ESA URL Reputation & Talos | Reputation Change Workflow Feedback

This post is directed to anyone that is using URL Reputation content filters to weed out emails that contain potentially malicious URLs. Setting up content filters on the ESA using WBRS scores is simple. However, the pain point in URL scanning is the URL reputation intelligence and the workflow to report false positives and URLs that show a reputation of "No Score".


The directive from Cisco is that Talos is now the place to report URL reputation changes and category changes. (Props for finally getting rid of securityhub; it was painful to use.) Here's the issue with the Talos reputation workflow for ESA administrators. The ESA is heavily customizable and designed for engineers that have a variety of needs to fulfill. This requires the ability to tune the ESA to meet the environment's needs. ESA admins like to have control over their email security environment and know that the configuration they are applying is going to work as designed. When it comes to URL reputation intelligence... there seems to be some gray areas.

I'll explain...

The ESA uses WBRS for rating URLs with a scoring system of -10 to +10. URLs that don't have a reputation are "No Score". Talos displays URL reputation information in very simplistic terms (POOR, NEUTRAL, GOOD). When creating a content filter and using the URL Reputation condition, the options are displayed using ANOTHER set of terminology:

Malicious (-10 to -6)

Neutral (-5.9 to 5.9)

Clean (6.0 to 10)

(Feature request; use the same terminology across your product lines... not doing so creates confusion)


The main issue is this: URLs within an email receive a WBRS score which is visible (once the URL reputation content filter is created and applied to a mail policy) in the message tracker URL Details tab. In many cases, one wonders why a particular URL received the WBRS rating that is reflected in the ESA logs. In some cases, when doing a URL lookup on the URL in Talos, the reputation doesn't seem to line up like you would think... so ESA admins start to question Talos.

Example:

https://researchondisability.org

ESA WBRS: "no score"

Talos shows Web Reputation for this URL as Neutral.

OK...

Another Example

http://www.peteramayer.com/

ESA WBRS: -3.0

Talos Reputation: Neutral

The main thing to point out here is this... Why would a URL have a "no score" reputation on the ESA? How does someone request that the site be reviewed so that an actual score can be assigned?

In my correspondence with Talos on this topic, they will say something to the effect of... our scoring does not align with WBRS. If you don't like the WBRS score, you should modify your filter.

You can tell that Talos gets a lot of feedback about their simplistic reputation scores because they added a response to the FAQ section. https://talosintelligence.com/reputation_center/support#faq3


The question is... if Cisco is going to use Talos as their source of Intel... why wouldn't Talos provide the actual WBRS score that the ESA shows? There seems to be a disconnect here. I understand Talos is their own entity that provides intel for anyone that is looking. However, at a minimum, Talos should provide enhanced access to information for paying Cisco ESA customers.

Filing reputation changes with Talos


I am glad that Talos now provides a tracking portal for reputation changes. This is good. However, the responses I have received have been less than ideal, especially when reporting phishes. Yes, I do understand that in many cases phishing sites go offline within a few hours or days as they are taken down, and by the time Talos looks at the site, it's down or the phish has been removed. One suggestion would be to offer a more aggressive SLA for paying Cisco customers. The response I get from Cisco on this is that if you need to report something quickly, open a TAC case. The issue with that is, you're asking the customers to use a different process to modify reputations. Why not use Talos, as this is the standard for reputation reporting?


Anyone else want to share their experience?
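As an added illustration (not code from the original post or from Cisco), the following Python maps WBRS scores to the three content-filter bands quoted above and shows why a filter keyed only on the Malicious band delivers a message whose URL has "no score". The band names, the treatment of "no score" as a distinct value, and the sample records are assumptions constructed from the numbers in the post.

```python
# Added example: ESA WBRS bands as quoted in the post, plus the "no score" case.
# This is illustrative code, not the ESA's own filter implementation.

MALICIOUS_MAX = -6.0                 # Malicious: -10 to -6
NEUTRAL_MIN, NEUTRAL_MAX = -5.9, 5.9 # Neutral: -5.9 to 5.9
CLEAN_MIN = 6.0                      # Clean: 6.0 to 10


def wbrs_band(score):
    """Return the content-filter band for a WBRS score.

    None stands for the "no score" value shown in Message Tracking and is
    deliberately kept distinct from Neutral. Scores strictly between -6 and
    -5.9 (e.g. -5.95) are treated as Neutral here; that is an assumption.
    """
    if score is None:
        return "no_score"
    if not -10.0 <= score <= 10.0:
        raise ValueError(f"WBRS score out of range: {score}")
    if score <= MALICIOUS_MAX:
        return "malicious"
    if score >= CLEAN_MIN:
        return "clean"
    return "neutral"


def evaluate_message(url_scores, quarantine_bands):
    """Apply a content-filter-style rule to one message's URLs.

    url_scores: mapping URL -> WBRS score (None for "no score").
    quarantine_bands: set of band names that trigger quarantine.
    Returns (action, band per URL, URLs that matched the rule).
    """
    bands = {url: wbrs_band(score) for url, score in url_scores.items()}
    flagged = {url: b for url, b in bands.items() if b in quarantine_bands}
    action = "quarantine" if flagged else "deliver"
    return action, bands, flagged


# Constructed sample: the two URLs and ESA scores quoted in the post.
SAMPLE = {
    "https://researchondisability.org": None,  # ESA WBRS "no score"
    "http://www.peteramayer.com/": -3.0,       # ESA WBRS -3.0
}

if __name__ == "__main__":
    # A rule that only acts on the Malicious band delivers this message.
    print(evaluate_message(SAMPLE, {"malicious"}))
    # Treating "no score" as untrusted quarantines the unscored URL.
    print(evaluate_message(SAMPLE, {"malicious", "no_score"}))
```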

Cisco Employee

Re: ESA URL Reputation & Talos | Reputation Change Workflow Feedback

Hi,

To answer your query on the value of "none" for the SBRS score, I hope the information below clarifies it.

Some IP addresses have a SenderBase score of "none." If the ESA is unable to contact the SBRS servers, the connecting IP address receives a score of "none". SBRS data is very timely and the appliance does not cache SBRS scores beyond approximately 30 minutes. If there were an intermittent connection problem to the SBRS servers, it is possible that a previously "scored" IP address will show up as a "none" score.

For more details, you can refer to the article below:
https://www.cisco.com/c/en/us/support/docs/security/email-security-appliance/117903-qa-sbrs-00.html

I hope the above information is helpful.

Regards,
Pratham