Clamp down on security leaks (2024)

The InfoWorld Test Center scrutinizes solutions from iLumin, Reconnex, Tablus, Vericept, and Vontu aimed at stopping insiders from spilling your secrets or breaking the law

Your organization’s Sarbanes-Oxley audit is scheduled for this summer. Will you be able to show who has access to financial records and what they’re doing with that data? Just as important, can you prove you’re equipped to take immediate action when policy violations occur?

If regulatory incentives aren’t compelling enough to make you keep a tab on the data flowing within and from your network, consider this: Studies from the Computer Security Institute/FBI, U.S. Congress, Gartner, and others estimate that as much as 75 percent of the $200 billion in measured annual security losses comes from within organizations.

Currently, IT security chiefs allocate the majority of their budgets to protecting network perimeters with firewalls, patch management, anti-virus applications, and intrusion-detection systems. But a new breed of security products guard intellectual property and protect organizations from the public humiliation of lawsuits, fines, and jail time for executives.

One approach for these solutions is to inspect network traffic in real time to ensure that confidential assets are not sent out of the enterprise, intentionally or otherwise. For example, an HR employee may not realize that the new employee’s spreadsheet he just e-mailed to an outside vendor has a hidden column containing private account log-ins.

Inspecting network traffic in real time may seem easy, but it’s extremely difficult to do quickly and accurately. Consider the scope and magnitude of the content-monitoring task: SMTP

e-mail and Web mail, HTTP requests, peer-to-peer file sharing, IM, and FTP, for starters. Plus, there are hundreds of file formats to examine. For each message and file, sophisticated contextual analysis and NLP (natural language processing) must determine whether the content is allowable.

But it’s not just compliance reporting at stake here. The key step is to act immediately against activities that violate policies and put organizations at risk. But this is even harder to accomplish, because companies must not block legitimate communications; doing so would impair productivity. Exceptional reporting is a necessity and must go beyond an executive dashboard; reports should help determine if your security strategy is working and detail breaches and their resolution so you can satisfy legal requirements.

I evaluated five data-loss-prevention solutions that follow this general model. Reconnex, Tablus, Vericept, and Vontu provide real-time monitoring of most Internet communications. Only Vontu’s product innately blocks messages. iLumin’s solution performs intelligent content inspection of e-mail and instant messages and also stops privileged content from leaving organizations through these two channels, making it appropriate to include in this roundup.

In my tests I generated network traffic using various protocols (HTTP, IM, FTP, and e-mail) and sent a variety of content (plain text files, Microsoft Office documents, PDF files, compressed Zip archives, images, and rich media files). To judge accuracy, I embedded C++ source code, credit card numbers, Social Security numbers, and patient health information within messages and attachments. I then made certain the solutions recognized them. Furthermore, I sent e-mails and instant messages containing wording that would likely cause compliance problems such as violations of corporate governance guidelines.

For usability I evaluated each solution’s overall navigation, its ease of creating custom policies and rules, and its incident reports. Additionally, I reviewed forensic functions, such as the type of information archived for compliance auditing and the ability to retrieve historical data.

Several companies make a compelling argument for securing data at the origin, in contrast to the network-sniffing approach. Client agents prevent people from moving files to removable media or both copying and pasting data from the source to, say, an IM session. This host-based approach is initially more expensive to acquire and administer, yet it delivers strong security to complex enterprise environments (see Securing data at the point of use and ITM peers inside the inside threats).

iLumin Assentor Compliance 3.3 iLumin’s Assentor Compliance solution is a mature product that was first used by the financial industry to monitor e-mail and IM. Thus, many of its more than 1,000 recognized violation patterns relate to broker communications and therefore meet Securities and Exchange Commission selective-disclosure and insider-trading rules. However, the latest version branches out, spotting and halting more general communication problems, such as harassing messages that should be acted upon by HR. Although it doesn’t ship with formal policies to meet specific governmental regulations, iLumin’s custom policies could be made for, say, HIPAA or European Union data-protection directives.

Compliance’s administration and user interfaces lack polish, but they become understandable after minimal training. Web forms kept me from fumbling when I updated the dictionary of words, stock symbols, and phrases to be tagged and the words to be excluded from scans. In the same way, I registered documents that lawyers in a legal department had approved for public viewing so the documents would not be flagged.

This solution works in two modes, pre-event and post-event. When the software finds unacceptable or suspect content in pre-event mode, it stops the correspondence and routes the message to a quarantine queue for review by an appropriate supervisor. When it finds suspicious content in post-event mode, Assentor Compliance allows the message through and simultaneously routes a copy to a supervisor for later action.

After streaming test messages through the server, I used the Web interface to check the results. A single window display clusters problem e-mails or instant messages, shows the actual message with the problem areas tagged, and then lists the suspected violations. The NLP did a good job discerning intention (“I am going to sue you”) from a person’s name (Sue), which minimized false positives.

Threshold Management allowed me to improve efficiency by adjusting the tolerance and quarantine action for each problem category. For example, an inappropriate joke might not warrant a manager review, but every attempt at passing insider information should be stopped and subject to review. iLumin’s language understanding was accurate enough to usually discern between these two situations. In the few cases where the software wasn’t certain about a message’s intent, it played it safe and blocked the message.

To streamline and lessen auditors’ work, Assentor provides next to each message icons that quickly invoke commands including Audit Trail, Add Comments, and Send Warning. Other time-saving functions include Mass Approve and Mass Reject.

The system accurately scanned the text of most attachments, including PDFs, and then allowed me to open the files to verify there was a problem. Plus, Assentor detects and quarantines encrypted e-mail.

Version 3.3 has improved reporting. For example, compliance reviewers now get information such as the percentage of messages approved or rejected, plus a list of problem messages organized by groups or employees. Importantly, using the Admin Console, I was able to configure different archive times for different groups, accounting for varying retention periods among employees and subsidiaries.

At a higher level, compliance executives can generate reports that summarize message problems of each type. Additionally, I could audit the system to make certain no one had changed thresholds on content analysis without approval. This additional measure of accountability could prove valuable in an investigation.

Assentor Compliance is a workable solution for monitoring e-mail and IM. Its open lexicon gives the product enough flexibility to handle typical business compliance needs and meet requirements of specific industries such as finance and health care. It stops short of handling all types of communication used to distribute sensitive data. Web mail, for example, isn’t handled. Furthermore, administrators must build policies for specific data-protection regulations.

Reconnex iGuard 3300, Version 1.4 Reconnex offers strong network traffic coverage, comprehensive policies, and above-average reporting. Yet this solution does one better than other solutions in an important way: iGuard’s custom file system writes all communications data at gigabit line speed. In addition to banishing network lag, this feature captures unknown attachments, allowing examiners to do complete forensic analysis. However, iGuard doesn’t block communications that violate policies.

iGuard units typically install below an outbound firewall using network taps, or they connect to SPAN (switched port analyzer) ports on switches.

You get predefined polices and rule sets (filters) for all the top violations, including violations of Gramm-Leach-Bliley, HIPAA, and Visa CISP (Cardholder Information Security Program). Business users can edit these policies and create basic new ones by picking and choosing options from the Web GUI.

There wasn’t a business circ*mstance I couldn’t accommodate. For instance, I defined policies for specific network exit points, document type, and both inbound and outbound traffic. However, creating intricate policies (such as those monitoring full regular expressions) entails using a command line interface, and this requires some expertise. But I appreciated the ability to easily rerun a changed policy on captured data, which helps ensure nothing is missed.

Like Tablus, iGuard is port agnostic: Because it looks for the structure of the protocol, it had no problems monitoring all types of e-mail traffic, IM, and FTP file transfers. Additionally, the system had no difficulty cracking open encrypted messages sent using SMTP, chat, and Web mail.

This solution doesn’t identify attachments by extension. Instead, it uses a special process to look for binary signatures. In my testing, iGuard quickly decrypted compressed .zip and .tar archives, reviewed Microsoft Office documents, checked PDFs, and scanned source code for violations. It also properly identified files purposely renamed with a wrong extension. Although Reconnex’s philosophy is to remain passive (it doesn’t block messages), its alert mechanism worked as well as the alert mechanisms in the other products. In real time (less than 40 microseconds), iGuard sent a message to designated managers when it sensed a violation. Also, the software will send a trigger to your mail server so any existing quarantine technology is invoked.

The supplied reporting engine allowed me to drill down from executive reports on policy violations to details about an incident along with the object that triggered the event. I wished iGuard would highlight the offending part of an attachment, a feature planned for a later release. Reconnex said it will soon offer an offline monitoring console so administrators can view incidents from all appliances in aggregate and also perform forensic searches of data at rest. Currently you need to jump to each individual appliance for reporting, which you can do from one browser.

As with the other products, I could generate reports based on the policy violated or other search parameters, such as sender e-mail address. I also subscribed to incidents that matched a custom filter and scheduled e-mail delivery of these reports. Workflow rules, which aren’t in all such products, saved me a lot of effort in reviewing incidents. I set up iGuard so that, upon detection of source-code violations, it would gather and zip all the evidence and then send it with a summary to the appropriate investigator.

Reconnex’s storage of all traffic (as much as the 1.5TB disk space in each appliance) benefits forensic investigations. For example, you can search past violations, not just for a particular sender, recipient, or IP address, but also for all objects in the same classification, even if they were not involved in past violations. This data store is also handy for making sure testing policies behave as expected before they’re used against live traffic.

Reconnex iGuard does a fine job of analyzing traffic in real time and has the uncommon ability to store everything to disk for post-analysis. Policies address all necessary compliance and data-security needs. Add in high accuracy and incident workflow, and the solution gets high all-around marks. Keeping it from the top spot is the lack of certain features, planned for future releases, including inline blocking, quarantine (which are now accomplished by integrating with third-party applications), and improved usability.

Tablus Content Alarm NW 2.1 Tablus’s turnkey solution has a lot in its favor, including strong structured content analysis augmented by integrated ILM (information lifecycle management), which automatically maintains a catalog of confidential documents, and by multiple scanning engines, which review unstructured data for compliance issues. The system lacks formal policies for specific legislation, but you can comply with regulations by building pattern-matching and related rules. E-mail blocking and quarantine features will be added later this summer.

The solution has three standard components. Content Alarm Controller, aka the S-200, is the main appliance. It maintains information about confidential data and content transmission policies. There’s also a Windows-based application for configuring the controller, and crawlers that run on other systems to automate content classifications. The enterprise edition I tested adds a fourth component: sensors, called S-100s, placed at network exit points. These sensors scale Content Alarm for larger enterprises.

Appliances run a hardened Linux with minimal services. After connecting them to my network and providing some basic information, I began immediately using the Administrator Console to identify protected content and define audit policies and notifications. This solution stresses accuracy, accomplished in several ways. First, Content Alarm infers protocols based on the data it senses, rather than on a specific port, so you don’t have to specify, for example, FTP on port 21.

For unstructured content scanning, Tablus’ linguistic analyzer augments monitoring of attributes, keywords, phrases, and signatures. More than 300 document types are inspected along with messages. Without tinkering with the system, scan results were good. Only a few messages containing unique keywords slipped out.

Fine-tuning the included policies and creating new ones isn’t straightforward; you need to wade through several forms and pop-up windows. Yet you get a lot of flexibility. It didn’t take me long to create pattern matches for Social Security numbers or to look for file attachments of more than a specified size. At this stage I was confident that almost all the remaining bad communications were recognized.

Significantly, Content Alarm further bolsters accuracy with a file crawler — an application that runs on any file server and watches directories of documents, source code, databases, or other data you don’t want transferred out of your network. Once the system spots this “DNA” during a crawl, it registers the signatures on the main controller.

The crawling process notices specific structured data, Tablus identified source code, and other proprietary data that otherwise went unnoticed. Moreover, a document such as a financial press release might be confidential one day and moved to a public folder the next morning. Automatic crawling picks up this status change, eliminating the need for manual document lifecycle management, and this lowers Tablus’ TCO.

On the management side, I received e-mail alerts about policy violations. After logging in to the application as an auditor, I reviewed event details, including message body, attachments, originator’s MAC (media access control) address, security policy information, and markup, which clearly showed why the transmission violated policy. Content Alarm places these results in an encrypted, access-controlled repository for later forensic needs. A planned update will allow reviewers to perform these tasks from a browser.

You can also employ an API that integrates alerts with other security-event management systems. This might be helpful when a virus is transmitted, so a response can be coordinated with other security people and applications. Security executives can measure and reduce risk using company-level customized dashboards. These allowed me to identify and reduce security risks by efficiently grouping violations by department or individual.

Because Tablus emphasizes structured data analysis, Content Alarm is a fine solution for protecting against the loss of personal identification information and for monitoring against ID theft. Automated content classification should reduce management costs. However, detection is only a partial answer to data leaks. For enterprises wanting to go beyond finding problems and plugging holes, an upcoming upgrade (currently in beta) adds blocking. Alternatively, you can complement Content Alarm NW with the agent-based Content Alarm DT or a similar tool.

Vericept Intelligent Protection Platform 7.1 Vericept’s software watches all inbound and outbound Internet traffic for content that falls outside of your acceptable-use policies. Data passes through an analysis engine, which stores and reports on out-of-bounds communications. This system differs from other products: Vericept looks for broad inappropriate behavior by users, such as conflict-of-interest messages or communications that indicate a disgruntled employee. Based on these patterns, you can use positive evidence to stop abusive and criminal behavior. Custom categories for corporate compliance (including compliance with HIPAA, SB 1386, and Sarbanes-Oxley) are weak, but Vericept plans to add this and other functions later this year.

Vericept 7.1 maintains the product’s ease of use. It worked well out of the box, evaluating my entire test network’s traffic without requiring me to create special policies. Moreover, business users should have no trouble accessing a number of key features, including customized monitoring, which enhances accuracy.

The new Category Builder helped me tune several of the 61 Vericept-supplied categories (such as codes of conduct and acceptable use); I specified a range of source and destination IP addresses to watch for. I also specified specific data — credit card numbers, for example — to watch for.

Vericept can’t automatically register content, such as information in a database, for observation, yet several other functions have worth. The Social Security number category now uses information from the Social Security Administration to determine if a number is valid. Furthermore, I manually created custom categories with text related to names of confidential projects.

After establishing the basic monitoring rules, I further tweaked each category by determining when monitoring happened; this lessened false positives. For instance, I permitted Internet shopping after business hours.

Vericept combines multiple inspection engines, which have complementary analysis techniques. These probed all my unencrypted TCP/IP traffic and correctly identified harmful content, including material used in Telnet sessions, bulletin board postings, chat rooms, and peer-to-peer file sharing. Vericept can’t open encrypted IM or SSL Web traffic, but the software can detect their use. This gives you some insight into potential use of rogue encryption.

This solution locally saves extensive metadata about noted incidents (approximately a year of workday monitoring) and has administration commands for archiving collected events on external storage devices for more extensive historical analysis. For my tests I examined several weeks of captured activity using the four types of reports available from the Web user interface (Event Query, Event Summary, Event Search, and Most Recent Events). Most Recent Events showed a list of current bad messages, with links for drilling down to details about the event. Executives using Vericept can view threat summaries, as they can when using Vericept’s competitors.

For analysts, Vericept has some of the better query functions. These functions allowed me to search by one or more categories and then hone in on activity for a specific workstation. To create presentation-quality reports or perform deeper data mining, you need separate software. Vericept has nine Crystal Report templates, which I used with Crystal Report, a third-party application, to build charts and summarized tables.

As noted, Vericept is more attuned to spotting trends than to generating immediate alerts on every troublesome message. Viewed in this context, the software meets its design goals. In this part of testing, I distributed the task of reviewing certain events by creating Workflow Policies and Rules. I assigned an HR user to manage activities such as shopping and game playing under Acceptable Use policies; a security group employee was responsible for nonpublic personal information such as Social Security numbers.

On a set schedule (typically each hour), reviewers receive activity reports about their specific compliance area. After scanning the summaries, auditors can annotate events, reassign the case (even to those who are not Vericept users), or download event details to their workstation.

In Version 7.1, reviewers can now free-form search the metadata fields. I successfully searched Web mail traffic on a particular network subnet for messages containing a particular person’s name.

Vericept’s Intelligent Protection Platform 7.1 accurately scans all forms of Internet traffic using predefined categories. It also offers easy rule customization. The system correctly noted both structured and unstructured proprietary data on the network.

Moreover, it traces this data back to a user, user name, workstation, or IP address. Users in responsible departments received alerts and reports, enabling them to manage problem communications without much effort. If you need categories that address specific compliance legislation or blocking, Vericept isn’t best. But for discovering inside threats before they grow into serious compliance problems, Vericept gets the job done right.

Vontu 4.0 Vontu 4.0 is a feature-rich data-loss-prevention solution that meets or exceeds each of my test requirements. It accurately monitors all network traffic; selectively stops confidential data from going outside an enterprise; is easy to manage with role-based access, even in large deployments; and provides multiple levels of reports to identify risks and demonstrate corporate and regulatory compliance.

Setting up and configuring the Vontu Manager server, network-inspection Monitors, and inline Prevent component (which directs MTAs to block, reroute, or quarantine messages based on content), should take about half a day.

Vontu 4.0’s Policy Authoring contributed greatly to this short setup cycle. I used some of 50 prebuilt templates (including regulatory enforcement, customer data protection, IP, and acceptable use) as the formula for my custom policies. For instance, it was a snap tuning the Gramm-Leach-Bliley template to look for an exact match of Social Security numbers contained in a customer database, to block e-mail containing numerous violations, and to create an autoresponse notification for less-serious infractions. Just as important, I had Vontu 4.0 regularly scan my database for updates; this helped ensure 100 percent accurate detection of structured data.

Similarly, the clear-cut process enabled me to create from scratch a policy to protect source code based on data matches, sender, recipient, geographical location, and other parameters.

This solution performed admirably in all the monitoring and blocking tests. First, the combination of exact data matching, contextual analysis, and natural language processing caught SMTP e-mail with attachments as well as customer data in the body of the message. I also liked the easy approach to adjusting a policy’s threshold. For instance, I allowed one mention of a generic keyword to pass without an alert, cutting down on false positives.

Second, HTTP content monitoring detected financial data sent to an outside e-mail address. I also tried mailing code snippets to both an unknown e-mail address and an approved vendor. This conditional blocking worked as I had written the policy — stopping the message to the unapproved recipient and creating an incident — without any performance hit to my network.

Lastly, Vontu 4.0 identified IM conversations that discussed an unreleased project and blocked instant messages containing employee Social Security numbers.

On the reporting side, this solution is just as strong. Role-based access control allowed me to restrict viewing incidents of a certain nature (such as financial disclosure) to particular analysts. Next, the Incident Snapshot function allowed analysts to easily review and remediate problems. Using clear hyperlinked navigation, I jumped to individual Web page reports containing complete incident content and context, including message body, attachment, sender and recipient, timing, and policy information. Matches are highlighted, so I clearly saw why the message generated an incident.

Vontu thought through the workflow, which includes a variety of commands. You can escalate an incident, add comments, or resolve an incident on the spot by allowing the quarantined message to go through. As a result, organizations should be able to keep analyst time and resource expenditures to a minimum.

Top-line reporting gives senior managers data-loss dashboards, which measure overall risk and compliance; these show both incident history and trend analysis. From these displays, I drilled down to reports that organized incidents by business units and departments during a date range (the system stores and reports on years’ worth of complete historical incident data).

Vontu 4.0 also ships with preconfigured reports, which demonstrate compliance with government regulations. Reports can be created, saved, and run on schedule for any combination of incident attributes, which is useful for weekly or monthly security review meetings.

Vontu 4.0’s data-loss-prevention solution is scalable (individual monitors handle about 40,000 employees and perform exact data matching for as many as 2 billion cells). It accurately detects and blocks bad communication in real time, and its highly usable design should ease the work of security auditors. Those factors and others, such as integration with PGP to enforce enterprisewide encryption and enforcement policies, combine to make this the solution to beat.

Tough choices No one would dispute that you now need to have a process in place for managing and stopping insider threats. Yet there’s a good deal of disagreement about the best way to meet this goal. Some experts say recognizing the problem is enough; but my take is that trying to stop the horse after it’s out of the barn is not the right approach. And judging by most vendors’ plans to add blocking (if they don’t have it already), that’s what customers and regulators want, too. But for that first step — recognition — any of these products is acceptable.

I like Vericept’s overall implementation, but you’ll have to wait until later this year for the company to introduce more-thorough message handling and compliance-specific policies. If your main interest is monitoring and blocking e-mail and instant messages, iLumin is the dark horse of the group. As reviewed, Tablus’ network-monitoring product neither blocks nor quarantines messages. Still, the scalable and centrally managed Content Alarm NW automatically crawls all sorts of data repositories, reducing both false positives and administrator workloads.

Reconnex demonstrates a clear understanding of the networking and management issues security staff face: This system stores all network traffic and goes beyond the requisite analysis functions. Only a lack of native message blocking keeps it from the top spot.

Vontu stands out with its “Goldilocks” solution: It has just the right mix of features and usability. Although it’s one of the pricier solutions out-of-the-gate, if you believe that the key to handling insider threats is not just reporting but also blocking, then it’s hard to miss with this product. When it comes to protecting confidential information from exposure, I envision a blended approach, with agents at the desktop serving as the first line of defense and inline network monitoring serving as the last line of defense, as you’ll find in Tablus’ overall solution. Other vendors will likely follow.