Cisco Email Security Appliance C170 Operating Instructions
10-9
Cisco IronPort AsyncOS 7.5 for Email Configuration Guide
OL-25136-01
Chapter 10 Outbreak Filters
Types of Rules: Adaptive and Outbreak
Two types of rules are used by Outbreak Filters to detect potential outbreaks:
Adaptive and Outbreak. The Outbreak Filters feature uses these two rule sets to
provide the highest efficacy and the most focused set of criteria for threat
detection to ensure that filters can be laser focused on a particular outbreak. The
Outbreak Filters rules and actions are visible to the administrator, not hidden
away behind the scenes, providing instant access to quarantined messages and the
reason why they were quarantined.
Outbreak Rules
Outbreak Rules are generated by the Cisco IronPort Threat Operations Center
(TOC), which is a part of the Cisco Security Intelligence Operations, and focus
on the message as a whole, rather than just attachment filetypes. Outbreak Rules
use SenderBase data (real time and historical traffic data) and any combination of
message parameters such as attachment file type, file name keywords, or
anti-virus engine update to recognize and prevent outbreaks in real time. Outbreak
Rules are given a unique ID used to refer to the rule in various places in the GUI
(such as the Outbreak quarantine).
Real-time data from the global SenderBase network is then compared to this
baseline, identifying anomalies that are proven predictors of an outbreak. The
TOC reviews the data and issues a threat indicator or Threat Level. The Threat
Level is a numeric value between 0 (no threat) and 5 (extremely risky), and
measures the likelihood that a message is a threat for which no other gateway
defense is widely deployed by Cisco IronPort customers (for more information,
see
). Threat Levels are published as Outbreak Rules by
the TOC.
Some example characteristics that can be combined in Outbreak Rules include:
• File Type, File Type & Size, File Type & File Name Keyword, etc.
• File Name Keyword & File Size
• File Name Keyword
• Message URL
• File Name & Sophos IDE
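The following Python sketch is an added illustration of how criteria of the kinds listed above (attachment file type, file size, file name keyword, message URL) can be ANDed into a rule that carries a Threat Level from 0 to 5, and how a gateway policy might quarantine once a message reaches a configured level. It is not Cisco's code and does not reflect how AsyncOS implements Outbreak Rules internally; the rule IDs, the lure host, the threshold and the sample messages are all constructed for the example.

```python
"""Illustrative Outbreak-Rule-style evaluator (added example, not Cisco's implementation).

Rule IDs, the threat levels assigned, the lure host and the sample messages
below are constructed for demonstration only.
"""
from dataclasses import dataclass, field
from typing import Callable, List, Tuple
from urllib.parse import urlparse


@dataclass
class Attachment:
    filename: str
    size_bytes: int

    @property
    def extension(self) -> str:
        # File type is approximated by extension here; a real gateway would also sniff content.
        return self.filename.rsplit(".", 1)[-1].lower() if "." in self.filename else ""


@dataclass
class Message:
    attachments: List[Attachment] = field(default_factory=list)
    urls: List[str] = field(default_factory=list)


@dataclass
class OutbreakRule:
    rule_id: str                       # constructed ID; real rules carry a unique ID shown in the GUI
    threat_level: int                  # 0 (no threat) .. 5 (extremely risky)
    description: str
    matches: Callable[[Message], bool]


def attachment_with(ext=None, keyword=None, min_size=None, max_size=None):
    """Predicate: true when ANY attachment satisfies every criterion given (criteria are ANDed)."""
    def pred(msg: Message) -> bool:
        for a in msg.attachments:
            if ext is not None and a.extension != ext.lower():
                continue
            if keyword is not None and keyword.lower() not in a.filename.lower():
                continue
            if min_size is not None and a.size_bytes < min_size:
                continue
            if max_size is not None and a.size_bytes > max_size:
                continue
            return True
        return False
    return pred


def url_on_host(host: str):
    """Predicate: true when any URL in the message points at the given host."""
    def pred(msg: Message) -> bool:
        return any((urlparse(u).hostname or "").lower() == host.lower() for u in msg.urls)
    return pred


# Constructed rules mirroring the characteristic combinations listed on the page.
RULES = [
    OutbreakRule("EX-0001", 4, "File Type & Size: .zip attachment of at most 60 KB",
                 attachment_with(ext="zip", max_size=60_000)),
    OutbreakRule("EX-0002", 3, "File Name Keyword & File Size: 'statement' between 10 KB and 200 KB",
                 attachment_with(keyword="statement", min_size=10_000, max_size=200_000)),
    OutbreakRule("EX-0003", 2, "Message URL: link to a constructed lure host",
                 url_on_host("lure.example")),
]


def evaluate(msg: Message, rules=RULES) -> Tuple[int, List[str]]:
    """Return the highest Threat Level among matching rules and the IDs of every rule that matched."""
    hits = [r for r in rules if r.matches(msg)]
    level = max((r.threat_level for r in hits), default=0)
    return level, [r.rule_id for r in hits]


def decide(msg: Message, quarantine_threshold: int = 3, rules=RULES) -> dict:
    """Quarantine when the message's Threat Level reaches the configured threshold."""
    level, ids = evaluate(msg, rules)
    action = "quarantine" if level >= quarantine_threshold else "deliver"
    return {"threat_level": level, "rules": ids, "action": action}


if __name__ == "__main__":
    demo = Message(attachments=[Attachment("invoice_2391.zip", 31_000)])
    print(decide(demo))  # constructed message: matches EX-0001, Threat Level 4, quarantined
```

Keeping the matching rule IDs alongside the decision is what lets an administrator see, in the quarantine, why a message was held rather than just that it was; the threshold is a policy knob and is deliberately separate from the rules themselves.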