Content Inspection

To prevent loss of confidential customer data and safeguard intellectual property, Code Green Networks monitors and analyzes content on the corporate network and enforces corporate data security policies.  Once a Code Green Networks Content Inspection Appliance is deployed at the network gateway, organizations define policies for managing the transmission of their confidential content.  The appliance then compares content traversing the network against these policies for potential matches, sending alerts and blocking traffic as appropriate.

The Content Inspection Appliance itself handles three main functions: content registration, content inspection, and policy rules and workflow, each described in the sections that follow.

Together, these three functions comprise a powerful and robust content security solution that tracks, analyzes and protects customer data and intellectual property against malicious threats or accidental misuse.

Content Registration

Code Green Networks is able to recognize and register a wide variety of both structured (fields in databases or columns in spreadsheets) and unstructured data (document formats such as Microsoft Office, source code and PDF files).

During the content registration process, organizations perform discovery to find and register the specific information they seek to protect.  This discovery process allows organizations to identify customer data, personal information and sensitive or confidential content.  Once the content locations have been identified, the appliance can automatically “smart” crawl those locations at regular intervals to identify new or changed content, keeping the registered data current.

Structured data, content contained in databases or spreadsheets such as customer records, is registered by a process known as Data Element Fingerprinting, which creates fingerprints for just the data fields or columns you specify.  For example, you might have a comprehensive set of information stored about clients in a customer database but only want to fingerprint the more sensitive information about them, such as names and credit card numbers.

Unstructured data, content contained in more than 400 file types including MS Office and other documents, is registered by a proprietary, patent-pending process known as Deep Content Fingerprinting, which abstracts text from file format and encoding and works with all languages, including multi-byte character sets.  Entire documents are also fingerprinted for exact file matches.  These processes work during content inspection to find sensitive documents, excerpts from documents, and derivative works.  Unstructured data can be registered by scanning file servers, content management systems, or uploading individual files or clipboard text.

Pattern match rules work during content inspection to find matches to the literal string or regular expression. For example, you might want to guard against all numbers that appear to be valid credit card numbers leaving the network, not just the ones you have stored in a database.

The Content Inspection Appliance has the additional security feature that registered content is stored on the appliance in the form of one-way hashes which cannot be used to reconstruct the original content.
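The following is an added illustration of the three mechanisms described above (fingerprinting only selected columns, storing registered data as one-way hashes, and a pattern rule for Luhn-valid card numbers); it is not Code Green Networks' code, and the keyed SHA-256 fingerprint, the customer records and the outbound message are constructed assumptions.

```python
import hashlib
import hmac
import re

# Constructed example: the key, records and message are made up; a keyed hash is
# an assumption, since the page does not describe the appliance's own scheme.
FINGERPRINT_KEY = b"example-appliance-secret"
CARD_PATTERN = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")

def normalize(value):
    # Canonicalize so spacing, dashes and case do not defeat a match.
    return re.sub(r"[\s-]", "", value).lower()

def fingerprint(value):
    # One-way keyed hash: the stored value cannot be reversed to the original.
    return hmac.new(FINGERPRINT_KEY, normalize(value).encode(), hashlib.sha256).hexdigest()

def register_columns(rows, columns):
    # Data element fingerprinting: hash only the sensitive columns you select.
    return {fingerprint(row[col]) for row in rows for col in columns}

def luhn_valid(digits):
    # Standard Luhn checksum, used by the pattern rule to reduce false positives.
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch) * (2 if i % 2 else 1)
        total += d - 9 if d > 9 else d
    return total % 10 == 0

def inspect(text, registered):
    # Compare one transmitted message against the registered fingerprints and the pattern rule.
    findings = []
    words = re.findall(r"\S+", text)
    # Fingerprint rule: 1- to 3-word windows are hashed and looked up, never stored in clear.
    for n in (1, 2, 3):
        for i in range(len(words) - n + 1):
            candidate = " ".join(words[i:i + n]).strip(".,;:")
            if fingerprint(candidate) in registered:
                findings.append(("registered_data", candidate))
    # Pattern rule: any Luhn-valid card-like number, whether or not it is registered.
    for m in CARD_PATTERN.finditer(text):
        digits = re.sub(r"[ -]", "", m.group())
        if luhn_valid(digits):
            findings.append(("card_pattern", m.group()))
    return findings

CUSTOMERS = [{"name": "Alice Example", "card": "4111 1111 1111 1111", "notes": "prefers email"}]
REGISTERED = register_columns(CUSTOMERS, ["name", "card"])  # "notes" is deliberately not registered
MESSAGE = "Sending Alice Example the card 4111-1111-1111-1111; also 4012888888881881."
```

Running inspect(MESSAGE, REGISTERED) reports the registered name and card number (matched despite the different separator) plus the unregistered but Luhn-valid number caught by the pattern rule.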

Content Inspection

Once content has been registered, Code Green Networks compares transmitted data against the registered content. If a match is detected, the appropriate user-defined security policy and workflow procedures are then initiated, which may include alerts, encryption, or blocking of transmissions.

During content inspection, the Content Inspection Appliance examines the stream of information flowing through the network gateway and identifies and assembles content across all major TCP protocols, including SMTP, HTTP and FTP, with extended support for online communication tools such as WebMail, blogs and wikis. When used with third-party proxies, the Content Inspection Appliance can also detect encrypted HTTPS traffic.

The Content Inspection Appliance monitors network traffic using three different inspection agents:

Packet Monitor Inspection Agent

If the Content Inspection Appliance is connected to a tap at your network’s ingress/egress point, the Packet Monitor inspection agent monitors all network traffic on HTTP, FTP, SMTP, and other TCP channels and enforces security policies. Policies can be constrained to apply to a particular source and destination, to characteristics of the files being transmitted, or to a subset of the monitored protocols.

MTA Inspection Agent

The Content Inspection Appliance has a built-in Mail Transfer Agent (MTA). If the appliance is configured to receive mail from an SMTP mail server, then when a policy violation occurs, the email can be blocked pending review or allowed to pass through to a forwarding or rerouting server. The Content Inspection Appliance MTA interface can encrypt email when configured to access the Voltage Security Network™ (VSN). Alternatively, mail judged to be sensitive can be rerouted to an encryption server, such as a PGP Universal Server™ or Voltage SecureMail Gateway™.

ICAP Inspection Agent

The Content Inspection Appliance can serve as an ICAP server when connected to a proxy server acting as an ICAP client. This allows monitoring and blocking of incoming or outgoing HTTP, HTTPS, and FTP traffic, including WebMail or other online communications tools such as blogs and wikis.

Policy Rules & Workflow

Policies lie at the heart of intelligent monitoring and enforcement on the CI Appliance. Each Content Inspection Appliance includes a full set of pre-loaded, easily customizable policy templates to make the initial set-up and policy management simple.

Content authorities assemble policies from registered content, constraints, and an action. Content authorities do not have to worry about which inspection agent will be used. Their options when creating a policy are determined by which inspection agent is enabled, and the options they select are automatically handled by the appropriate inspection agent.

In addition, policies can be created that monitor for information other than sensitive content. For example, incidents can be created for any FTP transfer of a file over a certain size, with subsequent data mining for patterns as to who is sending the information.

Policy actions determine how a policy will respond when its conditions are met. Policy constraints can be added to fine-tune the policy. You can set file filters, source constraints, destination constraints, and protocol constraints and specify whether the monitoring direction is inbound, outbound, or both. Besides constraints, policies can be fine-tuned by attaching other policies that define exceptions, or by creating GreenLists, which specifically exclude content such as boilerplates.

As content carried on network traffic enters the appliance through any of its ports, it is inspected and compared to policies for matches. When the policy conditions are met, the policy creates incidents and can assign them to individual reviewers or groups to be managed in a workflow.

Incidents are subject to role-based access control. Content authorities can only view incidents assigned to them and their groups. If the appliance is configured for incident redaction, content authorities can view incidents assigned to them, but they cannot view information about the source or destination of the transaction that led to the incident.

Reporting features allow charts and tables to be created that group incidents or subsets of incidents into categories that you specify. Exploratory data analysis is facilitated by the ability to drill down on one item in a category with further analysis. For example, routine reports might show that there were a large number of transactions leaving the network that contained credit card numbers, and further analysis might show that these transactions were coming from a single employee.