Test Center Daily | InfoWorld Staff » TAG: Data leak prevention

October 03, 2007

Preview: Websense Content Protection Suite brings Web smarts to DLP

Websense acquired PortAuthority Technologies in late 2006 shortly after I reviewed PortAuthority 5.0. Renamed Websense Content Protection Suite, version 6 blends in some Websense technologies along with enhancements that PortAuthority already had in the pipeline. Content Protection Suite 6 improves detection accuracy by looking at the destination of a message -- a technique seen in Websense ThreatSeeker, a technology that protects against Web-based threats. And it enhances the existing PreciseID NLP feature, which uses natural language processing to tell whether similar data is confidential or risk-free; this further boosts detection rates without going through the step of uploading and scanning individual files (fingerprinting).

Additionally, this latest version monitors all network protocols when deployed in-line, classifies and extracts content from more formats than previous versions (over 370 file types), and offers additional remediation capabilities (such as custom notification options). Further, all modules are managed from a single graphical interface.

A typical Websense configuration includes a management appliance with the management and reporting Web UI, management server, policy enforcement server, plus PreciseID NLP and fingerprinting server, and any number of Protector appliances. The management hardware easily connects to any network hub or switch. Protectors are set up the same way in passive mode, or they can be installed in-line to block HTTP and SMTP communications.

Like other top-quality data leak solutions, Websense has evolved to discover, monitor, and protect data throughout your network. It can spot social security numbers, proprietary source code, financial data, sensitive strategy plans, and other sensitive data in SMTP or Web mail, instant messaging, and FTP file transfers, on scanned file shares, and even as it is copied to USB drives on laptops.

One big change in v6 is the single management and reporting console, which simplifies administering policies, reviewing incidents, and viewing reports. While I think the interface could stand a little more tweaking -- for example, PreciseID fingerprinting is accessed from the System Status area while it would seem better placed under Policy Administration -- overall I like the new design.

Thankfully, you no longer have to switch among separate applications to scan files at rest or register information in databases. As with past versions, 150 built-in policies and reports cover major regulatory statutes (Websense provides automatic updates to these templates). Then, with a few clicks using a Policy Wizard, you can refine policies so they apply to certain user groups or physical locations, such as a particular remote office. Also, one policy applies across data in motion (e-mail, IM, FTP), at rest (file shares), and in use (laptops and other endpoints).

Content Protection Suite 6 reduces a lot of the drudgery when you need to make policies even more granular. For instance, enhancements to the Protector appliance's Intelligent Protocol Discovery mean you don't have to specify the communications channel to monitor; the system automatically checks for leaked information over known protocols (such as HTTP, FTP, and IM transmissions) on every port. Moreover, the improved PreciseID function automatically applies various detection algorithms to each potential exit point. These detection methods include rules, lexicons, dictionaries, exact and partial content matching, and statistical analysis.

The new Black Listing option lets you add another layer of protection by blocking domains and Web site categories in any combination. But here's another important synergy with the ThreatSeeker technology: Websense's security labs monitor when good Web sites are infected with spyware or otherwise compromised. As a result, even if you allow access to a legitimate site, Websense can automatically place it on your Black List -- often within hours of the discovery of the threat.

Content and context awareness helps set Content Protection Suite apart from other competitors. At the highest level, the system is aware of who is doing what, where, and how. For example, you can create a policy that allows a chief financial officer to communicate with board members using Yahoo! mail, yet still prevents the CFO from posting on Yahoo! message boards.

The redesigned management console makes it easier to review critical events by policy categories and then act on individual incidents. For example, clicking the Gramm-Leach-Bliley Act category on the main dashboard opens a filtered view of the incident management screen where you can review details of each GLBA infraction. From this same page you can quickly select the desired action, including releasing the message or assigning it to another person for more investigation. Conveniently, the next reviewer can quickly see a history of previous actions and also access forensic features (such as searching for similar infractions by the same user).

Another new feature lets you filter reports according to the same context and content classifications that you use to create custom policies. Discovery Reports list data-at-rest files containing sensitive data, providing details about the questionable files and the violation that triggered the incident. I’d like to see, however, data-at-rest statistics rolled up to the main executive dashboard.

Websense Content Protection Suite 6 can discover and protect sensitive data in most any form, sent over various channels and to many destinations. The new natural language processing capabilities, which classify content based on the context in which it was being used, should improve accuracy. Various deployment options -- and the ability to have one server operate in multiple modes (passive monitoring, inline monitoring and enforcement, or proxy mode) -- can lower your overall cost. Lastly, it offers easy management from a central Web interface -- though there's still a bit more work to do in the system's overall usability.

Websense Content Protection Suite 6
Cost: Starts at $33,000 for software components
Platform: Available on a variety of supported hardware platforms or on hardened appliances sold at cost. Uses a proprietary operating system derived from Linux. Endpoint agents supported on Windows 2000 and later.
Verdict: Websense Content Protection Suite discovers sensitive data most anywhere in your enterprise -- whether at rest, in use, or in motion. This solution’s pre-built policies and reports, plus automated data classification and protection, should result in fast deployments. Version 6 improves accuracy with content and context awareness, and natural language processing capabilities. Moreover, it now monitors all protocols when deployed in-line.

Posted by Mike Heck on October 3, 2007 06:00 AM



October 02, 2007

Preview: Reconnex 7 takes a smarter view of insider data leaks

Picking a data leak prevention (DLP) solution used to be fairly easy -- it all depended on what you needed to protect. One solution might best handle data in motion (such as e-mail), while another used agents to sniff out sensitive data in use on desktop systems and laptops. And yet others guarded intellectual property resting in data repositories. Now the major solutions -- Vontu, Websense (formerly PortAuthority), Tablus, and Reconnex -- cover all three situations, and their protection is darn good.

I've been investigating the key differences among these solutions today and have narrowed it to three areas: usability for security staff performing investigations; quick ways to fine-tune rules so that more types of malicious activity are caught, yet false positives are reduced; and the ability to review past communications that may have originally appeared benign. The forthcoming Reconnex 7 appears to have a solid grip on each area.

[Image: Reconnex 7 dashboard]

First, version 7.0 introduces a new user interface, the inSight Web console (see above). The redesigned dashboard now shows security violations based on an investigator's role. Role-based access means that human resources personnel can no longer see incidents covering financial disclosure, for instance. Moreover, Reconnex helps you quickly make sense of what could be a lot of activity. For example, you can group results by rules (such as offensive language or communications to a particular country), and then filter each grouping by sender, time, department, or other parameters.

[Image: Reconnex 7 incident detail]

Next, workflow is better integrated with these reports, so less time should be needed to remediate problems. Clicking on an incident in the dashboard immediately takes you to a details screen containing destination, suspect content, and protocol (see screen image above). Yet Reconnex 7 is different from other products because you may collect what might initially seem like unrelated incidents and bundle them as a new case. Other solutions typically turn each possible security breach into a unique case, making it more difficult to connect the dots.

The other main difference with Reconnex is that the iGuard Appliance continues to capture all communications. Here's where that comes into play in version 7. Say you spot a new incident where an employee tries to send confidential information to a competitor. You could do a historical search to find what else the employee might have done, perhaps sending files to a Yahoo! e-mail address owned by another competitor -- transmissions that weren't initially flagged because there were no rules at the time. In Reconnex 7, these new findings are then added to the existing case, making it much stronger if you must take disciplinary or legal action. This version, the company tells me, will also have new methods of indexing to make searches much faster.

Admittedly, a solution's detection methods should be robust enough to catch data leaks without writing specific rules. The previous example notwithstanding, I've found that Reconnex's algorithms generally don't require adjustments to spot at-risk information. Still, there will always be special cases, such as registering a unique file type your organization uses. This process usually entails hit-or-miss experiments using real-time communications. Reconnex 7 will let you test changes against your historical data; this should help ensure that rules work properly the first time they're applied to live traffic.

The bar is set high for these products as insider data leaks (intentional or not) and breaches of private data and intellectual property continue to make headlines. Reconnex 7 appears to clear the bar in usability and data protection. Further, its forensic capabilities and excellent value set the mark even higher in these two areas for competitors.

Reconnex 7.0
Availability: October 2007
Pricing: Starts at $34,995

Verdict: Reconnex 7.0 doesn't make any startling changes to the iGuard hardware. However, the core inSight centralized management application gets a re-architected user interface that reduces time to act on any possible data leak violations. Workflow is smarter in this version, and role-based access limits what investigators can see, protecting employee privacy. And because the solution captures all communications, enterprises can perform more effective investigations -- and more quickly create and adjust rules.

Posted by Mike Heck on October 2, 2007 10:00 AM


