System glitches Malicious intent Oops! 39% 24% 37% 97% avoidable! Online Trust Alliance: 2013 Data Protection and Breach Readiness Guide
Data Loss Prevention in Exchange: helps to identify, monitor, and protect sensitive data through deep content analysis. Identify; Protect; Monitor; End user education
Available in Exchange Online: A3/A4, G3/G4, E3/E4. Available in Exchange Server 2013: requires an Exchange Enterprise Client Access License (CAL) with services (us/exchange/microsoft-exchange- server-licensing-licensing-overview- FX aspx). Note: Can be used with Exchange 2010 with limited functionality
DLP system walkthrough. Stages: Policy distribution; Contextual policy education; DLP policy configuration; Backend policy evaluation; Audit & incident data generation. Actors: Admin; Information workers
DLP Policy Enforcement: flexible tools for policy enforcement that provide the right level of control. Transport Rules; Rights Management; Data Loss Prevention. ALERT, CLASSIFY, ENCRYPT, APPEND, OVERRIDE, REVIEW, REDIRECT, BLOCK
XML configuration that defines policy objectives. Built atop Exchange transport rules. Management and deployment: Exchange standard interfaces – Web and PowerShell. Content to monitor; User action; Mail flow actions. Contains: Credit cards, EU debit cards
Transport rule conditions; DLP specific action – Policy Tip; Exceptions; DLP specific condition; Transport rule actions
Columns: Country; PII; Financial; Health
US: PII: US State Security Breach Laws, US State Social Security Laws, COPPA. Financial: GLBA & PCI-DSS (Credit, Debit Card, Checking and Savings, ABA, Swift Code)
Germany: PII: EU data protection, Drivers License, Passport, National Id. Financial: EU Credit, Debit Card, IBAN, VAT, BIC, Swift Code
UK: PII: Data Protection Act, UK National Insurance, Tax Id, UK Driver License, Passport. Financial: EU Credit, Debit Card, IBAN, BIC, VAT, Swift Code
Canada: PII: PIPED Act, Social Insurance, Drivers License. Financial: Credit Card, Swift Code
France: PII: EU data protection, Data Protection Act, National Id (INSEE), Drivers License, Passport. Financial: EU Credit, Debit Card, IBAN, BIC, VAT, Swift Code
Japan: PII: PIPA, Resident Registration, Social Insurance, Passport, Driving License. Financial: Credit Card, Bank Account, Swift Code
Australia: PII: Drivers License, Passport, Social Insurance. Financial: Credit Card, Bank Account, Swift Code
Health: Limited Investment: US HIPAA, UK Health Service, Canada Health Insurance card. Rely on Partners and ISVs
Integrated into Exchange Transport Rule (ETR) engine. Runs in categorizer during OnResolvedMessage. Integrated as a new ETR Predicate. Performs text extraction for body & attachments followed by classification. Can be combined with any existing Predicates & Actions. Text extraction; Transport rule agent; Classification
Content analysis process. Examples
Get Content: Joseph F. Foster Visa: Expires: 2/2012
RegEx Analysis: a 16 digit number is detected
Function Analysis: matches checksum; does NOT match
Additional Evidence: 1. Keyword Visa is near the number 2. A regular expression for date (2/2012) is near the number
Verdict: 1. There is a regular expression that matches a check sum 2. Additional evidence increases confidence
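The content analysis stages on the slide above (pattern match, checksum function, nearby evidence, verdict), as an added Python example that is not Microsoft's classification engine. The keyword list, the 100-character window, the confidence numbers and the sample text are assumptions made for illustration; the card number is a well-known test value, not taken from the slide.

```python
import re

CARD_RE = re.compile(r"\b(?:\d[ -]?){15}\d\b")                  # 16 digits
DATE_RE = re.compile(r"\b(?:0?[1-9]|1[0-2])/(?:\d{4}|\d{2})\b")  # e.g. 2/2012
KEYWORDS = ("visa", "mastercard", "credit card", "expires")      # assumed list
WINDOW = 100   # characters searched on each side of the number (assumed)

def luhn_ok(digits):
    """Function analysis: Luhn checksum over a string of digits."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:              # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0

def analyze(text):
    """Return one finding per 16-digit candidate with the evidence seen."""
    findings = []
    for m in CARD_RE.finditer(text):
        finding = {"match": m.group(), "checksum": False, "keyword": False,
                   "date": False, "confidence": 0}
        findings.append(finding)
        if not luhn_ok(re.sub(r"\D", "", m.group())):
            continue                # pattern matched, checksum did not
        # Look for corroborating evidence near the number, not inside it.
        near = (text[max(0, m.start() - WINDOW):m.start()] + " " +
                text[m.end():m.end() + WINDOW]).lower()
        finding["checksum"] = True
        finding["keyword"] = any(
            re.search(rf"\b{re.escape(k)}\b", near) for k in KEYWORDS)
        finding["date"] = bool(DATE_RE.search(near))
        # Illustrative scoring: checksum alone is weak, evidence raises it.
        finding["confidence"] = 65 + 10 * finding["keyword"] + 10 * finding["date"]
    return findings

# Constructed sample: the slide's example text with a test card number,
# plus a 16-digit reference that fails the checksum.
SAMPLE = ("Joseph F. Foster Visa: 4111 1111 1111 1111 Expires: 2/2012\n"
          "Invoice ref 1234 1234 1234 1234 dispatched.")

if __name__ == "__main__":
    for f in analyze(SAMPLE):
        print(f)
```

The second candidate shows why the checksum stage matters: it passes the 16-digit pattern but is dropped before any evidence is weighed, which keeps order and invoice numbers from triggering the rule.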
CONFIGURATION; CLASSIFICATION RULE with FINGERPRINT
Get Template Content: Fabrikam Patent Form: Tracking Number, Author, Date, Invention Title, Names of all authors...
Create Fingerprint: 1. Condensed representation of the hashed template content 2. Stored as a custom sensitive information type
Reference in Policy Rule: 1. Add fingerprint to policy rules together with other conditions 2. Map to desired actions
RUNTIME; POLICY RULES REFERENCES TO PREVIOUSLY GENERATED FINGERPRINTS; FINGERPRINT GENERATION; Evaluation + verdict
Get Content: Fabrikam Patent Form: Tracking Number; Author: Alex; Date: 1/28/2014; Invention Title: Fabrikam Green Energy...
Create Fingerprint: 1. Temporary in memory representation 2. Used for comparison with source fingerprint created at config time
Verdict: 1. Compare the two fingerprints 2. Evaluate a 'containment coefficient' to declare a match
CONFIGURATION
Get Template Content: Fabrikam Patent Form: Tracking Number, Author, Date, Invention Title, Names of all authors...
Create Fingerprint: 1. Condensed representation of the template content 2. Document is not stored 3. Stored as a sensitive information type
RUNTIME
Get Content: Fabrikam Patent Form: Tracking Number; Author: Alex; Date: 1/28/2014; Invention Title: Fabrikam Green Energy...
Create Fingerprint: 1. Temporary in memory representation 2. Used for comparison with source fingerprint created at config time
Verdict: 1. Compare the two fingerprints 2. Evaluate a 'containment coefficient' to declare template contained in content
CLASSIFICATION RULE with FINGERPRINT GENERATION; Evaluation + verdict
b-Bit Minwise Hashing
INPUT TEXT: This is a test. I love DLP and Fingerprinting.
STEP 1 Break into Shingles of length 2: This is; Is a; a test; test I; I Love; Love DLP; DLP and; And Fingerprinting
STEP 2 Convert to a 64 bit value (hash it!): 64 bit hash value of the shingle (e.g., This is)
STEP 3 Map the 64 bit value randomly to 1024 other 64 bit values
STEP 4 Reduce each 64 bit value to a 16 bit value (LSB Mask): Apply a 16 bit mask
Hash 1 (universal hash function); Hash 2 (hash function with random dispersion)
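The four hashing steps above, together with the configuration-time and runtime fingerprint comparison from the preceding fingerprinting slides, as an added Python example that is not Microsoft's implementation. BLAKE2b as the 64-bit hash, the linear hash family and its seed, the way the containment coefficient is derived from the signature match rate and shingle counts, and the 0.5 threshold are all assumptions; the sample texts are constructed from the slide's Fabrikam form.

```python
import hashlib
import random
import re

K = 1024             # STEP 3: number of random maps per fingerprint
MASK16 = 0xFFFF      # STEP 4: keep the 16 least significant bits
P = (1 << 61) - 1    # prime modulus of the universal hash family (assumed)
_rng = random.Random(2014)   # fixed seed so both sides use the same K maps
MAPS = [(_rng.randrange(1, P), _rng.randrange(P)) for _ in range(K)]

def shingles(text, n=2):
    """STEP 1: overlapping word shingles of length n, case-folded."""
    words = re.findall(r"\w+", text.lower())
    return {" ".join(words[i:i + n]) for i in range(len(words) - n + 1)}

def hash64(shingle):
    """STEP 2: 64-bit hash of one shingle."""
    digest = hashlib.blake2b(shingle.encode("utf-8"), digest_size=8).digest()
    return int.from_bytes(digest, "big")

def fingerprint(text):
    """Return (K 16-bit minima, shingle count); the text itself is not kept."""
    base = [hash64(s) for s in shingles(text)]
    if not base:
        raise ValueError("need at least two words to form a shingle")
    sig = [min((a * h + b) % P for h in base) & MASK16 for a, b in MAPS]
    return sig, len(base)

def containment(template_fp, content_fp):
    """Estimate the share of template shingles that also occur in the content."""
    (sig_t, n_t), (sig_c, n_c) = template_fp, content_fp
    jaccard = sum(x == y for x, y in zip(sig_t, sig_c)) / K
    shared = jaccard * (n_t + n_c) / (1 + jaccard)   # |T ∩ C| from J, |T|, |C|
    return min(1.0, shared / n_t)

def is_match(template_fp, content_fp, threshold=0.5):   # threshold is assumed
    return containment(template_fp, content_fp) >= threshold

# Constructed sample data modelled on the slide's Fabrikam form.
TEMPLATE = ("Fabrikam Patent Form Tracking Number Author Date "
            "Invention Title Names of all authors")
FILLED = ("Fabrikam Patent Form Tracking Number Author Alex Date 1/28/2014 "
          "Invention Title Fabrikam Green Energy Names of all authors Alex and Kim")
UNRELATED = "Quarterly sales figures for the northwest region are attached for review"

if __name__ == "__main__":
    config_fp = fingerprint(TEMPLATE)   # created once at configuration time
    for body in (FILLED, UNRELATED):
        print(round(containment(config_fp, fingerprint(body)), 2))
```

Containment rather than plain similarity is the useful measure here: a filled-in form adds many shingles the template lacks, so its Jaccard similarity to the template is low even though most of the template is still present in it.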
Empower users to manage their compliance. Contextual policy education. Doesn’t disrupt user workflow. Can work even when disconnected. Admin customizable text and actions. Outlook; OWA. User education
Deep content analysis engine; 46 OOB sensitive information types; 40 OOB DLP Templates; Support for 3rd party defined DLP policy templates; Policy Tips in OWA and Mobile OWA; Advanced Document Fingerprinting in Exchange, Outlook, and OWA; 5 new OOB sensitive information types; Policy Tips in Outlook 2013; Contextual user education and empowerment; Incident management; Rich reporting
Classification integration with SharePoint through FAST index demoed at SPC keynote [Feb]
Q&A
Appendix
Audit data Classification Rule details
Comprehensive view of DLP policy performance. Downloadable Excel workbook. Drill into specific departures from policy to gain business insights
Customizing Your DLP Deployments. Identify; Protect; Monitor; End user education. Custom policy templates; Tuning of built-in types; Custom sensitive types; Real-time incident reports; Policy rule reports; Policy audit mode; Flexible policy authoring system; Rich policy conditions and actions; End-user false positive reporting; Configurable end-user education content
Plan: Start with built-in templates to assist meeting your business or regulatory requirements. Customize policy rules, sensitive types and scope. Target a pilot group of users.
Tune: Set policies to test and notify modes. Enable incident reports to assess impact of rules. Tune based on false positive reports and hit rates.
Enable: Switch policies to enforce mode. Continue to tune based on report data trends.
Customize Policy Tip messages: Messages for notification, block and override can be customized. Customize link for user education: Specify an internal URL with company policies around handling sensitive content. Custom classification rule names are displayed here.
Custom DLP content: Supplemental DLP policy templates; Supplemental DLP classification rules. Incident reports integration with custom workflows. Custom agents for additional conditions and actions. Custom reporting solutions, e.g. MessageStats Business Insights from Dell
Exchange 2013 DLP introduction; DLP policy templates; Managing DLP policies; OOB DLP policy templates; Policy tips in Exchange; Supported file types; MessageStats Quick Guide
© 2014 Microsoft Corporation. All rights reserved.