Exchange Online Protection In-Depth

#ITDEVCON

Mike Crowley, Baseline Technologies

EXCHANGE ONLINE PROTECTION IN-DEPTH

Session Agenda

• Introduction to EOP

• Administration

• DMARC, SPF & DKIM

• Advanced Threat Protection

• EOP Deployment Tips

Introduction to EOP

• 3 use cases:

– Standalone

– With Exchange Online

– With Exchange Hybrid

• Purchase options

– Standalone

– Included with Exchange Online (free for EDUs)

– Exchange Enterprise CAL with Services

Introduction to EOP

• Office 365 service comparison tool: technet.microsoft.com/dn788955

Introduction to EOP

• EOP Features

• EOP Features cont'd

Introduction to EOP

• Is it any good?

– Gartner: Magic Quadrant for Secure Email Gateways

Introduction to EOP

• SMTP Pipeline

– Filters optimized for performance

– This flowchart may help answer the question: “Why is this button so far from that one?”

(Flowchart labels: Analysts, Engineering, and Support; Automation and Response Tools; Edge Protection; Reputation and spam detection engine; Detection; Senders; Recipients; Internal Data; Data Sources; Subscriptions; JMRT; Recipient Feedback Loop; DKIM / DMARC / SPF; Throttling; Response; IP/Domain Block Lists; Tenant-Specific Configuration; Transport Rules and Admin configuration; Quarantine; Tenant and Mailbox specific behavior; Sender Support; Anti Malware; Boomerang. Legend: Data / Mail / Process.)

Administration

• EAC (/ecp)

– Good for:

• Initial setup

• Infrequent configurations

• n00bs

• EOP cmdlets

– Good for:

• Recipient management

• Complex message tracking / reporting

• Consistent transport rule creation

• Advanced configurations not exposed in the GUI (e.g. Azure RMS)

– Cmdlet reference: technet.microsoft.com/dn621038

• On-Premises Active Directory

– Recipient management, if using Directory Synchronization

Administration

• EAC Demo:

– Accepted Domains

– Connectors

– Rules

– Message Trace

– Filters

• Malware

• Connection

• Spam

– Quarantine

Administration

• PowerShell:

– Like any tool, it is only useful once you learn how it works.

– Web portals change frequently; PowerShell cmdlets are more stable.

– Naturally encourages consistent configurations

– PowerShell automates virtually every Microsoft product

– Useful for documentation

Administration

• Data Loss/Leak Prevention

– ExO P2 or Ent. CAL required

– Not limited to Exchange (SPO, OneDrive, Office Apps)

– DLP policies contain 1 or more rules

• Rule = Condition + Action

• ~40 built-in templates exist (e.g. PCI DSS)

• Templates importable from 3rd parties

• Build your own

Administration

• Data Loss/Leak Prevention cont'd

– Document Fingerprinting

• Looks for attachments that resemble your org’s forms:

– Government forms

– Health Insurance Portability and Accountability Act (HIPAA) compliance forms

– Employee information forms for Human Resources departments

– Custom forms created specifically for your organization

• Used in policy rule conditions

– Policy Tips

– Auditing

• Reports

• Real-time notifications (via email & CRM)

• DLP Search in SPO
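The two DLP slides above describe a policy as rules of the form Condition + Action, with built-in sensitive-information templates (PCI DSS) and document fingerprints as conditions. The following is an added example, not the deck's or Microsoft's code: a miniature rule engine whose first condition is a Luhn-validated card number (the PCI DSS idea) and whose second is a document fingerprint of a constructed HR form. The fingerprint method (hashed word shingles compared with Jaccard similarity) is an assumption chosen for the example; the deck does not describe how Exchange computes its fingerprints.

```python
"""A miniature DLP policy engine (added example, not the deck's or Microsoft's
code): rules are condition + action, one condition is a PCI DSS style credit
card check, another is a document fingerprint of an internal HR form.
"""
import hashlib
import re
from dataclasses import dataclass, field
from typing import Callable, List, Set, Tuple


@dataclass
class Message:
    subject: str
    body: str
    attachments: List[str] = field(default_factory=list)   # attachment text after extraction


@dataclass
class Rule:
    name: str
    condition: Callable[[Message], bool]
    action: str                                              # e.g. "Block", "NotifyAndAudit"


# --- Condition 1: a card number that passes the Luhn check (PCI DSS template idea) ---
PAN_RE = re.compile(r"\b(?:\d[ -]?){13,16}\b")


def luhn_ok(digits: str) -> bool:
    """Luhn checksum; weeds out order numbers and phone numbers that merely look like PANs."""
    total, parity = 0, len(digits) % 2
    for i, ch in enumerate(digits):
        d = int(ch)
        if i % 2 == parity:                # every second digit, counted from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def contains_pan(text: str) -> bool:
    for m in PAN_RE.finditer(text):
        digits = re.sub(r"\D", "", m.group())
        if 13 <= len(digits) <= 16 and luhn_ok(digits):
            return True
    return False


# --- Condition 2: document fingerprint (assumption: hashed word shingles + Jaccard;
#     the deck does not describe Microsoft's actual fingerprint algorithm) ---
def fingerprint(text: str, k: int = 4) -> Set[str]:
    words = re.findall(r"\w+", text.lower())
    return {hashlib.sha256(" ".join(words[i:i + k]).encode()).hexdigest()[:16]
            for i in range(len(words) - k + 1)}


def similarity(a: Set[str], b: Set[str]) -> float:
    return len(a & b) / len(a | b) if (a | b) else 0.0


HR_FORM_TEMPLATE = ("Employee Information Form: Name, Address, Date of Birth, Social Security "
                    "Number, Emergency Contact, Department, Manager, Start Date")   # constructed
HR_FORM_FP = fingerprint(HR_FORM_TEMPLATE)


def resembles_hr_form(msg: Message, threshold: float = 0.5) -> bool:
    return any(similarity(fingerprint(a), HR_FORM_FP) >= threshold for a in msg.attachments)


POLICY: List[Rule] = [
    Rule("PCI DSS: credit card number in message or attachment",
         lambda m: contains_pan(" ".join([m.subject, m.body, *m.attachments])), "Block"),
    Rule("Fingerprint: HR employee information form", resembles_hr_form, "NotifyAndAudit"),
]


def evaluate(policy: List[Rule], msg: Message) -> List[Tuple[str, str]]:
    """Return (rule name, action) for every rule whose condition matches."""
    return [(r.name, r.action) for r in policy if r.condition(msg)]


# Constructed sample messages.
CARD_MSG = Message("Invoice", "Please charge 4111 1111 1111 1111 for the order.")
LOOKALIKE_MSG = Message("Invoice", "Order reference 4111 1111 1111 1112, thanks.")
FILLED_FORM = Message("New hire", "Attached.",
                      [HR_FORM_TEMPLATE + " Jane Doe 12 Main Street Finance Pat Lee"])
CLEAN_MSG = Message("Lunch", "Pizza at noon?", ["Quarterly sales look strong across all regions."])

if __name__ == "__main__":
    for msg in (CARD_MSG, LOOKALIKE_MSG, FILLED_FORM, CLEAN_MSG):
        print(msg.subject, "->", evaluate(POLICY, msg))
```

The Luhn check is what keeps the PCI rule from firing on every 16-digit order number, and the shingle fingerprint matches a filled-in copy of the form (labels intact, values appended) while ignoring unrelated text; the 0.5 threshold is a tuning knob, not a value from the deck.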

Administration

• On-Demand Ignite Webcast: End-to-End Data Loss Prevention (channel9.msdn.com/Events/Ignite/2015/BRK3181)

(Diagram: DLP content detection flow in Exchange; integrated into the Exchange Transport Rule (ETR) engine; stages shown: Text extraction, Classification, Transport rule agent)

DMARC, SPF & DKIM

• Sender Policy Framework (SPF)

– Tell the internet who is authorized to send mail on behalf of <your domain here>

• Validates 5322.From

– Limits spoofing and phishing

– Protect others:

• DNS TXT records - easy to create with the help of numerous online wizards

– Protect yourself:

• Enable SPF filtering

– EAC\Protection\Spam Filter\<policy>\Advanced Options\SPF record Hard Fail

– PowerShell> Set-HostedContentFilterPolicy default -MarkAsSpamSpfRecordHardFail On
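The slide above covers publishing an SPF TXT record and turning on hard-fail filtering. As an added example (not code from the deck), the lint below parses a record the way a receiver does and reports what matters for both sides: the DNS-lookup count (RFC 7208 allows 10 per evaluation; more yields permerror), the qualifier on the final "all", and whether a domain can produce a hard fail at all, which is what the MarkAsSpamSpfRecordHardFail setting acts on. The sample records are constructed; the include name in the first one is the one Microsoft documents for EOP, treated here as an assumption.

```python
"""SPF record lint (added example, not from the deck).

Parses a published ``v=spf1`` TXT record the way a receiver does and reports
the things to check before relying on SPF filtering.
"""
import re
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

# Terms that cost the receiver a DNS lookup; RFC 7208 caps them at 10 per
# evaluation, and exceeding the cap yields "permerror", not "pass".
LOOKUP_TERMS = {"include", "a", "mx", "ptr", "exists", "redirect"}
MAX_LOOKUPS = 10

QUALIFIER_MEANING = {"+": "pass", "-": "fail (hard fail)",
                     "~": "softfail", "?": "neutral"}

# optional qualifier, mechanism/modifier name, optional ":" "=" or "/" argument
TERM_RE = re.compile(r"([+\-~?]?)([A-Za-z0-9]+)(?:[:=/](.*))?")


@dataclass
class SpfReport:
    valid: bool
    lookups: int = 0
    all_qualifier: Optional[str] = None          # qualifier on the final "all"
    terms: List[Tuple[str, str, Optional[str]]] = field(default_factory=list)
    problems: List[str] = field(default_factory=list)


def parse_spf(record: str) -> SpfReport:
    """Parse one SPF TXT record given as a single joined string."""
    parts = record.strip().split()
    if not parts or parts[0].lower() != "v=spf1":
        return SpfReport(valid=False, problems=["record does not start with v=spf1"])
    rep = SpfReport(valid=True)
    for term in parts[1:]:
        m = TERM_RE.fullmatch(term)
        if not m:
            rep.problems.append(f"unparseable term: {term}")
            continue
        qual = m.group(1) or "+"                 # no qualifier means "+"
        name, arg = m.group(2).lower(), m.group(3)
        rep.terms.append((qual, name, arg))
        if name in LOOKUP_TERMS:
            rep.lookups += 1
        if name == "all":
            rep.all_qualifier = qual
    if rep.lookups > MAX_LOOKUPS:
        rep.problems.append(
            f"{rep.lookups} DNS lookups exceed the limit of {MAX_LOOKUPS}; receivers return permerror")
    has_redirect = any(name == "redirect" for _, name, _ in rep.terms)
    if rep.all_qualifier is None and not has_redirect:
        rep.problems.append("no 'all' mechanism: unlisted senders get a neutral result")
    elif rep.all_qualifier == "+":
        rep.problems.append("'+all' authorises every host on the internet")
    return rep


def hard_fail_declared(record: str) -> bool:
    """True when the domain owner ends the record with '-all'. Only such
    domains can produce the hard-fail result that EOP's
    MarkAsSpamSpfRecordHardFail option acts on; '~all' senders never will."""
    return parse_spf(record).all_qualifier == "-"


# Constructed sample records (not real zone data).
EOP_ONLY = "v=spf1 include:spf.protection.outlook.com -all"   # assumption: EOP's include
SPRAWLING = "v=spf1 " + " ".join(f"include:spf{i}.example.net" for i in range(11)) + " ~all"
WIDE_OPEN = "v=spf1 ip4:192.0.2.0/24 +all"
NO_ALL = "v=spf1 mx a:mail.example.com"

if __name__ == "__main__":
    for rec in (EOP_ONLY, SPRAWLING, WIDE_OPEN, NO_ALL):
        r = parse_spf(rec)
        print(rec[:50], "| lookups:", r.lookups, "| all:",
              QUALIFIER_MEANING.get(r.all_qualifier, "none"), "|", r.problems)
```

The SPRAWLING record is the "many systems or services" situation from the gotchas slide seen from the DNS side: once the include chain passes ten lookups, receivers stop evaluating and the domain's own mail is no longer protected.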

DMARC, SPF & DKIM

• DomainKeys Identified Mail (DKIM)

– EOP scans inbound DKIM

• Authentication-Results

• DKIM-Signature

• X-DkimResult-Test

– Outbound is still being rolled out

• http://success.office.com/en-us/roadmap

DMARC, SPF & DKIM

• DMARC

– Validates 5322.From

• DMARC, SPF, DKIM gotchas:

– False negatives are common in complex organizations which send mail from many systems or services

– Legitimate distribution lists can mess with SMTP headers

– Some DNS servers don’t support TXT records

– Not all recipient systems are going to bother reading your records
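The DKIM slide lists Authentication-Results as the header EOP stamps with its findings, and the DMARC slide says DMARC validates the 5322.From. As an added example (not code from the deck), the script below parses that header and recomputes the DMARC alignment step from the SPF and DKIM findings: the message passes when at least one of them passed and its domain (the envelope MAIL FROM domain for SPF, the d= domain for DKIM) aligns with the From-header domain. The sample headers are constructed in EOP's style, and the distribution-list pair shows the gotcha above. The organizational-domain helper is a labelled simplification.

```python
"""Authentication-Results parsing and DMARC alignment (added example, not
from the deck). EOP records its SPF/DKIM/DMARC findings in the
Authentication-Results header; this recomputes the DMARC alignment step from
those findings so the "gotchas" above can be seen on sample headers.
"""
import re
from typing import Dict, Optional

ResultMap = Dict[str, Dict[str, str]]


def parse_authentication_results(header: str) -> ResultMap:
    """Parse an Authentication-Results value into {method: {"result": ..., "ptype.prop": value}}."""
    value = header
    if value.lower().startswith("authentication-results:"):
        value = value.split(":", 1)[1]
    value = re.sub(r"\([^)]*\)", " ", value)        # drop comments such as "(sender IP is ...)"
    results: ResultMap = {}
    for clause in value.split(";"):
        tokens = clause.split()
        if not tokens or "=" not in tokens[0]:
            continue                                 # authserv-id or empty clause
        method, result = tokens[0].split("=", 1)
        entry = {"result": result.lower()}
        for tok in tokens[1:]:
            if "=" in tok:
                key, val = tok.split("=", 1)
                entry[key.lower()] = val.lower()
        results[method.lower()] = entry
    return results


def organizational_domain(domain: str) -> str:
    # Simplification (assumption): keep the last two labels. Real evaluators
    # consult the Public Suffix List so that e.g. example.co.uk is handled.
    labels = domain.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def aligned(auth_domain: Optional[str], from_domain: str, mode: str = "relaxed") -> bool:
    """DMARC identifier alignment: strict needs an exact match, relaxed needs
    the same organizational domain."""
    if not auth_domain:
        return False
    if "@" in auth_domain:                           # smtp.mailfrom may be a full address
        auth_domain = auth_domain.rsplit("@", 1)[1]
    if mode == "strict":
        return auth_domain.lower() == from_domain.lower()
    return organizational_domain(auth_domain) == organizational_domain(from_domain)


def dmarc_verdict(header: str, mode: str = "relaxed") -> dict:
    """Recompute DMARC from the SPF and DKIM findings: the message passes when
    at least one of them passed AND its domain aligns with the 5322.From."""
    r = parse_authentication_results(header)
    from_domain = r.get("dmarc", {}).get("header.from")
    if not from_domain:
        return {"pass": False, "reason": "no header.from recorded"}
    spf, dkim = r.get("spf", {}), r.get("dkim", {})
    spf_aligned = spf.get("result") == "pass" and aligned(spf.get("smtp.mailfrom"), from_domain, mode)
    dkim_aligned = dkim.get("result") == "pass" and aligned(dkim.get("header.d"), from_domain, mode)
    return {"pass": spf_aligned or dkim_aligned, "spf_aligned": spf_aligned,
            "dkim_aligned": dkim_aligned, "from_domain": from_domain}


# Constructed sample headers in EOP's style (domains are documentation names).
DIRECT = ("Authentication-Results: spf=pass (sender IP is 203.0.113.5) smtp.mailfrom=example.com; "
          "dkim=pass (signature was verified) header.d=example.com; "
          "dmarc=pass action=none header.from=example.com")
# Relayed by a distribution list: SPF now vouches for the list's domain, but the
# original DKIM signature survived, so DMARC still passes via DKIM.
LIST_INTACT = ("Authentication-Results: spf=pass smtp.mailfrom=bounce.list.example.org; "
               "dkim=pass header.d=example.com; dmarc=pass action=none header.from=example.com")
# Same relay, but the list added a footer and broke the signature: a legitimate
# message that now fails DMARC, the kind of failure the slide warns about.
LIST_MODIFIED = ("Authentication-Results: spf=pass smtp.mailfrom=bounce.list.example.org; "
                 "dkim=fail (body hash did not verify) header.d=example.com; "
                 "dmarc=fail action=oreject header.from=example.com")
# Sent from a subdomain: aligned under relaxed mode only.
SUBDOMAIN = ("Authentication-Results: spf=pass smtp.mailfrom=mail.example.com; dkim=none; "
             "dmarc=pass action=none header.from=example.com")

if __name__ == "__main__":
    for name, hdr in (("direct", DIRECT), ("list, intact", LIST_INTACT),
                      ("list, modified", LIST_MODIFIED), ("subdomain", SUBDOMAIN)):
        print(f"{name:15} relaxed={dmarc_verdict(hdr)['pass']} strict={dmarc_verdict(hdr, 'strict')['pass']}")
```

When troubleshooting a legitimate message that EOP marked as failing, comparing smtp.mailfrom and header.d against header.from in this header shows which identifier lost alignment, which is usually a forwarder or a service sending from a domain the policy never covered.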

DMARC, SPF & DKIM

• On-Demand Ignite Webcast: Deep Dive into How Microsoft Handles Spam and Advanced Email Threats (channel9.msdn.com/Events/Ignite/2015/BRK3106)

(Slide graphic: Problem / Solution)

Advanced Threat Protection

• Aims to thwart:

– Unknown malware

– Phishing

• Per-user license

– Requires EOP (does not require ExO)

– $2 extra, per user

• Cheaper for government

• Not available for edu or non-profit

Advanced Threat Protection

• Safe Attachments

– Routes messages which meet the criteria to a sandbox. Scans for:

• Executables

• Registry calls

• Privilege escalation

• etc.

• Safe Links

– Re-writes (not proxies) URLs

• Like a filtering version of bitly.com or tinyurl.com

– Inspects:

• Exchange Online

• Exchange On-Prem

• SharePoint in the future*

• Reporting

– See who is being targeted & how the phishing messages are crafted

*https://channel9.msdn.com/Events/Ignite/2015/THR0136
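The Safe Links bullet above describes URL re-writing in the manner of a filtering URL shortener, and the ATP overview calls it time-of-click protection. The following is an added example, not the deck's or Microsoft's code, of that mechanism: at delivery every http(s) URL in a body is replaced by a signed redirector link carrying the original; at click time the redirector verifies the signature and consults the block list as it is at that moment, so a host that was added after delivery is still blocked. The redirector host, the signing key and the block list are constructed for the example.

```python
"""Safe Links style URL rewriting with a time-of-click check (added example,
not the deck's or Microsoft's code). At delivery every URL is replaced by a
signed redirector link; at click time the redirector consults the *current*
block list, so a URL that turned malicious after delivery is still stopped.
"""
import hashlib
import hmac
import re
from typing import Optional, Set, Tuple
from urllib.parse import parse_qs, urlencode, urlparse

SIGNING_KEY = b"constructed-demo-key"                     # assumption: per-tenant secret
REDIRECTOR = "https://safelinks.example.invalid/click"     # assumption: redirector host
URL_RE = re.compile(r"https?://[^\s<>\"']+")


def _sig(url: str) -> str:
    # HMAC so nobody can hand-craft a redirector link that "launders" an arbitrary URL.
    return hmac.new(SIGNING_KEY, url.encode(), hashlib.sha256).hexdigest()[:32]


def rewrite_url(url: str) -> str:
    """Wrap one URL in a redirector link; non-http(s) links are left alone."""
    if urlparse(url).scheme not in ("http", "https"):
        return url
    return REDIRECTOR + "?" + urlencode({"url": url, "sig": _sig(url)})


def rewrite_body(text: str) -> str:
    """Rewrite every URL in a message body (what happens at delivery time)."""
    return URL_RE.sub(lambda m: rewrite_url(m.group()), text)


# Constructed block list; in the real service this grows continuously ("growing URL coverage").
BLOCKED_HOSTS: Set[str] = {"phish.example.net"}


def resolve_click(link: str, blocked: Set[str] = BLOCKED_HOSTS) -> Tuple[str, Optional[str]]:
    """Time-of-click decision: ("allow"|"block"|"reject", original url)."""
    q = parse_qs(urlparse(link).query)
    url, sig = q.get("url", [None])[0], q.get("sig", [None])[0]
    if url is None or sig is None or not hmac.compare_digest(sig, _sig(url)):
        return ("reject", None)                           # tampered or forged link
    host = (urlparse(url).hostname or "").lower()
    if host in blocked or any(host.endswith("." + b) for b in blocked):
        return ("block", url)
    return ("allow", url)


BODY = ("Reset your password at https://phish.example.net/login?u=1 "
        "or read the docs at https://www.example.com/docs")                     # constructed

if __name__ == "__main__":
    delivered = rewrite_body(BODY)
    print(delivered)
    for link in URL_RE.findall(delivered):
        print(resolve_click(link))
```

The point of the signature is that the redirector cannot be turned into an open redirect: a link whose url parameter was edited after rewriting no longer verifies and is rejected rather than followed.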

(ATP overview diagram. Protection against unknown malware/virus: Behavioral analysis with machine learning; Admin alerts. Time of click protection: Real time protection against malicious URLs; Growing URL coverage. Rich reporting and tracing: Built-in URL and message trace; Reports for advanced threats.)

(Mail flow diagram: Sender; Multiple filters + 3 antivirus engines with Exchange Online Protection; EOP user without ATP: Recipient. EOP user with ATP: Safe Links; Safe Attachment: Supported file type, Clean by AV/AS filters, Not in reputation list; Detonation chamber (sandbox): Executable? Registry call? Elevation? …?; Recipient / Unsafe.)

Advanced Threat Protection

• Safe Attachments

(Diagram: EOP user without ATP vs. EOP user with ATP)

Advanced Threat Protection

• Safe Links

(Diagram: Rewriting URLs to redirect to a web server; EOP user without ATP vs. EOP user with ATP)

Advanced Threat Protection

• Reporting

EOP Deployment Tips

• Microsoft’s Best Practices: technet.microsoft.com/jj723164

• Use a test domain

• Synchronize recipients

• SPF record customization

• Set anti-spam options (start with Test Mode)

• Set anti-malware options

• Create transport rules

• Reporting and troubleshooting

(Diagram labels: NDR, SPAM, Bulk, Multi-Lane Normal, VIPS, Outbound Mail)

EOP Deployment Tips

• Other Best Practices

– Read the service descriptions

– EOP should not be daisy-chained

– Create firewall rules allowing SMTP only from EOP’s IP ranges

• Subscribe to the RSS feed

– Route mail out through EOP as well

• Helps with backscatter, <your> IP reputation, reporting

• Simplifies mail flow

– For high-confidence spam: Quarantine

– For med/low-confidence spam: consider the end-user interactions

• Central quarantine or delete all spam?

• Regular report?

• Personal quarantine?

• Junk folder routing?

– Use PowerShell
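The tip above is to accept SMTP only from EOP's IP ranges, so that nothing reaches the on-premises servers without passing through EOP's filters. As an added example (not code from the deck), the script below reviews firewall log lines against an allow list and reports two things worth alerting on: SMTP accepted from a source outside the ranges (the filters were bypassed) and SMTP from inside the ranges that was dropped (mail from the service is being lost after a range change, which is why the slide says to subscribe to the feed). The ranges, log format and log lines are constructed placeholders; the real EOP ranges are the ones Microsoft publishes.

```python
"""Detecting SMTP that bypasses EOP (added example, not the deck's code).
The tip above is to accept SMTP only from EOP's published IP ranges; this
reviews constructed firewall log lines against an allow list and reports
accepted SMTP from anywhere else, plus SMTP from EOP that was dropped.
"""
import ipaddress
import re
from typing import Iterable, List, Tuple

# PLACEHOLDER ranges for the example only (documentation prefixes), NOT the real
# EOP ranges; the real list is published by Microsoft and changes, hence the RSS tip.
EOP_RANGES = [ipaddress.ip_network(n) for n in ("203.0.113.0/24", "2001:db8:10::/48")]

# Constructed log format: "<timestamp> <ACCEPT|DROP> proto=tcp src=<ip> dst=<ip> dport=<port>"
LOG_RE = re.compile(
    r"^(?P<ts>\S+) (?P<action>ACCEPT|DROP) proto=tcp src=(?P<src>\S+) dst=\S+ dport=(?P<dport>\d+)$")


def from_eop(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in EOP_RANGES)


def review_firewall_log(lines: Iterable[str], smtp_ports=(25,)) -> List[Tuple[str, str, str]]:
    """Return (timestamp, source ip, finding) for each SMTP log line that
    contradicts the policy 'SMTP only from EOP'."""
    findings = []
    for line in lines:
        m = LOG_RE.match(line.strip())
        if not m or int(m.group("dport")) not in smtp_ports:
            continue                                   # not SMTP, or not our format
        src, action = m.group("src"), m.group("action")
        try:
            eop = from_eop(src)
        except ValueError:
            findings.append((m.group("ts"), src, "unparseable source address"))
            continue
        if action == "ACCEPT" and not eop:
            findings.append((m.group("ts"), src,
                             "SMTP accepted from a non-EOP source: EOP filtering bypassed"))
        elif action == "DROP" and eop:
            findings.append((m.group("ts"), src,
                             "SMTP from EOP dropped: inbound mail from the service is being lost"))
    return findings


SAMPLE_LOG = [   # constructed
    "2015-11-03T10:00:01Z ACCEPT proto=tcp src=203.0.113.10 dst=192.0.2.25 dport=25",
    "2015-11-03T10:00:07Z ACCEPT proto=tcp src=198.51.100.77 dst=192.0.2.25 dport=25",
    "2015-11-03T10:00:09Z DROP proto=tcp src=203.0.113.44 dst=192.0.2.25 dport=25",
    "2015-11-03T10:00:12Z ACCEPT proto=tcp src=198.51.100.77 dst=192.0.2.25 dport=443",
    "2015-11-03T10:00:15Z ACCEPT proto=tcp src=2001:db8:10::5 dst=2001:db8:1::25 dport=25",
    "this line is not in the expected format",
]

if __name__ == "__main__":
    for ts, src, finding in review_firewall_log(SAMPLE_LOG):
        print(ts, src, finding)
```

Run this against the actual SMTP accept log rather than the firewall's drop log; an accept from outside the ranges is the finding that matters, since every such connection is a message the spam, malware and transport-rule filters never saw.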

Additional Resources

• TechNet/MSDN Articles

– ExO & ATP Service Descriptions: https://technet.microsoft.com/en-us/library/office-365-service-descriptions.aspx

– ATP Video: https://channel9.msdn.com/Events/Ignite/2015/THR0136

– 3rd party migration resources: technet.microsoft.com/jj723140

• Tools

– DMARC Deployment Tools: https://dmarc.org/resources/deployment-tools

– DMARC Inspector: https://dmarcian.com/dmarc-inspector

– MX Toolbox: http://mxtoolbox.com/SuperTool.aspx

– RCA: https://testconnectivity.microsoft.com

– SPF Record Creation Wizard: http://www.spfwizard.net/

– SPF Record Testing Tool: http://www.kitterman.com/spf/validate.html

• Blogs

– EOP Field Notes: http://blogs.technet.com/b/eopfieldnotes/

– Terry Zink: Security Talk: http://blogs.msdn.com/b/tzink/

– Brian Reid’s articles on ATP: http://www.c7solutions.com/category/atp

Rate This Session Now!

Rate with Mobile App:

• Select the session from the Agenda or Speakers menus

• Select the Actions tab

• Click Rate Session

Rate with Website:

• Register at www.devconnections.com/logintoratesession

• Go to www.devconnections.com/ratesession

• Select this session from the list and rate it

Tell us what you thought of this session and be entered to win prizes!