InfoWatch Traffic Monitor. On the blade of bugs and features

    “Igor, he has TWO hearts !!!”

    Anna Popova, Head of the DLP Block of the GC Infosecurit, continues to share her impressions of using different DLP systems. In the last article she told about the pros and cons of SearchInform CIB solution. Today, as promised, let's talk about the InfoWatch product line. Just let us immediately determine that we do not pretend to an objective comparison.

    In general, it is difficult to understand what an objective opinion about the system is. Objective characteristics are the compliance of the DLP system with the technical requirements of the customer, the requirements of the FSTEC, etc., as well as their correlation with the necessary capacities. Everything else is subjective, for the reality is that the functionality that one client has “taken off” will fall from another. And even more so, one does not have to talk about the objective superiority of one system over another, if we are talking about its use by analysts. Someone likes one interface, someone else, someone does not like uploading events, someone does not care about it.

    Much has been said about the DLP product from InfoWatch; many copies broken around it. Opinions are very diverse - from the most polar to neutral. Over time, both the company and the product had a chance to go a long and thorny path of development, to grow more than one useful function and even get into the “magic quadrant” of Gartner. So let's try to figure out what the product managed to achieve, whether it’s good (or bad), as they say.

    Architecture (who is who)

    First of all, you need to understand what we are working with. The InfoWatch Traffic Monitor software complex consists of the following components:

    InfoWatch Traffic Monitor is the main component responsible for network interception and analysis of intercepted data (collected over the network and from agents). Powered by RHEL / CentOS 6. It is also responsible for rendering the web interface, which is the main entry point for the information security officer when working with the system.

    InfoWatch Device Monitor - this component is responsible for managing agents (including agent policies). Works on Windows Server. It has a separate management console, which can be installed on any Windows machine - the main thing is that the network access to the Device Monitor server should be open.

    InfoWatch Crawler- a module that enables the scanning of specified user directories and network directories. It runs on a Windows Server (can be installed on a machine with a Device Monitor server), but is interface-integrated into the Traffic Monitor web console and is controlled from there.

    InfoWatch Vision is an optional component that allows you to significantly simplify the process of investigating security incidents through visualization. Represents events from Traffic Monitor in the form of automatically tunable interactive graphs. Powered by Windows Server and based on the QlikSense platform.

    InfoWatch Person Monitor is also an optional module that provides time management functionality. It works on the Win Server, takes its roots from the legendary, in some way, the system "Stakhanovets."

    Blocking functionality

    Since the system has the proud status of DLP (which, we recall, means Data Leakage Prevention - data leakage prevention), first of all, we will consider the “classic” functionality for such systems - prevention. What can this software package offer us?

    Even in the minimal installation (Traffic Monitor, Device Monitor), the functionality is quite rich: it is possible to block mail, prevent recording to removable media based on content analysis or white lists of media, prohibit applications from running, prohibiting the use of FTP. With the connection of the Person Monitor module, the functionality is somewhat extended: the ability to clear the clipboard, the prohibition of downloading files to the Internet is added.

    It will not be easy for an unprepared user to first understand the variety of different control consoles: for example, one of the special features when working with the system is the need to “turn on” some interception channels in Device Monitor.

    In general, the prevention functionality causes no questions, there is where to roam; although the most demanding customers will probably still have to turn to more flexible competing products. As for the working time accounting functionality, in IWTM it is implemented in an original, but quite convenient way.

    Working time control functionality

    The DLP market, especially in the CIS countries, today is not limited solely to prevention functionality. DLP systems little by little incorporate the functionality of another class of products - systems for monitoring the working activity of employees.

    The product in question was no exception and also absorbed something. How good is the quality?
    You can control employees using the Person Monitor module - starting with keylogger and ending with video from the desktop, as well as monitoring the webcam and sound from the microphone. However, not everything is so rosy. Above mentioned that this module is an interpretation of the acclaimed "Stakhanovtsa". From here and minuses - for example, absolute lack of integration with other modules of the complex and guaranteed coverage with “complete control” of only fifty cars. The special protection was delivered by the database protection - encryption is not needed, the data in the database is stored only in a modified encoding. "So that no one would guess! .."

    By the way, regarding the affection: when you first open the web interface, the Person Monitor warns that the connection is not encrypted (plain http, I mean) and offers a link to the manual, according to which everyone can configure https himself. Why this was not done out of the box is unclear.

    There is also a very interesting voice recognition feature in the text. This is implemented through the Google API, which will be a problem for many customers: firstly, the server’s connection to the Internet is required, and secondly, not everyone agrees to transfer their confidential information to a third party.

    When conducting investigations on the information collected by the Person Monitor, we experienced discomfort, because we were accustomed to working with all the available information from all available channels and all employees. In addition, local search by nasniffan keyloger data has only the most basic functionality - for example, there is a morphology, but it will not be possible to construct interesting and complex text search rules. Nevertheless, it is quite possible to live with this on small volumes of traffic and in small companies.

    From a technical point of view, the Person Monitor consists of an agent that collects data from a user's workstation, a database server (MSSQL), where this data is then stored, and Apache for Windows, which renders the system's web interface. At the user's request, a SQL query is compiled, and its result is presented to the user in the form of a html report page.

    Speaking of small and large companies, we smoothly move to another module - Vision. It was as if created by our order - it allows you to organize the data intercepted by the Traffic Monitor for visual presentation and besides it gives you the opportunity to rebuild requests on the fly. All this is possible, not least thanks to the QlikSense platform, which handles events drawn from Traffic Monitor in the RAM of the Vision server.
    Events need to be uploaded once in a certain period of time - for example, every night, since downloading large amounts of data takes a long time.

    Overall impression

    The considered system, like any other, is not without flaws. Unfortunately, there are still some “childhood sores” stretching from earlier versions (for example, the Person Monitor's listed problems); Some solutions look controversial - it is not always clear if this is a bug or a feature (consoles disunity and the use of different databases for storing events). If you need to focus on a specific functionality, rather than a comprehensive solution, it is recommended to continue studying the DLP market.

    Once we began to study the DLP market with InfoWatch Traffic Monitor, so the minuses immediately caught my eye:

    • even with a minimal installation, two servers are required — Traffic Monitor, Device Monitor — on systems of different families;
    • at the maximum installation, the installation of two agents on an employee's workstation is required;
    • the user of the system is forced to use in operation not one console, but two to five (Traffic Monitor, Device Monitor, Person Monitor, Person Monitor, Vision settings console);
    • With all the above integration, the Person Monitor with the rest of the complex simply does not exist - the feeling that you are working in a separate system.

    However, having continued to study the market further, we discovered many advantages (truly, everything is learned in comparison):

    • work stability;
    • simplicity and speed of rolling. There is a kickstart image of Traffic Monitor, and Windows components are installed using the “Next - Next - Ready” pattern;
    • system flexibility. Having mastered the interface of all consoles, you can wind up quite complex triggering rules, which will be applied immediately when traffic arrives;
    • speed of investigation. Despite the fact that the Vision is still young and not overgrown with a sufficient number of functions for us, its speed and clarity compensate for this. When working with past major customers, he would be very useful to us as part of the combat system.

    In preparing the article, we interviewed our fellow practicing analysts what impression the InfoWatch DLP system made on them. Summarizing all the above, we single out a few pros and cons.


    • consoles incoherence;
    • non-functional access control (like there is, but it is not always possible to customize how you want - for example, dashboards);
    • one of the modules generally collects information that the kernel cannot analyze;
    • already two agents are used, some functions are included in both;
    • data needs to be distilled between bases;
    • it is impossible to place full functionality in one server even in the most minimal implementation;
    • The PM operation logic (operating not with events, but with reports) does not allow comfortable using it for the entire coverage area, but exclusively “pointwise”.


    • readiness to implement functionality, if necessary;
    • easy installation (kickstart);
    • scalability;
    • He sees a lot, understands a lot - a large selection of channels, work with mobile traffic, a large selection of methods for detecting confidential data;
    • relatively fast search and convenient previewer with different colors highlighting different objects;
    • detailed description of technologies and objects of protection;
    • automatic determination of criticality, unloading officer, etc .;
    • Much attention is paid to the visualization of the collected information. One of the best solutions on the market.

    Of the minuses - yes, alas, this is a multi-console and not always logical division of the functional between them. This is not only inconvenient, but also completely ineffective when it is necessary to collect the evidence base for the investigation, and the data in different databases cannot be reduced to one type by the means of the system itself. A lot of extra manual work analyst or bezopasnika.

    We were pleased with the desire of the vendor to implement improvements for potential customers, i.e. without a binding contractual relationship. This is an absolutely real example: six months after the discussion of the heap of improvements we declared on the pilot in one of the clients, we saw them in the implemented functionality, which was extremely nice.

    Moreover, IW is one of the few vendors who is attentive to the discussion of such problems, does not bounce on the tag - and why is it necessary, you are the first to ask about it, etc. (Sasha Klevtsov, we give you a separate hello and best wishes :)).

    In the bottom line, we have a fairly balanced system that covers most of the requirements of the most boring customers and does not have excessive system requirements. InfoWatch consistently “pumps” its complex, adding new cool features. It remains only to carefully sew them together :).

    Anna Popova, Head of the DLP Block, GK Infosecurit
    Nikita Shevchenko, Head of the Group of Engineering Support of the Block DLP, GK Infosekurity

    Also popular now: