Reconnex’s storage of all traffic (as much as the 1.5TB disk space in each appliance) benefits forensic investigations. For
example, you can search past violations, not just for a particular sender, recipient, or IP address, but also for all objects
in the same classification, even if they were not involved in past violations. This data store is also handy for verifying
that test policies behave as expected before they are applied to live traffic.
Reconnex iGuard does a fine job of analyzing traffic in real time and has the uncommon ability to store everything to disk
for post-analysis. Policies address all necessary compliance and data-security needs. Add in high accuracy and incident workflow,
and the solution gets high all-around marks. Keeping it from the top spot is the lack of certain features planned for future
releases: inline blocking and quarantine (both currently accomplished by integrating with third-party applications) and
improved usability.
Tablus Content Alarm NW 2.1
Tablus’s turnkey solution has a lot in its favor, including strong structured content analysis augmented by integrated ILM
(information lifecycle management), which automatically maintains a catalog of confidential documents, and by multiple scanning
engines, which review unstructured data for compliance issues. The system lacks formal policies for specific legislation,
but you can comply with regulations by building pattern-matching and related rules. E-mail blocking and quarantine features
will be added later this summer.
The solution has three standard components. Content Alarm Controller, aka the S-200, is the main appliance. It maintains information
about confidential data and content transmission policies. There’s also a Windows-based application for configuring the controller,
and crawlers that run on other systems to automate content classifications. The enterprise edition I tested adds a fourth
component: sensors, called S-100s, placed at network exit points. These sensors scale Content Alarm for larger enterprises.
Appliances run a hardened Linux with minimal services. After connecting them to my network and providing some basic information,
I began immediately using the Administrator Console to identify protected content and define audit policies and notifications.
This solution stresses accuracy, accomplished in several ways. First, Content Alarm infers protocols based on the data it
senses, rather than on a specific port, so you don’t have to specify, for example, FTP on port 21.
For unstructured content scanning, Tablus’ linguistic analyzer augments monitoring of attributes, keywords, phrases, and signatures.
More than 300 document types are inspected along with messages. Even without tuning the system, scan results were good;
only a few messages containing unique keywords slipped through.
Fine-tuning the included policies and creating new ones isn’t straightforward; you need to wade through several forms and
pop-up windows. Yet you get a lot of flexibility. It didn’t take me long to create pattern matches for Social Security numbers
or to look for file attachments of more than a specified size. At this stage I was confident that almost all the remaining
bad communications were recognized.
Significantly, Content Alarm further bolsters accuracy with a file crawler — an application that runs on any file server and
watches directories of documents, source code, databases, or other data you don’t want transferred out of your network. Once
the system spots this “DNA” during a crawl, it registers the signatures on the main controller.
The crawling process noticed specific structured data, Tablus-identified source code, and other proprietary data that otherwise
went unnoticed. Moreover, a document such as a financial press release might be confidential one day and moved to a public
folder the next morning. Automatic crawling picks up this status change, eliminating the need for manual document lifecycle
management, which lowers the product's TCO (total cost of ownership).
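The crawl-and-register cycle described above, as an added illustration that is not Tablus code: a crawler fingerprints every file under the confidential folders with overlapping word shingles, rebuilds the registry on each run so a document moved to a public folder drops out, and an outbound message is flagged when enough of its shingles are registered. The folder names, sample documents, shingle size and threshold are constructed assumptions.

```python
import hashlib
import re

SHINGLE_WORDS = 5       # words per shingle (assumed value, not a Tablus setting)
MATCH_THRESHOLD = 0.3   # fraction of a message's shingles that must be registered

def shingles(text):
    """Hashes of overlapping word n-grams, so a pasted paragraph still matches
    even when the rest of the document is absent."""
    words = re.findall(r"\w+", text.lower())
    return {hashlib.sha256(" ".join(words[i:i + SHINGLE_WORDS]).encode()).hexdigest()
            for i in range(max(len(words) - SHINGLE_WORDS + 1, 1))}

def crawl(tree, confidential_roots):
    """Build the controller registry (shingle hash -> owning documents) from the
    current file tree. It is rebuilt on every crawl, so a document that has been
    moved out of a confidential folder is dropped without manual lifecycle work."""
    registry = {}
    for path, content in tree.items():
        if any(path.startswith(root) for root in confidential_roots):
            for h in shingles(content):
                registry.setdefault(h, set()).add(path)
    return registry

def check_outbound(message, registry):
    """Return (violation, matched_fraction, matching documents) for a message
    seen at a network exit point."""
    msg = shingles(message)
    hits = [h for h in msg if h in registry]
    docs = set().union(*(registry[h] for h in hits)) if hits else set()
    fraction = len(hits) / len(msg) if msg else 0.0
    return fraction >= MATCH_THRESHOLD, round(fraction, 2), sorted(docs)

# Constructed sample data: a press release that is confidential on day 1 and
# published to a public folder on day 2, plus an e-mail quoting most of it.
PRESS_RELEASE = ("Quarterly results: revenue grew 12 percent to 4.1 million dollars, "
                 "driven by strong demand for the new product line in Europe.")
NEWSLETTER = "Our newsletter covers upcoming community events."
TREE_DAY1 = {"/confidential/press_release.txt": PRESS_RELEASE, "/public/newsletter.txt": NEWSLETTER}
TREE_DAY2 = {"/public/press_release.txt": PRESS_RELEASE, "/public/newsletter.txt": NEWSLETTER}
OUTBOUND = ("FYI from a colleague: revenue grew 12 percent to 4.1 million dollars, "
            "driven by strong demand for the new product line in Europe. Cheers")

if __name__ == "__main__":
    print("day 1:", check_outbound(OUTBOUND, crawl(TREE_DAY1, ["/confidential/"])))
    print("day 2:", check_outbound(OUTBOUND, crawl(TREE_DAY2, ["/confidential/"])))
```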
On the management side, I received e-mail alerts about policy violations. After logging in to the application as an auditor,
I reviewed event details, including message body, attachments, originator’s MAC (media access control) address, security policy
information, and markup, which clearly showed why the transmission violated policy. Content Alarm places these results in
an encrypted, access-controlled repository for later forensic needs. A planned update will allow reviewers to perform these
tasks from a browser.