Exchange Data Loss Prevention in Exchange 2013 - Exchange Online
 

  • These were not malicious hackers or intentional leaking of information. This was done unintentionally by end users, by either attaching the wrong data to emails or sending information to the wrong recipient.
  • There are 3 categories of sensitive data that are relevant in this session:
    Personal data: your ethnic or racial origin; political opinion; religious or other similar beliefs; memberships; physical or mental health details; personal life; or criminal or civil offences. These examples of information are protected by your civil rights.
    Society sensitive data: social security numbers, credit card data, passport information.
    Company sensitive data: data that is defined as sensitive by the company.
  • 25% of all data loss happens by accident. Source: "Data loss by the numbers", a McAfee white paper: http://www.mcafee.com/us/resources/white-papers/wp-data-loss-by-the-numbers.pdf
  • It helps to identify, monitor and protect sensitive data through deep content analysis.
    Identify: the classification engine that has been built into Exchange identifies sensitive data and attaches to it a set of rules on what has to happen when that data is detected.
    Monitor: through a yearly review and a set of tools, we want to know what kind of sensitive data is flowing through the organization and what the business impact would be if we deployed a certain set of DLP rules, without interrupting any LOB applications or day-to-day business processes.
    Protect: there is an array of different options; it depends on the environment and the context of interaction. If you want to protect communication with an external partner, you use e.g. hosted encryption; if you want to protect certain communication internally, you might want to use IRM. The same is the case with sending sensitive data: sending 5 credit card numbers to another internal department can require a whole other set of rules than sending 100 credit cards to an external recipient. The system can define which kind of protection is needed on what level.
    End user education: change behavior.
  • In this demo I'll cover DLP in action. This will cover the end user side of DLP. Examples: a user adds a single VISA number for an external recipient. This rule blocks but can be overridden. The user can send it to an internal recipient. We'll do the same for multiple VISA numbers stored in a document, for internal & external recipients. Those rules cannot be overridden. This demo will be executed in Outlook 2013 and OWA. In this demo we'll show the difference between Outlook 2013 and OWA. Make sure you show the things that make up the Lessons Learned slide. Use Fiddler to see how it connects to Exchange (Online).
  • Will check the number of attachments…
  • Enforce: Rules within the policy are evaluated for all messages and supported file types. Mail flow can be disrupted if data is detected that meets the conditions of the policy. All actions described within the policy are taken.
    Test DLP policy with Policy Tips: Rules within the policy are evaluated for all messages and supported file types. Mail flow will not be disrupted if data is detected that meets the conditions of the policy. That is, messages are not blocked. If Policy Tips are configured, they are shown to users.
    Test DLP policy without Policy Tips: Rules within the policy are evaluated for all messages and supported file types. Mail flow will not be disrupted if data is detected that meets the conditions of the policy. That is, messages are not blocked. If Policy Tips are configured, they are not shown to users.
  • Text Extraction Agent
      • Does the text extraction of information that will be fed into the classification engine
      • Only extracts content from known file types
    Classification Engine
      • Does deep content analysis and matches it to classifications
      • Content needs to be in text format when it feeds into the classification engine
      • Custom classifications can be developed by third parties or customers
      • Custom classifications can be imported into the classification engine
    Policy Engine
      • Brains of the operation
      • Knows the rules and classifications
      • Moves the data through the different components and the different stages
      • Will eventually take action based on the results of the examination

Presentation Transcript

  • Exchange 2013 – Exchange Online Data Loss Prevention
  • Jethro Seghers
  • www.devconnections.com DATA LOSS PREVENTION IN THE REAL WORLD WHAT IS SENSITIVE DATA
  • HOW DO PEOPLE EXPOSE SENSITIVE DATA
  • DLP IS DESIGNED TO PREVENT ACCIDENTAL DISCLOSURE
    IT WILL NOT
      • Provide a 100% unbreakable solution to data loss
      • Prevent analog data loss
      • Stop the malicious insider
      • Stop the external threats
  • CHALLENGES IN REAL LIFE SCENARIOS: COMPLIANCY MANAGER
      • Are we compliant?
      • Are there problems?
      • Our business needs these compliancy rules!
      • Can I create my own compliancy rules?
  • CHALLENGES IN REAL LIFE SCENARIOS: ADMINISTRATOR
      • How will this affect my end users?
      • How much sensitive data is flowing through the system?
      • How do I report this all to management?
      • How do I educate my end users?
      • Will it scan my attachments?
      • What client updates are necessary?
      • What type of policies should I use?
  • CHALLENGES IN REAL LIFE SCENARIOS: INFORMATION WORKER
      • Why is this new rule applied?
      • I just want to work!
      • I want to be able to override the rule if I need to
  • CHALLENGE: DATA LOSS PREVENTION
      • Keeps sensitive data safe
      • WITHOUT interrupting the daily Line of Business of the user.
  • DEMO: Data Loss Protection in action
  • OUTLOOK POLICY TIPS: LESSONS LEARNED
      • Doesn't interrupt daily business
      • Will work in Offline Mode
      • Contextual User Education
      • Only works with Outlook 2013
      • Requires that the full Office 2013 Professional Plus Edition be installed
      • All the DLP processing happens on the client
      • No support for OWA at RTM, up to RTM CU2
  • OUTLOOK POLICY TIPS: LESSONS LEARNED
      • Outlook will connect to the ExternalUrl defined in the EWS Virtual Directory and download the new/updated Policy Definition Files.
      • Updating Policy Tips happens during opening of Outlook or once every 24 hours.
      • Outlook 2013 updates the following registry key the last time that it downloaded a policy: HKEY_Current_User\Software\Microsoft\Office\15.0\Outlook\PolicyNudges\LastDownloadTimePerAccount
  • OUTLOOK POLICY TIPS: TROUBLESHOOTING
      • Be sure that you have the correct version of the client
      • Check that ExternalUrl is configured
      • Try to delete the registry key (previous slide) that holds the last download date and time.
      • Check for the presence of the XML in the profile (Users\<User>\AppData\Local\Microsoft\Outlook)
  • WHAT DOES DLP PROTECT
      • DLP will scan content in the mail and attachments
    LIMITATIONS
      • DLP cannot scan password secured files.
      • DLP can only work with encrypted messages and attachments if the DLP agent has the ability to decrypt the data. Not the case in Exchange Online.
  • SCANNING ATTACHMENT LIMITATIONS
    The following file extensions are scanned:
    Extensions | Type
    Doc, docx, xls, xlsx, ppt, pptx | Word, Excel, PowerPoint (2003-2013)
    Txt, csv | Text files
    Zip, GZIP (GZ), RAR, TAR (Tape Archive), UU Encode (UUE), Mime, S/Mime, TNEF, MSG, MacBin | Archive files
    RTF | Rich Text Format
    HTML/XML | Internet file
    PDF | Portable Document Format (in text)
  • DEMO: Manage Data Loss Prevention
  • ADMINISTRATION OF DLP
      • Start from built-in Template
      • Import DLP Policy
      • New Custom DLP policy
  • STRUCTURE OF A DLP POLICY
      • XML structure
      • Defines
          • Name
          • Enforcing Options
          • Policy Definition
              • Classification of the content (e.g. contains CC info, …)
              • User Action
              • Mail Flow Options
  • BEHAVIOR ENFORCING OPTIONS
      • TEST WITHOUT NOTIFICATIONS
      • TEST WITH NOTIFICATIONS
      • ENFORCE
  • CLASSIFICATION OF CONTENT
    This content would match for Credit Cards:
      ACME Travel,
      I have received updated credit card information for Joseph
      Joseph F. Foster
      Visa: 4485 3647 3952 7352
      Expires: 2/2012
      Please update his travel profile.
    Stages, in order: Get Content, RegEx Analysis, Function Analysis, Additional Evidence, Verdict
    Result shown on the slide: 4485 3647 3952 7352 -> CHECKSUM: OK
  • CLASSIFICATION OF CONTENT
      Hi Alex, I expect to be in Hawai too. My booking code is 1234 1234 1234 1234 and I'll be there on 3/2012
      Regards, lisa
    Stages, in order: Get Content, RegEx Analysis, Function Analysis, Additional Evidence, Verdict
    Result shown on the slide: 1234 1234 1234 1234 -> CHECKSUM = not OK
  • USER ACTION & FLOW OPTIONS
      • Integrated with the Exchange Transport Rules Engine
      • Allows us to use already built-in predicates and actions
      • New actions
          • Notify sender
          • Block Sender (with/out) override (with/out) business justification
          • Block Sender unless false positive
  • THE DIFFERENT COMPONENTS
    Diagram labels: Transport Rules Agent, Policy Engine, Action taken on the message, Classification Agent, Text Extraction Agent
  • DEMO: AUDIT & INCIDENT REPORTING
  • INCIDENT REPORTS
    Diagram labels: Audit data, Classification, Rule details
  • DATA LOSS PREVENTION RECAP
  • Diagram labels: DLP policy configuration, Outlook policy distribution, Contextual policy education, Audit & incident data generation, Admin, Information Workers, Backend policy evaluation
  • EXAMPLE OF DEPLOYMENT FLOW
    1. Define Sensitive Data
    2. Translate it to DLP
       1. Name
       2. Rules
       3. Classification
       4. Test DLP with/out Policy Tips and make sure DLP rules don't interfere with other transport rules.
    3. Analyze Results
    4. Update DLP
       1. Change rules where needed
       2. Change DLP to enforce if needed.
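
The classification stages on the two CLASSIFICATION OF CONTENT slides (RegEx analysis, function analysis, additional evidence, verdict), as an added Python example that is not from the presentation and is not Exchange's own rule package. The regular expressions, keyword list, evidence window and the choice of the Luhn algorithm for the checksum are assumptions; the two sample messages are the ones on the slides, with line breaks reconstructed.

```python
import re

# Stage 2 (RegEx analysis): 16 digits in groups of four, space/dash optional.
CARD_RE = re.compile(r"\b(?:\d{4}[ -]?){3}\d{4}\b")
# Stage 4 (additional evidence): keyword list and window are assumptions.
KEYWORD_RE = re.compile(r"\b(?:visa|mastercard|credit card|card number)\b", re.I)
EXPIRY_RE = re.compile(r"\b(?:0?[1-9]|1[0-2])/(?:\d{4}|\d{2})\b")
WINDOW = 300  # characters searched on each side of a candidate

def luhn_ok(candidate):
    """Stage 3 (function analysis): Luhn checksum over the digits."""
    digits = [int(c) for c in candidate if c.isdigit()]
    total = 0
    for i, d in enumerate(reversed(digits)):
        if i % 2 == 1:  # double every second digit, counting from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0

def classify(text):
    """Run every regex candidate through the stages; one finding per candidate."""
    findings = []
    for m in CARD_RE.finditer(text):
        nearby = text[max(0, m.start() - WINDOW):m.end() + WINDOW]
        evidence = []
        if KEYWORD_RE.search(nearby):
            evidence.append("keyword")
        if EXPIRY_RE.search(nearby):
            evidence.append("expiry date")
        checksum = luhn_ok(m.group())
        findings.append({
            "candidate": m.group(),
            "checksum_ok": checksum,
            "evidence": evidence,
            # Verdict: a pattern hit needs a valid checksum AND nearby evidence.
            "match": checksum and bool(evidence),
        })
    return findings

# The two messages from the slides (line breaks reconstructed).
TRAVEL_MSG = """ACME Travel,
I have received updated credit card information for Joseph
Joseph F. Foster
Visa: 4485 3647 3952 7352
Expires: 2/2012
Please update his travel profile."""
BOOKING_MSG = """Hi Alex, I expect to be in Hawai too. My booking code is
1234 1234 1234 1234 and I'll be there on 3/2012
Regards, lisa"""

if __name__ == "__main__":
    for msg in (TRAVEL_MSG, BOOKING_MSG):
        print(classify(msg))
```

The booking message still produces a regex candidate and a date that looks like an expiry, so only the checksum stage keeps it from becoming a false positive.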