Data Loss Prevention (DLP) in Office 365

Shobhit Sahay, Technical Product Manager, Microsoft Corporation

Upload: collin-lloyd

Post on 18-Dec-2015


TRANSCRIPT

Page 1: System glitches Malicious intentOops! 39% 24% 37% 97% avoidable! Online Trust Alliance: 2013 Data Protection and Breach Readiness Guide

Data Loss Prevention (DLP) in Office 365

Shobhit Sahay
Technical Product Manager
Microsoft Corporation

Page 2:

• Why use Data Loss Prevention?

• DLP for End User [DEMO]

• DLP Policy Management [DEMO]

• How does DLP perform content analysis

• DLP Policy Tips and Document Fingerprinting [DEMO]

• Reporting & Logging [if time allows, appendix]

• Extending DLP for your business

Agenda at a glance

Page 3:

What causes a breach?

[Chart: System glitches, Malicious intent, Oops!; values shown: 39%, 24%, 37%]

97% avoidable!

Online Trust Alliance: 2013 Data Protection and Breach Readiness Guide

Page 4:

Data Loss Prevention in Exchange

Helps to

• identify
• monitor
• protect

sensitive data through deep content analysis

Identify

Protect

Monitor

End user education

Page 5:

Purchasing DLP

• DLP is a Premium Feature!
• Cannot buy standalone

Available in Exchange Online
• A3/A4
• G3/G4
• E3/E4

Available in Exchange Server 2013
• Requires an Exchange Enterprise Client Access License (CAL) with services

http://office.microsoft.com/en-us/exchange/microsoft-exchange-server-licensing-licensing-overview-FX103746915.aspx

Note: Can be used with Exchange 2010 with limited functionality

Page 6:

Demo

Outlook Policy Tips (or an IW’s view of DLP)

Page 7:

Policy distribution

Contextual policy education

DLP policy configuration

Backend policy evaluation

Audit & incident data generation

Admin

Information workers

DLP system walkthrough

Page 8:

DLP Policy Enforcement

Flexible tools for policy enforcement that provide the right level of control

• Transport Rules
• Rights Management
• Data Loss Prevention

ALERT

CLASSIFY

ENCRYPT

APPEND OVERRIDE

REVIEW

REDIRECT

BLOCK

Page 9:

DLP policy templates

Built-in templates based on common regulations

Import DLP policy templates from security partners

Build your own

Page 10:

What are DLP policy templates?

XML configuration that defines policy objectives

Built atop Exchange transport rules

Management and deployment through Exchange standard interfaces – Web and PowerShell

XML

Conditions

• Content to monitor

• User action
• Mail flow actions

Classification rules

contains

Policies

• Credit cards
• EU debit cards

Name

Page 11:

DLP policy rules

Built on transport rules

Supports discovery phase of compliance

Take action to enforce policy

Hold, block, audit & provide notification for email that contains sensitive business data

Transport rule conditions

DLP specific action – Policy Tip

Exceptions

DLP specific condition

Transport rule actions

Page 12:

Demo

DLP policy management

Page 13:

Sensitive content detection

Predefined rules targeted at sensitive data types

Advanced content detection

Combination of regular expressions, dictionaries, and internal functions (e.g. validate checksum on credit card numbers)

Extensibility for customer and ISV defined data types

Page 14:

Built-in DLP content areas

Columns: Country, PII, Financial, Health

• US. PII: US State Security Breach Laws, US State Social Security Laws, COPPA. Financial: GLBA & PCI-DSS (Credit, Debit Card, Checking and Savings, ABA, Swift Code).
• Germany. PII: EU data protection, Drivers License, Passport, National Id. Financial: EU Credit, Debit Card, IBAN, VAT, BIC, Swift Code.
• UK. PII: Data Protection Act, UK National Insurance, Tax Id, UK Driver License, Passport. Financial: EU Credit, Debit Card, IBAN, BIC, VAT, Swift Code.
• Canada. PII: PIPED Act, Social Insurance, Drivers License. Financial: Credit Card, Swift Code.
• France. PII: EU data protection, Data Protection Act, National Id (INSEE), Drivers License, Passport. Financial: EU Credit, Debit Card, IBAN, BIC, VAT, Swift Code.
• Japan. PII: PIPA, Resident Registration, Social Insurance, Passport, Driving License. Financial: Credit Card, Bank Account, Swift Code.
• Australia. PII: Drivers License, Passport, Social Insurance. Financial: Credit Card, Bank Account, Swift Code.

Health: Limited Investment: US HIPAA, UK Health Service, Canada Health Insurance card. Rely on Partners and ISVs.

Page 15:

DLP content detection architecture

Integrated into Exchange Transport Rule (ETR) engine

Runs in categorizer during OnResolvedMessage

Integrated as a new ETR Predicate

Performs text extraction for body & attachments followed by classification

Can be combined with any existing Predicates & Actions

[Diagram labels: SMTP receive; Categorizer; Queue management; Message delivery; Store driver; Text extraction; Transport rule agent; Classification]

Page 16:

Content analysis process

Examples

Get Content
Joseph F. Foster
Visa: 4485 3647 3952 7352
Expires: 2/2012

RegEx Analysis
4485 3647 3952 7352: a 16 digit number is detected

Function Analysis
1. 4485 3647 3952 7352 matches checksum
2. 1234 1234 1234 1234 does NOT match

Additional Evidence
1. Keyword Visa is near the number
2. A regular expression for date (2/2012) is near the number

Verdict
1. There is a regular expression that matches a check sum
2. Additional evidence increases confidence
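The four stages on this slide (regex match, checksum function, nearby evidence, verdict) can be sketched as follows. This is an added example, not Exchange's implementation: the regular expressions, keyword list, 100-character window and the 65/75/85 confidence scale are assumptions chosen for illustration.

```python
import re

# Assumed patterns and weights for illustration; Exchange's own rule definitions differ.
CARD_RE = re.compile(r"\b(?:\d[ -]?){15}\d\b")                   # 16 digits, optional separators
DATE_RE = re.compile(r"\b(?:0?[1-9]|1[0-2])/(?:\d{4}|\d{2})\b")  # e.g. 2/2012
KEYWORDS = ("visa", "mastercard", "credit card", "expires")
WINDOW = 100          # characters of context searched on each side (assumed)
BASE, STEP = 65, 10   # constructed confidence scale, not the product's values


def luhn_ok(digits: str) -> bool:
    """Function analysis: Luhn checksum over the digit string."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:            # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def analyse(text: str) -> list:
    """Return one finding per checksum-valid card number, with evidence and confidence."""
    findings = []
    for m in CARD_RE.finditer(text):                      # RegEx analysis
        digits = re.sub(r"\D", "", m.group())
        if not luhn_ok(digits):                           # drops 1234 1234 1234 1234
            continue
        # Additional evidence: search the text around the match, not the match itself.
        context = (text[max(0, m.start() - WINDOW):m.start()] + " " +
                   text[m.end():m.end() + WINDOW]).lower()
        evidence = []
        if any(k in context for k in KEYWORDS):
            evidence.append("keyword")
        if DATE_RE.search(context):
            evidence.append("date")
        findings.append({"digits": digits, "evidence": evidence,
                         "confidence": BASE + STEP * len(evidence)})
    return findings


# Constructed sample built from the slide's own example text.
SAMPLE = "Joseph F. Foster\nVisa: 4485 3647 3952 7352\nExpires: 2/2012"

if __name__ == "__main__":
    for finding in analyse(SAMPLE):
        print(finding)
```

A checksum-valid number with no keyword or date nearby still produces a finding, only at the lowest confidence, which is the case a policy rule threshold has to decide on.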

Page 17:

DLP Document Fingerprinting

Advanced deep content analysis enabling new scenarios!

A tax firm needs to detect and encrypt standard tax forms, like the 1040 EZ, W2, etc.

Company Confidential documents like Patents detected based on their template

A law firm can fingerprint legal forms, and have them detected automatically for policy application

Integrates with the existing DLP infrastructure as a custom sensitive information type

Surfaced in Exchange, Outlook and OWA

Page 18:

Document Fingerprinting - Configuration

CONFIGURATION

Get Template Content
Fabrikam Patent Form Tracking Number Author Date Invention Title Names of all authors...

Create Fingerprint
1. Condensed representation of the hashed template content
2. Stored as a custom sensitive information type

Reference in Policy Rule
CLASSIFICATION RULE with FINGERPRINT
1. Add fingerprint to policy rules together with other conditions
2. Map to desired actions

Fingerprint generation from template documents

Fingerprint stored as custom sensitive type

Configured in policy rules as any other custom sensitive type

Page 19:

Document Fingerprinting - Runtime

RUNTIME

Get Email Content
Fabrikam Patent Form Tracking Number 12345 Author Alex Date 1/28/2014 Invention Title Fabrikam Green Energy...

Create Fingerprint
1. Temporary in memory representation
2. Used for comparison with source fingerprint created at config time

Verdict
1. Compare the two fingerprints
2. Evaluate a ‘containment coefficient’ to declare a match

POLICY RULES REFERENCES TO PREVIOUSLY GENERATED FINGERPRINTS

FINGERPRINT GENERATION

Evaluation + verdict

Fingerprint generated at run-time for target attachment

Fingerprint evaluated against configured fingerprints for template documents

Match declared based on ‘containment coefficient’

Page 20:

Putting it all together

CONFIGURATION

Get Template Content
Fabrikam Patent Form Tracking Number Author Date Invention Title Names of all authors...

Create Fingerprint
1. Condensed representation of the template content
2. Document is not stored
3. Stored as a sensitive information type

CLASSIFICATION RULE with FINGERPRINT

RUNTIME

Get Email Content
Fabrikam Patent Form Tracking Number 12345 Author Alex Date 1/28/2014 Invention Title Fabrikam Green Energy...

Create Fingerprint
1. Temporary in memory representation
2. Used for comparison with source fingerprint created at config time

Verdict
1. Compare the two fingerprints
2. Evaluate a ‘containment coefficient’ to declare template contained in email content

FINGERPRINT GENERATION

Evaluation + verdict

Page 21:

b-Bit Minwise Hashing

INPUT TEXT
This is a test. I love DLP and Fingerprinting.

STEP 1
Break into Shingles of length 2

This is / Is a / a test / test I / I Love / Love DLP / DLP and / And Fingerprinting

64 bit hash value of the shingle (e.g., This is 1010101010101110100111000111)

Hash 1 (universal hash function)

Hash 2 (hash function with random dispersion)

STEP 2
Convert to a 64 bit value (hash it!)

STEP 3
Map the 64 bit value randomly to 1024 other 64 bit values

STEP 4
Reduce each 64 bit value to a 16 bit value (LSB Mask)

Apply a 16 bit mask
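The four steps above, plus the runtime comparison from the fingerprinting slides, as an added example that is not Exchange's code. Assumptions: BLAKE2b stands in for both hash functions, the per-function minimum is the standard minwise step implied by the slide title, and the containment coefficient is derived from the estimated resemblance and the two shingle counts, which the slides do not spell out.

```python
import hashlib
import re

NUM_HASHES = 1024   # step 3: derived 64-bit values per shingle
MASK = 0xFFFF       # step 4: keep the 16 least significant bits


def shingles(text: str, k: int = 2) -> set:
    """Step 1: overlapping k-word shingles, lower-cased, punctuation dropped."""
    words = re.findall(r"\w+", text.lower())
    return {" ".join(words[i:i + k]) for i in range(len(words) - k + 1)}


def h64(data: bytes, salt: bytes = b"") -> int:
    """64-bit BLAKE2b digest; the salt selects one of the derived hash functions."""
    return int.from_bytes(hashlib.blake2b(data, digest_size=8, salt=salt).digest(), "big")


def fingerprint(text: str) -> tuple:
    """Steps 2-4. Returns (sketch of 1024 16-bit values, shingle count)."""
    base = [h64(s.encode()).to_bytes(8, "big") for s in shingles(text)]   # step 2
    if not base:
        raise ValueError("need at least two words to build a shingle")
    sketch = [min(h64(b, i.to_bytes(2, "big")) for b in base) & MASK      # steps 3-4
              for i in range(NUM_HASHES)]
    return sketch, len(base)


def estimated_containment(template_fp: tuple, message_fp: tuple) -> float:
    """Estimate |T ∩ M| / |T| from two sketches (assumed derivation, see lead-in)."""
    (t_sketch, t_n), (m_sketch, m_n) = template_fp, message_fp
    r = sum(a == b for a, b in zip(t_sketch, m_sketch)) / NUM_HASHES   # ~ |T∩M| / |T∪M|
    return min(1.0, r * (t_n + m_n) / ((1 + r) * t_n))


def exact_containment(template: str, message: str) -> float:
    """Ground truth on the raw shingle sets, for checking the estimate."""
    t, m = shingles(template), shingles(message)
    return len(t & m) / len(t)


# Constructed samples taken from the slide text.
TEMPLATE = "Fabrikam Patent Form Tracking Number Author Date Invention Title Names of all authors"
EMAIL = ("Fabrikam Patent Form Tracking Number 12345 Author Alex Date 1/28/2014 "
         "Invention Title Fabrikam Green Energy")

if __name__ == "__main__":
    print(exact_containment(TEMPLATE, EMAIL))
    print(estimated_containment(fingerprint(TEMPLATE), fingerprint(EMAIL)))
```

On these samples the filled-in form contains only 5 of the template's 12 two-word shingles (containment about 0.42), because each inserted field value breaks a shingle, so a match threshold has to be tuned against real filled-in documents.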

Page 22:

Empower users to manage their compliance

Contextual policy education

Doesn’t disrupt user workflow

Can work even when disconnected

Admin customizable text and actions

Outlook

OWA

User education

Page 23:

Policy Tips in OWA for devices

Page 24:

Demo

Tying it all together (Policy Tips and Document Fingerprints)

Page 25:

NEW in SP1 – EXCHANGE and OUTLOOK 2013

Exchange DLP Feature Set

Deep content analysis engine

46 OOB sensitive information types

40 OOB DLP Templates

Support for 3rd party defined DLP policy templates

Policy Tips in OWA and Mobile OWA

Advanced Document Fingerprinting in Exchange, Outlook, and OWA

5 new OOB sensitive information types

Policy Tips in Outlook 2013

Contextual user education and empowerment

Incident management Rich reporting

EXCHANGE and OUTLOOK 2013

Page 26:

Classification integration with SharePoint through FAST index demoed at SPC keynote [Feb]

DLP in E-discovery Search

Page 27:

Q&A

Page 28:

Appendix

Page 29:

Reporting & Logging

Page 31:

Exchange DLP Reporting and Auditing

Comprehensive view of DLP policy performance

Downloadable Excel workbook

Drill into specific departures from policy to gain business insights

Page 32:

Extending DLP for your business

Page 33:

Customizing Your DLP Deployments

Identify

Protect

Monitor

End user education

• Custom policy templates
• Tuning of built-in types
• Custom sensitive types

• Real-time incident reports
• Policy rule reports
• Policy audit mode

• Flexible policy authoring system
• Rich policy conditions and actions

• End-user false positive reporting
• Configurable end-user education content

Page 34:

DLP Deployment Phases

Plan

• Start with built-in templates to assist meeting your business or regulatory requirements
• Customize policy rules, sensitive types and scope
• Target a pilot group of users

Tune

• Set policies to test and notify modes
• Enable incident reports to assess impact of rules
• Tune based on false positive reports and hit rates

Enable

• Switch policies to enforce mode
• Continue to tune based on report data trends

Page 35:

Customizing End User Policy Tips

Customize Policy Tip messages
Messages for notification, block and override can be customized.

Customize link for user education
Specify an internal URL with company policies around handling sensitive content.

Custom classification rule names are displayed here.

Page 36:

DLP extensibility points

Custom DLP content:
Supplemental DLP policy templates
Supplemental DLP classification rules

Incident reports integration with custom workflows

Custom agents for additional conditions and actions

Custom reporting solutions
E.g. MessageStats Business Insights from Dell

Page 37:

Resources

Exchange 2013 DLP introduction
http://blogs.technet.com/b/exchange/archive/2012/09/28/introducing-data-loss-prevention-in-the-new-exchange.aspx
http://technet.microsoft.com/en-us/library/jj150527.aspx

DLP policy templates
http://technet.microsoft.com/en-us/library/jj657730

Managing DLP policies
http://technet.microsoft.com/en-us/library/jj673559

OOB DLP policy templates
http://technet.microsoft.com/en-us/library/jj150530

Policy tips in Exchange 2013
http://technet.microsoft.com/en-us/library/jj150512

Supported file types
http://technet.microsoft.com/en-us/library/jj674307

MessageStats Quick Guide
http://mbidemo.quest.com/Insights/#page/home

Page 38:

© 2014 Microsoft Corporation. All rights reserved. Microsoft, Windows, and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries. The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.