Over two years ago I mentioned an extrusion prevention product by Fidelis Security Systems called DataSafe (TM). This week I got a call from Tim Sullivan, CEO of Fidelis, who had a copy of my new Extrusion Detection book on his desk. We had exchanged emails months before the book was published, but I never got a chance to look at his company until today. Tim invited me to lunch with some of his team, so I visited his Bethesda, MD offices and got a look at DataSafe.
In brief, I was very impressed by what I saw. DataSafe is an extrusion prevention product that sits either inline or off a tap or SPAN port. The product is software that is installed on Red Hat Enterprise Linux, watching outbound traffic for content deemed to be in violation of a security policy. It can make alert, block, or TCP kill decisions based on its configuration and deployment mode. The following graphic from the architecture page hints at some of DataSafe's capabilities. The four items are not really "steps" in a process. Rather, they are different ways DataSafe can decide if content leaving the network should be passed or blocked. DataSafe implements port-neutral inspection methods (e.g., Web inspection is not tied only to well-known HTTP ports) to identify content. The examples I saw were fairly interesting, such as detecting HTTP -> Google Mail -> MIME encoded attachment -> Zipped file -> Word document -> sensitive account data.
As an analyst I am always sensitive to the amount of data provided to the product operator. Is there enough information given to make a decision, or does the analyst see only an alert with little supporting evidence? I was very pleased to see DataSafe provide guidance on why it alerted (regular expressions, etc.) and what it found. In other words, I could see the sensitive information in the alert itself.
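To make the layered-decoding idea concrete, here is an added example (my own illustration, not DataSafe code) that peels a MIME message, then a zip attachment, then applies a policy regex to the innermost content and reports the decode path alongside the match, the way the alert described above shows its evidence. The message, the zip member, and the `ACCT-` account-number pattern are all constructed placeholders; the HTTP/Gmail layer is left out.

```python
import base64
import io
import re
import zipfile
from email import message_from_bytes

# Placeholder policy: a constructed account-number format, standing in for
# whatever regular expressions the operator would actually configure.
ACCOUNT_RE = re.compile(rb"\bACCT-\d{4}-\d{6}\b")

def build_sample_message() -> bytes:
    """Constructed sample: MIME mail carrying a base64 zip with a text 'document'."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("report.txt", "Customer ledger\nACCT-1234-567890 balance due\n")
    payload = base64.b64encode(buf.getvalue()).decode()
    return (
        "From: alice@example.com\r\nTo: bob@example.net\r\n"
        "Subject: report\r\nMIME-Version: 1.0\r\n"
        'Content-Type: multipart/mixed; boundary="XX"\r\n\r\n'
        "--XX\r\nContent-Type: text/plain\r\n\r\nsee attached\r\n"
        '--XX\r\nContent-Type: application/zip; name="report.zip"\r\n'
        "Content-Transfer-Encoding: base64\r\n\r\n" + payload + "\r\n--XX--\r\n"
    ).encode()

def inspect(blob: bytes, path=("raw",), depth=0, max_depth=6):
    """Recursively unwrap containers; return [(decode_path, matched_text)] hits."""
    hits = []
    if depth > max_depth:          # bound recursion against nested archives
        return hits
    # Container type 1: MIME message -> walk leaf parts, undo transfer encoding
    if blob.startswith(b"From:") or b"MIME-Version:" in blob[:512]:
        msg = message_from_bytes(blob)
        for i, part in enumerate(msg.walk()):
            if part.is_multipart():
                continue
            data = part.get_payload(decode=True) or b""
            hits += inspect(data, path + (f"mime[{i}]",), depth + 1, max_depth)
        return hits
    # Container type 2: zip archive -> inspect every member
    if blob.startswith(b"PK\x03\x04"):
        with zipfile.ZipFile(io.BytesIO(blob)) as zf:
            for name in zf.namelist():
                hits += inspect(zf.read(name), path + (f"zip:{name}",), depth + 1, max_depth)
        return hits
    # Leaf content: apply the policy and keep the evidence for the analyst
    for m in ACCOUNT_RE.finditer(blob):
        hits.append(("/".join(path), m.group().decode()))
    return hits
```

Running `inspect(build_sample_message())` yields one hit whose path reads `raw/mime[2]/zip:report.txt`, i.e. the alert carries both where the data was found and what matched.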
Incidentally, Gene Savchuk, the original author of the Mudpit unified output reader for Snort, and the SNORTRAN (.pdf) optimizing compiler for Snort rules, is the main developer of DataSafe.
If you're looking for a way to identify outbound traffic, and control what leaves your network, I recommend contacting Fidelis.