How to Create an Email Protection Policy
Part 1 — Policy Overview
The Avanan Cloud Security Platform offers the industry’s most complete cloud security solution with defense-in-depth capabilities to make your SaaS or IaaS both safe and compliant. We protect your users and files in any cloud environment, from Office 365 to Gmail, Amazon to Azure. This guide describes Avanan’s group-based policy framework, which can be leveraged to continuously help protect data that sits in the cloud.
Avanan offers three modes of protection for email, outlined below:
- Monitor only
- Detect and Protect
- Protect (Inline)
Monitor Only mode provides visibility into cloud-hosted email by leveraging publicly available APIs and a journal entry from the SaaS email provider. Scan results are provided from 60+ best-of-breed security tools. In this mode, manual and automated query-based quarantines are available after delivery to the user mailbox.
- Incoming email passes through the email provider’s spam filter. Emails are sorted accordingly:
  - Rejected
  - Accepted, Moved to Junk
  - Accepted, Moved to Inbox
- Manual and automated query-based quarantines are available after delivery to the user mailbox.
Detect and Protect mode provides an increased level of protection that scans email via journaling, leveraging the same SaaS email provider APIs. This mode adds an automated policy action to quarantine malware, phishing attacks, etc. based on the results of the best-of-breed security stack. In this mode, user notifications and release workflows are available.
- Incoming email arrives in the respective mailbox folder.
- Avanan detects new email and scans (10 sec - 5 min).
- If the email is malicious, Avanan takes automatic action; otherwise, it leaves the email alone.
- Optional user notifications and release workflows are available.
Protect mode provides the highest level of protection and scans email prior to delivery to the end user’s inbox. By leveraging the same SaaS email provider APIs and implementing mail flow rules, Avanan can scan email with a best-of-breed security stack to protect end users from malware, data leaks, phishing attacks and more. Scanning and quarantining take place before email is delivered to the user’s inbox. This mode ensures that threats are detected and remediated before the user has access to the email.
- Incoming email heads to the mail flow.
- Avanan redirects the mail to the Avanan platform for scanning (10 sec - 5 min).
- If the email is malicious, Avanan takes action; otherwise, it returns the email to the mail flow.
- User notifications and release workflows are defined in policy.
Part 2 – Policy Configuration
Before group-based policy is configured, you must configure a dedicated quarantine mailbox that will be used to store any emails or attachments that are quarantined during the scanning process by policy or via manual actions. The configuration is located under the Cloud App Store under your cloud-based email platform. This must be a fully licensed mailbox; it cannot be a shared mailbox.
You must also specify a restore request approver email account. This will be a current administrator in the Avanan platform. This account is used to notify administrators when a user requests that an email be released from quarantine.
Email policy is configured from the policy console located on the left-hand panel of the Avanan dashboard.
Step 1
Select the SaaS platform you want to set policy for: Office 365 Emails or Gmail. Click the + to configure a new policy.
Step 2
Select Threat detection for security. Threat detection will cover AV, Malware and Phishing protection in the policy.
Step 3
Rule State should be set to running, and you can change the default name of the rule. Severity can be set to Auto or a predetermined level. You must also select the desired mode: Monitor Only, Detect and Protect or Protect (Inline).
Step 4
Select the scope of users and/or groups to be covered by the policy. All users can be protected by selecting all users and groups.
Step 5
Under the advanced tab you can select the security tools that are running for this specific policy. Available security tools are configured in the Security App Store under configuration.
Note - If you select either Detect and Protect or Protect (Inline) mode you will see additional configuration screens that allow customization of the user level email notifications in the advanced configuration. Workflow and Notification options are outlined in the next section.
Step 6
Alerts can be configured to be sent to the configured Administrators (Admins can opt in under user management) or to specified email addresses. Alerts are available separately for Malware and Phishing. Email alert templates can be customized by clicking on the gears to the right of the alert.
Step 7
Once the policy is configured, hit the Save and Apply button to apply the policy to the configured user population. Policies are based on precedence, so make sure your rules are applied in the proper order. The order can be adjusted from the policy console.
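The ordering caveat in Step 7 can be checked on paper before saving. The following is an added example, not Avanan code or an Avanan API: it models ordered, scoped rules and reports rules that never take effect. It assumes the first matching rule in console order decides the mode; the `Rule` class, the `ALL` marker and the sample directory are hypothetical.

```python
# Added illustration: a hypothetical model of ordered, group-scoped policies.
# Assumption: the first matching rule in console order decides the mode.
from dataclasses import dataclass

ALL = "*"  # constructed marker for "all users and groups" (Step 4)

@dataclass(frozen=True)
class Rule:
    name: str
    mode: str             # "Monitor Only", "Detect and Protect", "Protect (Inline)"
    scope: frozenset      # user addresses and/or group names, or {ALL}
    running: bool = True  # Rule State from Step 3

    def matches(self, user, groups):
        return self.running and (ALL in self.scope or user in self.scope
                                 or bool(self.scope & groups))

def effective_rule(rules, user, groups):
    """Return the first running rule whose scope covers the user, else None."""
    for rule in rules:
        if rule.matches(user, frozenset(groups)):
            return rule
    return None

def shadowed_rules(rules, directory):
    """Names of running rules that never win for any user in the directory."""
    winners = set()
    for user, groups in directory.items():
        hit = effective_rule(rules, user, groups)
        if hit is not None:
            winners.add(hit.name)
    return [r.name for r in rules if r.running and r.name not in winners]

# Constructed sample directory: user -> groups
DIRECTORY = {
    "cfo@example.com": {"Finance", "Executives"},
    "dev@example.com": {"Engineering"},
}

# Catch-all monitoring rule placed first: the stricter Finance rule never applies.
BAD_ORDER = [
    Rule("Baseline monitor", "Monitor Only", frozenset({ALL})),
    Rule("Finance inline", "Protect (Inline)", frozenset({"Finance"})),
]
GOOD_ORDER = list(reversed(BAD_ORDER))  # specific rule first, catch-all last

if __name__ == "__main__":
    for label, rules in (("bad", BAD_ORDER), ("good", GOOD_ORDER)):
        cfo = effective_rule(rules, "cfo@example.com", DIRECTORY["cfo@example.com"])
        print(label, "->", cfo.mode, "| shadowed:", shadowed_rules(rules, DIRECTORY))
```

Under this assumed first-match model, a catch-all rule placed above a narrower one leaves the narrower rule without effect, which is the situation to look for when reviewing rule order in the policy console.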
Workflows and Notification
Detect and Prevent Mode and Protect (inline) Mode both offer three separate workflows to manage Malware and Anti-Phishing attacks in the platform. The only difference is when the workflow is invoked: Detect and Prevent scans email after delivery to the user, and Protect (inline) scans just prior to delivery.
Malware
- User is alerted and allowed to restore the email
- User is alerted, allowed to request a restore. Admin must approve
- Email quarantined. User is not alerted. Admin can restore
- Do nothing
Anti-Phishing
- User receives the email with an alert
- Email quarantined. Admin can restore
- Email Quarantined. User is alerted, allowed to request a restore. Admin must approve
- Do nothing
Suspicious Phishing affects
- User receives the email with a warning
- User is not alerted. Admin can restore
- Do nothing
Advanced options are available to customize all messages and notifications to the end users.
Manual Notification settings
Actions outside of the policy framework can be taken from the email profile or set through queries. Advanced options are available to customize all manually generated messages and notifications to the end users. These notifications are set in the Cloud Store under your cloud email service.
Part 2 — End-user experience
Malware End-user workflow
- 1 - User is alerted and allowed to restore the email
Email to the user is scanned and, when found malicious, the subject is replaced with a quarantined notice and the original subject is provided in brackets. The body of the message is replaced with a customizable message to the user along with a link to release the file if a false positive is suspected. The attachment is also stripped and noted in the replaced body. In this mode, the user is authorized to perform their own release of the attachment. Using the link in the email, end users can release the quarantined attachment. The original email and attachment will be immediately delivered back to the inbox.
- 2 - User is alerted, allowed to request a restore. Admin must approve
Email to the user is scanned and, when found malicious, the subject is replaced with a Quarantined notice and the original subject is provided in brackets. The body of the message is replaced with a customizable message to the user along with a link to release the file if a false positive is suspected. The attachment is also stripped and noted in the replaced body. The Malware will be zipped, password protected and delivered to the Restore request approver.