Cisco Secure Email Review

Stops the vast majority of email from getting in, across our multiple email domains


What is our primary use case?

The main use case is simply as a point of contact for all the emails to go through first, before they ever get into the Office 365 environment, so they can be scanned and checked for malware and spam, all before Office 365 even sees it.

We're currently on version 12. Our instance is in the cloud and we don't actually upgrade it, they do it for us. It should be upgraded to 13 in the next month or two.

How has it helped my organization?

The last time I checked, which was about a month ago, when I looked at all the emails sent to any of our domains — because we have about 10 email domains, and they all go through the appliance — by looking at a report the solution has, I saw that 84 percent of the email sent to those domains never got to our Office 365, because it was spam, malware, phishing, or there was something wrong with it. So it stopped 84 percent which was bad email. Based on my experience and talking to users, 99.8 or 99.9 percent of those emails that were stopped were spam or malware. There might've been 0.1 percent that was caught by the mistake. But that's 84 percent of email not even getting into our systems.

It has prevented downtime. The simple fact that 84 percent of them were stopped keeps people from having to look at those in their mailbox. If you take 1,000, out of that number 840 didn't even come through. That's less wasted time going through your mailbox and reviewing your messages. It also frees up the users, when they do see something that's not anywhere near normal, to clue in that there might be something wrong. We have had emails get through, phishing emails and things like that — it has happened — but I would say we probably get one through about twice a month, at most. The users will immediately shoot it right to the help desk. "Is this real? Is this spam? Is this something I should do?" There's no way to really put a number on it, because I've never really looked into it, but if nothing is coming through that you didn't want to see, then there's no downtime.

Only in a couple of cases have we had a user actually do something they shouldn't have done before they notified us, but that's training. You never have a perfect solution. Two a month is our average, over the last year, of emails that got through that we wished hadn't gotten through, but no harm came of it because the user notified us, and we just told them, "Delete it." We make sure everything is working right and that there was no malware involved and we let it go.

Also, as far as the IT department goes, it's made our lives a lot easier. We get emails if anything does happen. We've chosen to see any event. We only get notified of exceptions that we want to investigate or we want to look into. That makes things easier because we're not out looking all the time. We can wait for the email to come in.

We can look at the updates and the different changes Cisco makes to the system to see if any of those things is going to help us. We think about whether we want to invest any time in configuring those? And once it's configured, you're done. The most difficult part of that is remembering what you did. So we've learned to do our documentation that much better because we need to be able to go back and read what we did before, what we configured.

Our company might buy another company, so we have another domain to add our list of domains for email. In less than an hour we have all that set up and the whole system working, with emails going through the appliance. It's saved us a tremendous amount of time daily, just in terms of keeping track of things.

What is most valuable?

Their trajectory feature is the most valuable. What I mean is that it has the ability to tell us, after an email has been delivered, where else it went, once it got inside. Maybe it's something we wanted it to stop and it didn't stop it, but it notified us later that it was something that it should have stopped. It can give us a trajectory of all the other places that it went internally and it can tell us what files were transferred as well.

It does a great job of preventing spam, malware, and ransomware. I can only go by what people have told me and what I've seen, but I have not seen spam in a year and a half to two years in my own company mailbox. And there are not a lot of catches where it's catching something that should have gotten through, either. We have an email going out daily of everything it puts into quarantine for a user, so the user can release it if it was caught accidentally. In the last six months, I have probably have had to release six or seven emails. It's not catching them. It's doing a good job of striking a good balance.

That is partly due to how you configure it, but we used the standard, best practices when we configured it. We do go back to Cisco, when they offer a free evaluation to review our configuration every nine to 12 months. That helps us make sure that it's set up right and, if there are any new features, that we're aware of them. We do take them up on that every time they offer it.

What needs improvement?

When it comes to phishing, I would not give this appliance a perfect score by any means. It's hard to get a perfect score on phishing with any solution. But typically, in a phishing email, they try to use a name everybody's going to recognize, like the CEO's name or the CFO's name. They might spell it wrong, but they will try to get your attention so that you'll do something.

With this appliance, the way it's designed at the moment, for us to really stop that with any level of confidence, we have to build a dictionary of all the names of the people we want it to check, and all the ways they could be spelled. My name would be in there as Phillip Collins, Phillip D. Collins, Phillip Dean Collins, Phil Collins, Phil D. Collins. There could be eight or 10 variations of my name that we'd have to put in the dictionary. There's no artificial intelligence to say "Phil Collins" could be all these other things, and to stop phishing from coming through in that way. It is stopping a lot of phishing when we do use that dictionary. We essentially let the email come in, but we put a header at the top, in red, telling the user to be very careful, this may not be a real email, and let the user decide at that point, because it's looking at whether or not it came from a domain outside our domains.

If I have to send myself an email from my personal domain at home, it has my name in it, Phillip Collins. We want it to notice that Phillip Collins is a name that's in the company directory, but it's not coming from one of our domains. We want the user to understand that that is how they get around it. Phishing emails will come from the attacker's own email address, but they will set the display name, what you'll see, as something familiar. That's why I wouldn't give it anywhere near a perfect score, because the artificial intelligence just isn't there yet. You have to manually put these things. As you have people come and go in your organizations, you have to decide if you want these people in that dictionary or not. If they leave then you've got to take them out. There's a lot of work to doing that with this solution at the moment.

Another minor thing is the interface that you work with as an administrator. It is not as intuitive as I would like it to be. It's all there, if you understand what you're doing; what email is doing and how you detect certain things. It is not difficult at all to work with, but it could be more intuitive for somebody starting out.

Finally, they separate the email security appliance from the reporting appliance. It's the Cisco Secure Email Gateway and the SMA; they are two separate appliances. The reporting appliance just gets information from the email security appliance and helps you formulate reports. To me, that should all be one. It doesn't bother me that it's not, but sometimes I have to think, "Do I need to go to this appliance or this appliance to get that information?" It should all be in one place, but those are minor things.

For how long have I used the solution?

I have been using Cisco Email Security for two-and-a-half years.

What do I think about the stability of the solution?

It's extremely stable. It hasn't gone down on us since we've had it. They made a major move, moving their appliances out of the AWS cloud into Cisco's cloud. They notified us they were moving and we talked about it. We really didn't have to do much of anything, and there was no downtime at all when that happened.

We do have two security appliances in the cloud, so if one went down, the other would pick up. There is redundancy at the hardware level, but we've never gone down.

What do I think about the scalability of the solution?

It's extremely scalable, especially with it being a cloud appliance, because you're not bound by the hardware like you might be if you bought from an on-prem installation. If we need to go from 500 to 1,000 users, they can just tweak the hardware settings on their end and we're ready to go. I don't think scalability is an issue at all with it being in the cloud.

There are approximately 425 email accounts that it's monitoring and when I last looked at the report about a month ago, there were 25,000 emails a day, on average, that it was analyzing for those 425 users. We're about to add another 50 to 60 new users from a company we just bought. We'll go up to nearly 500 in the next month or two, but I don't see any issues with that . We'll be adding their domain to our system and then adding the users.

How are customer service and technical support?

I've worked with Cisco support two or three times in the two-and-a-half years we've had it and it's been wonderful. Most of what I've done is through email because it hasn't been an issue where the system is down. It was just that I wanted to understand something better or I wanted to implement something and needed to know if it was included. And if it was included, how would I work with it and could they send me the documentation? Always, within two or three hours, I've gotten a response, which is very acceptable to me considering we're not down. They've always gotten back rather quickly, and resolved almost everything within one or two emails.

Which solution did I use previously and why did I switch?

Before this, we really didn't have a comprehensive email solution. We were simply using the antivirus on the machines. We didn't have anything to stop it from ever getting in, in the first place. Comparing it to other products I used before I came to this company, just about four years ago, it's done much better than any other product I've ever used.

I don't have any way to compare it to anything my current company had before because it didn't have much of anything before. When I came in, that was one of the tasks I was given —securing the email — along with moving us to Office 365. The company had been hit with ransomware before I got here. It had that experience of being attacked and being caught with ransomware, and it didn't have an IT department before I got there. I was the IT department for the first year. We've grown tremendously since then.

How was the initial setup?

On a scale of one to 10, with 10 being complex, the initial setup is about a four. It's not that complex. But that's what I meant about the interface. You've got to jump around from place to place to do it. It does have some good menus, but a quick wizard is something that would be nice, where you could just walk through it, and not have to jump between different sections of the menu.

The original deployment took about half a day, if that long. There were probably another eight hours' worth of work on my part going into it, getting familiar with it, and finishing some things here and there.

When they went through it with us, we hit the high points and the main things. I did most of the connecting it to Office 365. Once you do the main things, you always need to go back and you look for those little things that might help you. A little tweak here, a little tweak there — sensitivity settings. So I spent about another eight hours going back and reviewing everything and making myself feel comfortable that it was actually doing what it was supposed to do. There were probably another eight hours over the next couple of months after that, watching the reports and spending enough time with the reports to make sure that it was operating the way we wanted it to.

In terms of our staff involved in deploying and maintaining CES, it's me and there's a junior infrastructure engineer who works with me.

What was our ROI?

The simple fact that users don't get trashed by email means we're working a fraction of the time that we used to work on emails and dealing with the results. It's paid for itself twice over, in my opinion. It has to have done so, based on the time we were spending on it.

What's my experience with pricing, setup cost, and licensing?

You're going to get what you pay for. If you're not willing to pay the price of Cisco, you're not going to get a product that's as good as Cisco. I don't think Cisco is overpriced, because for the last two years I've been comparing it to Microsoft and Cisco has been cheaper and given us more features.

It really comes down to analyzing what you are actually getting. You might find something at half the price, but what are they not giving you that Cisco's giving you, and do you think that that matters to your company or not? It's an individual thing, but that was what we looked at. Does that make a difference to Revolution as a company or is it something we can do without? Cisco gave us the best overall package.

Which other solutions did I evaluate?

The only other vendor we really looked at seriously at the time was going with a Microsoft solution and Office 365. Even back then they had something, not that it was very good. But it's simply that we were a Cisco shop, in the sense that we've had Cisco firewalls and Cisco switches for the infrastructure. At that point we had already committed to their Firepower option on the firewalls that collected the information. We had been doing that for about a year. I went to one of their events in Little Rock and that's where they talked about it. I was intrigued and did some more research on my own and determined that this was something we couldn't pass up. 

We were a Cisco AMP shop for our antivirus already, which is part of Firepower in a sense. Everything was going to Talos already. The email just made sense because they would all talk to each other and they would get all the information from all the different angles, even across to web access through their Umbrella system. We used that for about a year. When we got our new SD-WAN, it had a lot of the same features the Umbrella system had and we dropped it at that point.

You can put all your eggs in one basket and that can be bad, but in this case it wasn't. It actually worked out well for us.

Everything goes through Cisco so we don't really see anything happening in Office 365. We do have the basic settings for this or for that set in Office 365, but we haven't gone in and fine tuned it the way we did Cisco, because Cisco's the main point of blocking things. When we chose the Cisco solution, there was no way Microsoft's Office 365 solution could have done what we needed it to do. There was no way it would have had any of these major capabilities we needed. It wouldn't have blocked a fraction of the email that the Cisco appliance does. I try to keep up on this and it could be that Microsoft's new ATP might be a game-changer. What I've read sounds a lot like the Cisco appliance. But Microsoft has thrown a kicker in there by adding artificial intelligence. With Microsoft, I wouldn't have had to put in all the name combinations because it would interpret all the names I need it to interpret, even with characters and symbols. I haven't tried it, and I don't have plans at the moment to do so, but from what I've read, Microsoft is catching up.

There are some issues with Microsoft with their integration, simply because you pretty much have to go all-in with Intune, Autopilot — all those features and tools they have to get Microsoft ATP to work. And then you've got to buy the Microsoft 365 E5 license to get all of those security features.

If things are similar, it all comes down to cost and we look at that every year when we renew. What are we paying Microsoft in subscription fees and what is Cisco costing us? So far, Cisco's been cheaper than upgrading Microsoft to the license level we need. Our contract renews in November, so we'll look at it again. That's when we really delve into Microsoft's capabilities. We would want to make sure it would do everything Cisco is doing, before we would make a change, if Microsoft were price-competitive.


What other advice do I have?

Take Cisco up on the offer to walk you through the implementation. It's not that it's a necessity, but it certainly gives you a good feeling, when you're done, that you've covered all your bases. It gave me a good feeling that we covered this and we covered that and they showed me where things were. They give you a copy of the recording where you were on with them and went through everything. You can go back and watch it again later to review it. The same thing is true with their reviews every nine to 12 months. They record them and send you a copy of the recording so you can go back and look at it.

Take them up on that and be willing to sit there and just ask pertinent questions and make sure you understand as you go through it.

As far as the threat assessment analysis goes, what they analyze is what that the appliance decides to send them. That is part of the way it works. When it thinks it has found something and it's not certain, it sends that to Talos first. We don't even know it happened. They get a chance to review it and make a decision of yes or no: this should be stopped or we should go ahead and let it through. We have not leveraged anything other than that from the Talos threat management. We lean on them to help us make sure the right things come through. There have been several times that I have gotten an email as an administrator — you get these emails about statuses — that says, "This has been quarantined in the cloud until we can make a decision," and it will hold it. And once they make the decision, it either stops it or lets it go.

Something else that we're going to begin this year is a training solution to help our users understand what to look for.

I would give Cisco Email Security a nine out of ten. I would give it a 10 if it had a more intuitive interface and the artificial intelligence so we didn't have to do some of that manual stuff.

**Disclosure: IT Central Station contacted the reviewer to collect the review and to validate authenticity. The reviewer was referred by the vendor, but the review is not subject to editing or approval by the vendor.
More Cisco Secure Email reviews from users
...who work at a Energy/Utilities Company
...who compared it with Sophos Email Appliance [EOL]
Add a Comment
Guest