1. Cyberscout – Corporate Security Monitoring
Executive Briefing, July 2009
2. Development
Cyberscout is the most advanced product in its category
• First in the world to interrogate 1G and 10G barriers in real‐time
• Real‐time monitoring and alert for suspected activities, email and internet traffic
• Automated isolation of confidential material and in‐transit data
• Internet access is a must for employees
• Internet provides various modes for information exchange
• Mails
• Chats
• File transfer
• High speed internet aids in transferring data faster
• Internet user can remain anonymous
• Threat of Trojans
• All these can be misused to leak sensitive data
3. How to prevent Data misuse
• Have data leakage prevention tools
• Monitor internet traffic going out
• Block internet content with sensitive information
4. What all can be prevented
• An employee sending out
• Parts of a design document
• Parts of a design diagram
• Customer details from database tables
• Credit card numbers of the customers from a database
• And many more
5. Mode of operation
• Active Mode
• All internet traffic is intercepted and examined in real time
• Suspicious traffic is blocked
• Forensic mode
• All traffic is logged
• The traffic flow is not intercepted
• Continuous logging of traffic for offline analysis
• No blocking of suspicious traffic, only storing
6. Implementation in active mode
[Diagram: USERS, Router / switch, Proxy Server, Internet; the Content Monitoring device sits inline on the traffic path so traffic can be intercepted; a Monitoring person works from the device]
7. Implementation in passive mode
[Diagram: USERS, Router / switch, Proxy Server, Internet; the Content Monitoring device sits off the traffic path and only logs; a Monitoring person works from the device]
8. Using the system
• Prevent leakage of classified information
• Any document, word, pdf, text, xls, ppt
• Any image, JPEG, JIF
• Database tables
• Identify objectionable internet usage
• Keywords
• Monitor a troublesome user
• Email address
• Chat address
9. Using the system
• Getting trends of internet operation
• Mails sent from the organization domain to outside
• Mails sent from public email ids
• Continuous logging of outward traffic
• Log all mails sent
• Log all blog entries
• Log all attachments
10. How it works
• Classified documents uploaded -> Finger prints of the documents made -> Stored in the database
• Data transmitted over the net is extracted -> Data broken into small parts -> Each small part compared against the finger prints in the database -> Data matching the threshold are retained
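The fingerprint-and-compare flow on this slide, as an added example that is not part of the deck or of the product's code: a classified document is reduced to hashed word shingles, outbound data is broken into the same kind of parts, and the fraction of matching parts is checked against a threshold. The document text, shingle size and threshold are constructed for illustration.

```python
import hashlib
import re

# Constructed sample: a "classified" design document registered with the system.
CLASSIFIED_DOC = (
    "Project Falcon design: the controller samples the sensor at 4 kHz and "
    "applies a Kalman filter before the actuator loop. Firmware build 2.3.1 "
    "ships with the hardened bootloader and signed update images."
)
SHINGLE = 5   # words per part; smaller parts catch shorter excerpts but cost more

def tokenize(text):
    # Normalise case and punctuation so trivial edits do not defeat matching.
    return re.findall(r"[a-z0-9]+", text.lower())

def fingerprint(text):
    # Break the text into overlapping word shingles and keep only their hashes.
    words = tokenize(text)
    return {hashlib.sha256(" ".join(words[i:i + SHINGLE]).encode()).hexdigest()
            for i in range(len(words) - SHINGLE + 1)}

# The "database": only fingerprints are stored, never the classified text itself.
FINGERPRINT_DB = {"falcon-design": fingerprint(CLASSIFIED_DOC)}

def match_score(payload, doc_fp):
    # Fraction of the payload's parts that match the stored fingerprint.
    parts = fingerprint(payload)
    return len(parts & doc_fp) / len(parts) if parts else 0.0

def scan(payload, threshold=0.3):
    # Compare every part of the transmitted data against every stored fingerprint;
    # return the name of the best match if it reaches the threshold, else None.
    score, name = max(((match_score(payload, fp), n) for n, fp in FINGERPRINT_DB.items()),
                      default=(0.0, None))
    return name if score >= threshold else None
```

A payload that quotes a sentence of the document matches on most of its parts, while unrelated text or a payload shorter than one shingle scores zero.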
11. Security of the system
• Three levels of users
• Lower level login sees only the gist of the information
• Creates reports
• Receives alerts
• Higher level login
• Sees details of messages
• Configures the system
• Super User login
• Sees clear text passwords
• Data stored in encrypted format
12. Features to guard the internet
• Emails / Chats
Reports all mails going from organization domain to other web mails and vice versa
Reports all the instances of usage of public mails like gmail, yahoo etc.
Logs mails sent by particular user address / IP
Search feature to find emails sent/received from a particular address
Generates reports on the basis of email records stating the number of attempts made to leak information and by whom, which can be used for FORENSIC analysis
Statistics about number of filters matched for particular timeframe
15. Features of the system
• Alert Mechanism
Cyberscout sends an alert when a particular condition or type of record is captured.
• Administrators can customize their own alert conditions
Sends Alert on Specified Email addresses
• For Example :
• If any email sent to <Particular Id> Send ALERT
• If any email contains words like “Confidential” , “copyright” send ALERT
• If any Email Attachment contains words like “CV” , “Resume” send ALERT
• If email Id contains <Competitor Domain > Send ALERT
16. Features of the system
Joint Alerts : we can specify more than one condition for alerts
For Example :
If
any email sent to <competitors domain>
Or / and
Email contains Attachment
Or / and
Attachment contains words like “CV” , “Resume”
Then
send Alert on <admin@CyberscoutUser.com>
17. Features of the system
• Customizable reports
Blacklist Domain : Report based on how many communications happened with Competitor Domain Id’s and by whom
Traffic Type : Report based on traffic, which gives a summary of HTTP traffic statistics, CHAT, FTP, POP/SMTP
Daily Statistical reports : classified report containing number of records captured in last 24 hrs
Protected files : Report stating how many times a particular file was attempted to be leaked out and by whom
Filters (keywords, email id) : Reports indicating how many times the filter occurred in the records
19. Features to augment existing defense
Free email sites
• URL filters do not do deep packet inspection to identify free email sites
• They depend on a predefined database
• New mail sites come up every day in different corners of the world
• A fraudulent employee needs just one site to do the leakage
• Cyberscout can detect these leakages
20. Features to augment existing defense – Proxy sites
• URL filters do not do deep packet inspection to identify proxy sites
• They depend on a predefined database
• New proxy sites come up every day in different corners of the world
• A fraudulent employee needs just one site to access his web mails
• All popular email sites like yahoo, gmail etc. can be accessed using this method
• Cyberscout can detect these leakages
21. Features to augment existing defense – File sharing sites
• URL filters do not do deep packet inspection to identify file sharing sites
• They depend on a predefined database
• New file sharing sites come up every day in different corners of the world
• A fraudulent employee needs just one site to upload sensitive information
• Cyberscout can detect these leakages
22. How Cyberscout can strengthen security
• Using deep packet inspection it can
• Identify any user accessing free webmail sites.
• Identify any user accessing proxy sites
• Identify any user accessing file sharing sites
• The list provided by Cyberscout can be used by the URL filters to block the sites
• Makes life difficult for fraudulent users
• Cyberscout can also capture and store the mails with their attachments for further analysis.
• Cyberscout can monitor the entire internet activity of an employee who tries these, and alerts can be raised
23. Identify and detect leakage through own mail domain
• Define heuristics to reduce mails to be analyzed
• Mails sent to outside domains only
• Mails with Bcc content
• Mails with password protected files
• Mails with short message or subject line
• Apply leakage detection logic on the above mails
• Apply keywords
• Apply logic to find attachments with customer names, marketing information, financial information
• Apply keywords to find indecent content
• Cyberscout can reduce the mails to be analyzed from 1000 per hour to less than 20 per hour
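An added example (not Cyberscout's code) of the joint alerts from slides 15-16 combined with the slide 23 heuristics that narrow which mails are analysed. The organisation domain, competitor domain, mail records, and the reading that the heuristics apply to outbound mail only are assumptions.

```python
import re

ORG_DOMAIN = "example.com"              # organisation's own mail domain (assumed)
COMPETITOR_DOMAINS = {"rival.example"}   # placeholder competitor domain
ALERT_TO = "admin@CyberscoutUser.com"    # alert address shown in the deck

def domain(addr):
    return addr.rsplit("@", 1)[-1].lower()
def recipients(mail):
    return mail["to"] + mail.get("bcc", [])

# Single conditions: each takes one mail record (a dict) and returns a bool.
def to_competitor(mail):
    return any(domain(a) in COMPETITOR_DOMAINS for a in recipients(mail))
def has_attachment(mail):
    return bool(mail.get("attachments"))
def contains_words(words, in_attachments=False):
    # Keyword condition over subject+body, or over the text of attachments.
    pat = re.compile("|".join(map(re.escape, words)), re.I)
    def cond(mail):
        texts = ([a["text"] for a in mail.get("attachments", [])] if in_attachments
                 else [mail["subject"] + " " + mail["body"]])
        return any(pat.search(t) for t in texts)
    return cond

def needs_analysis(mail):
    # Slide 23 heuristics, as read here: outbound mail that also carries Bcc
    # recipients, a password-protected file or a short message goes to the rules.
    outbound = any(domain(a) != ORG_DOMAIN for a in recipients(mail))
    return outbound and (bool(mail.get("bcc"))
                         or any(a.get("password_protected") for a in mail.get("attachments", []))
                         or len(mail["body"].split()) < 10)

def joint_alert(conditions, mode="all", alert_to=ALERT_TO):
    # Joint alert: conditions combined with "all" (And) or "any" (Or).
    combine = all if mode == "all" else any
    def rule(mail):
        hit = combine(c(mail) for c in conditions)
        return {"alert_to": alert_to, "mail_id": mail["id"]} if hit else None
    return rule

CV_LEAK = joint_alert([to_competitor, has_attachment, contains_words(["CV", "Resume"], True)])
CONFIDENTIAL = joint_alert([contains_words(["Confidential", "copyright"])], mode="any")

def run(mails, rules):
    # Prefilter with the heuristics, then evaluate every rule on the survivors.
    return [hit for m in mails if needs_analysis(m) for r in rules if (hit := r(m))]

SAMPLE_MAILS = [  # constructed records, not captured traffic
    {"id": 1, "to": ["bob@example.com"], "subject": "lunch", "body": "noon?", "attachments": []},
    {"id": 2, "to": ["hr@rival.example"], "subject": "fyi", "body": "see attached",
     "attachments": [{"name": "me.doc", "text": "Resume of Carol ..."}]},
    {"id": 3, "to": ["partner@other.example"], "bcc": ["x@freemail.example"], "subject": "notes",
     "body": "Confidential notes from the call", "attachments": []},
]
```

The internal mail is never analysed; the short mail to the competitor domain with a resume attached trips the joint rule, and the Bcc'd mail trips the keyword rule.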
24. Get a bird's eye view of the mail usage
• Get reports on
• Mails sent to competitor domains
• Mails sent from a group (research, sales)
• Mails with attachments
• Mails with short messages
• Mails sent with password protected files
• Various attachments
• Use these reports
• Narrow down on the suspects
• Reduce analysis time
25. Why us
• Indigenous product and can be customized for your needs
• Over 7 years of experience in internet monitoring
• Prime mover in the internet monitoring space
• First deployment in 2002
• Over 40 high‐end deployments in the UK, US and elsewhere
• First product to break 1G and 10G barrier in the world
• Over 10 deployments of 1G+ systems