This solution performed admirably in all the monitoring and blocking tests. First, the combination of exact data matching,
contextual analysis, and natural language processing caught SMTP e-mail with attachments as well as customer data in the body
of the message. I also liked the easy approach to adjusting a policy’s threshold. For instance, I allowed one mention of a
generic keyword to pass without an alert, cutting down on false positives.
Second, HTTP content monitoring detected financial data sent to an outside e-mail address. I also tried mailing code snippets
to both an unknown e-mail address and an approved vendor. This conditional blocking worked as I had written the policy — stopping
the message to the unapproved recipient and creating an incident — without any performance hit to my network.
Lastly, Vontu 4.0 identified IM conversations that discussed an unreleased project and blocked instant messages containing
employee Social Security numbers.
On the reporting side, this solution is just as strong. Role-based access control allowed me to restrict viewing incidents
of a certain nature (such as financial disclosure) to particular analysts. Next, the Incident Snapshot function allowed analysts
to easily review and remediate problems. Using clear hyperlinked navigation, I jumped to individual Web page reports containing
complete incident content and context, including message body, attachment, sender and recipient, timing, and policy information.
Matches are highlighted, so I clearly saw why the message generated an incident.
Vontu thought through the workflow, which includes a variety of commands. You can escalate an incident, add comments, or resolve
an incident on the spot by allowing the quarantined message to go through. As a result, organizations should be able to keep
analyst time and resource expenditures to a minimum.
Top-line reporting gives senior managers data-loss dashboards, which measure overall risk and compliance; these show both
incident history and trend analysis. From these displays, I drilled down to reports that organized incidents by business units
and departments during a date range (the system stores and reports on years’ worth of complete historical incident data).
Vontu 4.0 also ships with preconfigured reports, which demonstrate compliance with government regulations. Reports can be
created, saved, and run on schedule for any combination of incident attributes, which is useful for weekly or monthly security
review meetings.
Vontu 4.0’s data-loss-prevention solution is scalable (individual monitors handle about 40,000 employees and perform exact
data matching for as many as 2 billion cells). It accurately detects and blocks bad communication in real time, and its highly
usable design should ease the work of security auditors. Those factors and others, such as integration with PGP to enforce
enterprisewide encryption and enforcement policies, combine to make this the solution to beat.
Tough choices
No one would dispute that you now need to have a process in place for managing and stopping insider threats. Yet there’s a
good deal of disagreement about the best way to meet this goal. Some experts say recognizing the problem is enough; but my
take is that trying to stop the horse after it’s out of the barn is not the right approach. And judging by most vendors’ plans
to add blocking (if they don’t have it already), that’s what customers and regulators want, too. But for that first step —
recognition — any of these products is acceptable.
I like Vericept’s overall implementation, but you’ll have to wait until later this year for the company to introduce more-thorough
message handling and compliance-specific policies. If your main interest is monitoring and blocking e-mail and instant messages,
iLumin is the dark horse of the group. As reviewed, Tablus’ network-monitoring product neither blocks nor quarantines messages.
Still, the scalable and centrally managed Content Alarm NW automatically crawls all sorts of data repositories, reducing both
false positives and administrator workloads.
Reconnex demonstrates a clear understanding of the networking and management issues security staff face: This system stores
all network traffic and goes beyond the requisite analysis functions. Only a lack of native message blocking keeps it from
the top spot.
Vontu stands out with its “Goldilocks” solution: It has just the right mix of features and usability. Although it’s one of
the pricier solutions out-of-the-gate, if you believe that the key to handling insider threats is not just reporting but also
blocking, then it’s hard to miss with this product. When it comes to protecting confidential information from exposure, I
envision a blended approach, with agents at the desktop serving as the first line of defense and inline network monitoring
serving as the last line of defense, as you’ll find in Tablus’ overall solution. Other vendors will likely follow.
E-mail
Printer Friendly
Reprints
(InfoWorld) - In the litigious world we live in, deploying a unified communications platform in your enterprise could...
