Modules - Data Loss Prevention (DLP)

What is Avanan DLP?

Cloud applications make it easier than ever for your employees to access and share data, both internally and externally. This makes cloud services a major source of risk. Complicated sharing permissions make data leakage and compliance difficult to manage.

Avanan enables you to create universal policies across multiple cloud applications to control how files are shared amongst internal and external users. Our advanced tools identify and mark files containing confidential, financial, and personally identifiable information, including: credit card numbers, social security numbers, bank routing numbers, or data protected under HIPAA.

Avanan SmartDLP - DLP Engine

SmartDLP is a DLP engine developed by Avanan. It allows to easily detect sensitive information and generate security alerts in Avanan with a DLP policies.

For more information on SmartDLP read the following article.

Benefits

Scan emails and files for sensitive information with ease, by using a common solution for all platforms.
Stop data leakage by using automated actions.
Generate actionable alerts.
Use an integrated solution for DLP and other types of attacks, such as phishing and malware.

Data Loss Prevention (DLP) Policy

DLP Policy filters outgoing emails to ensure that sensitive data does not reach unauthorized recipients. In addition, it can also filter incoming emails to ensure sensitive data is not stored in your organization's mailboxes and/or that it is shared only through authorized delivery methods.

Note - Changing the policy protection mode from Monitor Only or Detect and Prevent mode to Prevent (Inline) mode takes time to start protecting in Prevent (Inline) mode. It could take up to an hour, depending on the number of protected users in the Avanan account.

For more details about the DLP security engine, see Configuring DLP Security Engine.

DLP Policy for Outgoing Emails

To configure the DLP policy for outgoing emails:

Go to Policy.
Click Add a New Policy Rule.
Select the desired SaaS application under Choose SaaS drop-down.
Select DLP under Choose Security drop-down and click Next.
Select Protect (Inline) or Monitor only mode.
Select the Scope of the policy:
1. Select Outbound Emails.
2. Select the Specific Sending Users and Groups, the policy applies to.
In the DLP Criteria section, do these:
1. Select the required DLP Categories.
2. Select the required Sensitivity Level. See DLP Policy Sensitivity Level.
3. If you need to add a subject regular expression as the matching criteria to the DLP policy, under Advanced, enable the Enable matching based on subject regular expression checkbox and enter the regular expression. See DLP Subject Regular Expression.
In the DLP Workflow section, select the required DLP workflow. See DLP Workflows for outgoing emails.
Note - This option is available only in Protect (Inline) mode.
Select the required Severity.
Select the required DLP Alerts. See DLP alerts for outgoing emails.
Click Save and Apply.
Note - Applying a Prevent (Inline) rule could take up to an hour to take effect, depending on the number of protected users in the Avanan account.

For more details about the DLP security engine, see Data Loss Prevention.

DLP Subject Regular Expression (Regex)

You can add a subject regular expression as the matching criteria to every DLP policy. If an email subject contains a string that matches this regular expression, the policy rule will be matched, regardless of the data types detected in it.

Example: The security team sets the pattern as [SECURE] while configuring the DLP Engine. All the emails sent by the users with the pattern are automatically encrypted, even if no data type is detected in the email. If the DLP Engine detects a violation, and the subject doesn't contain the pattern, it means the user unknowingly sent sensitive information. This helps the security team to act on these cases to educate the users.

Notes:

It is recommended to use simple regex control characters to simplify the pattern (“.*)
By default, this feature is turned off. To enable this feature, open a support ticket or contact Avanan Support.

DLP Workflows for Outgoing Emails

Email is blocked. User is alerted and allowed to request a restore (admin must approve) (default) - Any detected email will not be delivered to the recipient and will be moved to quarantine mailbox; the user will receive an email with alert of the quarantine action, and will be able to request to restore the original email (send the original email to the recipient).
Email is blocked. User is alerted and allowed to restore the email - Any detected email will not be delivered to the recipient and will be moved to quarantine mailbox; the user will receive an email with alert of the quarantine action, and will be able to restore the original email (send the original email to the recipient).
Email is blocked and user can request to resend as encrypted (admin must approve) - Detected
email will not be delivered to the recipient and will be moved to quarantine mailbox. The user will
receive an email with an alert of the quarantine action, and will be able to request to resend the email
as encrypted email.
Email is blocked and user can resend as encrypted - Detected email will not be delivered to the recipient and the user can resend the email as encrypted email. For more details, see Office 365 Encryption Office 365 Encryption.
Email is allowed. Header is added to the email - The detected email is delivered to the recipient with an additional header that can be configured in the policy.
Email is blocked and user can resend as encrypted - Detected email will not be delivered to the
recipient and the user can resend the email as encrypted email. For more details, see Office 365 Encryption.
Do nothing - Any detected email will be delivered to the recipient without any changes.

DLP Alerts for Outgoing Emails

You can configure alerts for outgoing emails detected to contain a DLP violation:

Send notification email to specific recipients when DLP is detected. It is possible to customize email
template using the gear icon next to the action.
Send email alert to the sender when DLP Subject Regex pattern and DLP is detected in the email
subject. For details, see DLP Subject Regular Expression.
Send email alert to the sender when DLP Subject Regex pattern is not detected but DLP is detected in the email subject. For details, see DLP Subject Regular Expression.

Prerequisites to Avoid Failing SPF Checks

For Office 365 Mail, if you enable Protect (Inline) Outgoing Traffic in the DLP or Threat Detection policy, Avanan gets added to the email delivery chain before reaching external recipients (Internal email sender > Microsoft 365 > Avanan > Microsoft 365 > External recipient).

The recipient's email security solution sees the Avanan IP address as part of the delivery chain. If the recipient's email security solution fails to recognize the original IP address, it may consider the Avanan IP address as the IP address from which the email was sent.

If you do not configure the SPF record in your DNS to allow Avanan IP addresses to send emails on behalf of your domain, your emails might fail SPF checks and may be rejected. Avanan recommends you add the Avanan IP addresses to your SPF record before you enable Protect (Inline) Outgoing Traffic for outgoing emails.

Based on the data residency of your Avanan tenant, add the relevant IP addresses and networks to the SPF record:

US
- 3.214.204.181
- 44.211.178.112/28
- 3.101.216.144/28
EU
- 52.17.62.50
- 3.252.108.176/28
- 13.39.103.16/28
Canada
- 52.60.189.48
- 3.101.216.144/28
India
- 43.204.62.184/32
- 243.205.150.248/29
- 318.143.136.80/28

If you need to know the data residency of your Avanan tenant, contact Avanan Support.

Office 365 Footprint

Transport rules:

Additional transport rule is created when enabling Inline DLP.

Rule name: Avanan - Protect Outgoing.
Verify similar to Avanan - Protect.
Rule:
Rule description:

Connectors

Additional connector will be added, Avanan to O365

Connector:

Office 365 Email Encryption for Outgoing Emails

Office 365 provides the ability to encrypt the outgoing emails using Microsoft Encryption. Encryption can be applied automatically for emails detected as sensitive by the DLP engine.

Note - The Office 365 email encryption is applicable only for outgoing emails.

For more information about the Office 365 encryption mechanism, see the Microsoft Documentation.

Licensing

In Monitor only mode, you can use the existing license of Office 365 as the minimum requirement. However if you want to use Microsoft Encryption as an action in policy, you must have license with Office 365 Message Encryption (OME) capabilities. For more details, see Microsoft plans with OME capabilities and Microsoft Documentation.

Encrypting Outgoing Emails

Select the required DLP workflow that has encryption (Email is allowed. Encrypted by Microsoft or Email is blocked and user can resend as encrypted). Based on the workflow defined, the emails are encrypted automatically.

All outgoing emails that has data leak will be sent with a header:

Microsoft Encryption: X-CLOUD-SEC-AV-Encrypt-Microsoft: True

DLP Policy Sensitivity Level

The Sensitivity Level for a DLP policy is the minimum number of times all the Data Types in the selected categories need to match (hit count) for the policy to trigger the DLP workflow.

You can select these Sensitivity Level for every policy rule.

Very High (hit count > 0)
High (hit count > 2)
Medium (hit count > 5)
Low (hit count > 10)
Very Low (hit count > 20)
Custom (and enter the minimum hit count (Hit count higher than) required for the policy)

For example, a DLP policy includes only the PII category and you selected the Sensitivity Level as High.

If all the Data Types in PII were matched only once - the rule does not trigger the selected DLP workflow.
If all the Data Types in PII were matched three times - the rule triggers the selected DLP workflow.

DLP Policy for Incoming Emails

To configure the DLP policy for incoming emails:

Go to Policy.
Click Add a New Policy Rule.
Select the desired SaaS application under Choose SaaS drop-down.
Select DLP under Choose Security drop-down and click Next.
Select Protect (Inline) mode.
Select the Scope of the policy:
1. Select Inbound Emails.
  Note - This option is available only in Protect (Inline) mode.
2. Select the Specific Receiving Users and Groups to which the policy applies.
In the DLP Criteria section, do these:
1. Select the required DLP Categories.
2. Select the required Sensitivity Level. See DLP Policy Sensitivity Level.
Select the required DLP Rules.
Select the required DLP workflow.
Click Save and Apply.
Note - Applying a Prevent (Inline) rule could take up to an hour to take effect, depending on the number of protected users in the Avanan account.

For more details about configuring the DLP engine, see Data Loss Prevention.

DLP Workflows for Incoming Emails

Email is blocked. User is alerted and allowed to request a restore (admin must approve) (default)
- Detected email will not be delivered to the recipient and will be moved to quarantine mailbox. The
user will receive an email with an alert of the quarantine action, and will be able to request to restore
the original email (send the original email to the recipient).
Email is blocked. User is alerted and allowed to restore the email - Any detected email will not be
delivered to the recipient and will be moved to quarantine mailbox; the user will receive an email with
alert of the quarantine action, and will be able to restore the original email (send the original email to
the recipient).
Do nothing - Any detected email will be delivered to the recipient without any changes.
User receives the email with a warning - The email is delivered to the user with a warning banner inserted in the body of the email. To customize the banner (text, background color, etc.), click the gear icon next to the workflow.

DLP Alerts for Incoming Emails

You can configure alerts for incoming emails detected to contain a DLP violation:

Send alert on this violation to specific mailboxes.
Alert the external sender about the violation when the email is quarantined.