ANB’s DataNforcer® is a software solution that protects organizations from insider threats. ANB DataNforcer® enforces data protection policies, as part of an organization’s general security policy, on each user’s computing machine that is used for accessing the organization’s protected and critical data. The user’s computing machine can be a PC, whether a desktop or a laptop. ANB DataNforcer® works as an independent security authority regardless of the user’s SID (Security ID) and access rights. Therefore any user activity, including the activities of supervisors and administrators, is monitored under the ANB DataNforcer® radar.
One of the major advantages of the ANB DataNforcer® technology is that its protection mechanism is based on generic operating-system internal processes and thus does not require dedicated interfaces with individual applications. It is a GUI-less and silent DLP (Data-Leak Protection) mechanism that provides real-time data protection via extensive and powerful tools, enabling the organization’s security team to implement, monitor and enforce the enterprise security policy.
The protection mechanism of DataNforcer® is based on code injection of proprietary GUARDS that monitor every program loaded into memory and evaluate in real time which information each program is accessing. By defining a white list of data-exchange channels and a white list of acceptable programs (exe files), DataNforcer® effectively monitors all data access activities. In addition, by controlling the operating-system clipboard, which is the only internal tool for copying and pasting information, unauthorized activities can be easily blocked. Another operating-system object that is monitored is the GDI (Graphics Device Interface), the core operating-system component responsible for representing graphical objects and transmitting them to output devices such as monitors and printers. By design, any attempt to terminate the live DataNforcer® GUARDS causes an automatic critical alert and PC shutdown.
Detects, Alerts, Records, Blocks
Detects: ANB DataNforcer® detects, in real time, forbidden activities/events executed by any logged-in user and/or by any program that uses the user’s privileges to access the protected data. This data protection capability is accomplished by integrating a sniffing mechanism within the DataNforcer® security agent. The DataNforcer® security agent is a tiny program (only 80K bytes) that is partly injected into all running applications (into the memory space in which they physically run) at user level (user mode). The ANB DataNforcer® agent is not injected into system services and programs that run at O/S level (kernel mode). ANB DataNforcer® detects Microsoft Windows operating-system events in real time (Windows being the working-environment platform) and consequently the events of any running application that interfaces with, and/or requests system resources from, the O/S kernel. This feature also covers removable-device events and mounting events.
Alerts: ANB DataNforcer® alerts the organization’s security team in real time about each high-risk event, as defined by the organization’s security policy. ANB DataNforcer® includes administrative tools and analysis tools designed for the organization’s security team, which enable them to explore any suspicious activity and respond to it in real time. Unauthorized data access events are considered suspicious activities by default. A forbidden activity may be initiated by the O/S, by third-party software applications, and/or by an authorized user operating with the user’s credentials (SID – security token). Any running program has a logical identifier (a ‘process’) with a unique ID, at least one thread, a virtual memory address space and unique handles to O/S resources. These resources are visible to the ANB DataNforcer® security agent, which monitors every process, its threads and its activities.
Records: ANB DataNforcer® documents every detected event transaction in a central database, which is part of the organization’s network domain. This central database is highly secured and can be used for responding to threats in real time by providing forensic information about any activity inside the organization’s domain for further inspection and inquiry. The recorded security transactions provide forensic services in real time rather than recovering digital forensic information from evidence after the fact. Recovering forensic tracks is often impossible and/or expensive because of data encryption techniques. ANB DataNforcer® forensic services overcome any encryption limitation by recording the events in real time, while the data is being displayed to the user in decrypted form. The recorded event transactions provide a clear picture of any security policy breach executed by the end user or by third-party applications using the user’s credentials.
Blocks: ANB DataNforcer® can block forbidden activities as defined by the enforced security policy, and by doing so can minimize the overall risks and damages caused by malicious activities and/or accidental employee mistakes.
Figure 1: Detecting, Alerting, Recording and Blocking Events.
Detecting and blocking of events take place at each user’s desktop PC, performed by ANB DataNforcer® based on the enforced security policy. Blocking events is optional.
Alerting: Alert messages are generated by ANB DataNforcer®, sent immediately to the Enforcer web service for archiving, and also redirected to the organization’s security team tools.
Recording: All event transactions are recorded at the DataNforcer® web service for further inspection by the security team and for future forensic inquiries.
GUI-Less Silent protection
ANB DataNforcer® is a GUI-less silent application that allows the organization to protect its critical IT resources against data leakage and/or information theft from inside the organization. In effect, ANB DataNforcer® works as an internal firewall.
There are four major types of events monitored by ANB DataNforcer®:
I. Data Leak Protection: A data leak event occurs when a user copies digital information from internal resources and pastes it into a forbidden application or sends it to external sites, for example via email. ANB DataNforcer® detects all forbidden activities based on the enforced security policy and immediately, in real time, reports the activity to the security team. ANB DataNforcer® may immediately block such activities, as per the organization’s policy.
II. Printscreen Activities: In this case, inside information that is accessed and displayed on the end user’s monitor can be captured as a digital image and copied to an unknown outside resource, device or web site. ANB DataNforcer® detects all Print-Screen activities, reports them to the security team and, depending on the organization’s security policy, may block such attempts in real time.
III. Removable storage devices: To avoid data leaks, many organizations restrict the use of Disk-On-Key USB devices, including DVD/CD burners, SD memory cards and any other removable memory devices attached to peripheral devices. Such unauthorized devices can be used by inside users to extract inside information from the organization. ANB DataNforcer® detects the insertion of USB Disk-On-Key and other removable devices, alerts the security team about such forbidden activities and, depending on the organization’s security policy, may block the new volume drive by dismounting it. All such transactions are recorded as forensic activity in the central database.
IV. Files and folders management activities: Another way to extract information from inside the organization is by renaming an original file with a dummy filename, which may be automatically classified by the O/S as a valueless file. The organization’s security policy can classify such a filename-renaming event as a suspicious activity and respond by sending security warnings. Any attempt to rename a file can be reported to the organization’s security team in real time and carries a pre-defined risk rank. In addition, ANB DataNforcer® can be used to provide extensive protection for sensitive files. The highly protected files/folders are selectively defined by the security team. Other files, with reduced protection, are monitored and alerted on without further protection. File/folder deletion, renaming and moving events executed by a user, by any running application and/or by the O/S are detected in real time and responded to based on the pre-defined security policy. The organization’s security team can easily protect sensitive data by using file/folder high-protection tags. Based on those tags, the protected files/folders are monitored while they are being moved and/or copied within the organization’s domain and endpoint PCs. All protected files are under the ANB DataNforcer® radar and can be monitored regardless of whether the user has maximal or minimal access rights.
Comment: Most file deletion activities are performed automatically by the operating system and by third-party applications on temporary files. These activities are monitored for forensic purposes as a background activity. They reflect the user’s activities while running specific applications and/or using the O/S working environment.
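The following is an added example, not ANB’s code, that models how the white lists of programs and data-exchange channels, the file protection tags and the optional blocking described above combine into detect / alert / record / block decisions for the four event types; the event field names, risk ranks and decision rules are constructed assumptions.

```python
"""White-list DLP policy model for the four event types described above.
Added example, not ANB's code: event fields, risk ranks and rules are
constructed assumptions. Every event is recorded; only forbidden ones are
detected, alerted on (by risk rank) and, if enabled, blocked."""
from dataclasses import dataclass, field

@dataclass
class Policy:
    allowed_programs: set           # white list of acceptable exe files
    allowed_channels: set           # white list of data-exchange channels
    protected_paths: tuple          # folders carrying the high-protection tag
    blocking_enabled: bool = True   # blocking is optional per policy
    alert_threshold: int = 2        # alert only on ranks at or above this
    risk_rank: dict = field(default_factory=lambda: {
        "clipboard_paste": 3, "printscreen": 3, "removable_insert": 4,
        "file_rename": 2, "file_move": 2, "file_delete": 1})

@dataclass
class Decision:
    detected: bool
    alert: bool
    block: bool
    action: str      # what blocking means for this event kind
    record: str      # forensic record produced for every event

def evaluate(event: dict, policy: Policy) -> Decision:
    """Decide how the agent responds to one constructed event dict."""
    kind, prog = event["type"], event.get("program", "")
    forbidden, action = False, "none"
    if kind == "clipboard_paste":
        # paste into a program or channel outside the white lists
        forbidden = (prog not in policy.allowed_programs
                     or event.get("channel") not in policy.allowed_channels)
        action = "block paste"
    elif kind == "printscreen":
        forbidden, action = True, "block capture"
    elif kind == "removable_insert":
        forbidden, action = True, "dismount volume"
    elif kind in ("file_rename", "file_delete", "file_move"):
        # tagged files are enforced; untagged ones are recorded for forensics only
        forbidden = event.get("path", "").startswith(policy.protected_paths)
        action = "deny file operation"
    rank = policy.risk_rank.get(kind, 0)
    enforce = forbidden and policy.blocking_enabled
    return Decision(detected=forbidden, block=enforce,
                    alert=forbidden and rank >= policy.alert_threshold,
                    action=action if enforce else "record only",
                    record=f"{kind} program={prog} risk={rank} forbidden={forbidden}")
```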
Running ANB DataNforcer® in Microsoft Active Directory
ANB DataNforcer® can be integrated with Microsoft Active Directory in order to support group and user policies. The organization’s security team can easily define a protection policy according to the organization’s specific requirements.
In general, ANB DataNforcer® runs in two different modes: online and offline.
Online Login Process
The user (an organization-authorized employee) logs into the organization’s domain using his/her personal text password and/or biometric identity and/or personal smart card. Within this process, the user gets his/her credentials as derived from his/her user account privileges in the organization’s Active Directory. This is the standard login process to the domain server while the user is connected (online mode). Within this process, ANB DataNforcer®, which runs on the user’s PC, loads the user’s DataNforcer® security policy from the domain controller (Active Directory). The user’s DataNforcer® security policy is derived from the user’s membership in user groups as defined in the organization’s Active Directory.
Figure 2: Online user’s login process to the organization’s Domain Controller
(1) The user logs into the Domain Controller using his/her text password and/or biometric identity and/or smart card key (private key).
(2) The user gets his/her credentials (SID – security token) and ANB DataNforcer® loads the user’s personal DataNforcer® security policy.
Offline Login Process
While the user’s PC is disconnected from the organization’s Domain Controller, the user (an organization-authorized employee) logs on to his/her working PC using his/her personal text password and/or biometric identity and/or personal smart card. Within this process, the user gets his/her credentials as derived from his/her local user account privileges on the working PC. This is the standard offline login process to the working PC while the user is disconnected (offline mode). Within this process, ANB DataNforcer®, which runs on the user’s PC, loads the user’s DataNforcer® security policy from the ANB Application Folder (an encrypted binary file). This policy is identical to the last logged user’s DataNforcer® security policy as defined in the Active Directory, and it is derived from the user’s membership in user groups as defined in the organization’s Active Directory.
Figure 3: Offline user’s login process to the user’s working PC (locally)
(1) The user logs into his/her working PC using his/her text password and/or biometric identity and/or smart card key (private key).
(2) The user gets his/her credentials (SID – security token).
(3) The DataNforcer® Agent loads the user’s personal DataNforcer® security policy from an encrypted binary file that is stored locally.
Once the user is logged into his/her PC (in online or offline mode), ANB DataNforcer® loads the user’s personal DataNforcer® security policy, and only then is the ANB DataNforcer® DTP Service activated.
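The online and offline login paths above, as an added example that is not ANB’s code: it derives a user policy from Active Directory group membership, refreshes a local copy at each online login, falls back to that copy when offline, and activates the service only once a policy is loaded. The group-policy dict layout, the "most restrictive wins" merge rule and the keyed-HMAC seal on the cache (a stand-in for the product’s encrypted binary file; it protects integrity, not confidentiality) are all assumptions of this example.

```python
"""Policy loading for the online and offline login paths described above.
Added example, not ANB's code. Assumptions: group policies are dicts keyed
by AD group name, merging is "most restrictive wins", and the local cache
is sealed with a keyed HMAC tag as a stand-in for the product's encrypted
binary file (integrity only, not confidentiality)."""
import hashlib, hmac, json, os

CACHE_PATH = "datanforcer_policy.cache"      # hypothetical cache location
CACHE_KEY = b"constructed-agent-local-key"   # constructed; a real agent would protect it

def resolve_policy(user_groups, group_policies):
    """Derive one user policy from AD group membership (most restrictive wins)."""
    programs, blocking = None, False
    for group in user_groups:
        rule = group_policies.get(group)
        if rule is None:
            continue                                   # group carries no DLP rule
        allowed = set(rule["allowed_programs"])
        programs = allowed if programs is None else programs & allowed
        blocking = blocking or rule.get("blocking_enabled", False)
    return {"allowed_programs": sorted(programs or []), "blocking_enabled": blocking}

def save_cache(policy, path=CACHE_PATH):
    """Write tag || json so an offline login can detect a tampered file."""
    body = json.dumps(policy, sort_keys=True).encode()
    tag = hmac.new(CACHE_KEY, body, hashlib.sha256).digest()
    with open(path, "wb") as f:
        f.write(tag + body)

def load_cache(path=CACHE_PATH):
    """Verify the tag before trusting the cached policy."""
    with open(path, "rb") as f:
        tag, body = f.read(32), f.read()
    expected = hmac.new(CACHE_KEY, body, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("policy cache tampered with or corrupt")
    return json.loads(body)

def login(user_groups, group_policies, online, path=CACHE_PATH):
    """Return (policy, service_active); the service starts only once a policy is loaded."""
    if online:
        policy = resolve_policy(user_groups, group_policies)   # from the domain controller
        save_cache(policy, path)                               # refresh the offline copy
    elif os.path.exists(path):
        policy = load_cache(path)                              # last online policy
    else:
        return None, False                                     # no policy, service stays off
    return policy, True
```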
Integrating with the ANB BioSign Identity and Access Management Solution
ANB DataNforcer® Agents can be integrated with ANB’s BioSign® or ANB’s BGP Solutions, or may be implemented as a stand-alone security solution with the ANB Sniffer Agent™.
Integrating with IBM Mainframe and Mini-frame systems
ANB DataNforcer® Agents can be integrated with IBM Personal Communications solutions, which are used for accessing sensitive information stored on IBM Mainframe / IBM mini-frame systems (“Z” systems and “I” systems respectively). In this case, any buffered communication between the IBM Terminal Emulator software, which runs on the user’s endpoint PC, and the host system is monitored. Any attempt by the user, who usually has different access rights on the IBM Mainframe/Mini-frame systems, to access highly classified information is monitored and reported and, based on the organization’s policy, may be alerted on and blocked in real time. In this case, any attempt to selectively copy the displayed data to other unmonitored resources is blocked.
ANB DataNforcer® supports Unicode and multi-language recordings.
Extending ANB DataNforcer® protection to eliminate Trojan activities
ANB DataNforcer® Agent protection can be extended in order to eliminate Trojan activities. Any attempt by a Trojan program to access/copy protected information can be easily detected, alerted on, recorded and blocked by ‘freezing’ and/or ‘crashing’ the Trojan program and its working memory.
This option can create a sterilized working environment in which ANB DataNforcer® and malicious programs cannot coexist while running in parallel. The ANB DataNforcer® security agent automatically injects itself into the Trojan program and prevents attempts to access protected data, to use O/S resources to copy and export data to the outside world, and/or to record user activities (print-screen of opened documents, recording passwords using key-loggers, etc.).