Page 1: SEARCHINFORM DLP CAPABILITIES · 2020. 7. 27. · Each interception module operates as a traffic analyzer and controls its own data transmission channel. This document provides detailed

SEARCHINFORM DLP CAPABILITIES


Contents

SearchInform DLP Capabilities ..... 3
1 Capabilities of EndpointController Interception Modules for Windows ..... 3
2 Capabilities of NetworkController Interception Modules ..... 8
3 Capabilities of NetworkController Integration with Mail Servers, Lync (Skype for Business) and ISA/TMG ..... 10
4 Capabilities of EndpointController Interception Modules for Linux (Ubuntu, CentOS, Rosa, Gos, Astra) ..... 11
5 Blocking Capabilities in SearchInform DLP ..... 12
5.1 Blocking at the Level of Agent ..... 12
5.2 Blocking at the Level of Network ..... 13
5.3 Blocking Email at the Level of Workstation or Mail Server (Agent) ..... 14
6 Protection of Data at Rest ..... 15


SEARCHINFORM DLP CAPABILITIES

SearchInform Data Loss Prevention (SearchInform DLP) is used to collect and analyse information flows within the local computer network. Data can be captured in two ways, depending on the server component: SearchInform EndpointController or SearchInform NetworkController. Server components are the platforms on which data interception modules operate. Each interception module operates as a traffic analyzer and controls its own data transmission channel.

This document describes in detail the capabilities of the interception modules of the SearchInform DLP server components.

1 CAPABILITIES OF ENDPOINTCONTROLLER INTERCEPTION MODULES FOR WINDOWS

The table below shows the capabilities of SearchInform EndpointController, which operates through agents installed on network workstations. Each entry lists the module, its features and its capabilities.

KeyLogger
Features: 1. Capturing keystrokes 2. Capturing function keys 3. Capturing text from clipboard
Capabilities:
Filtration for Users/Groups or processes
Capability to exclude system actions
Capability to exclude interception of passwords
Blocking PrintScreen keystroke
Interception of only keyboard keys/clipboard/all
Set-up of clipboard size

FileController
Features: Control of any event of the file system (creating, changing, opening, deleting, etc.) for files or folders
Capabilities:
Filtration for Users/Groups or processes
Capability to exclude system actions
Audit of changes of file/folder access rights
Capability to exclude audit of temporary MS Office files

CameraController
Features: 1. Taking snapshots 2. Recording video 3. Connecting to camera in real time
Capabilities: Capability to set up interval for taking snapshots, options of video recording, particular options for selected applications, users, URLs

Cloud & SharePoint
Features: 1. Google Docs 2. OneDrive 3. Office 365 4. Dropbox 5. Evernote 6. Yandex.Disk 7. Cloud.mail.ru 8. Amazon S3 9. iCloud 10. DropMeFiles 11. OwnCloud 12. SharePoint
Capabilities: N/a

FTPController
Features: Capturing files sent over FTP protocol
Capabilities: Maximum size of a captured file, update interval, timeouts of last activity


ProgramController
Features: Control of time spent in applications and on websites. Control of time spent on websites is possible in the following browsers:
Internet Explorer (from version 8)
Mozilla Firefox (from version 50.1.0)
Google Chrome (from version 55.0.2883.87)
Yandex Browser (16.11.0.2680)
Opera (Presto) (36.0.2130.80)
Opera (Chromium)
Safari
Tor Browser
Netscape Navigator
Amigo (from version 54.0.2840.189)
Sputnik (from version 2.1.1051.0)
Flock (02.06.2001)
Avant Browser
Lunascape
Maxthon
SeaMonkey
K-Meleon
SlimBrowser
Edge (from version 38.14)
Comodo Dragon (from version 52.15.25.664)
CoolNovo (2.0.9.20)
Cốc Cốc (from version 56.3.150)
Titan Browser (from version 33.0.1712.0 (235591))
Uran (from version 43.0.2357.134)
Capabilities:
Filtration for Users/Groups or processes
Capability to exclude system actions
Capability to disable audit of activity on websites

PrintController
Features: 1. Control of printing on local printers 2. Control of printing on network printers 3. Control of printing on virtual printers
Capabilities:
Options of quality (compression) for images
Filtration by users, processes, description, printer, and location
Feature of blocking Escape functions (control of a printer by escape commands)

HTTPController
Features: 1. Capturing POST queries 2. Capturing GET queries
Capabilities:
Limitation by minimum size of POST query
Limitation by intercepted nodes, IP addresses, ports, type (SSL/no SSL), processes
Capability to add a list of anonymizers
Capability to block SPDY and QUIC
Capability to exclude MIME types (audio, video, images)


MonitorController
Features: 1. Taking screenshots 2. Video recording of user's actions 3. Connecting to a user's screen in real-time mode
Capabilities:
Capability to set up interval of taking screenshots, interval of taking screenshots of Skype video conferences and for URLs, particular options for selected applications, users; color settings, settings for several monitors
Capability to adjust color and exclude background; frame frequency settings
Capability to configure a schedule and operating mode (for all/for selected)
Capability to specify access settings for connection by password or for specified users

MicrophoneController
Features: 1. Sound recording with a microphone 2. Connecting to a user's microphone in real-time mode 3. Audio recognition (speech-to-text transcription)
Capabilities:
Capability to specify settings for profiles In Office/Out of Office: maximum duration, noise reduction, quality of recording, speech recognition, list of software, schedule
Capability to configure a schedule of recording
Capability to specify access settings for connection by password or for specified users

MailController
Features: Interception of the following protocols: IMAP, MAPI (without encryption), POP3, SMTP, NNTP, WebMail as part of: mail.ru, gmail.com, tut.by, yandex.ru, rambler.ru, outlook.com, Office 365, ukr.net, yahoo.com, qip.ru, Google Sync, etc.
Capabilities:
General settings: filtration by sender, recipient, domain user, subject, protocol, size, number of recipients
Individual settings for WebMail: capability to activate/deactivate interception of incoming email messages
Blocking outgoing (SMTP) email messages by content and/or context criteria


IMController
Features: Interception of the following protocols: 1. ICQ 2. MMP (mail.ru agent) 3. XMPP (Jabber) 4. MSN 5. Gadu-Gadu 6. Lync 7. Viber 8. Telegram 9. HTTPIM as part of: vk.com, ok.ru, facebook.com, mamba.ru, my.mail.ru, LinkedIn, Evernote, Google+, Yammer, Fotostrana, Web-Skype, icq.com, etc.
Interception of contact list
Capturing chats, calls, files, contacts; settings of maximum file size, sound and duration
Capabilities:
Capturing chats, calls, files, contacts, message history; settings of maximum file size, sound and duration
Audio recognition (speech-to-text transcription)

SkypeController
Features: Capturing calls, messages, files, SMS via Skype for desktop
Capabilities:
Capturing chats, calls, files, contacts, SMS, message history
Settings of maximum file size, sound and duration
Audio recognition (speech-to-text transcription)


DeviceController
Features:
a) Audit + Block of access:
1. USB HID devices (except keyboard and mouse)
2. Printers (USB)
3. Bluetooth adapters (USB)
4. Scanners (USB)
5. All USB devices (except concentrators)
6. COM ports
7. LPT ports
8. Bluetooth
9. Printers
10. IR ports
11. Media devices
12. HID devices (except keyboard and mouse)
13. Keyboard and mouse
14. FireWire
15. Smart cards
16. PDA
17. Tape device
18. Block of folders
19. Block of disks
b) Only block of access:
1. Modems
2. Wi-Fi
c) Audit + Block of access + Shadow copy:
1. USB devices
2. CD/DVD-ROM
3. Cameras/Scanners
4. Floppy disks
5. SCSI
6. Network folders
7. RDP disks
8. Portable devices of Windows: Android, Apple, Blackberry, Palm, Windows Phone, All portable devices
d) Available blockings:
1. USB devices
2. Block at the start of software
3. CD/DVD-ROM
4. Floppy disks
5. SCSI
6. Network folders
7. Clipboard
8. RDP disks
9. Portable devices of Windows
10. Processes
Capabilities:
General capabilities: maximum size of a processed file; exclusion of system users; black and white lists by type, device, manufacturer, serial number, user, computer
Capabilities for A group: Users/Groups; Computers; Full right access/No access; Audit On/Off; Exclusion of system users
Capabilities for B group: Users/Groups; Computers; Full right access/No access
Capabilities for C and D groups: the capabilities described above, as well as: Shadow copy by file name, file type, process, user, computer; Access by file name, file type, process, user, and computer; Shadow copy of data stored on device


Data encryption
Features: Encryption of all data types sent to external USB storage devices using a unique key (generated by user)
Capabilities:
Encryption is available for selected users or groups
For encrypted files you can configure access settings for:
• All users except specified
• Only specified users
A file can be opened only if the agent is available and there is a permission to open
Black/white list settings are also available for encryption
You can configure settings of shadow copy, where ONLY encrypted files will be captured

SSL notifications
Features: Notifications about failed attempts of agents to trap a connection [1]
Capabilities:
Automatic addition of such connections to exclusions
Filtration by time, computer, user, process, and type

Audit of technical data
Features: Audit of technical data from PCs with agents [2]: installed software, hardware configuration, active user, status of agent and computer, free space on disk, last agent's activity, audit of data of task manager
Capabilities: N/a

2 CAPABILITIES OF NETWORKCONTROLLER INTERCEPTION MODULES

Below is a table of features of SearchInform NetworkController operating under network data capturing using SPAN technology (port mirroring) or under integration with a proxy server [3]. Blocking capability is available only with integration with a proxy server over ICAP.

[1] This report can be created only together with HTTPController.
[2] The feature is available regardless of the protocols used. Licensing is not required.
[3] All connections established with SSL can be captured only together with integration with a proxy server, or with a certificate substitution scheme + SPAN on specific equipment.


Cloud & SharePoint
Where available: Full-fledged operation, as a rule, in ICAP (all connections are encrypted), or certificate substitution + SPAN (for example, with Palo Alto equipment)
Features: Interception of the following services via web interface (not using application!):
1. Interception of the Google Docs service
2. Interception of the OneDrive (Microsoft) service
3. Interception of the Office 365 (Office Online) service
4. Interception of the Dropbox service
5. Interception of the Evernote service
6. Interception of the Yandex.Disk service
7. Interception of the Cloud.mail.ru service
8. Interception of SharePoint
Capabilities:
Limitation by ports
Filtration by hosts, sender, size and content
Block by attributes is available [4]

MailController
Where available: SPAN: all is available; ICAP: only web mail
Features: Interception of the following protocols: IMAP, MAPI (without encryption), POP3, SMTP, NNTP, WebMail as part of: mail.ru, gmail.com, tut.by, yandex.ru, rambler.ru, outlook.com, Office 365, ukr.net, yahoo.com, qip.ru, Google Sync
Capabilities:
General settings: filtration by sender, recipient, domain user, subject, protocol, size, port
Individual settings for WebMail: capability to deactivate/activate interception of incoming messages
Capability to block WebMail by attributes

HTTPController
Where available: SPAN and ICAP both; GET will not work for some proxy servers ***
Features: Capturing POST queries; Capturing GET queries
Capabilities:
Limitation by minimum size of POST query
Limitation by intercepted nodes, IP, ports, sender, size
Capability to add a list of anonymizers
You can configure blocking by attributes

FTPController
Where available: SPAN and ICAP both
Features: Capturing files sent over FTP
Capabilities: Maximum size of a captured file, update interval, timeouts of last activity

[4] Blocking is available only via the ICAP scheme; it does not work with SPAN!


IMController
Where available: SPAN: all is available; ICAP: only web IM
Features: Interception of the following protocols: ICQ, MMP (mail.ru agent), XMPP (Jabber), MSN, YAHOO!, HTTPIM as part of: vk.com, ok.ru, facebook.com, mamba.ru, my.mail.ru, LinkedIn, Evernote, Google+, Yammer, Fotostrana, Web-Skype, icq.com
Capabilities:
Limitation by captured nodes, IP, ports, sender, size
Capability to add a list of anonymizers
Capability of capturing any specified protocol using HTTP tunneling
Capability to block Web IM by attributes

Telephony
Where available: Only SPAN
Features: Capturing audio calls and text messages of SIP telephony via the standards: GSM, A-Law, u-Law, G.722
Capabilities: Capability to limit by ports, users, computers, IP addresses, and MAC addresses

*** The proxy servers listed below operate in full (incoming and outgoing traffic): SQUID, BLUE COAT, MCAFEE, WEBSENSE (ForcePoint), ISA/TMG.
The proxy servers mentioned further support only outgoing traffic: FortiGate, Check Point.
The list is not full and comprehensive. It contains the proxies tested by the SearchInform experts for compatibility with the SearchInform DLP solution.

3 CAPABILITIES OF NETWORKCONTROLLER INTEGRATION WITH MAIL SERVERS, LYNC (SKYPE FOR BUSINESS) AND ISA/TMG

Lync/Skype for Business
Interception: Chats
Audit: Calls, Files
In the integration mode, only messages will be intercepted properly. Sent files and calls will be registered in the audit, but their content will remain unavailable.
It is recommended to use the EndpointController platform for full-fledged interception of files and calls.

ISA/TMG
Features/Capabilities: 1. Interception of POST queries 2. Interception of GET queries
The solution is fully operational in terms of data capturing, but it cannot block because of the peculiarities of the TMG architecture (this proxy does not support ICAP, which is why we use a separate integration module).


Mail servers
Features/Capabilities:
1. Control of corporate email boxes via POP3 and IMAP
2. Control of corporate email boxes via EWS
3. Interception of SMTP
These integration methods are not tied to particular manufacturers or versions of mail servers (excluding EWS). They are general and can be used with Exchange, Lotus, Postfix and even a number of public mail servers.

4 CAPABILITIES OF ENDPOINTCONTROLLER INTERCEPTION MODULES FOR LINUX (UBUNTU, CENTOS, ROSA, GOS, ASTRA)

Cloud & SharePoint
Features: Interception of the following services working via web interface (not using application!): Google Docs, OneDrive, Office 365, Dropbox, Evernote, Yandex.Disk, Cloud.mail.ru, Amazon S3, iCloud, DropMeFiles, OwnCloud
Capabilities: N/a

FTPController
Features: Capturing files sent over FTP protocol
Capabilities: Maximum size of a captured file, update interval, timeouts of last activity

HTTPController
Features: 1. Capturing POST queries 2. Capturing GET queries
Capabilities:
Limitation by minimum size of POST query
Limitation by intercepted nodes, IP addresses, ports, type (SSL/no SSL), processes
Capability to add a list of anonymizers
Capability to block SPDY and QUIC
Capability to exclude MIME types (audio, video, images)

MailController
Features: Interception of the following protocols: IMAP, MAPI (without encryption), POP3, SMTP, NNTP, WebMail as part of: mail.ru, gmail.com, tut.by, yandex.ru, rambler.ru, outlook.com, Office 365, ukr.net, yahoo.com, qip.ru, Google Sync
Capabilities:
General settings: filtration by sender, recipient, domain user, subject, protocol, size
Individual settings for WebMail: capability to activate/deactivate interception of incoming email messages


IMController
Features: Interception of the following protocols: 1. ICQ 2. MMP (mail.ru agent) 3. XMPP (Jabber) 4. MSN 5. HTTPIM as part of: vk.com, ok.ru, facebook.com, mamba.ru, my.mail.ru, LinkedIn, Evernote, Google+, Yammer, Fotostrana, Web-Skype, webim.ru
Capabilities: Individual settings for: 1. Interception of contact list

SSL notifications
Features: Notifications about unsuccessful attempts of the agent to trap a connection
Capabilities:
Automatic addition of such connections to exclusions
Filtration by time, PC, user, process and type

5 BLOCKING CAPABILITIES IN SEARCHINFORM DLP

SearchInform Data Loss Prevention not only performs a detailed audit of data in transit and creates shadow copies of documents, but also allows blocking data transfer over a wide range of data channels. The list of channels that can be controlled and the list of channels that can be blocked differ, so below we provide a detailed description of the blocking capabilities of SearchInform DLP.

Blocking can be performed at different levels: while transmitting data over the network, on an endpoint, and using the customer's mail server.

5.1 BLOCKING AT THE LEVEL OF AGENT

Blocking any connected device by its type, serial number and other attributes. For example, blocking COM, LPT ports, printers, scanners, etc. The first table in the document provides the full list of capabilities of the DeviceController module.
Blocking data sending to storage devices (USB, CD/DVD, SCSI, etc.)
Blocking software launch, including portable versions
Blocking data transmission when working with remote desktop (via connected disks, network folders and clipboard)
Blocking by type of connected device (Android, Apple, Blackberry, Palm, Windows Phone, etc.)
Blocking wireless networks and interfaces (Wi-Fi and Bluetooth)
Blocking data transmission to network storages (SMB)
Blocking operation with local folders
Blocking operation with local disks


5.2 BLOCKING AT THE LEVEL OF NETWORK

The system also allows blocking HTTP(S) network traffic according to transmitted text, selected users, hosts, URI, POST, GET and many other attributes*. Besides prohibiting the transmission of specified text, such blocking allows implementing secure schemes of working with web mail, chats, forums and cloud storages. For example, it is possible to block sending a file from the company's network to a cloud storage (downloading remains available). There are also capabilities to block saving drafts and attachments when working with web mail, to block uploading to a social network (without blocking the other functionality of the social network), and many others.

* Blocking rule attributes (Method: Options, and what each option can contain):

Text
All words: text or regular expression
Any word: text or regular expression
Exact word or phrase: text or regular expression
None of the given words: text or regular expression

Date
Equal: date/month/year
NE: date/month/year
In range: range of dates/months/years
Out of range: range of dates/months/years

Time
In range: hours
Out of range: hours

Day of week
Equal: days of week
NE: days of week

User
Equal: users
NE: users

IP address
Local address: address or range of addresses
Remote address: address or range of addresses

HTTP method
GET, POST, CONNECT, PUT

Web field
URI: contains, missing, present, starting with, ending with, equal, NE, in range, out of range, etc.
HOST: contains, missing, present, starting with, ending with, equal, NE, in range, out of range, etc.
USER-AGENT: contains, missing, present, starting with, ending with, equal, NE, in range, out of range, etc.
Content-length: contains, missing, present, starting with, ending with, equal, NE, in range, out of range, etc.

This option is available at the network level, with both unencrypted and SSL traffic. Blocking can be applied on PCs and other network equipment inside a company regardless of the connection (Ethernet or Wi-Fi) for HTTP(S) or FTP(S) traffic.

Combining these rules, one can fine-tune the blocking of services or the blocking of particular features of these services. For example:

The rule (Web field = host contains mail.ru) AND (Web field URI contains attaches/add) will block the possibility to save or send attachments in mail.ru when working via the web interface.

The rule (Web field = host contains vk.com) AND (Web field URI contains act=do_add or act=add_doc or act=album_photo) will block the possibility to upload files to vk.com.

The rule (Web field = URI contains /objects) AND (Web field host contains api.asm.skype.com) AND (HTTP method = PUT) will block the possibility to send files over web Skype.
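As an added illustration of how attribute rules of this kind combine, the following is example code written for this page, not SearchInform's own software. It encodes the three rules quoted above as data, adds one text rule of the "all words" kind from the attribute table, and evaluates constructed requests against them. The rule semantics (AND of conditions, case-insensitive "contains", text criteria as regular expressions), the Request fields and the sample requests are assumptions based on the descriptions above.

```python
# Added example (not SearchInform code): a small evaluator for network-level
# blocking rules. Rule semantics are assumptions based on the page's own
# rule descriptions: a rule blocks when ALL of its conditions match.
import re
from dataclasses import dataclass


@dataclass
class Request:
    """One HTTP request as seen at the blocking point (constructed fields)."""
    method: str
    host: str
    uri: str
    user: str = ""
    body: str = ""   # decoded text content of the request, if any


def condition_matches(req: Request, cond: tuple) -> bool:
    """Evaluate one (field, operator, value) condition against a request."""
    field_name, op, value = cond
    if field_name == "text":
        # Text criteria: each value is a regular expression (or literal text).
        hits = [re.search(p, req.body, re.IGNORECASE) is not None for p in value]
        if op == "all_words":
            return all(hits)
        if op == "any_word":
            return any(hits)
        if op == "none_of":
            return not any(hits)
        raise ValueError(f"unknown text operator {op!r}")
    subject = {"host": req.host, "uri": req.uri,
               "method": req.method, "user": req.user}[field_name].lower()
    if op == "contains":
        return value.lower() in subject
    if op == "contains_any":          # "URI contains A or B or C"
        return any(v.lower() in subject for v in value)
    if op == "equal":
        return subject == value.lower()
    if op == "starts_with":
        return subject.startswith(value.lower())
    raise ValueError(f"unknown operator {op!r}")


def rule_blocks(req: Request, conditions: list) -> bool:
    """A rule blocks only when every one of its conditions matches (AND)."""
    return all(condition_matches(req, c) for c in conditions)


def evaluate(req: Request, rules: list):
    """Return the name of the first rule that blocks the request, else None."""
    for name, conditions in rules:
        if rule_blocks(req, conditions):
            return name
    return None


# The three rules quoted in the section, plus one text rule, as rule data.
RULES = [
    ("mail.ru attachments", [("host", "contains", "mail.ru"),
                             ("uri", "contains", "attaches/add")]),
    ("vk.com uploads", [("host", "contains", "vk.com"),
                        ("uri", "contains_any",
                         ["act=do_add", "act=add_doc", "act=album_photo"])]),
    ("web Skype files", [("uri", "contains", "/objects"),
                         ("host", "contains", "api.asm.skype.com"),
                         ("method", "equal", "PUT")]),
    # Text criterion: block when ALL listed words/regexes occur in the content.
    ("confidential contract", [("text", "all_words",
                                [r"\bconfidential\b", r"\bcontract\b"])]),
]

# Constructed sample requests: one upload per rule and two that must pass
# (a plain GET of the inbox, and a GET of an object, since downloading
# remains available while PUT is blocked).
SAMPLES = [
    Request("POST", "e.mail.ru", "/api/v1/attaches/add", user="alice"),
    Request("GET", "e.mail.ru", "/inbox/", user="alice"),
    Request("POST", "vk.com", "/upload.php?act=add_doc&hash=123", user="bob"),
    Request("PUT", "api.asm.skype.com", "/v1/objects", user="carol"),
    Request("GET", "api.asm.skype.com", "/v1/objects/abc/views/imgpsh", user="carol"),
    Request("POST", "forum.example.net", "/post", user="dave",
            body="Attached is the confidential contract draft."),
]

if __name__ == "__main__":
    for r in SAMPLES:
        verdict = evaluate(r, RULES)
        print(f"{r.method:5} {r.host}{r.uri} -> {verdict or 'allowed'}")
```

Because each rule is a conjunction, the Skype rule leaves the GET of the same `/objects` path untouched, which is exactly the "downloading remains available" behaviour the section describes; a first-match policy means rule order only matters when two rules would both block.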

5.3 BLOCKING EMAIL AT THE LEVEL OF WORKSTATION OR MAIL SERVER (AGENT)

The system also allows blocking outgoing corporate email. It is implemented via a blocking agent installed on the destination mail server (edge) or on the local PC, which then checks all outgoing correspondence. An email message violating security policies is stopped and held until it is checked manually. After it is checked, the message is either blocked or sent on to the destination.

Blocking can be:
Context: sender, recipient, file type (over 114 formats**), size, attachment and many other attributes
Content: based on the presence of confidential data in transmitted documents, for example digital fingerprints, phrases, synonyms, morphological forms, regular expressions, encrypted attachments, images visually similar to passports or credit cards, documents containing official stamps, falsified documents.
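The hold-then-review workflow described here, with one context criterion set and one content criterion set, as an added example that is not part of the original document or of SearchInform's software. The internal domain, the attachment-type list, size limit and regular expressions are constructed for the example; the gate only applies to mail with at least one external recipient, which is an assumption about what "outgoing" means here.

```python
# Added example (not SearchInform code): an outgoing-mail gate that applies
# context and content criteria, holds matching messages for manual review,
# and then delivers or blocks them on the reviewer's decision.
import re
from dataclasses import dataclass, field


@dataclass
class Message:
    msg_id: str
    sender: str
    recipients: list
    subject: str
    body: str
    attachments: list = field(default_factory=list)   # (file name, size in bytes)


INTERNAL_DOMAIN = "corp.example"   # constructed: mail staying here is not outgoing

# Context criteria: attributes of the message rather than its content (constructed).
CONTEXT_POLICY = {
    "blocked_attachment_types": {".zip", ".exe", ".dwg"},
    "max_attachment_bytes": 10 * 1024 * 1024,
    "max_recipients": 20,
}

# Content criteria: regular expressions over subject and body (constructed).
CONTENT_PATTERNS = {
    "marked confidential": re.compile(r"\bconfidential\b", re.IGNORECASE),
    "payment card number": re.compile(r"\b(?:\d[ -]?){13,16}\b"),
}


def is_external(address: str) -> bool:
    return not address.lower().endswith("@" + INTERNAL_DOMAIN)


def context_violations(msg: Message) -> list:
    reasons = []
    if len(msg.recipients) > CONTEXT_POLICY["max_recipients"]:
        reasons.append("too many recipients")
    for name, size in msg.attachments:
        ext = ("." + name.rsplit(".", 1)[-1].lower()) if "." in name else ""
        if ext in CONTEXT_POLICY["blocked_attachment_types"]:
            reasons.append(f"attachment type {ext} not allowed")
        if size > CONTEXT_POLICY["max_attachment_bytes"]:
            reasons.append(f"attachment {name} exceeds size limit")
    return reasons


def content_violations(msg: Message) -> list:
    text = msg.subject + "\n" + msg.body
    return [label for label, pattern in CONTENT_PATTERNS.items() if pattern.search(text)]


class MailGate:
    """Holds violating outgoing messages until a reviewer decides."""

    def __init__(self):
        self.held = {}        # msg_id -> (message, reasons)
        self.decisions = []   # (msg_id, verdict, reasons): audit trail

    def inspect(self, msg: Message) -> str:
        # Only mail leaving the organisation is subject to the gate.
        if not any(is_external(r) for r in msg.recipients):
            return "delivered"
        reasons = context_violations(msg) + content_violations(msg)
        if not reasons:
            return "delivered"
        self.held[msg.msg_id] = (msg, reasons)
        return "held"

    def review(self, msg_id: str, approve: bool) -> str:
        msg, reasons = self.held.pop(msg_id)
        verdict = "delivered" if approve else "blocked"
        self.decisions.append((msg_id, verdict, reasons))
        return verdict


def run_demo() -> dict:
    """Push constructed traffic through the gate; returns the final verdict per message."""
    gate = MailGate()
    samples = [
        Message("m1", "alice@corp.example", ["bob@corp.example"], "lunch?", "noon?"),
        Message("m2", "alice@corp.example", ["partner@other.example"],
                "Q3 figures", "Confidential - do not forward", [("q3.pdf", 2048)]),
        Message("m3", "carol@corp.example", ["vendor@other.example"],
                "backup", "as requested", [("backup.zip", 4096)]),
        Message("m4", "dave@corp.example", ["shop@other.example"],
                "order", "card 4111 1111 1111 1111, thanks"),
        Message("m5", "erin@corp.example", ["press@other.example"],
                "press release", "public announcement attached", [("pr.docx", 1024)]),
    ]
    verdicts = {m.msg_id: gate.inspect(m) for m in samples}
    # The reviewer releases m2 after checking it and blocks m3 and m4.
    verdicts["m2"] = gate.review("m2", approve=True)
    verdicts["m3"] = gate.review("m3", approve=False)
    verdicts["m4"] = gate.review("m4", approve=False)
    return verdicts


if __name__ == "__main__":
    for msg_id, verdict in run_demo().items():
        print(msg_id, verdict)
```

The decision log kept by `MailGate.decisions` is the part a practitioner should not skip: a manual-review step is only defensible if every release or block is recorded together with the reasons that triggered the hold.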


6 PROTECTION OF DATA AT REST

SearchInform DLP can audit and detect confidential data inside files in the following data storages:
Local PCs (Windows)
Roaming user profiles (in Active Directory or Novell eDirectory)
Network folders (Windows, Linux, Unix, Mac)
Corporate NAS (Synology, HP, QNAP, etc.)
Corporate SharePoint storages
Text fields in popular DBMSs (MS SQL, MySQL, PostgreSQL, Oracle, etc.)
Databases of web sites
Web mail
Cloud storages (Dropbox, etc.): under development
Personal portable storage devices (USB HDD, flash drives): when connected to corporate equipment
Personal mobile devices (telephones, tablets): when connected to corporate equipment in the file system access mode

** Below is a non-exhaustive list of the formats that SearchInform DLP can operate with. Additionally, it is possible to create your own file types and assign parsers to them (process as binary, text, xml, etc.)

o MS Office files: DOC, DOCX, DOT, XLS, XLSX, XLSB, XLSM, XLTX, XLTM, XLT, PPT, POT, PPTX, RTF, VSD, VST, VSDX
o Local database files: MDB
o Internet files: HTM, HTML, SHTML, CSS, JS, MAFF
o Mail files: MSG, EML
o Windows program files: TXT, CSV, PDF, DJVU, XML, LST, CHM, BAT, LOG, INI, WRI, MHT, HLP
o In archive files: 7Z, ARJ, RAR, ZIP, JAR, TAR, ISO, GZ, GZIP, TGZ, TPZ, CAB, LZH, LHA, Z, TAZ, LZMA, BZ2, BZIP2, TBZ2, TBZ, HFS, 001
o Programming files: JAVA, PAS, DFM, DPR, BAS, CPP, HPP, C, C++, H, CS, SQL, JSP, ASP, ASPX, PHP, SH, WSDL, PY, PL, INC, VB, VBS, XLA, CMD
o Programming files (Power Builder): SRA, SRJ, SRW, SRU, SRM, SRS, SRF, SRD, SRQ, SRP
o Audio/Video: MP3, AVI, WAV
o OpenOffice.org: SXW, STW, ODT, ODS
o CAD files: DWG, DXF
o Image files: JPG, JPEG, TIF, TIFF, BMP, PNG, GIF, CDR
o Old text formats: LEX

INDIA CONTACT
BD SOFTWARE DISTRIBUTION PVT. LTD.
1209, 12th Floor, Satra Plaza, Plot No. 19 & 20, Sector 19d, Vashi, Navi Mumbai - 400703, MAHARASHTRA
Phone: +91 829 160 1105
E-mail: [email protected]

