Email continues to be both the number one way business people across the globe communicate, as well as the number one threat vector that can endanger the very thing it is trying to enable, getting business done.  However, our global economy means now, more than ever, senders and receivers of email can be anywhere in the world. Email policies, controls and requirements need to be easily configurable and controllable to meet the demands of today’s global business requirements.

These requirements include the ability to control email from senders based on geographical location, while not restricting the requirements so tightly that an unknown senders critical email from a previously unknown region isn’t automatically blocked. The ability to make intelligent decisions about email from certain geographies to allow valid emails even if most email from a geography is considered suspect. Controls, content filters and detailed reporting and message tracking are critical to ensure best practices for a secure global email security strategy.

The Talos Email and Web Traffic Reputation Center

Email Controls Based On Your Sender’s Geographical Location

First, companies need to control email from senders based on their geographical location.  If an organization doesn’t have a business requirement to communicate with senders from a region, that administrator needs full control of how email from that region is received. It is time consuming and difficult to manually set up processes for each country’s requirements and also doesn’t easily allow that business to adapt to a business that may change.

New combined configuration options available in Cisco Email Security allow administrators full control as well as the ability to set more flexible policies for their entire organization. Profiles can be created and senders assigned that control aspects such as message size, recipients per hour, messages per hour or when to enforce SPF, DKIM and DMARC. This enables flexibility for companies to engage in new markets while still complying with email security requirements.

Balance Enabling Known and Unknown Senders Based on Geographic Location

Second, there needs to be a balance between enabling communication with unknown senders from a company with good intentions, while restricting potential malicious email from that same geography. Since senders change with frequency, it is very difficult for an administration to create and set static relationships for authorized senders. White lists and black lists are not sufficient due to this fast turnover of senders, and instead, granular control, is what is needed, outlining that certain internal groups are allowed to communicate while others should not.

Many organizations need to take this control to a more granular level. The polices that are created at a global basis for an organization can be further tuned at the “mail from” and/or “recipient to” pairings. Based on business policies, administrators can now interrogate all aspects of an email in conjunction with Geographical IP information to enforce granular requirements.  In general, content filters define:

    • conditions that determine when the appliance uses a content filter to scan a message
    • actions that the appliance takes on a message
    • action variables that the appliance can add to a message when modifying it

Now with the integration of Geo IP into “Content Filters” administrators can look deeper into the body and attachments of an email to decide how to process the email in question based on their geographical location. Actions such as Subject line modification, BCC’ing another recipient, attachment analysis and quarantining can be now enforced, based on business policies around geographical characteristics.

Sender Visibility – Correlating Profile and Email Together From Geographic Locations

Lastly, administrators working in a global business need to be able to gain better visibility into senders from geographies by correlating inbound email with sender profiles from geographically diverse sources. Geographic Distribution reports are necessary to give deep information of all TCP connections as well as email messages that have been processed by the gateway. Administrators can immediately see what geographies are send the most valid “clean” email while which have a much more malicious intent. Taking this one step deeper into message tracking, administrators or the help desk staff can now leverage the geographical source of email in the tracking queries.

Businesses are global and policies must be configured to align with email flow and threat exposure potential without hampering business productivity. Administrators must be able to combine very complex business requirements in a very simple intuitive interface and email controls must be granular enough to get down to the smallest increment of sender/recipient pairings while powerful enough to control all inbound email.

To learn more about Cisco Email Security go to www.cisco.com/go/emailsecurity

To gain a global understanding of email threats around the world go to www.talosintelligence.com


Scott Bower

Technical Marketing Engineering and Business Development Manager

Security Business Group