Email Protection - Guide

Threat Detection Policy

Overview

The Avanan Cloud Security Platform offers the industry’s most complete cloud security solution with defense-in-depth capabilities to make your SaaS or IaaS both safe and compliant. We protect your users and files in any cloud environment, from Office365 to Gmail, Amazon to Azure. This guide describes Avanan’s group-based policy framework that can be leveraged to continuously help protect data that sits in the cloud.

Avanan offers three modes of protection for email outlined below:

  1. Monitor only
  2. Detect and Protect
  3. Protect (Inline)

Monitor only mode provides visibility into the cloud-hosted email by leveraging the SaaS email provider's publicly available API and journaling. Scan results are provided from 60+ best-of-breed security tools. In this mode, manual and automated query-based quarantines are available after delivery to the user mailbox.

  1. Incoming email passes through the email provider’s spam filter. Emails are sorted accordingly:
    1. Rejected
    2. Accepted, Moved to Junk
    3. Accepted, Moved to Inbox
  2. Manual and automated query-based quarantines are available after delivery to the user mailbox.

Detect and Protect mode provides an increased level of protection: email is scanned via journaling, leveraging the same SaaS email provider API. This mode adds an automated policy action to quarantine malware, phishing attacks, etc. based on the results of the best-of-breed security stack. In this mode, user notifications and release workflows are available.

  1. Incoming email arrives in respective mailbox folder.
  2. Avanan detects new email and scans (10 sec - 5 min).
  3. If malicious, Avanan takes automatic action; otherwise, the email is left alone.
  4. Optional user notifications and release workflows are available.

Protect mode provides the highest level of protection and scans email prior to delivery to the end user’s inbox. Leveraging the same SaaS email provider API and implementing mail flow rules, Avanan can scan email with a best-of-breed security stack to protect end users from malware, data leaks, phishing attacks, and more. Scanning and quarantining take place before the email is delivered to the user’s inbox, so threats are detected and remediated before the user has access to the email.

  1. Incoming email heads to the mail flow.
  2. Avanan redirects the mail to the Avanan platform for scanning (10 sec - 5 min).
  3. If malicious, Avanan takes action; otherwise, it returns the email to the mail flow.
  4. User notifications and release workflows are defined in the policy.

Policy Configuration

If you would like to store quarantined emails locally, you may configure a dedicated quarantine mailbox. This mailbox will be used to store any emails or attachments that are quarantined during the scanning process, whether by policy or via manual actions. The configuration is located in the Cloud App Store under your cloud-based email platform. This must be a fully licensed mailbox; it cannot be a shared mailbox. Specifying such a mailbox is not required, as Avanan will store a copy of quarantined emails in an S3 bucket associated with your portal.

You must also specify a restore request approver email account. This will be a current administrator in the Avanan platform. This account is used to notify administrators when there is a user requesting an email to be released from quarantine.

Part 1 - Threat Detection Policy for Incoming Emails

The threat detection policy for incoming email is configured from the Policy console on the left-side panel of the Avanan dashboard.

Step 1

Select the SaaS platform you want to set the policy for (Office 365 Emails or Gmail). Click the + to configure a new policy.

Step 2

Select Threat Detection as the security type. Threat detection covers AV, malware and phishing protection in the policy.

Step 3

Rule State should be set to Running, and you can change the default name of the rule. Severity can be set to Auto or to a predetermined level. You must also select the desired mode: Monitor Only, Detect and Protect, or Protect (Inline).

Step 4

Select the scope of users and/or groups to be covered by the policy. All users can be protected by selecting All Users and Groups.

Step 5

Under the Advanced tab, you can select the security tools that run for this specific policy. Available security tools are configured in the Security App Store under Configuration.

Note - If you select either Detect and Protect or Protect (Inline) mode, you will see additional configuration screens that allow customization of the user-level email notifications in the advanced configuration. Workflow and notification options are outlined in the next section.

Step 6

Alerts can be sent to the configured administrators (admins can opt in under User Management) or to specified email addresses. Alerts are available separately for Malware and Phishing. Email alert templates can be customized by clicking the gear icon to the right of the alert.

Step 7

Once the policy is configured, click the Save and Apply button to apply the policy to the configured users.

Note - Policies are applied in order of precedence. Make sure the rules are in the proper order; the order can be adjusted from the policy console.


Workflows and Notification

Detect and Protect mode and Protect (Inline) mode offer three separate workflows to manage Malware and Anti-Phishing attacks on the platform. The only difference is when the workflow is invoked: Detect and Protect scans email after delivery to the user, and Protect (Inline) scans just prior to delivery.

Malware

  • User is alerted and allowed to restore the email
  • User is alerted, allowed to request a restore. Admin must approve
  • Email quarantined. User is not alerted. Admin can restore
  • Do nothing

Anti-Phishing

  • User receives the email with an alert
  • Email quarantined. Admin can restore
  • Email Quarantined. User is alerted, allowed to request a restore. Admin must approve
  • Do nothing

Suspicious Phishing affects

  • User receives the email with a warning
  • User is not alerted. Admin can restore
  • Do nothing

Advanced options are available to customize all messages and notifications to the end-users.

Manual Notification settings

To take actions outside of the policy framework, actions can be taken from the email profile or set through queries. Advanced options are available to customize all manually generated messages and notifications to the end users. These notifications are set in the Cloud Store under your cloud email service.



End-user Experience

Malware End-user workflow

  • 1 - User is alerted and allowed to restore the email

Email to the user is scanned, and when found malicious the subject is replaced with a Quarantined notice and the original subject is provided in brackets. The body of the message is replaced with a customizable message to the user along with a link to release the file if a false positive is suspected. The attachment is also stripped and noted in the replaced body. In this mode, the user is authorized to perform their own release of the attachment. Using the link in the email, end users can release the quarantined attachment. The original email and attachment will be immediately delivered back to the inbox.

  • 2 - User is alerted, allowed to request a restore. Admin must approve

Email to the user is scanned, and when found malicious the subject is replaced with a Quarantined notice and the original subject is provided in brackets. The body of the message is replaced with a customizable message to the user along with a link to release the file if a false positive is suspected. The attachment is also stripped and noted in the replaced body. The malware will be zipped, password-protected, and delivered to the restore request approver.
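As an added illustration (not Avanan's code), the following Python assembles the replacement notice described in workflows 1 and 2 above from a constructed sample message: the Quarantined subject prefix with the original subject in brackets, the templated body carrying the release link, and the stripped attachment noted in the body. The prefix wording, the body template, the X-Quarantined-Message-ID header and the release URL are assumptions.

```python
from email.message import EmailMessage

QUARANTINE_PREFIX = "Quarantined"  # assumed wording of the subject notice

# Assumed customizable body shown to the user; {names} and {link} are filled in.
NOTICE_BODY = (
    "This email was quarantined by the malware policy.\n"
    "Removed attachment(s): {names}\n"
    "If you believe this is a false positive, you can release it here:\n{link}\n"
)


def build_sample_message() -> EmailMessage:
    """Constructed sample: a message carrying one binary attachment."""
    msg = EmailMessage()
    msg["From"] = "sender@example.test"
    msg["To"] = "user@example.test"
    msg["Subject"] = "Invoice for March"
    msg["Message-ID"] = "<constructed-0001@example.test>"
    msg.set_content("Please see the attached invoice.")
    # Placeholder bytes stand in for the flagged file; nothing malicious here.
    msg.add_attachment(b"\x00placeholder\x00", maintype="application",
                       subtype="octet-stream", filename="invoice.exe")
    return msg


def stripped_attachment_names(original: EmailMessage) -> list:
    """Names of the attachments that are removed from the delivered copy."""
    return [p.get_filename() or "(unnamed)" for p in original.iter_attachments()]


def quarantine_notice(original: EmailMessage, release_link: str) -> EmailMessage:
    """Build the replacement message delivered to the user: same sender and
    recipient, prefixed subject with the original in brackets, templated body,
    no attachments. The original is left untouched; it is what gets released."""
    notice = EmailMessage()
    notice["From"] = str(original["From"])
    notice["To"] = str(original["To"])
    notice["Subject"] = f"{QUARANTINE_PREFIX} [{original['Subject']}]"
    # Hypothetical header tying the notice back to the quarantined original.
    notice["X-Quarantined-Message-ID"] = str(original["Message-ID"])
    names = ", ".join(stripped_attachment_names(original)) or "none"
    notice.set_content(NOTICE_BODY.format(names=names, link=release_link))
    return notice


if __name__ == "__main__":
    sample = build_sample_message()
    print(quarantine_notice(sample, "https://portal.example.test/release/0001"))
```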

Quarantine release process

Using the link in the email, end users can request the release of the quarantined attachment if a false positive is suspected. Justification for the request can be provided in the workflow.

If the request is approved by the administrator, the original message will be delivered unaltered to the user.

  • 3 - Email removed. User is not alerted. Admin can restore

In this mode, the email is automatically quarantined with no user notification.

Anti-Phishing End-user workflow

  • 1 - User receives the email with an alert

Email to the user is scanned, and when found to be suspicious the subject is replaced with a Phishing Alert! notice and the original subject is provided in brackets. The body of the message includes a customizable message to the user along with a link to remove the warning if a false positive is suspected by the user.

  • 2 - User does not receive the email. Admin can restore

In this mode, the email is automatically quarantined with no user notification.

  • 3 - Email quarantined. User is alerted, allowed to request a restore. Admin must approve

Email to the user is scanned, and when found malicious the subject is replaced with a Quarantined notice and the original subject is provided in brackets. The body of the message is replaced with a customizable message to the user along with a link to release the email if a false positive is suspected.

Quarantine release process

Using the link in the email, end users can request the release of the quarantined email if a false positive is suspected. Justification for the request can be provided in the workflow.

If the request is approved by the administrator, the original message will be delivered unaltered to the user.

Suspicious Phishing affects

  • 1 - Enabled for all users
  • 2 - Enabled for a subset of Inline users



Quarantine Release Process

Admin release process

The admin will be notified via email at the configured restore request approver email address. Optional alerts and email notifications can also be configured. The email will contain the malware in a zipped, password-protected attachment along with a direct link to the email profile in the Avanan portal. Once in the Avanan portal, a full security review of the malware can be completed and the release request can be fulfilled or declined.


Manual Actions

Manual quarantine process

The manual quarantine process can be used to quarantine emails one at a time via two workflows in the Avanan dashboard. The first is available in the event workflow (SS1) and the second is available in the email profile (SS2). When an email is quarantined, it is removed from the user mailbox and moved to the designated quarantine mailbox, which effectively removes the user's access to the mail. Once quarantined, the mail is managed via the Quarantine workflow for investigation, and if needed it can be released back to the user (SS3). The administrator can release quarantined emails one at a time or in bulk via multi-select.

Note - The default notification to a manual action is set to no notification to the user. Work with your Avanan account representative to change the default behavior.

When implementing notifications to end users, an optional admin-approval release workflow can be delivered to the user. In this configuration, admins are notified of pending requests in the quarantine workflow (SS4).

(SS1)
(SS2)
(SS3)
(SS4)

Bulk manual quarantine process

The manual quarantine process can also be initiated in bulk via multi-select in the event workflow.

Query-based quarantine process

For performing quarantines in bulk, the custom query engine gives you a robust search-and-destroy capability. Once your search criteria are established, manual actions can be executed on the search results (SS1). See the Avanan query building guide for more details on how to build queries.



Audit Trail

System log

All actions are reported to the system log under Configuration.


Part 2 - Threat Detection Policy for Outgoing Emails

Administrators can enable threat detection to prevent malware, phishing, and spam emails from being sent by their organization’s users to external parties.

Note - This feature is supported only for Office 365 Mail.

To enable threat detection for outgoing emails:

  1. Navigate to Policy on the left panel of the Avanan Portal.
  2. Click on an Office 365 Mail Threat Detection policy rule.
    If you do not have an Office 365 Mail Threat Detection policy rule, create a new policy. See Creating Threat Detection policy.
  3. Set the policy mode to Protect (Inline).
  4. Scroll down and expand Advanced Configuration.
  5. Enable the Protect (Inline) Outgoing Traffic check box.
  6. Click Save and Apply.

Supported Workflow Actions

As the protected emails are sent from inside the organization to external parties, threat detection for outgoing emails does not support all the workflows specified for incoming emails.

It does not support these workflows:

  • Delivering the email to the recipient's Junk folder (Email is allowed. Deliver to Junk folder)
  • Delivering the email with a warning banner (User receives the email with a warning)
  • Delivering the email with a prefix added to the subject (Add [Spam] to subject)

All the workflow actions that are not supported for outgoing emails are marked with a warning symbol.

Note - If the policy rule contains any of the unsupported workflows, the email will be delivered to the external recipient unchanged.