Cisco Email Security Review

Black-listing and white-listing are highly intuitive and easy to do


What is our primary use case?

It's our primary enterprise email gateway. It's the first stop for edge email security.

How has it helped my organization?

One of the things that I like most is that, since we do have a Cisco Enterprise agreement - we have a lot of Cisco products - we're able to consolidate reporting a lot better. Reportability is a lot more end-user accessible, or easier to acquire. The solution overall does what it does, but being able to quantify that, put it into reports that are easy to analyze, is probably the best and the largest gain that we acquired in switching.

What is most valuable?

One of the nicest things is that parts of it are highly intuitive. For instance, black-listing, white-listing, and things of that nature are very easy to do and they're very intuitive. You wouldn't even need any training to be able to perform those actions straight out-of-the-box. 

Even though it's not perfect, it has the IMS engine, Intelligent Multi-Scan engine, and it does a good job, right out-of-the-box, of blocking the vast majority of things that should be blocked. Again, it's not 100 percent, but out-of-the-box I didn't have to touch it, I didn't have to tune it, I didn't have to tweak it. I believe it leverages the threat-intelligence database and does what it needs to do in making sure that the bad stuff stays out and virtually all of the good stuff makes it through.

What needs improvement?

We find bugs, just like anyone else. We bring them to Cisco's attention. 

If there was one area I would like to see improved it might be having someone who can help us when Cisco comes out with a new product. Let's say I'm going to be purchasing and utilizing version two of this product. They assign me an account specialist and a technical specialist to help with the bring-up. It would be nice if the specialist would be able to help foresee some of the issues we might run into, specific to the version we're implementing. I know that's a bit of a loaded issue because sometimes it depends on your particular environment. I know that's very difficult.

But, there have been some instances where particular hiccups could have been avoided if the individual assisting us was slightly more versed in the version that we were going with. Maybe he could have told us that it wasn't the version we should have gone with. Maybe we should have gone with a previous version and then skipped over this version until they came out with a more upgraded version of it. The version we first chose might be a stable version in general, or it might be stable for other environments, but not for our particular environment.

There's one other thing I would like to see. It would be nice to have an easier way to check on the health of the system, how stressed these appliances are. Sure, you can do it, but it would be helpful to have an easier way to do it, maybe even at a glance. That was something that Proofpoint had that I wish I had here. That would be very useful.

For how long have I used the solution?

One to three years.

What do I think about the stability of the solution?

It's been stable. I don't have to do anything with my email gateways. They chug along and they do what they do. They don't always get it perfect, but I have never had one fail on me. And I've never had a problematic appliance that I'm aware of. We had Proofpoint for a lot longer, but if I were to compare the percentages, I would have to say that the stability of Cisco appliances is superior to that of our previous Proofpoint environment.

What do I think about the scalability of the solution?

We haven't had to address scalability. The umbrella IronPort is broken down into two halves: email security and web security. I haven't had to deal with the scalability of the email security at all. But since they're both under IronPort, I have had to deal with scalability on the web security end. Relying on some of that experience, my assumption is that the way it worked for the Web Security Appliances is probably pretty similar to how it works for the Email Security Appliances. With that in mind, I can say that scalability is not an issue. It's as easy as just bringing another ESA into the cluster.

In terms of plans to increase usage, if you ask any enterprise they're going to tell you, "Yes, of course, we're going to grow, and as we grow we're going to use more." And the reality is, any growing enterprise is going to utilize email more and more. As the landscape morphs and changes, so do your rule sets and the features available to you on these appliances. Will we be using it more and more? Absolutely. Will it be a daily thing? Absolutely. I'm in these appliances every single day, taking a look and tuning where necessary and trying to find more efficient ways to handle the email traffic flow. It's safe to say that for any enterprise that's going to be the case.

If you previously used a different solution, which one did you use and why did you switch?

We were using Proofpoint and then we switched to Cisco. As I mentioned above, reportability was one of the main reasons we switched, but the biggest one was cost. If you can get an equivalent functionality for a better price it's wise to do so. That's what our primary decision came down to: We could get equivalent functionality at a lower price point.

How was the initial setup?

There were definitely parts that were straightforward. The initial bring-up of the gateways was actually cloud-hosted and was done primarily by Cisco. There were definitely aspects of it that I didn't even have to touch and it was wonderful. They just did it for me and that was great. 

When I took over administration there were aspects that were definitely easy and intuitive like the basics of being able to set blocks and set allowances when you have false-positives and false-negatives. It kept the basics simple. 

Of course, just like with any enterprise technology product, it can get as complicated as you want it to. There are a lot of granular controls that you have the ability to tune, but doing so requires more in-depth knowledge and more in-depth training and making sure you know what you're doing. Otherwise, you can end up doing things you never intended to do.

The initial bring-up, the initial switch from Proofpoint to Cisco, was pretty quick. We had a little bit of redundancy but the overlap was a couple of weeks at most. I would condense it down to about a week, because there was one week where it was mainly status updates. As far as tuning the appliances and tuning the filters go, that's an ongoing process for me. I still do that today.

In terms of implementation strategy, you want to minimize downtime, so it's important tor run in parallel for a little while. Thankfully, we had the ability to point some test traffic to the new appliances before moving the rest of the enterprise over. So it was:

  • run in parallel
  • send test traffic to the new Cisco gateway appliances, to make sure that things are flowing the way we'd expect them to 
  • and then we staged it a little bit more. 

We accept emails from multiple domains and we moved our primary domain last. We started by moving over some of the lesser-used domains to verify things were okay and then moved over the primary domain last. It was a typical implementation that most people have: Run in parallel until you verify, and then move everything over.

Regarding staff for deployment and maintenance, right now it's just me, but it's unwise to have just one. What happens if I get hit by a bus? To do this properly you would need at least two. 

In an enterprise you end up with a myriad of email hiccups. Email hiccups are one of the most common. Being on the information security team, you have to look at it in a multi-faceted way. That means I'm not just looking at the flow of data. I'm also having to analyze the contents of the data and then start to determine whether I need to dig further into it to see if this particular message possibly went to multiple recipients. That's the investigative piece. The administrative piece is a given, but then you also have an investigative piece on top of that. That can be a lot to do, it could be an overwhelming amount for a single person to try to do. That's especially true when something does happen. 

One person is probably going to be consumed with trying to do all that. Is it doable? Sure. Is it advisable? No.

What about the implementation team?

Since we are using Cisco cloud appliances, we had to have Cisco's involvement. They brought up the cloud appliances, where the initial configuration is done, and then we were the ones who started doing the final configurations, the moves and the migrations, as we entered the testing phase. We then moved more toward the final production move.

In terms of our experience with Cisco reps, I can speak on it more broadly as well, not just from a shear email-security perspective. When implementing a Cisco product, they're great in those initial stages. You get that expert help and it's a relatively smooth bring-up. For the things that go wrong, you have a Cisco person working with you who has the answer or knows who to go ping to get the answer. It's really nice.

That changes a little bit as time goes on. Once that expert is no longer helping you with your initial bring-up, then you rely more on the vendor's support matrix to get your solutions further tuned and to work out the little wrinkles as you experience them. Of course, it is universal - I haven't seen an example where this is exception - that this process is less smooth. 

As far as initial bring-up goes with Cisco, it's very smooth. Once that expert is no longer working with you on the bring-up and you run into issues and need to get help, that's less smooth. It's less smooth in that when you call any vendor's support line you get varying degrees of expertise. The same challenges are experienced with any international company where there could potentially be language barriers, based on where your call gets routed for support. That can slow the whole process down a bit.

That's just a reality of today's world, but it's workable. Unfortunately, it's a rather normal thing but there are different skillsets depending on the individual you're talking to, and then, depending on what the issue is and how complex the issue gets, your time to resolution may end up dragging out a lot longer than you had originally anticipated.

Which other solutions did I evaluate?

Our top-three choices were considering staying with Proofpoint, as well as Cisco, and Microsoft. We were looking at the bigger names.

What other advice do I have?

In retrospect, I would probably want to talk to someone like myself. I'm now using Cisco security appliances and I can see how someone like me in another agency would benefit from talking to me about: "Hey what do you see? How's it going? What have your experiences been with the product?" If you can, find someone who is actually using it and talk to them.

In addition, it really depends on where you're coming from. The learning curve is going to be there regardless, because it's a new product. But if you're coming from a smaller email security platform up to this one, the learning curve is going to be steep. You may actually want to invest the time and the money into some additional training. Don't neglect that because if you just try to rely on Cisco support you're going to notice pretty consistent slowdowns. If that's okay, then it won't be an issue. Of course, it's always okay until something urgent comes up. If you're trained up, you can handle it yourself. Nobody knows everything, but it's in your best interest to know as much as possible. 

Disclosure: IT Central Station contacted the reviewer to collect the review and to validate authenticity. The reviewer was referred by the vendor, but the review is not subject to editing or approval by the vendor.
1 visitor found this review helpful
Add a Comment
Guest

Sign Up with Email