Anna Popova, Head of the Infosecurity DLP Group, continues to share her impressions of using different DLP systems. This article deals with SearchInform CIB.

The first product on which I want to refresh my knowledge is SearchInform CIB, which is quite logical, since I have worked with this solution longer than with any other, and of course I am very interested in what is happening with the vendor. So I did not refuse the offer made in the comments to test the new version of the software.
I didn't manage to complete a full test by the end of the year, but I did manage to dive a little into what is new.
So, in order.
Analyst console
Anyone who knows me or has read my previous review knows that I have been waiting for an analyst console from the vendor for a long time. And finally, it is out!
Visually, I liked it, because nothing in it looks overloaded (which, it seems to me, would be bad), yet it combines what is convenient to have in one console: the common client, the report center and the profile center.

In the current release the alert center is not built into it (it was left without any particular visual changes), but that does not bother me, because lately I am more often engaged in spot monitoring of employees than in setting up policies and creating rules for catching all kinds of goodies.
To work with events, I have always been more comfortable with the general client.
Also, the online computer monitoring module (LiveView) was moved out of the common client into the console, which I also liked because I use it quite often. On the other hand, it is convenient that it is separated from the general viewing console; I don't like it when everything is in the same window and one view constantly replaces another.
Well, having all the reports from the former report center in the same console is a big plus.
So I am pleased with this change.
Web version
Cute and also quite simple, an immediate plus for lovers of minimalism. So far it contains the web versions of the alert center and the report center. Administration of the alert center remains in the thick client, but they promise to move it to the web soon as well.

New features
File auditor
The new module, which now acts as a universal storage scanner with the ability to capture shadow copies and mark up documents. Previously, this task had to be solved by two different modules: the file controller and the IRS. The latter, by the way, has also been redesigned and has become much faster and more convenient to set up.
Cloud Storage Scan
This will most likely be in demand, because more and more companies move to the clouds every day. In essence, it is also a scanner that collects shadow copies, marks up files and lets you work with them, including through alert center policies.
Removable media
Shadow copying of files on removable media.
That's cool, really. I have personally had so many problems when I really needed to see what was in the files on a flash drive that an employee had connected to the computer. You sit for a long time trying to catch a moment in the video, hoping that the employee opened them at least partially.
Encryption of data written to media. It will be useful for some: fewer problems with additional encryption for flash drives.
Fine-tuning of write access to media, by file size, for example.
Keylogger
There is now a checkbox which, when ticked, means you no longer have to close your eyes while monitoring: you simply stop seeing passwords.
Rejoice, freedom fighters and riders of the GDPR!
Interception of instant messengers
One of the most popular questions from customers, I think. And they like to ask even about messengers that are not used in the company at all, or are used by one person. Anyway.
So here it is. The new CIB intercepts all of our favorites, WhatsApp, Telegram and Viber, in both versions: web and desktop. By the way, this is apparently an exclusive, as far as WhatsApp is concerned for sure.
Work mail in blocking mode
There is support for all the most used protocols: IMAP, NNTP, POP3, SMTP, HTTP(S), and MAPI.
Interception is implemented for all of the above, including with S/MIME. Blocking is available for outgoing protocols, again including MAPI and S/MIME.
Desktop video and webcams
A webcam image control module has appeared, so each incident now has a “human face”. As with screenshots, you can enable recording only in conjunction with certain processes or even sites.
Linux
Traffic control on the entire Astra Linux, Ubuntu and CentOS family. They promise that a device sniffer will be added soon.
Agents
One of my favorites.
Agent monitoring has been added. If an agent does not contact the server for some time, it will be reinstalled.
And now the agent needs only Internet access to connect to the server for updates; it does not even have to be inside the corporate network.
Report Center
It is no longer a separate entity. Hallelujah! And we can forget about the constant synchronization of its databases: it now runs cyclically.
Profile center
Its benefits are obvious to me. Why catch incidents after the fact if some of them can be foreseen? And knowing your employees by more than just their faces is my bread and butter.
It is difficult for me to say how this works technically, but visually its tab looks very modest and minimalist, which means you don’t have to worry about the settings.
Honestly, who cares how these algorithms work. The people who developed this product have obviously devoted many years to profiling and working with real people. It would be quite strange if such development were done by people who may be super-developers and super-engineers but understand nothing about psychology.
It needs testing. There is a market need for such a product, especially in security services and very advanced HR departments. Well, at least it has no competitors in the Russian UBA and DLP market.
According to the vendor, on average you need 1-2 months to accumulate data to build a reliable employee portrait. Yes, instant brain-sucking through the ear, as in the films, does not work yet, if anyone was dreaming of it.
Search speed
I can’t say anything about the search speed or whether anything has changed in it; you cannot tell by visual analysis. The developer talks about the release of a fundamentally new search engine, free of the old problems. This is explained by the new x64 architecture, which has no software limitations on memory, cores and threads (as the old engine did). From a technical point of view it sounds quite reasonable, but I don’t presume to judge the actual speed. That needs data. Lots of real data ...
Once again, the digest:
- the interface has not lost its simplicity and clarity;
- the common client married the report center and adopted the profile center; this is how a friendly family turned out: the analyst console;
- the alert center does not give up yet and lives in a separate apartment;
- LiveView is now in a separate window of the combined console;
- the keylogger surrendered and turned on a mode that prohibits password collection;
- agents have learned to deal with the cruelty of this world and now use automatic reinstallation, monitoring of their own health, and other goodies;
- the mysterious profile center looks very friendly;
- shadow copies of data stored on a flash drive, for security officers who are especially interested in their work;
- when you are morally ready to move to Linux, you can already begin to rejoice;
- the file controller atavism has been reincarnated as a cool scanner with data markup;
- carts, sleds, skis and other WhatsApps: we are not afraid of you, we intercept you in all poses;
- cloud scanning for those who keep up with the times.
Well, I tried to skim the cream off the surface and analyze the main changes in CIB a little.
I hope that I will have the opportunity to dive deeper into the new CIB and tell you many more interesting things.
Maybe I will even interview the vendor with provocative questions and show all that is hidden.
Until we meet again, DLP-dependent!
Anna Popova, Head of the DLP Block, Infosecurity, a Softline company