CyberSight: Features

CyberSight™ V7 Feature Overview

  • Simple to install in less than 180 seconds
  • Scan hundreds or thousands of systems with virtually no overhead
  • Undetectable by users (c. 0.5% of client processor)
  • No need for additional training or high level of IT skill
  • Protect against hacking attacks (internal, external and wireless)
  • Detect pornography
  • Detect paedophilia
  • Detailed forensics capture
  • Detect unauthorised web access
  • Detect unknown threats using patented "Capability Analysis Engine"
  • Simple to customise to protect against unsuitable or inappropriate web sites
  • Detect internal abuse (downloading unapproved software, hacking tools, music, video and images)
  • Monitor and protect in real-time
  • Protect against threats from laptops, PDAs, USB and other Plug & Play devices
  • Full audit trail, User ID, client, IP Address, Screenshots of offending activity and web camera capability
  • Protect against hardware theft (for example entire systems, disc, memory, cards etc.)
  • Detect unauthorised activities (game playing, downloading, loading from detachable media)
  • Fully automatic hardware and software auditing capability
  • Fully automatic network mapping and statistical analysis
  • Penetrates encrypted zip files (the commonest method of hiding inappropriate material)
  • Detects over 1.1 million known threats
  • Tracks confidential documents and attempts to copy, edit or remove them
  • Simple to use back-up capability
  • Remote administration of system
  • Abuse management
  • Control & manage your systems
  • Gain visibility of your systems
  • Network mapping
  • Detection capacity of over 250 million items
  • Small footprint on client
  • Only a 1.3 MB file to deploy across the network
  • Same executable works on Win 95, 98, ME, NT3.51, NT4 and all versions of XP and Vista
  • Works in parallel with the OS; generates no sequential lag

CyberSight V7 - a complete, highly cost-effective solution for Educational Security & Administration

This is not a definitive list of capabilities - space precludes a complete overview.

Simple to install

Installation, and ongoing management, is an area that is frequently "glossed over" by developers. After all, if you are deploying a system to monitor and protect thousands of clients, you would expect it to be difficult, wouldn't you?

We do not believe that there is any correlation between effectiveness, complexity and deployment. Just because a product is effective, highly complex and market leading should not mean that installation is therefore difficult, time consuming, costly and riddled with opportunities for mistakes.

A primary design criterion for CyberSight was that it must be simple to install and we have achieved this aim. Installation on the designated server takes less than 5 minutes using standard installation scripts. Once the server is installed the CyberSight agent (the extremely small application that is deployed to the clients) is created with just a mouse click.

Distribution of the agent can be via e-mail, manually or, typically, by some form of software distribution tool, for example Tivoli or BMC Patrol.

On deployment the agent immediately begins to report back to the server on every aspect of its client host. This is the only time during the operation of the system when some degradation of overall performance may occur and the process typically takes between 10 - 60 minutes, depending on the amount of data and files on the particular client.

The client is usable during this process, which we refer to as a Legacy Scan. Often disabling any AV product on the client prior to installation will considerably speed up the scan process.

As with any installation, consideration should be given to phasing in order to ensure a smooth roll-out.

Scan hundreds or thousands of systems with virtually no overhead

Most security products work by blocking, filtering or comparing. Regardless of the technology used, they all have one thing in common: they restrict usage, impair performance and reduce the very functionality that the system is meant to provide.

CyberSight has a totally different architecture; the CyberSight agent reports back to the CyberSight server (which can be stand-alone or an existing system). In this way the CyberSight server is able to build a complete virtual image of the network; the clients, their software, details of the network itself and, most important of all, the agent reports back on every change that occurs on a client system.

The Cryptic Software "Threat Database", which is trickle updated according to preferences (real-time, once an hour, once a day and so forth), is also resident on the CyberSight server. As the server knows all the information on the clients, it can easily and extremely quickly compare this information with the information held in the threat database, with no impact on the normal day-to-day performance of the systems.

This architecture has multiple benefits:

  • No need to support applications at the client
  • No need for threat databases at the client
  • Virtually instant response to threats
  • No practical limit to the number of threats on the server
  • High performance, low overhead solution
  • No change in performance regardless of the number of clients or number of threats

Undetectable by users

By this we do not necessarily imply that installation should always be "stealthy"; it is up to individual organisations to make that decision. We actually believe that the mere fact that users are aware that their activities can be, or are being, monitored is in itself a powerful tool in the fight against user abuse. By undetectable we mean that the overhead of our agent running on a client is undetectable by the user. Typically the CyberSight agent utilises less than 0.05% of the client processor.

AV products have two major problems at the end user level: they require regular updating and they slow the client considerably. In fact, more than one well known organisation has been attacked (successfully) because users disabled their AV products due to their impact on performance.

The architecture of CyberSight, and the base products used in its development, provides a level of performance that cannot be compared to other security applications. Whilst an AV product may slow the client during some operations, sometimes by a factor of ten, CyberSight, providing the same functionality, does not.

No need for additional training or high level of IT skill

There is no point in having a product that is simple to install if you need a rocket scientist to run and maintain it. Whilst large organisations may have an IT Department, and some even have dedicated IT Security staff, many do not. Their IT is often handled by people with only a broad knowledge of IT.

CyberSight is a complex, highly functional product embodying multiple technologies and providing a wide variety of features. However, the input required to run the system is minimal, with many major features fully automated. For example, hardware and software auditing requires no input at all; it is simply there, and all that is required to print it out is a mouse click.

Handling threats and user abuse is simplified by providing menu driven options that obviate the need for detailed knowledge of either security or networks. It is this "ease of use" that is making CyberSight the security implementation of choice. However it is important not to confuse "ease of use" with lack of function. CyberSight provides greater functionality and performance than nearly all other security products together.

Protect against hacking attacks internal, external and wireless

Hacking attacks do not necessarily come from hackers. The advent of the Internet has led to a proliferation of easy-to-use hacking tools that are as well written and presented as commercial software. Anyone can download these from the Internet.

The assumption that hacking attacks come from the Internet is only partly true; it may have been true ten years ago but all recent statistics point to the majority of attacks (c. 80%) being initiated from the inside. The Internet's primary role is that of an "open all hours" hacking superstore. Even DIY "build your own virus" kits are available.

If you want to protect your data, the only real answer is don't put it on a computer - write it down and lock it away. Even then, we know of an organisation that did the IT equivalent of this: every night they disconnected their server. This worked really well until they were burgled and the server was stolen. It goes to prove there is no easy or certain way to be protected. All that can be done is to minimise the risk.

Internal Attack

By far the most common and extremely difficult to detect; a simple definition is that an attack can best be classed as an attempt.

CyberSight™ benefits

There are many benefits and some are not so obvious

Some of the benefits of using CyberSight are listed in the menu on the left but there are many, many more. A selection of the benefits we've thought of so far is listed below.

User benefits:

Detect whether users have visited particular web sites, regardless of the URL:

There are thousands of web sites that you don't want your employees browsing using company resources, and not all of them are pornographic. But there may be sites in particular that users must not access.

If, for example, there is information about a confidential project on a secure, internal web site, then images and pages from that site can be indexed in CyberSight™ and you can instantly see which users have visited the site and when they visited.

Using this method to monitor Internet access means that it doesn't matter how the user obtains the web pages or images, or if the URL (web address) ever changes. Many web sites today have addresses which change on a daily basis.

With CyberSight™ installed it's quick and easy to see whether users are misusing their Internet connection. Pirated software, new installations, pornography, hacking tools and much more are all picked up and reported on quickly, easily and stealthily.

Enforce corporate policy:

Until now it has been very difficult to enforce company policy. Detecting whether files like databases can be undetectably altered, whether users are downloading illicit or illegal material from the Internet, whether users' machines are acting as a gateway through your current security for hackers (internal or external), and so on, is almost impossible.

CyberSight™ detects tens of thousands of threats to IT systems unobtrusively and gathers and correlates all of the events at a central console.

It's even possible to index your own threats which might be specific only to your company or even department. For example it would be possible to index project plans, sales tenders, unreleased product photos, customer databases, etc. and see instantly whether they exist anywhere on the system where they shouldn't be.

Audit: Know exactly what and when a user installs software on their machine, and whether it's legal or not:

There are many web sites containing libraries of free utilities, games, hacking tools, screen savers, etc. - in fact any program you can think of, and usually more.

Some of it is shareware or freeware which may not be illegal but it's usually against company policy for users to install it and use it on company PCs - it's usually against company policy for users to even look for it.

But a lot of the software is illegal because it has been cracked or someone has copied and uploaded it to their site. There are several very widely used, very useful utilities for which cracked versions or license key generators are widespread. These utilities might be part of the company software package, in which case a cracked version may go undetected on your network.

Unauthorised software uses company resources, the most expensive of which is the time wasted while the user looked for, downloaded, installed, played with and then probably deleted the software.

It's also untested software and often has the client side of a hacking tool wrapped in it. This gets installed totally stealthily when the software is run (sometimes even if it crashes!) and is designed not to be detected by existing security methods.

CyberSight™ can detect cracked versions of software, license key generators, newly installed software and more. It's even possible to add your own files to the detection database to instantly see whether a previously unknown executable (or other file) exists anywhere on your system.

Product benefits:

Adaptable to change:

Security software needs to be different from typical application software. It needs to be under constant change; to improve the detection process and to ensure that new threats are included as soon as they are discovered.

CyberSight™ has been developed to detect any old, current and even new threat that has not been written yet. Because it works at the lowest level possible it isn't possible for a threat to go undetected.

If a new threat is discovered, and a good example was the "Love Bug" virus, then simply drag the offending files and drop them onto the CyberSight™ icon and within 2 mouse clicks it can be detected and removed company wide.

This sort of adaptability is getting more important as threats get more sophisticated. Some viruses are now "net-updatable", allowing them to update themselves to avoid detection by virus checkers. CyberSight™ can detect any header-infecting virus (the most common type) by monitoring for changes in the header of executable files and can fix them all completely.

Very quick:

CyberSight™ has been written to minimise the effect it has on a system. Clients can be installed as simply as using the copy command (no registry settings or entries in .ini files) making installation and distribution very quick indeed.

Also hundreds of megabytes of data can be scanned for new threats in split seconds. This means that a user's hard disk will make more noise from swap file activity than from the CyberSight™ client, even if it's set to run every hour. The user is also less likely to be interrupted and will therefore not be tempted to try and find out what's running and have a go at deleting it.

CyberSight™ detects tens of thousands of threats - it does not focus on any one area of security. Also, if you have files that are specific to just your company, or even your own department, these can be easily indexed for detection company wide.

No false positives:

If it's detected by CyberSight™ then you've asked to be alerted about it, and probably need to know about it. The probability of getting an event that you did not ask for (a false positive) is smaller than the probability of winning a rollover lottery four weeks on the trot.

This is extremely useful as many products, like some content checkers, generate lists of events that are not threats at all and just waste administrators' time.

Will detect threats even when wrapped and encrypted:

A very common way to hide files is to "zip" them using a compression utility. Some even give you the ability to encrypt the zip file by giving it password protection.

CyberSight™ will unzip and decrypt any zip files it encounters on the fly. And if they contain zipped and encrypted files it will unzip and decrypt them, and so on, until it has examined all of the files contained within. This is a very quick process and is one of the many unique, patentable technologies in this software.

Is very resource friendly:

The server side of CyberSight™ is relatively small for what it does and does not need dedicated hardware to run. The only requirement of the machine on which it is installed is that the clients can see a share that must be created.

Also, because the product is not complicated to use, it will not take hours of expensive time to learn all about how to set up and run it.

The clients are very small indeed, incredibly easy to install and only take seconds to run to detect new threats.

Also, all of the network traffic is from the clients to the CyberSight™ server, and if there are no events to send then the amount of network traffic even from several hundred clients is negligible. One event sent from a client generates just over 250 bytes of network traffic so the network load is not great anyway.

And the CyberSight™ server doesn't even need to be running to collect events from the clients! It doesn't get much more resource friendly.

Has a remote console:

Even with several CyberSight™ servers installed it's possible to view all of the events from a central location by using the tiny remote console utility. Simply connect to each server's database and view the events as they come in. The software on each server does not need to be running to use this utility.