SEARCHINFORM DLP CAPABILITIES
Contents
  SearchInform DLP Capabilities ...... 3
  1 Capabilities of EndpointController Interception Modules for Windows ...... 3
  2 Capabilities of NetworkController Interception Modules ...... 8
  3 Capabilities of NetworkController Integration with Mail Servers, Lync (Skype for Business) and ISA/TMG ...... 10
  4 Capabilities of EndpointController Interception Modules for Linux (Ubuntu, CentOS, Rosa, Gos, Astra) ...... 11
  5 Blocking Capabilities in SearchInform DLP ...... 12
  5.1 Blocking at the Level of Agent ...... 12
  5.2 Blocking at the Level of Network ...... 13
  5.3 Blocking Email at the Level of Workstation or Mail Server (Agent) ...... 14
  6 Protection of Data at Rest ...... 15
SEARCHINFORM DLP CAPABILITIES
SearchInform Data Loss Prevention (SearchInform DLP) is used to collect and analyse information flows within the local computer network. Data can be captured in two ways, depending on the server component: SearchInform EndpointController or SearchInform NetworkController. Server components are the platforms on which data interception modules operate. Each interception module operates as a traffic analyzer and controls its own data transmission channel. This document provides detailed capabilities of interception modules of SearchInform DLP server components.
1 CAPABILITIES OF ENDPOINTCONTROLLER INTERCEPTION MODULES FOR WINDOWS
The table shows capabilities of SearchInform EndpointController that operates through agents installed on network workstations.
Columns: Module / Features / Capabilities

Module: KeyLogger
Features:
  1. Capturing key strokes
  2. Capturing function keys
  3. Capturing text from clipboard
Capabilities:
  • Filtration for Users/Groups or processes
  • Capability to exclude system actions
  • Capability to exclude interception of passwords
  • Blocking PrintScreen keystroke
  • Interception of only keyboard keys/clipboard/all
  • Set up of clipboard size

Module: FileController
Features:
  • Control of any event of file system (creating, changing, opening, deleting, etc.) for files or folders
Capabilities:
  • Filtration for Users/Groups or processes
  • Capability to exclude system actions
  • Audit of changes of file/folder access rights
  • Capability to exclude audit of temporary MS Office files

Module: CameraController
Features:
  1. Taking snapshots
  2. Recording video
  3. Connecting to camera in real time
Capabilities:
  • Capability to set up interval for taking snapshots, options of video recording, particular options for selected applications, users, URLs

Module: Cloud & SharePoint
Features:
  1. Google Docs
  2. OneDrive
  3. Office 365
  4. Dropbox
  5. Evernote
  6. Yandex.Disk
  7. Cloud.mail.ru
  8. Amazon S3
  9. iCloud
  10. DropMeFiles
  11. OwnCloud
  12. SharePoint
Capabilities:
  • N/a

Module: FTPController
Features:
  • Capturing files sent over FTP protocol
Capabilities:
  • Maximum size of a captured file, update interval, timeouts of last activity
Module: ProgramController
Features:
  • Control of time spent in applications and on websites
  • Control of time spent on websites is possible in the following browsers: Internet Explorer (from version 8), Mozilla Firefox (from version 50.1.0), Google Chrome (from version 55.0.2883.87), Yandex Browser (16.11.0.2680), Opera (Presto) (36.0.2130.80), Opera (Chromium), Safari, Tor Browser, Netscape Navigator, Amigo (from version 54.0.2840.189), Sputnik (from version 2.1.1051.0), Flock (02.06.2001), Avant Browser, Lunascape, Maxthon, SeaMonkey, K-Meleon, SlimBrowser, Edge (from version 38.14), Comodo Dragon (from version 52.15.25.664), CoolNovo (2.0.9.20), Cốc Cốc (from version 56.3.150), Titan Browser (from version 33.0.1712.0 (235591)), Uran (from version 43.0.2357.134)
Capabilities:
  • Filtration for Users/Groups or processes
  • Capability to exclude system actions
  • Capability to disable audit of activity on websites

Module: PrintController
Features:
  1. Control of printing on local printers
  2. Control of printing on network printers
  3. Control of printing on virtual printers
Capabilities:
  • Options of quality (compression) for images
  • Filtration by users, processes, description, printer, and location
  • Feature of blocking Escape functions (control of a printer by escape commands)

Module: HTTPController
Features:
  1. Capturing POST queries
  2. Capturing GET queries
Capabilities:
  • Limitation by minimum size of POST query
  • Limitation by intercepted nodes, IP addresses, ports, type (SSL/no SSL), processes
  • Capability to add a list of anonymizers
  • Capability to block SPDY and QUIC
  • Capability to exclude MIME types (audio, video, images)
Module: MonitorController
Features:
  1. Taking screenshots
  2. Video recording of user’s actions
  3. Connecting to a user’s screen in real-time mode
Capabilities:
  • Capability to set up interval of taking screenshots, interval of taking screenshots of Skype video conferences and for URLs, particular options for selected applications, users; color settings, settings for several monitors
  • Capability to adjust color and exclude background; frame frequency settings
  • Capability to configure a schedule and operating mode (for all/for selected)
  • Capability to specify access settings for connection by password or for specified users

Module: MicrophoneController
Features:
  1. Sound recording with a microphone
  2. Connecting to a user’s microphone in real-time mode
  3. Audio recognition (speech-to-text transcription)
Capabilities:
  • Capability to specify settings for profiles In Office/Out of Office: maximum duration, noise reduction, quality of recording, speech recognition, list of software, schedule
  • Capability to configure a schedule of recording
  • Capability to specify access settings for connection by password or for specified users

Module: MailController
Features:
  • Interception of the following protocols: IMAP, MAPI (without encryption), POP3, SMTP, NNTP
  • WebMail as part of: mail.ru, gmail.com, tut.by, yandex.ru, rambler.ru, outlook.com, office 365, ukr.net, yahoo.com, qip.ru, Google Sync, etc.
Capabilities:
  • General settings: filtration by sender, recipient, domain user, subject, protocol, size, number of recipients
  • Individual settings for WebMail: capability to activate/deactivate interception of incoming email messages
  • Blocking outgoing (SMTP) email messages by content and/or context criteria
Module: IMController
Features:
  Interception of the following protocols:
  1. ICQ
  2. MMP (mail.ru agent)
  3. XMPP (Jabber)
  4. MSN
  5. Gadu-Gadu
  6. Lync
  7. Viber
  8. Telegram
  9. HTTPIM as part of: vk.com, ok.ru, facebook.com, mamba.ru, my.mail.ru, LinkedIn, Evernote, Google+, Yammer, Fotostrana, Web-Skype, icq.com, etc.
Capabilities:
  • Interception of contact list
  • Capturing chats, calls, files, contacts; settings of maximum file size, sound and duration
  • Capturing chats, calls, files, contacts, message history; settings of maximum file size, sound and duration
  • Audio recognition (speech-to-text transcription)

Module: SkypeController
Features:
  • Capturing calls, messages, files, SMS via Skype for desktop
Capabilities:
  • Capturing chats, calls, files, contacts, SMS, message history
  • Settings of maximum file size, sound and duration
  • Audio recognition (speech-to-text transcription)
Module: DeviceController
Features:
  a) Audit + Block of access:
    1. USB HID devices (except keyboard and mouse)
    2. Printers (USB)
    3. Bluetooth adapters (USB)
    4. Scanners (USB)
    5. All USB devices (except concentrators)
    6. COM ports
    7. LPT ports
    8. Bluetooth
    9. Printers
    10. IR ports
    11. Media devices
    12. HID devices (except keyboard and mouse)
    13. Keyboard and mouse
    14. FireWire
    15. Smart cards
    16. PDA
    17. Tape device
    18. Block of folders
    19. Block of disks
  b) Only block of access:
    1. Modems
    2. Wi-Fi
  c) Audit + Block of access + Shadow copy:
    1. USB devices
    2. CD/DVD-ROM
    3. Cameras/Scanners
    4. Floppy disks
    5. SCSI
    6. Network folders
    7. RDP disks
    8. Portable devices of Windows: Android, Apple, Blackberry, Palm, Windows Phone, all portable devices
  d) Available blockings:
    1. USB devices
    2. Block at the start of software
    3. CD/DVD-ROM
    4. Floppy disks
    5. SCSI
    6. Network folders
    7. Clipboard
    8. RDP disks
    9. Portable devices of Windows
    10. Processes
Capabilities:
  General capabilities:
    • Maximum size of a processed file
    • Exclusion of system users
    • Black and white lists by type, device, manufacturer, serial number, user, computer
  Capabilities for A group:
    • Users/Groups
    • Computers
    • Full right access/No access
    • Audit On/Off
    • Exclusion of system users
  Capabilities for B group:
    • Users/Groups
    • Computers
    • Full right access/No access
  Capabilities for C and D groups (capabilities described above, as well as):
    • Shadow copy by file name, file type, process, user, computer
    • Access by file name, file type, process, user, and computer
    • Shadow copy of data stored on device
Module: Data encryption
Features:
  • Encryption of all data types sent to external USB storage devices using a unique key (generated by user)
Capabilities:
  • Encryption is available for selected users or groups
  • For encrypted files you can configure access settings for:
    • All users except specified
    • Only specified users
  • A file can be opened only if the agent is available and there is a permission to open it
  • Black/white list settings are also available for encryption
  • You can configure settings of shadow copy so that ONLY encrypted files will be captured

Module: SSL notifications
Features:
  • Notifications about failed attempts of agents to trap a connection¹
Capabilities:
  • Automatic addition of such connections to exclusions
  • Filtration by time, computer, user, process, and type

Module: Audit of technical data
Features:
  Audit of technical data from PCs with agents²:
  • Installed software
  • Hardware configuration
  • Active user
  • Status of agent and computer
  • Free space on disk
  • Last agent’s activity
  • Audit of data of task manager
Capabilities:
  • N/a
2 CAPABILITIES OF NETWORKCONTROLLER INTERCEPTION MODULES
Below is a table of features of SearchInform NetworkController operating either with network data capture using SPAN technology (port mirroring) or with integration with a proxy server³. Blocking capability is available only with integration with a proxy server over ICAP.

¹ This report can be created only together with HTTPController.
² The feature is available regardless of the protocols used. Licensing is not required.
³ All connections established with SSL can be captured only together with integration with a proxy server, or via a certificate substitution scheme + SPAN on specific equipment.
Columns: Module / Where available / Features / Capabilities

Module: Cloud & SharePoint
Where available:
  • Full-fledged operation, as a rule, in ICAP (all connections are encrypted)
  • Or certificate substitution + SPAN (for example, with Palo Alto equipment)
Features:
  Interception of the following services via web interface (not using application!):
  1. Interception of the Google Docs service
  2. Interception of the OneDrive (Microsoft) service
  3. Interception of the Office 365 (Office Online) service
  4. Interception of the Dropbox service
  5. Interception of the Evernote service
  6. Interception of the Yandex.Disk service
  7. Interception of the Cloud.mail.ru service
  8. Interception of SharePoint
Capabilities:
  • Limitation by ports
  • Filtration by hosts, sender, size and content
  • Block by attributes is available⁴

Module: MailController
Where available:
  • SPAN: all is available
  • ICAP: only web mail
Features:
  • Interception of the following protocols: IMAP, MAPI (without encryption), POP3, SMTP, NNTP
  • WebMail as part of: mail.ru, gmail.com, tut.by, yandex.ru, rambler.ru, outlook.com, office 365, ukr.net, yahoo.com, qip.ru, Google Sync
Capabilities:
  • General settings: filtration by sender, recipient, domain user, subject, protocol, size, port
  • Individual settings for WebMail: capability to deactivate/activate interception of incoming messages
  • Capability to block WebMail by attributes

Module: HTTPController
Where available:
  • SPAN and ICAP both
  • GET will not work for some proxy servers***
Features:
  • Capturing POST queries
  • Capturing GET queries
Capabilities:
  • Limitation by minimum size of POST query
  • Limitation by intercepted nodes, IP, ports, sender, size
  • Capability to add a list of anonymizers
  • You can configure blocking by attributes

Module: FTPController
Where available:
  • SPAN and ICAP both
Features:
  • Capturing files sent over FTP
Capabilities:
  • Maximum size of a captured file, update interval, timeouts of last activity

⁴ Blocking is available only via the ICAP scheme; it does not work with SPAN!
Module: IMController
Where available:
  • SPAN: all is available
  • ICAP: only web IM
Features:
  • Interception of the following protocols: ICQ, MMP (mail.ru agent), XMPP (Jabber), MSN, YAHOO!
  • HTTPIM as part of: vk.com, ok.ru, facebook.com, mamba.ru, my.mail.ru, LinkedIn, Evernote, Google+, Yammer, Fotostrana, Web-Skype, icq.com
Capabilities:
  • Limitation by captured nodes, IP, ports, sender, size
  • Capability to add a list of anonymizers
  • Capability of capturing any specified protocol using HTTP tunneling
  • Capability to block Web IM by attributes

Module: Telephony
Where available:
  • Only SPAN
Features:
  • Capturing audio calls and text messages of SIP telephony via the standards: GSM, A-Law, u-Law, G.722
Capabilities:
  • Capability to limit by ports, users, computers, IP addresses, and MAC addresses
*** The following proxy servers operate in full (incoming and outgoing traffic): SQUID, BLUE COAT, MCAFEE, WEBSENSE (ForcePoint), ISA/TMG. The following proxy servers support only outgoing traffic: FortiGate, Check Point. The list is not exhaustive; it contains the proxies tested by SearchInform experts for compatibility with the SearchInform DLP solution.
3 CAPABILITIES OF NETWORKCONTROLLER INTEGRATION WITH MAIL SERVERS, LYNC (SKYPE FOR BUSINESS) AND ISA/TMG
Columns: Module / Where available / Features/Capabilities

Module: Lync/Skype for Business
Where available:
  • Interception: chats
  • Audit: calls, files
Features/Capabilities:
  • In the integration mode, only messages will be intercepted properly. Sent files and calls will be registered in audit, but their content will remain unavailable.
  • It is recommended to use the EndpointController platform for full-fledged interception of files and calls.

Module: ISA/TMG
Where available:
  1. Interception of POST queries
  2. Interception of GET queries
Features/Capabilities:
  • The solution is fully operational in terms of data capturing, but it cannot block because of the peculiarities of the TMG architecture (this proxy does not support ICAP, which is why a separate integration module is used).
Module: Mail servers
Where available:
  1. Control of corporate email boxes via POP3 and IMAP
  2. Control of corporate email boxes via EWS
  3. Interception of SMTP
Features/Capabilities:
  • These integration methods are not tied to particular manufacturers or versions of mail servers (excluding EWS). They are general and can be used in Exchange, Lotus, Postfix and even a number of public mail servers.
4 CAPABILITIES OF ENDPOINTCONTROLLER INTERCEPTION MODULES FOR LINUX (UBUNTU, CENTOS, ROSA, GOS, ASTRA)
Columns: Module / Features / Capabilities

Module: Cloud & SharePoint
Features:
  Interception of the following services working via web interface (not using application!): Google Docs, OneDrive, Office 365, Dropbox, Evernote, Yandex.Disk, Cloud.mail.ru, Amazon S3, iCloud, DropMeFiles, Own Cloud
Capabilities:
  • N/a

Module: FTPController
Features:
  • Capturing files sent over FTP protocol
Capabilities:
  • Maximum size of a captured file, update interval, timeouts of last activity

Module: HTTPController
Features:
  1. Capturing POST queries
  2. Capturing GET queries
Capabilities:
  • Limitation by minimum size of POST query
  • Limitation by intercepted nodes, IP addresses, ports, type (SSL/no SSL), processes
  • Capability to add a list of anonymizers
  • Capability to block SPDY and QUIC
  • Capability to exclude MIME types (audio, video, images)

Module: MailController
Features:
  • Interception of the following protocols: IMAP, MAPI (without encryption), POP3, SMTP, NNTP
  • WebMail as part of: mail.ru, gmail.com, tut.by, yandex.ru, rambler.ru, outlook.com, office 365, ukr.net, yahoo.com, qip.ru, Google Sync
Capabilities:
  • General settings: filtration by sender, recipient, domain user, subject, protocol, size
  • Individual settings for WebMail: capability to activate/deactivate interception of incoming email messages
Module: IMController
Features:
  Interception of the following protocols:
  1. ICQ
  2. MMP (mail.ru agent)
  3. XMPP (Jabber)
  4. MSN
  5. HTTPIM as part of: vk.com, ok.ru, facebook.com, mamba.ru, my.mail.ru, LinkedIn, Evernote, Google+, Yammer, Fotostrana, Web-Skype, webim.ru
Capabilities:
  • Individual settings for: 1. Interception of contact list

Module: SSL notifications
Features:
  • Notifications about unsuccessful attempts of the agent to trap a connection
Capabilities:
  • Automatic addition of such connections to exclusions
  • Filtration by time, PC, user, process and type
5 BLOCKING CAPABILITIES IN SEARCHINFORM DLP
SearchInform Data Loss Prevention not only performs a detailed audit of data in transit and creates shadow copies of documents, but also allows blocking data transfer over a wide range of data channels. The list of channels that can be controlled and the list of channels that can be blocked differ, so below we provide a detailed description of the blocking capabilities of SearchInform DLP. Blocking can be performed at different levels: while transmitting data over the network, on an endpoint, and using the customer’s mail server.
5.1 BLOCKING AT THE LEVEL OF AGENT
  • Blocking any connected device by its type, serial number and other attributes. For example, blocking COM and LPT ports, printers, scanners, etc. The first table in the document provides the full list of capabilities of the DeviceController module.
  • Blocking data sending to storage devices (USB, CD/DVD, SCSI, etc.)
  • Blocking software launch, including portable versions
  • Blocking data transmission when working with remote desktop (via connected disks, network folders and clipboard)
  • Blocking by type of connected device (Android, Apple, Blackberry, Palm, Windows Phone, etc.)
  • Blocking wireless networks and interfaces (Wi-Fi and Bluetooth)
  • Blocking data transmission to network storages (SMB)
  • Blocking operation with local folders
  • Blocking operation with local disks
5.2 BLOCKING AT THE LEVEL OF NETWORK
The system also allows blocking HTTP(S) network traffic according to transmitted text, selected users, hosts, URI, POST, GET and many other attributes*. Besides prohibiting transmission of specified text, such blocking allows implementing secure schemes for working with web mail, chats, forums and cloud storages. For example, it is possible to block sending a file from the company’s network to a cloud storage (downloading remains available). It is also possible to block saving drafts and attachments when working with web mail, to block uploads to a social network (without blocking other functionality of the social network), and much more.
* Blocking rule attributes (Method / Options / Can contain):
  Text
    All words: text or regular expression
    Any word: text or regular expression
    Exact word or phrase: text or regular expression
    None of the given words: text or regular expression
  Date
    Equal: date/month/year
    NE: date/month/year
    In range: range of dates/months/years
    Out of range: range of dates/months/years
  Time
    In range: hours
    Out of range: hours
  Day of week
    Equal: days of week
    NE: days of week
  User
    Equal: users
    NE: users
  IP address
    Local address: address or range of addresses
    Remote address: address or range of addresses
  HTTP method
    GET, POST, CONNECT, PUT
  Web field
    URI: contains, missing, present, starting with, ending with, equal, NE, in range, out of range, etc.
    HOST: contains, missing, present, starting with, ending with, equal, NE, in range, out of range, etc.
    USER-AGENT: contains, missing, present, starting with, ending with, equal, NE, in range, out of range, etc.
    Content-length: contains, missing, present, starting with, ending with, equal, NE, in range, out of range, etc.
This option is available at the network level, for both unencrypted and SSL traffic. Blocking can be applied to PCs and other network equipment inside a company regardless of the connection type (Ethernet or Wi-Fi) for HTTP(S) or FTP(S) traffic.
Combining these rules, one can fine-tune blocking of whole services or of particular features of those services. For example:
  • The rule (Web field HOST contains mail.ru) AND (Web field URI contains attaches/add) blocks saving or sending attachments in mail.ru via the web interface.
  • The rule (Web field HOST contains vk.com) AND (Web field URI contains act=do_add or act=add_doc or act=album_photo) blocks uploading files to vk.com.
  • The rule (Web field URI contains /objects) AND (Web field HOST contains api.asm.skype.com) AND (HTTP method = PUT) blocks sending files over web Skype.
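The three rules above, evaluated against constructed sample requests, as an added example that is not SearchInform's own code: the rule grammar (host/URI "contains", method "equal", OR inside a condition, AND between conditions), the field names and the sample requests are assumptions made for illustration.

```python
# Added example, not SearchInform's code: a small evaluator for the HTTP(S)
# blocking rules of section 5.2. The rule grammar, field names and sample
# requests are constructed assumptions; the three rules are the ones in the text.
from dataclasses import dataclass


@dataclass
class Request:
    host: str      # value of the HOST web field
    uri: str       # value of the URI web field (path and query)
    method: str    # HTTP method


@dataclass
class Cond:
    """One 'Web field' or 'HTTP method' condition; several values in one
    condition are ORed (e.g. 'act=do_add or act=add_doc')."""
    field: str      # "host", "uri" or "method"
    op: str         # "contains" or "equal"
    values: tuple

    def matches(self, req: Request) -> bool:
        actual = getattr(req, self.field).lower()   # case-insensitive match
        return any(
            (self.op == "contains" and v.lower() in actual)
            or (self.op == "equal" and v.lower() == actual)
            for v in self.values)


@dataclass
class Rule:
    """The conditions of one rule are ANDed, as in the page's examples."""
    name: str
    conds: list

    def matches(self, req: Request) -> bool:
        return all(c.matches(req) for c in self.conds)


RULES = [
    Rule("mail.ru attachments",
         [Cond("host", "contains", ("mail.ru",)),
          Cond("uri", "contains", ("attaches/add",))]),
    Rule("vk.com uploads",
         [Cond("host", "contains", ("vk.com",)),
          Cond("uri", "contains", ("act=do_add", "act=add_doc", "act=album_photo"))]),
    Rule("web Skype file send",
         [Cond("uri", "contains", ("/objects",)),
          Cond("host", "contains", ("api.asm.skype.com",)),
          Cond("method", "equal", ("PUT",))]),
]


def decide(req: Request, rules=RULES):
    """("block", rule name) for the first matching rule, else ("allow", None)."""
    for rule in rules:
        if rule.matches(req):
            return "block", rule.name
    return "allow", None


# Constructed sample traffic: uploads are blocked, reading and browsing stay
# allowed, and a GET on the Skype objects endpoint passes because every
# condition of a rule must hold (that rule also requires method PUT).
SAMPLES = [
    Request("e.mail.ru", "/api/v1/attaches/add", "POST"),
    Request("e.mail.ru", "/inbox/", "GET"),
    Request("vk.com", "/upload.php?act=add_doc&hash=abc", "POST"),
    Request("vk.com", "/feed", "GET"),
    Request("api.asm.skype.com", "/v1/objects", "PUT"),
    Request("api.asm.skype.com", "/v1/objects/x/views/imgpsh_fullsize", "GET"),
]


def evaluate_samples(samples=SAMPLES):
    """Decision for each sample request, in order."""
    return [decide(r) for r in samples]
```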
5.3 BLOCKING EMAIL AT THE LEVEL OF WORKSTATION OR MAIL SERVER (AGENT)
The system also allows blocking outgoing corporate email. It is implemented via a blocking agent installed on the destination mail server (edge) or on the local PC, with subsequent checking of all outgoing correspondence. An email message violating security policies is stopped before being checked manually. After it is checked, the message is either blocked or sent to the destination. Blocking can be:
  • Context: sender, recipient, file type (over 114 formats**), size, attachment and many other attributes
  • Content: based on the presence of confidential data in transmitted documents, for example digital fingerprints, phrases, synonyms, morphological forms, regular expressions, encrypted attachments, images visually similar to passports, credit cards, documents containing official stamps, falsified documents.
6 PROTECTION OF DATA AT REST
SearchInform DLP can audit and detect confidential data inside files in the following data storages:
  • Local PCs (Windows)
  • Roaming user profiles (in Active Directory or Novell eDirectory)
  • Network folders (Windows, Linux, Unix, Mac)
  • Corporate NAS (Synology, HP, QNAP, etc.)
  • Corporate storages SharePoint
  • Text fields in popular DBMSs (MS SQL, MySQL, PostgreSQL, Oracle, etc.)
  • Databases of web sites
  • Web mail
  • Cloud storages (Dropbox, etc.): under development
  • Personal portable storage devices (USB HDD, flash drives): when connected to corporate equipment
  • Personal mobile devices (telephones, tablets): when connected to corporate equipment in file system access mode
** Below is a non-exhaustive list of formats that SearchInform DLP can operate with. Additionally, it is possible to create your own file types and assign parsers to them (process as binary, text, XML, etc.).
  o MS Office files: DOC, DOCX, DOT, XLS, XLSX, XLSB, XLSM, XLTX, XLTM, XLT, PPT, POT, PPTX, RTF, VSD, VST, VSDX, XLA
  o Local database files: MDB
  o Internet files: HTM, HTML, SHTML, CSS, JS, MAFF
  o Mail files: MSG, EML
  o Audio/Video: MP3, AVI, WAV
  o OpenOffice.org: SXW, STW, ODT, ODS
  o CAD files: DWG, DXF
  o Image files: JPG, JPEG, TIF, TIFF, BMP, PNG, GIF, CDR
  o Old text formats: LEX
  o (category heading not recoverable from the source): XML, LST, CHM, BAT, LOG, INI, WRI, MHT, HLP
  o Archive files: 7Z, ARJ, RAR, ZIP, JAR, TAR, ISO, GZ, GZIP, TGZ, TPZ, CAB, LZH, LHA, Z, TAZ, LZMA, BZ2, BZIP2, TBZ2, TBZ, HFS, 001
  o Windows program files: TXT, CSV, PDF, DJVU
  o (category heading not recoverable from the source): CPP, HPP, C, C++, H, CS, SQL, JSP, ASP, ASPX, PHP, SH, WSDL, PY, PL, INC, VB, VBS, CMD
  o Programming files (Power Builder): SRA, SRJ, SRW, SRU, SRM, SRS, SRF, SRD, SRQ, SRP
  o Programming files: JAVA, PAS, DFM, DPR, BAS
INDIA CONTACT
BD SOFTWARE DISTRIBUTION PVT. LTD.
1209, 12th Floor, Satra Plaza, Plot No. 19 & 20, Sector 19d, Vashi, Navi Mumbai - 400703, MAHARASHTRA.
Phone: +91 829 160 1105
E-mail: [email protected]