Oakley SureView puts insider threats in context
With broader app support and improved reporting, Version 4.0 makes targeting risks easier
SureView still doesn't perform message blocking, a standard feature of many other products I've reviewed. But in keeping with Oakley Networks' philosophy, this version adds a few more trigger responses, with Stop Process the most significant. Put simply, the agent will kill the process, such as instant messaging, as soon as possible after detecting its use.
As before, you can monitor a wide range of other activities and channels for inappropriate use, from printing to terminal server sessions. Version 4.0 now collects interactions from Netscape and Firefox browsers and IBM Lotus Notes, and it has better document fingerprinting. The fingerprinting will sense when someone tries to, say, copy and paste sections of a protected document into another application.
I also liked 4.0's much-improved agent management, which let me organize users and computers within groups (which can be derived from LDAP or Active Directory lists). This feature streamlines large-scale rollouts.
A possible trade-off with agents is that they consume CPU cycles, which slowed application response with Version 3.3. This time agents didn't have any measurable effect when I tested SureView 4.0, even on some older Dell Pentium III Optiplex desktops and Latitude 600 laptops. Another welcome change is video replay; normally agents send four frames per second of video to the server for replay but will throttle this down if the client system's CPU is under load.
Reporting wasn't anything special in the last version but has now reached parity with other solutions. The dashboard let me rapidly find all issues within an incident category.
With the company's thrust in behavior analysis, Oakley Networks isn't trying to become a Vontu or Reconnex. Yet some improvements would help, and they are expected in a 5.0 release later in 2007. For example, there's planned integration with CoreView (Oakley's network scanning product) so that both can use centrally managed policies, and there will be a common dashboard that displays leading data-leak indicators for all threats identified. Lastly, the endpoint agent will take a more active role, such as providing a pop-up so users can explain why they performed a task.