Cisco Email Security: Layered

Protection from Blended Threats

Benefits Email is the number one threat vector for cyberattacks,

• Faster, more according to the 2015 Cisco Annual Security Report. The
comprehensive email
protection, often hours
Cisco® Email Security Appliance keeps your critical business
or days ahead of the email safe and helps eliminate data leakage.
competition
The Cisco Email Security portfolio―including the Cisco Email Security Appliance (ESA; see
• The largest network of Figure 1), Cisco Email Security Virtual Appliance (ESAV), and Cisco Cloud Email Security (CES)
threat intelligence with solutions―delivers inbound protection and outbound data control through advanced threat
Cisco Talos, built on intelligence and a layered approach to security. This approach comprises URL categorization
unmatched collective and reputation filtering, antispam and antivirus filters, Outbreak Filters, and Advanced Malware
security analytics Protection (AMP).
• Outbound message Figure 1. Cisco Email Security Appliance
protection through
on-device Data Loss
Prevention (DLP), email
encryption, and optional
integration with RSA’s
Enterprise DLP solution

• Lower total cost of

ownership with a
Threat-focused
small footprint, easy
implementation, and Advanced Threat Defense
automated administration Cisco Email Security is powered by Cisco Talos Security Intelligence and Research Group
that yield savings for (Talos), the industry’s largest collection of real-time threat intelligence, with the broadest visibility
the long term and largest footprint. Talos discovers where threats are hiding by pulling massive amounts of
global information across multiple attack vectors (see Figure 2). This information gathering
encompasses:
• 100 TB of security intelligence daily
• 1.6 million deployed security devices including firewall, intrusion prevention system (IPS), web,
and email appliances
• 150 million endpoints
• 13 billion web requests per day
• Hundreds of applications and 150,000 microapplications
• 35 percent of the world’s enterprise email traffic

© 2015 Cisco and/or its affiliates. All rights reserved. 1

 Talos delivers early-warning intelligence, threat and vulnerability analysis to help protect
organizations against zero-day advanced threats. It continually generates new rules that feed
updates every three to five minutes, so that Cisco Email Security can deliver industry-leading
threat defense hours and even days ahead of competitors.

Figure 2. Cisco Talos Security Intelligence and Research Group

Cisco Web Security Integration with Threat Intelligence

Built on unmatched collective security analytics

Threat
I00II I0I000 0110 00 I00I III0I III00II 0II00II I0I000 0110 00
Cisco®
I00I III0I III00II 0II00II I0I000 0110 00 Research
I00I III0I III00II 0II00II I0I000 0110 00 I00I III0I III00II 0II00II I00I
I III0I III00II 0II00II I0I000 0110 00 I00I III0I III00II 0II00II I0I000
Intelligence I00I III0I III00II 0II00II I0I000 0110 00 Talos I00I III0I III00II 0II00II I0I000 0110 00 Response

www • 180,000+ file samples per day

Email Endpoints Web Networks IPS Devices • FireAMP™ community
• Advanced Microsoft
1.6 million 35% and industry disclosures
global sensors worldwide email traffic
• Snort and ClamAV open
100 TB 13 billion source communities
of data received per day web requests
WSA • Honeypots
150 million+ 24x7x365 +
deployed endpoints operations • Sourcefire AEGIS™ program
600+ 40+ Advanced
• Private and public threat feeds
engineers, technicians, languages Malware
and researchers Protection
• Dynamic analysis

A Multilayered Defense to Tackle Multiple Threats

Integrated into the Cisco ESA is our Cisco Talos service, which provides a 24-hour view into
global traffic activity (see Figure 4). You can analyze anomalies, uncover new threats, and
monitor traffic trends. Automatic policy updates are pushed to network devices every three to
five minutes.

With Cisco ESA you can also:

• Stop phishing attempts and blended threats
• Satisfy requirements for highly secure messaging with dependable encryption
• Comply with industry and government data loss prevention regulations
• Defend against advanced threats and targeted attacks
• Set and enforce detailed email policies

Advanced Spam Defense

We make it easy to stop spam from reaching your inbox. A multilayered defense combines
an outer layer of filtering based on the reputation and validity of the sender and an inner layer
of filtering that performs a deep analysis of the message. We have 3 engine choices, one of
which is IMS that uses multiple anti-spam engines for the best possible catch rate. And recent
enhancements help defend against snowshoe campaigns using contextual analysis, enhanced
automation, and autoclassification (see Figure 3).

© 2015 Cisco and/or its affiliates. All rights reserved. 2

 Figure 3. Cisco ESA’s SPAM Protection

Anti-spam Defense in Depth

WHAT

WHO WHEN

Cisco Cisco
Talos Anti-Spam

Incoming mail Suspicious mail is

good, bad, and rate limited and WHERE HOW
unknown email spam filtered

• > 99% Catch Rate

• < 1 in 1 Million
False Positives

Known bad mail is blocked

before it enters the network
Choice of scanning engines to
suit every customer’s risk posture

Anti-virus
For multi-layer anti-virus protection, choose to deploy either Sophos or McAfee anti-virus
engines—or both. Run both antivirus engines in tandem to dual-scan messages for the most
comprehensive protection. Use the same license for inbound anti-spam and anti-virus scanning
to check your outbound messages, with intelligent multi-scanning providing the best possible
catch rate. Use all of these features for the visibility to identify needed remediation and keep your
company off of blacklists. Combine this with Outbreak Filters to help stop the threats before they
manifest themselves as an outbound flood of messages (i.e. zero-day outbreaks).

Figure 4. Cisco ESA’s Threat Protection

Antivirus Defense in Depth

Anti-Spam Engines
WHAT Antivirus Engines

WHO WHEN

Cisco
Anti-Spam

WHERE HOW

Complementary
Antivirus Engines

© 2015 Cisco and/or its affiliates. All rights reserved. 3

 Sandboxing and Continuous Analysis
Advanced Malware Protection (AMP) is an additionally licensed feature available to all Cisco ESA
customers. AMP is a comprehensive malware-defeating solution that provides malware detection
and blocking, continuous analysis, and retrospective alerting (see Figure 5). It takes advantage
of the vast cloud security intelligence networks of both Cisco and Sourcefire (now part of Cisco).
AMP augments the malware detection and blocking capabilities already offered in the Cisco
ESA with enhanced file reputation capabilities, detailed file-behavior reporting, continuous file
analysis, and retrospective verdict alerting. New: Customers now have the ability to sandbox PDF
and Microsoft Office files, and archive/compressed files in addition to EXE files supported in the
first AMP release.

Figure 5. Cisco Zero-Hour Virus and Malware Protection

Cisco Zero-Hour Virus and Malware Protection

Reputation
update
File File
Cisco® Dynamic Virus
Reputation Sandboxing Telos Filters
Quarantine

Known File Unknown files

Reputation are uploaded for Virus Outbreak Filters in Action
sandboxing

Advanced Malware Protection Outbreak Filters

Cloud Powered Zero-Hour Telemetry Based Zero-Hour

Malware Detection Virus and Malware Detection

Best Performance
DLP and Compliance
Data loss prevention and compliance are a key part of the Cisco Email Security technology. In
fact, your outbound data loss prevention filters are already onboard your Cisco Email Security
solution.

We partner with RSA, the leader in DLP technology, to provide integrated DLP functionality to
help ensure compliance with industry and government regulations worldwide and help prevent
confidential data from leaving your network.

Instead of Cisco reinventing all of these DLP libraries, we partner with a proven vendor and build
its compliance libraries and lexicons into all of our email security solutions (see Figure 6).

If you are looking to expand beyond email to protect sensitive data in other threat vectors such
as web, endpoints, data center, and so on, we offer direct integration with DLP Enterprise
Manager, the overarching management console for the RSA DLP Suite. With this integration,
RSA Enterprise Manager is your single pane of glass for setting common rules, policies, and
remediation measures across your organization, not just your email.

© 2015 Cisco and/or its affiliates. All rights reserved. 4

 Figure 6. Cisco ESA’s DLP Model

DLP and Compliance

Built-in Comprehensive DLP Solution with RSA: Accurate, Easy, and Extensible

Fast setup Accurate, Easy, and

Extensible

Low administrative overhead Data Loss Prevention

Comprehensive policy creation and modification

Exceptional accuracy Incidents Policies

Direct integration for enterprise wide DLP deployments

Encryption
Satisfy compliance requirements with secure messaging.

Meet encryption requirements for regulatory requirements such as PCI, HIPAA, SOX, and GLBA—
as well as state privacy regulations and European directives—without burdening the senders,
recipients, or email administrators. Offer encryption not as a mandate, but as a service that’s
easy to use.

Give the sender complete control of their content, even after it’s been sent. With Cisco’s email
encryption, senders don’t fear mistyped recipient addresses, mistakes in content, or time-
sensitive emails because the sender always has the option to lock the message.

Take advantage of the most advanced cloud-based encryption key service available today.
Manage recipient registration, authentication, and per-message/per-recipient encryption keys
with Cisco Registered Envelope Service.

Cisco Registered Envelope Service provides all user registration and authentication as a highly
available managed service. There’s no additional infrastructure to deploy. For enhanced security
and reduced risk, message content goes straight from your gateway to the recipient.

© 2015 Cisco and/or its affiliates. All rights reserved. 5

 Figure 7. Cisco Registered Envelope Service

Encyption Key is Stored in the Cloud

Email Sender Encyption Key Decrypted

Prepares an is Requested by Message is
Encrypted Message Recipient to Displayed
For the Recipient
Decrypt Message to Recipient
Recipient Gets
Encrypted Message

Continuous Innovation
Lower Total Cost of Ownership
The Cisco ESA delivers a consolidated solution in a single appliance, unlike other solutions
that often require additional devices for new features and functions. You spend less time
troubleshooting. You save time with automatic updates from Talos and stay tuned against the
latest threats without intervention. Lastly, you can use your existing VMware infrastructure in an
unlimited number of deployments of the Cisco Email Security Virtual Appliance (ESAV).

Flexible Deployments: On Premises, in the Cloud, Hybrid, and Virtual

The Cisco ESA has a flexible set of deployment options (see Figure 8). You can deploy it on
premises with an appliance or a clustered group of appliances, either hardware or virtual. You
can do multiple clusters if needed. You can have some in certain data centers and others in other
data centers for redundancy or for hot or cold standby.

And then we have a cloud approach and a hybrid approach. You can handle all your inbound and
outbound security in the cloud if you don’t want the appliance on premises or if you simply want
someone else to handle it. In the cloud you can have us make changes to policies. Or you can
have full access to the cloud to create the policy changes.

The hybrid approach has a similar co-management situation. You can clean the messages
coming into the cloud but do the control outbound on premises to stop those messages before
they leave your gateway or network border.

We offer these options with support across multiple devices, including desktops, mobile phones,
laptops, and tablets, and for Android, iOS, Mac, PC, and Linux.

© 2015 Cisco and/or its affiliates. All rights reserved. 6

 Figure 8. Cisco ESA Deployment Options

Flexible Deployment Options

Industry-Leading, Best-in-ClassEmail Protection at the Gateway

On Premises Cloud

Deployment
Options

Appliance Virtual Hybrid Hybrid Cloud Managed

Multidevice
Support
Desktop Mobile Laptop Tablet

Models and Options Available

Tables 1 and 2 provide performance and hardware specifications for the Cisco ESA. Table 3
provides specifications for the Cisco ESAV, and Table 4 describes the software components.

Table 1. Cisco ESA Performance Specifications

Deployment Model Disk Space RAID Mirroring Memory CPUs

Cisco ESA 1.8 TB 2x6

Large enterprise Yes (RAID 10) 32 GB
C680 (3 x 600 GB) (2 hexa cores)
Medium-sized Cisco ESA 1.2 TB 1x6
Yes (RAID 1) 16 GB
enterprise C380 (2 x 600 GB) (1 hexa core)
Small to midsize
Cisco ESA 500 GB 1x2
businesses or Yes (RAID 1) 4 GB
C170 (2 x 250 GB) (1 dual core)
branch offices

Note: For accurate sizing, verify your choice by checking the peak mail-flow rates and average
message size with a Cisco content security specialist.

Table 2. Cisco ESA Hardware Specifications

Model Cisco ESA C680 Cisco ESA C380 Cisco ESA C170

Rack units (RU) 2RU 2RU 1RU

© 2015 Cisco and/or its affiliates. All rights reserved. 7

 Model Cisco ESA C680 Cisco ESA C380 Cisco ESA C170

1.67 in. x 16.9 in. x

Dimensions 3.5 x 19 x 29 in. (8.9 x 3.5 x 19 x 29 in. (8.9 x
15.5 in. (4.24 x 42.9 x
(H x W x D) 48.3 x 73.7 cm.) 48.3 x 73.7 cm.)
39.4 cm)
DC power option Yes Yes No
Remote power
Yes Yes No
cycling
Redundant
Yes Yes No
power supply
Hot-swappable
Yes Yes Yes
hard disk
4 Gigabit network
Ethernet
interface cards (NICs), 4 Gigabit NICs, RJ 45 2 Gigabit NICs, RJ 45
interfaces
RJ 45
10/100/1000, 10/100/1000, 10/100/1000,
Speed (Mbps)
autonegotiate autonegotiate autonegotiate
10 Gigabit
Ethernet fiber Yes (accessory) NNo
option

Table 3. Cisco ESAVSpecifications

Email Users
Email users Model Disk Memory Cores

Evaluations only Cisco ESAV C000v 250 GB (10K RPM SAS) 4 GB 1 (2.7 GHz)

Small enterprise
Cisco ESAV C100v 250 GB (10K RPM SAS) 6 GB 2 (2.7 GHz)
(up to 1K)
Medium
enterprise Cisco ESAV C300v 1024 GB (10K RPM SAS) 8 GB 4 (2.7 GHz)
(up to 5K)
Large enterprise
or service Cisco ESAV C600v 2032 GB (10K RPM SAS) 8 GB 8 (2.7 GHz)
provider
Servers

Cisco UCS VMware ESXi 5.0, 5.1 and 5.5 Hypervisor

Table 4. Software Components

Bundles Description
The Cisco Email Security Inbound Essentials bundle delivers protection
Cisco Email Security
against email-based threats, including antispam, Sophos antivirus
Inbound Essentials
solution, virus Outbreak Filters, and clustering.
Cisco Email Security The Cisco Email Security Outbound Essentials bundle guards against
Outbound Essentials data loss with DLP compliance, email encryption, and clustering.

© 2015 Cisco and/or its affiliates. All rights reserved. 8

 The Cisco Email Security Premium bundle combines the inbound
Cisco Email Security and outbound protections included in the two Cisco Email Security
Premium Essentials licenses noted above, for protection against email-based
threats and essential data loss prevention.
A la Carte Offerings Description
Cisco Advanced Malware Protection (AMP) can be purchased à la
carte along with any Cisco Email Security software bundle. AMP is
a comprehensive malware-defeating solution that enables malware
detection and blocking, continuous analysis, and retrospective alerting.
Cisco Advanced
Malware Protection
AMP augments the antimalware detection and blocking capabilities
already offered in Cisco Email Security with file reputation scoring and
blocking, file sandboxing, and file retrospection for continuous analysis
of threats, even after they have traversed the email gateway.

Next Steps
Find out more at http://www.cisco.com/go/esa. Evaluate how the Cisco ESA will work for you
with a Cisco sales representative, channel partner, or systems engineer.

Americas Headquarters Asia Pacific Headquarters Europe Headquarters

Cisco Systems, Inc. Cisco Systems (USA) Pte. Ltd. Cisco Systems International BV Amsterdam,
San Jose, CA Singapore The Netherlands

Cisco has more than 200 offices worldwide. Addresses, phone numbers, and fax numbers are listed on the Cisco Website at www.cisco.com/go/offices.

Cisco and the Cisco logo are trademarks or registered trademarks of Cisco and/or its affiliates in the U.S. and other countries. To view a list of Cisco trademarks, go
to this URL: www.cisco.com/go/trademarks. Third party trademarks mentioned are the property of their respective owners. The use of the word partner does not imply
a partnership relationship between Cisco and any other company. (1110R) C02-733901-00 2/15

© 2015 Cisco and/or its affiliates. All rights reserved. 9