Zecurion Zgate

SECURIT Zgate is the software for network traffic control for prevention of leaks (theft, loss, accidental transfer) of confidential information. Zgate treats family Information Protection and Control/ DLP- systems and allows to control SMTP- HTTP- HTTPS- FTP- and another Internet traffic. For search and blocking of confidential data transmission in Zgate different technologies of detecting are used: signatures, linguistic analysis regular expressions, Bayesa method, "digital fingerprints".

Zgate allows to control

• Correspondence in corporate e-mail.
• The letters sent through services of web mail.
• Messages of Internet messengers.
• Communication on social networks, at forums and blogs.
• The files transferred on FTP.

Protocols:

• HTTP;
• HTTPS;
• FTP;
• FTP-over-HTTP;
• SMTP;
• ESMTP;
• OSCAR (ICQ);
• XMPP (Jabber);
• Mail.Ru Agent;
• Yahoo! Messenger;
• Windows Live Messenger (MSN Messenger);
• AOL Instant Messenger.

Main opportunities of Zgate

• Filtering of the entering, outbound and internal traffic.
• Compatibility with any mail system (MTA), working under the SMTP protocol: Microsoft Exchange Server IBM Lotus Domino to Kerio MailServer Communigate Pro Sendmail Postfix , etc.
• Work both in the mode of active data filtering, and in the mode of the analysis of the mirrored traffic for archiving and monitoring of network activity.
• Flexible politicians of check, blocking and archiving of data with a possibility of setup up to 30 parameters.
• Application the politician depending on transmission time, the directions of traffic and location of users.
• The content analysis transferred messages and files using any combination of methods of an automatic categorization.
• Support more than 100 file formats for the analysis of their structure and contents and also the analysis of archives of the set nesting level.
• Convenient tools for management of the dictionaries describing different categories of documents.
• Possibility of manual verification of suspicious messages and files.
• The analysis of the files attached to messages and special politicians for the ciphered investments ((RAR ZIP DOC DOCX XLS XLSX PDF ODB ODF ODG).
• Modification of messages and possibility of the notification of users on results of filtering.
• Integration into third-party applications for additional processing by antiviruses and the systems of fight against spam.
• Possibility of maintaining complete archive of transmitted data, including attached files, in the Microsoft SQL Server or Oracle Database.
• The scalability and modular architecture allowing to consider the most strict requirements to performance.
• Installation and management via the single console for all products SECURIT.
• Ample opportunities for separation of roles of administrators.
• Support of import of statistical information in different designers of reports, for example, Crystal Reports or FastReport.

The used technologies of detecting

Signatures

The simplest control method — search in a data stream of some character sequence. Sometimes the prohibited character sequence is called "stop expression", but in more general case it can be given not by the floor, but any symbol set, for example, a certain tag.

Regular expressions

Search in regular expressions (to "masks", based on REGEXP) is also long ago the known method of detecting of necessary contents, however in DLP systems began to be applied relatively recently. Regular expressions allow to find coincidence in a form of data, it is impossible to specify in it precisely exact value of data, unlike "signatures". Such method of detecting is effective for search:

• TIN,
• CHECK POINT,
• account numbers,
• credit card numbers,
• phone numbers,
• passport numbers,
• client numbers.

Search in "masks" is allowed to provide compliance to requirements of more and more popular PCI DSS standard developed by international payment systems of Visa and MasterCard for financial institutions.

Digital Fingerprints

The essence of work of "digital fingerprints" is quite simple and is frequent it and attracts — a certain standard document template is transferred to an IPC system, from it "digital fingerprint" is created and registers in the database of "digital fingerprints". Further in rules of content filtering percentage compliance to a template from base is configured. For example, if to configure 75% compliance to "digital fingerprint" of the delivery agreement, then at content filtering a system will detect practically all agreements with changes in several paragraphs (i.e. no more than 25% of all volume of the text).

Linguistic methods (morphology, stemming)

Analysis method most widespread today in IPC systems is linguistic analysis of the text. It is so popular that often it in a popular speech hereinafter is referred to as "content filtering", i.e. bears on itself(himself) characteristic of all class of methods of the analysis of contents. The linguistics as science consists of many disciplines — from morphology to semantics, and linguistic methods of the analysis differ among themselves. There are in linguistic methods and the prints which are based on statistics; for example, the document undertakes, fifty most used words are considered, then it is selected on 10 the most used from them in each paragraph. Such "dictionary" represents almost unique characteristic of the text and allows to find the meaning quotes in "clones".

Bayesa method

The artificial intelligence — the method used in the majority of systems for fight against spam works by the principle of determination of probability of belonging of this or that document to category of confidential. Distinctive feature of the Bayesa method is the possibility of self-training which significantly broadens the sphere of its application. Accuracy of work on different estimates is up to 97%.

Manual check ("quarantine")

Any information which gets under rules of manual check, for example, in it meets the word "key", gets to the console of the specialist of information security. The last in turn in manual browses such information and makes the decision on the admission, blocking or a delay of data.

2015

Mutual integration with PT Application Firewall

On April 13, 2015 the Zecurion company announced mutual integration of the Zecurion Zgate DLP systems (Traffic Control) and the firewall of the application layer PT Application Firewall from Positive Technologies company.

Vendors expressed confidence in increase in efficiency of the created business information security systems in the light of full-fledged compatibility of two products of one class.

Interaction algorithm

At sharing the products Application Firewall obtains information from the Zgate system on existence of confidential data in the sent messages and files. For this purpose a DLP system carries out the analysis of the acquired information by the set rules of filtering and with a high accuracy defines discrepancies to security policy, using more than 10 specialized technologies of detecting. After the analysis Zgate generates for the Application Firewall system the special message with information on the user, confidential data and the worked rule.

In case of detection of the message breaking security policies, the PT AF firewall blocks information transfer and by that prevents leakage of confidential data.

By means of the mechanism of the identification of the attacks acting on the basis of the analysis of anomalies, the firewall of the application layer PT Application Firewall provides protection against all widespread vulnerabilities on classification of OWASP and WASC, including SQLi, XSS and XXE and also from the popular attacks of HTTP Request Splitting, Clickjacking and the difficult client attacks (DOM-based XSS).

The Application Firewall system reliably identifies vulnerabilities of zero day, including the errors similar to Heartbleed, Shellshock and GHOST, and blocks the related attacks even without updating of signatures. Function of virtual patching gives the chance of fast setup of protection while the development team of the vulnerable application works on updating creation.

In addition to creation of an ecosystem of protection against information leaks (Zecurion Zgate) and hacker attacks on web applications (PT Application Firewall), integration of two analytical tools helps to implement a number of relevant scenarios of use:

• spam filtering in client applications,
• access control to confidential documents,
• verification of content on different corporate platforms.

Integration of the Zecurion Zgate and PT Application Firewall systems reduces the volume of the "empty" traffic falling on a DLP system.

Zgate 6.0

In the sixth version several innovations in functionality of leak detection and data analysis appeared at once. Now Zecurion Zgate is able to create digital fingerprints of databases and to distinguish fragments of information which is stored there. It is possible to configure blocking of letters which contain, for example, personal data more than five clients of the organization. At the same time the sequence of information, fields and records does not matter. Also in Zecurion Zgate 6.0 there was a search taking into account sounding of words that will allow to analyze more effectively texts with intermittent errors or even with intended distortions.

The module of the reporting Zecurion Reports was replenished with the mass of ready templates for the different industries. Significantly possibilities of access isolation to reports and also settings of their automatic generation and sending to security officers extended. Additional opportunities of Zecurion Zgate became a categorization of Internet resources on subject and further access lock to them depending on security policies.

2014: Zecurion Zgate 5.0

On November 25, 2014 the Zecurion company submitted the version of the flagman DLP system for network traffic control of Zecurion Zgate (Traffic Control) of version 5.0.

The main differences of the fifth version are innovative technologies of data analysis which expanded possibilities of Zecurion Zgate. The support vector machine of SVM is also easy-to-customize, as well as the technology of digital fingerprints, however, considers bigger quantity of factors and allows to define category of the analyzed data even more precisely. By experience of pilot implementations the SVM technology was demanded for protection of information, most important for the organization. One more new ImagePrints technology for the first time used in DLP systems detects the documents containing certain images, for example, printing of the organization.

In an arsenal of technologies Zecurion Zgate (Traffic Control) the feature to create digital fingerprints of data from different information systems and databases, including SAP was also added 1C SharePoint, Oracle Database and Microsoft SQL Server. In addition in version 5.0 protection against attempts to deceive a system was improved. Now Zecurion Zgate successfully defines the disguised files, for example, Word- the document which is "stuck together" with PDF.

Inclusion in a product of own proxy server became the main infrastructure innovation of Zecurion Zgate 5.0. Zecurion Zproxy is intended for interception and the analysis of the majority of widespread protocols, including HTTPS, and expected use in medium-sized companies from 500–1000 active users or in separate segments of the large organizations. An additional possibility of Zecurion Zproxy is the possibility of selective access lock to Internet resources, for example, to social networks or the news websites.

"One of key vectors of market development of DLP is expansion of a range of controlled channels and resources now. In this version of Zgate we added full support of Outlook Web Access (OWA) and cloud environments, in particular, Microsoft Office 365 and Cloud of Mail.Ru — Alexey Rayevsky, the CEO of Zecurion says. — We actively develop a product line in the direction of mobile technologies and means of virtualization, we keep harmonious development of IT infrastructure of customers and we try to respond adequately to modern threats of internal security".

2013: Integration with Internet gateway X

On October 1, 2013 the press service of Zecurion reported: a number of the Zecurion Zgate functions became a part of the Internet gateway X developed by A-Real Consulting company.

Within partnership of the company Zecurion and "A-Real Consulting" integrated information security systems from leaks Zecurion Zgate and "Internet Control Server" the Internet gateway (X).

2012

Zecurion Zgate 3.0

In this version the list of controlled network channels was significantly expanded. In addition to ICQ, "Mail.Ru to the Agent", Jabber (XMPP), Google Talks and to other Internet pagers supported by Zgate were added MySpaceIM, Microsoft Lync (MicrosoftOffice Communicator) and Skype. Besides, in version 3.0 support of post office protocols POP3, IMAP and SMTP, used for work with external mail servers Gmail Mail.Ru, "Yandex. Mail", etc. appeared.

In the third version of Zgate there was a possibility of closer integration with popular proxy servers — Microsoft Forefront TMG (Microsoft ISA Server), Blue Coat, Cisco ACNS, Squid and any other, supporting the ICAP protocol (Internet Content Adaptation Protocol). Zgate 3.0 can intercept, analyze and block HTTP/HTTPS traffic and messages of Internet pagers passing through proxy servers. Use of Zgate together with already operated proxy server will allow to minimize interventions in the existing network infrastructure of the organization and expenses on implementation.

One of essentially new opportunities of Zgate 3.0 is control of search queries. Zgate performs interception, archiving and the analysis of requests of the users entered by search through popular services "Yandex", Google, Mail.ru, Yahoo, Bing, MSN, Rambler and Nigma. The analysis of search queries allows to identify potentially disloyal employees at an early stage and in time to take measures for prevention of potential leak.

Zecurion Zgate 4.0

In December, 2012 the Zecurion company announced release of the new version of Zecurion Zgate 4.0. The quality of tools for the reporting and analytics in a new solution is unique for products in information security field.

Bilateral interaction with top management plays a key role in activities of divisions for data protection. Qualitative and evident reports for work help to secure with trust from heads and to visually show results of work. Understanding the tasks facing Information Security Services Zecurion developers offered convenient tools for their solution. In the latest version of Zgate there was a reporting and analytical module Zecurion Reports, unique by the opportunities, allowing to create and study reports with any detail level and a different data format. In particular, in Zecurion Reports creation of the aggregated reports in an evident graphic form is possible. Information can be presented in the form of different types of charts or diagrams. Graphic reports are interactive – at clique according to the chart the table part corresponding to the selected area opens.

The graphics mode is also used for detection of patterns in work of employees. Deviations from typical scenarios can indirectly indicate violations of security policies. Thus, graphic reports help to reveal violations at early stages and to prevent possible information leaks. According to the experts Zecurion, the new analytical module allows to reduce significantly manual work by preparation of reports and in general saves not less than 12-15% of working time of the security officer servicing a DLP system.

The most interesting from the point of view of the security officer studying activity of insiders is the mode of reports like Conversation. Using reports of this type it is possible to reveal a circle of contacts and communications of any user. In the Conversation mode the administrator can browse all correspondence of the specific user performed on different communication channels and using different e-mail accounts, web services, instant messaging services, etc. For convenience all messages of the selected user are grouped in interlocutors and sorted by departure time.

In the new version of Zecurion Zgate possibilities of text recognition are expanded. In particular, now the module of text recognition works in any virtual environments, including VMware and Microsoft Hyper-V. Among other innovations there is a support of popular photo and video hostings, including YouTube, Picasa, Panoramio, and all most widespread personnel services, including Superjob.ru, HeadHunter, Rabota.ru, Job.ru, Zarplata.ru and others.

In addition

• Article in BYTE/Russia: Control system and archiving of the Zgate 1.2 mail [1].
• Article in "CIO: head of information service": Practice of the choice of IPC for protection against internal threats [2].

See Also

• Zlock — protection against leaks on endpoints of network (USB COM LPT Bluetooth CD DVD local and network printers).
• Information Protection and Control;
• Data Loss Prevention;
• Morphology;
• E-mail filtering;
• Personal data
• Bayesian spam filtering
• Information security

Links

• Official Zgate page
• Official page of SECURIT developer