Exchange 2013 – Data Loss Prevention

B. Roop Sankar, Premier Field Engineer (PFE)

DLP helps to identify, monitor, and protect sensitive data through deep content analysis


“Large Retailer Leaks Payment Information via Email…”

“Accidental email with attachment exposed hundreds of individuals’ names and Social Security Numbers…”


DLP helps to identify, monitor, and protect sensitive data through deep content analysis

Data Loss Prevention in Exchange

Easy to use

Monitor

Protect

Identify


Challenges

Potential loss of sensitive data

Keeping email safe without impacting users

What Problem is DLP Trying to Solve

Administrators

Information Workers

Don't get in the way of work

Compliance Officer

How much sensitive content is flowing? What policies should I use? What's the effect?

Are we compliant?

Is there a problem?


What is Data Loss Prevention?

DLP is designed to prevent accidental disclosure of sensitive data.

What it will not do:

• Provide 100% unbreakable solution to data loss

• It will not prevent analog data loss


• DLP can be customized to filter on any content

• New classification(s) can be created by customer or third party

What kinds of data can DLP protect?


What kinds of files can DLP scan?

Extension            File Type
Doc, Docx            Word 2003 to Word 2013
XLS, XLSX, XLSB      Excel 2003 to Excel 2013
PPT                  PowerPoint 2003 to 2013
TXT, CSV             Text Files
RTF                  Rich Text Format
HTML/XML
PDF                  Portable Document Format

Archive Files:

• Zip
• GZIP (GZ)
• RAR
• TAR (Tape Archive)
• UU Encode (UUE)
• Mime
• S/Mime
• TNEF
• MSG
• MacBin

Password protected files cannot be scanned by DLP


What are some of the requirements that organizations need to meet?

• Sarbanes-Oxley Act of 2002 (SOX)
• Security Exchange Commission Rule 17a-4 (SEC Rule 17 A-4)
• National Association of Securities Dealers 3010 & 3110 (NASD 3010 & 3110)
• Gramm-Leach-Bliley Act (Financial Modernization Act)
• Financial Institution Privacy Protection Act of 2001
• Financial Institution Privacy Protection Act of 2003
• Health Insurance Portability and Accountability Act of 1996 (HIPAA)
• Uniting and Strengthening America by Providing Appropriate Tools Required to Intercept and Obstruct Terrorism Act of 2001 (Patriot Act)
• European Union Data Protection Directive (EUDPD)
• Japan’s Personal Information Protection Act


DLP Policy Templates

Built-in templates based on common regulations

Import DLP policy templates from security partners

Build your own


DLP Policy Templates (Cont’d)

DLP policy templates (XML)

Policies

Conditions

• Content to monitor

• User action
• Mail flow actions

Classification rules

contains

Name

• Credit cards
• EU debit cards

Defines the policy objectives to help meet regulatory requirements for identified content

Contains data type definitions to help identify sensitive content


Data Loss Prevention Architecture

Architecture areas

• Exchange Transport Architecture

• Outlook Architecture


DLP Architecture - Exchange Transport Architecture

• Text Extraction Agent

• Classification Engine

• Policy Engine


DLP Architecture - Exchange Transport Architecture: Text Extraction Agent

• Extracts the text that will be fed into the classification engine

• Only extracts content from known file types


DLP Architecture - Exchange Transport Architecture: Classification Engine

• Does deep content analysis and matches it to classifications

• Content needs to be in text format when it is fed into the classification engine

• Custom classifications can be developed by third parties or customers

• Custom classifications can be imported into classification engine.


DLP Architecture - Exchange Transport Architecture: Policy Engine

• Brains of the operation

• Knows the Rules and classifications

• Moves the data through the different components and the different stages

• Will eventually be in charge of taking action based on classifications that are returned based on policy.


DLP Content Detection Architecture

Integrated into ETR engine:

• Runs in categorizer during OnResolvedMessage

• Integrated as a new ETR Predicate

• Performs text extraction for body & attachments followed by classification

• Can be combined with any existing Predicates & Actions

[Diagram: SMTP Receive, Categorizer, Queue Management, Message Delivery, Store Driver, Transport Rule Agent, Text Extraction, Classification]


How do the components work together?

DLP Architecture – Exchange Transport Architecture

[Diagram: Transport Rules Agent, Policy Engine, Action Taken on the message, Classification Agent, Text Extraction Agent]


How content analysis works in Exchange 2013

Example

This content would match for Credit Cards:

ACME Travel,
I have received updated credit card information for Joseph
Joseph F. Foster
Visa: 4485 3647 3952 7352
Expires: 2/2012
Please update his travel profile.

This content will NOT match for Credit Cards:

Hi Alex,
I expect to be in Hawai too. My booking code is 1234 1234 1234 1234 and I’ll be there on 3/2012
Regards,
lisa

Step 1: Get Content

Joseph F. Foster
Visa: 4485 3647 3952 7352
Expires: 2/2012

Step 2: RegEx Analysis

4485 3647 3952 7352: a 16 digit number is detected

Step 3: Function Analysis

1. 4485 3647 3952 7352 matches checksum
2. 1234 1234 1234 1234 does NOT match

Step 4: Additional Evidence

1. Keyword Visa is near the number
2. A regular expression for date (2/2012) is near the number

Step 5: Verdict

1. There is a regular expression that matches a check sum
2. Additional evidence increases confidence
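The analysis steps on this slide (regular expression, checksum function, additional evidence, verdict) can be reproduced in a short Python sketch. This is an added example, not Exchange's classification engine or code from the presentation; the keyword list, the 300-character proximity window and the confidence values 65/85/75 are assumptions chosen for illustration.

```python
import re

# Constructed sample messages, based on the two examples on the slide.
MATCHING = ("ACME Travel,\nI have received updated credit card information "
            "for Joseph\nJoseph F. Foster\nVisa: 4485 3647 3952 7352\n"
            "Expires: 2/2012\nPlease update his travel profile.")
NON_MATCHING = ("Hi Alex,\nMy booking code is 1234 1234 1234 1234 "
                "and I'll be there on 3/2012\nRegards, lisa")

# RegEx analysis: 16 digits, optionally grouped by spaces or dashes.
CANDIDATE = re.compile(r"\b(?:\d[ -]?){15}\d\b")
# Additional evidence patterns (the keyword list is an assumption).
KEYWORDS = re.compile(r"\b(visa|mastercard|credit card|card number)\b", re.I)
EXPIRY = re.compile(r"\b(0?[1-9]|1[0-2])/(\d{4}|\d{2})\b")
WINDOW = 300                                  # assumed proximity, in characters
BASE, WITH_EVIDENCE, THRESHOLD = 65, 85, 75   # assumed confidence values

def luhn_ok(digits: str) -> bool:
    """Function analysis: Luhn checksum used by payment card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:                 # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0

def classify(text: str) -> list:
    """Return one finding per checksum-valid candidate, with a verdict."""
    findings = []
    for m in CANDIDATE.finditer(text):
        digits = re.sub(r"\D", "", m.group())
        if not luhn_ok(digits):
            continue                   # a 16-digit run alone is not a card
        nearby = text[max(0, m.start() - WINDOW):m.end() + WINDOW]
        evidence = [name for name, rx in
                    (("keyword", KEYWORDS), ("expiry date", EXPIRY))
                    if rx.search(nearby)]
        confidence = WITH_EVIDENCE if evidence else BASE
        findings.append({"masked": "*" * 12 + digits[-4:],  # never log the PAN
                         "evidence": evidence,
                         "confidence": confidence,
                         "match": confidence >= THRESHOLD})
    return findings

if __name__ == "__main__":
    for label, msg in (("match", MATCHING), ("no match", NON_MATCHING)):
        print(label, classify(msg))
```

The booking-code message has a date near the number, yet it produces no finding because the checksum fails before any supporting evidence is considered.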


DEMO…


Data Loss Prevention Architecture

Architecture areas

• Exchange Transport Architecture

• Outlook Architecture


DLP Architecture - Outlook Architecture

What are the main components in the Outlook DLP Architecture?

• Text Extraction Engine
• Policy Evaluation
• Classification engine


Empower users to manage their own compliance


Provide User Education

Doesn’t disrupt user workflow

Can work even when disconnected

Contextual policy education

Admin customizable text and actions


DLP Architecture - Outlook Architecture

• DLP Policy Tips in Outlook only work in Outlook 2013.

• Requires that the full Office 2013 Professional Plus Edition be installed.

• All the DLP processing happens on the client.

• No support for OWA at RTM


DLP Architecture - Outlook Architecture

Outlook 2013 policy rules and classifications are downloaded in the following situations:

• When Outlook is opened, it checks for updates using the date and time, or it downloads new policies if none have been downloaded or the XML file does not exist.

• If Outlook 2013 has been open for 24 hours, it will check for updates to the policies.

Outlook 2013 records the last time that it downloaded a policy in the following registry key:

HKEY_Current_User\Software\Microsoft\Office\15.0\Outlook\PolicyNudges\LastDownloadTimePerAccount


DEMO…


DLP System

DLP policy configuration

Outlook policy distribution

Contextual policy education

Backend policy evaluation

Audit & incident data generation

Admin

Information Workers


Exchange DLP Reporting and Auditing

Comprehensive view of DLP policy performance

Downloadable Excel workbook

Drill into specific departures from policy to gain business insights


Education experience in Outlook

Available in Exchange Server and Office 365

Out-of-the-box DLP policy templates

Predefined sensitive content types

Support for third party–defined DLP policy templates

DLP administration in Exchange Admin Center

Rich reporting

Exchange DLP Features


Questions…?


© 2012 Microsoft Corporation. All rights reserved. Microsoft, Windows, and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries. The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.