Clearswift CCPSP Clearswift ARgon for Email
2
What is ARgon for Email?
• Adaptive Redaction solution
• Complements existing email security and Data Loss Prevention (DLP) solutions
• Addresses issues with traditional DLP solutions
• Delivers enhanced
– Risk mitigation
– Critical information protection
3
Clearswift ARgon for Email
[Diagram labels: Users; Email Server; Clearswift ARgon for Email; Email Gateway/Managed Service; Internet]
4
Complementary, Not Duplication
Anti Virus | Anti Spam | Reporting | DLP Policies | Data Redaction | Document Sanitization | Structural Sanitization
3rd Party Email Gateway (Additional Feature): ✗ ✗ ✗
ARgon for Email: ✗ ✗
Augments existing email gateway technologies
Adaptive Redaction
5
What’s the value to you?
• Overcome “we’ve got one already” objection
• Complements existing portfolio
• Faster sales
• Growing market
– DLP 26%
– SEG 2%
– SWG 7%
– Source: Gartner “Forecast: Information Security, Worldwide, 2012-2018, 2Q14 Update”
6 © Clearswift 2015
Why Does a Client Need ARgon for Email?
7
New Information Risks
• Targeted attacks
• Hidden information
[Diagram labels: Users; Email Server; Email Gateway/Managed Service; Internet; Document + Malicious Active Content; Document + Sensitive Information]
8
Traditional DLP Pain Points
Long time to become effective
Stops the whole transmission
Large manual processing overhead
Can miss “hidden” sensitive information
9
Clearswift ARgon for Email
• Instant risk mitigation
• Protects critical information, reduces traditional DLP false positives and enables secure continuous collaboration
[Diagram labels: Users; Email Server; Clearswift ARgon for Email; Email Gateway/Managed Service; Internet; Document + Sensitive Information; Document + Malicious Active Content; Redacted and Sanitized Document; Sanitized Document]
10
Adaptive Redaction
• Data redaction
– Remove sensitive information
• Document sanitization
– Remove meta-data, version and document history
• Structural sanitization
– Removes active content
11
Data Redaction
Problem
• Risk that confidential information may be shared inappropriately
• Business stops due to conventional DLP ‘stop and block’ functionality
• Real risks lost amongst noise
Solution
• Automatically remove sensitive information from emails and documents
• Share information without breaking legislative requirements (e.g. PCI DSS)
• Avoid unnecessary barriers
• Identify real risks
12
Data Redaction
How
• Detects sensitive information and removes it
• Redacted document delivered
• Policy driven
• Automated
• Works in both directions
[Diagram labels: Senders; Email Server; Clearswift ARgon for Email; Email Gateway/Managed Service; Recipients; Document + Sensitive Information; Redacted Document (**** **** ****)]
13
Supported File Types
File Type Extensions
HTML .htm .html
Microsoft Word document (2007+) .docx .docm .dotx .dotm
Microsoft Excel spreadsheet (2007+) .xlsx .xlsm .xltx
Microsoft PowerPoint presentation (2007+) .pptx .pptm .potx .ppsx .ppsm .thmx
OpenOffice Writer .odt
OpenOffice Calc .ods
OpenOffice Impress .odp
OpenOffice Graphic .odg
OpenOffice Master .odm
OpenOffice Math .odf
Adobe PDF (portable document format) .pdf
Rich Text Format encoded document .rtf
Notepad/Plain text .txt
14
Document Sanitization
Problem
• Organizations need to collaborate with third parties
• Sensitive information can be exposed in meta-data, track changes, quick save, etc.
• Users often not aware of risk
Solution
• Automatically detect and remove sensitive information from documents
• Prevent embarrassing disclosures
• Users can still share documents without unnecessary barriers
15
Document Sanitization
What they thought they sent
What they actually sent
What we sent for them
16
Document Sanitization
• Detects and removes
– All/selected document properties
– Revision histories
• Policy driven
• Automated
[Diagram labels: Senders; Email Server; Clearswift ARgon for Email; Email Gateway/Managed Service; Recipients; Document + Sensitive Information; Sanitized Document]
17
Supported File Types
File Type Extensions
Microsoft Word document (2007+) .docx .docm .dotx .dotm
Microsoft Excel spreadsheet (2007+) .xlsx .xlsm .xltx
Microsoft PowerPoint presentation (2007+) .pptx .pptm .potx .ppsx .ppsm .thmx
OpenOffice Writer .odt
OpenOffice Calc .ods
OpenOffice Impress .odp
OpenOffice Graphic .odg
OpenOffice Master .odm
OpenOffice Math .odf
Adobe PDF (portable document format)
18
Structural Sanitization
Problem
• Risk of malware embedded in common file formats
• Threat increasing
• Common vector for exploits leading to loss of data
Solution
• Automatically detect and remove active content
• Improved defense from malware
• Users can still transmit/receive valid content
19
Structural Sanitization
• Removes active content from communications
• Protects against embedded APTs
• Ensures information is shared safely and without disruption
[Diagram labels: Senders; Email Server; Clearswift ARgon for Email; Email Gateway/Managed Service; Recipients; http://xxxxxxstralia.com.au/flash/uss05.exe; All active content removed; Document + Macros + Embedded DLLs; Sanitized Document]
20
Supported File Types
File Type Extensions
HTML .htm .html
Microsoft Word document (2007+) .docx .docm .dotx .dotm
Microsoft Excel spreadsheet (2007+) .xlsx .xlsm .xltx
Microsoft PowerPoint presentation (2007+) .pptx .pptm .potx .ppsx .ppsm .thmx
OpenOffice Writer .odt
OpenOffice Calc .ods
OpenOffice Impress .odp
OpenOffice Graphic .odg
OpenOffice Master .odm
OpenOffice Math .odf
Adobe PDF (portable document format)
Rich Text Format encoded document .rtf
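Where the information named on the Document Sanitization and Structural Sanitization slides sits inside an Office Open XML file, as an added example (not Clearswift code and not part of the original slides). The part names are standard OOXML; the sample package and every value in it are constructed.

```python
import io
import zipfile
import xml.etree.ElementTree as ET  # for untrusted files prefer a hardened parser

W = "{http://schemas.openxmlformats.org/wordprocessingml/2006/main}"

def audit_docx(data):
    """Report hidden information and active parts in a .docx/.docm package."""
    report = {"properties": {}, "insertions": 0, "deletions": 0,
              "deleted_text": [], "active_parts": []}
    with zipfile.ZipFile(io.BytesIO(data)) as package:
        names = package.namelist()
        if "docProps/core.xml" in names:
            # Document properties: author, last editor, timestamps, ...
            for element in ET.fromstring(package.read("docProps/core.xml")):
                if element.text:
                    name = element.tag.split("}")[-1]  # drop the XML namespace
                    report["properties"][name] = element.text
        if "word/document.xml" in names:
            # Revision history: tracked insertions and deletions stay in the
            # file, including the text the author believes was removed.
            body = ET.fromstring(package.read("word/document.xml"))
            report["insertions"] = sum(1 for _ in body.iter(W + "ins"))
            report["deletions"] = sum(1 for _ in body.iter(W + "del"))
            report["deleted_text"] = [t.text for t in body.iter(W + "delText")]
        # Active content: VBA macro storage and embedded objects.
        report["active_parts"] = sorted(
            n for n in names
            if n.endswith("vbaProject.bin") or "/embeddings/" in n)
    return report

def build_sample():
    """Constructed sample: the few parts audited above, not a full Word file."""
    core = ('<cp:coreProperties xmlns:cp="http://schemas.openxmlformats.org/'
            'package/2006/metadata/core-properties" '
            'xmlns:dc="http://purl.org/dc/elements/1.1/">'
            '<dc:creator>j.smith</dc:creator>'
            '<cp:lastModifiedBy>legal-review</cp:lastModifiedBy>'
            '</cp:coreProperties>')
    document = ('<w:document xmlns:w="http://schemas.openxmlformats.org/'
                'wordprocessingml/2006/main"><w:body><w:p>'
                '<w:r><w:t>Fee: </w:t></w:r>'
                '<w:del w:id="1" w:author="j.smith"><w:r>'
                '<w:delText>120,000</w:delText></w:r></w:del>'
                '<w:ins w:id="2" w:author="j.smith"><w:r>'
                '<w:t>90,000</w:t></w:r></w:ins>'
                '</w:p></w:body></w:document>')
    buffer = io.BytesIO()
    with zipfile.ZipFile(buffer, "w") as package:
        package.writestr("docProps/core.xml", core)
        package.writestr("word/document.xml", document)
        package.writestr("word/vbaProject.bin", b"constructed placeholder bytes")
        package.writestr("word/embeddings/oleObject1.bin", b"constructed placeholder")
    return buffer.getvalue()

if __name__ == "__main__":
    print(audit_docx(build_sample()))
```

The `deleted_text` field is the "what they actually sent" case: the superseded figure is still readable by the recipient even though the author sees only the replacement.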
21
ARgon Benefits – No DLP
• Not disruptive
• Quickly reduce risk posture
• Reduce management overhead
• Identify real issues
• Rapid ROI
22
ARgon Benefits – Existing DLP
• Complementary
• Quickly reduce risk posture
• Reduce management overhead
• Identify real issues
• Rapid ROI
23
Why don’t I just sell a SEG/SXG?
SEG | ARgon for Email | SXG
3rd party gateway compatibility ✗
Inbound email
Outbound email
Internal email ✗ ✗
Anti-virus ✓ ✗ Cost option
Anti-spam ✗ ✗
Reporting AR focused
DLP policies
Adaptive Redaction Cost option Cost option
Default AR policy ✗ ✗
Encryption Cost option TLS only ✗
IG Server integration Roadmap
24
Included and Excluded Features
Included
• Data Redaction
• Document Sanitization
• Structural Sanitization
• Analyze Properties
• Lexical Analysis
• Detect Media Type
• Detect Filenames
Excluded
• SpamLogic
• ImageLogic
• Attachment Limiter
• Message size limiter
• Structural Validation
• Message Archiving (Relay and BCC)
25
ARgon Deployment - Platforms
• Developed on SEG V4 core technology
– Red Hat Enterprise Linux x64 6.6
– 64 bit operating system
• Physical/soft appliance
• Virtual appliance
– vSphere
– Hyper-V
• No hosted service at launch
26
Building a Business Case
27
Building a Business Case
• Risk of new threats and critical information protection
• Probability of incident
• Accidental and malicious
• Complementary offering
• Research
• Push PoV
28
ARgon Sales Cycle
[Diagram labels: Awareness and Value Meeting; PoV; PoV Results & Business case; Report; Cost/Benefit Analysis; Operational System Installed]
29
ARgon Deployment – Proof of Value
• Side car deployment
• No impact to business email
• Copies of all live email sent to ARgon for analysis
• Shows “What would have happened”
Most boundary gateways can deliver the original message AND a duplicate message for processing on the ARgon platform, to demonstrate value without interrupting email flow.
[Diagram labels: DMZ; LAN; Email Hygiene Gateway; ARgon for Email; IronPort C160™ Email Security Appliance; Exchange Server]
30
ARgon Deployment – Live Deployment
[Diagram labels: DMZ; LAN; Email Hygiene Gateway; ARgon for Email; IronPort C160™ Email Security Appliance; Exchange Server]
• Located downstream from the existing email filtering solution
• Located within the internal network
• Message management controlled by business units and security
31
Filtering Rules
[Diagram labels: IronPort C160™ Email Security Appliance; Exchange Server; AV + AS Hygiene rules; Outbound Rules; Inbound AR Rules; Outbound AR Rules]
32
Message Holding Areas
[Diagram labels: IronPort C160™ Email Security Appliance; Exchange Server; Hygiene; AR; IT Admins; Business Admins]
33
Services
• Installation and configuration
– Out of the box policy
– Keep cost of purchase low
– Average duration: 1 day
• Advanced policy definition
– Includes AR Policy Definition Workshop
– Advanced policy configuration
– Average duration: 3 days
• Health check
– System and policy review
– Average duration: 1 day
• Training
– Duration: 1 day
34
Objection Handling
Competitor Approach
“We’ve got a manual process.”
• People forget and make mistakes
• Need to ensure employees are trained on latest policies and how to implement them properly
“We’ve already got an email gateway/managed service.”
• Push new threats and critical information protection
• Highlight benefit of reducing management of false positives and “standard” sensitive items
“We use encryption to protect against data loss.”
• Highlight that this is only useful when it’s appropriate for that data to be shared with that person
• Doesn’t protect against accidental/malicious data loss
35
Objection Handling
Competitor Approach
“We’re considering a DLP suite.”
• Emphasise that ARgon can complement whatever solution they eventually choose
• Stress that ARgon can start to mitigate risk from day one
• Push new threats and critical information protection
• Position away from a full DLP solution
“We’ve got a DLP suite.”
• Push new threats and critical information protection
• Emphasise that ARgon can complement whatever solution they have
• Highlight benefit of reducing management of false positives and “standard” sensitive items
36
Competitors
Competitor Approach
Glasswall
• Only Structural Sanitization
Symantec
• Only Structural Sanitization
• Not on all products (e.g. cloud)
NextLabs
• Data Redaction and Document Sanitization at end point (works within email clients)
OpenText
• Data Redaction and Document Sanitization
• Manual/automated process
Mimecast
• Document Sanitization
• Performed in the cloud solution
• Uses the Microsoft Document Inspector and removes revision history, etc.
• Can convert file to PDF
Titus
• Data Redaction
• Manual process that only ‘blacks out’ sensitive content
37
Competitors
Competitor Approach
McAfee Endpoint DLP
• Can automate sensitive data [creates clear text]
• Authorized user can then review redacted content via ePO
Microsoft Document Inspector
• Removes revision history
• Manual process
Websense
• Data Redaction
• Part of Data at Rest DLP function
Adobe Acrobat Pro
• Redact text and images
• Manual process
Appligent
• Redax product automatically redacts content in PDF documents
OmniX
• Automated text redaction for litigation services
38
Installation
39
Clearswift ARgon for Email
[Diagram labels: Users; Email Server; Clearswift ARgon for Email; Email Gateway/Managed Service; Internet]
40
Platforms
• Hardware
– Any platform supported by Red Hat Enterprise Linux x64 6.6
• Virtual
– VMware vSphere 5.5
– Microsoft Hyper-V 2008 R2 server
– Microsoft Hyper-V 2012 R2 server
41
ARgon for Email Sizing
Message Volume | Processor | Number of Processors | Memory | Disk | Raid
Low (<20,000 per hour) | Dual Core | 1 | 4GB | 320GB+ SATA/SCSI | Optional
Medium (<50,000 per hour) | Dual/Quad Core Xeon | 1 | 4GB | 320GB+ SATA/SCSI | Optional
High (<60,000 per hour) | Dual/Quad Core Xeon | 1 | 6GB | 2 x SAS 15k RPM | Yes (1)
Very High (>60,000 per hour) | Quad Core Xeon | 2 | 6GB | Multiple SAS 15k RPM | Yes (1, 10)
42
Ports and Protocols – External Connections
Description | Protocol | Port | Hostname/URL | Current IP Address
DNS | UDP | 53 | |
Product updates | TCP | 80 | repo.clearswift.net |
Online help | TCP | 80 | apphelp.clearswift.com | 79.125.18.99
RSS Feed | TCP | 80 | www.clearswift.com | 162.13.22.202
Service availability list | TCP | 80 | services1.clearswift.net, services2.clearswift.net, services3.clearswift.net | 72.21.192.0/19, 207.171.160.0/19, 87.238.86.0/23, 178.236.4.0/19, 89.21.228.84
43
Ports and Protocols – External Connections
Description | Protocol | Port | Hostname/URL | Current IP Address
NTP server | UDP | 123 | time.clearswift.net | Forms part of the NTP Pool project
License key validation | TCP | 443 | applianceupdate.clearswift.com | 213.146.158.142, 46.227.51.215
Managed list downloads | TCP | 443 | applianceupdate.clearswift.com | 213.146.158.142, 46.227.51.215
44
Ports and Protocols – Internal Connections
Description | Protocol | Port | Comment
FTP | TCP | 20, 21 | For backing up and restoring the system
SSH | TCP | 22 | Secure console access
SFTP Lexical data import | TCP | 22 | To the server containing the lexical data
HTTP | TCP | 80 | Browser access to the Manage via Inform UI
SNMP alerts | UDP | 162 | SNMP alerts from the system
45
Ports and Protocols – Internal Connections
Description | Protocol | Port | Comment
LDAP (Address lists) | TCP | 389, 3268, 3269 | For accessing directory servers; Accessing Global Catalogue server (normal and secure)
HTTP/S | TCP | 443 | Browser access to the management UI; Peer communications
SYSLOG export | TCP | 514 | To the central SYSLOG server
FTPS Lexical data import | TCP | 990 | To the server containing the lexical data
46
Installation
• ARgon for Email ISO stored on either
– Removable USB drive
– Clearswift AR V4 DVD
• Minimum
– 4 GB RAM
– 200 GB hard drive
47
Install RHEL 6.6
• Insert ARgon for Email disc and reboot
• Select Install ARgon for Email option
• Configure network settings
• Select language
• Select keyboard type
• Select time zone
– Recommended: select the “System clock uses UTC” option
• System will reboot
48
ARgon for Email Console
• Default credentials
– User: cs-admin
– Password: password
• Use the menu to
– Change network settings
– Download and apply updates
– Reset the user interface access control settings
– Reset the admin, or cs-admin passwords
– Access the command line
49
Post Installation Wizard
• Corporate email servers
• Boundary email solution
• Web proxy
• Passwords
50
Default Policy
51
Default Policy
• Monitor routes
– Detect active content
– Lexical analysis
• Remediate routes
– Structural Sanitization
– Document Sanitization
– Data Redaction
52
Default Policy - Inbound
• Sanitize Inbound Active Content
• Fail to Modify a Message
• Fail to Process a Message
53
Default Policy - Outbound
• Sanitize Outbound Active Content
• Detect and Redact Outbound PCI Text
• Detect and Redact Outbound PII Text
• Detect and Redact Confidential Material Outbound
• Sanitize Outbound Document Properties
• Fail to Modify a Message
• Fail to Process a Message
54
Best Practice
• Data Redaction, Document Sanitization and Structural Sanitization rules are always enforced
• Position within content rules table does not matter
• Unless need to deliver and keep copy
– Position towards bottom of table
– Below quarantine rules
55
Best Practice – Disposal Actions
• When adding Data Redaction, Document Sanitization and Structural Sanitization rules
– On successful
– On unsuccessful
– Annotations
– Informs
56
Message Management
• Original message
– No redaction or sanitization
• Modified message
– All redaction and sanitization
57
Single Quarantine
• Client may wish to manage quarantined messages from existing boundary email solution
• Configure content rule
– Primary disposal action: Deliver
– What else to do: add X-Header or annotate message
• Scan for X-Header/annotation on existing email solution
• Not suitable for Data Redaction, Document Sanitization and Structural Sanitization rules
58
Lexical Expression Qualifiers
59
Lexical Expression Qualifiers
• Search for items which match specific entries in a source file (e.g. Patient ID numbers, credit card numbers, etc.)
• Offer improved DLP capabilities
• Reduced false positives
• Support for 10 million items
• Configure qualifier to reference particular data set and unique Key Field
[Diagram labels: Database; Windows Platform; TSV File; Obfuscated File; Clearswift ARgon for Email]
60
Preparing Your Data
• Use ffcreate utility to convert TSV files into Gateway compatible data sets
• Input files must
– Be a flat tab-delimited file
– Be encoded in UTF-8
– Not contain column headers
– Consist of entries on separate rows
– Not contain header properties
61
Preparing Your Data Set
• To convert an input file to a data set
– Prepare input file as tab-separated data
– Save file in a directory
– Run ffcreate command line utility in same directory
– You need to install one of the following packages:
  • 32 bit: http://www.microsoft.com/en-us/download/details.aspx?id=5555
  • 64 bit: http://www.microsoft.com/en-us/download/details.aspx?id=14632
– Configure the key fields and the structure of your output file using the command line:
  • ffcreate -k <key_name> -s <schema> -i <input_file> -o <output_file>
  • <key_name> - must consist of alphanumeric characters only: a-z, A-Z and 0-9
  • <schema> - index of the columns available in your input file
  • <input_file> - must include the file extension
  • <output_file> - must append with the extension .leq
– Each Key field must match a unique reference in the schema
– Import the data set
  • Automatically
  • Manually
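A pre-flight check for the input file and the ffcreate argument values, applying the rules from the two "Preparing Your Data" slides before the sensitive source data is converted. This is an added example, not Clearswift code and not part of the original slides; the header detection is a heuristic, one row is assumed to be one item, and the sample inputs are constructed.

```python
import re
from pathlib import PurePath

MAX_ITEMS = 10_000_000  # slides: support for 10 million items (one row = one item assumed)

def check_ffcreate_args(key_name, input_file, output_file):
    """Check -k, -i and -o values against the naming rules on the slide."""
    problems = []
    if not re.fullmatch(r"[A-Za-z0-9]+", key_name):
        problems.append("key name: only a-z, A-Z and 0-9 are allowed")
    if not PurePath(input_file).suffix:
        problems.append("input file: name must include the file extension")
    if not output_file.endswith(".leq"):
        problems.append("output file: name must end with .leq")
    return problems

def _has_digit(row):
    return any(ch.isdigit() for ch in row)

def check_input_bytes(raw):
    """Check raw input-file bytes; return a list of problems (empty = pass)."""
    try:
        text = raw.decode("utf-8")
    except UnicodeDecodeError as exc:
        return [f"encoding: not UTF-8 (bad byte at offset {exc.start})"]
    rows = text.splitlines()
    if not rows:
        return ["content: file is empty"]
    problems = []
    if len(rows) > MAX_ITEMS:
        problems.append(f"size: {len(rows)} rows is more than {MAX_ITEMS}")
    width = rows[0].count("\t") + 1
    for number, row in enumerate(rows, start=1):
        if not row.strip():
            problems.append(f"row {number}: blank line")
        elif row.count("\t") + 1 != width:
            problems.append(f"row {number}: expected {width} tab-separated fields")
    # Heuristic (assumption): real entries such as IDs or card numbers contain
    # digits, so a digit-free first row above digit-bearing rows is a header.
    if len(rows) > 1 and not _has_digit(rows[0]) and all(map(_has_digit, rows[1:])):
        problems.append("row 1: looks like a column header")
    return problems

# Constructed sample inputs (not real data).
GOOD = "P0001\tAlice Example\nP0002\tBob Example\n".encode("utf-8")
WITH_HEADER = "PatientID\tName\nP0001\tAlice Example\n".encode("utf-8")
RAGGED = "P0001\tAlice Example\nP0002\n".encode("utf-8")
LATIN1 = "P0001\tZo\u00eb Example\n".encode("latin-1")

if __name__ == "__main__":
    for label, sample in [("good", GOOD), ("header", WITH_HEADER),
                          ("ragged", RAGGED), ("latin-1", LATIN1)]:
        print(label, check_input_bytes(sample) or "ok")
    print(check_ffcreate_args("patient-id", "patients", "patients.dat"))
```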
62
Importing Your Data
• Use the Lexical Data Import page to configure how and when the Gateway imports your data
– Import Schedule
  • Specify time of day for import
– Server Settings
  • Server type
  • Address
  • Port
  • Use authentication
  • User name
  • Password
  • Use untrusted certificate
– Import Files
  • Select the paths required to locate your input files
63
Creating a Lexical Expression Qualifier
• From the Policy Center Home page, click Lexical Expressions
• Select the Lexical Expression Qualifiers tab
• Click New
• Use the Overview section to name your qualifier
• Use the Manage Lexical Expression Qualifier panel to configure:
– Data Set: the *.leq file containing your data
– Key Field: the column (key) in the data set which you want the qualifier to use
• Click Save
64
Adding a Qualifier to an Expression
• You can only use lexical expression qualifiers with Custom Expressions
• To add a qualifier to an expression:
– From the Policy Center Home page, click Lexical Expressions
– Select the Lexical Expressions tab and edit an expression list/create a new one
– Select Custom Expression from the Use drop-down menu
– Enter your custom lexical expression, using a Predefined or User defined pattern
– The qualifier must be inserted after the PATTERN and before the closing period.
• For example: .PATTERN=CCNUMBER|.
– Use the Qualifiers tab to select your qualifier and add it to the expression
– Click Add
65
Collateral and Roadmap
66
Collateral
• Sales presentation
• Solution paper
• Use case white paper
• ARgon vision slides and paper
• Objection handling FAQs
• Competitive positioning
• Telemarketing scripts
67
Roadmap
Note: All dates and functionality subject to change
Timeline quarters (2015 to 2016): Apr – May – Jun | Jul – Aug – Sep | Oct – Nov – Dec | Jan – Feb – Mar
ARgon for Web V1.0
• Adaptive Redaction
• IGS integration
• English and Japanese
ARgon for Email V1.1
• Japanese
ARgon for Email V1.0
• Adaptive Redaction
• English only
ARgon for ICAP V1.1
• IGS integration
ARgon for Exchange V1.0
• Adaptive Redaction
• English and Japanese
ARgon for Email V1.2
• IGS integration
ARgon for ICAP V1.0
• Adaptive Redaction
• English and Japanese
ARgon for Exchange V1.1
• IGS integration
68
Frequently Asked Questions
69
FAQ
• What vendors’ solutions does ARgon work with?
– Any solution that can pass SMTP emails to ARgon
• Does the client need to purchase all 3 AR features?
– Yes, they are all included in the subscription cost
• Can I peer an ARgon with an SEG/SWG/SXG/SIG?
– No, only other ARgon systems
• Can I upgrade an ARgon to a SEG?
– No direct upgrade path, will require a new installation
– Potential to offer service to migrate policy and add hygiene components
70
Summary
71
Clearswift ARgon for Email
• Adaptive Redaction solution
• Complements existing email security and Data Loss Prevention (DLP) solutions
• Addresses issues with traditional DLP solutions
• Delivers enhanced
– Risk mitigation
– Critical information protection
Selling Clearswift ARgon for Email
“Providing organizations a solution to rapidly protect their critical information without harming productivity, or replacing their current operational infrastructure.”