EDC302: Data Loss Prevention in Exchange helps to identify, monitor and protect sensitive data through...

Upload: brooke-pierce

Post on 28-Dec-2015


TRANSCRIPT

Page 1: EDC302 Data Loss Prevention in Exchange Helps to identify monitor protect sensitive data through deep content analysis Identify Protect Monitor End user
Page 2:

Jack Kabat
Lead Program Manager
Microsoft

Advanced Data Loss Prevention (DLP) in Exchange

EDC302

Page 3:

Data Loss Prevention in Exchange

Helps to
• identify
• monitor
• protect
sensitive data through deep content analysis

Identify

Protect

Monitor

End user education

Page 4:

Demo

Out of the box DLP policies

Page 5:

Customizing Your DLP Deployments

Identify
• Custom policy templates
• Tuning of built-in types
• Custom sensitive types

Monitor
• Real-time incident reports
• Policy rule reports
• Policy audit mode

Protect
• Flexible policy authoring system
• Rich policy conditions and actions

End user education
• End-user false positive reporting
• Configurable end-user education content

Page 6:

DLP Deployment Phases

Plan
• Start with built-in templates to assist in meeting your business or regulatory requirements
• Customize policy rules, sensitive types and scope
• Target a pilot group of users

Tune
• Set policies to test and notify modes
• Enable incident reports to assess impact of rules
• Tune based on false positive reports and hit rates

Enable
• Switch policies to enforce mode
• Continue to tune based on report data trends

Page 7:

DLP policy templates

Built-in templates based on common regulations

Import DLP policy templates from partners

Build your own

Page 8:

What are DLP policy templates?

XML configuration that defines policy objectives

Built atop Exchange transport rules

Management and deployment through standard Exchange interfaces – Web and PowerShell

[Diagram labels: XML contains Name, Policies, Classification rules; Conditions; Content to monitor; User action; Mail flow actions; Credit cards; EU debit cards]

Page 9:

DLP policy rules

Built on transport rules

Rules applied in sequential order

Set of conditions and resulting actions that describe the policy objective

Take action to enforce policy

Range of actions including: Hold, block, audit & provide notification for email that contains sensitive business data

Conditions

Actions

Exceptions

Page 10:

Demo

Customizing DLP policies

Page 11:

Incident Reports

• Audit data
• Classification
• Rule details
• Match details

Page 12:

Content analysis process

Get Content
Example:
Joseph F. Foster
Visa: 4485 3647 3952 7352
Expires: 2/2015

RegEx Analysis
• 4485 3647 3952 7352: a 16 digit number is detected

Function Analysis
1. 4485 3647 3952 7352 matches checksum
2. 1234 1234 1234 1234 does NOT match

Additional Evidence
1. Keyword Visa is near the number
2. A regular expression for date (2/2015) is near the number

Verdict
1. There is a regular expression that matches a checksum
2. Additional evidence increases confidence
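The stages on this slide, as an added Python sketch that is not Exchange's engine. It assumes the checksum is the Luhn check used for payment card numbers; the keyword list, proximity window and confidence scores are illustrative values, and the sample text is the one from the slide.

```python
import re

# RegEx analysis: 16 digits, optionally grouped in fours.
CARD = re.compile(r"\b\d{4}(?:[ -]?\d{4}){3}\b")
# Additional evidence looked for near the number.
EXPIRY = re.compile(r"\b(?:0?[1-9]|1[0-2])/(?:\d{4}|\d{2})\b")
KEYWORDS = ("visa", "mastercard", "expires")
WINDOW = 60           # proximity in characters (assumed value)
BASE, BONUS = 65, 10  # illustrative confidence scores (assumed values)

SAMPLE = "Joseph F. Foster\nVisa: 4485 3647 3952 7352\nExpires: 2/2015"

def luhn_ok(digits):
    """Function analysis: Luhn checksum over a string of digits."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:  # double every second digit, counting from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0

def analyze(text):
    """Return [(number, confidence, evidence)] for checksum-valid candidates."""
    findings = []
    for m in CARD.finditer(text):
        if not luhn_ok(re.sub(r"\D", "", m.group())):
            continue  # looks like a card number, but the checksum fails
        # Text around the match, excluding the number itself.
        near = (text[max(0, m.start() - WINDOW):m.start()] + " "
                + text[m.end():m.end() + WINDOW]).lower()
        evidence = [k for k in KEYWORDS if k in near]
        if EXPIRY.search(near):
            evidence.append("date")
        confidence = min(100, BASE + BONUS * len(evidence))
        findings.append((m.group(), confidence, evidence))
    return findings

if __name__ == "__main__":
    for finding in analyze(SAMPLE):
        print(finding)
    print(analyze("Ref 1234 1234 1234 1234"))  # pattern hit, checksum miss
```

A checksum-valid number with no surrounding evidence is still reported, only at the base confidence, which is what lets a policy apply different actions at different confidence levels.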

Page 13:

Sensitive content type customizations

Policy level configuration based on counts

Tune existing built-in types to add corroborative evidence and exclusions (keywords, regular expressions)

Add different patterns with different confidence scores for different policy actions

Define custom sensitive types that can leverage internally defined functions (dates, keywords, Credit Cards, Passport Numbers)

[Diagram labels: XML contains Name, Entities, Patterns (confidence score, proximity specification, identifier), Match Conditions (functions / regular expressions, corroborative evidence), Keywords / functions]

Page 14:

Demo

Customizing sensitive content types

Page 15:

Document Fingerprinting – New in SP1

Matching derivative document from a previously configured template

A tax firm needs to detect and encrypt standard tax forms, like the 1040 EZ, W2, etc.

A law firm can fingerprint legal forms, and have them detected automatically for policy application

Integrates with the existing DLP infrastructure as a custom sensitive information type

Surfaced in Exchange, Outlook and OWA

[Figure: template form]
Contoso Pharma Confidential
PATENT TITLE:
INVENTORS
List the names of the inventors
DESCRIPTION
Describe your invention

Matches Filled in Template

[Figure: filled-in form]
Contoso Pharma Confidential
PATENT TITLE: Foo Bar
INVENTORS
List the names of the inventors
Shobhit, Alex
DESCRIPTION
Describe your invention
Foo Bar helps in curing diseases.

Page 16:

Document Fingerprinting - Configuration

Get Template Content
Fabrikam Patent Form Tracking Number Author Date Invention Title Names of all authors...

Create Fingerprint
1. Condensed representation of the hashed template content
2. Stored as a custom sensitive information type

Classification rule with fingerprint

Reference in Policy Rule
1. Add fingerprint to policy rules together with other conditions
2. Map to desired actions

Fingerprint generation from template documents

Fingerprint stored as custom sensitive type

Configured in policy rules as any other custom sensitive type

Page 17:

Document Fingerprinting - Runtime

Get Email Content
Fabrikam Patent Form Tracking Number 12345 Author Alex Date 1/28/2014 Invention Title Fabrikam Green Energy...

Create Fingerprint
1. Temporary in-memory representation
2. Used for comparison with source fingerprint created at config time

Verdict
1. Compare the two fingerprints
2. Evaluate a ‘containment coefficient’ to declare a match

[Diagram labels: policy rules reference previously generated fingerprints; fingerprint generation; evaluation + verdict]

Fingerprint generated at run-time for target attachment

Fingerprint evaluated against configured fingerprints for template documents

Match declared based on ‘containment coefficient’

Page 18:

b-Bit Minwise Hashing

INPUT TEXT
This is a test. I love DLP and Fingerprinting.

STEP 1
Break into Shingles of length 2
This is | Is a | a test | test I | I Love | Love DLP | DLP and | And Fingerprinting

STEP 2
Convert to a 64 bit value (hash it!)
Hash 1 (universal hash function)
64 bit hash value of the shingle (e.g., This is 1010101010101110100111000111)

STEP 3
Map the 64 bit value randomly to 1024 other 64 bit values
Hash 2 (hash function with random dispersion)

STEP 4
Reduce each 64 bit value to a 16 bit value (LSB Mask)
Apply a 16 bit mask
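The four steps above together with the containment check from the runtime slide, as an added Python sketch that is not Microsoft's implementation. Salted BLAKE2b standing in for the two hash functions, storing the shingle count next to the signature, and the conversion from a Jaccard estimate to a containment estimate are all assumptions; the texts are constructed from the Contoso Pharma form on the earlier slide.

```python
import hashlib
import re

K = 1024       # step 3: number of random mappings per shingle
MASK = 0xFFFF  # step 4: keep the 16 least significant bits

def shingles(text, n=2):
    """Step 1: lower-cased word shingles of length n."""
    words = re.findall(r"[a-z0-9]+", text.lower())
    return {" ".join(words[i:i + n]) for i in range(len(words) - n + 1)}

def hash64(data, slot=0):
    """64-bit hash; each slot selects a differently salted function
    (assumption: salted BLAKE2b replaces the slide's hash functions)."""
    salt = slot.to_bytes(2, "big")
    return hashlib.blake2b(data, digest_size=8, salt=salt).digest()

def fingerprint(text):
    """Return (shingle count, K minimum hashes each reduced to 16 bits)."""
    base = [hash64(s.encode()) for s in shingles(text)]  # step 2
    if not base:
        raise ValueError("need at least two words to fingerprint")
    mins = [min(hash64(b, slot) for b in base) for slot in range(1, K + 1)]
    return len(base), [int.from_bytes(m, "big") & MASK for m in mins]

def containment(template_fp, target_fp):
    """Estimate the share of template shingles that occur in the target."""
    n_t, sig_t = template_fp
    n_x, sig_x = target_fp
    j = sum(a == b for a, b in zip(sig_t, sig_x)) / K  # Jaccard estimate
    shared = j * (n_t + n_x) / (1 + j)                 # estimated overlap size
    return min(1.0, shared / n_t)

# Constructed from the Contoso Pharma form shown on the slides.
TEMPLATE = ("Contoso Pharma Confidential PATENT TITLE: INVENTORS List the "
            "names of the inventors DESCRIPTION Describe your invention")
FILLED = ("Contoso Pharma Confidential PATENT TITLE: Foo Bar INVENTORS List "
          "the names of the inventors Shobhit, Alex DESCRIPTION Describe your "
          "invention Foo Bar helps in curing diseases.")
UNRELATED = "Lunch menu for Friday: soup, salad and sandwiches in the cafeteria"

if __name__ == "__main__":
    tpl = fingerprint(TEMPLATE)
    print(round(containment(tpl, fingerprint(FILLED)), 2))
    print(round(containment(tpl, fingerprint(UNRELATED)), 2))
```

Containment is measured against the template rather than the union of both documents, so text the sender adds around the form dilutes the Jaccard similarity without hiding the template; the exact value for the filled form here is 13 of 15 template shingles.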

Page 19:

Demo

Document Fingerprinting

Page 20:

Empower users to manage their compliance

Contextual policy education

Doesn’t disrupt user workflow

Can work even when disconnected

Admin customizable text and actions

Outlook OWA

User education

Page 21:

Customizing End User Policy Tips

Customize Policy Tip messages
Messages for notification, block and override can be customized.

Customize link for user education
Specify an internal URL with company policies around handling sensitive content.

Custom classification rule names are displayed here.

Page 22:

Demo

Customizing end user Policy Tips

Page 23:

DLP extensibility points

Custom DLP content:
• Supplemental DLP policy templates
• Supplemental DLP classification rules

Incident reports integration with custom workflows

Custom agents for additional conditions and actions

Custom reporting solutions
E.g. MessageStats Business Insights from Dell

Page 24:

NEW in SP1 – EXCHANGE and OUTLOOK 2013

Exchange DLP Feature Set

Deep content analysis engine

46 OOB sensitive information types

40 OOB DLP Templates

Support for 3rd party defined DLP policy templates

Policy Tips in OWA and Mobile OWA

Advanced Document Fingerprinting in Exchange, Outlook, and OWA

5 new OOB sensitive information types

Policy Tips in Outlook 2013

Contextual user education and empowerment

Incident management Rich reporting

EXCHANGE and OUTLOOK 2013

Page 25:

Resources

DLP in Exchange 2013 SP1 http://blogs.technet.com/b/exchange/archive/2014/02/25/data-loss-prevention-in-exchange-just-got-better.aspx

DLP policy templates http://technet.microsoft.com/en-us/library/jj657730

Managing DLP policies http://technet.microsoft.com/en-us/library/jj673559

OOB DLP policy templates http://technet.microsoft.com/en-us/library/jj150530

Policy tips in Exchange 2013 http://technet.microsoft.com/en-us/library/jj150512

Supported file types http://technet.microsoft.com/en-us/library/jj674307

MessageStats Quick Guide http://mbidemo.quest.com/Insights/#page/home

Page 26:

Related Sessions

Session | Title | Timing | Room
SPR.202 | Encryption in Exchange | Tue 10:45 AM - 12:00 PM | Ballroom E
SPR.201 | Eliminate the Regulatory Compliance Nightmare | Tue 9:00 AM-10:15 AM | MR 19ab
SPR.UN.305 | Exchange Online Protection: Notes from the field | Wed 10:15 AM – 11:30 AM | Ballroom G
SPR.UN.304 | Experts Unplugged: EOP & Encryption | Wed 8:30-9:45 AM; Wed 1:00-2:15 PM | MR 18d; MR 17b
USX.206 | What's New in Outlook Web App | 9:00 AM - 10:15 AM | Ballroom G
SPR.401 | Extending Data Loss Prevention For Your Business | Wed 4:45 PM- 6:00 PM | MR 18bc
SPR.203 | Protect your Organization with Exchange Online Protection (EOP) | Mon 4:30 PM - 5:45 PM | MR 18bc
SPR.301 | So how does Microsoft handle my spam? | Tue 4:45 PM – 6:00 PM | MR 19ab
SPR.401 | Using Connectors & Mail Routing | Wed 2:45 PM - 4:00 PM | MR 18bc
ARC.304 | Exchange Server 2013 Transport Architecture | Tues 9:00 AM - 10:15 AM | Ballroom F
EDC.302 | Advanced Data Loss Prevention in Exchange | Tues 1:30 PM-2:45 PM | Ballroom F
EDC.UN.301 | Experts Unplugged: Data Loss Prevention | Tue 3:00 PM-4:15 PM; Wed 10:15 AM-11:30 AM | MR 18d; MR 13ab
EDC.204 | Data Loss Prevention in Exchange, Outlook, OWA | Mon 2:45 PM-4:00 PM | MR 18bc
MNG.304 | Reporting On O365 Mail flow and Mailbox Data | Wed 1:00 PM-2:15 PM | MR 17a

Page 27:
Page 28:

© 2014 Microsoft Corporation. All rights reserved. Microsoft, Windows and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries. The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.