Have an account?

  •   Personalized content
  •   Your products and support

Need an account?

Create an account

Improving Security with Automated Email Analysis

Published: July 2018

Email is the largest infection vector for transmitting malware. Cisco can receive thousands of malicious messages in a day, making it difficult for our security analysts to manually review specific messages quickly enough to detect and stop threats.

It’s vital for any information security team to have an effective solution for detecting and mitigating threats that arrive via email. Our Computer Security Incident Response Team (CSIRT) uses the Cisco® Email Security Appliance (ESA) to automate much of the effort for analyzing messages. This automation gives us significant reductions in remediation costs, saves the high-value time of our security analysts, and strengthens our overall cyber protection measures.

Automating Threat Detection and Blocking

To monitor and respond to cybersecurity threats, the CSIRT team operates 24/7 in multiple security centers around the world. Security analysts continually monitor email patterns and alerts generated automatically by our systems and can launch immediate response and remediation steps when they detect an active threat. Later, the analyst reviews the incident to identify how we can improve our detection and response capabilities.

Previously, much of this analysis was performed manually by an analyst. We had only limited capabilities to automatically detect and analyze malware sent by email. “Some users open and respond to their emails quickly, so identifying malicious messages within minutes can make a difference for blocking a threat,” says Caitlin Gravel, CSIRT analyst.

Today, the Cisco ESA uses a multidimensional approach to inspect all incoming email messages as they arrive on the corporate network:

  • Verifying the sender and reputation of the sending domain
  • Reviewing a new message against the experience of similar, previously received messages
  • Checking for known malicious hashes, embedded web links, and attachments

The appliance also performs automated file-reputation scanning and malware analysis by using Cisco technologies such as advanced malware protection (AMP) and Cisco ThreatGrid® as well as integrations with intelligence from our Cisco Talos™ research team and external sources.

When Cisco ESA detects a threat within a particular email message, it drops or quarantines that message from delivery. “A problem message many get through some of these checks, but it only needs to fail one of them to be dropped by Cisco ESA,” says Robert Semans, CSIRT investigator. The rate of dropped messages varies over time, reflecting changes in the level of threat activity, such as seasonality.

Reducing Response Time and Remediation Costs

Because the Cisco ESA solution drops many messages that contain threats, we have improved our metrics for both response time and remediation cost.

We are now able to respond much faster to email threats: Cisco ESA has helped us reduce the time to detect threats by nearly two-thirds, from 60 hours to 23 hours. More importantly, our time to contain threats has dropped dramatically, from 368 hours to 2.5 hours on average.

Faster detection and containment of malicious emails also significantly reduces our overall cost for remediating threats that do make it through our defenses. For example, we estimate savings of $1.3 million per month for costs of remediating viruses and other malware activated when a user clicks on a phishing email.

Saving Analyst Time, Improving Protection Measures

“I don’t always have time to take a deep look into issues that may or may not be an actual threat,” says Gravel. “But the ESA helps to overcome the limits on my time by catching threats early and automatically.”

Cisco security analysts indicate they save approximately 10 percent of their time due to the increased threat awareness and blocking capabilities of Cisco ESA. For example, when a phishing email is sent to multiple Cisco email addresses, the ESA can block it once, which reduces the time required for CSIRT to alert users and Cisco IT teams to resolve any associated problems.

“We can use the time saved to focus on advanced actors who are trying to steal Cisco intellectual property such as design plans, trade secrets, and supply chain information,” says Semans. “These threats require more investigation because they may send only a small number of messages and send them very infrequently in order to escape detection.”

The time freed from routine analysis also allows CSIRT team members to:

  • Perform in-depth research into specific types or sources of threats
  • Improve communications within the team about current threats and strategies for response and remediation
  • Recognize and adapt to emerging changes in the threat landscape
  • Educate users about the importance of good email security practices

“Email security will remain a high priority for CSIRT and we are constantly looking for ways to improve our protections,” says Gravel. “We will continue to enhance security monitoring capabilities with automation, stricter rules sets, and our relationship with the Cisco IT teams that are responsible for email infrastructure.”

For more information