GTB Enterprise-Class DLP Suite Overview === Dmitry Creed --- **Table of Content:** [TOC] # 1. Introduction The constant increase in the amount of information, the number of users and mobile devices used by employees leads to a situation where it is almost impossible to control the movement and use of confidential data without special tools. DLP-systems became a good help in solving this problem. You can control the movement of confidential data and prevent their leakage. One of the tasks of the DLP system is to monitor the movement of information within the company. At the same time, DLP systems do not allow controlling access to data that resides in the company or leaves its infrastructure. For example, data is unauthorized transmitted within the company to colleagues or the device on which important information was stored (and DLP systems cannot encrypt data on devices). To solve this problem, data encryption systems can be used, including IRM systems (Information Rights Management). With the help of IRM systems, data usage policies are defined that allow answering four basic questions: * WHO can use data; * WHAT you can do with the data (read, write, print, transfer to third parties); * WHEN this can be done (for example, in what period of time); * WHERE you can carry out these actions (for example, only on a corporate laptop). Most importantly, by encrypting the data, IRM systems guarantee confidentiality even if the data are trapped by unauthorized persons. However, IRM does not control the movement of confidential data (inside or outside the company's perimeter) or detect leaks. DLP systems must handle this. As you can see, DLP and IRM systems are complementary systems. The DLP + IRM bundle allows full control over confidential data both inside and outside the company’s perimeter. And also provide a complete picture of the use of data and access to them. In 2012, the comprehensive GTB Enterprise-Class DLP Suite DLP system was introduced. Its uniqueness lies in the fact that it already incorporates the full-fledged component of GTB IRM. It is designed to distinguish and structure the rights to access important data. Conveniently, both functions are integrated in one product. This reduces the total cost of ownership of the system (the licensing policy takes into account the number of users), and also increases the security of company data. # 2. GTB Enterprise-Class DLP Suite Architecture GTB Enterprise-Class DLP Suite consists of several systems: * GTB Inspector; * GTB IRM (Information Rights Management); * GTB eDiscovery; * GTB Endpoint Protector; According to the developers in the latest version of the system, GTB eDiscovery and GTB Endpoint Protector modules are combined into a single agent. * GTB Central Console. In addition to these systems, the GTB Enterprise-Class DLP Suite includes support components: * GTB Security Manager; * Name Resolution Helper Logon Script (NRH). Software-hardware monitoring system "Information in motion" - GTB Inspector is designed to intercept and view data that is sent to the Internet using various protocols (HTTP, HTTPS, SMTP, FTP, etc.). The GTB Inspector also includes: * "GTB SSL Proxy" - a proxy server that provides data transmission and interception of messages in encrypted protocols; * "GTB Mail Transfer Agent" is a mail server that allows you to intercept and redirect e-mail, as well as add information to the MIME headers of the letter. **GTB IRM** (Information Rights Management). This system is designed to provide access to confidential information. It is a ready-made VMware virtual machine with an integrated Seclore IRM solution. GTB IRM is fully integrated with LDAP (Active Directory). It is also possible to work GTB IRM without integration with LDAP. When working together with GTB eDiscovery, GTB IRM allows you to differentiate access to important information for different users, control actions with files (view, edit, save, print, track screenshots, etc.). It is possible to set time intervals for file access. **GTB eDiscovery** is an agent-based system designed to control information stored on the hard drives of various devices anywhere in the infrastructure. Files of any formats, including binary, are supported. **GTB Endpoint Protector** allows you to control information transmitted via removable media. A large number of device types are supported. GTB Endpoint Protector runs in an Active Directory environment. **GTB Central Console** is the management console for GTB eDiscovery and GTB IRM, policy settings, a tool for analyzing registered events and viewing reports. **GTB Security Manager** is a program that creates digital fingerprints of protected information and is loaded into the GTB Inspector database. **Name Resolution Helper Logon Script** (NRH) is required for the rules to work correctly for Active Directory user groups in the GTB Inspector. Following figure shows a schematic diagram of the organization of the GTB Enterprise-Class DLP Suite.  # 3. GTB Enterprise-Class DLP Suite System Requirements **GTB Central Console** Minimum requirements: - CPU – Intel Core Duo 2GHz or higher (2 cores). - RAM – 2GB or more. - HDD free space – 250GB or more. - External or internal CD/DVD-ROM connected to the Server. The recommended requirements provide general requirements: - CPU – Intel Core Duo 2GHz or higher (4 cores). - RAM – 4GB or more. - HDD free space – 500GB or more. - External or internal CD/DVD-ROM connected to the Server. **GTB Central Console** Minimum requirements: - CPU – Intel Core Duo 2GHz or higher (2 cores). - RAM – 2GB or more. - HDD free space – 150GB or more. - External or internal CD/DVD-ROM connected to the Server. The recommended requirements provide general requirements: - CPU – Intel Core Duo 2GHz or higher (4 cores). - RAM – 4GB or more. - HDD free space – 200GB or more. - External or internal CD/DVD-ROM connected to the Server. **GTB IRM Policy server** VM Host Minimum Requirements - CPU – Intel Core 2 Duo 2GHz or higher. - RAM – 4GB or more. - HDD free space – 160GB or more. - The VMware Player/Workstation installed on the host server. Minimum Requirements - CPU – Intel Core 2 Duo 2GHz or higher. - RAM – 3GB or more. - HDD free space – 120GB or more. # 4. GTB Enterprise-Class DLP Suite Functional Features GTB Enterprise-Class DLP Suite allows you to intercept and analyze various types of network traffic, to control access to data on various devices on the network. And also to control access to information in file network storages and on removable devices. All these features are provided by the systems that are part of the GTB Enterprise-Class DLP Suite. Determining what data can be considered confidential is possible by the following methods: * Creating digital fingerprints from protected data. * Create dictionaries and templates that contain sample data that is considered confidential. * Create a sample from databases and tables using the Microsoft ODBC module. All this data is stored in a single database, which is stored in the GTB Inspector system, except for templates and dictionaries. Templates and dictionaries are created for each system separately. To facilitate the integration of this data, it is possible to export them to a TXT file. ## 4.1. The functionality of the system GTB Inspector "The Information on the Move" monitoring system - GTB Inspector allows solving the following tasks: * Prevention of confidential information leakage; * Blocking visits to unwanted resources; * Blocking instant messaging systems; Control email, erroneous email sending; * Accumulation of incident files for retrospective analysis; * The accumulation of statistical data; * Formation of reporting on events; * Incident Notification. GTB Inspector allows you to intercept and analyze network traffic using the following protocols: * HTTP / HTTPS * FTP * SMTP + ESMTP * IMAP POP3 (as well as protocols using encryption: POP3S, HTTPS / SMTPS) * SSH * Network Printing Protocols (LPD, IPP) * SSL * RDP * VNC * NNTP * Support Webmail * Yahoo Mail * GMail * MS Hotmail * AOL Webmail * Netscape Mail * Messengers * ICQ * AIM * Yahoo Messenger * MSN Messenger * Google Talk (without TLS support) * IRC * Jabber (XMPP, without TLS support) * P2P protocol * The rest of the protocols are understood in terms of TCP. Also, GTB Inspector allows you to identify and track protected content, including: * MS Office (password-protected Word, Excel and PowerPoint files); * ZIP; * PDF; * PGP; * S / MIME; * Rar. The depth of the nested archives can reach 10. With regard to the intercepted data, the following actions can be applied: * Registration of a security policy violation with delivery blocking or delivery permission; * Security Officer Notification; * Quarantine email before making a decision; * Redirecting email to an encryption host; * Skip content without inspection. In the case of using GTB Inspector in high-loaded networks, it is possible to balance the network network load with load distribution among several installed GTB Inspector modules with clustering. The load on one link of the cluster can be more than 100 Mbit / s. ## 4.2. GTB IRM (Information Rights Management) System Functionality Control of information located on workstations and in the network is carried out using the GTB eDiscovery system, which can work in conjunction with the GTB IRM (Information Rights Management) system and the GTB Endpoint Protector. This allows complete control over access to important information by applying rules for distributing access to information based on configured policies. GTB eDiscovery supports all file formats (text and binary). A distinctive feature of this system is the ability to view temporary files for the presence of protected information. Also, the GTB eDiscovery with GTB IRM together, provides the ability to encrypt data according to the specified conditions. What can be very useful, for example, in case of loss of a laptop or other portable device. The GTB eDiscovery agent can work in both automatic and manual mode. In case of detection of illegal actions of the user, the agent sends a notification to the security officer. When working in tandem with GTB IRM, the agent can apply the policies set in GTB IRM, limiting user actions with data: * Policies can be used both within the local network and outside it; * Allowing users to view files only; * Permission to access files only at certain times; * Clipboard control; * Prevent writing to file; * Prohibiting the use of PrintScreen; * Disallow print file. Full integration with Active Directory (or other LDAP-user base) provides the ability to control and delimit access to data at the user and domain level. The ability to create multi-level policies is supported. One of the most important features is support for access control to data on hardware identification of the device (MAC address), network, IP address or range of IP addresses. Thus, GTB Enterprise-Class DLP Suite allows you to control access to data located in cloud environments. For example, you can deny access to corporate e-mail if the device is disconnected from a domain or is located on another network / subnet. GTB IRM also allows you to control the use of information on various devices. Users who brought their devices and connected to the corporate network can view files using a web browser (webconnect), but cannot save them to their devices. This relieves network administrators of ongoing control over the installation of agents on mobile devices. ## 4.3. The functionality of the system GTB Endpoint Protector GTB Endpoint Protector is a powerful data leak prevention system for: * Removable devices; * MP3 players (including iPod); * CD / DVD discs; * SD cards; * Floppy disks; * Firewire; * Wi-Fi; * Bluetooth; * Other devices and I / O ports. One of the key features is the ability to control IM-based applications and cloud services, such as: * Skype; * QQ; * GTalk; * DropBox, Evernote, Salesforce, Skydrive, Google Drive. GTB Endpoint Protector is fully integrated with Active Directory, which allows you to control data for groups of users and individual users, computers and domains. It also provides the ability to work in online mode / OffLine (when the device is out of the domain). In case of detection of illegal actions of the user, GTB Endpoint Protector can: * Block data transfer; * Block read from device; * Block the launch of applications from the device; * Register violation with blocking transmission or without; * Encrypt data on the device; * Create a shadow copy of the data; * Notify the user about the wrongful act; * Notify security officer about the violation. ## 4.4. Other features **Analysis of the data.** All the data obtained is carefully analyzed for decision-making based on the given policies. The analysis of information is carried out according to various attributes, technologies of content analysis and linguistic analysis are applied, compared with reference samples. **Creation of digital fingerprints, templates and dictionaries of protected information.** To set the criteria for confidential information and upload them to the GTB Inspector common database, the GTB Security Manager program is used. It allows you to create digital prints from anywhere on the network (folders, network folders, individual files). **Integration with third-party solutions.** Integration with the following systems is supported: * LDAP; * Microsoft Active Directory; * Proxy servers using ICAP; * SIEM; * Email encryption gateways support Voltage, Zix, Secureworks, Secure Computing, PostX, Tumbleweed, Symantec, Frontbridge, Exchange, Postini Perimeter * Cloud Storage Systems DropBox, Evernote, Salesforce, Skydrive, Google Drive **Reporting System.** For convenience, visibility and comfort employees of the security service, GTB Enterprise-Class DLP Suite includes a powerful and convenient reporting system, through which you can always display a clear picture of the actions of employees when working with data. There is an accumulation of incidents in the archive for the retrospective analysis of events. # 5. Working with the GTB Enterprise-Class DLP Suite using the example of GTB Inspector and GTB Central Console Show the complete operation of the entire system and tell in detail about each section, we are not able to because of the complexity and bulk of the product as a whole. Therefore, we restrict ourselves to a brief description of **the old version DLP Suite** interface and some parameters. All work with GTB Inspector and GTB Central Console is done via a web console.  ## 5.1. GTB Inspector The first tab that is displayed after authentication in GTB Inspector - Events. Here you can see statistics on all the incidents that occurred. Detailed incident statistics in the GTB Inspector:  Various filter options are available for easy viewing of statistics. Also here the opportunity to provide statistical data in the form of graphs. Graphic display of incidents in GTB Inspector:  This graph shows the ratio of recorded incidents by protocol. Other options are available for sorting and displaying graphic information. Including it is possible to display graphs in the form of a pie chart, columns and a table. The next tab is the Rule Editor. Here you can create and manage traffic interception and analysis rules. GTB Inspector Rules Management tab:  First you need to specify the objects to which the rules will be applied. As objects, you need to specify the protocol that will be analyzed. Next, you need to create a rule that will be applied to this or that object. The third tab - Quarantine. Displays email messages that have been intercepted and, according to specified rules, were sent to quarantine before making decisions on them. Configuration tab. This tab contains all the menus for managing the settings of the GTB Inspector. Configuration tab of the GTB Inspector web console:  Briefly tell about the purpose of each menu on this tab. Central Console IP - in this menu we specify the IP address of the GTB Central Console to connect to this component of the GTB Enterprise-Class DLP Suite. Network is the network interface configuration menu for GTB Inspector to work correctly. Setting up network interfaces and parameters for GTB Inspector:  Alerts - setting parameters for receiving notifications about incidents detected by the system. The settings menu for sending and receiving incident notifications for GTB Inspector incidents:  The Notifications menu provides a variety of incident message format settings. GTB Inspector Incident Report Format Setup Menu:  All this is necessary in order to provide notice to staff in a convenient form, to facilitate the analysis of the information received. The next menu is Inspection Settings. It specifies the global settings for analyzing intercepted messages or files. Global settings for analyzing captured messages or files in the GTB Inspector:  The following three menu items contain settings for analyzing intercepted files, analyzing intercepted content by database and by templates created using the GTB Security Manager. Setting up analysis of intercepted attachments in the GTB Inspector:  Setting up the analysis of captured data on the database in the GTB Inspector:  Setting up analysis of captured data by templates in the GTB Inspector:  Since GTB Inspector supports clustering, in this mode of operation it is necessary to distribute the network load between the cluster shoulders. These settings can be made in the Load Balancing menu. Setting up network load sharing in GTB Inspector:  Name resolution & LDAP. This menu contains settings for integration with LDAP and the Name Resolution Helper add-on module, which is required for correct operation with Microsoft Active Directory. Settings for connecting GTB Inspector to an LDAP server:  In the SSL / TLS menu, you can enable or disable support for encrypted traffic interception. Quarantine & Encrypt - GTB Inspector settings menu for working with intercepted e-mails. Configure GTB Inspector to work with intercepted e-mails:  Log & Audit - in this menu, system logging of the OS that manages the device with the GTB Inspector is configured. Mail Transfer Agent - this menu contains the GTB Inspector settings necessary to configure it as a mail server. Setting GTB Inspector as an email server is necessary for intercepting and analyzing email messages. GTB Inspector Mail Server Settings:  The ICAP menu allows you to enable the built-in ICAP server and specify its port, and the SIEM menu contains settings for integrating the GTB Inspector with third-party SIEM solutions. The GTB SSL Proxy menu allows you to configure the built-in SSL proxy server, which is needed to intercept and analyze encrypted traffic. Setting up a proxy server built into GTB Inspector SSL:  In the Logs tab, we can view the system.log file, the OS system log, under which the device runs with the GTB Inspector. View device logs with GTB Inspector:  The Statictics tab displays the hardware and OS settings of the device with the GTB Inspector. Displaying the software and hardware parameters of the device with the GTB Inspector:  The SSL-keys tab allows you to manage SSL certificates necessary for the correct analysis and decryption of encrypted traffic. The Administration tab allows you to update the device software with the GTB Inspector, specify a valid GTB Inspector license number and manage some additional features of the GTB Inspector. Tab Device Administration with GTB Inspector:  This concludes our brief overview of the GTB Inspector console and proceeds to reviewing the GTB Central Console. ## 5.2. GTB Central Console Consider working with another component - GTB Central Console. It is part of the GTB Enterprise-Class DLP Suite and allows you to manage the operation of the GTB eDiscovery, GTB Endpoint and GTB IRM modules, configure policies, analyze logged events, and view reporting. Endpoint and eDiscovery are the only agent in the latest version. As with the GTB Inspector, the web console is also used to control the GTB Central Console. After authentication, the first display is the Dashboard page with a summary of the events registered in the system. Dashboard. Summary statistics of GTB Central Console incident events:  Widgets are used to display additional data. To facilitate the work and analysis of the provided data, you can customize the Dashboard "by yourself" by disabling unnecessary widgets or adding new, more necessary ones. For ease of navigation between widgets, there is a floating menu on the left side that allows you to quickly switch to the desired widget. The Network, Endpoint and eDiscovery tabs display incidents registered on the network by eDiscovery agents and Endpoint agents. It supports a dynamic graphical representation of the statistics of incidents, filtering by various criteria and uploading statistical data to a file. Since we have no recorded incidents, the magazines are empty. For all three of the above tabs presented a single interface. GTB Central Console log of online incidents:  The Reports tab contains graphical reports of all events that occurred, registered on the network, by Endpoint and eDiscovery agents. The graphs are empty because there are no recorded events. Bookmark Reports in the GTB Central Console:  The Network Status tab displays the status of all connected GTB Inspector inspectors and Endpoint agents. This feature allows you to quickly monitor and control the status of the entire system. Monitoring connected GTB Inspector to GTB Central Console:  In the next tab, we can manage the accounts that are used to work with the GTB Central Console. Account Management GTB Central Console:  The Logs tab displays the events transmitted by eDiscovery agents, as well as the GTB Central Console audit log. Device audit log with GTB Central Console:  The DLP Settings tab includes sections that include menus required to configure the entire DLP system, including rights management rules. The first section is System. Unlike GTB Inspector, the GTB Central Console interface supports several localizations. Localizations available for the GTB Central Console interface:  In the Network menu, the network parameters of the GTB Central Console are configured. In the LDAP menu, you can configure settings for connecting to LDAP servers. The parameters that are needed to connect to the devices on which shadow copies will be stored are located in the Shadow Location menu. In the Emails menu, settings for sending email notifications about events that have occurred are configured. The Date and Time menu includes settings for the system date and time of the device with the GTB Central Console. The most important menu is Security Policy. Predefined security policies are displayed here. And also provides for the possibility of editing and creating your own policies. The security policy management menu in the GTB Central Console:  The Inspection section contains menus for managing the search parameters for important information in attachments, by digital fingerprints, databases, and templates. The IRM (Information Rights Management) section allows you to manage access policies that are superimposed on files with sensitive information. In the eDiscovery section, you can configure eDiscovery agent settings. Configuring eDiscovery agents connected to the GTB Central Console:  Control of devices is configured on the Endpoint & Device Control tab. Configure Endpoint & Device Controls connected to the GTB Central Console:  In the Policy Management section, there are menus for managing objects for DLP policies, a policy editor, and a policy set management tool. Predefined policy objects in the GTB Central Console:  The Service tab provides the ability to create and restore a backup. And on the Help tab, links to GTB Enterprise-Class DLP Suite documentation are available, as well as a link to download the GTB Endpoint agent. This concludes our brief overview of the GTB Enterprise-Class DLP Suite. It is not possible to consider the whole in the complex in view of its volume and complexity. # 6. Conclusion In this review we looked at the modern multi-component GTB Enterprise-Class DLP Suite DLP system. This is a corporate-level product that provides comprehensive protection of information against leaks. Advantages: * The ability to scale the system, which allows you to create complex configurations for work in high-loaded infrastructures; * Integration with information security monitoring and event management systems; * Presence of predefined search templates for confidential data; * A large number of supported protocols for analysis and interception; * Control cloud storage services; * Webmail control; * Simple and convenient deployment in the customer's infrastructure; * Ability to check the network for unauthorized copies of sensitive data; * The ability to track not only text documents, but also binary files (audio and video files, CAD drawings, etc.); * The ability to track the movement of documents in the infrastructure; * Improved and augmented linguistic and content analysis technologies; * Control clipboard and temporary files; * Good accompanying documentation; * The ability to encrypt data on devices, depending on the prevailing conditions; * The ability to redirect e-mail messages to encryption nodes, which will ensure centrally controlled encryption of electronic messages when exchanging with partners and customers; * Tracking the erroneous sending of mail messages, to minimize the risks associated with the fact that secret information will go to an undesirable recipient; * The ability to export reports in CSV format. Disadvantages: * Lack of control of search queries; * The lack of Russian-language documentation; * Incomplete Russian localization; * No voice traffic recognition.