SearchInform Information Security Perimeter. Contents 1. SENSITIVE DATA PROTECTION: SEARCHINFORM INFORMATION SECURITY PERIMETER...

Transcription

1 1 SearchInform Contents 1. SENSITIVE DATA PROTECTION: SEARCHINFORM INFORMATION SECURITY PERIMETER Control of Data Leak Channels System Components SearchInform NetworkSniffer SearchInform EndpointSniffer Workstations Indexing Server NetworkSniffer and EndpointSniffer: Advantages of Both Platforms SearchInform AlertCenter Analytical Module User Identification Insiders Tricks Recognition Control of Laptops outside the Corporate LAN MEANS OF DATA FLOWS CONTROL... 10

2 System Architecture SearchInform MailSniffer SearchInform IMSniffer SearchInform HTTPSniffer SearchInform SkypeSniffer SearchInform DeviceSniffer SearchInform FTPSniffer SearchInform PrintSniffer SearchInform MonitorSniffer SearchInform FileSniffer and Workstations Indexing Laptops Control SEARCHINFORM SOLUTIONS ADVANTAGES OUR CLIENTS CONTACT DETAILS... 16

3 3 1. Sensitive Data Protection: SearchInform 1.1. Control of Data Leak Channels Today, information is one of the critical assets for success and prosperity of your business. On average, a data leak costs around 2.7M USD to the information owner. SearchInform Information Security Perimeter allows you to efficiently protect your business against losses incurred by data leaks. What are the major data leak channels? There are several data transfer links: , social networks (Facebook, Twitter, etc.), Internet message boards, web blogs, instant messengers (ICQ, MSN, Jabber, etc.), removable media, printers and Skype. Monitoring Skype messages is a vital issue nowadays. If you do not control the above-mentioned channels or control only 1-2 data transmission links, your company s sensitive information may be easily transmitted to the rival companies. State-of-the-art information security system should allow employees to use all data communication channels, and at the same time intercept and analyze data flows transmitted via these channels. Integrated approach to information security is impossible even if only one potential data leak channel is not controlled System Components SearchInform is the leading information security provider in Russia and other countries abroad. It is used in many large companies working in almost any sector from banking to engineering. This software solution allows efficient control of data links at all levels from every single user's workstation to LAN servers. All information transmitted over the Internet is also controlled. SearchInform has a multi-component architecture, i.e. a customer can select only the modules he actually needs. There are two major system platforms: Network- Sniffer and EndpointSniffer. NetworkSniffer intercepts data on a protocol level using a trafficmirroring device. SearchInform EndpointSniffer uses agents installed on user workstations.

4 SearchInform NetworkSniffer SearchInform NetworkSniffer is a traffic mirroring platform, i.e. it processes data not interfering with the existing network processes. It supports the following protocols and data transmission channels (SMTP, POP3, IMAP, HTTP, HTTPs, MAPI, ICQ, JABBER, and MSN) on the LAN level. This platform incorporates the following components: - SearchInform MailSniffer (intercepts all inbound and outbound messages); - SearchInform IMSniffer (allows monitoring text messages and files transferred via Internet messengers (ICQ, QIP, MSN, JABBER, etc.) and popular social networks); - SearchInform HTTPSniffer (monitors information sent to Internet message boards, web blogs, and other web-services). NetworkSniffer Layout Diagram Механизм работы NetworkSniffer Network traffic is captured on a protocol level (Mail, IM, and HTTP). Information can be filtered by domain user names, IP and MAC addresses. All intercepted messages are saved in a SQL data base. All intercepted data are indexed by SoftInform Search Server. Index is a special structure needed for a quick search in the database. SearchInform AlertCenter checks if new information matches a preset search query. Check schedules and query lists are set up by information security officers. If a match is found SearchInform AlertCenter will immediately send a notification to the person in charge SearchInform EndpointSniffer SearchInform EndpointSniffer is a platform for intercepting traffic via agents. It provides additional control of employees outside company s LAN as they may freely transfer confidential data stored on laptops to third parties. SearchInform EndpointSniffer collects all data sent by users and

5 5 transfers them to information security officers for analysis as soon as their laptops are connected to LAN again. EndpointSniffer agents allow intercepting: - SearchInform MailSniffer: all inbound and outbound messages; - SearchInform IMSniffer: instant messages (ICQ, QIP, MSN, and JABBER) and chats in social networks; - SearchInform SkypeSniffer: text and voice messages sent via Skype; - SearchInform DeviceSniffer: data recorded to removable media (USB, CD/DVD); - SearchInform FTPSniffer: information transferred via FTP protocol; - SearchInform PrintSniffer: printed documents data. It also allows controlling and tracking: - SearchInform FileSniffer: actions on files stored in shared network folders and servers. - SearchInform MonitorSniffer: information displayed on user monitors. EndpointSniffer Layout Diagram SearchInform EndpointSniffer agents allow shadow copying printed documents, Skype messages, data recorded to removable media, transmitted via FTP protocol and displayed on user monitors. Agents also track actions on files and send the received data to SearchInform EndpointSniffer Server. The server stores all intercepted data controlled by Database Management System (DBMS). Microsoft SQL Server Workstations Indexing Server Workstations indexing server allows real-time tracking of sensitive information on user work stations, public network resources and other places where it does not belong NetworkSniffer and EndpointSniffer: Advantages of Both Platforms Simultaneous use of both platforms, SearchInform NetworkSniffer and SearchInform EndpointSniffer, is advisable in order to achieve comprehensive data control. If an agent intercepts some suspicious messages a mirror device fails to, then perhaps encryption of traffic is a regular practice in your company used for transmission of sensitive data to third parties. If an agent does not intercept the data a mirror switch does, it becomes obvious your employee somehow managed to deactivate it, which requires immediate investigation.

6 SearchInform AlertCenter AlertCenter is a brain center of all information security system. It queries all data intercepted by information security perimeter against a user-managed query list. If certain key words, phrases or text extracts of the database match a search query, AlertCenter will immediately notify information security officers about it. AlertCenter uses separate policies or alert groups to discover sensitive data in messages, ICQ, Skype voice and text sessions, posts on forums and in blogs, removable media (USB or CD/DVD), and printed documents. The following search functionality is provided to discover sensitive information in captured documents: Search by key words and phrases with morphology, synonym and distance between words analysis; Similar-content search uses an entire text or text extract as a query; Digital fingerprints search enables comparison of all intercepted documents with the original ones; Search by messages and files attributes: date, file size, document type, domain user, e- mail addresses and other file attributes; Search of password protected documents; Complex queries can include two or more simple search queries combined with logical operators; Search by regular expressions allows finding documents based on character patterns rather than exact values (character sequence and type); Using synonymic rows; Optical character recognition; Searching files with changed extension.

7 7 SearchInform ReportCenter SearchInform ReportCenter generates reports providing statistics on incidents and user activities related to the violation of company s security policies. Various types of reports generated by this application give an idea of how employees use their work time and if they comply with the company s security policies: Top 10 employees having the biggest amount of intercepted files and messages; Top 10 employees having the biggest amount of incidents. It also shows statistics on the activities of employees included in the so-called risk group. When investigating an incident you can easily track user contacts within and outside the company via different data communication channels, as the application supports schematic representation of employees social circles. Each report may be generated based on a particular data transfer protocol or based on all protocols simultaneously, which allows a fast data analysis. SearchInform DataCenter DataCenter controls all the indexes created by components. SearchInform DataCenter allows splitting indexes to speed up access to data. It also enables setting the rules for creating new indexes in a particular time period, which simplifies data tracking. SearchInform DataCenter monitors the status of all SearchInform Information Security Perimeter components and sends a warning message in case a failure occurs.

8 Analytical Module The most important part of any information security system is the analytical module. The combined use of multiple search types allows achieving high efficiency in confidential data protection, as well as employing less information security officers to analyze data. All information security products we develop implement the following content analysis modes: 1. Search by words with morphology and synonym analysis. This basic search mode allows finding documents with queried words and phrases in any word form and located anywhere in the document. 2. Search by phrases with locked word order and limited distance between words. This search engine allows analysis of documents using phrases (e.g. "first name - last name") or fixed definitions as a search query and not just separate words. 3. Regular expressions search. This search technology allows you to trace all character or word sequences characteristic say for personal data, financial documents or structured records from the databases. For example, the system will alert you if someone in your network sends a personal record including data like name, birth date, credit card numbers, phone numbers, etc. 4. Digital fingerprints search. This search mode allows you to identify a group of confidential documents and lift digital fingerprints used for subsequent data search. This feature enables you to scan information flows and quickly identify documents containing portions of text from original group of confidential documents. The main advantage of this search type is high running speed. However this search type has two main shortages: it may not work, if the document was substantially modified, and you need to create more fingerprints when new confidential documents are drawn. 5. Proprietary similar-content search algorithm. Features provided by this search mode allow tracing sensitive documents even if they were heavily edited before the dispatch. You can use text fragments or entire documents as queries. The search will return either identical documents or documents similar in content or meaning. This search engine allows spending less time on data analysis thus cutting efforts needed to implement your existing information security policies. 6. Complex queries. Complex queries can include two or more simple search queries combined with logical operators (AND, OR, AND NOT). They are used to resolve irregular search tasks and intercept the right data.

9 User Identification Integration with Windows domain structure enables accurate identification of a user who sent a message via one of the following communication channels: , Skype (see an example of Skype users identification), ICQ, MSN, JABBER, Internet message boards or web blogs, even if he/she used a free box, another nickname or another computer to enter the network Insiders Tricks Recognition Integration of SkypeSniffer with Windows domain structure allows you to easily identify any user if he/she uses a nickname. If a user fails to comply with the company s information security policies, suspects can be easily revealed using the module data. Very often insiders trying to deceive information security officers convert word files to graphic ones, or even encrypt sensitive data. SearchInform allows comprehensive control of all data communication channels: Optical character recognition of any image file and its full-text search; Intercepting encrypted files via all data communication channels; Detecting files with changed extension (e.g. word files converted to graphic ones).

10 Control of Laptops Disconnected from Corporate LAN In the modern constantly changing world of business employees often take their laptops home or on a business trip. Insiders may take advantage of such practice and transfer confidential data to untrustworthy parties. That is why comprehensive control of laptops is a critical issue. Right after such laptops a connected to corporate network again all information sent by users is shadow copied and transmitted to information security officers for analysis. Control of the following data channels is supported: , instant messengers, FTP, Skype, and printed documents. 2. Means of Data Flows Control 2.1. System Architecture All system components have a client-server architecture. Server side is one of the data interception platforms - SearchInform NetworkSniffer or SearchInform EndpointSniffer plus client applications developed to work with the database and make internal investigations. A single search analytical base allows using all of the above-mentioned search modes in full (see. 1.3.) SearchInform MailSniffer SearchInform MailSniffer intercepts traffic on a protocol level, indexes all intercepted messages and provides search in them. It allows tracking leaks of sensitive data. Information security is achieved through control of the following protocols and data communication channels: SMTP (outbound s via a mail client); POP3 (inbound s via a mail client); IMAP (inbound and outbound s via a mail client); HTTPs (inbound and outbound s via a web-browser); MAPI (outbound s); Microsoft Exchange Server, Lotus Domino, etc. (through integration); MS TMG/ISA and other proxy servers (through ICAP integration).

11 11 The contents of all intercepted messages (including attached files) is indexed and stored in the database. Thus a unique database of company s is created. If a mail server fails (which is undoubtedly a misfortune involving great time and financial expenditures), all data captured by MailSniffer will be a unique backup copy. SearchInform MailSniffer client is used to check suspicious documents. It allows viewing history and track user activities during a particular time period SearchInform IMSniffer SearchInform IMSniffer intercepts messages transferred by popular IM clients. The software intercepts data and saves them in a SQL database you can search in afterwards using SearchInform search features (morphology, similar-content search, etc.).you may use specific filters defining which data should be monitored, e.g. correspondence of two employees at a specified time interval. Control over the staff's instant messages will enable you not only to trace possible sensitive data leaks, but also to check how your staff communicates with partners and uses their working hours.

12 SearchInform HTTPSniffer SearchInform HTTPSniffer is developed to intercept messages sent via НТТР protocol, index them and make a full-text search. This unit allows tracking messages sent to Internet message boards, web blogs, chat forums, webmail services or via IM clients. SearchInform HTTPSniffer can also monitor employee activities at work SearchInform SkypeSniffer SearchInform SkypeSniffer is used to intercept and analyze Skype traffic, i.e. interception of voice and text chats, SMS messages, and files transferred via Skype. Having a reputation of being the most reliable VoIP service, Skype is often used by insiders to transfer sensitive information outside the company. Trying to protect their companies from possible data leaks, some employers just disable this data transfer channel, which creates additional obstacles for business communication. SearchInform SkypeSniffer offers control without disabling it SearchInform DeviceSniffer SearchInform DeviceSniffer intercepts data copied to USB devices or recorded to CD/DVD. All intercepted data are indexed and become available for a full-text search and analysis. This software solution controls any data leaks via removable media SearchInform FTPSniffer SearchInform FTPSniffer monitors all inbound and outbound FTP traffic on workstations level. All uploaded and downloaded files are intercepted, saved and indexed in the database. Thus all files become available for a full-text search and analysis. SearchInform FTPSniffer supports FTP and FTPS SearchInform PrintSniffer SearchInform PrintSniffer is used to monitor local and network printers detecting sensitive information in printed documents. PrintSniffer shadow-copies all texts and images sent to printing and saves them in a SQL database for further review and analysis. This solution offers a history feature which allows viewing an employee who printed a particular document, the date when the document was printed, and the amount of copies he/she made. Analysis of printed documents can help you to prevent data leaks and find out if the printers are used as intended.

13 SearchInform MonitorSniffer SearchInform MonitorSniffer is developed to intercept information displayed on user monitors. This software solution captures screenshots at regular intervals and saves them to a database managed by Microsoft SQL Server. MonitorSniffer allows real-time viewing of one or several computer screens simultaneously. Screenshots are made unnoticed to the user SearchInform FileSniffer and Workstations Indexing SearchInform FileSniffer controls actions on files stored in shared network folders and servers. FileSniffer application records any actions via workstation and file server agents (opening, copying, changing file extension, etc.). Workstation indexing allows tracking appearance of sensitive information on user workstations where it does not belong. Combined use of SearchInform FileSniffer and Workstations Indexing allows: 1) Monitoring shared network resources and user workstations; 2) Controlling operations with sensitive data stored in shared network resources and user workstations; workstations of employees included in the so-called risk group (e.g. an employee who converted a text file to an image file format) by means of SearchInform FileSniffer. Laptops Control Today SearchInform EndpointSniffer is the only solution monitoring user activities outside the office being at home or on a business trip. It stores all data sent by users and transfers them to information security officers right after the laptops are connected to corporate LAN again. This software solution supports data sent via (IMAP/MAPI; SMTP/POP3 encryption), instant messengers (ICQ, Jabber, and MSN Messenger), FTP, Skype, and printed documents. EndpointSniffer agents carefully conceal their presence and they cannot be easily discovered even by an experienced engineer.

14 14 3. SearchInform Solution Advantages SearchInform can operate in large corporate environments and has the following advantages: Easy to integrate. To install SearchInform Perimeter components, you only need several hours. In most cases, you will not need to draw outside engineers. It means you will not need to show your corporate internal documents to the supplier's engineers or other specialists. Integration on top of the existing network structure. Integration of the system does not affect the way existing information systems works. End-to-end solution. It enables you to control every supported data transfer channel, while the multi-component architecture allows you to select only the modules you actually need. The only solution able to monitor communication on Skype Full integration with Windows Domain Structure. Similar-content search feature. The similar-content search technology will allow you to easily tune the analytical subsystem so you will not need any assistance from outside of your company. At the same time, you will not need to make a superhuman effort to tune the way the software will analyze intercepted documents. Laptops control. SearchInform EndpointSniffer is the only solution monitoring user activity working outside the office being at home or on a business trip. Data access authentication. You can tune the rights to access intercepted documents. Control over documents stored on user workstations and in shared folders. Workstation-indexing helps you find sensitive information where it doesn't belong. User activity reports. When you have a confirmed incident, you can easily check the userin-question's activities in every available search client. Backup of intercepted documents. It allows tracking the sequence of events in the past. Transparent pricing policy for the software and integration services. Free trial version. We provide cost-free installation of the 30-day full-featured trial version.

15 15 Our Clients SearchInform is used in more than 600 companies in Russia, Ukraine, Belarus, Kazakhstan and Latvia. Only some of our customers are shown below.

16 16 Contact Details Head Office (Moscow, Russia) Address: Potapovski per. d.5, k.1, office 114, Moscow, Russia Head of the office: Dmitriy Riabtsev Phones: +7 (495) (carrier line) +7 (495) , +7 (499) General inquiries - info@searchinform.ru Press and mass-media n.samusenko@searchinform.ru Novosibirsk Office Address: Ul. Vladimirovskaya 2/1, office 204, Novosibirsk Head of the office: Sergey Ananich Phone: +7 (383) s.ananich@searchinform.ru Yekaterinburg Office Address: Ul. Volgogradskaya 193, office 708 Head of the office: Dmitriy Stelchenko Phones: +7 (343) , +7 (343) d.stelchenko@searchinform.ru Samara Office Head of the office: Vladimir Velich Phones: , v.velich@searchinform.ru Representative Office in Belarus Head of the office: Aleksandr Baranovskiy Telephone: ab@searchinform.ru Representative Office in Ukraine Address: Ul. Artema 14/ 72, Kiev Head of the office: Nikolay Lutskevich Phones: , lutskevich@searchinform.ru Partner Relationship Department Head of the department: Galina Sytnik Phone: +7 (495) g.sytnik@searchinform.ru