Data Leak Prevention (DLP) systems are a good way of reducing the unintended outflow of data via e-mail. They are switched inline into the mail flow and receive all e-mails via SMTP. But how should internal e-mails be checked?

There are two ways to check outgoing e-mail. The first option is to check on the author's client. At first glance, this possibility seems very promising: e-mails are checked as early as they are typed. At second glance, however, this variant also has major disadvantages: the check must be rolled out to all e-mail clients, for example also to mobile devices. The DLP rules must also be installed on the client and kept up to date. Last but not least, remediation is also difficult: if an e-mail is incorrectly blocked on the client, the incident handler cannot release it, so other mechanisms must be implemented there.

The more elegant option is to check the e-mails at the perimeter of the corporate network. Outgoing e-mail is validated by a central component. Specialised DLP systems such as those from McAfee or Symantec provide such components. These components are installed inline in the e-mail flow and receive the e-mails via SMTP for checking.

If a violation is detected, an incident is generated in the central DLP management system and the stored processes are initiated. If an e-mail message is blocked, it is moved to a mail quarantine. If the check turns out to be a false positive, the incident handler can release the message from there.

The solution shown in the figure above impresses with its ease of operation and excellent ways of adapting processes to the needs of companies.

Larger companies in particular are divided into different areas. These areas represent not only organisational but also legal units. For this reason, e-mail traffic between areas must also be checked. Typically, the different areas share one Exchange infrastructure. When an e-mail is sent from one area to another, it never leaves the Exchange infrastructure and therefore cannot be checked by the DLP scanner. This inevitably poses major challenges for IT departments, because internal e-mails cannot easily be routed via SMTP, and at the same time DLP scanners cannot look into Exchange's internal e-mail flow. So how should this dilemma be dealt with?

Microsoft offers built-in means of examining e-mail for violations. In Exchange, you can define mail flow rules (transport rules) that can be used to check e-mail, including internal e-mail. Unfortunately, this solution has significant disadvantages compared to specialised DLP systems. The fact that the solution in its current version only supports regular expressions and static blacklists to detect violations is still manageable in most cases.

Much more serious is the fact that the means for remediating incidents are modest: violations are sent as a report to a mailbox. Automated processes cannot be implemented, or only with great difficulty. To make matters worse, checking e-mail is an important building block in the overall security concept, but it is usually not the only one in the context of DLP. Checks on file servers or Internet traffic are now standard. Central remediation of all incidents is therefore a must.
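
What the built-in Exchange approach from the two paragraphs above looks like in practice, as an added example that is not code from the original article and not part of e3 AG's solution: a transport rule scoped to internal-only mail, detecting with regular expressions and reporting hits to a mailbox. It assumes an Exchange Management Shell (or Exchange Online PowerShell) session with rights to manage transport rules; the report mailbox dlp-reports@example.com, the rule name and the patterns are constructed for illustration.

```powershell
# Added example, not code from the original article or from e3 AG: the Exchange
# built-in approach, a mail flow (transport) rule that inspects internal mail
# with regular expressions and reports violations to a mailbox.
# Assumptions: an Exchange Management Shell / Exchange Online PowerShell session
# with rights to manage transport rules, and an existing report mailbox
# dlp-reports@example.com. Addresses, rule name and patterns are constructed.

# Regular expressions are the only content test such a rule offers; a format
# match is not a checksum, so expect false positives.
$patterns = @(
    '\bCH\d{2}(?:\s?\d{4}){4}\s?\d\b',   # Swiss IBAN, numeric form, optional spaces
    '\b756\.\d{4}\.\d{4}\.\d{2}\b'       # Swiss AHV/AVS number, 756.xxxx.xxxx.xx
)

$rule = @{
    Name                            = 'DLP internal: financial identifiers'
    Priority                        = 0
    # AuditAndNotify: incident reports are sent, but nothing is blocked yet.
    # Review the reports for false positives before switching to Enforce.
    Mode                            = 'AuditAndNotify'
    # Restrict the rule to mail that never leaves the Exchange organisation,
    # i.e. exactly the traffic an inline SMTP scanner at the perimeter never sees.
    FromScope                       = 'InOrganization'
    SentToScope                     = 'InOrganization'
    SubjectOrBodyMatchesPatterns    = $patterns
    AttachmentMatchesPatterns       = $patterns      # text-extractable attachments only
    # Do not re-scan the incident reports themselves.
    ExceptIfSentTo                  = 'dlp-reports@example.com'
    # "Remediation" here is a report e-mail: the original is attached, together
    # with the pattern that fired, but there is no quarantine to release it from.
    GenerateIncidentReport          = 'dlp-reports@example.com'
    IncidentReportContent           = @('Sender', 'Recipients', 'Subject', 'Severity',
                                        'RuleDetection', 'FalsePositive', 'AttachOriginalMail')
    # Once in Enforce mode the sender receives an NDR with this text.
    RejectMessageReasonText         = 'Blocked by internal DLP rule: financial identifier found'
    RejectMessageEnhancedStatusCode = '5.7.1'
    Comments                        = 'Internal DLP check; hits are visible only in the report mailbox.'
}
New-TransportRule @rule

# Verify what was created and confirm it is scoped to internal mail only.
Get-TransportRule -Identity 'DLP internal: financial identifiers' |
    Format-List Name, State, Mode, Priority, FromScope, SentToScope,
                SubjectOrBodyMatchesPatterns, GenerateIncidentReport, IncidentReportContent

# Promote to enforcement after the audit reports have been reviewed.
Set-TransportRule -Identity 'DLP internal: financial identifiers' -Mode Enforce
```

The rule shows both limitations the text names: detection is a list of patterns with no validation beyond the regex, and the only outcome of a hit is a copy in a mailbox, which a central DLP management system cannot pick up as an incident without further integration.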

In search of a creative solution to this problem, e3 AG has combined Microsoft and McAfee solutions at a Swiss bank.
