
Cisco ETD (Email Threat Defense) query

xianfu
Cisco Employee

Hello All,

I have some questions about Cisco Email Threat Defense, thanks in advance!

1) If a customer has ESA already, do we need ETD as well? Or does it depend on the customer requirement? Per my understanding, a customer could deploy ESA only, or ETD only, or ESA + ETD. Is that correct?

2) I understand ETD does an OCR scan of the image. Are we able to scan from a random Gmail account with an image of a fake bill?

3) If a customer deploys both ESA & ETD, I guess the traffic flow should be

O365 > ESA > Local Exchange

O365 <> ETD   (O365 sends a journaling copy of the message to ETD; ETD analyzes any bad message and uses the API back to O365 for remediation)

Is that correct?

4) From ESA 15.0 I can see Security Services > Threat Defense Connector > enable. Is it the ETD connector? Will ESA send a copy of the message or only the message header?

5) What features are available on ETD? Does it also have Anti-Spam, Anti-Virus, AMP, Graymail, Content Filters, Outbreak Filters? Same as ETD?

thank you !

1. It depends upon the customer requirement. ETD is another license... but you can do any of the combos you mentioned.
2. Yes, I think that has been delivered.
3. Flow depends on how you have O365 configured... if you use Centralized Delivery you can deliver to the ESA first... and you might want to do that because there's a TON of just trash that the ESA will drop. That's why you'd keep an ESA in place to begin with.

Otherwise you're correct.

4. It sends the whole message.
5. It is NOT the same as ESA... it does much of the same job, but differently. I feel like it's got a different point of view.

ETD has a gateway mode coming which sort of means an ESA, or really Cloud ESA out front... though built as a cloud service instead of VMs. Some day.

Ken


Hello Ken,

Thank you very much for your quick reply!

1) Do we have a use case for the optical scanning of images? For example, could we only look for QR codes in the message body, jpgs, jpegs, pngs? Or could we look for a particular JPEG image and DLP block it?

2) Another question: if O365 or ESA sends a copy of all messages to ETD, from the customer's perspective, how could the customer protect email message privacy?

3) To configure O365 for Centralized Delivery, do you mean having ESA integrated with ETD, which needs SecureX/XDR integration for remediation? Not O365 integrated with ETD?

O365 > ESA > Local Exchange 

            ESA > ETD > XDR > ESA  (XDR for any bad message remediation)

thank you !

1. QR codes and checking the URL they point to is coming... I'm not sure what other image processing they're doing.
2. You have to trust Cisco... or use something that encrypts the contents for mail that hits that threshold.
3. No... when you use the Hybrid AAD connect tool there's an option for Centralized Delivery so that mail all goes on-prem and then out, and all mail comes inbound to your on-prem system and is then sent to O365. In that case you'd put your ESA (cloud or on-prem) in that flow to filter mail.

At the moment you still have to use XDR/SecureX to remediate on-prem mail marked as bad by ETD. XDR doesn't see the mail... it gets a note that a mail is bad and tells something to pull it.
Honestly I think it's an unacceptable solution.



Hi Ken,

thanks a lot for your reply !

Per your reply, ETD will also do Anti-Spam, Anti-Virus, AMP, Graymail, Content Filters, Outbreak Filters in a different way, maybe in a more advantageous way. Do you have any details about it?

For example, I know some Cisco products can do modeling and create a baseline, and so analyze any abnormal behavior. So in terms of ETD, will it do any modeling, like collecting sender email & receipt information to do modeling and create a baseline, then analyze any abnormal behavior?

Do you have any guide for it? Or if you cannot share it with me here, would you mind pinging me on Webex and sharing it with me there? My Cisco name is the same as my name here.

Thank you!

As far as modeling, baselines, etc., Cisco used to OEM Agari, and ETD is the replacement for those features, but I don't know how far along that is.

The ETD guide is here: https://www.cisco.com/c/en/us/td/docs/security/email-threat-defense/user-guide/secure-email-threat-defense-user-guide.html

Marwa Abdallah
Level 1

Does Cisco ETD integrate with the Vivantio ticketing system, and if so, please support with an official document to confirm?