Data Loss Prevention

  • 1.  Monitor/block emails with protective marking when leaving the company - Endpoint Prevent

    Posted Sep 22, 2016 09:05 AM

    Hi,

    Use case: Monitor/block emails with protective marking when leaving the company - Endpoint Prevent

    I believe there was similar question, but without solution. What I am trying to do is to read/extract Metadata (Boldon James Classification) from email x-header and apply DLP policy. I successfully tested this scenario with Office and PDF documents.

    Outlook client is 2016 - I am using Office 365. DLP is v14.5. Windows 10 is endpoint.

    When looking at the source code of an email tagged with Boldon James we see two headers. One is the x-bjprotectivemarking header that contains the XML tag, and it should be readable by DLP Endpoint Prevent Agent.

    This is XML from email x-header

    x-bjprotectivemarking: <?xml version="1.0" encoding="us-ascii"?><sisl 
     xmlns:xsd="http://www.w3.org/2001/XMLSchema" 
     xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" sislVersion="0" 
     policy="44f32080-3e64-4622-8077-881f70ed6243" origin="userSelected" 
     xmlns="http://www.boldonjames.com/2008/01/sie/internal/label"><element 
     uid="a0a6e195-c794-46be-ab8a-4dc3e215dcde" value="" /></sisl>
    classification: Internal

    To be able to detect on those protective markings two strings need to be extracted from the Boldon James configuration files.

    • policy ID: (policy="44f32080-3e64-4622-8077-881f70ed6243") 
    • uid ID (uid="a0a6e195-c794-46be-ab8a-4dc3e215dcde" ) - refers to classification: Internal

    Metadata and Header detection are enabled on Enforce SRV.

    Policy detection strategy:

    The BoldonJames tag is seen by DLP as a XML data string. In this data string there is a reference to the Boldon James policy ID and an element uid ID that defines the classification level / protective marking. All other information in the XML string is not of value for the task of detecting a Boldon James tag. It can be assumed that the string defining the policy ID and the classification label uid appear within a certain range of words in this string, so the approach is to use the “Keyword Proximity Matching” option in the “Keyword” rule of DLP to detect the appearance of the policy ID and the classification label uid within a number of words distance. This distance cannot be clearly defined as it is not exactly defined when DLP treats a tag within the XML string as a “word”, so the tests were successfully performed by using the number 20 as distance.

    In this example I defined the policy to match on the following two expressions appearing within the range of 20 words:

    • Expression A: policy="44f32080-3e64-4622-8077-881f70ed6243"
    • Expression B: uid="a0a6e195-c794-46be-ab8a-4dc3e215dcde" 

    The following screenshots show examples on how to define a policy to match on a Boldon James tag:

    [image: DLP.jpg]

    This works perfectly with Office docs, PDFs... except Outlook. It also works with attachments in Outlook emails.


    Anyone with similar scenario? Any solution?

    Thanks in advance

    Regards

    D.



  • 2.  RE: Monitor/block emails with protective marking when leaving the company - Endpoint Prevent
    Best Answer

    Posted Sep 22, 2016 09:50 AM

    Hello,


    I tested some time ago Boldon James and DLP with smtp/outlook so will give an insight on this:

    Tagging the x-header of your emails won't be enough to prevent them from leaving the company, since this information is only added to the email metadata once the emails are sent, so the agent won't be able to detect it (using Endpoint Prevent license). However, you will be able to detect the x-header on network traffic, so if you use for example Network Prevent license you can control (block/retain) the email.

    The most common practice here with Boldon James is to insert a tag in the “first line of text” of the email body or subject. Then the agent will be able to extract the information and block it before it is sent.


    BR,
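The two detection approaches discussed above, the x-header check from the first post (extract the policy and uid values from the x-bjprotectivemarking XML and confirm they occur within 20 words of each other, as the Keyword Proximity rule does) and the first-line-of-body tag from the Best Answer, as an added Python example. This is not code from the thread, from Symantec DLP or from Boldon James: the sample message is constructed around the header values quoted in the first post, the uid-to-label mapping is assumed from the thread's statement that this uid refers to Internal, and whitespace tokenization is an assumption standing in for DLP's own, undocumented word boundaries.

```python
import email
import re
import xml.etree.ElementTree as ET

# Constructed sample message. The x-bjprotectivemarking and classification
# header values are the ones quoted in the thread (folded exactly as shown);
# addresses, subject and body text are made up for this example.
RAW_EMAIL = """\
From: alice@example.com
To: bob@example.net
Subject: Q3 figures
x-bjprotectivemarking: <?xml version="1.0" encoding="us-ascii"?><sisl
 xmlns:xsd="http://www.w3.org/2001/XMLSchema"
 xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" sislVersion="0"
 policy="44f32080-3e64-4622-8077-881f70ed6243" origin="userSelected"
 xmlns="http://www.boldonjames.com/2008/01/sie/internal/label"><element
 uid="a0a6e195-c794-46be-ab8a-4dc3e215dcde" value="" /></sisl>
classification: Internal
Content-Type: text/plain; charset=us-ascii

Classification: Internal
Bob, the figures we discussed are attached.
"""

BJ_NS = "http://www.boldonjames.com/2008/01/sie/internal/label"

# The two expressions the first post matches on with Keyword Proximity.
EXPR_A = 'policy="44f32080-3e64-4622-8077-881f70ed6243"'
EXPR_B = 'uid="a0a6e195-c794-46be-ab8a-4dc3e215dcde"'

# Assumed uid -> label mapping (the thread says this uid refers to Internal).
# In a deployment this comes from the Boldon James configuration files.
UID_LABELS = {"a0a6e195-c794-46be-ab8a-4dc3e215dcde": "Internal"}


def unfold_header(value):
    """Join a folded (multi-line) header value back into a single line."""
    return "".join(value.splitlines())


def parse_marking(xml_text):
    """Return (policy_id, uid) from a Boldon James sisl XML string."""
    root = ET.fromstring(xml_text)
    element = root.find(f"{{{BJ_NS}}}element")
    uid = element.get("uid") if element is not None else None
    return root.get("policy"), uid


def extract_marking(raw_email):
    """Read the x-bjprotectivemarking header of a raw RFC 5322 message.

    Returns None when the header is absent, which is what an endpoint agent
    sees on Outlook mail: per the Best Answer, the header is only added at
    send time, so endpoint-side detection must use the body tag instead.
    """
    msg = email.message_from_string(raw_email)
    header = msg.get("x-bjprotectivemarking")
    if header is None:
        return None
    xml_text = unfold_header(header)
    policy_id, uid = parse_marking(xml_text)
    return {
        "policy": policy_id,
        "uid": uid,
        "label": UID_LABELS.get(uid, "unknown"),
        "raw": xml_text,
    }


def keyword_proximity(text, expr_a, expr_b, max_words=20):
    """Approximation of the DLP Keyword Proximity rule: True when both
    expressions occur within max_words whitespace-delimited tokens of each
    other. Whitespace tokenization is an assumption, not DLP's algorithm."""
    tokens = text.split()
    pos_a = [i for i, t in enumerate(tokens) if expr_a in t]
    pos_b = [i for i, t in enumerate(tokens) if expr_b in t]
    return any(abs(a - b) <= max_words for a in pos_a for b in pos_b)


def first_line_marking(raw_email):
    """Return the label from a 'Classification: <label>' tag on the first
    line of the text/plain body, the placement the Best Answer recommends
    for endpoint detection. Returns None when no such tag is present."""
    msg = email.message_from_string(raw_email)
    part = next((p for p in msg.walk() if p.get_content_type() == "text/plain"), None)
    if part is None:
        return None
    body = part.get_payload(decode=True).decode(part.get_content_charset() or "utf-8")
    lines = body.strip().splitlines()
    first_line = lines[0] if lines else ""
    match = re.match(r"^Classification:\s*(.+?)\s*$", first_line, re.IGNORECASE)
    return match.group(1) if match else None


if __name__ == "__main__":
    marking = extract_marking(RAW_EMAIL)
    print("header marking:", marking)
    print("proximity match (20 words):", keyword_proximity(marking["raw"], EXPR_A, EXPR_B))
    print("first-line body tag:", first_line_marking(RAW_EMAIL))
```

Run against the constructed message, extract_marking returns the policy and uid values from the first post with label Internal, the proximity check matches at the default 20-word window (the two expressions are only three tokens apart in the unfolded header), and first_line_marking returns Internal from the body tag. On a message with no x-bjprotectivemarking header, as an endpoint agent sees it before send, extract_marking returns None while the body check still works.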



  • 3.  RE: Monitor/block emails with protective marking when leaving the company - Endpoint Prevent

    Posted Sep 22, 2016 10:28 AM

    Great! Thanks! It solves this.


    BR



  • 4.  RE: Monitor/block emails with protective marking when leaving the company - Endpoint Prevent

    Posted Oct 16, 2016 05:35 AM

    Hello Tasa,

    I need to extract hidden bookmark information from Word documents. The customer is marking confidential documents with bookmark.

    Do you know how can I extract it from metadata? I have tried with keyword matching also, but it didn't work.

    Also, your picture with the policy is not clear, can you repost it please?

    Thanks,

    Nikola



  • 5.  RE: Monitor/block emails with protective marking when leaving the company - Endpoint Prevent

    Posted Oct 18, 2016 07:52 AM

    Hi Nikola,

    I haven't worked with bookmarks, only with Data Classification tools. What is shown on the picture is metadata from the Data Classification XML Policy configuration:

    policy="44f32080-3e64-4622-8077-881f70ed6243"

    uid="a0a6e195-c794-46be-ab8a-4dc3e215dcde" - this refers to Internal document classification

    [image: Untitled.jpg]

    Regards

    D.