Exchange 2013 – Exchange Online
Data Loss Prevention
Jethro Seghers
Exchange Data Loss Prevention in Exchange 2013 - Exchange Online
Published in: Technology
  • These were not malicious hackers or intentional leaking of information. This was done unintentionally by end users, by either connecting the wrong data to emails or sending information to the wrong recipient.
  • There are 3 categories of sensitive data that are relevant in this session:
      • Personal data: your ethnic or racial origin; political opinion; religious or other similar beliefs; memberships; physical or mental health details; personal life; or criminal or civil offences. These examples of information are protected by your civil rights.
      • Society sensitive data: social security numbers, credit card data, passport information.
      • Company sensitive data: data that is defined as sensitive by the company.
  • 25% of all lost data happens by accident. Source: “Data loss by the numbers”, a white paper by McAfee: http://www.mcafee.com/us/resources/white-papers/wp-data-loss-by-the-numbers.pdf
  • It helps to identify, monitor and protect sensitive data through deep content analysis.
      • Identify: through the classification engine that has been built into Exchange to identify sensitive data and attach to it a set of rules on what has to happen when that data is detected.
      • Monitor: with a yearly review and a set of tools, we want to know what kind of sensitive data is flowing through the organization and what business impact it would have if we deployed a certain set of DLP rules, without interrupting any LOB applications and without interrupting day-to-day business processes.
      • Protection: an array of different options; it depends on the environment and the context of interaction. If you want to protect communication with an external partner, you use e.g. hosted encryption; if you want to protect certain communication internally, you might want to use IRM. The same is the case with sending sensitive data: sending 5 credit card numbers to another internal department can require a whole other set of rules than sending 100 credit cards to an external recipient. The system can define which kind of protection is needed on what level.
      • End user education: change behavior.
  • In this demo I’ll cover DLP in action. This will cover the end user side of DLP. Examples: User adds a single VISA number to an external recipient. This rule blocks but can be overridden. User can send it to an internal recipient. We’ll do the same for multiple VISA numbers stored in a document for internal & external numbers. Those rules cannot be overridden. This demo will be executed in Outlook 2013 and OWA. In this demo we’ll show the difference between Outlook 2013 and OWA. Make sure you show the things that make up the Lessons Learned slide. Use Fiddler to see how it connects to Exchange (Online).
  • Will check the number of attachments…
  • The three enforcing options:
      • Enforce: Rules within the policy are evaluated for all messages and supported file types. Mail flow can be disrupted if data is detected that meets the conditions of the policy. All actions described within the policy are taken.
      • Test DLP policy with Policy Tips: Rules within the policy are evaluated for all messages and supported file types. Mail flow will not be disrupted if data is detected that meets the conditions of the policy. That is, messages are not blocked. If Policy Tips are configured, they are shown to users.
      • Test DLP policy without Policy Tips: Rules within the policy are evaluated for all messages and supported file types. Mail flow will not be disrupted if data is detected that meets the conditions of the policy. That is, messages are not blocked. If Policy Tips are configured, they are not shown to users.
  • Text Extraction Agent:
      • Does the text extraction of information that will be fed into the classification engine
      • Only extracts content from known file types
  • Classification Engine:
      • Does deep content analysis and matches it to classifications
      • Content needs to be in text format when it feeds into the classification engine
      • Custom classifications can be developed by third parties or customers
      • Custom classifications can be imported into the classification engine
  • Policy Engine:
      • Brains of the operation
      • Knows the rules and classifications
      • Moves the data through the different components and the different stages
      • Will eventually take action based on results of examination
Transcript of "Exchange Data Loss Prevention in Exchange 2013 - Exchange Online"

    1. Exchange 2013 – Exchange Online Data Loss Prevention
    2. Jethro Seghers
    3.
    4. www.devconnections.com DATA LOSS PREVENTION IN THE REAL WORLD WHAT IS SENSITIVE DATA
    5. WHAT IS SENSITIVE DATA
    6. WHAT IS SENSITIVE DATA
    7. HOW DO PEOPLE EXPOSE SENSITIVE DATA
        • DLP
    8. DLP IS DESIGNED TO PREVENT ACCIDENTAL DISCLOSURE
        • IT WILL NOT
            • Provide a 100% unbreakable solution to data loss
            • Prevent analog data loss
            • Stop the malicious insider
            • Stop the external threats
    9. CHALLENGES IN REAL LIFE SCENARIOS: COMPLIANCY MANAGER
        • Are we compliant?
        • Are there problems?
        • Our business needs these compliancy rules!
        • Can I create my own compliancy rules?
    10. CHALLENGES IN REAL LIFE SCENARIOS: ADMINISTRATOR
        • How will this affect my end users?
        • How much sensitive data is flowing through the system?
        • How do I report this all to management?
        • How do I educate my end users?
        • Will it scan my attachments?
        • What client updates are necessary?
        • What type of policies should I use?
    11. CHALLENGES IN REAL LIFE SCENARIOS: INFORMATION WORKER
        • Why is this new rule applied?
        • I just want to work!
        • I want to be able to override the rule if I need to
    12. CHALLENGE: DATA LOSS PREVENTION
        • Keeps sensitive data safe
        • WITHOUT interrupting the daily Line of Business of the user.
    13. DEMO: Data Loss Protection in action
    14. OUTLOOK POLICY TIPS: LESSONS LEARNED
        • Doesn’t interrupt daily business
        • Will work in Offline Mode
        • Contextual User Education
        • Only works with Outlook 2013
        • Requires that the full Office 2013 Professional Plus Edition be installed
        • All the DLP processing happens on the client
        • No support for OWA at RTM, up to RTM CU2
    15. OUTLOOK POLICY TIPS: LESSONS LEARNED
        • Outlook will connect to the ExternalUrl defined in the EWS Virtual Directory and download the new/updated Policy Definition Files.
        • Updating Policy Tips happens during opening of Outlook or once every 24 hours.
        • Outlook 2013 updates the following registry key the last time that it downloaded a policy: HKEY_Current_User\Software\Microsoft\Office\15.0\Outlook\PolicyNudges\LastDownloadTimePerAccount
    16. OUTLOOK POLICY TIPS: TROUBLESHOOTING
        • Be sure that you have the correct version of the client
        • Check that ExternalUrl is configured
        • Try to delete the registry key (previous slide) that holds the last download date and time.
        • Check the presence of the XML in the profile (Users\<User>\AppData\Local\Microsoft\Outlook)
    17. WHAT DOES DLP PROTECT
        • DLP will scan content in the mail and attachments
        • LIMITATIONS
            • DLP cannot scan password secured files.
            • DLP can only work with encrypted messages and attachments if the DLP agent has the ability to decrypt the data. Not the case in Exchange Online.
    18. SCANNING ATTACHMENT LIMITATIONS
        • The following file extensions are scanned (extensions: type):
            • Doc, docx, xls, xlsx, ppt, pptx: Word, Excel, PowerPoint (2003-2013)
            • Txt, csv: Text files
            • Zip, GZIP (GZ), RAR, TAR (Tape Archive), UU Encode (UUE), Mime, S/Mime, TNEF, MSG, MacBin: Archive files
            • RTF: Rich Text Format
            • HTML/XML: Internet file
            • PDF: Portable Document Format (in text)
    19. DEMO: Manage Data Loss Prevention
    20. ADMINISTRATION OF DLP
        • Start from built-in Template
        • Import DLP Policy
        • New Custom DLP policy
    21. STRUCTURE OF A DLP POLICY
        • XML structure
        • Defines
            • Name
            • Enforcing Options
            • Policy Definition
            • Classification of the content (e.g. contains CC info, …)
            • User Action
            • Mail Flow Options
    22. BEHAVIOR ENFORCING OPTIONS
        • TEST WITHOUT NOTIFICATIONS
        • TEST WITH NOTIFICATIONS
        • ENFORCE
    23. CLASSIFICATION OF CONTENT
        • Stages: Get Content, RegEx Analysis, Function Analysis, Additional Evidence, Verdict
        • This content would match for Credit Cards:
            ACME Travel, I have received updated credit card information for Joseph
            Joseph F. Foster
            Visa: 4485 3647 3952 7352 -> CHECKSUM: OK
            Expires: 2/2012
            Please update his travel profile.
    24. CLASSIFICATION OF CONTENT
        • Stages: Get Content, RegEx Analysis, Function Analysis, Additional Evidence, Verdict
        • Sample content:
            Hi Alex,
            I expect to be in Hawaii too. My booking code is 1234 1234 1234 1234 and I’ll be there on 3/2012 -> CHECKSUM = not OK
            Regards, lisa
    25. USER ACTION & FLOW OPTIONS
        • Integrated with the Exchange Transport Rules Engine
        • Allows us to use already built-in predicates and actions
        • New actions
            • Notify sender
            • Block Sender (with/out) override (with/out) business justification
            • Block Sender unless false positive
    26. THE DIFFERENT COMPONENTS
        • Transport Rules Agent
        • Policy Engine
        • Action Taken on the message
        • Classification Agent
        • Text Extraction Agent
    27. DEMO: AUDIT & INCIDENT REPORTING
    28. INCIDENT REPORTS
        • Audit data
        • Classification
        • Rule details
    29. DATA LOSS PREVENTION RECAP
    30. Recap diagram labels:
        • DLP policy configuration
        • Outlook policy distribution
        • Contextual policy education
        • Audit & incident data generation
        • Admin
        • Information Workers
        • Backend policy evaluation
    31. EXAMPLE OF DEPLOYMENT FLOW
        1. Define Sensitive Data
        2. Translate it to DLP
            1. Name
            2. Rules
            3. Classification
            4. Test DLP with/out Policy Tips and make sure DLP rules don’t interfere with other transport rules.
        3. Analyze Results
        4. Update DLP
            1. Change rules where needed
            2. Change DLP to enforce if needed.
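The deployment flow on the last slide, written out as Exchange Management Shell commands. This is an added example, not part of the original deck: the policy and rule names and the threshold of 5 numbers are assumptions, and the two rules mirror the demo described in the speaker notes (one card number to an external recipient can be overridden, multiple numbers cannot).

```powershell
# Added example. Policy/rule names and the minCount of 5 are assumptions.
$policy = 'Contoso Card Data'

# Steps 1-2: translate the sensitive-data definition into a DLP policy and rules.
# AuditAndNotify = test with Policy Tips; Audit = test without Policy Tips.
New-DlpPolicy -Name $policy -Mode AuditAndNotify

# A single card number to an external recipient: block, but the sender may
# override with a business justification.
New-TransportRule -Name "$policy - one card, external" -DlpPolicy $policy `
    -Mode AuditAndNotify -SentToScope NotInOrganization `
    -MessageContainsDataClassifications @{Name = 'Credit Card Number'; minCount = '1'} `
    -NotifySender RejectUnlessExplicitOverride -SetAuditSeverity Medium

# Multiple card numbers, any recipient: block with no override.
New-TransportRule -Name "$policy - many cards" -DlpPolicy $policy `
    -Mode AuditAndNotify `
    -MessageContainsDataClassifications @{Name = 'Credit Card Number'; minCount = '5'} `
    -NotifySender RejectMessage -SetAuditSeverity High

# Check where the DLP rules sit relative to the other transport rules.
Get-TransportRule | Sort-Object Priority |
    Format-Table Priority, Name, DlpPolicy, Mode, State -AutoSize

# Step 3: analyze the audit and incident data gathered while in test mode.
# Step 4: change rules where needed, then switch policy and rules to Enforce.
Set-DlpPolicy -Identity $policy -Mode Enforce
Get-TransportRule -DlpPolicy $policy | Set-TransportRule -Mode Enforce
```

While the rules run in AuditAndNotify, mail flow is not disrupted, so the override and block behaviour only takes effect after the final two commands.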
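The classification stages from slides 23 and 24 (RegEx Analysis, Function Analysis, Additional Evidence, Verdict), reproduced as a small PowerShell sketch. This is an added example and not Exchange's own classification code: the pattern, the keyword list and the rule "checksum OK plus at least one keyword" are assumptions, and the two messages are adapted from the slides.

```powershell
# Added example; pattern, keywords and verdict rule are assumptions.
$candidatePattern = '\b(?:\d{4}[ -]?){3}\d{4}\b'           # 16 digits in groups of four
$evidencePattern  = '(?i)\b(visa|credit card|expires)\b'   # corroborating keywords

function Test-LuhnChecksum {
    param([string]$Candidate)
    # Function analysis: Luhn checksum over the digits, read right to left.
    $digits = @(($Candidate -replace '\D', '').ToCharArray() |
        ForEach-Object { [int][string]$_ })
    [array]::Reverse($digits)
    $sum = 0
    for ($i = 0; $i -lt $digits.Count; $i++) {
        $d = $digits[$i]
        if ($i % 2 -eq 1) { $d *= 2; if ($d -gt 9) { $d -= 9 } }  # every second digit
        $sum += $d
    }
    return (($sum % 10) -eq 0)
}

function Get-CardVerdict {
    param([string]$Text)
    # RegEx analysis finds candidates; each one is then checksummed and the
    # text is searched for additional evidence before the verdict is given.
    foreach ($m in [regex]::Matches($Text, $candidatePattern)) {
        $checksumOk = Test-LuhnChecksum $m.Value
        $evidence = @([regex]::Matches($Text, $evidencePattern) |
            ForEach-Object { $_.Value.ToLower() } | Sort-Object -Unique)
        [pscustomobject]@{
            Candidate  = $m.Value
            ChecksumOk = $checksumOk
            Evidence   = $evidence -join ', '
            Match      = $checksumOk -and ($evidence.Count -gt 0)
        }
    }
}

# Sample messages adapted from slides 23 and 24.
$travel  = 'ACME Travel, I have received updated credit card information for Joseph F. Foster. Visa: 4485 3647 3952 7352 Expires: 2/2012 Please update his travel profile.'
$booking = 'Hi Alex, I expect to be in Hawaii too. My booking code is 1234 1234 1234 1234 and I will be there on 3/2012. Regards, lisa'

@($travel, $booking) | ForEach-Object { Get-CardVerdict $_ } | Format-Table -AutoSize
```

The booking code has the same shape as a card number and passes the pattern stage, but it fails the checksum and has no supporting keywords, which is why pattern matching alone would produce a false positive.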