Titus and Cisco IronPort Integration Guide Improving Outbound and ...

Information in this document is subject to change without notice. Complying with all applicable copyright laws is theresponsibility of the user. No part of this document may be reproduced or transmitted in any form or by any means, electronicor mechanical, for any purpose, without the express written consent of TitusTitus may have patent applications, trademarks, copyrights or other intellectual property rights covering subject matter in thisdocument.Copyright 2008-10 TitusImage of Cisco IronPort Email Security Appliance courtesy of Cisco Systems, Inc. Unauthorized use not permitted.IronPort, the IronPort logo and SenderBase are registered trademarks of Cisco Systems, Inc. or its affiliates.Microsoft Windows, Windows 2000, Windows XP, Windows Server 2003, Microsoft Windows Rights Management Services, andMicrosoft SharePoint are either registered trademarks or trademarks of Microsoft Corporation in the U.S.A. and/or othercountries.At Titus we work to help businesses better manage and secure valuable corporate information. Our focus is on building policymanagement solutions that make it easier for IT administrators to protect and manage corporate correspondence includingemail and documents.For further information, contact us at (613) 820-5111 or email us at info@titus.comwww.titus.comwww.titus.com Titus and Cisco IronPort Integration Guide | 2

1.0 | AbstractInformation classification is an important foundation for a comprehensive information securitymanagement plan. When information is properly classified it enables organizations and the peoplewithin them to more effectively enforce security controls at the same time it simplifies informationsharing through various communication channels, most notably through email.While email has become an indispensable tool of modern communications its use has also been at thecenter of numerous security and privacy breaches in government and commercial organizations. Inresponse regulatory frameworks and organizational best practices for email security controls haveevolved considerably over the past five years, as have the tools that enable them.This paper will focus on email security controls enabled through the use of email and documentclassification with a particular focus on technical integration of the Titus Message Classification productand IronPort Email Security Appliance. The use of these two products together enables morecomprehensive security controls while providing the flexibility to ensure productivity is not undulyimpacted. To illustrate how these products can be used together several usage scenarios relevant toemail security controls are described and configuration guidance is provided to enable them.www.titus.com Titus and Cisco IronPort Integration Guide | 4

2.0 | What is Classification?Classification is a technique for adding labels or protective markings and metadata to email anddocuments. If applied judiciously, it offers an effective strategy for managing and controlling email anddocument content.Often referred to as “Classifications” or “Labels” or “Tags”, this information can take many differentforms and vary in complexity between businesses, often dependent on the regulatory requirementsbeing imposed upon the industry.In their simplest form they are labels or visual markings found in prominent locations in emails anddocuments to inform the reader to the sensitivity with which the asset should be considered.The most common locations in emails are:• Email Subject (prefix, postfix, abbreviated);• Email Body (prefix, postfix, custom fonts, supports HTML); and• Metadata within the MAPI property or SMTP message header (x-header).Figure 1 - Locations for Email Classification InformationThe most common locations in documents are:• Within the document header & footer sections;• As a watermark across the document; and• Metadata within the custom properties of the document.www.titus.com Titus and Cisco IronPort Integration Guide | 5

Figure 2 - Locations for Document Classification Informationwww.titus.com Titus and Cisco IronPort Integration Guide | 6

3.0 | Business DriversGovernment agencies and the military have historically faced higher expectations than otherorganizations in the handling of information. Governments hold sensitive information in the public trustand are ultimately answerable to the public. As such they place stringent safeguards on the handling andsafeguarding of that information in the traditional ‘paper’ world and have been early adopters ofclassification concepts in the digital world as well.Classifying emails by applying labels and metadata presents an obvious opportunity for governments’efforts to manage and control electronic communications. Through the use of security procedures andserver-based content scanning which complement user-based classification, governments can ensurethat private or confidential information is protected from unintended or illegal disclosure, whileensuring citizens’ timely and cost effective access to public records and personal information under fairdisclosure legislation.Some governments, such as the United State (US), United Kingdom (UK), and Australian governments,have specifically required various forms of email classification for their departments.In the US the White House has issued a Memorandum called “Designation and Sharing of ControlledUnclassified Information” (CUI) that requires Federal Agencies and Departments to take action todesignate and safeguard information in a consistent way to allow more secure and more efficientcollaboration throughout government.In the United Kingdom, the Government Protective Marking Scheme (GPMS) requires that broad classesof government-generated information, including email, be marked with an appropriate security markingand handled appropriately. The UK Government Connect Secure Extranet (GCSx) is a programme toprovide secure communications between various departments and levels of government within Englandand Wales. Departments and Local Authorities are required to demonstrate compliance with the GCSxCode of Connection (CoCo) requirements, which include labeling email with protective markings.The Australian government has taken a more pointed approach to government email. Amendments tothe Australian Defense Signals Directorate’s Communications Technology Security Manual require thatall email originating in federal agencies carry markings in compliance with its Electronic Mail ProtectiveMarking Policy. These markups establish a maximum-security classification and accompanying caveatsfor the message.On a global level there is a growing recognition that organizations outside of government must alsoimplement appropriate information security policies and systems. As an example, ISO 27001 is apublished standard for an Information Security Management System (ISMS) that is intended to bringinformation security under explicit management control. The use of classification and labeling on emailand documents helps organizations become ISO 27001 certified by enabling controls for the handlingand management of information.Titus has a number of white papers available that go into greater depth regarding specific businessdrivers and relevant regulations.www.titus.com Titus and Cisco IronPort Integration Guide | 7

4.0 | Combining Desktop Classification withGateway ControlsThe use of Titus Message Classification (TMC) and Titus Document Classification (TDC) on the desktop isan excellent method of building security awareness. These tools ensure that users creating contentconsider security implications before sharing the information. The visible labels applied to emails anddocuments serve to inform recipients of the sensitivity of the information and help them makeappropriate handling decisions.In a similar way, the classification metadata applied to emails and documents can be used by automatedsystems to implement information handling controls.An excellent example of a system that can provide such controls in combination with the TMC/TDCdesktop tools is the Cisco IronPort Email Security Appliance series of products. The combineddeployment of these two products enables more effective controls than either used alone.The following table describes some of the capabilities enabled through this combination.CapabilityDescriptionUser BasedClassification /MarkingThe Titus Message Classification and Document Classification solutions allowthe end user to classify & mark emails and documents while they are beingcreated.Automated Marking ofAttachmentsThe use of Titus Document Classification on the desktop enables classificationand marking of documents which can then be appropriately detected andcontrolled as message attachments by IronPort filters.Immediate UserFeedback on PolicyViolationTitus Message Classification can analyze and provide immediate feedback tothe user about sensitive content and policy violations before the email is sent.This reduces the number of inappropriate or compromising emails processedand streamlines the remediation process by suggesting corrective action thatcan be taken while the email content is still open.Policy Enforcement onInternalCommunicationsBy including Titus Message Classification in desktop deployments the solutioncan also enforce policy controls on internal communications which do notpass through the outbound email gateway.www.titus.com Titus and Cisco IronPort Integration Guide | 8

Visual Marking ofInbound MessagesIn many cases inbound content is sensitive or privacy protected and shouldbe handled appropriately, but it may not arrive with appropriate markingsor labels. To address these scenarios, IronPort message filters canautomatically classify inbound emails which can then be detected andvisually labeled by Message Classification.Layered approachDeploying policy controls at the desktop (Titus) and outbound gateway(IronPort) in combination increases the flexibility of policies to allow businessto continue as smoothly as possible while reducing the likelihood of dataleakage much more than using either approach exclusively.Control labelling onrepliesUsing TMC as part of the solution enables greater control over contentclassification, for example ensuring replies to a message retain the equivalentor higher classification.Email EncryptionOptionsUsing TMC with IronPort adds TLS and secure web envelopes (Cisco RES) tothe supported methods for automated secure delivery of sensitiveinformation.Advanced MessageRoutingThe IronPort appliance can quarantine or intelligently route email throughdifferent networks based on classification applied by Message Classificationat the desktop, and on recipient domain or address.Recipient ValidationThe combined solution can enforce controls on external delivery based onuser classification and recipient address or domain.www.titus.com Titus and Cisco IronPort Integration Guide | 9

5.0 | Step By Step Demonstration ConfigurationThis document will refer to a simple demonstration configuration to illustrate how Titus MessageClassification, Titus Document Classification, and the IronPort Email Security Appliance can interact in atypical environment.The following instructions and screen captures show the process of configuring and deploying a basiccontent filter on the IronPort appliance to detect and take action based on the presence of Titusmessage headers (x-titus-classifications-30) in outbound messages. For the purposes of the example theuser has selected a classification of Confidential and the action taken is to automatically encrypt theemail prior to delivery.The steps listed below assume a working installation of the IronPort appliance appropriately configuredin your environment with inbound and outbound mail flows. IronPort AsyncOS v7.0.1 was installed onthe appliance used.The instructions also assume that the Titus Message Classification is installed and a number ofclassification labels are defined, including a ‘Confidential’ label (see Figure 3). Titus MessageClassification/Document Classification v3.2.55 was installed on the desktop and used with MicrosoftOutlook 2007.Figure 3 - Add a CONFIDENTIAL Classificationwww.titus.com Titus and Cisco IronPort Integration Guide | 10

Figure 3 shows the CONFIDENTIAL Classification Control Definition (left side) that has been dragged anddropped onto the Outlook Definitions Control Structure (right side) to enable the classification andmarking used throughout the following example.Step 1 – Create An Outgoing Content FilterFigure 4 - Select Outgoing Content Filters under the Mail Policies menuClick on the Mail Policies menu and then on Outgoing Content Filters as shown in Figure 4.Figure 5 - Click on 'Add Filter...'To create the new filter click on Add Filter as shown in Figure 5.www.titus.com Titus and Cisco IronPort Integration Guide | 11

Figure 6 - Name and describe the new filter. Click on "Add Condition..."Name the new filter and provide a short description of its purpose. Once done, click on Add Conditionas shown in Figure 6.Step 2 – Define the Content Filter ConditionsFigure 7 – Define A Condition For the FilterFrom the Add Condition dialog that appears select the “Other Header” tab and enter the Header Nameas "x-titus-classifications-30". Then select “Header value” and the operator “Contains” before typing inthe search term “CONFIDENTIAL” as shown in Figure 7.www.titus.com Titus and Cisco IronPort Integration Guide | 12

Step 3 – Create the Corresponding ActionFigure 8 – Adding an Action To the FilterReview the Conditions settings in the filter overview page that follows, and then click on Add Action asshown in Figure 8.Figure 9 – Adding an Encrypt on Deliver Action To the Filterwww.titus.com Titus and Cisco IronPort Integration Guide | 13

For this example the chosen action to take when a message matches the defined conditions is to deliverthe message using IronPort encryption services. As shown in Figure 9, IronPort also provides a widerange of other actions Such as Quarantine and Strip Attachment.Figure 10 - IronPort Email Encryption ConfigurationSetting up an encryption profile using Cisco’s hosted Registered Envelope Service(RES) is outside of thescope of this document, but is relatively straightforward. The configuration process is started using theAdd Encryption Profile button on the IronPort Email Encryption page found under the Security Servicesmenu item.www.titus.com Titus and Cisco IronPort Integration Guide | 14

Figure 11 – Final Filter SettingsReview the finalized filter settings as shown in Figure 11, click Submit, and then Commit Changes.Step 4 – Apply the Outbound content filter to the Outbound Mail PoliciesFigure 12 - Select Outgoing Mail Policies from under the Mail Policies menuNow that the filter is defined the next step is to add it to an outgoing policy. To begin, select OutgoingMail Policies from under the Mail Policies menu as shown in Figure 12.www.titus.com Titus and Cisco IronPort Integration Guide | 15

Figure 13 - Click on the 'Disabled' link under 'Content Filters' in the ‘Default Policy’ row item.For this exercise the content filter will be added to the pre-defined Default Policy. Content Filters areinitially disabled on this policy, so click on the ‘Disabled’ link to begin changing settings as shown inFigure 13.Figure 14 - Select 'Enable Content Filters (Customize settings)' from the drop down menu.Click on the drop down menu as shown in Figure 14 and select ‘Enable Content Filters (Customizesettings)’. Once that selection is made the Titus-CONFIDENTIAL filter created earlier will be visible.www.titus.com Titus and Cisco IronPort Integration Guide | 16

Figure 15 – Enabled the Titus-CONFIDENTIAL filterClick 'Enable' beside the filter as shown in Figure 15, click Submit, and then Commit Changes.Figure 16 - The new policy and filter are now enabled.Figure 16 shows the filter enabled as part of the Default Policy. At this point any email sent outside theorganization labeled as confidential will be encrypted prior to delivery.www.titus.com Titus and Cisco IronPort Integration Guide | 17

Figure 17 - Confidential Email Being Forwarded Outside OrganizationFigure 17 shows a sample email classified as confidential and addressed to a recipient outside of theinternal domain.Figure 18– Confidential Email Automatically Encrypted For DeliveryFigure 18 shows the encrypted email as it arrives in the external recipient’s mailbox when using CiscoRES encryption.www.titus.com Titus and Cisco IronPort Integration Guide | 18

6.0 | Additional Deployment ScenariosOnce the basics of integration between the Titus classification solutions and IronPort are understood itis possible to construct any number of control and remediation scenarios. These capabilities can begrouped as preventive, detective, or corrective controls.Automatic encryption of an email based on classification metadata was shown in the previous section.This can be thought of as a preventive control, since information leakage was prevented by automatedencryption of the sensitive information.A few additional example scenarios are described here.6.1 | Outbound Sensitive Email, Automatically Quarantined forApprovalThis scenario is very similar to the one described in the previous section, 5.0 | Step By StepDemonstration Configuration. Instead of automatically encrypting the confidential email it will bequarantined for administrator review.Figure 19 - Edit Titus-CONFIDENTIAL Filter To Use QuarantineFigure 19 Shows Quarantine selected instead of Encrypt on Delivery while editing the Titus-CONFIDENTIAL filter defined in Step By Step Demonstration Configuration. The IronPort defaultwww.titus.com Titus and Cisco IronPort Integration Guide | 19

installation includes several pre-defined quarantines to hold email until they can be reviewed. Here the‘Policy’ quarantine is used.Figure 20 - Titus-CONFIDENTIAL Filter Changed to Use Quarantine ActionFigure 20 shows the modified filter now using a Quarantine action. With this modified filter email foundto have the CONFIDENTIAL classification within the TMC x-header will be held by the IronPort applianceuntil an administrator can review it or until a specified amount of time passes.Figure 21 - View of IronPort Quarantinewww.titus.com Titus and Cisco IronPort Integration Guide | 20

Figure 22 - Viewing Quarantined Message Details and Available ActionsThe preceding scenario is a preventative control, since the email was not delivered to the intendedrecipient. An example of a detective control would be to use the duplicate message option in theQuarantine action (see Figure 23) and to allow the original message to be delivered. The quarantinedcopy could be used in subsequent investigations if required.Figure 23 - Duplicate Message Option in Quarantine Actionwww.titus.com Titus and Cisco IronPort Integration Guide | 21

6.2 | Inbound Sensitive Email, Automatically Tagged at GatewayA number of use cases can be described where it is useful to be able to tag inbound email appropriatelyto ensure proper handling and controls as internal users process and share the information.One example is inbound resumes. Whether they are sent to an HR inbox, or directly to employees of thecompany the documents are considered privacy protected documents under many countries’regulations.Adding appropriate header information to the message right at the email gateway seamlessly enablesthe visual privacy protection cues and controls made possible with the TMC desktop client.Figure 24 - Simple Filter to Detect Incoming ResumesFigure 24 above shows a basic filter to detect attached resume files in incoming email. The filter wascreated using variations of the steps described above in the Step By Step Demonstration Configurationsection.Condition 1 uses a regular expression to search the message body and attachment content for variationsof the words resume or CV (the simple RegEx used here is “[Rr]esume| CV”, without quotes). Condition2 requires that a file attachment is present. Note that both of these conditions must be true for thedefined action to be taken. To do this select “Only if all conditions match” from the drop-down providedbeside “Apply rule:”.www.titus.com Titus and Cisco IronPort Integration Guide | 22

The action taken is to add header information. Here the standard TMC x-header (x-tituslabsclassifications-30)is added with a value of “Classification=CONFIDENTIAL;Sensitivity=HR;” to indicatethat the information is confidential and HR related.Figure 25 - TMC Detects the X-Header Added By IronPortFigure 26 - Titus X-Header As Applied by IronPortFigure 25 shows that the original internal recipient of the email can see that the email is classified asConfidential with HR sensitivity and Figure 26 shows the x-header information that was added by theIronPort filter.www.titus.com Titus and Cisco IronPort Integration Guide | 23

Figure 27 - Labels Are Applied on Forward or ReplyFigure 27 shows that appropriate labels are applied when the email is shared with other users.6.3 | Outbound Uncategorized Email, Automatically Tagged at theGatewayWhere organizational security policy, or the policy of a partner network requires that all email beclassified and labeled, appropriate controls should be put in place at the outbound gateway to verify andenforce this.The use of TMC on user desktops for classification and labeling provides a high degree of coverage butsome internal systems generating automated emails may not apply appropriate labels.As an example of what is possible with IronPort filtering the following scenario explores how to detectand act on outbound unclassified email during a transition period. A copy of all email withoutappropriate classification headers is sent to a defined email address, but the original email is allowed toproceed. In this way it is possible to identify any sources of unclassified email without impeding the flowof business.In addition to the web-based interface shown previously the IronPort AsyncOS provides a powerfulCommand Line Interface (CLI). This example will configure and apply a message filter to detect and acton unclassified messages using the CLI. An SSH client is required to connect and login to the IronPortappliance, and the SSH service must be enabled on at least one IP Interface.www.titus.com Titus and Cisco IronPort Integration Guide | 24

The sample filter acts on email that does not include the Titus x-header.Actions taken are:• insert an x-header with a value of UNCLASSIFIED,• insert UNCLASSIFIED at the beginning of the subject line, and• send a copy of the message to the “Policy” quarantine.The following is a transcript of an SSH session to add and enable the filter through the CLI. Typedcommands and content is in bold.Last login: Mon Aug 30 11:56:45 2010 from 192.168.201.177Copyright (c) 2001-2009, IronPort Systems, Inc.AsyncOS 7.0 for IronPort C160 build 102Welcome to the IronPort C160 Messaging Gateway(tm) Applianceironport.tlmcdc.com>ironport.tlmcdc.com> filtersChoose the operation you want to perform:- NEW - Create a new filter.- IMPORT - Import a filter script from a file.[]> newEnter filter script. Enter '.' on its own line to end.No_Classification_Headers:if(NOT header("x-tituslabs-classifications-30")) {insert-header("x-tituslabs-classifications-30","UNCLASSIFIED");edit-header-text ("Subject","^\\s*","[UNCLASSIFIED] ");duplicate-quarantine("Policy");}.1 filters added.Choose the operation you want to perform:- NEW - Create a new filter.- DELETE - Remove a filter.- IMPORT - Import a filter script from a file.- EXPORT - Export filters to a file- MOVE - Move a filter to a different position.- SET - Set a filter attribute.- LIST - List the filters.- DETAIL - Get detailed information on the filters.- LOGCONFIG - Configure log subscriptions used by filters.- ROLLOVERNOW - Roll over a filter log file.www.titus.com Titus and Cisco IronPort Integration Guide | 25

[]>ironport.tlmcdc.com> commitPlease enter some comments describing your changes:[]> Added No Classification Header filterChanges committed: Mon Aug 30 12:44:03 2010 EDTironport.tlmcdc.com>Figure 28 - Unclassified Email In QuarantineFigure 28 shows an email that has triggered the message filter and has been copied to the Policyquarantine. Note that the subject line and header modifications defined in the filter were done prior tosending the message copy to the quarantine.www.titus.com Titus and Cisco IronPort Integration Guide | 26

7.0 | SummaryThe scenarios discussed in this paper covered a few simple use cases to illustrate how Titus’ MessageClassification and Cisco’s IronPort Email Security Appliance can be used together to enable bettersecurity controls on outbound and inbound email.Information security management is not one size fits all. Whether you are complying with governmentregulations and directives or protecting sensitive commercial information, Titus’ Message Classificationand Cisco’s IronPort Email Security are a powerful combination, providing the tools and flexibility youneed to implement suitable controls in your environment.To learn how Titus can help your organization promote better security, please visitwww.titus.comTitus343 Preston Street, Suite 800, Ottawa, ON, Canada.Call us: (613) 820-5111 ext.127Toll Free 1-866-530-5111or email us: info@titus.comwww.titus.com Titus and Cisco IronPort Integration Guide | 27