New email security release adds spoofing protection, auto-remediation of malware for Office 365 customers, AMP Private Cloud, and more.
There’s been a spike in ransomware and spear-phishing attacks in the last several months. Read any news outlet and you’ll find examples of health records and other valuable data being locked up, employees duped into releasing sensitive information or wire-transferring funds, and more. In fact, in April the FBI released a warning to businesses about a dramatic increase in email scams. It’s no surprise that a recent customer survey revealed that protecting against these types of threats is top of mind. At the same time, given the global shortage of skilled IT security professionals, every organization must do more with less.
At Cisco, we understand that you need effective security – simple, open and automated. Our new Cisco Email Security AsyncOS 10.0 release demonstrates how we’re innovating to meet this need with new threat-focused security capabilities designed to defeat increasingly sophisticated and targeted attacks, along with enhancements to increase operational agility.
Threat-focused Security
Protect Against Spoofing Attacks
From October 2013 to August 2015, the FBI estimated that Business Email Compromise (BEC) had cost companies $1.2B globally. This number was updated to $2.3B through February 2016. Spoofing attacks, a type of BEC, have focused particularly on executives considered high-value targets. AsyncOS 10.0 includes Forged Email Detection to help block these targeted attacks and provides detailed logs on all attempts and actions taken.
Office 365 Customers Can Automate Malware Remediation
When malware does infiltrate the network, you need to remediate breaches fast. Office 365 customers can now automatically remediate malware with Cisco Advanced Malware Protection (AMP) retrospective security. The manual process of cleaning up infected mailboxes one by one and submitting tickets is now automated, freeing up resources to focus on running the business. Email administrators can simply set their email security solution to take automatic actions on those infected emails, for example deleting them, and access audit logs to track all actions taken on mailboxes.
AMP Private Cloud for Stringent Privacy Requirements
For customers in industries, markets or regions with stringent privacy mandates, Cisco Email Security now offers a new Advanced Malware Protection private cloud, allowing customers to host their AMP file reputation cloud on-premises. This, along with the AMP Threat Grid appliance, brings the entire AMP offering completely on-premises. At the same time, customers still benefit from AMP public cloud updates.
Track specific URLs in an email for improved visibility
URL logging and message tracking help pinpoint the specific URL within an email that caused it to be identified as malicious. This allows email administrators to understand their threat posture with respect to malicious URLs, and potentially to tune their systems to thwart future attacks and remediate possible exposure.
Increased Efficiency and Ease-of-use
Improved AMP reporting
Administrators and management need greater visibility into malware and suspicious files, in a way that is quick to understand. Cisco Email Security now provides more informative AMP reporting, with clearer insight into the threats, the intended recipients of messages, and the files’ disposition.
Language detection
AsyncOS 10.0 detects the language of the email message and enables administrators to set policies and actions based on the detected language. They can then determine which configured content filter action to apply for each language; for example, add a specific disclaimer or bounce message.
Single sign-on to access centralized end-user spam quarantines
Keeping track of multiple user names and passwords takes time and effort. AsyncOS 10.0 eliminates the hassle, allowing Cloud Email Security customers to authenticate end users to their spam quarantine using their corporate credentials via Security Assertion Markup Language (SAML)-based authentication.
Find out more at www.cisco.com/go/emailsecurity.
Hi Claudia,
This is a very nicely written blog.
Great work!
Kevin
These are great new features. But the one feature I’m still waiting for is the possibility to run the SPAM-check while the SMTP-dialog is still open. With that SPAM mails could directly be rejected instead of accepting them.
By default Cisco Email Security does not accept spam emails. They are sent to the ISQ. The recipient can log into their quarantine and accept messages falsely classified as spam, at which point they will be released and delivered to their inbox. This has nothing to do with an SMTP-dialog.
That’s not what I’m talking about. The way it’s done traditionally (and also on the ESA) could be improved. Some other products (commercial or even postfix can be configured that way) don’t accept the message until the SPAM-check is done. If the message is recognized as SPAM, it’s rejected (with a 500 code) which is possible because the SMTP-dialog is not finished yet.
The actual implementation has some drawbacks. Although the false-positive rate is really low, at least here in Germany, missing the one false positive could have severe legal implications. One actual example was that a lawyer didn’t act on an important mail that he didn’t see in the quarantine and was convicted for compensation.
If the spam check had been done while the SMTP dialog is still open, the SMTP receiver could reject the mail and the SMTP sender would directly recognize that the mail did not reach the recipient.
Karsten
By design of ESA, the SMTP-dialog closes before the content in the message is analyzed. This also applies to attachments. Making an exception to this is a major change. Doing so would benefit the lawyer’s use case that you mentioned (a false positive). But for the vast majority of SPAM messages, we choose to drop the message without reply to the sender. We don’t want to provide information back to the malicious sender. For the cases like that of the lawyer’s, we recommend ISQ notifications and use of Safe-list / Block-list.
Thank you,
Kevin
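The two designs debated in the comments above (reject inside the SMTP dialog versus accept-then-quarantine or accept-then-drop) can be modelled in a few lines. This is an added example, not Cisco's or the ESA's code; the spam scorer is a constructed keyword heuristic standing in for a real engine, and the sample messages are constructed.

```python
"""Model of the receiving MTA's decision at the end of DATA under three
policies: 'reject' (check before answering, answer 5xx so the sending MTA
learns the message was not delivered), 'quarantine' (answer 250, then park
it in a spam quarantine) and 'drop' (answer 250, then discard silently, so
a malicious sender learns nothing). Added example; not Cisco code."""
from dataclasses import dataclass
from email import message_from_string

SPAM_WORDS = ("wire transfer", "urgent", "password reset")  # constructed list


def spam_score(raw_message: str) -> int:
    """Constructed heuristic: count marker phrases in subject and body."""
    msg = message_from_string(raw_message)
    text = (msg.get("Subject", "") + " " + msg.get_payload()).lower()
    return sum(text.count(word) for word in SPAM_WORDS)


@dataclass
class Outcome:
    smtp_reply: str       # the reply the sending MTA sees after the final "."
    disposition: str      # where the receiver put the message
    sender_informed: bool  # does the sender learn that delivery failed?


def handle_end_of_data(raw_message: str, policy: str, threshold: int = 2) -> Outcome:
    """Decide the reply to the end-of-DATA marker under the given policy."""
    is_spam = spam_score(raw_message) >= threshold
    if not is_spam:
        return Outcome("250 2.0.0 Ok: queued", "inbox", True)
    if policy == "reject":
        # Dialog still open: a permanent failure reaches the sending MTA
        # at once, so a false positive is visible to a legitimate sender.
        return Outcome("550 5.7.1 Message rejected as spam", "not accepted", True)
    if policy == "quarantine":
        # Responsibility has passed to the receiver; the sender sees success
        # and a false positive surfaces only if someone checks the quarantine.
        return Outcome("250 2.0.0 Ok: queued", "spam quarantine", False)
    if policy == "drop":
        # Same 250 as a delivered message: the sender cannot tell the difference.
        return Outcome("250 2.0.0 Ok: queued", "dropped", False)
    raise ValueError(f"unknown policy {policy!r}")


def transcript(raw_message: str, policy: str) -> list:
    """Both sides of the tail of the session, as (side, line) pairs."""
    out = handle_end_of_data(raw_message, policy)
    return [("C", "DATA"), ("S", "354 End data with <CR><LF>.<CR><LF>"),
            ("C", "<message>"), ("C", "."), ("S", out.smtp_reply)]


SAMPLE_SPAM = "Subject: URGENT wire transfer\r\n\r\nPlease do the wire transfer today.\r\n"
SAMPLE_CLEAN = "Subject: Lunch\r\n\r\nSee you at noon.\r\n"
```

Only the `reject` policy leaves `sender_informed` true for a spam verdict, which is exactly the false-positive visibility Karsten asks for; the `drop` policy returns the same 250 as a delivered message, which is the information-hiding property Kevin describes.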
Hi Karsten, thanks for visiting our blog and for the interest in email security. I’d like to encourage you to use the Cisco Security Community (https://communities.cisco.com/community/technology/security) to continue the conversation and pose any future questions. We have a category dedicated to web and email security discussions, and experts from inside and outside of Cisco that participate. Cheers.
Karsten,
I approached Cisco with this feature request several times, but always received the same answer as here in the blog: Moving the message filter checks before the end of the SMTP dialog would require a large rewrite of the code and is a lot of work. There are open tickets about this, but no progress has been made yet.
This is a shame, because the ESA is a fine product otherwise, but to my knowledge the only widespread MTA which doesn’t support rejecting emails based on message filter checks. Most on-premise competitors, be it commercial or free, offer this feature.