Exchange 2013 Data Loss Prevention (Part 1)
Data Loss Prevention [DLP] is a system designed to detect a potential data breach/leakage incident in a timely manner and prevent it. In such an incident, sensitive data such as personal/company information, credit card details, social security numbers, etc., is disclosed to unauthorized users either with malicious intent or by mistake. This has always been an important matter for most companies, as the loss of sensitive data can be very damaging for a business. For many years now, there have been both software and hardware solutions that monitor data while:
in-use: end-user actions such as copying data to USB or printing it for example;
in-motion: network communications like e-mail, web traffic, Instant Messaging, etc.;
at-rest: data stored in file shares or on users’ drives.
Up until now, Exchange Administrators had to rely on 3rd party solutions to achieve this, but some solutions would cause more harm than good and user productivity would suffer. With Exchange 2013, Microsoft now makes it possible to enforce compliance requirements for such data and control how it is used in e-mail. DLP is the new feature that allows administrators to manage sensitive data in Exchange!
How DLP Works
DLP works through DLP Policies, packages that contain a set of conditions made up of rules, actions and exceptions. These packages are based on Transport Rules and can be created in the Exchange Administration Center [EAC] or through the Exchange Management Shell [EMS]. Once created and activated, they will start analyzing and filtering e-mails. A nice feature is that you can create a DLP Policy without activating it, allowing you to test its behavior without affecting mail flow.
DLP Policies are nothing more than special Transport Rules. Because the transport rules with Exchange 2010 didn’t provide the means to properly analyze e-mail content, new types of transport rules were created in Exchange 2013 to make DLP possible. These allow information inside e-mails to be checked and classified as sensitive (or non-sensitive) based on keywords, dictionaries or even regular expressions, thus determining if an e-mail violates any organizational DLP Policies.
Another nice feature of DLP is called Policy Tips. These tips, similar to the MailTips introduced in Exchange 2010, inform senders that they might be violating a DLP Policy before they actually send the message! As we will see in the second part of this article, these Policy Tips only work on Outlook 2013 for now but it is just a matter of time until they appear in Outlook Web App as well.
Creating DLP Policies based on Templates
To start with Data Loss Prevention, we have to create a DLP Policy. To do so, we can import one from a file (for example provided by a 3rd party company), use Microsoft-provided templates or build a policy from scratch.
The following is a list of the existing templates which already contain rules configured to meet specific legal and regulatory requirements:
GLBA: helps to detect information subject to the compliance requirements defined in the Gramm-Leach-Bliley Act, which includes non-public personal information;
PCI-DSS: helps to detect information commonly considered subject to the compliance requirements defined in the Payment Card Industry Data Security Standard such as credit card and debit card details;
Financial Data – France: helps to detect data commonly considered to be financial information in France such as credit card, account information and debit card details;
Financial Data – Japan: same as above but for Japan;
Financial Data - U.K.: same as above but for the U.K.;
Financial Data - U.S.: same as above but for the U.S.;
PII Data – France: helps to detect information commonly considered to be Personally Identifiable Information in France, such as driver's license or passport numbers;
PII Data – Germany: same as above but for Germany;
PII Data – Japan: same as above but for Japan;
PII Data – U.K.: same as above but for the U.K.;
PII (U.S.): similar to above but for the U.S. and looking for social security numbers and driver license numbers.
Permissions: in order to work with DLP, the account used has to be a member of the Organization Management or the Compliance Management role groups!
Before we create a new DLP Policy it is important to know the different operation modes these policies have:
Enforce Policy: the policy is enabled and all actions specified in the policy will be carried out;
Test Policy with Notifications: the policy is enabled but the actions will not be executed, only logged in the message tracking logs. Policy Tips are displayed to users;
Test Policy without Notifications: same as above but no Policy Tips are displayed to users.
By using the EAC we can customize any of these templates or use them as they are. Because DLP Policies support all the usual transport rules, we can add additional rules after a DLP Policy has been created such as adding disclaimer to messages for example. So let’s start by creating a template-based DLP Policy:
In the EAC, navigate to Compliance Management -> Data Loss Prevention and then click + (you can also click the arrow next to the + icon and select New DLP policy from template from the drop down menu):
Figure 1.1: New DLP Policy from Template
On the create a new DLP policy from a template page, complete the following fields:
Name: choose a name for the new policy. As you can see from the screenshot below, I used spaces for the name. However, although Exchange allows you to do this, you will not be able to add any rules to it if you do… Only use the following valid characters: A-Z, a-z, 0-9. In this example, I had to change the name afterwards;
Description: add an optional description that summarizes the policy;
Choose a template: select the appropriate template to begin creating the new policy. In this example I will use the Financial Data – U.S. template. As you can see from the description on the right hand side, it doesn’t really match what we selected... This is because Microsoft is still working on the user interface;
Incident Management Mailbox: in here we can specify an e-mail address (at this stage only internal mailboxes can be used) that will receive an incident report when the policy flags an e-mail message that matches its criteria;
More options: by clicking More options we can select the mode for the policy – in this case we will be just auditing the policy without actually blocking any e-mails:
Figure 1.2: Creating a new DLP Policy from Template
Click Save to finish creating the policy.
Now that the policy is created, let’s edit it so we can check what rules it has and see if we need to change them or even add new ones.
Back on the main Data Loss Prevention screen, select the policy we just created and click on the pencil icon to edit it (alternatively you can simply double click on the policy name):
Figure 1.3: DLP Policies
We are now presented with two panes. The General pane shows us basic information about the policy, including its state:
Figure 1.4: DLP Policy Properties - General
The Rules pane is the one that we are interested in as it lists all the rules in the policy and their configuration. From the screenshot below, we can see part of the Financial Data (U.S.): Monitor Data Sent To Outside high count rule configuration, in this case what triggers it:
Figure 1.5: DLP Policy Properties - Rules
For this particular policy template there are 4 rules:
Allow Override: if the e-mail subject contains the word “override”, Exchange will simply override the policy;
Monitor Data Sent To Outside low count: if an e-mail is sent to an external recipient and the policy detects between 1 and 9 positive matches of taxpayer numbers, credit card numbers, bank account numbers or SWIFT codes, then the audit severity is set to medium, the sender is notified that the e-mail violates a DLP policy (but the e-mail is allowed to go through) and an incident report is sent to the mailbox specified;
Monitor Data Sent To Outside high count: similar to the one above, but because in this case there are more positive matches (more than 9), Exchange sets the audit severity to high and notifies the sender that the message cannot be delivered, while still allowing the sender to override the policy. An explanation saying “Unable to deliver your message. You can override this policy by adding the word ‘override’ to the subject line.” is displayed. Finally, an incident report is sent to the mailbox specified;
Monitor Data Sent Within: if an e-mail containing this type of information is sent from an internal user to another internal user, Exchange sets the audit severity to low and does nothing else.
Let’s add a new rule to automatically override the policy if the e-mail comes from the CEO. To add new rules to a policy we can either click on the arrow next to the + icon and select any of the pre-existing rules:
Figure 1.6: Pre-existing Rules
Or we can click on the + icon to create a new empty rule which is the same as selecting Create a new empty rule from the menu above:
Figure 1.7: New Rule
Note the text saying that this policy is in test mode and that it doesn’t actually affect mail flow. This is because we set the policy state to Test Policy with Notifications previously. For the name of the rule I will set it to Override CEO. In *If… we have several options. As we will see below, by clicking More options… you will have access to more options, which also allows you to add multiple conditions and actions instead of simply one of each.
In this case we want to select The sender is... and then select CEO:
Figure 1.8: New Rule IF Conditions
In the Do the following… drop-down menu, we have some basic actions we can perform:
Figure 1.9: New Rule DO Conditions - Basic
However, in this case we need to click More options... so we can get access to more options (also note the add condition option that allows us to add multiple conditions now):
Figure 1.10: New Rule DO Conditions - Expanded
To override a policy, we need to modify the message header. So we select Modify the message properties... and then Set a message header, and you will be presented with the following next to the Do the following… drop-down menu:
Figure 1.11: Setting Message Header
In the first *Enter text… field type X-Ms-Exchange-Organization-Dlp-SenderOverrideJustification as this is the header we want to set and on the second field enter TransportRule override as the value for the header. We will see an example of this header in the second part of this article.
We now have our Override CEO rule ready:
Figure 1.12: Override CEO Rule
Configure any other fields if required and when finished click save to add the rule to the policy. You will then see the new rule added to the policy:
Figure 1.13: DLP Policy Rules
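The same template-based policy and the Override CEO rule can also be built from the Exchange Management Shell. The following is an added example, not code from the original article; it assumes an incident mailbox named DLPIncidents, a CEO mailbox at the placeholder address ceo@contoso.com, and that the U.S. financial data template is looked up by name rather than hard-coded (the display name may differ from the one the EAC shows).

```powershell
# Added example: template-based DLP policy plus the Override CEO rule, built with EMS.
# Assumptions: mailbox "DLPIncidents" exists, ceo@contoso.com is a placeholder sender,
# and the template is located with Get-DlpPolicyTemplate instead of a fixed name.

# 1. Locate the U.S. financial data template.
$template = Get-DlpPolicyTemplate |
    Where-Object { $_.Name -like '*Financial*' -and $_.Name -like '*U.S.*' } |
    Select-Object -First 1

# 2. Create the policy in "Test Policy with Notifications" mode.
#    EAC mode  -> -Mode value:  Enforce Policy -> Enforce,
#    Test with Notifications -> AuditAndNotify, Test without Notifications -> Audit.
#    The policy name uses only A-Z, a-z and 0-9 so rules can be added to it later.
New-DlpPolicy -Name 'FinancialDataUS' `
    -Description 'Audit U.S. financial data sent outside the organization' `
    -Template $template.Name `
    -Mode AuditAndNotify

# 3. Override CEO: if the sender is the CEO, set the override justification header.
#    Priority 0 places it before the template's monitoring rules.
New-TransportRule -Name 'OverrideCEO' -DlpPolicy 'FinancialDataUS' -Priority 0 `
    -From 'ceo@contoso.com' `
    -SetHeaderName 'X-Ms-Exchange-Organization-Dlp-SenderOverrideJustification' `
    -SetHeaderValue 'TransportRule override'

# 4. A "low count" monitoring rule written by hand, mirroring the template's logic:
#    1-9 credit card numbers sent externally -> medium audit severity, notify the
#    sender (message still delivered) and send an incident report. The exception on
#    the override header is what lets the CEO rule above bypass it.
#    (Only "Credit Card Number" is used here; list other classification names with
#    Get-DataClassification before adding them.)
New-TransportRule -Name 'MonitorCreditCardsLowCount' -DlpPolicy 'FinancialDataUS' `
    -SentToScope NotInOrganization `
    -MessageContainsDataClassifications @(@{Name = 'Credit Card Number'; MinCount = '1'; MaxCount = '9'}) `
    -ExceptIfHeaderContainsMessageHeader 'X-Ms-Exchange-Organization-Dlp-SenderOverrideJustification' `
    -ExceptIfHeaderContainsWords 'TransportRule override' `
    -SetAuditSeverity Medium `
    -NotifySender NotifyOnly `
    -GenerateIncidentReport 'DLPIncidents'

# 5. Review every rule now attached to the policy, in evaluation order.
Get-TransportRule -DlpPolicy 'FinancialDataUS' |
    Sort-Object Priority |
    Format-Table Name, Priority, Mode, State -AutoSize
```

Because the policy was created with -Mode AuditAndNotify, the rules are evaluated and logged but no message is blocked until the mode is changed to Enforce.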
In this first part of the article, we started with a presentation of the new Data Loss Prevention feature of Exchange 2013 Preview and finished by creating a new DLP Policy based on one of the many templates provided by Microsoft. In the second part of this article, we will create a policy from scratch using both the Exchange Administration Center and the Exchange Management Shell.
In the third and last part of the article, we will explore Policy Tips, test these policies and look at all the information that DLP logs.