Trying to detect information being taken out via Gmail using "Netskope API Introspection"


Introduction

I would like to show you how to detect internal fraud (the unauthorized removal of information) via Gmail. Various products can address this risk, but this time I will use Netskope's API Introspection feature.

Assumed Scenario

In this article, I am assuming a scenario in which a user of the company's own Gmail tenant takes information out by sending emails to external parties.

What is Netskope API Introspection?

Netskope API Introspection is a function that connects from the Netskope Cloud via API to cloud services such as Google Drive, Microsoft Office 365 OneDrive, Box and Slack in order to apply policies and inspect content. Netskope API Introspection covers a different range of logs than scanning through the Netskope Client, so using the two in parallel allows for more rigorous risk management.

Please refer to the help page for the cloud services that Netskope API Introspection currently supports.

Prerequisites

  • You will need the optional "Netskope API Introspection (Gmail)" license to use this feature.
  • This feature (Netskope API Introspection) detects the removal of information based on detection logic defined by the administrator in advance. Therefore, it cannot detect information being taken out simply by being installed; it needs to be configured (tuned) after installation.
  • This feature (Netskope API Introspection) does not cover the scenario of information leakage by uploading files to a private Gmail account. However, Netskope as a whole can attempt to detect that by scanning communications with the Netskope Client. As mentioned in "What is Netskope API Introspection?", the two have different coverage and can be used together for better results.
  • The settings described in this article are for reference only. They do not guarantee that outgoing mail via Gmail will always be detected. When actually using the system, please configure the settings according to your company's rules (e.g. labeling rules) and business operations.

Features of Netskope API Introspection for Gmail

1. Inspect email body and attached files.

With Netskope API Introspection (Gmail), you can check the body and attachments of emails sent from your tenant against predefined detection logic and raise alerts on matches. The conditions for raising an alert (the detection logic) are set using Netskope's DLP, which is explained in the "Individual Setup" section of this article.
Alerts include information such as the sender's e-mail address and the name of the attachment (only when the e-mail body or attachment matches the predefined detection logic), so that e-mails suspected of carrying information out can be detected.

2. Download and examine the body and attachments of the offending email.

You can download and inspect the body and attached files of an email detected as described above. It is difficult to recognize a well-disguised email from the destination address and attachment name alone, so downloading and checking the body and attachments helps you determine whether the email is a legitimate business transmission or an unauthorized removal of information.
As shown in the figure below, select an individual alert from the top page of [API-enabled Protection Dashboard] > [Gmail] > [Email with Violations] to download the body and attachment.

However, it is important to note that this feature can cause problems in terms of employee privacy, or expose users with administrative privileges to more information than necessary. Therefore, it is recommended to define the division of duties and design the operation in advance before implementing this function. In that case, it is a good idea to use Netskope's ability to customize the browsing range of administrative users to limit what they can see.

Basic Setup

Basic Setup Overview

To configure DLP in Netskope API Introspection, you need to follow three steps: "Create DLP Rule", "Create DLP Profile", and "Create API Introspection Policy". 

Step 1. Create a DLP Rule

Create a DLP Rule from [Policies] > [DLP] > [Edit Rule] > [Data Loss Prevention Rules] > [NEW RULE].
After creation, use [APPLY CHANGES] to activate the rule.

Step 2. Create a DLP Profile

Create a DLP Profile from [Policies] > [DLP] > [NEW PROFILE]. In this step, we attach the DLP Rule that was created in Step 1.

Step 3. Configure the API Introspection Policy

Create an API Introspection Policy from [Policies] > [API Data Protection] > [NEW POLICY]. In this step, we attach the DLP Profile that was created in Step 2.
Once created, use [APPLY CHANGES] to activate the policy.

Individual Setup

Overview of Individual Setup

In the "Basic Setup" section we did not discuss the detailed settings; now we would like to describe the specific detection criteria (detection logic). While carrying out the "Basic Setup" steps described above, you can define the criteria for detection by applying the settings described below.

By combining one or more of these, you can aim to detect the offending e-mails.

Pattern 1: Detection of specific character strings

If an email contains specific strings such as "confidential" or "strictly confidential", DLP will detect it. This is effective when the strings are registered according to your "labeling of information" rules, a common practice in ISMS. In addition to simple strings, regular expressions and user-registered dictionaries can also be used.

1. Select [Policies] > [DLP] > [Edit Rule] > [Data Loss Prevention Rules] > [NEW RULE]. (This is the basic setup step "Create a DLP Rule".)
2. Enter the string you want to detect in the [CUSTOM] section.
In this verification, we set up an alert to be raised when the content matches "Confidentiality 1".

Pattern 2: Detection based on the size of the attached file

We will use DLP to detect when an attached file is larger than a certain size.
1. When creating a DLP Profile, select [FILE PROFILES] > [NEW FILE PROFILE]. (This is the basic setup step "Create a DLP Profile".)
2. Select [File Size] and enter the threshold of your choice.

Pattern 3: Detect if the attached file has a password

If the attached file is password-protected (e.g. a zip password, the Office password function, etc.), DLP will detect it. Detection by a specific string was introduced in Pattern 1, but that does not work when the file is password-protected, so it is effective to set this in parallel with Pattern 1.
1. When creating a DLP Profile, select [FILE PROFILES] > [NEW FILE PROFILE]. (This is the basic setup step "Create a DLP Profile".)
2. Select [Protected/Encrypted] and check the box for [File is password-protected].

Pattern 4: Detect when the file extension is a specific one

If the attached file has a specific file extension, DLP will detect it.
1. In [API Data Protection Policy], go to [New API Data Protection Policy]. (This is the basic setup step "Configure the API Introspection Policy".)
2. In the [EMAIL OPTIONS] section, select [SCAN EMAIL CONTENT] > [View All].

3. Select the file types that you want the DLP policy to detect, and press [SAVE]. As of September 29, 2021, there were 25 file types that can be set.
4. After configuring the other settings, select [SAVE] in the upper right corner.

Pattern 5: Detection by the destination domain of e-mail attachments

If the attached file is sent to a specific destination domain, DLP will detect it.
1. In [API Data Protection Policy], go to [New API Data Protection Policy]. (This is the basic setup step "Configure the API Introspection Policy".)
2. In the [EMAIL OPTIONS] section, select [SCAN EMAIL SENT TO] > [Domain Profile] > [Create New].
3. Enter the domain you want the DLP policy to detect and create a new "Domain Profile".

4. In the [EMAIL OPTIONS] section again, from [SCAN EMAIL SENT TO] > [Domain Profile], select the "Domain Profile" you just created.
5. After configuring the other settings, select [SAVE] in the upper right corner.
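As an added example (not Netskope's code and not part of the original article), the following Python script applies the five detection patterns above to a locally constructed email, which is a handy way to sanity-check keyword, size, extension and domain choices before registering them in the DLP rule and API policy. The threshold values, the domain example.net, the ZIP header bytes and the message contents are all constructed assumptions.

```python
import email, re
from email import policy
from email.message import EmailMessage
from email.utils import getaddresses

# Tuning values mirroring the article's five patterns (constructed for this example)
KEYWORD_RE = re.compile(r"confidential", re.I)   # pattern 1: string / regex
MAX_ATTACHMENT_BYTES = 1_000_000                 # pattern 2: attachment size
WATCHED_EXTENSIONS = {".zip", ".xlsx"}           # pattern 4: file extension
WATCHED_DOMAINS = {"example.net"}                # pattern 5: destination domain

def zip_is_password_protected(data: bytes) -> bool:
    # Pattern 3: bit 0 of the ZIP general-purpose flag marks an encrypted entry.
    # Only the first local file header is inspected, not the whole archive.
    if len(data) < 8 or data[:4] != b"PK\x03\x04":
        return False
    return bool(int.from_bytes(data[6:8], "little") & 0x1)

def evaluate(raw: bytes) -> list[str]:
    """Return the names of every detection pattern the RFC 5322 message trips."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    hits = []
    body = msg.get_body(preferencelist=("plain", "html"))
    if body is not None and KEYWORD_RE.search(body.get_content()):
        hits.append("pattern1_keyword")
    hdrs = [str(h) for k in ("to", "cc", "bcc") for h in msg.get_all(k, [])]
    domains = {addr.rpartition("@")[2].lower() for _, addr in getaddresses(hdrs)}
    if domains & WATCHED_DOMAINS:
        hits.append("pattern5_domain")
    for part in msg.iter_attachments():
        name = (part.get_filename() or "").lower()
        data = part.get_payload(decode=True) or b""
        if len(data) > MAX_ATTACHMENT_BYTES:
            hits.append("pattern2_size")
        if zip_is_password_protected(data):
            hits.append("pattern3_password")
        if any(name.endswith(ext) for ext in WATCHED_EXTENSIONS):
            hits.append("pattern4_extension")
    return hits

def sample_message() -> bytes:
    """Constructed mail: keyword in body, encrypted-flagged zip, external recipient."""
    msg = EmailMessage()
    msg["From"] = "alice@example.com"
    msg["To"] = "Bob <bob@example.net>"
    msg.set_content("Attached is the customer list. Confidentiality 1 - internal only.")
    # Minimal ZIP local file header with the encryption flag set (not a full archive)
    header = b"PK\x03\x04\x14\x00\x01\x00" + b"\x00" * 22
    msg.add_attachment(header, maintype="application", subtype="zip", filename="list.zip")
    return msg.as_bytes()
```

Running `evaluate(sample_message())` reports patterns 1, 5, 3 and 4 for the constructed mail; pattern 2 stays quiet because the attachment is well under the size threshold.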

Conclusion

I believe that taking information out via email is a risk that can occur in any organization, so if you have not yet taken action, I hope this article will be useful to you.
