
Cisco Email Security Appliance C370 - security appliance

Mfg # ESA-C370-K9 CDW # 2883833

Quick tech specs

  • Security appliance
  • 2U
  • GigE
  • rack-mountable

Know your gear

The Cisco IronPort C370 Email Security Appliance is built on the foundation of the Cisco IronPort AsyncOS operating system to provide power for today's mail volumes and high-performance scanning for tomorrow's threats. The Cisco IronPort C370 delivers industry-leading protection from inbound spam and virus attacks and outbound data loss possibilities, in an easy-to-use appliance.

Today's email-borne threats consist of virus attacks, spam, false positives, distributed denial-of-service (DDoS) attacks, spyware, phishing (fraud), regulatory compliance violations, and data loss. The Cisco IronPort C370 incorporates preventive and reactive security measures that are easy to deploy and manage.

This item was discontinued on October 06, 2022


Cisco Email Security Appliance C370 - security appliance is rated 4.50 out of 5 by 12.
Rated 5 out of 5: Protects our customers with URL and Reputation Filtering

What is our primary use case?
I have experience as an SE for IronPort as well as a private consultant. I have used this solution in multiple environments.

How has it helped my organization?
I have been able to help customers improve their email security, both new customers purchasing Cisco ESA, as well as long-time users.

What is most valuable?
The most valuable features are Advanced Malware Protection, URL filtering, and of course Reputation Filtering.

What needs improvement?
The reporting functionality needs to be improved.

For how long have I used the solution?
I have been using Cisco Email Security for nearly 15 years.

Disclaimer: I am a real user, and this review is based on my own experience and opinions.
Date published: 2020-02-19T00:00:00-05:00
Rated 5 out of 5: Stops the vast majority of email from getting in, across our multiple email domains

What is our primary use case?
The main use case is simply as a point of contact for all the emails to go through first, before they ever get into the Office 365 environment, so they can be scanned and checked for malware and spam, all before Office 365 even sees it. We're currently on version 12. Our instance is in the cloud and we don't actually upgrade it, they do it for us. It should be upgraded to 13 in the next month or two.

How has it helped my organization?
The last time I checked, which was about a month ago, when I looked at all the emails sent to any of our domains — because we have about 10 email domains, and they all go through the appliance — by looking at a report the solution has, I saw that 84 percent of the email sent to those domains never got to our Office 365, because it was spam, malware, phishing, or there was something wrong with it. So it stopped 84 percent which was bad email. Based on my experience and talking to users, 99.8 or 99.9 percent of those emails that were stopped were spam or malware. There might've been 0.1 percent that was caught by mistake. But that's 84 percent of email not even getting into our systems. It has prevented downtime. The simple fact that 84 percent of them were stopped keeps people from having to look at those in their mailbox. If you take 1,000, out of that number 840 didn't even come through. That's less wasted time going through your mailbox and reviewing your messages. It also frees up the users, when they do see something that's not anywhere near normal, to clue in that there might be something wrong. We have had emails get through, phishing emails and things like that — it has happened — but I would say we probably get one through about twice a month, at most. The users will immediately shoot it right to the help desk. "Is this real? Is this spam? Is this something I should do?"

There's no way to really put a number on it, because I've never really looked into it, but if nothing is coming through that you didn't want to see, then there's no downtime. Only in a couple of cases have we had a user actually do something they shouldn't have done before they notified us, but that's training. You never have a perfect solution. Two a month is our average, over the last year, of emails that got through that we wished hadn't gotten through, but no harm came of it because the user notified us, and we just told them, "Delete it." We make sure everything is working right and that there was no malware involved and we let it go. Also, as far as the IT department goes, it's made our lives a lot easier. We get emails if anything does happen. We've chosen to see any event. We only get notified of exceptions that we want to investigate or we want to look into. That makes things easier because we're not out looking all the time. We can wait for the email to come in. We can look at the updates and the different changes Cisco makes to the system to see if any of those things is going to help us. We think about whether we want to invest any time in configuring those. And once it's configured, you're done. The most difficult part of that is remembering what you did. So we've learned to do our documentation that much better because we need to be able to go back and read what we did before, what we configured. Our company might buy another company, so we have another domain to add to our list of domains for email. In less than an hour we have all that set up and the whole system working, with emails going through the appliance. It's saved us a tremendous amount of time daily, just in terms of keeping track of things.

What is most valuable?
Their trajectory feature is the most valuable. What I mean is that it has the ability to tell us, after an email has been delivered, where else it went, once it got inside. Maybe it's something we wanted it to stop and it didn't stop it, but it notified us later that it was something that it should have stopped. It can give us a trajectory of all the other places that it went internally and it can tell us what files were transferred as well. It does a great job of preventing spam, malware, and ransomware. I can only go by what people have told me and what I've seen, but I have not seen spam in a year and a half to two years in my own company mailbox. And there are not a lot of catches where it's catching something that should have gotten through, either. We have an email going out daily of everything it puts into quarantine for a user, so the user can release it if it was caught accidentally. In the last six months, I have probably had to release six or seven emails. It's not catching them. It's doing a good job of striking a good balance. That is partly due to how you configure it, but we used the standard best practices when we configured it. We do go back to Cisco, when they offer a free evaluation to review our configuration every nine to 12 months. That helps us make sure that it's set up right and, if there are any new features, that we're aware of them. We do take them up on that every time they offer it.

What needs improvement?
When it comes to phishing, I would not give this appliance a perfect score by any means. It's hard to get a perfect score on phishing with any solution. But typically, in a phishing email, they try to use a name everybody's going to recognize, like the CEO's name or the CFO's name. They might spell it wrong, but they will try to get your attention so that you'll do something. With this appliance, the way it's designed at the moment, for us to really stop that with any level of confidence, we have to build a dictionary of all the names of the people we want it to check, and all the ways they could be spelled. My name would be in there as Phillip Collins, Phillip D. Collins, Phillip Dean Collins, Phil Collins, Phil D. Collins. There could be eight or 10 variations of my name that we'd have to put in the dictionary. There's no artificial intelligence to say "Phil Collins" could be all these other things, and to stop phishing from coming through in that way. It is stopping a lot of phishing when we do use that dictionary. We essentially let the email come in, but we put a header at the top, in red, telling the user to be very careful, this may not be a real email, and let the user decide at that point, because it's looking at whether or not it came from a domain outside our domains. If I have to send myself an email from my personal domain at home, it has my name in it, Phillip Collins. We want it to notice that Phillip Collins is a name that's in the company directory, but it's not coming from one of our domains. We want the user to understand that that is how they get around it. Phishing emails will come from the attacker's own email address, but they will set the display name, what you'll see, as something familiar. That's why I wouldn't give it anywhere near a perfect score, because the artificial intelligence just isn't there yet. You have to put these things in manually. As you have people come and go in your organization, you have to decide if you want these people in that dictionary or not. If they leave then you've got to take them out. There's a lot of work to doing that with this solution at the moment. Another minor thing is the interface that you work with as an administrator. It is not as intuitive as I would like it to be. It's all there, if you understand what you're doing; what email is doing and how you detect certain things. It is not difficult at all to work with, but it could be more intuitive for somebody starting out. Finally, they separate the email security appliance from the reporting appliance. It's the ESA and the SMA; they are two separate appliances. The reporting appliance just gets information from the email security appliance and helps you formulate reports. To me, that should all be one. It doesn't bother me that it's not, but sometimes I have to think, "Do I need to go to this appliance or this appliance to get that information?" It should all be in one place, but those are minor things.

For how long have I used the solution?
I have been using Cisco Email Security for two-and-a-half years.

What do I think about the stability of the solution?
It's extremely stable. It hasn't gone down on us since we've had it. They made a major move, moving their appliances out of the AWS cloud into Cisco's cloud. They notified us they were moving and we talked about it. We really didn't have to do much of anything, and there was no downtime at all when that happened. We do have two security appliances in the cloud, so if one went down, the other would pick up. There is redundancy at the hardware level, but we've never gone down.

What do I think about the scalability of the solution?
It's extremely scalable, especially with it being a cloud appliance, because you're not bound by the hardware like you might be if you bought from an on-prem installation. If we need to go from 500 to 1,000 users, they can just tweak the hardware settings on their end and we're ready to go. I don't think scalability is an issue at all with it being in the cloud. There are approximately 425 email accounts that it's monitoring and when I last looked at the report about a month ago, there were 25,000 emails a day, on average, that it was analyzing for those 425 users. We're about to add another 50 to 60 new users from a company we just bought. We'll go up to nearly 500 in the next month or two, but I don't see any issues with that. We'll be adding their domain to our system and then adding the users.

How are customer service and technical support?
I've worked with Cisco support tw...
Disclaimer: IT Central Station contacted the reviewer to collect the review and to validate authenticity. The reviewer was referred by the vendor, but the review is not subject to editing or approval by the vendor.
Date published: 2020-06-23T00:00:00-04:00
Rated 5 out of 5: The amount of traffic that it stops is massive

What is our primary use case?
It is used as the primary perimeter gateway for our organization before you can access our environment. Being hosted with Cisco, it goes through Email Security. Spam, marketing, malicious or virus-enabled emails are not delivered to us 90 to 91 percent of the time because they are stopped external to the organization. That is a massive win for us. We don't have to worry about having to deal with all those emails going through our email servers.

How has it helped my organization?
Cisco Email Security (CES) has allowed our users to be able to concentrate on the emails that they do receive. Previously, our users had to deal with nine million additional emails across the organization, which is nearly 1,000 emails per user to have to deal with a month. That's a massive amount for our staff to deal with and probably several hours of their time. We have a lot of clinical staff, being a hospital. We want to make our staff as productive as possible. By removing a lot of that spam and phishing type emails, this allows them to do their job. A lot of our staff who are our cleaners don't necessarily use email as often as some of our clinical staff. Therefore, the numbers are worse with our clinical staff who probably end up getting double the amount of these emails. From a user's point of view, if we're stopping them getting spam, they're happy. The threat intelligence that we receive from Cisco Talos is good. We don't have the staff or SecOps to do it ourselves. We have one cybersecurity analyst who complements the rest of our IT support for communications, network, and server infrastructure. Things like Talos give us the ability to leverage what Cisco is doing without having to invest the money, infrastructure, and people. Without it, we tend to be in our little bubble/ecosystem. We're not seeing the number of attacks. Whereas, with Talos being connected to so many organizations around the world, it gives us early warning that we wouldn't have normally had. Because we don't have many applications externally available to the organization, it's good that there's something out there looking out for our best interests. We're able to easily apply that to our infrastructure and without any effort. A lot of it's automated, so it's just applied. It is a great benefit that we're able to run 24/7. With the help of Cisco and Talos, it helps keep our organization safe. We are very much on top of any sort of zero-day events that we hopefully don't see ourselves. So, we're able to leverage the misfortune of other organizations who have experienced events, in some instances, to our benefit.

What is most valuable?
The bulk of the email stopped would be marketing. Spam-related email tends to be our biggest issue. The most dangerous contain malicious content, and those tend to be the worst. The biggest issues are the social engineering and phishing. A lot of the spammers are actually quite good at spear phishing attacks and social engineering our emails. We obviously do checks. We run some simulations for our staff, where we try and train them so they are aware of what not to click on. Also, we have installed Umbrella and had it for a long time as well. Therefore, if something was malicious, and one of our users had clicked on it, Umbrella would usually stop anything outgoing. The combination of the two solutions has really helped secure our organization.

What needs improvement?
I would like more functionality and how to use it for Level 2 type staff. The biggest issue is it needs to be easier to use and navigate. I know there are a lot more documents in the later versions about how to do things. This is a great improvement from a few years ago when you would have to call a tech to get them to assist you, which they're more than happy to do, but now there are a lot more how-to guides. If they could continue to do that, then it would make the product even more usable. Also, it needs more detail/documentation around what different features do. That would be valuable for the product. That way, when you do have lower level staff who are using it, they will actually know what it can do. E.g., having help icons for each section, and even each setting, does make it easier for the users. As they can click on the question mark for that setting, then they can then see what it does or have it take them to a how-to page on what it does. The reporting could be improved, especially at a senior management level. The reporting side of things is a big component of what people, especially executives, want to see. In that way, it can justify its use ongoing. The executives want to know the volume of traffic that it's stopping. While users have to deal with the potential loss of income and hours. With reporting, it becomes a no-brainer. It's one of those things on an IT budget that you need to have.

For how long have I used the solution?
Probably five years.

What do I think about the stability of the solution?
We really haven't seen any issues on the stability side of it being cloud-based. We also have three virtual hosts that run in our environment. In the event that we lose one, there are two others. We have never seen any issues with the environment, which Cisco proactively monitors. They'll come back to us and indicate if there are any hardware performance issues and schedule appropriate restarts to appliances, if required. This happens occasionally. Given a lot of people target hospitals, we tend to be attacked more than other corporations because there are health records, health information, financial information, and research information. CES and some other products have definitely allowed us not to have the downtime that we may have had if our previous products and solutions were in place. As far as I'm aware, we haven't had any downtime since we put in CES and Umbrella several years ago, which has been fantastic. We have our security analyst who gets feeds out of CES into our other products. We also get feeds into AMP for Endpoints, so we see what happens because we have our CES integrated with AMP for Endpoints. That goes into our Threat Grid and Threat Response. Our server team might get queries about messages that might have been quarantined or someone having trouble receiving external emails. That's usually where a domain might be rated above our parameters and gets blocked. With something like 3,000 mailboxes, we spend at most an hour a day checking on the CES environment.

What do I think about the scalability of the solution?
Our environment is scalable, and we monitor that with Cisco. When we do our periodic health checks, we look at the performance of the appliances and how they're doing. They're handling the 10 to 12 million emails that we do receive through CES a month. There are about 90 percent which are not even forwarded onto us. Therefore, it's handling the capacity that we have at the moment. At this stage, there's no need for any increase in our hardware. It's an invisible service where every piece of email going in and out of the organization goes through CES. We are doing more integrations with other security products, like Threat Grid, Threat Response, and AMP, along with SecureX that is Cisco's new beta program. Getting the CES feed into that and having one pane of glass to see the threats of the organization through both emails, firewalls, routers and VPN is fantastic.

How are customer service and technical support?
We have a team of resources at Cisco that we can call on, if we need things escalated. Having great customer-centered service and support is one of the reasons why going with Cisco has been such a fantastic decision for both organizations that I've been at.

Which solution did I use previously and why did I switch?
Prior to using Cisco Email Security and my being at the organization, they had a massive Qbot issue. I don't know a lot of the detail, but at the time, we had a lot of machines that had to run certain versions of software. Because of it being older software, legacy-type applications, they were more susceptible to issues. Qbot just went through the organization and took out a lot of that equipment/machines. Cisco actually came in and assisted to get rid of all the issues that we saw with Qbot, etc. It took several weeks spent by Cisco and other organizations trying to resolve our issues with Qbot to get things operational and back to normal. That was really the catalyst to get Cisco Email Security into the organization. We were previously using McAfee for both their Endpoint Protection as well as for Email Servers. The difference was the volume of emails hitting our email servers. The servers had to deal with 10 million emails a month. Having to process those additional emails and pushing them onto users took a massive amount of infrastructure and resources at a server level. Whereas, at the moment, our servers are not having to deal with that because we have CES right outside of our perimeter. One of the reasons that we switched away from McAfee is that we moved to an enterprise agreement with Cisco. Under that, we get the Cisco Advanced Malware Protection (AMP) for Endpoints. Once we went down that path and installed it, there was no point in having McAfee as well when the AMP for Endpoints already has some of the different engines. Plus, there was a duplication of costs and applications, such as the support costs as well as to maintain multiple antivirus and endpoint protection software. At my previous organization, we were using the standard Office 365 controls and Email Gateway before ...

Disclaimer: IT Central Station contacted the reviewer to collect the review and to validate authenticity. The reviewer was referred by the vendor, but the review is not subject to editing or approval by the vendor.
Date published: 2020-06-25T00:00:00-04:00
Rated 5 out of 5: Brings issues to our attention enabling us to remediate threats; provides all the information regarding why something was caught

What is our primary use case?
We're using it to collect data. We haven't fully implemented any of the features to stop any attacks. At this point we're using it for informational purposes, until we get a better grasp on everything. It's gathering any spam messages or malicious email messages that come through. It's in the cloud and hosted by Cisco.

How has it helped my organization?
I can't provide a detailed example of how the product has improved our organization but only because I don't want to give out too much information. In broad strokes, being able to go in there and see where stuff is coming from and who it's going to, and being able to see, hour-by-hour, where threats came in, we can help pinpoint when issues started, who an issue started with and who it's going to, to best remediate issues. Because the user interface is very intuitive and doesn't require specialized training, less time is needed to dive in to get to the basics of it before a deep-dive ever happens.

What is most valuable?
The most valuable feature that I have found so far is that it actually works within our tenant. If we have anybody that we serve the email that it would go to, and someone else that we serve the email to, it will find that; it will go through that filter as well. And it will do it quickly and efficiently for us. It's not something that we need to push out to then have it circle back in so that our email filters or spam filters will catch things. On ease of use, it rates very high. It's something that I was able to get into without really looking at any documentation. I wanted to see what it felt like before I started looking at any documentation on how to use it, and it was very easy to use. It works very smoothly. The user experience is very intuitive. They did an amazing job on that. The solution also provides a diversity of intelligence, the way that we have it implemented. Since it's not taking anything out, it can bring stuff to our attention and we can remediate it if there is actually a threat. And it shows us the links, and all the information regarding why it caught something.

What needs improvement?
The search area has room for improvement. When you go to the next page, it remains at the bottom of the current page that you're on. Also, under the reports section, it allows you to see any "convictions," but if you want to search for those convictions you have to remember when they all came in and go back and edit the search accordingly. You cannot click on the list of convictions to actually see if you had a spike at a certain time.

For how long have I used the solution?
We've been using it for at least four weeks.

What do I think about the stability of the solution?
So far, we haven't seen any issues with it. It seems very stable.

What do I think about the scalability of the solution?
It appears to be doing a very good job in terms of scalability. With the transition from one mailbox to all mailboxes, we really didn't see an impact on the time that it was processing information. We have about 3,000 to 5,000 mailboxes covered under CMD.

How are customer service and technical support?
We haven't used technical support yet.

Which solution did I use previously and why did I switch?
We have used other Cisco items to accomplish some of the same tasks we're using CMD for, so we're beta-testing CMD.

How was the initial setup?
Our initial deployment of the solution took well under an hour, and that includes the configuration because we had to go into Office 365 and set it up and then actually deploy it. That time, altogether, was very short and it was very smooth. When it came to the deployment process for CMD in our Office 365 environment, I had to read the document again because I couldn't believe that the initial setup was that easy. The concern that we have is the amount of rights that it needs. It doesn't seem like it should need that many rights to be able to do what it does. But overall, just implementing it was very smooth and very easy. Our implementation strategy was that we did it on a single mailbox as a proof of concept, and from there we expanded it to our tenant. In terms of staff involved in deployment and maintenance of this solution, two of us, as systems administrators, have been the focus on this, along with a security person, who is involved in security analysis.

What about the implementation team?
We did it ourselves.

Which other solutions did I evaluate?
We didn't evaluate any other products. Cisco reached out to us to have us test this.

What other advice do I have?
Lock down who has access to the product, for the purpose of being able to see all email coming in and out; seeing who it's to, who it's from, and the subject. To best protect data, you would want to limit who has access to that data. In terms of the solution's ability to prevent phishing and business email compromise, it's kind of hard to evaluate because we haven't fully implemented it. It will show us what it catches, and the implementation will actually take it out of the user's mailbox. I feel like that would be good. It seems to still catch some stuff as spam that may not be spam, according to the user. We're using Cisco AMP on our desktops and it seems to be doing fine as a virus scanner. The only issue I have seen is that on a few machines it spikes the CPU utilization for the whole time that it's scanning. I would give the solution an eight out of 10, just because we haven't implemented everything yet. The parts that we have implemented have been very smooth and very easy to use. There are small portions that we haven't fully implemented yet.

Disclaimer: IT Central Station contacted the reviewer to collect the review and to validate authenticity. The reviewer was referred by the vendor, but the review is not subject to editing or approval by the vendor.
Date published: 2020-09-03T00:00:00-04:00
Rated 5 out of 5: Can quickly identify, track, tag, and categorize internal emails. Reporting accessible via the main dashboard would be a great addition.

What is our primary use case?
Our primary use case is the ability to see email activity in the east-west traffic. It does internal email tracking as well as leveraging it as another layer of email defense. We utilize Microsoft 365 (enterprise service) and its Advanced Threat Protection solution, which networks inline with Cisco Cloud Mailbox Defense Email Security. Then, Cisco Cloud Mailbox Defense does an additional layer of detection and protection against malicious email. Business email compromise is the internal user use case, then phishing and malware delivery are certainly others. They are pretty common and definitely answered by Cisco Cloud Mailbox Defense (CMD).

How has it helped my organization?
Having Cisco's solution gives us a fast way to track and identify. We haven't seen any specific events yet, but certainly having another layer that's able to give us visibility and detect malicious email from an insider is definitely useful. Insiders are typically the hardest to detect, including in an email environment. So far, we haven't had any detections, which is a good thing. This just means that our traditional use cases of egress-ingress type monitoring work pretty well. However, we have seen some spam being detected. Even internal email forwarding, where an internal enterprise account will forward a spam message to another internal account. This speaks to the system's ability to detect these and fairly quickly categorize them as spam, which is good. Luckily, it wasn't malware. CMD seems to be working well. Our administrative overhead costs are low, both for time and dedicating human resources. We set the solution, then check it daily. Because we haven't had any detections, which is a good thing, we don't really need to dedicate any additional resources in terms of generating an incident response process.

What is most valuable?
The ability to see east-west traffic is its most valuable feature. Traditionally, email defense focuses on north-south, inbound-outbound, egress-ingress traffic. With Cisco Cloud Mailbox Defense, it's able to quickly identify, track, tag, and categorize emails that are internal. That can typically give us visibility into if there's an internal compromised account (for example). Someone can then use that internal compromised account to email additional accounts with either malicious software or links, but internal within that Office tenant. Effectively, that email message never leaves the tenant. Any of the mail gateways really do not have any method or way of seeing this traffic since it's not leaving the environment. The solution is very easy to use. It's just a single pane of glass, single screen web page that you access. Then, there are a small number of clicks necessary to get at the information you need. Reporting is easily generated. Likewise, the search capability is easily accessed and usable as well as provides the first initial information that you need about messages identified, categorized, and total volumes. All that information is easily identifiable and quickly accessible as soon as you log in. It is an easy-to-use, single web page, SaaS application. CMD's user interface is intuitive. We didn't need any training. There was a quick deployment document that you skim through, and it's fairly easy to both deploy as well as start using. Threat Grid is a capability which allows for running or executing software in a special sandbox environment where it's not affecting your enterprise or corporate systems. For that particular use case, Threat Grid works really well. It also ties in with various threat intelligence sources, e.g., detonating/testing our particular software or file in the sandbox can immediately identify indicators of compromise and share them with other clients that leverage Threat Grid. Likewise, the software that I uploaded for sandboxing is immediately validated and checked against all other client submissions as well as open source and Cisco Talos Threat Intelligence Sources. I find that really valuable. While there are other sandboxing solutions out there, I use Threat Grid quite a bit and I find it to be extremely useful and very usable. Threat Grid also gives us a sense of safety because I don't have to test it or build out custom virtual machines to do the testing. I don't have to test it on enterprise systems. From that perspective, Threat Grid is definitely a very good solution. Its ability to integrate with other Cisco portfolio tools is helpful because then you can tie in and quickly view what malicious files might've been found in your environment regardless of what Cisco security solution you are using, whether it's AMP, Email Security, CMD, or anything else. AMP for Endpoints is something that I've used extensively. We have also used AMP for Network and Email. Collectively, it seems to be doing a pretty good job, especially when combined with Threat Grid because it's quickly able to identify files by hashing them and figuring out within the databases that Cisco owns, as well as open source threat intelligence databases, whether that particular hash is found in those databases. If it is, then it is malicious. It takes corresponding action pretty quickly. If it's an unknown hash (after it identifies the file by hash value), and if it's unknown and not found in the databases, then it automatically uploads that file to Threat Grid for sandboxing and analysis. That layered approach with respect to treating the files as they come in works well, whether via email, network, or found on an endpoint, especially as an ecosystem solution that integrates with other Cisco components and security tooling that one may have in the enterprise. This works well because the information found on a single endpoint, for example, can then immediately take action on an email by blocking that identified malicious file. Likewise, if there is a file that's coming in via email and it's found to be malicious by AMP or Threat Grid, then the information about that file is immediately known by the endpoints. The endpoint solution can then take action on that malicious file. As an ecosystem, it works really well.

What needs improvement?
If Cisco could continue to develop integrations, whether it's internal tooling, Threat Grid, or AMP reporting which could be accessible via a single web page, that would be helpful. This would essentially add additional context on messages as well as files or links being detected. Potentially adding additional context on why certain messages are tagged as spam or malware. In our case, malware hasn't been detected yet, but spam certainly has been. Knowing what engines or which components of the message make it identifiable as spam, that could be useful. Additional context and reporting accessible via the main dashboard would be great. There is still room for improvement in terms of integrations with other Cisco tools and non-Cisco tools. There is also some room for improvement needed in terms of the reporting.

For how long have I used the solution?
About two months.

What do I think about the stability of the solution?
The solution is set and forget in our experience. It seems to be working pretty well. In our experience, we don't require any dedicated resources for maintenance. So far, we have had no issues with stability. I could see how if there was an issue with the Microsoft 365 tenant, then CMD would not work, but so far we have had zero issues.

What do I think about the scalability of the solution?
We are a fairly large company that sees a sizable number of email messages daily. CMD is able to keep up with the messages and message classifications, along with capturing and sending files to Threat Grid. The solution has the potential to be scalable to extremely large organizations as well as serve small to medium-sized businesses as well. We have two individuals who are both members of the security team: one is a senior security analyst and the other is a security director.

How are customer service and technical support?
We did experience a false positive match where an email exhibiting spam behavior was actually legitimate. I had to escalate this issue with technical support to make sure to get it whitelisted or the engine tuning changed. Our experience has been pretty good so far.

Which solution did I use previously and why did I switch?
We previously used Microsoft native ATP, which is a built-in Microsoft email protection solution. We added Cloud Mail Defense because it gives us another layer of protection for east-west traffic.

How was the initial setup?
The ease of the deployment process of CMD is extremely simple. The methodology that Cisco uses to scan email is extremely usable and very simple. Likewise, to set it up, the only requirement is to have administrative level privileges for the Microsoft 365 tenant. Having those rights and permissions, that's really all an organization will need to add CMD into its tenant. The deployment took us five minutes or less.

What about the implementation team?
There was no effect on our administrative costs at all. In terms of configuration, we didn't have to do anything. The system comes preconfigured by Cisco, so we didn't have to do any configuration or setup. It's a set and forget kind of thing.

What was our ROI?
In our case, downtime certainly arrives from a detection of malicious software, like malware being delivered via email or identifying internal compromised users. Given the extra visibility that we have wit... Disclaimer: My company has a business relationship with this vendor other than being a customer:Partner.
Date published: 2020-09-03T00:00:00-04:00
Rated 5 out of 5 by from Good support, integrates well with SMA, and does what it is designed to do

What is our primary use case?

It is our email gateway. We have the Exchange Servers, but the Exchange Servers don't relay directly with the internet. We have ESA in-between, and every incoming and outgoing email must pass through ESA before it gets to the internet. We are using Email Security Appliance C690, and we have three of them in a cluster. They are on-premise. We have decided not to go to the cloud. It is primarily because most of our clients are government agencies and the government, and they have this suspicion about the cloud. So, right now, we are still on-premise. Currently, we are on version 13.8. There is a newer version, but we are yet to migrate to that version.

How has it helped my organization?

We use ESA with Security Management Appliance (SMA). We have SMA M690. The integration of ESA and SMA makes the whole work easier. SMA is the central content appliance, and we have three ESAs. The SMA is able to collaborate with the clustered ESAs for log management and other things. It gives some stability in terms of what is happening. ESA keeps a lot of logs, so SMA is able to move through ESA and get those logs out. This integration has really helped us to drive our operation in the email platform. It does a lot in terms of preventing phishing and business email compromise with DP and Advanced Phishing Protection. DMARC gives visibility for preventing spoofing and social engineering attacks. ESA has been able to help and protect us from those attacks. It is doing a lot of work. Gartner has always rated Cisco's ESA appliance as one of the major players. It is doing a lot to prevent spam, malware, and ransomware. Everything is also tied to how you have configured it. Some of the spam emails don't get to the customers. We can quarantine a spam email, which gives us the visibility to look at it and see if it is actually spam or not. It is doing its work. It is. There are no false positives. It is working perfectly. Email service is one of the services that we offer at Galaxy. ESA has improved our business. Our customers want to maintain their business with us for email security. We have over 500 domains on our email platform. It has improved our profitability in everything.

What is most valuable?

They have a lot of features such as Advanced Malware Protection, Email Protection, Advanced Phishing Protection, Antispam, Antivirus, and Outbreak Filters. They are very important. It is doing its work. It is doing what it was actually designed to do. It has ensured we don't have business email compromises, and it has also ensured that our brand Galaxy is unique all year round.

What needs improvement?

The area of license renewal should be improved. We normally renew our license every year. There is a feature called smart licensing, and I switched from the legacy mode to the smart licensing mode because of what I thought smart licensing does. I thought it would make licensing renewal seamless and very swift, but ever since I've switched to smart licensing, each time I want to renew my license, it is a whole lot of headache. The process is not smooth, and I had to keep calling Cisco TAC to see how the issue can be resolved. At one point, I wanted to revert back to the legacy mode, but I can't revert. Once you switch from the legacy mode to the smart licensing mode, you can't revert. They should improve on the visibility of the smart licensing mode so that it can indeed be smart and easier to use for the license renewal every year. That is one challenge. Another challenge is that there is no way for me to know my level of utilization. For example, if I have a subscription of 2,000, there should be a way for me to know my level of utilization. Currently, I don't know my level of utilization. So, if my license is renewed on 20,000 subscribers and I'm using less than 20,000, I wouldn't know. It doesn't improve my ROI. If I'm using less than the subscription I've applied for, there should be a way the system should tell me, rather than me going to find out manually. When I go to the smart licensing profile, I should be able to see my utilization. I should be able to see that I've subscribed for 20,000 but I'm only using 12,000. This means that if I'm going to renew, I should reduce my licensing mode from 20,000 to maybe 15,000. This kind of information should be given to the customers, but right now, we don't have that.

For how long have I used the solution?

I've been using this solution since 2017. My organization has been using it before that. It has always been in use as our email security gateway.

What do I think about the stability of the solution?

It is very stable. They have AsyncOS, which is the OS that runs on the appliance. They've released different versions. There is a general version, a limited version, etc. They keep coming with more services just to improve the platform. We never experienced downtime. We have ESAs, and they are in a cluster. If one ESA fails, there is no downtime. The remaining two can handle email communication and relay. We have high availability and redundancy. So, we don't experience any downtime. We do ESA health checks with OEM during which they connect with us virtually. They connect to the device and then check if all security features are still well configured and if there is any other way to improve. Doing this quarterly has really helped to make sure that the appliances are up to date.

What do I think about the scalability of the solution?

It is scalable.

How are customer service and technical support?

They are very good. I would rate them a nine out of 10. If possible, I would rate them a 10, but I just want to be a little bit reserved. They've really been very knowledgeable and very patient, and they've always ensured that for any issue, any ticket, or any case that is opened with them, they are prompt. They are quick to ensure that they resolve an issue as soon as possible.

Which solution did I use previously and why did I switch?

It has always been ESA from the onset.

How was the initial setup?

I wasn't part of the team from the beginning to the end. I came when they were almost done. It was complex but also very interesting. It took two weeks or so if I'm not mistaken. For the setup, you need to look at the low-level design and the architecture, and then you look at the network interfaces, listeners, routes, default routes, etc. If there is a way they can come up with step-by-step information about configuring it, that would really be nice. The guide right now is too cumbersome and bulky. If there is more straight-to-the-point and procedural information, it would be better.

What about the implementation team?

Cisco service engineers were the ones in charge.

What was our ROI?

We have seen an ROI.

What's my experience with pricing, setup cost, and licensing?

At times, we feel the pricing is a bit too high, but then, there is also room for discounts. We enjoy a lot of discounts, and that is why we are still with them. There are no costs in addition to the standard licensing fees.

Which other solutions did I evaluate?

We have evaluated other solutions, such as FortiMail from Fortinet, but we stuck with Cisco ESA. ESA's pricing and licensing were what led to us trying to see how we can bring it all together.

What other advice do I have?

It is stable and credible. I would always tell someone else to try it out. Of course, before you try it out, you can look at what Gartner is saying. Gartner has always placed the Cisco Email Security Appliance up there along with Mimecast and other top players. It is well-secured. Security is everyone's concern, so I will always tell people to go for it. It is very secure. Its pricing has been a little bit high, but you can always ask for a discount from your account managers, country manager, or whoever is in charge in your region. I would rate this solution an eight out of 10.

Which deployment model are you using for this solution?

On-premises

Disclaimer: I am a real user, and this review is based on my own experience and opinions.
Date published: 2021-08-29T00:00:00-04:00
Rated 5 out of 5 by from Don't need to invest in physical hardware, location, physical connections, and an on-premise data center

What is our primary use case?

We migrated from Cisco ESA to Cisco CES, we went from the on-premise solution to the cloud solution. Our primary use case is for email security. Every email is scanned by an antivirus engine and every attachment is also sandboxed before it gets back to the real person. This is an additional Cisco CES module. On top of this module, we have also subscribed for the Cisco Cloud Secure Email Encryption Service (CRES). Our other use cases are all about the functionality of the Cisco Email. We are using it as a relaying system for incoming and outgoing mail. Externally exposed web services are using the Cisco CES in order to send mails out as our domains. Another feature we use is the possibility to combine the Cisco CRES together with Cisco CES. All our documents are labelled and are obliged to be sent either through TLS (encrypted channel) or through Cisco CRES (encrypted mail) for GDPR compliance. If the destination domain doesn't support TLS, it is sent by Cisco CRES, otherwise we use TLS. This conditional check isn't (yet) available at Microsoft.

How has it helped my organization?

We already used this system on-premise. So there is no real difference except for the encryption plugin that is used. That's beneficial value. You also don't need to invest in physical hardware, location, and physical connections, and an on-premise data center. The added value of it is that every migration to a new version is initiated by the Cisco personnel, so that is a bunch of work that you don't have to do on the Cisco ESA system on-premise. As it becomes a SaaS platform, you don't need to invest anything in your own data center or in your upgrade path. There was no downtime involved in the migration from Cisco's on-premise to the Cloud Secure Email. It was important to have this business continuity going on and not to lose any emails. We have implemented everything first in a test environment. We had the test Cisco CES in the cloud together with the test exchange system and so forth. Such a smooth transition was possible because we could test everything in a test environment. If you have the knowledge of the Cisco on-premise solution, it was more like a copy-paste of the settings on the Cisco cloud solution. So the learning curve is rather low if you have the knowledge already of the Cisco system on-premise. The pricing is more or less the same, but you have to take into consideration all the work that the people have to do. If they need to patch the new system, if they need to do the patching cycle on the ESA itself, and so forth, that's where the money goes. It's not out-of-pocket money that you gain, but you gain time from people to focus on other systems.

What is most valuable?

The most valuable features of the Cisco ESA have to do with the intelligence they provide us. They respond quickly to any phishing attacks and threats on the system. I also like the pay module, sandbox, and attachments. The vendor's free migration services ensure that your on-premises licenses are transferred when you migrate. It's just a matter of money at that moment. It's good to know that they take into account your old key and give you the new keys on the new machine.

What needs improvement?

We have Microsoft and we have the E5 licenses, they have more EDR responses on certain emails. That's something that Cisco ESA on the cloud doesn't have. They don't do anything about MITRE attacks. They only detect if there is a malicious email or a threat and they remove it. If there is an email that has passed through, there is no way to have a global system delete that email from every mailbox. You have to look up the malicious files yourself. With Microsoft, you can look it up, you can hunt for that in their compliance dashboard. You can hunt that email and then delete that email in one step. That's something that Cisco doesn't have.

For how long have I used the solution?

I have been using Cisco Secure Email for more than ten years.

What do I think about the stability of the solution?

The solution has proven that it's very stable. I only recall three real problems with the system. And I've been working at the same company for 15 to 16 years. It is very stable.

What do I think about the scalability of the solution?

The scalability is fine. We have around 1500 users. There are two system engineers that support it right now. Emails grow in numbers. So sometimes we need to alter our system to hold that amount of emails or to grab all those emails and transfer them.

How are customer service and support?

I don't think we have opened a call at Cisco itself. For the encryption plugin, we opened several support tickets for the implementation. Their support was helpful. It was more technical advice. I would rate their support an eight out of ten. They are very responsive and they quickly come up with the right answer, which is important. I never give nine and 10. So sometimes they are, sometimes they come quick with responses, but within all the years, sometimes it takes a while until they find a good response. Like that book is something that took a while to find out.

How was the initial setup?

The initial setup was simple and easy. You open one screen of your on-premise Cisco ESA configuration and you copy-paste it to the other screen of your Cisco ESA system in the cloud. So the transition was very easy. It took around one month to implement. The strategy was to get rid of the physical servers and move to the cloud.

What about the implementation team?

We worked with Cameo to do the integration.

What's my experience with pricing, setup cost, and licensing?

Pricing is okay. There are no additional charges.

Which other solutions did I evaluate?

We looked at some competitors, like Proofpoint, but in comparison, we chose Cisco ESA because we kept the same technology. We knew that the migration path would be less effort than the migration part if we went to another solution or Barracuda. Proofpoint was very good at creating general DLP policies, in that you could create policies and you apply them on different platforms, like Teams. Cisco is a state-of-the-art product. I think Microsoft is catching up really quickly when you take the E5 license builder with it. I think Microsoft can take over the competition from Cisco but it could take a while.

What other advice do I have?

It's a very mature product. I would rate it a nine out of ten.

Which deployment model are you using for this solution?

Public Cloud

If public cloud, private cloud, or hybrid cloud, which cloud provider do you use?

Other

Disclaimer: I am a real user, and this review is based on my own experience and opinions.
Date published: 2021-10-03T00:00:00-04:00
Rated 5 out of 5 by from You can know exactly and accurately where an email came from and for which specific device

What is our primary use case?

It is like a gateway for email. They receive all your email traffic. They send over your email traffic, and it is the first incoming point and the last outgoing point. They deliver the traffic to the destination. Whatever it is, you want to be informed of what is happening. Depending on the site's deployment, if you have a single device, then you have all the information on the device. And if you have several devices, you have all the information on every single device for each device. However, for consolidation, you need another device called Security Management Appliance (SMA). It has no real interaction with other stuff. It does not interact with a gateway beyond the networking level. You have a router and that router provides IP addresses for a switch, etc. You don't have to integrate Cisco Secure Email with something specific since it is standalone and only requires basic essential networking. You can integrate it with a firewall, like ASA, but that firewall has to allow traffic. To do that, you would open port 25. It is available to be deployed as on-premises, on the cloud, and hybrid cloud.

How has it helped my organization?

The solution is valuable if you are looking for a security email gateway that provides you with the most services possible. It has anything that you may be looking for in an email deployment, except for the endpoint which should be supported by something else, like Exchange. It doesn't have mailboxes because it is a gateway. There are some methods to authenticate email, i.e., putting a stamp or seal of trust on an email, where one method is DKIM and another is SPF.

* For SPF in the DNS, where you have records that list the different devices or IP addresses that can send email from a specific domain, a security device can consult that DNS and check if the mail coming from that domain is coming from an authorized source.
* DKIM is a cryptographic signature of an email. It is usually what you announce is the public key of that system's PKI and verify the signature in the headers. You have a checksum of all the contents so it is possible to define or identify whether the message has been tampered with en route.

They are mutually exclusive in a way, so DMARC consolidates both. It provides alignment with the IP address, domain name, etc., and has to match at least one, being properly aligned. It has become something very important for compliance. When you are receiving, you use all this information to decide whether an email is legitimate. Or, if you also need to deploy your DKIM, DMARC, and SPF infrastructure, that lets the rest of the world know where you are sending email from and how you are authenticating your email. It can honor all SPF, DKIM, and DMARC rule sets and apply rules based on the results of these tests as well as sign the DKIM. Therefore, your email can comply with whatever you are announcing on your DNS for the rest of the world to know that you know about the signed domains. It has perfect, robust integration on that.

What is most valuable?

The most valuable feature is reputation filtering. In the beginning, it was based on just the IP source, but it has now evolved to domain reputation. It allows you to classify different IP sources and different sender groups, where you can reject to throttle to whitelist from any IP sources, domains, etc. Based on the reputation gathering, the reputation is powered by Talos security. It is a super powerful feature. That alone gets rid of more than 50% of the crap from the traffic flow, before even hitting the anti-spam or antivirus. If you have some knowledge about email, it is a pretty simple solution that has many controls on different levels, from the gateway part to accepting messages from certain sources to stringent filtering. It is state of the art with anti-spam, antivirus, and different threat prevention features. SecureX is powered by Talos, Sourcefire, etc. Today, it is the largest, richest threat intelligence on the market. SecureX is quite standalone in regards to integration since you put it into the network, whether it is on your own cloud or a third-party cloud. If you go to the filtering level, you can have very accurate features or filters since it is programmatic. At a certain point, you can define sets of rules, such as where the email is coming from, whether it has this content, or to apply this policy. For example, if it has the same considerations, but the content is different, apply this another policy. It is super flexible and very customizable to your needs. It is not difficult to use. It provides information, reporting, logging, and tracking. It has powerful tracking, so you can know exactly and accurately where an email came from, for which specific device, etc. It shows the emails which were:

* Dropped
* Rejected
* Quarantined
* Accepted by which policies.

It also shows the rule sets applied for that email and considers

* The source
* The Offender
* Anything else that you may consider in an email.

It has an intuitive, clear graphical interface where you can deploy your policies and understand the overall flow. There are a lot of things that you cannot handle on the graphic interface, like message filters. For this, you need to go to a lower level where you have more power, like command line interface. So, this solution has the best of both worlds. There are not a lot of bells and whistles. It is more practical with access to most features that you can configure.

What needs improvement?

You can consolidate on SMA if you want spam or threats quarantined for multiple devices. It is not advisable for a single device, because if it fails, you are left without any email. I would like to see a few changes to the UX. There is space for improvement with data loss prevention, particularly with third-party integration. Data loss prevention is quite important, though most customers have some third-party or other elements in their network doing data loss prevention, specifically for email. However, if it could be possible to integrate with other solutions, not only on the email flow, but on analysis for a connector or something like that, then that would be ideal. The Forged Email Detection feature needs improvement, particularly with domain. The sensors are not that good and the rule sets are unclear.

For how long have I used the solution?

I have been using it since 2004.

What do I think about the stability of the solution?

It does not add anything to the potential downtime for a corporation, unless everything fails. If all your email exchanges fail, then you don't have email, but this solution does not affect the performance of your whole network. At the minimum, you need two devices. If you have two devices and one fails, then the other one can handle the work, though you might have some email delays. You should keep track of what is going on. It does need some daily administration, fixes, and policy changes.

How are customer service and support?

In general, their technical support is really good. There are a few who are still learning, e.g., not providing enough help, but there is always the option to escalate.

Which solution did I use previously and why did I switch?

It was the IronPort before Cisco acquired it in 2007. It is the same appliance and software. This solution has been upgraded by several versions, but it is basically the same, they just changed the name.

What about the implementation team?

I have done the architecture for a company in China.

What's my experience with pricing, setup cost, and licensing?

It is a super big router that costs a few hundred thousand dollars.

Which other solutions did I evaluate?

These days, the first tiers of this market have good enough anti-spam, antivirus, etc. These have become routine. There are some other not-so-good solutions, like Barracuda and Fortinet, but it depends on how much you are willing to pay as this solution is not cheap. The best other solution is Proofpoint. They have been long-time competitors who have also been evolving. The big difference is it is more fancy because it has more bells and whistles. The solution is good as well. However, they are super expensive, not cheap. If you want a multi-tiered deployment, you could perhaps have Secure Email on the cloud and Proofpoint on-premises. Then, you have the two best solutions in the market working together. I have customers who have done this and are satisfied. Very few solutions can compete with Secure Email and Proofpoint outside of the price. If your budget is a problem, then you have a problem. Along with Proofpoint, this is the best solution in terms of preventing spam, malware, and ransomware. Check Point has fancy graphics and an interface where you can do a lot. The Cisco Secure gateway has both, though not as fancy as Check Point, but a big majority of the tasks can be done on the graphical interface level.

What other advice do I have?

It is not so difficult to use, but neither is it easy, particularly if you don't have some knowledge about email. Whatever you are looking for with an email security appliance or device, you mostly have it, though nobody is perfect. The solution's ability to prevent phishing and business-email compromise is fairly good. DKIM, DMARC, and SPF integration are the best way to prevent phishing, spoofing, etc. However, they still have room to work in this area.

Disclaimer: I am a real user, and this review is based on my own experience and opinions.
Date published: 2022-06-08T00:00:00-04:00
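The SPF, DKIM and DMARC mechanics the review above describes (SPF checks the connecting IP against the list the domain publishes in DNS, DKIM signs the message, and DMARC requires at least one of the two to pass and to be aligned with the From domain) can be seen in a small receiver-side evaluator. The block below is an added example written for this page, not code from the reviewer, from Cisco, or from the ESA itself. It uses a constructed in-memory DNS table (the domain example.com and its records are hypothetical) in place of real TXT lookups, implements only the ip4/ip6/all SPF mechanisms (include, a, mx, exists and redirect would need further DNS queries), takes the DKIM signature result and signing domain as inputs instead of re-verifying the signature, and approximates the organizational domain as the last two labels rather than consulting the Public Suffix List.

```python
"""Added example: simplified SPF evaluation and DMARC alignment check.
Not the reviewer's or Cisco's code. Uses a constructed in-memory DNS table;
a real verifier resolves TXT records, follows include/redirect, and verifies
the DKIM signature cryptographically."""
import ipaddress
from dataclasses import dataclass

# Constructed TXT records standing in for DNS answers (hypothetical domain example.com).
FAKE_DNS_TXT = {
    "example.com": "v=spf1 ip4:192.0.2.0/24 ip6:2001:db8::/32 -all",
    "_dmarc.example.com": "v=DMARC1; p=reject; aspf=s; adkim=r; rua=mailto:dmarc@example.com",
}

SPF_QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def lookup_txt(name):
    """Stand-in for a DNS TXT query; returns None when the name has no record."""
    return FAKE_DNS_TXT.get(name.lower())


def check_spf(domain, sender_ip):
    """Evaluate the domain's SPF record against the connecting IP.
    Only ip4/ip6/all mechanisms are implemented; include/a/mx/exists/redirect
    (which need further DNS lookups) are skipped as 'not matched'.
    Returns 'pass', 'fail', 'softfail', 'neutral', 'none' or 'permerror'."""
    record = lookup_txt(domain)
    if record is None or not record.lower().startswith("v=spf1"):
        return "none"
    ip = ipaddress.ip_address(sender_ip)
    for term in record.split()[1:]:
        qualifier = "+"
        if term[0] in SPF_QUALIFIERS:
            qualifier, term = term[0], term[1:]
        mechanism, _, argument = term.partition(":")
        mechanism = mechanism.lower()
        if mechanism in ("ip4", "ip6"):
            try:
                network = ipaddress.ip_network(argument, strict=False)
            except ValueError:
                return "permerror"
            if ip in network:  # False when the address families differ
                return SPF_QUALIFIERS[qualifier]
        elif mechanism == "all":
            return SPF_QUALIFIERS[qualifier]
    return "neutral"  # RFC 7208 default when nothing matched and no 'all' term


def parse_dmarc(domain):
    """Parse the _dmarc TXT record into a tag dict, applying DMARC defaults."""
    record = lookup_txt("_dmarc." + domain)
    if record is None:
        return None
    tags = {}
    for part in record.split(";"):
        key, sep, value = part.partition("=")
        if sep:
            tags[key.strip().lower()] = value.strip()
    if tags.get("v") != "DMARC1":
        return None
    tags.setdefault("p", "none")
    tags.setdefault("aspf", "r")
    tags.setdefault("adkim", "r")
    return tags


def org_domain(domain):
    """Approximation of the organizational domain (last two labels).
    Real implementations use the Public Suffix List."""
    return ".".join(domain.lower().split(".")[-2:])


def aligned(identifier_domain, from_domain, mode):
    """Strict ('s') alignment needs an exact match; relaxed ('r') needs the same org domain."""
    if mode == "s":
        return identifier_domain.lower() == from_domain.lower()
    return org_domain(identifier_domain) == org_domain(from_domain)


@dataclass
class DmarcVerdict:
    result: str         # 'pass', 'fail', or 'none' (no DMARC record published)
    policy: str         # what the domain owner asks receivers to do on failure
    spf_result: str
    spf_aligned: bool   # SPF passed *and* MAIL FROM domain aligned with From
    dkim_aligned: bool  # DKIM passed *and* d= domain aligned with From


def evaluate_dmarc(from_domain, mail_from_domain, sender_ip, dkim_result, dkim_domain):
    """DMARC passes if at least one of SPF or DKIM passes and is aligned with the
    RFC5322.From domain. dkim_result/dkim_domain are inputs here; the signature
    itself is verified by the DKIM layer, not re-implemented in this example."""
    spf_result = check_spf(mail_from_domain, sender_ip)
    tags = parse_dmarc(from_domain)
    if tags is None:
        return DmarcVerdict("none", "none", spf_result, False, False)
    spf_ok = spf_result == "pass" and aligned(mail_from_domain, from_domain, tags["aspf"])
    dkim_ok = dkim_result == "pass" and aligned(dkim_domain, from_domain, tags["adkim"])
    return DmarcVerdict("pass" if (spf_ok or dkim_ok) else "fail",
                        tags["p"], spf_result, spf_ok, dkim_ok)


if __name__ == "__main__":
    # Legitimate mail from a listed IP, signed by the From domain itself.
    print(evaluate_dmarc("example.com", "example.com", "192.0.2.10", "pass", "example.com"))
    # Spoof of the same From domain from an unlisted IP with no DKIM signature.
    print(evaluate_dmarc("example.com", "example.com", "203.0.113.5", "none", ""))
```

Running it shows the two outcomes the review is concerned with: mail from a listed IP with an aligned signature passes, while a spoof of the same From domain from an unlisted IP with no signature fails and inherits the domain's p=reject request. The third case worth trying is a signature whose d= is a subdomain of the From domain: it is accepted under relaxed alignment (adkim=r) but would not be under strict, which is exactly the "properly aligned" condition the reviewer mentions.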
Rated 5 out of 5 by from Advanced Malware Protection feature works very well, and the solution provides SDF, DKIM, DMARC, and encryption What is our primary use case? We are an internet service provider with over 1,000 customers. All our customers need a reliable solution for email security and this solution from Cisco helps us to implement the customers' needs and to offer the security the customers want. We are using all the appliances on premises. They are virtual appliances only. We are not using the cloud because we own our data center. How has it helped my organization? With Talos threat intelligence we are protected. I cannot guarantee, 100 percent, that the protection will always be there because something new can appear on the market, something that Talos doesn't know, but we are confident that Talos assures us of all the security we need. We are happy to be using it. We have a customer who was looking at our product catalog, what we offer, and he said, "I don't need this email security appliance because at my company things are secure without that." The prices are quite expensive for the security appliance and the customer wanted to manage his business without it. After some weeks, the customer came to us and said, "Help me please. We have received malware in our company and now all the data is compromised." After that, the customer chose to buy this email security appliance because his security was as important as anything else. We have more examples like that, that have happened in the last year. You are never secure without some solution from Cisco. When it comes to preventing downtime, the Cisco Security Email appliance protects our customers so that they don't lose their information and can continue working. I am sure that many of our customers have been attacked with ransomware and with malware and this solution protects them. What is most valuable? * I love the Advanced Malware Protection feature. It works very well. 
* Our customers are very happy to use the AMP sandboxing solution. * The appliance has more security such as SDF, DKIM, DMARC, and encryption. There are a lot of security features that we can implement. All the appliances are connected with Cisco Talos and they check, in real time, with Cisco Talos. AMP is using Cisco Talos, and we have other products from Cisco, such as web security and AMP for Endpoints, that are using Cisco Talos too. Talos is a very important tool that speaks with all Cisco products. What needs improvement? We have been struggling in the last month with Cisco encryption and with the S/MIME encryption. I don't know if it is an issue on our side or if these features of the solution are not working very well. The documentation is good but I'm not sure if the functionality in these areas of the solution is implemented very well. We are evaluating the situation. For how long have I used the solution? I've been using Cisco Secure Email for between eight and 10 years. What do I think about the stability of the solution? The stability of the solution has made a very good impression. In the last two or three versions, I haven't found bugs or anything that could affect the stability. What do I think about the scalability of the solution? The scalability has been fine so far. We are very happy to use the cluster functionality in the ESA. The same type of clustering in the ESA has not been implemented for Cisco web security and we have been waiting for years for that functionality for the web security. But in the Secure Email it's working very well and we are happy with it. How are customer service and technical support? Sometimes the customer support for Germany is good and sometimes it's very bad. We have over 200 technicians and we have been working with Cisco products for 15 to 20 years. We have a lot of knowledge. If someone in customer support knows less than us, it is difficult to get them to understand what we are looking for or what our needs are. 
Sometimes we need to escalate, to ask for another technician who can help us. There are times when it takes days or weeks until we receive good customer support from Cisco or from this company that supports Cisco. And when there is an issue for our customer, a few days or a few weeks could result in a disaster. How was the initial setup? I have deployed some 100 email security appliances, so from my side the deployment is very intuitive and simple. We don't have difficulty deploying it in our data center. We create our own template in our virtual environment, and from this template we are deploying further security measures. To deploy it virtually takes about 30 minutes and after that the customization for our customer could take from half an hour to a few hours, depending on how complex it is. We have five to 10 people involved in deployment of the solution. The people who work with it are technicians, the system administrators, administrators, and people in IT SecOps. Which other solutions did I evaluate? We tested only two other solutions, the Trend Micro product and the Check Point product, so I can't compare Cisco with all the solutions out there, but it's all the solution we need. For phishing and malware it's doing a good job. We didn't like the instability with Trend Micro. Check Point was complicated to use; it was a very complex system. The Cisco system is intuitive, simple to use and simple to understand. I am a technician in our company, so I don't know which solution is cheap or which is expensive. But for the functionality we stay with Cisco because Cisco is our partner and this email appliance can connect with other Cisco products. They work together and that gives us confidence in using Cisco Secure Email. What other advice do I have? When it comes to preventing phishing and business-email compromise, in the last year the efficacy has been improved. 
For four or five years this solution didn't work as well, but last year and this year we have seen that with every new version, the efficacy is there, and the solution is working better and better. Our customers are happy to use it. It has made a great impression in this area. Similarly, regarding spam, malware, and ransomware, in the last few years the solution was not so good but there was not so much malware. However, these days, the email solution from Cisco does a real good job of preventing malware. About half of our customers use Office 365. A lot of customers, if they are migrating to Office 365 from an on-premises Exchange server, choose to increase their security with Cisco. The combination of Cisco Secure Email and Office 365 is working very well. Since this migration to Office 365 started, over the last two to three years, we have had no complaints from our customers. We have trusted Cisco's email security for eight or nine years and we are going to use it in the future. We recommended it to our customers. We are happy with how it works, with the stability, features, and functions. Which deployment model are you using for this solution? On-premises Disclaimer: IT Central Station contacted the reviewer to collect the review and to validate authenticity. The reviewer was referred by the vendor, but the review is not subject to editing or approval by the vendor. The reviewer's company has a business relationship with this vendor other than being a customer: Partner
Date published: 2021-02-21T00:00:00-05:00
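The review above lists SPF, DKIM and DMARC as features the appliance enforces. The following is an added example, written for this page and not code from Cisco or from the reviewer, that shows how those three mechanisms combine into a DMARC verdict: at least one of SPF or DKIM must pass and its domain must align with the RFC5322.From domain under the record's adkim/aspf mode, otherwise the record's p (or sp for subdomains) disposition applies. The organizational-domain helper uses a "last two labels" assumption; real evaluators consult the Public Suffix List. All domains and results are constructed inputs.

```python
"""DMARC verdict from SPF/DKIM results (added example, not Cisco code)."""
from dataclasses import dataclass
from typing import Optional, Tuple


def org_domain(domain: str) -> str:
    # Assumption: organizational domain is the last two labels. Production
    # code must consult the Public Suffix List (e.g. example.co.uk).
    labels = domain.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else labels[0]


def aligned(auth_domain: str, from_domain: str, mode: str) -> bool:
    """Strict ('s') needs an exact match; relaxed ('r') needs the same org domain."""
    a = auth_domain.lower().rstrip(".")
    f = from_domain.lower().rstrip(".")
    return a == f if mode == "s" else org_domain(a) == org_domain(f)


@dataclass
class AuthResults:
    spf_result: str               # "pass", "fail", "none", ...
    spf_domain: Optional[str]     # MAIL FROM (envelope) domain SPF was evaluated on
    dkim_result: str
    dkim_domain: Optional[str]    # d= tag of the verified DKIM signature


def parse_dmarc_record(txt: str) -> dict:
    """Parse a _dmarc TXT record such as 'v=DMARC1; p=reject; adkim=s'."""
    tags = {}
    for item in txt.split(";"):
        if "=" in item:
            key, value = item.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    if tags.get("v") != "DMARC1":
        raise ValueError("not a DMARC1 record")
    return tags


def dmarc_verdict(from_domain: str, record_domain: str, record_txt: str,
                  auth: AuthResults) -> Tuple[str, str]:
    """Return (result, requested_disposition).

    record_domain is the domain whose _dmarc record was found: the From
    domain itself, or its organizational domain when no exact record exists.
    """
    tags = parse_dmarc_record(record_txt)
    spf_ok = (auth.spf_result == "pass" and auth.spf_domain is not None
              and aligned(auth.spf_domain, from_domain, tags.get("aspf", "r")))
    dkim_ok = (auth.dkim_result == "pass" and auth.dkim_domain is not None
               and aligned(auth.dkim_domain, from_domain, tags.get("adkim", "r")))
    if spf_ok or dkim_ok:
        return "pass", "none"
    # The subdomain policy 'sp' applies when the From domain sits below the record domain.
    is_subdomain = from_domain.lower() != record_domain.lower()
    policy = tags["sp"] if is_subdomain and "sp" in tags else tags.get("p", "none")
    return "fail", policy


if __name__ == "__main__":
    # Constructed inputs, not real traffic.
    rec = "v=DMARC1; p=reject; sp=quarantine; adkim=s; aspf=r"
    good = AuthResults("pass", "bounce.example.com", "pass", "example.com")
    print(dmarc_verdict("example.com", "example.com", rec, good))   # ('pass', 'none')
    bad = AuthResults("fail", "bounce.example.com", "pass", "mail.example.com")
    print(dmarc_verdict("example.com", "example.com", rec, bad))    # ('fail', 'reject')
```

The second case is the one worth noticing when debugging a strict-alignment policy: the DKIM signature verifies, but `adkim=s` rejects the `mail.example.com` signing domain against a `example.com` From header, so the message fails DMARC even though nothing was forged.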
Rated 5 out of 5 by from Filters out links and spam, stopping junk from getting through What is our primary use case? We are using it for our email gateway security for all our inbound and outbound email. We use a lot of the URL filtering and spam filtering as well as the dictionaries, e.g., if they try to spoof employee names. How has it helped my organization? We didn't have an email gateway initially. As spam was ramping up, the junk was getting through. So, we needed a gateway. We then worked with a local company who sold us this product and some training on how to get it up and running and configuring it. Over the years, they have been constantly changing it. What is most valuable? We use a lot of their search features to search for emails that have come through. Our end users come through it. They say, "This email didn't arrive," or "How did this email get through?" So, I am constantly searching through message tracing and using that all the time. What needs improvement? I use the search all the time. Sometimes, it is hard to search for things and things are hard to find. People come to me all the time, saying, "This email didn't get through." Then, I go searching and don't find it on the first search. You have to think about alternative searches. I don't know if there is an easier way that they could help to find things. I don't know how they could simplify it, because now everybody else is using the cloud and everything is coming from Office 365, or whatever. It is just not the same environment from years ago where everybody had their own server and you could search easier. When you run a trace and you are in the cloud, it's harder. You run a trace and it generates trace results. I haven't figured out how to get those off of the cloud. I don't know if there is a path to open up a ticket on that. For how long have I used the solution? Before it was purchased by Cisco, we had already been using IronPort since 2005 or earlier. 
What do I think about the stability of the solution? It is very stable. We have never had any problems. The way we are using it now, it does require maintenance. I decided to take a zero-trust approach to URL links coming in emails, or unknown links. Then, if there is a link that somebody wants to get through, I have to add that to the list to allow it. So, there are some dictionaries and things to maintain the way we are running it now that we didn't have in the past. For many years, we got it running, then forgot about it. It just ran and ran. Now, I think it is just a different environment due to the level of phishing emails, etc. The way that we are running it now, there is more to maintain, like the dictionaries and the list of employees, so somebody doesn't spoof an employee's name. It takes maybe an hour or so a week to update the dictionaries and things like that. Right now, I'm the only one maintaining it. What do I think about the scalability of the solution? The scalability is good. It seems like it still has capacity in the cloud. It is hard to tell in the cloud. However, the ones that we had on-prem were running real close to their limit for whatever reason: memory swapping and CPU utilization. So, we had to do something there. Right now, it seems like there is capacity/room to grow. The solution protects 450 users. We plan to gradually increase users. How are customer service and technical support? They have always been good when helping with problems. They are responsive and always come up with an answer. Which solution did I use previously and why did I switch? We migrated from Cisco ESA to Cisco Cloud Email Security. The appliances were getting close to the end of life. They were using a lot of CPU, so it was time to do something with them. IT management seems to be going more to the cloud now, so it made sense to go to the Cisco Cloud solution. The machines that we had on-prem were really slow. For whatever reason, they were getting real slow. 
When we went to the cloud, we got away from that problem. How was the initial setup? For the initial deployment, we might have spent a week getting it up and running. Then, we went for a day or two to training. There wasn't really any downtime involved during the migration from our on-prem to Cisco Cloud Email Security, which was important to us. We didn't want to interrupt email flow. So, we prepared it, then there was a cutover. The migration from the vendor’s on-prem to Cloud Email Security wasn't too difficult. What about the implementation team? A few times, we needed Cisco's expertise in the migration process to solve some problems for free. Because it is in the cloud, you can't get to the command line interface to access and download/upload files. So, I had to rely on Cisco for that. What was our ROI? There is a huge return compared to if we didn't have a gateway appliance, as far as blocking malicious emails. What's my experience with pricing, setup cost, and licensing? The licensing was all transferred. A fair amount of the configuration had to be done by hand. We didn't transfer the people safe list and block lists. There were a number of things that we didn't transfer because they were in the cloud. It was a matter of going through and reconfiguring. Which other solutions did I evaluate? The familiar user interface was important in our decision to migrate from Cisco’s on-prem to Cloud Email Security. We have a lot of other projects going on. Being able to migrate to something that we were already familiar with versus migrating to Proofpoint or something else was a major decision factor. I didn't have to invest that much time, resources, and learning in a whole new product. If you compare it over Proofpoint, it was a big savings. It was very competitive. It saved us from buying new appliances. Though, I don't know that would have been a big expense, because I didn't do a cost analysis of staying on-prem and replacing the appliances. 
We were more comparing the solution to Proofpoint, and the cost was considerably less than Proofpoint. It was already in place and working for us on-prem. So, I didn't want to move to Proofpoint because there would have been much more to learn. Some of the things that we were doing in Cisco, we can't do the same way in Proofpoint, from as much as I have looked at it. I know there is a difference. They have different solutions. They have some solutions that aren't configurable at all, such as the lower-priced ones. They have another one where you are just like a tenant and everybody gets the same thing; then, for it to be customizable, it is a lot more expensive. In orders of magnitude, it is more expensive than Cisco, which didn't make sense. With all the little tweaks and customizations that we're doing, I couldn't see how to do that based on the time I spent looking at Proofpoint. It might be doable, but I didn't figure out how to do it. So, I think Cisco is a little more configurable than Proofpoint for tweaking. I could be wrong, but that is my impression. What other advice do I have? There wasn't much of a learning curve involved in migrating from Cisco's on-prem to Cloud Email Security because they are very similar. There were just a few things that were different. It is a good product. Be prepared to invest time in learning it, like anything. You need to have somebody who is a key administrator, like any enterprise-level product that you would bring in. Even if you have Salesforce or whatever, you need to have an administrator who knows how to keep it running. Email threats just keep getting worse and worse, so you need to keep on your toes. I would rate this solution as a nine (out of 10). Disclaimer: IT Central Station contacted the reviewer to collect the review and to validate authenticity. The reviewer was referred by the vendor, but the review is not subject to editing or approval by the vendor.
Date published: 2021-02-02T00:00:00-05:00
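The reviewer above describes two controls that need weekly care: a dictionary of employee names used to catch senders spoofing a colleague's display name from an outside domain, and a default-deny stance on links where every permitted host has to be added to an allowlist. The following is an added example, written for this page and not Cisco code or the reviewer's configuration, that models both checks over a constructed message. The internal domains, employee names and allowlisted hosts are assumptions; the name comparison is order-insensitive so that "Doe, Jane" matches "Jane Doe", and the link check treats any host not under an allowlisted domain as a finding, which is the maintenance burden the reviewer mentions.

```python
"""Display-name impersonation and link allowlist checks (added example)."""
import re
from email import message_from_string
from email.utils import parseaddr
from typing import List, Optional
from urllib.parse import urlparse

INTERNAL_DOMAINS = {"example.com"}                       # assumption
EMPLOYEE_DICTIONARY = ["Jane Doe", "John Q. Public"]     # constructed
URL_ALLOWLIST = {"example.com", "sharepoint.com"}        # constructed

URL_RE = re.compile(r"https?://[^\s<>\"']+", re.IGNORECASE)


def name_key(name: str) -> tuple:
    """Order- and punctuation-insensitive key: 'Doe, Jane' == 'Jane Doe'."""
    return tuple(sorted(re.findall(r"[a-z]+", name.lower())))


EMPLOYEE_KEYS = {name_key(n) for n in EMPLOYEE_DICTIONARY}


def sender_domain(addr: str) -> str:
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def check_display_name(from_header: str) -> Optional[str]:
    """Flag an employee's name on a From: address outside our own domains."""
    name, addr = parseaddr(from_header)
    domain = sender_domain(addr)
    if not name or domain in INTERNAL_DOMAINS:
        return None
    if name_key(name) in EMPLOYEE_KEYS:
        return f"display-name impersonation: '{name}' sent from external domain {domain}"
    return None


def host_allowed(host: str) -> bool:
    """Exact match or subdomain of an allowlisted domain; nothing else passes."""
    host = host.lower()
    return any(host == d or host.endswith("." + d) for d in URL_ALLOWLIST)


def check_links(body: str) -> List[str]:
    """Default-deny: every link whose host is not allowlisted is reported."""
    findings = []
    for url in URL_RE.findall(body):
        host = urlparse(url).hostname or ""
        if not host_allowed(host):
            findings.append(f"link to non-allowlisted host {host}: {url}")
    return findings


def scan_message(raw: str) -> List[str]:
    msg = message_from_string(raw)
    findings = []
    hit = check_display_name(msg.get("From", ""))
    if hit:
        findings.append(hit)
    body = msg.get_payload() if not msg.is_multipart() else ""
    findings.extend(check_links(body))
    return findings


# Constructed sample message, not real mail. The look-alike domain uses
# "rn" in place of "m", a common impersonation trick.
SAMPLE = """From: "Doe, Jane" <jane.doe@exarnple-mail.net>
To: finance@example.com
Subject: Urgent wire approval
Content-Type: text/plain

Please approve today: https://login.exarnple-mail.net/approve
Policy reference: https://intranet.example.com/wire-policy
"""

if __name__ == "__main__":
    for line in scan_message(SAMPLE):
        print(line)
```

Running it on the sample yields two findings: the spoofed display name and the link to the look-alike host; the intranet link passes because `intranet.example.com` falls under an allowlisted domain. A host such as `example.com.attacker.net` does not, which is why the suffix check is anchored on a leading dot rather than a plain substring match.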
Rated 5 out of 5 by from Low rate of false positives, good support, and it integrates well with other Cisco security products What is our primary use case? All of our inbound and outbound emails flow through the CES environment and we leverage it for spam filtering, phishing filtering, malicious URL detection, attachment scanning, and data leak protection. It basically covers all of the security layers for email. How has it helped my organization? It's cut down quite a bit on the amount of false-positive spam that we get. The spam engine that's utilized by CES, we found to be pretty effective. It's rare that things end up in a quarantine when they aren't supposed to be there, which is very beneficial. I believe that was one of the reasons that we moved from the previous hosted solution that we were utilizing to CES. What is most valuable? The malicious URL scanning, as well as the anti-malware features, have been really useful for us in our environment. Specifically, the URL scanning has helped to knock down quite a few phishing attempts that come into the organization. The broader blanket automated attempts get knocked down pretty quickly since those URLs typically get flagged early on, and then the appliance just picks up on those URLs and knocks them down. It is the same with malicious attachments. The malware scanning that's done via AMP, which is deployed elsewhere in the organization as well, just grabs all of that before it hits the inboxes. We have our email security feeding into the SecureX solution and it's nice to have all of our security platform statistics in one place. We leverage quite a bit of the Cisco security stack and having all of that feed into the SecureX dashboard is great. The dashboard continues to evolve, but it is at least nice to be able to see everything at once. Integrating this product with SecureX was pretty quick and easy. 
Both of the solutions are cloud-hosted and the SMA, which is the reporting module that feeds the data into SecureX, was done via the API. The documentation on the SecureX portal walks you through exactly how to add the various integrations. We leverage the AMP functionality that exists in CES, and it also ties into threat response, which is the threat-hunting platform that Cisco has. The benefits of these integrations were pretty important in the decision to stay within the Cisco product family. The threat hunting and threat response are really nice because we're able to see if something malicious makes it into the environment. Once that happens, we are able to trace that back and find out if that was done via an email, and then grab the information for that specific message. This will tell us if there have been any other indications of compromise on any other hosts. When it comes to being able to do that, having it all in a uniform environment is pretty important. What needs improvement? The UI is definitely one area of improvement because it doesn't match other interfaces and the navigation can be a little clunky. Generally speaking, it is just dated, and I know that they're working on enhancing it for later versions. They should continue to develop their integration with Office 365 or Hosted Exchange since a lot of organizations, ours included, are moving primary Exchange services to the Microsoft Cloud. Being able to integrate tighter with that environment is important. For how long have I used the solution? I have been using Cisco Secure Email since joining the company. What do I think about the stability of the solution? We haven't had any issues at all with the stability of the platform. What do I think about the scalability of the solution? With it being cloud-hosted, it can scale as wide as you need to. We have roughly 1,000 employees and all of our inbound and outbound emails go through this system. 
This means that there are several tens of thousands of messages a day flowing through it. We haven't had any sort of performance issues at all with our environment. How are customer service and technical support? Cisco's technical support is very good. We've just recently had a couple of tech cases that we needed help with. We were researching why some of our partner's messages weren't getting through intact. Because this is a hosted solution and they have quite a bit of visibility, it has always been great. We've never had any issues with support on this platform. Which solution did I use previously and why did I switch? In previous organizations, we've leveraged Postini, which was a cloud-based solution that was acquired by Google. I've also worked in environments that have leveraged Microsoft's Office 365 email spam filtering, and they've been good, but generally, usability is sometimes a problem. It goes back to the UI and then the accuracy. The amount of spam that is stopped has not always been great. As such, I feel that CES has a pretty good balance in that regard. What about the implementation team? As this solution is hosted on Cisco's cloud, we don't manage the underlying infrastructure. We probably have about eight individuals who work with it. Some of them are within our support organization, there are messaging or Exchange admins, and there are network engineers. What was our ROI? Return of investment is something that is difficult to measure because you're essentially trying to prove a negative. It is difficult to say what it has prevented or what has been stopped from happening. That said, I think the overall satisfaction, at least from the user perspective, is good. When you consider the spam and anti-phishing components, in addition to the IT benefit of the anti-malware and antivirus, I think we definitely get an appropriate return. Nobody questions the expenditure on the solution as being ineffective. 
What's my experience with pricing, setup cost, and licensing? With respect to transferring policies and licenses, Smart Licensing has really improved the overall licensing model for Cisco. We've been really happy with Smart Licensing. There are additional fees for adding features. For example, things like AMP are additional licenses. Because it's all done via the Smart Licensing portal, when new licenses are acquired they're dropped in our bucket, so to speak, and then the solution just grabs those licenses. There is no back and forth required. The license ends up in the bucket and then the solution syncs with Smart Licensing and we're good to go. What other advice do I have? For the future, we are looking at moving to newer versions that allow for additional advanced phishing protection. That's something that we're targeting. Also, we're trying to figure out how to streamline our mail flow with the majority of our inbound and outbound email that is now flowing through Office 365. Essentially, we're figuring out how we can tighten up that integration and lessen our dependence on on-premises Exchange for our mail flow. With respect to versioning, it is controlled by Cisco. I believe that version 13.5 is when they introduced the advanced phishing protection. We're notified when new versions are released and we can ask for earlier versions, but we get adopted once those versions become generally available. My advice for anybody who is implementing this product is to leverage the Cisco Validated Design (CVD) documents that exist. They're super helpful. Cisco has done a lot of work with Microsoft in figuring out integrations and documenting those. There is quite a bit of really good documentation, both within Microsoft and Cisco on building those integrations and configuring them. We have also leveraged Cisco's adoption services around renewal times to make sure that we're using the platform to the fullest extent. 
They offer health checks for their hosted solutions, so on a yearly basis, you can sit down with an engineer and walk through and make sure you're on a good version of the code. You can make sure that you've again implemented from a high level, those feature sets correctly, and that you're leveraging things properly. Cisco does a lot of things to make sure that it's an easy renewal conversation to have, specifically with leadership. The biggest lesson that I have learned from working with this product is to make sure that you're engaged with your Cisco teams to guarantee that you're getting the most benefit out of the platform. Again, you should be taking advantage of the health check services and adoption services because they're really unique. In summary, this is a good solution but I think there's always room for improvement. I don't think that anything is perfect and they've definitely got some work to do on tightening up the UI and the configuration presentation. From a functionality perspective, the platform is great. I would rate this solution an eight out of ten. Which deployment model are you using for this solution? Public Cloud Disclaimer: IT Central Station contacted the reviewer to collect the review and to validate authenticity. The reviewer was referred by the vendor, but the review is not subject to editing or approval by the vendor.
Date published: 2021-05-02T00:00:00-04:00
Rated 5 out of 5 by from Very configurable technology that combines AMP, Threat Grid, and Sandboxing What is our primary use case? We are using it as our email firewall. It's our first line of email defense. How has it helped my organization? Overall, the ease of migration to Cisco's cloud email security from the on-prem solution was a positive experience. We are very happy with the change. It makes security easy. The cloud solution is doing a great job. We are stopping more emails, and in a better way, than we did in the past. It's also not stopping as many good emails, but I think this is because Talos has gotten better, rather than something to do with the cloud technology. But the numbers over the past year are significantly better compared to the past. What is most valuable? We like:
* AMP
* Threat Grid
* Sandboxing

The spam protection is also very good and the solution is very configurable. It has enabled us to configure some specific filters to stop emails that general configurations didn't stop. It's a powerful solution. It can analyze a lot of emails simultaneously, with no problems in terms of capacity or system load. It seems that machines on the cloud are more powerful than the ones that we had, in the legacy solution, on-premises. What needs improvement? They can do it better with web links, with the URLs. They have a technology called Outbreak but it doesn't work as well as we would like. It does have a new feature called Cloud URL Analysis, but we can see enough information about detection, information that helps us to properly configure the technology. For how long have I used the solution? We have been using the cloud solution for one year, but before that we were using it on-premises for three years. What do I think about the stability of the solution? It's very stable. We haven't had any issues with the stability. It hasn't gone down, and it has managed the flow of our email volume really well. How are customer service and technical support? 
The technical support is excellent. They are proactive. They are monitoring things and helping us every step of the way. The technical support is at an excellent level. How was the initial setup? The migration to the cloud email security was complex because we have a lot of customization. We needed to reevaluate some of the policies that we were applying via the email security. But technically we had more difficulty previously because we didn't have the premium support. We had to read a lot of documentation and experiment. Now, with the premier support, it's easier. We re-created everything in the cloud solution. We re-evaluated everything when we migrated. There were some things we didn't migrate, while some new things were created. It took us nearly one year for all the integrations and the migration to be complete, from the initial evaluation of the new product to the end of the migration to CSE, when it assumed all the email traffic for our organization. We didn't have any particular problems with downtime during the migration. That time includes analyzing, configuring, and improving things in production. Our team that works directly with Secure Email consists of five people who are configuring the tool. What about the implementation team? We used consulting from Cisco the whole time during our migration. With the premium support we now have one person who knows our configuration, our needs, and who can help us more than in the past when we didn't have that level of support. What was our ROI? ROI is difficult to determine. We think we have seen ROI, but we need to have an incident to evaluate whether the investment has really paid off. But no incidents means it's a good investment. We haven't saved money by moving from on-prem to the cloud email security because we acquired the premium support. But we are happy with it, as they help us not only with issues that have happened, but also with configuration and with learning the technology. 
This is a very important factor, which we value. What's my experience with pricing, setup cost, and licensing? Cisco Secure Email and the support are priced well. It's not cheap, but there are other solutions that offer less and cost so much. For example, Microsoft is more expensive than Cisco. Which other solutions did I evaluate? We know there are some solutions that have a higher level of protection for email, but we're very happy with the price of this one and with the way it is working. We have Microsoft email security too, but not as the first line of defense. Microsoft's email security has its advantages but it is less secure, less configurable, and less powerful than Cisco's solution. What other advice do I have? It's a great solution for big enterprises that need a higher level of security than is offered by Microsoft solutions. Other solutions are targeted at smaller enterprises, that are without a security administrator and without people monitoring and supervising the technology. But for a big enterprise, Cisco Secure Email is a great option. We have integrated the solution with SecureX and Threat Grid, and we already had Talos, of course. The Sandboxing is needed, it's a basic functionality for us. As for the rest of the integrations, they are less important. We integrate with some external feeds, but Talos is good enough for the technology not to need additional feeds. When migrating from on-prem to the cloud email security, the interfaces are basically the same. The new interface was developed only for the cloud solution, but the classic interface, when it comes to the configuration of the machine, is basically the same for both the on-premises and cloud solutions. Overall, it's a very configurable technology. We think it has all the weapons we need to fight against threats. Disclaimer: IT Central Station contacted the reviewer to collect the review and to validate authenticity. 
The reviewer was referred by the vendor, but the review is not subject to editing or approval by the vendor.
Date published: 2021-03-22T00:00:00-04:00