SearchInform EndpointSniffer

EndpointSniffer will allow the organizations to fight effectively against information leaks directly in workplaces, including, and against the leaks happening through the corporate notebooks and netbooks used by personnel.

In recent years the increasing number of employees of both the commercial, and state organizations began to use in the work the portable computers allowing to have near at hand necessary information and programs both in a workplace and in a business trip or at home. At the same time, laptops are not only the convenient working tool, but also serious threat for corporate information security as, being beyond limits the controlled employer of network, the employee can report confidential corporate data from the notebook to the third parties.

The new product of SearchInform company solves this problem, allowing to control the traffic transferred from corporate laptops and outside corporate network. During operation the employee of the house or in a business trip EndpointSniffer collects data sent them which will be transferred for the analysis to department of information security at once as soon as the laptop appears in corporate network again. Also EndpointSniffer is effective during the work at stationary workstations, representing to the security expert an opportunity to perform interception of all user traffic directly on the client computer.

Now work with the data sent via e-mail (IMAP/MAPI/SMTP/POP3, including through the last two protocols with enciphering), instant messaging systems (ICQ, Jabber, MSN Messenger), FTP, Skype is supported. Also the documents transferred to printing are intercepted. In case the employee is not connected to corporate network a progressive tense and SearchInform EndpointSniffer exhausts the disk space which is taken away for storage of the intercepted data, new data automatically register atop the oldest.

The module EndpointSniffer installed on workstations or laptops carefully hides the presence on the user's computer and to detect it not easy even to the qualified specialist. Important feature of EndpointSniffer is also the possibility of full monitoring of actions of users on terminal servers as at other methods of interception of the user traffic in such networks user identification is complicated.

EndpointSniffer is effective not only when conducting the internal investigations connected with already occurred incidents in the field of information security but also for identification and prevention of systematic leakages of confidential data.

SearchInform EndpointSniffer is a component of the complete solution "Circuit of Information Security of SearchInform" allowing to control information flows and to protect from leakages of confidential data of the organization of any size and any pattern of ownership. Thanks to a full integration with domain structure of Windows security experts can reliably and unambiguously identify the employee who sent confidential information out of limits of the organization. And the unique patented search algorithms will allow to detect in the intercepted traffic even those corporate documents which were specially changed by the sender for difficulty of their detection.

SearchInform EndpointSniffer 3

SearchInform EndpointSniffer 3.5

Solution performance which increased almost on two orders which can be used for work at much bigger number of workstations and laptops now became a key innovation in upgraded version of EndpointSniffer 3.5, reported in SearchInform. Thanks to internal optimization the server has an opportunity to service bigger number of the agents set on the user computers, avoiding at the same time the delays caused by load of the server at traffic handling. Also an agency part of a product which loads network and the server due to reduction of volume of transmitted data less now underwent optimization.

In addition, in SearchInform EndpointSniffer 3.5 the search capability on attribute of the ciphered data is for the first time implemented that will allow security experts to trace the suspicious files accepted and transferred by users. Are also optimized work of a product in the big networks consisting of a set of domains and interaction with the working groups. For audit of the software user set on the computer in the new version of a product own agent is used now.

SearchInform EndpointSniffer 3.6

Implementation of the new module – MonitorSniffer became a key innovation of this version of EndpointSniffer. MonitorSniffer is intended for interception of information displayed on monitors of users. MonitorSniffer operation principle - in fixation through the configured intervals of contents of the user screens and preserving them in a graphic format in the database under control of the Microsoft SQL Server. Besides, MonitorSniffer allows to control contents of screens of the selected users in real time. SearchInform MonitorSniffer is a component of the complete solution "Circuit of Information Security of SearchInform" intended for control of information flows and data loss prevention in the organizations.

As for other innovations of EndpointSniffer 3.6, among them - full support of terminal servers thanks to what there was a possibility of full control (interception) of activity of the users working in terminal sessions (remote connections, including through "thin" clients in workplaces).

Optimization of data processing on the server became one more feature of upgraded version of EndpointSniffer that will allow to control a bigger number of workstations without the need for updating or installation of additional servers. Also the interface of the managing console is considerably simplified that does a product more "friendly" and clear even for unprepared users.

As the technical director of SearchInform Gallatin Andriy, "thanks to emergence of MonitorSniffer noted, the new version of EndpointSniffer will allow the large organizations to control more effectively activity of employees at workstations. EndpointSniffer which are carried out by us optimization are directed to significant fall forward of data processing on the server that gives to corporate customers the chance to use the available resources for control of the bigger park of the user computers even taking into account the increased number of modules and controlled channels of communication".

SearchInform EndpointSniffer 4.0

The new version of SearchInform EndpointSniffer supports the premises of the mailings containing the suspicious text or investments in "quarantine". The information security specialist can, having browsed these letters, to make the decision on permission or prohibition of their further transfer to the addressee.

Also in new SearchInform EndpointSniffer support of interception of protocols of instant messaging (IM) at workstations of users is implemented. Work with all protocols which were controlled by the SearchInform IMSniffer application, including chats of popular social networks earlier that allows to provide more security blanket of laptops out of corporate network is supported. At this SearchInform EndpointSniffer allows to perform, unlike SearchInform IMSniffer, interception of the data transferred on the channel protected using SSL enciphering. In particular, interception of mail sent via the Web interface of a popular mail service Gmail is possible.

In the new version of SearchInform EndpointSniffer the compatibility of the program with antivirus software is improved that significantly simplifies setup as EndpointSniffer and antivirus software at their sharing. In particular, now it is possible to execute once configuring for almost any corporate antivirus, without changing further setup when updating antivirus software and SearchInform EndpointSniffer.

Besides, in the new version of a product there was an opportunity to configure exceptions for monitoring of traffic on hosts that is useful, for example, when the Web applications working from the browser do not allow monitoring of HTTPS. At the same time all other HTTP and HTTPS traffic will still remain under control.

SearchInform EndpointSniffer 4.1

The module EndpointSniffer intended for protection against date leaks at workstations of users and corporate laptops in the new version supports adding in exceptions of folders, processes and properties of files that allows to reduce the volume of the "garbage" data which are obviously not bearing information on possible leaks. An opportunity to automatically add an exception on agents is implemented: in unsuccessful attempts of connection on the protected protocol the exception which will be displayed in the server console automatically will be created and will allow the security department specialist to customize quickly a system for correct work with the clashing software. Determination of processes is executed according to information now in the EXE file to which process belongs that gives the chance to distinguish processes with identical names. Also in the new version of the module there was an opportunity to see the number of agents set and active at present.

Updating of the beginning of 2013

The new version of SearchInform EndpointSniffer – a product for prevention of leakages of confidential data and control of information flows at workstations of personnel and corporate notebooks – appeared a possibility of queued updating of agents that allows to make this process completely imperceptible for end users. At activation of this option the loaded updates will become effective only after reset of a system. Also SearchInform EndpointSniffer can receive the list of users not only directly from the Active Directory now, but also from the SearchInform DataCenter database. From this base updated at each synchronization of a product with the Active Directory, SearchInform EndpointSniffer reads out domains and users in them that allows to reduce the number of addresses from a component of Circuit directly to AD. Among other improvements, information security specialists had an opportunity to perform a stop and start of agents through the EndpointSniffer menu.

In the SearchInform Endpoint Sniffer platform intended for interception of traffic through agents at workstations and laptops of employees the user component was improved. Now the security officer can install or uninstall all protocols (Mail Sniffer, IM Sniffer, HTTP Sniffer, etc.) in one click. For simplification of work function of exceptions on computers on which it is impossible to install agents was improved. Also there was a possibility of transfer of agents to offline mode. In case of need, information from agents can directly be accumulated by machines of users, and be sent for the analysis to the preset time (for example, at night). Thereby became possible significantly to lower load of network of the enterprise in working hours. As practice showed, similar approach is actively applied in the organizations with small capacity of the channel.

Range of controlled channels in Endpoint Sniffer was replenished with Facebook Messenger – the popular client allowing to communicate in Facebook without the browser. The functionality and DeviceSniffer extended: the possibility of complete access control to scanners, support of Windows Portable Device technology and also access control of record of files on devices on their expansion was implemented. In other words, on external carriers it is possible to limit record of separate types of files, for example Word documents now. Support of WPD, in turn, is necessary as many employees even more often instead of USB drives use players, cameras, e-books, etc.

SearchInform EndpointSniffer 5.0

First of all the architecture of the platform was changed. Earlier for full control of SearchInform EndpointSniffer information channels it was necessary to use together with the network SearchInform NetworkSniffer platform, responsible for "analysis" of traffic under some protocols. In version 5.0 EndpointSniffer completely incorporated this functionality, having become completely autonomous product. In other words, now the platform can independently intercept and analyze any traffic:

• entering and the outgoing e-mail (including protected), including transferred and received through webmail services;
• messages of Internet pagers (ICQ, QIP, Mail.Ru the Agent, JABBER, etc.) and also communication on popular social networks (Odnoklassniki, LinkedIn, Facebook, etc.);
• voice and text messages of Skype, the transferred files and the SMS;
• information written on different external devices (for example, USB USB sticks, CD/DVD disks);
• information sent to Internet forums, blogs and other web services;
• information transferred under the FTP protocol;
• contents of the documents sent to printing;
• transactions with the files which are stored on servers and in the shared network folders;
• information displayed on monitors of users;
• activity of the employees working with corporate mobile devices based on iOS;

  Nevertheless, the network  SearchInform NetworkSniffer platform intended for control of network activity of employees will still remain in a portfolio of offers of the company, and works on improvement of this product are continued. The release of the 64-bit version of SearchInform NetworkSniffer became confirmation of it. For the realization account of more advanced architecture, the platform had an opportunity to work with even more serious loadings without performance penalty. This aspect is especially critical for the large organizations. Also in the updated SearchInform NetworkSniffer, in the module Mail Integration, in addition to increase in speed of analysis of letters, the possibility of reading of letters from several mailboxes was implemented at once. In other words, at integration into mail servers, there was an opportunity to read letters at once in several flows.

In addition to changes of architecture, in SearchInform EndpointSniffer the new modules expanding features for interception of information on endpoints were added. Were a part of the platform:

• ProgramSniffer is the module keeping account of activity of users in the started applications throughout the working day; Time which the employee spends in each application Is fixed. Further, on the basis of collected information detailed reports on efficiency of use by employees of working time can be constructed. This module appeared on numerous wishes of clients of SearchInform.

• LyncSniffer is the module which is responsible for interception of information from Microsoft Lync (chats, calls, the transferred files). Today LyncSniffer is the only solution intercepting both text, and voice communications of employees in Microsoft Lync. It should be noted that the SearchInform company not for the first time acts as the pioneer. So, in 2008 the company released the product SkypeSniffer – the only solution capable to intercept text and voice messages of Skype, the transferred files and the SMS. Other vendors could implement similar interception only last year.

2016

Control of branches with a "narrow" communication channel

On February 24, 2016 the SearchInform company announced release of the upgraded EndpointSniffer platform. The update of a system will help to resolve more effectively tasks of information security at remote offices of the companies.

Screenshot of the EndpointSniffer (2015) window

For implementation of the Circuit of information security in geographically distributed branches of the company, in each of which a small amount of workstations and/or a "narrow" communication channel with head office is used, the EndpointSniffer Hub component is added to the platform.

Mechanism of operation of the EndpointSniffer Hub console:

• data from workstations are intercepted by agents and transferred to ES Hub.
• data are filtered, processed, contract, are ciphered.
• the intercepted information according to the schedule and other settings arrives on a primary server of EndpointSniffer.

The upgraded functionality of SearchInform EndpointSniffer will help:

• optimize load of data transmission channel. The main data transmission channel will not be involved in hours of peak loads, agents of the Circuit of information security of SearchInform will report data on a local network to EndpointSniffer Hub, and in due time – to a primary server.
• create the general base of the intercepted documents. EndpointSniffer Hub in different branches transfers the intercepted data to a primary server of SearchInform EndpointSniffer. He keeps the centralized processing and record in uniform base of interception.
• to manage on a centralized basis set on places to EndpointSniffer Hub through a primary server of SearchInform EndpointSniffer.

The EndpointSniffer Hub installation helps to save on equipment procurement and software for branches (OS, DBMS). ES Hub has less serious system requirements, than a primary server of SearchInform EndpointSniffer.

The EndpointSniffer Hub component is delivered to the acting clients free of charge.

Access control to information and the software controlled installation

The SearchInform company presented in March, 2016 upgraded version of the EndpointSniffer platform which will allow to set individual rules of protection of computers and information placed on them.

Access control to folders and disks

• Rules "Access to Folders"

Now the platform allows to block access to certain folders and their contents to all users, except for specified. Access control is exercised using setup of the rules "Access to Folders".

• Rules "Access to Disks"

Similarly updated system allows to manage access to logical disks and their contents. Setup of rules allows to permit access to all disks of certain workstations only to the specified users, other users access to all disks (except for system) will be blocked. Access restriction also extends to the connected disks having logical name (for example, F:).

The ability to manage accesses will be useful to services cybersecurity: security officers will be able "to close" folders and disks with confidential data for all, including system administrators. Actions in these folders / disks do not get to audit.

"If earlier the agent Kontura of information security of SearchInform was intended for control of information flows (and the employees, respectively), then now its development happens also in the direction of protection, – the technical director of SearchInform Mershkov Ivan comments. – In any organization there are people who work with confidential data of the highest level, – and prohibition of access to them and to their computers does a security system of even more reliable.

Take, say, the top manager or the security officer on whose computers always the mass of the files closed for the third parties. It is possible just to monitor that information did not fall into "the left hands", and it is possible to prohibit access and to exclude a possibility of leak".

Software controlled installation

The updated platform allows to block also installation of undesirable software on workstations. The agent takes a picture of a system, fixing the list of the installed programs. In attempt of new installation (including through MSI a packet) there is a blocking.

Such opportunity optimizes work of IT department. However first of all updating is focused on top management and cybersecurity departments which information at workstations is of special value.