and data headers
• Envelope spoofing is one of the simplest and easiest ways to trick users by
manipulating the headers to show whatever is desired
Info: ICID 1840489 ACCEPT SG ACCEPT match 45.55.251.155 SBRS None country United States
Info: Start MID 3481407 ICID 1840489 Envelope spoof of a domain that you
Info: MID 3481407 ICID 1840489 From: <usman@encoresol.com> own
Info: MID 3481407 ICID 1840489 RID 0 To: <usman@encoresol.com>
Info: MID 3481407 ready 653 bytes from <user@encoresol.com> Recipient is of the same domain
Info: MID 3481407 matched all recipients for per-recipient policy DEFAULT in the inbound table
Info: MID 3481407 queued for delivery
Info: Delivery start DCID 0 MID 3481407 to RID [0]
From header inherits Envelope if not specified
Info: Message done DCID 0 MID 3481407 to RID [0] [('from', 'usman@encoresol.com')]
Protection against own domain spoofs
• By leveraging the Sender Verification table, you can stop effectively stop
envelope spoofing of your domain
• If there are known / allowed spoofing sources you can set them to bypass
the check
Info: ICID 1840469 ACCEPT SG ACCEPT match 45.55.251.155 SBRS None country United States
Info: ICID 1840469 Address: <user@encoresol.com> sender rejected, envelope sender matched domain exception
Sender Domain Reputation (SDR)
Includ
ed in
v 12
• Like SBRS, SDR will be able to combine multiple pieces of

intelligence to come up with a verdict
• Envelope domain, From domain, Reply-to domain, SPF, DKIM,
DMARC, RDNS and HELO are all sent as part of the query
• Actions can be taken inside a message or content filter to
drop, quarantine, mark, etc.
SDR flow Mail Flow
Policy
Host Access RAT
Concurrent Connection Check Access

START Reputation Query SBRS to HAT Mapping TCP_REFUSE -> REJECT
Limit Check
HELO \ Concurrent Connection Check Access

Reputation Query SBRS to HAT Mapping TCP_REFUSE -> REJECT
EHLO Limit Check
MAIL Max Messages per Envelope Sender

FROM TLS / SMTPAUTH
connection verification
RCPT Rate Limiting

TO Delayed Reject RAT Check (max recipients per hr, etc)
Accept and
DMARC mark values
DATA SPF Check DKIM Data Size, Subject size
for AS, AV,
S/MIME
SDR Data Query
SDR Verdicts
• Evaluate domain information of Envelope Sender, From and reply-to as well as domain age
• 7 reputation verdicts possible to action on inside a content filter or based on age
Reputation Action Description

Awful Block (w/FN) Always Block domains with this reputation
Poor Block Recommend blocking level
Tainted Allow / Throttle / Quar Continue scanning, use other factors to make verdict
Weak Allow / Throttle / Quar Continue scanning, use other factors to make verdict
Unknown Allow / Throttle / Quar Continue scanning, use other factors to make verdict
Neutral None Neutral (fair) reputation
Good None Good Reputation
Enabling SDR
• Sender Domain Reputation is enabled

globally
• The default query includes IP, envelope
header, and HELO information
• Additional Attributes can be sent during the
data phase to help increase the telemetry to
SDR
What is sent to Talos?
q Sender IP q Marketing headers

q HELO q List-Unsubscribe header
q PTR q Message-ID
q Envelope From q SPF result & alignment
(domain or full address)
q From headers q DKIM result & alignment

q DMARC result
q Reply-To header
Configuring SDR Actions
• Though SDR queries during the
conversation phase, actions are
configured at the filter level
• Message Filters and content
filters can use either the domain
age or reputation to take an
action
SDR in logs and message tracking
• Evaluates domains in the envelope-from, from and reply-to headers, will
display the “worst” verdict, along with domain age
• Verdicts and domain age can be used in a filter
Sending domain identified by SPF

Spoofed address
Verdict and Age
SDR Reporting
• 2 reporting widgets
available for SDR
• Breakdown of SDR
categories
• Breakdown of Threat
Category
• Spam
• Malware Sites
• Phishing
Data header manipulation
• Detecting envelope spoofing is relatively simple to detect and block
• Bad actors are aware of this too
• Data Headers (from, reply-to) are harder to detect as it’s common practice
to have different from or reply-to addresses
SMTP address vs internal username
SPF and DKIM
• Sender Policy Framework, specified in RFC4408
• Allows recipients to verify sender IP addresses by looking up DNS records listing authorized Mail Gateways for a
particular domain
• Uses DNS TXT Resource Records
• Can verify HELO/EHLO and MAIL FROM identity (FQDN)
• Upon evaluation of SPF records, the following can these results:
Result Explanation Intended action

Pass The SPF record designates the host to be allowed to send accept
Fail The SPF record has designated the host as NOT being allowed to send reject
SoftFail The SPF record has designated the host as NOT being allowed to send but is in transition accept but mark
Neutral The SPF record specifies explicitly that nothing can be said about validity accept
None The domain does not have an SPF record or the SPF record does not evaluate to a result accept
PermError A permanent error has occurred (eg. badly formatted SPF record) unspecified
TempError A transient error has occurred accept or reject
SPF and DKIM
• Domain Keys Identified Mail, Specified in RFC5585
• In a nutshell: Specifies methods for gateway-based cryptographic signing of outgoing messages,
embedding verification data in an e-mail header, and ways for recipients to verify integrity of the
messages
• Additional RFCRFC6376 (DKIM Signatures), RFC5863 (DKIM Development, Deployment and
Operation), RFC5617 (Author Domain Signing Practices (ADSP))
• Uses DNS TXT records to publish public keys
20120113._domainkey.gmail.com IN TXT “k=rsa\; p=MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA1Kd87/UeJjenpabg
bFwh+eBCsSTrqmwIYYvywlbhbqoo2DymndFkbjOVIPIldNs/m40KF+yzMn1skyoxcTUGCQs8g3FgD2Ap3ZB5DekAo5wMmk4wimDO+U8QzI3SD
0""7y2+07wlNWwIt8svnxgdxGkVbbhzY8i+RQ9DpSVpPbF7ykQxtKXkv/ahW3KjViiAH+ghvvIhkx4xYSIc9oSwVmAl5OctMEeWUwg8Istjqz
8BZeTWbf41fbNhte7Y+YqZOwq1Sd0DbvYAD9NOZK9vlfuac0598HY+vtSBczUiKERHv1yRbcaQtZFh5wtiRrN04BLUTD21MycBX5jYchHjPY/
wIDAQAB”
Enable SPF Verification
• When SPF is enabled, the ESA will stamp
headers in the message
• Use the results inside message or content

filters to determine the action
• PRA identities are evaluated in the
message filters only
• SPF vs SIDF, an interesting read:

http://www.openspf.org/SPF_vs_Sender_
ID
BRKSEC-2240 24
Enable DKIM Verification
1 2
1. Create profile for action on DKIM (Default is

Monitor)
2. Enable DKIM Verification in Mail Flow Polices
3. Act on failures via a content filter. Use an action to

Policy quarantine to be able to review spoofs
BRKSEC-2240 25
After enabling SPF
Mon Jun 26 16:48:31 2018 Info: New SMTP ICID 238970 interface Data 1 (216.71.129.13) address 72.142.13.157 reverse dns host
unallocated-static.rogers.com verified no
Mon Jun 26 16:48:31 2018 Info: ICID 238970 ACCEPT SG SUSPECTLIST match sbrs[none] SBRS None country Canada
Mon Jun 26 16:48:54 2018 Info: Start MID 137251 ICID 238970
Mon Jun 26 16:48:54 2018 Info: MID 137251 ICID 238970 From: <ceo@dinconsulting.com>
Mon Jun 26 16:49:09 2018 Info: MID 137251 ICID 238970 SMTP Call-Ahead bypass applied to <bob@dinconsulting.com>
Mon Jun 26 16:49:09 2018 Info: MID 137251 ICID 238970 RID 0 To: <bob@dinconsulting.com>
Mon Jun 26 16:49:18 2018 Info: MID 137251 SPF: helo identity postmaster@dinconsulting.com Fail (v=spf1)
Mon Jun 26 16:49:18 2018 Info: MID 137251 SPF: mailfrom identity ceo@dinconsulting.com Fail (v=spf1)
Mon Jun 26 16:49:40 2018 Info: MID 137251 SPF: pra identity None headers None
Mon Jun 26 16:49:40 2018 Info: MID 137251 Subject 'Re: Please pay this...'
Mon Jun 26 16:49:40 2018 Info: MID 137251 ready 202 bytes from <ceo@dinconsulting.com>
Mon Jun 26 16:49:40 2018 Info: MID 137251 matched all recipients for per-recipient policy DINCONSULTING in the inbound table
<scan results> …
SPF Record: TXT="v=spf1 include:spf.protection.outlook.com -all"

• By enabling SPF, you gain additional intelligence on the sender
• We still accepted the message, but can use the verdict later to make a decision to convict the message
• Effectiveness is bound by participation – you need to invest time to ensure SPF records are up to date
BRKSEC-2240 26
DMARC
• Both DKIM and SPF have shortcomings, not because of bad design, but because of different
nature of each technology
• Thus, DMARC was born:
• Leveraging great existing technologies, providing a glue to keep them in sync, and allowing senders to
mandate rejection policies and have visibility of offending traffic
• Domain-based Message Authentication, Reporting And Conformance

• Defined in RFC 7489
• Provides:
• DKIM verification
• SPF authentication
• Synchronization between all sender identities (Envelope From, Header From)
• Reporting back to the spoofed entity
Forged Email Detection – Header Fuzzy Matching
1 2
MID 143464 Forged Email Detection on the From: header with score of 100
Info: Message done DCID 1570 MID 143464 to RID [0] [('From', ‘Angry Bossman <angryboss@gmail.com>']
• The idea behind Forged Email Detection is to provide a method to match the Display Name in the
From Message header to Executives or High Value Personnel
• This feature can help narrow down targeted spoofs, that can leverage any action inside a content
or message filter and can also strip the From header to expose the envelope from.
• Using it alone is prone to false positives! Use in conjunction with other conditions
What are we matching?
• Forged Email Detection focuses on matching the Header From (RFC5322) and
specifically the Display Name (i.e First Last <user@domain.com>)
• There were issues with efficacy in earlier releases, addressed in v10.0.3+ and
v11.0.1+
• Fuzzy Matching samples:
Amgry Bossman -> Forged Email Detection on the From: header with score of 93
Angerry Bossman -> Forged Email Detection on the From: header with score of 92
Angry Bosman -> Forged Email Detection on the From: header with score of 96
Angry B0ssman -> Forged Email Detection on the From: header with score of 93
Angry Bossm4n -> Forged Email Detection on the From: header with score of 92
Andry Bossman -> Forged Email Detection on the From: header with score of 92
Getting Started with FED
• FED will only create a log entry for a score that is the same or higher than what is configured
• Start by creating a filter with a low threshold (50) and log the results for each score above that
threshold
• Enable logging of From and Reply-To headers
1 3
Example Forged Email Detection Filter
Before fed() After fed()
Strip From header

Insert Disclaimer
• In this example we added the

reputation score of the sender
to focus the matches on
untrusted senders
• By leveraging Forged Email

Detection we can take an
action to strip the headers
and any additional actions
that may be required
• Use in combination with a

User Training program
BRKSEC-2240 32
How to enable DMARC
1
• DMARC is configured via by
creating a profile and then applying
the profile to a Mail Flow Policy
• By default the profile is set to
Monitor for DMARC violations,
2 however it needs to be applied to a
policy for it to evaluate DMARC
records
• Monitor and Tune settings and
SenderGroups and move to
blocking when ready
Blocking with DMARC
v=DMARC1; p=reject; pct=100; rua=mailto:dmarc_y_rua@yahoo.com

Tue Jun 27 00:09:24 2018 Info: MID 140370 ICID 242100 From: root@cannon.teamnorthwind.com
Tue Jun 27 00:09:24 2018 Info: MID 140370 ICID 242100 RID 0 To: usman@dinconsulting.com
Tue Jun 27 00:09:24 2018 Info: MID 140370 SPF: helo identity postmaster@cannon-master None
Tue Jun 27 00:09:24 2018 Info: MID 140370 SPF: mailfrom identity root@cannon.teamnorthwind.com None
Tue Jun 27 00:09:25 2018 Info: MID 140370 SPF: pra identity gguy@yahoo.com None headers from
Tue Jun 27 00:09:25 2018 Info: MID 140370 DMARC: Message from domain yahoo.com, DMARC fail, (SPF
aligned False, DKIM aligned False) DMARC policy is reject, applied policy is reject
Tue Jun 27 00:09:25 2018 Info: MID 140370 DMARC: Verification failed.
Tue Jun 27 00:09:25 2018 Info: MID 140370 DMARC: Message rejected by DMARC policy.
Tue Jun 27 00:09:25 2018 Info: MID 140370 rejected by DMARC policy
Tue Jun 27 00:09:25 2018 Info: Message aborted MID 140370 Receiving aborted
Participation is key
• In order to take advantage of DMARC for your own domains you need to
create and maintain your SPF records
TXT Record for Domain amazon.com Version of DMARC Action on Auth Failure % of messages to apply policy
_dmarc.amazon.com IN TXT “v=DMARC1\; p=quarantine\; pct=100\;

rua=mailto:dmarc-reports@bounces.amazon.com\; ruf=mailto:dmarc-
reports@bounces.amazon.com
Aggregate Feedback report URI Forensic Feedback report URI
Cisco Domain Protection (CDP)
Protect your brand

• Easily analyze, update and take action against those misusing your domain to send
malicious email
• Validate those who use your domain appropriately
Automate DMARC authentication
• Compliant with new US Department of Homeland Security Regulations
• Drive to DMARC Enforcement with proven tools and services
• Keep records up to date with hosted records
CDP – Monitoring your senders
• If you have not created SPF or DMARC records, you’ll need to implement
them in monitoring mode to get an idea of who is sending as your domain
CDP - Approved & Unapproved Senders
• In order to effectively stop spoofing
attacks using DMARC , understanding
which 3rd parties that send email on your
behalf is mandatory
• CDP automates that process by
identifying, tracking and managing all 3rd
party senders.
• In addition, CDP maintains governance
and helps to identify 3rd party sender risk
Email Posture
• Because of the feedback
loop provided by DMARC,
analytics on the number of
legitimate vs spoofed email
can be displayed
• This information is valuable as
the majority of information
seen is from external
recipients sending aggregate
reports
Anti-Phishing
Phishing Types
• Phishing can be broadly broken up into 2 types:
• URL or File: Credential Take Over, Ransomware, etc.
• Payload is delivered in a file or URL prompting the user to enter information into
a fake site and/or execute an exploit
• Scams: Money Mule, Dating, Wire Transfers, etc.
• No payload (url, document), focusing on the social engineering aspects to fool
users in to making an transaction
• Blended threats will use spoofing of addresses and phishing
payloads to trick the user into an action
#CiscoLiveLA © 2018 Cisco and/or its affiliates. All rights reserved. Cisco Public
Looking for URLs
• URLs can be searched in the email body,
subject and with version 11.1 in
attachments
• URLs can be triggered by Reputation
score, Category or External Threat Feed
match
• When URLs are extracted from
attachments, no modification is done to
the attachment New in
v11.1
Managed URL Expansion
New in
v11.1
• This feature will allow for URLs that are using a Malicious URL behind a shortener service
shortening service will be pre-expanded to get base http://bit.ly/xyz123s34

the URLs
• The ESA will query the service directly to get the base http://www.badsite.com
URL
Services supported (23):
• Up to 10 redirections / queries will be supported • post.ly
• bit.ly • tl.gd
before the URL is marked as malicious • tiny.cc
• tinyurl.com • plurk.com
• Must be enabled via the CLI • ow.ly • url4.eu • ustre.am

• tumblr.com • j.mp • tr.im
websecurityadvancedconfig > Do you want to enable URL filtering for shortened URLs? [Y]> Y
• formspring.me • goo.gl • ur.ly
• ff.im • yfrog.com • fb.me
• youtu.be • su.pr • alturl.com
• chatter.com • wp.me
Actions to take on URLs
http://ihaveabadreputation.com
Defang Remove Rewrite Sandbox
https://secure-web.cisco.com/1adjW1InNsH83UFDjLDFTjer5nJId9J- https://secure-web.cisco.com/1adjW1InNsH83UFDjLDFTjer5nJId9J-
YYihaveabadrepution_comYY [URL REMOVED] HjqKlbAcaLQ74EH5ViYEStC5jPZqvg_weQJeocAQeEryL5b1JR6T0JgzXkjk1P
UMCBb_eQApCXS6ZsoujzgNvwt9UqN27SN1zcMVjmIpWQN__lTmALmHd
HjqKlbAcaLQ74EH5ViYEStC5jPZqvg_weQJeocAQeEryL5b1JR6T0JgzXkjk1P
UMCBb_eQApCXS6ZsoujzgNvwt9UqN27SN1zcMVjmIpWQN__lTmALmHd
GMZ_PaFf9FTUvmMc7UjRZBhvHzDvGJ0Lm5uh9evj_C_OemBAy44xbXw GMZ_PaFf9FTUvmMc7UjRZBhvHzDvGJ0Lm5uh9evj_C_OemBAy44xbXw
mYuA3uRPqKrf7T6ZNepA0MlcszDFPwufWUB7bbmS8Ziqh_- mYuA3uRPqKrf7T6ZNepA0MlcszDFPwufWUB7bbmS8Ziqh_-
CyjG8KI6fJU33qjnInxHsjOBq98VxQUT- CyjG8KI6fJU33qjnInxHsjOBq98VxQUT-
vMf_2U_OlpguXStzGTlj3U__yBZlLZsS9W1xLZpcGUKpdUp8Q_SBBq9HknQ vMf_2U_OlpguXStzGTlj3U__yBZlLZsS9W1xLZpcGUKpdUp8Q_SBBq9HknQ
/http%3A%2F%ihaveabadreputation.com /http%3A%2F%ihaveabadreputation.com
Click! Click!
Web Reputation Check Sandbox
Cisco Advanced Phishing Protection (CAPP)
Who is sending the email?
What Identity is being claimed here?

Who does this sender claim to be?
The science behind it – a phishing attack
The science behind it – a legitimate email
CAPP Policies
• Policies can be used to report
and take actions on messages
that been found to be
malicious
• Multiple policies based on
Subject, To / From addresses,
and verdicts of the email can
be created
• Actions such as move or
delete, can be taken
CAPP Enforcement
• Enforcement is done through
API calls
• Office 365 is supported
through the Graph API and
on-prem Exchange through
the EWS API
• Message trajectory is found
through journaling of emails
which allows for metadata to
be collected on the message
Separating the trees from the forest
cisco.com
Separating the trees from the forest
Cisco Threat Response
Security components must work together
Security Operations Technologies and Intelligence
Is this bad?
Endpoint
Has it affected us? Threat Intel Security SIEM Next-Gen
IPS
???
How?
Email
Where? Malware Secure Internet Web
Detection Gateway Security Security
What do we do?
How long will it take? Third party Network Next-Gen Identity

Sources Analytics Firewall Management
© 2018 Cisco and/or its affiliates. All rights reserved. Cisco Confidential
Cisco Threat Response for Email Security
Includ
ed in
v 12
AMP/TG External TALOS

• CTR provides customers the ability to
correlate global threat telemetry with
local data from multiple sources
CTR Dashboard + Case Book
• V12.0 of the SMA will have the ability
to allow CTR to query tracking data to
API Interface provide additional details of files and
URLs
SMA 12.0 (CES / On-Prem)
Global and Local Intelligence
Cisco Threat Response Integration
External Threat Feeds and
APIs
External Threat Feeds: STIX over TAXII
Includ
ed in
v 12
• Opens up Cisco Email STIX TAXII or Structured Threat Information Expression™ and
Security to consume external Trusted Automated eXchange of Indicator Information™
feeds
• Consume company and
industry specific threat
information and take actions
• 5 IoCs supported:
• IP
• Domain
• Host
• URL
• SHA/MD5
Using External Threat Feeds
Tracking, Reporting and Quarantine APIs
Includ
ed in
v 12
Sample Response
• The new API opens up data on the {
"data": {
"messages": {
SMA for off-box queries as well as "attachments": [

"unknown",
"test.vofauto",
taking actions on quarantines "test.vofmanual"

],
"direction": "incoming",
"hostName": "esa10.0.2 (10.76.71.63)",
"isCompleteData": true,
"mailPolicy": [
"DEFAULT"
],
"messageSize": "1.83 (KB)",
"messageStatus": "Delivered",
"mid": [
1145,
1418
Sample Request ],
"midHeader": "<20050408173904.000050d1@example.com>",
GET /sma/api/v2.0/message-tracking/details?endDate=2018-03- "recipient": [
08T23:00:00.000Z&icid=101&mid=1145&startDate=2014-10- "5896@example.com"
01T12:00:00.000Z&serialNumber=848F69E85625-4C77PW1 ],
HTTP/1.1 "sender": "user123@example.com",
cache-control: no-cache "senderGroup": "RELAYLIST",
Authorization: Basic YWRtaW46Q2lzY28xMjMk "sendingHostSummary": {
"ipAddress": "10.76.68.38",
Accept: */*
"reverseDnsHostname": "m170q01.ibqa (verified)",
Host: sma.example.com:6080 "sbrsScore": "not enabled"
accept-encoding: gzip, deflate },
Connection: keep-alive "showDLP": false,
"showSummaryTimeBox": true,
"showURL": false,
"smtpAuthId": "",
"subject": "auto and manual",
"summary": [
{
"description": "Protocol SMTP interface Management (IP 10.76.71.63) on incoming connection…
Next Steps & Conclusion
Upgrade!
• As attack vectors evolve, new ways to evaluate and decide on

how to handle threats must be developed
• There is no single checkbox or silver bullet, a combination of
verdicts and indicators must be used to make defensive actions
• Upgrading to latest version of AsyncOS will help identify threats
and mitigate against breaches
Complete your online session evaluation
Give us your feedback to be entered into a

Daily Survey Drawing.
Complete your session surveys through the
Cisco Live mobile app or on
www.CiscoLive.com/us.
Don’t forget: Cisco Live sessions will be available for viewing on
demand after the event at www.CiscoLive.com/Online.
Continue
your Demos in
the Cisco
Walk-in
self-paced
Meet the
engineer
Related
sessions
education campus labs 1:1
meetings
Thank you
#CiscoLiveLA
#CiscoLiveLA
Cybersecurity Cisco education offerings
Course Description Cisco Certification
Understanding Cisco Cybersecurity The SECFND course provides understanding of cybersecurity’s CCNA® Cyber Ops
Fundamentals (SFUND) basic principles, foundational knowledge, and core skills needed to
build a foundation for understanding more advanced
cybersecurity material & skills.
Implementing Cisco Cybersecurity Operations This course prepares candidates to begin a career within a Security CCNA® Cyber Ops
(SECOPS) Operations Center (SOC), working with Cybersecurity Analysts at
the associate level.
Cisco Security Product Training Courses Official deep-dive, hands-on product training on Cisco’s latest
security products, including NGFW, ASA, NGIPS, AMP, Identity
Services Engine, Email and Web Security Appliances, and much
more.
For more details, please visit: www.cisco.com/go/securitytraining or http://learningnetwork.cisco.com

Questions? Visit the Learning@Cisco Booth
Cybersecurity Cisco education offerings
Course Description Cisco Certification
CCIE Security 5.0 CCIE® Security
Implementing Cisco Edge Network Security Configure Cisco perimeter edge security solutions utilizing Cisco CCNP® Security
Solutions (SENSS) Switches, Cisco Routers, and Cisco Adaptive Security Appliance (ASA)
Firewalls
Implementing Cisco Threat Control Solutions
(SITCS) v1.5 Implement Cisco’s Next Generation Firewall (NGFW), FirePOWER NGIPS
(Next Generation IPS), Cisco AMP (Advanced Malware Protection), as
well as Web Security, Email Security and Cloud Web Security
Implementing Cisco Secure Access Solutions
(SISAS) Deploy Cisco’s Identity Services Engine and 802.1X secure network
access
Implementing Cisco Secure Mobility Solutions
(SIMOS) Protect data traversing a public or shared infrastructure such as the
Internet by implementing and maintaining Cisco VPN solutions
Implementing Cisco Network Security (IINS Focuses on the design, implementation, and monitoring of a CCNA® Security
3.0) comprehensive security policy, using Cisco IOS security features
For more details, please visit: www.cisco.com/go/securitytraining or http://learningnetwork.cisco.com

Questions? Visit the Learning@Cisco Booth

Brksec-2240 Ces PDF

Caricato da

Informazioni sul documento

Titolo originale

Copyright

Formati disponibili

Condividi questo documento

Condividi o incorpora il documento

Opzioni di condivisione

Hai trovato utile questo documento?

Questo contenuto è inappropriato?

Copyright:

Formati disponibili

Brksec-2240 Ces PDF

Caricato da

Copyright:

Formati disponibili

#CiscoLiveLA

Cisco Email Security

Usman Din, Sr. Product Manager

Post Delivery Interactions

Envelope SPF Domain

Envelope SPF Sender

• The advent of shared services such as Office 365 and G-Suite

• Like SBRS, SDR will be able to combine multiple pieces of

Concurrent Connection Check Access

HELO \ Concurrent Connection Check Access

MAIL Max Messages per Envelope Sender

RCPT Rate Limiting

SDR Data Query

• 7 reputation verdicts possible to action on inside a content filter or based on age

Reputation Action Description

• Sender Domain Reputation is enabled

q Sender IP q Marketing headers

q From headers q DKIM result & alignment

Sending domain identified by SPF

Verdict and Age

SMTP address vs internal username

Result Explanation Intended action

• Use the results inside message or content

• SPF vs SIDF, an interesting read:

1. Create profile for action on DKIM (Default is

3. Act on failures via a content filter. Use an action to

SPF Record: TXT="v=spf1 include:spf.protection.outlook.com -all"

• Domain-based Message Authentication, Reporting And Conformance

Strip From header

• In this example we added the

• By leveraging Forged Email

• Use in combination with a

v=DMARC1; p=reject; pct=100; rua=mailto:dmarc_y_rua@yahoo.com

_dmarc.amazon.com IN TXT “v=DMARC1\; p=quarantine\; pct=100\;

Protect your brand

shortening service will be pre-expanded to get base http://bit.ly/xyz123s34

• Must be enabled via the CLI • ow.ly • url4.eu • ustre.am

Defang Remove Rewrite Sandbox

Web Reputation Check Sandbox

Who is sending the email?

What Identity is being claimed here?

How long will it take? Third party Network Next-Gen Identity

AMP/TG External TALOS

SMA for off-box queries as well as "attachments": [

taking actions on quarantines "test.vofmanual"

• As attack vectors evolve, new ways to evaluate and decide on

Give us your feedback to be entered into a

For more details, please visit: www.cisco.com/go/securitytraining or http://learningnetwork.cisco.com

For more details, please visit: www.cisco.com/go/securitytraining or http://learningnetwork.cisco.com

Potrebbero piacerti anche