Description


Data Loss Prevention (DLP) lets you easily detect sensitive information and generate security alerts in Avanan through DLP policies.

Avanan enables you to create universal policies across multiple cloud applications to control how files are shared amongst internal and external users.



With DLP, you can do the following:

  • Scan emails and files for sensitive information with ease, by using a common solution for all platforms.
  • Stop data leakage by using automated actions.
  • Generate actionable alerts.
  • Use an integrated solution for DLP and other types of attacks, such as phishing and malware.



Requirements


Log in to the Avanan Portal.



The Process

1 - Configure the DLP policy for Outgoing Emails:


1. Go to Policy.


2. Click Add a New Policy Rule.


3. Select the desired SaaS application under Choose SaaS drop-down.


4. Select DLP under Choose Security drop-down and click Next.


5. Select Protect (Inline) or Monitor only mode.


6. Select the Scope of the policy:

     a. Select Outbound Emails.

     b. Select the Specific Sending Users and Groups to which the policy applies.


7. In the DLP Criteria section, do these:

     a. Select the required DLP Categories.

     b. Select the required Sensitivity Level. See DLP Policy Sensitivity Level.

     c. If you need to add a subject regular expression as the matching criteria to the DLP policy, under
        Advanced, enable the "Enable matching based on subject regular expression" checkbox and enter the
        regular expression. See DLP Subject Regular Expression.



8. In the DLP Workflow section, select the required DLP workflow.
Note - This option is available only in Protect (Inline) mode.


9. Select the required Severity.


10. Select the required DLP Alerts.


11. Click Save and Apply.
Note - Applying a Prevent (Inline) rule could take up to an hour to take effect, depending on the number of protected users in the Avanan account.



For more information about the DLP workflows and alerts for Outgoing Emails: MPmail Avanan - DLP Workflows


Prerequisites to Avoid Failing SPF Checks

For Office 365 Mail: 

If Protect (Inline) Outgoing Traffic is enabled in the DLP or Threat Detection policy, Avanan is added to the email delivery chain before the email reaches external recipients.

Note: Email flow = Internal email sender > Microsoft 365 > Avanan > Microsoft 365 > External recipient


The recipient's email security solution sees the Avanan IP address as part of the delivery chain. If the recipient's email security solution fails to recognize the original IP address, it may consider the Avanan IP address as the IP address from which the email was sent.


If you do not configure the SPF record in your DNS to allow Avanan IP addresses to send emails on behalf of your domain, your emails might fail SPF checks and may be rejected. Avanan recommends you add the Avanan IP addresses to your SPF record before you enable Protect (Inline) Outgoing Traffic for outgoing emails.


To prevent outgoing emails from failing SPF checks and being quarantined, you must add include:spfa.cpmails.com to your SPF record.


Note - The above statement includes several IP addresses and networks, some outside your Avanan portal's data region. This is done for uniformity and consistency in all Avanan SPF records regardless of your data region. Avanan sends the emails only from one of the IP addresses in your region.
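
A pre-flight check for the SPF change described above, as an added example that is not Avanan's own tooling. It inspects an SPF TXT record string offline; the sample records are constructed, and only top-level lookup terms are counted (nested includes add more).

```go
package main

import (
	"fmt"
	"strings"
)

// Mechanism the page says to add to the sending domain's SPF record.
const avananInclude = "include:spfa.cpmails.com"

// CheckSPF returns the problems found in one SPF TXT record; empty means ready.
func CheckSPF(record string) []string {
	terms := strings.Fields(strings.ToLower(record))
	if len(terms) == 0 || terms[0] != "v=spf1" {
		return []string{"not an SPF record: must start with v=spf1"}
	}
	var problems []string
	found, seenAll, lookups := false, false, 0
	for _, term := range terms[1:] {
		mech := strings.TrimLeft(term, "+-~?") // strip the qualifier
		name := mech[:strings.IndexAny(mech+":", ":/=")]
		switch name { // terms that cost a DNS lookup (RFC 7208 limit: 10)
		case "include", "a", "mx", "ptr", "exists", "redirect":
			lookups++
		}
		if mech == avananInclude {
			found = true
			if term != mech && term[0] != '+' {
				problems = append(problems, "Avanan include has a non-pass qualifier: "+term)
			}
			if seenAll {
				problems = append(problems, "Avanan include follows 'all' and is never evaluated")
			}
		}
		seenAll = seenAll || name == "all"
	}
	if !found {
		problems = append(problems, "missing "+avananInclude)
	}
	if lookups > 10 { // nested includes are not resolved or counted here
		problems = append(problems, fmt.Sprintf("%d lookup terms exceed the limit of 10", lookups))
	}
	return problems
}

func main() {
	// Constructed sample record for a hypothetical Microsoft 365 domain.
	fmt.Println(CheckSPF("v=spf1 include:spf.protection.outlook.com -all"))
}
```

Run it against the record you intend to publish before you enable Protect (Inline) Outgoing Traffic; an empty result means the include is present, evaluated, and within the top-level lookup budget.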


2 - DLP Policy Sensitivity Level


The Sensitivity Level for a DLP policy is the minimum number of times all the Data Types in the selected categories need to match (hit count) for the policy to trigger the DLP workflow.


You can select one of these Sensitivity Levels for every policy rule.

  • Very High (hit count > 0)
  • High (hit count > 2)
  • Medium (hit count > 5)
  • Low (hit count > 10)
  • Very Low (hit count > 20)
  • Custom (enter the minimum hit count, "Hit count higher than", required for the policy)

For example, a DLP policy includes only the PII category and you selected the Sensitivity Level as High.

  • If all the Data Types in PII were matched only once - the rule does not trigger the selected DLP workflow.
  • If all the Data Types in PII were matched three times - the rule triggers the selected DLP workflow.



3 - DLP Policy for Incoming Emails

  1. Go to Policy.

  2. Click Add a New Policy Rule.

  3. Select the desired SaaS application under Choose SaaS drop-down.

  4. Select DLP under Choose Security drop-down and click Next.

  5. Select Protect (Inline) mode.

  6. Select the Scope of the policy:
    1. Select Inbound Emails.
      Note - This option is available only in Protect (Inline) mode.
    2. Select the Specific Receiving Users and Groups to which the policy applies.

  7. In the DLP Criteria section, do these:
    1. Select the required DLP Categories.
    2. Select the required Sensitivity Level.

  8. Select the required DLP Rules.

  9. Select the required DLP workflow.

  10. Click Save and Apply.
    Note - Applying a Prevent (Inline) rule could take up to an hour to take effect, depending on the number of protected users in the Avanan account.

DLP Workflows for Incoming Emails

  • Email is blocked. User is alerted and allowed to request a restore (admin must approve) (default) -
    The detected email is not delivered to the recipient and is moved to the quarantine mailbox. The
    user receives an email alerting them to the quarantine action and can request to restore
    the original email (send the original email to the recipient).

  • Email is blocked. User is alerted and allowed to restore the email - The detected email is not
    delivered to the recipient and is moved to the quarantine mailbox. The user receives an email
    alerting them to the quarantine action and can restore the original email (send the original email to
    the recipient).

  • Do nothing - Any detected email will be delivered to the recipient without any changes.

  • User receives the email with a warning - The email is delivered to the user with a warning banner inserted in the body of the email. To customize the banner (text, background color, etc.), click the gear icon next to the workflow.


DLP Alerts for Incoming Emails

You can configure alerts for incoming emails detected to contain a DLP violation:

  • Send alert on this violation to specific mailboxes.
  • Alert the external sender about the violation when the email is quarantined.

Creating Custom DLP Data Types

Regular Expression DLP Data Types

Data Types based on regular expressions are data types that will add a hit count to their parent category every time a string in the inspected email/file/message is matched against the defined Regular Expression.

To create a regular expression Data Type:

  1. Navigate to Configuration > DLP Data Types.
  2. Click Create Data Type.
    Create Custom DLP Data Type section appears.
  3. Enter the required Name and Description for the Data Type.
  4. Under Match type, select Regular Expression and enter the required regular expressions.
    Note - Avanan supports Regular Expression 2 syntax.
  5. Click Save.
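
A local pre-check for a regular expression Data Type, covering both the RE2 note above and the Sensitivity Level thresholds from section 2. This is an added example, not Avanan code. It assumes "Regular Expression 2" means RE2 (the syntax Go's regexp package implements) and that each non-overlapping match counts as one hit; the pattern and email body are constructed.

```go
package main

import (
	"fmt"
	"regexp"
)

// Sensitivity Levels from the page, strictest first: the workflow triggers
// when the hit count is strictly greater than the threshold.
var levels = []struct {
	Name      string
	Threshold int
}{{"Very High", 0}, {"High", 2}, {"Medium", 5}, {"Low", 10}, {"Very Low", 20}}

// CountHits compiles pattern as RE2 (Go's regexp syntax) and returns the
// number of non-overlapping matches in text, one hit per match (assumption).
func CountHits(pattern, text string) (int, error) {
	re, err := regexp.Compile(pattern)
	if err != nil {
		return 0, fmt.Errorf("pattern rejected by RE2: %w", err)
	}
	return len(re.FindAllStringIndex(text, -1)), nil
}

// TriggeredLevels names every Sensitivity Level at which hits would trigger.
func TriggeredLevels(hits int) []string {
	var out []string
	for _, l := range levels {
		if hits > l.Threshold {
			out = append(out, l.Name)
		}
	}
	return out
}

func main() {
	// Hypothetical custom Data Type (internal project codes) and a constructed email body.
	pattern := `\bPRJ-\d{4}-\d{4}\b`
	body := "Budget for PRJ-2024-0042 moves to PRJ-2024-0043; PRJ-2023-0007 is closed."
	hits, err := CountHits(pattern, body)
	fmt.Println(hits, TriggeredLevels(hits), err)
	// Lookahead is valid in PCRE-style engines but is not RE2 syntax.
	_, err = CountHits(`PRJ-(?=\d)`, body)
	fmt.Println(err)
}
```

Patterns copied from PCRE-based tools often rely on lookarounds or backreferences, which RE2 rejects, so compile them this way before entering them in the portal.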

Dictionary DLP Data Types

A dictionary is a list of custom strings. These Data Types add a hit count to their parent category every time a string in the inspected email/file/message matches one of the strings in the dictionary.

To create a Dictionary DLP Data Type:

  1. Navigate to Configuration > DLP Data Types.
  2. Click Create Data Type.
    Create Custom DLP Data Type section will appear.
  3. Enter the required Name and Description for the Data Type.
  4. Under Match type, select Dictionary and add the required keywords:

    • To add a keyword to the dictionary, enter the required keyword and click "Add Keyword".
    • To import keywords to the dictionary from a CSV file:
      • Click Import dictionary.
      • Under Upload Dictionary File, select the required CSV file.
      • To override the existing keywords, enable the Override all existing words checkbox.

        Note - To export the keywords in the dictionary to a CSV file, click Export dictionary.

  5. Click Save.

Compound DLP Rules

Compound DLP Rules are parent DLP rules that contain other child DLP rules, divided into two groups:

  • Triggers – DLP rules that must match; otherwise, the parent DLP rule will not match.
  • Children – DLP rules that could match and add to the parent DLP rule hit count.

In addition, each Compound DLP Rule has a Minimum Match Type Count of its own so that the number of matches across all contained data types must be above it for the parent DLP Rule to match.

For example, you can create a compound DLP Rule named MyCompany Internal Documents the following way:

  1. Triggers
    1. A string “MyCompany”
    2. A string “Confidential”

  2. Children
    1. Source Code
    2. Bank Swift routing numbers

  3. Minimum Match Type Count = 4


Creating a Compound DLP Rule

To create a compound DLP rule:

  1. Navigate to Configuration > Security Engines.
  2. Click Configure for SmartDLP.
  3. Scroll down and find Compound Info Types.
  4. Edit the Triggers, Children, and Minimum Match Type Count.
  5. Add Patient Information to one of the DLP Categories so that it can be used in the DLP policy rules. For more information, see MPmail Avanan - DLP Data Types.

  6. Click Save.