WEBVTT 0:00:02.220000 --> 0:00:05.580000 Hello and welcome to this video in which I'm going to be talking about 0:00:05.580000 --> 0:00:10.660000 the Cisco ESA introducing it just at a real high level and going over 0:00:10.660000 --> 0:00:13.020000 some of its features that it can do. 0:00:13.020000 --> 0:00:17.560000 So in this video I'm going to be giving you a brief introduction to the 0:00:17.560000 --> 0:00:19.720000 platform, to the appliance. 0:00:19.720000 --> 0:00:25.460000 At a high level talking about how the ESA fights spam, malware, viruses, 0:00:25.460000 --> 0:00:28.240000 and a large part of that is something called AMP. 0:00:28.240000 --> 0:00:32.140000 So I'll be introducing AMP and how the ESA incorporates AMP. 0:00:32.140000 --> 0:00:36.660000 And without AMP you can't talk about AMP without talking about Cisco Talos. 0:00:36.660000 --> 0:00:38.540000 So I'll be talking about that as well. 0:00:38.540000 --> 0:00:43.600000 And then finishing up with how the ESA handles data loss prevention. 0:00:43.600000 --> 0:00:47.100000 Alright so let's go into an introduction, a brief overview here of the 0:00:47.100000 --> 0:00:49.260000 ESA. You may never have heard this before. 0:00:49.260000 --> 0:00:51.360000 You might not know what ESA stands for. 0:00:51.360000 --> 0:00:55.140000 It stands for the Cisco email security appliance. 0:00:55.140000 --> 0:00:59.100000 So if you watch any of my other videos or videos from other people, or 0:00:59.100000 --> 0:01:02.560000 if you just dealt with emails for any length of time, you realize that 0:01:02.560000 --> 0:01:05.440000 emails are a big source of malware. 0:01:05.440000 --> 0:01:10.660000 A lot of people choose to use emails to spread attacks, to spread spam, 0:01:10.660000 --> 0:01:14.600000 and so the email security appliance is designed to help mitigate that 0:01:14.600000 --> 0:01:20.180000 stuff. 
Now as far as purchasing and using the Cisco email security appliance, 0:01:20.180000 --> 0:01:22.460000 you have three options. 0:01:22.460000 --> 0:01:26.260000 You can do cloud based, which means that you don't actually own the hardware 0:01:26.260000 --> 0:01:31.800000 itself. You're using the services of Cisco, you're paying for their services, 0:01:31.800000 --> 0:01:36.220000 and you use their ESAs, which are spread out all over the world for all 0:01:36.220000 --> 0:01:38.060000 of your cloud based emails. 0:01:38.060000 --> 0:01:41.160000 Or vice versa, you could use on premises. 0:01:41.160000 --> 0:01:44.020000 You could purchase the ESA appliance yourself, which looks something like 0:01:44.020000 --> 0:01:47.380000 this picture right here, and you could have it set up in your own company. 0:01:47.380000 --> 0:01:49.780000 Or you could do a blend of both, a hybrid approach. 0:01:49.780000 --> 0:01:53.280000 When you choose to use a hybrid approach, what that's talking about is, 0:01:53.280000 --> 0:01:57.900000 yes, you own one or more ESAs yourself, but in a hybrid situation, your 0:01:57.900000 --> 0:02:01.420000 ESAs are only being used to scan outbound emails. 0:02:01.420000 --> 0:02:04.960000 So trying to protect the emails that you're sending out to the world from 0:02:04.960000 --> 0:02:09.280000 containing sensitive information, confidential information, inadvertently 0:02:09.280000 --> 0:02:13.040000 spreading malware, viruses that maybe you didn't know you had. 0:02:13.040000 --> 0:02:16.940000 So that's a hybrid, and your inbound email would still be handled in the 0:02:16.940000 --> 0:02:20.480000 cloud. So email coming into your organization would be handled in a cloud 0:02:20.480000 --> 0:02:25.200000 based platform that Cisco controls and operates. 0:02:25.200000 --> 0:02:28.580000 So the Cisco ESA has its own operating system. 0:02:28.580000 --> 0:02:30.280000 It does not use Cisco IOS. 
0:02:30.280000 --> 0:02:33.680000 It uses something called the AsyncOS operating system. 0:02:33.680000 --> 0:02:36.340000 And here's a real high level here of what it does. 0:02:36.340000 --> 0:02:41.900000 So it protects your email by identifying spam, both malicious spam, as 0:02:41.900000 --> 0:02:43.600000 well as just junk mail spam. 0:02:43.600000 --> 0:02:47.220000 And it can quarantine or discard email that has been sent from untrusted 0:02:47.220000 --> 0:02:50.840000 or potentially hostile locations. 0:02:50.840000 --> 0:02:54.420000 Now you might be wondering, well, how does it know if an email has come 0:02:54.420000 --> 0:02:56.620000 from an untrusted or hostile location? 0:02:56.620000 --> 0:02:58.160000 We will talk about that. 0:02:58.160000 --> 0:03:02.800000 It also has anti-virus scanning to try to detect virus and malware that 0:03:02.800000 --> 0:03:07.840000 is inside of emails that you're sending or receiving. 0:03:07.840000 --> 0:03:16.580000 Now one thing to be aware of is that the ESA only monitors SMTP traffic. 0:03:16.580000 --> 0:03:18.300000 It only monitors SMTP traffic. 0:03:18.300000 --> 0:03:21.100000 And if you know about the pipeline of email, you know that sometimes, 0:03:21.100000 --> 0:03:26.560000 depending on if email applications or software are locally installed on 0:03:26.560000 --> 0:03:30.580000 laptops, then that case the laptop or PC might be using something called 0:03:30.580000 --> 0:03:34.700000 POP or IMAP to send and retrieve email. 0:03:34.700000 --> 0:03:36.780000 Actually it's used to retrieve email. 0:03:36.780000 --> 0:03:42.520000 SMTP is always used to push email out, but downloading email locally onto 0:03:42.520000 --> 0:03:46.040000 your hard drive could use a combination of IMAP or POP. 0:03:46.040000 --> 0:03:49.580000 The Cisco ESA does not look at IMAP or POP messages. 
0:03:49.580000 --> 0:03:56.220000 So its placement is supposed to be placed between the mail exchange servers, 0:03:56.220000 --> 0:03:58.760000 not from the mail exchange server to the client. 0:03:58.760000 --> 0:04:01.760000 So here's all your employees down here which are sending and receiving 0:04:01.760000 --> 0:04:03.900000 email to your mail exchange server. 0:04:03.900000 --> 0:04:06.500000 That is not where the ESA fits. 0:04:06.500000 --> 0:04:09.340000 Here's a mail exchange server which is going out to the outbound world 0:04:09.340000 --> 0:04:10.900000 and emails are coming in. 0:04:10.900000 --> 0:04:16.760000 All of that is using SMTP somewhere around there is where the Cisco ESA 0:04:16.760000 --> 0:04:20.220000 is supposed to fit. 0:04:20.220000 --> 0:04:23.640000 Okay, so let's talk about what the ESA can do in a little bit more detail 0:04:23.640000 --> 0:04:28.640000 now. So it has several methods of protecting your inbound and outbound 0:04:28.640000 --> 0:04:31.780000 email. Let's start by talking about spam. 0:04:31.780000 --> 0:04:34.100000 Now we know that spam can be one of two categories. 0:04:34.100000 --> 0:04:36.820000 It can be spam that's just junk mail. 0:04:36.820000 --> 0:04:41.580000 You're getting a ton of emails from the local mechanic, the local food 0:04:41.580000 --> 0:04:43.020000 store, whatever. 0:04:43.020000 --> 0:04:46.220000 It's not harmful, it's just irritating that spam. 0:04:46.220000 --> 0:04:48.840000 But then there's also spam which is malicious. 0:04:48.840000 --> 0:04:53.100000 Spam which is intentionally designed to look like it came from a known 0:04:53.100000 --> 0:04:57.320000 trusted sender to try to trick you into divulging some personally identifiable 0:04:57.320000 --> 0:05:02.860000 information. So the Cisco ESA can protect you against both types by using 0:05:02.860000 --> 0:05:07.860000 reputation based filtering and context based filtering. 
0:05:07.860000 --> 0:05:10.160000 What do these two mean? 0:05:10.160000 --> 0:05:18.740000 Well reputation based filtering means that there is a list of known mail 0:05:18.740000 --> 0:05:19.760000 exchange servers. 0:05:19.760000 --> 0:05:20.900000 Now think about this, right? 0:05:20.900000 --> 0:05:25.200000 If your company has your own mail exchange server for all the email is 0:05:25.200000 --> 0:05:28.680000 coming in and going out of your company, that mail exchange server has 0:05:28.680000 --> 0:05:33.360000 an IP address. Now let's say that one or more employees in your company 0:05:33.360000 --> 0:05:38.100000 are using that mail exchange server to push out viruses or actually launching 0:05:38.100000 --> 0:05:42.500000 an attack from within your company by sending out tons of spam with viruses, 0:05:42.500000 --> 0:05:44.500000 malware, what have you. 0:05:44.500000 --> 0:05:49.960000 Well there are companies like Cisco that keep track of mail exchange servers 0:05:49.960000 --> 0:05:54.140000 which have a known history from which a lot of junk mail, a lot of spam, 0:05:54.140000 --> 0:05:58.280000 a lot of virus have emanated or started from that mail exchange server. 0:05:58.280000 --> 0:06:01.320000 So that's what we mean by reputation based filtering. 0:06:01.320000 --> 0:06:05.060000 If an email is coming into my company and the source IP address is coming 0:06:05.060000 --> 0:06:09.060000 from a mail exchange server that is known to have launched attacks against 0:06:09.060000 --> 0:06:13.600000 other people, the ESA can be aware of that and take some action. 0:06:13.600000 --> 0:06:18.060000 Context based filtering is where the ESA actually scans the email itself, 0:06:18.060000 --> 0:06:23.020000 where it came from, the source email address, the body of the email and 0:06:23.020000 --> 0:06:24.320000 the attachments are in the email. 
0:06:24.320000 --> 0:06:28.160000 It looks at how is the email format is have some weird formatting and 0:06:28.160000 --> 0:06:31.740000 by using a whole bunch of very complex rules, it tries to tell just by 0:06:31.740000 --> 0:06:37.200000 how the email looks and feels if it falls into the category of spam. 0:06:37.200000 --> 0:06:45.700000 It can also certainly fight viruses and malware by using something called 0:06:45.700000 --> 0:06:47.640000 outbreak filters. 0:06:47.640000 --> 0:06:53.800000 So an outbreak filter in this case is sort of like reputation based filtering. 0:06:53.800000 --> 0:06:57.740000 Think of it this way, you know if you've been alive for any length of 0:06:57.740000 --> 0:07:02.640000 time you might remember how in the news over the past several years, there 0:07:02.640000 --> 0:07:06.380000 have been news stories about certain countries where there's been massive 0:07:06.380000 --> 0:07:09.940000 outbreaks of really deadly viruses that have killed people. 0:07:09.940000 --> 0:07:12.620000 There's been an outbreak in that country. 0:07:12.620000 --> 0:07:17.100000 And so what do a lot of other countries typically do when they hear that 0:07:17.100000 --> 0:07:18.060000 that's happening? 0:07:18.060000 --> 0:07:23.380000 They say, oh, well if someone's trying to leave that country from which 0:07:23.380000 --> 0:07:26.600000 an outbreak is happening and they're trying to fly into our country, they're 0:07:26.600000 --> 0:07:29.760000 trying to fly into our airport, a lot of times what countries will do 0:07:29.760000 --> 0:07:33.860000 will say, well, we don't know if you're healthy or not, but you came from 0:07:33.860000 --> 0:07:37.420000 a country where there's a huge outbreak of this virus or deadly thing 0:07:37.420000 --> 0:07:40.280000 going on. So we're going to put you in quarantine. 0:07:40.280000 --> 0:07:41.180000 We're going to put you in quarantine. 
0:07:41.180000 --> 0:07:44.180000 We're going to check you out and make sure that you're healthy before 0:07:44.180000 --> 0:07:48.240000 we allow you into our country and our general population. 0:07:48.240000 --> 0:07:52.320000 Same thing is true here of fighting viruses and malware. 0:07:52.320000 --> 0:07:57.540000 If an email is coming into my mail exchange server and it hits my ESA 0:07:57.540000 --> 0:08:02.940000 first, that ESA is going to look at the source IP address once again of 0:08:02.940000 --> 0:08:07.820000 the mail exchange server that sent that email to me before it hits my 0:08:07.820000 --> 0:08:12.420000 email. If the source IP address says, oh, wait a second, that's coming 0:08:12.420000 --> 0:08:16.060000 from a mail exchange server that we know a lot of viruses have emanated 0:08:16.060000 --> 0:08:20.680000 from there. A lot of malware and ransomware and stuff have started at 0:08:20.680000 --> 0:08:21.900000 that mail exchange server. 0:08:21.900000 --> 0:08:26.280000 That mail exchange server is the center of where there's a current outbreak. 0:08:26.280000 --> 0:08:29.120000 Then that would trigger the outbreak filter. 0:08:29.120000 --> 0:08:33.820000 So in that particular case, the email would go into quarantine and one 0:08:33.820000 --> 0:08:35.420000 of two things would happen. 0:08:35.420000 --> 0:08:39.420000 If the email is scanned and determines, oh, it's got a virus in it that 0:08:39.420000 --> 0:08:42.740000 we recognize. It's got a known malware we already know. 0:08:42.740000 --> 0:08:48.760000 If we have an antivirus or anti-malware filter, we can filter out that 0:08:48.760000 --> 0:08:50.260000 email. We can delete it. 0:08:50.260000 --> 0:08:53.860000 Maybe we can remove the attachment from it that has the malware and then 0:08:53.860000 --> 0:08:55.440000 continue the email on. 0:08:55.440000 --> 0:09:00.960000 However, if the email comes in and the ESA says, hmm, I don't know. 
0:09:00.960000 --> 0:09:05.340000 This doesn't really look like any known malware or virus that I'm familiar 0:09:05.340000 --> 0:09:09.240000 with. However, it did come from a mail exchange server where there are 0:09:09.240000 --> 0:09:13.640000 known outbreaks to be happening right now or in the recent past. 0:09:13.640000 --> 0:09:18.200000 Then it will stay in quarantine and allow you as a human being to take 0:09:18.200000 --> 0:09:21.760000 additional measures to scan that email before it's safely distributed 0:09:21.760000 --> 0:09:24.400000 to somebody else. 0:09:24.400000 --> 0:09:27.420000 Also, the Cisco ESA has antivirus signatures. 0:09:27.420000 --> 0:09:30.160000 Just like when you download an antivirus program onto your own laptop 0:09:30.160000 --> 0:09:34.700000 or PC, how it scans incoming files and tries to detect, if they match 0:09:34.700000 --> 0:09:40.280000 what a known virus would look like, the ESA can do that as well. 0:09:40.280000 --> 0:09:44.560000 And then, of course, lastly, the ESA can do outbound email scanning as 0:09:44.560000 --> 0:09:52.580000 well, just in case you're accidentally sending out viruses or malware. 0:09:52.580000 --> 0:09:57.060000 Now, one would logically raise the question, okay, well, how does the 0:09:57.060000 --> 0:09:58.740000 ESA get this information? 0:09:58.740000 --> 0:10:02.840000 How does the ESA know where outbreaks are happening? 0:10:02.840000 --> 0:10:06.980000 How does it know what current viruses are out there? 0:10:06.980000 --> 0:10:11.760000 Is this something that I have to perpetually download as files or attachments 0:10:11.760000 --> 0:10:14.840000 or something to the ESA to keep it updated? 0:10:14.840000 --> 0:10:17.860000 And that's the beautiful thing about the ESA is that, no, you don't have 0:10:17.860000 --> 0:10:22.680000 to do that. The ESA works right alongside with AMP. 0:10:22.680000 --> 0:10:24.600000 What is AMP, you say? 
0:10:24.600000 --> 0:10:29.240000 Well, AMP is Cisco's advanced malware protection. 0:10:29.240000 --> 0:10:31.220000 So this is a cloud-based service. 0:10:31.220000 --> 0:10:34.720000 And the Cisco ESA, when you get one, you sign up for the subscription 0:10:34.720000 --> 0:10:38.120000 of AMP along with the Cisco ESA. 0:10:38.120000 --> 0:10:41.860000 And what it does is it utilizes the cloud security intelligence networks 0:10:41.860000 --> 0:10:45.800000 of Cisco Talos. Now, what is Cisco Talos? 0:10:45.800000 --> 0:10:46.300000 We'll get to that. 0:10:46.300000 --> 0:10:47.180000 That's in the next slide. 0:10:47.180000 --> 0:10:52.360000 But basically, the ESA is always being updated with the latest information 0:10:52.360000 --> 0:10:56.700000 from the cloud. From Cisco's security network. 0:10:56.700000 --> 0:11:01.000000 Cisco is very aware of what's going on in the security world. 0:11:01.000000 --> 0:11:05.940000 They have dedicated teams for knowing exactly what the latest viruses 0:11:05.940000 --> 0:11:09.960000 are, what the latest mail exchange servers are, from which outbreaks are 0:11:09.960000 --> 0:11:14.320000 happening. They collect all this information and they're constantly updating 0:11:14.320000 --> 0:11:19.580000 your ESA so that your ESA has the latest and greatest information. 0:11:19.580000 --> 0:11:23.680000 Now, advanced malware protection, in this case, we're talking about it 0:11:23.680000 --> 0:11:25.500000 being on the ESA. 0:11:25.500000 --> 0:11:29.960000 Okay, so in this particular case, the ESA would use AMP to when an email 0:11:29.960000 --> 0:11:33.360000 comes in to check that email to see if it's okay. 0:11:33.360000 --> 0:11:36.260000 And similarly, when an email is about to go out to check it to see if 0:11:36.260000 --> 0:11:39.940000 it's okay. 
Now, it knows here, it says just in general, not talking about 0:11:39.940000 --> 0:11:44.300000 the ESA, but in general with AMP, it says AMP assists both before, during 0:11:44.300000 --> 0:11:46.360000 and after an attack. 0:11:46.360000 --> 0:11:50.640000 Now, when I first read that, I thought after an attack, if an email has 0:11:50.640000 --> 0:11:56.320000 come in, the ESA thought it was okay and it allowed it into my organization, 0:11:56.320000 --> 0:12:00.720000 it turns out that email had a virus or malware that the ESA did not recognize, 0:12:00.720000 --> 0:12:03.080000 isn't it too late? 0:12:03.080000 --> 0:12:05.240000 How is the ESA going to take any action on that? 0:12:05.240000 --> 0:12:07.920000 Well, the short answer is it can't. 0:12:07.920000 --> 0:12:11.900000 If we're just talking about an ESA, the email security appliance, it's 0:12:11.900000 --> 0:12:15.000000 done. If the email gets through and it's got some malware or virus in 0:12:15.000000 --> 0:12:17.720000 it, the ESA's job is finished. 0:12:17.720000 --> 0:12:19.680000 It failed. It did not stop it. 0:12:19.680000 --> 0:12:23.780000 But Cisco AMP is not just for ESA. 0:12:23.780000 --> 0:12:27.760000 As a matter of fact, you can download Cisco AMP software right on a laptop. 0:12:27.760000 --> 0:12:30.460000 It's called AMP for endpoints or AMP for clients. 0:12:30.460000 --> 0:12:36.340000 You can have laptops and PCs and servers all running AMP on them. 0:12:36.340000 --> 0:12:40.720000 And so in that way, if AMP is not only on the ESA, but also on your endpoints 0:12:40.720000 --> 0:12:46.480000 as well, now, if an endpoint gets attacked, and all of a sudden a virus 0:12:46.480000 --> 0:12:50.860000 is discovered on an endpoint, AMP can detect that, AMP can keep a record 0:12:50.860000 --> 0:12:54.880000 of that, and AMP can see where that virus went. 
0:12:54.880000 --> 0:12:59.360000 Did that virus, was that virus propagated by that laptop as it exchanged 0:12:59.360000 --> 0:13:03.620000 a file with another laptop running AMP, or does it send an email to a 0:13:03.620000 --> 0:13:05.200000 server running AMP? 0:13:05.200000 --> 0:13:09.860000 So by having AMP spread out, not only on the ESA, but also on your clients, 0:13:09.860000 --> 0:13:14.040000 that's how AMP can really help after the attack, tracking down where that 0:13:14.040000 --> 0:13:19.740000 file went so you can stop it before it spreads any further. 0:13:19.740000 --> 0:13:23.360000 So what are the features of AMP just in general? 0:13:23.360000 --> 0:13:29.020000 It has file reputation, so AMP basically captures a fingerprint of every 0:13:29.020000 --> 0:13:31.900000 file as it traverses the Cisco ESA. 0:13:31.900000 --> 0:13:36.440000 And then sends that fingerprint to the AMP cloud-based network for reputation 0:13:36.440000 --> 0:13:44.180000 verdict. File sandboxing, so if a file comes in and it's unknown, and 0:13:44.180000 --> 0:13:48.480000 it's going through the ESA, it can be placed into a highly secure sandboxed 0:13:48.480000 --> 0:13:52.820000 environment. So a combination of human intelligence could look at it as 0:13:52.820000 --> 0:13:56.420000 well as software intelligence to determine what the threat level is of 0:13:56.420000 --> 0:13:58.440000 that particular file. 0:13:58.440000 --> 0:14:00.620000 And then we also have file retrospection. 0:14:00.620000 --> 0:14:03.680000 This is why I talked about just a moment ago, where if a file actually 0:14:03.680000 --> 0:14:08.900000 gets through the ESA and then later on is determined, oh, that file actually 0:14:08.900000 --> 0:14:13.180000 was malicious. Well, if we have AMP on our endpoints, we can actually 0:14:13.180000 --> 0:14:17.580000 see what endpoints received that file and how it was spread from there. 
0:14:17.580000 --> 0:14:21.800000 Now, AMP, as this mentions here, relies on Cisco Talos. 0:14:21.800000 --> 0:14:23.560000 What exactly is that? 0:14:23.560000 --> 0:14:29.000000 And I have just a couple of quotes here. 0:14:29.000000 --> 0:14:32.460000 Basically, you can see that the Cisco Talos is an intelligence and research 0:14:32.460000 --> 0:14:36.920000 group made up of tons of people, very smart people with the latest technology 0:14:36.920000 --> 0:14:40.200000 that can detect what's going on in the world. 0:14:40.200000 --> 0:14:43.660000 They can detect the latest threats, the latest outbreaks. 0:14:43.660000 --> 0:14:46.240000 They can figure out what the mail exchange servers are from which a lot 0:14:46.240000 --> 0:14:47.760000 of this stuff is emanating. 0:14:47.760000 --> 0:14:50.400000 They create a lot of the latest virus signatures. 0:14:50.400000 --> 0:14:56.600000 And all this information they collect, they download onto your Cisco ESA. 0:14:56.600000 --> 0:14:59.680000 And I found some statistics that say that actually these updates occur 0:14:59.680000 --> 0:15:03.120000 about every three to five minutes on the ESA. 0:15:03.120000 --> 0:15:06.860000 So it is being updated continually. 0:15:06.860000 --> 0:15:10.940000 And the last thing I want to talk about that the ESA can do is enforcement 0:15:10.940000 --> 0:15:16.720000 of DLP, which stands for data loss prevention. 0:15:16.720000 --> 0:15:22.300000 What is that? Well, you know, the worst thing, if you're in management 0:15:22.300000 --> 0:15:26.460000 or a CEO or something, the worst thing you can hear is that, uh-oh, some 0:15:26.460000 --> 0:15:31.340000 of our company confidential documents like our payroll records or our 0:15:31.340000 --> 0:15:38.960000 super secret marketing sauce or our latest patent pending device, we just 0:15:38.960000 --> 0:15:40.580000 lost it because it went out in an email. 
0:15:40.580000 --> 0:15:43.640000 Somebody sent out an email with an attachment, with a document in it that 0:15:43.640000 --> 0:15:46.180000 never should have left our company. 0:15:46.180000 --> 0:15:47.600000 So we're trying to prevent that. 0:15:47.600000 --> 0:15:52.340000 That's called data loss prevention and the ESA can help us with that. 0:15:52.340000 --> 0:15:55.780000 So number one, it scans the content of the email. 0:15:55.780000 --> 0:15:57.780000 So as they now, this is something that you would turn on. 0:15:57.780000 --> 0:16:00.860000 You turn on and it scans the content of all the emails are going out. 0:16:00.860000 --> 0:16:04.840000 So remember this is the email is now in the mail exchange server and the 0:16:04.840000 --> 0:16:09.900000 mail exchange server is using SMTP to send it out to another mail exchange 0:16:09.900000 --> 0:16:11.740000 server somewhere out there in the world. 0:16:11.740000 --> 0:16:16.260000 This is where it hits the ESA and the ESA scans it. 0:16:16.260000 --> 0:16:19.900000 So it scans the contents of the email looking for things like social security 0:16:19.900000 --> 0:16:23.320000 numbers, looking for corporate intellectual property. 0:16:23.320000 --> 0:16:28.220000 You actually can configure what exactly you want to look for. 0:16:28.220000 --> 0:16:31.240000 So it has built-in rules or certain templates that it has that comes 0:16:31.240000 --> 0:16:35.580000 with standard to help identify personally identifiable information in 0:16:35.580000 --> 0:16:38.400000 outgoing email. But you can certainly modify those templates. 0:16:38.400000 --> 0:16:41.500000 You can add your own templates to it. 0:16:41.500000 --> 0:16:44.740000 So it gives you the ability to edit and create your own rules. 
0:16:44.740000 --> 0:16:48.780000 You can create a rule based on, hey, any email that is leaving the company 0:16:48.780000 --> 0:16:53.240000 that came from the CEO or came from John in marketing, I want to have 0:16:53.240000 --> 0:16:56.880000 different templates, different rules apply for data loss prevention for 0:16:56.880000 --> 0:17:00.620000 those individuals or email that's coming into the company. 0:17:00.620000 --> 0:17:03.280000 You could also apply it on that way as well. 0:17:03.280000 --> 0:17:07.700000 So what happens when data loss prevention is detected when, uh oh, we 0:17:07.700000 --> 0:17:10.100000 just discovered an email here that's got an attachment that according 0:17:10.100000 --> 0:17:14.640000 to our rules, according to our template, that shouldn't be there. 0:17:14.640000 --> 0:17:16.340000 Well, you get to configure the action. 0:17:16.340000 --> 0:17:19.820000 It's up to you. You can quarantine the email. 0:17:19.820000 --> 0:17:21.900000 You can drop it. 0:17:21.900000 --> 0:17:25.520000 Or you can choose to encrypt it. 0:17:25.520000 --> 0:17:29.660000 So that concludes this video on a high level introduction of the Cisco 0:17:29.660000 --> 0:17:32.080000 ESA. Thank you for watching.