Cisco AsyncOS 8.5.5 for Email Security User Guide
Chapter 14      Outbreak Filters
  How Outbreak Filters Work
URLs pointing to URL shortening services.
All of these characteristics make these messages more difficult to detect as spam. The Outbreak Filters 
feature provides a multi-layer defense against these non-viral threats to prevent your users from 
downloading malware or providing personal information to suspicious new websites. 
If CASE discovers URLs in the message, it compares the message to existing Outbreak Rules to 
determine if the message is part of a small-scale non-viral outbreak and then assigns a threat level. 
Depending on the threat level, the Email Security appliance delays delivery to the recipient until more 
threat data can be gathered and rewrites the URLs in the message to redirect the recipient to the Cisco 
web security proxy if they attempt to access the website. The proxy displays a splash page warning the 
user that the website may contain malware.
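The URL handling described above (find URLs in a message, note which ones point at shortening services, and rewrite each one so the recipient is sent through a checking proxy) can be illustrated with the following added example. It is not code from the Cisco guide or the appliance: the shortener host list, the proxy address `proxy.example.invalid`, and the sample message body are all constructed assumptions, and the appliance's real threat-level and Outbreak Rule logic is not reproduced here.

```python
import re
from urllib.parse import quote, urlparse

# Constructed sample message body of the kind the text describes
# (one link through a shortening service, one direct link).
SAMPLE_BODY = """Hi,
Your account statement is ready: http://bit.ly/abc123
Or view it directly at https://statements.example.net/view?id=42
Thanks
"""

# Hypothetical set of URL-shortening hosts (assumption, not from the guide).
SHORTENER_HOSTS = {"bit.ly", "tinyurl.com", "t.co", "goo.gl"}

# Placeholder redirect endpoint standing in for the web security proxy
# (assumption; the page does not give the real proxy address).
PROXY_BASE = "https://proxy.example.invalid/redirect?url="

# Matches http/https links up to whitespace or a closing HTML/quote character.
URL_RE = re.compile(r"https?://[^\s<>\"']+")


def extract_urls(body):
    """Return every http(s) URL found in the message body, in order."""
    return URL_RE.findall(body)


def uses_shortener(url):
    """True when the URL's host is one of the known shortening services."""
    host = urlparse(url).hostname or ""
    return host.lower() in SHORTENER_HOSTS


def rewrite_url(url):
    """Wrap the original URL so a click goes to the proxy first.

    The whole original URL is percent-encoded (no characters left 'safe')
    so the proxy receives it intact, including its own query string.
    """
    return PROXY_BASE + quote(url, safe="")


def rewrite_body(body):
    """Replace every URL in the body with its proxied form."""
    return URL_RE.sub(lambda m: rewrite_url(m.group(0)), body)


def assess(body):
    """Summarise what a URL-based scan sees for one message body.

    Returns the URLs found, the subset that use shortening services, and
    the body with all URLs rewritten (unchanged when no URL is present).
    """
    urls = extract_urls(body)
    return {
        "urls": urls,
        "shorteners": [u for u in urls if uses_shortener(u)],
        "rewritten_body": rewrite_body(body) if urls else body,
    }


if __name__ == "__main__":
    result = assess(SAMPLE_BODY)
    print("URLs found:      ", result["urls"])
    print("Via shorteners:  ", result["shorteners"])
    print(result["rewritten_body"])
```

The regular expression is deliberately simple; a production filter would parse the MIME structure and HTML anchors rather than scanning raw text, and would rewrite only when the assigned threat level calls for it.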
Cisco Security Intelligence Operations
Cisco Security Intelligence Operations (SIO) is a security ecosystem that connects global threat 
information, reputation-based services, and sophisticated analysis to Cisco security appliances to 
provide stronger protection with faster response times.
SIO consists of three components:
SenderBase. The world’s largest threat monitoring network and vulnerability database.
Threat Operations Center (TOC). A global team of security analysts and automated systems that 
extract actionable intelligence gathered by SenderBase.
Dynamic Update. Real-time updates automatically delivered to appliances as outbreaks occur.
SIO compares real-time data from the global SenderBase network to common traffic patterns to identify 
anomalies that are proven predictors of an outbreak. TOC reviews the data and issues a threat level of 
the possible outbreak. Cisco Email Security appliances download updated threat levels and Outbreak 
Rules and use them to scan incoming and outgoing messages, as well as messages already in the 
Outbreak quarantine.
Information about current virus outbreaks can be found on SenderBase’s website here:
http://www.senderbase.org/
The SIO website provides a list of current non-viral threats, including spam, phishing, and malware 
distribution attempts:
http://tools.cisco.com/security/center/home.x
Context Adaptive Scanning Engine
Outbreak Filters are powered by Cisco’s unique Context Adaptive Scanning Engine (CASE). CASE 
leverages over 100,000 adaptive message attributes tuned automatically and on a regular basis, based on 
real-time analysis of messaging threats. 
For virus outbreaks, CASE analyzes the message content, context and structure to accurately determine 
likely Adaptive Rule triggers. CASE combines Adaptive Rules and the real-time Outbreak Rules 
published by SIO to evaluate every message and assign a unique threat level. 
To detect non-viral threats, CASE scans messages for URLs and uses Outbreak Rules from SIO to 
evaluate a message’s threat level if one or more URLs are found.