Content Alarm 1.1
Price: Starts at $30,000
Information is the fuel of enterprises, and nearly every bit of that information-sensitive, restrictive and unclassified-is passed over network pipes. The last things enterprises want are copies
Tablus' Content Alarm doesn't seal data leaks, but it does let security managers know when someone, or something, is trying to pass restricted data through the network perimeter. Rather than just using keyword matching to find sensitive data in e-mails and attachments, Content Alarm's scanning engine and proprietary linguistics algorithm inspects all network traffic.
Tablus won't disclose the nuts and bolts of how Content Alarm works, but our tests found it quite effective at detecting portions of sensitive documents that had been "cut and pasted." Rewritten documents that still contained sensitive data weren't overlooked, either. Content Alarm scrutinizes numerous protocols and data transmissions, including HTTP and FTP.
Content Alarm is a reactive system. Even with its strong detection capabilities, it can't block unauthorized data transmissions. It merely reports data leaks after the fact. Real and suspected infractions instantly trigger notification via SNMP or e-mail.
Content Alarm is fairly easy to set up and administer and doesn't require extensive technical knowledge. Security managers will need a firm understanding of their enterprise's data security policies and classifications. Monitoring policies can be extremely detailed and can range from "detect all financial data" to "flag e-mails containing financial data not coming from the accounting department." Equally granular is Content Alarm's ability to determine exempted data based on destination, protocol, sender, etc. For instance, you can set a policy that flags the transmission of financial data and Social Security numbers, except for the CFO and certain members of the accounting group.
Content Alarm continually scans network traffic, updating itself when files are added or changed. Security managers can use the management console to audit logs for compliance and trend information.
With this seemingly intense inspection, you might expect a performance hit. Content Alarm is a passive, out-of-band solution that has no impact on network traffic throughput.
One drawback is that Content Alarm can't inspect encrypted traffic. Tablus acknowledges this limitation, but dismisses the issue, estimating that less than 2 percent of network traffic is encrypted. While this may be true, it provides a loophole that a knowledgeable insider could exploit. Further, most Web-based e-mail systems are accessible via SSL, and enterprises are expanding their use of SSL VPNs to access backend applications and databases.
For enterprises concerned about the security of proprietary and classified information, Content Alarm is excellent at spotting plaintext leaks, albeit it at a pretty steep price compared to competitors who offer blocking functionality as well.
About the Author
Mike Chapple, CISSP is an IT Security Professional with the University of Notre Dame. He previously served as an information security researcher with the National Security Agency and the U.S. Air Force. Mike is a frequent contributor to SearchSecurity, a technical editor for Information Security magazine and the author of several information security titles including the CISSP Prep Guide and Information Security Illuminated.
This review orginally appeared in Information Security magazine.
This was first published in August 2005