Writing Style Best Practice Guide | August 2018
Page 2 of 15| Trend Micro Writing Style Best Practice Guide
Contents
About This Book
  Preface
  Authors
TMCAS Writing Style Introduction
How TMCAS Trains the Writing Style Model
  The Training logic in TMCAS
How to Configure TMCAS Writing Style Prevention Feature
  Configure High Profile User Exception List
  Configure Advanced Spam Prevention Approved/Blocked Sender List
  Enable Smart Protection Network Feedback
How to View Writing Style Detection Result On CAS Admin Console
How to Troubleshoot With Writing Style Issue
  False Negative Issue
  False Positive Issue
FAQ
About This Book
Preface
Welcome to the Trend Micro Cloud App Security Writing Style Best Practice Guide. This document serves
as a guideline to help customers develop a set of best practices when using TMCAS Writing Style as an
additional layer of prevention against BEC attacks.
This document provides in-depth information about the CAS Writing Style architecture, configuration,
and troubleshooting.
Authors
This Best Practice Guide is written by Nickel Xu. Additional information was provided by members of the
TMCAS Engineering groups, including Iceking Chen, Jing Liu, and Zhi Zhang, as well as the TMASE team.
TMCAS Writing Style Introduction
Cloud App Security integrates with Trend Micro's Writing Style DNA technology to scan the English email
messages of a desired individual, learn their particular writing style, and generate a Writing Style
model. It then compares the model against incoming English email messages in your organization’s
protected mailboxes that claim to be sent from that individual, in order to detect probable BEC attacks.
TMCAS integrates TMASE (Trend Micro AntiSpam Engine) to implement the Writing Style analysis feature. It
gets the mails from the “Sent Items” folder of the specific High Profile User (HPU) to build the Writing
Style model.
For example:
The admin adds the CEO to CAS’s high-profile users list and enables Writing Style prevention.
First, CAS gets the mail metadata from the CEO’s Sent Items folder and sends it to the Writing Style
backend to build the Writing Style model.
After CAS finishes building the training model, Writing Style detection for the CEO is ready.
When a hacker uses the CEO’s name as the display name of an external mailbox to attack internal users,
the attack can be detected by CAS’s Writing Style.
Additionally, each Writing Style training model is unique and associated with the customer’s license
and the mailbox.
How TMCAS Trains the Writing Style Model
The Training logic in TMCAS
TMCAS gets mails from the High Profile User’s “Sent Items” folder to build the Writing Style model.
If it is the first time CAS trains on a specific user, CAS gets around 800 mails at most from
“Sent Items” for training.
If it is not the first time and the Writing Style model is Not Completed, CAS gets the latest mails
for training about every 2 hours.
If it is not the first time and the Writing Style model is Completed, CAS gets the latest mails
for training about every 24 hours.
How to Configure TMCAS Writing Style Prevention Feature
1. Add the High Profile User (HPU).
Add the HPU one by one:
CAS Admin Console > Administration > High Profile Users > Add User
Add the HPU from a group:
CAS Admin Console > Administration > Global Settings > High Profile Users > Add From Group
2. Enable Writing Style.
CAS Admin Console > Exchange Online Policies > Select the policy > Advanced Spam Protection >
Writing Style Analysis for BEC
Then check “Enable Writing Style analysis” to enable Writing Style scanning.
3. Configure the Scan Action.
The action can be configured as “Tag Subject”, “Add disclaimer” or “Pass”.
Tag Subject
Add Disclaimer
4. Notify supposed sender (Optional)
CAS supports two ways to notify the supposed sender.
Attach the original email message
Allow the supposed sender to provide feedback
5. Notify administrator (Optional).
6. Save the settings to finish the TMCAS Writing Style configuration.
Configure High Profile User Exception List
To reduce noise from the Writing Style function, CAS lets the admin maintain an HPU exception list.
Add the HPU’s personal email address, or a system email address that generates notifications to the
HPU, to the exception list to reduce false positive detections.
CAS Admin Console > Administration > Global Settings > High Profile User Exception List
Configure Advanced Spam Prevention Approved/Blocked Sender List
In addition to the exception list for the Writing Style function, the general approved sender list also
works with personal email addresses and system-generated email addresses, and can help reduce false
positive incidents. This setting applies to the whole of CAS’s advanced spam prevention feature.
CAS Admin Console > ATP | Exchange Online Policy > Advanced Spam Protection > Approved/Blocked
Sender list
Enable Smart Protection Network Feedback
It is recommended to encourage the customer to enable this function, which allows Trend Micro to
collect suspicious email information to improve its detection capabilities.
CAS Admin Console > ATP | Exchange Online Policy > Advanced Spam Protection
How to View Writing Style Detection Result On CAS Admin Console
From the Security Logs
CAS Admin Console > Logs > Security Risk Scan
From the Dashboard
Top 5 Writing Style Analysis Violations by Recipient
Top 5 Targeted High Profile Users
How to Troubleshoot With Writing Style Issue
False Negative Issue
If a mail with a Writing Style violation is not detected, it is recommended to check the following
items:
1. Whether the training model of the HPU is completed.
2. The HPU configured with the mail address should have the same or a similar display name as the
display name of the sender.
3. Advanced spam prevention and Writing Style must be enabled. In addition, the policy must
be applied to the target recipient.
4. The sender address of the mail should not be in the exception list.
5. The sender address is not in the advanced spam prevention approved sender list.
6. The mail sender is not in the internal domain.
7. If all of the above are OK, please collect the mail sample and contact Trend Micro Technical
Support for further help.
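The false-negative checklist above, written out as a triage helper. This is an added example, not Trend Micro code: the `WsSettings` fields, the function name and the sample addresses are hypothetical, and display names are compared exactly (case-insensitively, per the FAQ) because the guide does not define how "similar" names are matched.

```python
from dataclasses import dataclass, field
from email.utils import parseaddr

@dataclass
class WsSettings:
    """Hypothetical snapshot of the settings the checklist refers to."""
    hpu_model_completed: dict          # HPU display name -> model completed?
    asp_enabled: bool                  # advanced spam prevention enabled
    ws_enabled: bool                   # Writing Style analysis enabled
    policy_recipients: set             # mailboxes the policy is applied to
    exception_list: set = field(default_factory=set)
    approved_senders: set = field(default_factory=set)
    internal_domains: set = field(default_factory=set)

def _norm(name):
    # Case-insensitive per the FAQ; "similar" names are NOT modelled here.
    return " ".join(name.lower().split())

def triage_false_negative(from_header, recipient, s):
    """Return [(checklist item, reason)] explaining why nothing was detected."""
    display, addr = parseaddr(from_header)
    addr = addr.lower()
    models = {_norm(n): done for n, done in s.hpu_model_completed.items()}
    hits = []
    if _norm(display) not in models:
        hits.append((2, "display name matches no configured HPU"))
    elif not models[_norm(display)]:
        hits.append((1, "HPU model is not completed yet"))
    if not (s.asp_enabled and s.ws_enabled) or recipient.lower() not in s.policy_recipients:
        hits.append((3, "feature disabled or policy not applied to recipient"))
    if addr in s.exception_list:
        hits.append((4, "sender is in the HPU exception list"))
    if addr in s.approved_senders:
        hits.append((5, "sender is in the approved sender list"))
    if addr.rpartition("@")[2] in s.internal_domains:
        hits.append((6, "sender is in an internal domain"))
    return hits or [(7, "all checks pass: collect the sample for support")]

# Constructed sample data (not from the guide).
SAMPLE = WsSettings(
    hpu_model_completed={"Jane Doe": True, "John Roe": False},
    asp_enabled=True, ws_enabled=True,
    policy_recipients={"cfo@example.com"},
    exception_list={"jane.personal@example.net"},
    approved_senders={"alerts@example.org"},
    internal_domains={"example.com"},
)

if __name__ == "__main__":
    for item, why in triage_false_negative('"Jane Doe" <jd@example.com>', "cfo@example.com", SAMPLE):
        print(item, why)
```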
False Positive Issue
If a mail is detected by CAS Writing Style as a false positive, it is recommended to check the items
below:
1. If it is an HPU’s personal email, a trusted system-generated notification mail, or a trusted
external mail sender with the same display name as the HPU, you can add the mail sender address to
the HPU Exception List.
2. For further concerns about the samples, please collect them and contact Trend Micro
Technical Support for further help.
FAQ
Is Writing Style available only in the CAS and SMEX products?
Yes. Currently it is only available in CAS and SMEX.
What will happen if the user moves all sent items to the PST?
Currently CAS only reads mail from Sent Items.
If the Writing Style model is not completed, CAS will read the latest mails in Sent Items about every
2 hours.
If the Writing Style model is completed, CAS will read the latest mails in Sent Items about every 24
hours.
Is the first name & last name case sensitive?
No. It is not case sensitive.
Do we have a list of the metadata that we share back with our backend?
The following will be shared with the backend:
(1) From address (Train & Scan)
(2) Subject (Train & Scan)
(3) Features of mail body: TMASE will get the features of the mail body. (Train & Scan)
(4) Mail message ID (Currently CAS only uploads this metadata when it does a scan)
How does WS meet the GDPR policy?
CAS has reviewed the Writing Style feature with the legal team, and the legal team confirmed it is
compliant.
To which email address will the feedback button be sent? Reply to? Or display email?
The feedback button is just a URL. After it is clicked, the feedback is submitted to the TMASE backend.
The URL contains the information that identifies the scanned mail in the Writing Style backend.
How many users are supported by HPU?
A maximum of 500 high profile users is supported.