Ignore Business Email Compromise test cases at your peril

Cisco Secure Email Threat Defense Protection test results.

SE LABS tested Cisco Secure Email Threat Defense, against a mixture of targeted attacks using well-established techniques and public attacks that were found to be live on the internet at the time of the test.

The results indicate how effectively the service was at detecting and/or protecting against those threats in real time and shortly after the attacks took place.

Loading…

Taking too long?

Reload document

| Open in new tab

Download

Factsheet

Cisco Secure Email Threat Defense

Good security testing is realistic, using the kinds of threats customers see in real life. This is why we put a lot of focus on Business Email Compromise (BEC) scenarios, rather than just more conventional threat types (like generic phishing and malware).

Many organisations focus on blocking spam and detecting malware, but BEC attacks present a different kind of threat. BEC targets the human element of email communication. Attackers craft convincing, fraudulent emails that appear to come from legitimate sources, tricking recipients into transferring money, sharing sensitive information or performing other actions that compromise the organisation.

BEC attacks exploit trust

BEC cases are not about malware detection or basic spam filtering. Instead, they exploit trust and authority. These attacks may bypass traditional security mechanisms because they often don’t contain malicious links or attachments. Instead, they rely on social engineering, making them incredibly dangerous and quite hard to spot by either people or technology.

Testing email security without BEC scenarios is to ignore a highly effective and popular method that attackers use every day to infiltrate businesses. It’s essential to ensure that email security solutions are able to recognise these nuanced threats and react accordingly.

Furthermore, adding security to a standard email platform shouldn’t be an afterthought. Many businesses assume that the platforms they use, such as Microsoft 365 or Google Workspace, have robust, built-in defences. While these platforms offer a solid baseline, they are not infallible. Attackers continuously evolve their tactics, exploiting gaps in standard security settings.

Cisco Secure Email Threat Defense

Comprehensive email security requires layered defences that integrate seamlessly with these platforms, providing advanced detection capabilities, including AI-driven anomaly detection, BEC filtering, and more.

By enhancing the built-in security of these platforms with products such as Cisco‘s, organisations can mitigate risks more effectively. Security should be adaptive and proactive, not reactive, ensuring that your organisation stays protected even as threats evolve. Including BEC scenarios in testing is an essential part of validating these systems’ robustness.

Network testing Standards, analysis and transparency

SE LABS tested the performance of the Cisco Secure Firewall 4225. We assessed its ability to operate under a variety of network loads, including a range of well-established but synthetic sets of traffic. We also used a more realistic mix of protocols.

This test is based on available standards of testing, including the methodology provided by the Internet Engineering Task Force. The results indicate how effectively the product was at handling network traffic in different circumstances, using the configuration specified.

Loading…

Taking too long?

Reload document

| Open in new tab

Download

Factsheet

Cisco Secure Firewall 4225

This test was conducted using recommendations made by the Internet Engineering Task Force for testing the performance of network security devices. Devices such as next-generation firewalls, intrusion detection and protection systems and unified threat management devices. At a minimum it should show, in a transparent and repeatable way, how the device under test handles network traffic of different types and in different scenarios.

On its own, the raw data is useful for comparing products with a view to choosing which is most suitable for your organisation.

We also ran an extended set of tests to see how a device would behave in a more realistic, production environment. This involved using a mixture of network traffic protocols and testing individual types of application traffic with the Cisco Secure Firewall 4225.

Cisco Secure Firewall 4225 performance test results

At SE Labs we don’t just publish raw figures, though. We use our knowledge and expertise to analyse that information to help add useful colour to the results.

The goal is to give a real-world opinion as to which figures are most important. We want to highlight where optimum performances are achieved and to explain why some details are more significant than others.

For example, a device might achieve an apparently strong performance when handling Voice over IP, but in real-life the human ear might struggle with sub-par connection quality. Conversely, what may seem like poor performance on paper might not be noticeable to users in a real deployment.

Testing standards and configurations

We have followed the available testing standards. This means you can verify our figures with reports generated by other test labs. It also gives you confidence that the testing was conducted correctly, while also being completely transparent about the configuration used. This configuration might not be the one you experience out of the box. Or might not be suitable for your own deployment. We’ve included configuration details so you can make a fully informed decision when comparing products and reports. See our full network performance testing methodology for more details.

Managing identity and access in the real world

Cisco Universal ZTNA test results by SE Labs.

SE LABS tested Cisco Universal Zero Trust Network Access (ZTNA) against a range of attacks designed to bypass traditional security controls.

These attacks were realistic, using the same tactics and techniques as those used against victims in recent months.

Testers attacked target systems protected by Cisco Universal ZTNA. These same testers acted in the same way as we observe advanced attack groups to behave.

Attacks initiated from the start of the attack chain, using stolen credentials, multi-factor flooding techniques and hijacked sessions.

Each attack was run from the very start to its obvious conclusion, which means attempting to steal, encrypt and destroy sensitive data on the target systems.

Full Report

Download the full report from Cisco’s website.

Cisco Universal ZTNA (Protection)

Factsheet

Cisco Universal ZTNA (Protection)

This report is the first independent assessment of a service that aims to make it more secure to connect to cloud services.

If you’re interested in IAM, SASE and ZTNA then this is the report for you. We’ll explain what all those terms mean here.

The general term for ensuring that only the right people (or computers) can gain access is called Identity and Access Management (IAM). This is an IAM security report, but you could just as well call it an Identity Threat Detection and Response test.

SASE: Beyond the VPN

Many organisations use services in the cloud, needing high-performance, well-controlled authentication. Data needs to be accessible, at high speeds, but using strong security.

And businesses need to manage this security simply.

Secure access used to be handled primarily by Virtual Private Networks (VPNs). Demand for faster, more flexible approaches means that we’re more likely to connect to a well-distributed cloud service.

This is what SASE means – Secure Access Service Edge. It offers Secure Access, providing this Service at a location close to the user, at the ‘Edge’ of the internet. SASE includes a number of services. The one we’re interested in here is authentication.

Zero Trust

A Zero Trust Network Access (ZTNA) approach to authentication means, simply, that a system should never trust another system. It requires verification every time access is needed. This approach often includes the use of multi-factor authentication (MFA). However, it can become much more advanced and look at context. Such context coudl be “why is Simon logging in from London and Indonesia at the same time?”

Does Cisco Universal ZTNA Work?

Cisco’s Universal Zero Trust Network Access (UZTNA) is a solution combining multiple products to provide zero trust authentication. In this test we tested like hackers, attempting to break in using different techniques from different part of the world. We are proud to present the results in this report.

Testing protection against fully featured attacks

Our Advanced Security test is unique, in that we test products by running a full attack. We follow every step of a breach attempt to ensure that the test is as realistic as possible. In this test we assess the capabilities of the Cisco Secure Firewall 4225.

Loading…

Taking too long?

Reload document

| Open in new tab

Download

Factsheet

Cisco Secure Firewall 4225

Early Protection Systems

There are many opportunities to spot and stop attackers. Products can detect them when attackers send phishing emails to targets. Or later, when other emails contain links to malicious code. Some kick into action when malware enters the system. Others sit up and notice when the attackers exhibit bad behaviour on the network.

Regardless of which stages your security takes effect, you probably want it to detect and prevent before the breach runs to its conclusion in the press.

Our Advanced Security test is unique, in that we test products by running a full attack. We follow every step of a breach attempt to ensure that the test is as realistic as possible.

This is important because different products can detect and prevent threats differently.

Ultimately you want your chosen security product to prevent a breach one way or another, but it’s more ideal to stop a threat early, rather than watch as it wreaks havoc before stopping it and trying to clean up.

Some products are designed solely to watch and inform, while others can also get involved and remove threats either as soon as they appear or after they start causing damage.

For the ‘watchers’ we run the Advanced Security test in Detection mode. For ‘stoppers’ like Cisco Secure Firewall 4225 we can demonstrate effectiveness by testing in Protection Mode.

In this report we look at how Cisco Secure Firewall 4225 handled full breach attempts. At which stages did it detect and protect? And did it allow business as usual, or mis-handle legitimate applications?

Understanding the capabilities of different security products is always better achieved before you need to use them in a live scenario. SE Labs’ Advanced Security test reports help you assess which are the best for your own organisation.

How we test the Cisco Secure Firewall 4225

SE LABS tested Cisco Secure Firewall 4225 against targeted attacks based on Threat Series: 9

These attacks are designed to compromise systems and penetrate target networks in the same way as the advanced persistent hacking groups known as Scattered Spider and APT29 operate to breach systems and networks.

Full chains of attack were used, meaning that testers behaved as real attackers, probing targets using a variety of tools, techniques and vectors before attempting to gain lower-level and more powerful access. Finally, the testers/attackers attempted to complete their missions, which might include stealing information, damaging systems and connecting to other systems on the network.

Choose your reports and reviews carefully

Cisco Secure Endpoint – DETECTION

Testing protection against fully featured attacks

SE Labs tested Cisco Secure Endpoint against targeted attacks based on the Turla threat. These attacks are designed to compromise systems and penetrate target networks in the same way as the advanced persistent hacking group known as Turla operates to breach systems and networks.

An Endpoint Detection and Response (EDR) product is more than anti-virus, which is why it requires advanced testing. This means testers must behave like real attackers, following every step of an attack. While it’s tempting to save time by taking shortcuts, a tester must go through an entire attack to truly understand the capabilities of EDR security products.

Loading…

Taking too long?

Reload document

| Open in new tab

Download

Results – Cisco Secure Endpoint (Detection)

Cisco scored a 100% Detection Accuracy Rating for detecting every element of the Turla attacks, starting from the delivery of the spear phishing attachment through to all the subsequent malicious activities in the attack chain. It also prevented all of the malicious activities from running, incurring no penalties for allowing the full or partial execution of targeted attacks. The product did not generate false positives, meaning that it didn’t wrongly detect or hamper harmless, legitimate software.

Read more of our reports here.

Cisco Secure Endpoint

Testing protection against fully featured attacks

SE Labs tested Cisco Secure Endpoint – Protection against targeted attacks based on the Turla threat. These attacks are designed to compromise systems and penetrate target networks in the same way as the advanced persistent hacking group known as Turla operates to breach systems and networks.

There are many opportunities to spot and stop attackers. Products can detect them when attackers send phishing emails to targets. Or later, when other emails contain links to malicious code. Some kick into action when malware enters the system. Others sit up and notice when the attackers exhibit bad behaviour on the network.

Ultimately you want your chosen security product to prevent a breach one way or another, but it’s more ideal to stop a threat early, rather than watch as it wreaks havoc before stopping it and trying to clean up.

Loading…

Taking too long?

Reload document

| Open in new tab

Download

Results

Cisco Secure Endpoint scored a 100% Protection Accuracy Rating for blocking every threat at the initial delivery stage. The product did not generate any false positives, meaning that it didn’t wrongly detect or hamper harmless, legitimate software.

It also prevented all of the malicious activities from running, incurring no penalties for allowing the full or partial execution of targeted attacks.

Choose your reports and reviews carefully

We pride ourselves on a level of transparency that elevates our work above the less open reports available. But don’t just take our word for it. Our results help vendors improve their products and buyers choose the best for their own needs.