From 11 to 15 October, Sochi hosted SearchInFORUM, the company's annual private event. SearchInform's top management summed up the results of the outgoing year, presented a new solution, SearchInform Event Manager (SIEM), and shared product development plans to be implemented by the end of 2016 and in 2017.
SearchInFORUM became a platform for a closed professional community whose members could give talks, share experience and openly discuss problems and their solutions. We received feedback that helps keep the products practical: they are developed not for the sake of development, but to solve the particular tasks that currently concern clients.
Below is a review of the most important upgrades and updates to SearchInform products in 2016:
Advanced video search capabilities have simplified data analysis. Now the information security officer only needs to select the activity in which an employee's actions may pose a potential threat (a TeamViewer session start, work in 1C, etc.) and start watching the video from that particular moment. It is no longer necessary to watch the whole recording to find and view one specific fragment.
The updated versions of SearchInform products can protect computers running Microsoft Windows 10. TimeInformer works properly in this environment, and SearchInform DLP supports its interception agents and client components on the newest operating system.
This allows SearchInform customers to safely update the operating systems on corporate computers to the latest Microsoft releases; the level and quality of protection against data breaches remain as high as before.
Previously, SearchInform DLP worked with popular virtualisation environments, but there were problems in VDI environments. When the capturing agent was integrated into the system image, it was assigned an identifier that, because every virtual desktop is cloned from the same image, could be duplicated across machines.
The upgrade changed the behaviour of the Endpoint server so that data from each agent is now identified unambiguously.
Support for IPv6 allows SearchInform DLP and TimeInformer to work properly in networks of the new type. The IPv6 address is an additional attribute that can be included in searches, which significantly extends device identification capabilities.
The ES Hub makes it possible to address information security tasks more efficiently in remote offices that have fewer workstations and/or a narrow communication channel to headquarters.
Operating principle: data from workstations is captured by agents and transferred to the ES Hub, where it is filtered, processed, compressed and encrypted. The data is then transferred to the main EndpointSniffer server.
Advantages:
This feature allows you to control access to critical data: it hides or locks the folders of top management and denies access even to privileged users (system administrators, technical experts, etc.). Differentiation of access to resources (folders and disks) is performed only at the DLP level and cannot be overridden at the operating-system or domain level. Note that this guarantee holds only as long as the DLP agent itself cannot be stopped or uninstalled by the user whose access is being restricted.
Previously, SearchInform DLP and TimeInformer users had to classify every unknown web-site manually, which took a lot of time. Now resources are classified automatically: every 10 minutes the programs collect and process all unknown resources, distributing them into categories such as dating web-sites, social networks, online games, news web-sites, shopping and job sites. More than one million web-sites are currently categorised.
Any audio data can be recognised and converted into text. This makes it possible to solve a range of tasks that previously could be solved only through audio interception. The whole process is local: data does not leave the network, and external services such as Yandex SpeechKit and Google Speech are not used. The feature is at an experimental stage and is being tested by clients.
SearchInform DLP is integrated with the Astra Linux OS. The DLP system fits into the Astra Linux ecosystem and addresses internal information security tasks; in particular, it provides protection for classified information at the "Top secret" level.
This SearchInform innovation allows monitoring the transmission of scanned documents by matching them against reference stamp samples. The stamp scanner is available to all SearchInform clients at no additional charge. The component is integrated into the system by default and requires no additional technology.
The quality and speed of image recognition in SearchInform DLP have broken new ground. Thanks to optical character recognition (OCR) technology from ABBYY, the system classifies files and identifies personal data circulating inside the company.
Recognition and image classification technologies automatically determine the type of personal data. The ABBYY classification module helps identify any standard document: passports, credit cards, etc.
Some clients use two SearchInform products at the same time: for instance, e-mail is controlled with SearchInform DLP, while other tasks are handled by the TimeInformer work time control system. Previously, the agents of the two systems conflicted when installed on the same workstation. Now clients can run both systems simultaneously without any problem.
The new licensing scheme makes it possible to manage licenses centrally from one place. Previously, a user had to allocate licenses on every server separately; now it is enough to make the change once and the license is applied to all servers. Licensing has also become more flexible.
You can split off the necessary number of licenses from the key for each particular server, or choose the dynamic scheme for automatic license distribution.
The agent of any DLP system integrates deeply with core system functions, so installing two such agents on one user workstation results in a conflict that both users and technical support have to deal with. To avoid this, SearchInform DLP was equipped with a feature that detects other agents.
This feature allows the information security officer to make sure that other solutions were not left behind accidentally (for example, after a trial) and are not being used intentionally by other departments. SearchInform DLP detects all popular DLP systems in demand on the market.
Integration of the DLP with an ICAP proxy enables monitoring of all web traffic that passes through the proxy; when a security policy is violated, that traffic can be blocked. The technology helps secure the company's network regardless of the type of device.
This technology makes it possible to identify files unambiguously, extends the analytical capabilities of the DLP and simplifies search.
It is possible to track all operations with a particular file or device and unambiguously reconstruct the circumstances of a violation.
Both SearchInform DLP and TimeInformer allow setting up rules and efficiency lists.