Oakley SureView puts insider threats in context
With broader app support and improved reporting, Version 4.0 makes targeting risks easier
Many content-monitoring-and-filtering and information-leak-prevention products try to stop insider threats by inverting the old firewall strategy: they simply block an entire outbound communications channel, such as instant messaging.
Oakley Networks approaches the problem differently by helping enterprises get at the root cause of insider threats. Rather than take the all-or-nothing approach, the system's designers fundamentally believe that bad behavior is perpetrated by certain individuals in specific situations and should be addressed accordingly. For example, SureView policies recognize that online shopping during work causes lost productivity; this might trigger informative messages to users and reports to management that indicate the need for awareness training. However, someone creating a hostile work environment through offensive e-mail or deliberate customer data theft would trigger an aggressive response, including capturing all keystrokes at the offending workstation and then shutting it down.
This solution's basic architecture remains from when I reviewed Version 3.3. There's a master appliance and collectors that monitor managed clients, including desktops and laptops running the SureView agent. With Version 4.0, Oakley Networks improved or overhauled most areas of the product. Agents require fewer system resources, information is collected from more browsers, and administration is easier because SureView uses LDAP or Active Directory group and member information.
SureView's Web operator interface has a contemporary look, logically organizing functions within tabbed areas. Clicking around unearths dialogs to maintain the server and create policies, along with interfaces for conducting investigations and building reports.
Policies represent an ecosystem of categories, triggers, rules, and data filters that must be understood and tuned. To give you a sense of how this works, consider intellectual property leakage. Here I wanted to detect precisely when source code was copied to a USB device at certain laptops. Working through different wizards, I defined the type of data, who would be notified of an infraction, and the response, such as capturing several minutes of video to document the event.
To test flexibility, I built several Federal Tax ID triggers; these fired when a Social Security number was sent by e-mail or copied to the clipboard, but not when a user entered the number into a Web form of a secure intranet application.
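To make the context-dependent trigger concrete, here is an added example (not SureView's own code, which is configured through its wizards) that models the same decision: an SSN detector that fires on e-mail and clipboard use, stays silent for a trusted TLS intranet form, and grades the response by context. The host names, mail domain, severity tiers and action names are assumptions.

```python
import re
from dataclasses import dataclass
from typing import Optional
from urllib.parse import urlparse

# Constructed model of the SSN trigger described above; not the product's code.
# Matches a formatted US SSN; rejects area 000/666/9xx, group 00 and serial 0000.
SSN_RE = re.compile(r"\b(?!000|666|9\d\d)\d{3}-(?!00)\d{2}-(?!0000)\d{4}\b")

# Hypothetical allow-list of secure intranet applications where entering an
# SSN into a form is a legitimate job task (assumed names).
TRUSTED_FORMS = {"hr.corp.example", "benefits.corp.example"}
INTERNAL_MAIL_DOMAIN = "corp.example"  # assumed


@dataclass
class Event:
    user: str
    channel: str           # "email", "clipboard" or "web_form"
    content: str
    destination: str = ""  # recipient address for email, URL for web_form


def find_ssns(text: str) -> list:
    """Return every formatted SSN found in the text."""
    return SSN_RE.findall(text)


def evaluate(ev: Event) -> Optional[dict]:
    """Decide whether the SSN trigger fires and how strong the response is.
    Returns None when the action is permitted in this context."""
    if not find_ssns(ev.content):
        return None
    if ev.channel == "web_form":
        url = urlparse(ev.destination)
        # Data entry into a trusted, TLS-protected intranet app: no trigger.
        if url.scheme == "https" and url.hostname in TRUSTED_FORMS:
            return None
        return {"severity": "high", "action": "alert_admin"}
    if ev.channel == "clipboard":
        # Copying an SSN is suspicious but ambiguous: inform the user, log it.
        return {"severity": "medium", "action": "notify_user"}
    if ev.channel == "email":
        recipient_domain = ev.destination.rpartition("@")[2].lower()
        if recipient_domain == INTERNAL_MAIL_DOMAIN:
            return {"severity": "medium", "action": "alert_admin"}
        # SSN leaving the organization: escalate to the aggressive tier.
        return {"severity": "high", "action": "capture_session"}
    # Any other channel carrying an SSN is reported for review.
    return {"severity": "medium", "action": "alert_admin"}
```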
In practice, the system recognized all my restricted actions and triggered the appropriate response. SureView correctly stopped peer-to-peer networking, alerted an administrator when stock information was sent using IM, and caught a profane e-mail.