Avanan: Partner Deployment Guide - Initial Setup Call

Description

*** NOTICE ***

  • Documents here contain information on how to complete an Avanan POC/deployment for a customer.
  • This guide contains examples ONLY, which you can tailor to fit your needs.

Tenant Creation

Creating Tenant

Do not create the tenant until you are ready to set it up, as doing so starts the POC counter!

[Screenshot: Tenant Creation]

  1. Click the BLUE Add Tenant button and fill in the following information:
    1. MSP: Select the applicable MSP from the drop-down.
    2. Email Address: Fill in the MSP email address.
    3. Tenant: This will be the URL of the tenant. It can be different from any other field.
    4. Name: Name of the admin for this tenant.
    5. Phone: Enter the partner’s phone number.
    6. Company: Enter the Company Name for this tenant.
    7. Country: Client’s physical location.
    8. Region: Select the applicable region.
    9. Click Save

  2. The tenant will take a couple of minutes to provision. Once its status on the right-hand side changes from Creating to Active, you can click into it.

Tenant Configuration

Setting Up SaaS Applications

  • SaaS Applications are the products Avanan integrates with: O365, GSuite, OneDrive, etc.
  • During the initial call, we will help set up 1 SaaS application (normally 365 or GSuite email); however, customers are free to set up as many SaaS applications during the trial as they would like.

The first time you log into a tenant, you will be presented with the welcome page. Follow the below steps:

[Screenshot: Let’s Get Started]

  1. Click the BIG Let’s Get Started button; you will be taken to the SaaS Selection page.

  2. Click Start for the applicable mail service and follow the steps in one of the sections below to set up the SaaS App.

Microsoft Office 365

  1. Follow the Avanan Office 365 Email - Onboarding page

Google GSuite

  1. Follow the Avanan: Gmail Install Process Page

Policy Setup and Configuration

The policies below need to be set up for every SaaS application integrated with Avanan, but for now we will set up the different policies for email protection.

Threat Protection Policy

[Screenshot: Threat Protection Policy]

Edit the default Threat Protection policy and configure it according to the best practices below:

  1. Protection Mode: Monitor Only (48hrs to allow Rules and Connectors to be configured).
  2. Scope: All Users and Groups
  3. Alerts:
    1. Alert Recipient about Malware: Enable
    2. Send Email alert to: Enter email that will receive alerts for this policy.
    3. Send email alert to admin(s) about malware: Enable and if different than the default admin user, select users that will receive these alerts for this policy.
    4. Send email alert to admin(s) about phishing: Enable and if different than the default admin user, select users that will receive these alerts for this policy.
    5. Send email notifications to Admin on blocklisted items: Enable
    6. Send email notifications to User on blocklisted items: Enable

DLP

Only if the tenant is licensed for Full Suite protection (Tier 3)

[Screenshot: DLP]

Create a new “DLP” policy and configure it according to the best practices below:

  1. Protection Mode: Monitor Only
  2. Scope: All Users and Groups
  3. DLP Criteria
    1. DLP Categories: Select All
    2. Sensitivity Level: High (hit count >2)
  4. Severity: Auto
  5. Alerts
    1. Send email alert to admin(s): Enable
    2. Send Email alert to: Enter email that will receive alerts for this policy.
    3. Alert Sender: Enable

Additional/Other SaaS Applications

Other SaaS applications (Teams, OneDrive, SharePoint, etc.) can be set up during the POC. They will need the same Detect/Monitoring Only policies set up as above.

There should be Threat Protection & DLP policies set up for every SaaS application connected to Avanan.


Configure Security Engine Settings

On the Configuration → Security Engines page, configure the following engine settings:

Smart DLP

Only if the tenant is licensed for Full Suite protection (Tier 3)

[Screenshot: Smart DLP Recommendations]

  1. Enable Unique detections only

Smart-Phish

[Screenshot: Smart-Phish Recommendations]

Phishing Confidence Level

  • Confidence level is how sure Avanan is that a message is phishing or spam
  • The higher the Confidence Level, the fewer messages are flagged, but we are more confident in the ones that are
  • Recommendation: Medium

  • Change this only when dealing with large amounts of false positives; a higher level reduces the number of messages caught.

Detect nickname impersonations attempts from:

  • This setting determines which users receive nickname impersonation protection
  • Recommendation: Any internal User

  • For any legitimate impersonations, add just the domain to “Except when coming from domains”

Important/key-people group

  • This section is used if you want to define a specific group/people

  • This isn’t needed if using “Any Internal Users”

When a nickname impersonation is detected

  • Recommendation: Trigger “Phishing” workflow

  • Recommendation: Enable the following:
    • Detect impersonation attempts only for human names
    • Detect impersonation attempts only from new/first-time sender
    • Detect impersonation to disabled accounts
    • Detect impersonation to deleted accounts
    • Include suspected self-impersonation in impersonation-detection algorithm
    • Allow end users to whitelist senders they trust via in-mail link
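The settings above describe a display-name (nickname) impersonation check: an inbound message whose From display name matches an internal user while the sending address is external, with exceptions for trusted partner domains and an option to only consider first-time senders. The following is an added example written for this guide, not Avanan’s own code or algorithm, that shows the shape of such a check. The directory, domain lists, sender history and messages are constructed sample data; the “human names only” filter is not modelled, and the handling of disabled/deleted accounts (flag impersonation of them or not) is an assumption about what those toggles mean.

```python
"""Added illustration (not Avanan's code) of a nickname-impersonation check:
flag an inbound message whose From display name matches an internal user while the
sending address is external, unless the sender domain is on the exception list.
All directory entries, domains and messages below are constructed sample data."""
import re
import unicodedata
from dataclasses import dataclass
from typing import List, Optional, Set


@dataclass(frozen=True)
class InternalUser:
    name: str
    email: str
    status: str = "active"      # "active", "disabled" or "deleted"


@dataclass(frozen=True)
class Message:
    display_name: str
    sender: str                 # address in the From header
    recipient: str


def normalize_name(name: str) -> str:
    """Canonical form for comparing display names: strip accents and punctuation,
    lowercase, and sort the tokens so "Doe, Jane" and "Jane Doe" compare equal."""
    decomposed = unicodedata.normalize("NFKD", name)
    ascii_only = "".join(ch for ch in decomposed if not unicodedata.combining(ch))
    tokens = re.sub(r"[^a-z ]", " ", ascii_only.lower()).split()
    return " ".join(sorted(tokens))


def domain_of(address: str) -> str:
    return address.rsplit("@", 1)[-1].lower()


def detect_nickname_impersonation(
    msg: Message,
    directory: List[InternalUser],
    internal_domains: Set[str],
    except_domains: Set[str],       # "Except when coming from domains"
    seen_senders: Set[str],         # addresses that have mailed this tenant before
    first_time_only: bool = True,   # "only from new/first-time sender"
    include_disabled: bool = True,  # assumption: "Detect impersonation to disabled accounts"
    include_deleted: bool = True,   # assumption: "Detect impersonation to deleted accounts"
) -> Optional[str]:
    """Return a finding string if msg impersonates an internal user, else None."""
    sender_domain = domain_of(msg.sender)
    if sender_domain in internal_domains:
        return None  # internal senders are the job of the SPF/DMARC checks, not this one
    if sender_domain in except_domains:
        return None  # legitimate impersonation, e.g. a partner's ticketing system
    if first_time_only and msg.sender.lower() in seen_senders:
        return None  # known sender: not a first-time impersonation candidate
    key = normalize_name(msg.display_name)
    if not key:
        return None
    for user in directory:
        if user.status == "disabled" and not include_disabled:
            continue
        if user.status == "deleted" and not include_deleted:
            continue
        if normalize_name(user.name) == key:
            # Self-impersonation: the impersonated name belongs to the recipient.
            kind = ("self-impersonation" if user.email.lower() == msg.recipient.lower()
                    else "impersonation")
            return f"{kind} of {user.email} by {msg.sender}"
    return None


# Constructed sample directory and tenant settings (not real accounts).
DIRECTORY = [
    InternalUser("Jane Doe", "jane.doe@corp.example"),
    InternalUser("Sam Lee", "sam.lee@corp.example", status="disabled"),
]
INTERNAL_DOMAINS = {"corp.example"}
EXCEPT_DOMAINS = {"partner.example"}
SEEN_SENDERS = {"newsletter@vendor.example"}


def check(display_name: str, sender: str,
          recipient: str = "sam.lee@corp.example") -> Optional[str]:
    """Run the check against the constructed settings above."""
    return detect_nickname_impersonation(
        Message(display_name, sender, recipient),
        DIRECTORY, INTERNAL_DOMAINS, EXCEPT_DOMAINS, SEEN_SENDERS)


if __name__ == "__main__":
    print(check("Doe, Jane", "jane.doe.ceo@webmail.example"))  # impersonation of jane.doe@corp.example
    print(check("Jane Doe", "billing@partner.example"))        # None: excepted partner domain
    print(check("Sam Lee", "sam@webmail.example"))             # self-impersonation of sam.lee@corp.example
```

The name normalisation is what makes the “Except when coming from domains” exception matter: once punctuation, accents and word order are discarded, a partner’s helpdesk that legitimately sends as an internal contact will match just like an attacker would, so the exception list (by domain, as the guide advises) is what separates the two.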

SMTP host/s acting as Mail Transfer Agent/s (MTA)

  • Recommendation: Enable the following:
    • Enable phishing protection for disabled email accounts

When a newly registered domain sends an email, apply the following workflow:

  • Recommendation: Trigger “Suspected Phishing” workflow.

Minimum age of newly registered domain (in days)

  • Recommendation: 15

When the sender domain resembles the domain of a partner

  • Recommendation: “Consider as an indicator in the standard Anti-Phishing inspection”.
    • “Trigger Suspected Phishing workflow” is a good initial gauge if you eventually want the more secure “Phishing” workflow.
    • “Trigger Phishing workflow” is more aggressive and could lead to false positives initially.

Email Bomb - Workflow

  • Recommendation: “Evaluate each email separately for spam/phishing”
    • If the organization has experienced bombing campaigns before, you can just trigger the spam workflow to check for any false positives.

Email Bomb - Threshold

  • Recommendation: 50
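The threshold above is only meaningful together with a time window: an email bomb is a burst of deliveries to one mailbox, not a daily total. The example below is added for this guide (it is not Avanan’s detection code) and shows the sliding-window count such a threshold implies, run over constructed delivery-log lines. The guide states the threshold (50) but not the window, so the ten-minute window and the log-line format are assumptions.

```python
"""Added example (not Avanan's code) of an email-bomb threshold check: count the
messages each recipient receives inside a sliding time window and flag the
recipient the first time the count reaches the threshold.  The 10-minute window
and the log format are assumptions; the log lines are constructed."""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta
from typing import Dict, Iterable, List

THRESHOLD = 50        # recommended value from the guide
WINDOW_SECONDS = 600  # assumption: the guide does not state the window

# Constructed log line format: "<ISO timestamp> from=<addr> to=<addr>"
LINE_RE = re.compile(r"^(\S+) from=(\S+) to=(\S+)$")


def detect_email_bombs(lines: Iterable[str], threshold: int = THRESHOLD,
                       window_seconds: int = WINDOW_SECONDS) -> Dict[str, str]:
    """Return {recipient: timestamp} for each recipient whose inbound count within
    the window first reaches `threshold`.  Lines are expected in time order."""
    window = timedelta(seconds=window_seconds)
    recent: Dict[str, deque] = defaultdict(deque)
    flagged: Dict[str, str] = {}
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # not a delivery record
        ts = datetime.fromisoformat(m.group(1))
        rcpt = m.group(3).lower()
        q = recent[rcpt]
        q.append(ts)
        while q and ts - q[0] > window:   # drop deliveries that fell out of the window
            q.popleft()
        if len(q) >= threshold and rcpt not in flagged:
            flagged[rcpt] = ts.isoformat()
    return flagged


def build_sample_log() -> List[str]:
    """Constructed sample: 55 sign-up confirmations to one mailbox every 5 seconds
    (a bomb), plus 55 deliveries to another mailbox every 15 seconds, which never
    exceeds 41 messages in any 10-minute window and so stays under the threshold."""
    start = datetime(2024, 1, 9, 10, 0, 0)
    lines = []
    for i in range(55):
        t = (start + timedelta(seconds=5 * i)).isoformat()
        lines.append(f"{t} from=noreply{i}@shop{i}.example to=alice@corp.example")
    for i in range(55):
        t = (start + timedelta(seconds=15 * i)).isoformat()
        lines.append(f"{t} from=colleague{i}@corp.example to=bob@corp.example")
    lines.append("malformed line without delivery fields")
    return sorted(lines)  # ISO timestamps sort chronologically; the detector expects that


if __name__ == "__main__":
    print(detect_email_bombs(build_sample_log()))  # {'alice@corp.example': '2024-01-09T10:04:05'}
```

Once a recipient is flagged, the workflow choice in the previous section applies to the burst: “evaluate each email separately” keeps inspecting every message in the flood on its own merits, while the spam workflow treats the burst as a unit, which is why the guide reserves the latter for organizations that have already been bombed.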

When emails fail DMARC with action reject/quarantine

  • An email fails DMARC when neither SPF nor DKIM establishes the identity of the sender
  • A CSV of failed DMARC for a specific domain can be requested from Support
  • Recommendation: “No Extra Action”
    • Utilize the “Trigger Suspicious workflow” option while addressing DMARC failures

Secured (encrypted) emails

  • Triggers the following workflow for incoming emails, where in order to see the content of the email, the user needs to click a link and authenticate
    • Recommendation: Trigger Suspected Phishing workflow for recurring first-time senders
    • “Recurring first-time senders” are senders detected as sending multiple emails in which they are considered first-time senders, across all Check Point customers.

Mark incoming emails with encrypted attachment as

  • Recommendation: Enable the following:
    • Enable phishing detection for internal-to-internal emails
    • Follow file sharing links

Mark emails from your domain(s) as phishing when

  • This only applies to your domains / the tenant domains
  • Hard Fail vs. Soft Fail
    • Depends on how the domain’s mail server is set up
    • Soft Fail usually means the message is sent to spam, while Hard Fail means the message should be discarded
    • Recommendation: “No Extra Action” to start.
      • SPF = Fail, only after all SPF issues have been addressed
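Two settings in this section hinge on how a receiver reads the tenant’s own DNS records: the DMARC setting above (an email fails DMARC when neither SPF nor DKIM authenticates the sender) and the SPF Hard Fail vs. Soft Fail distinction here. The following added example, written for this guide and not Avanan’s own code, shows both evaluations: classifying the `all` qualifier of an SPF record, and deriving the DMARC disposition (pass, none, quarantine or reject) from SPF/DKIM results and their alignment with the From domain. Organizational-domain matching is simplified to the last two DNS labels rather than the Public Suffix List, and the records and domains used are constructed.

```python
"""Added example (not Avanan's code): SPF hard/soft fail classification and DMARC
disposition from aligned SPF/DKIM results.  Organizational domain is approximated
by the last two labels (real receivers use the Public Suffix List); all records
and domains below are constructed."""
import re
from typing import Dict, Optional

SPF_ALL = {"-": "hardfail", "~": "softfail", "?": "neutral", "+": "pass", "": "pass"}


def spf_all_qualifier(spf_record: str) -> Optional[str]:
    """How the domain asks receivers to treat senders not listed in the record:
    '-all' -> hardfail (discard), '~all' -> softfail (usually accept, mark as spam)."""
    for term in spf_record.split():
        m = re.fullmatch(r"([-~?+]?)all", term, re.IGNORECASE)
        if m:
            return SPF_ALL[m.group(1)]
    return None  # no 'all' mechanism at all: the record says nothing about other senders


def parse_dmarc(record: str) -> Dict[str, str]:
    """Parse 'v=DMARC1; p=reject; aspf=r' into {'v': 'dmarc1', 'p': 'reject', 'aspf': 'r'}."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip().lower()
    return tags


def org_domain(domain: str) -> str:
    labels = domain.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])  # simplification; see module docstring


def aligned(auth_domain: str, from_domain: str, mode: str) -> bool:
    """DMARC identifier alignment: strict ('s') needs an exact match, relaxed ('r')
    accepts any subdomain of the same organizational domain."""
    if mode == "s":
        return auth_domain.lower() == from_domain.lower()
    return org_domain(auth_domain) == org_domain(from_domain)


def dmarc_disposition(from_domain: str, dmarc_record: str,
                      spf_result: str, spf_domain: str,
                      dkim_result: str, dkim_domain: str) -> str:
    """Return 'pass' when SPF or DKIM passed *and* is aligned with the From domain;
    otherwise the domain owner's requested policy from the p= tag."""
    tags = parse_dmarc(dmarc_record)
    if tags.get("v") != "dmarc1":
        raise ValueError("not a DMARC record")
    spf_ok = spf_result == "pass" and aligned(spf_domain, from_domain, tags.get("aspf", "r"))
    dkim_ok = dkim_result == "pass" and aligned(dkim_domain, from_domain, tags.get("adkim", "r"))
    if spf_ok or dkim_ok:
        return "pass"
    return tags.get("p", "none")


if __name__ == "__main__":
    # Constructed records for the tenant domain corp.example.
    print(spf_all_qualifier("v=spf1 ip4:203.0.113.0/24 include:_spf.mailer.example -all"))  # hardfail
    print(spf_all_qualifier("v=spf1 mx ~all"))                                               # softfail
    rec = "v=DMARC1; p=reject; adkim=s; aspf=r"
    print(dmarc_disposition("corp.example", rec, "pass", "mail.corp.example", "fail", ""))   # pass
    print(dmarc_disposition("corp.example", rec, "fail", "", "pass", "mail.corp.example"))   # reject
```

The last two calls illustrate why the guide says to start with “No Extra Action” and only tighten once SPF issues are resolved: the same legitimate mail server passes under relaxed SPF alignment but fails under strict DKIM alignment, so a misconfigured `adkim`/`aspf` or a forgotten sending host shows up as DMARC failures from the tenant’s own domain.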

Spam Confidence level

Recommendation: “High”

  • Match nicknames by email address
    • Useful for identifying someone trying to add another email address to the nickname field
    • Recommendation: Enable
  • Treat marketing emails as spam
    • Helpful for dealing with customers that receive large amounts of spam
    • Recommendation: Wait to enable this until it is confirmed that the customer still has issues with large volumes of spam after going Inline with Avanan

Anti-Malware

[Screenshot: Anti-Malware Recommendations]

  1. If you would like to manually choose the OS that Malware is emulated on, you may adjust here.

Anomaly Detection

[Screenshot: Anomaly Detection Recommendations]

  1. Configure the following Anomaly Detection settings:
    1. It is recommended NOT to enable Intra-Country geo-suspicious events as false positives can occur due to inaccurate 3rd party GEO-IP services.
      1. Note: Automatically block user is only available after Learning Mode has completed.

SmartVault

Only if the tenant is licensed for Full Suite protection (Tier 3)

Avanan supports either Microsoft or SmartVault for secure email transmission. For more information about Avanan’s DLP & email encryption, see our Avanan: Frequently Asked Questions (solutionsgranted.com) page.

The below settings are recommended when using SmartVault.

[Screenshot: SmartVault Recommendations]

  1. Email lifetime in days: 14
  2. Code expiration in minutes: 10
  3. Cookie expiration in days: 30
  4. Link expiration in hours: 10

SIEM Integration

This SIEM Integration is for partners that would like to send Avanan syslogs to an external SIEM.


Creating Tenant users (If needed)

  • Users at the tenant level will only be able to log into the tenant in which they were created using the unique Tenant URL.
  • An important consideration when creating users is whether they will be reviewing messages or not.
  • Any user that is expected to investigate malicious messages should have the option Allow drill-down into user data enabled

  • With this option enabled, users get the ability to view the body of the raw email as well as download the message from the “Email Profile” section

  • Having this enabled also shows the “AI textual analysis of the email body” section for the message, which is essential for understanding the “Text analysis” aspect of the AI model

  • This can be turned on at the MSP level; at the tenant level you can also restrict it so that user data is visible only when a Detection exists

To set up tenant users:

  1. From inside of the Tenant, navigate to the User Management page under System Settings and click the Create New User button at the top right-hand side.
  2. Fill in the user’s information, select the applicable permissions, and click Create.
  3. The user will receive an email from Avanan to create their password and log into their account.

Monitoring Mode

  • During the POC, all policies are set to Monitoring ONLY mode, which provides alerts about what Avanan finds and could potentially have stopped. In this mode it does not sit Inline in your mail flow and therefore does not affect it.

Learning Mode

  • Learning Mode is a set of automated processes that run right after onboarding to provide enhanced phishing detection from day one. Among other things, it analyzes 13 months of historical email correspondence to establish the baseline that optimizes phishing detection.
  • It is entirely automatic and is kicked off immediately after the connection to Microsoft 365 Mail or Google Gmail is established. This analysis takes minutes in small environments and up to one day in very large environments. - Enhanced Phishing Detection with Post-Onboarding Learning Mode (avanan.com)

Initial Scanning

  • After Learning Mode is complete, a post-onboarding retroactive scan will take place. This is only performed for customers with under 500 users.
  • Avanan starts collecting emails and metadata during the initial tenant integration. Over the next 24 hours, Avanan scans and collects information on as many historical emails as possible. For small environments this could be a year’s worth of email, but for larger environments it could be as little as a couple of days; it depends entirely on the size of the environment.

Wrap Up

At this point we need to let Avanan complete the initial scan and learn about the environment.

  1. While OTP with the customer, schedule a Mid-POC review call 3-5 business days from today.
    • That call will consist of:
      • Reviewing the findings
      • Converting to production licensing
      • Changing policies to protect mode
      • Answering any additional questions.

At this point you are done with the call unless the customer has additional questions.
