Exchange Online Protection In-Depth
Mike Crowley, Baseline Technologies

Session Agenda
- Introduction to EOP
- Administration
- DMARC, SPF & DKIM
- Advanced Threat Protection
- EOP Deployment Tips
Introduction to EOP
3 use cases:
- Standalone
- With Exchange Online
- With Exchange Hybrid
Purchase options:
- Standalone
- Included with Exchange Online (free for EDUs)
- Exchange Enterprise CAL with Services

Introduction to EOP: Office 365 service comparison tool, technet.microsoft.com/dn788955
EOP Features
EOP Features cont'd

Introduction to EOP: Is it any good? Gartner: Magic Quadrant for Secure Email Gateways

Introduction to EOP: SMTP Pipeline
Filters are optimized for performance. This flowchart may help answer the question: why is this button so far from that one?
[Flowchart: EOP SMTP pipeline. Labels on the slide: Senders; Edge Protection (IP/Domain Block Lists, Throttling); Sender Reputation and spam detection engine; Anti-Malware; DKIM / DMARC / SPF; Transport Rules and Admin configuration; Tenant- and mailbox-specific behavior; Quarantine; Recipients; Recipient Feedback Loop; Data sources (JMRT, Subscriptions, Internal Data); Analysts, Engineering, and Support; Process Automation and Response Tools; Boomerang; Detection, Tenant Specific Configuration, Response]
Administration
EAC (/ecp). Good for:
- Initial setup
- Infrequent configurations
- n00bs
EOP cmdlets. Good for:
- Recipient management
- Complex message tracking / reporting
- Consistent transport rule creation
- Advanced configurations not exposed in the GUI (e.g. Azure RMS)
Cmdlet reference: technet.microsoft.com/dn621038
On-premises Active Directory: recipient management, if using directory synchronization

Administration: EAC Demo
- Accepted Domains
- Connectors
- Rules
- Message Trace
- Filters: Malware, Connection, Spam
- Quarantine

Administration: PowerShell
- Like any tool, it is only useful once you learn how it works.
- Web portals change frequently; PowerShell cmdlets are more stable.
- Naturally encourages consistent configurations
- PowerShell automates virtually every Microsoft product
- Useful for documentation
Administration: Data Loss/Leak Prevention
- ExO P2 or Enterprise CAL required
- Not limited to Exchange (SPO, OneDrive, Office Apps)
- DLP policies contain 1 or more rules; Rule = Condition + Action
- ~40 built-in templates exist (e.g. PCI DSS)
- Templates importable from 3rd parties
- Build your own

Administration: Data Loss/Leak Prevention cont'd
Document Fingerprinting looks for attachments that resemble your org's forms:
- Government forms
- Health Insurance Portability and Accountability Act (HIPAA) compliance forms
- Employee information forms for Human Resources departments
- Custom forms created specifically for your organization
Used in policy rule conditions.
Policy Tips, Auditing, Reports, Real-time notifications (via email & CRM), DLP Search in SPO

Administration: On-Demand Ignite Webcast: End-to-End Data Loss Prevention, channel9.msdn.com/events/ignite/2015/brk3181

[Diagram: DLP content detection flow in Exchange. Transport rule agent, integrated into the Exchange Transport Rule (ETR) engine; text extraction; classification]
DMARC, SPF & DKIM: Sender Policy Framework (SPF)
- Tell the internet who is authorized to send mail on behalf of <your domain here>
- Validates 5322.From
- Limits spoofing and phishing
- Protect others: DNS TXT records, easy to create with the help of numerous online wizards
- Protect yourself: enable SPF filtering
  EAC\Protection\Spam Filter\<policy>\Advanced Options\SPF record Hard Fail
  PowerShell> Set-HostedContentFilterPolicy default -MarkAsSpamSpfRecordHardFail On

DMARC, SPF & DKIM: DomainKeys Identified Mail (DKIM)
- EOP scans inbound DKIM; look for these headers: Authentication-Results, DKIM-Signature, X-DkimResult-Test
- Outbound is still being rolled out: http://success.office.com/en-us/roadmap

DMARC, SPF & DKIM: DMARC
- Validates 5322.From
- Gotchas for DMARC, SPF and DKIM:
  - False negatives are common in complex organizations which send mail from many systems or services
  - Legitimate distribution lists can mess with SMTP headers
  - Some DNS servers don't support TXT records
  - Not all recipient systems are going to bother reading your records

DMARC, SPF & DKIM: On-Demand Ignite Webcast: Deep Dive into How Microsoft Handles Spam and Advanced Email Threats, channel9.msdn.com/events/Ignite/2015/BRK3106
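The distribution-list gotcha above is easiest to see by evaluating DMARC the way a receiver does: take the Authentication-Results header EOP stamps on the message, the sender's DMARC record, and check whether the SPF or DKIM pass is aligned with the 5322.From domain. The script below is an added example, not code from the deck or from Microsoft; the header, the DMARC record and the domains are constructed, and the organizational-domain helper is a simplification (real DMARC uses the Public Suffix List).

```powershell
# Added example: compute a DMARC disposition from an Authentication-Results
# header and a DMARC TXT record. All sample data below is constructed.

function Get-OrgDomain([string]$Domain) {
    # Simplification: last two labels are the organizational domain.
    # Real DMARC consults the Public Suffix List (example.co.uk needs 3 labels).
    $labels = $Domain.ToLower().TrimEnd('.').Split('.')
    if ($labels.Count -le 2) { return ($labels -join '.') }
    return ($labels[-2..-1] -join '.')
}

function Test-Alignment([string]$AuthDomain, [string]$FromDomain, [string]$Mode) {
    if (-not $AuthDomain) { return $false }
    if ($Mode -eq 's') { return $AuthDomain -eq $FromDomain }        # strict
    return (Get-OrgDomain $AuthDomain) -eq (Get-OrgDomain $FromDomain)  # relaxed
}

function Get-DmarcDisposition([string]$AuthResults, [string]$FromDomain, [string]$DmarcRecord) {
    # Parse the DMARC record ("v=DMARC1; p=quarantine; ...") into tag=value pairs.
    $tags = @{}
    foreach ($part in $DmarcRecord.Split(';')) {
        if ($part -match '^\s*(\w+)\s*=\s*(.+?)\s*$') { $tags[$matches[1]] = $matches[2] }
    }
    # SPF is evaluated on the envelope (5321.MailFrom) domain; DMARC then checks
    # that it aligns with the 5322.From domain. DKIM aligns on the d= signing domain.
    $spfPass  = $AuthResults -match 'spf=pass[^;]*smtp\.mailfrom=(?:[^@\s]+@)?([\w.-]+)'
    $spfDom   = if ($spfPass) { $matches[1] } else { '' }
    $dkimPass = $AuthResults -match 'dkim=pass[^;]*header\.d=([\w.-]+)'
    $dkimDom  = if ($dkimPass) { $matches[1] } else { '' }

    $aspf  = if ($tags['aspf'])  { $tags['aspf'] }  else { 'r' }   # default: relaxed
    $adkim = if ($tags['adkim']) { $tags['adkim'] } else { 'r' }
    $spfAligned  = $spfPass  -and (Test-Alignment $spfDom  $FromDomain $aspf)
    $dkimAligned = $dkimPass -and (Test-Alignment $dkimDom $FromDomain $adkim)

    # Either an aligned SPF pass or an aligned DKIM pass satisfies DMARC;
    # otherwise the published p= policy decides what the receiver should do.
    if ($spfAligned -or $dkimAligned) { return 'pass' }
    if ($tags['p'] -in 'none', 'quarantine', 'reject') { return $tags['p'] }
    return 'none'
}

# Constructed sample: a distribution list relayed the message, so SPF passes for
# the list's domain (not the author's) and the list's footer broke the DKIM signature.
$header = 'spf=pass (sender IP is 203.0.113.5) smtp.mailfrom=lists.example.net; dkim=fail (body hash did not verify) header.d=contoso.com; dmarc=fail action=none header.from=contoso.com'
$record = 'v=DMARC1; p=quarantine; adkim=r; aspf=r; rua=mailto:dmarc-reports@contoso.com'
Get-DmarcDisposition -AuthResults $header -FromDomain 'contoso.com' -DmarcRecord $record
```

Change the sample so the list re-signs with its own DKIM key, or so the author's domain publishes p=none, and the disposition changes accordingly, which is exactly the false-negative tuning the slide warns about.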
[Slide graphic: Problem / Solution]
Advanced Threat Protection
Aims to thwart:
- Unknown malware
- Phishing
Licensing:
- Per-user license
- Requires EOP (does not require ExO)
- $2 extra, per user
- Cheaper for government
- Not available for edu or non-profit

Advanced Threat Protection
Safe Attachments
- Routes messages which meet the criteria to a sandbox
- Scans for: executables, registry calls, privilege escalation, etc.
Safe Links
- Re-writes (not proxies) URLs; like a filtering version of bitly.com or tinyurl.com
- Inspects Exchange Online, Exchange On-Prem, SharePoint in the future*
Reporting
- See who is being targeted & how the phishing messages are crafted
*https://channel9.msdn.com/events/ignite/2015/thr0136

Protection against unknown malware/virus
- Behavioral analysis with machine learning
- Admin alerts
Time of click protection
- Real-time protection against malicious URLs
- Growing URL coverage
Rich reporting and tracing
- Built-in URL and message trace
- Reports for advanced threats
[Diagram: Safe Attachments flow. Sender; multiple filters + 3 antivirus engines with Exchange Online Protection; attachment: supported file type, clean by AV/AS filters, not in reputation list; links; detonation chamber (sandbox): executable? registry call? elevation?; verdict Unsafe / Safe; Recipient. Compared side by side: EOP user without ATP vs. EOP user with ATP]

Advanced Threat Protection: Safe Attachments

[Diagram: Safe Links. Rewriting URLs to redirect to a web server; EOP user without ATP vs. EOP user with ATP]

Advanced Threat Protection: Safe Links

Advanced Threat Protection: Reporting
EOP Deployment Tips
Microsoft's Best Practices, technet.microsoft.com/jj723164:
- Use a test domain
- Synchronize recipients
- SPF record customization
- Set anti-spam options (start with Test Mode)
- Set anti-malware options
- Create transport rules
- Reporting and troubleshooting

[Diagram: outbound mail lanes. VIPs; Multi-Lane; Normal Outbound Mail; NDR; Spam; Bulk]
EOP Deployment Tips
Other Best Practices:
- Read the service descriptions
- EOP should not be daisy-chained
- Create firewall rules allowing SMTP only from EOP's IP ranges; subscribe to the RSS feed
- Route mail out through EOP as well: helps with backscatter, <your> IP reputation and reporting, and simplifies mail flow
- For high-confidence spam: Quarantine
- For med/low-confidence spam, consider the end-user interactions: central quarantine or delete all spam? Regular report? Personal quarantine? Junk folder routing?
- Use PowerShell
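The spam-handling advice above and the SPF hard-fail setting from the SPF slide are all properties of the content filter policy, so they can be applied as one baseline and then re-read to catch drift. The script below is an added example, not the deck's or Microsoft's code; it assumes an established Exchange Online PowerShell session, the cmdlet and parameter names are real, and the chosen values and function names are this example's own.

```powershell
# Added example: apply a spam-handling baseline to the default content filter
# policy, then verify the live policy against it. Assumes you are already
# connected to Exchange Online PowerShell.

# Desired state: quarantine high-confidence spam, route the rest to Junk so
# users can rescue false positives, treat an SPF hard fail as spam, notify users
# about quarantined mail, and start in test mode (X-header only) until the
# filter's verdicts have been reviewed. Values are illustrative.
$Baseline = @{
    HighConfidenceSpamAction         = 'Quarantine'
    SpamAction                       = 'MoveToJmf'
    BulkSpamAction                   = 'MoveToJmf'
    BulkThreshold                    = 6
    MarkAsSpamSpfRecordHardFail      = 'On'
    EnableEndUserSpamNotifications   = $true
    EndUserSpamNotificationFrequency = 3
    TestModeAction                   = 'AddXHeader'
}

function Set-EopSpamBaseline([string]$PolicyName = 'Default', [hashtable]$Desired = $Baseline) {
    # Splatting passes every hashtable key as a named parameter of the cmdlet.
    Set-HostedContentFilterPolicy -Identity $PolicyName @Desired
}

function Test-EopSpamBaseline($Policy, [hashtable]$Desired = $Baseline) {
    # Emits one object per setting that differs from the desired value;
    # no output means the policy matches the baseline.
    foreach ($key in $Desired.Keys) {
        $actual = $Policy.$key
        if ("$actual" -ne "$($Desired[$key])") {
            [pscustomobject]@{ Setting = $key; Expected = $Desired[$key]; Actual = $actual }
        }
    }
}

Set-EopSpamBaseline -PolicyName 'Default'
$drift = Test-EopSpamBaseline -Policy (Get-HostedContentFilterPolicy -Identity 'Default')
if ($drift) { $drift | Format-Table -AutoSize } else { 'Policy matches baseline' }
```

Run Test-EopSpamBaseline on its own from a scheduled task to document the configuration and to notice when someone changes it in the portal.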
Additional Resources
TechNet/MSDN Articles:
- ExO & ATP Service Descriptions: https://technet.microsoft.com/en-us/library/office-365-service-descriptions.aspx
- ATP Video: https://channel9.msdn.com/events/ignite/2015/thr0136
- 3rd-party migration resources: technet.microsoft.com/jj723140
Tools:
- DMARC Deployment Tools: https://dmarc.org/resources/deployment-tools
- DMARC Inspector: https://dmarcian.com/dmarc-inspector
- MX Toolbox: http://mxtoolbox.com/supertool.aspx
- RCA: https://testconnectivity.microsoft.com
- SPF Record Creation Wizard: http://www.spfwizard.net/
- SPF Record Testing Tool: http://www.kitterman.com/spf/validate.html
Blogs:
- EOP Field Notes: http://blogs.technet.com/b/eopfieldnotes/
- Terry Zink: Security Talk: http://blogs.msdn.com/b/tzink/
- Brian Reid's articles on ATP: http://www.c7solutions.com/category/atp