08-02-2019 01:56 PM - edited 08-02-2019 04:03 PM
This post is directed to anyone that is using URL Reputation content filters to weed out emails that contain potentially malicious URLs. Setting up content filters on the ESA using WBRS scores is simple. However, the pain point in URL scanning is the URL reputation intelligence and the workflow to report false positives and URLs that show reputation noscore "No Score".
The directive from Cisco is that Talos is now the place to report URL reputation changes and category changes. (Props for finally getting rid of securityhub, it was painful to use). Here's the issue with Talos Reputation workflow for ESA administrators. The ESA is heavily customizable and designed for engineers that have a variety of needs to fulfill. This requires the ability to tune the ESA to meet the environment needs. ESA admins like to have control over their email security environment and know that the configuration they are applying is going to work as designed. When it comes to URL reputation intelligence... there seems to be some gray areas.
I'll explain...
The ESA uses WBRS for rating URLs with scoring system of -10 to +10. URLs that don't have a reputation are No Score. Talos displays URL reputation information in very simplistic terms. (POOR, NEUTRAL, GOOD). When creating a content filter and using the URL Reputation condition, the options are displayed using ANOTHER set of terminology.
Malicious (-10 to -6)
Neutral (-5.9 to 5.9)
Clean (6.0 to 10)
(Feature request; use the same terminology across your product lines... not doing so creates confusion)
The main issue is this: URLs within an email receive a WBRS score which is visible (once the URL reputation content filter is created and applied to a mail policy) in the message tracker URL Details tab. In many cases, one wonders why a particular URL received the WBRS rating that is reflected in the ESA logs. In some cases, when doing a URL lookup on the URL in Talos, the reputation doesn't seem to line up like you would think... so ESA admins start to question Talos.
Example:
https://researchondisability.org
ESA WBRS: "no score"
Talos shows Web Reputation for this URL as Neutral.
OK...
Another Example
ESA WBRS: -3.0
Talos Reputation: Neutral
The main thing to point out here is this... Why would a URL have a "no score" reputation on the ESA? How does someone request that the site be reviewed so that an actual score can be assigned?
In my correspondence with Talos on this topic, they will say something to the effect of... our scoring does not align with WBRS. If you don't like the WBRS score, you should modify your filter.
You can tell that Talos gets a lot of feedback about their simplistic reputation scores because they added a response to the FAQ section. https://talosintelligence.com/reputation_center/support#faq3
The question is... if Cisco is going to use Talos as their source of Intel... why wouldn't Talos provide the actual WBRS score that the ESA shows? There seems to be a disconnect here. I understand Talos is their own entity that provides intel for anyone that is looking. However, at a minimum, Talos should provide enhanced access to information for paying Cisco ESA customers. Filing reputation changes with Talos.
I am glad that Talos now provides a tracking portal for reputation changes. This is good. However, the responses I have received have been less than ideal especially when reporting phish's. Yes, I do understand that in many cases phishing sites go offline a few hours or days as they are taken down and by the time Talos looks at the site, it's down or the phish has been removed. One suggestion would be to offer a more aggressive SLA for paying Cisco customers. The response I get from Cisco on this is that if you need to report something quickly, open a TAC case. The issue with that is, you're asking the customers to use a different process to modify reputations. Why not use the Talos as this is the standard for reputation reporting?
Anyone else want to share their experience?
08-04-2019 05:46 AM
06-21-2021 10:54 PM - edited 06-21-2021 10:55 PM
Hello,
It seems the categories of Talos are now extended but there is still no good integration with their portal in my opinion. However from your post I understand that you do not have problem to see the WBRS score from URL scanning of ESA. Even with the WBRS score are you able to identify which url (body or attachement) triggered it?
In our case we have as per best practices Content filter for URL reputation but have trouble identifying what triggered the filter. Here are more details:
Our organization receives multiple emails with corporate signatures with the local company url. Very often these urls have poor reputation for some reason although the website is legitimate.
Every time we receive such email in the URL quarantine for the content filter which checks for Malicious WBRS we are wondering is it due to the URL in the signature or somewhere in the attachment. We do not see WBRS score in the email when it is opened from the quarantine or in the message tracking.
Do you have any custom filters or X-header to see this score each time?
Appreciate if you can advise.
Thanks
Discover and save your favorite ideas. Come back to expert answers, step-by-step guides, recent topics, and more.
New here? Get started with these tips. How to use Community New member guide