Data Loss Prevention (DLP) in Office 365
Shobhit Sahay
Technical Product Manager
Microsoft Corporation
Agenda at a glance
• Why use Data Loss Prevention?
• DLP for End User [DEMO]
• DLP Policy Management [DEMO]
• How does DLP perform content analysis
• DLP Policy Tips and Document Fingerprinting [DEMO]
• Reporting & Logging [if time allows, appendix]
• Extending DLP for your business
What causes a breach?
System glitches
Malicious intent
Oops!
39%
24%
37%
97% avoidable!
Online Trust Alliance: 2013 Data Protection and Breach Readiness Guide
Data Loss Prevention in Exchange Helps to
• identify
• monitor
• protect
sensitive data through deep content analysis
Identify
Protect
Monitor
End user education
Purchasing DLP
• DLP is a Premium Feature!
• Cannot buy standalone
Available in Exchange Online
• A3/A4
• G3/G4
• E3/E4
Available in Exchange Server 2013
• Requires an Exchange Enterprise Client Access License (CAL) with services
http://office.microsoft.com/en-us/exchange/microsoft-exchange-server-licensing-licensing-overview-FX103746915.aspx
Note: Can be used with Exchange 2010 with limited functionality
Demo
Outlook Policy Tips (or an IW’s view of DLP)
Policy distribution
Contextual policy education
DLP policy configuration
Backend policy evaluation
Audit & incident data generation
Admin
Information workers
DLP system walkthrough
DLP Policy Enforcement
Flexible tools for policy enforcement that provide the right level of control
• Transport Rules
• Rights Management
• Data Loss Prevention
ALERT
CLASSIFY
ENCRYPT
APPEND
OVERRIDE
REVIEW
REDIRECT
BLOCK
DLP policy templates
Built-in templates based on common regulations
Import DLP policy templates from security partners
Build your own
What are DLP policy templates?
XML configuration that defines policy objectives
Built atop Exchange transport rules
Management and deployment through Exchange standard interfaces – Web and PowerShell
XML
Conditions
• Content to monitor
• User action
• Mail flow actions
Classification rules
contains
Policies
• Credit cards
• EU debit cards
Name
DLP policy rules
Built on transport rules
Supports discovery phase of compliance
Take action to enforce policy
Hold, block, audit & provide notification for email that contains sensitive business data
Transport rule conditions
DLP specific action – Policy Tip
Exceptions
DLP specific condition
Transport rule actions
Demo
DLP policy management
Sensitive content detection
Predefined rules targeted at sensitive data types
Advanced content detection
Combination of regular expressions, dictionaries, and internal functions (e.g. validate checksum on credit card numbers)
Extensibility for customer and ISV defined data types
Built-in DLP content areas
Columns: Country, PII, Financial, Health
US
• PII: US State Security Breach Laws, US State Social Security Laws, COPPA
• Financial: GLBA & PCI-DSS (Credit, Debit Card, Checking and Savings, ABA, Swift Code)
Germany
• PII: EU data protection, Drivers License, Passport, National Id
• Financial: EU Credit, Debit Card, IBAN, VAT, BIC, Swift Code
UK
• PII: Data Protection Act, UK National Insurance, Tax Id, UK Driver License, Passport
• Financial: EU Credit, Debit Card, IBAN, BIC, VAT, Swift Code
Canada
• PII: PIPED Act, Social Insurance, Drivers License
• Financial: Credit Card, Swift Code
France
• PII: EU data protection, Data Protection Act, National Id (INSEE), Drivers License, Passport
• Financial: EU Credit, Debit Card, IBAN, BIC, VAT, Swift Code
Japan
• PII: PIPA, Resident Registration, Social Insurance, Passport, Driving License
• Financial: Credit Card, Bank Account, Swift Code
Australia
• PII: Drivers License, Passport, Social Insurance
• Financial: Credit Card, Bank Account, Swift Code
Health
• Limited Investment: US HIPAA, UK Health Service, Canada Health Insurance card
• Rely on Partners and ISVs
DLP content detection architecture
Integrated into Exchange Transport Rule (ETR) engine
Runs in categorizer during OnResolvedMessage
Integrated as a new ETR Predicate
Performs text extraction for body & attachments followed by classification
Can be combined with any existing Predicates & Actions
Diagram labels: SMTP receive; Categorizer; Queue management; Message delivery; Store driver; Text extraction; Transport rule agent; Classification
Content analysis process
Examples
Get Content
Joseph F. Foster
Visa: 4485 3647 3952 7352
Expires: 2/2012
RegEx Analysis
4485 3647 3952 7352: a 16 digit number is detected
Function Analysis
1. 4485 3647 3952 7352 matches checksum
2. 1234 1234 1234 1234 does NOT match
Additional Evidence
1. Keyword Visa is near the number
2. A regular expression for date (2/2012) is near the number
Verdict
1. There is a regular expression that matches a check sum
2. Additional evidence increases confidence
DLP Document Fingerprinting
Advanced deep content analysis enabling new scenarios!
A tax firm needs to detect and encrypt standard tax forms, like the 1040 EZ, W2, etc.
Company Confidential documents like Patents detected based on their template
A Law firm can fingerprint legal forms, and have them detected automatically for policy application
Integrates with the existing DLP infrastructure as a custom sensitive information type
Surfaced in Exchange, Outlook and OWA
Document Fingerprinting - Configuration
Get Template Content
Fabrikam Patent Form Tracking Number Author Date Invention Title Names of all authors...
Create Fingerprint
1. Condensed representation of the hashed template content
2. Stored as a custom sensitive information type
Reference in Policy Rule (classification rule with fingerprint)
1. Add fingerprint to policy rules together with other conditions
2. Map to desired actions
Fingerprint generation from template documents
Fingerprint stored as custom sensitive type
Configured in policy rules as any other custom sensitive type
Document Fingerprinting - Runtime
Get Email Content
Fabrikam Patent Form Tracking Number 12345 Author Alex Date 1/28/2014 Invention Title Fabrikam Green Energy...
Create Fingerprint
1. Temporary in memory representation
2. Used for comparison with source fingerprint created at config time
Verdict
1. Compare the two fingerprints
2. Evaluate a ‘containment coefficient’ to declare a match
Diagram labels: policy rules with references to previously generated fingerprints; fingerprint generation; evaluation + verdict
Fingerprint generated at run-time for target attachment
Fingerprint evaluated against configured fingerprints for template documents
Match declared based on ‘containment coefficient’
Putting it all together
Configuration
Get Template Content
Fabrikam Patent Form Tracking Number Author Date Invention Title Names of all authors...
Create Fingerprint
1. Condensed representation of the template content
2. Document is not stored
3. Stored as a sensitive information type
Runtime
Get Email Content
Fabrikam Patent Form Tracking Number 12345 Author Alex Date 1/28/2014 Invention Title Fabrikam Green Energy...
Create Fingerprint
1. Temporary in memory representation
2. Used for comparison with source fingerprint created at config time
Verdict
1. Compare the two fingerprints
2. Evaluate a ‘containment coefficient’ to declare template contained in email content
Diagram labels: classification rule with fingerprint; fingerprint generation; evaluation + verdict
b-Bit Minwise Hashing
INPUT TEXT
This is a test. I love DLP and Fingerprinting.
STEP 1
Break into Shingles of length 2
This is | Is a | a test | test I | I Love | Love DLP | DLP and | And Fingerprinting
STEP 2
Convert to a 64 bit value (hash it!)
64 bit hash value of the shingle (e.g., This is 1010101010101110100111000111)
STEP 3
Map the 64 bit value randomly to 1024 other 64 bit values
STEP 4
Reduce each 64 bit value to a 16 bit value (LSB Mask)
Apply a 16 bit mask
Hash functions shown on the slide:
Hash 1 (universal hash function)
Hash 2 (hash function with random dispersion)
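
The four hashing steps above, together with the containment check from the runtime slides, as an added example that is not Exchange's implementation. It assumes BLAKE2b as the hash, a salted re-hash as the random mapping, the per-mapping minimum as the minwise step, and a Jaccard-to-containment conversion that the slides do not specify; the two texts are constructed from the Fabrikam sample on the slides.

```python
import hashlib
import re

# Constructed sample texts, taken from the Fabrikam form shown on the slides.
TEMPLATE = ("Fabrikam Patent Form Tracking Number Author Date "
            "Invention Title Names of all authors")
EMAIL = ("Fabrikam Patent Form Tracking Number 12345 Author Alex Date 1/28/2014 "
         "Invention Title Fabrikam Green Energy")

NUM_HASHES = 1024   # step 3: derived 64-bit values per shingle
MASK_16 = 0xFFFF    # step 4: keep the 16 least significant bits

def shingles(text, k=2):
    """Step 1: overlapping word shingles of length k (lower-cased)."""
    words = re.findall(r"[\w/]+", text.lower())
    return {" ".join(words[i:i + k]) for i in range(len(words) - k + 1)}

def hash64(data, salt=0):
    """64-bit hash; each salt value gives a different pseudo-random mapping."""
    return hashlib.blake2b(data, digest_size=8,
                           salt=salt.to_bytes(8, "little")).digest()

def fingerprint(text):
    """Steps 2-4: return (1024 16-bit values, number of shingles)."""
    base = [hash64(s.encode()) for s in shingles(text)]          # step 2
    if not base:
        return [], 0
    sig = []
    for i in range(1, NUM_HASHES + 1):
        smallest = min(hash64(h, salt=i) for h in base)          # step 3 + minimum
        sig.append(int.from_bytes(smallest, "big") & MASK_16)    # step 4
    return sig, len(base)

def containment(template_fp, content_fp):
    """Estimate |T ∩ C| / |T| from two fingerprints (assumed formula)."""
    (sig_t, n_t), (sig_c, n_c) = template_fp, content_fp
    if not n_t or not n_c:
        return 0.0
    # Fraction of agreeing slots estimates the Jaccard similarity J.
    jaccard = sum(a == b for a, b in zip(sig_t, sig_c)) / NUM_HASHES
    # |T ∩ C| = J * (|T| + |C|) / (1 + J); divide by |T| for containment.
    return min(1.0, jaccard * (n_t + n_c) / ((1 + jaccard) * n_t))

if __name__ == "__main__":
    print(round(containment(fingerprint(TEMPLATE), fingerprint(EMAIL)), 2))
```

On these two texts the exact containment is 5/12, because each filled-in value splits the template's two-word shingles around it; the estimate from the fingerprints lands close to that figure.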
Empower users to manage their compliance
Contextual policy education
Doesn’t disrupt user workflow
Can work even when disconnected
Admin customizable text and actions
Outlook
OWA
User education
Policy Tips in OWA for devices
Demo
Tying it all together (Policy Tips and Document Fingerprints)
NEW in SP1 – EXCHANGE and OUTLOOK 2013
Exchange DLP Feature Set
Deep content analysis engine
46 OOB sensitive information types
40 OOB DLP Templates
Support for 3rd party defined DLP policy templates
Policy Tips in OWA and Mobile OWA
Advanced Document Fingerprinting in Exchange, Outlook, and OWA
5 new OOB sensitive information types
Policy Tips in Outlook 2013
Contextual user education and empowerment
Incident management
Rich reporting
EXCHANGE and OUTLOOK 2013
Classification integration with SharePoint through FAST index demoed at SPC keynote [Feb]
DLP in E-discovery Search
Q&A
Appendix
Reporting & Logging
Incident reports
Audit data
Classification
Rule details
Exchange DLP Reporting and Auditing
Comprehensive view of DLP policy performance
Downloadable excel workbook
Drill into specific departures from policy to gain business insights
Extending DLP for your business
Customizing Your DLP Deployments
Identify
Protect
Monitor
End user education
• Custom policy templates
• Tuning of built-in types
• Custom sensitive types
• Real-time incident reports
• Policy rule reports
• Policy audit mode
• Flexible policy authoring system
• Rich policy conditions and actions
• End-user false positive reporting
• Configurable end-user education content
DLP Deployment Phases
Plan
• Start with built-in templates to assist meeting your business or regulatory requirements
• Customize policy rules, sensitive types and scope
• Target a pilot group of users
Tune
• Set policies to test and notify modes
• Enable incident reports to assess impact of rules
• Tune based on false positive reports and hit rates
Enable
• Switch policies to enforce mode
• Continue to tune based on report data trends
Customizing End User Policy Tips
Customize Policy Tip messages
Messages for notification, block and override can be customized.
Customize link for user education
Specify an internal URL with company policies around handling sensitive content.
Custom classification rule names are displayed here.
DLP extensibility points
Custom DLP content:
Supplemental DLP policy templates
Supplemental DLP classification rules
Incident reports integration with custom workflows
Custom agents for additional conditions and actions
Custom reporting solutions
E.g. MessageStats Business Insights from Dell
Resources
Exchange 2013 DLP introduction
http://blogs.technet.com/b/exchange/archive/2012/09/28/introducing-data-loss-prevention-in-the-new-exchange.aspx
http://technet.microsoft.com/en-us/library/jj150527.aspx
DLP policy templates
http://technet.microsoft.com/en-us/library/jj657730
Managing DLP policies
http://technet.microsoft.com/en-us/library/jj673559
OOB DLP policy templates
http://technet.microsoft.com/en-us/library/jj150530
Policy tips in Exchange 2013
http://technet.microsoft.com/en-us/library/jj150512
Supported file types
http://technet.microsoft.com/en-us/library/jj674307
MessageStats Quick Guide
http://mbidemo.quest.com/Insights/#page/home
© 2014 Microsoft Corporation. All rights reserved. Microsoft, Windows, and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries.The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.