Over the last 18 months we have made the decision to further strengthen our email security stack for incoming email by combining the best of breed of the multiple security solutions available to us.
Our level 1 security, or rather our boundary controls, is done via SMTP packet inspection on our boundary next-generation firewalls. At this level we currently look mainly for antivirus and external threat feed patterns and drop the SMTP sessions before they reach our internal gateways. This level alone already blocks almost 60% of all incoming SMTP traffic.
Once the first stage is cleared, email is handed over to our level 2 security: a large number of virtualized Cisco ESA (IronPort) appliances, spread for resilience over two DMZs hosted in two of our data centers. With an all-you-can-eat license we make heavy use of the key security features provided:
- IronPort Anti-Spam and Talos-powered Intelligent Multi-Scan
- Sophos Anti-Virus
- Talos-powered Advanced Malware Protection (AMP) File Analysis and Sandboxing
- External Threat Feeds using STIX/TAXII
- Graymail Detection and Filtering
- Talos-powered Outbreak Control
We have extended the built-in security functions with 150+ custom content and message filters so that the email gateways match our mandated security controls. Much like a custom policy on a boundary firewall, this lets us add checks for new threats, patterns and validations to the email gateways before they are officially detected or supported by the vendor. Our filtering policies that check for TLS or ARC compliance are among the heavy lifters.
Those custom filters usually drive my friends at Cisco TAC crazy, as our philosophy is: as long as the documentation does not say NOT SUPPORTED, they have to deal with it.
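To make the TLS and ARC compliance checks mentioned above concrete, here is an added example in Python (not a Cisco ESA message filter, and not code from the original post). It models the structural part of such a gateway check: did the last hop arrive over an encrypted SMTP session, and is the ARC header set (RFC 8617) well-formed, i.e. instances i=1..n are complete and the chain validation tags are cv=none for the first seal and cv=pass for every later one. Cryptographic verification of the ARC signatures, which needs DNS and the signing keys, is out of scope. The two sample messages, the host names and the ESMTPS keyword assumption (RFC 3848) are constructed for the example.

```python
"""Structural TLS/ARC compliance checks for an inbound message.

Added illustration; it is not an ESA content filter and it does not verify
ARC signatures cryptographically. It only checks the properties a gateway
policy can decide from the headers alone.
"""
import re
from email import message_from_string
from email.message import Message

ARC_HEADERS = ("ARC-Seal", "ARC-Message-Signature", "ARC-Authentication-Results")
ARC_MAX_SETS = 50  # RFC 8617 section 5.2: more than 50 sets must be treated as cv=fail

# Constructed sample 1: received over TLS, two well-formed ARC sets.
GOOD_MSG = """\
Received: from mail.example.net (mail.example.net [203.0.113.10])
    by mx.example.com with ESMTPS id abc123
    for <user@example.com>; Mon, 03 Aug 2020 10:00:00 +0000
ARC-Seal: i=2; a=rsa-sha256; cv=pass; d=relay.example.net; s=sel; b=AAA=
ARC-Message-Signature: i=2; a=rsa-sha256; d=relay.example.net; s=sel; h=from:to; bh=BBB=; b=CCC=
ARC-Authentication-Results: i=2; relay.example.net; spf=pass; dkim=pass
ARC-Seal: i=1; a=rsa-sha256; cv=none; d=origin.example.org; s=sel; b=DDD=
ARC-Message-Signature: i=1; a=rsa-sha256; d=origin.example.org; s=sel; h=from:to; bh=EEE=; b=FFF=
ARC-Authentication-Results: i=1; origin.example.org; spf=pass
From: sender@example.org
To: user@example.com
Subject: test

body
"""

# Constructed sample 2: plaintext SMTP, and the second ARC seal reports a broken chain.
BROKEN_MSG = """\
Received: from mail.example.net (mail.example.net [203.0.113.10])
    by mx.example.com with ESMTP id def456
    for <user@example.com>; Mon, 03 Aug 2020 10:05:00 +0000
ARC-Seal: i=2; a=rsa-sha256; cv=fail; d=relay.example.net; s=sel; b=AAA=
ARC-Message-Signature: i=2; a=rsa-sha256; d=relay.example.net; s=sel; h=from:to; bh=BBB=; b=CCC=
ARC-Authentication-Results: i=2; relay.example.net; spf=fail
ARC-Seal: i=1; a=rsa-sha256; cv=none; d=origin.example.org; s=sel; b=DDD=
ARC-Message-Signature: i=1; a=rsa-sha256; d=origin.example.org; s=sel; h=from:to; bh=EEE=; b=FFF=
ARC-Authentication-Results: i=1; origin.example.org; spf=pass
From: sender@example.org
To: user@example.com
Subject: test

body
"""


def parse_tags(value: str) -> dict:
    """Parse a 'k=v; k2=v2' tag list as used by ARC and DKIM headers.
    Bare tokens without '=' (e.g. the authserv-id in ARC-Authentication-Results) are skipped."""
    tags = {}
    for part in value.split(";"):
        if "=" in part:
            key, val = part.split("=", 1)
            tags[key.strip()] = val.strip()
    return tags


def last_hop_used_tls(msg: Message) -> bool:
    """True if the topmost (most recent) Received header records an encrypted session.
    Assumption: the receiving MTA writes the RFC 3848 'with ESMTPS'/'ESMTPSA' keywords."""
    received = msg.get_all("Received") or []
    if not received:
        return False
    top = " ".join(received[0].split())  # unfold the header
    return re.search(r"\bwith\s+(ESMTPS|ESMTPSA|UTF8SMTPS|UTF8SMTPSA)\b", top, re.I) is not None


def check_arc_chain(msg: Message) -> dict:
    """Check that ARC sets i=1..n are complete and carry the expected cv= values."""
    sets = {}  # instance number -> {header name -> tags}
    for name in ARC_HEADERS:
        for value in msg.get_all(name) or []:
            tags = parse_tags(" ".join(value.split()))
            try:
                inst = int(tags.get("i", ""))
            except ValueError:
                return {"present": True, "valid": False, "reason": f"{name} without numeric i= tag"}
            sets.setdefault(inst, {})[name] = tags
    if not sets:
        return {"present": False, "valid": True, "reason": "no ARC headers"}
    n = max(sets)
    if n > ARC_MAX_SETS:
        return {"present": True, "valid": False, "reason": f"{n} ARC sets exceed the limit of {ARC_MAX_SETS}"}
    for inst in range(1, n + 1):
        current = sets.get(inst)
        if current is None or set(current) != set(ARC_HEADERS):
            return {"present": True, "valid": False, "reason": f"ARC set i={inst} incomplete or missing"}
        cv = current["ARC-Seal"].get("cv")
        expected = "none" if inst == 1 else "pass"
        if cv != expected:
            return {"present": True, "valid": False,
                    "reason": f"ARC-Seal i={inst} has cv={cv}, expected {expected}"}
    return {"present": True, "valid": True, "reason": f"chain of {n} well-formed ARC set(s)"}


def classify(raw: str) -> dict:
    """Combine both checks into the verdict a gateway policy would act on."""
    msg = message_from_string(raw)
    arc = check_arc_chain(msg)
    return {"tls": last_hop_used_tls(msg), "arc_present": arc["present"],
            "arc_valid": arc["valid"], "arc_reason": arc["reason"]}


if __name__ == "__main__":
    for label, sample in (("good", GOOD_MSG), ("broken", BROKEN_MSG)):
        print(label, classify(sample))
```

In a real gateway the verdict would feed a policy action (insert a header, quarantine, or reject), and a production check would also verify the ARC-Seal and ARC-Message-Signature values against the signers' DNS keys before trusting the ARC-Authentication-Results.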
The email gateways then use a static SMTP route to hand the messages off to our Office 365 tenant for further processing and end-user distribution.
In the introduction I mentioned best of breed, so let me add a few more spices here. Every email delivered to Office 365 is, once received, journaled to Agari Advanced Threat Protection (ATP), or, in Cisco's naming, Agari APP.
Agari APP uses different reputation sources, policies and filters to further classify messages and to take immediate action where enforcement is configured. This action is usually so fast that any suspicious or subsequently identified message is removed from the O365 end-user mailboxes before a user notices its presence.
In addition, we tuned the Office 365 built-in security features (anti-spam, ATP, malware protection) to fit our overall architecture.
To summarize, our current inbound email flow is the following:
- Level 1: SMTP inspection on the boundary next-generation firewalls (antivirus and external threat feed patterns)
- Level 2: Cisco ESA IronPort gateways with the built-in engines plus our custom content and message filters
- Delivery via static SMTP route into the Office 365 tenant, with its own anti-spam, ATP and malware protection
- Post-delivery journaling to Agari APP, which removes messages it classifies as malicious from end-user mailboxes
So, that is all looking good; what is left to improve?
Our open items list as of August 2020:
- TLS/SSL session decryption on the boundary firewall for further threat inspection, e.g. of URLs
- End-to-end availability and service effectiveness dashboard using Splunk
- Integration of the ESA IronPort spam quarantine features into O365 Junk and Quarantine
- Further improvement of mandated message classifications, custom disclaimers and headers
- Better integration of ESA features with O365 email security to avoid false positives