Oakley offers rich tools for building user-defined policies, which are created with the Policy Builder wizard. For instance,
you can look for specific keywords, patterns, or metadata. I also added behavior, including specific system activity -- such
as document alteration -- during a particular time. When these attributes are combined using rules, users and auditors are
less likely to be bothered by false notifications. What would be helpful, however, are out-of-the-box policies that address
typical compliance legislation, such as HIPAA or SEC requirements. (Oakley plans to include predefined industry-specific and
government policies in the first quarter of 2006.)
When SureView detects a policy violation, it offers many response options. Beyond alerts at the console, managers can
receive e-mail notices. Escalating further, activities can be blocked, users can be locked out of a workstation, and
a system can even be shut down.
SureView also has good forensic capabilities: investigators can run full-text searches both of communications currently stored
on the server and of data archived in the system's database.
Finally, this solution has respectable scalability. Although each appliance handles 500 users, appliances can be clustered, and
policies across these load-balanced devices are centrally administered. Plus, there's a single repository for all data, which
makes auditing straightforward.
Oakley Networks SureView 3.3 generally balances security and convenience. It enforces policies -- and collects data -- at
the source. The system monitors all common communications channels, including removable media. The one issue I'd like better
addressed is personal privacy, especially given that the capture and replay of communications is so thorough and could be
subject to misuse.
Reconnex iGuard 2.1
Reconnex -- the second top pick in our previous insider-threat product roundup -- took honors because of how well it gives
enterprises visibility into security problems. iGuard does this by reviewing and classifying all content objects it sees on
your network -- at gigabit-line speed -- and by sending security personnel real-time alerts about any policy violations.
Simultaneously, the easily deployed 64-bit hardware stores all elements in the high-performance Reconnex File System while
metadata about each transmission is saved to a SQL database. The advantages are twofold. Using your predefined or custom rule
sets, reports query the database and show how you're doing in meeting governance or regulatory requirements, including Sarbanes-Oxley
and GLBA (Gramm-Leach-Bliley Act). Moreover, investigators can conduct immediate forensic searches of the database and link
directly to the file or text in question. This helps security staff spot leaks before data gets into the wrong hands.
In past testing, I found iGuard could work a bit easier and faster, and it could have more flexible roles -- areas iGuard
2.1 addresses.
Dashboards are more inclusive, now providing summaries of incidents, users, location, risk, and network traffic. What's more,
the Executive Summary more concisely presents the top problems, such as what policies were violated the most.
Administrators should find the Network Summary helpful in understanding any anomalies. For instance, after viewing a traffic
spike at the same time over several days, I performed an ad hoc search over the stored data to locate the suspect workstation.
Similarly, the Location Summary resolved all external IP addresses to a specific geography. This feature would be valuable
if you see data leaving your network and want to know whether it's destined for a particular country.
I easily navigated from these top-level reports down to lists of incidents, and finally to details about a particular violation.
Besides showing the metadata associated with the incident, iGuard now highlights the exact strings that matched. This
assists reviewers in deciding whether the incident is a false positive or requires a more thorough analysis. If the latter
is needed, a details page presents all relevant facts, including links to e-mail attachments, and indicates every policy
and rule set that was violated.
Furthermore, this version communicates with DHCP servers, which lets it correlate incidents to a particular machine name;
with IP addresses alone this would be difficult, because they change frequently.
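The IP-to-machine correlation described above, as an added example that is not part of this review or of Reconnex's product. It assumes ISC-dhcpd-style DHCPACK/DHCPRELEASE syslog lines (the sample lines below are constructed) and an eight-hour lease time, and it resolves an incident's IP address to the lease that was active at the incident's timestamp rather than to whichever host holds the address now. This is the point of the feature: the same address can belong to two different machines on the same day.

```python
"""Resolve (ip, timestamp) from an incident to the DHCP lease active at that moment.

Added example: constructed ISC-dhcpd-style syslog lines, not data from any real server.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed lease duration; in practice this comes from the DHCP server's configuration.
LEASE_TIME = timedelta(hours=8)

# Constructed sample log. Note the out-of-order line at the end and the address
# 10.1.20.15 being released by one host and re-issued to another at midday.
DHCP_LOG = """\
2005-11-14 08:55:10 dhcpd: DHCPACK on 10.1.20.15 to 00:11:22:aa:bb:01 (ws-finance-07) via eth0
2005-11-14 12:30:44 dhcpd: DHCPRELEASE of 10.1.20.15 from 00:11:22:aa:bb:01 (ws-finance-07) via eth0 (found)
2005-11-14 12:31:02 dhcpd: DHCPACK on 10.1.20.15 to 00:11:22:aa:bb:02 (lt-sales-03) via eth0
2005-11-14 09:10:00 dhcpd: DHCPACK on 10.1.20.16 to 00:11:22:aa:bb:03 (ws-hr-02) via eth0
"""

ACK_RE = re.compile(r"^(\S+ \S+) dhcpd: DHCPACK on (\S+) to (\S+) \((\S+)\)")
RELEASE_RE = re.compile(r"^(\S+ \S+) dhcpd: DHCPRELEASE of (\S+) from (\S+)")


def _parse_ts(text):
    return datetime.strptime(text, "%Y-%m-%d %H:%M:%S")


def build_lease_table(log_text):
    """Return ip -> list of [start, end, mac, hostname] lease intervals, chronologically ordered."""
    records = []
    for line in log_text.splitlines():
        m = ACK_RE.match(line)
        if m:
            records.append((_parse_ts(m.group(1)), "ack", m.group(2), m.group(3), m.group(4)))
            continue
        m = RELEASE_RE.match(line)
        if m:
            records.append((_parse_ts(m.group(1)), "release", m.group(2), m.group(3), None))

    leases = defaultdict(list)
    # Syslog lines are not guaranteed to arrive in order, so sort by timestamp first.
    for ts, kind, ip, mac, host in sorted(records, key=lambda r: r[0]):
        current = leases[ip]
        if kind == "ack":
            # A new ACK for an address supersedes any lease still open on it.
            if current and current[-1][1] > ts:
                current[-1][1] = ts
            current.append([ts, ts + LEASE_TIME, mac, host])
        elif current and current[-1][2] == mac and current[-1][1] > ts:
            # Explicit release closes the open lease early.
            current[-1][1] = ts
    return leases


def resolve(leases, ip, ts):
    """Return (mac, hostname) holding `ip` at time `ts`, or None if no lease covers it."""
    for start, end, mac, host in reversed(leases.get(ip, [])):
        if start <= ts < end:
            return mac, host
    return None


def correlate_incidents(leases, incidents):
    """Attach a machine name to each (ip, ts) incident; unresolved ones are flagged, not guessed."""
    out = []
    for ip, ts in incidents:
        hit = resolve(leases, ip, ts)
        out.append((ip, ts, hit[1] if hit else "unresolved"))
    return out


if __name__ == "__main__":
    table = build_lease_table(DHCP_LOG)
    day = datetime(2005, 11, 14)
    for row in correlate_incidents(table, [
        ("10.1.20.15", day.replace(hour=10)),        # before the release: finance workstation
        ("10.1.20.15", day.replace(hour=14)),        # after re-issue: sales laptop
        ("10.1.20.15", day.replace(hour=12, minute=30, second=50)),  # gap between release and re-issue
        ("10.1.20.99", day.replace(hour=10)),        # never leased
    ]):
        print(row)
```

The gap case matters: an incident timestamped between the release and the next ACK is reported as unresolved rather than attributed to either machine, which is the behaviour an investigator wants when the evidence does not support a name.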
Carried forward from the prior version are prebuilt compliance policies -- covering most everything from appropriate use to
specific legislation -- as well as rules that define how these policies are applied. Both are easily modified or built
fresh. I can create, say, a rule for bank account information that sends a critical alert if California SB1386 or GLBA guidelines
are violated in an e-mail message. Additionally, rules allowed me to set thresholds, which helped reduce the number of false
positives.
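Both the SureView policy building described earlier (content, metadata and behavior attributes combined in one rule, with the behavior bounded to a time window) and the threshold rules described here for iGuard rest on the same idea: a single attribute match is noisy, and an alert should fire only when several attributes and a count line up. The following is an added example of that logic, not code from either vendor. The event format, the bank-account pattern, the internal domain `corp.example` and the sample events are all constructed for illustration.

```python
"""A small policy engine: content + metadata + behaviour + threshold before alerting.

Added example with constructed events; not the code of any product discussed on this page.
"""
import re
from collections import defaultdict, deque
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional

INTERNAL_DOMAIN = "corp.example"   # assumed internal mail domain


@dataclass(frozen=True)
class Event:
    ts: datetime
    user: str
    channel: str       # "email", "usb", "web", "file"
    action: str        # "send", "copy", "modify"
    destination: str   # recipient address, device name or file path
    body: str


@dataclass(frozen=True)
class Rule:
    name: str
    severity: str
    pattern: re.Pattern          # content attribute
    channels: frozenset          # metadata attribute: which channels the rule watches
    external_only: bool          # metadata attribute: only destinations outside INTERNAL_DOMAIN
    prior_action: Optional[str]  # behaviour attribute: same user did this within `window` beforehand
    window: timedelta
    threshold: int               # matching events inside `window` needed before one alert fires


# Constructed, illustrative pattern: a 9-digit routing number, then an 8-12 digit account number.
BANK_ACCOUNT = re.compile(r"\b\d{9}\b\D{1,20}\b\d{8,12}\b")


def is_external(destination: str) -> bool:
    """Mail to another domain, removable media and web uploads all count as leaving the network."""
    return destination.split("@")[-1] != INTERNAL_DOMAIN


class PolicyEngine:
    def __init__(self, rules):
        self.rules = rules
        self.history = defaultdict(deque)   # user -> events seen so far (behaviour lookups)
        self.matches = defaultdict(deque)   # (user, rule name) -> timestamps of attribute matches

    def _attributes_match(self, rule: Rule, ev: Event) -> bool:
        if ev.channel not in rule.channels:
            return False
        if rule.external_only and not is_external(ev.destination):
            return False
        if not rule.pattern.search(ev.body):
            return False
        if rule.prior_action:
            cutoff = ev.ts - rule.window
            if not any(e.action == rule.prior_action and e.ts >= cutoff
                       for e in self.history[ev.user]):
                return False
        return True

    def process(self, ev: Event):
        """Feed one event (in timestamp order); return any alerts it triggers."""
        alerts = []
        for rule in self.rules:
            if self._attributes_match(rule, ev):
                recent = self.matches[(ev.user, rule.name)]
                recent.append(ev.ts)
                while recent and recent[0] < ev.ts - rule.window:   # drop matches outside the window
                    recent.popleft()
                if len(recent) >= rule.threshold:
                    alerts.append((rule.severity, rule.name, ev.user))
                    recent.clear()   # one alert per burst, not one per further event
        self.history[ev.user].append(ev)
        return alerts


RULES = [
    Rule("bank-account-to-external-email", "critical", BANK_ACCOUNT, frozenset({"email"}),
         external_only=True, prior_action="modify", window=timedelta(minutes=30), threshold=2),
]

T0 = datetime(2005, 11, 14, 9, 0)
SAMPLE_EVENTS = [   # constructed
    # alice edits a finance document, then mails account numbers outside twice: all attributes line up.
    Event(T0, "alice", "file", "modify", "/finance/accounts.xls", ""),
    Event(T0 + timedelta(minutes=5), "alice", "email", "send", "partner@mail.example",
          "routing 123456789, acct 4455667788"),
    Event(T0 + timedelta(minutes=7), "alice", "email", "send", "partner@mail.example",
          "second: 123456789 / 4455667799"),
    # bob mails the same kind of content internally: metadata attribute fails, no alert.
    Event(T0 + timedelta(minutes=10), "bob", "email", "send", "carol@corp.example",
          "routing 123456789 acct 1234567890"),
    # dave mails outside but never altered a document beforehand: behaviour attribute fails.
    Event(T0 + timedelta(minutes=12), "dave", "email", "send", "x@mail.example",
          "routing 123456789 acct 1234567890"),
]


def run(events, rules=RULES):
    engine = PolicyEngine(rules)
    alerts = []
    for ev in sorted(events, key=lambda e: e.ts):
        alerts.extend(engine.process(ev))
    return alerts


def content_only_hits(events, pattern=BANK_ACCOUNT):
    """How many events a keyword/pattern-only policy would have flagged."""
    return sum(1 for ev in events if pattern.search(ev.body))


if __name__ == "__main__":
    print("pattern-only hits:", content_only_hits(SAMPLE_EVENTS))
    print("alerts after combining attributes and threshold:", run(SAMPLE_EVENTS))
```

Against the sample events the bank-account pattern alone matches four messages, while the combined rule raises one alert, for the user whose external mailing followed a document alteration and crossed the threshold. The internal mail and the external mail with no preceding alteration are the kind of false notifications the review says the combined rules and thresholds suppress.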
Although this interactivity is good, Reconnex plans further improvement, including search and filtering from the summaries,
as well as linking to case management.