
Skyhigh Security

Integrate Inline Email DLP with Trellix ePO

When using Inline Email DLP, Exchange Online remediation actions occur in real time so data never leaves your organization through Exchange Online email messages.

Components

The following components are required for this feature:

  • Exchange Online mail routing (connectors and rules)
  • Sky Gateway (mail is routed from Office 365 to Sky Gateway proxy)
  • Sky Link (API) connection to Exchange Online for quarantine and delete remediation actions

Email flow

Office 365 is configured to send messages through Sky Gateway so it can inspect the contents of the message. Sky Gateway acts as an SMTP proxy and as such never stores or queues messages. Messages are processed in real time and require an active inbound and outbound SMTP session to proxy both legs.

The email flow is as follows:

  1. A user in your organization sends a message.
  2. Based on mail routing rules configured in Exchange Online, messages are forwarded to the Sky Gateway SMTP server.
  3. The Sky Gateway SMTP server proxies the connection from Exchange Online server (2), performs DLP inspection, and proxies back the connection to Exchange Online server (4).
  4. Exchange Online receives the message.
  5. Exchange Online forwards the message onto one or more original destinations.


Message Transport Error Handling

As the Sky Gateway acts as an SMTP proxy, it never accepts the inbound SMTP connection unless the outbound leg can be established. Sky Gateway never queues or stores messages, so both legs of the connection must be up for messages to flow. This ensures that Exchange Online handles any connection issues: if a connection fails, the sending Exchange Online server requeues the message and tries again.

Error messages received from the receiving SMTP gateway are relayed back to the sending SMTP gateway so the sending gateway can re-queue the message for transport.


Remediation Options

Because Inline DLP is done in real time, it requires the API-based Sky Gateway integration. Sky Gateway ensures that emails are blocked, deleted, or quarantined before they ever leave a sender's email account. For example, if you set up a DLP policy that deletes emails containing sensitive keywords, any message containing a specified word is deleted from a sender's mailbox. With Sky Gateway you can choose from the following options:

  • Block. When an email is blocked, the email remains in the sender's Sent folder, but the intended recipient does not receive the message. The Skyhigh CASB admin does not receive a copy of the email in the Quarantined folder. The email does not leave the sender's account.
  • Delete. When an email is deleted, the email is removed from the sender's Sent folder, and the intended recipient does not get the email. The Skyhigh CASB admin does not receive the email in the Quarantined folder.
  • Quarantine. When an email is quarantined, the Skyhigh CASB Admin receives the email in the Quarantined folder. Emails are quarantined in real time, via API.
  • Notifications. You can choose to notify users and/or Skyhigh CASB admins via email when messages are blocked, deleted, or quarantined.
  • Block Failed. Block Failed indicates that no modifications are made to the incident response because the email has left the sender's account, the block has failed, and the email has reached the recipients.
  • Add X Header Failed. Add X Header Failed indicates that no header is added. No modifications are made to the incident response because the block has failed and the email has reached the recipients.
  • Block Failed and Deleted. Block Failed and Deleted indicates that the block has failed, and the email has reached the recipients. The delete action performed on the sender's sent items and the recipient's inbox is successful for one or more items.
  • Block Failed and Delete Failed. Block Failed and Delete Failed indicates that the block has failed, and the email has reached the recipients. The delete action performed on the sender's sent items and the recipient's inbox has failed.
  • Block Failed and Quarantined. Block Failed and Quarantined indicates that the block has failed, and the email has reached the recipients. The Quarantine action performed on the sender's sent items and the recipient's inbox is successful for one or more items.
  • Block Failed and Quarantine Failed. Block Failed and Quarantine Failed indicates that the block has failed, and the email has reached the recipients. The Quarantine action performed on the sender's sent items and the recipient's inbox has failed.

 

Inline Email DLP Prerequisites

To configure Inline DLP, you need the following:

  • Skyhigh CASB tenant
  • A Microsoft Office 365 account with global admin permissions
  • An Exchange Online email account

Make sure that you have confirmed that you can send and receive emails before proceeding.

 

Integration Steps

  1. In Skyhigh CASB, select Settings | Integrations | ePolicy Orchestrator.
  2. Click Enable to start using Trellix ePO Exchange Online policies instead of the policies in Skyhigh CASB.
  3. Click Edit Users to add a user account associated with the Service Account that has the ePO Connector Role.
  4. In Trellix ePO connect to Skyhigh CASB. Then return to Skyhigh CASB and click I Did This.
  5. In Trellix ePO, extend rules to Skyhigh CASB. Then in Skyhigh CASB click I Did This.

 

Enabling inline DLP

There are five steps to enabling Inline DLP: set up Exchange Online in Skyhigh CASB, route email from Office 365 to Skyhigh CASB, route email back after scanning, create a mail routing rule in Office 365, and test the setup.

Before you begin:

To allow the proper flow of email traffic, set up a new connector in Office 365. You can learn more about connectors at Configure mail flow using connectors in Office 365.

1. Set up Exchange Online in Skyhigh CASB

  1. Select Settings | Service Management.
  2. Click Microsoft Exchange Online.
  3. If Exchange Online has been configured, click Default. Otherwise click New Instance.
  4. Click Setup, then click Configure.
  5. On the Business Requirements screen, select Inline Only. Click Next.
  6. Review the prerequisites, then select I have reviewed all prerequisites and click Next.
  7. Now add domains that are used for Skyhigh Security DLP. Add the Microsoft Exchange Online domains, then the email domain associated with your Skyhigh Security ePO deployment. Next, enter a value for Host Name and the Port. Make sure that the automatically generated Skyhigh CASB Email Server Domain is correct. Click Next.
  8. For Quarantine Settings, you can enter an optional email address where quarantined files are sent. To enable this option, select Quarantine Emails and Attachments, then type the email address. Click Next.
  9. On the Summary screen, make sure all settings are correct. Click Done.

2. Create mail connectors — route email from Office 365 to Skyhigh CASB

You need to create two mail connectors. The first connector sends emails from Office 365 to Skyhigh CASB for inspection, and the second accepts emails after they are scanned by Skyhigh CASB.

Before you begin:

Create a Security Group. To limit the impact of enabling Inline DLP, it is wise to set up a security group in Office 365 with a few email addresses that you can use to test. Once you are happy with the performance, you can then either add other security groups, or use Inline DLP with all email addresses in your organization. See Manage mail-enabled security groups for instructions.

Make sure to set the following:

  • Type: Mail-enabled security group
  • Name: SkyhighEmailDLP
  • Allow people outside of my organization to send email to this distribution group: OFF

To create mail connectors:

  1. Log in to Office 365 as a Global Admin and navigate to the Exchange Admin center.
  2. Select Mail flow, then connectors.
  3. Add a new connector. Follow the instructions in Set up connectors to route mail between Office 365 and your own email server. Make sure to set the following options:
    1. Name the new connector Office 365 to Skyhigh CASB Email DLP.
    2. Make sure to select Only when I have a transport rule set up that redirects messages to this connector when setting up the new connector.
    3. Be sure to select Always use TLS and Any digital certificate, including self-signed when you are asked how to connect Office 365 to your partner's email server.

3. Create mail connectors — route email back after scanning

To route email back after scanning:

  1. Return to Mail flow, then connectors.
  2. Add a new connector.
  3. Under Select your mail flow scenario, set the following:
    • From: Your organization's email server
    • To: Office 365
  4. Click Next.
  5. On the New connector screen, enter the following:
    • Name: Skyhigh CASB Cloud Email DLP to Office 365
    • Description: Receives email after they are scanned by Skyhigh CASB DLP
  6. Under What do you want to do after the connector is saved, select both of the following:
    • Turn it on
    • Retain internal Exchange email headers
  7. Click Next.
  8. On the Edit Connector screen, under How should Office 365 identify email from your email server, select By verifying that the IP address of the sending server matches one of these IP addresses that belong to your organization. Then type a list of all Source IP addresses.
  9. Click Next.

You should now have two connectors, one configured in each direction.

4. Create a mail routing rule in Office 365

To create a mail routing rule:

  1. Log in to Office 365 as a Global Admin and navigate to the Exchange Admin center.
  2. Select Mail flow, then rules.
  3. Configure a new rule as follows:
    • Name: Send to Skyhigh CASB Email DLP for inspection
    • Apply this rule if: The sender is a member of the [security group you created earlier in Step 2]
  4. Click More options.
  5. From the Do the following drop-down, choose Redirect the message to then choose the following connector.
  6. Select the Office 365 to Skyhigh CASB Email DLP connector. Click OK.
  7. On the new rule screen, add an exception. Under Except if, choose A message header matches, then pick matches these text patterns. Click Enter text then type X-SHN-DLP-SCAN. Click OK.
  8. Type success in the text box, then click OK.
  9. Deselect Audit this rule with severity level, then click Save to save the rule.
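The two connectors and the routing rule from steps 2 to 4, expressed in Exchange Online PowerShell instead of the Exchange Admin center. This is an added example, not part of the Skyhigh documentation; the admin account, the smart host, the Sky Gateway source IP addresses, and the security group address are placeholders you replace with the Host Name entered in step 1 and your tenant's values.

```powershell
# Added example: creates the connectors and rule from steps 2-4 with Exchange Online
# PowerShell. Admin account, host name, IP addresses and group address are placeholders.
Import-Module ExchangeOnlineManagement
Connect-ExchangeOnline -UserPrincipalName 'admin@example.com'   # placeholder global admin

$skyhighHost = 'smtp.example-skyhigh-gateway.invalid'   # placeholder: Host Name from step 1
$skyhighIps  = @('203.0.113.10', '203.0.113.11')        # placeholder: Sky Gateway source IPs

# Step 2: outbound connector, used only when a transport rule redirects mail to it.
# EncryptionOnly = "Always use TLS" + "Any digital certificate, including self-signed".
New-OutboundConnector -Name 'Office 365 to Skyhigh CASB Email DLP' `
    -ConnectorType Partner `
    -UseMXRecord $false -SmartHosts $skyhighHost `
    -TlsSettings EncryptionOnly `
    -IsTransportRuleScoped $true `
    -Enabled $true

# Step 3: inbound connector identified by source IP; keeps internal Exchange headers
# ("Retain internal Exchange email headers").
New-InboundConnector -Name 'Skyhigh CASB Cloud Email DLP to Office 365' `
    -ConnectorType OnPremises `
    -SenderDomains '*' `
    -SenderIPAddresses $skyhighIps `
    -CloudServicesMailEnabled $true `
    -Enabled $true

# Step 4: route mail from the test group through the outbound connector, unless the
# X-SHN-DLP-SCAN header already reads "success" (set on the return leg from Sky Gateway).
# The exception keeps an already scanned message from being redirected a second time.
New-TransportRule -Name 'Send to Skyhigh CASB Email DLP for inspection' `
    -FromMemberOf 'SkyhighEmailDLP@example.com' `
    -RouteMessageOutboundConnector 'Office 365 to Skyhigh CASB Email DLP' `
    -ExceptIfHeaderMatchesMessageHeader 'X-SHN-DLP-SCAN' `
    -ExceptIfHeaderMatchesPatterns 'success' `
    -SetAuditSeverity DoNotAudit

# Verify the rule references the connector and carries the loop-prevention exception.
Get-TransportRule 'Send to Skyhigh CASB Email DLP for inspection' |
    Format-List Name, FromMemberOf, RouteMessageOutboundConnector,
                ExceptIfHeaderMatchesMessageHeader, ExceptIfHeaderMatchesPatterns
```

If the connectors or rule already exist from the Exchange Admin center steps, use Set-OutboundConnector, Set-InboundConnector and Set-TransportRule with the same parameters instead of the New-* cmdlets.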

5. Test the setup

To test outbound email:

  1. Log in to your Office 365 account using a user that is a member of the security group you created in Step
  2. Send a test email to your work email address and confirm it is received. Confirm the test message is relayed by Skyhigh CASB Email DLP.
  3. Use the message trace in the Microsoft Exchange admin center to verify that Inline DLP is functioning.
    1. Use a custom date range to filter out noise as required.
    2. Create a policy that triggers low (log only), medium (quarantine) and high (delete).
    3. Find the message you sent to yourself earlier, and double-click to review details.
    4. Review the message trace and confirm the email was sent out using the connector.