What needs improvement with Cisco Secure Email?

The discontinuation of physical hardware solutions is a significant area for improvement in the Cisco Email Security Appliance. This decision has posed challenges as virtual appliances are now the only option, which may not be suitable for all industries. The uncertainty regarding the future of the hardware aspect of the solution is a notable concern.

I would like to see features like AI since it is currently an area that the product lacks. With AI, the tool would learn and know when an email is fraudulent or is coming for the first time to our organization. If a domain, for example, is very new and was created a while ago, and if it has a bad reputation, then it should automatically block it and not allow it to pass. I would like the product to have a self-learning mechanism based on AI, similar to some other tools.

I am not satisfied with the solution's reporting and logging.

There are some concerns in the way the architecture is set up, making it an area where improvements are required. When you set up the tool, the way you put your SMTP routes should be possible through an easier process.

Cisco Email Secure's pricing needs to be less. We have vendors who provide cheaper solutions with the same features.

The pricing needs to be reconsidered or enhanced.

There are some drawbacks, like the pricing. It's not a default version, and the cost can be prohibitive. If you're working on projects where winning the bid is crucial, then the high price tag can be a major obstacle. Partnerships are required to use the solution. So it can be more affordable. In future releases, I would like to see two main improvements come to mind. First, the current solution requires maintaining two separate operating systems for FTD, which can be cumbersome. I'd love to see a single operating system for the FTD box. Second, some improvements could be made in the documentation and reporting.

The scalability must be improved. The product is a bit traditional. There are many vendors in the market. A customer might not always choose Cisco.

Cross-platform is one major pain point. Many of our clients use an open-source Linux system. These components cannot provide for any Ubuntu or any Linux open-source system, and that's where we get stuck most of the time. Previously, we were doing a POC for Cisco Umbrella, and we got stuck at the point where the customer had almost 200 to 300 of his endpoints, almost 80% of his workforce, working on Linux. This was both on the server and roaming user sides, and Cisco has no solution for Ubuntu. We have raised this suggestion many times when interacting with Cisco during seminars and webinars we've attended. However, we only got feedback from them that they will introduce that feature very soon with their Cisco AnyConnect agent. But it's still only available for Windows and Mac.

The product's GUI for the dashboard needs improvement.

It's not just the firewalls themselves, but one thing I think, where certainly firewalls and other products could actually improve, is in the licensing. Licensing is quite complicated for a number of customers, including ourselves. The licensing appears to be changing on a regular basis depending on the product and the software versions, so we are constantly having to keep up to speed with the different licensing types.

It would be beneficial to have additional DLP functionality, particularly in the email DLP aspect. It could be included in the next release of the product.

Scalability has certain shortcomings and needs to be improved because there are service providers who provide better scalability. Our company constantly checks out what the solution needs to improve. We need to be updated with what is available in the market and which application performs better. The solution's UI needs little tweaking because most customers find it to be a very detailed and technically designed UI. If a person does not know email security or how Cisco devices work, he cannot manage it. Other solutions are user-friendly. Even if the admin has a basic knowledge of managing the services, he can use them. Cisco Secure Email needs to work on the security part, but it also needs to work on UI since it makes part of the entire solution.

I have some frustrations with the user experience in the interface, specifically with regard to making a list of people for whom I want to allow email access. Let's say I have ten people, all of them being VIPs. I allow emails for them because they frequently communicate important information. However, working with these lists is quite challenging. It's difficult to rearrange or manipulate the entries once they are added to the list. The interface could definitely benefit from some improvements.

Cisco Secure Email can be improved from the administrator's point of view. Usually, you have to work with different areas, and they can try to make it easy for the administrator to use different functions.

Cisco has already improved this solution with some add-ons to the basic product. Cisco is already providing a very good environment with the IronPort solution, but there could be some more integration with other products. For instance, an integration with the EDR solution could be there to raise an alert.

If you are not a technical guy, it is hard to maneuver, but as soon as you work on it, it gets better and better. If there was a better way to know how to do things or how to find things, it would be good.

You can consolidate on SMA if you want to spam or threats quarantined for multiple devices. It is not advisable for a single device, because if it fails, you are left without any email. I would like to see a few changes to the UX. There is space for improvement with data loss prevention, particularly with third-parties integration. Data loss prevention is quite important, though most customers have some third-party or other elements in their network doing data loss prevention, specifically for email. However, if it could be possible to integrate with other solutions, not only on the email flow, but on analysis for a connector or something like that, then that would be ideal. The Forged Email Detection feature needs improvement, particularly with domain. The sensors are not that good and the rules sets are unclear.

We have Microsoft and we have the E5 licenses, they have more EDR responses on certain emails. That's something that Cisco ESA on the cloud doesn't have. They don't do anything about MITRE attacks. They only detect if there is a malicious email or a threat and they remove it. If there is an email that has passed through, there is no way to have a global system delete that email from every mailbox. You have to look up the malicious files yourself. With Microsoft, you can look it up, you can hunt for that in their compliance dashboard. You can hunt that email and then delete that email in one step. That's something that Cisco doesn't have.

The area of license renewal should be improved. We normally renew our license every year. There is a feature called smart licensing, and I switched from the legacy mode to the smart licensing mode because of what I thought smart licensing does. I thought it would make licensing renewal seamless and very swift, but ever since I've switched to smart licensing, each time I want to renew my license, it is a whole lot of headache. The process is not smooth, and I had to keep calling Cisco TAC to see how the issue can be resolved. At one point, I wanted to revert back to the legacy mode, but I can't revert. Once you switch from the legacy mode to the smart licensing mode, you can't revert. They should improve on the visibility of the smart licensing mode so that it can indeed be smart and easier to use for the license renewal every year. That is one challenge. Another challenge is that there is no way for me to know my level of utilization. For example, if I have a subscription of 2,000, there should be a way for me to know my level of utilization. Currently, I don't know my level of utilization. So, if my license is renewed on 20,000 subscribers and I'm using less than 20,000, I wouldn't know. It doesn't improve my ROI. If I'm using less than the subscription I've applied for, there should be a way the system should tell me, rather than me going to find out manually. When I go to the smart licensing profile, I should be able to see my utilization. I should be able to see that I've subscribed for 20,000 but I'm only using 12,000. This means that if I'm going to renew, I should reduce my licensing mode from 20,000 to maybe 15,000. This kind of information should be given to the customers, but right now, we don't have that.

The UI is definitely one area of improvement because it doesn't match other interfaces and the navigation can be a little clunky. Generally speaking, it is just dated, and I know that they're working on enhancing it for later versions. They should continue to develop their integration with Office 365 or Hosted Exchange since a lot of organizations, ours included, are moving primary Exchange services to the Microsoft Cloud. Being able to integrate tighter with that environment is important.

We have been struggling in the last month with Cisco encryption and with the S/MIME encryption. I don't know if it is an issue on our side or if these features of the solution are not working very well. The documentation is good but I'm not sure if the functionality in these areas of the solution is implemented very well. We are evaluating the situation.

I use the search all the time. Sometimes, it is hard to search for things and things are hard to find. People come to me all the time, saying, "This email didn't get through." Then, I go searching and don't find it on the first search. You have to think about alternative searches. I don't know if there is an easier way that they could help to find things. I don't know how they could simplify it, because now everybody else is using the cloud and everything is coming from Office 365, or whatever. It is just not the same environment from years ago where everybody had their own server and you could search easier. When you run a trace and you are in the cloud, it's harder. You run a trace and it generates trace results. I haven't figured out how to get those off of the cloud. I don't know if there is a path to open up a ticket on that.

I would like more functionality and how to use it for Level 2 type staff. The biggest issue is it needs to be easier to use and navigate. I know there are a lot more documents in the later versions about how to do things. This is a great improvement from a few years ago when you would have to call a tech to get them to assist you, which they're more than happy to do, but now there are a lot more how-to guides. If they could continue to do that, then it would make the product even more usable. Also, it needs more detail/documentation around what different features do. That would be valuable for the product. That way, when you do have lower level staff who are using it, they will actually know what it can do, e.g., having help icons for each section, and even each setting, does make it easier for the users. As they can click on the question mark for that setting, then they can then see what it does or have it take them to a how-to page on what it does. The reporting could be improved, especially at a senior management level. The reporting side of things is a big component of what people, especially executives, want to see. In that way, it can justify its use ongoing. The executives want to know the volume of traffic that it's stopping. While users have to deal with the potential loss of income and hours. With reporting, it becomes a no-brainer. It's one of those things on an IT budget that you need to have.

When it comes to phishing, I would not give this appliance a perfect score by any means. It's hard to get a perfect score on phishing with any solution. But typically, in a phishing email, they try to use a name everybody's going to recognize, like the CEO's name or the CFO's name. They might spell it wrong, but they will try to get your attention so that you'll do something. With this appliance, the way it's designed at the moment, for us to really stop that with any level of confidence, we have to build a dictionary of all the names of the people we want it to check, and all the ways they could be spelled. My name would be in there as Phillip Collins, Phillip D. Collins, Phillip Dean Collins, Phil Collins, Phil D. Collins. There could be eight or 10 variations of my name that we'd have to put in the dictionary. There's no artificial intelligence to say "Phil Collins" could be all these other things, and to stop phishing from coming through in that way. It is stopping a lot of phishing when we do use that dictionary. We essentially let the email come in, but we put a header at the top, in red, telling the user to be very careful, this may not be a real email, and let the user decide at that point, because it's looking at whether or not it came from a domain outside our domains. If I have to send myself an email from my personal domain at home, it has my name in it, Phillip Collins. We want it to notice that Phillip Collins is a name that's in the company directory, but it's not coming from one of our domains. We want the user to understand that that is how they get around it. Phishing emails will come from the attacker's own email address, but they will set the display name, what you'll see, as something familiar. That's why I wouldn't give it anywhere near a perfect score, because the artificial intelligence just isn't there yet. You have to manually put these things. As you have people come and go in your organizations, you have to decide if you want these people in that dictionary or not. If they leave then you've got to take them out. There's a lot of work to doing that with this solution at the moment. Another minor thing is the interface that you work with as an administrator. It is not as intuitive as I would like it to be. It's all there, if you understand what you're doing; what email is doing and how you detect certain things. It is not difficult at all to work with, but it could be more intuitive for somebody starting out. Finally, they separate the email security appliance from the reporting appliance. It's the Cisco Secure Email Gateway and the SMA; they are two separate appliances. The reporting appliance just gets information from the email security appliance and helps you formulate reports. To me, that should all be one. It doesn't bother me that it's not, but sometimes I have to think, "Do I need to go to this appliance or this appliance to get that information?" It should all be in one place, but those are minor things.

The reporting functionality needs to be improved.

Having Cisco Email Security as a standalone solution is not good enough. It needs to be combined with another solution. For example, it will not stop all phishing and malware. We tried having only Cisco Email Security (IronPort) and faced multiple issues due to the sandboxing. The sandboxing for this solution is not up to mark and needs improvement. It does not detect much at the moment, just the set criteria that it already has designated. The solution needs to improve its advanced phishing filters. It is very good at filtering things which have bad reputations. However, when phishing or malicious emails are new or coming from a legitimate source, we don't feel that the solution is working. While the tool does a good job of blocking malicious emails, it does have limitations. For example, it sometimes cannot identity file extensions and sends through files that we don't want, like OneNote. We can filter by file name extension, but it is too easy to change the file name extension by adding numerical characters, etc.

We would like to see more options for the customization of content filters.

We have occasionally had hardware problems because we are using an appliance-based solution, but that might change.

The configuration UI should be made more intuitive. Currently, it takes a while to understand how to do the basic configurations. In terms additional features, I would like to see customization of reports and dashboards. There should be separately module for Phishing and Fraudulent emails

We find bugs, just like anyone else. We bring them to Cisco's attention. If there was one area I would like to see improved it might be having someone who can help us when Cisco comes out with a new product. Let's say I'm going to be purchasing and utilizing version two of this product. They assign me an account specialist and a technical specialist to help with the bring-up. It would be nice if the specialist would be able to help foresee some of the issues we might run into, specific to the version we're implementing. I know that's a bit of a loaded issue because sometimes it depends on your particular environment. I know that's very difficult. But, there have been some instances where particular hiccups could have been avoided if the individual assisting us was slightly more versed in the version that we were going with. Maybe he could have told us that it wasn't the version we should have gone with. Maybe we should have gone with a previous version and then skipped over this version until they came out with a more upgraded version of it. The version we first chose might be a stable version in general, or it might be stable for other environments, but not for our particular environment. There's one other thing I would like to see. It would be nice to have an easier way to check on the health of the system, how stressed these appliances are. Sure, you can do it, but it would be helpful to have an easier way to do it, maybe even at a glance. That was something that Proofpoint had that I wish I had here. That would be very useful.

They could improve the filters. In my time at the company, there were several times we had to contact support to update the filters. They can definitely work more on that. They can also work on the updating of the appliance. We had to do it once, when I was part of the engineering team. We had to update to a later version. It was complicated for me. I had to follow the instructions without understanding anything. Maybe there was pressure that caused me to not and understand them properly, but it was still complicated. The documentation was not there when we tried to update it. It may also have been due to my lack of experience. If I had done it twice or three times, I might have become accustomed to it and have done it more easily.

One of the things that Cisco could improve on with IronPort is the support. Cisco doesn't really have enough engineers who have full, hands-on knowledge of IronPort. Knowledge of it is not something you can find easily compared to other security appliances. They could also share more technical resources on how to do conversions. I did a video tutorial while I was training on CISSP and on CCIE security. There was a series that had the Cisco Secure Email Gateway in it and also the WSA. I was able to follow most of the configuration and explanation from the instructor. Also, if Cisco Secure Email Gateway and WSA could be brought together, it would make a better appliance, one wholesome appliance.

There were a couple of access issues. Also, they need to keep their intelligence top-notch. I remember a particular phishing email that came through to my then-CEO. So they could improve on their intelligence.

The user interface needs some improvement to become more user-friendly. The graphics could be better. It's designed more for a technical user rather than a business user. The solution has flexibility. I think they are working on improving it as we speak. They're responsive to the feedback we give.

I would like to see sandboxing for email, where suspicious emails received by the system are analyzed through online services. Some vendors, like Fortinet, have this feature in their firewalls, the FortiSandbox.

There should be some type of help section that can help us configure clients' emails. Sometimes, we just need to customize the quality. The graphical user interface is not user-friendly like other vendors. I find it very difficult at times to find some options on the UI. It's very difficult to configure at that time.

I would like to see a cloud service implemented for IronPort with specific domains which companies register to blacklist. Emails or anything coming from those domains should be automatically blocked or automatically scanned. Cisco should implement a cloud service for IronPort. It should scan automatically, without our needing to say, "Scan this," or "Scan that." It should be done from their side. Also, the hardware is not up to the mark. Two to three times a year we have complete downtime. There must be an issue with the hardware itself. The software is very good. It works really well, but when it comes to the hardware it's not good enough because of the downtime. That hasn't happened with any Cisco device until now.

With each product release since 2012, they have continuously fixed our issues or complaints. In the beginning, it needed a lot of work. Now, we are happy with it.

On their roapmap, they are looking to integrate with different cloud features, like Office 365. I would like them to add some clustering or high availability features.