Data Loss Prevention (DLP) - Overview

What is Avanan DLP?

Cloud applications make it easier than ever for your employees to access and share data, both internally and externally. This makes cloud services a major source of risk. Complicated sharing permissions make data leakage and compliance difficult to manage.

Avanan enables you to create universal policies across multiple cloud applications to control how files are shared amongst internal and external users. Our advanced tools identify and mark files containing confidential, financial, and personally identifiable information, including credit card numbers, social security numbers, bank routing numbers, and data protected under HIPAA.

Benefits

  1. Scan emails and files for sensitive information with ease, by using a common solution for all platforms.
  2. Stop data leakage by using automated actions.
  3. Generate actionable alerts.
  4. Use an integrated solution for DLP and other types of attacks, such as phishing and malware.

How to configure a DLP Policy

  1. Navigate to the Policy page.
  2. Add a new policy by clicking the + button next to Office 365 Mail.
  3. In the “Choose Security” combo-box, select DLP.
  4. Click Next.
  5. In the “Mode” combo-box, select the protection mode (inline or monitor).
  6. Optional: choose a Scope.
  7. Select the requested DLP rules.
  8. Select the DLP workflow action (advanced section). See the available options under Available workflows.
  9. Click “Save and Apply”.

Example Policy: (screenshot DLP-one)
Configure Regex Policy

Another ability currently available, in addition to the DLP rules, is a regex on the subject text: the DLP mechanism can identify an email as a data leak based on its subject.

For example: every email that has the string “confidential” in its subject will be detected as DLP, and the requested workflow will be applied.

To enable this ability:

  1. When editing or creating a policy, select Use subject regex instead of DLP rules.
  2. Use regex rules to match any string within the subject text.

The regex feature can be used in addition to DLP rules within the same policy.

For example, the following pattern will detect every subject that begins with “confidential”:
Pattern: confidential.*

(screenshot DLP-two)

Note: best practice in these cases is to use simple regex control characters (such as .*) to keep the pattern simple.
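
A small Python model of how a subject regex and a content rule combine in one policy, added here as an example and not Avanan's code: the credit-card check is a constructed stand-in for the product's DLP rules, and the `anchored` flag shows the difference between a pattern that must match at the start of the subject (the “begins with” reading of confidential.*) and one that may match anywhere in it.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed stand-in for one DLP content rule (NOT Avanan's real rule set):
# a 16-digit candidate, optionally separated by spaces or dashes, that passes Luhn.
CARD_CANDIDATE = re.compile(r"\b(?:\d[ -]?){15}\d\b")


def luhn_ok(digits: str) -> bool:
    """Standard Luhn checksum; filters out random 16-digit numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def contains_card_number(body: str) -> bool:
    for m in CARD_CANDIDATE.finditer(body):
        if luhn_ok(re.sub(r"[ -]", "", m.group())):
            return True
    return False


@dataclass
class DlpPolicy:
    subject_regex: Optional[str] = None  # e.g. "confidential.*" as on the page
    use_content_rules: bool = True       # the policy's DLP rules (stand-in above)
    anchored: bool = True                # True: "begins with" (re.match); False: anywhere (re.search)
    ignore_case: bool = True             # "Confidential" should count as "confidential"


def evaluate(policy: DlpPolicy, subject: str, body: str) -> List[str]:
    """Return the reasons an email is a DLP detection; an empty list means clean."""
    reasons = []
    if policy.subject_regex:
        flags = re.IGNORECASE if policy.ignore_case else 0
        matcher = re.match if policy.anchored else re.search
        if matcher(policy.subject_regex, subject, flags):
            reasons.append("subject-regex")
    if policy.use_content_rules and contains_card_number(body):
        reasons.append("credit-card")
    return reasons


if __name__ == "__main__":
    policy = DlpPolicy(subject_regex="confidential.*")
    print(evaluate(policy, "Confidential: Q3 numbers", "see attached"))  # ['subject-regex']
    print(evaluate(policy, "Re: confidential", "see attached"))          # [] (anchored: "Re: " prefix escapes)
```

Whether the real engine anchors the pattern at the start of the subject is not stated on the page; if a reply prefix such as “Re:” must also be caught, an unanchored pattern is the safer configuration.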

Available workflows

  • Email is blocked. User is alerted and allowed to request a restore (admin must approve) (default) - Any detected email will not be delivered to the recipient and will be moved to the quarantine mailbox; the user will receive an alert email about the quarantine action and will be able to request a restore of the original email (sending the original email to the recipient).
  • Email is blocked. User is alerted and allowed to restore the email - Any detected email will not be delivered to the recipient and will be moved to the quarantine mailbox; the user will receive an alert email about the quarantine action and will be able to restore the original email (send the original email to the recipient).
  • Email is allowed. Header is added to the email - Any detected email will be delivered to the recipient with the additional header configured in the policy.
  • Email is allowed. Encrypted by Microsoft - Any detected email will be delivered to the recipient and a header will be added to the email (see the Office 365 Message Encryption section in this document for more details).
  • Do nothing - Any detected email will be delivered to the recipient without any changes.

Office 365 Footprint

Transport rules:

An additional transport rule is created when Inline DLP is enabled.

  • Rule name: Avanan - Protect Outgoing.
  • Verification is similar to Avanan - Protect.
  • Rule: (screenshot DLP-three)
  • Rule description: (screenshot DLP-four)

Connectors

An additional connector will be added: Avanan to O365.

  • Connector: (screenshot DLP-five)

Office 365 Message Encryption

O365 provides the ability to encrypt the outgoing emails using Microsoft Encryption. Encryption can be applied automatically for emails detected as sensitive by the DLP engine.

More information about the O365 encryption mechanism and how recipients open encrypted messages is available here: https://support.office.com/en-us/article/learn-about-encrypted-messages-in-outlook-com-3521aa01-77e3-4cfd-8a13-299eb60b1957

Licensing

Note: Applying encryption to outgoing emails requires certain licenses that include encryption. The license is applied per user, meaning that sensitive emails may be encrypted for some users and not for others, depending on the active licenses. For more information on encryption licensing, consult the Microsoft licensing documentation; you can start here: https://docs.microsoft.com/en-us/microsoft-365/compliance/ome-faq

Enable Message Encryption

  1. Navigate to “Security Engines”.
  2. Enable Microsoft Encryption: (screenshot DLP-six-cropped)
  3. Navigate to the “Policy” page and edit or create a policy.
  4. Choose one of the encryption workflows: (screenshot DLP-seven)
  5. From now on, every outgoing email that matches a DLP rule or the subject regex will be sent with the header:
    • Microsoft Encryption - X-CLOUD-SEC-AV-Encrypt-Microsoft: True
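
To make the workflow outcomes listed under Available workflows and the encryption header above concrete, here is an added Python model that is not Avanan's code: it takes a constructed sample message and the policy decision and returns what the recipient receives and what lands in quarantine. The name `X-DLP-Detected` is a hypothetical stand-in for the header configured in an “Email is allowed. Header is added” policy.

```python
import email
from email.message import EmailMessage
from enum import Enum
from typing import Tuple

ENCRYPT_HEADER = "X-CLOUD-SEC-AV-Encrypt-Microsoft"  # header named on the page


class Workflow(Enum):
    BLOCK_ADMIN_RESTORE = "blocked; user alerted; restore needs admin approval (default)"
    BLOCK_USER_RESTORE = "blocked; user alerted; user may restore"
    ALLOW_ADD_HEADER = "allowed; header added"
    ALLOW_ENCRYPT_MICROSOFT = "allowed; encrypted by Microsoft"
    DO_NOTHING = "do nothing"


def build_sample() -> EmailMessage:
    """Constructed sample outgoing email (not real traffic)."""
    msg = EmailMessage()
    msg["From"] = "alice@example.com"
    msg["To"] = "partner@example.net"
    msg["Subject"] = "confidential: Q3 figures"
    msg.set_content("Card on file: 4111 1111 1111 1111")
    return msg


def apply_workflow(msg: EmailMessage, detected: bool, workflow: Workflow,
                   custom_header: Tuple[str, str] = ("X-DLP-Detected", "true")):
    """Return (message to deliver or None, quarantine record or None).

    custom_header is a hypothetical stand-in for the header configured in the policy.
    """
    if not detected or workflow is Workflow.DO_NOTHING:
        return msg, None                      # delivered unchanged
    if workflow in (Workflow.BLOCK_ADMIN_RESTORE, Workflow.BLOCK_USER_RESTORE):
        record = {
            "quarantined": True,
            "user_alerted": True,             # user gets an alert email about the quarantine
            "restore": "admin-approval" if workflow is Workflow.BLOCK_ADMIN_RESTORE else "self-service",
        }
        return None, record                   # nothing reaches the recipient
    # Allow workflows: never mutate the caller's message; re-parse a copy and stamp it.
    out = email.message_from_string(msg.as_string(), policy=msg.policy)
    if workflow is Workflow.ALLOW_ADD_HEADER:
        out[custom_header[0]] = custom_header[1]
    else:  # ALLOW_ENCRYPT_MICROSOFT: the header asks O365 to encrypt; whether it
        # actually does still depends on the sending user's license (see Licensing).
        out[ENCRYPT_HEADER] = "True"
    return out, None
```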

Forensics

DLP detections are recorded as events for forensic and auditing purposes. The events include what type of sensitive information was potentially leaked (PII, HIPAA, etc.).

The events can be viewed in the “Events” screen.

(screenshot DLP-eight)