Get a grip on communications slips

Code Green, InBoxer, MessageGate, and Palisade compete to prevent costly data loss

[This story has been updated for clarity since it first posted.]

We've been emphasizing data leak reviews lately, and with good reason. Sure, IDC expects the outbound content compliance market to grow to $1.9 billion by 2009. But we're really spotlighting this topic because of the ongoing business risk if enterprises don't take aggressive steps toward e-mail and other forms of electronic communications governance.

[ See the slideshow: Data-leak pluggers square off ]

This time around, I'm looking at four products: Code Green Networks Content Inspection Appliance 1500 (CI-1500); InBoxer; MessageGate Enterprise Email Governance 4.2.1; and Palisade PacketSure 5.5. All four scan for, and often block, known data exposures that would put your organization in violation of HIPAA, Sarbanes-Oxley, SEC regulations, and other legislation. Because smaller organizations (even nonprofits) aren't exempt from these various rules, Code Green Networks, InBoxer (which InfoWorld snagged for this exclusive review), and Palisade all ship as appliances that are easy to set up and use.

These systems have gotten much better at discovering leaks of personal information and intellectual property. For example, my testing showed that advances in data fingerprint and analytics caught more security violations than early-generation products.

At the same time, vendors are targeting Rule 26 of the U.S. Federal Rules of Civil Procedure. Both InBoxer and the fourth product reviewed, from MessageGate, intelligently classify e-mails prior to archiving. IT executives and legal counsel please pay special attention: This feature helps locate e-mails sent and received by certain individuals that would be required to be disclosed on short notice as part of lawsuits.

None of these products (or any of the many others we've tested so far) will solve every insider threat problem. However, we point out where each fits best. With this strong lineup, there's no reason for delay in fulfilling your obligation to keep communications secure.

Code Green Networks CI-1500

Code Green Networks' appliance targets organizations with up to 5,000 users; optionally, a low-end model handles 250 users, while a tricked-out server supports unlimited users. All provide enterprise-class content protection typical of large-scale software solutions -- without requiring technical skills to install and maintain the system. Setup simply involves plugging in the appliance at a network egress point and defining policies using a Web GUI (or loading a default policy set).

The CI-1500, like most data leak products, employs algorithms that look for patterns of identity numbers and other restricted content in outbound communications. But this solution differs from others in how it precisely identifies restricted content. Deep Content Fingerprinting registers up to 1TB of confidential content found in more than 390 formats and all languages; crawling works with file shares as well as content management system repositories from EMC Documentum and Stellent.

The middle-of-the-line appliance I tested (a late-model Dell PowerEdge server with dual Intel Xeon CPUs, 1.2TB of RAID-5 disk space, and 8GB RAM) performed excellently -- from policy and incident management through content-stream inspection and policy enforcement.

Supplied policies cover all the main data privacy laws and help you comply with the content control provisions of Sarbanes-Oxley. Policies are based on reusable components, which I quickly adjusted (with simple tabbed dialogs) and combined to make new policies.


During testing, Deep Content Fingerprinting precisely registered Microsoft Office documents, PDF files, and C++ source code. This process works by scanning file systems or content repositories -- plus, it does on-the-fly assessment of e-mail attachments and Web uploads. Interestingly, fingerprinting works with content written in any language or character set (including non-Roman ones, such as Japanese). The resulting highly compressed fingerprints (1TB of data typically reduces to a 5GB pattern-matching file), combined with this system's standard pattern matching (for detecting, say, common U.S. and European identity numbers), reduced false positives to zero in my evaluation.

Additionally, fingerprints infallibly detected when I copied parts of a protected document into another, compressed the new file, and modified the original text. Yet the system is smart enough to know that insignificant noise, such as added spaces, should not trigger alarms. Additionally, the system inspects encrypted objects.
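As an added illustration (not Code Green Networks' code or its Deep Content Fingerprinting algorithm), the following Python sketches the kind of whitespace-tolerant, word-window fingerprinting that lets a registered document be recognized when only part of it is pasted elsewhere, even inside a ZIP attachment. The window size, the registry API and the sample memo are assumptions constructed for the demo.

```python
import hashlib
import io
import re
import zipfile

# Window size in words: an assumption for this illustration, not a product setting.
SHINGLE_WORDS = 8

def normalize(text: str) -> list:
    # Lower-case word tokens only, so extra spaces, tabs or line breaks do not matter
    return re.findall(r"\w+", text.lower())

def fingerprint(text: str) -> set:
    # Hash every SHINGLE_WORDS-word window; the set of hashes is the fingerprint
    words = normalize(text)
    return {hashlib.sha256(" ".join(words[i:i + SHINGLE_WORDS]).encode()).hexdigest()[:16]
            for i in range(len(words) - SHINGLE_WORDS + 1)}

class Registry:
    """Fingerprints of registered (confidential) documents."""

    def __init__(self):
        self.docs = {}

    def register(self, name: str, text: str) -> None:
        self.docs[name] = fingerprint(text)

    def match(self, text: str) -> dict:
        # Registered name -> number of shared windows; a partial copy still hits
        probe = fingerprint(text)
        return {n: len(probe & fp) for n, fp in self.docs.items() if probe & fp}

def extract_texts(payload: bytes) -> list:
    # Look inside ZIP attachments; anything else is treated as plain text
    if payload[:2] == b"PK":
        with zipfile.ZipFile(io.BytesIO(payload)) as zf:
            return [zf.read(n).decode("utf-8", "replace") for n in zf.namelist()]
    return [payload.decode("utf-8", "replace")]

def inspect_attachment(reg: Registry, payload: bytes) -> dict:
    # Total shared windows per registered document across every extracted text
    hits = {}
    for text in extract_texts(payload):
        for name, n in reg.match(text).items():
            hits[name] = hits.get(name, 0) + n
    return hits

def make_zip(member: str, text: str) -> bytes:
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr(member, text)
    return buf.getvalue()

# Constructed sample data for the demo (not taken from the review)
CONFIDENTIAL = ("Project Falcon acquisition memo. The board has approved an offer of "
                "forty dollars per share for Blue Harbor Logistics, contingent on "
                "regulatory approval by June. Restricted to finance and legal.")
LEAK = ("FYI from the memo:   The board has   approved an offer of forty dollars per\n"
        "share for Blue Harbor Logistics, contingent on regulatory approval. Keep quiet.")
BENIGN = "Lunch on Friday? The board room is booked, but the cafe has an offer on soup."

def demo() -> dict:
    reg = Registry()
    reg.register("falcon_memo.txt", CONFIDENTIAL)
    return {"leak_zipped": inspect_attachment(reg, make_zip("notes.txt", LEAK)),
            "benign": inspect_attachment(reg, BENIGN.encode())}

if __name__ == "__main__":
    print(demo())  # {'leak_zipped': {'falcon_memo.txt': 13}, 'benign': {}}
```

Real products also register binary formats and tune the window size against false-positive rates; the partial-copy count here is the signal a policy would threshold on.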

Depending on the policies I'd set, the Content Inspection Appliance blocked messages, put e-mail in a quarantine queue for later action by the proper authority, or re-routed mail to another Mail Transfer Agent server for processing (such as adding encryption or applying digital rights management). This worked without any noticeable delay when sending from Microsoft Outlook, communicating with instant messenger, using Web mail, or transmitting files via FTP.

With blocking, the originator can be informed of the reason for the action, which helps to educate employees and further reduces risk of accidental disclosures.

When security violations happened, incidents were recorded, and the manager I specified was immediately notified to act using the Content Protection Dashboard. Importantly, CI-1500's own security ensures that incidents related to one department (say HR or finance) can't be viewed by others. In one section of the dashboard, color-coding highlighted the most severe problems so I could review them first. Reports let me see the details of the incident, record a comment, take appropriate action (such as releasing a message from quarantine), and close the task. This workflow is flexible, which let me quickly re-route some incidents to others for action.

Other dashboard functions let me generate custom alerts and reports, display graphs of incident trends, and see risk metrics. Although the CI-1500 lacks some of the sophisticated report functions found in its competitors (generating and e-mailing reports on schedules, for instance), what it offers is still above the norm.

Similarly, on the forensic side, reviewers can view the audit history of incidents and sort them by different criteria to help spot patterns. That said, the CI-1500 doesn't retain information about all communications it monitors, so it's not perfect if you need to go back and see messages that might have been missed.

Code Green Networks offers multiple reasons for its high score, including registering confidential structured and unstructured data, audit reports and forensic analysis, negligible impact on network performance, and easy administration.

InBoxer Anti-Risk Appliance

Many data leak products start to look similar in features and operation, but InBoxer has some truly unique differences that make it a superior investigation tool. Foremost, it archives every e-mail message (including attachments), which are immediately indexed for later searches. Besides working with Microsoft Exchange, InBoxer was just qualified for IBM Lotus Domino.

Second, InBoxer scores each message on a scale of 1 to 100 for inappropriate content, privacy violations, and other metrics.

While the product doesn't block communications, you can create policy management alarms based on one of InBoxer's 70 predefined categories (or other criteria) -- responding to the sender or notifying a compliance officer. What's more, the system's fine search and reporting greatly cuts investigation time.

I had the Anti-Risk Appliance set up in 30 minutes, which is a credit to the system's language analysis. Rather than spending time setting up policies, InBoxer automatically applies language modeling techniques (originally developed for speech recognition) to determine if a message requires action. Used in combination with the predefined categories, this solution found all the problems in my test messages, including privacy violations (credit card numbers), medical technology (for HIPAA compliance), offensive content (adult content and profanity), and confidential documents.

For absolute precision, InBoxer provides a commonplace feature where you can specify (through the Web interface) match lists. Here, I entered files of exact customer numbers and patient identifiers. I also specified regular expressions (for finding text that matched particular patterns), which was helpful in spotting unusual bank account number formatting.

The system will also examine attachments, such as word processing documents and spreadsheets (and it peers inside of compressed ZIP files). However, it doesn't handle encrypted communications or files -- and it can't crawl file shares or databases to register content.

On the flip side, InBoxer scans inbound, outbound, and internal communications, delivering a level of thoroughness other products don't necessarily provide. Checking internal messages is often mandated in financial institutions where certain departments must stay removed (e.g. a Chinese wall requirement) or in cases of harassment.

You can set alerts for any number of circumstances. For instance, I notified a compliance officer when messages containing confidential information, such as the code name for an internal project, were sent to an external e-mail address. Similarly, you could inform executives when messages containing names from a customer list were e-mailed externally.

InBoxer saves messages with their format and metadata intact, as required by the Federal Rules of Civil Procedure. This includes desktop, Web-based, and BlackBerry messages sent and received using your corporate mail server. Also, I easily put messages on "litigation hold" so they were not deleted. InBoxer even keeps these messages in the appliance in case they might be deleted from your archive -- a feature I haven't seen elsewhere.

Also of note, InBoxer's archiving system works with most standard backup systems (such as old-style tapes), not just sophisticated archive applications.

The Anti-Risk Appliance's AJAX-style reporting interface also impressed me. I merely dragged "droplets" (on-screen objects) to the dashboard, which quickly generated lists of messages with privacy, medical, and other types of questionable content. Clicking on a message provides details of InBoxer's scores, the categories the message fits, the full message, and the actions you can take.

Likewise, I created Favorites -- reports of, say, personal use and employment-related messages. Yet where this solution hits a home run is through custom searches, which are also simple to build with droplets. A few of the tests I ran identified employees who sent potentially harassing e-mail; found messages sent to a competitor's domain, and by whom; located messages to top investors; and determined top external domains sending employment information to employees. All reports can be run on a schedule and contents e-mailed to you.

InBoxer got a lot of recognition after the brilliant move of processing all Enron e-mails and making them publicly searchable with an Anti-Risk Appliance. Marketing aside, the substance behind that exercise can help any organization avoid fines and reduce risk. This solution's well-done e-mail archiving and searching, plus real-time policy management alerts, makes it fast and easy to stay in compliance and conduct investigations.

MessageGate Enterprise Email Governance 4.2.1

MessageGate's product takes a very sensible approach to this specific, albeit biggest, insider data-leak conduit. After operating in passive mode that captures all e-mail communications, you develop policies specific to your organization's culture and any problems uncovered. Also, unlike the other three products, MessageGate is a software solution with multiple components that you implement as needed. Besides flexibility, its distributed architecture is very scalable; a minimal three-server setup handles about 250,000 messages a day.

At this solution's hub you'll find CORE (Console, Operations, and Reporting Engine), which delivers the Web user interface and manages the remaining components. These pieces include a Message Adapter, for intercepting messages from your mail server; Message Analysis Service, which evaluates evidence provided by the adapter and then processes the necessary policy; and a Mailout component, for placing messages back into the mail stream after they're processed. (SenderConfirm is a standalone application based on the main policy enforcement engine; it flags e-mails that are out of compliance, notifies the sender, and lets the person either send or delete the message.)


Although there are potentially several applications to install, my experience indicates MessageGate can be running in a day and generating assessment reports. Here you get a high-level view of e-mail activities, such as who sends the most messages and what type of files are attached.

After reviewing this scorecard, I was off to the Web console creating policies. Although policies can get extremely complex, there's nothing complicated about using the Policy Builder. Starting with basic routing (inbound, outbound, or internal messages), I quickly layered on criteria, like removing attachments of a certain file format that were not password protected.

I particularly liked the completeness of these actions (16 in total), which range from sending a confirmation notification to the originator and adding a disclaimer to placing the suspect e-mail in a review queue. Another nice touch is Enterprise Email Governance's policy test mode; this feature let me run real messages through a policy to make sure it's working right without actually invoking actions.

The software improves detection accuracy through dictionaries, where you enter specific terms or create regular expressions for, say, matching Social Security or bank routing numbers. Further, you can register content in text files and have MessageGate refresh this information on a set schedule. That said, the system doesn't crawl document libraries, databases, or content repositories.

When I switched MessageGate to live mode, the software acted on my policies exactly as I'd designed them. For example, outbound messages marked as company confidential were rejected, and a note was relayed to the sender explaining what was wrong. In other cases, messages were sent to a queue where risk managers could review the e-mails and decide if they should be released.

I also viewed both real-time and historical charts, such as internal messages by disposition (blocked, notified, reviewed, routed, modified, not archived, and archived). The company also provides MessageGate Activity Profiles (MAPs). These provide a detailed comparison of current e-mail traffic, policies, and e-mail archive content -- which provide a very good picture of any outstanding compliance risks or places where policies and processes could be more efficient.

The archive option is especially important. First, MessageGate decides if e-mail should be retained. If so, Archive Categorization tags messages with information you configure, such as department codes or litigation holds. At this point, messages are sent to a designated spot (such as a Microsoft Exchange Journal folder), where the e-mail is archived as part of standard backup procedures. I was initially concerned that adding the meta information changes the message so it might not meet the evidence requirements of the Rules of Civil Procedure. Upon further examination, however, I've changed my view. Although MessageGate does add metadata to the x-header of the message to indicate how it is archived, I could see nothing that indicated the message itself was altered in any way.

MessageGate Enterprise Email Governance provides very effective e-mail management and control. It lets you educate users with informative messages when policies are broken -- and actively handle some problems on the spot, such as inserting disclaimers into messages. The system also takes a more proactive stance whenever necessary, such as blocking message transmissions that are out of bounds.

Although the system doesn't have the elaborate data registration of other solutions, policies can cover most compliance needs; they worked accurately in my testing. MessageGate also has some of the most sophisticated categorization for message archiving. However, this solution doesn't provide for monitoring of Web mail, instant messaging, or other forms of network traffic.

Palisade PacketSure 5.5

Palisade Systems is a long-timer in the content monitoring and filtering market, and that experience is evident in the latest release of the PacketSure data-loss prevention solution. This single appliance audits, blocks, encrypts, and reports when sensitive enterprise data is compromised.


New to version 5.5 is SMTP e-mail analysis, plus options to block or encrypt the e-mail when violations are detected. Also, Palisade Systems added lexicons of common words and phrases used in the health care and financial industries, which improves detection accuracy. And the Web user interface was reorganized, making setup and configuration easier.

The PacketSure appliance, similar to other solutions, quickly connects to a network port or tap. I used the latter method to fully test the system as an e-mail proxy so messages could be blocked or encrypted.

Rather than specific policies, PacketSure ships with a long list of default rule sets and file analysis enabled; these range from monitoring HTTP file transfers and trapping file-sharing applications to checks of instant messaging and Web-based mail. I tweaked various rules with a Web form, such as blocking Hotmail when files over a certain size were encountered. If you want to make more global changes, the Rules Wizard saves time. For instance, I selected the main Instant Message category (which covers all the major IM clients and protocols), allowed communications, and in the final step selected the type of content analysis to apply.

Beyond the system's general multi-step identification algorithms, you can match specific data, such as structured information, in databases. The process isn't as extensive as I'd like; for instance, PacketSure does not crawl document repositories. Still, this feature ensured that my test list of client account numbers was available for matching. I liked Version 5.5's recognition of private health care information -- a feature that's turned on with a single checkbox.

The ERE (Extended Regular Expression) function recognized Social Security numbers, and it can be customized to look for other types of structured data. Moreover, the Web Filter function contains approximately 14 million Web sites (organized by category) that you can block, monitor, or ignore.

The overall Web interface, while certainly functional and generally easy to navigate, could still use some improvement. For instance, lists of rules and reports are especially long, which sometimes makes it hard to find specific information.

In running through my test scripts (Outlook IMAP e-mail, Hotmail, MSN Messenger, and FTP), PacketSure did a very good job logging, blocking, or allowing communications based on rules. In addition to recognizing risky message content, the system correctly analyzed different file types for private content, including Microsoft Office documents, AutoCAD drawings, and MP3 audio files.

When a violation occurs, PacketSure notifies the sender and (optionally) an administrator. On the presentation side, 60 predefined reports can be customized as needed and saved. I created a query that displayed matches by several rule names and had PacketSure e-mail me this report each day. However, I would like to see a search function to find particular incidents.

As I delved into online versions of different reports, the software showed specifics of each security problem, including the content of attachments that triggered the incident. Yet performing these steps did involve opening different windows and PacketSure lacks the formal workflow of Code Green Networks. Other reports provide summary and trend charts so you can track how your compliance efforts are going along with the underlying details that may be required for compliance audits.

The PacketSure network appliance holds several advantages, including visibility into everything going over your network and the ability to eliminate unwanted protocols and applications. This system helps protect private data by monitoring for several types of information and blocks where appropriate. Therefore, it's appropriate for complying with many government regulations and keeping intellectual property secure. Still, compared to other products, it doesn't have the same level of resolution functions and forensics.

This roundup showcased the many facets of data loss prevention. For clamping down on badly behaved applications or protocols, Palisade PacketSure's got you covered. InBoxer and MessageGate focus on e-mail governance with a vengeance. Yet it was the all-around protection and performance of Code Green Networks' Content Inspection Appliance that nudged it ahead.

InfoWorld Scorecard (weights: Accuracy 20%, Features 20%, Performance 20%, Ease of use 20%, Scalability 10%, Value 10%; Overall 100%)

Product                                                Acc.  Feat.  Perf.  Ease  Scal.  Value  Overall
Code Green Networks Content Inspection Appliance 1500  9.0   9.0    9.0    9.0   8.0    8.0    8.8
InBoxer Anti-Risk Appliance                            9.0   8.0    8.0    9.0   8.0    9.0    8.5
MessageGate Enterprise Email Governance 4.2.1          8.0   8.0    9.0    9.0   9.0    9.0    8.6
Palisade PacketSure 5.5                                9.0   9.0    8.0    8.0   9.0    8.0    8.5