Vontu 7 covers your end point

On top of end point monitoring, new version adds configurable dashboards, database encryption

Information leak prevention solutions have evolved predictably. First, they identified, and then blocked, sensitive data moving around your networks. Next, the cycle repeated with information resting in data repositories. The latest installment safeguards data at end points. This is especially important for mobile workforces with sensitive files residing on laptops and other portable devices; if the unit is stolen or otherwise compromised, data loss is clearly a major problem.

[ Vontuwas selected for an InfoWorld Technology of the Year award. See the slideshow to view all winners in the security category. ]

When InfoWorld last reviewed Vontu, Version 5 was at the midpoint of this cycle, offering full network coverage and the capability of discovering sensitive information in file systems, database, and e-mail archives. Vontu 6 included data-at-rest protection for these repositories. Now, with the introduction of Vontu Endpoint Monitor (which checks for sensitive data on removable media, USB devices, iPods, external drives, and data downloads), Vontu 7 is a near-total solution for guarding confidential customer and company information.

img91944.jpg
When InfoWorld last reviewed Vontu , Version 5 was at the midpoint of this cycle, offering full network coverage and the capability of discovering sensitive information in file systems, database, and e-mail archives. Vontu 6 included data-at-rest protection for these repositories. Now, with the introduction of Vontu Endpoint Monitor (which checks for sensitive data on removable media, USB devices, iPods, external drives, and data downloads), Vontu 7 is a near-total solution for guarding confidential customer and company information.

Other leak-prevention products block at the end point, such as prohibiting files from being copied to external devices. Version 8 will include this feature, according to Vontu. Otherwise, there's enough solidity in Vontu 7 to make it a prime choice for financial institutions, manufacturers, technology companies, and retailers.

Eye on the data prize
Vontu Enforce is the glue of Vontu 7. This server provides centralized policy management, unified reporting of incidents from the five monitoring and prevention modules, automated policy enforcement, and remediation workflow.

Key to preventing data loss is accurately detecting confidential data -- the first half of a policy. (The second half is response rules, which I'll discuss further on.) Vontu 7 ships with more than 60 policies; these certainly provide you with an excellent starting point and best practices for setting up your own policies. However, what makes Vontu Enforce so strong is its three types of underlying detection technology and how they can be customized and combined for near-perfect detection performance.

thumb91939.jpg
Click for larger view.

I started testing Vontu 7 at the Vontu Enforce Web console by fingerprinting a text file with 1 million rows of customer names and associated Social Security numbers -- a process called EDM (Exact Data Matching), the first of the three underlying detection technologies. Additionally, I registered content from several SQL Server databases.

Next I uploaded 1,000 documents containing sensitive data to test IDM (Indexed Document Matching). The third technology, DCM (Described Content Matching) uses keyword lexicons, Boolean logic, and data identification patterns (for example, ABA routing numbers or credit card magnetic stripes) to look for information in nonindexable data (such as e-mail messages). Vontu states a single Enforce server can handle more than 500 million rows of data for EDM and upward of 2 million documents for IDM.

I especially like Vontu's granular detection capabilities. Using just a few forms, I added rules that employed the files previously registered -- for example, if an e-mail had "confidential" in the text, it was blocked from being sent to an external address. During this process, I also defined severity levels for various conditions, such as the number of complete or partial matches that must be found to trigger a response. Importantly, a single policy covers all three Vontu product lines, which in addition to Endpoint Monitor include Vontu Discover and Protect and Vontu Network Monitor and Protect.

In previous testing, I'd focused on Vontu Network Monitor and Vontu Network Prevent, which protect data in motion. In this round, I looked primarily at how well some new additions in these modules worked, including preventing leaks via FTP, HTTPS, and instant messaging over HTTP tunneled protocols.

For data at rest (Vontu Discover and Protect), I scanned Lotus Notes databases and looked at another new feature that discovered the ownership of information (who created the file). And for Endpoint Monitor, my exercises involved monitoring what was copied to removable media on a laptop and monitoring files downloaded at this end point.

The combination of multiple rules, detection technologies, severity levels, and exceptions resulted in no false positives in my evaluation, and all communications containing restricted information were found. I believe a large live implementation should mirror these results; representatives of one large Fortune 100 insurance company using Vontu related they hadn't seen a false positive in six months.

Responding appropriately
The second part of a strong information protection policy involves response rules. For most incidents, I instructed Vontu Enforce to handle these automatically, such as sending e-mail notifications to end-users, stating which policy was violated and how to follow company procedures. Additionally, Vontu Network Prevent successfully blocked FTP and HTTPS transmissions. Vontu 7, as in past versions, routes e-mail through standard encryption gateways.

Vontu integrates with several other third-party products, including Blue Coat's SG Proxy, Cisco Content Engine, and Network Appliance Netcache, but I did not have the opportunity to test these.

Vontu Protect worked properly in copying sensitive files found on a LAN file share to a secure area on the Vontu server. Importantly, the system left a marker in the file's original location so that users knew what happened and where the file currently resided.

In cases where security incidents required manual intervention, Vontu 7's workflows were quickly built and convenient for security staff. For example, I crafted an e-mail to an HR department first responder that provided all necessary context: the type of incident by protocol; the offending file, policy, and detection rule that was violated; and even information showing how the incident correlated to similar incidents by the sender. Clicking a link within the e-mail took the incident team member directly to the full incident report for appropriate action.
thumb91940.jpg
Click for larger view.

Besides these incident lists, Vontu provides an executive dashboard and incident summaries that identify security trends within an organization. Moreover, Vontu 7 includes more than 50 new system reports. These prebuilt templates include compliance reports, such as Sarbanes-Oxley, HIPAA, and PCI security standards. In addition to the breadth of reports, I liked the new multidimensional summaries. For instance, I displayed a report of all data-in-motion incidents and filtered it to see just high-severity incidents last month. I then summarized the results by business unit and policy violated to pinpoint the location of data loss risk and the precise type of risk.

On the technology side, Vontu continues to be very scalable and flexible. I really like the ability to deploy the software on existing Windows or Linux servers. Vontu 7 also adds database encryption to prevent anyone with database server administration privileges from directly accessing the Vontu database without a trace; this is especially important for overall system integrity and auditing because no one can make changes to records without the edits appearing in Vontu logs.

Vontu 7 maintains its accurate detection of security breaches, and it now handles 32 Western and Asian languages. With the exception of blocking at the end point, the various modules provide thorough data leak protection. Also important is how well Vontu integrates the modules (which were all developed in-house). The resulting centralized policy management makes the system easy to maintain while producing reports covering all possible data leak pathways.

InfoWorld Scorecard
Ease of use (20.0%)
Scalability (10.0%)
Performance (20.0%)
Management (20.0%)
Value (10.0%)
Features (20.0%)
Overall Score (100%)
Vontu 7 9.0 9.0 9.0 9.0 9.0 8.0 8.8
Join the discussion
Be the first to comment on this article. Our Commenting Policies