The Cisco Web and Email Content Security products can provide telemetry data back to Cisco and Talos to increase the efficacy of web categorization in the Web Security Appliance (WSA) and connecting IP reputation for the Email Security Appliance (ESA).
The telemetry data is provided for the WSA and ESA on an 'opt-in' basis.
The data is transmitted via binary encoded SSL encrypted packets. The attachments provided below will provide insight into the data, specific formatting and descriptions for the data that is being transmitted. WebBase Network Participation (WBNP) and SenderBase Network Participation (SBNP) data is not viewable in a direct log or file format. This data is transmitted in encrypted form. At no time is this data 'at rest'.
WSA - WebBase Network Participation
Cisco recognizes the importance of maintaining your privacy, and does not collect or use personal or confidential information such as usernames and passphrases. Additionally, the file names and URL attributes that follow the hostname are obfuscated to ensure confidentiality.
When it comes to decrypted HTTPS transactions, the SensorBase Network only receives the IP address, web reputation score, and URL category of the server name in the certificate.
For complete information, please review the WSA User Guide for the version of AsyncOS for Web Security currently running on your appliance. Please see "The Cisco SensorBase Network" in the User Guide.
ESA - SenderBase Network Participation
Customers participating in the SenderBase Network allow Cisco to collect aggregated email traffic statistics about their organization, increasing the utility of the service for all who use it. Participation is voluntary. Cisco only collects summary data on message attributes and information about how different types of messages were handled by Cisco appliances. For example, Cisco does not collect the message body or the message subject. Personally identifiable information and information that identifies your organization is kept confidential.
For complete information, please review the ESA User Guidefor the version of AsyncOS for ESA Security currently running on your appliance. Please see the "SenderBase Network Participation" chapter in the User Guide.
General Security Concerns FAQ
Where is the data collected stored?
Appliance telemetry is stored in Cisco US-based data centers.
Who has access to the data collected and stored?
Access is limited to Cisco SBG personnel who analyze/use the data to create actionable intelligence.
What is the retention time of the data collected?
There is no data retention/expiration policy regarding appliance telemetry. Data may be kept indefinitely or may be deleted for various reasons including but not limited to down-sampling/aggregation, storage management, age, relevance to current/future threats, etc.
Are customer serial number(s) or public IP address(es) stored in the Talos categorization database?
No, only URL and categories are retained. The WBNP packet does not contain source IP information.
Below details operation, the type of data (by description), and a sample data to demonstrate the information that would be transmitted:
SBNP - Specific data types (fields) and sample data related to Email Security
WBNP - Specific data types (fields) and sample data related to Web Security
Threat Detection Operation - General overview of Threat Detection from a operational perspective
SenderBase (Email) Network Participation
Statistics shared per Emailappliance
Data from 8 AM to 8:05 AM on July 1, 2005
Software Version Numbers
MGA Version 4.7.0
Rule Set Version Numbers
Anti-Spam Rule Set 102
Anti-virus Update Interval
Updates every 10 minutes
Quarantine Message Count
50 messages currently in quarantine
Virus Score Threshold
Send messages to quarantine at threat level 3 or higher
Sum of Virus Scores for messages entering quarantine
Count of messages entering quarantine
30 (yields average score of 4)
Maximum quarantine time
Count of Outbreak quarantine messages broken down by why they entered and exited quarantine, correlated with Anti-Virus result
50 entering quarantine due to .exe rule 30 leaving quarantine due to manual release, and all 30 were virus positive
Count of Outbreak quarantine messages broken down by what action was taken upon leaving quarantine
10 messages had attachments stripped after leaving quarantine
Sum of time messages were held in quarantine
Statistics shared per IP address
Message count at various stages within the appliance
Seen by Anti-Virus engine: 100 Seen by Anti-Spam engine: 80
Sum of Anti-Spam and Anti-Virus scores and verdicts
2,000 (sum of anti-spam scores for all messages seen)
Number of messages hitting different Anti-Spam and Anti-Virus rule combinations
100 messages hit rules A and B 50 messages hit rule A only
Number of Connections
20 SMTP Connections
Number of Total and Invalid Recipients
50 total recipients 10 invalid recipients
Hashed Filename(s): (a)
A file <one-way-hash>.pif was found inside an archive attachment called <one-way-hash>.zip.
Obfuscated Filename(s): (b)
A file aaaaaaa0.aaa.pif was found inside a file aaaaaaa.zip.
Number of messages by different Anti-Spam and Anti-Virus verdicts
500 spam, 300 ham
Count of Messages in Size Ranges
125 in 30K-35K range
Count of different extension types
300 “.exe” attachments
Correlation of attachment types, true file type, and container type
100 attachments that have a “.doc” extension but are actually “.exe” 50 attachments are “.exe” extensions within a zip
Correlation of extension and true file type with attachment size
30 attachments were “.exe” within the 50-55K range
Number of messages by Stochastic Sampling results
14 messages skipped sampling 25 messages queued for sampling 50 messages scanned from sampling
Number of messages that have failed DMARC verification
34 messages have failed DMARC verification
(a) Filenames will be encoded in a 1-way hash (MD5).
(b) Filenames will be sent in an obfuscated form, with all lowercase ASCII letters ([a-z]) replaced with “a,” all uppercase ASCII letters ([A-Z]) replaced with “A,” any multi-byte UTF-8 characters replaced with “x” (to provide privacy for other character sets), all ASCII digits ([0-9]) replaced.
(c) URL hostnames point to a web server providing content, much as an IP address does. No confidential information, such as usernames and passwords, are included.
(d) URL information following the hostname is obfuscated to ensure that any personal information of the user is not revealed.