How to make spam your best friend on your appliance

Size: px

Start display at page:

Download "How to make spam your best friend on your appliance"

Percival Whitehead
5 years ago
Views:

2 How to make spam your best friend on your appliance Nicole Wajer Consulting Systems Engineer BRKSEC-2325

3 Abstract Spam has plagued the Internet pretty much since its inception. For a while it appeared like the spam problem was more or less under control. However, in the meanwhile spammers have developed new techniques and the problem is as bad as ever which we call today Ransomware. This intermediate session will provide an overview of Best Practises to mitigate the problem. It will provide an overview of the techniques that can be used to fight spam and how to configure them on your appliance. BRKSEC Cisco and/or its affiliates. All rights reserved. Cisco Public 3

A note about Best Practices Throughout the material we will present options for tuning your environment These are meant to be general guidelines, and as each environment is unique, it is recommended

6 A note about Best Practices Throughout the material we will present options for tuning your environment These are meant to be general guidelines, and as each environment is unique, it is recommended that settings be set in monitor mode first After a determined time, perform analysis and tuning of rules and settings to achieve the desired result BRKSEC Cisco and/or its affiliates. All rights reserved. Cisco Public 6

8 For Your Reference There are (many...) slides in your print-outs that will not be presented. They are there For your Reference For Your Reference BRKSEC Cisco and/or its affiliates. All rights reserved. Cisco Public 8

10 Agenda HAT / IPAS / Graymail Advanced Malware Protection URL Filtering Attachment Control and Defense Tips & Tricks

12 The Pipeline

Per-Policy Scanning The Email Pipeline SMTP SERVER WORKQUEUE SMTP CLIENT Host Access Table (HAT) Received Header Default Domain Domain Map Recipient Access Table (RAT) Alias Table LDAP

Routing LDAP RCPT Accept SMTP Call-Ahead DKIM / SPF Verification DMARC Verification S/MIME Verification Advanced Malware (AMP) Graymail, Safe Unsubscribe Content Filtering Outbreak

13 Per-Policy Scanning The Pipeline SMTP SERVER WORKQUEUE SMTP CLIENT Host Access Table (HAT) Received Header Default Domain Domain Map Recipient Access Table (RAT) Alias Table LDAP RCPT Accept (WQ) Masquerading (Table / LDAP) LDAP Routing Message Filters Anti-Spam Anti-Virus Encryption Virtual Gateways Delivery Limits Received: Header Domain-Based Limits Domain-Based Routing LDAP RCPT Accept SMTP Call-Ahead DKIM / SPF Verification DMARC Verification S/MIME Verification Advanced Malware (AMP) Graymail, Safe Unsubscribe Content Filtering Outbreak Filtering DLP Filtering (Outbound) Global Unsubscribe S/MIME Encryption DKIM Signing Bounce Profiles Message Delivery BRKSEC Cisco and/or its affiliates. All rights reserved. Cisco Public 13

14 HAT, Blacklist/WhiteList

15 Host Access Table (HAT) Structure HATs are associated per listener, defined as being Public or Private. Once a listener is defined they cannot be changed. Private listeners have no Recipient Access Table - best used for outbound facing mail traffic. No restrictions for domains The structure of the HAT is defined by the listener type, once created a default configuration is loaded. Mail Flow Policies (MFP) are also created based on the listener type, thus a MFP such as Relayed would not be created until a Private Listener is defined, or created manually SMTP SERVER Host Access Table (HAT) Received Header Default Domain Domain Map Recipient Access Table (RAT) Alias Table LDAP RCPT Accept SMTP Call-Ahead DKIM / SPF Verification DMARC Verification S/MIME Verification BRKSEC Cisco and/or its affiliates. All rights reserved. Cisco Public 15

Host Access Table Structure IPs and Hosts are evaluated in the HAT Top Down, First Match SenderGroups are containers that define the policy based on match

16 Host Access Table Structure IPs and Hosts are evaluated in the HAT Top Down, First Match SenderGroups are containers that define the policy based on match Inclusion into a SenderGroup is defined by Reputation Score, DNS, or explicit match BRKSEC Cisco and/or its affiliates. All rights reserved. Cisco Public 16

SenderGroup Options SenderBase score can be attached to the SenderGroups, ensure that the neutral and no score ranges are addressed Within the settings you define the Name, Mail Flow Policy

17 SenderGroup Options SenderBase score can be attached to the SenderGroups, ensure that the neutral and no score ranges are addressed Within the settings you define the Name, Mail Flow Policy Nomenclature is important as it will be displayed in logs and reports SBRS scores can be assigned to the group Thu Jun 9 13:40: Info: New SMTP ICID 8 interface Management ( ) address Thu Jun 9 13:40: Info: ICID 8 ACCEPT SG SUSPECTLIST match sbrs[-3.0:-1.0] SBRS -2.1 Thu Jun 9 13:40: Info: Start MID 410 ICID 8 Note that SBRS uses multiple sources including honeypots and DNSBLs BRKSEC Cisco and/or its affiliates. All rights reserved. Cisco Public 17

18 SenderGroup Options Connecting host PTR record does not exist in DNS. Connecting host PTR record lookup fails due to temporary DNS failure. Connecting host reverse DNS lookup (PTR) does not match the forward DNS lookup (A). BRKSEC Cisco and/or its affiliates. All rights reserved. Cisco Public 18

19 Understanding Reputation Spam Traps Complaint Reports IP Blacklists and Whitelists Geo-Location data Breadth and quality of data makes the difference Message Composition Data Global Volume Data Compromised Host Lists Domain Blacklist and Safelists Website Composition Data Other Data Host Data DNS Data Real-time insight into this data that allows us to see threats before anyone else in the industry to protect our customers IP Reputation Score BRKSEC Cisco and/or its affiliates. All rights reserved. Cisco Public 19

20 HAT Host Access Table Systems are added to the various Sender Groups manually by adding the sender s IP address, host name, or partial host name, or they fall into a particular sender group due to their reputation score. BRKSEC Cisco and/or its affiliates. All rights reserved. Cisco Public 20

How to Configure Block/White List just 1 Sender?

Block/Whitelist FULL Domain/IP = HAT BRKSEC-2325 2017 Cisco

26 DNS / Relay Considerations

Reputation: DNS and caching DNS is the most critical external service for the ESA By default there are 4 DNS lookups per request: Reverse DNS, 2 SBRS lookups and a Number of requests per connection

27 Reputation: DNS and caching DNS is the most critical external service for the ESA By default there are 4 DNS lookups per request: Reverse DNS, 2 SBRS lookups and a Number of requests per connection default With SPF, DKIM and DMARC 3 or more DNS TXT record lookups At least 7 possible DNS lookups per connection (excluding any caching) Now factor in outbound destination DNS resolution, LDAP, internal hosts, etc. More resolvers in high connection environments So what if I use the Cisco Umbrella DNS Resolvers? BRKSEC Cisco and/or its affiliates. All rights reserved. Cisco Public 27

28 ESA Relay host Not First Hop If you allow another MTA to sit at your network s perimeter and handle all external connections, then the Security appliance will not be able to determine the sender s IP address The solution is to configure your appliance to work with incoming relays. You specify the names and IP addresses of all of the internal MX/MTAs connecting to the Cisco appliance, as well as the header used to store the originating IP address BRKSEC Cisco and/or its affiliates. All rights reserved. Cisco Public 28

Relay Host Configure Network Incoming Relays BRKSEC-2325 2017

30 Receive header for Relay List Received: from <hop5> Received: from <hop4> Received: from <hop3> Received: from <hop2> Received: from <hop1> <snip> Received: from mail.spaansekubus.net ([ ]) by alln-inbound-m.cisco.com with ESMTP/TLS/AES256-GCM-SHA384; 19 Feb :36: BRKSEC Cisco and/or its affiliates. All rights reserved. Cisco Public 30

31 Anti-Spam (IPAS)

Spam Options Positively-Identified spam is email that is known spam.

Emails identified as positively identified spam and suspected spam can be delivered, dropped, sent to spam

34 Spam Options Positively-Identified spam is that is known spam. Suspected Spam is that has characteristics of spam, but has not been confirmed as spam yet. s identified as positively identified spam and suspected spam can be delivered, dropped, sent to spam quarantine, or bounced with an additional option to send to an alternate host. BRKSEC Cisco and/or its affiliates. All rights reserved. Cisco Public 34

Cisco IronPort Anti-Spam (IPAS) Conservative: Unchanged

Suspect Spam = 45 Always Scan 1MB or Less Never Scan 2MB or

Always Scan 2MB or Less Never Scan 2MB or More BRKSEC-2325

36 Cisco IronPort Anti-Spam (IPAS) Conservative: Unchanged always scan set at least to 1M Moderate: Positive Spam = 85 Suspect Spam = 45 Always Scan 1MB or Less Never Scan 2MB or More Aggressive: Positive Spam = 80 Suspect Spam = 39 Always Scan 2MB or Less Never Scan 2MB or More BRKSEC Cisco and/or its affiliates. All rights reserved. Cisco Public 36

37 Graymail (Detection)

Graymail BRKSEC-2325 2017 Cisco and/or its

41 Graymail Marketing Message Detection is off by default. Recommendation for each incoming mail policy, Mark the message subject line with the text [MARKETING], and deliver it to the end user is company policy permits. Marketing messages make up a large percentage of the complaints regarding missed spam. Tagging them allows administrators to do what they feel is best for their organisation: drop, quarantine, or deliver marketing messages. Alternatively, the administrator could create a rule to place such messages in the user s Outlook Junk Mail folder or simply allow the end users to create their own rules for handling those messages. BRKSEC Cisco and/or its affiliates. All rights reserved. Cisco Public 41

42 Spam vs Graymail - 1 Spam is an that the recipient didn t opt to choose (unsolicited) and generally has embedded links, pictures and other documents that may be disguised to look legit, but are actually malicious in nature. Spam s are intended to fool the recipient and cause harm to the end users environment. For more information on Spam, please refer to the CAN-SPAM Act of BRKSEC Cisco and/or its affiliates. All rights reserved. Cisco Public 42

43 Spam vs Graymail - 2 In short: Graymail is an that the recipient opted to receive, but don t really want them in their inbox. A good example is when you go shopping and provide your address to receive coupons/discounts and other notifications from that vendor. These s are known as graymail, you opted to receive them, but after a while you grow tired of how much of the annoying s the vendor sends and thus ends up being reported as spam, which it isn t at all. BRKSEC Cisco and/or its affiliates. All rights reserved. Cisco Public 43

44 Graymail Tunning Checklist Enable Graymail Detection Tick Box Marketing in Graymail Settings Set to Delivery If business allows prepend [MARKETING] to subject BRKSEC Cisco and/or its affiliates. All rights reserved. Cisco Public 44

45 Advanced Malware Protection

AMP on ESA with Threat Grid Public Cloud Detailed Flow Chart Reputation Filtering Anti SPAM Anti Virus AMP Content Filters Mail attachments send to AMP Queue Mail for Delivery Calculate SHA256 SPERO

47 AMP on ESA with Threat Grid Public Cloud Detailed Flow Chart Reputation Filtering Anti SPAM Anti Virus AMP Content Filters Mail attachments send to AMP Queue Mail for Delivery Calculate SHA256 SPERO Disposition = good Disposition = malware analysis completed Send File Reputation Check Check Disposition Drop or Deliver Mail Disposition Upload Action = unknown Check Upload Action = 1 Upload Action 1 Quarantine & Track Upload to Threat Grid Poke File in AMP Cloud Threat Score >= 95 quaratine timer expired yes, analysis running yes, analysis no Query TG completed File known? Pre Class. Yes No Outbreak Filters Poke File in AMP Cloud = Threat Grid cloud marks the SHA256 of the file with disposition = malicious almost instantaneous 2017 Cisco and/or its affiliates. All rights reserved. Cisco Public

48 AMP on ESA Pre-Classification Before an unknown file is submitted there is a pre-classification engine to select only files with active or suspicious content Pre-classification signatures Byte code rules that detect suspicious indicators such as Embedded Macros, EXE s, Flash. PDF within PDF, Corrupt Headers, Invalid XREF etc. Signatures provided and hosted by Talos Product checks for new updates once every 30 minutes This is relevant for any deployment of AMP on ESA and WSA 2017 Cisco and/or its affiliates. All rights reserved. Cisco Public

on the ESA Provides the ability for File

phishing detection BRKSEC-2325 2017 Cisco

49 Advanced Malware Protection (AMP) Advanced Malware Protection is integrated on the ESA Provides the ability for File Reputation, File Sandboxing, and File Retrospection Combined with native URL filtering ESA provides full malware and phishing detection BRKSEC Cisco and/or its affiliates. All rights reserved. Cisco Public 51

50 AMP on ESA with Threat Grid Public Cloud Considerations If the file was submitted to Threat Grid cloud and got a Threat Score >= 95 then the Threat Grid cloud will update the file disposition in the AMP cloud for this SHA256 instantaneously ESA does not act on a Threat Score from Threat Grid Cloud directly ESA only waits for the analysis to finish and then sends the file through AV and AMP again Malware will be convicted by AMP due to the adjusted disposition!! Thus ESA heavily relies on Threat Grid poking file dispositions into AMP cloud 2017 Cisco and/or its affiliates. All rights reserved. Cisco Public

52 Web Reputation Filters and URL Filtering

URL Filtering Security Services -> URL Filtering By default, the URL Filtering goes across all URL, but you have the possibility to whitelist certain URL.

53 URL Filtering Security Services -> URL Filtering By default, the URL Filtering goes across all URL, but you have the possibility to whitelist certain URL. This can be useful for internal domains and URL, that will of course not have a reputation score or a URL Category BRKSEC Cisco and/or its affiliates. All rights reserved. Cisco Public 55

54 URL Rewriting Outbreak Filter has the option to rewrite a URL. URL is no longer pointing directly to the destination but will now be redirected over the Cisco Cloud Web Security Proxy BRKSEC Cisco and/or its affiliates. All rights reserved. Cisco Public 56

If the user clicks on the URL he will be redirected to the Cloud Web Security Proxy:

56 URL Rewriting - continued It is recommended to rewrite only URLs that are not signed. If a URL is digitally signed, the rewriting would make the signature no longer valid. If the user clicks on the URL he will be redirected to the Cloud Web Security Proxy: BRKSEC Cisco and/or its affiliates. All rights reserved. Cisco Public 58

57 URL with Content Filter - Condition URL filtering in two places (CASE & Outbreak Filter) but can also pro-actively be scanned by Content Filter BRKSEC Cisco and/or its affiliates. All rights reserved. Cisco Public 59

URL with Content Filter - Action BRKSEC-2325 2017 Cisco

Mallicious URL - Outbreak Filters in action Outbreak Filter can still stop Malicious URL s no

60 Turn on URL scores in Message Tracking Default no URL score in Message Tracking On CLI this must be turned ON <hostname-esa> outbreakconfig BRKSEC Cisco and/or its affiliates. All rights reserved. Cisco Public 62

<hostname-esa> outbreakconfig BRKSEC-2325 2017 Cisco

61 Turn on URL scores in Message Tracking Default no URL score in Message Tracking On CLI this must be turned ON <hostname-esa> outbreakconfig BRKSEC Cisco and/or its affiliates. All rights reserved. Cisco Public 63

62 URL Filtering Checklist Enable URL Filtering on the ESA Enable Web Interaction Tracking (if permitted by policy) Enable certain admin users URL visibility in Message Tracking if permitted by policy) Enable Threat Outbreak Filtering and message modification warn your users! Whitelist your partner URLS, use the scores to create filter for others Combine the reputation rules and leverage language detection as part of the logic Use the policies to define the level of aggression for rule sets BRKSEC Cisco and/or its affiliates. All rights reserved. Cisco Public 64

63 Spoofing (FED)

Display Name and the prefix of the email address in the From

names that are exact or some form of typo squatting i.

64 Forged Detection (New for 10.0) Forged Detection will look for permutations in the Display Name and the prefix of the address in the From Header Use this rule to look for matches against a dictionary of names that are exact or some form of typo squatting i.e: Han S0lo, Han Slo, Han So1o BRKSEC Cisco and/or its affiliates. All rights reserved. Cisco Public 66

Forged Email Filters In this example, we took the from header and stripped it from the message if the match was 70 or above Combined with a warning disclaimer this would

is legitimate, it won t disrupt mail flow If all else fails, warn the user of a potential issue by using a disclaimer text on top of the message Info: MID 2089 Forged

65 Forged Filters In this example, we took the from header and stripped it from the message if the match was 70 or above Combined with a warning disclaimer this would expose the bad sender while warning the end user Idea here is that for names that are low threshold matches, you can use the strip header to expose envelope sender if it is legitimate, it won t disrupt mail flow If all else fails, warn the user of a potential issue by using a disclaimer text on top of the message Info: MID 2089 Forged Detection on the From: header with score of 100, against the dictionary entry Han Solo BRKSEC Cisco and/or its affiliates. All rights reserved. Cisco Public 67

66 Spoofing Checklist Know who your allowed external spoofs are by tracking them via filters and policies Build the list as the exception, trap all others With 10.0 use the Forged Detection Feature to look for matches on the display name, if too close to call, drop the From header Send a copy of suspected spoofs to a quarantine for review and then tune your rules to start blocking messages Make a plan to enable SPF, DKIM and DMARC BRKSEC Cisco and/or its affiliates. All rights reserved. Cisco Public 68

68 Attachment Control and Defense

Overview Macro Enabled Attachment Handling While macros enable extended functionality in documents, spreadsheets, and more, they are of concern to customers since they can be an infection vector.

69 Overview Macro Enabled Attachment Handling While macros enable extended functionality in documents, spreadsheets, and more, they are of concern to customers since they can be an infection vector. This feature gives customers the ability to identify macros in PDF, Office, and OLE file types and several options for handling them including: Strip Attachment with Macro Quarantine message Drop message Change Recipent Send Copy (BCC) And more BRKSEC Cisco and/or its affiliates. All rights reserved. Cisco Public 71

Macro Detection New Content Filter Detection The Content Filter Condition sets the file types to be scanned for macros and can include: Adobe PDF Microsoft Office files

70 Macro Detection New Content Filter Detection The Content Filter Condition sets the file types to be scanned for macros and can include: Adobe PDF Microsoft Office files OLE file types This Condition is available for both inbound and outbound Content Filters BRKSEC Cisco and/or its affiliates. All rights reserved. Cisco Public 72

Strip Attachment with action Many of the other Content Filter Actions can be taken on messages containing macros, including: Drop Message Quarantine Change

71 Strip Attachment with action Many of the other Content Filter Actions can be taken on messages containing macros, including: Drop Message Quarantine Change Recipient Send Copy (BCC) Add Disclaimer Text Prepend subject with warning message BRKSEC Cisco and/or its affiliates. All rights reserved. Cisco Public 73

Macro Detection Using Message Filters This feature is also available in Message Filters using the new Message Filter rule: macro-detection-rule() And the new Message Filter action:

72 Macro Detection Using Message Filters This feature is also available in Message Filters using the new Message Filter rule: macro-detection-rule() And the new Message Filter action: drop-macro-enabled-attachments() Similar to the Content Filter version, other actions can be taken on the messages to drop the message, redirect it, and more. BRKSEC Cisco and/or its affiliates. All rights reserved. Cisco Public 74

73 Tips and Tricks

74 The use of Telemetry

give more details to Talos - "fullsenderbaseconfig" BRKSEC-2325

76 Why is Telemetry important Give Talos insight on targeted attacks By Enabling in GUI you give Limited Service Hidden CLI command to give more details to Talos - "fullsenderbaseconfig" BRKSEC Cisco and/or its affiliates. All rights reserved. Cisco Public 78

77 Telemetry What it send to Talos? When enabled, the Context Adaptive Scanning Engine (CASE) is used to collect and report the data (regardless of whether or not Cisco anti-spam scanning is enabled) The data is summarized information on message attributes and information on how different types of messages were handled by Cisco appliances. We do not collect the full body of the message Network-Participation-W.html#anc5 BRKSEC Cisco and/or its affiliates. All rights reserved. Cisco Public 79

79 Downloading Log files using your browser

80 Use your browser to get the log files Log into the ESA/CES instance Check System Administration -> Log Subscriptions the name of the log file casesensitive Change the <ESA_or_CES_URL> to your instance in the URL below Paste the URL into the browser mp Change the log_type if you want mail logs replace amp with mail_logs BRKSEC Cisco and/or its affiliates. All rights reserved. Cisco Public 82

82 The New Protocol

84 IPv6 HAT RAT Routes Filters Destination Controls Trace NIC Pairing Outbreak Filters TLS SMTP Routes SMTP Callahead Admin ACL Tracking Reporting Http(s)/Ssh BRKSEC Cisco and/or its affiliates. All rights reserved. Cisco Public 86

86 In Summary The days of set it and forget it are long gone continuous monitoring and tuning are required to keep up with todays threats Understand what your organizations security posture is and apply it to your appliances Keep your appliances updated we are constantly introducing new features that require upgrades / updates Check out our Chalktalks on Youtube and Guides on Cisco.com to help with tuning and setup new features on Cisco Security Enable Senderbase Participation especially useful for targeted attacks BRKSEC Cisco and/or its affiliates. All rights reserved. Cisco Public 94

87 Summary of Recommendations Security Services IronPort Anti-Spam Always scan 1MB and Never scan 2MB URL Filtering Enable URL Categorization and Reputation Enable Web Interaction Tracking Graymail Detection Enable and Maximum Messages size 1 MB Outbreak Filters Enable Adaptive Rules, Max Scan size1 MB Enable Web Interaction Tracking Advanced Malware Protection Enable additional file types after enabling feature Message Tracking Enable Rejected Connection Logging (if required) System Administration Users Set password policies If possible leverage LDAP for authentication Log Subscriptions Enable Configuration History Logs Enable URL Filtering Logs Log Additional Header From CLI Level Changes Web Security SDS URL Filtering websecurityadvancedconfig > disable_dns=1, max_urls_to_scan=20, num_handles=5, default_ttl=600 URL Logging outbreakconfig> Do you wish to enable logging of URL's? [N]> y Clean URL Rewrites websecurityadvancedconfig > Do you want to rewrite all URLs with secure proxy URLs? [Y]> n Anti-Spoof Filter _ _detection_with_cisco_ _security.pdf Header Stamping Filter addheaders: if (sendergroup!= "RELAYLIST") { insert-header("x-ironport-remoteip", "$RemoteIP"); insert-header("x-ironport-mid", "$MID"); insert-header("x-ironport-reputation", "$Reputation"); insert-header("x-ironport-listener", "$RecvListener"); insert-header("x-ironport-sendergroup", "$Group"); insert-header("x-ironport-mailflowpolicy", "$Policy"); } BRKSEC Cisco and/or its affiliates. All rights reserved. Cisco Public 95

88 Summary of Recommendations Host Access Table Additional SenderGroups SKIP_SBRS Place higher for sources that skip reputation SPOOF_ALLOW Part of Spoofing Filter PARTNER For TLS Forced connections In SUSPECTLIST Include SBRS Scores on None Optionally, include failed PTR checks Aggressive HAT Sample BLACKLIST [-10 to -2] POLICY: BLOCKED SUSPECTLIST [-2 to -1] POLICY: HEAVYTHROTTLE GRAYLIST[-1 to 2 and NONE] POLICY: LIGHTTHROTTLE ACCEPTLIST [2 to 10] POLICY: ACCEPTED Mail Flow Policy (default) Security Settings Set TLS to preferred Enable SPF Enable DKIM Enable DMARC and Send Aggregate Feedback Reports Incoming Mail Policies Anti-Spam thresholds Positive = 90, Suspect = 39 Anti-Virus Don't repair, Disable Archive Message AMP Add "AMP" to Subject Prepend for Unscannable, Disable Archive Message Graymail Scanning enabled for each Verdict, Prepend Subject and Deliver Add x-header for Bulk header = X-BulkMail, value = True Outbreak Filters Enable message modification. Rewrite URL for unsigned message. Change Subject prepend to: [Possible $threat_category Fraud] Outgoing Mail Policies Anti-Virus Anti-Virus Virus Infected: Prepend Subject: Outbound Malware Detected: $Subject. Other Notification to Others: Order form admin contact Anti-virus Unscannable don't Prepend the Subject Uncheck Include an X-header with the AV scanning results in Message BRKSEC Cisco and/or its affiliates. All rights reserved. Cisco Public 96

89 Summary of Recommendations Policy Quarantines Pre-Create the following Quarantines Inappropriate Inbound Inappropriate Outbound URL Malicious Inbound URL Malicious Outbound Suspect Spoof Malware Other Settings Dictionaries Enable / Review Profanity and Sexual Terms Dictionary Create Forged Dictionary with Executive Names Create Dictionary for restricted or other keywords Destination Controls Enable TLS for default destination Set lower thresholds for webmail domains Content Filters Inappropriate Content Filter Conditions Profanity OR Sexual dictionary match, send a copy to the Inappropriate quarantine. URL Malicious Reputation Content Filter Send a copy to the URL Malicious (-10 to -6) to quarantine. URL Category Content Filter with these selected Adult, Pornography, Child Abuse, Gambling. Send a copy to the Inappropriate quarantine. Forged Detection Dictionary named "Executives_FED" FED() threshold 90 Quarantine a copy. Macro Enabled Documents content filter if one or more attachments contain a Macro Optional condition -> From Untrusted SBRS range Send a copy to quarantine Attachment Protection if one or more attachments are protected Optional condition -> From Untrusted SBRS range Send a copy to quarantine BRKSEC Cisco and/or its affiliates. All rights reserved. Cisco Public 97

Cisco Spark Ask Questions, Get Answers, Continue the Experience Use Cisco Spark to

Spark app from itunes or Google Play 1. Go to the Cisco Live Berlin 2017 Mobile app 2.

Enter the room, room name = BRKSEC-2325 5. Join the conversation!

90 Cisco Spark Ask Questions, Get Answers, Continue the Experience Use Cisco Spark to communicate with the Speaker and fellow participants after the session Download the Cisco Spark app from itunes or Google Play 1. Go to the Cisco Live Berlin 2017 Mobile app 2. Find this session 3. Click the Spark button under Speakers in the session description 4. Enter the room, room name = BRKSEC Join the conversation! The Spark Room will be open for 2 weeks after Cisco Live BRKSEC Cisco and/or its affiliates. All rights reserved. Cisco Public 98

Complete Your Online Session Evaluation Please complete your Online Session Evaluations after each session Complete 4 Session Evaluations & the Overall Conference Evaluation (available from Thursday)

91 Complete Your Online Session Evaluation Please complete your Online Session Evaluations after each session Complete 4 Session Evaluations & the Overall Conference Evaluation (available from Thursday) to receive your Cisco Live T-shirt All surveys can be completed via the Cisco Live Mobile App or the Communication Stations Don t forget: Cisco Live sessions will be available for viewing on-demand after the event at CiscoLive.com/Online BRKSEC Cisco and/or its affiliates. All rights reserved. Cisco Public 99

Continue Your Education Demos in the World of Solutions Security Area Meet the Engineer 1:1 meetings Meet Nicole Wajer Tweet

0 LALSEC-2005 - Lunch and Learn - Cisco Email Security - Wednesday 22 February 13:00-14:30 BRKSEC-2890 - AMP Threat Grid

92 Continue Your Education Demos in the World of Solutions Security Area Meet the Engineer 1:1 meetings Meet Nicole Wajer #CLEUR BRKSEC I wonder where that Phish has gone Today at 16:45 LTRSEC Lab Security ESA 10.0 LALSEC Lunch and Learn - Cisco Security - Wednesday 22 February 13:00-14:30 BRKSEC AMP Threat Grid integrations with Web, and Endpoint Security - Thursday 11:30 BRKSEC Cisco and/or its affiliates. All rights reserved. Cisco Public 100

93 Thank You

Security Hands-On Lab

Email Security Hands-On Lab Ehsan A. Moghaddam Consulting Systems Engineer Nicole Wajer Consulting Systems Engineer LTRSEC-2009 Ehsan & Nicole Ehsan Moghaddam Consulting Systems Engineer @MoghaddamE EMEAR