Exchange Data Loss Prevention in Exchange 2013 - Exchange Online
Exchange 2013 – Exchange Online: Data Loss Prevention
Jethro Seghers
Blogger, Consultant, Trainer
Twitter: @jseghers
E-mail: [email protected]
Blog: http://blog.j-solutions.be
“Large Retailer Leaks Payment Information via Email…”
“Accidental email with attachment exposed hundreds of individuals’ names and Social Security Numbers…”
www.devconnections.com
DATA LOSS PREVENTION IN THE REAL WORLD
WHAT IS SENSITIVE DATA
HOW DO PEOPLE EXPOSE SENSITIVE DATA
DLP
Identify Sensitive Data
Monitor
Protect
End User Education
DLP IS DESIGNED TO PREVENT ACCIDENTAL DISCLOSURE
It will NOT:
Provide a 100% unbreakable solution to data loss
Prevent analog data loss
Stop the malicious insider
Stop the external threats
CHALLENGES IN REAL LIFE SCENARIOS: COMPLIANCE MANAGER
Are we compliant?
Are there problems?
Our business needs these compliance rules!
Can I create my own compliance rules?
CHALLENGES IN REAL LIFE SCENARIOS: ADMINISTRATOR
How will this affect my end users?
How much sensitive data is flowing through the system?
How do I report this all to management?
How do I educate my end users?
Will it scan my attachments?
What client updates are necessary?
What type of policies should I use?
CHALLENGES IN REAL LIFE SCENARIOS: INFORMATION WORKER
Why is this new rule applied?
I just want to work!
I want to be able to override the rule if I need to
CHALLENGE: DATA LOSS PREVENTION
Keeps sensitive data safe
WITHOUT interrupting the daily Line of Business of the user.
DEMO: Data Loss Protection in action
OUTLOOK POLICY TIPS: LESSONS LEARNED
Doesn’t interrupt daily business
Will work in Offline Mode
Contextual User Education
Only works with Outlook 2013
Requires that the full Office 2013 Professional Plus Edition be installed
All the DLP processing happens on the client
No support for OWA at RTM, up to RTM CU2
OUTLOOK POLICY TIPS: LESSONS LEARNED
Outlook connects to the ExternalUrl defined on the EWS Virtual Directory and downloads the new/updated Policy Definition Files.
Policy Tips are updated when Outlook is opened, or once every 24 hours.
Outlook 2013 records the time of the last policy download in the following registry key:
HKEY_Current_User\Software\Microsoft\Office\15.0\Outlook\PolicyNudges\LastDownloadTimePerAccount
OUTLOOK POLICY TIPS: TROUBLESHOOTING
Be sure that you have the correct version of the client
Check that ExternalUrl is configured
Try to delete the registry key (previous slide) that holds the last download date and time
Check for the presence of the XML in the profile (Users\<User>\AppData\Local\Microsoft\Outlook)
WHAT DOES DLP PROTECT
DLP will scan content in the mail body and in attachments.
LIMITATIONS
DLP Cannot scan password secured files.
DLP can only work with Encrypted messages and attachments if the DLP agent has the ability to decrypt the data. Not the case in Exchange Online.
SCANNING ATTACHMENT LIMITATIONS
The following file extensions are scanned (extensions: type):
doc, docx, xls, xlsx, ppt, pptx: Word, Excel, PowerPoint (2003-2013)
txt, csv: Text files
zip, gzip (gz), rar, tar (Tape Archive), UUEncode (uue), MIME, S/MIME, TNEF, msg, MacBin: Archive files
rtf: Rich Text Format
html/xml: Internet files
pdf: Portable Document Format (text content)
DEMO: Manage Data Loss Prevention
ADMINISTRATION OF DLP
Start from a built-in Template
Import a DLP Policy
New Custom DLP Policy
STRUCTURE OF A DLP POLICY
An XML structure that defines:
Name
Enforcing Options
Policy Definition: classification of the content (e.g. contains credit card info, …)
User Action
Mail Flow Options
BEHAVIOR ENFORCING OPTIONS
TEST WITHOUT NOTIFICATIONS
TEST WITH NOTIFICATIONS
ENFORCE
CLASSIFICATION OF CONTENT
Stages: Get Content, RegEx Analysis, Function Analysis, Additional Evidence, Verdict
This content would match for Credit Cards:
ACME Travel,
I have received updated credit card information for Joseph
Joseph F. Foster
Visa: 4485 3647 3952 7352 -> CHECKSUM: OK
Expires: 2/2012
Please update his travel profile.
CLASSIFICATION OF CONTENT
Stages: Get Content, RegEx Analysis, Function Analysis, Additional Evidence, Verdict
Hi Alex,
I expect to be in Hawaii too. My booking code is 1234 1234 1234 1234 and I’ll be there on 3/2012 -> CHECKSUM = not OK
Regards, Lisa
USER ACTION & FLOW OPTIONS
Integrated with the Exchange Transport Rules Engine
Allows us to use the already built-in predicates and actions
New actions:
Notify sender
Block sender, with or without override, with or without business justification
Block sender unless false positive
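As an added example (not from the slides and not Exchange's own code), the following Python models the five classification stages shown in the two credit card slides, then applies the three enforcing options and the resulting sender actions to the Joseph and Lisa messages. The regular expression, the keyword list, the 300-character evidence window, the Luhn mod-10 check standing in for "function analysis", and the mode and action labels are all assumptions chosen for illustration; Exchange's built-in classification rules are more elaborate. The two sample messages are constructed from the slide text.

```python
"""Simplified model of the DLP classification pipeline from the slides:
Get Content -> RegEx Analysis -> Function Analysis -> Additional Evidence -> Verdict,
followed by the policy's enforcing mode deciding which actions are taken.
Illustrative only: patterns, window and labels are assumptions, not Exchange's rule definitions."""
import re
from dataclasses import dataclass, field

# RegEx analysis: 16 digits, optionally separated by single spaces or dashes.
# Assumed pattern, narrower than the built-in credit card classification rule.
CANDIDATE_RE = re.compile(r"\b\d(?:[ -]?\d){15}\b")

# Additional evidence: a card keyword or an expiry date near the candidate (assumed lists).
KEYWORD_RE = re.compile(r"\b(visa|mastercard|amex|credit card|card number|expir(?:es|y|ation))\b", re.I)
EXPIRY_RE = re.compile(r"\b(0?[1-9]|1[0-2])/(\d{4}|\d{2})\b")


def luhn_ok(digits: str) -> bool:
    """Function analysis: Luhn mod-10 checksum that payment card numbers satisfy."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:            # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


@dataclass
class Verdict:
    matched: bool = False
    # one (raw_text, checksum_ok, evidence_found) tuple per candidate number
    candidates: list = field(default_factory=list)


def classify_credit_card(text: str, window: int = 300) -> Verdict:
    """Run the analysis stages over the extracted text and return the verdict."""
    verdict = Verdict()
    for m in CANDIDATE_RE.finditer(text):                    # RegEx analysis
        raw = m.group(0)
        checksum_ok = luhn_ok(re.sub(r"\D", "", raw))        # Function analysis
        lo, hi = max(0, m.start() - window), min(len(text), m.end() + window)
        nearby = text[lo:hi]
        evidence = bool(KEYWORD_RE.search(nearby) or EXPIRY_RE.search(nearby))  # Additional evidence
        verdict.candidates.append((raw, checksum_ok, evidence))
        if checksum_ok and evidence:                         # Verdict: both are required
            verdict.matched = True
    return verdict


# Enforcing options from the slides and the actions each takes on a match
# (assumed labels; every mode generates audit/incident data, only Enforce blocks).
MODES = {
    "TestWithoutNotifications": ["AuditIncident"],
    "TestWithNotifications": ["AuditIncident", "NotifySender"],
    "Enforce": ["AuditIncident", "NotifySender", "BlockSender"],
}


def evaluate_message(text: str, mode: str) -> list:
    """Return the actions the policy would take on this message in the given mode."""
    if mode not in MODES:
        raise ValueError(f"unknown enforcing mode: {mode!r}")
    return list(MODES[mode]) if classify_credit_card(text).matched else []


# Constructed sample messages, adapted from the slide examples.
JOSEPH_MSG = (
    "ACME Travel,\n"
    "I have received updated credit card information for Joseph\n"
    "Joseph F. Foster\n"
    "Visa: 4485 3647 3952 7352\n"
    "Expires: 2/2012\n"
    "Please update his travel profile.\n"
)
LISA_MSG = (
    "Hi Alex,\n"
    "I expect to be in Hawaii too. My booking code is 1234 1234 1234 1234 "
    "and I'll be there on 3/2012\n"
    "Regards, Lisa\n"
)

if __name__ == "__main__":
    for who, msg in (("Joseph", JOSEPH_MSG), ("Lisa", LISA_MSG)):
        v = classify_credit_card(msg)
        print(f"{who}: {v.candidates} -> {'MATCH' if v.matched else 'no match'}")
        for mode in MODES:
            print(f"  {mode}: {evaluate_message(msg, mode)}")
```

Running it prints one line per message with the candidate numbers found and the actions per mode. Lisa's booking code passes the regular expression and even has a date nearby, but fails the checksum, so no mode takes any action on it; Joseph's Visa number passes all stages, and only the Enforce mode adds the block action on top of the audit and notification.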
THE DIFFERENT COMPONENTS
Transport Rules Agent
Policy Engine
Action taken on the message
Classification Agent
Text Extraction Agent
DEMO: AUDIT & INCIDENT REPORTING
INCIDENT REPORTS
Audit data
Classification
Rule details
DATA LOSS PREVENTION: RECAP
DLP policy configuration
Outlook policy distribution
Contextual policy education
Audit & incident data generation
Backend policy evaluation
Roles involved: Admin, Information Workers
EXAMPLE OF DEPLOYMENT FLOW
1. Define Sensitive Data
2. Translate it to DLP
   1. Name
   2. Rules
   3. Classification
   4. Test DLP with/without Policy Tips and make sure DLP rules don’t interfere with other transport rules.
3. Analyze Results
4. Update DLP
   1. Change rules where needed
   2. Change DLP to enforce if needed.
Q&A