IC L05: Email Security.cloud
Configuring DLP on your email flow and applying security to your Office 365 or Google Apps email deployment
Hands-On Lab

Description
This session is for existing customers and those interested in learning how to apply compliance-driven DLP policies to your email flow using the new templates and controls that will be launched in Email Security.cloud. We will also look at how to apply enhanced email security to Office 365 and Google Apps email deployments, and review some of the latest features available in our cloud email security service.

At the end of this lab, you should be able to:
- Create Email Data Loss Prevention.cloud policies that enforce acceptable use policies and prevent compliance breaches.
- Understand the different actions that can be triggered when a DLP policy matches a particular email.
- Test some pre-built DLP policies to understand better how the service can prevent data loss.
- Understand how outbound email from the hosted email providers Microsoft Office 365 and Google Apps can now be scanned by the Email Security.cloud service.

Notes
A brief presentation will introduce this lab session and discuss key concepts. The lab will be directed and will provide you with step-by-step walkthroughs of key features. Feel free to follow the lab using the instructions on the following pages. Be sure to ask your instructor any questions you may have. Thank you for coming to our lab session.
Lab 1: Creating some Email Data Loss Prevention.cloud policies

In this lab exercise you will start by sending some emails to test some pre-built DLP policies, and then examine how outbound email from hosted email deployments can be scanned by Symantec.cloud. You will then create some DLP policies that enforce acceptable use policies and prevent compliance breaches. Your instructor will provide you with login credentials for the Symantec.cloud Management Console and Google Apps accounts for a particular cloudtrainX.com domain (X is the number of your allocated domain throughout this lab).

Exercise 1: Sending some emails to test Email DLP.cloud

In this first exercise you are going to send some emails from your personal webmail account that should be matched against some pre-built DLP policies. At the end of Lab 2 you will examine whether the emails were matched.

1. Log in to the Client virtual machine as msmith with a password of Symc4now!
2. Open Internet Explorer and create an email using your personal webmail account, adding diana.palmer@cloudtrainX.com (where X is the number of your allocated domain) to the To: field. Give the email the subject: This email contains a spoofed file, and add some appropriate text to the body of the email.
3. Attach the file ThisFileisSpoofed.txt, which you will find in the folder C:\LabFiles.
4. Send the email.
5. Create another email using your personal webmail account to diana.palmer@cloudtrainX.com. Give the email the subject: This email contains a video file, and add some appropriate text to the body of the email.
6. This time attach the file video.mp4, which you will find in the folder C:\LabFiles.
7. Send the email.
8. Create another email using your personal webmail account to diana.palmer@cloudtrainX.com. Give the email the subject: This email contains reference to a confidential document.
9. Add some appropriate text to the body of the email and include the following document ID: DOC_16324_210912
10. Send the email.
11. Create another email using your personal webmail account to diana.palmer@cloudtrainX.com. Give the email the subject: This email contains reference to another document.
12. Add some appropriate text to the body of the email and include the following document ID: DOC_22435_121495
13. Send the email.
Exercise 2: Examining the settings for scanning outbound emails from Google Apps and Office 365

1. In Internet Explorer click the Symantec.cloud Management Console button on the Favorites bar, or type the URL https://clients.messagelabs.com into the address bar.
2. Log in to the Symantec.cloud Management Portal using the account given to you by your instructor; the password is Symc4now!
3. Click the Services tab, then click Email Services, and finally click Outbound Routes.
4. Expand the Hosted Email Services section.
5. Open the Select hosted email service drop-down field. Note that you can choose either Google Apps or Office 365.
6. Selecting the hosted email service provider in the Symantec.cloud Management Console is only half of the configuration: you also need to configure the hosted email provider, in its own management console, to route outbound email via Symantec.cloud. Until that outbound route exists on the provider side, outbound mail from Google Apps or Office 365 never reaches the scanning service, and none of the outbound DLP policies created in this lab will apply to it.
7. Leave the Internet Explorer window open for the next exercise.

Exercise 3: Creating a DLP policy that blocks emails that contain offensive language

1. In the Symantec.cloud Management Console window click the Services tab, then click Data Loss Prevention. On the Email Policies page click the Settings button and examine the default settings that can be applied to all Email DLP.cloud policies.
2. In the Default sender email address field type donotreply@cloudtrainX.com (where X is the number of your assigned cloudtrainX.com domain), then scroll down and click Save.
3. Before creating the first policy you are going to create a list group containing all the pre-built lists of English offensive words. Click the Lists tab and then click New List Group.
4. In the Name field type English Offensive Words, and in the Description field type Combination of all lists of English offensive language.
5. Change the Content type drop-down field to Keywords, make sure that the Include tab is selected, then select the seven lists whose names begin with EN and click Save.
6. Click the Email policies tab, then click New Policy.
7. In the Name field type Block emails containing offensive language.
8. In the Description field type This policy will prevent users from sending or receiving emails that contain offensive words.
9. Leave the Apply to: field as Both inbound and outbound email.
10. Leave the Execute if field as All rules are met.
11. From the Action drop-down list choose Block and delete (take a moment to review all the actions that are available). Note that Exit is checked and grayed out, because Block and delete is by definition always an exit action: once an email is deleted, no later policy can act on it.
12. Click Add notification, uncheck Notify sender, then click Add.
13. Click Add rule and leave Execute if as All conditions are met.
14. In the Add a condition drop-down field choose Content Keyword list, then click Browse for a keyword list. Select the list group called English Offensive Words and click Add.
15. Change the Email contains field to AT LEAST and ensure that the number is 1 (the default). In the Look in section check Body, Subject and File attachments, so that a single offensive word anywhere in the message, including inside an attachment, is enough to trigger the policy.
16. Click Save to save the policy.
17. In the Active column click Off to enable the policy (the column then shows On). Leave the Management Portal open.

Exercise 4: Creating a DLP policy from a policy template

In this lab exercise you will create a policy using the PCI (Payment Card Industry) Template and then configure it to copy matching emails to an administrator address.

1. Click the Email policies tab, then click New Policy from Template.
2. In the Create a new policy from a template dialog box select PCI (Payment Card Industry) Template and then click Create. Notice that a policy is created with a standard name and is added to the bottom of the policy list.
3. Open the newly created policy and examine all the settings within the policy. Notice that the policy contains two different rules. Examine the lists used within the policy to determine what will trigger it.
4. Change the Name field to Copy emails containing credit card details to administrator.
5. Change the Apply to field to Outbound email only.
6. Change the Action to Copy to Administrator. Unlike Block and delete, this action is not an exit action: the email is still delivered, and a copy goes to the administrator address.
7. Uncheck Use Custom.
8. Click Save to save the policy.
9. In the Active column click Off to enable the policy. Leave the Management Portal open.

Exercise 5: Creating a DLP policy that uses a custom regular expression list

In this exercise you are going to create a simple custom regular expression list that matches confidential project document IDs of the format ABC_nnnnn (where ABC represents any 3 capital letters and nnnnn is any 5-digit number) being sent to external recipients.

1. Before using any regular expression within the Email Data Loss Prevention.cloud service it is always good practice to test the regular expression with an offline or online tool, using both valid and invalid inputs. Policy changes take time to propagate (see Lab 2), so a mistake in the expression is much cheaper to find here than in production mail flow.
2. In Internet Explorer open another tab and browse to the web site http://www.regexplanet.com/advanced/java/index.html
3. In the Regular expression field type ([A-Z]{3})_([0-9]{5}), then in the Input 1 field type a potential document ID using the format outlined in the introduction to the exercise, and click Test.
4. Try several different tests using valid and invalid entries (for example a lower-case prefix, a 4-digit or 6-digit number, or an ID with extra letters in front of it). Note: if you cannot get a match from a correctly formatted document ID, check the regular expression very carefully. Do not proceed until you can get a match. Leave the web browser window open.
5. Return to the tab where the Symantec.cloud Management Portal is running and, if necessary, log in using the credentials given to you at the start of the lab.
6. Click the Services tab, click Data Loss Prevention, then click the Lists tab.
7. Click New List. In the Create a New List dialog box type Confidential project document IDs in the Name field, and in the Description field type Regular expression to match confidential project documents.
8. Change the Category drop-down field to Confidential and change the Content type drop-down field to Regular expressions.
9. In the Add list items field copy the regular expression from the RegexPlanet web browser window and add \b at the beginning and the end of the expression. It should look like this: \b([A-Z]{3})_([0-9]{5})\b. The \b word boundaries stop the expression from matching inside longer strings such as XDOC_12345 or DOC_123456. Keep the character class as [A-Z]: the format requires three capital letters, and a lower-case [a-z] class would not match a correctly formatted ID unless the service happens to ignore case. Click Add, then click Save to create the new list.
10. Click the Email policies tab, then click New Policy.
11. In the Name field type Redirect confidential emails.
12. In the Description field type This policy will redirect confidential emails to an administrator account.
13. Change the Apply to: field to Outbound email only.
14. Leave the Execute if field as All rules are met.
15. From the Action drop-down list choose Redirect to administrator. Note that the default redirection email address is already populated from the Email settings dialog box.
16. Click Add notification, uncheck Notify recipient(s), then click Add.
17. Click Add rule and leave Execute if as All conditions are met.
18. In the Add a condition drop-down field choose Content Regular Expression List, then click Browse for a regular expression list. Find and select the list Confidential project document IDs and click Add.
19. Leave the first field as Email contains a match for ALL of the regexes in the selected list (the list contains only one expression, so ALL and ANY behave the same here). In the Look in section check Body, Subject and File attachments, then click Save.
20. In the Active column click Off to enable the policy.
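To check the regular expression offline before pasting it into the list, here is an added example (it is not part of the lab guide or of the Symantec.cloud service, and it does not call the service) written in Python, whose re module supports the same \b, [A-Z]{3} and [0-9]{5} constructs as the Java tester at RegexPlanet. It shows what the \b anchors add, what the lower-case typo in the character class would miss, and, going beyond Exercise 5, the ABC_nnnnn_DDMMYY format that Lab 2 describes for the pre-built Redirect confidential project documents policy. The date validation in that last check is an assumption made to illustrate a stricter rule, not a statement about how the pre-built policy is implemented, and the sample messages are constructed for this example.

```python
"""Offline check of the DLP regular expressions used in this lab.

Added example for this lab guide; it is not part of the Email Data Loss
Prevention.cloud service and does not call it.  Assumption: the hosted
scanner matches case-sensitively, as the lab's format (three capital
letters) implies, so the patterns below spell the case out explicitly.
"""
import re
from datetime import datetime

# Pattern entered in Exercise 5, step 9, with \b on both ends so that
# strings such as XDOC_12345 or DOC_123456 are not treated as document IDs.
PROJECT_ID_RE = re.compile(r"\b([A-Z]{3})_([0-9]{5})\b")

# The same pattern without word boundaries, kept only to show why \b matters.
UNANCHORED_RE = re.compile(r"([A-Z]{3})_([0-9]{5})")

# Lower-case variant (the typo to avoid): it misses every correctly
# formatted ID unless the scanner happens to ignore case.
LOWERCASE_RE = re.compile(r"\b([a-z]{3})_([0-9]{5})\b")

# Shape described in Lab 2 for the pre-built policy: ABC_nnnnn_DDMMYY.
# The regex only checks the shape; the date is validated separately below
# (an assumed stricter check, not the pre-built policy's own logic).
DATED_ID_RE = re.compile(r"\b([A-Z]{3})_([0-9]{5})_([0-9]{6})\b")


def find_project_ids(text, pattern=PROJECT_ID_RE):
    """Return every document ID in ``text`` matched by ``pattern``."""
    return [m.group(0) for m in pattern.finditer(text)]


def find_dated_ids(text, validate_date=True):
    """Return ABC_nnnnn_DDMMYY IDs; with validate_date, drop impossible dates."""
    found = []
    for m in DATED_ID_RE.finditer(text):
        if validate_date:
            try:
                datetime.strptime(m.group(3), "%d%m%y")  # DDMMYY, UK order
            except ValueError:
                continue  # e.g. month 14 is not a date
        found.append(m.group(0))
    return found


# Constructed sample messages (not real lab traffic).
SAMPLES = {
    "valid": "Please review DOC_12345 before Friday.",
    "lowercase": "see doc_12345 for details",
    "too_long": "ref DOC_123456 (six digits) and XDOC_12345 (prefix too long)",
    "punctuated": "IDs: ABC_00001, XYZ_99999.",
    "dated": "Attached DOC_16324_210912 and DOC_22435_121495 for review",
}


if __name__ == "__main__":
    for name, text in SAMPLES.items():
        print(f"{name:10} anchored={find_project_ids(text)} "
              f"unanchored={find_project_ids(text, UNANCHORED_RE)} "
              f"lowercase={find_project_ids(text, LOWERCASE_RE)}")
    print("dated (validated):", find_dated_ids(SAMPLES["dated"]))
    print("dated (shape only):", find_dated_ids(SAMPLES["dated"], validate_date=False))
```

Two results are worth noticing before the policy goes live. First, the unanchored pattern reports DOC_12345 twice for the too_long sample, once from inside DOC_123456 and once from inside XDOC_12345, while the anchored pattern reports nothing, which is the behaviour the \b anchors were added for. Second, because the underscore counts as a word character, \b does not match between DOC_16324 and the _210912 that follows it, so the IDs sent in Lab 1 Exercise 1 are not matched by the Exercise 5 list at all; they need the longer dated pattern.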
Lab 2: Testing some Email Data Loss Prevention.cloud policies

It typically takes at least 30 minutes for policy changes to propagate from the Symantec.cloud Management Portal to the thousands of scanning servers around the world, so the policies you created in Lab 1 cannot be tested immediately. Instead you are going to test the Email Data Loss Prevention.cloud service using some pre-built policies. You have already sent some emails, so you are now going to examine the pre-built policies and check that they matched those emails.

Exercise 1: Examining the pre-built DLP policies

In this lab exercise you will examine some pre-built DLP policies.

1. Open Internet Explorer and type in the URL for the Symantec.cloud Management Portal, which is https://clients.messagelabs.com. Log in to the portal using the credentials provided to you by your instructor.
2. Click the Services tab, then click Data Loss Prevention.
3. On the Email Policies page click the policy called Block emails containing attachments that break security policy.
4. Examine the policy settings carefully. What does the policy do?
5. Click the policy called Redirect confidential project documents.
6. Once again, examine the policy settings carefully. This policy uses a regular expression that matches document IDs of the format ABC_nnnnn_DDMMYY (where ABC is any three capital letters, nnnnn is any 5-digit number and DDMMYY is the date in UK format). Note that this is a longer format than the ABC_nnnnn IDs matched by the list you created in Lab 1, Exercise 5.

Exercise 2: Testing the pre-built DLP policies

In this exercise you are going to see whether the emails you sent at the beginning of the lab were matched by the pre-built DLP policies. You are going to use a tool called Track and Trace, which shows whether an email was matched by a particular policy and what action was taken.

1. Open a tab in Internet Explorer and click the Gmail button on the Favorites bar, or type in the URL http://mail.google.com, and log in as diana.palmer@cloudtrainX.com (where X is the number of your allocated domain) with a password of Symc4now!
2. You sent four emails to Diana Palmer. How many have arrived?
3. Log off from Diana Palmer's Gmail account and log in as admin@cloudtrainX.com (where X is the number of your allocated domain) with a password of Symc4now! Have any emails been delivered to the administrator account? If so, why?
4. In Internet Explorer click the Symantec.cloud Management Console button on the Favorites bar, or type the URL https://clients.messagelabs.com into the address bar.
5. Log in to the Symantec.cloud portal using the account given to you by your instructor; the password is Symc4now!
6. Click the Tools tab, then click Email Track and Trace.
7. In the Recipient field type diana.palmer@cloudtrainX.com (where X is the number of your allocated cloudtrain domain), then click Search.
8. You should have four results, one for each of the emails you sent at the beginning of the lab. Click each result and examine the details. In the Security Scan section you should see the email security service that was triggered, the action taken and the reason; for Email Data Loss Prevention.cloud the reason is the policy name. Email Track and Trace still shows the service as Content Control, which was the old name for the service before the upgrade to Email Data Loss Prevention.cloud. For each result, compare what Track and Trace reports with the pre-built DLP policy that was triggered, and check that it agrees with what you observed in the Diana Palmer and admin mailboxes.