To control and secure sensitive data, the solution monitors, intercepts, and blocks user communication channels on workstations, as well as audits local and shared folders for freely available confidential data. SolaredINsight ensures total control over employee communications, their activities on workstations, and corporate information flows:
- Traditional DLP methodology to control information in use, motion, and at rest
- Traffic interception by a gateway/proxy sniffer, a workstation agent (Windows, Linux), and a file crawler to audit data storages
- Control over employee communications via email, messengers, social media, websites, and other popular platforms
- Control over user activities on workstations: copying to removable media, printing, etc.
- Advanced traffic analysis and filtering technologies for accurate identification of confidential data in any format and early threat detection
SolaredINsight is the market’s only DLP optimized for early detection of corporate fraud and full-fledged investigations. To combat economic crimes at enterprises, SolaredINsight leverages a wide range of special tools, including:
- A powerful system for intercepting information and monitoring employee activities on workstations in order to reveal abnormal behavior and wrongful acts before those become a real threat
- A complete archive of employee communications featuring a quick search for breach evidence and full-fledged investigations
- A toolkit that generates dossiers and maintains them, enabling a company to collect employee details in a single place, define a level of credibility, and profile their behavior
- An analytical platform for analyzing employee communications, identifying connections, and detecting abnormal behavior
- Unique interface for prompt situation analysis and quick start of incident investigation
- Integration with third-party IT systems, such as SIEM, HRM, MDM, and IdM, for obtaining contextual information about employees and incidents
In order to identify a threat in communication traffic, it is necessary first to intercept the traffic for analysis. As a new generation DLP, SolaredINsight 6.4 captures traffic from a wide range of data channels, thus closing even the most sophisticated loopholes.
Depending on each channel's configuration, the best traffic capture point is selected (mail server, network gateway, proxy server or workstation), thus ensuring business continuity and even load distribution across the infrastructure.
A major part of network traffic is intercepted at a gateway by copying it via a router’s SPAN/RSPAN port or a proxy server’s ICAP, including capture and analysis of messages (reading incoming e-mails, social media communications, messages on Internet forums and job search sites, files sent via FTP/WebDav, and much more).
In addition, an active agent on a workstation intercepts traffic over protocols that cannot be intercepted at the gateway; for example, for Skype, printing jobs, clipboard, and USB devices.
SolaredINsight Communications Surveillance
SolaredINsight is compatible with any proxy server and also can be delivered with its native module, Dozor Web Proxy. Moreover, Dozor Web Proxy can be used as a standalone solution for web risk protection.
Covering all of the most common data channels, SolaredINsight monitors and controls communications via email, messengers and websites or web apps, as well as tracks employee actions on their workstations.
All intercepted information goes to the complete archive of communications for incident investigation purposes.
- Communications via corporate email servers (Microsoft Exchange, IBM Lotus Notes, CommuniGate, etc.). The solution can be installed either in parallel or in-line.
- Detecting IMAP and POP3 messages in the traffic
- Incoming/readable and outgoing emails sent via Yahoo! Mail, Gmail, and 40+ supported webmail services that use HTTP(s), SMTP, and POP3
- OSCAR – ICQ, QIP, etc.
- MMP – Mail.Ru Agent, etc.
- MSN – Windows Live Messenger, etc.
- XMPP – Google Talk, Jabber, etc.
- Yahoo messenger
- Chats, file transfers and calls using Skype, Mail.ru Agent, and Microsoft Skype for Business
Web traffic control
- Data transferred over HTTP, HTTPS
- File transfer using HTTP, FTP, FTP over HTTP, WebDAV
- SMS/MMS messages sent via special services (500+ domains)
- Intercepting POST requests and documents transferred to external servers over HTTPS via Internet Explorer, Mozilla Firefox, Google Chrome and Opera
- Messages and communications in Facebook, LinkedIn, and other social media
- Messages on phpBB, IP.board, Phorum, Drupal and other Internet forums
- Posts in LiveJournal, WordPress, Mamba, Diary.ru, Juick, Imageboard and other blogs
- File uploading to video, photo and file hosting platforms
- Posting CVs on HH.ru, Job.ru, Zarplata.ru and other job search websites
- Messages on arbitrary web services
Depending on customer tasks, SolaredINsight 6.4 can either monitor or block data transfers. Thus, the solution can not only record breaches but also prevent confidential data theft or secret leaks if necessary. In addition, the system can alter message content or attachments by erasing or substituting relevant information. To foster a culture of confidential data treatment amongst employees, SolaredINsight can display a warning window to a security policy violator.
Available reactions to a security event
To control confidential data propagation, SolaredINsight introduces the concept of an 'Information Object', a class of business-critical information that is subject to a higher level of security. Such data can be transferred in various formats: e-documents, message bodies, scanned images, archived files, etc. Therefore, it makes sense to define as many presentations of such information as possible and group them by common criteria. As a result, an Information Object refers to a commonly used kind of document: financial documents, CVs, strategic plans, meeting minutes, etc.
For instance, to monitor and control a flow of financial documents, the relevant Information Objects can be grouped into a Financial Documents category. Information Objects containing documents handled by the HR team can be grouped into an HR category. Therefore, different control rules can be applied to each Information Object.
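The following added example (not SolaredINsight code) models the concepts above: several Information Objects grouped into a Financial Documents and an HR category, with a control rule per category and channel whose reaction is one of the reactions described earlier (monitor, warn, redact/substitute, block). The object names, detection patterns, channel names and messages are constructed assumptions.

```python
"""Added example, not SolaredINsight code: a minimal model of Information
Objects grouped into categories, each (category, channel) pair bound to a
control rule whose reaction is monitor, warn, redact or block.
Object names, patterns, channels and messages are constructed assumptions."""
import re
from dataclasses import dataclass
from enum import Enum


class Reaction(Enum):
    ALLOW = 0    # no Information Object matched: no event, deliver as-is
    MONITOR = 1  # deliver, record an information security event
    WARN = 2     # deliver, record the event, show a warning window to the sender
    REDACT = 3   # deliver with the matched data substituted, record the event
    BLOCK = 4    # do not deliver, record the event


@dataclass(frozen=True)
class InformationObject:
    """One presentation of a class of business-critical information."""
    name: str
    category: str
    pattern: re.Pattern


@dataclass
class Verdict:
    reaction: Reaction
    matched: list   # names of the Information Objects found
    content: str    # message as it would be delivered ("" when blocked)


# Constructed Information Objects; the patterns are illustrative, not
# production-grade signatures.
OBJECTS = [
    InformationObject("Invoice number", "Financial Documents",
                      re.compile(r"\bINV-\d{6}\b")),
    InformationObject("IBAN", "Financial Documents",
                      re.compile(r"\b[A-Z]{2}\d{2}[A-Z0-9]{11,30}\b")),
    InformationObject("Candidate CV", "HR",
                      re.compile(r"\b(curriculum vitae|resume)\b", re.I)),
    InformationObject("Salary figure", "HR",
                      re.compile(r"\bsalary[: ]+\d[\d,]*\b", re.I)),
]

# Control rules per category and channel. "internal" is the corporate mail
# server, "external" is webmail, messengers or web forms leaving the company.
RULES = {
    ("Financial Documents", "internal"): Reaction.MONITOR,
    ("Financial Documents", "external"): Reaction.BLOCK,
    ("HR", "internal"): Reaction.WARN,
    ("HR", "external"): Reaction.REDACT,
}


def evaluate(message: str, channel: str) -> Verdict:
    """Match every Information Object, take the strictest reaction among the
    categories hit for this channel, and apply it to the message."""
    hits = [obj for obj in OBJECTS if obj.pattern.search(message)]
    if not hits:
        return Verdict(Reaction.ALLOW, [], message)
    # A (category, channel) pair without a rule defaults to MONITOR, so a
    # forgotten rule never lets sensitive data through unrecorded.
    reaction = max((RULES.get((obj.category, channel), Reaction.MONITOR)
                    for obj in hits), key=lambda r: r.value)
    content = message
    if reaction is Reaction.BLOCK:
        content = ""
    elif reaction is Reaction.REDACT:
        for obj in hits:  # substitute every matched presentation
            content = obj.pattern.sub(f"[REDACTED:{obj.name}]", content)
    return Verdict(reaction, [obj.name for obj in hits], content)
```

When a message hits objects from several categories, the strictest reaction configured for that channel wins, so a mixed HR and financial message leaving the company is blocked rather than merely redacted.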
Analysis of employee actions on workstations can be a valuable source of information for a security officer, indirectly indicating threats that could emerge. Before committing any crime, intruders have to prepare and thus cannot but leave traces. SolaredINsight keeps an eye on these actions on workstations and catches even slight deviations from typical user behavior.
Additionally, the SolaredINsight DLP solution features an agent module for Linux, an obvious benefit for organizations adopting open-source software.
Removable media control
- Block removable media through blacklisting and whitelisting by device type and IDs
- Intercept, analyze and block file copying to external USB devices and network drives, including over MTP
- Intercept, analyze and block printing jobs on local or network printers
- Control files transferred using web service apps, including Dropbox and other cloud storage
What can be better than crime scene photos? SolaredINsight takes screenshots of an employee's desktop at preset regular intervals, thus backing incident data with irrefutable proof. Screenshots can be taken on schedule or triggered by user actions on the desktop. For example, a screenshot can be taken once a user presses Enter or Print Screen.
An image archive looks like a user-friendly gallery that supports a variety of filters for easy display and visualization. The solution also lists processes and apps that run on a workstation at the time of screenshot-taking—something which dramatically accelerates obtaining and review of necessary intelligence.
Agent activity status
To make sure monitoring of user actions on workstations is not stopped, even for a second, SolaredINsight controls the agent module's activity status. A security officer can check the connection between agents and the central server in almost any situation when reviewing user groups or particular employee cards. A status indicator shows the officer whether the agent is installed on the workstation and currently active, and specifies the date and time of disconnection (if any).
SolaredINsight runs data inventory in file storage sites, such as employee workstations and shared folders, identifying confidential data and storage rule breaches by:
- Automatic scanning of publicly accessible file storage
- Automatic classification of corporate data
- Control over information spread within a company and locating unauthorized storage of critical data
SolaredINsight checks traffic, using signature-based data analysis, which gives a deep insight into the structure and content of data being transferred via webmail, social media, and other web services.
Even if employees utilize an anonymizer or Tor, all their activities and communications will be saved and analyzed by SolaredINsight.
An experienced violator may count on HTTPS when using web services, but in vain if the organization has SolaredINsight.
The solution either 'reads' SSL at the gateway (ICAP) or intercepts it directly on the user workstation before encryption (without certificate substitution in the browser).
Transparent stripping of SSL on proxy server
The proprietary Dozor Web Proxy can now strip SSL traffic in transparent mode. As a result, customers enjoy all the proxy server benefits with no need to tamper with Internet connection settings in browsers and other applications on employee desktops, which are simply connected to the network, while all employee activities on the web, including encrypted traffic, fall under control.
As a key function, SolaredINsight automatically detects confidential data or threat signs in information flows, thus preventing data leaks and revealing corporate fraud.
SolaredINsight analytics module analyzes the content and context of intercepted data, accurately identifies the information under protection, catches the meaning of sent messages, and also discovers abnormal employee behavior.
To control and identify the above threats, the storage, processing, and transfer of information are governed by sets of rules that are adopted and configured to cover every scenario in which essential and critical information must be detected.
Such preset cybersecurity policies allow for information security events to be generated, interpreted, and automatically correlated with certain types of pressing threats to which a particular organization may be exposed. Knowing the type of threat, a security officer can assess its severity and the damage it may cause.
To catch early signs of corporate fraud in the bulk of communication traffic, a DLP system should offer powerful and easy-to-use analytical tools for investigating potential threats and actual incidents. Sometimes a malicious insider cannot be detected at a glance; therefore, a security officer should have an opportunity to determine and quickly respond to indirect signs of a threat. Before any actions, a person engages in some sort of preparation, thus there are always precursors for the commission of fraud. SolaredINsight helps the security team keep an eye on deviations from normal employee behavior and propose and verify assumptions. SolaredINsight keeps an extended archive of employee communications, accumulates information about user activities on workstations, profiles captured data, and reveals atypical connections and abnormal behavior, thus enabling early detection of emerging threats and prompt investigation against a potential violator.
SolaredINsight 6.4 web interface functions as a command center and enables a security team to quickly assess the internal situation, prioritize tasks, and instantly dive into incident investigation.
A security officer does not have to make sophisticated queries but can immediately see the very data he/she needs—thanks to user-friendly desktop widgets—and can drill down to learn more about events, persons, information objects, and incidents.
With a SolaredINsight incident management system, investigation is not a security team’s headache anymore but a convenient and effective daily workflow. As part of incident lifecycle management, the solution enables a company to assign a person responsible for incident investigation, supervise investigation progress, and get results as quickly as possible.
To assess the in-company situation quickly, SolaredINsight offers a dashboard focusing on essential metrics:
- Business-critical information
- Persons and groups of persons taken under special control
- Breaches (information security events and incidents)
Pursuing this approach, a security officer can quickly size up what is going on and prioritize tasks for detailed review.
Detailed incident review
Having gained a quick overview, a security officer can drill down for further details, which are just a couple of clicks away. The solution interface features an end-to-end drill-down approach to data availability, with almost all interface elements being hyperlinks.
For instance, a security officer can click on either a file name and go to the card of an event related to the file, or an employee name and go to an employee card.
There is no need to make a query each time to retrieve necessary information. Most wanted data slices and reports are preset in SolaredINsight and ready-to-use.
Any corporate fraud investigation depends on collecting evidence, a laborious and difficult task within the archive of employee communications, in order to reveal hidden, regular patterns in employee actions and determine cause-and-effect relationships. To untangle tricky schemes, security officers have to handle large volumes of heterogeneous information and can truly benefit from SolaredINsight's complete archive of communications, which features a quick search and offers an incredibly user-friendly and effective experience.
Big Data benefits for the security team
SolaredINsight automatically retains all intercepted communications and all event and incident information in a fail-safe long-term archive that offers almost unlimited capacity in storage time and volume and provides ample opportunities for retrospective analysis.
The archive architecture includes a DBMS, which holds indexed information for quick display, and an extended file storage backed by Elasticsearch. This approach combines quick search in the archive with export of the necessary data from long-term storage.
Full-text search in the archive
Still trying to figure out which section holds the data you need? Forget about it! SolaredINsight's search is easy to use, requiring no greater technology skill than that needed to use the Google search engine. Even so, the flexible search feature retrieves the necessary information from the archive in a matter of seconds, using person-driven, information-driven, and event-driven search modes, as well as searching for similar items and drawing on an enormous library of ready-to-use search queries with configurable parameters.
Hundreds of terabytes of heterogeneous information kept safe
- Quick data access: high-speed external indexes, PostgreSQL/Oracle-based instant archive
- Support for inves: long-term and operational storage management
- Saving on resources: data deduplication and compression to store larger volumes using the existing resources
- Record search time: less than 1 sec in the archive of 17M messages
SolaredINsight allows for a Dossier to be enriched with all necessary information about any persons, whether employees or third parties. A “person” is the core entity of the Dossier that lets the system focus on people themselves rather than their not-always-obvious IDs and email addresses.
A Person card summarizes all information about a particular person and his/her activities:
- Personal, network, and contact details, “Level of credibility”
- List of participated events and incidents
- Received and sent messages/files
- Connections and contacts
Leveraging the integration with external systems, Dossiers can be enriched with data obtained from third-party databases and social media.
Continuous monitoring of suspicious persons
For ongoing monitoring of suspicious persons' activities, SolaredINsight offers widgets for quick access to information about:
- A particular suspicious person to be monitored
- Persons under special control (on probation, employment termination, etc.)
- Persons with lowered Level of credibility due to abnormal behavior registered by the system
Search for hidden connections
The Person’s Connections graph helps identify and visualize informal connections between employees and third parties, find persons of interest, and reveal hidden connections.
Reveal abnormal activities
The solution continuously profiles the activities of employees and third-party users and identifies atypical contacts and statistical abnormalities in communications. A Level of credibility score, calculated for every employee, helps identify apparent and latent violators and analyze employee behavior.
Workstation control technologies allow a security officer to put a suspicious employee on a watch list to gather more details on that employee.
The archive re-filtration mechanisms are designed to retrospectively analyze previously accumulated data upon the discovery of new facts and to find incidents that were missed earlier.
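The added example below (not SolaredINsight code) shows the kind of profiling described above in miniature: a baseline of each person's usual contacts and daily message volume is built from a constructed archive, a new period is checked for atypical contacts and statistical volume spikes, and a 'level of credibility' score is lowered accordingly. The record layout, thresholds and score weights are assumptions, not the product's actual method.

```python
"""Added example, not SolaredINsight code: a toy behaviour profile that
learns each person's usual contacts and daily message volume from an
archive baseline, then checks a new period for atypical contacts and
volume spikes and lowers a 'level of credibility' score accordingly.
Records, thresholds and score weights are constructed assumptions."""
from collections import Counter, defaultdict
from statistics import mean, pstdev

CORP = "corp.example"  # assumed corporate mail domain
ALICE, BOB, CAROL = "alice@" + CORP, "bob@" + CORP, "carol@" + CORP


def build_baseline():
    """Constructed archive records (day, sender, recipient): Alice writes to
    Bob and Carol daily plus an extra note to Bob on even days; Bob answers
    Alice once a day."""
    records = []
    for day in range(1, 11):
        records += [(day, ALICE, BOB), (day, ALICE, CAROL), (day, BOB, ALICE)]
        if day % 2 == 0:
            records.append((day, ALICE, BOB))
    return records


def build_new_period():
    """Constructed day 11: Alice sends twelve messages, three of them to an
    address outside the company; Bob behaves as usual."""
    return ([(11, ALICE, BOB)] * 5 + [(11, ALICE, CAROL)] * 4
            + [(11, ALICE, "ext@freemail.example")] * 3 + [(11, BOB, ALICE)])


def build_profile(records):
    """Per sender: known contacts plus mean and deviation of daily volume."""
    contacts, per_day = defaultdict(set), defaultdict(Counter)
    for day, sender, recipient in records:
        contacts[sender].add(recipient)
        per_day[sender][day] += 1
    return {sender: {"contacts": contacts[sender],
                     "daily_mean": mean(list(counts.values())),
                     "daily_std": pstdev(list(counts.values()))}
            for sender, counts in per_day.items()}


def is_external(address):
    return not address.endswith("@" + CORP)


def assess(profile, new_records, z_limit=3.0):
    """Flag contacts absent from the baseline and days whose volume exceeds
    the usual by more than z_limit deviations, then score credibility:
    100 minus 20 per new external contact, 10 per new internal contact and
    15 per spike day, floored at 0."""
    new_contacts, per_day = defaultdict(set), defaultdict(Counter)
    for day, sender, recipient in new_records:
        per_day[sender][day] += 1
        if recipient not in profile.get(sender, {}).get("contacts", set()):
            new_contacts[sender].add(recipient)
    result = {}
    for sender, counts in per_day.items():
        base = profile.get(sender, {"daily_mean": 0.0, "daily_std": 0.0})
        spread = max(base["daily_std"], 1.0)  # avoid a zero divisor
        spikes = sorted(day for day, n in counts.items()
                        if (n - base["daily_mean"]) / spread > z_limit)
        ext = {c for c in new_contacts[sender] if is_external(c)}
        internal = new_contacts[sender] - ext
        score = max(0, 100 - 20 * len(ext) - 10 * len(internal) - 15 * len(spikes))
        result[sender] = {"new_contacts": new_contacts[sender],
                          "spike_days": spikes, "score": score}
    return result
```

Re-running `assess` over older archive records with a newer profile or tighter thresholds is the retrospective re-filtration idea in its simplest form.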
The solution takes screenshots of employee workstations either at preset intervals, or when triggered by app activation or clicking Enter or Print Screen, thus collecting 'crime scene' photos.
Special search engine and data indexing technologies ensure flexible person-driven, information-driven, and event-driven search, and allow users to search for similar items across the entire communications archive. Once a user starts entering a person's name or part of an email address, the system will show the list of employees whose names/email accounts contain such characters.
SolaredINsight shows coherent chats in the communications flow, thus allowing analysts to see the context of communication and look through previous and subsequent messages of users. By creating a communication search request, security officers will get:
- A list of chats, including a messenger used
- A list of chat participants
- The chat initiator’s details
- The total number of messages and files transmitted
Comments feed in the Incident card
Investigative collaboration, already part of the routine, is now even more convenient: any security officer can add comments to the incident card, eventually turning it into a live chat for everyone involved in the investigation.
SolaredINsight effectively manages the entire cycle of information security events and incidents, leveraging its unique incident analysis methodology and end-to-end investigation supervision.
The smart system automatically logs and classifies cybersecurity events by severity levels and offers a special intuitive interface for incident lifecycle management: viewing new events grouped by severity levels and all incidents assigned to a specialist for review, as well as downloading details of a particular event or incident.
SolaredINsight brings automation to security team members throughout an investigation through the following steps:
- Assign a task to a security officer
- Hand over a case or incident to a teammate
- Designate a supervisor responsible for in-depth incident review and investigation
All this contributes to a single and continuous workflow within a security team, speeds up communications, and ties geographically distributed team units.
Executive Desk is a special interface of the SolaredINsight web console for cybersecurity team leaders or business users who need DLP functionality. To help a cybersecurity team leader manage employees who use SolaredINsight, Executive Desk's new interface provides immediate updates essential to make enterprise security-related decisions.
In addition, Executive Desk allows for tracking changes and trends in key indicators of threats across the company to make prompt decisions with respect to ongoing and future investigations. To rapidly assess in-house situations and adjust the work of incident analysts, Executive Desk shows essential data on a set of widgets:
- Groups under Special Control (Top 5 specially controlled groups)
- Information Objects (Top 5 information objects transmitted inside the company)
- Violators (Top 5 persons under special control)
- Overall Performance (information security event statistics for a selected period)
- IS Officers (Statistics of event processing by information security officers)
- Business Units (Top 5 groups of Organizational Structure)
- Most Recent Reports (3 most recent reports generated)
- Events by Communication Channels (Statistics on events for a period, grouped by communication channels)
- Events by Severity (Statistics on events ranged by threat severity levels)
- Events by Threat Type (Most severe events by threat type)
- Files (Top 5 files transmitted inside the company)
- Trend Filter allows users to monitor changes in indicators for a specified period (i.e., to judge whether a situation becomes better or worse)
When a cybersecurity system requires dozens of clicks per minute and a fast interface speeds up the event processing even more, officers sometimes cannot remember what actions they took and why, but Solar Dozor can.
The Breadcrumbs feature lets a user see recently viewed pages and jump back to them quickly without losing track of the investigation. The system shows the 10 most recent activities, which you can return to with a single click instead of wasting time trying to recall prior steps.
For accurate and convincing presentation of security team performance, SolaredINsight has adopted a powerful report generation system. Intuitive reports give a complete picture of incidents, violators, information flows, and investigation results. With brief summary reports in hand, security team leaders can see the whole picture and current status of protected information, while more detailed reports give greater depth and reveal shortcomings in a company’s security policy.
Drafting reports can be a headache, notably when done the day before an important meeting. SolaredINsight takes that headache away with its functionality for automatic scheduled reporting based on predefined templates. The reports are created as scheduled and sent in a convenient format (interface/XML/PDF) to all parties concerned using interface and/or email notifications.
Communication heat map
Pursuing the idea of visualized communications, SolaredINsight 6.4 has a new report titled ‘Communication heat map’, which is unique to DLP. This report uses color coding for visualization of the intensity of staff communications or information flows by channels. This tool enables security officers to quickly assess the situation, see risks and hot spots, and create a graphic map focused on an information object or a person of interest.
Person summary report
It’s a common case when business managers ask a cybersecurity team to collect intelligence and build a dossier on an employee. It often goes as “What’ve you got on Johnny?”
Dossier, a functionality very well known to Solar Dozor users, aggregates all the information on an employee in a single place. But now you can even build a so-called Person Summary Report over a specific period of time in the blink of an eye. The report is specifically adapted so it can be immediately put on an employee's superior's desk, presented at a meeting, attached to the HR employee record, viewed via the web interface, or exported to PDF and printed. This Person Summary Report contains, as the name suggests, a summary of the employee's activities: a brief description, events and incidents, connections, communications, and files. The report, if needed, can be extended with more details: specific messages, events, and incidents.
Tailored for security officers
The system interface is optimized to accelerate security analyst routines.
Plainly visible Big Data
Special visualizations are used to handle large amounts of monitored events, with less time needed for initial event processing and the most critical events being handled first.
Focus on what really matters
Triggers are highlighted within messages to provide quick insight into where and why a certain monitoring policy rule has triggered.
Ahead of expectations
The system gives tips to analysts on what steps/actions to take next.
Visualized and available data
Data mining is powered by OLAP and BI, followed by an analytical summary that supports drill-down.
Intuitive executive reports
The advanced system generates and emails visual reports to executives and other stakeholders, either one-time or on schedule.
The analytics, investigation, and storage module can be integrated with any third-party DLP.
SolaredINsight 6.4 software suite offers rich diagnostics, administration, configuration, and design capabilities.
- Administration: a variety of system maintenance and status monitoring operations via web interface
- Restricted access to events and incidents for IT admins in order to prevent data compromising by privileged users
- System status monitoring: displaying any errors and system performance concerns so that nothing is missed, with lower operating and maintenance expenses
- System fine-tuning such as network load, CPU utilization, and load balancing across nodes
- Modular structure of the suite: performance, resilience, and speed being adjustable based on the existing tasks, hardware, and traffic. The design helps avoid a single point of failure
- Indicator-defined conditions: email notifications to admins, automatic system actions, and resource utilization forecasts