SearchInform Information Security Perimeter

Practical Aspects
of DLP System Deployment
Customer Support Center
Customer support center helps companies ready to
deploy our product tune information security based on the
experience of tackling similar challenges (names of our
clients working in similar fields are kept a secret).
Customer Support Center gives tips on:
• Tuning alerts;
• Protecting sensitive data;
• Differentiating user rights, etc.
Working with Colleges
Quite often college graduates do not
meet employers’ expectations as they
do not have any practical experience
in the information security sphere.
SearchInform is the only Russian
developer of information security
solutions involved in the program of
training graduates.
We provide a free product version to all colleges interested in training
experts able to work with a real product.
Information Security Should
Promote Business, not Hinder It.
All Data Channels Should Be Open
Very often employees are not allowed to use the most
efficient and popular communication channels for the
sake of data loss prevention.
E.g. employees may only use corporate e-mail, while
ICQ and Skype are banned, despite the fact that they
are more efficient ways to communicate.
A state-of-the-art DLP system allows all data channels
to be used while intercepting and analyzing the data
flows transmitted via these channels.
Information Security System
Should Control All Data Channels
“The Wizard of Oz” featured a big scary
wolf protecting the gate of the country from
intruders. Nobody could cross the border.
However the rest of the border was just
The same could be said about information security: if copying data to removable
media (USB-devices or CD/DVD drives) is forbidden, confidential data will be
sent by e-mail or instant messengers.
Many employees think it is impossible to intercept data sent via Skype. Being at
work they feel free to use Skype rather than any other Internet messenger. That
is why files, text and voice messages sent via Skype should be controlled by all
An integrated approach to information security is impossible if at least
one potential data leak channel is left uncontrolled.
One man doesn’t make a team?
Intercepted information is useless until it is
analyzed. Reading all captured data is a rather
irrational way of analyzing information. A
security officer can only handle 20-50
employees if the traditional approach is used. And
what if there are a couple of hundred or even
thousands of them?
SearchInform Information Security Perimeter offers automatic data
analysis and alert response (various search engines are used).
This way one security officer can control 1000-1500 employees.
Windows Domain Structure Integration
Integration with Windows
domain structure enables
accurate identification of a
user sending messages via
communication channels: email, Skype, ICQ, MSN,
JABBER, forums or web
blogs, even if he/she used
a free e-mail box, another
nickname or computer to
enter the network.
Components of SearchInform
Information Security Perimeter
Laptop Control
A laptop is not only a popular means of
getting the work done in the office, at
home, and during business trips, but
also a serious challenge for information
security officers.
Being out of the employer-controlled network, insiders may transfer
confidential data to third parties. SearchInform EndpointSniffer can control
it. It captures all data sent by users and transfers them to information
security officers right after their laptops are connected to network again.
The EndpointSniffer agent carefully conceals its presence. It cannot be easily
discovered even by an experienced engineer.
Tricks Recognition
Very often insiders trying to
officers send confidential data in
image file formats or encrypted
DLP’s full-scale control is achieved through the
• Optical character recognition of any image file and full-text search over it
• Intercepting encrypted files via all data communication
• Detecting files with changed extensions
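Two of the tricks listed above, changed file extensions and password-protected archives (both also named in the risk-group list later on this page), can be caught by inspecting the intercepted bytes rather than trusting the file name. The following Python example is added here and is not SearchInform code; the magic-number table is a small subset chosen for the demo, and the sample archive is constructed inline with its encryption flag set by hand to simulate a password-protected entry.

```python
import io
import struct
import zipfile

# Leading bytes of a few common containers (assumption: small subset for the demo).
MAGIC = {b"%PDF-": "pdf", b"\x89PNG\r\n\x1a\n": "png",
         b"\xff\xd8\xff": "jpg", b"PK\x03\x04": "zip"}
ZIP_FAMILY = {"zip", "docx", "xlsx", "pptx", "jar"}  # legitimate ZIP-based extensions


def detect_format(data: bytes) -> "str | None":
    """Identify the real container from its magic bytes, or None if unknown."""
    return next((fmt for sig, fmt in MAGIC.items() if data.startswith(sig)), None)


def extension_mismatch(name: str, data: bytes) -> bool:
    """True when the claimed extension disagrees with the detected container."""
    ext = name.rsplit(".", 1)[-1].lower() if "." in name else ""
    real = detect_format(data)
    if real is None:
        return False  # unknown content: nothing to compare against
    return ext not in ZIP_FAMILY if real == "zip" else ext != real


def zip_has_encrypted_entry(data: bytes) -> bool:
    """Walk the ZIP local file headers and report whether any entry has
    general-purpose flag bit 0 (traditional ZIP encryption) set."""
    pos = 0
    while data[pos:pos + 4] == b"PK\x03\x04":
        # version, flags, method, mtime, mdate, crc32, csize, usize, nlen, xlen
        fields = struct.unpack_from("<HHHHHIIIHH", data, pos + 4)
        flags, csize, nlen, xlen = fields[1], fields[6], fields[8], fields[9]
        if flags & 0x1:
            return True
        if flags & 0x8:
            break  # sizes live in a trailing data descriptor; not handled here
        pos += 30 + nlen + xlen + csize
    return False


def make_zip(member: str, payload: bytes, mark_encrypted: bool = False) -> bytes:
    """Constructed sample archive; mark_encrypted sets only the encryption
    flag bit of the first local header to simulate a password-protected entry."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_STORED) as zf:
        zf.writestr(member, payload)
    data = bytearray(buf.getvalue())
    if mark_encrypted:
        data[6] |= 0x01  # low byte of the flags field sits at offset 6
    return bytes(data)
```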
Data-Leak Incidents and
Preventive Measures
It is crucial to be aware
of your employees'
relationships with their
colleagues, reveal
opinion-shapers, and
control employees' ties
with their former
IT or IS?
experience shows drawing
Information Technologies
Security (IS) Departments
is the best possible way to
tune information security in
a company. Each of the
departments has its own
Employing a qualified information security officer would be the best
possible solution.
Three Pillars of Information Security
Preventing Data Leaks
A DLP system should not only detect data leaks but also
prevent incidents at the stage when a potential insider has
just started to express his/her displeasure.
Tracking employee moods
A DLP system can be used to track employee moods by
monitoring Internet messenger and social network traffic (Skype,
ICQ, Facebook, etc.).
Work Optimization
A DLP system helps you stay aware of employees' attitudes to
innovations in the company. Thus internal company politics can be
managed effectively.
Data Access Permissions
Each component of the company's information security perimeter uses
a single access rights differentiation system. It allows
flexible configuration: the rights to access intercepted
documents can be tuned any way you want.
System Architecture
All system components have a client-server structure. The server side is one of
the data interception platforms (SearchInform NetworkSniffer or
SearchInform EndpointSniffer), plus client applications designed to access
the database and carry out internal investigations.
A single search analytical base allows using all of the above-mentioned
search technologies in full.
SearchInform NetworkSniffer intercepts data using a mirror port on a switch, i.e. it processes
a copy of the traffic without interfering with the company's network.
All information sent over data channels and protocols like SMTP, POP3, IMAP, HTTP,
HTTPS, MAPI, ICQ, JABBER, and MSN is captured at the LAN level. The NetworkSniffer
platform incorporates the following products:
SearchInform EndpointSniffer Platform uses agents to intercept
It provides additional control of employees outside the company's LAN, as they may
freely transfer confidential data stored on laptops to third parties.
SearchInform EndpointSniffer collects all data sent by users and transfers it to
information security officers for analysis as soon as laptops are connected to the LAN
again. Its major advantage is increased failure tolerance (interception is ensured
even if servers are not available). Data transmitted over secure communication
protocols is also captured.
SearchInform EndpointSniffer agents:
Components of SearchInform
Information Security Perimeter
Intercepting Internet Traffic
SearchInform NetworkSniffer allows intercepting sensitive data
transferred over the Internet. All common protocols that may be used by
insiders are supported. It also supports proxy servers: software (Kerio,
Squid, etc.) and hardware (BlueCoat, IronPort, etc.) through ICAP.
E-mail is one of the most dangerous data leak channels as it allows
sending large data volumes. The following protocols are supported:
Insiders can send sensitive information to forums, blogs, social
networks, chats, or use web services to send e-mail or SMS messages.
FTP allows sending large data volumes and may be used by insiders to
transmit entire databases, drawings, scanned documents, etc.
SkypeSniffer is the first DLP solution to intercept files, text
and voice messages sent with Skype.
Instant Messengers (IM)
NetworkSniffer supports ICQ, MSN, Agents, and
PrintSniffer intercepts every printed document, indexes it and
saves it to a database. It helps to prevent data leaks and to
check whether a printer is used as intended, thus avoiding excessive
consumption of paper and other consumables, like toner.
DeviceSniffer intercepts files copied to removable media
(flash drives, CD/DVD, and portable hard disks). It prevents
leaks of large data volumes copied to such types of devices.
MonitorSniffer makes screenshots and saves them to a
database. It can also control monitors of one or several users in
real time and monitor users working via RDP (Remote Desktop
FileSniffer controls users working with shared network
resources, protecting the large data volumes stored there that shouldn't be sent
to third parties. Dishonest employees may use them for their
malicious purposes.
Workstation indexing is the best possible way to see whether
sensitive data has appeared on, been deleted from or been copied to user
computers. Controlling every user PC in a company helps to
discover employees with malicious intent.
Data-Leak Incidents and
Preventive Measures
Together with one of the city
councils SearchInform Ltd. has
worked out an anticorruption
thesaurus including words related
to bribery.
If specific words (money, cash, franklins, etc.) are found, information
security officers are immediately notified.
A company producing large
volumes of grocery products found
out a significant difference in the
products shipped and the products
SearchInform PrintSniffer allowed tracking illegal output of
unrecorded items organized by a group of employees.
Selling such products was possible due to printing invoice
Monitoring ICQ and User Workstations
ICQ monitoring helped to find some
not very flattering "poetry" about
the company's management. This could
have been a hard blow to the company's
reputation: some lines had been made
accessible on the Internet.
The "poets" were found thanks to the analysis of ICQ messages by
IMSniffer. After the very first message had been tracked, the workstations of
several employees were checked, and the poetry files were found there.
Cusswords and Offensive Epithets
Curse words + names of top
managers give food for thought.
Any company has sensitive data to protect.
It is crucial to monitor documents containing:
• names of employees;
• names of business partners;
• information on developed products.
SearchInform’s previous experience shows some employees
should be included in the risk group:
1. Employees who have breached the company's security policies at least once;
2. Employees using various tricks (changed file extensions, password
protected archives, etc.);
3. Disloyal employees (negative comments about the company's top
management, etc.);
4. Employees who started ignoring their work for some reason;
5. Employees whose work is closely related to cash flows, and some mid-level managers.
Common Practice
• Monitoring communication with dismissed employees;
• Monitoring so-called opinion shapers and bursts of activity;
• Monitoring activity of 1-2% of staff for the previous month.
Advantages of SearchInform
Information Security Perimeter
1. Easy to integrate. To install SearchInform Perimeter components,
you only need several hours. The company's existing information systems
will not be affected in the process of system integration.
2. End-to-end solution. It enables you to control all data transfer channels,
including Skype, social networks, printers and user activities at file servers.
3. Similar-content search feature. The similar-content search technology
will allow you to easily tune the analytical subsystem so you won't need
assistance from outside your company. Besides, efficient data protection is
achieved through employing fewer information security officers for data
Windows Domain
Extended search possibilities allow efficient data protection while
employing fewer information security officers for traffic analysis
(one officer is enough to monitor 1000-1500 workstations).
Control your information!