
Cisco IronPort E-Mail Security Use Cases

Hi,

I've thought about some use cases for Cisco IronPort E-Mail Security. The code is pseudo code and not transferable 1:1 to a rule. So if I'm waiting for various conditions like devEventClassID = "ACCEPT" && message = "antivirus positive", I'm waiting for different events. In that example those two event fields will never be in one event.

UC #01: Detect possible SPAM wave

if

  message = "verdict negative" && <Email submitted> && devCustStr1 != TRUSTED

then

  AddToList("Possible_SPAM_Wave_SrcIP",SrcIP) //Field "Count" automatically +1

if

  Possible_SPAM_Wave_SrcIP.Count > X //X must be significantly higher than normal email traffic //To detect "Count < X" use ArcSight internal events

then

  SendMail "Possible SPAM Wave detected"

A further improvement could be a comparison against an external reputation DB like projecthoneypot.org. So if the Src IP is not trusted by IronPort OR by the ext. DB, put it on a list.

UC #02: Source spreads virus

if

  DevEventClassID = "ACCEPT" && message = "antivirus positive"

then

  AddToList("Virus_via_E-Mail_from_accepted_Source",SrcIP) //Field "Count" automatically +1

if

  Virus_via_E-Mail_from_accepted_Source.Count > 5 //To detect "Count > X" use ArcSight internal events

then

  SendMail "Possible Virus spread via E-Mail detected"

A further improvement could be to use a combination of SrcIP and Email Address. PRO: Reduces false positives if this type of email comes from Gmail. CONTRA: If emails are sent by 1000 various email addresses from one source, the counter won't become higher than 5.

UC #03: Attachment deleted by endpoint antivirus, but virus not detected by IronPort

IronPort

if

  devEventClassID = "ACCEPT" && devEventClassID = "Attachment found" && message = "verdict negative"

then

  AddToList("Submitted_attachment",SrcIP,AttachmentFileName)

Endpoint antivirus

if

  name = "Virus detected" && Submitted_attachment.AttachmentFileName == FileName

then

  Report with Output who has all those files too

  Maybe decrease reputation from good to bad

With the last option "Report with Output who has all those files too" you can see if another endpoint with no AV or old signatures has this file too.

These UCs are just ideas at the moment, not yet implemented.
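
As an added illustration (not code from the post above, and not an ArcSight rule), the following Python correlator shows how the three use cases work once you accept that the conditions span separate events: UC #01 counts per source, UC #02 joins the ACCEPT event with the later "antivirus positive" event, and UC #03 joins IronPort's attachment record with the endpoint AV event. The field names (deviceEventClassId, message, src, devCustStr1, mid, fileName, dhost), the use of a message id as the join key, the thresholds and the sample events are all assumptions made for the example.

```python
"""Stateful correlation of the three IronPort / endpoint-AV use cases.

All events are constructed CEF-style dictionaries, not captured IronPort logs.
Field names and the "mid" join key are assumptions modelled on the post's
pseudo code, not a documented IronPort or ArcSight schema.
"""
from collections import defaultdict

SPAM_WAVE_THRESHOLD = 3     # the post's "X"; must be well above normal traffic
VIRUS_SPREAD_THRESHOLD = 2  # the post uses 5; lowered so the sample data triggers


class Correlator:
    """Holds the state the post's AddToList() lists would hold in ArcSight."""

    def __init__(self):
        self.spam_wave = defaultdict(int)     # UC01: src -> count
        self.accepted = {}                    # UC02: mid -> src of the ACCEPT event
        self.infected = set()                 # UC02: mids with an "antivirus positive"
        self.virus_spread = defaultdict(int)  # UC02: src -> count of infected mails
        self.attachments = defaultdict(set)   # UC03: fileName -> {(src, recipient host)}
        self.alerts = []                      # (title, detail) tuples, in firing order

    def ingest(self, ev):
        cls, msg = ev.get("deviceEventClassId"), ev.get("message", "")
        src, mid = ev.get("src"), ev.get("mid")

        # UC01: untrusted source whose accepted mail keeps getting a negative verdict
        if cls == "ACCEPT" and msg == "verdict negative" and ev.get("devCustStr1") != "TRUSTED":
            self.spam_wave[src] += 1
            if self.spam_wave[src] == SPAM_WAVE_THRESHOLD:  # fire once, on crossing
                self.alerts.append(("Possible SPAM Wave detected", src))

        # UC02: ACCEPT and "antivirus positive" never share an event; join them on mid.
        # Works in either arrival order because both sides are checked after updating.
        if cls == "ACCEPT":
            self.accepted[mid] = src
        if msg == "antivirus positive":
            self.infected.add(mid)
        if mid in self.accepted and mid in self.infected:
            owner = self.accepted.pop(mid)  # credit each message only once
            self.infected.discard(mid)
            self.virus_spread[owner] += 1
            if self.virus_spread[owner] == VIRUS_SPREAD_THRESHOLD:
                self.alerts.append(("Possible Virus spread via E-Mail detected", owner))

        # UC03, IronPort side: remember who received which clean-looking attachment
        if cls == "ACCEPT" and msg == "verdict negative" and ev.get("fileName"):
            self.attachments[ev["fileName"]].add((src, ev.get("dhost")))

        # UC03, endpoint side: AV flags a file IronPort let through -> report all recipients
        if ev.get("name") == "Virus detected" and ev.get("fileName") in self.attachments:
            recipients = sorted(host for _, host in self.attachments[ev["fileName"]])
            self.alerts.append(("Attachment missed by IronPort", (ev["fileName"], recipients)))


def sample_events():
    """Constructed sample stream covering all three use cases (not real log data)."""
    evs = []
    # UC01: untrusted 203.0.113.7 has three accepted mails with a negative verdict
    for i in range(3):
        evs.append({"deviceEventClassId": "ACCEPT", "message": "verdict negative",
                    "src": "203.0.113.7", "devCustStr1": "UNKNOWN", "mid": f"m{i}"})
    # A TRUSTED partner with the same pattern must not count
    for i in range(3):
        evs.append({"deviceEventClassId": "ACCEPT", "message": "verdict negative",
                    "src": "198.51.100.4", "devCustStr1": "TRUSTED", "mid": f"t{i}"})
    # UC02: 192.0.2.9 delivers two infected mails; the AV verdict is a separate event
    for i in range(2):
        evs.append({"deviceEventClassId": "ACCEPT", "message": "accepted",
                    "src": "192.0.2.9", "mid": f"v{i}"})
        evs.append({"deviceEventClassId": "AV", "message": "antivirus positive", "mid": f"v{i}"})
    # UC03: invoice.zip passes IronPort to two hosts; one endpoint's AV later flags it
    for host in ("pc-01", "pc-02"):
        evs.append({"deviceEventClassId": "ACCEPT", "message": "verdict negative",
                    "src": "203.0.113.50", "devCustStr1": "UNKNOWN", "mid": "a-" + host,
                    "fileName": "invoice.zip", "dhost": host})
    evs.append({"name": "Virus detected", "fileName": "invoice.zip", "dhost": "pc-01"})
    return evs


def run(events=None):
    """Feed events through a fresh correlator and return the alerts it raised."""
    c = Correlator()
    for ev in events or sample_events():
        c.ingest(ev)
    return c.alerts


if __name__ == "__main__":
    for title, detail in run():
        print(f"{title}: {detail}")
```

The UC #03 report lists every host that received the same attachment, which is the "who has all those files too" output from the post; the untrusted source in that scenario also feeds the UC #01 counter but stays below the threshold, which is why the threshold has to sit well above normal traffic.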


Re: Cisco IronPort E-Mail Security Use Cases

Additionally I think you can look for Email that is sent unencrypted, and then go into reporting on total bytes by user or domain.
