Cisco ESA and Umbrella integration

Pravar
Level 1

Hi

We have ESA C670 appliances with AMP and Cisco Umbrella. Would like to integrate the ESA with Cisco Umbrella in order to enhance the protection in all possible ways and utilize the service offerings from Umbrella.

Is there any guide/document or URL reference for such integration?

7 Replies

Umbrella is 2 things... DNS, and a cloud proxy... there isn't an email relay that I can see...

I guess you could point the ESA to look at Umbrella's DNS servers... but really, why?

The ESA's core is based on the Senderbase data, which ought to be more or less synced with the Umbrella data. 

The "data protection services" that Umbrella provided are all already on the ESA (AV, AMP, antispam, yada yada...)

I thought that Senderbase was purely for SMTP sending reputation, and that the URL database for WSA and AMP customers was something else?

We see a lot of malware spam using URL shorteners (bit.ly, tinyURL et al). I've followed some of these and have seen two or three hops through neutral web sites until a landing zone is reached.

There's also similar mail with links to booby-trapped documents in OneDrive, Dropbox et al.

In both of those scenarios, to what extent does a sandbox like AMP traverse these redirections?

Senderbase is SBRS and WBRS.  WBRS feeds the URL scoring for ESA.

AMP is separate.  File Reputation (AMP) and File Analysis (Threat Grid).  On the roadmap for AMP is the ability to take URL scoring into account, but currently AMP on ESA is not capable of scanning a document for a URL that takes end-user interaction in order to detonate a malicious URL.

URL filtering taking into account URL shortened links is also roadmap for ESA.

-Robert

Thanks for the info, Robert. Good to see you back on the forum again!

:)  Libin and Dennis do such a good job, I have lost my position!

Hi All,

Thanks for your responses. Umbrella Team had informed us that there is no integration available for any MTA including ESAs and it is not best practice.

Looking at an additional protection by leveraging the Cisco Umbrella by pointing the DNS from ESA as well as any other protection it can complement on ESA.
