Cisco Email Security versus Office 365

General Criteria Cisco CES + AMP Microsoft Office 365 E3 + ATP


Anti-Spam
Cisco: Reputation is the key strength for Cisco; now we are adding Sender Domain Reputation (SDR), a cloud service that rates email messages based on the domain's age, behavior and other attributes (Base product). Spam SLA 1 /106
Microsoft: Low efficacy rate on Anti-Spam engine, few administrative controls. Many suspicious messages that would have been stopped by Cisco are sent to the end user’s junk folder. They are neither false positive nor false negative. The recipient has access to this potentially hazardous material for 30 days. As MS states in their video: “Around 25% of all malicious messages are blocked at the edge.” White-listing ANY domain, including your own, allows spoofing on that domain.

Anti-Virus Scanning
Cisco: Sophos, McAfee can be used individually or together. (McAfee feature Key) Signature pull every 5 min.
Microsoft: Exchange Online Protection Against Malware: multiple anti-malware engines, vendors not published. Signature pull once per day.

Email encryption
Cisco: Cisco Registered Envelope Service (CRES). SaaS, Policy based encryption (DLP), User controls: revoke, expire, or restore access to encrypted email messages. Only push encryption. Zix Encryption is EOL. See PM for coming encryption improvements.
Microsoft: Office 365 Message Encryption
• Send messages as encrypted HTML attachments outside of Office 365
• Bring Your Own Key in Azure Information Protect
• End User initiated encryption for all platforms supporting Outlook
• End User initiated “do not forward”, “reply-all restriction”
• Encryption can be triggered based on admin assigned DLP policies

DANE
Cisco: SMTP DNS-based Authentication of Named Entities
Microsoft: Not Available. MS has no protection against Man in the Middle Attack over TLS
See: Will DANE for SMTP solve all of your GDPR problems?

Central management
Cisco: Next Gen Security Management Appliance (Base product). More Message Tracking Details delivered faster than Microsoft’s Message Trace.
Microsoft: Security & Compliance Dashboard (Most features limited to E5). How long does it take to see results when running a Message Trace?

Anti-Malware
Cisco: AMP and Threat Grid integration
• Blocking of Known Malicious Files.
• Behavior Analysis of Unknown Files.
• Retrospective Alerting Upon Disposition Change.
• Mailbox Auto-Remediation doesn’t require on premise HW.
• Cross platform telemetry: Email, web, endpoint, NGFW & NGIPS
Microsoft: Overview of Office 365 ATP Safe Attachments (E5 or ATP license)
• Checks email attachments for people in your organization.
• Attachment policies can be applied to individuals
• A policy applies to: email, SharePoint, OneDrive & MS Teams resources
The NoRelationship Attack Bypasses Office 365 Email Attachment Security

STIX/TAXII
Cisco: Consuming external threat information (Feature Key) in the Cisco Email Security Gateway helps an organization to:
• Proactively remediate: ransomware, phishing, and targeted attacks.
• Subscribe to local and third-party threat intelligence sources.
• Improve the efficacy of the Cisco Email Security Gateway.
Microsoft: Not Available by Microsoft
The Critical Need for Threat Intelligence (CSO): As networks expand, they create new opportunities for threats to infiltrate your network. However, because different network environments, such as virtual networks or public cloud environments, usually run separate, and often isolated networking and security tools, it is essential that you set up a process for the centralized collection and correlation of these different intelligence threads.

HTTPS scanning / URL Filtering
Cisco: 3 levels of URL Detection with URL extraction in Anti-Spam Engine, Content Filtering, and Outbreak Filtering. Custom content filters for blocking on selected web reputation or URL categories on both incoming & outgoing mail. User click tracking provided. Embedded URLs in attachments, tiny URL. (Base product)
Microsoft: Office 365 ATP Safe-Links (E5 or ATP license). Safe Links for Office Documents. (Available with license upgrade to Microsoft 365 Enterprise.) The application is more widely distributed into Office apps but lacks controls such as blocking or modifying links based on category or reputation, or granular user controls.
• Safe-links misses a Credential Attack
• BaseStriker bypasses ATP Safe-links

Underlined Titles hyper-linked to datasheets


© 2019 Cisco and/or its affiliates. All rights reserved. This document is Cisco Confidential. For Channel Partner and Internal use only. Not for public distribution. 1
Data Loss Prevention (DLP)
Cisco: Cisco Email Security Data Loss Prevention
• DLP engine in Gartner Leader’s Quadrant
• Compliance policies applied to Data in Motion (outbound)
• DLP Reporting drill-down to Incidents in Message Tracking
Microsoft: Office 365 DLP (E3 or E5)
• 40 + Policy templates
• GDPR templates & Sensitive types
• System generated insights
• Message encryption on policy match
• User Notifications & Overrides
• Admin Incident report (email) on violations: Exch, Shpnt, 1-Drive
• Exact data match scanner

Reporting
Cisco: Available in SMA & ESA appliances. (Base product)
Microsoft: Drill-down capabilities only with MS Threat & Compliance Center E5.

Sandboxing
Cisco: ThreatGrid / AMP Technology
Microsoft: ATP Safe Attachments (No file details available in ATP upgrade alone. Must implement Threat Intelligence in E5 purchase. Including endpoint telemetry requires upgrade to Microsoft 365 Enterprise license.)

Internal Email Protection
Cisco: Not available
Microsoft: Zero-hour Auto Purge (ZAP). Operates similar to Cisco MAR but will also respond to internally delivered malicious content. However, ZAP moves malicious contents from the recipient inbox to the junk folder where it can remain accessible to the user for 30 days!

Authentication
Cisco: Two Factor Authentication ESA (SSO available with SMA). Cisco Adaptive Multi-Factor Authentication. The NCSC urges organizations to implement multi-factor authentication (MFA) on all user accounts to protect against the unfortunate re-use of passwords.
Microsoft: Multi-factor authentication
• Users hit by multi-factor authentication issue
• Microsoft Azure multi-factor authentication bug strikes again, causing issues for Office 365 users
• Multi-Factor Auth Bypassed in Office 365 and G Suite IMAP Attacks
• Responding to a Compromised Email Account in Office 365 | Microsoft ...
• Massive data breach exposes ages, addresses, income on 80 million U.S. families

Data Redaction
Cisco: Content Filter / Message Filter edit-body-text
Microsoft: Not available

Document Sanitization
Cisco: Not available
Microsoft: Not available

Reputation Filtering
Cisco: Senderbase / Talos. Largest threat telemetry database
Microsoft: Microsoft Security Graph. Not as effective as Cisco Talos: quote from MS video: “Around 25% of all malicious messages are blocked at the edge.”

DMARC
Cisco: Supported & Leveraged in CAPP
Microsoft: DMARC Filtering Supported, but no method for moving your senders to DMARC Reject.

Anti-Spoofing
Cisco: Cisco FED Filter on Exec list (Base product)
Microsoft: Anti-spoofing protection (Base product). “As of October, 2018 we extended this protection for E5 customers to organizations that have Exchange Online Protection (EOP)”

Graymail
Cisco: Cisco Graymail (Base product)
Microsoft: Spam Filter Policies. Difficult to implement. Documentation has no “Recommended” or “Best Practices” for tuning.

Safe Unsubscribe
Cisco: Cisco Graymail Safe-unsubscribe
Microsoft: Not available. It can be argued that graymail is also collected into the Outlook “Other” mail category. But so is phishing mail disguised as common graymail.

Anti-phishing, anti-spear phishing, anti-whaling and (BEC) defense for email
Cisco: Cisco Advanced Phishing Protection
• Identity Intelligence
• Best-in-class BEC protection
• Account Takeover ID
• Email Forensics and Enforcement
Microsoft: ATP anti-phishing capabilities in Office 365. (ATP license or E5)
• Executive List for applying policy options
• Learns patterns of email exchange between internal users & execs
• Listing of Spoof Allow domains (i.e. employee mailers, 401k etc)
• Policy Matching Actions:
  - Quarantine
  - Send to Users Junk Mail
  - Don’t apply any action
Dark Reading: 25% of Phishing Emails Sneak into Office 365
Sender Domain Protection
Cisco: Cisco Domain Protection
• Prevents brand abuse
• Block unauthorized senders
• View your 3rd party & internal senders
• Alerts on newly launched domains
• Correlate sender data into easy-to-read reports using your brand
Microsoft: Not Available

User Submission of Phishing & Spam Samples
Cisco: Spam Submission and Tracking Portal (Base Product). Administrators can:
• Submit missed spams directly via the ESTP. (Only .eml format type is currently supported.)
• View the dashboard for all submissions and track the submission status in a single pane
• View table listing each submission, their status, and filter them based on time stamp, submission ID, submitter and other parameters
• Download reports
Microsoft: Report Message
• Enables submission of misclassified email, whether safe or malicious, to Microsoft and its affiliates for analysis.
Administrators can track their user submissions only if they subscribe to: Office 365 Advanced Threat Protection Plan 1 or Plan 2

Threat Intelligence Platform
Cisco: Cisco Threat Response (Demo). CTR is Cisco’s threat intelligence platform that Provides: Aggregated Threat Intelligence
• Context of an attack
• Intuitive Visualizations
• Incident Tracking
• Seamless Drill-Down
• Direct Remediation
CTR is FREE with purchase of Cisco CES or Umbrella or AMP4 Endpoint or NGIPS. A perfect wrapper for an ELA
Microsoft: Office 365 threat investigation and response (Demo). ATP P2 Provides:
• An easy platform to identify, monitor and understand attacks
• Quickly addresses threats in Exchange Online, SharePoint Online, OneDrive for Business and Microsoft Teams
• Provides insights and knowledge to help prevent attacks against their organization
• Automated investigation and response for critical email based threats
Note: MS branding just changed the definition of ATP to target their Threat Intelligence platform. Threat Intelligence not available to E3 customers.

Threat Intelligence
Cisco: Senderbase / Talos. Larger telemetry database. Cisco’s Talos data analysis is broader and deeper.
• 45 Million unique malware samples.
• 2.4 Million Virus blocks
• 12 Trillion SPAM samples
• 5.4 Billion Spyware blocks
• 24.5 Billion blocked web pages
• 250 Full Time Threat Analysts
Microsoft: Microsoft Security Graph Monthly Security Stats. Monthly stats:
• 400 billion emails
• 1 Billion items deleted
• 18+ billion Bing web pages
• 5 Billion Phish emails blocked
• 450 billion authenticates

File / Behavior Analysis
Cisco: ThreatGrid analyzes against more than 900 behavioral indicators and a malware knowledge base sourced from around the world. These are stored for any AMP device, such as in CES, requesting information on a file. AMP can be applied to both inbound and outbound mail flows.
Microsoft: ATP detonates unknown files in their sandbox. MS claims the reputation of the detonated file can be shared across the Office 365 infrastructure. Mutual sharing of Windows Defender and Office 365 file detonation reputations.

Retrospective Remediation of delivered files designed to foil sandboxes
Cisco: Attachments that become rogue after delivery will be
• Detected globally by AMP on endpoint
• Have their reputation updated
• Removed from inbox with Cisco O365 Mailbox Auto Remediation (MAR)
Microsoft: Any malicious attachments delivered to Exchange Online and later deemed malicious, based on reputation, can be removed with Zero Hour Auto Pull (ZAP). ZAP will also respond to internally delivered malicious content. However, ZAP moves malicious contents from the recipient inbox to the recipient’s junk folder where it can remain accessible for 30 days!

Forensics Reporting / Incident Response
Cisco: Cisco AMP Unity Blog. AMP Unity Demo
Global Trajectory
• See File & Device trajectory from all your AMP enabled devices
• AMP Appliances (FMC 6.2 supported)
• AMP for Content (ESA/ESAv/CES 11.1 & WSA/WSAv 11.5)
• AMP on Firepower Appliances (FMC 6.2 supported)
Global Outbreak Control
• Simple Custom Detections (Blacklisting)
• Whitelisting
AMP Unity is superior to MS Threat Intelligence only if tracking file attacks across the enterprise: endpoint, web security, email security etc. MS Threat Intelligence is a superior SOC tool for tracking / correlating and identifying different email campaigns.
Microsoft: Advanced Threat Protection (Purchasing Licensing)
• Threat protection policies: Define threat-protection policies to set the appropriate level of protection for your organization.
  - ATP Safe Attachments
  - ATP Safe Links
  - ATP for SharePoint, OneDrive, and Microsoft Teams
  - ATP anti-phishing protection
• Reports: View real-time reports to monitor ATP performance in your organization.
• Threat investigation and response capabilities: Use leading-edge tools to investigate, understand, simulate, and prevent threats.
• Automated investigation and response capabilities: Save time and effort investigating and mitigating threats.

Added Features Cisco Microsoft
Email Continuity
Cisco: During an Office 365 outage, CES can queue messages for 72 hours or full disk. No user access during outage.
Microsoft: High Availability and Business Continuity. Microsoft Exchange Online offers extensive retention and recovery support. This includes mailbox replication at data centers and the ability to restore deleted mailboxes and deleted items.

Security Education Platform
Cisco: DUO Insight, a free phishing assessment tool by Duo Security that allows you to find vulnerable users and devices in minutes and start protecting them right away.
Microsoft: Office 365 Phishing Attack Simulator. Simulates the following:
• Display name spear-phishing attack
• Password-spray attack
• Brute-force password attack

Data Discovery & Compliance
Cisco: Not available
Microsoft: Overview of Advanced eDiscovery (Preview) in Microsoft 365
• Case management for Exchange, OneDrive, and Teams Integration
• Custodian management
• Custodian communications

SaaS Defense
Cisco: Cloud Lock
• User Security
• Data Security
Microsoft: Microsoft Cloud App Security. Policies allow you to define the way you want your users to behave in the cloud. They enable you to detect risky behavior, violations, or suspicious data points and activities in your cloud environment.

Protection of Employee Personal Email
Cisco: Webmail can be protected with either Cisco Umbrella or Web Security Appliance. These solutions offer more comprehensive protection than web isolation technology.
Microsoft: MS’s web security solution is limited to safe-links in Office applications and ATP for email, and Windows Defender ATP. No Web Security Gateway

Mobility
Cisco: Cisco Meraki Systems Manager
• Track Updates: Keep track of the latest app and profile changes and monitor how many devices have been updated
• Sync Status: Quickly view sync status with Apple and Google services (VPP, DEP, ASM, Android Enterprise)
• Security Compliance: Easily monitor security policy compliance to track devices
Microsoft: Microsoft Device Management
• Support a diverse mobile environment and manage iOS, Android, Windows, and macOS devices securely.
• Make sure devices and apps are compliant with your organization's security requirements.
• Create policies that help keep your organization data safe on company-owned and personal devices.
• Use a single, unified mobile solution to enforce these policies, and help manage devices, apps, users, and groups.

Added Features extend beyond email security to address these exceptions made by specialized vendors