Email Security Telemetry and Data Sharing with Cisco via SenderBase Network Participation

(Source: Talos Email & Spam Data)


For the above example, the average daily spam volume handled by Cisco for July 2018 was 305.95 billion.  (That is 305,000,000,000!)  The average total daily legitimate email volume that Cisco saw is over 52 billion each day.  With that email traffic, Cisco Email Security and Cisco Talos use the telemetry provided to drive efficacy and help reduce the spam that reaches end-users.  How can you help?  Simple - ensure your appliances are configured and participating in SenderBase Network Participation.


SenderBase Network Participation

What is SenderBase Network Participation (SBNP)?  This is our data sharing program that provides critical telemetry data back to Cisco Email Security and Cisco Talos that can ONLY be seen by Cisco devices in the field.  This data contributes to the efficacy of many of our detection and reputation systems, such as:

  • SenderBase Reputation Scoring (SBRS): sender IP reputation blocking based on a -10.0 to 10.0 scale
  • Sender Domain Reputation (SDR): domain reputation scoring based on Awful, Poor, Tainted, Weak, Unknown, Neutral, Good
  • Context Adaptive Scanning Engine (CASE): Antispam (IPAS), Graymail, Virus Outbreak Filters (VOF)
  • Web Security Service (SDS): URL Filtering

Imagine your organization is one of the first to be targeted by a new global email attack.  With SBNP enabled, the telemetry data shared with Cisco will dramatically improve the speed and accuracy with which we are able to react to a new threat.

Cisco anonymizes and aggregates the telemetry data with reporting from other sources to help identify and stop email-based threats.  Data collected is only based on heuristics of the email itself and not the full body of the email.


Telemetry and Data Sharing Value

  • Visibility
    • Into attacks
  • Tuning (improve performance of services and systems)
    • Efficacy
    • Load
  • Feedback
    • Easiest way to inform Cisco of how customers use our systems
    • Critical information for Cisco to understand every customer better
  • Support
    • Data received via telemetry helps Cisco support ALL customers


Enabling SBNP

You can help by reviewing your email security configuration and enabling SBNP if you are not already participating. It is simple:

1. Go to *Security Services > SenderBase*
2. Click *Edit Global Settings...*
3. Mark the box to "Enable sharing limited data..."
4. Click *Submit*
5. Finally, click *Commit Changes* in the upper right corner of the GUI

Note: Checking this box enables the feature globally for the appliance. When enabled, CASE is used to collect and report the data. You can configure the same settings using the *senderbaseconfig* command in the CLI.


Once enabled, you will see the following:


Additional Options To Share Data From Email Security

Cisco Email Security also allows for full data sharing, which would include sharing unhashed filenames with Talos via SBNP.  This is configured and enabled only via the CLI, using the *fulldatasharing* command.


Example:

myesa.local> fulldatasharing

Share unhashed filenames with SenderBase Information Service: Disabled

Choose the operation you want to perform:
- SETUP - Configure sharing of unhashed filenames with SenderBase
[]> setup

Enable sharing of unhashed filenames with the SenderBase Network? N> y

Share unhashed filenames with SenderBase Information Service: Enabled

Choose the operation you want to perform:
- SETUP - Configure sharing of unhashed filenames with SenderBase
[]>

myesa.local> commit

Please enter some comments describing your changes:
[]> fulldatasharing enabled

Do you want to save the current configuration for rollback? Y> y

Changes committed: Fri Jun 01 08:22:45 2018 EDT
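Because both the GUI steps and the CLI dialogue above only take effect after a commit, an audit of captured CLI sessions has to treat a toggled-but-uncommitted setting as still pending. The following script is an added example, not Cisco's code: it parses session transcripts that follow the fulldatasharing/commit dialogue shown above (the host names and transcripts are constructed) and reports the committed state per appliance.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Constructed sample sessions (hypothetical hosts, not real appliances). The
# prompts copy the fulldatasharing / commit dialogue shown in the post.
SAMPLE_SESSIONS = {
    "esa1.example.test": (
        "myesa.local> fulldatasharing\n"
        "Share unhashed filenames with SenderBase Information Service: Disabled\n"
        "[]> setup\n"
        "Share unhashed filenames with SenderBase Information Service: Enabled\n"
        "myesa.local> commit\n"
        "Changes committed: Fri Jun 01 08:22:45 2018 EDT\n"),
    # Toggled to Enabled but never committed: the change is still pending.
    "esa2.example.test": (
        "myesa.local> fulldatasharing\n"
        "Share unhashed filenames with SenderBase Information Service: Disabled\n"
        "[]> setup\n"
        "Share unhashed filenames with SenderBase Information Service: Enabled\n"),
    "esa3.example.test": (
        "myesa.local> fulldatasharing\n"
        "Share unhashed filenames with SenderBase Information Service: Disabled\n"),
}

STATE_RE = re.compile(
    r"Share unhashed filenames with SenderBase Information Service: (Enabled|Disabled)")
COMMIT_RE = re.compile(r"^Changes committed: (.+)$", re.MULTILINE)

@dataclass
class SharingStatus:
    host: str
    effective_enabled: bool      # state the appliance is actually running
    pending_change: bool         # setup answered but no commit followed it
    committed_at: Optional[str]  # timestamp from the "Changes committed" line

def audit_session(host: str, transcript: str) -> SharingStatus:
    """Derive the committed fulldatasharing state from one captured CLI session."""
    states = list(STATE_RE.finditer(transcript))
    if not states:
        raise ValueError(f"{host}: no fulldatasharing status line found")
    initial = states[0].group(1) == "Enabled"
    final = states[-1].group(1) == "Enabled"
    # Only a commit that comes after the last status line persists the change.
    commit = next((m for m in COMMIT_RE.finditer(transcript)
                   if m.start() > states[-1].end()), None)
    pending = final != initial and commit is None
    return SharingStatus(host, initial if pending else final, pending,
                         commit.group(1) if commit else None)
```

Run `audit_session` over each captured transcript and flag any host with `pending_change` set; that appliance still needs a commit before it shares unhashed filenames.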

Performance Impact

There is minimal-to-no performance impact for most customers. The email security appliance records data that already exists as part of the email delivery process. This data is aggregated on the appliance and sent to Talos in batches, typically every 5 minutes.


Spam Reporting

Does SBNP replace spam reporting?  No!  SBNP is telemetry data only.  If you are still seeing missed spam or other unwanted email traffic, please continue to report false positives and false negatives to Cisco.  (Read here for further information on submitting email to Cisco for additional examination.)


Telemetry and data sharing is a customer decision!  Sharing can be disabled at any time via the GUI or CLI.


Have questions regarding SBNP or reputation? Ask Talos! Or, feel free to open a Cisco Support Case and we can answer you directly!