Product showcase: SearchInform Risk Monitor – next-gen DLP-based insider threat mitigation platform
Basically, DLP systems are aimed at preventing data leaks: in real time they monitor, and if required block, the transmission of confidential data. However, the traditional approach to DLP is no longer sufficient. That is why SearchInform offers a next-gen platform for internal threat mitigation, Risk Monitor (hereinafter RM). The solution covers the tasks of both the data-centric and the user-centric approach; offers functionality for proactive incident prevention as well as forensic tools; keeps an archive not only of incident-related data but of all users' actions; and helps to comply with regulators' requirements.
Briefly speaking, RM deals with a few sets of tasks:
How does the Risk Monitor platform work?
The Risk Monitor platform contains the following modules:
Risk Monitor = DCAP + DLP + UBA + Forensic Suite + Performance Evaluation
Risk Monitor is a complex platform offering plenty of functionality. In this overview we are going to highlight some crucial functions and describe the basics of how the platform works.
Data classification and data access rights audit by Risk Monitor
The first step of data protection is monitoring and protecting data at rest. Risk Monitor ensures this with the help of the FileAuditor product, a DCAP-class solution.
This is how FileAuditor works:
- Data classification.
- Access rights audit.
- Monitoring and blocking user actions.
- Critical documents archiving.
FileAuditor may work as a part of a single platform (no additional agent is required) or as an independent solution.
To learn more about the solution’s functionality please refer to the FileAuditor review.
Briefly speaking, the solution ensures the highest standard of data protection and cannot be deceived, thanks to its content analysis functionality. The solution analyzes the content of each document, so it knows precisely whether any confidential data is present in the document and operates based on this information.
Data transfer monitoring
SearchInform Risk Monitor controls the maximum number of data transfer channels (text, graphic, audio):
- Email (sent via apps and from the web interface).
- A complete list of messengers (WebEx, Lync, WhatsApp, Skype, etc.), with control of correspondence, calls and transmitted files.
- Connected external devices and actions performed with them (data recording, file execution, etc.).
- Cloud storages.
- Printing of files.
- Remote access tools such as TeamViewer, etc.
The solution also monitors user activity in applications and on websites.
This is done with the help of specific modules, each of which controls its own data channel (the customer can choose to purchase only the required modules). The list of modules includes: Mail Controller, Cloud Controller, IM Controller, HTTP Controller, Device Controller, FTP Controller, Monitor Controller, Print Controller and Program Controller.
However, gathering all the data is only half the battle; analyzing it appropriately is no less important. Risk Monitor complements traditional search technologies with unique ones, including AI.
Methods of data search, performed by Risk Monitor
The advanced analytical capabilities enable users to fine-tune any security policy in addition to 250+ presets, which are universal and industry-specific policies configured in advance. Thanks to them, no single incident will be missed; what is more, they help to minimize the number of false positives.
Details on all alerts can be obtained in the AlertCenter. Risk Monitor also enables keeping an archive of user traffic and actions, which helps to perform retrospective investigations. More detailed information about investigations is provided below.
Example of complex query search configuration
Gartner analysts recognized SearchInform system’s analytical capabilities as one of its core strengths.
Data leak prevention: Blockings
In Risk Monitor, the blockings that prevent incidents are activated based on the data content and context (attributes and properties), which ensures the highest level of data protection. The data analysis is performed on the endpoints, which speeds up the activation of blockings, as no data processing on servers is required. Advanced data search technologies enable efficient data search and analysis according to the configured security policies.
The following types of blockings are available:
- Content and context web blockings (enable blocking access to specific resources or groups of resources, e.g. online casinos, and the sending of confidential files).
- Content and context blockings:
  - In messengers (Zoom, Slack, Telegram and WhatsApp): you can prevent sending files of selected formats and extensions, as well as files with specified content.
  - In clouds: you can prohibit writing files with specified content or of a certain type to cloud storage.
  - In email: you can configure blockings according to content (e.g. prohibit sending trade secret documents or attachments in .dwg format).
  - Of print operations: it is possible to prevent printing documents with specified content.
  - Of operations with devices: you can prohibit connecting any or selected devices to all PCs or to selected ones, and grant rights to use flash drives only on demand.
  - Of access to files by arbitrary processes (when integrated with FileAuditor): Risk Monitor reads the labels added by FileAuditor and can block files according to the label, without spending extra resources on reading the file content.
Example of blocking configuration
Example of blocking activation (the solution prevents sending a confidential document to a third-party user)
The SearchInform solution offers a flexible approach, which makes it possible to ensure monitoring and implement blocking (if necessary) simultaneously. The combined approach is more efficient: it does not interrupt business processes, ensures protection, and also enables drawing conclusions based on the results of investigations and fine-tuning business processes to make sure incidents do not reoccur in the future.
Investigations and digital forensics
RM contains a set of tools for incident investigations. As mentioned above, RM performs full-scale archiving of important data, even if it was not initially related to an incident, which significantly contributes to the efficiency of the investigation process. Thanks to rapid and precise search across data arrays, a full-scale, comprehensive retrospective investigation can be performed.
An information security specialist can delve into the circumstances of the incident from the unified AnalyticConsole: examine users' communications; reveal where exactly they sent documents and analyze the documents' content; find out what processes they launched, who was using the computer at the time of the incident, what exactly they were doing, and much more.
For ease of use, RM comes with more than 30 preconfigured report templates, which visualize operations clearly. Below you may find examples of a couple of them.
In a clear and easy-to-understand manner, this specific report helps the IS officer to:
- Find out the primary source of information dissemination.
- Reveal who viewed the confidential data.
Content routing report in SearchInform Risk Monitor
The color of the graph lines depends on the intensity of communication. IS officers can always identify the culprits of the incident.
Besides, RM offers watermarking functionality, which is crucial for detecting the source of a data leak. Thus, IS officers can easily detect the source of a leak and the culprit of the incident even if a user took a screenshot or photographed the data with a smartphone. When a screenshot or photo is taken on a protected computer, a search in external sources allows information security specialists to easily determine the source of the leak. This is possible because the watermark contains an indication of the PC and of the employee who works on it.
Example of a watermark indicating the workstation and the user who attempted to leak a confidential document
Risk Monitor offers a Task Manager for the IS department with convenient functionality for handling complex investigations.
It makes it possible to:
- Set the roles of IS analysts.
- Prioritize tasks.
- Gather all evidence.
- Maintain dossiers on insiders and their associates.
- Export the results of an investigation.
- Upload external files that can assist in the investigation.
Performance evaluation and user-centric security
Risk Monitor enhances the efficiency of business processes and team management, and contributes to a fairer distribution of work tasks. It makes it possible to reveal employees who overwork or are even on the verge of burnout, as well as to identify idlers.
The RM platform monitors user activity and analyzes which applications are run by users and which websites are visited. For each employee or group of employees it is possible to create specific policies that enable efficient assessment of a user's productivity. The solution analyzes the gathered data and provides the employees in charge with a report.
User productivity report
In order to mitigate the risk of information security incidents occurring due to employees' mistakes, RM offers a few useful functions.
To counter the phishing threat and mitigate the risks of workstation compromise and accidental data leaks, the solution detects potentially dangerous emails in staff mailboxes. The phishing email recognition function works by comparing the Message-ID and Sender (From) attributes, so the system detects cases where the domain and the sender's real address differ. If these parameters do not match, the DLP system marks the letter as phishing and notifies an information security officer.
Phishing email detection
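The From/Message-ID comparison described above, written out as an added example (not SearchInform's code): it parses a raw message with Python's standard `email` library, extracts the domain from each header and flags a mismatch. The two sample messages are constructed for illustration; the `example.com` and `bulk-sender.invalid` domains are placeholders.

```python
import email
from email import policy
from email.utils import parseaddr

# Constructed sample messages (not real mail): one whose Message-ID domain
# belongs to the sender's organisation, one where the two domains differ.
SAMPLE_LEGIT = """From: Jane Doe <jane.doe@example.com>
To: team@example.com
Message-ID: <20240101120000.ABC123@mail.example.com>
Subject: Quarterly report

Please find the report attached.
"""

SAMPLE_SUSPICIOUS = """From: IT Support <support@example.com>
To: jane.doe@example.com
Message-ID: <a1b2c3d4@bulk-sender.invalid>
Subject: Urgent: reset your password

Click the link to keep your account active.
"""

def _domain_of_message_id(msgid: str) -> str:
    """Return the part of '<local@domain>' after the last '@', lowercased."""
    msgid = (msgid or "").strip().strip("<>")
    return msgid.rpartition("@")[2].lower()

def _same_org(a: str, b: str) -> bool:
    """Treat 'mail.example.com' and 'example.com' as the same organisation."""
    return a == b or a.endswith("." + b) or b.endswith("." + a)

def check_sender_consistency(raw: str) -> dict:
    """Flag a message whose Message-ID domain does not match the From domain."""
    # Caveat: legitimate mail sent through third-party mailing services carries
    # the service's Message-ID domain, so in practice this needs an allow-list.
    msg = email.message_from_string(raw, policy=policy.default)
    _, from_addr = parseaddr(msg.get("From", ""))
    from_domain = from_addr.rpartition("@")[2].lower()
    msgid_domain = _domain_of_message_id(msg.get("Message-ID", ""))
    if not from_domain or not msgid_domain:
        return {"suspicious": True, "reason": "missing From or Message-ID"}
    if _same_org(from_domain, msgid_domain):
        return {"suspicious": False, "reason": "domains consistent"}
    return {"suspicious": True,
            "reason": f"From domain {from_domain} vs Message-ID domain {msgid_domain}"}

if __name__ == "__main__":
    for name, sample in (("legit", SAMPLE_LEGIT), ("suspicious", SAMPLE_SUSPICIOUS)):
        print(name, check_sender_consistency(sample))
```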
RM helps to manage password usage. The system checks the strength of passwords used by employees and monitors the use of corporate credentials on external resources. If a corporate account password is not strong enough or is used on external resources, the system sends a notification to the IS officer.
SearchInform RM report on users’ authorizations
All in all, SearchInform Risk Monitor is a next-gen internal threat protection platform that helps to deal with a wide range of tasks. It is based on an advanced DLP system with extended functionality and is complemented with a few other tools, including UBA and AI-related technologies, an e-forensics suite, and tools for time tracking and performance evaluation. The solution can be deployed within a few hours, operates on a single agent, and can be seamlessly integrated with other tools by the vendor. Risk Monitor is a reliable solution that protects businesses against multiple internal threats and helps to increase business efficiency.
To learn more about how Risk Monitor deals with the abovementioned tasks and how else it can contribute to your business, you may visit this page.