Under the hood: Why you need AMP on ESA
With 95 percent of breaches starting with a malicious email campaign, it’s more important than ever for organizations to be prepared and to be certain that their email security solution will truly protect their data, assets and users.
In a recent blog post we discussed the need for advanced threat protection at the email gateway and the smartest and safest way to approach email security. In this blog post we’ll take a look under the hood and examine Cisco’s solution for protecting from today’s stealthy email attacks: Cisco AMP for Email.
Let’s start with an example: The HR department at Acme, Co. gets an email from a potential employee with a resume attached. No problem, right? HR receives messages like this regularly, so they open the attachment. However, the attachment contains an executable file that downloads malware in the background. The malware begins to harvest information: passwords, credentials and company access authorizations are all compromised, unknowingly giving attackers the ability to steal sensitive company and customer data. Scenarios like this happen every day, so how are you supposed to determine which attachments are real and which ones are malicious? What do you do if a malicious email evades your front line defenses?
So how could Cisco AMP for Email help the HR team at Acme? Cisco Email Security offers multiple layers of protection to block email-based threats. This includes blocking emails from senders with bad reputations, anti-spam engines, anti-virus scanning, AMP and others. Everything that isn’t caught by anti-spam is processed through multiple anti-virus engines that protect against known and emerging threats. For more advanced threats, Cisco Advanced Malware Protection performs additional automated analysis using Cisco threat intelligence.
You may ask yourself, why invest in AMP on Email if the solution already provides anti-virus scanning with engines from multiple security vendors? The answer is simple: most AV tools perform signature-based detection, which means that a piece of malware crafted specifically to invade your organization, and consequently not yet known to the AV vendor, can easily slip past them. While AV engines will still catch a subset of known threats, we need to ensure protection against more sophisticated or even targeted attacks. AMP for Email adds an additional layer of valuable defense by combining point-in-time detection with continuous analysis. One example of efficacy improvement was observed by Cisco’s own IT department – after enabling AMP functionality on ESA, the overall malware catch rate improved by approximately 50%. That’s because around 31% of the malware attacks encountered were zero-day threats blocked by AMP.
AMP for ESA doesn’t just improve your initial blocking and detection. AMP takes your ESA to the next level by continuously tracking disposition changes for files that crossed your email gateway after initially being classified as clean. If malicious behavior is spotted down the line, AMP sends a retrospective alert allowing you to investigate, contain and remediate the malware.
So how does AMP for Email do it? Let’s now look under the hood.
- Global threat intelligence from Cisco Talos – security starts with strengthening your defenses using the best global threat intelligence so you can block malware as new threats emerge. Cisco’s team of threat researchers continuously feed threat intelligence into AMP services.
- File Reputation Lookup – ESA calculates the SHA-256 hash of the attachment and queries the file reputation service. The service responds with a verdict: clean, malicious or unknown. Based on the verdict, an action is taken accordingly – deliver, block or quarantine the message. For executable files, ESA also uses machine-learning based technology that identifies unknown threats: active heuristics gather execution attributes and produce a Spero fingerprint, which is sent to the service to determine the probability of the file being malware.
- File Analysis – for files with an unknown verdict, or files that have never been seen before, ESA performs an additional layer of inspection by sending the attachment to Threat Grid, Cisco’s advanced sandboxing solution. While analysis is performed, the message is typically quarantined and not delivered to the end user. Threat Grid performs automatic static and dynamic analysis, producing human-readable behaviour indicators for each submitted file as well as a threat score. Before an unknown file is submitted, the pre-classification engine scans it to select only files with suspicious content (embedded macros, executables, Flash, etc.), reducing the need to quarantine emails containing benign attachments.
- File Analysis Quarantine – a differentiating capability of AMP on ESA, when compared to other AMP integrations, is the ability to hold a message while Threat Grid analyses the attachment, before it is known whether the attachment is malicious. The average analysis time is 7 to 15 minutes, and based on the analysis results ESA can either release the message to the recipient, release the message without the malicious attachment, or remove the message completely.
- Mailbox Auto Remediation – if a file is not detected as malicious the first time through the gateway but is later determined to be malicious, a retrospective event is generated. Microsoft Office 365 allows the ESA to reach into the mailbox and quarantine the message with the malicious attachment. At the time of this writing, without O365, the ESA instead alerts the administrator about the file that was delivered to the user.
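The five steps above, modelled end to end as an added Python example (this is not Cisco's code or a real ESA API): the reputation lookup, the pre-classification engine and the Threat Grid sandbox are constructed stand-ins, the sample attachments and scores are constructed, and the 90-point conviction threshold is an assumption, so the example runs offline.

```python
import hashlib
# Constructed lookup tables standing in for the Cisco cloud services (not real data).
REPUTATION = {}      # sha256 hex -> "clean" | "malicious" (absent -> "unknown")
SANDBOX_SCORE = {}   # sha256 hex -> Threat Grid style threat score, 0-100

def sha256_of(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

def reputation_lookup(digest: str) -> str:
    """File Reputation Lookup stub: clean, malicious or unknown."""
    return REPUTATION.get(digest, "unknown")

def is_suspicious(name: str, data: bytes) -> bool:
    """Pre-classification stand-in: only executables and macro-bearing Office
    files are worth sandboxing; other unknown files are delivered directly."""
    lname = name.lower()
    is_exe = data.startswith(b"MZ") or lname.endswith(".exe")
    has_macro = lname.endswith((".docm", ".xlsm")) or b"vbaProject.bin" in data
    return is_exe or has_macro

def sandbox_verdict(digest: str, threshold: int = 90) -> str:
    """Threat Grid stand-in: convict when the threat score meets the (assumed) threshold."""
    return "malicious" if SANDBOX_SCORE.get(digest, 0) >= threshold else "clean"

def decide(name: str, data: bytes) -> str:
    """Point-in-time decision: block | deliver | quarantine-then-release | quarantine-then-drop."""
    digest = sha256_of(data)
    verdict = reputation_lookup(digest)
    if verdict == "malicious":
        return "block"
    if verdict == "clean" or not is_suspicious(name, data):
        return "deliver"
    # Unknown and suspicious: held in the File Analysis Quarantine until the sandbox reports.
    if sandbox_verdict(digest) == "malicious":
        return "quarantine-then-drop"
    return "quarantine-then-release"

def retrospective_events(delivered):
    """Continuous analysis: re-check delivered (msg_id, digest) pairs; return IDs needing remediation."""
    return [msg_id for msg_id, digest in delivered
            if reputation_lookup(digest) == "malicious"]

# Constructed sample attachments.
RESUME_PDF = b"%PDF-1.4 resume of J. Doe"
RESUME_EXE = b"MZ\x90\x00 fake dropper bytes"
KNOWN_BAD = b"known bad sample"
REPUTATION[sha256_of(RESUME_PDF)] = "clean"
REPUTATION[sha256_of(KNOWN_BAD)] = "malicious"
SANDBOX_SCORE[sha256_of(RESUME_EXE)] = 95
```

A hash that flips to malicious after delivery is what turns into a retrospective event, which with Office 365 drives Mailbox Auto Remediation and otherwise an administrator alert.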
Still asking yourself whether it’s really worth investing in AMP on ESA? Consider the results of a recent trial – in two weeks of AMP evaluation in an organization with 25,000 email users, roughly 195,000 files were extracted from emails for analysis. Of those, more than 1200 were convicted and dropped by AMP, meaning those files were not known to the AV engines running on ESA. At least 18 files were dropped because ESA convicted them based on Threat Grid sandboxing results, preventing malware from ever reaching the end user’s inbox. Cisco AMP for Email is a critical first step that helps protect your organization from the number one attack vector.
For more information:
- Cisco Live: Threat Grid integrations with Web, Email and Endpoint Security
- AMP for Email Security
- Cisco Threat Grid