Microolap EtherSensor

Microolap EtherSensor is a software platform for the analysis of network traffic in real time which will recognize such objects of the user and system communications as messages, files and network events.

The main objective of EtherSensor — substantial increase of efficiency of the cybersecurity systems at the expense of qualitatively solved task of the analysis of network traffic. EtherSensor is a passive system, it works only with the copy of traffic, without influencing network infrastructure in any way.

Tasks

• Extraction from network traffic in real time:
  • the messages which are sent/received using web mail, social networks and so on taking into account opportunities of functional modules;
  • the files sent and loaded using file exchange services, services of instant messages, cloud services, etc.;
  • different actions in Internet services;

• Filtering of obviously uninteresting taken events;
• Analysis and receiving metadata of events;
• Sending events and their metadata to consumers under different protocols in a required format for the further analysis and storage.

The EtherSensor functions are grouped in the modular circuit that allows to solve problems, also grouping them according to security policies of the customer.

Modules

• Web mail — selection from traffic by method of passive interception of outgoing messages of services of web mail (Mail.RU, Yandex.RU, Pochta.RU, GMail, etc. (40+ of domains) and also services on popular webmail-engines).
• Social networks — selection from traffic by method of passive interception of messages of different types (authorization, messages, comments, etc.) on social networks and at forums: Facebook, LinkedIn, Vk.com, Odnoklassniki, Mamba.ru, phpbb, ipb, vbulletin, mybb and also SMS/MMS message of users sent through specialized web services (500+ of domains).
• Email — selection from traffic by method of passive interception of the e-mail messages transferred under protocols SMTP, POP3 and IMAP4.
• The ICAP server — allows to use as a traffic source for selection of messages the HTTP traffic taken from HTTPS traffic and delivered under the ICAP protocol by external systems: SQUID, BlueCoat SG, Cisco WSA, Webwasher, Websense, FortiGate, etc.
• The server of Agents of EtherSensor — serves for identification of users and their binding to the intercepted messages. For example, during the work of users through a terminal server.
• File transfer — selection from traffic by method of passive interception of the files transferred under the HTTP, FTP, SMB/CIFS and WebDAV protocols.
• Instant messages — selection from traffic by method of passive interception of the messages sent and received through the instant messaging services working under XMPPJabber the IRC, MSN,/, MRA protocols, Yahoo and OSCAR (ICQ Skype Google Hangouts Mail.Ru Agent etc.).
• Reading the entering web mail — selection from traffic by method of passive interception of incoming messages of services of web mail (Mail.RU, Yandex.RU, Pochta.RU, GMail, etc. (40+ of domains)) and also services on popular webmail-engines.
• Job search — selection from traffic by method of passive interception of messages, vacancies, responses and other events of services of vacancies and job search, such as HH.ru, Superjob.ru, Job.ru, etc. (150+ of domains).
• Lotus Notes is selection from traffic by method of passive interception of messages of the IBM Notes system (before Lotus Notes). If enciphering of traffic is applied, messages can be taken from Lotus Notes Transaction Log (this method does not influence IBM Notes work in any way).

In case of obtaining the messages decoded by the proxy server and sent to EtherSensor under the ICAP protocol it is necessary to use in addition with the available set of modules the module the ICAP server.

Principle of Work

The principle of work of the EtherSensor platform is divided into 3 logical partitions:

• Receiving network traffic — EtherSensor receives through Mirror-ports (SPAN, rx and tx packets), under the ICAP protocol from proxy servers, via PCAP files with the traffic written earlier and also through integration sources, such as Lotus Notes, MS Exchange or Skype for Business (Lync);
• Data analysis — after receiving network traffic of EtherSensor makes the signature analysis on compliance to detectors of protocols since channel (L2) up to the application layer (L7) of a network model of OSI and also on compliance to detectors of specific web services that allows EtherSensor to get events of security of different levels using information security policies of varying complexity;
• Delivery of events to consumers — according to the configured security policies of EtherSensor makes sending events to systems consumers in a type, suitable for them; for example, in the EtherSensor DLP systems directs correspondence of users in messengers, web mail, social networks, blogs and forums, and to SIEM systems — information on all network connections with result of checks in DNS Black Lists or file exchange. At the same time events of Internet activity of users form in an original form that simplifies their analysis for service cybersecurity.

Works of EtherSensor are result intercepted:

• messages and investments of web mail, including entering;
• events of social networks (registration, input, correspondence, unloading of files, comments);
• messages of corporate and personal e-mail;
• correspondence, files, contact lists of messengers (including Skype and Google Hangouts);
• actions at forums and blogs;
• registration, events of an input, creation and updating the summary and responses to vacancies in job search services;
• events of file storages and cloud services (protocols FTP/S, HTTP/S, WebDAV/S);
• the events containing the undesirable text or content;
• search queries of users;
• events of connection to proxy servers, uses of anonymizers, interaction events with hosts from DNS BlackList;
• and many other network events.

EtherSensor does not execute archiving of results and search in them, and sends events to the further analysis and storage to any DLP, SIEM, eDiscovery, and other information security systems.

Specific Features

• Without agents at workstations
• Has no impact on network infrastructure
• High performance allows to use the serial equipment, including the virtual server, with low system requirements for the analysis of big data streams (gigabits per second without loss of packets)
• Completely domestic development
• Microolap Technologies performs direct technical support of users and partners in the Russian and English languages.

Scopes of application

There are classes of solutions for which the high-performance analysis of network traffic, among them is crucial: DLP (Data Loss/Leak Prevention, systems of "prevention" of leakages of confidential data), SIEM (Security information and event management, security event management), DPI (Deep Packet Inspection, deep analysis of network packets).

The EtherSensor platform will help with solving of tasks of all listed above types of systems, namely:

• will collect complete statistics on network connections, solving thereby problems of DPI;
• will take messages, files and all necessary metadata and also will carry out their analysis, solving thereby the most part of problems of DLP in real time
• without connectors will prepare for any SIEM data on events in the necessary formats and in real time according to the specified security policies;
• will deliver events and/or content of messages in all necessary systems.

For example: EtherSensor will intercept the e-mail sent through Gmail using the anonymizer containing in an investment the customer base of users and also 4 unsuccessful attempts of an input in this Gmail account. As a result a DLP system will receive the sent message with an investment for more careful analysis and the subsequent storage of an incident, and a SIEM system will receive events about attempts of an input in Gmail account with indication of per specific host and also an incident event about sending the customer base.

Encoded traffic

Microolap company together with Artx company developed the product SSLSplitter which provides the copy of the data transferred in SSL connections in EtherSensor for the analysis of SSL traffic. If in the organization other product solving a problem of interpretation of SSL traffic is already installed, EtherSensor is integrated with it under the ICAP protocol or by listening of additional Mirror-port.

Performance

The EtherSensor platform is capable to analyze flows more than 20 Gbps without loss of packets on one server, both physical, and virtual. Such results are achieved due to development of own technologies of interception of traffic and inter-process communication.

Network statistics

Delivery of EtherSensor includes EtherStat — the tool for collecting, storage and enrichment of network statistics allowing to carry out the retrospective analysis of network activity of users and to build reports on use of network traffic.

2018: Updating to version 5.0.3. Integration with SecureTower

On August 10, 2018 the company Mikroolap Teknolodzhis provided updating of the EtherSensor 5.0.3 platform. In addition to other updates, in this version of the platform became possible integration with DLP- a system SecureTower from the company Falcongaze.

Most often EtherSensor finds application at solving of tasks on prevention of leakages of confidential data (DLP system), event management of information security (SIEM system) and archiving of corporate messages (Compliance Archiving). The software solution SecureTower is intended for the solution of the first problem — from EtherSensor a system most quickly obtains data for the analysis.

The joint integration solution Falcongaze SecureTower and Microolap EtherSensor combines strengths of products, qualitatively covering the main pool of channels of date leaks, both on perimeter of network, and on the party of workstations. I find such solution very demanded for the large organizations paying due attention to information security Alexander Akimov, CEO of Falcongaze company

The previous version of EtherSensor was capable to process data streams more than 20 GBps, at the same time taking and analyzing application level objects in real time. In the version of EtherSensor 5.0.3 Mikroolap Teknolodzhis came very close to an opportunity to process the traffic flows which are found at the solution of operator tasks. SecureTower, in turn, is ready to analyze this traffic regarding violations of security policies and leakages of confidential data.

We always considered Falcongaze SecureTower the qualitative DLP solution and opportunities to use their analytical functionality for processing of the network events organized by EtherSensor are very glad. In the joint solution Falcongaze SecureTower undertakes an applied part of problems of information security, and Microolap EtherSensor - quantitative regarding high-performance extraction of events and their content from network traffic. The received synergy sharply increases the level of the joint solution in terms of efficiency of measures of protection of information in the organization. Eduard Smirnov, CEO Mikroolap Teknolodzhis

2017: Integration with DeviceLock DLP

The companies Smart Line Ink Mikroolap Teknolodzhis announced also on August 4, 2017 implementation of transparent technology integration of own solutions for optimization of solving of tasks on prevention of leaks of corporate information and also increase in flexibility and width of opportunities DLP- technologies at identification investigation of incidents. As result, the first full-fledged hybrid DLP system allowing to integrate different technologies of control of data transmission channels in a whole was created.

As a result of integration of the DeviceLock DLP DLP complex and a software platform of interception and the analysis of network traffic of Microolap EtherSensor into the uniform hybrid DLP system of the organization have an opportunity of simultaneous use of opportunities of two adjacent solutions with partially crossed functionality for ensuring DLP control of corporate information in different scenarios. Product management is exercised independently of each other, but at the same time the single database of event recording and shadow copying is maintained that allows to make identification and incident analysis of information security for the broadest spectrum of potential channels of date leak – from ports and devices before modern web services, on a centralized basis within one solution.

Microolap EtherSensor allows to control at the level of the gateway of access to internet use internal and external e-mail, web mails, including reading incoming mail social networks, forums and blogs and also SMS/ the MMS messages of users sent through specialized web services by the analysis of network traffic (including SSL/TLS traffic). Besides, are analyzed file transfer under protocols HTTP, FTP and to cloud storages, a wide number of messengers and job search services. The intercepted events of security are transferred to DeviceLock DLP for the subsequent storage and the analysis, including opportunities of full-text search in search server DeviceLock Search Server.

As network traffic control is implemented in DeviceLock DLP at the level of the workstation irrespective of a method of Internet connection and includes, in addition to recording, shadow copying and disturbing notifications, also a possibility of blocking of undesirable or inadmissible data transmission by contextual parameters or on the basis of the analysis of contents of transmitted data (content filtering), users of the hybrid solution DeviceLock DLP + EtherSensor have an opportunity to create selective DLP politicians with different levels of control and reaction to events. Besides, the possibility of simultaneous use of two different DLP technologies for network traffic control increases reliability of a hybrid system in the solution of a problem of prevention and identification of information leaks.

Sharing of DeviceLock DLP and EtherSensor solves several problems and the tasks facing Information Security Services at once — monitoring of network traffic from computers and mobile devices on which for technical reasons it is impossible to set or operate the Endpoint-agent, or decrease in load of workstations of users due to separate control of different network services and protocols at the different levels. For example, when a part of network applications is controlled by the Endpoint-agent with the deep analysis of contents and decision making in real time, and other part of loading is given to work to the setecentrichny DLP platform for interception and the analysis at the level of perimeter. At the same time to users remain all functions of control (blocking, monitoring and the disturbing notification) access to devices and local ports, including removable drives, a clipboard data and to the channel of printing are completely available that is possible only when using Endpoint of the DLP agent, emphasized in Smart Line Ink and Mikroolap Teknolodzhis.

Automatic switching or shutdown the DLP politician for network traffic control in the agent of DeviceLock DLP depending on existence of connection to corporate network and/or corporate servers allows to set flexible control of the mobile employees using laptops and notebooks when, for example, at the level of the agent when finding the laptop at office control of devices, printers and critical network applications and services is retained — in particular the using End-to-End enciphering which analysis is essentially unavailable at the level of perimeter, and control and inspection of other network protocols passes to EtherSensor.

The joint integration solution is a confident step to creation of the hybrid DLP system combining the best qualities of approaches of the Network of DLP (Microolap EtherSensor) and Endpoint DLP (DeviceLock DLP) providing the organizations the maximum control over observance of security policies in large corporate environment thanks to significant increase in width of a scope of data transmission channels and the qualities traced by security DLP event system — Eduard Smirnov, the CEO of Microolap Technologies said.

The synergy of solutions of two developers received as a result of integration gives the chance as to the largest companies of Russia in about tens and in hundreds of thousands of jobs which are nowadays using our developments independently of each other and the smaller organizations to broaden area of a scope and flexibility of DLP control of data streams in the organization — Ashot Oganesyan, the technical director and the founder of DeviceLock reported.