Staffcop: side view

    Hello! My name is Michael, and I work with data in information leakage prevention (DLP) class systems and behavioral analysis systems. For many years of work in the field of information security I was lucky enough to get acquainted with many systems. One of the recent acquaintances is StaffCop Enterprise v.4.4.

    In this review I will share my impressions of the use of the StaffCop system.


    For such products, an intelligent, user-friendly interface is very important, yet the analyst has to work with it every day.

    Desktop snapshot:

    I liked the way everything is structured, but the arrangement of the panels initially causes a slight stupor. However, you later get used to such an implementation and quickly begin to perform tasks.

    And for the successful display of information StaffCop worth praise! When analyzing events, such measures as table, line chart, pie chart, graph and tree are available. In different tasks, these data representations can greatly help in finding a solution.

    To view the events, you can use a table, list, snapshots, correspondence, forming conversations by topic, and a thermal diagram that allows you to look at the situation as a whole and quickly detect suspicious activity.

    The only thing that upsets so far is the lack of case management, that is, full-fledged work with incidents.


    Now about the tasks that had to be solved and how to do it with the help of StaffСop.

    Important note: so far I have not had experience using Staffcop on large volumes, so I cannot say anything about the speed of searching in deep archives.

    1. What is the employee doing in the workplace?

    Click the ONE button and load the measurement card (in this case by employee):

    It has a lot of useful information: data from AD, last activity, activity on websites and applications, information on which PCs the user has authorized, contacts and graphs of correspondence, search queries and time tracking.

    Moreover, the system has the ability to edit this card, i.e. You can add / remove various modules of information. There are measurement cards for many other entities: for example, by file, site, device, etc.

    But there are some shortcomings, when you try to upload a card for sending, you must send it to print and save it in PDF format. Inconvenient, besides there are problems with scaling: in some cases, too small fonts are used.

    2. Control of employees in real time

    It is about connecting to the desktop of a specific employee and monitoring his actions. Yes, yes, do not be surprised, such tasks are not uncommon.

    Such a mechanism exists, and it really works, and in the current version, the so-called “quadrator”, that is, the simultaneous display of several desktops, was introduced.

    But, as always, I want more. For example, if an employee blocked the desktop and went away on business, you will still see his desktop. Notice that the employee himself does not exist, it is possible only by stopping time on the clock.

    The ability to capture control checked for test purposes. It works well, but in practice it has not been useful yet.

    3. Anomaly detector and tasks for tracking file movement

    Immediately, I note that not all such systems have this functionality, so I’ll tell you more about these tools.

    Excerpt about the detector anomalies from the vendor knowledge base:

    A new kind of report in which “anomalies” are expressed in intercepted events on user workstations.
    An anomaly is the excess of the number of events of a certain type per hour, if it is 10 or more times the standard value calculated for the last week of the system.
    The system threshold for anomalies can be changed. This threshold is set as a digit exceeding the number of times from the standardized values ​​of events collected over a certain period of operation.

    It looks simple and clear, and how to use the information depends only on you.

    Separately on the distribution map.

    To search for a mention of a file, you need, as in the case of an employee, to open the file measurement card. It contains information about who, where, when and how he worked with him. At the same time, you can quickly build a visual flow of information.

    What is it for? To solve the standard problem: find me who worked with ... / leaked the sales report.

    4. Employee performance reports

    This is one of the most important tools for products of this class that go away from DLP in a pure form. StaffCop has a lot of different report options, and they give out quite realistic information.

    This topic is probably close to those who tried to make reports on user activity, for example, using web-proxy systems. Usually, the user has thousands of draws on banners opened on the site, and it’s almost impossible to calculate how much he actually “surfs” on the Internet.

    Moreover, there are about the same requests from the management, which do this or that employee about as much as the task of investigating information leaks. In the case of StaffCop, it takes only a minute to compile such a report, and with other DLP systems that do not have such tools, you can ditch the whole day to complete such a task.


    StaffCop is developing rapidly. The main focus is on the control of the workplace employee. In the arsenal there are such features as control of software installation / removal, the registry of this software and hardware, which are far from being available to all systems on the information security market.

    Now StaffCop is a system for monitoring employee time with a number of convenient tools and some DLP features. What it will be tomorrow is an open question.
    Yes, there are drawbacks: somewhere, something is not displayed or intercepted. Vendor tries to fix such bugs promptly.

    In general, StaffCop is a worthy product for solving non-standard IS tasks.

    Mikhail Godzhaev, Head of Event Analysis, DLP Block, Infosecurity a Softline Company.

    Also popular now: