Exchange 2013 – Exchange Online Data Loss Prevention
Exchange Data Loss Prevention in Exchange 2013 - Exchange Online

Oct 31, 2014

Jethro Seghers

 
Transcript
Page 1: Exchange Data Loss Prevention in Exchange 2013 - Exchange Online

Exchange 2013 – Exchange Online

Data Loss Prevention

Page 2: Exchange Data Loss Prevention in Exchange 2013 - Exchange Online

Jethro Seghers

Blogger

Twitter: @jseghers

E-mail: [email protected]

[email protected]

http://blog.j-solutions.be

Consultant

Trainer

Page 3: Exchange Data Loss Prevention in Exchange 2013 - Exchange Online

“Large Retailer Leaks Payment Information via Email…”

“Accidental email with attachment exposed hundreds of individuals’ names and Social Security Numbers…”

Page 4: Exchange Data Loss Prevention in Exchange 2013 - Exchange Online

www.devconnections.com

DATA LOSS PREVENTION IN THE REAL WORLD

WHAT IS SENSITIVE DATA

Page 7: Exchange Data Loss Prevention in Exchange 2013 - Exchange Online

HOW DO PEOPLE EXPOSE SENSITIVE DATA

DLP

Page 8: Exchange Data Loss Prevention in Exchange 2013 - Exchange Online

End User Education

Monitor

Protect

Identify Sensitive Data

Page 9: Exchange Data Loss Prevention in Exchange 2013 - Exchange Online

DLP IS DESIGNED TO PREVENT ACCIDENTAL DISCLOSURE

IT WILL NOT:

Provide a 100% unbreakable solution to data loss

Prevent analog data loss

Stop the malicious insider

Stop the external threats

Page 10: Exchange Data Loss Prevention in Exchange 2013 - Exchange Online

CHALLENGES IN REAL LIFE SCENARIOS: COMPLIANCY MANAGER

Are we compliant?

Are there problems?

Our business needs these compliancy rules!

Can I create my own compliancy rules?

Page 11: Exchange Data Loss Prevention in Exchange 2013 - Exchange Online

CHALLENGES IN REAL LIFE SCENARIOS: ADMINISTRATOR

How will this affect my end users?

How much sensitive data is flowing through the system?

How do I report this all to management?

How do I educate my end users?

Will it scan my attachments?

What client updates are necessary?

What type of policies should I use?

Page 12: Exchange Data Loss Prevention in Exchange 2013 - Exchange Online

CHALLENGES IN REAL LIFE SCENARIOS: INFORMATION WORKER

Why is this new rule applied?

I just want to work!

I want to be able to override the rule if I need to

Page 13: Exchange Data Loss Prevention in Exchange 2013 - Exchange Online

CHALLENGE: DATA LOSS PREVENTION

Keeps sensitive data safe

WITHOUT interrupting the daily Line of Business of the user.

Page 14: Exchange Data Loss Prevention in Exchange 2013 - Exchange Online

DEMO: Data Loss Protection in action

Page 15: Exchange Data Loss Prevention in Exchange 2013 - Exchange Online

OUTLOOK POLICY TIPS: LESSONS LEARNED

Doesn’t interrupt daily business

Will work in Offline Mode

Contextual User Education

Only works with Outlook 2013

Requires that the full Office 2013 Professional Plus Edition be installed

All the DLP processing happens on the client

No support for OWA at RTM, up to RTM CU2

Page 16: Exchange Data Loss Prevention in Exchange 2013 - Exchange Online

OUTLOOK POLICY TIPS: LESSONS LEARNED

Outlook will connect to the ExternalUrl defined in the EWS Virtual Directory and download the new/updated Policy Definition Files.

Policy Tips are updated when Outlook opens or once every 24 hours.

Outlook 2013 updates the following registry key with the last time that it downloaded a policy:

HKEY_Current_User\Software\Microsoft\Office\15.0\Outlook\PolicyNudges\LastDownloadTimePerAccount

Page 17: Exchange Data Loss Prevention in Exchange 2013 - Exchange Online

OUTLOOK POLICY TIPS: TROUBLESHOOTING

Be sure that you have the correct version of the client

Check that ExternalUrl is configured

Try to delete the registry key (previous slide) that holds the last download date and time.

Check for the presence of the XML in the profile (Users\<User>\Appdata\Local\Microsoft\Outlook)

Page 18: Exchange Data Loss Prevention in Exchange 2013 - Exchange Online

WHAT DOES DLP PROTECT

DLP will scan content in the mail and attachments

LIMITATIONS

DLP cannot scan password secured files.

DLP can only work with Encrypted messages and attachments if the DLP agent has the ability to decrypt the data. Not the case in Exchange Online.

Page 19: Exchange Data Loss Prevention in Exchange 2013 - Exchange Online

SCANNING ATTACHMENT LIMITATIONS

The following file extensions are scanned:

Extensions | Type

Doc, docx, xls, xlsx, ppt, pptx | Word, Excel, PowerPoint (2003-2013)

Txt, csv | Text files

Zip, GZIP (GZ), RAR, TAR (Tape Archive), UU Encode (UUE), Mime, S/Mime, TNEF, MSG, MacBin | Archive Files

RTF | Rich Text Format

HTML/XML | Internet File

PDF | Portable Document Format (in text)

Page 20: Exchange Data Loss Prevention in Exchange 2013 - Exchange Online

DEMO: Manage Data Loss Prevention

Page 21: Exchange Data Loss Prevention in Exchange 2013 - Exchange Online

ADMINISTRATION OF DLP

Start from built-in Template

Import DLP Policy

New Custom DLP policy

Page 22: Exchange Data Loss Prevention in Exchange 2013 - Exchange Online

STRUCTURE OF A DLP POLICY

XML structure

Defines:

Name

Enforcing Options

Policy Definition

Classification of the content (e.g. contains CC info, …)

User Action

Mail Flow Options

Page 23: Exchange Data Loss Prevention in Exchange 2013 - Exchange Online

BEHAVIOR ENFORCING OPTIONS

TEST WITHOUT NOTIFICATIONS

TEST WITH NOTIFICATIONS

ENFORCE

Page 24: Exchange Data Loss Prevention in Exchange 2013 - Exchange Online

CLASSIFICATION OF CONTENT

This content would match for Credit Cards

Get Content

RegEx Analysis

Function Analysis

Additional Evidence

Verdict

ACME Travel,
I have received updated credit card information for Joseph
Joseph F. Foster
Visa: 4485 3647 3952 7352 -> CHECKSUM: OK
Expires: 2/2012
Please update his travel profile.

Page 25: Exchange Data Loss Prevention in Exchange 2013 - Exchange Online

CLASSIFICATION OF CONTENT

Get Content

RegEx Analysis

Function Analysis

Additional Evidence

Verdict

Hi Alex,
I expect to be in Hawaii too. My booking code is 1234 1234 1234 1234 and I’ll be there on 3/2012 -> CHECKSUM = not OK
Regards,
lisa
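The classification stages from these two slides (RegEx analysis, function analysis, additional evidence, verdict), run over both sample messages. This is an added Python example, not Exchange's own rule engine or rule package; the candidate pattern, keyword list and proximity window are assumptions.

```python
import re

# RegEx analysis: 16 digits in groups of four, optional space or dash between groups.
CANDIDATE = re.compile(r"\b\d{4}(?:[ -]?\d{4}){3}\b")
# Additional evidence: assumed keyword list, not the product's own dictionary.
EVIDENCE = re.compile(r"credit card|visa|mastercard|amex|expires|cvv", re.I)
WINDOW = 300  # assumed proximity window (characters) around the candidate


def luhn_ok(number: str) -> bool:
    """Function analysis: Luhn checksum over the digits of the candidate."""
    digits = [int(c) for c in number if c.isdigit()]
    total = 0
    for i, d in enumerate(reversed(digits)):
        if i % 2 == 1:      # double every second digit, counting from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def classify(text: str) -> list[dict]:
    """Regex -> checksum -> nearby evidence -> verdict, per candidate found."""
    results = []
    for m in CANDIDATE.finditer(text):
        checksum = luhn_ok(m.group())
        nearby = text[max(0, m.start() - WINDOW): m.end() + WINDOW]
        evidence = bool(EVIDENCE.search(nearby))
        results.append({
            "candidate": m.group(),
            "checksum": checksum,
            "evidence": evidence,
            "match": checksum and evidence,   # verdict needs both signals
        })
    return results


# The two sample messages shown on the slides.
ACME = ("ACME Travel,\nI have received updated credit card information for Joseph\n"
        "Joseph F. Foster\nVisa: 4485 3647 3952 7352\nExpires: 2/2012\n"
        "Please update his travel profile.")
LISA = ("Hi Alex,\nI expect to be in Hawaii too. My booking code is "
        "1234 1234 1234 1234 and I'll be there on 3/2012\nRegards,\nlisa")

if __name__ == "__main__":
    for name, msg in (("ACME", ACME), ("LISA", LISA)):
        print(name, classify(msg))
```

The booking code passes the regex stage but fails the checksum and has no corroborating keywords nearby, so it does not produce a match.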

Page 26: Exchange Data Loss Prevention in Exchange 2013 - Exchange Online

USER ACTION & FLOW OPTIONS

Integrated with the Exchange Transport Rules Engine

Allows us to use already built-in predicates and actions

New actions:

Notify sender

Block Sender (with/out) override (with/out) business justification

Block Sender unless false positive

Page 27: Exchange Data Loss Prevention in Exchange 2013 - Exchange Online

THE DIFFERENT COMPONENTS

Transport Rules Agent

Policy Engine

Action Taken on the message

Classification Agent

Text Extraction Agent

Page 28: Exchange Data Loss Prevention in Exchange 2013 - Exchange Online

DEMO: AUDIT & INCIDENT REPORTING

Page 29: Exchange Data Loss Prevention in Exchange 2013 - Exchange Online

INCIDENT REPORTS

Audit data

Classification

Rule details

Page 30: Exchange Data Loss Prevention in Exchange 2013 - Exchange Online

DATA LOSS PREVENTION RECAP

Page 31: Exchange Data Loss Prevention in Exchange 2013 - Exchange Online

DLP policy configuration

Outlook policy distribution

Contextual policy education

Audit & incident data generation

Admin

Information Workers

Backend policy evaluation

Page 32: Exchange Data Loss Prevention in Exchange 2013 - Exchange Online

EXAMPLE OF DEPLOYMENT FLOW

1. Define Sensitive Data

2. Translate it to DLP

   1. Name

   2. Rules

   3. Classification

   4. Test DLP with/out Policy Tips and make sure DLP rules don’t interfere with other transport rules.

3. Analyze Results

4. Update DLP

   1. Change rules where needed

   2. Change DLP to enforce if needed.

Page 33: Exchange Data Loss Prevention in Exchange 2013 - Exchange Online

Q&A