How to Create an Email Protection Policy

Part 1 – Policy Overview

The Avanan Cloud Security Platform offers the industry’s most complete cloud security solution with defense-in-depth capabilities to make your SaaS or IaaS both safe and compliant. We protect your users and files in any cloud environment, from Office365 to Gmail, Amazon to Azure. This guide describes Avanan’s group-based policy framework, which can be leveraged to continuously help protect data that sits in the cloud.

Avanan offers three modes of protection for email, outlined below:

  1. Monitor only
  2. Detect and Protect
  3. Protect (Inline)

Monitor only mode provides visibility into cloud-hosted email by leveraging publicly available APIs and a journal entry from the SaaS email provider. Scan results are provided from 60+ best-of-breed security tools. In this mode, manual and automated query-based quarantines are available after delivery to the user mailbox.

  1. Incoming email passes through the email provider’s spam filter. Emails are sorted accordingly:
    1. Rejected
    2. Accepted, Moved to Junk
    3. Accepted, Moved to Inbox
  2. Manual and automated query-based quarantines are available after delivery to the user mailbox.

Detect and Protect mode provides an increased level of protection; it scans email via journaling, leveraging the same SaaS email provider APIs. This mode adds an automated policy action to quarantine malware, phishing attacks, etc. based on the results of the best-of-breed security stack. In this mode, user notifications and release workflows are available.

  1. Incoming email arrives in respective mailbox folder.
  2. Avanan detects new email and scans (10 sec - 5 min).
  3. If malicious, Avanan takes automatic action; otherwise, the email is left alone.
  4. Optional user notifications and release workflows are available.

Protect mode provides the highest level of protection and scans email prior to delivery to the end user’s inbox. Leveraging the same SaaS email provider APIs and implementing mail flow rules, Avanan can scan email with a best-of-breed security stack to protect end users from malware, data leaks, phishing attacks and more. Scanning and quarantining take place before email is delivered to the user’s inbox. This mode ensures that threats are detected and remediated before the user has access to the email.

  1. Incoming email heads to the mail flow.
  2. Avanan redirects the mail to the Avanan platform for scanning (10 sec - 5 min).
  3. If malicious, Avanan takes action; otherwise, it returns the email to the mail flow.
  4. User notifications and release workflows are defined in policy.

Part 2 – Policy Configuration

Before group-based policy is configured you must configure a dedicated quarantine mailbox that will be used to store any emails or attachments that are quarantined during the scanning process, by policy or via manual actions. The configuration is located in the Cloud App Store under your cloud-based email platform. This must be a fully licensed mailbox; it cannot be a shared mailbox.

You must also specify a restore request approver email account. This must be a current administrator in the Avanan platform. This account is used to notify administrators when a user requests that an email be released from quarantine.

Email policy is configured from the policy console, located on the left-hand panel of the Avanan dashboard.

Step 1

Select the SaaS platform you want to set policy for (Office 365 Emails or Gmail). Click the + to configure a new policy.

Step 2

Select Threat detection as the security type. Threat detection covers AV, Malware and Phishing protection in the policy.

Step 3

Rule State should be set to running, and you can change the default name of the rule. Severity can be set to Auto or a predetermined level. You must also select the desired mode: Monitor Only, Detect and Protect or Protect (Inline).

Step 4

Select the scope of users and/or groups to be covered by the policy. All users can be protected by selecting all users and groups.

Step 5

Under the advanced tab you can select the security tools that run for this specific policy. Available security tools are configured in the Security App Store under configuration.

Note - If you select either Detect and Protect or Protect (Inline) mode, you will see additional configuration screens in the advanced configuration that allow customization of the user-level email notifications. Workflow and notification options are outlined in the next section.

Step 6

Alerts can be configured to be sent to the configured administrators (admins can opt in under user management) or to specified email addresses. Alerts are available separately for Malware and Phishing. Email alert templates can be customized by clicking on the gears to the right of the alert.

Step 7

Once the policy is configured, hit the Save and Apply button to apply the policy to the configured user population. Policies are evaluated by precedence, so make sure your rules are applied in the proper order. The order can be adjusted from the policy console.



Workflows and Notification

Detect and Protect mode and Protect (Inline) mode both offer three separate workflows to manage Malware and Anti-Phishing attacks in the platform. The only difference is when the workflow is invoked: Detect and Protect scans email after delivery to the user, and Protect (Inline) scans just prior to delivery.

Malware

  • User is alerted and allowed to restore the email
  • User is alerted, allowed to request a restore. Admin must approve
  • Email quarantined. User is not alerted. Admin can restore
  • Do nothing

Anti-Phishing

  • User receives the email with an alert
  • Email quarantined. Admin can restore
  • Email Quarantined. User is alerted, allowed to request a restore. Admin must approve
  • Do nothing

Suspicious Phishing affects

  • User receives the email with a warning
  • User is not alerted. Admin can restore
  • Do nothing

Advanced options are available to customize all messages and notifications to the end users.

Manual Notification settings

To take actions outside of the policy framework, actions can be taken from the email profile or set through queries. Advanced options are available to customize all manually generated messages and notifications to the end users. These notifications are set in the Cloud Store under your cloud email service.



Part 2 – End-user experience

Malware End-user workflow

  • 1 - User is alerted and allowed to restore the email

Email to the user is scanned, and when found malicious the subject is replaced with a Quarantined notice and the original subject is provided in brackets. The body of the message is replaced with a customizable message to the user along with a link to release the file if a false positive is suspected. The attachment is also stripped and noted in the replaced body. In this mode, the user is authorized to perform their own release of the attachment. Using the link in the email, end users can release the quarantined attachment. The original email and attachment will be immediately delivered back to the inbox.
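The replacement-and-release behaviour described above, modelled as an added Python example (this is not Avanan's code): the original message is held in an assumed in-memory quarantine store, the user receives a replacement whose subject carries the original in brackets, whose body notes the stripped attachments and carries a self-service release link, and release hands the original back unaltered. The subject format, the release URL and the store are assumptions.

```python
"""Model of the 'User is alerted and allowed to restore' malware workflow.

Illustrative example only. The subject format, RELEASE_URL and the
in-memory QUARANTINE store are assumptions, not Avanan's implementation.
"""
from email.message import EmailMessage
from typing import Optional
import uuid

QUARANTINE = {}  # assumed stand-in for the dedicated quarantine mailbox
RELEASE_URL = "https://example.invalid/release/{token}"  # placeholder


def quarantine_and_notify(original: EmailMessage, verdict: str) -> EmailMessage:
    """Store the original out of the user's reach; return the notice they get."""
    token = uuid.uuid4().hex
    QUARANTINE[token] = original  # the user no longer has the real message
    stripped = [p.get_filename() or "(unnamed)" for p in original.iter_attachments()]
    notice = EmailMessage()
    for header in ("From", "To", "Date"):  # keep routing headers, not the payload
        if original[header]:
            notice[header] = original[header]
    notice["Subject"] = f"Quarantined [{original['Subject']}]"
    notice["X-Quarantine-Token"] = token
    notice.set_content(
        f"This message was quarantined ({verdict}).\n"
        f"Removed attachment(s): {', '.join(stripped) or 'none'}\n"
        "If you believe this is a false positive, release it here:\n"
        f"{RELEASE_URL.format(token=token)}\n"
    )
    return notice


def release(token: str) -> Optional[EmailMessage]:
    """Self-service release: the original is delivered back unaltered, once."""
    return QUARANTINE.pop(str(token), None)


def build_sample() -> EmailMessage:
    """Constructed sample message with one attachment (harmless bytes)."""
    msg = EmailMessage()
    msg["From"] = "sender@example.invalid"
    msg["To"] = "user@example.invalid"
    msg["Subject"] = "Invoice attached"
    msg.set_content("Please see the attached invoice.")
    msg.add_attachment(b"not really malicious", maintype="application",
                       subtype="octet-stream", filename="invoice.exe")
    return msg
```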

  • 2 - User is alerted, allowed to request a restore. Admin must approve

Email to the user is scanned, and when found malicious the subject is replaced with a Quarantined notice and the original subject is provided in brackets. The body of the message is replaced with a customizable message to the user along with a link to release the file if a false positive is suspected. The attachment is also stripped and noted in the replaced body. The malware will be zipped, password protected and delivered to the Restore request approver.

Quarantine release process

Using the link in the email, end users can request release of the quarantined attachment if a false positive is suspected. Justification for the request can be provided in the workflow.

If the request is approved by the administrator, the original message will be delivered unaltered to the user.

  • 3 - Email removed. User is not alerted. Admin can restore

In this mode, the email is automatically quarantined with no user notification.

Anti-Phishing End-user workflow

  • 1 - User receives the email with an alert

Email to the user is scanned, and when found to be suspicious the subject is replaced with a Phishing Alert! notice and the original subject is provided in brackets. The body of the message includes a customizable message to the user along with a link to remove the warning if a false positive is suspected by the user.

  • 2 - User does not receive the email. Admin can restore

In this mode, the email is automatically quarantined with no user notification.

  • 3 - Email quarantined. User is alerted, allowed to request a restore. Admin must approve

Email to the user is scanned, and when found malicious the subject is replaced with Quarantined and the original subject is provided in brackets. The body of the message is replaced with a customizable message to the user along with a link to release the email if a false positive is suspected.

Quarantine release process

Using the link in the email, end users can request release of the quarantined attachment if a false positive is suspected. Justification for the request can be provided in the workflow.

If the request is approved by the administrator, the original message will be delivered unaltered to the user.

Suspicious Phishing affects

  • 1 - Enabled for all users
  • 2 - Enabled for a subset of Inline users



Part 3 – Release Process

Admin release process

The admin will be notified via email at the configured Restore request approver email address. Optional alerts and email notifications can also be configured. The email will contain the malware in a zipped, password-protected attachment, with a direct link to the email profile in the Avanan portal. Once in the Avanan portal, a full security review of the malware can be completed and the release request fulfilled or declined.



Part 4 – Manual Actions

Manual quarantine process

The manual quarantine process can be used to complete quarantines one at a time via two workflows in the Avanan dashboard. The first is available in the event workflow (SS1) and the second in the email profile (SS2). When email is quarantined it is removed from the user mailbox and moved to the designated quarantine mailbox, which effectively removes the user’s access to the mail. Once quarantined, the mail is managed via the Quarantine workflow for investigation, and if needed it can be released back to the user (SS3). Release can be one at a time or via multi-select.

* Note: the default notification for a manual action is set to no notification to the user. Work with your Avanan account rep to change the default.

When implementing notifications to end users, an optional admin approval release workflow can be delivered to the user. In this configuration admins will be notified of pending requests in the quarantine workflow (SS4).

(SS1)


(SS2)


(SS3)


(SS4)

Bulk manual quarantine process

The manual quarantine process can also be initiated in bulk via multi-select in the event workflow.

Query based quarantine process

For performing quarantine in bulk, the custom query engine gives you a robust search-and-destroy capability. Once your search criteria are established, manual actions can be executed on the search results (SS1). See the Avanan query building guide for more details on how to build queries.



Part 5 – Audit Trail

System log

All actions are reported to the system log under configuration.