CyberGraph 2.0 - Getting Started Guide

Updated

This guide describes the process of configuring the CyberGraph environment.

The initial configuration should be applied to a sub-organization for testing and propagation. Once testing is complete, the configuration must be updated to apply to the entire organization.

Overview

This document helps new CyberGraph customers set up their CyberGraph environment.

There are two different Getting Started customer scenarios to which this applies:

  1. New Mimecast customers
  2. Already using Mimecast Cloud Gateway and are now adding CyberGraph

This does not apply to Email Security Cloud Integrated (Cloud Integrated) because CyberGraph is a single feature within Cloud Integrated - For information regarding the Cloud Integrated banners feature, see Policy Detection Engines.

For new Mimecast customers, you should first configure Cloud Gateway.  As a new or existing customer, once Mimecast Cloud Gateway is correctly configured with inbound and outbound mail flow established, you can proceed to configure CyberGraph. See Cloud Gateway Guides & Resources.

As best practice for CyberGraph implementation, start small and narrow and expand as feature operations are confirmed. This means:

      • Configure CyberGraph banners initially in Learning Mode so CyberGraph's social graph silently learns your organization's mail patterns before enabling end-user banners. This will reduce false positives and over-bannering, which might result in "banner fatigue" for your end users.
      • When enabling banners, start with a pilot group before expanding to all, leaving the remaining users to continue in Learning Mode. This will help with troubleshooting and help you assess the best settings adjustments for your organization.
      • For the same scoping reasons as above, consider starting with just banners and later adding the image tracker removal feature (Tracker) and Misaddressed Email Protection.
      • Also, alert your end users about the new product and what they can expect in their mails. Links to some helpful templates are mentioned below.

The below steps should be implemented in order unless otherwise indicated.

Configuring CyberGraph Policies

Your first step is to configure the initial CyberGraph Policy. See CyberGraph 2.0 - Policy Configuration.

Best Practices:

      • Your initial Policy should specify the Learning Mode and it should be from everyone to everyone. This will allow the AI-based social graph to learn your messaging patterns.  The CyberGraph dashboards will indicate rules being triggered and you can review this information to decide if any rules are so noisy, that they should be disabled.
      • The Learning Mode Policy should be left to run for at least two weeks depending on your traffic volumes. Smaller organizations with fewer users should allow this learning period to continue longer - 4 weeks.

After the learning period, add another Policy to specify a pilot group to test the banners (for example your IT department or testing group).

When adding the pilot group, it is recommended that you enable user reporting (default) as part of the banner testing. Also, we recommend that the pilot group includes users who are actively sending emails, i.e. not test accounts.

When you ultimately enable CyberGraph banners for your entire organization, you may want to disable banner reporting if you have any concerns about end-user confusion or conflict with other message reporting tools. When disabled, the banners appear without any reporting button.

Trusted Sites configuration

For bannering to work, and the Tracker feature as well, you need to configure Trusted Sites to automatically download Mimecast images which will be external sender images.

Because Outlook Web Access and the New Outlook for Windows client do not support Trusted Sites settings and therefore cannot display the dynamic image banners by default, organizations using these products should configure CyberGraph for text banners. See Banners section of Configuration Settings.

Note the following regarding configuring Trusted Sites:

Information on how to configure Trusted Sites for Windows and Apple devices is listed in CyberGraph 2.0 - Trusted Sites.

This may require another department's assistance, as the configuration needs to be done using Windows (or Apple) administration tools. Depending on the change control Policies in your organization, this process could have a significant lead time. This can be done ahead of or in parallel to, the above Policy configuration.

Once you believe the change is completed and is in effect, confirm this is true by checking the Outlook settings on a few devices (your own can be one). You can confirm this in the Outlook Options area under "Trust Center". You want to ensure under the Trust Center Settings that the checkbox is enabled to Permit downloads from Trusted Security zones.

gettingstrtedguidecyg2.jpg

Testing Banners

You can test banner enablement, via a couple of methods

      • Send an inbound message from any external domain (that is not safe listed per below), such as a personal email service. If you have never received mail from that address (or if sending to a colleague if they haven't), you should get a banner about the first-time sender and/or likely a  "never replied" rule banner
      • Work with Mimecast Technical Support or your on-boarding consultant. Mimecast technical staff can trigger a banner in your environment via an internal tool, for purposes of testing the banners functionality.

CyberGraph Application Settings for Banners

After setting up your Policies and Trusted Sites,

  1. Log in to the Mimecast Administration Console,
  2. In the left navigation menu under More Services, navigate to CyberGraph | Settings.
2025-05-21_12-40-36.png

Some of these need to be configured initially, and some can wait till later, as described.

Here you will find the CyberGraph dashboards and the Settings Page.

2025-05-27_22-31-58.png

 

      1. Single Sign On: The default method for end-user banner reporting is a secure one-click method known as login-less.  If you decide you want to use your SSO provider instead, you can enable that here, but since your initial state is Learning Mode with no banners, this can be done later. See Cybergraph 2.0 - Single Sign-On.
      2. Quantity of Banners: This allows the selection of the banner for Targeted or Broad threats. See the Quantity of Banners section of the Configuration Settings article here: CyberGraph 2.0 - Configuration Settings
      3. Name Matching Configuration: Leave these as the default - they can be adjusted based on your pilot experience. See CyberGraph 2.0 - Configuration Settings.
      4. Banner Configurations: The language setting allows administrators to select the language for banners and the banner reporting page to apply to all users. The banner can be configured in either Image or Text banners (See this article about when Text banners are needed: CyberGraph 2.0 - Dynamic Banners ). Again, this can be done later since you will initially be in learning mode. You can also customize the text in this area (many customers use this feature to provide bilingual banner messages for their global users - this is a global account setting). See: CyberGraph 2.0 - Configuration Settings
      5. Inline Dynamic Banner: You can choose to disable rules and customize banner messages. This is another area that should be changed only once you have banner experience (e.g., if a particular rule seems too noisy). Like the area above, you can customize the text shown for each rule.

Domain Safelist

On the Domain Safelist tab of the CyberGraph Settings page, you can specify a set of domains for which bannering should be skipped. You would want to do this if your pilot experience finds that certain senders are triggering banners too often. This tends to happen for commercial senders - like newsletters or business partners. You can safelist their domains to skip bannering. Note: only domains can be added. Specific sender-safe listing is done only on an individual level via banner "Mark Safe" reporting.

Notification Subscriptions

On this tab, you can elect to subscribe to two different kinds of notifications.

      • Tracker Summary notification. When you enable the Tracker feature, you can receive a daily or weekly summary of Tracker activity. This is the same information as is found on the Tracker Dashboard pages.
      • Report Dangerous Notification: When a user reports a mail as Dangerous (but not when they receive a suspicious message), you will receive a notification email.

Don't forget to subscribe to Mimecast Service Status update notifications. Select the subscribe button in the upper right side of the status page.

Tracker feature

As part of the initial Policy configuration, you can specify if you want to enable the Tracker feature (image tracker removal). It may be helpful, as a best practice, for the sake of troubleshooting control, to add this later, so you can adjust and troubleshoot bannering, before adding in Tracker.

Before enabling the Tracker feature, consult with your Marketing department. Although CyberGraph Tracker does not operate on outgoing emails, it may interfere with any image-tracking capabilities that your Marketing team relies on from a third-party provider. If this is the case, it is advisable to implement a bypass (override) policy for these users to exclude them from the Tracker feature.

When enabling the Tracker feature, you can also put certain domains on the 'watch list' to flag images as suspect for Tracking. (For example, you can add certain Competitor domains to watch for.) This is done on the Tracker tab of the CyberGraph settings page. See CyberGraph 2.0 - Configuration Settings.

Misaddressed Email Protection

This is another optional feature that you can enable to monitor outgoing mail and hold messages that might be mistakenly addressed to an uninvolved person instead of the intended recipient. You might want to do this after confirming the success of your bannering program - to help isolate initial setup troubleshooting activity. 

It is recommended, that like Banners, MEP be initiated in the "No Action" audit mode (similar to Learning mode) so that it can learn outbound patterns before commencing to hold mails. Matches will be logged but email will not be held under this option setting.
To configure MEP, see Misaddressed Email Protect - Administrator Guide.

Notify Users

Be sure to notify your end users of the new messaging experience (bannering and MEP if enabled). You can use these templates to alert end users.

Troubleshooting Guide

If you experience operational issues after getting CyberGraph implemented, please reference the CyberGraph Troubleshooting Guide.

Related to

Was this article helpful?
2 out of 2 found this helpful

Comments

0 comments

Please sign in to leave a comment.