In the second round of our Rolling Review of data loss prevention systems, we took Code Green's CI 1500 Content Inspection Appliance for a spin. Having reviewed Safend Protector, which is primarily a host-based DLP offering, we were eager to try out a true network-layer DLP product.

Founded in late 2004 by the same team that built SonicWall, Code Green had initial success by aiming at banks and financial institutions. Now the regulatory climate has accelerated the company's expansion into healthcare, retail, and other sectors where robust DLP is required to ensure compliance and protect privacy and intellectual property.

Our Rolling Review seeks to evaluate vendor DLP solutions in many areas, including endpoint protection, data discovery, reporting, threat detection and response, range of communication channels that can be protected, along with pricing and ease of management. The CI 1500 performed well in many areas, and not so well in others.

The appliance is a rebranded Dell PowerEdge server running a modified version of Red Hat Linux Enterprise under the hood. It ships with eight Ethernet interfaces that serve a multitude of capabilities, including interfaces for mirrored packet analysis, messaging analysis, ICAP redirection, and device management.

The appliance itself is relatively simple to set up--all that's required is a little work at the Linux console to get your management network interface running, after which all device management is Web-enabled.

Look Out For Leaks
A quick look at the management GUI reveals Code Green's emphasis on robust pattern matching as critical data traverses the LAN/WAN via SMTP, HTTP/S, FTP, and other TCP protocols. Out of the box, the CI 1500 contains an impressive array of patterns and file filters that can be used to detect leaks, including filters for credit card and Social Security numbers, stock ticker symbols, and unique filters that can determine who's shopping their resumé out to your competitors.

The simple-to-use Boolean engine lets administrators refine or marry multiple pattern policies, and develop complex expressions that pinpoint and detect the most troublesome data leaks. Most environments will be able to implement policies right away using the out-of-the-box patterns, but creating custom patterns on the CI 1500 could have been a little easier. User-defined patterns must be entered using standard Perl-compatible regular expressions; it's not rocket science, but it does take some effort to learn the delimiters necessary to build your custom expressions.

Wake Up From The Nightmare
While pattern matching is important, it could turn into an administrator's worst nightmare from a false-positive perspective. That's where Code Green's Data Element Fingerprinting comes in. The fingerprinting capabilities can scan entire file systems, using over 400 recognized file types, to identify key elements inside spreadsheets and documents that when leaked would violate policy. Fingerprinting improves the appliance's accuracy beyond standard pattern matching or file filtering.

Rolling Review

DATA LOSS PREVENTION PRODUCTS

Business value
An ounce of loss prevention can be worth thousands of dollars of remediation and damaged reputation. We'll test DLP options' ability to detect, report, and remediate trouble on handheld devices and PCs.

Reviewed so far
• Safend Protector Endpoint
Delivers impressive endpoint security, but lacks application awareness and can't stop data leaks via printing of sensitive data or screen captures.

• Code Green CI 1500
Offers solid data discovery and complex pattern matching is tops, but its endpoint protection capabilities could be better.

Still to come
RSA, McAfee, Symantec, Vericept, Websense

More about this rolling review >>

For example, it might not violate policy to e-mail a customer spreadsheet to a colleague that contains name and address data, but if that spreadsheet also contained credit card data and was fingerprinted by the CI Appliance, then that transmission could be blocked. Better yet, because the fingerprints are married to the original content, cutting and pasting vital credit card data, or perhaps intellectual property in the form of C++ code, won't fool the CI appliance.

CI's support for ICAP also lets administrators work in tandem with leading proxies to apply policy and prevent leaks via HTTP/HTTPS and FTP. The appliance also supports scrubbing of all outbound e-mail through CI's Message Transfer Agent. We were able to discover the contents of each message and apply policy on all outbound e-mails. Messages with sensitive content can be off-loaded to an encryption engine or can be blocked.

Code Green does offer integrated endpoint protection with central policy distribution from the CI appliance, but the feature set is generally limited to physical port security. In addition, the endpoint agent requires the client be joined to the corporate domain where policy will be enforced. This is a potential issue for organizations that use contractors and other third parties for mission-critical projects.

We were unable to place checkmarks next to some of the more important items on our endpoint protection wish list, such as the ability to prevent users from joining unsecured Wi-Fi networks, or the ability to prevent printing or screen capture of sensitive documents.

Last but not least, the CI Agent software isn't as tamper-resistant as Safend Protector. With Protector, any effort to kill key processes or registry keys to disable the agent and circumvent security would fail. Unfortunately, the CI Agent doesn't yet possess such protection from tampering.

The Discovery Channel
The CI appliance offers administrators an impressive array of data discovery capabilities. Using the pre-defined patterns supplied by Code Green, IT can centrally scan unstructured data and file systems, along with structured databases.

Discovery is a key feature because while administrators and business unit owners have a general idea of where critical information resides on the network, we all know that such information tends to end up in unexpected places, whether an old file server or a user's laptop. The discovery capability helps administrators sniff out these caches of sensitive information on the network and on endpoints.

The only glaring weakness we discovered was the need to have an endpoint agent intermediate the discovery process between the CI appliance and the data source being crawled.

In future revisions, we'd love to see Code Green implement truly streamlined enterprise data discovery, but what's available now is robust enough to meet the discovery needs of most environments.

Reporting is also well implemented on the CI appliance. Administrators can generate custom reports and apply them to a customizable reporting dashboard that can be used to quickly check the security state of the network. In addition, database administrators can hook into the CI appliance database via ODBC or JDBC drivers for integration with an enterprise network monitoring or incident management system.

The CI appliance's threat detection, alerting, and mitigation capabilities met most of our needs. The appliance won't block malicious peer-to-peer applications from running on your network, but it will protect your critical data from being absorbed by such applications, so we found that complete data discovery and data fingerprinting was vital to successfully protecting our data in the test lab.

The CI 1500 did a good job alerting us via e-mail and on the main dashboard when a particular policy violation was detected, and it also prevented data leakage via SMTP, FTP, and HTTP when used in conjunction with our Bluecoat Proxy SG via ICAP.

The only spot where the CI appliance fell short was its inability to prevent the leakage of sensitive data within the internal corporate network. The Packet Monitor can only report these leaks; it can't stop them. As a result, it's possible for someone to copy sensitive data to a workstation on the internal network or to a third-party laptop that's unprotected by the CI Agent, and from there leak sensitive data to a thumb drive or some other external device.

Our Take

DATA LOSS PREVENTION TOOLS

Code Green's CI 1500 Content Inspection Appliance has a raft of out-of-the-box random pattern templates that should meet the requirements of most data privacy regulations and security needs. Built-in Boolean logic engine lets administrators easily create complex constructs that can be used to minimize false positives and pinpoint the most egregious violations. The CI 1500 falls short as a holistic solution, particularly with endpoint protection, but shines as an intelligent and robust content inspector.

Final Words
The CI appliance is a solid performer in the data discovery area, and aces complex pattern matching. We were a tad disappointed with Code Green's endpoint protection capabilities, but were satisfied with the range of threat detection, alerting, and mitigation features offered.

To build a truly comprehensive data loss capability, you'll need to add more robust third-party endpoint protection. However, there's no doubt that the CI Appliance can be an effective player as part of your overall DLP strategy.

The CI 1500 Appliance lists for $25,000 and includes protection for 200 users. Licenses for additional users are available. The company recommends a maximum of 5,000 users per CI 1500 Appliance. The CI Agent software is licensed separately and ranges from $7.50 per client to $24 per client based on license count.

Randy George is an industry analyst covering security and infrastructure topics.