9. www.devconnections.com
DATA LOSS PREVENTION IN THE REAL WORLD
DLP IS DESIGNED TO PREVENT ACCIDENTAL DISCLOSURE
IT WILL NOT:
Provide a 100% unbreakable solution to data loss
Prevent analog data loss
Stop the malicious insider
Stop external threats
10. CHALLENGES IN REAL LIFE SCENARIOS: COMPLIANCE MANAGER
Are we compliant?
Are there problems?
Our business needs these compliance rules!
Can I create my own compliance rules?
11. CHALLENGES IN REAL LIFE SCENARIOS: ADMINISTRATOR
How will this affect my end users?
How much sensitive data is flowing through the system?
How do I report all this to management?
How do I educate my end users?
Will it scan my attachments?
What client updates are necessary?
What type of policies should I use?
12. CHALLENGES IN REAL LIFE SCENARIOS: INFORMATION WORKER
Why is this new rule applied?
I just want to work!
I want to be able to override the rule if I need to
13. CHALLENGE: DATA LOSS PREVENTION
Keeps sensitive data safe WITHOUT interrupting the daily line of business of the user.
15. OUTLOOK POLICY TIPS: LESSONS LEARNED
Doesn’t interrupt daily business
Will work in Offline Mode
Contextual user education
Only works with Outlook 2013
Requires that the full Office 2013 Professional Plus edition be installed
All the DLP processing happens on the client
No support for OWA at RTM, up to RTM CU2
16. OUTLOOK POLICY TIPS: LESSONS LEARNED
Outlook connects to the ExternalUrl defined on the EWS virtual directory and downloads the new/updated Policy Definition Files.
Policy Tips are updated when Outlook is opened or once every 24 hours.
Outlook 2013 records the time of its last policy download in the following registry key and value:
HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\PolicyNudges, value LastDownloadTimePerAccount
17. OUTLOOK POLICY TIPS: TROUBLESHOOTING
Be sure that you have the correct version of the client
Check that ExternalUrl is configured
Try to delete the registry value (previous slide) that holds the last download date and time.
Check for the presence of the policy XML in the profile folder (\Users\<User>\AppData\Local\Microsoft\Outlook)
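The four checks above, as an added PowerShell example that is not part of the deck. The registry path and profile folder are the ones the previous two slides give; reading the Outlook binary's version through the App Paths registry key, and the use of Get-WebServicesVirtualDirectory in an Exchange Management Shell session for the server-side step, are this example's own assumptions.

```powershell
# Added example (not from the deck): PowerShell checks for the Policy Tips
# troubleshooting steps on slides 16 and 17. Steps 1, 3 and 4 run on the client
# as the affected user; step 2 runs in the Exchange Management Shell.

# 1. Client version: Policy Tips need Outlook 2013 (product version 15.x) from
#    Office 2013 Professional Plus. App Paths lookup is an assumed way to find the binary.
$appPath = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\OUTLOOK.EXE'
if (Test-Path $appPath) {
    $exe = (Get-ItemProperty -Path $appPath).'(default)'
    (Get-Item $exe).VersionInfo | Select-Object ProductName, ProductVersion
}

# 2. Server side: Outlook downloads the policy definition files from the EWS
#    ExternalUrl, so it must be set (and resolvable from the client).
Get-WebServicesVirtualDirectory | Format-Table Server, InternalUrl, ExternalUrl -AutoSize

# 3. Client side: when did this profile last download a policy? Removing the
#    value (with Outlook closed) forces a fresh download at the next start
#    instead of waiting for the 24-hour refresh.
$nudges = 'HKCU:\Software\Microsoft\Office\15.0\Outlook\PolicyNudges'
if (Test-Path $nudges) {
    Get-ItemProperty -Path $nudges | Format-List LastDownloadTimePerAccount
    # Remove-ItemProperty -Path $nudges -Name LastDownloadTimePerAccount   # uncomment to force a re-download
}

# 4. Is the downloaded policy XML present in the Outlook profile folder?
$profileDir = Join-Path $env:LOCALAPPDATA 'Microsoft\Outlook'
Get-ChildItem -Path $profileDir -Filter '*.xml' -ErrorAction SilentlyContinue |
    Select-Object Name, Length, LastWriteTime
```

If step 2 shows an empty ExternalUrl, steps 3 and 4 will never show a download, so work through them in this order.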
18. WHAT DOES DLP PROTECT
DLP will scan content in the mail and attachments
LIMITATIONS
DLP cannot scan password-protected files.
DLP can only work with encrypted messages and attachments if the DLP agent has the ability to decrypt the data. This is not the case in Exchange Online.
19. SCANNING ATTACHMENT LIMITATIONS
The following file extensions are scanned:
Extensions -> Type
doc, docx, xls, xlsx, ppt, pptx -> Word, Excel, PowerPoint (2003-2013)
txt, csv -> Text files
zip, GZIP (gz), RAR, TAR (Tape Archive), UUEncode (uue), MIME, S/MIME, TNEF, MSG, MacBin -> Archive files
rtf -> Rich Text Format
html, xml -> Internet files
pdf -> Portable Document Format (text content only)
22. STRUCTURE OF A DLP POLICY
XML structure
Defines:
Name
Enforcing options
Policy definition
Classification of the content (e.g. contains credit card info, …)
User action
Mail flow options
24. CLASSIFICATION OF CONTENT
Classification runs in five stages: Get Content -> RegEx Analysis -> Function Analysis -> Additional Evidence -> Verdict.
Sample message (this content would match for Credit Cards):
ACME Travel,
I have received updated credit card information for Joseph
Joseph F. Foster
Visa: 4485 3647 3952 7352
Expires: 2/2012
Please update his travel profile.
RegEx Analysis: 4485 3647 3952 7352 matches the card number pattern
Function Analysis: 4485 3647 3952 7352 -> CHECKSUM: OK
Additional Evidence: the surrounding text is checked for corroborating evidence
Verdict: match for Credit Cards
25. CLASSIFICATION OF CONTENT
Same five stages: Get Content -> RegEx Analysis -> Function Analysis -> Additional Evidence -> Verdict.
Sample message:
Hi Alex,
I expect to be in Hawaii too. My booking code is 1234 1234 1234 1234 and I’ll be there on 3/2012
Regards,
lisa
RegEx Analysis: 1234 1234 1234 1234 matches the card number pattern
Function Analysis: 1234 1234 1234 1234 -> CHECKSUM = not OK
Verdict: no match for Credit Cards (the checksum fails, so the number is not treated as a card number)
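The five-stage pipeline from slides 24 and 25, as an added PowerShell example that is not part of the deck and is not Exchange's own classification code. The regex, the keyword list and the proximity window are this example's assumptions; the two messages are the deck's samples, embedded as constructed input.

```powershell
# Added example (not from the deck): a minimal re-creation of the classification
# stages shown on slides 24 and 25 (Get Content -> RegEx Analysis -> Function
# Analysis -> Additional Evidence -> Verdict). The pattern, keyword list and
# proximity window below are assumptions for illustration, not Exchange's rules.

function Test-Luhn {
    # Function Analysis stage: Luhn mod-10 checksum that payment card numbers satisfy.
    param([Parameter(Mandatory)][string]$Digits)
    $sum = 0
    $double = $false
    # Walk the digits from right to left, doubling every second digit.
    for ($i = $Digits.Length - 1; $i -ge 0; $i--) {
        $d = [int][string]$Digits[$i]
        if ($double) { $d *= 2; if ($d -gt 9) { $d -= 9 } }
        $sum += $d
        $double = -not $double
    }
    return (($sum % 10) -eq 0)
}

function Get-CreditCardClassification {
    param([Parameter(Mandatory)][string]$Content)

    # RegEx Analysis stage: 16 digits in four groups, separated by spaces, dashes or nothing (assumed pattern).
    $pattern = '\b(?:\d{4}[ -]?){3}\d{4}\b'
    # Additional Evidence stage: words expected near a real card number (assumed list).
    $keywords = 'credit card', 'visa', 'mastercard', 'expires', 'expiry', 'card number'
    $proximity = 100   # characters on either side of the match to search for evidence (assumed)

    $results = foreach ($m in [regex]::Matches($Content, $pattern)) {
        $digits = $m.Value -replace '[ -]', ''
        $checksumOk = Test-Luhn -Digits $digits

        $start = [Math]::Max(0, $m.Index - $proximity)
        $end = [Math]::Min($Content.Length, $m.Index + $m.Length + $proximity)
        $window = $Content.Substring($start, $end - $start).ToLowerInvariant()
        $evidence = @($keywords | Where-Object { $window.Contains($_) })

        # Verdict stage: the number must pass the checksum and have corroborating evidence.
        $verdict = if ($checksumOk -and $evidence.Count -gt 0) { 'Credit Card' } else { 'No match' }

        [pscustomobject]@{
            Match      = $m.Value
            ChecksumOk = $checksumOk
            Evidence   = $evidence
            Verdict    = $verdict
        }
    }
    return $results
}

# Constructed inputs: the two sample messages from slides 24 and 25.
$joseph = @'
ACME Travel,
I have received updated credit card information for Joseph
Joseph F. Foster
Visa: 4485 3647 3952 7352
Expires: 2/2012
Please update his travel profile.
'@

$lisa = @'
Hi Alex,
I expect to be in Hawaii too. My booking code is 1234 1234 1234 1234 and I'll be there on 3/2012
Regards,
lisa
'@

Get-CreditCardClassification -Content $joseph | Format-List
Get-CreditCardClassification -Content $lisa   | Format-List
```

Both messages pass the RegEx stage; only Joseph's passes the Function Analysis stage, which is what separates a real card number from Lisa's booking code. The built-in Credit Card Number classification in Exchange works the same way in principle: a pattern match, a Luhn check, and corroborating keywords or an expiration date close to the number.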
26. USER ACTION & FLOW OPTIONS
Integrated with the Exchange Transport Rules Engine
Allows us to use the already built-in predicates and actions
New actions:
Notify sender
Block sender, with or without override, with or without business justification
Block sender unless false positive
27. THE DIFFERENT COMPONENTS
(component diagram)
Transport Rules Agent
Policy Engine
Text Extraction Agent
Classification Agent
Action taken on the message
31. (architecture diagram, labels only)
Admin: DLP policy configuration
Outlook policy distribution
Information Workers: contextual policy education
Backend policy evaluation
Audit & incident data generation
32. EXAMPLE OF DEPLOYMENT FLOW
1. Define sensitive data
2. Translate it to DLP
   1. Name
   2. Rules
   3. Classification
   4. Test DLP with/without Policy Tips and make sure the DLP rules don’t interfere with other transport rules.
3. Analyze results
4. Update DLP
   1. Change rules where needed
   2. Change DLP to enforce if needed.
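The deployment flow on slide 32, using the sender actions from slide 26, as an added Exchange Management Shell example that is not part of the deck. The rule set mirrors the demo the speaker notes describe (one card number to an external recipient blocks but can be overridden; one number internally is allowed; several numbers block with no override). Policy and rule names, the report mailbox and the domain are constructed placeholders; the message tracking log filter in step 3 is an assumption about how the agent's EventData looks.

```powershell
# Added example (not from the deck): walking the four deployment steps with the
# Exchange 2013 DLP cmdlets. Names, the report mailbox and the domain are placeholders.

# 1. Define sensitive data: here the built-in "Credit Card Number" classification.
Get-DataClassification -Identity 'Credit Card Number' | Format-List Name, Publisher, Description

# 2. Translate it to DLP: name, rules, classification. Everything starts in Audit
#    mode (test without Policy Tips): rules are evaluated and reported, nothing is blocked.
New-DlpPolicy -Name 'Contoso Credit Cards' -Mode Audit

# One number to an external recipient: block, but allow an override with a business justification.
New-TransportRule -Name 'CC external - override allowed' -DlpPolicy 'Contoso Credit Cards' -Mode Audit `
    -SentToScope NotInOrganization `
    -MessageContainsDataClassifications @{ Name = 'Credit Card Number'; minCount = '1'; maxCount = '1' } `
    -NotifySender RejectUnlessExplicitOverride `
    -RejectMessageReasonText 'Credit card numbers may not leave the organization unprotected.' `
    -GenerateIncidentReport 'dlp-reports@contoso.com' `
    -IncidentReportContent Sender, Recipients, Subject, RuleDetections, DataClassifications, Override

# One number to an internal recipient: allowed, the sender only gets a Policy Tip.
New-TransportRule -Name 'CC internal - notify' -DlpPolicy 'Contoso Credit Cards' -Mode Audit `
    -SentToScope InOrganization `
    -MessageContainsDataClassifications @{ Name = 'Credit Card Number'; minCount = '1'; maxCount = '1' } `
    -NotifySender NotifyOnly

# Several numbers (e.g. in an attached spreadsheet), any recipient: block, no override.
New-TransportRule -Name 'CC bulk - block' -DlpPolicy 'Contoso Credit Cards' -Mode Audit `
    -MessageContainsDataClassifications @{ Name = 'Credit Card Number'; minCount = '2' } `
    -NotifySender RejectMessage `
    -RejectMessageReasonText 'Messages containing multiple credit card numbers are blocked.' `
    -GenerateIncidentReport 'dlp-reports@contoso.com' `
    -IncidentReportContent Sender, Recipients, Subject, RuleDetections, DataClassifications

# DLP rules are ordinary transport rules: check their priority against the existing rules.
Get-TransportRule | Format-Table Priority, Name, DlpPolicy, Mode, State -AutoSize

# 3. Analyze results: the incident reports in dlp-reports@contoso.com are the primary
#    record; the tracking log shows which messages the Transport Rule Agent acted on
#    (the 'DLP' match on EventData is an assumption about the log's content).
Get-MessageTrackingLog -EventId AGENTINFO -Start (Get-Date).AddDays(-7) |
    Where-Object { ($_.EventData | Out-String) -match 'DLP' } |
    Select-Object Timestamp, Sender, Recipients, MessageSubject

# 4. Update DLP: change rules where needed, then test with Policy Tips, then enforce.
#    Set-DlpPolicy -Mode changes the mode of every rule that belongs to the policy.
Set-TransportRule -Identity 'CC bulk - block' -MessageContainsDataClassifications @{ Name = 'Credit Card Number'; minCount = '5' }
Set-DlpPolicy -Identity 'Contoso Credit Cards' -Mode AuditAndNotify
Set-DlpPolicy -Identity 'Contoso Credit Cards' -Mode Enforce
Get-TransportRule -DlpPolicy 'Contoso Credit Cards' | Format-Table Priority, Name, Mode, State -AutoSize
```

The three slide 26 actions map onto the NotifySender values: NotifyOnly for "notify sender"; RejectMessage, RejectUnlessSilentOverride and RejectUnlessExplicitOverride for "block sender" without override, with override, and with override plus business justification; RejectUnlessFalsePositiveOverride for "block sender unless false positive". The three policy modes (Audit, AuditAndNotify, Enforce) correspond to the test-without-Policy-Tips, test-with-Policy-Tips and enforce stages described in the notes.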
Editor's notes
These were not malicious hackers or intentional leaking of information. This was done unintentionally by end users, by either attaching the wrong data to emails or sending information to the wrong recipient.
There are 3 categories of sensitive data that are relevant in this session:
Personal data: your ethnic or racial origin; political opinion; religious or other similar beliefs; memberships; physical or mental health details; personal life; or criminal or civil offences. These kinds of information are protected by your civil rights.
Society-sensitive data: social security numbers, credit card data, passport information.
Company-sensitive data: data that is defined as sensitive by the company.
25% of all lost data happens by accident. Source: “Data loss by the numbers”, a McAfee white paper: http://www.mcafee.com/us/resources/white-papers/wp-data-loss-by-the-numbers.pdf
It helps to identify, monitor and protect sensitive data through deep content analysis.
Identify: through the classification engine that has been built into Exchange to identify sensitive data and attach to it a set of rules on what has to happen when that data is detected.
Monitor: through yearly reviews and a set of tools we want to know what kind of sensitive data is flowing through the organization, and what the business impact would be if we deployed a certain set of DLP rules, without interrupting any LOB applications or day-to-day business processes.
Protect: an array of different options; it depends on the environment and the context of the interaction. If you want to protect communication with an external partner, you use e.g. hosted encryption; if you want to protect certain communication internally, you might want to use IRM. The same applies to sending sensitive data: sending 5 credit card numbers to another internal department can require a whole other set of rules than sending 100 credit cards to an external recipient. The system can define which kind of protection is needed at what level.
End user education: change behavior.
In this demo I’ll cover DLP in action. This will cover the end user side of DLP. Examples: a user adds a single VISA number to a message to an external recipient. This rule blocks, but can be overridden. The user can send it to an internal recipient. We’ll do the same for multiple VISA numbers stored in a document, for internal and external recipients. Those rules cannot be overridden. This demo will be executed in Outlook 2013 and OWA, and we’ll show the difference between Outlook 2013 and OWA. Make sure you show the things that make up the Lessons Learned slide. Use Fiddler to see how it connects to Exchange (Online).
Will check the number of attachments…
Enforce: rules within the policy are evaluated for all messages and supported file types. Mail flow can be disrupted if data is detected that meets the conditions of the policy. All actions described within the policy are taken.
Test DLP policy with Policy Tips: rules within the policy are evaluated for all messages and supported file types. Mail flow will not be disrupted if data is detected that meets the conditions of the policy; that is, messages are not blocked. If Policy Tips are configured, they are shown to users.
Test DLP policy without Policy Tips: rules within the policy are evaluated for all messages and supported file types. Mail flow will not be disrupted if data is detected that meets the conditions of the policy; that is, messages are not blocked. If Policy Tips are configured, they are not shown to users.
Text Extraction Agent: does the text extraction of information that will be fed into the classification engine. Only extracts content from known file types.
Classification Engine: does deep content analysis and matches it to classifications. Content needs to be in text format when it feeds into the classification engine. Custom classifications can be developed by third parties or customers and imported into the classification engine.
Policy Engine: the brains of the operation. Knows the rules and classifications, moves the data through the different components and the different stages, and will eventually take action based on the results of the examination.