The combined capabilities of DCAP make it possible to mitigate the risks associated with storing data and accessing it. At this meeting we will demonstrate how to monitor the current state of access rights, control changes to them and prevent violations, and how to promptly detect the information assets that need protection by grouping documents by meaning.
Today's event is led by Oleg Mitichkin, Senior Product Development Manager at InfoWatch.
Why has DCAP functionality recently become so interesting to both information security officers and IT professionals, and why has there been a resurgence of interest in these systems?
About 5-6 years ago Gartner first mentioned the need for such systems inside the perimeter of any company. But the topic didn't catch on and quickly faded away. Now Gartner, Forrester and our own analytical agencies are promoting the idea of security platforms rather than DCAP systems. But then the pandemic hit, and the world changed to such an extent that it required changes in approaches to information security and IT, and changes in existing business processes. During the pandemic many people, especially those who worked remotely, got used to the idea that they could work for almost any company in their field. The tradition of sitting in one place for years vanished instantly. And now people change jobs probably as often as they change Android phones.
In our country, as well as abroad, many social studies are conducted. In our country there is a fairly strong school at the Higher School of Economics (HSE) that studies the behavior and motivation of employees. We receive the latest information about what is happening in the study of the various social groups that form within companies, their motivations, and so on. And we see that the number of so-called disloyal employees in organizations is growing. At least 30% of employees leave the company within the first two years, and probably after the first six months of work, having already mentally decided that they will not stay, they begin to neglect their duties and sometimes even engage in sabotage. And in large companies this share of personnel can reach up to 30%. And, of course, information security officers should take into account that, although the main value of any company is its personnel, not all employees are equally good. The task of the security officer is to protect his own company and its business from its own employees, but at the same time without making himself visible in any way and without interfering with the current work of business processes.
The next trend we are observing is a huge increase in the amount of information. The number of systems that a security officer deals with in his work has long exceeded 10, and in some cases even 20. Systems that combine events from various information systems allow a faster response to threats, but they can only partially close this problem. And, of course, the modern products released on the market that help solve particular problems, and we are talking about the problems that DCAP systems solve, must first of all be able to quickly identify possible risks and point the security officer to the places where there are security problems.
We often conduct audits of information systems; we have a consulting department that does this work. Its employees come to the company, study the business processes, help optimize them, and look at what systems are in place and how they can be integrated with the DLP system. Perhaps many of you have already carried out this work in your Traffic Monitor projects. And the amount of data currently circulating or lying in organizations is huge.
Of course, the DLP system is aimed at protecting against leaks. Not such a large percentage of what lies inside actually goes outside the company. But! If we talk about what lies inside, it is simply a huge mass of documents that you need to be able to understand and control access rights to, because documents generated within certain business processes can be of great value and importance for the company and its clients for many years.
And here it is necessary to note the strengthening trend of interaction between IT and IS. IT departments, which closely monitor the functioning of such systems, must work together with the security officers. Otherwise the problems that security officers register in these systems will not be resolved quickly, and that is direct damage to the business. Thus the trend of the last year is the joining of efforts, and even a certain merging of the business processes of IT and IS. Pay attention to this nuance of recent years: a fairly close interaction between the departments that work with information systems.
Each security officer has his own model of behavior. But we have often met managers who wanted not only to monitor and control, but also to influence business processes in order to make them easier to control. This should never be done. IS managers should understand that their service to the company should be effective but invisible. Corresponding requirements are imposed on products. We have always focused on ensuring that our products provide as much useful and important information as possible for the security officer, but at the same time do not worsen current business processes, or at least do not increase their execution time.
DCAP, which is built on DLP engines, actually carries DLP functionality inside itself. And DLP systems of Russian production are actually of high quality. They are focused on real scenarios that are in demand and needed precisely by IS specialists. And DCAP, which is based on DLP, because the task of DCAP is to detect and identify the valuable information that is inside, is actually built on the capabilities of the DLP system. In our case this is our Traffic Monitor. The classic DLP system is aimed at countering leaks: we look at what information goes outside the company. It doesn't matter through which channel it goes; it can be web or mail, a personal device or a corporate one. DCAP, on the other hand, is located inside the organization's perimeter. Previously, what was inside the organization's perimeter was always considered a green zone by default. Everything is fine there: our users are doing their work, there are interactions between employees, there are documents, there are many of them, there are document repositories, and so on. For a security officer this has always been a green zone that you don't need to control. But, as you can see, the modern trend dictates that even inside this green zone there are quite a few gray areas.
Thus, I am trying to promote the idea that DCAP is DLP "on the inside", because DCAP is based on DLP capabilities. Of course, we do not need to protect and analyze all the tons of information inside the company. Our task is to identify only the valuable, confidential information, to know where it is located and who has access to it. And the task of DCAP is to signal in time if this access changes in some way that does not follow the business process, or if the access does not correspond to what it should be.
Thus, having a powerful base in the form of a DLP system, it was logical for our company to start developing its own DCAP. And in order to develop our own DCAP we, first of all, needed to add new functionality.
The classic DCAP includes components for scanning file storage, and file storage can be not only classic: it can be mail systems and much more. A lot still remains in NetApp storage systems. All of this needs to be analyzed and looked at, because initially the security officer does not know where valuable information may be located. He needs to identify the storage locations. The next step is to look at what access rights apply to this data and who goes there, check whether IDM is in place and, if it is not, check, possibly in agreement with the department heads, that the access rights are really the ones that are needed. And the third step is to control changes to these rights, so that an unauthorized employee does not gain access to valuable, important, confidential data, or, in the event of a system compromise, which unfortunately also happens often, so that an outsider does not gain access through discovered vulnerabilities, elevated access rights, and so on.
It is our separate product, Data Access Tracker (DAT), that is responsible for controlling changes to access rights. Scanning of file storage and content is carried out by Data Discovery, which ships both as part of Traffic Monitor and as a separate solution for conducting audits. I will show a new version later, which will be released in the near future. We are stabilizing it now, and I think that in December this product will be available to you as a commercial release.
The third important step for DCAP is what to do with all this information, given that there is a lot of it and we need to somehow control access rights and changes to these rights. It is desirable to have policies, because we are dealing with Big Data here. Life shows that Big Data cannot be taken apart just like that; you need special tools for it.
Any DCAP system should offer means of visualizing events, because we are still visual people by nature, and, of course, we absorb information presented as graphs and drawings much better and faster than information presented as large tables. Often the problem with SIEM is that there is so much information that the SIEM simply becomes ineffective. That is why modern SIEM systems, with which we also integrate and whose events we can enrich, provide the ability to create so-called playbooks and respond quickly.
Now I want to move on to the first product, Data Discovery, and tell you about it briefly.
Here we will focus on the most important thing, on what directly relates to DCAP: parsing documents, parsing the gray area, controlling access rights. In the previous version of Data Discovery a mechanism called document categorization appeared. What is its meaning? Imagine that management comes to the head of IS and says that they need to understand where certain documents are located and who has access to them. There was a suspicion that these documents were stolen, because a competitor is operating with data that existed only inside our company. What should a security officer do in this case? Use Traffic Monitor to scan terabytes of information? You yourself know that this can take a very long time. Only once all the information has been collected, indexed and analyzed with the help of Data Discovery does the work on changes go much faster. But what do you do from scratch? For this case a new intelligent component is used, which performs data categorization. That is, Data Discovery takes documents from the storage locations it can reach, extracts the content from these documents on its own, without Traffic Monitor, and hands it to the analysis and categorization system, which then combines similar documents by meaning and tags them. The functionality is new, but nevertheless we have been testing it for more than a year with our loyal customers.
These are all quite powerful algorithms for finding similar documents. What does "similar" mean? It means similar either in meaning or created from the same templates. And thus all the documents we caught and categorized are divided into groups. In the interface you can see these groups, which are characterized by so-called tags or semantic expressions. You can easily understand that one group refers to documents that talk about some dollar transactions, and here is something on medical topics. You can see where these documents are located, who has access to them, and so on. That is, in fact, you can very quickly take apart the whole gray area that has not yet been cleared.
Here is an example of how it works in the interface. Moreover, in the next version of Data Discovery, which will be released in 2-3 weeks, we have added the ability to conduct content analysis based on protection objects formed in Traffic Monitor.
Why is this important for a DCAP system? Because the DCAP system must understand that the document in front of it represents value. And Data Discovery, which is part of the DCAP concept and implements part of the DCAP functionality, now has the ability to detect the protection objects that are already configured in Traffic Monitor. This is actually very important for a DCAP system. If you suddenly decide to implement something in a DCAP system whose DLP engine and DLP policies differ from what is already configured in Traffic Monitor, this means that you will have to do additional work. I'm not even talking about the fact that you will actually have to spend money on another DLP engine, which will need to be configured and which will require large production capacities and additional resources to work with these systems. Here, Data Discovery already uses what is configured and actively used in the company. Thus we quickly clear the gray area with the help of the clustering system, and there is an additional opportunity to fine-tune the DLP system. For example, a business process changes in the company, new documents appear, or a new business process appears. These are completely new types of documents. With the help of the document clustering system, categorization by meaning, you will see new business processes in the form of new groups of documents, and you will see changes in business processes in the form of documents that do not contain protection objects. At least, this is how the clients who piloted this component, which we call Data Analysis Service, see it.
The main task of Data Discovery is to conduct a file audit so that we can see where things are located and who has access to them. Now, with information about the content of the document, Data Discovery allows the security officer to quickly understand where the documents are located and whether these documents are publicly available. By setting the simplest filters in the investigation center interface, we can see, for example, that an important financial document is located in a public folder, which is a serious violation.
Data Discovery audits files and documents within the company and also shows access rights. Currently Data Discovery has two additional powerful components. Firstly, the categorization of documents by meaning: it does not require DLP, it is an internal component of Data Discovery. Moreover, I would like to emphasize that it is free for our clients. This component allows you to quickly break down all documents by meaning. Secondly, content analysis using the same protection objects that are already configured in Traffic Monitor. This is the beauty of cross-product interaction within a single investigation center.
And, of course, Data Discovery remains one of the components working with Traffic Monitor and, in practice, ensures the implementation of the data-at-rest concept and the natural triggering of policies within Traffic Monitor.
Let's move on to the capabilities of the second product, which is also included in our DCAP concept.
We are now talking about only one part of DCAP. What about access rights? We know that access rights to the "documents" folder can be changed in several ways. Firstly, there is the direct assignment of access rights, then there are access rights through groups, and there is inheritance. Classic DLP systems that only work with lists are blind to changes in groups or inheritance. We were faced with the question of how to control these changes. If we talk about groups, they mainly live in the directory service. We need functionality related to the operation of the directory service. Currently we work with Active Directory and are also actively communicating and working with the ALD developers. I think we will support ALD and ALD Pro in the near future.
Thus the idea of a new product appeared, which we called Data Access Tracker, whose task is to investigate changes in the directory service in order to identify changes in access rights to documents. Because the specificity of DCAP is to understand how legitimately access rights are granted and how valid their changes are. And a change in the composition of groups is a rather important scenario from the point of view of DCAP, so this slide focuses us on the scenario where a user for some reason illegitimately ended up in a privileged group. Remember, at the very beginning I talked about disloyal employees and that quite a lot of them are appearing in organizations? We must get used to the idea that something needs to be done about this. Moreover, recent studies show that such disloyal employees tend to flock together, and these groups may consist of employees from different departments. And the scenario where one person gave access to another is regularly encountered in real life. Temporary access, permanent access. I'm not even mentioning the work of various viruses and ransomware, which elevate all privileges, create fake accounts, include them in various access groups, and sometimes obtain unlimited rights to make changes in the system.
In this scenario, the employee gains access to certain files that are of great interest and value to the company by being included in privileged groups. Data Access Tracker (DAT) solves this problem. It will immediately show the security officer that the composition of this controlled group has changed and will offer to check whether this was done legitimately, who did it, and who was added. Perhaps this is a threat.
In addition, Data Access Tracker is a system for working with directory service events. At the same time, DCAP is not only about auditing the directory service; it is generally about data protection and working with rights. As in any DCAP system, Data Access Tracker has quite a lot of reports. Even in the first version, which we released about six months ago, there were already more than ten reports focusing the security officer on various problems in the configuration of Active Directory. We conduct interviews with our customers, we collect feedback and refine the system according to customer requirements. They are all based on real-life scenarios. Traffic Monitor, Data Discovery, Activity Monitor and Vision are all built on live scenarios. There is no empty functionality there that it is not clear how to use. The same is true here: Data Access Tracker has a large number of reports, but they are all important, and there is always a certain scenario behind each of them.
For example, a password change or reset by administrators. This is when a high-ranking employee goes on vacation, his password is reset by one of the administrators and a new one is set temporarily. From under the account of this employee who went on vacation you can get access to a large amount of data. When the employee returns, he is prompted to change the password to a new one; he changes it and suspects nothing. Meanwhile the person who worked under his account sits and rejoices at how many interesting things he found in his own company.
Further, if we talk about DCAP, then not only reports are important here, but also a system for their visualization.
Whoever has worked with Netflix remembers that there is a huge reporting system there. More than 200 reports were pre-configured. Naturally, it is impossible to figure them out without spending a lot of time studying each one. Therefore, for any DCAP system a real-time dashboard monitoring system is important, and the system should focus the security officer on the problems that exist at the moment. If there is no such visualization, then it is almost impossible to make sense of the event reports. Now we have a version that will appear in two or three weeks; Data Access Tracker and DDA will be released almost simultaneously by the end of the year. There will be widgets that allow security officers to actively respond to changes and threats that may come from changes in the objects and attributes of the directory service.
We are sometimes asked: you are in fact working with the directory service, all of this can be wrapped in scripts, and we will be happy. Often in different companies we do see that scripts are used, but I will say right away that we often found these were scripts downloaded from the Internet. They work crookedly and incorrectly.
Thus Data Access Tracker, firstly, is not only a system for auditing changes in the directory service, but also has the functionality to control the delegation of access rights on Exchange servers. So far only Exchange, because that mail system currently prevails. We hope that very soon this will change to something more native and familiar to us; for example, the Atlantis system is developing very actively.
In the new version it will also be possible to control changes in access rights to directories that are shared in the company. If Data Discovery, as you noticed, focuses on working with files, then DAT allows you to work with directories, control changes and control the delegation of access rights.
Data Access Tracker is a young product. We are actively developing it now, so if you want to pilot it, we will be happy to talk to you and collect feedback.
And the third solution, no less useful, is called Device Control. We released this solution recently. When we talk about controlling file directories or controlling changes in the directory service, we forget about one important aspect: who actually does all this? We forget about the users. What actually happens is that the security officer comes to a certain employee and asks him why he did this, why he changed the rights, why he needs this document. The employee did get access to valuable information that he should not have at all. And the inquisitive employee is trying to figure out how to take this information somewhere and share it with the whole world, because it is very important. The employee knows that there is a DLP in the perimeter, which means that transferring this file somewhere by mail or to the web is pointless: he will immediately get caught, and he will be punished for such an action. So there remains the possibility of doing something with a personal device. It is possible to encrypt the file so that the agent does not see it, rename it, change the extension, and so on. And here Device Control stands guard so that the user does not have the opportunity to use personal portable devices. The task of Device Control is to control the use of such externally connected devices.
A fairly extensive list closes all possible ways to steal an important document, copy it somewhere, and so on. The policies used in Device Control allow, firstly, prioritizing them and, secondly, grouping them. You can group by departments, by employees, by employees under suspicion, for those who use AMOV Prediction. You can automatically determine which devices are connected to users' computers and include them in policies. Device Control is based on the concept of user-device-computer. Those who work with network devices, I think, recognized the reference to so-called Zero Trust, when we do not trust anyone. If we talk about network devices and Zero Trust, it is user-computer-application. We have the same approach, only the device is added. And in the policy you can set everything rigidly: either we want to block the connection completely, or we want to allow only reading information from this device, but in no case writing to it. And, of course, in the usage events the IT security officer will see what actions the employee performs with an externally connected device. It is now very popular to connect phones by cable. Phones will be connected in this way, but will not be accessible.
Thus, we have a trio of interesting products to close the DCAP functionality. And, as you understand, DCAP is not only security of access, but also security of the data itself.
If a disloyal employee, for example, gets access to such data, he has the opportunity to simply delete it. We had cases when tons of information were simply deleted. And if there are no backups and fresh copies, such problems become global. After all, there are documents on which the company's business strongly depends, not only its reputation but the business itself. If some management documents, contracts and so on disappear, business processes simply stop. And this is the basis of any company's life.
Thus we can say that DCAP is a basic product or a basic set of functionality. We have placed it next to antivirus software. Now, of course, it is difficult to imagine a corporate machine without antivirus software. But it is increasingly difficult to imagine a company's infrastructure without a DCAP system, because without a DCAP system you will constantly be in a gray area, catching something going outside, but inside the company, which has long ceased to be a green zone, you will be practically helpless.
And, of course, DCAP complements such systems very well and works in conjunction with IDM. The task of IDM, as we know, is to normalize the access matrix, and here the DCAP system supplies real data from the field about what accesses we actually have, so that the security officer can adjust these access rights without having to coordinate with the head of the department.
Naturally, DLP is present here, because DCAP and DLP are related systems and DCAP uses the existing DLP settings. And, of course, there are powerful systems at the top, into which DCAP can also be integrated, such as SIEM, thereby facilitating interaction with these systems and improving the manageability of the information system.
And just a few words about DCAP functionality. Thus, in our company InfoWatch, DCAP functionality is not some kind of monolith.
Some vendors offer DCAP as a monolithic product: you purchase it and continue working with it. But we are now developing the concept of infrastructure solutions united by a single investigation center. Some tell us that this is mono-vendorism, but in fact it is not, because we have a certain specificity associated with content analysis, and that is all we are talking about; in DCAP this is the main functionality. The three solutions on which the DCAP functionality is based are Data Discovery for data auditing, Data Access Tracker for analyzing changes in access rights, and Device Control for controlling workstations. Together they represent the DCAP functionality, but nevertheless they can work both in conjunction with our other solutions and independently.
Illustrations provided by the press service of Infowatch
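The talk describes two Data Access Tracker scenarios: a user being added to a privileged group (possibly by himself) and an administrator resetting another employee's password. The following is an added illustration written for this page, not InfoWatch code and not a description of how DAT works internally. It runs detection logic over constructed Windows Security event records whose field names mirror the Windows event schema (EventID 4728/4732/4756 for member-added, 4724 for password reset; SubjectUserName, TargetUserName, MemberName) but whose values are made up. The privileged-group watchlist is an assumption for the example; in a real deployment the records would come from a log forwarder or SIEM rather than an inline list.

```python
from dataclasses import dataclass

# Windows Security log event IDs (Microsoft-documented), used as lookup keys.
MEMBER_ADDED_EVENTS = {
    4728: "security-enabled global group",
    4732: "security-enabled local group",
    4756: "security-enabled universal group",
}
PASSWORD_RESET_EVENT = 4724  # "An attempt was made to reset an account's password"

# Assumed watchlist for this example: groups that grant access to valuable data.
PRIVILEGED_GROUPS = {"Domain Admins", "Backup Operators", "Finance-Confidential"}


@dataclass
class Alert:
    kind: str
    actor: str    # SubjectUserName: the account that made the change
    target: str   # the group or account that was changed
    detail: str


def member_cn(distinguished_name: str) -> str:
    """Return the CN from a member DN such as 'CN=j.smith,OU=Sales,DC=corp,DC=local'."""
    first = distinguished_name.split(",")[0]
    return first[3:] if first.upper().startswith("CN=") else first


def detect(events, privileged_groups=PRIVILEGED_GROUPS):
    """Flag membership changes of watched groups and password resets done by someone else."""
    alerts = []
    for ev in events:
        eid = ev["EventID"]
        actor = ev["SubjectUserName"]
        if eid in MEMBER_ADDED_EVENTS:
            group = ev["TargetUserName"]
            if group not in privileged_groups:
                continue  # ordinary group, not on the watchlist
            member = member_cn(ev["MemberName"])
            if member.lower() == actor.lower():
                kind = "self-elevation into privileged group"
            else:
                kind = "privileged group membership change"
            alerts.append(Alert(kind, actor, group,
                                f"{member} added to {MEMBER_ADDED_EVENTS[eid]} {group} by {actor}"))
        elif eid == PASSWORD_RESET_EVENT:
            account = ev["TargetUserName"]
            if account.lower() == actor.lower():
                continue  # a user resetting his own password is not the vacation scenario
            alerts.append(Alert("password reset by another account", actor, account,
                                f"{actor} reset the password of {account}; check for a ticket"))
    return alerts


# Constructed sample events (not real log data).
SAMPLE_EVENTS = [
    {"EventID": 4728, "SubjectUserName": "it.admin",
     "TargetUserName": "Finance-Confidential",
     "MemberName": "CN=j.smith,OU=Sales,DC=corp,DC=local"},
    {"EventID": 4728, "SubjectUserName": "it.admin",
     "TargetUserName": "All-Staff",
     "MemberName": "CN=j.smith,OU=Sales,DC=corp,DC=local"},
    {"EventID": 4724, "SubjectUserName": "helpdesk2", "TargetUserName": "cfo"},
    {"EventID": 4724, "SubjectUserName": "cfo", "TargetUserName": "cfo"},
    {"EventID": 4756, "SubjectUserName": "svc_backup",
     "TargetUserName": "Domain Admins",
     "MemberName": "CN=svc_backup,OU=Service,DC=corp,DC=local"},
]

if __name__ == "__main__":
    for alert in detect(SAMPLE_EVENTS):
        print(f"[{alert.kind}] {alert.detail}")
```

The self-elevation case is separated out because an account adding itself to a privileged group has no legitimate business-process explanation, whereas an ordinary membership change may still be covered by an approved request; the password-reset alert is what the security officer would check against a helpdesk ticket before the returning employee changes the password and the trail goes cold.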