Email Data Loss Prevention (DLP) Public Beta

Overview

Email Data Loss Prevention (DLP) is a cybersecurity strategy designed to prevent the unauthorized exposure of sensitive information via email. 

Sublime's email DLP solution empowers organizations to safeguard sensitive data such as personally identifiable information (PII), protected health information (PHI), payment card industry (PCI) data, financial reports, intellectual property, and business secrets from accidental disclosure, malicious leaks, or unauthorized access.

Use cases

For customers that are interested in blocking messages from delivery, Sublime's email DLP capabilities offer an easily-deployed solution that takes minutes to set up with no MX record changes.

Some common reasons we see customers opting for an email DLP solution include:

Preventing data breaches and insider leaks/threats

  • Accidental data loss: Employees may mistakenly send sensitive data (e.g. customer PII, financial data, trade secrets) to the wrong recipient.
  • Malicious insider activity: Employees could attempt to exfiltrate sensitive data intentionally before leaving the company.
  • External threats leveraging insiders: Attackers might compromise accounts and try to send sensitive data out of the organization.

Use Sublime to detect and block these risky outbound emails, reducing the chance of data exfiltration.

Regulatory and compliance requirements

  • Prevent regulated data from leaving the organization without encryption or authorization to meet industry-specific regulations (e.g. HIPAA, PCI DSS, GDPR, CCPA, SOX).
  • Generate auditable logs and reports, proving compliance during security audits.

Protecting Intellectual Property (IP)

  • Monitor and block proprietary code, product designs, strategy documents, and similar material that is leaving the organization via email.
  • Scan outgoing mail the same way that you scan incoming mail using Sublime's DLP Rules.


Enable by mailbox

Email DLP can be enabled for any subset of your end-user mailboxes — from 1 mailbox to your entire tenant. This is valuable for testing DLP capabilities on a small subset of mailboxes before rolling out to all mailboxes, and for customers that only want coverage for a subset of mailboxes.

Getting started

Getting email DLP set up in your environment is straightforward — with transport/routing rules in your email provider, we can begin DLP processing in minutes! Because email DLP places Sublime in the critical path for message analysis and remediation, Sublime provides complimentary white-glove enablement to all interested customers.

To get started with email DLP in your environment, let anyone on your Sublime account team know that you’re interested!

We recommend that all organizations use a phased rollout approach, starting with a testing phase in non-critical mailboxes before moving to an active rollout phase with more/all mailboxes.

Technical Implementation

To set up email DLP, your Sublime team will set up a series of transport or routing rules alongside a super-admin from your organization. The process is dependent on your email provider:

  • Microsoft 365 customers need to configure connectors and skiplisting, and add transport rules. Microsoft 365 customers can alternatively run a script that configures these settings automatically.
  • Google Workspace customers need to add a mail route, an inbound gateway, and a compliance rule in Google Workspace.

The Sublime team will walk you through testing email DLP and setting up alerts for message delays and failures.

Enabling DLP

Passive-only

All Enterprise and Email DLP customers can passively monitor for data loss by simply running Sublime's DLP Rules without the Block Delivery remediation Action.

Generally, we recommend that organizations interested in email DLP run some DLP Rules in this way to understand the capabilities.

Enabling remediation

You can block the delivery of a message to the intended recipient with the Block Delivery Action on any DLP Rule or an Automation with the trigger "DLP Rule matched".

  • Block Delivery cannot be added to Detection Rules. Only DLP Rules are eligible for the Block Delivery Action.
  • Block Delivery can also be added to Automations with the trigger DLP Rule Matched. You cannot add the DLP blocking Action if that trigger is not selected.
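The passive-only and remediation modes above differ only in the Action attached to a matching rule: the detection is the same, but in passive mode a match produces an alert while in block mode it stops delivery. The Python below is an added illustration of that distinction and is not Sublime's code or MQL; it models a single outbound DLP rule (PII in a message to an external recipient) with a `block_delivery` switch. The internal domain, the sample messages, and the detector patterns are constructed assumptions. It goes slightly beyond the text by showing two practical details of such a rule: validating card numbers with the Luhn checksum to avoid flagging every 16-digit run, and masking findings so the alert log itself does not become a second copy of the sensitive data.

```python
from __future__ import annotations

import re
from dataclasses import dataclass

# Assumption: the organization's own domain(s); anything else counts as external.
INTERNAL_DOMAINS = {"example.com"}

# US SSN with the usual structural exclusions (no 000/666/9xx area, no 00 group, no 0000 serial).
SSN_RE = re.compile(r"\b(?!000|666|9\d{2})\d{3}-(?!00)\d{2}-(?!0000)\d{4}\b")
# 13-19 digits with optional single space/dash separators; Luhn filters false positives below.
CARD_RE = re.compile(r"\b\d(?:[ -]?\d){12,18}\b")


@dataclass
class Message:
    sender: str
    recipients: list[str]
    subject: str
    body: str


@dataclass
class Verdict:
    rule: str
    matched: bool
    findings: list[str]
    action: str  # "none" (no match), "alert" (passive-only), or "block" (Block Delivery)


def luhn_ok(digits: str) -> bool:
    """Luhn mod-10 check: true for a structurally valid payment card number."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def find_pans(text: str) -> list[str]:
    """Return card-like digit runs that also pass Luhn, separators stripped."""
    hits = []
    for m in CARD_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group())
        if 13 <= len(digits) <= 19 and luhn_ok(digits):
            hits.append(digits)
    return hits


def external_recipients(msg: Message) -> list[str]:
    return [r for r in msg.recipients
            if r.rsplit("@", 1)[-1].lower() not in INTERNAL_DOMAINS]


def evaluate(msg: Message, block_delivery: bool) -> Verdict:
    """Apply one DLP rule: PII sent to any external recipient.

    block_delivery=False corresponds to running the rule without the Block
    Delivery Action (passive monitoring); True corresponds to blocking.
    """
    text = f"{msg.subject}\n{msg.body}"
    # Findings are masked so the alert/audit record does not leak the data it found.
    findings = [f"ssn:***-**-{s[-4:]}" for s in SSN_RE.findall(text)]
    findings += [f"pan:{'*' * (len(p) - 4)}{p[-4:]}" for p in find_pans(text)]
    matched = bool(external_recipients(msg)) and bool(findings)
    if not matched:
        action = "none"
    elif block_delivery:
        action = "block"
    else:
        action = "alert"
    return Verdict(rule="pii_to_external_recipient", matched=matched,
                   findings=findings, action=action)


# Constructed sample messages (not real data).
SAMPLES = [
    Message("alice@example.com", ["bob@example.com"], "Onboarding",
            "New hire SSN 123-45-6789, please file with HR."),            # internal only
    Message("alice@example.com", ["vendor@partner.test"], "Client record",
            "Client SSN 123-45-6789, card 4111 1111 1111 1111 on file."),  # PII leaving org
    Message("alice@example.com", ["vendor@partner.test"], "Shipping",
            "Your order 4111 1111 1111 1112 has shipped."),                # fails Luhn, no PII
]

if __name__ == "__main__":
    for mode in (False, True):
        for msg in SAMPLES:
            v = evaluate(msg, block_delivery=mode)
            print(f"block_delivery={mode} to={msg.recipients} -> {v.action} {v.findings}")
```

Running the block prints each sample under both modes; only the second message produces findings, and its action flips from `alert` to `block` when the remediation switch is on, which is the whole difference between the two rollout phases described above.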

Install DLP Rules

You can write any number of DLP Rules in addition to the Sublime DLP Rule Feed that's available for installation. To set up the DLP Feed, you'll want to fill in the Feed parameters as follows:

  • Type: Public
  • Feed name: Sublime beta DLP Feed (or whatever you'd like!)
  • Git URL: https://github.com/sublime-security/sublime-rules
  • Git branch: main
  • File filter for MQL DLP Rule files: dlp-discovery-rules/*.yml