Enable DLP for outgoing emails in Cisco IronPort

Data Loss Prevention (DLP) protects an organization's sensitive proprietary information by detecting it before it leaves the network through exfiltration channels, and continuously monitors those channels to protect against all types of data loss. Organizational data leaks mostly happen when end users unintentionally email sensitive data out of the network, which leads to data leak incidents.
There are many ways to achieve this. In this article we will look at how to prevent data loss with the options available in the Cisco IronPort Email Gateway solution.

Basically, any DLP involves two actions:

Data Match: The DLP application scans the email body, headers and attachments for sensitive content, as defined by the DLP policy rules.

Action: Once an email is identified as sensitive, the DLP policy that matched it determines the action. Action types can be drop, quarantine, or deliver with disclaimer, and the policy can notify an admin, manager or recipient, based on the policy and document classification.
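The two stages above can be sketched in a few lines of Python. This is an added example, not Cisco's classifier or code from the original article: it matches PCI-DSS style card numbers with a regex plus a Luhn check, then maps the match count to an action. The severity thresholds, action names and the sample message are assumptions made for illustration.

```python
import re
from email import message_from_string

# 13-19 digits, optionally separated by single spaces or hyphens.
CARD_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")

# Assumed severity scale: (minimum matches, severity, action). Not Cisco defaults.
SEVERITY_SCALE = [(5, "high", "drop"), (2, "medium", "quarantine"),
                  (1, "low", "deliver_with_disclaimer")]

def luhn_ok(digits):
    """Luhn checksum: filters out digit runs that cannot be card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:  # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0

def count_card_numbers(text):
    """Data match: count distinct Luhn-valid card number candidates."""
    found = set()
    for m in CARD_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group())
        if luhn_ok(digits):
            found.add(digits)
    return len(found)

def evaluate(raw_message):
    """Scan Subject and every text part, then map the match count to an action."""
    msg = message_from_string(raw_message)
    chunks = [msg.get("Subject", "")]
    for part in msg.walk():
        if part.get_content_maintype() == "text":
            chunks.append(part.get_payload(decode=True).decode("utf-8", "replace"))
    matches = count_card_numbers("\n".join(chunks))
    for minimum, severity, action in SEVERITY_SCALE:
        if matches >= minimum:
            return matches, severity, action
    return matches, None, "deliver"

# Constructed sample message; the card numbers are public test numbers.
SAMPLE = """From: alice@example.com
To: bob@example.net
Subject: Refund details

Please refund card 4111 1111 1111 1111 and also 5555-5555-5555-4444.
Order reference 1234567812345678.
"""

if __name__ == "__main__":
    print(evaluate(SAMPLE))
```

The order reference in the sample has 16 digits but fails the Luhn check, so it is not counted as a match.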

Below are the steps to enable DLP on Cisco IronPort:

Log in to Cisco IronPort – select Security Services – click Data Loss Prevention.

By default this option will be enabled, but we now need to create DLP policies and action types based on our requirements.

It is better to enable content logging, which will appear in message tracking and helps with troubleshooting.

In this example we will run through the DLP wizard, which includes a few popular, commonly used policies. Adding custom policies is also possible in Cisco IronPort, and there are more options for adding custom ones.

An example of enabling matched content logging when DLP is enabled. This helps admins debug and find the reason why an email was blocked.

There are more common use cases; in our example we choose PCI-DSS, which is the most sensitive and must be enabled, especially for the finance teams.

Here we have an option to enable the DLP reports.

Once done, the outgoing mail policies will be configured with the PCI-DSS policy we created.

In this policy we can edit and choose the built-in DLP dictionaries based on our requirements.

There is also an option to add custom ones.

In Mail Policies there is an option to apply the policy only to a few users, matched as senders or in the recipient list.

An option to add attachments is also present.

The severity settings can be altered below.

The severity scale can be altered based on the policy and our requirements.

A custom classifier can be added.

In the classifier we have an option to choose templates from dictionary and entity.

Once done, DLP will be working for outgoing emails based on the policy and action.

Important notes:

    1. Before implementing DLP in any environment, it requires a lot of study in multiple phases, working closely with the security team, and implementing purely based on the document classification.
    2. We need to understand how sensitive data is currently handled by all the teams and identify the current risks. After this analysis, the required action plan of creating policies and actions must be carried out.
    3. End user awareness sessions are very important when dealing with DLP. Finance teams can be advised to use only more secure channels, such as Enterprise File Share DRMS solutions, for dealing with sensitive documents.
    4. Any DLP policy we create must have audit and notify-manager actions, which creates awareness among employees and makes tracking easier.

Thanks & Regards
Sathish Veerapandian
