Solar Dozor DLP system

Developers: Rostelecom-Solar (formerly Solar Security)
Last Release Date: 2020/01/13
Technology: Cybersecurity - Information leak prevention (DLP)


Solar Dozor is intended for controlling employee communications, identifying early signs of corporate fraud and conducting investigations. As a classical DLP system, Solar Dozor monitors, filters and analyzes each message for the presence of confidential information. In addition, Solar Dozor accumulates all employee correspondence, which allows retrospective analysis and investigations across the entire volume of saved communications.

2020: Compatibility with Red OS

On January 13, 2019 RED SOFT reported that Solar Dozor, a system for preventing leaks of confidential information, had successfully passed compatibility testing with RED OS, a Russian operating system of the Linux family. Following the work carried out, Rostelecom-Solar and RED SOFT signed a bilateral certificate of compatibility.

We consider technology cooperation with software developers to be one of the foundations of successful business development in IT. On the Russian information security market, systematic work is under way to prepare state companies for import substitution. Rostelecom-Solar, for its part, aims to help these companies make an easier and trouble-free transition to Russian developments by providing maximum compatibility of its technologies with domestic systems of other classes. Compatibility of our flagship product Solar Dozor with the domestic RED OS is one of the major steps in this direction,
noted Galina Ryabova, director of the Solar Dozor product center at Rostelecom-Solar.

Using the Solar Dozor system in the RED OS environment will allow the client to ensure a high level of information security for its processes. Together with our partners, we are glad to provide one more import-independent solution,
commented Rustamov Rustam, deputy CEO of RED SOFT.


Solar Dozor 7

On October 8, 2019 Rostelecom-Solar announced the market launch of the Solar Dozor 7 DLP system with an integrated module for advanced analysis of user behavior, Solar Dozor UBA. The system solves a wide range of security problems that go beyond leak protection and uses automated analysis to reveal early signs of violations by company staff.

Rostelecom-Solar presented Solar Dozor 7, a new-generation DLP system with a module for advanced analysis of user behavior (UBA)

According to the company, Solar Dozor 7 is a next-generation leak protection system based on the advanced concept of People-Centric Security. This concept means that the information security service moves from monitoring hundreds and thousands of notifications about data incidents to analyzing employee behavior and identifying deviations in it.

A module for deep analysis of user behavior (UBA, User Behavior Analysis) became part of Solar Dozor 7. The module automatically reveals anomalies in the behavior of company staff that can indicate early signs of corporate fraud, emerging corruption schemes, preconditions for information leaks, etc. This gives security services the chance to work with risks preventively, using automated analysis tools.

As of October 2019 we clearly see two trends in the development of DLP systems. On the one hand, the capabilities of leak protection systems have gone beyond tasks lying only in the field of information security. They are becoming an effective instrument of risk reduction in the economic, internal and personnel security of companies. On the other hand, information security itself is broadening its view of the world, moving from the analysis of events and data to a security strategy focused on the person.

said Galina Ryabova, director of the Solar Dozor product development center at Rostelecom-Solar.

The analysis methods of the Solar Dozor UBA module are based on algorithms of the unsupervised machine learning class, which do not require preliminary tuning or adaptation of the system to operating conditions. The system analyzes employee behavior in two directions at the same time. On the one hand, each employee is observed on a set of indicators that are measured with high frequency and take into account personal behavioral features, business context, role in the team and some other factors. A user's activity history accumulated over 2 months is enough to determine his stable behavior and to begin detecting anomalies in it. These figures were obtained during trials of Solar Dozor UBA technology at a number of companies with 1000 or more staff.

On the other hand, the Solar Dozor UBA module identifies the employee groups that are most vulnerable from a business point of view and the employees with suspicious behavior, assigning them to different behavior patterns (combinations of behavioral features and anomalies). As of October 2019 the system has about 20 patterns, among them "dead souls", employees with anomalies in external communications, employees with shadow personal contacts (so-called private ego networks), etc. For each pattern, dangerous trends are monitored continuously in near real time.

Information collected by the UBA module has significantly enriched the File module of the Solar Dozor 7 DLP system. It now concentrates the most complete information about a person (an employee, an employee group or other participants in communications) and, together with quick end-to-end search and configurable data views, is an optimal environment for conducting investigations that has no analogs in other DLP systems. Profiling of personnel by working-time usage indicators has also become available.

Solar Dozor 6.8

On May 28, 2019 Rostelecom-Solar reported that it had released an upgraded version of the Solar Dozor DLP system. Its key improvements were a completely updated agent for workstation control, control of communications in Viber, protection of confidential design documentation, and support for ICAP traffic from different proxy servers.

According to the company, in creating this version of Solar Dozor the developers focused on reworking the Dozor Endpoint Agent module, which is intended for controlling employee activity at workstations. In particular, the interception mechanism for the HTTP/HTTPS, SMTP, POP3 and IMAP protocols was seriously improved, and the stability and speed of the module were increased. The Viber messenger was added to the list of controlled communication channels.

Message card with the intercepted Viber conversation

In addition, in order to support virtualization technologies, which as of May 2019 are widely used in modern IT infrastructure, Dozor Endpoint Agent now supports the Citrix VDI "golden image", which allows the agent to be installed on virtual machines together with a standard office software package (Microsoft Office, 1C, etc.).

In the development strategy for the Solar Dozor DLP system, our priorities are not only increasing the number of functions but also the depth of their elaboration.

Real-time processing of ICAP traffic from different proxy servers became an important step forward. The same rules can be applied to data transferred over the ICAP protocol as to messages on other channels. In particular, a special "Block ICAP" action appeared in the policy, which makes it possible to prohibit both sending data to web resources and downloading from them. In addition, the integration of Solar Dozor with the web traffic control module Dozor Web Proxy was developed further. The security officer can now keep a single file on an employee, an employee group or a partner: all changes made in Dozor Web Proxy are reflected in Solar Dozor and vice versa.

Solar Dozor 6.8 has a specialized capability to automatically identify files of CAD engineering packages and to extract text information from them (data from drawings, schemes, specifications, models, etc.). The DWG, STL, STEP, ADEM CAD, M3D and other formats are supported.

Integration with Microsoft Active Directory (AD) was developed considerably in this version. The security officer can now access the system without entering a login and password: the credentials entered when logging in to the OS are used. The Kerberos protocol is used for authentication.

To make it easier to visually distinguish the data of persons imported from AD, the upgraded version has Organizational Unit and Security Group indicators that help when searching for objects in the system, configuring policy and in other situations where it is necessary to know the type of group a person belongs to. In addition, data about a person can now be loaded from several AD instances, which is important, for example, for companies that are in the process of a merger or acquisition. Duplication of accounts is excluded: duplicates are automatically merged into one card.

Section of the File: indicators of types of the OU and SG groups

To speed up incident response, search capabilities were refined in Solar Dozor 6.8. An event or incident can now be found by its number (identifier). In addition, Solar Dozor has two object search modes, quick and advanced. However, in certain cases a quick search in the message text with the ability to choose complex attributes, as in advanced search, can be necessary. This option appeared in this version and allows the necessary information to be found more precisely and quickly.

Control of user actions was also improved: the user action log now displays the most detailed information, including the IP addresses of devices and actions with policy objects, user roles and system reference books.

Module Solar Dozor Web Proxy 3.0

On February 12, 2019 Rostelecom-Solar announced the release of the next version of the Solar Dozor DLP system's module for web traffic control, Dozor Web Proxy 3.0. According to the developer, all changes, from the updated graphical interface to automatic synchronization of the employee's file between the Dozor Web Proxy module and the Solar Dozor DLP system, are designed to simplify and speed up the work of cybersecurity specialists. According to the company's statement, the release of Dozor Web Proxy 3.0 is the first step toward spinning the module off into an independent Rostelecom-Solar product line.

Solar Dozor Web Proxy 3.0

Dozor Web Proxy 3.0 has an updated interface for managing security policy rules, and the logic of working with them was completely changed. In this version, security policy rules are grouped into layers (rule sets), each of which performs certain tasks: authentication exceptions, HTTPS decryption, redirection to ICAP, and filtering of requests and responses. Layers are displayed in the interface in the order in which Dozor Web Proxy 3.0 processes policy rules. According to the developer, this approach allows the security officer to configure rules more conveniently and quickly.

As noted by Rostelecom-Solar, working with security policies became simpler thanks to the change in the visual representation of rules from a tree to a table. In addition, the security policy elements used to build rules are grouped by how frequently they are used during setup.

"When developing Dozor Web Proxy 3.0 we were guided first of all by the speed and convenience of cybersecurity specialists' work with the system. The ergonomics of the solution are no less important to us than its functionality. Simplifying the interaction of security officers with all Solar Dozor modules is part of the unified development strategy for our DLP solution."

Dozor Web Proxy 3.0 automatically synchronizes the employee's file, a crucial analytical element, with the Solar Dozor DLP system, which ensures that information on a specific person is always complete regardless of the tool used, Rostelecom-Solar emphasized.

According to the developer, notable changes also affected the web proxy configuration mechanism implemented in previous versions. The ergonomic configuration settings interface allows quick search of traffic filtering and access parameters for users and applications according to the system administrator's main tasks.

Dozor Web Proxy 3.0 implements functionality for more flexible management of authentication settings for applications' access to the Internet. In this version it is possible to configure exceptions for applications that do not support authentication, for example software update services, banking and similar applications. Some hosts also need Internet access without authentication, for example servers equipped with antivirus protection. Authentication exceptions can be set in both transparent and non-transparent proxy operation modes, Rostelecom-Solar noted.

As of February 2019, Dozor Web Proxy is entered in the Unified Register of Domestic Software (No. 2874) and can be used to replace foreign analogs. Preparation for certification of the solution by FSTEC of Russia is under way.


Solar Dozor 6.7

On November 23, 2018 Rostelecom-Solar released the next version of the Solar Dozor DLP system. According to the company, version 6.7 implements functionality that strengthens counteraction to violations of the rules for storing confidential information in the corporate environment and protects against users entering critical corporate data into different applications.

The key feature of Solar Dozor 6.7 is active counteraction to violations of the rules for storing confidential information in the corporate environment using the File Crawler module. The information security officer can now configure File Crawler so that files found during scanning that violate the cybersecurity policy are automatically moved to a safe storage location (the quarantine directory).

As of November 2018 this function is unique on the domestic market. It allows a leak of confidential information to be prevented without waiting until the security officer notices the violation and takes the necessary measures to eliminate it.

Galina Ryabova, head of Solar Dozor product development

In addition, this version implements interception of data entered into different applications from input devices. The point is that many applications encrypt the data passing through them. So that the cybersecurity officer can check what users of corporate information systems enter into different applications, this version implements functionality that intercepts the data before it reaches the applications. In particular, Solar Dozor 6.7 intercepts data erased with the BACKSPACE key, PrintScreen key presses (control of screenshots), various keyboard shortcuts processed by applications, logins and passwords entered by users, etc. The security officer can configure interception of only the information that is especially critical for the organization.

As of November 2018 the system also makes it possible to see the events that took place at the workstation (terminal or remote desktop) for several minutes before and after data was entered into the application. For this purpose, a search for the screenshots closest in time is implemented directly in the log for each record.

To help the cybersecurity officer analyze network traffic more conveniently, Solar Dozor 6.7 adds a feature for filtering out identical messages that have matching headers, user actions and types of those actions, and also the date and time of the actions. The function is intended to reduce interception of uninformative traffic.

In addition, the binding of files to messages for interceptions on mail resources, set by default in the ICAP/ICAPS server operation modes, is implemented. Files are not intercepted right after upload; depending on the resource, they are attached to the interception of the message being sent and/or the draft being saved. Attachments are exported on a timeout if the user did not send the message during this time.

Integration with EDMS CompanyMedia

On August 16, 2018 it became known that Rostelecom-Solar and INTERTRUST had completed the integration of their products: the CompanyMedia EDMS, the Solar Dozor DLP system and the Solar inRights IGA platform. Their joint use will allow customers to differentiate employees' access rights in the electronic document management system and to protect themselves from leaks.

Integration into FortiGate firewalls

The Solar Dozor data leak protection solution from Solar Security and FortiGate next-generation firewall virtual appliances from Fortinet have been tested for compatibility. Solar Security reported this on May 7, 2018.

The DLP solution controls the activity and communications of employees at workstations, in the corporate network and on the Internet. Technically, this functionality is provided by modules that are deployed in the customer's infrastructure during an implementation project and control different types of traffic.

FortiGate next-generation firewall virtual appliances monitor traffic in order to block access to infected websites and the use of dangerous applications, and also to prevent virus infections and provide proactive protection against intrusions. When integrated with Solar Dozor over ICAP, all web traffic passing through FortiGate next-generation firewall virtual appliances is sent to the DLP system for analysis.

After that, Solar Dozor builds maps of employee communications, profiles their behavior and detects anomalies, which makes it possible to reveal and prevent information leaks with high accuracy, Solar Security explained.

"Integration with Fortinet solutions will make the Solar Dozor implementation process simpler and quicker, as it will make it possible not to deploy additional tools for collecting and interpreting web traffic, but to use a solution that in most cases is already installed at the customer. Thus, we will be built into the existing infrastructure without the need to purchase a web proxy module from us or from other producers of similar systems," said Vasily Lukinykh, business development manager for Solar Dozor at Solar Security.

Solar Dozor 6.6

On April 11, 2018 Solar Security, a developer of products and services for targeted monitoring and operational management of information security, presented Solar Dozor 6.6, the next version of its system for controlling employee communications, identifying early signs of corporate fraud and conducting investigations. Solar Dozor 6.6 controls the actions of privileged users and protects confidential data in the cloud.

The developers built a cloud crawler into version 6.6. It is a specialized tool that allows the security officer to scan the cloud storage used by employees.

"Microsoft Office 365 has been widely adopted in the corporate segment, so first of all we implemented OneDrive audit, for both corporate and public cloud storage. In the future we are going to scale this technology to other cloud services as well. The security officer should have the opportunity to control information regardless of where it is stored," said Vasily Lukinykh, business development manager for Solar Dozor at Solar Security.

In addition, according to the developers, the capabilities of Solar Dozor in this version were significantly expanded with functions for the DLP system's own security. Solar Dozor 6.6 offers business tools to "control the controllers": management of access rights and audit of the actions of DLP system users.

The flexible access rights management system makes it easy to manage user accounts and roles. The solution supports granular access control that differentiates rights to separate sections of the interface, objects and functions of the system.

The user action log of Solar Dozor 6.6 contains detailed records of who did what in the system and when. With its help it is possible to control the actions of both specific cybersecurity specialists and all users of the DLP system. If someone tries to perform inadmissible actions in the system, a notification about the incident is immediately sent to the interested persons.

Like every Solar Dozor update, version 6.6 includes interface improvements. In this case they concern the help system. Context help containing all information on the current section is now available to the user from any window of the DLP system. The help is designed in the uniform Solar Dozor style and supports instant search for the necessary information.


Integration with NeuroDAT SIEM

At the beginning of November 2017 Solar Security and the Center of Security of Information completed the integration of the Solar Dozor DLP solution and the NeuroDAT SIEM information security monitoring system. As part of the technology cooperation, an interaction scheme was implemented that allows NeuroDAT SIEM to be enriched with information on incidents from Solar Dozor.

Solar Dozor reveals and prevents internal threats to the company's information security. The solution collects information on the movement of confidential information and on the communications of company staff through corporate and personal mail, different messengers, web resources and many other channels.

In addition, unlike other DLP systems, Solar Dozor records not only the fact of an information leak but also non-standard, suspicious behavior of company staff. Such information is the result of complex analytics and helps to reveal an attack that is being prepared or covertly conducted and is invisible to classical leak prevention technologies.

The companies developed a connector that transfers this information from Solar Dozor to NeuroDAT SIEM. As a result, NeuroDAT SIEM now automatically generates different types of information security incidents based on analysis and correlation (comparison) of events using one more important event source.

"When integrated with Solar Dozor, NeuroDAT SIEM aggregates and analyzes events from sources that track not only external but also internal threats to information security. Thanks to this, the security officer receives a broad picture of events in the company from one console and can apply uniform analytical tools to all information on events. This makes it possible to reveal attacks in progress instantly and to react to them quickly," noted Vasily Lukinykh, business development manager for Solar Dozor at Solar Security.

"Considering that NeuroDAT SIEM collects security events not only from DLP systems, by using the event correlation mechanisms implemented in NeuroDAT SIEM, security officers will receive an additional instrument for reducing the number of false positives when detecting incidents connected with data leaks," added Ivan Aksyonenko of the Center of Security of Information.

Integration with MaxPatrol SIEM

In October Solar Security and Positive Technologies announced the completion of a project to integrate the Solar Dozor DLP solution with MaxPatrol SIEM, a system intended for identifying cybersecurity incidents in real time. Solar Dozor now transfers data to MaxPatrol SIEM, thanks to which the security officer receives a broad picture of cybersecurity events and incidents in the company, including data on the transfer of confidential information over different channels, from one source.

Solar Dozor 6.5

On October 12, 2017 Solar Security presented the next version of Solar Dozor, created to optimize the processes of configuring and self-diagnosing the system. The release includes a number of functions that simplify system setup as well as the deployment and management of agents.

Managing Solar Dozor 6.5 settings in the ergonomic interface became simpler. This is achieved through intuitive grouping and quick end-to-end search of system parameters.

In particular, the system for deploying and managing agents was refined. Version 6.5 allows the cybersecurity officer to centrally install agents on workstations, configure policies and track their status. In version 6.5 there is a card for each workstation that shows technical data about it, information on all users who logged in, the status of the agent, and whether the settings and policies are up to date. This allows the cybersecurity officer to control the smooth operation of Solar Dozor agents.

In addition, the cybersecurity officer no longer needs to turn to system administrators for up-to-date information about the state of the infrastructure, because Solar Dozor 6.5 has a tool for examining the local network for the appearance of new nodes and services, Solar Security specified.

So that Solar Dozor setup does not cause unnecessary difficulties, version 6.5 also implements interactive help that can be opened anywhere in the system interface.

Postgres Pro support

On September 19, 2017 Solar Security, a developer of products and services for targeted monitoring and operational management of information security, announced that the Solar Dozor system now supports Postgres Pro, a domestic fork of the PostgreSQL DBMS.

According to the developers, optimization of the event archive is an important part of Solar Dozor development. The product implements mechanisms for managing long-term and operational storage that remove limits on retention time and provide a long "investigation horizon" over any interval of time. Support for PostgreSQL was implemented in Solar Dozor 6.1, and thanks to a specially developed PostgreSQL partitioning system, data storage costs were reduced and the speed of scanning the archive was increased. The confirmed capabilities of the Solar Dozor archive are over 10 years of data storage and more than 850 TB of volume. In the latest version of the DLP system, full-text search over the archive takes only several seconds.

The Postgres Pro DBMS is included in the register of Russian software, which makes the combination of Solar Dozor and Postgres Pro an optimal solution for companies planning to replace foreign IT systems with domestic ones.

Solar Dozor 6.4

On April 11, 2017 Solar Security announced the release of version 6.4 of the Solar Dozor DLP technology.

This version increases the effectiveness of investigations and the convenience of working with the system. According to the developers, at each stage Solar Dozor 6.4 helps the security officer obtain the necessary information faster, save time on routine operations and do more work with less effort[1].

Solar Dozor 6.4 offers the security officer a new tool, summary analytics on a person. The "summary analytics on the person" contains a complete report on the employee's activity: the main information, statistics on events and incidents, connections, communications and files. The report is laid out so that it can be sent to a manager at once, presented at a meeting or attached to the employee's personal record in the HR department. It can be displayed in the web interface or exported as a PDF file for printing.

One more instrument for optimizing investigations is the analysis of the archive of employee e-mail created before the DLP system was implemented. The mail server scanning function helps to "look into the past". Any mail server, cloud or public e-mail service that supports the IMAP protocol can be connected to Solar Dozor 6.4 and its archive of correspondence analyzed by applying the policy and filtering rules. This reduces the time needed to obtain the first results in pilot projects, because after the first scan the cybersecurity service obtains information on incidents that took place before Solar Dozor was implemented.

Solar Dozor's own proxy server, Solar Dozor Web Proxy, now works in transparent mode, including for SSL-encrypted traffic. This approach makes it possible to use all capabilities of the proxy server without entering additional Internet connection settings at workstations. They are simply connected to the network, and all web activity of employees, including encrypted traffic, comes under control.

More than 100 changes were made to the Solar Dozor 6.4 interface. The interface makes it possible to quickly create an incident from a message, add a person to a special control group, find objects in the file, policies and information objects, leave comments on an incident card, and more.

Solar Dozor 6.4 implements "Breadcrumbs" functionality. It makes it possible to view the last 10 actions in the system and, if necessary, quickly return to them. This simplifies the security officer's routine tasks when, while working with the DLP system, he has to make many mouse clicks in a minute, moving from the main branch of an investigation to side branches. The user no longer needs to keep the chain of actions in memory in order to quickly return to the main branch.

From the very beginning we aimed to create a product different from other solutions on the Russian DLP market: optimized for analytics, convenient to work with and focused on the comfort of the user to the same degree as on the use of technologies. In Solar Dozor 6.4 we continued to develop the security officer's analytical tools, concentrating on simplifying the process of investigating incidents. In addition, we are convinced that a DLP system should adapt to the user, and not vice versa. Therefore most of the work on the release was devoted to usability improvements. As a result, in spite of the fact that Solar Dozor 6.4 is built on the most complex technologies, the system became simpler and more convenient to use.

Galina Ryabova, head of Solar Dozor at Solar Security

Solar Security and Kraftway will present the joint protected solution

Solar Security announced the beginning of a technology partnership with Kraftway. The partners will bring to the market a joint solution aimed, first of all, at public sector organizations, which impose increased requirements on the security and origin of infrastructure solutions.

The joint development is a hardware and software system that includes the Solar Dozor system for protection against internal threats deployed on trusted Kraftway servers. They can run one of the certified domestic operating systems, including Astra Linux Special Edition 1.5 (Smolensk release), "GosLinux" or Zircon 36K.

Kraftway hardware is developed to raise the level of trust and implements the trusted platform concept. The increased security of Kraftway servers is achieved through the use in their architecture of motherboards developed in Russia and of the source code of the embedded firmware of key components (motherboard BIOS and microcontroller firmware). Information protection and control mechanisms are deeply integrated into the motherboards at the design stage and start at the earliest stage of device operation, before the operating system starts, with guaranteed execution priority over all other hardware and software functions. Specialized in-house software tools for collecting and processing security event data and for infrastructure monitoring and management are also installed on all of the company's servers. Manufacturing the equipment at a plant in Russia, with the ability to integrate special checks and studies into the production cycle, reduces to zero the probability of undeclared capabilities and covert control channels in the server hardware.

"State information systems are becoming an increasingly attractive target for cybercriminals, who act boldly and with sophistication," noted Shumilov Maxim, associate director of the business development department at Kraftway. "In modern conditions, solving information security problems is impossible without taking into account the vulnerabilities that lie below the OS level, in the firmware on motherboards and in the firmware of microcontrollers. Hardware and software systems built on Kraftway trusted platforms are free of such vulnerabilities and have additional functionality for repelling low-level attacks on information infrastructure. Therefore, using trusted Kraftway server hardware as the hardware basis allows software developers and integrators to bring to the market modern, reliably functioning, tested systems that will help state organizations and enterprises create a truly effective system of preventive protection of confidential and classified information."


Hardware and software system for monitoring employee communications announced, based on Solar Dozor and AMT InfoDiode

In November, Solar Security and AMT GROUP announced the creation of a hardware and software system for monitoring employee communications and identifying early signs of corporate fraud in companies with isolated protected environments. The solution is built on the Solar Dozor and AMT InfoDiode products.

The development is aimed primarily at the public sector, including law enforcement agencies, at industry and the fuel and energy complex, and at commercial enterprises in any industry that use isolated segments of network infrastructure. Using DLP systems in such organizations imposes certain restrictions on the storage and processing of the analyzed data. Even if collection is performed in an unprotected segment, the analysis and storage of information must take place in a closed perimeter that is inaccessible from outside. This provides reliable control of employee communications and guaranteed confidentiality of corporate information.

The hardware and software system is Solar Dozor 6 deployed in the open and closed segments on protected InfoDiode servers separated by a hardware unidirectional gateway. Using Solar Dozor 6 together with AMT InfoDiode makes it possible to guarantee protection of critical segments against external threats and, therefore, to provide an unprecedented level of security for controlled export and import of information. Data collection and filtering are performed on both servers, but all data obtained in the open segment are transferred to the closed segment, where they are stored and processed.

Data can be transferred both over application-layer protocols (FTP, SMTP, CIFS, etc.) and over transport-layer protocols (TCP, UDP). The solution consists entirely of Russian components, both in software (including the Russian certified operating system Astra Linux) and in hardware.

Solar Dozor 6.2

On September 28, 2016, Solar Security announced the release of Solar Dozor 6.2.

In Solar Dozor 6.2, in addition to the usual analyst's desktop, a feature called "Desktop of the Head" is implemented. It is a section of the control panel that gives the head of the cybersecurity department or the business customer of the DLP system the information needed to analyze the operational situation.

The main purpose of this feature is to help the head of the cybersecurity department manage the subordinates who use Solar Dozor. On one screen, the head of the cybersecurity service can see summary information on the number of events and incidents, how many of them have been processed or are under review, and who is responsible for analyzing a given event, and can browse the latest reports created by security officers[2].

Graphical widgets on the head's desktop give a higher-level, general view of the situation in the company, the dynamics of the number of incidents and the level of threats. The widgets are grouped to give the head of the cybersecurity service the data needed to quickly assess and adjust the work of the analysts who handle incidents.

This version of Solar Dozor implements search for related messenger messages and their display as conversations. According to the developers, this familiar and clear presentation makes it possible to judge whether a system alert is an incident, and simplifies and speeds up investigations.

So that the security service can be confident that employees' workstations are under control, Solar Dozor 6.2 tracks and displays the activity status of agents. When viewing the list of persons in the corresponding group, or a person's card, the security officer gets information on whether the agent is present on the workstation and on its activity.

Many DLP systems still remain a kind of "black box" for users: they notify about individual cybersecurity events, but do not help the security officer form a unified picture of what is happening in the organization. We care that the analytics in Solar Dozor are transparent and clear, and for this purpose we constantly work on improving reports. The desktop of the head is the next step in this direction: it brings together all top-level analytics, providing a complete and coherent view of the situation in the company.

Solar Dozor 6.1

A new analytical tool in Solar Dozor 6.1 is the "heat map of communications", which visualizes the intensity of employee communications or the movement of information, with the intensity of communications per channel coded in color. This tool lets the security officer quickly assess the situation and see potential risks and "hot spots". Using it, the security officer can build a graphical map for an information object or person of interest.

The functionality for monitoring users through analysis of screenshots of their workstations is also expanded. Screen capture can be configured on a schedule, on a specified key sequence, or on an active user window or application, for example on pressing PrintScreen in a CRM window, the ERP system or a design application. All screenshots are now included in the "dossier on the person". For convenient display, search and visualization, the screenshot database is presented as a modern gallery familiar to users, which supports various filters, for example by the name of the active application. It is also possible to obtain the list of processes and applications running on the workstation at the moment a screenshot was taken.

Another new tool is the extended communication map of information objects, which contains statistics on all communications related to the transfer and storage of information objects over a specific time frame. Previously it was possible to view the communication map of a single information object; in the new version a map of categories of information objects became available. As a result, the security officer, having assessed the overall situation, can quickly, in one click, drill down into the information object of interest, with the option of going to a specific message.

As in previous versions, much attention in the development of Solar Dozor 6.1 was paid to the reporting system. The results of work with all the new tools are also available in reports, which can be viewed in the solution's web interface or exported in PDF and/or XML format. Report delivery by e-mail to all interested persons can also be configured on a schedule.

Continuing the course towards support for import substitution and the use of freely distributed software, this version expands the use of PostgreSQL, support for which was first implemented in 2005. In particular, the mechanisms for long-term storage of large data volumes, which according to the developers are not inferior in capacity to commercial DBMSs, were completed.

Image recognition speed in Solar Dozor 6.0 increased 5 times

In June 2016, Solar Security announced a significant upgrade of the Solar Dozor OCR module, developed on the basis of text recognition technologies from ABBYY. The module makes it possible to control the flow of confidential data within the Solar Dozor DLP system and to prevent leaks by recognizing text in various images.

The amount of data transmitted both outside and inside organizations is constantly growing, which increases the risk of leaks of confidential information. Solar Dozor OCR recognizes images of text in image files that employees may send over network channels, send to print, copy to external media or save to network storage. Using this module within a DLP system helps organizations protect confidential data from leaks even when the data have been converted into graphics: printed and scanned, photographed, saved as PDF, captured from the screen as screenshots, and so on.

The growing flow of transmitted data increases the load on equipment and, as a result, forces the customer to expand infrastructure. Therefore the staff of Solar Security and ABBYY decided to develop the OCR module within the Solar Dozor DLP system. The module's recognition speed was increased 5 times compared with its baseline, which makes it possible to process images in an information flow of more than 700 GB a day without slowing down the DLP system. The speed increase was achieved through image preprocessing: the module corrects skewed and distorted lines, determines the top and bottom of the document and mirrored text, and can recognize multi-column text.

Solar Security is the first to release a DLP agent for monitoring Linux workstations

In the spring of 2016, Solar Security became the first domestic DLP developer to bring to market a monitoring module for Linux workstations, Dozor Endpoint Agent for Linux. It is part of the Solar Dozor 6.0 DLP system and is intended for work with Astra Linux and GosLinux.

The development of Dozor Endpoint Agent for Linux is an important stage in the development of the first Russian DLP system, Solar Dozor 6.0. The module was created primarily in response to the requirements of the Russian market, as a growing number of organizations are moving to free Linux-based operating systems as part of import substitution.

Dozor Endpoint Agent for Linux makes it possible to control the contents of data on removable media and printing on local and network printers, and also audits workstations and connected network storage for violations of confidential data storage policies, using content and contextual attributes.

Dozor Endpoint Agent for Linux can be used in organizations with heightened requirements for system security: it can block data transfer to protect the most critical information effectively.


Solar Dozor 6.0

In September 2015, Solar Security announced the release of a "fundamentally new" version of its DLP system, Dozor 6.0. The company notes that it was developed with account for the changing focus of corporate security services: according to Solar Security, instead of fighting individual leaks of confidential information, security officers now increasingly focus on fighting internal fraud and on protection against disloyal employees and employees from risk groups who are capable of causing economic damage to the employer.

To make Dozor better suited to these tasks, its analytical functionality and search capabilities were expanded, and the interface was reworked to follow the new logic of work.

In the new version, Solar Dozor took on a completely new appearance

"When developing the new version, Solar Dozor 6.0, the company's specialists carried out extensive research that summarized the experience of using more than 100 installations of previous versions of the system," Solar Security says. "The result of this work was a significant update of the system, which allows users of Solar Dozor 6.0 to detect, block and investigate not just leaks of confidential information, but to fully combat complex schemes of corporate fraud."

Analytical capabilities

Among Dozor's new analytical capabilities are the ability to detect anomalies in employee behavior and communications (for example, communication with atypical contacts), data analysis based on OLAP and BI technologies with instant drill-down, and hints about next steps during investigations. The system also gained a directory of known fraud schemes and their early signs, with industry specifics, which can help in the analysis of events and incidents.

In the new version of Dozor the dossier function was significantly extended. In the previous version of the program a "dossier" could be compiled only for each employee separately, with a trust level calculated separately for each of them, and most of the information for this had to be entered manually. In the new version of the product, dossiers can also be compiled for groups of employees, and data can be loaded into the system automatically from external systems: HRM and partner verification systems. The technology for calculating an employee's trust level was also improved.

In addition to employees, a "dossier" can now also be compiled for information objects, which are understood as groups of documents and messages on a certain subject: for example, minutes of meetings, or summaries of strategies and plans. Dozor also gained the ability to integrate its analytics, investigation and storage module with any third-party DLP system.

Search capabilities

According to the developers, the updated Dozor can search an archive of 17 million messages in less than 1 second. According to Solar Security CEO Igor Lyapunov, a search previously could take from several minutes to 30-40 minutes, depending on the volume of the data array being searched.

Lyapunov explained that the company studied what users search for most often and which search queries are most typical in particular investigations, and built ready-made data slices for many of these queries. Solar Security expects that, thanks to this, up to 85-90% of queries will be handled by quick search. The search interface is now styled after traditional Internet search engines.


The Dozor 6.0 interface differs significantly from the interface of previous versions of the system: it took on "a space form", and its core is a situational center for internal threats that makes it possible to solve most operational tasks within a single dashboard. the m for further monitoring and reaction allows.

The Dozor 6.0 interface is adapted for two main scenarios: regular monitoring of the operational situation and conducting investigations.

The single dashboard shows the most important results of system operation, such as critical events, persons and groups under special control, protected information objects and anomalies in employee behavior, as well as summary information on current threats. As the company envisions it, this should simplify event monitoring for security service staff and let them quickly assess the operational situation and choose the tasks that have priority at the moment.

The Solar Dozor 6.0 situational center also implements case management for the incident lifecycle: the system makes it possible to open an investigation, assign the person responsible for it, monitor its progress and see the result.

Pricing policy

Speaking about the cost of Dozor 6.0 licenses, Solar Security CEO Igor Lyapunov told TAdviser that on average it remained the same as for licenses of the previous version of the product, but that for the most common installations the cost will be slightly lower: in view of the difficult economic situation in the country, the company changed the licensing structure and optimized the product's price.


Patrol Jett 5.0.4

On September 18, 2014, Jet Infosystems announced a new release of the "Patrol Jett" software suite, 5.0.4. The key feature of the release is an incident-based investigation model. The updated management interface makes it possible to interpret and visualize the data needed for an investigation in a convenient form, at different levels of detail.

The incident-based model turns the DLP system into a tool for investigating violations of information and economic security. It increases the efficiency of cybersecurity and security service (SB) departments, allowing them to detect and stop fraud or commercial collusion among employees at early stages.

The new functionality makes it possible to analyze incidents at three levels:

  • operational level: the system automatically monitors and analyzes all corporate communications of employees, creating incidents from cybersecurity events and assigning them the appropriate level of criticality. On the basis of these data a trust level for each employee is also formed. At this level a cybersecurity or SB employee can forward individual incidents for deeper checking or mark an incident as erroneous;
  • tactical level: the cybersecurity analyst can, directly from the incident window, view the dossiers of the participants in a communication and carry out in-depth analysis and investigation of the incident, including on the basis of the relationships the system has identified between participants in suspicious communication (both inside and outside the company). The result of this work is the investigation and classification of the cybersecurity incident and identification of the group of people involved in it. A report for management is generated from the results of the investigation;
  • strategic level: supports the work of the head of the cybersecurity or SB service and of business management in making management decisions based on reports created in the system.

The technologies used in "Patrol Jett" make it possible to maintain high filtering performance even with the increased amount of work performed by the suite: the data stream is intercepted and analyzed at speeds of up to 10 Gbps.

"This release moves the product from the classical cybersecurity systems to the class of business systems that are used, among other things, for ensuring economic security. After the 'Dossier of employees' module, the increase in traffic analysis speed and the transition to data storage on Big Data technologies, implemented in previous releases of 'Patrol Jett', the introduction of an incident-based investigation model became logical. It is a natural step that makes it possible to move on to building a large-scale system for investigating cybersecurity incidents and for deep business analysis of corporate communications," said Igor Lyapunov, director of the Information Security Center at Jet Infosystems.

Patrol Jett 5.0.2

On July 16, 2014, Jet Infosystems announced release 5.0.2 of the "Patrol Jett" data leak protection suite.

The developers reconfigured the suite: starting with this version it consists of three functional blocks that combine 12 modules according to the type of task they solve.

The innovations are organizational in nature: they affect licensing and modular configuration and do not concern the technical architecture of the solution. Modules are now grouped according to specific data leak protection objectives. As a result, the logic of implementing and operating the product is optimized, and the technological capacity for further expansion of its functionality is increased.

The licensing policy changed in line with the new modular structure. It took effect in July 2014 and is more transparent and flexible.

"In more than 15 years on the market, Patrol Jett has gone from a mail archive to one of the most mature DLP solutions on the Russian market. The functionality of the suite was repeatedly updated in line with current market trends, but its structure remained unchanged," noted Igor Lyapunov, director of the Information Security Center at Jet Infosystems. "As a result we faced difficulties in launching new capabilities within a structure that did not suit them. Aiming to improve this process, we created a conceptually new product structure on which we will continue its development. This also led to the change in licensing policy. In fact, we 'restarted' 'Patrol Jett'."

Structure of "Patrol Jett" 5.0.2

  • the Dozor Monitor block is intended for passive monitoring and analysis of corporate communications, including checking e-mail messages, instant messaging systems, files and other data for compliance with the company's internal policy on the use of Internet resources and internal information resources. It also supports the investigation of information and economic security incidents in corporate information environments;
  • the Dozor Prevent block provides active control and protection of confidential data, making it possible not only to track but also to prevent information leaks from the corporate network over various communication channels;
  • Dozor Full Archive, the third block, combines extended archive and investigation tools. This block contains Artificial Intelligence elements (data processing and retrieval technology) and supports segmentation of databases, search for similar documents and categorization of e-mails.

The blocks and modules of the suite can be combined and scaled to the size of the organization (from SMB companies to large holdings with a complex distributed branch network).


Patrol Jett 5.0.1

Version 5.0.1 implements control of cloud storage and file-sharing services such as Dropbox, "Yandex.Disk" and SkyDrive, and this list is constantly growing. The popularity of cloud computing opens up very rich opportunities for the development of DLP, especially with regard to new agents and network interaction, because the volumes of these data are huge.[3]

One of the main and fundamentally new features of the fifth version is called Dossier. It collects data on people who are suspected of insider actions. The technology uses various algorithms for obtaining and processing additional information and is built on the integration of cybersecurity systems with other IT systems. The DLP solution has become one of the key nodes of the security management system and can give the most complete answers to the questions a security officer asks from the standpoint of protecting corporate information (Who is this person? What do they do? What did they do yesterday? Is there anything suspicious in their actions?).

There are many modes of search and information extraction during analysis, including search by partial match and by statistical features. Search modes are tuned by levels of accuracy and reliability. Fuzzy search covers both documents with substitutions and documents that are compilations of other known documents. The new version of "Patrol Jett" implements a mechanism for exact search of confidential data, which we call the sample document. It will reduce the number of false positives.

Patrol Jett 5.0

In November 2012, Jet Infosystems announced the release of version 5.0 of the "Patrol Jett" data leak protection suite, which brings considerable improvements. "Patrol Jett" 5.0 features an intuitive interface, filtering performance raised to 10 Gbps and new functional modules. Operation is significantly simplified, and the processing of the suite's results and the investigation of incidents are optimized.

The new interface of "Patrol Jett" 5.0 makes the cybersecurity officer's work with the system more convenient and visual. For example, it became possible to quickly compare the results of several queries and to assess the state of the whole suite online. The distributed components of the suite are managed from a single point via the web interface. At the same time, all services are continuously monitored for operability and automatically restarted when necessary. This significantly reduces the time the cybersecurity officer needs for system maintenance and increases the system's manageability and reliability.

The filtering performance of the new version is more than doubled and makes it possible to intercept a data stream at 10 Gbps. Because the filtering system was ported to the Crossbeam platform, its performance can be scaled flexibly while providing the necessary level of reliability and security.

Information processing algorithms in the fifth version are optimized for work with large data arrays. In particular, the hybrid data store in "Patrol Jett" 5.0 keeps only the "light" message metadata and indexes directly in databases, while "heavy" data (attachments and so on) are kept in file storage. This achieves a 60% reduction in the space occupied on the disk subsystem compared with previous versions of the suite, and significantly increases the speed of writing data to the database (in some cases a hundredfold increase was recorded). The fifth version also works more effectively with historical data, attaching the necessary blocks automatically and checking the correctness of this process on its own. Improved separation of the "sender" and "addressee" of messages reduces, many times over, the margin of error when searching for information across many different message sources.

The system's capabilities are expanded with new functional modules. Thanks to the integration module for the QlikView BI platform, "Patrol Jett" 5.0 can be used effectively to monitor the execution of the company's business processes, to monitor employee loyalty, and to produce top-level reports that give business a clear picture of information exchange, while simplifying the work of cybersecurity officers.

The deep data analysis mechanisms in the fifth version of "Patrol Jett" are complemented by a tool for searching for documents with similar content and obtaining a complete picture of information exchange on a given subject. This approach is implemented in a special module that lets the cybersecurity officer determine, in a couple of clicks, the subject of a detected document of any size by extracting its most typical words and phrases, and then search the accumulated archive for similar information.


Patrol Jett 4.0.26

Version 4.0.26 of the Patrol Jett system adds the ability to monitor not only sent but also received messages from the mail systems of Google, Mail and other websites. At the same time, Jet Infosystems specialists completed development of a new version of the special agent for workstations, which makes it possible to control printed documents (on local and network printers), two-way correspondence, voice calls and file transfer in Skype.

Analysis of unstructured text is another new capability. The system automatically analyzes any unstructured text, finds the most significant words and expressions in it and builds a list of them. The system then compares this list with dictionaries, for example a dictionary of commercial vocabulary. This makes it possible to increase the accuracy of leak notifications and thereby the productivity of the administrator, Jet Infosystems explained.
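The two steps described above (rank the significant terms, then compare them with a dictionary) can be sketched as follows. This is an added illustration, not the product's algorithm: the TF-IDF weighting, the background corpus, the dictionary, the sample messages and the 0.4 threshold are all assumptions constructed for the example.

```python
import math
import re
from collections import Counter

# Constructed background corpus of ordinary office mail (assumption).
BACKGROUND = [
    "please send the report for the meeting on monday",
    "the meeting is moved to the large room and starts at noon",
    "lunch menu for the week is attached",
    "please review the report before the meeting",
]

# Constructed dictionary of commercial vocabulary (assumption).
COMMERCIAL_LEXICON = {"contract", "invoice", "price", "discount",
                      "tender", "margin", "supplier", "payment"}

# Constructed sample messages.
LEAK_MESSAGE = ("Hi Anna, attached is the supplier contract. The contract price "
                "includes a 12% discount, and the supplier expects payment within "
                "30 days. Please keep the discount confidential until the tender closes.")
BENIGN_MESSAGE = "Please send the report before the meeting on Monday."


def tokenize(text):
    """Lower-case the text and keep words of three or more letters."""
    return re.findall(r"[a-z]{3,}", text.lower())


def document_frequency(corpus):
    """Count in how many background documents each word occurs."""
    df = Counter()
    for doc in corpus:
        df.update(set(tokenize(doc)))
    return df


def significant_terms(text, df, n_docs, top_n=6):
    """Rank words by term frequency times smoothed inverse document frequency.

    Words found in every background document score 0 and are dropped,
    so no hand-made stop-word list is needed.
    """
    tf = Counter(tokenize(text))
    scored = {t: c * math.log((n_docs + 1) / (df[t] + 1)) for t, c in tf.items()}
    ranked = sorted(scored, key=lambda t: (-scored[t], t))  # ties: alphabetical
    return [t for t in ranked[:top_n] if scored[t] > 0]


def lexicon_score(terms, lexicon):
    """Share of the significant terms that appear in the dictionary."""
    if not terms:
        return 0.0
    return sum(t in lexicon for t in terms) / len(terms)


def classify(text, threshold=0.4):
    """Return the ranked terms, the dictionary score and the alert decision."""
    df = document_frequency(BACKGROUND)
    terms = significant_terms(text, df, len(BACKGROUND))
    score = lexicon_score(terms, COMMERCIAL_LEXICON)
    return {"terms": terms, "score": score, "alert": score >= threshold}


if __name__ == "__main__":
    for msg in (LEAK_MESSAGE, BENIGN_MESSAGE):
        print(classify(msg))
```

Scoring only the top-ranked terms rather than every word is what keeps a single dictionary word in a long, unrelated message from raising an alert.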

In this version of Patrol Jett the efficiency of the "digital fingerprints" method is also increased. The method makes it possible to find matches with reference texts or images in confidential documents and to track cases of unauthorized use of business-critical information.
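How a text fingerprint can match a reference document, including the partial copies and compilations mentioned for version 5.0.1, is shown in the added example below. It uses hashed word shingles, a common fingerprinting technique chosen here as an assumption; the page does not describe the product's own method, and the reference texts, messages, shingle size and threshold are constructed.

```python
import hashlib
import re

SHINGLE_WORDS = 5  # words per shingle; an assumed tuning parameter

# Constructed reference documents registered as confidential.
REFERENCES = {
    "q3-pricing-memo": (
        "The wholesale price for the Orion controller will drop to 412 rubles "
        "per unit starting in October. Distributors who commit to 5000 units "
        "receive an additional rebate of seven percent. Do not disclose these "
        "terms before the partner conference."),
    "salary-bands": (
        "Employee salary bands for 2016: senior engineers receive between 180 "
        "and 220 thousand rubles per month before tax."),
}

# Constructed outgoing messages.
LEAK = ("fyi, keep this quiet:   the WHOLESALE price for the Orion controller "
        "will drop to 412 rubles per unit, starting in October!! distributors "
        "who commit to 5000 units receive an additional rebate of seven percent. "
        "talk later")
BENIGN = "The partner conference starts in October, please book the rooms."
PARAPHRASE = ("Orion controllers get cheaper in autumn, roughly 410 per unit, "
              "and big distributors get about 7% back.")


def normalize(text):
    """Reduce text to lower-case word tokens so that case, spacing and
    punctuation changes do not alter the fingerprint."""
    return re.findall(r"[a-z0-9]+", text.lower())


def fingerprint(text, k=SHINGLE_WORDS):
    """Return the set of truncated SHA-256 hashes of every k-word shingle.
    Texts shorter than k words yield an empty fingerprint."""
    words = normalize(text)
    hashes = set()
    for i in range(len(words) - k + 1):
        shingle = " ".join(words[i:i + k]).encode("utf-8")
        hashes.add(hashlib.sha256(shingle).digest()[:8])
    return hashes


def containment(reference_fp, message_fp):
    """Share of the reference's shingles that reappear in the message.
    Unlike Jaccard similarity, padding the message does not dilute it."""
    if not reference_fp:
        return 0.0
    return len(reference_fp & message_fp) / len(reference_fp)


class FingerprintIndex:
    """Stores only hashes of the reference documents, not their text."""

    def __init__(self, k=SHINGLE_WORDS):
        self.k = k
        self.references = {}

    def add(self, name, text):
        fp = fingerprint(text, self.k)
        if not fp:
            raise ValueError(f"{name}: fewer than {self.k} words, cannot fingerprint")
        self.references[name] = fp

    def match(self, text, threshold=0.3):
        """Return (name, containment) for each reference at or above threshold."""
        message_fp = fingerprint(text, self.k)
        hits = [(name, containment(fp, message_fp))
                for name, fp in self.references.items()]
        return sorted((h for h in hits if h[1] >= threshold),
                      key=lambda h: (-h[1], h[0]))


def build_index():
    index = FingerprintIndex()
    for name, text in REFERENCES.items():
        index.add(name, text)
    return index


if __name__ == "__main__":
    idx = build_index()
    for label, msg in (("leak", LEAK), ("benign", BENIGN), ("paraphrase", PARAPHRASE)):
        print(label, idx.match(msg))
```

The paraphrased message is not matched: fingerprints catch copied passages, which is why the page lists them alongside dictionary and statistical analysis rather than in place of them.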

Among the innovations of interest to administrators are a more convenient, intuitive interface and a new self-checking mechanism. With its help the amount of "free" space in databases is determined automatically, and rules for cleaning up archive data can be set. At the same time, search over the accumulated database became faster and more precise. In addition, there is a new intelligent search mechanism: the system recognizes entered e-mail addresses on its own and searches by e-mail address, which speeds up the administrator's work.

Among the important innovations is the ability to integrate with a Security Operations Center, which allows security officers to obtain structured information about cybersecurity events in a single interface. Jet Infosystems believes that specialists will also appreciate the suite's new ability to work with Oracle 11 R2 and Oracle Exadata Machine and to use Oracle's Real Application Clusters technology.

In addition, in the new version of the suite Jet Infosystems specialists added a feature for monitoring corporate mail and the workflow system based on Lotus Notes software, which is in demand at many companies today.

The connector for integrating "Patrol Jett" with ArcSight

In the summer of 2011, Jet Infosystems developed a special connector for integrating the ArcSight SIEM (Security Information and Event Management) system with the "Patrol Jett" data leak protection suite. With its help, information that the ArcSight security event monitoring system receives from the Patrol Jett DLP system will quickly reach information security officers. According to Jet Infosystems, this will allow companies to minimize financial and reputational risks by accurately and quickly detecting events and incidents related to information leaks.

The connector was developed in several stages. First, Jet Infosystems specialists selected the main types of events that need centralized collection with ArcSight solutions. The syslog protocol was chosen as the transport as the most convenient to implement: the standard syslog connector is used, which avoids buying additional licenses for the monitoring system, Jet Infosystems explained. The connector was then finalized and tested on the company's test benches. Based on the testing, correlation rules were additionally written and consoles were built to help security administrators work with the system. At the final stage, stress testing was carried out, which showed that the connector can process an event stream from several servers at the same time.

"We closely watch demand, constantly updating and improving the functionality of the product," noted Kirill Viktorov, associate director for business development at Jet Infosystems. "Most of our customers needed a single point for collecting all logs, and now our system can be integrated with the ArcSight solution with little effort."
"It was quite a difficult but at the same time interesting project," said Artem Medvedev, head of the Centers of operational management of cybersecurity at Jet Infosystems. "Sooner or later, any company that has a cybersecurity event monitoring system in its arsenal thinks about the need to consolidate it with a DLP solution. We were convinced in practice that integration of ArcSight products can be carried out with virtually any application."