Integrating the Cisco Secure Email Gateway with Cisco Secure Awareness Cloud Service

The Cisco Secure Awareness cloud service allows you to effectively deploy phishing simulations, awareness training, or both to measure and report results. It empowers the security operations team to focus on real-time threats and not end-user mitigation.

The Cisco Secure Awareness cloud service provides reports of Repeat Clickers - users who repeatedly click on any URL or attachment sent through emails. These users are identified via a phishing simulation campaign defined by the Cisco Secure Awareness cloud service.

The ability to integrate your email gateway with the Cisco Secure Awareness cloud service helps an organization to:

• Improve user awareness towards real-world phishing attacks.

• Allow email administrators to configure stringent policies for set of users identified as “Repeat Clickers” by the Cisco Secure Awareness cloud service.

For more information, see Integrating Email Gateway with Cisco Secure Awareness Cloud Service.

Improved Phishing Detection in Email Gateway

The following are the enhancements made to improve phishing detection in your email gateway:

• Sender Domain Reputation Filtering Enhancement

• Default Scanning of URLs in Message Attachments

Sender Domain Reputation Filtering Enhancement: You can configure your email gateway to block messages based on the SDR (Sender Domain Reputation) verdict at the SMTP conversation level.

You can enable or disable SDR verification using the Mail Flow Policy configuration settings.

Default Scanning of URLs in Message Attachments: By default, the email gateway scans URLs in message attachments for any malicious content early in the email pipeline (before the Anti-Spam engine).

For more information, see Sender Domain Reputation Filtering and Defining Which Hosts Are Allowed to Connect Using the Host Access Table.

Scanning Password-Protected Attachments in Messages

You can configure the Content Scanner in your email gateway to scan the contents of password-protected attachments in incoming or outgoing messages.

The ability to scan password-protected message attachments in the email gateway helps an organization to:

• Detect phishing campaigns that use malware as attachments in messages with password-protection to target limited cyber-attacks.

• Analyze messages that contain password-protected attachments for malicious activity and data privacy.

The following languages are supported for this feature - English, Italian, Portuguese, Spanish, German, and French.

For more information, see Using Message Filters to Enforce Email Policies.

Simple Network Management Protocol (SNMP) Enhancementss

The following are the enhancements made to the SNMP configuration settings:

• Added new SNMP MIBs for additional monitoring.

• Support for SNMPv3 traps:

  • SNMPv3 supports all the three security levels – noAuthNoPriv, authNoPriv and authPriv.

  • When both SNMPv3 and SNMPv2 are enabled, you need to select the required version for traps.

  • A new option is added under snmpconfig CLI command to select the trap version when both SNMPv2 and SNMPv3 are enabled.

For more information, see Managing and Monitoring Using the CLI .

New Report for mail policy details

A new report – Mail Policy Details is added in the new web interface of your email gateway. Use this report to view the number of messages that match a configured mail policy.

For more information, see Using Email Security Monitor.

New Message Tracking Filter for mail policy details

A new message tracking filter -Mail Policy is added in the Message Tracking > Advanced Search > Message Event option in the new web interface of your email gateway. Use this option to search for incoming or outgoing messages that match the configured mail policy name entered in the ‘Mail Policy Name’ field.

Enhanced Overview and Incoming Mail reporting pages

The following are the enhancements made to the Overview and Incoming Mail reporting pages in the legacy web interface of your email gateway:

Overview report page:

• Added new message category – Stopped by Domain Reputation Filtering in the Incoming Mail Summary section.

• Changed Stopped by Reputation Filtering message category name to Stopped by IP Reputation Filtering in the Incoming Mail Summary section.

Incoming Mail report page:

• Added new column – Stopped by Domain Reputation Filtering in the Incoming Mail Details section.

• Changed Stopped by Reputation Filtering column name to Stopped by IP Reputation Filtering in the Incoming Mail Details section.

For more information, see Using Email Security Monitor.

The following are the enhancements made to the Mail Flow Summary and Mail Flow Details reporting pages in the new web interface of your email gateway:

Mail Flow Summary report page:

• Added new category – Stopped by Domain Reputation Filtering in the Threat Messages graph section.

• Changed Stopped by Reputation Filtering category name to Stopped by IP Reputation Filtering in the Threat Messages graph section.

• Added new column – Stopped by Domain Reputation Filtering in the Threat Detection Summary section.

• Changed Stopped by Reputation Filtering column name to Stopped by IP Reputation Filtering in the Threat Detection Summary section.

Mail Flow Details report page:

• Added new column – Stopped by Domain Reputation Filtering in the Incoming Mails section for IP Addresses, Domains, and Network Owners.

• Changed Stopped by Reputation Filtering column name to Stopped by IP Reputation Filtering in the Incoming Mails section for IP Addresses, Domains, and Network Owners.

Support for Internationalized Domain Name (IDN)

Cisco Secure Email Gateway can now receive and deliver messages with email addresses that contain IDN domains.

Currently, your email gateway provides support of IDN domains for the following languages only:

• Indian Regional Languages: Hindi, Tamil, Telugu, Kannada, Marati, Punjabi, Malayalam, Bengali, Gujarati, Urdu, Assamese, Nepali, Bangla, Bodo, Dogri, Kashmiri, Konkani, Maithili, Manipuri, Oriya, Sanskrit, Santali, Sindhi, and Tulu.

• European and Asian Languages: French, Russian, Japanese, German, Ukrainian, Korean, Spanish, Italian, Chinese, Dutch, Thai, Arabic, and Kazakh.

For more information, see System Administration.

Security Enhancements

AsyncOS 14.0 includes the following security enhancements:

• The email gateway now sends the Cisco Technical Support requests over TLS. If your SMTP server is not using TLS, the requests are sent as plain text.

• You can now configure your email gateway to send alerts over TLS. Use the following subcommand in the CLI to configure this functionality:

  alertconfig > SETUP > Do you want to enable TLS support to send alert messages?.

For more information, see the CLI Reference Guide associated with this release.

New Remediation Report Status Widget

A new widget - ’Remediation Report Status’ is added when you search and remediate messages in the Message Tracking page of the new web interface of your email gateway.

Use this widget to check the status of the Remediation Report generation. For more information, see Remediating Messages in Mailboxes

Support for New Content Matching Classifiers - National Identification Numbers for Southeast Asian countries

You can create a DLP policy using any one of the following new content matching classifiers - National Identification Numbers for Southeast Asian countries:

• Indonesia KTP

• Malaysia MyKad

• Thailand ID

• Philippines UMID

• Singapore NRIC

You can select the new content matching classifiers in the following pages of the web interface in your email gateway:

• Go to Mail Policies > DLP Policy Manager > Add Custom Policy page > Predefined Custom Classifiers > Policy Matching Details option.

• Go to Mail Policies > DLP Policy Manager > Add Custom Policy page > Create Custom Classifier > Entity rule option.

• Go to Mail Policies > DLP Policy Manager >Add DLP Policy page > Privacy Protection template option.

• Go to Mail Policies > DLP Policy Customizations > Add Custom Classifier page > Entity rule option.

Bias-Free Terminology Usage in Product and Related Documentation

We have removed the bias terms in the product and related documentation.

The following are the list of bias terms replaced with the new bias-free terms:

• whitelist' term replaced with 'allowed list' term

• blacklist' term replaced with 'blocked list' term

• master' term replaced with 'primary' term

• slave' term replaced with 'secondary' term

• blackhole' term replaced with 'sink hole' term

Rebranded Product and Related Documentation

AMP Upstream Proxy Settings for File Analysis

You can now configure an upstream proxy for file analysis.

For more information, see File Reputation Filtering and File Analysis

Performing Remedial Actions on Messages in Cisco SecureX Threat Response

In Cisco SecureX Threat Response, you can now investigate and apply the following remedial actions on messages processed by your email gateway:

• Delete

• Forward

• Forward and Delete

For more information, see Integrating with Cisco SecureX Threat Response

Content Filter - Attachment File Info condition and Strip by Attachment File Info action Enhancements

A new option - File Hash List is added in the Content Filters - “Attachment File Info” condition and “Strip by Attachment File Info” action.

Use this option to configure a content filter to take action on message attachments that match a specific file SHA-256 value in the selected file hash list.

For more information, see Content Filters and Using Message Filters to Enforce Email Policies.

Smart Software Licensing Enhancements

AsyncOS 14.0 includes the following smart software licensing enhancements:

• In a clustered configuration, you can now enable smart software licensing and register all the machines simultaneously with the Cisco Smart Software Manager.

• After you enabled smart software licensing and registered your email gateway with the Cisco Smart Software Manager, the Cisco Cloud Services portal is automatically enabled and registered on your email gateway.

• If the Cisco Cloud Services certificate is expired, you can now download a new certificate from the Cisco Talos Intelligence Services portal using the cloudserviceconfig > fetchcertificate sub command in the CLI.

• You can view details of the smart account created in the Cisco Smart Software Manager portal using the smartaccountinfo command in the CLI.

For more information, see System Administration and Integrating with Cisco SecureX Threat Response.

No Support for Sender Domain Age functionality post AsyncOS 14.0 Release

There will be no support for the Sender Domain Age functionality post the AsyncOS 14.0 release. The Sender Domain Age functionality will be replaced with the Sender Maturity feature.

Sender Maturity represents the Cisco Talos view of how mature a domain is as an email sender. The maturity value is tuned to enable threat detection regarding emails and generally does not reflect the domain age represented in “Whois-based domain age.” Sender Maturity is set to a limit of 90 days, and beyond this limit, a domain is considered mature as an email sender, and no further details is provided.

Sender Maturity is used to calculate the sender reputation. Immature domains are assigned lower reputation. Cisco Talos recommends you rely on sender reputation only for determining policy actions. Sender Maturity is exposed to fine-tune filters for specific, non-standard scenarios.

Alert or Notification Banner for End-of-Life (EOL) or End-of-Service (EOS) AsyncOS Version or Hardware Model

You will now receive an alert or notification banner message on your email gateway web interface or CLI, if your email gateway is running on an End-of-Life (EOL) or End-of-Service (EOS) AsyncOS version or hardware model.

Office 365 or Hybrid (Graph API) Remediation Account Profile Configuration Enhancement

You can now validate the client credentials for the Office 365 or Hybrid (Graph API) remediation account profile using the Client Secret value of the application generated on the Azure Management Portal.

For more information, see Remediating Messages in Mailboxes

Virtual Email Gateway Support for Amazon Web Services (AWS)

You can deploy Cisco Secure Email Virtual Gateway on Amazon Elastic Compute Cloud (EC2) on Amazon Web Services (AWS).

Contact your Cisco sales representative with your AWS account details (username and region) to provision an AMI image.

Consolidated Event Logs Enhancement

Following are the enhancements made to the 'Consolidated Event Logs' log type:

• A new log field - Message Size is added in the Consolidated Event Logs log type to view the message size in the single log line output.

• You can now view the size of the attachment in the message in a single log line output

  Steps:

  1. Select the 'File(s) Details' log field when configuring the log subscription for the Consolidated Event Logs.

  2. Configure a message filter rule as follows :

     Custom_ Log_Entry: if (true) { log-entry("$filesizes"); }

     OR

     Configure the Add Log Entry content filter action by adding the customized text as ‘$filesizes.'

Support for Cloud Connector Logging

The email gateway now supports a new type of log subscription - Cloud Connector Logs. Use this log subscription to view information about Web Interaction Tracking data from Cisco Aggregator Server. Most of the information is present at the Info or Warning Level

Enhancement for Request Retry Method of File Reputation Service

You can now set the reputation query timeout value within the range of 20–30 seconds while configuring the file reputation and analysis services (Security Services > File Reputation and Analysis). The default value is 20, which is the minimum value.

During the configured query timeout, the email gateway sends the file reputation queries to the AMP server. If the email gateway fails to receive response from the AMP server, it retries by sending the query again to the AMP server. The query timeout includes the time taken for the first query request and the retry request.

The retry method enables the email gateway to receive responses when there are network latencies, issues related to the AMP server, and so on.

New Cisco Talos Email Status Portal

The Cisco Talos Email Status Portal replaces the legacy Cisco Email Submission and Tracking Portal.

The Cisco Talos Email Status Portal is a web-based tool for monitoring the status of email submissions from end-users.

Authentication Logs Enhancement

You can now view the user privilege role details (for example, ‘admin,’, ‘operator,’ and so on) of the logged-in user in the authentication logs.

New Passphrase Rule for defining login passphrases

A new passphrase rule is added in your email gateway to define your login passphrase:

Avoid usage of passphrases that contain three or more repetitive or sequential characters, (for example, ‘AAA@124,’ ‘Abc@123,’ and so on.)

You can configure this passphrase rule in any one of the following ways:

• System > Administration > Users > Local User Account & Passphrase Settings > Reject three or more repetitive or sequential characters in passphrases check box in the web interface.

• userconfig > POLICY > PASSWORDSTRENGTH > Reject passphrases that contain three or more repetitive or sequential characters? [Y]> command in the CLI

Creating system-generated passphrases

In addition to creating a login passphrase manually, you can now also create a system-generated passphrase to log in to your email gateway.

You can configure the system-generated passphrase in any one of the following ways:

• Options > Change Passphrase page in the web interface.

• System Administration > System Setup Wizard page in the web interface.

• System Administration > Users > Add Local User page in the web interface.

• passphrase or passwd commands in the CLI

For more information, see Setup and Installation.

Performing FQDN Validation for Certificates

You can configure your email gateway to perform FQDN validation for certificates in the following scenarios:

• Importing a custom certificate.

• Creating a self-signed S/MIME certificate.

• Creating a self-signed certificate.

• Importing a custom Certificate Authority (CA) list.

For more information, see S/MIME Security Services and Encrypting Communication with Other MTAs.

Performing FQDN Validation for Peer Certificate during SSL Communication

You can configure your email gateway to perform FQDN validation for peer certificate in System Administration > SSL Configuration page in the web interface.

The FQDN validation is applicable for the following services:

• Outbound SMTP

• LDAP

• Updater

• Alert over TLS

For more information, see System Administration.

Performing x509 Validation for Peer Certificate during SSL Communication

You can configure your email gateway to perform x509 validation for peer certificate in System Administration > SSL Configuration page in the web interface.

The x509 validation is applicable for the following services:

• Outbound SMTP

• LDAP

• Updater

• Alert over TLS

For more information, see System Administration.

Configuring Email Gateway to consume SecureX Threat Response Feeds

You can configure your email gateway to consume threat feeds from the Cisco SecureX Threat Response portal.

The Cisco SecureX Threat Response portal allows you to create custom feeds for the continuous gathering of observables and to consume them in your email gateway using the feed URL. A feed is a simple list of observables in JSON format. The feeds are created and managed in the Intelligence > Feeds page in the SecureX Threat Response portal.

For more information, see Configuring Email Gateway to Consume External Threat Feeds.

Landing Page

Reports Drop-down

My Reports Page

Mail Flow Summary Page

The Mail Flow Summary page includes trend graphs and summary tables for incoming and outgoing messages.

The Incoming Mail includes graphs and summary tables for the incoming and outgoing messages.

Advanced Malware Protection Report Pages

The following sections are available on the Advanced Malware Protection report page of the Reports menu:

• Summary

• AMP File Reputation

• File Analysis

• File Retrospection

• Mailbox Auto Remediation

The email gateway has the following Advanced Malware Protection report pages under Montior menu:

• Advanced Malware Protection

• AMP File Analysis

• AMP Verdict Updates

• Mailbox Auto Remediation

Outbreak Filters Page

The Past Year Virus Outbreaks and Past Year Virus Outbreak Summary are not available in the Outbreak Filtering report page of the new web interface.

The Monitor > Outbreak Filters page displays the Past Year Virus Outbreaks and Past Year Virus Outbreak Summary.

Spam Quarantines (Administrative and End Users)

Click Quarantine > Spam Quarantine > Search in the new web interface.

The end users can access the spam quarantine using the URL:

https://example.com:<https-api-port>/euq-login

where example.com is the appliance hostname and <https-api-port> is the AsyncOS API HTTPS port opened on the firewall.

You can view spam quarantine from the Monitor > Spam Quarantine menu.

Policy, Virus and Outbreak Quarantines

Click Quarantine > Other Quarantine in the new web interface.

You can only view Policy, Virus and Outbreak Quarantines in the new web interface.

You can view, configure and modify the Policy, Virus and Outbreak Quarantines on the email gateway using the Monitor > Policy, Virus and Outbreak Quarantines.

Select All Action for Messages in Quarantine

You can select multiple (or all) messages and perform a message action such as delete, delay, release, move, etc.

You cannot select multiple messages to perform a message action.

Maximum Download Limit for Attachments

The maximum limit for downloading attachments of a quarantined message is restricted to 25 MB.

-

Rejected Connections

To search for rejected connections, click Tracking > Search > Rejected Connection tab on the .

-

Query Settings

The Query Settings field of the Message Tracking feature is not available on the .

You can set the query timeout in the Query Settings field of the Message Tracking feature.

Message Tracking Data Availability

Click the gear icon on the upper right side of the page the web interface to access Message Tracking Data Availability page.

You can view the missing-data intervals for your email gateway.

Show Additional Details of Messages

You can view additional details of a message such as Verdict Charts, Last State, Sender Groups, Sender IP, IP Reputation Score and Policy Match details.

-

Verdict Charts and Last State Verdicts

Verdict Chart displays information of the various possible verdicts triggered by each engine in your email gateway.

Last State of the message determines the final verdict triggered after all the possible verdicts of the engine.

Verdict Charts and Last State Verdicts of the messages are not available.

Message Attachments and Host Names in Message Details

Message attachments and host names are not displayed in the Message Details section of the message on the email gateway.

Message attachments and host names are displayed in the Message Details section of the message.

Sender Groups, Sender IP, IP Reputation Score and Policy Match in Message Details

Sender Groups, Sender IP, IP Reputation Score, and Policy Match details of the message is displayed in the Message Details section, on the email gateway.

Sender Groups, Sender IP, IP Reputation Score, and Policy Match of the message is not available in the Message Details section of the message.

Direction of the Message (Incoming or Outgoing)

Direction of the message (incoming or outgoing) is displayed in the message tracking results page, on the email gateway.

Direction of the message (incoming or outgoing) is not displayed in the message tracking results page.