And one more time about SearchInform CIB: sorting out the news
Anna Popova, Head of the DLP of Infosekyrit DK Group, continues to share her impressions of the use of different DLP systems. This article will talk about SearchInform CIB.
The first of those for whom I want to update the knowledge will be the SearchInform CIB, which is quite logical, since I have worked with this solution longer than with any other, and of course it is very interesting to me what happens to the vendor. Therefore, I did not refuse to offer in the comments to test the new version of the software.
I didn’t manage to complete a full test by the end of the year, but I managed to dive a bit into the study of new products.
So, in order.
Who knows me or read my previous review, I know that I have been waiting for the analyst console from the vendor for a long time. And finally, she came out!
Visually, I liked it, because it didn’t appear anything over-heaped (so it would be bad, it seems to me), but at the same time it combined what is convenient to have in one console - a common client, a report center and a profile center .
In current releases, the alert center is not built into it (it was left without any particular visual changes), but, for example, it does not frighten me, because lately I’m more often engaged in the spot monitoring of employees than setting policies and creating rules for catching all kinds of goodies .
For working with events I have always been more comfortable with the general client.
Also, a module of online computer monitoring (LiveView) was taken out of a common client into a console, which I also liked because I use it quite often. On the other hand, it’s convenient to separate it from the general viewing console; I don’t like it when everything is in one window and constantly resets one to another.
Well, the presence in the same console of all possible reports from the former report center is a big plus.
So I am pleased with this change.
Cute and also quite simple, for lovers of minimalism immediately plus. It still embodies the web version of the alert and report. The administration of the alert remains in the thick client, but they promise a quick transfer - also to the web.
File Auditor
A new module, which now acts as a universal space scanner with the ability to grab shadow copies and markup documents. Previously, this task had to be solved by two different modules - the file controller and the IRS. The second, by the way, is also redesigned and has become much faster and more convenient to set up.
Scanning of cloud storages The
thing is most likely to be in demand, because more and more companies fly into the clouds every day. In fact, it is also a scanner that will collect shadow copies, mark up files and provide an opportunity to work with them, including through the alert center policies.
Removable media A
shadow copy of files on removable media.
That's cool, really. How many problems I personally experienced with when I really needed to look, and what about the files on the flash drive that the employee connected to the computer. You sit for a long time and catch a moment in the video in the hope that the employee at least partially opened them.
Encryption of data written to media. Someone will be useful, well, less problems with additional encryption for flash drives. Tweaking the parameters of write access to the media. By file sizes, for example.
Keylogger
There is a tick, clicking which you can stop blindfolding while monitoring, and just stop seeing passwords.
Rejoice freedom fighters and riders of the GDPR!
Interception of instant messengers
One of the most popular, I think, questions from customers. And they like to ask even about those messengers that are not used at all in the company, or 1 person uses it. Anyway.
So here. The new CIB intercepts all of our favorite vatsap, carts and Viber in both versions: the web and the desktop. By the way, this is apparently an exclusive, in terms of vatspapa for sure.
Work mail in blocking mode
There is support for all the most used protocols: IMAP, NNTP, POP3, SMTP, HTTP (S), and MAPI.
Interception is implemented for the above, including using s \ mime. The lock is available for outgoing protocols, again including MAPI and s \ mime.
Desktop video and webcams
A webcam image control module has appeared, that is, every incident now has a “human face”. Similar to the format of screenshots, you can turn on the recording only in connection with certain processes or even sites.
Linux
Control traffic on the entire Astra Linux, Ubuntu and CentOS family. Soon they promise that device sniffer will be added.
Agents
One of my favorites.
Added control agents. If the agent does not tap the server for some time, it will be reinstalled.
And now the agent needs only the Internet for the update to connect to the server, and even not necessarily to be inside the corporate network.
Report Center
He is no longer a separate entity. Hallelujah! And we forget about the constant synchronization of its bases - now it is cyclical.
Profile-center
Its benefit is obvious to me. Why catch after-the-fact incidents, if some of them can be foreseen. Yes, and know your employee, not only in the face for me right bread and butter.
It is difficult for me to say how this works in the technique, but visually the tab with it looks very modest and minimalist, which means you don’t have to worry about the settings.
Honestly, who cares how these algorithms work there. The people who developed this product have obviously devoted many years to profiling and working with real people. If people who can be super-developers and super-engineers, but do not understand anything in psychology, would be engaged in such development, then it would be very strange.
Need to test. There is a need for such a product on the market, especially in security services and very advanced HR. Well, at least there are no competitors in the Russian market of UBA and DLP.
According to the vendor, on average 1-2 months you need to accumulate data to build a reliable employee portrait. Yes, as in the films by instantly sucking the brain through the ear does not work yet, if anyone dreamed about it.
Search speed
About the speed of the search and whether something has changed in it, I cannot say anything, you will not understand this by visual analysis. The developer talks about the release of a fundamentally new search engine, devoid of old problems. It is explained by the new 64x architecture, which has no software limitations (as it was in the old engine) from memory, cores and threads. From a technical point of view, it sounds quite reasonable, but I don’t presume to judge the actual speed. Looking for data. A lot of real data ...
Once again the digest :
Well, I tried to collect the cream on the surface and a little bit to analyze the main changes to the CIB.
I hope that I will have the opportunity to dive deeper into the new CIB and tell you many more interesting things.
Maybe even take an interview with provocative questions from the vendor and show all that is hidden.
Until we meet again, DLP-dependent!
Anna Popova, Head of the DLP Block, Infosecurity a Softline company
The first of those for whom I want to update the knowledge will be the SearchInform CIB, which is quite logical, since I have worked with this solution longer than with any other, and of course it is very interesting to me what happens to the vendor. Therefore, I did not refuse to offer in the comments to test the new version of the software.
I didn’t manage to complete a full test by the end of the year, but I managed to dive a bit into the study of new products.
So, in order.
Analyst console
Who knows me or read my previous review, I know that I have been waiting for the analyst console from the vendor for a long time. And finally, she came out!
Visually, I liked it, because it didn’t appear anything over-heaped (so it would be bad, it seems to me), but at the same time it combined what is convenient to have in one console - a common client, a report center and a profile center .
In current releases, the alert center is not built into it (it was left without any particular visual changes), but, for example, it does not frighten me, because lately I’m more often engaged in the spot monitoring of employees than setting policies and creating rules for catching all kinds of goodies .
For working with events I have always been more comfortable with the general client.
Also, a module of online computer monitoring (LiveView) was taken out of a common client into a console, which I also liked because I use it quite often. On the other hand, it’s convenient to separate it from the general viewing console; I don’t like it when everything is in one window and constantly resets one to another.
Well, the presence in the same console of all possible reports from the former report center is a big plus.
So I am pleased with this change.
Web version
Cute and also quite simple, for lovers of minimalism immediately plus. It still embodies the web version of the alert and report. The administration of the alert remains in the thick client, but they promise a quick transfer - also to the web.
New chips
File Auditor
A new module, which now acts as a universal space scanner with the ability to grab shadow copies and markup documents. Previously, this task had to be solved by two different modules - the file controller and the IRS. The second, by the way, is also redesigned and has become much faster and more convenient to set up.
Scanning of cloud storages The
thing is most likely to be in demand, because more and more companies fly into the clouds every day. In fact, it is also a scanner that will collect shadow copies, mark up files and provide an opportunity to work with them, including through the alert center policies.
Removable media A
shadow copy of files on removable media.
That's cool, really. How many problems I personally experienced with when I really needed to look, and what about the files on the flash drive that the employee connected to the computer. You sit for a long time and catch a moment in the video in the hope that the employee at least partially opened them.
Encryption of data written to media. Someone will be useful, well, less problems with additional encryption for flash drives. Tweaking the parameters of write access to the media. By file sizes, for example.
Keylogger
There is a tick, clicking which you can stop blindfolding while monitoring, and just stop seeing passwords.
Rejoice freedom fighters and riders of the GDPR!
Interception of instant messengers
One of the most popular, I think, questions from customers. And they like to ask even about those messengers that are not used at all in the company, or 1 person uses it. Anyway.
So here. The new CIB intercepts all of our favorite vatsap, carts and Viber in both versions: the web and the desktop. By the way, this is apparently an exclusive, in terms of vatspapa for sure.
Work mail in blocking mode
There is support for all the most used protocols: IMAP, NNTP, POP3, SMTP, HTTP (S), and MAPI.
Interception is implemented for the above, including using s \ mime. The lock is available for outgoing protocols, again including MAPI and s \ mime.
Desktop video and webcams
A webcam image control module has appeared, that is, every incident now has a “human face”. Similar to the format of screenshots, you can turn on the recording only in connection with certain processes or even sites.
Linux
Control traffic on the entire Astra Linux, Ubuntu and CentOS family. Soon they promise that device sniffer will be added.
Agents
One of my favorites.
Added control agents. If the agent does not tap the server for some time, it will be reinstalled.
And now the agent needs only the Internet for the update to connect to the server, and even not necessarily to be inside the corporate network.
Report Center
He is no longer a separate entity. Hallelujah! And we forget about the constant synchronization of its bases - now it is cyclical.
Profile-center
Its benefit is obvious to me. Why catch after-the-fact incidents, if some of them can be foreseen. Yes, and know your employee, not only in the face for me right bread and butter.
It is difficult for me to say how this works in the technique, but visually the tab with it looks very modest and minimalist, which means you don’t have to worry about the settings.
Honestly, who cares how these algorithms work there. The people who developed this product have obviously devoted many years to profiling and working with real people. If people who can be super-developers and super-engineers, but do not understand anything in psychology, would be engaged in such development, then it would be very strange.
Need to test. There is a need for such a product on the market, especially in security services and very advanced HR. Well, at least there are no competitors in the Russian market of UBA and DLP.
According to the vendor, on average 1-2 months you need to accumulate data to build a reliable employee portrait. Yes, as in the films by instantly sucking the brain through the ear does not work yet, if anyone dreamed about it.
Search speed
About the speed of the search and whether something has changed in it, I cannot say anything, you will not understand this by visual analysis. The developer talks about the release of a fundamentally new search engine, devoid of old problems. It is explained by the new 64x architecture, which has no software limitations (as it was in the old engine) from memory, cores and threads. From a technical point of view, it sounds quite reasonable, but I don’t presume to judge the actual speed. Looking for data. A lot of real data ...
Once again the digest :
- the interface has not lost its simplicity and clarity;
- a common client with a report got married and adopted a profile center; this is how a friendly family turned out - the analyst console;
- the alert center does not give up yet and lives in a separate apartment;
- LiveView is now in a separate window of the combined console;
- keylogger surrendered and turned on the password collection prohibition mode;
- agents have learned to deal with the cruelty of this world and now they use automatic reinstallation, monitoring their own health and other goodies;
- mysterious profile center looks very friendly;
- Shadow copy of the data on the flash drive - for security officers who are especially fan of their work;
- when you are morally ready to go to Linux, you can already begin to rejoice;
- file controller atavism reincarnated into a cool scanner with data markup;
- carts, sleds, skis and other vatsaps: we are not afraid of you, we intercept you in all poses;
- scan of clouds for those who keep up with the times.
Well, I tried to collect the cream on the surface and a little bit to analyze the main changes to the CIB.
I hope that I will have the opportunity to dive deeper into the new CIB and tell you many more interesting things.
Maybe even take an interview with provocative questions from the vendor and show all that is hidden.
Until we meet again, DLP-dependent!
Anna Popova, Head of the DLP Block, Infosecurity a Softline company