Lookout Cloud Security

January 25, 2022

min read

How a Financial Services Firm Protects Data Leakage with Lookout

Regardless of the industry or organization, corporate email is the main cause of unauthorized and accidental data leaks. Employees are constantly sending emails to external parties that may contain sensitive company data, personally identifiable information (PII), trade secrets and other intellectual property. 

Reducing the risk of sensitive data exposure via corporate email can be tricky, especially when a company migrates from on-premise email to a cloud-hosted email service, such as Gmail and Microsoft Exchange Online. The relocation of email to the cloud often leaves behind legacy support applications, such as data loss prevention (DLP) for email, deployed as on-premise hardware appliances. Integrating these local appliances with cloud email services creates complexity and inefficiencies.

One large financial services company realized this issue when they moved their email service to Microsoft Exchange Online and paired it with the Microsoft Outlook client. To complicate matters, their legacy email security solution from Symantec operated on-premise, making their email workflow far more convoluted. To simplify their network design and assure the efficiency of this new cloud-delivered model, they turned to the Lookout Secure Email Gateway (SEG).

Lookout SEG is hosted in the cloud and deployed as an SMTP-based mail transfer agent (MTA) gateway in line with the customer’s outbound cloud-hosted email from Exchange. Contrary to the proxy-based approach employed by others, our SEG requires no additional software components. Because it's built on our integrated platform, it employs all our embedded data protection elements, including modern DLP and Enterprise Digital Rights Management (EDRM), to protect information both inside and outside of the organization’s perimeter.  

The challenge of protecting data in email

This high-profile customer processes volumes of sensitive data for its financial market customers every day. The data can be shared with as many as 5,000 trusted web domains, often through an email exchange with multiple recipients at the same time. 

To operate effectively, they needed to secure sensitive data without increasing complexity or limiting productivity. But the move to Microsoft Exchange Online with the Microsoft Outlook client was not without its challenges.

Message traffic backhauling: clumsy and inefficient

While a cloud-hosted email solution offered many benefits, pairing it with their legacy on-premises email security solution from Symantec was both clumsy and inefficient. All outbound/egress email messages now had to travel from Microsoft Exchange Online in the cloud back to a central on-premises data center where security policies are enforced. Only then could the message be sent back through the cloud and onward to the internet. You don’t have to be a network engineer to realize this traffic backhauling approach puts a strain on expensive network elements. In addition, extending Symantec’s DLP capabilities meant purchasing even more legacy on-premises equipment, along with the requisite maintenance contract.

Securing email traffic with Lookout Secure Email Gateway (SEG)

Lookout SEG, hosted in cloud, was deployed as an SMTP-based MTA gateway in line with the customers outbound/egress cloud-hosted email from Exchange. With the shift to cloud-hosted email, one of the great attractions of the Lookout SEG was that it eliminated backhauling and dramatically simplified the clients network design. 

As part of the integrated Lookout Security Service Edge (SSE) platform, it also enables customers to apply unified DLP policies across every app or platform in use. Critical capabilities include:

Advanced data recognition and classification

The first step in securing email is to identify and classify sensitive data in the message. This is where Lookout really outperformed its competitors. As one of the more advanced DLP solutions on the market, we support almost 300 file types, embedded content and multiple languages. 

The platform scans deep into attached files to extract attachments and other objects. Take the case of an Excel spreadsheet embedded in a zipped Word file. In this example, our sophisticated DLP software looks into the zipped file, reads the Word document, analyzes it, finds and reads the Excel data and analyzes it. It’s also able to inspect various image types such as JPEG, BMP, PNG and SVG, as well as scanned documents such as PDFs for sensitive data using our Optical Character Recognition (OCR) software. In short, our integrated DLP acts as a guardrail that identifies sensitive data before it's unintentionally exposed.

Automatically block unauthorized recipients

One of this customer’s top concerns was the accidental forwarding of sensitive data to unauthorized third parties. To address this issue, the SEG enables IT security teams to define and enforce policies based not only on content inspection, but contextual analysis as well.

While content awareness involves peering into the message to inspect the actual data being sent, context includes external factors such as the sender and recipient, message header, size and format, which can be used to gain more intelligence about the content. Our ability to mix and match both content and context of the message provided another value proposition over competitive solutions.

Now, when an employee mistakenly sends an email to an unauthorized party, the SEG automatically removes that recipient before the message is sent without impacting other authorized parties. Questionable messages can be moved to a quarantine area for further analysis.

Enable secure productivity with a broad range of remediation options 

Accurately identifying sensitive data the customer needed to secure was only half the problem.  The ability to take remediation action was a critical requirement needed to strike the right balance between productivity and security. Lookout SEG offered extensive data remediation options, including:

  • Allow and log
  • Redact
  • Watermark
  • Block email
  • Replace with marker
  • Apply data classification labels
  • Quarantine
  • Encrypt
  • Add disclaimer
  • Mask 
  • Remove recipients

Make email security part of every SSE solution 

While the customer reviewed several vendors as part of its evaluation, the Lookout SSE solution was selected because of its native data protection capabilities that extend to email through the use of SEG. 

By implementing Lookout SEG, the customer was able to remove their on-premises email gateway appliance with confidence. Now their entire email workflow resides in the cloud. With business information traveling freely between employees and partners, the number of places sensitive files can spread expands, making it increasingly difficult to guarantee a safe information boundary. This customer was able to reduce the probability of a data breach and thus the business risk associated with it.

To learn more about the Lookout SEG and the broader SSE platform, contact us today.