Thursday, December 01, 2005

Visit to Fidelis Security Systems

Over two years ago I mentioned an extrusion prevention product by Fidelis Security Systems called DataSafe (TM). This week I got a call from Tim Sullivan, CEO of Fidelis, who had a copy of my new Extrusion Detection book on his desk. We had exchanged emails months before the book was published, but I never got a chance to look at his company until today. Tim invited me to lunch with some of his team, so I visited his Bethesda, MD offices and got a look at DataSafe.

In brief, I was very impressed by what I saw. DataSafe is an extrusion prevention product that sits either inline or off a tap or SPAN port. The product is software that is installed on Red Hat Enterprise Linux, watching outbound traffic for content deemed to be in violation of a security policy. It can make alert, block, or TCP kill decisions based on its configuration and deployment mode. The following graphic from the architecture page hints at some of DataSafe's capabilities. The four items are not really "steps" in a process. Rather, they are different ways DataSafe can decide if content leaving the network should be passed or blocked. DataSafe implements port-neutral inspection methods (e.g., Web inspection is not tied only to well-known HTTP ports) to identify content. The examples I saw were fairly interesting, such as detecting HTTP -> Google Mail -> MIME encoded attachment -> Zipped file -> Word document -> sensitive account data.

As an analyst I am always sensitive to the amount of data provided to the product operator. Is there enough information given to make a decision, or does the analyst see only an alert with little supporting evidence? I was very pleased to see DataSafe provide guidance on why it alerted (regular expressions, etc.) and what it found. In other words, I could see the sensitive information in the alert itself.
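The decode chain described above (MIME attachment -> zip -> Word document -> account data) and the kind of evidence an analyst wants in the alert (the layer path plus the matched value), as an added example that is not Fidelis's code. It assumes the inspector already has the reassembled outbound message as bytes, and the account-number pattern is a hypothetical policy term.

```python
import email, io, re, zipfile
from email.message import EmailMessage
from email.policy import default

# Hypothetical policy term: a 16-digit account number written in 4-digit groups.
ACCOUNT_RE = re.compile(rb"\b\d{4}-\d{4}-\d{4}-\d{4}\b")
MAX_DEPTH = 8  # bound nesting so a zip-inside-zip chain cannot run the inspector forever

def unwrap(blob, layers, depth=0):
    """Yield (layers, bytes) leaves, descending into zip containers (a .docx is itself a zip)."""
    if depth < MAX_DEPTH and blob.startswith(b"PK\x03\x04"):
        with zipfile.ZipFile(io.BytesIO(blob)) as zf:
            for name in zf.namelist():
                yield from unwrap(zf.read(name), layers + [f"zip:{name}"], depth + 1)
    else:
        yield layers, blob

def inspect_mime(raw):
    """Decode every MIME part's transfer encoding, peel containers, match the policy."""
    findings = []
    for part in email.message_from_bytes(raw, policy=default).walk():
        payload = part.get_payload(decode=True)
        if payload is None:  # multipart wrapper with no body of its own
            continue
        for layers, leaf in unwrap(payload, [f"mime:{part.get_content_type()}"]):
            for m in ACCOUNT_RE.finditer(leaf):
                findings.append((" -> ".join(layers), m.group().decode()))
    return findings

def decide(raw):
    """Policy decision for one outbound message: block if anything matched, else pass."""
    return "block" if inspect_mime(raw) else "pass"

def build_sample():
    """Constructed message: MIME -> zip -> .docx -> word/document.xml holding an account number."""
    docx = io.BytesIO()
    with zipfile.ZipFile(docx, "w") as z:
        z.writestr("[Content_Types].xml", "<Types/>")
        z.writestr("word/document.xml", "<w:t>Acct 4111-2222-3333-4444 balance due</w:t>")
    outer = io.BytesIO()
    with zipfile.ZipFile(outer, "w") as z:
        z.writestr("report.docx", docx.getvalue())
    msg = EmailMessage()
    msg["Subject"] = "q4 numbers"
    msg.set_content("see attached")
    msg.add_attachment(outer.getvalue(), maintype="application", subtype="zip", filename="q4.zip")
    return msg.as_bytes()

if __name__ == "__main__":
    print(decide(build_sample()), inspect_mime(build_sample()))
```

Each finding carries the full layer path and the matched value, which is the supporting evidence the alert should show rather than a bare "policy violation".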

Incidentally, Gene Savchuk, the original author of the Mudpit unified output reader for Snort, and the SNORTRAN (.pdf) optimizing compiler for Snort rules, is the main developer of DataSafe.

If you're looking for a way to identify outbound traffic, and control what leaves your network, I recommend contacting Fidelis.

3 comments:

Anonymous said...

Their site is not working with Firefox 1.5, though. After having filled in all the info necessary, in order to be able to obtain their descriptive material, the download php-based link simply leads nowhere ... will set up a VM, later in the day, with some OS capable of running IE, and will try again.

Chris Petrilli said...

Hi. I'm an engineer at Fidelis, and I saw this comment about being unable to access the contact information. I just verified on Firefox 1.5 (WinXP SP2) that it seems to be functioning. If you still can't get to it with Firefox, please feel free to contact me at chris.petrilli (at) fidelissecurity (dot) com.

Anonymous said...

Good luck catching those secrets leaking out over tor.

http://tor.eff.org