Guard your data against insider threats

Oakley, Reconnex, Tablus, and Vontu prevent costly data leaks

U.S. companies exposed the personal information of more than 53 million people in 2005, according to the Privacy Rights Clearinghouse. Alas, the possibility of serious consequences for leakers doesn't seem to deter insiders from divulging private, protected information -- and for good reason: Statistics clearly show enterprises are ill-prepared to thwart them.

For all their good work, many security professionals are still saddled with first- and second-generation ITM (insider threat management) products. Typically, these are limited to monitoring certain communications channels, such as e-mail and Web browsing.

Today's solutions, however, cover almost anything traveling over your network. Furthermore, they often sense data manipulation -- such as modification of files -- and track inappropriate use of media, including USB drives and CDs at the desktop. Other solutions monitor the equally important world of data-at-risk residing on unsecured file shares and intranets. Finally, when problems in any of these areas surface, products offer real-time alerts followed by automatic remediation.

Using these requirements as guideposts, I tested upgraded versions of two network scanning products that InfoWorld first reviewed last June, along with two new agent-based approaches.

The network gateways Reconnex iGuard 2.1 and Vontu 5.0 show maturity and polish. iGuard now offers better, user-customizable dashboard reporting, faster performance, and more tools for investigators. Traditionally strong in offering complete compliance policies and high accuracy, Vontu now scans data at rest; the company is also out front in addressing worldwide employee privacy standards.

Agent technology was just awakening six months ago. After a good ride in U.S. government agencies, Oakley Networks now offers its SureView technology to commercial customers. It may have a little way to go on policy administration, but the agents do an admirable job stopping violations at the desktop.

Tablus is still working on its Content Alarm 3.0 release, due out later this year. The solution unifies both agent-based and network gateway technologies. After looking at an early beta, I believe Tablus may pose a serious threat to the competition because of its comprehensive and integrated approach. In the interim, the company also has released a minimal agent solution, Content Sentinel 1.0, which finds files with potential compliance problems on desktops and file shares. Two other familiar names in this space, Verdasys and Orchestria, declined to participate.

Oakley Networks SureView 3.3

You likely haven't heard much about Oakley Networks' insider protection technology until recently, but there's good reason: The company's been busy securing mission-critical data for hush-hush projects with the U.S. Department of Defense and other government entities. This experience gives Oakley a lot of credibility as a supplier of ITM solutions for commercial enterprises.

Several attributes set SureView apart from its competition. Although the company's agent concept isn't exclusive, Oakley has some of the most extensive threat policy and rules management options. This yields better detection, fewer false positives, and increased flexibility. You can, for example, establish a rule where only an e-mail with an attachment using encryption sent to an external recipient signals an alert. As such, SureView is a fine solution for protecting against information leakage, collusion, fraud, and compliance violations.

SureView's tabbed Web Operator Interface makes it easy to establish policies and perform investigations. Similarly, agents get quickly deployed with common management tools, such as Microsoft SMS or Altiris. Oakley representatives indicated that many of their engagements begin with monitoring employee activities, rather than stopping threats immediately. The reasoning behind this is that after you spot usage trends, you can more accurately tune policies so they don't hinder legitimate business.

To test this process, I initially set SureView to always collect all data. Then, at several workstations, I performed Web browsing, sent proprietary information by instant messenger, and modified confidential files.

Back at the Operator Console, I launched an investigation and reviewed the gathered raw data. SureView groups collections, such as Web and IM, making it easy to spot broad trends. I then drilled down into the sessions and played back an exact recording of activities. From these initial reviews, security officers should see patterns of misuse.

For my next tests, I assumed employees would use Webmail to conduct insider trading and send confidential client data using corporate e-mail. After creating policies to sense these activities, I violated the rules. The system accurately generated alerts for exactly these violations and nothing else. Besides standard network communications, SureView monitors data transfer (say, copying to a clipboard), media use (USB storage, CD burning, and printing), and encrypted transmissions. In the last case, the system captures content both before and after encryption.

Oakley offers rich tools for making user-defined policies, which are created with the Policy Builder wizard. For instance, you can look for specific keywords, patterns, or metadata. I also added behavior, including specific system activity -- such as document alteration -- during a particular time. When these attributes are combined using rules, it's less likely users and auditors will be bothered by false notification. What would be helpful, however, are out-of-the-box policies that address typical compliance legislation, such as HIPAA or SEC requirements. (Oakley plans to include predefined industry-specific and government policies in first-quarter 2006.)

After encountering policy violations, SureView offers many response capabilities. Beyond alerts at the console, managers can receive e-mail notices. Escalating this further, activities can be blocked, users can be locked out of a workstation, and a system can even be shut down.

SureView also has good forensic capabilities, where investigators can run full-text searches of communications currently stored on the server and also data that's archived in the system's database.

Finally, this solution has respectable scalability. Although appliances handle 500 users each, they can be clustered. Policies across these load-balanced devices are centrally administered. Plus, there's a single repository for all data, making auditing no trouble.

Oakley Networks SureView 3.3 generally balances security and convenience. It enforces policies -- and collects data -- at the source. The system monitors all common communications channels, including removable media. The one issue I'd like better addressed is personal privacy, especially given that the capture and replay of communications is so thorough and could be subject to misuse.

Reconnex iGuard 2.1

Reconnex -- the second top pick in our previous insider-threat product roundup -- took honors because of how well it gives enterprises visibility into security problems. iGuard does this by reviewing and classifying all content objects it sees on your network -- at gigabit-line speed -- and by sending security personnel real-time alerts about any policy violations.

Simultaneously, the easily deployed 64-bit hardware stores all elements in the high-performance Reconnex File System while metadata about each transmission is saved to a SQL database. The advantages are twofold. Using your predefined or custom rule sets, reports query the database and show how you're doing in meeting governance or regulatory requirements, including Sarbanes-Oxley and GLBA (Gramm-Leach-Bliley Act). Moreover, investigators can conduct immediate forensic searches of the database and link directly to the file or text in question. This helps security staff spot leaks before data gets into the wrong hands.

In past testing, I found iGuard could work a bit easier and faster, and it could have more flexible roles -- areas iGuard 2.1 addresses.

Dashboards are more inclusive, now providing summaries of incidents, users, location, risk, and network traffic. What's more, the Executive Summary more concisely presents the top problems, such as what policies were violated the most.

Administrators should find the Network Summary helpful in understanding any anomalies. For instance, after viewing a traffic spike at the same time over several days, I performed an ad hoc search over the stored data to locate the suspect workstation.

Similarly, the Location Summary resolved all external IP addresses to a specific geography. This feature would be valuable if you see data leaving your network and want to know whether it's destined for a particular country.

I easily navigated from these top-level reports down to lists of incidents, and finally to details about a particular violation. Besides showing the meta information associated with the incident, iGuard now highlights the exact strings that matched. This assists reviewers in deciding whether the incident is a false positive or requires a more thorough analysis. If the latter is necessary, a details page presents all necessary facts, including links to e-mail attachments while indicating all policies and rule sets that were violated.

Furthermore, this version communicates with DHCP servers, which correlate incidents to a particular machine name; normally this would be difficult with only IP addresses because they frequently change.

Carried forward from the prior version are prebuilt compliance policies -- covering everything from appropriate use to specific legislation -- and the rules that define how these policies are applied. Both are easily modified or built fresh. I can create, say, a rule for bank account information that sends a critical alert if California SB1386 or GLBA guidelines are violated in an e-mail message. Rules, additionally, allowed me to set thresholds, which helped reduce the number of false positives.
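The two rule styles described above -- SureView's combined-attribute rule (alert only when an encrypted attachment goes to an external recipient) and iGuard's threshold rule for bank account data -- as an added illustration that is not code from either product. The message model, the encryption markers (PGP armor, OpenSSL's "Salted__" prefix, .gpg/.pgp/.asc names) and the routing/account pattern are assumptions made for this example.

```python
import re
from dataclasses import dataclass, field

# Assumption for this example: the organisation's own mail domain(s).
INTERNAL_DOMAINS = {"example.com"}

@dataclass
class Attachment:
    name: str
    content: bytes

@dataclass
class Message:
    sender: str
    recipients: list
    body: str
    attachments: list = field(default_factory=list)

def is_external(address):
    return address.rsplit("@", 1)[-1].lower() not in INTERNAL_DOMAINS

def looks_encrypted(att):
    """Heuristic markers for an encrypted attachment (an assumption, not a product's method)."""
    if att.name.lower().endswith((".pgp", ".gpg", ".asc")):
        return True
    head = att.content[:32]
    return head.startswith(b"-----BEGIN PGP MESSAGE-----") or head.startswith(b"Salted__")

def rule_encrypted_to_external(msg):
    """Combined-attribute rule: alert only when ALL hold -- attachment, encrypted, external recipient."""
    if not any(looks_encrypted(a) for a in msg.attachments):
        return None
    if not any(is_external(r) for r in msg.recipients):
        return None
    return "alert"

# Constructed pattern: nine-digit routing number, separator, then an account number.
ACCOUNT_RE = re.compile(r"\b\d{9}\s*[/-]\s*\d{6,12}\b")

def rule_bank_accounts(msg, threshold=3):
    """Threshold rule: critical only when at least `threshold` distinct account pairs appear."""
    found = set(ACCOUNT_RE.findall(msg.body))
    return "critical" if len(found) >= threshold else None

def evaluate(msg):
    """Run every rule and return {rule name: verdict} for the rules that fired."""
    rules = (rule_encrypted_to_external, rule_bank_accounts)
    return {r.__name__: r(msg) for r in rules if r(msg)}

# Constructed sample messages.
PGP_BLOB = b"-----BEGIN PGP MESSAGE-----\n\nhQEMA0constructedSample\n-----END PGP MESSAGE-----\n"
MSG_ENC_INTERNAL = Message("alice@example.com", ["bob@example.com"], "see attached",
                           [Attachment("q1-forecast.xlsx.gpg", PGP_BLOB)])
MSG_ENC_EXTERNAL = Message("alice@example.com", ["pat@example.net"], "see attached",
                           [Attachment("q1-forecast.xlsx.gpg", PGP_BLOB)])
MSG_PLAIN_EXTERNAL = Message("alice@example.com", ["pat@example.net"], "agenda attached",
                             [Attachment("agenda.txt", b"Monday 10am")])
MSG_ONE_ACCOUNT = Message("alice@example.com", ["pat@example.net"],
                          "Refund to 123456789/0012345678 please.")
MSG_MANY_ACCOUNTS = Message("alice@example.com", ["pat@example.net"],
                            "Wire list: 123456789/0012345678, 987654321 / 0099887766 and 111222333-555000111.")
```

An attachment that is encrypted but stays internal, or external but unencrypted, produces no alert; one account number stays below the threshold.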

Although this interactivity is good, Reconnex plans further improvement, including search and filtering from the summaries, as well as linking to case management.

A top concern with all insider-threat products is protecting employees' privacy. iGuard 2.1 tackles this with user and group accounts. These allowed me to restrict who can view and edit policies -- as well as what type of incidents appeared on each analyst's dashboard. However, Vontu 5.0 provides more control over what each registered user can view.

iGuard's 64-bit OS and specially engineered hardware performed extremely well in scanning known network protocols for suspicious communications. They accurately stored (indefinitely) all incidents that matched a policy, while allowing me to create a rolling time window for holding other traffic. The newfound processing power also enables real-time scanning of complex document types such as PDF, which wasn't possible before.

Reconnex continues improving iController, a system to register confidential information and then look for these documents -- in whole or in fragments -- flowing over the network. Although this does improve accuracy, finding data at rest would be a worthwhile addition.

At the end of the day, there's still a downside to accessing all of this data: trying to find that sliver of information to resolve a forensic investigation. Version 2.1 adds a powerful query language with auto-complete that enabled me to build a search query effortlessly. In a few seconds I found particular content sent using SMTP during a certain time range.

Reconnex iGuard 2.1 improves in many ways, including usability, performance, and the amount of intelligence provided about incidents. Rarely will you find a solution that analyzes both outbound and inbound traffic. Furthermore, this solution is fairly open, integrating with security management systems such as ArcSight Enterprise Security Manager.

Tablus Content Alarm 3.0 Beta

Tablus' second-generation Content Alarm NW product is a respectable network scanner, finding many data leakage and security breaches. Yet the company recognizes that traditional point security solutions often are not enough. Moreover, the most effective products are those that take the guesswork out of monitoring for compliance violations. Based on an early look, these requirements are satisfied in the forthcoming Content Alarm 3.0 suite.

Similar to Vontu's and Reconnex's, the new Tablus release features a Web-based executive dashboard with Top 10 reports. As such, a manager sees trouble spots at a glance, yet can easily drill down to incident details. Policies provide out-of-the-box protection against identity theft and regulatory compliance violations.

Enterprise incident management is new in Content Alarm 3.0. Within this area, Tablus delivers the important requirement to access incidents only on a need-to-know basis. For example, finance investigators can't view HR incidents. Furthermore, each group's access is restricted to certain information.

Tablus' real-time alerts keep managers updated about problems throughout the day. An uncommon capability delivers incident notifications via many channels, including e-mail, instant messenger, and RSS feeds.

Going the next step, built-in workflow allows investigators to open and close incidents, change priority, and assign cases to other analysts. This helps Tablus catch up with competitors.

Content Alarm DT, the new agent component that provides control over confidential information at the desktop, looks to give the company an advantage. In typical agent fashion, administrators can prevent actions such as copying and pasting, printing, or moving files to USB drives.

What's different, however, is that organizations centrally define policies across the whole suite, which should reduce administration. I also liked the system's adaptive policies, which change in real-time based on usage. For example, if Content Alarm notices someone downloading or uploading large files, then that user can be quarantined. Moreover, only trusted applications are permitted to interact with confidential data, which should offer an extra layer of protection against worms and viruses.

The desktop part also leverages Content Alarm's distributed architecture and load balancing, indicating it should hold up for large-scale deployments.

In the end, Tablus has the right strategy: network and desktop protection, while both monitoring activity and preventing data from leaving the enterprise at all borders. The design appears easy to deploy, manage, and maintain. Now it's up to Tablus to execute this strategy.

Vontu 5.0

Vontu 4.0 established a tough benchmark the last time I looked at data-loss prevention solutions; it tested excellent in protecting customer data, preventing information disclosure, and ensuring compliance with government regulations. Vontu 5.0 adds a missing piece: Vontu Discover scans file shares, Web content servers, and desktops for exposed confidential data, further reducing enterprises' risk.

Additionally, this updated version addresses global requirements for workplace privacy. For example, the system captures only data that violates company policy -- without revealing employee identity -- to meet European Union legal requirements. Existing functions were refreshed along the same line; role-based access controls prohibit investigators in a business unit from seeing incidents in another part of your organization. Combined with already fine accuracy, predefined policies, and scalability, Vontu 5.0 sets another standard.

Vontu renamed some functions and made Version 5.0 more modular, which gives enterprises more deployment flexibility. But the underlying two-tier architecture remains and contributes to this solution's scalability. Sitting on a secure corporate LAN, Vontu Enforce is the core management server. Also here is Vontu Discover. On the outer tier, Vontu Monitor scans network traffic while Vontu Prevent integrates with mail gateways to block transmissions of confidential data.

Importantly, Vontu Enforce allows you to centrally define and implement policies across multiple Discover, Monitor, and Prevent systems. Vontu's well-done user interface also delivers easy access to reporting and remediation functions.

As previously, Vontu 5.0 offers both prebuilt templates -- more than 50 for industry and government regulations -- and a simple-to-use policy builder. Templates for HIPAA, GLBA, CA 1386, and Visa PCI (Payment Card Industry) saved me a lot of time and possibly oversights because they are complete out-of-the-box. Yet I had no trouble adapting these standard policies to create company-specific rules.

On the detection side, Vontu handles both structured and unstructured data. The system relies on keywords, lexicons, pattern matching, indexed-document matching -- for fingerprinting whole or document fragments -- and exact-data matching (to handle databases of customer, patient, and employee information accurately). Used in combination, Vontu had little trouble detecting data-loss incidents. There were no false negatives and very few false positives.
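Two of the detection techniques named above, indexed-document matching (fingerprinting a document so that whole or fragment copies are recognised) and exact-data matching (recognising several cells of one database record appearing together), as an added example that is not Vontu's code. The word-shingle fingerprint, the hashed-cell lookup, the thresholds, the confidential document and the customer table are all constructed for this example.

```python
import hashlib
import re

def _h(s):
    return hashlib.sha256(s.encode()).hexdigest()

def normalize_words(text):
    return re.findall(r"[a-z0-9]+", text.lower())

def shingles(words, k=8):
    """Hash every k-word window; a copied fragment shares the windows that lie inside it."""
    return {_h(" ".join(words[i:i + k])) for i in range(len(words) - k + 1)}

class DocumentIndex:
    """Indexed-document matching: keeps only hashes of registered documents, never their text."""
    def __init__(self, k=8):
        self.k, self.docs = k, {}

    def register(self, name, text):
        self.docs[name] = shingles(normalize_words(text), self.k)

    def match(self, text, min_shared=3):
        """Return {doc: shared windows} for documents with at least min_shared windows in the text."""
        probe = shingles(normalize_words(text), self.k)
        hits = {name: len(probe & fp) for name, fp in self.docs.items()}
        return {n: c for n, c in hits.items() if c >= min_shared}

def cell_norm(value):
    # Strip punctuation and spaces so "123-45-6789" and "Jane Doe" become stable cell keys.
    return re.sub(r"[^a-z0-9]", "", value.lower())

def text_cells(text):
    # Candidate cell values in free text: single tokens plus adjacent pairs (names, phone numbers).
    parts = [cell_norm(p) for p in re.split(r"[\s,;]+", text)]
    parts = [p for p in parts if p]
    return {_h(p) for p in parts} | {_h(a + b) for a, b in zip(parts, parts[1:])}

class ExactDataIndex:
    """Exact-data matching: a record is hit only when several of its cells co-occur in the text."""
    def __init__(self, records, fields):
        self.fields = fields
        self.rows = [{f: _h(cell_norm(r[f])) for f in fields} for r in records]

    def match(self, text, min_fields=2):
        """Return [(row index, matched fields)] for rows with at least min_fields cells present."""
        present = text_cells(text)
        hits = []
        for i, row in enumerate(self.rows):
            matched = [f for f in self.fields if row[f] in present]
            if len(matched) >= min_fields:
                hits.append((i, matched))
        return hits

# Constructed sample data: one registered document and a two-row customer table.
CONFIDENTIAL_DOC = ("Project Falcon pricing: the proposed wholesale rate for the northern region "
                    "is twelve percent below list for orders above five hundred units, with rebates paid quarterly.")
CUSTOMERS = [{"name": "Jane Doe", "ssn": "123-45-6789", "phone": "555-010-1234"},
             {"name": "John Roe", "ssn": "987-65-4321", "phone": "555-010-9876"}]

DOC_INDEX = DocumentIndex()
DOC_INDEX.register("falcon-pricing", CONFIDENTIAL_DOC)
EDM_INDEX = ExactDataIndex(CUSTOMERS, ["name", "ssn", "phone"])
```

Requiring two cells of one record keeps a common name on its own from raising an incident, and the shingle threshold means a short quoted fragment still matches while a chance phrase does not.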

Vontu Monitor's real-time network scanning worked across all the major business network protocols I tested, and it inspected Webmail, IM, and FTP transfers without any problem.

Moreover, when Enforce spots a policy infraction, the system gives enterprises many options. At the minimum level, I notified those who violated a policy; this alone can change employee behavior and help enforce compliance. Vontu then classifies each incident by severity.

Compared with the previous version, Vontu 5.0's real-time dashboards give executives even better insight into these trends, such as incidents by business unit or department. This doesn't take any special customization because Vontu integrates with Active Directory and respects access control privileges.

Role-based access extends throughout the system -- security and flexibility that betters the other products. For instance, I set up a role where certain investigators could only review incidents that violated customer data policies, another role for violations of HR policies, and a third "manager" role that received incidents that were escalated by the original analyst.

Within some of these roles I further limited access to attributes of the incident, such as hiding the sender's identity, which is critical for safeguarding employee privacy. Yet in each situation, analysts received the necessary information to see why the communication generated the incident, while Vontu's workflow ensured that it was handled by the appropriate person.

Still, I found you can confidently let Vontu run unattended. When I added Vontu Prevent into the mix, it automatically, and accurately, blocked e-mail and Web communications that contained confidential data. Alternatively, based on policies I created, Prevent routed messages to an encryption gateway for secure delivery.

Discover applies Vontu's detection techniques and data security policies to networked servers and other spots where documents are stored. Without installing any agents, Discover quickly scanned several file shares, document management repositories, and desktops.

Vontu continues to be the standard-bearer in detecting and mitigating insider security risks. Enterprises can implement this solution in various ways -- from simple audits to give you a baseline risk profile all the way to full blocking of communications. This version's improvements in protecting personal privacy, finding noncompliant data-at-rest, and established accuracy represent a compelling mix.

Insiders, beware

Plugging data leakage is no longer a low-priority project for the corporate security department. It's one of the top 10 CEO challenges for 2006 and should be on the minds of every other executive, shareholder, board member, and employee.

Although no technology can guarantee 100 percent compliance, these four vendors show they know how to abate insider threats. Their products provide strong visibility and control over confidential information flowing over your networks -- and now on the desktop and internal servers. Still, with this awesome control comes the next beachhead: personal privacy.

Content Alarm 3.0 sets ambitious goals of network and desktop protection, while monitoring for and preventing leaks, which will put other vendors on notice if delivered. Tablus Content Sentinel, meanwhile, performs adequately in finding exposed data at rest.

I like Oakley SureView for its straightforward deployment model and flexible rules. Just slightly ahead is Reconnex, because of its improved reporting and forensic capabilities.

Although Vontu may be a bit more complex to set up, owing to various hardware components, the payoff is smooth, centralized operation, while leaving no exit points uncovered. Yet what edges this solution ahead are its privacy safeguards along with a lack of noticeable functional gaps.

InfoWorld Scorecard

Product                        Scalability  Performance  Features  Ease of use  Value    Reliability  Overall Score
                               (10.0%)      (20.0%)      (20.0%)   (20.0%)      (10.0%)  (20.0%)      (100%)
Oakley Networks SureView 3.3   8.0          9.0          9.0       9.0          8.0      9.0          8.8
Reconnex iGuard 2.1            9.0          9.0          9.0       9.0          8.0      9.0          8.9
Tablus Content Alarm 3.0 Beta  -            -            -         -            -        -            0.0
Vontu 5.0                      9.0          9.0          10.0      9.0          8.0      9.0          9.1