Upload: silas-fleming

Post on 18-Dec-2015


Page 1

Practical Aspects of DLP System Deployment

www.searchinform.com

Page 2

SearchInform Information Security Perimeter

Page 3

Customer Support Center

The Customer Support Center helps companies that are about to deploy the product tune their information security, drawing on the experience gained in tackling similar challenges at other customers (the names of clients working in similar fields are kept confidential).

The Customer Support Center gives tips on:

• tuning alerts;
• protecting sensitive data;
• differentiating user rights, etc.

Page 4

Working with Colleges

College graduates quite often fall short of employers' expectations because they have no practical experience in information security.

SearchInform is the only Russian developer of information security solutions that takes part in a graduate training program.

We provide a free version of the product to every college interested in training specialists on a real product.

Page 5

Information Security Should Promote Business, not Hinder It. All Data Channels Should Be Open

Very often employees are denied the most efficient and popular communication channels in the name of data loss prevention.

For example, employees may be allowed only corporate e-mail while ICQ and Skype are banned, even though an instant messenger is the more efficient way to communicate.

A state-of-the-art DLP system lets employees use every data channel while it intercepts and analyzes the data flows transmitted over those channels.

Page 6

Information Security System Should Control All Data Channels

"The Wizard of Oz" featured a big scary wolf guarding the gate of the country against intruders. Nobody could cross the border there. The rest of the border, however, was merely painted on.

The same applies to information security: if copying data to removable media (USB devices or CD/DVD drives) is forbidden, confidential data will simply be sent by e-mail or instant messenger instead.

Many employees believe data sent via Skype cannot be intercepted, so at work they prefer Skype to any other Internet messenger. That is why files, text and voice messages sent via Skype must be controlled by all means.

An integrated approach to information security is impossible while even one potential data leak channel remains uncontrolled.

Page 7

One man doesn't make a team?

Intercepted information is useless until it is analyzed, and reading every captured message is an irrational way to analyze it. With the traditional approach one security officer can handle only 20-50 employees. What if there are a few hundred, or even thousands, of them?

SearchInform Information Security Perimeter offers automatic data analysis and alert handling, built on several search engines.

This way one security officer can control 1000-1500 employees.

Page 8

Windows Domain Structure Integration

Integration with the Windows domain structure enables accurate identification of the user who sent a message over any of the following channels: e-mail, Skype, ICQ, MSN, JABBER, forums or web blogs, even if he or she used a free e-mail account, a different nickname, or another computer to log on to the network.
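The slide does not say how the domain integration ties a free-mail address or an IM nickname back to a domain account. The following is an added example, not SearchInform code, of the simplest way that attribution can be done: correlate each intercepted message with the interactive logon session that was open on the capturing workstation at capture time. The session table, the intercepts and the account names are all constructed sample data; a real deployment would build the session table from domain logon events.

```python
"""Attribute intercepted messages to Windows domain users.

Added example, not SearchInform code. It assumes the DLP server receives two
feeds: a table of interactive logon sessions exported from the domain (which
domain account was logged on to which workstation, and when) and intercepted
messages tagged with the source workstation and capture time. A message sent
from a free-mail address or under an unfamiliar nickname is attributed to
whoever held the logon session on that workstation at that moment. All
sessions and intercepts below are constructed sample data.
"""
from dataclasses import dataclass
from datetime import datetime
from typing import Dict, List, Optional, Set, Tuple


@dataclass(frozen=True)
class LogonSession:
    domain_user: str            # DOMAIN\account as reported by the domain controller
    workstation: str            # hostname the account logged on to
    start: datetime
    end: Optional[datetime]     # None: the session has not been closed yet


@dataclass(frozen=True)
class Intercept:
    channel: str                # "smtp", "icq", "jabber", ...
    workstation: str            # where the traffic was captured (agent host or resolved IP)
    captured_at: datetime
    sender: str                 # address or nickname as seen on the wire


# Constructed logon history (a real deployment would build it from domain logon events).
SESSIONS: List[LogonSession] = [
    LogonSession("CORP\\ivanov", "WS-017", datetime(2015, 12, 1, 8, 55), datetime(2015, 12, 1, 12, 30)),
    LogonSession("CORP\\petrova", "WS-017", datetime(2015, 12, 1, 12, 45), datetime(2015, 12, 1, 18, 5)),
    LogonSession("CORP\\sidorov", "WS-042", datetime(2015, 12, 1, 9, 10), None),
]

# Constructed intercepts: free-mail, IM nicknames and a workstation the domain knows nothing about.
INTERCEPTS: List[Intercept] = [
    Intercept("smtp", "WS-017", datetime(2015, 12, 1, 10, 12), "i.ivanov1980@mail.ru"),
    Intercept("icq", "WS-017", datetime(2015, 12, 1, 14, 20), "555123456"),
    Intercept("jabber", "WS-042", datetime(2015, 12, 1, 16, 0), "shadow@jabber.example"),
    Intercept("smtp", "WS-017", datetime(2015, 12, 1, 12, 35), "i.ivanov1980@mail.ru"),  # between sessions
    Intercept("smtp", "WS-099", datetime(2015, 12, 1, 11, 0), "nobody@gmail.com"),       # unknown host
]


def attribute(msg: Intercept, sessions: List[LogonSession]) -> Optional[str]:
    """Return the domain account whose session on msg.workstation covers msg.captured_at.

    If several sessions overlap (shared workstation, missing logoff event), the most
    recently started one wins. None means the message cannot be attributed and should
    be queued for manual review rather than silently assigned to somebody.
    """
    candidates = [
        s for s in sessions
        if s.workstation == msg.workstation
        and s.start <= msg.captured_at
        and (s.end is None or msg.captured_at <= s.end)
    ]
    if not candidates:
        return None
    return max(candidates, key=lambda s: s.start).domain_user


def attribute_all(msgs: List[Intercept], sessions: List[LogonSession]) -> List[Tuple[str, str, Optional[str]]]:
    """(channel, wire sender, domain user or None) for every intercept."""
    return [(m.channel, m.sender, attribute(m, sessions)) for m in msgs]


def aliases(msgs: List[Intercept], sessions: List[LogonSession]) -> Dict[str, Set[str]]:
    """Map each domain account to every external address or nickname it has been seen using.

    This is what survives a user switching to a free mailbox or a new nickname:
    the alias set grows, but the attribution stays on the domain account.
    """
    seen: Dict[str, Set[str]] = {}
    for m in msgs:
        user = attribute(m, sessions)
        if user is not None:
            seen.setdefault(user, set()).add(m.sender)
    return seen


if __name__ == "__main__":
    for channel, sender, user in attribute_all(INTERCEPTS, SESSIONS):
        print(f"{channel:7s} {sender:28s} -> {user or 'UNATTRIBUTED'}")
    print(aliases(INTERCEPTS, SESSIONS))
```

The two unattributed intercepts are the important cases: a message captured in the gap between two sessions on a shared workstation, and a message from a host the domain has never seen. An attribution engine that quietly picks the nearest session in those cases will put the wrong name on an incident, so they are returned as None for manual review instead.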

Page 9

Components of SearchInform Information Security Perimeter

Laptops Control

A laptop is not only a popular way of getting work done in the office, at home and on business trips, but also a serious problem for information security officers.

Once outside the employer-controlled network, insiders may transfer confidential data to third parties. SearchInform EndpointSniffer can control this: it captures all data sent by users and passes it to information security officers as soon as their laptops reconnect to the network.

The EndpointSniffer agent carefully conceals its presence and cannot easily be discovered, even by an experienced engineer.

Page 10

Tricks Recognition

Very often insiders trying to deceive information security officers send confidential data as image files or in encrypted archives.

Full-scale DLP control is achieved through the following:

• optical character recognition of any image file, with full-text search over the recognized text
• interception of encrypted files on all data communication channels
• detection of files whose extension has been changed
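How the last two tricks are actually recognized, as an added example that is not SearchInform code: the file's real type is read from its leading bytes (magic numbers) rather than from the extension, and a ZIP archive is flagged as encrypted when any of its local file headers has the encryption bit set. The sample files are constructed in memory and labelled as such; the signature table and the extension mapping are ordinary public format facts, not anything taken from the product.

```python
"""Recognize two common insider tricks: a changed file extension and an encrypted archive.

Added example, not SearchInform code. It checks a file's real type from its leading
bytes (magic numbers) instead of trusting the extension, flags ZIP archives that
contain password-protected entries by reading the general-purpose flag bits in each
local file header, and marks images for OCR. The sample files are constructed in
memory; real files would come off the intercepted channel.
"""
import struct
from typing import List, Optional

# Leading bytes of common container and image formats.
MAGICS = {
    b"\x89PNG\r\n\x1a\n": "png",
    b"\xff\xd8\xff": "jpeg",
    b"%PDF-": "pdf",
    b"PK\x03\x04": "zip",
    b"Rar!\x1a\x07": "rar",
    b"\x1f\x8b": "gzip",
}

# Which container family each extension legitimately maps to. Office Open XML
# files (.docx, .xlsx, .pptx) really are ZIP archives, so they must not be
# reported as "ZIP disguised as a document".
EXT_FAMILY = {
    "png": "png", "jpg": "jpeg", "jpeg": "jpeg", "pdf": "pdf",
    "zip": "zip", "docx": "zip", "xlsx": "zip", "pptx": "zip", "jar": "zip",
    "rar": "rar", "gz": "gzip", "tgz": "gzip",
}

ZIP_LOCAL_HEADER = b"PK\x03\x04"
ZIP_FLAG_ENCRYPTED = 0x0001     # bit 0 of the general-purpose bit flag


def sniff(data: bytes) -> Optional[str]:
    """Return the container family implied by the file's leading bytes, or None if unknown."""
    for magic, family in MAGICS.items():
        if data.startswith(magic):
            return family
    return None


def zip_has_encrypted_entry(data: bytes) -> bool:
    """True if any local file header in the archive has the encryption flag set.

    Every ZIP entry starts with a 30-byte local header: signature (4), version (2),
    general-purpose flags (2), ... Only the flags at offset 6 are needed here.
    """
    pos = data.find(ZIP_LOCAL_HEADER)
    while pos >= 0 and pos + 8 <= len(data):
        flags = struct.unpack_from("<H", data, pos + 6)[0]
        if flags & ZIP_FLAG_ENCRYPTED:
            return True
        pos = data.find(ZIP_LOCAL_HEADER, pos + 4)
    return False


def inspect(filename: str, data: bytes) -> List[str]:
    """Return the list of findings for one intercepted file (empty list: nothing suspicious)."""
    ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    actual = sniff(data)
    findings: List[str] = []
    if actual is not None and EXT_FAMILY.get(ext) != actual:
        findings.append(f"extension mismatch: .{ext} but content is {actual}")
    if actual == "zip" and zip_has_encrypted_entry(data):
        findings.append("encrypted zip entry")
    if actual in ("png", "jpeg"):
        findings.append("image: route to OCR before full-text indexing")
    return findings


def _zip_entry(name: bytes, flags: int) -> bytes:
    """Build a minimal (stored, empty) ZIP local header for the constructed samples."""
    header = struct.pack("<4sHHHHHIIIHH", ZIP_LOCAL_HEADER, 20, flags, 0, 0, 0, 0, 0, 0, len(name), 0)
    return header + name


# Constructed samples: (filename as sent, bytes as sent).
SAMPLES = [
    ("quarterly_report.jpg", _zip_entry(b"clients.xlsx", 0)),            # ZIP renamed to .jpg
    ("backup.zip", _zip_entry(b"readme.txt", 0) + _zip_entry(b"db.sql", ZIP_FLAG_ENCRYPTED)),
    ("contract.docx", _zip_entry(b"[Content_Types].xml", 0)),             # legitimate OOXML
    ("scan.png", b"\x89PNG\r\n\x1a\n" + b"\x00" * 16),
    ("notes.txt", b"plain text, no magic"),
    ("holiday.jpg", _zip_entry(b"secret.doc", ZIP_FLAG_ENCRYPTED)),       # both tricks at once
]


def inspect_samples() -> dict:
    return {name: inspect(name, data) for name, data in SAMPLES}


if __name__ == "__main__":
    for name, findings in inspect_samples().items():
        print(f"{name:22s} {findings or 'ok'}")
```

Two details matter in practice. A file whose leading bytes match no known signature is not reported as a mismatch, because an unknown type is not evidence of renaming; and the encryption check walks every local header, since an archive can mix plain and password-protected entries and only the second kind is worth an alert.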

Page 11

Data-Leak Incidents and Preventive Measures

It is crucial to be aware of employees' relationships with their colleagues, to identify opinion-shapers, and to control employees' ties with former colleagues.

Page 12

IT or IS?

SearchInform's experience shows that drawing a clear line between the Information Technology (IT) and Information Security (IS) departments is the best way to tune information security in a company: each department has its own goals.

Employing a qualified information security officer is the best possible solution.

Page 13

Three Pillars of Information Security

Preventing Data Leaks

A DLP system should not only detect data leaks but also prevent incidents at the stage when a potential insider has only just begun to voice his or her displeasure.

Tracking Employee Moods

A DLP system can be used to track employee moods by monitoring Internet messenger and social network traffic (Skype, ICQ, Facebook, etc.).

Work Optimization

A DLP system helps keep management aware of employees' attitude to innovations in the company, so the company's internal politics can be controlled effectively.

Page 14

Data Access Permissions

Every component of the company's information security perimeter obeys a single access-rights differentiation system. It allows flexible configuration: the rights to access intercepted documents can be tuned any way you want.

Page 15

System Architecture

All system components have a client-server structure. The server side is one of the data interception platforms, SearchInform NetworkSniffer or SearchInform EndpointSniffer; the client side consists of applications designed to access the database and carry out internal investigations.

A single search analytical base allows all of the above-mentioned search technologies to be used in full.

SearchInform NetworkSniffer intercepts data from a mirror (SPAN) port on a switch, i.e. it processes a copy of the traffic without interfering with the company's network.

All information sent over data channels and protocols such as SMTP, POP3, IMAP, HTTP, HTTPS, MAPI, ICQ, JABBER and MSN is captured at the LAN level. The NetworkSniffer platform incorporates the following products:

Page 16

System Architecture

The SearchInform EndpointSniffer platform uses agents to intercept traffic.

It provides additional control over employees outside the company's LAN, who might otherwise freely transfer confidential data stored on laptops to third parties.

SearchInform EndpointSniffer collects all data sent by users and passes it to information security officers for analysis as soon as the laptops reconnect to the LAN. Its major advantage is increased fault tolerance: interception continues even when the servers are unavailable. Data transmitted over secure communication protocols is captured as well.

SearchInform EndpointSniffer agents:

Page 17

Components of SearchInform Information Security Perimeter

Intercepting Internet Traffic

SearchInform NetworkSniffer intercepts sensitive data transferred over the Internet. All common protocols an insider might use are supported. It also integrates with proxy servers, both software (Kerio, Squid, etc.) and hardware (BlueCoat, IronPort, etc.), through ICAP.

E-mail: E-mail is one of the most dangerous data leak channels, as it allows large volumes of data to be sent. The following protocols are supported: SMTP, POP3, MAPI, IMAP.

HTTP: Insiders can post sensitive information to forums, blogs, social networks and chats, or use web services to send e-mail or SMS messages.

FTP: FTP allows large volumes of data to be sent and may be used by insiders to transmit entire databases, drawings, scanned documents, etc.
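What the ICAP integration looks like from the proxy side, as an added configuration example that is not from the slides or from SearchInform's documentation. The fragment is for Squid; the DLP ICAP endpoint 10.0.0.5:1344, the service paths /reqmod and /respmod, and the client network 10.0.0.0/8 are assumptions to be replaced with the values the DLP vendor's ICAP server actually exposes.

```conf
# squid.conf fragment (added example; the DLP ICAP endpoint 10.0.0.5:1344 is assumed)
icap_enable on

# REQMOD sees outbound data: form posts, webmail sends, file uploads. For leak
# prevention this is the vectoring point that matters.
icap_service dlp_req reqmod_precache bypass=off icap://10.0.0.5:1344/reqmod
# RESPMOD sees what comes back (downloads), i.e. sensitive data arriving on a workstation.
icap_service dlp_resp respmod_precache bypass=off icap://10.0.0.5:1344/respmod

# bypass=off makes the proxy fail closed: if the DLP server is down, clients get an
# error instead of traffic silently passing uninspected. Use bypass=on only where
# availability is deliberately preferred over inspection.

# Let the DLP service preview the first KB so it can release large transfers it
# is not interested in without receiving the whole body.
icap_preview_enable on
icap_preview_size 1024

acl localnet src 10.0.0.0/8
adaptation_access dlp_req allow localnet
adaptation_access dlp_resp allow localnet
```

One caveat the slide does not spell out: ICAP only sees what the proxy can parse. HTTPS reaches the DLP service this way only if the proxy terminates TLS (Squid's ssl_bump); a plain CONNECT tunnel carries opaque bytes, and a mirror port sees even less, so the HTTPS coverage claimed for LAN-level capture depends on one of those two mechanisms being in place.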

Page 18

Components of SearchInform Information Security Perimeter

Skype: SkypeSniffer is the first DLP solution to intercept files, text and voice messages sent with Skype.

PrintSniffer: PrintSniffer intercepts every printed document, indexes it and saves it to a database. It helps prevent data leaks and shows whether a printer is used as intended, avoiding excessive consumption of paper and other consumables such as toner.

Instant Messengers (IM): NetworkSniffer supports ICQ, MSN, Mail.ru Agent and JABBER.

Page 19

Components of SearchInform Information Security Perimeter

DeviceSniffer intercepts files copied to removable media (flash drives, CD/DVD and portable hard disks). It prevents leaks of the large data volumes that can be copied to such devices.

MonitorSniffer takes screenshots and saves them to a database. It can also watch the monitors of one or several users in real time and monitor users working over RDP (Remote Desktop Protocol).

Page 20

Components of SearchInform Information Security Perimeter

Workstation indexing is the best way to monitor whether sensitive data has appeared on, been deleted from, or been copied to user computers. Controlling every user PC in the company helps discover employees with malicious intent.

FileSniffer controls users working with shared network resources, protecting the large volumes of data that should not reach third parties and that dishonest employees might use for their own purposes.

Page 21

Data-Leak Incidents and Preventive Measures

Thesaurus

Together with one of the city councils, SearchInform Ltd. has worked out an anticorruption thesaurus of words related to bribery.

If specific words (money, cash, franklins, etc.) are found, information security officers are notified immediately.

Page 22

Data-Leak Incidents and Preventive Measures

Printer

A company producing large volumes of grocery products found a significant discrepancy between the products it shipped and the products stored at the retailer's warehouse.

SearchInform PrintSniffer made it possible to trace the illegal output of unrecorded goods organized by a group of employees: selling those goods was made possible by printing duplicate invoices.

Page 23

Data-Leak Incidents and Preventive Measures

Monitoring ICQ and User Workstations

ICQ monitoring turned up some rather unflattering "poetry" about the company's management. Some of the lines had already been posted on the Internet, which could have dealt a hard blow to the company's reputation.

The "poets" were found through analysis of ICQ messages by IMSniffer. Once the first message had been traced, the workstations of several employees were checked, and the poetry files were found there.

Page 24

Data-Leak Incidents and Preventive Measures

Cusswords and Offensive Epithets

Curse words combined with the names of top managers give food for thought.

Page 25

Data-Leak Incidents and Preventive Measures

Any company has sensitive data to protect.

It is crucial to monitor documents containing:

• names of employees;
• names of business partners;
• information on products under development.

Page 26

Data-Leak Incidents and Preventive Measures

SearchInform's experience shows that the following employees should be included in the risk group:

1. Employees who have breached the company's security policies at least once;
2. Employees who use various tricks (changed file extensions, password-protected archives, etc.);
3. Disloyal employees (negative comments about the company's top management, etc.);
4. Employees who have started neglecting their work for some reason;
5. Employees whose work is closely related to cash flows, and some mid-level managers.

Page 27

Data-Leak Incidents and Preventive Measures

Common Practice

• Monitoring communication with dismissed employees;
• Monitoring so-called opinion-shapers and bursts of activity;
• Monitoring the activity of 1-2% of the staff for the previous month.

Page 28

Advantages of SearchInform Information Security Perimeter

1. Easy to integrate. Installing the SearchInform Perimeter components takes only a few hours, and the company's existing information systems are not affected during integration.

2. End-to-end solution. It lets you control all data transfer channels, including Skype, social networks, printers and user activity on file servers.

3. Similar-content search. The similar-content search technology lets you tune the analytical subsystem easily, without assistance from outside the company.

4. Windows Domain Structure Integration allows accurate user identification.

5. Extended search capabilities allow efficient data protection while employing fewer information security officers for traffic analysis (one officer is enough to monitor 1000-1500 workstations).

Page 29

Control your information!