A top concern with all insider-threat products is protecting employees' privacy. iGuard 2.1 tackles this with user and group
accounts. These allowed me to restrict viewing and editing policies -- as well as what type of incidents appeared on each
analyst's dashboard. However, Vontu 5.0 provides more control over what each registered user can view.
iGuard's 64-bit OS and specially engineered hardware performed extremely well in scanning known network protocols for suspicious
communications. The appliance stored (indefinitely) all incidents that matched a policy, while allowing me to create a rolling
time window for retaining other traffic. The added processing power also enables real-time scanning of complex document types
such as PDF, which wasn't possible before.
Reconnex continues improving iController, a system to register confidential information and then look for these documents
-- in whole or in fragments -- flowing over the network. Although this does improve accuracy, finding data at rest would be
a worthwhile addition.
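To make concrete what "registering" a document and then spotting it "in whole or in fragments" on the wire involves, here is an added example of content fingerprinting; it is not Reconnex's code and nothing about iController's actual algorithm is known from this review. It uses word-level shingling (hashing every run of 8 consecutive tokens), a common approach to partial-document matching, and the shingle size, the threshold and the sample memo and messages are all constructed for the demonstration.

```python
import hashlib
import re

# Assumption: a fragment is a run of SHINGLE_SIZE consecutive word tokens.
# Smaller values catch shorter excerpts but raise the false-positive rate.
SHINGLE_SIZE = 8


def tokenize(text: str) -> list[str]:
    """Lower-case the text and keep only alphanumeric tokens so that
    punctuation or reformatting of a leaked excerpt does not break matching."""
    return re.findall(r"[a-z0-9]+", text.lower())


def fingerprint(text: str, k: int = SHINGLE_SIZE) -> list[str]:
    """Return one hash per k-token window (a 'shingle') of the text."""
    tokens = tokenize(text)
    hashes = []
    for i in range(len(tokens) - k + 1):
        window = " ".join(tokens[i:i + k])
        # Truncated SHA-256 keeps the index small; collisions are negligible here.
        hashes.append(hashlib.sha256(window.encode()).hexdigest()[:16])
    return hashes


class FingerprintRegistry:
    """Inverted index from shingle hash to the registered documents containing it.
    Only hashes are stored, so the registry itself does not hold the secret text."""

    def __init__(self) -> None:
        self.index: dict[str, set[str]] = {}

    def register(self, doc_id: str, text: str) -> int:
        """Register a confidential document; returns the number of shingles indexed."""
        hashes = fingerprint(text)
        for h in hashes:
            self.index.setdefault(h, set()).add(doc_id)
        return len(hashes)

    def scan(self, payload: str, threshold: int = 3) -> dict[str, int]:
        """Scan an observed payload (e.g. an SMTP body) and return, per registered
        document, how many of the payload's shingles matched it, keeping only
        documents at or above the threshold. A whole-document leak matches every
        shingle; a pasted paragraph matches only the shingles inside that paragraph."""
        hits: dict[str, int] = {}
        for h in fingerprint(payload):
            for doc_id in self.index.get(h, ()):
                hits[doc_id] = hits.get(doc_id, 0) + 1
        return {d: n for d, n in hits.items() if n >= threshold}


# Constructed sample data: a registered memo, one message that quotes a
# fragment of it, and one unrelated message.
MEMO = ("Project Falcon acquisition target list: Acme Robotics, valuation twelve million, "
        "board decision expected on March 3. Do not forward outside the finance team.")
LEAK_PAYLOAD = ("FYI here is the line from the memo: acquisition target list: Acme Robotics, "
                "valuation twelve million, board decision expected on March 3.")
BENIGN_PAYLOAD = "Lunch at noon tomorrow? The new place on Market Street has good tacos."


def demo() -> tuple[dict[str, int], dict[str, int]]:
    registry = FingerprintRegistry()
    registry.register("memo-001", MEMO)
    return registry.scan(LEAK_PAYLOAD), registry.scan(BENIGN_PAYLOAD)


if __name__ == "__main__":
    leak, benign = demo()
    print("leak scan:", leak)      # the quoted fragment yields 7 matching shingles
    print("benign scan:", benign)  # no matches
```

The threshold is what separates "a fragment of a registered document" from coincidental overlap of a few common words; in production the shingle size and threshold are tuned per document class, and the index is built from hashes alone so the scanning appliance never needs the plaintext of what it protects.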
At the end of the day, there's still a downside to accessing all of this data: trying to find that sliver of information to
resolve a forensic investigation. Version 2.1 adds a powerful query language with auto-complete that enabled me to build a
search query effortlessly. In a few seconds I found particular content sent using SMTP during a certain time range.
Reconnex iGuard 2.1 improves in many ways, including usability, performance, and the amount of intelligence provided about
incidents. Rarely will you find a solution that analyzes both outbound and inbound traffic. Furthermore, this solution is
fairly open, integrating with security management systems such as ArcSight Enterprise Security Manager.
Tablus Content Alarm 3.0 Beta
Tablus' second-generation Content Alarm NW product is a respectable network scanner, finding many data leakage and security
breaches. Yet the company recognizes that traditional point security solutions often are not enough. Moreover, the most effective
products are those that take the guesswork out of monitoring for compliance violations. Based on an early look, these requirements
are satisfied in the forthcoming Content Alarm 3.0 suite.
Similar to Vontu's and Reconnex's, the new Tablus release features a Web-based executive dashboard with Top 10 reports. As
such, a manager sees trouble spots at a glance, yet can easily drill down to incident details. Policies provide out-of-the-box
protection against identity theft and regulatory compliance violations.
Enterprise incident management is new in Content Alarm 3.0. Within this area, Tablus meets the important requirement that
incidents be accessible only on a need-to-know basis. For example, finance investigators can't view HR incidents. Furthermore, each
group's access is restricted to certain information.
Tablus' real-time alerts keep managers updated about problems throughout the day. An uncommon capability delivers incident
notifications via many channels, including e-mail, instant messenger, and RSS feeds.
Going the next step, built-in workflow allows investigators to open and close incidents, change priority, and assign cases
to other analysts. This helps Tablus catch up with competitors.
Content Alarm DT, the new agent component that provides control over confidential information at the desktop, looks to give
the company an advantage. In typical agent fashion, administrators prevent actions, such as copying and pasting, printing,
or moving files to USB drives.
What's different, however, is that organizations centrally define policies across the whole suite, which should reduce administration.
I also liked the system's adaptive policies, which change in real time based on usage. For example, if Content Alarm notices
someone downloading or uploading large files, then that user can be quarantined. Moreover, only trusted applications are permitted
to interact with confidential data, which should offer an extra layer of protection against worms and viruses.
The desktop part also leverages Content Alarm's distributed architecture and load balancing, indicating it should hold up
for large-scale deployments.
In the end, Tablus has the right strategy: network and desktop protection, while both monitoring activity and preventing data
from leaving the enterprise at all borders. The design appears easy to deploy, manage, and maintain. Now it's up to Tablus
to execute this strategy.