Titus and Cisco IronPort Integration Guide
Improving Outbound and Inbound Email Security
Titus White Paper
Information in this document is subject to change without notice. Complying with all applicable copyright laws is the responsibility of the user. No part of this document may be reproduced or transmitted in any form or by any means, electronic or mechanical, for any purpose, without the express written consent of Titus. Titus may have patent applications, trademarks, copyrights or other intellectual property rights covering subject matter in this document.

Copyright 2008-10 Titus. Image of Cisco IronPort Email Security Appliance courtesy of Cisco Systems, Inc. Unauthorized use not permitted. IronPort, the IronPort logo and SenderBase are registered trademarks of Cisco Systems, Inc. or its affiliates. Microsoft Windows, Windows 2000, Windows XP, Windows Server 2003, Microsoft Windows Rights Management Services, and Microsoft SharePoint are either registered trademarks or trademarks of Microsoft Corporation in the U.S.A. and/or other countries.

At Titus we work to help businesses better manage and secure valuable corporate information. Our focus is on building policy management solutions that make it easier for IT administrators to protect and manage corporate correspondence, including email and documents. For further information, contact us at (613) 820-5111 or email us at info@titus.com.

www.titus.com Titus and Cisco IronPort Integration Guide 2
Table of Contents

1.0 Abstract ... 4
2.0 What is Classification ... 5
3.0 Business Drivers ... 7
4.0 Combining Desktop Classification with Gateway Controls ... 8
5.0 Step By Step Demonstration Configuration ... 10
6.0 Additional Deployment Scenarios ... 19
  6.1 Outbound Sensitive Email, Automatically Quarantined for Approval ... 19
  6.2 Inbound Sensitive Email, Automatically Tagged at Gateway ... 22
  6.3 Outbound Uncategorized Email, Automatically Tagged at the Gateway ... 24
7.0 Summary ... 27
1.0 Abstract

Information classification is an important foundation for a comprehensive information security management plan. When information is properly classified, it enables organizations and the people within them to enforce security controls more effectively, and at the same time it simplifies information sharing through various communication channels, most notably email. While email has become an indispensable tool of modern communications, its use has also been at the center of numerous security and privacy breaches in government and commercial organizations. In response, regulatory frameworks and organizational best practices for email security controls have evolved considerably over the past five years, as have the tools that enable them.

This paper focuses on email security controls enabled through the use of email and document classification, with a particular focus on the technical integration of the Titus Message Classification product and the IronPort Email Security Appliance. Using these two products together enables more comprehensive security controls while providing the flexibility to ensure productivity is not unduly impacted. To illustrate how these products can be used together, several usage scenarios relevant to email security controls are described and configuration guidance is provided to enable them.
2.0 What is Classification?

Classification is a technique for adding labels or protective markings and metadata to email and documents. If applied judiciously, it offers an effective strategy for managing and controlling email and document content. Often referred to as Classifications, Labels or Tags, this information can take many different forms and vary in complexity between businesses, often depending on the regulatory requirements imposed upon the industry. In their simplest form they are labels or visual markings placed in prominent locations in emails and documents to inform the reader of the sensitivity with which the asset should be treated.

The most common locations in emails are:

- Email Subject (prefix, postfix, abbreviated)
- Email Body (prefix, postfix, custom fonts, supports HTML)
- Metadata within the MAPI property or SMTP message header (x-header)

Figure 1 - Locations for Email Classification Information

The most common locations in documents are:

- Within the document header and footer sections
- As a watermark across the document
- Metadata within the custom properties of the document
Figure 2 - Locations for Document Classification Information
3.0 Business Drivers

Government agencies and the military have historically faced higher expectations than other organizations in the handling of information. Governments hold sensitive information in the public trust and are ultimately answerable to the public. As such, they place stringent safeguards on the handling of that information in the traditional paper world and have been early adopters of classification concepts in the digital world as well. Classifying emails by applying labels and metadata presents an obvious opportunity for governments' efforts to manage and control electronic communications. Through the use of security procedures and server-based content scanning that complement user-based classification, governments can ensure that private or confidential information is protected from unintended or illegal disclosure, while ensuring citizens' timely and cost-effective access to public records and personal information under fair disclosure legislation.

Some governments, such as the United States (US), United Kingdom (UK), and Australian governments, have specifically required various forms of email classification for their departments. In the US, the White House has issued a Memorandum called Designation and Sharing of Controlled Unclassified Information (CUI) that requires Federal Agencies and Departments to take action to designate and safeguard information in a consistent way to allow more secure and more efficient collaboration throughout government. In the United Kingdom, the Government Protective Marking Scheme (GPMS) requires that broad classes of government-generated information, including email, be marked with an appropriate security marking and handled appropriately. The UK Government Connect Secure Extranet (GCSx) is a programme to provide secure communications between various departments and levels of government within England and Wales. Departments and Local Authorities are required to demonstrate compliance with the GCSx Code of Connection (CoCo) requirements, which include labeling email with protective markings. The Australian government has taken a more pointed approach to government email. Amendments to the Australian Defence Signals Directorate's Communications Technology Security Manual require that all email originating in federal agencies carry markings in compliance with its Electronic Mail Protective Marking Policy. These markings establish a maximum security classification and accompanying caveats for the message.

On a global level there is a growing recognition that organizations outside of government must also implement appropriate information security policies and systems. As an example, ISO 27001 is a published standard for an Information Security Management System (ISMS) that is intended to bring information security under explicit management control. The use of classification and labeling on email and documents helps organizations become ISO 27001 certified by enabling controls for the handling and management of information. Titus has a number of white papers available that go into greater depth regarding specific business drivers and relevant regulations.
4.0 Combining Desktop Classification with Gateway Controls

The use of Titus Message Classification (TMC) and Titus Document Classification (TDC) on the desktop is an excellent method of building security awareness. These tools ensure that users creating content consider security implications before sharing the information. The visible labels applied to emails and documents serve to inform recipients of the sensitivity of the information and help them make appropriate handling decisions. In a similar way, the classification metadata applied to emails and documents can be used by automated systems to implement information handling controls. An excellent example of a system that can provide such controls in combination with the TMC/TDC desktop tools is the Cisco IronPort Email Security Appliance series of products. The combined deployment of these two products enables more effective controls than either used alone. The following table describes some of the capabilities enabled through this combination.

Capability: Description

User Based Classification / Marking: The Titus Message Classification and Document Classification solutions allow the end user to classify and mark emails and documents while they are being created.

Automated Marking of Attachments: The use of Titus Document Classification on the desktop enables classification and marking of documents, which can then be appropriately detected and controlled as message attachments by IronPort filters.

Immediate User Feedback on Policy Violation: Titus Message Classification can analyze and provide immediate feedback to the user about sensitive content and policy violations before the email is sent. This reduces the number of inappropriate or compromising emails processed and streamlines the remediation process by suggesting corrective action that can be taken while the email content is still open.
Policy Enforcement on Internal Communications: By including Titus Message Classification in desktop deployments, the solution can also enforce policy controls on internal communications which do not pass through the outbound email gateway.
Visual Marking of Inbound Messages: In many cases inbound content is sensitive or privacy protected and should be handled appropriately, but it may not arrive with appropriate markings or labels. To address these scenarios, IronPort message filters can automatically classify inbound emails, which can then be detected and visually labeled by Message Classification.

Layered approach: Deploying policy controls at the desktop (Titus) and outbound gateway (IronPort) in combination increases the flexibility of policies to allow business to continue as smoothly as possible while reducing the likelihood of data leakage much more than using either approach exclusively.

Control labelling on replies: Using TMC as part of the solution enables greater control over content classification, for example ensuring replies to a message retain the equivalent or higher classification.

Email Encryption Options: Using TMC with IronPort adds TLS and secure web envelopes (Cisco RES) to the supported methods for automated secure delivery of sensitive information.

Advanced Message Routing: The IronPort appliance can quarantine or intelligently route email through different networks based on classification applied by Message Classification at the desktop, and on recipient domain or address.

Recipient Validation: The combined solution can enforce controls on external delivery based on user classification and recipient address or domain.
5.0 Step By Step Demonstration Configuration

This document refers to a simple demonstration configuration to illustrate how Titus Message Classification, Titus Document Classification, and the IronPort Email Security Appliance can interact in a typical environment. The following instructions and screen captures show the process of configuring and deploying a basic content filter on the IronPort appliance to detect and take action based on the presence of Titus message headers (x-titus-classifications-30) in outbound messages. For the purposes of the example the user has selected a classification of Confidential and the action taken is to automatically encrypt the email prior to delivery.

The steps listed below assume a working installation of the IronPort appliance appropriately configured in your environment with inbound and outbound mail flows. IronPort AsyncOS v7.0.1 was installed on the appliance used. The instructions also assume that Titus Message Classification is installed and a number of classification labels are defined, including a Confidential label (see Figure 3). Titus Message Classification/Document Classification v3.2.55 was installed on the desktop and used with Microsoft Outlook 2007.

Figure 3 - Add a CONFIDENTIAL Classification
Figure 3 shows the CONFIDENTIAL Classification Control Definition (left side) that has been dragged and dropped onto the Outlook Definitions Control Structure (right side) to enable the classification and marking used throughout the following example.

Step 1 - Create An Outgoing Content Filter

Figure 4 - Select Outgoing Content Filters under the Mail Policies menu

Click on the Mail Policies menu and then on Outgoing Content Filters as shown in Figure 4.

Figure 5 - Click on 'Add Filter...'

To create the new filter click on Add Filter as shown in Figure 5.
Figure 6 - Name and describe the new filter. Click on "Add Condition..."

Name the new filter and provide a short description of its purpose. Once done, click on Add Condition as shown in Figure 6.

Step 2 - Define the Content Filter Conditions

Figure 7 - Define A Condition For the Filter

From the Add Condition dialog that appears, select the Other Header tab and enter the Header Name as "x-titus-classifications-30". Then select Header value and the operator Contains before typing in the search term CONFIDENTIAL as shown in Figure 7.
Step 3 - Create the Corresponding Action

Figure 8 - Adding an Action To the Filter

Review the Conditions settings in the filter overview page that follows, and then click on Add Action as shown in Figure 8.

Figure 9 - Adding an Encrypt on Deliver Action To the Filter
For this example the chosen action to take when a message matches the defined conditions is to deliver the message using IronPort encryption services. As shown in Figure 9, IronPort also provides a wide range of other actions such as Quarantine and Strip Attachment.

Figure 10 - IronPort Email Encryption Configuration

Setting up an encryption profile using Cisco's hosted Registered Envelope Service (RES) is outside the scope of this document, but is relatively straightforward. The configuration process is started using the Add Encryption Profile button on the IronPort Email Encryption page found under the Security Services menu item.
Figure 11 - Final Filter Settings

Review the finalized filter settings as shown in Figure 11, click Submit, and then Commit Changes.

Step 4 - Apply the Outbound Content Filter to the Outbound Mail Policies

Figure 12 - Select Outgoing Mail Policies from under the Mail Policies menu

Now that the filter is defined, the next step is to add it to an outgoing policy. To begin, select Outgoing Mail Policies from under the Mail Policies menu as shown in Figure 12.
Figure 13 - Click on the 'Disabled' link under 'Content Filters' in the Default Policy row item.

For this exercise the content filter will be added to the pre-defined Default Policy. Content Filters are initially disabled on this policy, so click on the Disabled link to begin changing settings as shown in Figure 13.

Figure 14 - Select 'Enable Content Filters (Customize settings)' from the drop down menu.

Click on the drop down menu as shown in Figure 14 and select Enable Content Filters (Customize settings). Once that selection is made the Titus-CONFIDENTIAL filter created earlier will be visible.
Figure 15 - Enable the Titus-CONFIDENTIAL filter

Click 'Enable' beside the filter as shown in Figure 15, click Submit, and then Commit Changes.

Figure 16 - The new policy and filter are now enabled.

Figure 16 shows the filter enabled as part of the Default Policy. At this point any email sent outside the organization labeled as confidential will be encrypted prior to delivery.
Figure 17 - Confidential Email Being Forwarded Outside Organization

Figure 17 shows a sample email classified as confidential and addressed to a recipient outside of the internal domain.

Figure 18 - Confidential Email Automatically Encrypted For Delivery

Figure 18 shows the encrypted email as it arrives in the external recipient's mailbox when using Cisco RES encryption.
6.0 Additional Deployment Scenarios

Once the basics of integration between the Titus classification solutions and IronPort are understood, it is possible to construct any number of control and remediation scenarios. These capabilities can be grouped as preventive, detective, or corrective controls. Automatic encryption of an email based on classification metadata was shown in the previous section. This can be thought of as a preventive control, since information leakage was prevented by automated encryption of the sensitive information. A few additional example scenarios are described here.

6.1 Outbound Sensitive Email, Automatically Quarantined for Approval

This scenario is very similar to the one described in the previous section, 5.0 Step By Step Demonstration Configuration. Instead of automatically encrypting the confidential email, it will be quarantined for administrator review.

Figure 19 - Edit Titus-CONFIDENTIAL Filter To Use Quarantine

Figure 19 shows Quarantine selected instead of Encrypt on Delivery while editing the Titus-CONFIDENTIAL filter defined in Step By Step Demonstration Configuration. The IronPort default installation includes several pre-defined quarantines to hold email until it can be reviewed. Here the Policy quarantine is used.

Figure 20 - Titus-CONFIDENTIAL Filter Changed to Use Quarantine Action

Figure 20 shows the modified filter now using a Quarantine action. With this modified filter, email found to have the CONFIDENTIAL classification within the TMC x-header will be held by the IronPort appliance until an administrator can review it or until a specified amount of time passes.

Figure 21 - View of IronPort Quarantine
Figure 22 - Viewing Quarantined Message Details and Available Actions

The preceding scenario is a preventative control, since the email was not delivered to the intended recipient. An example of a detective control would be to use the duplicate message option in the Quarantine action (see Figure 23) and to allow the original message to be delivered. The quarantined copy could be used in subsequent investigations if required.

Figure 23 - Duplicate Message Option in Quarantine Action
6.2 Inbound Sensitive Email, Automatically Tagged at Gateway

A number of use cases can be described where it is useful to tag inbound email appropriately to ensure proper handling and controls as internal users process and share the information. One example is inbound resumes. Whether they are sent to an HR inbox or directly to employees of the company, the documents are considered privacy protected under many countries' regulations. Adding appropriate header information to the message right at the email gateway seamlessly enables the visual privacy protection cues and controls made possible with the TMC desktop client.

Figure 24 - Simple Filter to Detect Incoming Resumes

Figure 24 above shows a basic filter to detect attached resume files in incoming email. The filter was created using variations of the steps described above in the Step By Step Demonstration Configuration section. Condition 1 uses a regular expression to search the message body and attachment content for variations of the words resume or CV (the simple RegEx used here is [Rr]esume|CV, without quotes). Condition 2 requires that a file attachment is present. Note that both of these conditions must be true for the defined action to be taken. To do this, select Only if all conditions match from the drop-down provided beside Apply rule:.
The action taken is to add header information. Here the standard TMC x-header (x-tituslabsclassifications-30) is added with a value of Classification=CONFIDENTIAL;Sensitivity=HR; to indicate that the information is confidential and HR related.

Figure 25 - TMC Detects the X-Header Added By IronPort

Figure 26 - Titus X-Header As Applied by IronPort

Figure 25 shows that the original internal recipient of the email can see that the email is classified as Confidential with HR sensitivity, and Figure 26 shows the x-header information that was added by the IronPort filter.
Figure 27 - Labels Are Applied on Forward or Reply

Figure 27 shows that appropriate labels are applied when the email is shared with other users.

6.3 Outbound Uncategorized Email, Automatically Tagged at the Gateway

Where organizational security policy, or the policy of a partner network, requires that all email be classified and labeled, appropriate controls should be put in place at the outbound gateway to verify and enforce this. The use of TMC on user desktops for classification and labeling provides a high degree of coverage, but some internal systems generating automated emails may not apply appropriate labels. As an example of what is possible with IronPort filtering, the following scenario explores how to detect and act on outbound unclassified email during a transition period. A copy of all email without appropriate classification headers is sent to a defined email address, but the original email is allowed to proceed. In this way it is possible to identify any sources of unclassified email without impeding the flow of business.

In addition to the web-based interface shown previously, the IronPort AsyncOS provides a powerful Command Line Interface (CLI). This example will configure and apply a message filter to detect and act on unclassified messages using the CLI. An SSH client is required to connect and log in to the IronPort appliance, and the SSH service must be enabled on at least one IP Interface.
The sample filter acts on email that does not include the Titus x-header. Actions taken are: insert an x-header with a value of UNCLASSIFIED, insert UNCLASSIFIED at the beginning of the subject line, and send a copy of the message to the Policy quarantine. The following is a transcript of an SSH session to add and enable the filter through the CLI. Typed commands and content are in bold.

Last login: Mon Aug 30 11:56:45 2010 from 192.168.201.177
Copyright (c) 2001-2009, IronPort Systems, Inc.
AsyncOS 7.0 for IronPort C160 build 102

Welcome to the IronPort C160 Messaging Gateway(tm) Appliance
ironport.tlmcdc.com>
ironport.tlmcdc.com> filters
Choose the operation you want to perform:
- NEW - Create a new filter.
- IMPORT - Import a filter script from a file.
[]> new
Enter filter script. Enter '.' on its own line to end.
No_Classification_Headers:
if(not header("x-tituslabs-classifications-30"))
{
    insert-header("x-tituslabs-classifications-30","unclassified");
    edit-header-text ("Subject","^\\s*","[UNCLASSIFIED] ");
    duplicate-quarantine("policy");
}
.
1 filters added.
Choose the operation you want to perform:
- NEW - Create a new filter.
- DELETE - Remove a filter.
- IMPORT - Import a filter script from a file.
- EXPORT - Export filters to a file
- MOVE - Move a filter to a different position.
- SET - Set a filter attribute.
- LIST - List the filters.
- DETAIL - Get detailed information on the filters.
- LOGCONFIG - Configure log subscriptions used by filters.
- ROLLOVERNOW - Roll over a filter log file.
[]>
ironport.tlmcdc.com> commit
Please enter some comments describing your changes:
[]> Added No Classification Header filter
Changes committed: Mon Aug 30 12:44:03 2010 EDT
ironport.tlmcdc.com>

Figure 28 - Unclassified Email In Quarantine

Figure 28 shows an email that has triggered the message filter and has been copied to the Policy quarantine. Note that the subject line and header modifications defined in the filter were applied before the message copy was sent to the quarantine.
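The filter logic of sections 5, 6.1, 6.2 and 6.3 reduced to an offline simulation, written here as an added example (it is not Titus or Cisco code and does not run on the appliance): it evaluates constructed sample messages with Python's email package, using the header name from the CLI transcript above and the [Rr]esume|CV regular expression from section 6.2. The returned action names are labels chosen for this example, not AsyncOS identifiers.

```python
"""Offline simulation of the filter behaviours this guide configures on the
IronPort appliance, using constructed sample messages (not Titus/Cisco code)."""
import re
from email import message_from_string

# Header name as in the guide's CLI transcript (the GUI steps spell it
# x-titus-classifications-30); use whichever name your Titus client emits.
TITUS_HEADER = "x-tituslabs-classifications-30"
RESUME_RE = re.compile(r"[Rr]esume|CV")  # regex from section 6.2


def load(raw):
    """Parse a constructed RFC 822 message string into a Message object."""
    return message_from_string(raw)


def parse_classification(value):
    """'Classification=CONFIDENTIAL;Sensitivity=HR;' -> dict with lower-case
    keys; a bare value such as 'unclassified' becomes the classification."""
    fields = {}
    for part in filter(None, (p.strip() for p in value.split(";"))):
        key, _, val = part.partition("=")
        fields[key.lower() if val else "classification"] = val or key
    return fields


def outbound_actions(msg, mode="encrypt"):
    """Outbound policy for one message (mutates msg). mode='encrypt' follows
    section 5, mode='quarantine' follows section 6.1; a message carrying no
    Titus header at all gets the section 6.3 treatment."""
    value = msg.get(TITUS_HEADER)
    if value is None:
        msg[TITUS_HEADER] = "unclassified"
        subject = re.sub(r"^\s*", "", msg.get("Subject", ""), count=1)
        del msg["Subject"]
        msg["Subject"] = "[UNCLASSIFIED] " + subject
        return ["insert-header", "edit-header-text", "duplicate-quarantine:policy"]
    if "CONFIDENTIAL" in value:  # GUI condition: Header value contains CONFIDENTIAL
        return ["encrypt-on-deliver"] if mode == "encrypt" else ["quarantine:policy"]
    return ["deliver"]


def inbound_tag_resume(msg):
    """Section 6.2: add the Confidential/HR header only if BOTH conditions hold,
    a regex hit in body or attachment text AND an attachment being present."""
    has_attachment = matched = False
    for part in msg.walk():
        if part.get_content_maintype() == "multipart":
            continue
        if part.get_filename():
            has_attachment = True
        payload = part.get_payload(decode=True) or b""
        if RESUME_RE.search(payload.decode("utf-8", "replace")):
            matched = True
    if has_attachment and matched:
        msg[TITUS_HEADER] = "Classification=CONFIDENTIAL;Sensitivity=HR;"
    return has_attachment and matched


# Constructed sample messages (not real traffic).
OUTBOUND_CONFIDENTIAL = """To: bob@partner.example
Subject: Q3 forecast
x-tituslabs-classifications-30: Classification=CONFIDENTIAL;

Numbers attached.
"""
INBOUND_RESUME = """To: hr@corp.example
Subject: Application
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain

Please see attached.
--b1
Content-Type: text/plain; name="jane.txt"
Content-Disposition: attachment; filename="jane.txt"

Jane Doe - Resume
--b1--
"""
```

A message whose body mentions a resume but carries no attachment is left untagged, which is the effect of the "Only if all conditions match" setting in section 6.2.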
7.0 Summary

The scenarios discussed in this paper covered a few simple use cases to illustrate how Titus Message Classification and Cisco's IronPort Email Security Appliance can be used together to enable better security controls on outbound and inbound email. Information security management is not one size fits all. Whether you are complying with government regulations and directives or protecting sensitive commercial information, Titus Message Classification and Cisco's IronPort Email Security are a powerful combination, providing the tools and flexibility you need to implement suitable controls in your environment.

To learn how Titus can help your organization promote better security, please visit www.titus.com

Titus, 343 Preston Street, Suite 800, Ottawa, ON, Canada. Call us: (613) 820-5111 ext. 127, Toll Free 1-866-530-5111, or email us: info@titus.com