Raytheon | Websense SureView Insider Threat
Strengths: Very strong investigation tool.
Weaknesses: A bit pricey and advanced support is charged by the hour instead of an annual subscription. This can get expensive in a hurry at the relatively high hourly rate.
Verdict: Large organisations will benefit from the investigative capabilities SureView puts on the endpoints. Given that the endpoint either is the last stop on the way out – exfiltration – or the first stop on the way in – attack or malware – having that capability is not trivial.
SureView Insider Threat is largely an investigative platform. There are three basic components: the agent, the collector and the administrative workbench. Agents are installed at every endpoint and monitor that endpoint for violations of policy. They also analyse users' behaviour online, including internet and social media. This information is then sent to a collector. The collector captures the data from the agent and sends it on to the administrative workbench for analysis. There, the data is aggregated and the analyst has a complete view of user behaviour across the enterprise.
The SureView module reviewed here focuses on identifying and investigating insider threats. It collects data across the enterprise, including behavioural data for users. This allows it to form a context for each user and respond to anomalous behaviour. This, in turn, can lead to a targeted investigation. The investigation can be done without alerting the target. The events being investigated can be replayed at the investigators' dashboards.
A typical implementation for a large enterprise consists of collector nodes - enough to cover the enterprise - the master node and a database, usually an Oracle Real Application Clusters database. Agents on the endpoints report to the collector nodes. The endpoints can be on the enterprise network, over the internet or connected directly from another organisation site. Everything in the SureView Insider Threat module is policy driven. The policy engine is straightforward. A basic set of policies comes with the system and those can be used as is or customised. You can also build your own policies, or the vendor will assist you.
Once you have SureView Insider Threat up and running with some agents on endpoints, you can begin using it immediately. The dashboard is excellent and the drill-down is good as well. The replay feature is very useful. For example, if the target visits sites that are likely to be infected with malware, the entire browsing session can be replayed as it actually happened. Events can be directed to email alerts and to SIEMs for analysis and alerting.
One of the chief benefits of this tool is its value as a forensic investigation resource. The level of detail available allows drill-down with significant granularity. Such things as file extensions, for example, are ignored in favour of analysing the file itself to determine file type. That can mean looking at the header of the file content.
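The header-based identification the review describes can be illustrated with a small content sniffer. This is an added example, not SureView's code: it checks a few well-known public magic-number signatures against constructed sample files and flags cases where the content contradicts the extension. The `MAGIC_SIGNATURES` table, `EXT_ALIASES` map and sample file names are the example's own assumptions.

```python
# Added example (not SureView's code): identify a file's type from its
# header bytes rather than its extension, and flag extension/content mismatches.
from typing import Optional, Tuple

# (magic bytes at offset 0, type name); well-known public signatures, checked in order
MAGIC_SIGNATURES = [
    (b"%PDF-", "pdf"),
    (b"\x89PNG\r\n\x1a\n", "png"),
    (b"PK\x03\x04", "zip"),        # also docx/xlsx/pptx/jar containers
    (b"MZ", "exe"),                # PE/DOS executable (exe, dll)
    (b"\x7fELF", "elf"),
    (b"GIF87a", "gif"),
    (b"GIF89a", "gif"),
    (b"\xff\xd8\xff", "jpeg"),
    (b"Rar!\x1a\x07", "rar"),
]

# Extensions that legitimately share a container or signature (assumed mapping).
EXT_ALIASES = {"docx": "zip", "xlsx": "zip", "pptx": "zip", "jar": "zip",
               "jpg": "jpeg", "dll": "exe"}

def sniff_type(data: bytes) -> Optional[str]:
    """Return the type implied by the content header, or None if unknown."""
    for magic, name in MAGIC_SIGNATURES:
        if data[:len(magic)] == magic:
            return name
    return None

def extension_of(filename: str) -> str:
    return filename.rsplit(".", 1)[-1].lower() if "." in filename else ""

def classify(filename: str, data: bytes) -> Tuple[Optional[str], bool]:
    """Return (detected_type, mismatch); mismatch is True when the header
    contradicts a non-empty extension, e.g. an executable renamed to .txt."""
    detected = sniff_type(data)
    ext = extension_of(filename)
    claimed = EXT_ALIASES.get(ext, ext)
    return detected, detected is not None and claimed != "" and claimed != detected

# Constructed samples: only the leading bytes matter for the check.
SAMPLES = {
    "report.pdf": b"%PDF-1.7\n%\xe2\xe3\xcf\xd3\n",
    "notes.txt": b"MZ\x90\x00\x03\x00\x00\x00",   # PE header disguised as text
    "photo.jpg": b"\xff\xd8\xff\xe0\x00\x10JFIF",
    "budget.xlsx": b"PK\x03\x04\x14\x00\x06\x00",
    "readme": b"plain text with no extension",
}

def scan(samples=SAMPLES):
    """Classify every sample; returns {name: (detected_type, mismatch)}."""
    return {name: classify(name, data) for name, data in samples.items()}
```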
Another benefit of SureView is that it knows about sensitive types of data, such as data that would violate PII rules, and it does not collect those data. The policy implementation is interesting. SureView can observe violations of a policy and put the violators into a group for further monitoring or investigation. The tool thinks of policy as a task while groups are considered missions. Thus, if a user is placed in a particular group - either by SureView or by the administrator - it is because that user is engaging in some activity that is consistent with other members of the group.
Where encryption is involved, SureView pre-collects files prior to encryption. The playback of the encryption event then shows in detail what was encrypted, by whom and why. Once everything has been gathered, SureView can create files exportable as HTML. Policies can be created to watch superusers, such as administrators or root users. It can monitor and scan the registry for changes and is able, through detection of anomalous behaviour, to identify malware, including zero-days.
Overall, SureView Insider Threat maintains endpoint security through reactive identification of bad events and investigation of the source and root cause of those events. Even though it is reactive, its reaction time is so rapid - in registry scanning, for example - that the effect is proactive.
Documentation is excellent, as one would expect from a Raytheon company. Basic support is included with advanced support available for an additional fee. At £114,000 for the hardware version of the product supporting 1,000 users, the price is not cheap. However, the value is returned the first time data being exfiltrated is caught in time or a ransomware attack is prevented.