Jack Kabat, Lead Program Manager, Microsoft
Advanced Data Loss Prevention (DLP) in Exchange
EDC302
Data Loss Prevention in Exchange
Helps to
• identify
• monitor
• protect
sensitive data through deep content analysis
Identify
Protect
Monitor
End user education
Demo
Out of the box DLP policies
Customizing Your DLP Deployments
Identify
Protect
Monitor
End user education
• Custom policy templates
• Tuning of built-in types
• Custom sensitive types
• Real-time incident reports
• Policy rule reports
• Policy audit mode
• Flexible policy authoring system
• Rich policy conditions and actions
• End-user false positive reporting
• Configurable end-user education content
DLP Deployment Phases
Plan
• Start with built-in templates to assist meeting your business or regulatory requirements
• Customize policy rules, sensitive types and scope
• Target a pilot group of users
Tune
• Set policies to test and notify modes
• Enable incident reports to assess impact of rules
• Tune based on false positive reports and hit rates
Enable
• Switch policies to enforce mode
• Continue to tune based on report data trends
DLP policy templates
Built-in templates based on common regulations
Import DLP policy templates from partners
Build your own
What are DLP policy templates?
XML configuration that defines policy objectives
Built atop Exchange transport rules
Management and deployment through standard Exchange interfaces – Web and PowerShell
XML
Conditions
• Content to monitor
• User action
• Mail flow actions
Classification rules
contains
Policies
• Credit cards
• EU debit cards
Name
DLP policy rules
Built on transport rules
Rules applied in sequential order
Set of conditions and resulting actions that describe the policy objective
Take action to enforce policy
Range of actions including: Hold, block, audit & provide notification for email that contains sensitive business data
Conditions
Actions
Exceptions
Demo
Customizing DLP policies
Incident Reports
Audit data
Classification
Rule details
Match details
Content analysis process
Get Content
Examples:
Joseph F. Foster
Visa: 4485 3647 3952 7352
Expires: 2/2015
RegEx Analysis
4485 3647 3952 7352: a 16 digit number is detected
Function Analysis
1. 4485 3647 3952 7352 matches checksum
2. 1234 1234 1234 1234 does NOT match
Additional Evidence
1. Keyword Visa is near the number
2. A regular expression for date (2/2015) is near the number
Verdict
1. There is a regular expression that matches a check sum
2. Additional evidence increases confidence
Sensitive content type customizations
Policy level configuration based on counts
Tune existing built-in types to add corroborative evidence and exclusions (keywords, regular expressions)
Add different patterns with different confidence scores for different policy actions
Define custom sensitive types that can leverage internally defined functions (dates, keywords, Credit Cards, Passport Numbers)
XML
Patterns
• Confidence score
• Proximity specification
• Identifier
Match Conditions
contains
• Functions / regular expressions
• Corroborative evidence
Keywords / functions
Entities
Name
Demo
Customizing sensitive content types
Document Fingerprinting – New in SP1
Matching derivative document from a previously configured template
A tax firm needs to detect and encrypt standard tax forms, like the 1040 EZ, W2, etc.
A law firm can fingerprint legal forms, and have them detected automatically for policy application
Integrates with the existing DLP infrastructure as a custom sensitive information type
Surfaced in Exchange, Outlook and OWA
Contoso Pharma Confidential
PATENT TITLE:
INVENTORS
List the names of the inventors
DESCRIPTION
Describe your invention
Matches Filled in Template
Contoso Pharma Confidential
PATENT TITLE: Foo Bar
INVENTORS
List the names of the inventors
Shobhit, Alex
DESCRIPTION
Describe your invention
Foo Bar helps in curing diseases.
Document Fingerprinting - Configuration
Get Template Content
Fabrikam Patent Form Tracking Number Author Date Invention Title Names of all authors...
Create Fingerprint
1. Condensed representation of the hashed template content
2. Stored as a custom sensitive information type
CLASSIFICATION RULE with FINGERPRINT
Reference in Policy Rule
1. Add fingerprint to policy rules together with other conditions
2. Map to desired actions
Fingerprint generation from template documents
Fingerprint stored as custom sensitive type
Configured in policy rules as any other custom sensitive type
Document Fingerprinting - Runtime
Get Email Content
Fabrikam Patent Form Tracking Number 12345 Author Alex Date 1/28/2014 Invention Title Fabrikam Green Energy...
Create Fingerprint
1. Temporary in-memory representation
2. Used for comparison with source fingerprint created at config time
Verdict
1. Compare the two fingerprints
2. Evaluate a ‘containment coefficient’ to declare a match
POLICY RULES REFERENCES TO PREVIOUSLY GENERATED FINGERPRINTS
FINGERPRINT GENERATION
Evaluation + verdict
Fingerprint generated at run-time for target attachment
Fingerprint evaluated against configured fingerprints for template documents
Match declared based on ‘containment coefficient’
b-Bit Minwise Hashing
INPUT TEXT
This is a test. I love DLP and Fingerprinting.
STEP 1
Break into Shingles of length 2
This is | Is a | a test | test I | I Love | Love DLP | DLP and | And Fingerprinting
64 bit hash value of the shingle (e.g., This is 1010101010101110100111000111)
Hash 1 (universal hash function)
Hash 2 (hash function with random dispersion)
STEP 2
Convert to a 64 bit value (hash it!)
STEP 3
Map the 64 bit value randomly to 1024 other 64 bit values
STEP 4
Reduce each 64 bit value to a 16 bit value (LSB Mask)
Apply a 16 bit mask
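The four hashing steps and the runtime comparison against a configured fingerprint, as an added Python example (not from the presentation and not Exchange's implementation). Assumptions: BLAKE2b as the 64-bit hash, (a*x + b) mod 2^64 as the 1024 remappings, keeping the minimum per remapping as in standard minwise hashing, and deriving containment from signature agreement plus stored shingle counts; the slides do not say how Exchange computes the coefficient.

```python
import hashlib
import random
import re

K = 1024                                   # Step 3: number of 64-bit remappings
MASK64, MASK16 = (1 << 64) - 1, (1 << 16) - 1

# Assumption: each remapping is a universal hash (a*x + b) mod 2^64 with fixed a, b.
_rng = random.Random(2014)
PARAMS = [(_rng.getrandbits(64) | 1, _rng.getrandbits(64)) for _ in range(K)]

# Constructed sample documents, modelled on the patent form shown on the slides.
TEMPLATE = ("Contoso Pharma Confidential PATENT TITLE: INVENTORS List the names "
            "of the inventors DESCRIPTION Describe your invention")
FILLED = ("Contoso Pharma Confidential PATENT TITLE: Foo Bar INVENTORS List the "
          "names of the inventors Shobhit, Alex DESCRIPTION Describe your "
          "invention Foo Bar helps in curing diseases.")
UNRELATED = ("Quarterly sales figures for the northern region are attached for "
             "review before the Friday meeting")

def shingles(text, width=2):
    """Step 1: set of overlapping word shingles."""
    words = re.findall(r"\w+", text.lower())
    return {" ".join(words[i:i + width]) for i in range(len(words) - width + 1)}

def fingerprint(text):
    """Steps 2-4: returns (shingle count, K minimum hashes masked to 16 bits)."""
    base = [int.from_bytes(hashlib.blake2b(s.encode(), digest_size=8).digest(), "big")
            for s in shingles(text)]
    if not base:
        raise ValueError("text too short to shingle")
    sig = [min((a * x + b) & MASK64 for x in base) & MASK16 for a, b in PARAMS]
    return len(base), sig

def containment(template_fp, target_fp):
    """Estimate |T & D| / |T|: the share of the template found in the target."""
    (n_t, sig_t), (n_d, sig_d) = template_fp, target_fp
    jaccard = sum(x == y for x, y in zip(sig_t, sig_d)) / K
    return min(1.0, jaccard * (n_t + n_d) / ((1 + jaccard) * n_t))

def exact_containment(template, target):
    """Ground truth from the full shingle sets, for comparison with the estimate."""
    t, d = shingles(template), shingles(target)
    return len(t & d) / len(t)

if __name__ == "__main__":
    print(containment(fingerprint(TEMPLATE), fingerprint(FILLED)))
```

Containment rather than plain similarity is what lets a filled-in form match: the added answers enlarge the target document but leave most of the template's shingles present.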
Demo
Document Fingerprinting
Empower users to manage their compliance
Contextual policy education
Doesn’t disrupt user workflow
Can work even when disconnected
Admin customizable text and actions
Outlook OWA
User education
Customizing End User Policy Tips
Customize Policy Tip messages
Messages for notification, block and override can be customized.
Customize link for user education
Specify an internal URL with company policies around handling sensitive content.
Custom classification rule names are displayed here.
Demo
Customizing end user Policy Tips
DLP extensibility points
Custom DLP content:
Supplemental DLP policy templates
Supplemental DLP classification rules
Incident reports integration with custom workflows
Custom agents for additional conditions and actions
Custom reporting solutions
E.g. MessageStats Business Insights from Dell
NEW in SP1 – EXCHANGE and OUTLOOK 2013
Exchange DLP Feature Set
Deep content analysis engine
46 OOB sensitive information types
40 OOB DLP Templates
Support for 3rd party defined DLP policy templates
Policy Tips in OWA and Mobile OWA
Advanced Document Fingerprinting in Exchange, Outlook, and OWA
5 new OOB sensitive information types
Policy Tips in Outlook 2013
Contextual user education and empowerment
Incident management Rich reporting
EXCHANGE and OUTLOOK 2013
Resources
DLP in Exchange 2013 SP1 http://blogs.technet.com/b/exchange/archive/2014/02/25/data-loss-prevention-in-exchange-just-got-better.aspx
DLP policy templates http://technet.microsoft.com/en-us/library/jj657730
Managing DLP policies http://technet.microsoft.com/en-us/library/jj673559
OOB DLP policy templates http://technet.microsoft.com/en-us/library/jj150530
Policy tips in Exchange 2013 http://technet.microsoft.com/en-us/library/jj150512
Supported file types http://technet.microsoft.com/en-us/library/jj674307
MessageStats Quick Guide http://mbidemo.quest.com/Insights/#page/home
Related Sessions
Session | Title | Timing | Room
SPR.202 | Encryption in Exchange | Tue 10:45 AM - 12:00 PM | Ballroom E
SPR.201 | Eliminate the Regulatory Compliance Nightmare | Tue 9:00 AM-10:15 AM | MR 19ab
SPR.UN.305 | Exchange Online Protection: Notes from the field | Wed 10:15 AM – 11:30 AM | Ballroom G
SPR.UN.304 | Experts Unplugged: EOP & Encryption | Wed 8:30-9:45 AM; Wed 1:00-2:15 PM | MR 18d; MR 17b
USX.206 | What's New in Outlook Web App | 9:00 AM - 10:15 AM | Ballroom G
SPR.401 | Extending Data Loss Prevention For Your Business | Wed 4:45 PM- 6:00 PM | MR 18bc
SPR.203 | Protect your Organization with Exchange Online Protection (EOP) | Mon 4:30 PM - 5:45 PM | MR 18bc
SPR.301 | So how does Microsoft handle my spam? | Tue 4:45 PM – 6:00 PM | MR 19ab
SPR.401 | Using Connectors & Mail Routing | Wed 2:45 PM - 4:00 PM | MR 18bc
ARC.304 | Exchange Server 2013 Transport Architecture | Tues 9:00 AM - 10:15 AM | Ballroom F
EDC.302 | Advanced Data Loss Prevention in Exchange | Tues 1:30 PM-2:45 PM | Ballroom F
EDC.UN.301 | Experts Unplugged: Data Loss Prevention | Tue 3:00 PM-4:15 PM; Wed 10:15 AM-11:30 AM | MR 18d; MR 13ab
EDC.204 | Data Loss Prevention in Exchange, Outlook, OWA | Mon 2:45 PM-4:00 PM | MR 18bc
MNG.304 | Reporting On O365 Mail flow and Mailbox Data | Wed 1:00 PM-2:15 PM | MR 17a
© 2014 Microsoft Corporation. All rights reserved. Microsoft, Windows and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries. The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.