How-To Configure Mailbox Auto Remediation for Office 365 on Cisco Email Security


Beginning with AsyncOS 10.0. 2017 Cisco and/or its affiliates. All rights reserved.

Contents

About This Document
Introduction to Office 365 Mailbox Auto Remediation
Verifying Feature Keys in Cloud Email Security
Building a Public and Private Certificate and Key Pair
Register Your CES Cluster as an Application in Azure
Modify the Manifest to Reference the RSA Certificate
Upload Private Key and Other Certificate Parameters to the CES Cluster
Configuring Remedial Actions on Delivered Messages
Troubleshooting Mailbox Remediation

About This Document

Microsoft Exchange has become the standard email system used by midsize to large-scale organizations globally. With the rise of cloud applications, Microsoft has introduced Office 365. Cisco Email Security has been protecting Exchange from spam, phishing attacks and viruses for over a decade and has recently enhanced malware protection with Advanced Malware Protection (AMP). While the email security portfolio encompasses other protections, this guide explains how Microsoft Office 365 customers can protect their mailboxes from malicious zero-day attacks such as ransomware. It steps the reader through the details of setting up Office 365 Mailbox Auto Remediation integrated with AMP.

This document is for Cisco engineers and customers who will deploy Cisco Cloud Email Security using AsyncOS 10.0 or higher. This document covers:
- Overview of Office 365 Mailbox Auto Remediation
- Creating a certificate
- Registering Cisco Cloud Email Security (CES) as an Azure app
- Troubleshooting

Note: The graphics present the most recent version of the Azure Active Directory user interface. As that changes over time, customers will need to consult Microsoft tech articles to supplement the tasks described here.

This guide covers only how to integrate ESA/CES with O365 for auto remediation. The reader of this guide is required to know how to set up AMP on Email Security. For more details, see the Security Chalk Talk "Cisco Email Security Malware Auto-Remediation for Office 365" or the How-To Guide "Protect Against File-Based Attacks".

Introduction to Office 365 Mailbox Auto Remediation

Overview of Operation

A file can turn malicious at any time, even after it has reached a user's mailbox. Cisco Advanced Malware Protection (AMP) can identify this development as new information emerges and will push retrospective alerts to an on-premises appliance or Cisco Cloud Email Security (CES) cluster. With AsyncOS, you get more than just alerting. If your organization is using Office 365 to manage mailboxes, you can configure CES to perform auto-remediation actions on the messages in a user's mailbox when the threat verdict changes. This process is briefly illustrated in Figure 1 below.

Figure 1. Retrospection: Mailbox Auto Remediation in Action (diagram: a message from ACME.com passes through the Cisco Cloud Email Security SMA/ESA cluster (DLP, A/V, A/S, Encryption); AMP/Threat Grid returns a good file reputation and the message is delivered to the @bce-acme.com mailbox in Microsoft Office 365; a later update changes the reputation to bad; step 5, Remediate Message)

However, other details need to be considered that address how Cisco CES gains access to a user's Office 365 mailbox to remediate the message. Cisco CES uses Azure Active Directory to gain access to the Office 365 mailboxes. After CES receives the retrospective update about the malicious file (Figure 1), it requests an access token from Azure. If CES can authenticate itself to Azure, and CES has been granted permission to access the Office 365 application, then an access token is provided (Figure 2). At that point the remediation action is allowed to proceed as indicated in step 5 of Figures 1 and 2.

Figure 2. Remediation: Requesting Access to the O365 Mailbox and Authenticating Access with Azure (diagram: after the AMP/Threat Grid retrospective update, the Cisco Cloud Email Security SMA/ESA cluster requests an access token from Microsoft Azure, receives the access token, and in step 5 remediates the message in the @bce-acme.com mailbox in Microsoft Office 365)

This document addresses setting up the Azure service as follows:

Step: Verify feature keys for Cisco AMP analysis and AMP reputation
Purpose: Mailbox Auto Remediation relies on AMP's intelligence for making a remediation.

Step: Create a certificate and a key pair
Purpose: Provides the key pair with which CES authenticates to Azure. CES signs its token requests with the private key; Azure verifies them with the public certificate.

Step: Register your CES cluster as an application on Azure Active Directory
Purpose: Specifies the permissions that CES has in Office 365 mailboxes. The permissions are carried in the token (Figure 2). The manifest is downloaded.

Step: Modify the manifest to reference your RSA certificate
Purpose: Configures Azure to recognize the public key sent from the CES cluster when it requests Office 365 permissions. Certificate-to-public-key references are put in the manifest. The modified manifest is uploaded to Azure.

Step: Upload the private key and other certificate parameters to the CES cluster
Purpose: The private key is uploaded to CES. Configures the client ID, tenant ID, and thumbprint.

Verifying Feature Keys in Cloud Email Security

1. Log in to your Cloud Email Security account.
2. Click: System Administration > Feature Keys.
3. Verify that File Reputation and File Analysis are active.

Figure 3. Verifying Feature Keys

Building a Public and Private Certificate and Key Pair

Note: If you already have an X.509 certificate and private key pair, skip to the section "Register Your CES Cluster as an Application in Azure" in this guide.

1. Download the certificate and key generating tool. This guide uses a tool called XCA.
2. Create a certificate and private key pair.
3. As shown in Figure 4, fill out the Distinguished Name fields.
4. Click the Extensions tab.
5. In the section called X509v3 Basic Constraints, specify the certificate type as Certification Authority.
6. Also on the Extensions tab (not shown), specify the time range for which the certificate is valid.
7. Select Local time for the time zone that the Cisco CES cluster is hosted in.
8. Click: Apply.
9. Click the Key usage tab.
10. As shown in Figure 5, on the Key usage tab, choose the following three options: Digital Signature, Key Encipherment, E-mail Protection.
11. Click: OK. Your certificate and private key pair will be created.

Figure 4. Filling Out the Distinguished Name Fields
Figure 5. Choosing Key Usage Options

12. Click the Certificates tab and highlight the certificate name (Figure 6).
13. Click: Export. Download the certificate to a directory that is convenient to access with Microsoft PowerShell.
Note: Avoid long directory paths to make PowerShell use easier.
14. Click the Private Keys tab, highlight the private key name, and click: Export.
15. Download the private key to the same directory.

Note: The exported private key is the credential with which CES will obtain access to Office 365 mailboxes. Anyone holding it can obtain the same access, so keep it only where it is needed (the CES cluster, once uploaded) and delete copies you no longer need.

Figure 6. Exporting the Certificate and Private Key

16. Using WordPad, verify that the structure of the certificate and private key pair is as shown in Figure 7.

Figure 7. Verifying the Certificate and Private Key Pair Structure

Register Your CES Cluster as an Application in Azure

1. Access the Azure user interface: https://portal.azure.com/
2. Click: More Services > App Registrations (Figure 8).

Figure 8. Accessing the Registration Form

3. Click: +Add (Figure 9).
4. Specify the App Name.
5. For application type, select: Web app/API.
6. Enter a Sign-on URL in the form: https://<company_domain.com>/manualregistration
Note: Azure describes this as the URL where users can sign in and use your appliance. Azure requires a value here, but mailbox remediation authenticates with the certificate rather than with an interactive user sign-in, so no user signs in at this URL.

Figure 9. Adding the Application

7. Click: Create.
8. Under API Access, click: Required permissions (Figure 10).
9. In the API listing, select Office 365 Exchange Online.
10. At the bottom of the page, click: Select.

Figure 10. Selecting the API

11. As shown in Figure 11, for Application Permissions select:
Use Exchange Web Services with full access to all mailboxes
Send mail as any user
Read mail in all mailboxes
Read and write mail in all mailboxes

Figure 11. Selecting Permissions

12. As shown in Figure 12, for Delegated Permissions select:
Send mail as a user
Read and write user mail
Read user mail
Access mailboxes as the signed-in user via Exchange Web Services

Figure 12. Delegating Permissions

Note: The Application Permissions are application-only rights that are not tied to any signed-in user and that cover every mailbox in the tenant. Whoever holds the private key registered for this application in the following sections can read and modify any mailbox, so use this app registration for mailbox remediation only and protect the private key like any other tenant-wide credential.

13. After completing the selection of the API and its permissions, return to the top of the Required permissions panel and select Grant Permissions. Acknowledge the permissions popup to grant the permissions. This is the administrator consent for the application-level permissions selected above, so a directory administrator must perform it.
14. Click: Select.
15. Click: Done.
16. Download the manifest (Figure 13).
a. In the toolbar beneath the app name, click: Manifest.
b. In the Edit Manifest menu, click: Download.
c. Save the manifest to the directory containing your certificate.

Figure 13. Downloading the Manifest

Modify the Manifest to Reference the RSA Certificate

Note: Additional references to these steps are in Chapter 21 of the User Guide, "Automatically Remediating Messages in Office 365 Mailboxes" (http://www.cisco.com/c/dam/en/us/td/docs/security/esa/esa10-0/ESA_10-0_User_Guide.pdf).

1. Enable Azure to authenticate the CES cluster by updating the application manifest with the key credentials from the public key certificate. As shown in line 12 of Figure 14, the keyCredentials parameter must be updated to include the JSON shown below (referenced from Chapter 21 of the User Guide):

    "keyCredentials": [
      {
        "customKeyIdentifier": "$base64thumbprint_from_step_2",
        "keyId": "$keyid_from_step_2",
        "type": "AsymmetricX509Cert",
        "usage": "Verify",
        "value": "$base64value_from_step_2"
      }
    ],

Do this by opening the manifest in WordPad and pasting the JSON as described above, replacing the three placeholders with the values derived in step 2.

Figure 14. Downloading the Manifest
Figure 15. Updating the Key Credentials

2. Derive the key credentials from your RSA certificate by using PowerShell.
a. Open PowerShell and change to the directory that contains your certificate and private key pair.
b. Derive the key credentials by running the following commands. The path passed to $cer.Import points to the directory in our example (see Figure 16):

    $cer = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2
    $cer.Import("C:\Users\kbfloyd\Cert_Demo\bce-acme.crt")
    # DER-encoded certificate, base64: becomes "value" in keyCredentials
    $bin = $cer.GetRawCertData()
    $base64value = [System.Convert]::ToBase64String($bin)
    # SHA-1 thumbprint, base64: becomes "customKeyIdentifier" and the CES Mailbox Settings thumbprint
    $bin = $cer.GetCertHash()
    $base64thumbprint = [System.Convert]::ToBase64String($bin)
    # Any fresh GUID: becomes "keyId"
    $keyid = [System.Guid]::NewGuid().ToString()

Figure 16. $cer.Import

c. Retrieve the key credentials by typing each variable name in PowerShell (Figure 17):

    $base64thumbprint
    $keyid
    $base64value

Note: Copy the $base64thumbprint value to WordPad for later reference; it is the Thumbprint entered on the CES Mailbox Settings page.

Figure 17. Retrieving the Key Credentials

3. Copy the key credentials into your manifest.
Note: Remove any automatic carriage returns that may be included when pasting the $base64value.

4. Upload the manifest to your Azure account (Figure 18). If you get an error on upload, check for carriage returns as described in the previous step.

Figure 18. Uploading the Manifest
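The derivation above can be carried through without WordPad. The following script is an added example, not part of the Cisco guide: it derives the same three values, appends the keyCredentials entry to the downloaded manifest with PowerShell's JSON cmdlets (which cannot introduce the line-wrapped base64 that makes the Azure upload fail), refuses an expired or already-registered certificate, and prints the thumbprint to enter on the CES Mailbox Settings page. The file paths reuse the guide's example directory and are assumptions; the function names are this example's own. It runs in Windows PowerShell 5.1 and later.

```powershell
# Added example (not Cisco's code): build a keyCredentials entry from the public certificate
# and merge it into the manifest downloaded from Azure. Paths are assumptions.
$CertPath    = 'C:\Users\kbfloyd\Cert_Demo\bce-acme.crt'           # public certificate exported from XCA
$ManifestIn  = 'C:\Users\kbfloyd\Cert_Demo\manifest.json'          # manifest downloaded from Azure
$ManifestOut = 'C:\Users\kbfloyd\Cert_Demo\manifest-with-key.json' # file to upload back to Azure

function Get-KeyCredential {
    param([string]$CertificatePath)
    $cer = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList $CertificatePath
    if ($cer.NotAfter -lt (Get-Date)) { throw "certificate expired on $($cer.NotAfter)" }
    [ordered]@{
        customKeyIdentifier = [Convert]::ToBase64String($cer.GetCertHash())     # base64 SHA-1 thumbprint
        keyId               = [Guid]::NewGuid().ToString()                     # any fresh GUID
        type                = 'AsymmetricX509Cert'
        usage               = 'Verify'                                         # Azure verifies CES's signed requests with it
        value               = [Convert]::ToBase64String($cer.GetRawCertData()) # base64 DER certificate
    }
}

function Add-KeyCredentialToManifest {
    param([string]$InPath, [string]$OutPath, $KeyCredential)
    $manifest = Get-Content -Raw -Path $InPath | ConvertFrom-Json

    # Append rather than replace: an existing entry keeps working while you rotate to a new certificate.
    $existing = @()
    if ($manifest.PSObject.Properties['keyCredentials']) { $existing = @($manifest.keyCredentials) }
    if ($existing | Where-Object { $_.customKeyIdentifier -eq $KeyCredential.customKeyIdentifier }) {
        throw 'this certificate is already registered in the manifest'
    }
    $updated = @($existing) + @([pscustomobject]$KeyCredential)
    if ($manifest.PSObject.Properties['keyCredentials']) { $manifest.keyCredentials = $updated }
    else { $manifest | Add-Member -NotePropertyName keyCredentials -NotePropertyValue $updated }

    # -Depth: the manifest nests several levels (requiredResourceAccess); the default depth of 2 would truncate it.
    # Write UTF-8 without a byte-order mark, which Set-Content -Encoding UTF8 adds in Windows PowerShell 5.1.
    $json = $manifest | ConvertTo-Json -Depth 10
    [System.IO.File]::WriteAllText($OutPath, $json, (New-Object System.Text.UTF8Encoding $false))
    return $KeyCredential.customKeyIdentifier
}

$kc = Get-KeyCredential -CertificatePath $CertPath
$thumbprint = Add-KeyCredentialToManifest -InPath $ManifestIn -OutPath $ManifestOut -KeyCredential $kc
"Upload $ManifestOut to Azure; enter this Thumbprint on the CES Mailbox Settings page: $thumbprint"
```

Upload the written file in place of the hand-edited manifest in step 4. The duplicate check matters during certificate rotation: Azure selects the keyCredentials entry by thumbprint, so two entries with the same customKeyIdentifier are never useful, while an old and a new certificate can coexist until the cluster has been switched over.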

Upload Private Key and Other Certificate Parameters to the CES Cluster

1. Retrieve the Client ID from your account. This value is stored as the Application ID in the Azure Active Directory. Click: App Registrations > App_Name > Settings. Copy the Client ID as shown in Figure 19. In our example, Client ID = 1c5f70b9-a305-48a8-98aa-ede69edcb2e6

Figure 19. Retrieving the Client ID

2. Retrieve the Tenant ID. Click: App Registrations > Endpoints. Under Federation Metadata Document, any of the URLs can be copied (see Figure 20). The Tenant ID is the GUID inside the full URL string. In our example:
https://login.windows.net/688a9cf0-b444-4768-890d-168fc921d268/federationmetadata/2007-06/federationmetadata.xml
Tenant ID = 688a9cf0-b444-4768-890d-168fc921d268

Figure 20. Retrieving the Tenant ID

3. Gather these three values together to be uploaded to your CES cluster:
Client ID: 1c5f70b9-a305-48a8-98aa-ede69edcb2e6
Tenant ID: 688a9cf0-b444-4768-890d-168fc921d268
Thumbprint: 1kRRZsGNn8NlGEZhX11zrHphcE7=
Note: The Thumbprint is the $base64thumbprint value from the previous section, the same value placed in customKeyIdentifier in the manifest.

4. Log in to your cluster. Click: System Administration > Mailbox Settings > Edit Settings. Enter the Client ID, Tenant ID, and Thumbprint (Figure 21).
5. Upload your Certificate Private Key.
6. Click: Submit and Commit Changes.
7. You should be prompted with: Certificate Private Key Successfully Uploaded.

Figure 21. Entering the Client ID, Tenant ID, and Thumbprint

Configuring Remedial Actions on Delivered Messages

1. On the ESA or CES portal, log in with the correct credentials and select Mail Policies > Incoming Mail Policies.
2. For the mail policy required, edit the Advanced Malware Protection (AMP) section as shown in Figure 23.

Figure 23. Incoming Mail Policies

3. Click the link in the Advanced Malware Protection column of the mail policy to modify.
4. Scroll to the bottom of the configuration options and select Enable Mailbox Auto Remediation.
5. As shown in Figure 24, choose the Action to be taken on message(s) in user's mailbox:
Forward to
Delete
Forward to and Delete (Recommended)
Note: With either Forward action, the forwarding address receives a message that AMP has retrospectively judged malicious. Use a mailbox reserved for security analysts, not a general-purpose one.

Figure 24. Configuring Remedial Actions

6. Office 365 Mailbox Auto Remediation should be functional at this time. Verify this on the Mailbox Settings page (System Administration > Mailbox Settings) by:
Clicking: Check Connection
Entering a valid Office 365 mailbox address
Clicking: Test Connection
Your results should be the same as in Figure 22.

Figure 22. Verifying Auto Remediation Functionality
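When Test Connection fails, it helps to reproduce outside the appliance what CES does with the values you just entered: sign a client assertion with the private key, identify the certificate by its thumbprint, and present the assertion to the Azure token endpoint. The script below is an added example, not Cisco's code and not how CES is implemented internally; it follows the Azure AD certificate-credential flow (a JWT signed with RS256 whose x5t header is the certificate's SHA-1 thumbprint, sent as client_assertion to the login.windows.net endpoint seen in the federation metadata URL above). It first checks offline, against the certificate recorded in the manifest you uploaded, that the private key really belongs to that certificate and that the thumbprint selects an entry at all, which separates the two credential errors listed under Troubleshooting; it then makes the live token request. The tenant and client IDs are the guide's example values; the file paths, the assumption that the XCA private key was exported as an unencrypted PEM file, and the EWS resource URL https://outlook.office365.com/ are this example's assumptions. It needs PowerShell 7.1 or later for ImportFromPem.

```powershell
# Added example (not Cisco's code): reproduce the Azure AD token request CES makes with the
# configured certificate, thumbprint and private key. Paths and $Resource are assumptions.
$TenantId     = '688a9cf0-b444-4768-890d-168fc921d268'
$ClientId     = '1c5f70b9-a305-48a8-98aa-ede69edcb2e6'
$CertPath     = 'C:\Users\kbfloyd\Cert_Demo\bce-acme.crt'   # public certificate (same one placed in the manifest)
$KeyPath      = 'C:\Users\kbfloyd\Cert_Demo\bce-acme.pem'   # private key from XCA, assumed unencrypted PEM
$ManifestPath = 'C:\Users\kbfloyd\Cert_Demo\manifest.json'  # manifest as uploaded to Azure
$TokenUrl     = "https://login.windows.net/$TenantId/oauth2/token"
$Resource     = 'https://outlook.office365.com/'            # EWS audience for the Exchange Online permissions (assumption)

function ConvertTo-Base64Url([byte[]]$Bytes) {
    [Convert]::ToBase64String($Bytes).TrimEnd('=').Replace('+', '-').Replace('/', '_')
}
function ConvertFrom-Base64Url([string]$Text) {
    $s = $Text.Replace('-', '+').Replace('_', '/')
    [Convert]::FromBase64String($s + ('=' * ((4 - $s.Length % 4) % 4)))
}

# JWT client assertion: base64url(header).base64url(claims).base64url(RS256 signature)
function New-ClientAssertion {
    param([System.Security.Cryptography.RSA]$PrivateKey, [byte[]]$CertHash, [string]$ClientId, [string]$Audience)
    $now = [DateTimeOffset]::UtcNow
    # x5t is the base64url SHA-1 thumbprint; Azure uses it to pick the keyCredentials entry to verify against
    $header = @{ alg = 'RS256'; typ = 'JWT'; x5t = (ConvertTo-Base64Url $CertHash) } | ConvertTo-Json -Compress
    $claims = @{
        aud = $Audience; iss = $ClientId; sub = $ClientId
        jti = [Guid]::NewGuid().ToString()
        nbf = $now.ToUnixTimeSeconds(); exp = $now.AddMinutes(10).ToUnixTimeSeconds()
    } | ConvertTo-Json -Compress
    $signingInput = (ConvertTo-Base64Url ([Text.Encoding]::UTF8.GetBytes($header))) + '.' +
                    (ConvertTo-Base64Url ([Text.Encoding]::UTF8.GetBytes($claims)))
    $sig = $PrivateKey.SignData([Text.Encoding]::UTF8.GetBytes($signingInput),
        [System.Security.Cryptography.HashAlgorithmName]::SHA256,
        [System.Security.Cryptography.RSASignaturePadding]::Pkcs1)
    "$signingInput." + (ConvertTo-Base64Url $sig)
}

# Offline check: select the manifest entry by thumbprint, as Azure does, and verify the signature with it
function Test-ClientAssertion {
    param([string]$Assertion, [string]$ManifestPath)
    $parts  = $Assertion.Split('.')
    $header = [Text.Encoding]::UTF8.GetString((ConvertFrom-Base64Url $parts[0])) | ConvertFrom-Json
    $wantThumb = [Convert]::ToBase64String((ConvertFrom-Base64Url $header.x5t))   # manifest holds plain base64
    $manifest  = Get-Content -Raw $ManifestPath | ConvertFrom-Json
    $entry = $manifest.keyCredentials | Where-Object { $_.customKeyIdentifier -eq $wantThumb } | Select-Object -First 1
    if (-not $entry) { return 'no keyCredentials entry has this thumbprint (Azure: Credential validation failed)' }
    $azureCert = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new(
        [byte[]][Convert]::FromBase64String($entry.value))
    $pub = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPublicKey($azureCert)
    $ok = $pub.VerifyData([Text.Encoding]::UTF8.GetBytes("$($parts[0]).$($parts[1])"),
        (ConvertFrom-Base64Url $parts[2]),
        [System.Security.Cryptography.HashAlgorithmName]::SHA256,
        [System.Security.Cryptography.RSASignaturePadding]::Pkcs1)
    if ($ok) { 'signature verifies against the certificate registered in Azure' }
    else     { 'private key does not belong to the registered certificate (Azure: Client assertion contains an invalid signature)' }
}

$rsa = [System.Security.Cryptography.RSA]::Create()
$rsa.ImportFromPem((Get-Content -Raw $KeyPath))          # PKCS#1 or PKCS#8 PEM; encrypted keys need ImportFromEncryptedPem
$cert = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($CertPath)
$assertion = New-ClientAssertion -PrivateKey $rsa -CertHash $cert.GetCertHash() -ClientId $ClientId -Audience $TokenUrl
Test-ClientAssertion -Assertion $assertion -ManifestPath $ManifestPath

# Online check: the same request CES sends; Azure's error_description carries the strings listed under Troubleshooting
$body = @{
    grant_type            = 'client_credentials'
    client_id             = $ClientId
    client_assertion_type = 'urn:ietf:params:oauth:client-assertion-type:jwt-bearer'
    client_assertion      = $assertion
    resource              = $Resource
}
try   { $tok = Invoke-RestMethod -Method Post -Uri $TokenUrl -Body $body; "token issued, expires_in=$($tok.expires_in)" }
catch { ($_.ErrorDetails.Message | ConvertFrom-Json).error_description }
```

If the offline check passes but the live request is refused, the certificate material is right and the problem is on the Azure side: the Client ID or Tenant ID, the Grant Permissions step, or the appliance clock (the nbf/exp claims are what make a skewed clock fail).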

Monitoring Mailbox Remediation Results

1. You can view the details of the mailbox remediation results using the Mailbox Auto Remediation report page.
a. Log in to your CES Security Management Appliance.
b. Click: Email > Reporting > Mailbox Auto Remediation as shown in Figure 25.
From here you can view details such as:
A list of recipients for whom the mailbox remediation was successful or unsuccessful
Remedial actions taken on messages
The filenames associated with a SHA-256 hash

Figure 25. Viewing the Results

Troubleshooting Mailbox Remediation

Problem: While trying to check the connection between your appliance and Office 365 services on the Mailbox Settings page (System Administration > Mailbox Settings), you receive an error message: Connection Unsuccessful.

Solution: Depending on the response from the server, do one of the following:

Error Message: The SMTP address has no mailbox associated with it.
Reason and Solution: You have entered an email address that is not part of the Office 365 domain. Enter a valid email address and check the connection again.

Error Message: Application with identifier <client_id> was not found in the directory <tenant_id>.
Reason and Solution: You have entered an invalid Client ID. Modify the Client ID on the Mailbox Settings page and check the connection again.

Error Message: No service namespace named <tenant_id> was found in the data store.
Reason and Solution: You have entered an invalid Tenant ID. Modify the Tenant ID on the Mailbox Settings page and check the connection again.

Error Message: Error validating credentials. Credential validation failed.
Reason and Solution: You have entered an invalid certificate thumbprint. Modify the certificate thumbprint on the Mailbox Settings page and check the connection again.

Error Message: Error validating credentials. Client assertion contains an invalid signature.
Reason and Solution: You have entered an incorrect certificate thumbprint, or you have uploaded an invalid or incorrect certificate private key. Verify that:
You have entered the correct thumbprint.
You have uploaded the correct certificate private key, that is, the key belonging to the certificate whose public half is in the manifest.
The certificate is not expired (the validity period set in step 6 of "Building a Public and Private Certificate and Key Pair").
The clock and time zone of your appliance match those used when the certificate's validity period was set, so that the current time falls inside that period.

Cisco and the Cisco logo are trademarks or registered trademarks of Cisco and/or its affiliates in the U.S. and other countries. To view a list of Cisco trademarks, go to this URL: https://www.cisco.com/go/trademarks. Third-party trademarks mentioned are the property of their respective owners. The use of the word partner does not imply a partnership relationship between Cisco and any other company. (1110R) C07-738370-01 11/17