InfoWorld
Oakley SureView puts insider threats in context

With broader app support and improved reporting, Version 4.0 makes targeting risks easier


Many content monitoring and filtering and information leak prevention solutions attempt to stop insider threats by reversing the old firewall strategy: They completely block a particular outbound communications channel, such as instant messaging.

 The Bottom Line

Oakley Networks SureView 4.0
Oakley Networks, oakleynetworks.com

Overall score: Excellent, 8.7

Criteria      Score   Weight
Ease-of-use   9       20%
Features      8       20%
Performance   9       20%
Reliability   9       20%
Scalability   9       10%
Value         8       10%

Cost:
Full-service investigation packages start at $85,000

Platforms:
HP-based appliance running Red Hat Enterprise Linux and Apache Tomcat

Bottom Line:
This suite of appliances and endpoint agents teams up to detect and stifle content risks. Beyond identifying insider threats and stopping devious behavior, SureView 4.0 observes what happens on the desktop and collects video of these incidents. Reports now include detailed incident lists and executive summaries; the system collects information from more sources, including Lotus Notes; and there's improved incident search.

Oakley Networks approaches the problem differently by helping enterprises get at the root cause of insider threats. Rather than take the all-or-nothing approach, the system's designers fundamentally believe that bad behavior is perpetrated by certain individuals in specific situations and should be addressed accordingly. For example, SureView policies recognize that online shopping during work causes lost productivity; this might trigger informative messages to users and reports to management that indicate the need for awareness training. However, someone creating a hostile work environment through offensive e-mail or deliberate customer data theft would trigger an aggressive response, including capturing all keystrokes at the offending workstation and then shutting it down.

This solution's basic architecture remains from when I reviewed Version 3.3. There's a master appliance and collectors that monitor managed clients, including desktops and laptops running the SureView agent. With Version 4.0, Oakley Networks improved or overhauled most areas of the product. Agents require fewer system resources, information is collected from more browsers, and administration is easier because SureView uses LDAP or Active Directory group and member information.

SureView's Web operator interface has a contemporary look, logically organizing functions within tabbed areas. Clicking around unearths dialogs to maintain the server and create policies, along with interfaces for conducting investigations and building reports.


You'll probably need some training to create or maintain policies; that's not a usability gripe, rather an indication of how much flexibility and accuracy is in store. To test SureView, I created policies that detected encryption, protected intellectual property, enforced regulatory and privacy regulations, and monitored for workplace harassment.

Policies represent an ecosystem of categories, triggers, rules, and data filters that must be understood and tuned. To give you a sense of how this works, consider intellectual property leakage. Here I wanted to precisely detect when source code was copied to a USB device at certain laptops. Working through different wizards, I defined the type of data, who would be notified of an infraction, and any results, such as capturing several minutes of video to document the event.

To test flexibility, I built several Federal Tax ID triggers; these fired when a Social Security number was sent by e-mail or copied to the clipboard, but not when a user input the number into a Web form of a secure intranet application.
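The context-dependent trigger described above can be sketched as follows. This is an added example, not SureView's policy language or code: the channel names, the `Event` type, the exempt host and the rule that only an HTTPS form on an allowlisted host counts as a "secure intranet application" are all assumptions.

```python
import re
from dataclasses import dataclass
from urllib.parse import urlsplit

# Hyphenated SSN; area 000/666/9xx, group 00 and serial 0000 are never issued.
SSN_RE = re.compile(r"\b(?!000|666|9\d\d)\d{3}-(?!00)\d{2}-(?!0000)\d{4}\b")

# Hypothetical policy: channels that can fire, and the one exempt destination.
WATCHED_CHANNELS = {"email", "clipboard", "web_form"}
EXEMPT_FORM_HOSTS = {"hr.intranet.example"}  # constructed host name


@dataclass(frozen=True)
class Event:
    user: str
    channel: str      # where the data is going
    destination: str  # recipient address, form URL, or "" for the clipboard
    content: str


def is_exempt(event: Event) -> bool:
    """Only an HTTPS form on an allowlisted intranet host is exempt."""
    if event.channel != "web_form":
        return False
    url = urlsplit(event.destination)
    return url.scheme == "https" and url.hostname in EXEMPT_FORM_HOSTS


def evaluate(event: Event) -> str:
    """Return 'alert' when the trigger fires, otherwise 'allow'."""
    if event.channel not in WATCHED_CHANNELS:
        return "allow"
    if not SSN_RE.search(event.content):
        return "allow"
    return "allow" if is_exempt(event) else "alert"


# Constructed sample events (078-05-1120 is a well-known specimen SSN).
SAMPLES = [
    Event("alice", "email", "friend@mail.example", "SSN 078-05-1120 attached"),
    Event("bob", "clipboard", "", "078-05-1120"),
    Event("carol", "web_form", "https://hr.intranet.example/w4", "078-05-1120"),
    Event("dave", "web_form", "http://hr.intranet.example/w4", "078-05-1120"),
    Event("erin", "email", "boss@corp.example", "ticket 000-12-3456 closed"),
]

if __name__ == "__main__":
    for e in SAMPLES:
        print(e.user, e.channel, evaluate(e))
```

The same number is allowed or flagged depending only on where it is headed, and the exemption fails closed when the intranet form is reached over plain HTTP.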

In practice, the system recognized all my restricted actions and triggered the appropriate response. SureView correctly stopped peer-to-peer networking, alerted an administrator when stock information was sent using IM, and caught a profane e-mail.

Mike Heck is a contributing editor of the InfoWorld Test Center.
Copyright © 2008. All rights reserved.