Enterprise Data Loss Prevention & Device Control

DeviceLock EtherSensor - Server-Based Network Traffic Monitoring and Analysis

DeviceLock EtherSensor, an optional network-resident server module of DeviceLock DLP, is a high-performance network event and message extraction system. It enables organizations to monitor, capture, and analyze corporate network traffic in real time in order to reconstruct, filter, and collect transmitted application-level data objects (messages, files, posts, etc.) and their metadata, and to log relevant events. EtherSensor-collected messages, metadata, and logs can be delivered to the central log database of DeviceLock DLP, as well as to any Security Operations Center subsystems including SIEM, eDiscovery, UEBA, and more. DeviceLock EtherSensor supports streamed traffic processing in 20 Gbps+ channels while running on dedicated or virtualized Windows servers. It has a small server footprint and keeps resource consumption minimal for the desired level of network communications monitoring.

A hybrid DeviceLock DLP solution with the DeviceLock EtherSensor server

By tapping corporate network traffic in server mode, DeviceLock EtherSensor can capture and log network events, and reconstruct and collect messages and files from several thousand Internet services, without involving DeviceLock Agents. This allows monitoring of internal and external data exchanges via email, webmail, social networks, instant messengers, job-seeking services, blogs, and forums. Files transferred by corporate users through HTTP and FTP protocols, as well as those uploaded to cloud storage, can also be captured and logged. Collected events and data are stored in the DeviceLock DLP central log database for further analysis, including indexing and full-text searching with the DeviceLock Search Server component of the DLP Suite.

Advantages of Hybrid DeviceLock DLP Solution

The coordinated use of DeviceLock Agents, which enforce full-function preventive DLP controls on their host computers, in combination with a network-resident DeviceLock EtherSensor that monitors, captures, and analyzes all traffic in the corporate office enables organizations to implement an effective hybrid DLP solution with the following additional benefits:

How DeviceLock EtherSensor Works

DeviceLock EtherSensor performs the following three primary tasks:

DeviceLock EtherSensor data sources:

  1. Network traffic from either a network tap or the Ethernet port of an active network appliance on which traffic duplication from specific ports is configured (mirroring of rx and tx packets). In the same way, DeviceLock EtherSensor can receive network traffic from various external sources, such as SSLSplitter and next-generation firewalls (e.g. Palo Alto Networks, FortiGate), when a copy of decrypted SSL/TLS traffic is delivered to a network interface of DeviceLock EtherSensor.
  2. Plain HTTP and FTP traffic received over the ICAP protocol from external proxy servers capable of decrypting HTTPS or FTPS sessions (e.g. SQUID, Blue Coat Proxy SG, Cisco WSA, Webwasher, FortiGate, Entensys UserGate, etc.).
  3. PCAP files in pcapng and tcpdump/libpcap formats, for processing traffic that has been stored to a local directory.
  4. Data from local and remote Lotus Notes Transaction Log directories can be copied by DeviceLock EtherSensor in order to monitor, reconstruct, and analyze messages from the Lotus Notes system. At the same time, unencrypted Lotus Notes traffic can be captured and processed in real-time for extracting Lotus Notes events, messages, calendar events, etc.
  5. A custom plug-in for a Microsoft Lync (Microsoft Skype for Business) server with the Edge role can use the ICAP protocol to copy Lync messages to DeviceLock EtherSensor for monitoring, capturing, and processing.

Facebook message interception by DeviceLock EtherSensor

The fundamental feature of DeviceLock EtherSensor is that it does not intrude on traffic delivery in the monitored network. EtherSensor captures traffic passively, so it does not affect network infrastructure in any way. Its only requirement for normal operation is access to the network traffic through a mirror port or network sniffer. DeviceLock EtherSensor works independently from DeviceLock Agents and ensures full monitoring of network traffic of up to 20 Gbps bandwidth while detecting and extracting data from several thousand Internet services. To further reduce processing overhead, raw traffic data captured from network interfaces and PCAP files can be pre-filtered by the built-in Berkeley Packet Filter module, which excludes garbage traffic and unwanted data from further analysis.
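As an added illustration (not DeviceLock code or configuration), the sketch below shows what a BPF pre-filter does to a stored capture: it identifies libpcap or pcapng by magic number, then applies in Python the same decision as the pcap-filter expression `ip and tcp and not port 22`. The filter policy, sample frames, and all function names are assumptions constructed for the example.

```python
import struct

BPF_EXPR = "ip and tcp and not port 22"  # assumed noise policy mirrored by keep()
MAGICS = {  # first four bytes of a capture file -> (format, struct byte order)
    b"\xd4\xc3\xb2\xa1": ("libpcap", "<"), b"\xa1\xb2\xc3\xd4": ("libpcap", ">"),
    b"\x4d\x3c\xb2\xa1": ("libpcap-ns", "<"), b"\xa1\xb2\x3c\x4d": ("libpcap-ns", ">"),
    b"\x0a\x0d\x0d\x0a": ("pcapng", None),  # Section Header Block type
}

def capture_format(data):
    return MAGICS.get(data[:4], ("unknown", None))

def frames(data):
    """Yield Ethernet frames from a classic libpcap byte string."""
    fmt, order = capture_format(data)
    if not fmt.startswith("libpcap") or len(data) < 24:
        raise ValueError(f"unsupported capture format: {fmt}")
    if struct.unpack(order + "I", data[20:24])[0] != 1:  # LINKTYPE_ETHERNET
        raise ValueError("only Ethernet captures are handled here")
    off = 24
    while off + 16 <= len(data):
        incl = struct.unpack(order + "I", data[off + 8:off + 12])[0]
        frame = data[off + 16:off + 16 + incl]
        if len(frame) < incl:  # truncated final record
            break
        yield frame
        off += 16 + incl

def keep(frame):
    """Same decision as BPF_EXPR for an untagged Ethernet frame."""
    if len(frame) < 34 or frame[12:14] != b"\x08\x00" or frame[23] != 6:
        return False  # not IPv4, or not TCP
    if struct.unpack("!H", frame[20:22])[0] & 0x1FFF:
        return True  # later fragment: BPF port tests never match it
    l4 = 14 + (frame[14] & 0x0F) * 4  # start of the TCP header
    return len(frame) >= l4 + 4 and 22 not in struct.unpack("!HH", frame[l4:l4 + 4])

def prefilter(data):
    return [f for f in frames(data) if keep(f)]

def _frame(proto, sport, dport):  # constructed sample frame, checksums left at zero
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 28, 0, 0, 64, proto, 0,
                     bytes([192, 0, 2, 1]), bytes([192, 0, 2, 2]))
    return b"\x02" * 12 + b"\x08\x00" + ip + struct.pack("!HHI", sport, dport, 0)

# Constructed capture: HTTP request, SSH to server, DNS over UDP, SSH reply.
SAMPLE = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1) + b"".join(
    struct.pack("<IIII", 0, 0, len(f), len(f)) + f
    for f in (_frame(6, 40000, 80), _frame(6, 40001, 22),
              _frame(17, 40002, 53), _frame(6, 22, 40003)))
```

Of the four constructed frames, only the TCP frame to port 80 survives the pre-filter; a pcapng file would need its own block parser before the same decision could be applied.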

Network Communications Controlled by DeviceLock EtherSensor

DeviceLock EtherSensor monitors and captures raw traffic and extracts application-level data from the following network communications:

Social Media: various data (authentication credentials, text messages, comments, etc.) from social networks including Facebook, Instagram, Twitter, LinkedIn, MySpace, Blogger.com, LiveJournal.com, VK.com, etc.; from phpbb-, ipb-, vbulletin-, and mybb-based forums; and from SMS/MMS web-based messaging services (including over 500 domains).

Email: email messages and attachments transmitted over SMTP, POP3, and IMAP4 protocols.

Webmail: outgoing and incoming messages and attachments from the following webmail services: Gmail, Yahoo Mail, Hotmail (Outlook.com), Mail.ru, etc. (over 40 domains), as well as all services based on the SquirrelMail core.

IBM (Lotus) Notes: Lotus Notes events and data, including messages and attachments, calendar events, etc. For encrypted traffic, messages are extracted from the Lotus Notes Transaction Log. These methods do not affect the operation of Lotus Notes.

Instant Messages: messages and files sent and received via instant messaging services over Skype (including MS Lync/Skype for Business), XMPP/Jabber, IRC, MSN, Yahoo, and OSCAR protocols.

File Transfer: files transferred over HTTP, FTP, SMB/CIFS, and WebDAV protocols.