Advanced Data Loss Prevention (DLP) in Exchange

EDC302
Data Loss Prevention in Exchange
Identify
Monitor
Protect
End user education
Helps to identify, monitor and protect sensitive data through deep content analysis
Customizing Your DLP Deployments
• Custom policy templates
• Tuning of built-in types
• Custom sensitive types
Identify
Monitor
• Flexible policy authoring system
• Rich policy conditions and actions
Protect
• Real-time incident reports
• Policy rule reports
• Policy audit mode
• End-user false positive reporting
• Configurable end-user education content
End user education
Plan
Tune
Enable
• Start with built-in templates to assist meeting your business or regulatory requirements
• Customize policy rules, sensitive types and scope
• Target a pilot group of users
• Set policies to test and notify modes
• Enable incident reports to assess impact of rules
• Tune based on false positive reports and hit rates
• Switch policies to enforce mode
• Continue to tune based on report data trends
Built-in templates based on common regulations
Import DLP policy templates from partners
Build your own
XML configuration that defines policy objectives
Built atop Exchange transport rules
Management and deployment through standard Exchange interfaces – Web and PowerShell
• Content to monitor
• User action
• Mail flow actions
contains
• Credit cards
• EU debit cards
Built on transport rules
Conditions
Rules applied in sequential order
Set of conditions and resulting actions that describe the policy objective
Take action to enforce policy
Actions
Range of actions including: Hold, block, audit & provide notification for email that contains sensitive business data
Exceptions
Match
details
Auditdetails
data
Classification Rule
Get Content
Joseph F. Foster
Visa: 4485 3647 3952 7352
Expires: 2/2015
RegEx Analysis
4485 3647 3952 7352 → a 16 digit number is detected
Function Analysis
1. 4485 3647 3952 7352 → matches checksum
2. 1234 1234 1234 1234 → does NOT match
Additional Evidence
1. Keyword Visa is near the number
2. A regular expression for date (2/2015) is near the number
Verdict
1. There is a regular expression that matches a checksum
2. Additional evidence increases confidence
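The classification flow above (regular expression, checksum function, nearby evidence, verdict) as an added Python example; it is not Exchange's own rule code. The keyword list, the 300-character proximity window and the 85/65 confidence scores are assumptions made for illustration.

```python
import re

# Assumed patterns and scores; the slide does not show the built-in rule's values.
CARD_RE = re.compile(r"\b(?:\d[ -]?){15}\d\b")          # RegEx analysis: 16 digits
KEYWORD_RE = re.compile(r"\b(?:visa|mastercard|credit card)\b", re.I)
EXPIRY_RE = re.compile(r"\b(?:0?[1-9]|1[0-2])/(?:\d{4}|\d{2})\b")   # e.g. 2/2015
PROXIMITY = 300          # characters inspected on each side of the number
HIGH, LOW = 85, 65       # confidence with / without corroborative evidence

def luhn_ok(digits):
    """Function analysis: Luhn checksum over the digit string."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:                       # every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0

def classify(text):
    """Return one finding per checksum-valid card number found in text."""
    findings = []
    for m in CARD_RE.finditer(text):
        digits = re.sub(r"\D", "", m.group())
        if not luhn_ok(digits):
            continue                         # 16 digits, but not a card number
        nearby = (text[max(0, m.start() - PROXIMITY):m.start()] + " "
                  + text[m.end():m.end() + PROXIMITY])
        evidence = [name for name, rx in (("keyword", KEYWORD_RE), ("expiry", EXPIRY_RE))
                    if rx.search(nearby)]
        findings.append({"masked": "*" * 12 + digits[-4:],   # never log the full number
                         "evidence": evidence,
                         "confidence": HIGH if evidence else LOW})
    return findings

# Samples: the first two use the numbers from the slide, the third is constructed.
SLIDE_MAIL = "Joseph F. Foster\nVisa: 4485 3647 3952 7352\nExpires: 2/2015"
NOT_A_CARD = "Reference 1234 1234 1234 1234"
BARE_NUMBER = "4485364739527352"

if __name__ == "__main__":
    for sample in (SLIDE_MAIL, NOT_A_CARD, BARE_NUMBER):
        print(classify(sample))
```
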
Examples:
Policy level configuration based on counts
Tune existing built-in types to add corroborative evidence and exclusions (keywords, regular expressions)
Add different patterns with different confidence scores for different policy actions
Define custom sensitive types that can leverage internally defined functions (dates, keywords, Credit Cards, Passport Numbers)
• Confidence score
• Proximity specification
• Identifier
contains
Functions / regular expressions
Corroborative evidence
Keywords / functions
Contoso Pharma Confidential
Contoso Pharma Confidential
PATENT TITLE:
INVENTORS
List the names of the inventors
DESCRIPTION
Describe your invention
Contoso Pharma Confidential
PATENT TITLE: Foo Bar
Matches
Filled in Template
INVENTORS
List the names of the inventors
Shobhit, Alex
DESCRIPTION
Describe your invention
Foo Bar helps in curing diseases.
Contoso Pharma Confidential
CONFIGURATION
Get Template Content
Fabrikam Patent Form Tracking Number Author Date Invention Title Names of all authors...
Create Fingerprint
1. Condensed representation of the hashed template content
2. Stored as a custom sensitive information type
Reference in Policy Rule
1. Add fingerprint to policy rules together with other conditions
2. Map to desired actions
CLASSIFICATION RULE with FINGERPRINT
RUNTIME
Get Email Content
Fabrikam Patent Form Tracking Number 12345 Author Alex Date 1/28/2014 Invention Title Fabrikam Green Energy...
POLICY RULES REFERENCES TO PREVIOUSLY GENERATED FINGERPRINTS
Evaluation
Create Fingerprint
1. Temporary in memory representation
2. Used for comparison with source fingerprint created at config time
+ verdict
FINGERPRINT GENERATION
Verdict
1. Compare the two fingerprints
2. Evaluate a 'containment coefficient' to declare a match
b-Bit Minwise Hashing
INPUT TEXT
This is a test. I love DLP and Fingerprinting.
STEP 1
Break into Shingles of length 2
This is
Is a
a test
test I
I Love
Love DLP
And Fingerprinting
STEP 2
Convert to a 64 bit value (hash it!)
Hash 1 (universal hash function)
64 bit hash value of the shingle (e.g., This is → 1010101010101110100111000111)
STEP 3
Map the 64 bit value randomly to 1024 other 64 bit values
Hash 2 (hash function with random dispersion)
STEP 4
Reduce each 64 bit value to a 16 bit value (LSB Mask)
Apply a 16 bit mask
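The four steps above, together with the config-time and runtime comparison described earlier, as an added Python example; it is not Exchange's implementation. BLAKE2b as the hash, keeping the minimum per hash function (the standard minwise step, not spelled out on the slide), storing the shingle count with the fingerprint and the Jaccard-to-containment conversion are all assumptions of this example.

```python
import hashlib
import re

NUM_HASHES = 1024   # Step 3: number of derived hash functions
MASK = 0xFFFF       # Step 4: keep the 16 least significant bits

def shingles(text, k=2):
    """Step 1: distinct overlapping word shingles of length k, punctuation dropped."""
    words = re.findall(r"\w+", text.lower())
    return {" ".join(words[i:i + k]) for i in range(len(words) - k + 1)}

def hash64(data, salt=b""):
    """64-bit hash of data; BLAKE2b is this example's choice."""
    return int.from_bytes(hashlib.blake2b(data, digest_size=8, salt=salt).digest(), "big")

def fingerprint(text):
    """Return (signature, shingle_count) for a template or a message body."""
    base = [hash64(s.encode()).to_bytes(8, "big") for s in shingles(text)]   # Step 2
    if not base:
        raise ValueError("text too short to fingerprint")
    signature = []
    for i in range(NUM_HASHES):
        salt = i.to_bytes(2, "big")
        # Step 3 plus the minwise step: re-hash with function i, keep the minimum.
        smallest = min(hash64(value, salt) for value in base)
        signature.append(smallest & MASK)                                     # Step 4
    return signature, len(base)

def containment(template_fp, message_fp):
    """Estimate the share of template shingles that also occur in the message."""
    (sig_t, n_t), (sig_m, n_m) = template_fp, message_fp
    jaccard = sum(a == b for a, b in zip(sig_t, sig_m)) / NUM_HASHES
    shared = jaccard * (n_t + n_m) / (1 + jaccard)    # estimated size of the overlap
    return shared / n_t

# Template and filled-in form are the slide's texts; the unrelated mail is constructed.
TEMPLATE_FP = fingerprint("Fabrikam Patent Form Tracking Number Author Date "
                          "Invention Title Names of all authors")
FILLED_FP = fingerprint("Fabrikam Patent Form Tracking Number 12345 Author Alex "
                        "Date 1/28/2014 Invention Title Fabrikam Green Energy")
UNRELATED_FP = fingerprint("Lunch on Thursday? The cafeteria has a new menu "
                           "and the team wants to try it.")

if __name__ == "__main__":
    print(containment(TEMPLATE_FP, FILLED_FP), containment(TEMPLATE_FP, UNRELATED_FP))
```

On a form this short, filling in the fields breaks most two-word shingles, so only about 5 of the 12 template shingles survive; longer templates with more fixed text keep a much higher coefficient.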
DLP and User education
Empower users to manage their compliance
Contextual policy education
Doesn’t disrupt user workflow
Can work even when disconnected
Admin customizable text and actions
Outlook
OWA
Customize Policy Tip messages
Messages for notification, block and override can be customized.
Customize link for user education
Specify an internal URL with company policies around handling sensitive content.
Custom classification rule names are displayed here.
Custom DLP content:
Supplemental DLP policy templates
Supplemental DLP classification rules
Incident reports integration with custom workflows
Custom agents for additional conditions and actions
Custom reporting solutions
E.g. MessageStats Business Insights from Dell
Deep content analysis engine
46 OOB sensitive information types
40 OOB DLP Templates
Support for 3rd party defined DLP policy templates
Policy Tips in Outlook 2013
Contextual user education and empowerment
Incident management
Rich reporting
Policy Tips in OWA and Mobile OWA
Advanced Document Fingerprinting in Exchange, Outlook, and OWA
5 new OOB sensitive information types
DLP in Exchange 2013 SP1
http://blogs.technet.com/b/exchange/archive/2014/02/25/data-loss-prevention-in-exchange-just-got-better.aspx
DLP policy templates
http://technet.microsoft.com/en-us/library/jj657730
Managing DLP policies
http://technet.microsoft.com/en-us/library/jj673559
OOB DLP policy templates
http://technet.microsoft.com/en-us/library/jj150530
Policy tips in Exchange 2013
http://technet.microsoft.com/en-us/library/jj150512
Supported file types
http://technet.microsoft.com/en-us/library/jj674307
MessageStats Quick Guide
http://mbidemo.quest.com/Insights/#page/home
Session | Title | Timing | Room
SPR.202 | Encryption in Exchange | Tue 10:45 AM - 12:00 PM | Ballroom E
SPR.201 | Eliminate the Regulatory Compliance Nightmare | Tue 9:00 AM-10:15 AM | MR 19ab
SPR.UN.305 | Exchange Online Protection: Notes from the field | Wed 10:15 AM – 11:30 AM | Ballroom G
SPR.UN.304 | Experts Unplugged: EOP & Encryption | Wed 8:30-9:45 AM; Wed 1:00-2:15 PM | MR 18d; MR 17b
USX.206 | What's New in Outlook Web App | 9:00 AM - 10:15 AM | Ballroom G
SPR.401 | Extending Data Loss Prevention For Your Business | Wed 4:45 PM- 6:00 PM | MR 18bc
SPR.203 | Protect your Organization with Exchange Online Protection (EOP) | Mon 4:30 PM - 5:45 PM | MR 18bc
SPR.301 | So how does Microsoft handle my spam? | Tue 4:45 PM – 6:00 PM | MR 19ab
SPR.401 | Using Connectors & Mail Routing | Wed 2:45 PM - 4:00 PM | MR 18bc
ARC.304 | Exchange Server 2013 Transport Architecture | Tues 9:00 AM - 10:15 AM | Ballroom F
EDC.302 | Advanced Data Loss Prevention in Exchange | Tues 1:30 PM-2:45 PM | Ballroom F
EDC.UN.301 | Experts Unplugged: Data Loss Prevention | Tue 3:00 PM-4:15 PM; Wed 10:15 AM-11:30 AM | MR 18d; MR 13ab
EDC.204 | Data Loss Prevention in Exchange, Outlook, OWA | Mon 2:45 PM-4:00 PM | MR 18bc
MNG.304 | Reporting On O365 Mail flow and Mailbox Data | Wed 1:00 PM-2:15 PM | MR 17a