New features in the SearchInform solution: investigation management and blocking on the fly

04.06.2021

Back to news

Blocking within the agent

“Blocking” section has appeared in the Endpoint Controller, it brings together blocking rules managing programs for websites, printing, messengers and files. Their peculiarity is that they work within the agent – they don’t depend on a network connection or a server with the installed SearchInform solution. This allows for a continuous control and proactivity – data gets processed quicker, traffic doesn’t overload network infrastructure, as the system doesn’t have to transfer data between an employee’s PC and a server with the SearchInform DLP on it in order to make a decision whether to permit or limit.

Blocking instrument interface in EndpointController

The boundaries for websites and documents sent to print work by content, thus the system will automatically stop downloading information to a web page or printing if it contains sensitive data. In the "Messengers" tab, you can configure the list of applications that can or can’t be used, as well as restrict certain actions - for example, sending attachments. It also became possible to block messages with unwanted content - if an employee decides to send extracts from confidential documents to Slack, the messages simply won’t be received by the addressee.

File blocking features are available when integrating DLP with FileAuditor: this DCAP solution assigns tags to all documents depending on their type and content, and DLP adjusts the “operating instructions” to all files of the selected category by tags. As a result, an information security specialist can restrict user access to files through any program, whether it is a text editor or an email client - unauthorised users will not be able to send an email attachment or even open it to read.

Clipboard blocking settings

Another new thing - there are fine blocking settings for the clipboard now. Restrictions can be set by user, PC, and process. They are configured in the DeviceController and operate by content - information security specialists can specify text, a sequence of characters or regular expressions that will be subject to restrictions. Complex queries are also supported. As a result, for example, you can prohibit copying texts containing bank card numbers and sending them to messengers, browsers, etc.

Smart quarantine

Quarantine is now also faster. Checking email traffic is no longer occupied by the main DLP server, but by an especially allocated engine in the Endpoint Controller - it provides fast scanning and analysis of message content, including analytics for text, attributes and attachments, including using OCR. As in the case of blocking within the agent, this increases the speed of detection and response to suspicious incidents.

For ordinary users, there is the opportunity provided to decide whether they are ready to accept the risks and send or not send a letter with confidential content. Having written such a letter, an employee will see a warning - an automatic email notification - that the transfer of the data contained in the email may lead to a violation of information security policies. If a user is sure that everything is within the rules, then he will be able to confirm the sending by clicking on the link in the notification or by a reply email. This will unload the information security department, which manually parses suspicious email content, and reduce the number of situations when an important email gets blocked and a delayed sending can harm business processes.

Investigation tools

The Task Management tool was created in the DLP to make it easier for information security departments to investigate incidents. It can be compared to the Jira system, with the difference that in Task Management everything is done with consideration of infosec specialists’ specific needs. Analysis of each incident turns into a full-fledged project, for which you can set the time frame, performers, observers, urgency status and add all the necessary information about interception. Additionally, Task Manager supports the upload of external files that can assist during investigation. It is possible to combine several incidents into one project, collect an archive of details about persons involved and keep supplementing the collected information in real time. There are special filters that work to find the projects you need, for example, those where the same employees appear.

Task Management interface

As a result, each employee of the information security department will be aware of the latest tasks for current and new investigations - a notification system is developed for this. The level of access to the Task Management section for specific employees is configured by managers. This can be Full Control, Read Only, or Denied. In the latter case, Task Management is not displayed in the Analytics Console user interface.

Also, within the framework of the DLP, the concept of People-Centric Security was elaborated - an approach in which the investigation of incidents is launched beginning not with the data that could have been leaked, but with a person who could have committed a violation. It has become more convenient to carry out such work thanks to the new tools in the User Cards section. There it became possible to add psychological portraits to information about each employee - if a company has the ProfileCenter installed, the data will be "pulled up" automatically. A summary report from the ProfileCenter is displayed in the Profile tab in user cards: character strengths and weaknesses, personality traits, core values and criminal tendencies if any. It also provides recommendations on how to interact with an employee more efficiently and minimise security breach risks.

"Profile" tab in a user card

Convenient integration

The DLP expands the control perimeter - now it is easier to connect external data sources to the system and "export" data protection functionality to other IT systems.

The Analytic Console now comprises a security policies managing program and work criteria for the External API module. It allows a specialist to quickly configure control over external sources - for example, data from systems that aren’t connected to agent or network interception, but are needed to understand whether users transmit confidential information outside the control perimeter. In the policy manager, in two clicks you can set the rules in accordance with which the DLP will search for security incidents in third-party sources through the External API. All types of searches are available in policies, including those combined into complex queries. The results of the check are displayed in the system that interacts with the DLP via the External API.

Manager of criteria for checking via External API

The "Run external script" function is now available: one can access it in the Alert Center when setting up security policies. Using external scripts, the DLP transmits information about incidents to third-party applications. This allows you to comprehensively respond to negative events. In the security policy manager in the Alert Center, you can configure a list of attributes for uploading that will be especially useful in a third-party system. For example, if a policy about an abnormally high number of sent emails is triggered, you can configure the transfer of this data to the UEBA system - it will correct data about typical and atypical user behavior.

External scripts can also react to emails in Quarantine that fall under the intended launch of an external program policy.

Adding an external script when configuring security policies in AlertCenter

More features for Linux

The functionality of agents for Linux is supplemented with the capabilities of the ProgramController. It is designed to track the time employees spend in applications. Now information security specialists in companies with Linux-based infrastructure will be able to receive full data on the activity, productivity and efficiency of personnel. The module monitors active processes and window titles on employees' PCs and determines who is busy working in job-related software, and who is idling or using suspicious programs. One can customise checklists as required. There, for example, employees who don’t need to be monitored can be specified.

Configuring activity monitoring in ProgramController for Linux

In addition, PrintController functionality is now available for Linux users. Thanks to this, what and how much employees print is transparent for the top management now - information security specialists can control who can use printers, which documents can and can’t be printed. Text and graphic content of printouts can be excluded from interception in order to not overload the data storage.

Thus, the functionality of all DLP modules is now available to control PCs on Linux OS.

 

All the updates are available in a full 30-day trial version

Try for free