Cisco Email Security Appliance X1050 White Paper
© 2016 Cisco and/or its affiliates. All rights reserved.
About This Document
This document is for Cisco® engineers and customers who deploy Cisco
Email Security products running AsyncOS version 9.1 or later with a
standard inbound license bundle or with an Outbreak Filters license.
Cisco Email Security provides a layered, defense-in-depth approach to
detecting URL-based threats. It uses URL reputation information in the
Anti-Spam, Content Filters, and Outbreak Filters engines; rewrites URLs so
that clicks are redirected to a Cisco-provided proxy for click-time
scanning; and reports on the URLs that users click. It also provides URL
category controls inside Content Filters to address unwanted incoming
URLs. This document covers the configuration of these features,
including:
• Enabling URL features
• Enabling Web Interaction Tracking
• Configuring URL reputation blocks in Content Filters
• Configuring URL categories in Content Filters
• Configuring Outbreak Filters
• Using reporting functions
Introduction
URL features on Cisco® Email Security products provide malicious URL
detection, remediation, and reporting for messages containing malicious
or unwanted URLs. In addition, URLs rewritten by the solution are
tracked, giving email administrators visibility into which users clicked
them and the disposition of the scan performed by the Cisco-powered
proxy.
Powered by Cisco Talos, the Cisco IPAS Anti-Spam engine, the Content
Filters engine, and the Outbreak Filters engine use the same URL
reputation and category information as the Cisco Web Security
Appliance and Cloud Web Security solutions. This allows:
• The Anti-Spam engine to use URL reputation in judging whether a
message is spam
• Outbreak Filters to use URL reputation to determine the threat level
and intent of a message
• Email administrators to use URL reputation and categorization
information to quarantine messages; block, rewrite, or defang URLs;
modify messages; and more
Technical Details
Cisco Email Security products use the URL reputation and categorization
information provided by Cisco Talos. They pull this category and
reputation data in real time from the cloud, cache it for performance,
and use it to detect spam, email-borne threats, and unwanted URLs.
Cisco Anti-Spam uses URL reputation in scoring messages and determining
their disposition. If a message is on the edge of scoring as spam and
contains a URL with a poor reputation, the URL pushes it over the edge
and the message is treated as spam. Outbreak Filters target blended
threats, such as email messages that carry a vector outside of email: a
URL for the user to open, or a phone number for them to call to
"confirm" banking information. Outbreak Filters scans messages for
approximately 20 categories of threats and scams and uses URL
reputation in scoring both the message and its intent. For instance,
is this message trying to get a user to confirm banking information?
Send money? Verify credentials?
In AsyncOS 8.5, two Content Filter conditions were added to support URL
controls: URL Category and URL Reputation. These conditions let the
email administrator identify messages containing URLs in specific
reputation score ranges or categories, such as pornography and hate
speech, and take specific actions: quarantine or block the message;
defang, rewrite, or replace the URLs; add a warning to the message body
or prepend one to the subject line; send a copy to another recipient;
and more.
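To make the behaviour of these two conditions concrete, the following is an added example written for this guide, not Cisco code and not an AsyncOS configuration. It models a small URL Content Filter: every URL in a message body is looked up in a reputation/category table, the first matching rule decides an action, and the message is either held for quarantine or delivered with its URLs defanged or rewritten to a scanning proxy. The reputation scale (-10 to +10, more negative is worse), the lookup table, the category names, the thresholds, the proxy address, and the sample messages are all constructed assumptions for illustration.

```python
"""Model of URL Reputation / URL Category Content Filter conditions and actions.

Added example for this guide; not Cisco code. The intel table, score scale,
categories, thresholds, proxy URL and sample messages are assumptions.
"""
import re
from urllib.parse import quote

# Constructed lookup table standing in for the Talos reputation/category feed.
# Score: -10 (worst) to +10 (best); None means "no data".
URL_INTEL = {
    "http://bank-login-verify.example": (-8.5, "Phishing"),
    "http://example.net/news": (4.0, "News"),
    "http://adult-site.example": (2.0, "Adult"),
    "http://good.example": (8.0, "Business"),
}

# Placeholder click-time scanning proxy (assumed address, not a real endpoint).
PROXY = "https://proxy.example/scan/"

URL_RE = re.compile(r"https?://[^\s<>\"']+")

# Rules evaluated in order per URL; the first whose predicate matches wins.
# Each rule maps to one of the actions named in the text: quarantine the
# message, defang the URL, or rewrite the URL through the proxy.
RULES = [
    ("block_malicious", lambda s, c: s is not None and s <= -6.0, "quarantine"),
    ("defang_unwanted", lambda s, c: c in {"Adult", "Hate Speech"}, "defang"),
    ("rewrite_neutral", lambda s, c: s is None or -6.0 < s < 6.0, "rewrite"),
]


def lookup(url):
    """Return (score, category) for a URL; (None, None) when unknown."""
    return URL_INTEL.get(url, (None, None))


def defang(url):
    """Make the link non-clickable while keeping it readable."""
    return (url.replace("http://", "hxxp://")
               .replace("https://", "hxxps://")
               .replace(".", "[.]"))


def rewrite(url):
    """Redirect the click through the scanning proxy (URL passed encoded)."""
    return PROXY + quote(url, safe="")


def evaluate(url):
    """Return (rule_name, action) for one URL; (None, 'allow') if no rule hits."""
    score, category = lookup(url)
    for name, predicate, action in RULES:
        if predicate(score, category):
            return name, action
    return None, "allow"


def filter_message(subject, body):
    """Apply the rules to every URL in the body.

    Returns a dict with 'disposition' ('quarantine' or 'deliver'), the
    possibly modified 'subject' and 'body', and per-URL 'verdicts'.
    A single quarantine verdict holds the whole message, untouched.
    """
    urls = [m.rstrip(".,;)") for m in URL_RE.findall(body)]
    verdicts = {u: evaluate(u) for u in urls}
    if any(action == "quarantine" for _, action in verdicts.values()):
        return {"disposition": "quarantine", "subject": subject,
                "body": body, "verdicts": verdicts}
    changed = False
    for url, (_, action) in verdicts.items():
        if action == "defang":
            body, changed = body.replace(url, defang(url)), True
        elif action == "rewrite":
            body, changed = body.replace(url, rewrite(url)), True
    if changed:
        subject = "[URL REWRITTEN] " + subject   # prepend-subject warning action
    return {"disposition": "deliver", "subject": subject,
            "body": body, "verdicts": verdicts}


# Constructed sample messages.
PHISH = "Confirm your account at http://bank-login-verify.example now."
MIXED = ("Read http://example.net/news and see http://adult-site.example, "
         "also http://unknown.example/x.")
CLEAN = "See http://good.example for details."

if __name__ == "__main__":
    for subj, msg in (("Account notice", PHISH), ("Links", MIXED), ("Info", CLEAN)):
        r = filter_message(subj, msg)
        print(r["disposition"], "|", r["subject"], "|", r["body"])
```

Rule order matters: a URL in the Adult category with a mildly positive score is defanged rather than rewritten because the category rule precedes the reputation-range rule, and an unknown URL (no score) falls through to the rewrite rule so that the proxy scans it at click time instead of the gateway guessing.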
URL rewriting is visible to end users. They will see the URL being
scanned in their browser, followed by either a block page or, if no
malware or malicious intent is found, a prompt asking whether they want
to continue to the website. Wherever possible, Content Filters, Outbreak
Filters, and other options with user-visible impacts on mail flow should
be rolled out in a controlled fashion. Cisco recommends communicating the
changes to the user community and starting with an internal IT group
before rolling out to all users.
Cisco Email Security How-To Guide
How-To Protect Against URL-Based Attacks
Cisco Public