INFORMATION LEAKAGE
iGuard v5 from Reconnex
Price: Starts at $50,000
The Internet has revolutionised business, enabling real-time
commerce and the easy flow of information in and out of your
organisation. Therein lies the problem: It's all too easy to
inadvertently or intentionally expose critical intellectual
property and confidential information.
Reconnex's iGuard addresses this threat at the perimeter,
copying and analysing all inbound and outbound traffic for policy
violations. It can be an important tool for confidential data
protection, regulatory compliance and investigation.
Installation/Configuration: B
Tuning a product as complex as iGuard to detect sensitive data while
keeping false positives and false negatives down is a lengthy process.
Although the quick-start guide can get you up and running quickly
with default policies and rule sets, be prepared to invest time
tuning your rules.
This tuning is what makes the technology effective: without it, the
confidential data leaving your enterprise gets lost in the
clutter (imagine looking for five true positives in a million
emails). Tuning can take weeks or even months of setting rules and
policies in a Linux command-line interface; you may want to engage
professional services to help.
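To make the tuning point concrete, here is an added illustration of why an out-of-the-box rule floods you with hits and what a tuned rule does differently. It is not iGuard's rule language (the review does not show it) and not code from Reconnex or the magazine; the messages are constructed samples, and the "naive" versus "tuned" rules are the author's own generic example of the same idea applied to payment card numbers: a bare digit-run regex, versus the same regex gated by the Luhn mod-10 check and by cardholder context words.

```python
import re

# Constructed sample messages (not real traffic, not from the review).
SAMPLE_MESSAGES = [
    "Order 4111111111111111 confirmed, ship to warehouse",   # order number that happens to pass Luhn
    "Ticket 4111111111111112 opened for printer outage",     # 16 digits, fails Luhn
    "Card 4111111111111111 on file, please update billing",  # Luhn-valid plus card context: the real leak
    "Card 1234567890123456 is what the customer quoted",     # card context, but fails Luhn
    "Meeting moved to 10:30, dial-in 555-0100",              # no candidate digit run at all
]

# Ground truth for this constructed set: only message 2 carries cardholder data.
ACTUAL_LEAKS = {2}

# Candidate 13-19 digit runs, optionally separated by spaces or dashes
# (covers the common card lengths); look-arounds stop partial matches.
PAN_CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")

# Context words a billing or cardholder-data message would carry (assumed list).
CONTEXT = re.compile(r"\b(card|cardholder|visa|mastercard|amex|billing|pan)\b", re.IGNORECASE)


def luhn_ok(digits: str) -> bool:
    """Luhn mod-10 check that every genuine payment card number satisfies."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def naive_rule(message: str) -> bool:
    """Out-of-the-box style rule: any long digit run trips it."""
    return PAN_CANDIDATE.search(message) is not None


def tuned_rule(message: str) -> bool:
    """Tuned rule: a digit run must pass Luhn AND sit in a message with card context."""
    for m in PAN_CANDIDATE.finditer(message):
        digits = re.sub(r"[ -]", "", m.group(0))
        if luhn_ok(digits) and CONTEXT.search(message):
            return True
    return False


def scan(messages, rule):
    """Return the indexes of the messages the rule flags."""
    return [i for i, msg in enumerate(messages) if rule(msg)]


def false_positives(messages, rule):
    """Flagged messages that are not real leaks, judged against ACTUAL_LEAKS."""
    return [i for i in scan(messages, rule) if i not in ACTUAL_LEAKS]


if __name__ == "__main__":
    for name, rule in (("naive", naive_rule), ("tuned", tuned_rule)):
        hits = scan(SAMPLE_MESSAGES, rule)
        fps = false_positives(SAMPLE_MESSAGES, rule)
        print(f"{name}: flagged {hits}, false positives {fps}")
```

Message 0 is the instructive one: it passes Luhn (one in ten random digit strings does), so a Luhn check alone still leaves a false positive, and only the added context requirement drops it. Scaled up to the million-email case the review describes, that is the difference between a queue an analyst can work and one they cannot.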
Effectiveness: A-
We realised some successes out of the box using the default
regulatory and acceptable-use policies. The challenge isn't that
you're not seeing your intellectual property leave the enterprise;
it's that you're seeing far more than anticipated.
Overall, iGuard proves to be an important tool for proactively
finding intellectual property leaving the enterprise, and
reactively using the information to conduct an investigation and
comply with regulations.
That said, iGuard's value grows through its integration with
other security products, feeding its content analysis to gateway
content filters, security information management (SIM) systems and
email security tools.
iGuard is not an automated prevention tool. Most large companies
we've spoken with agree that blocking on detection is not practical
in the real business world--it assumes that you know what all of
your confidential information is, where it resides and to whom it
may be sent.
The hardened Linux appliance resisted all our attempts at
compromise.
Management: B-
The Web interface presents a clean, easy-to-navigate executive
dashboard. One of the first things you notice is that, while you can
drill down for details in the text, the graphs are static.
You can call up detailed information on entire emails,
documents, FTP sessions and SSL-encrypted sessions. iGuard
understands 80 protocol types.
However, the product shows its immaturity in the tedious process
of creating rules. You must first create the search terms,
protocols and IP addresses, then repeat the action for the mail and
messages, images and file transfer pages. Then you go to yet
another page to activate the rule. There is no wizard or radio
buttons to simply select which page you want or what to search for.
There is no context-sensitive help.
Reporting: C+
The reporting request page has a simple, clean interface. It
contains a few canned reports, such as incident and executive
summaries, with clear graphs showing which rules were tripped and
how often. But there are only a handful of canned reports, and you
have limited ability to create custom reports, which can be
critical for audit and operations. Reports are drillable but
exportable to PDF only.
Verdict
iGuard is maturing, though it still needs some usability
improvements such as wizards, customisable reports and the ability
to drill down on the graphs. Its integration with other tools makes
it an excellent value.
Testing methodology
This review is based on an evaluation of information leakage
products, including iGuard, at the reviewer's company.
This article originally appeared in the December 2006 edition
of Information Security magazine.