Oakley SureView puts insider threats in context

Many content monitoring and filtering and information leak prevention solutions attempt to stop insider threats by reversing the old firewall strategy: They completely block a particular outbound communications channel, such as instant messaging.

Oakley Networks approaches the problem differently by helping enterprises get at the root cause of insider threats. Rather than take the all-or-nothing approach, the system's designers fundamentally believe that bad behavior is perpetrated by certain individuals in specific situations and should be addressed accordingly. For example, SureView policies recognize that online shopping during work causes lost productivity; this might trigger informative messages to users and reports to management that indicate the need for awareness training. However, someone creating a hostile work environment through offensive e-mail or deliberate customer data theft would trigger an aggressive response, including capturing all keystrokes at the offending workstation and then shutting it down.

This solution's basic architecture remains from when I reviewed Version 3.3. There's a master appliance and collectors that monitor managed clients, including desktops and laptops running the SureView agent. With Version 4.0, Oakley Networks improved or overhauled most areas of the product. Agents require fewer system resources, information is collected from more browsers, and administration is easier because SureView uses LDAP or Active Directory group and member information.

SureView's Web operator interface has a contemporary look, logically organizing functions within tabbed areas. Clicking around unearths dialogs to maintain the server and create policies, along with interfaces for conducting investigations and building reports.

You'll probably need some training to create or maintain polices; that's not a usability gripe, rather an indication of how much flexibility and accuracy is in store. To test SureView, I created policies that detected encryption, protected intellectual property, enforced regulatory and privacy regulations, and monitored for workplace harassment.

Polices represent an ecosystem of categories, triggers, rules, and data filters that must be understood and tuned. To give you a sense of how this works, consider intellectual property leakage. Here I wanted to precisely detect when source code was copied to a USB device at certain laptops. Working through different wizards, I defined the type of data, who would be notified of an infraction, and any results, such as capturing several minutes of video to document the event.

To test flexibility, I built several Federal Tax ID triggers; these fired when a Social Security number was sent by e-mail or copied to the clipboard, but not when a user input the number into a Web form of a secure intranet application.

In practice, the system recognized all my restricted actions and triggered the appropriate response. SureView correctly stopped peer-to-peer networking, alerted an administrator when stock information was sent using IM, and caught a profane e-mail.

SureView still doesn't perform message blocking, a standard feature of many other products I've reviewed. But in keeping with Oakley Networks' philosophy, this version adds a few more trigger responses, with Stop Process the most significant. Put simply, the agent will kill the process, such as instant messaging, as soon as possible after detecting its use.

As previously, you can monitor a large range of other dealings and channels for inappropriate use, from printing to terminal server sessions. Version 4.0 now collects interactions from Netscape and Firefox browsers, IBM Lotus Notes, and it has better document fingerprinting. The latter will sense when someone tries to, say, copy and paste sections of a protected document into another application.

I also liked 4.0's much-improved agent management, which let me organize users and computers within groups (which can be derived from LDAP or Active Directory lists). This feature streamlines large-scale rollouts.

A possible trade-off with agents is that they consume CPU cycles, which slowed application response with Version 3.3. This time agents didn't have any measurable effect when I tested SureView 4.0, even on some older Dell Pentium III Optiplex desktops and Latitude 600 laptops. Another welcome change is video replay; normally agents send four frames per second of video to the server for replay but will throttle this down if the client system's CPU is under load.

Reporting wasn't anything special in the last version but has now reached parity with other solutions. The dashboard let me rapidly find all issues within an incident category.

SureView 4.0 is a very good solution for targeted investigations since you can create policies that find very specific types of threats and focus on certain groups of machines. That said, after you discover problems, it's relatively easy to create enterprisewide policies that apply to any user.

With the company's thrust in behavior analysis, Oakley Networks isn't trying to become a Vontu  or Reconnex. Yet some improvements would help, which are expected in a 5.0 release later in 2007. For example, there's planned integration with CoreView (Oakley's network scanning product) so that both can use centrally managed policies, and there will be a common dashboard that displays leading data-leak indicators for all threats identified. Lastly, the end point agent will take a more active role, such as providing a pop-up so users can explain why they performed a task.