Titus and Cisco IronPort Integration Guide Improving Outbound and Inbound Security. Titus White Paper

Transcription

1 Titus and Cisco IronPort Integration Guide Improving Outbound and Inbound Security Titus White Paper

2 Information in this document is subject to change without notice. Complying with all applicable copyright laws is the responsibility of the user. No part of this document may be reproduced or transmitted in any form or by any means, electronic or mechanical, for any purpose, without the express written consent of Titus Titus may have patent applications, trademarks, copyrights or other intellectual property rights covering subject matter in this document. Copyright Titus Image of Cisco IronPort Security Appliance courtesy of Cisco Systems, Inc. Unauthorized use not permitted. IronPort, the IronPort logo and SenderBase are registered trademarks of Cisco Systems, Inc. or its affiliates. Microsoft Windows, Windows 2000, Windows XP, Windows Server 2003, Microsoft Windows Rights Management Services, and Microsoft SharePoint are either registered trademarks or trademarks of Microsoft Corporation in the U.S.A. and/or other countries. At Titus we work to help businesses better manage and secure valuable corporate information. Our focus is on building policy management solutions that make it easier for IT administrators to protect and manage corporate correspondence including and documents. For further information, contact us at (613) or us at Titus and Cisco IronPort Integration Guide 2

3 Table of Contents 1.0 Abstract What is Classification Business Drivers Combining Desktop Classification with Gateway Controls Step By Step Demonstration Configuration Additional Deployment Scenarios Outbound Sensitive , Automatically Quarantined for Approval Inbound Sensitive , Automatically Tagged at Gateway Outbound Uncategorized , Automatically Tagged at the Gateway Summary Titus and Cisco IronPort Integration Guide 3

4 1.0 Abstract Information classification is an important foundation for a comprehensive information security management plan. When information is properly classified it enables organizations and the people within them to more effectively enforce security controls at the same time it simplifies information sharing through various communication channels, most notably through . While has become an indispensable tool of modern communications its use has also been at the center of numerous security and privacy breaches in government and commercial organizations. In response regulatory frameworks and organizational best practices for security controls have evolved considerably over the past five years, as have the tools that enable them. This paper will focus on security controls enabled through the use of and document classification with a particular focus on technical integration of the Titus Message Classification product and IronPort Security Appliance. The use of these two products together enables more comprehensive security controls while providing the flexibility to ensure productivity is not unduly impacted. To illustrate how these products can be used together several usage scenarios relevant to security controls are described and configuration guidance is provided to enable them. Titus and Cisco IronPort Integration Guide 4

5 2.0 What is Classification? Classification is a technique for adding labels or protective markings and metadata to and documents. If applied judiciously, it offers an effective strategy for managing and controlling and document content. Often referred to as Classifications or Labels or Tags, this information can take many different forms and vary in complexity between businesses, often dependent on the regulatory requirements being imposed upon the industry. In their simplest form they are labels or visual markings found in prominent locations in s and documents to inform the reader to the sensitivity with which the asset should be considered. The most common locations in s are: Subject (prefix, postfix, abbreviated); Body (prefix, postfix, custom fonts, supports HTML); and Metadata within the MAPI property or SMTP message header (x-header). Figure 1 - Locations for Classification Information The most common locations in documents are: Within the document header & footer sections; As a watermark across the document; and Metadata within the custom properties of the document. Titus and Cisco IronPort Integration Guide 5

6 Figure 2 - Locations for Document Classification Information Titus and Cisco IronPort Integration Guide 6

7 3.0 Business Drivers Government agencies and the military have historically faced higher expectations than other organizations in the handling of information. Governments hold sensitive information in the public trust and are ultimately answerable to the public. As such they place stringent safeguards on the handling and safeguarding of that information in the traditional paper world and have been early adopters of classification concepts in the digital world as well. Classifying s by applying labels and metadata presents an obvious opportunity for governments efforts to manage and control electronic communications. Through the use of security procedures and server-based content scanning which complement user-based classification, governments can ensure that private or confidential information is protected from unintended or illegal disclosure, while ensuring citizens timely and cost effective access to public records and personal information under fair disclosure legislation. Some governments, such as the United State (US), United Kingdom (UK), and Australian governments, have specifically required various forms of classification for their departments. In the US the White House has issued a Memorandum called Designation and Sharing of Controlled Unclassified Information (CUI) that requires Federal Agencies and Departments to take action to designate and safeguard information in a consistent way to allow more secure and more efficient collaboration throughout government. In the United Kingdom, the Government Protective Marking Scheme (GPMS) requires that broad classes of government-generated information, including , be marked with an appropriate security marking and handled appropriately. The UK Government Connect Secure Extranet (GCSx) is a programme to provide secure communications between various departments and levels of government within England and Wales. Departments and Local Authorities are required to demonstrate compliance with the GCSx Code of Connection (CoCo) requirements, which include labeling with protective markings. The Australian government has taken a more pointed approach to government . Amendments to the Australian Defense Signals Directorate s Communications Technology Security Manual require that all originating in federal agencies carry markings in compliance with its Electronic Mail Protective Marking Policy. These markups establish a maximum-security classification and accompanying caveats for the message. On a global level there is a growing recognition that organizations outside of government must also implement appropriate information security policies and systems. As an example, ISO is a published standard for an Information Security Management System (ISMS) that is intended to bring information security under explicit management control. The use of classification and labeling on and documents helps organizations become ISO certified by enabling controls for the handling and management of information. Titus has a number of white papers available that go into greater depth regarding specific business drivers and relevant regulations. Titus and Cisco IronPort Integration Guide 7

8 4.0 Combining Desktop Classification with Gateway Controls The use of Titus Message Classification (TMC) and Titus Document Classification (TDC) on the desktop is an excellent method of building security awareness. These tools ensure that users creating content consider security implications before sharing the information. The visible labels applied to s and documents serve to inform recipients of the sensitivity of the information and help them make appropriate handling decisions. In a similar way, the classification metadata applied to s and documents can be used by automated systems to implement information handling controls. An excellent example of a system that can provide such controls in combination with the TMC/TDC desktop tools is the Cisco IronPort Security Appliance series of products. The combined deployment of these two products enables more effective controls than either used alone. The following table describes some of the capabilities enabled through this combination. Capability Description User Based Classification / Marking The Titus Message Classification and Document Classification solutions allow the end user to classify & mark s and documents while they are being created. Automated Marking of Attachments The use of Titus Document Classification on the desktop enables classification and marking of documents which can then be appropriately detected and controlled as message attachments by IronPort filters. Immediate User Feedback on Policy Violation Titus Message Classification can analyze and provide immediate feedback to the user about sensitive content and policy violations before the is sent. This reduces the number of inappropriate or compromising s processed and streamlines the remediation process by suggesting corrective action that can be taken while the content is still open. Policy Enforcement on Internal Communications By including Titus Message Classification in desktop deployments the solution can also enforce policy controls on internal communications which do not pass through the outbound gateway. Titus and Cisco IronPort Integration Guide 8

9 Visual Marking of Inbound Messages In many cases inbound content is sensitive or privacy protected and should be handled appropriately, but it may not arrive with appropriate markings or labels. To address these scenarios, IronPort message filters can automatically classify inbound s which can then be detected and visually labeled by Message Classification. Layered approach Deploying policy controls at the desktop (Titus) and outbound gateway (IronPort) in combination increases the flexibility of policies to allow business to continue as smoothly as possible while reducing the likelihood of data leakage much more than using either approach exclusively. Control labelling on replies Using TMC as part of the solution enables greater control over content classification, for example ensuring replies to a message retain the equivalent or higher classification. Encryption Options Using TMC with IronPort adds TLS and secure web envelopes (Cisco RES) to the supported methods for automated secure delivery of sensitive information. Advanced Message Routing The IronPort appliance can quarantine or intelligently route through different networks based on classification applied by Message Classification at the desktop, and on recipient domain or address. Recipient Validation The combined solution can enforce controls on external delivery based on user classification and recipient address or domain. Titus and Cisco IronPort Integration Guide 9

10 5.0 Step By Step Demonstration Configuration This document will refer to a simple demonstration configuration to illustrate how Titus Message Classification, Titus Document Classification, and the IronPort Security Appliance can interact in a typical environment. The following instructions and screen captures show the process of configuring and deploying a basic content filter on the IronPort appliance to detect and take action based on the presence of Titus message headers (x-titus-classifications-30) in outbound messages. For the purposes of the example the user has selected a classification of Confidential and the action taken is to automatically encrypt the prior to delivery. The steps listed below assume a working installation of the IronPort appliance appropriately configured in your environment with inbound and outbound mail flows. IronPort AsyncOS v7.0.1 was installed on the appliance used. The instructions also assume that the Titus Message Classification is installed and a number of classification labels are defined, including a Confidential label (see Figure 3). Titus Message Classification/Document Classification v was installed on the desktop and used with Microsoft Outlook Figure 3 - Add a CONFIDENTIAL Classification Titus and Cisco IronPort Integration Guide 10

11 Figure 3 shows the CONFIDENTIAL Classification Control Definition (left side) that has been dragged and dropped onto the Outlook Definitions Control Structure (right side) to enable the classification and marking used throughout the following example. Step 1 Create An Outgoing Content Filter Figure 4 - Select Outgoing Content Filters under the Mail Policies menu Click on the Mail Policies menu and then on Outgoing Content Filters as shown in Figure 4. Figure 5 - Click on 'Add Filter...' To create the new filter click on Add Filter as shown in Figure 5. Titus and Cisco IronPort Integration Guide 11

12 Figure 6 - Name and describe the new filter. Click on "Add Condition..." Name the new filter and provide a short description of its purpose. Once done, click on Add Condition as shown in Figure 6. Step 2 Define the Content Filter Conditions Figure 7 Define A Condition For the Filter From the Add Condition dialog that appears select the Other Header tab and enter the Header Name as "x-titus-classifications-30". Then select Header value and the operator Contains before typing in the search term CONFIDENTIAL as shown in Figure 7. Titus and Cisco IronPort Integration Guide 12

13 Step 3 Create the Corresponding Action Figure 8 Adding an Action To the Filter Review the Conditions settings in the filter overview page that follows, and then click on Add Action as shown in Figure 8. Figure 9 Adding an Encrypt on Deliver Action To the Filter Titus and Cisco IronPort Integration Guide 13

14 For this example the chosen action to take when a message matches the defined conditions is to deliver the message using IronPort encryption services. As shown in Figure 9, IronPort also provides a wide range of other actions Such as Quarantine and Strip Attachment. Figure 10 - IronPort Encryption Configuration Setting up an encryption profile using Cisco s hosted Registered Envelope Service(RES) is outside of the scope of this document, but is relatively straightforward. The configuration process is started using the Add Encryption Profile button on the IronPort Encryption page found under the Security Services menu item. Titus and Cisco IronPort Integration Guide 14

15 Figure 11 Final Filter Settings Review the finalized filter settings as shown in Figure 11, click Submit, and then Commit Changes. Step 4 Apply the Outbound content filter to the Outbound Mail Policies Figure 12 - Select Outgoing Mail Policies from under the Mail Policies menu Now that the filter is defined the next step is to add it to an outgoing policy. To begin, select Outgoing Mail Policies from under the Mail Policies menu as shown in Figure Titus and Cisco IronPort Integration Guide 15

16 Figure 13 - Click on the 'Disabled' link under 'Content Filters' in the Default Policy row item. For this exercise the content filter will be added to the pre-defined Default Policy. Content Filters are initially disabled on this policy, so click on the Disabled link to begin changing settings as shown in Figure 13. Figure 14 - Select 'Enable Content Filters (Customize settings)' from the drop down menu. Click on the drop down menu as shown in Figure 14 and select Enable Content Filters (Customize settings). Once that selection is made the Titus-CONFIDENTIAL filter created earlier will be visible. Titus and Cisco IronPort Integration Guide 16

17 Figure 15 Enabled the Titus-CONFIDENTIAL filter Click 'Enable' beside the filter as shown in Figure 15, click Submit, and then Commit Changes. Figure 16 - The new policy and filter are now enabled. Figure 16 shows the filter enabled as part of the Default Policy. At this point any sent outside the organization labeled as confidential will be encrypted prior to delivery. Titus and Cisco IronPort Integration Guide 17

18 Figure 17 - Confidential Being Forwarded Outside Organization Figure 17 shows a sample classified as confidential and addressed to a recipient outside of the internal domain. Figure 18 Confidential Automatically Encrypted For Delivery Figure 18 shows the encrypted as it arrives in the external recipient s mailbox when using Cisco RES encryption. Titus and Cisco IronPort Integration Guide 18

19 6.0 Additional Deployment Scenarios Once the basics of integration between the Titus classification solutions and IronPort are understood it is possible to construct any number of control and remediation scenarios. These capabilities can be grouped as preventive, detective, or corrective controls. Automatic encryption of an based on classification metadata was shown in the previous section. This can be thought of as a preventive control, since information leakage was prevented by automated encryption of the sensitive information. A few additional example scenarios are described here. 6.1 Outbound Sensitive , Automatically Quarantined for Approval This scenario is very similar to the one described in the previous section, 5.0 Step By Step Demonstration Configuration. Instead of automatically encrypting the confidential it will be quarantined for administrator review. Figure 19 - Edit Titus-CONFIDENTIAL Filter To Use Quarantine Figure 19 Shows Quarantine selected instead of Encrypt on Delivery while editing the Titus- CONFIDENTIAL filter defined in Step By Step Demonstration Configuration. The IronPort default Titus and Cisco IronPort Integration Guide 19

20 installation includes several pre-defined quarantines to hold until they can be reviewed. Here the Policy quarantine is used. Figure 20 - Titus-CONFIDENTIAL Filter Changed to Use Quarantine Action Figure 20 shows the modified filter now using a Quarantine action. With this modified filter found to have the CONFIDENTIAL classification within the TMC x-header will be held by the IronPort appliance until an administrator can review it or until a specified amount of time passes. Figure 21 - View of IronPort Quarantine Titus and Cisco IronPort Integration Guide 20

21 Figure 22 - Viewing Quarantined Message Details and Available Actions The preceding scenario is a preventative control, since the was not delivered to the intended recipient. An example of a detective control would be to use the duplicate message option in the Quarantine action (see Figure 23) and to allow the original message to be delivered. The quarantined copy could be used in subsequent investigations if required. Figure 23 - Duplicate Message Option in Quarantine Action Titus and Cisco IronPort Integration Guide 21

22 6.2 Inbound Sensitive , Automatically Tagged at Gateway A number of use cases can be described where it is useful to be able to tag inbound appropriately to ensure proper handling and controls as internal users process and share the information. One example is inbound resumes. Whether they are sent to an HR inbox, or directly to employees of the company the documents are considered privacy protected documents under many countries regulations. Adding appropriate header information to the message right at the gateway seamlessly enables the visual privacy protection cues and controls made possible with the TMC desktop client. Figure 24 - Simple Filter to Detect Incoming Resumes Figure 24 above shows a basic filter to detect attached resume files in incoming . The filter was created using variations of the steps described above in the Step By Step Demonstration Configuration section. Condition 1 uses a regular expression to search the message body and attachment content for variations of the words resume or CV (the simple RegEx used here is [Rr]esume CV, without quotes). Condition 2 requires that a file attachment is present. Note that both of these conditions must be true for the defined action to be taken. To do this select Only if all conditions match from the drop-down provided beside Apply rule:. Titus and Cisco IronPort Integration Guide 22

23 The action taken is to add header information. Here the standard TMC x-header (x-tituslabsclassifications-30) is added with a value of Classification=CONFIDENTIAL;Sensitivity=HR; to indicate that the information is confidential and HR related. Figure 25 - TMC Detects the X-Header Added By IronPort Figure 26 - Titus X-Header As Applied by IronPort Figure 25 shows that the original internal recipient of the can see that the is classified as Confidential with HR sensitivity and Figure 26 shows the x-header information that was added by the IronPort filter. Titus and Cisco IronPort Integration Guide 23

24 Figure 27 - Labels Are Applied on Forward or Reply Figure 27 shows that appropriate labels are applied when the is shared with other users. 6.3 Outbound Uncategorized , Automatically Tagged at the Gateway Where organizational security policy, or the policy of a partner network requires that all be classified and labeled, appropriate controls should be put in place at the outbound gateway to verify and enforce this. The use of TMC on user desktops for classification and labeling provides a high degree of coverage but some internal systems generating automated s may not apply appropriate labels. As an example of what is possible with IronPort filtering the following scenario explores how to detect and act on outbound unclassified during a transition period. A copy of all without appropriate classification headers is sent to a defined address, but the original is allowed to proceed. In this way it is possible to identify any sources of unclassified without impeding the flow of business. In addition to the web-based interface shown previously the IronPort AsyncOS provides a powerful Command Line Interface (CLI). This example will configure and apply a message filter to detect and act on unclassified messages using the CLI. An SSH client is required to connect and login to the IronPort appliance, and the SSH service must be enabled on at least one IP Interface. Titus and Cisco IronPort Integration Guide 24

25 The sample filter acts on that does not include the Titus x-header. Actions taken are: insert an x-header with a value of UNCLASSIFIED, insert UNCLASSIFIED at the beginning of the subject line, and send a copy of the message to the Policy quarantine. The following is a transcript of an SSH session to add and enable the filter through the CLI. Typed commands and content is in bold. Last login: Mon Aug 30 11:56: from Copyright (c) , IronPort Systems, Inc. AsyncOS 7.0 for IronPort C160 build 102 Welcome to the IronPort C160 Messaging Gateway(tm) Appliance ironport.tlmcdc.com> ironport.tlmcdc.com> filters Choose the operation you want to perform: - NEW - Create a new filter. - IMPORT - Import a filter script from a file. []> new Enter filter script. Enter '.' on its own line to end. No_Classification_Headers: if(not header("x-tituslabs-classifications-30")) { insert-header("x-tituslabs-classifications-30","unclassified"); edit-header-text ("Subject","^\\s*","[UNCLASSIFIED] "); duplicate-quarantine("policy"); }. 1 filters added. Choose the operation you want to perform: - NEW - Create a new filter. - DELETE - Remove a filter. - IMPORT - Import a filter script from a file. - EXPORT - Export filters to a file - MOVE - Move a filter to a different position. - SET - Set a filter attribute. - LIST - List the filters. - DETAIL - Get detailed information on the filters. - LOGCONFIG - Configure log subscriptions used by filters. - ROLLOVERNOW - Roll over a filter log file. Titus and Cisco IronPort Integration Guide 25

26 []> ironport.tlmcdc.com> commit Please enter some comments describing your changes: []> Added No Classification Header filter Changes committed: Mon Aug 30 12:44: EDT ironport.tlmcdc.com> Figure 28 - Unclassified In Quarantine Figure 28 shows an that has triggered the message filter and has been copied to the Policy quarantine. Note that the subject line and header modifications defined in the filter were done prior to sending the message copy to the quarantine. Titus and Cisco IronPort Integration Guide 26

27 7.0 Summary The scenarios discussed in this paper covered a few simple use cases to illustrate how Titus Message Classification and Cisco s IronPort Security Appliance can be used together to enable better security controls on outbound and inbound . Information security management is not one size fits all. Whether you are complying with government regulations and directives or protecting sensitive commercial information, Titus Message Classification and Cisco s IronPort Security are a powerful combination, providing the tools and flexibility you need to implement suitable controls in your environment. To learn how Titus can help your organization promote better security, please visit Titus 343 Preston Street, Suite 800, Ottawa, ON, Canada. Call us: (613) ext.127 Toll Free or us: info@titus.com Titus and Cisco IronPort Integration Guide 27