DeviceLock DLP is an endpoint DLP software package designed to protect organizations from information leaks. It implements both contextual protection methods (access control for ports, interfaces, devices, network protocols and services; logging of access and of data transmission and storage events) and content filtering performed directly on controlled workstations when data is transmitted or saved. It is a full-fledged endpoint DLP system of Russian design [1], certified by FSTEC [2].
| DeviceLock DLP | |
|---|---|
| Type | DLP / IPC |
| Developer | DeviceLock, Inc. / Smart Line Inc. |
| Operating system | Windows, macOS |
| Interface languages | Russian, English, German, Japanese |
| First edition | |
| Latest version | 8.3 (July 5, 2018) |
| License | Proprietary software |
| Website | devicelock.com/ru |
It controls and logs (including shadow copying) user access to peripheral devices [3], input/output ports, network protocols and web services [4]. DeviceLock Endpoint DLP Suite lets you control the whole range of potentially dangerous devices and network communication channels: USB ports, disk drives, CD and DVD drives, removable drives, smartphones based on iOS, Windows Mobile, Palm and BlackBerry, any external and internal drives and hard drives, local and network printers, FireWire, Wi-Fi, Bluetooth, COM, LPT and IrDA ports, the Windows clipboard, plain and SSL-protected SMTP email, HTTP and HTTPS sessions, MAPI and IBM / Lotus Notes, webmail and social networks, instant messaging services, FTP and FTP-SSL file exchange, shared network resources (SMB), file-sharing services (such as Dropbox, SkyDrive), Telnet sessions, Torrent and Tor.
All monitoring of devices, local ports and network communication channels, including content filtering, is carried out by executive agents installed on users' work computers.
In addition to the executive agents and their components for device control, network protocol control and content filtering, the suite includes a search server (DeviceLock Search Server [5]) and a server for scanning and detecting data on workstations and network storage, DeviceLock Discovery [6].
The key functional feature of DeviceLock DLP is real-time content filtering [7] ("in-line" filtering, that is, the ability to check the contents of data transmitted over the network, printed on printers and stored on flash drives). The following methods are used to analyze data content: keyword analysis (with support for morphology and transliteration, a large number of geo-specific and industry dictionaries built into the product, and the ability to update them or create your own dictionaries), analysis using regular expression patterns (also with a large number of built-in templates and the ability to update them or create your own), analysis of the advanced properties of documents, a built-in optical character recognition (OCR) module for graphics, and analysis of digital fingerprints. Content filtering in DeviceLock DLP is performed directly on the protected computers, does not depend on the presence of a network connection, and lets you selectively block or allow the transmission, printing or saving of data depending on the result of checking the content against content analysis rules. Selective shadow copying based on content analysis is also implemented.
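The following added example (illustrative Python, not DeviceLock code) shows how keyword and regular-expression content rules with numeric thresholds can produce a block, alert or allow decision for an outgoing payload. The `Rule` format, the thresholds, the Luhn validation step and the sample payloads are assumptions constructed for the example; morphology, transliteration, OCR and fingerprinting are not modelled.

```python
import re
from dataclasses import dataclass

# Constructed rule format for illustration; NOT DeviceLock's policy schema.
@dataclass(frozen=True)
class Rule:
    name: str
    action: str            # "block" stops the transfer; "alert" is passive (log only)
    min_cards: int = 0     # threshold on validated regex hits
    keywords: tuple = ()
    min_keywords: int = 0  # threshold on distinct keyword hits

# 16 digits, optionally separated by single spaces or dashes.
CARD_RE = re.compile(r"\b(?:\d[ -]?){15}\d\b")

def luhn_ok(digits: str) -> bool:
    """Luhn checksum: rejects 16-digit strings that cannot be card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0

def count_cards(text: str) -> int:
    """Regex finds candidates; the checksum cuts false positives."""
    return sum(1 for m in CARD_RE.finditer(text)
               if luhn_ok(re.sub(r"\D", "", m.group())))

def count_keywords(text: str, keywords) -> int:
    words = set(re.findall(r"[a-z]+", text.lower()))
    return sum(1 for k in keywords if k in words)

def evaluate(text: str, rules):
    """Return (verdict, matched rule names); any matching block rule wins."""
    cards = count_cards(text)
    verdict, matched = "allow", []
    for r in rules:
        if cards >= r.min_cards and count_keywords(text, r.keywords) >= r.min_keywords:
            matched.append(r.name)
            if r.action == "block":
                verdict = "block"
            elif verdict == "allow":
                verdict = "alert"
    return verdict, matched

RULES = [
    Rule("bulk-card-data", "block", min_cards=2),
    Rule("finance-terms", "alert",
         keywords=("confidential", "payroll", "salary"), min_keywords=2),
]

# Constructed sample payloads (card numbers are well-known test values).
SAMPLES = [
    "Refund 4111 1111 1111 1111 and 5500-0000-0000-0004 today",
    "Tracking numbers 1234 5678 9012 3456 and 0000 1111 2222 3333",
    "Confidential: payroll summary for Q3",
]

if __name__ == "__main__":
    for s in SAMPLES:
        print(evaluate(s, RULES), "<-", s)
```

The second sample matches the card regex twice but fails the checksum both times, which is why pattern rules are usually paired with a validator and a hit threshold before they are allowed to block.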
An important architectural feature of DeviceLock DLP is the ability to deploy and manage it through group policies in an Active Directory domain, so the product integrates easily into the existing infrastructure of organizations of any scale. Group Policy is not the only way to manage the product.
The product and documentation are openly available on the developer's site; the trial period is 30 days with no functional limitations.
Architecture. Management
Architecture
DeviceLock Service is the DeviceLock agent that is installed on each protected computer and runs at the Microsoft Windows kernel level. It starts automatically and is invisible to the local user. It includes the DeviceLock Base, NetworkLock and ContentLock components, with optional licensing of components depending on customer needs.
DeviceLock Enterprise Server (DLES) is an additional (optional) component used for centralized collection and storage of shadow copy and audit data (for which it uses MS SQL Server). The second function of DLES is monitoring the current state of agents and applied policies, as well as deploying agents on a local network. It is not licensed and can be used in any quantity to build any infrastructure for collecting audit data.
DeviceLock Search Server (DLSS) is an additional (optional) component used for indexing and full-text search of the contents of shadow copy files and logs stored in the DeviceLock Enterprise Server database. Full-text search is especially useful when you need to search the contents of documents stored in the shadow copy database.
DeviceLock Endpoint DLP Suite consists of complementary functional components: DeviceLock, NetworkLock, ContentLock, and DeviceLock Search Server (DLSS). The DeviceLock module is basic and required; the ContentLock and NetworkLock modules are optionally licensed. All modules of the suite are installed at once (single distribution). To enable the functionality of the NetworkLock and ContentLock modules, it is enough to load the appropriate licenses and set policies for controlling network communication channels and content filtering.
DeviceLock Discovery is a stand-alone product that scans workstations and network storage to detect data of a given type through content analysis, and performs specified actions to eliminate identified violations. The methods for analyzing the content of stored data are identical to those of the ContentLock component.
DeviceLock DLP Suite is the combination of the DeviceLock Endpoint DLP Suite and DeviceLock Discovery products.
Centralized Management
DeviceLock has a remote control system that allows you to manage all the functions of the product from the workstation of the system administrator.
The product has four management consoles:
- DeviceLock Management Console is a snap-in for Microsoft Management Console, with a standard interface that is intuitive to any Windows administrator. It is designed to connect to an individual computer (DeviceLock agent) or to DeviceLock Enterprise Server.
- DeviceLock Group Policy Manager is a snap-in that integrates into the Windows Policy Editor and allows you to manage the system through Windows Group Policies in an Active Directory domain.
- DeviceLock Enterprise Manager is an additional console with its own interface for batch management of DeviceLock in networks that do not use Active Directory.
- DeviceLock WebConsole is an additional console implemented as a web interface for any browser.
The full integration of DeviceLock into Windows Group Policies allows for the initial automatic deployment of the product, the automatic installation of agents on new computers connected to the local network, and the automatic configuration of agents. Agents can be installed with predefined settings (using MSI packages created by the administrator in the DeviceLock Management Console).
For networks without a Windows domain, LDAP directory services such as Novell eDirectory, OpenLDAP, etc. are supported.
Information Security
- Access control of devices and ports. The DeviceLock component lets you control the access of users and user groups to any local I/O devices depending on the time and day of the week. For removable media, drives, hard drives, CD/DVD drives, and tape drives, you can set read-only access.
- Control of network communications. The NetworkLock component provides control of network communication channels on work computers, including recognition of network protocols regardless of the ports used and the method of connecting to the Internet, detection of communication applications and their selective blocking, reconstruction of messages and sessions with the restoration of files, data and parameters, as well as event logging and shadow copying of transmitted data. The component controls the transmission of mail messages through plain and SSL-protected SMTP sessions (with separate control of messages and attachments), web access and other HTTP/HTTPS applications, MAPI and IBM / Lotus Notes mail services, the webmail services Gmail, Yahoo! Mail, Windows Live Mail, Mail.ru, GMX.de, Web.de and others, the instant messengers Skype, ICQ, MSN Messenger, Jabber, IRC, Yahoo! Messenger, Mail.ru Agent and WhatsApp Web, the social networks Twitter, Facebook, LiveJournal, LinkedIn, MySpace, Odnoklassniki, VKontakte, etc., file transfer via FTP and FTP-SSL, file-sharing services (such as Dropbox, SkyDrive, Yandex.Disk, Cloud Mail.ru, etc.), as well as Telnet sessions and the Torrent protocol.
- Content analysis and data filtering. The ContentLock component provides content monitoring and filtering functions for files and data transferred from/to removable media and in network communication channels. ContentLock content rules can be either prohibitive or permissive. Content filtering technologies are also used to filter shadow copy data in order to save only those files and data that are potentially significant for forensic analysis and information security audit tasks. ContentLock extracts and filters the content of data from files and objects, including those transmitted in instant messaging services, web forms, social networks, etc. Content filtering is based on administrator-created regular expression patterns (RegExp) combined with various numerical and logical conditions for matching the pattern against criteria and keywords. The parameters that can be used to define such patterns include users, computers, user groups, ports and interfaces, devices, channel types and data transfer direction, date and time ranges, etc. ContentLock also lets you set passive content analysis rules that do not prohibit the transfer of data but reveal the presence of the specified content in the transmitted data in order to send an alert or create an appropriate log entry. ContentLock includes an Optical Character Recognition (OCR) module, which also runs directly on the controlled computer.
- Scanning and discovery. The DeviceLock Discovery component lets you automatically scan workstations and network storage, remotely or using a small proprietary agent, in order to detect data of a given type through content analysis. In the agent-based scanning mode, it is possible to carry out actions specified by the administrator to eliminate the detected violations (notifying the user, sending an alert, deleting the file, changing access rights to the file or encrypting it, logging). A detailed report is generated from the scan results for the specified targets.
- Alerts. DeviceLock provides real-time alerts for security incidents. Alerts can be sent via SMTP and/or SNMP. There are two types of alerts: administrative alerts, and device- and protocol-specific alerts. Alerting exists in parallel with audit rules in order to meet the requirements of incident management and does not cancel the audit, which is the basis for collecting the evidence base of information security incidents.
- White list of USB devices. The DeviceLock module lets you set a list of devices for certain users/groups, access to which will always be allowed even if the use of a USB port is prohibited. Devices can be identified by model and unique serial number.
- White list of network protocols. The NetworkLock module lets you set security policies based on the principle of a "white" list of network protocols, which can be further detailed by IP addresses and their ranges, subnet masks, network ports and their ranges. In addition, you can use parameters such as the email addresses of the sender/recipient and account names in instant messengers (for the corresponding services and protocols).
- Temporary white list. DeviceLock lets you provide temporary access to USB devices when there is no network connection to the agent (in cases where direct management of the agent from the administrator's console is not possible, for example, when a user with a laptop is on a business trip). The administrator gives such a user a special short code, which temporarily unlocks access only to the required device for the time specified by the administrator.
- Media white list. DeviceLock lets you allow the use of only CDs/DVDs authorized by the administrator, while prohibiting the use of the drive itself. The list is defined by users and user groups. The function may be useful, for example, to ensure the "license cleanliness" of user computers.
- Logging. DeviceLock provides detailed logging of all user actions with devices and network protocols when they are accessed, and of the transfer of files and other data (copying, reading, deleting, chat, etc.). Optionally, you can enable logging of system events in DeviceLock and of administrator actions.
- Shadow copying. DeviceLock lets you save exact copies of files and data copied by users from their computers to external devices and media, printed documents, data transmitted via COM and LPT ports, and data sent in network communication channels.
- Centralized storage of audit and shadow logs. Audit data and shadow copies of files copied by users can be stored both locally on user computers and in the DeviceLock Enterprise Server database, which allows centralized processing of audit data.
- Clipboard control. DeviceLock intercepts and controls the use of the Windows system clipboard to prevent data transfer between applications, as well as blocking screenshots (PrintScreen). This function is especially useful when monitoring terminal sessions, allowing you to prevent or record data transfer between the terminal server and the remote host.
- Keylogger blocking. DeviceLock detects most hardware USB keyloggers and blocks the keyboards connected to them. For PS/2 keyboards, scrambling technology is applied that distorts the data entered from such a keyboard ("garbage" is written to the keylogger).
- Support for offline policies. DeviceLock can automatically switch between two control modes, online and offline, applying one set of access and audit policies when the workstation is connected to the corporate network (online) and another when it is disconnected from the network (offline).
- Encryption support. DeviceLock does not encrypt devices on its own, but allows for guaranteed disk encryption through integration with third-party crypto products (Windows 7 BitLocker To Go, PGP Whole Disk Encryption, TrueCrypt, DriveCrypt, VipNet SafeDisc). There is also support for hardware-encrypted flash drives such as Rutoken Disk, Lexar and others.
- Detecting and filtering file types. DeviceLock lets you extend the control of devices and ports to the level of file types: the agent determines the actual file type. The administrator can set up access control, audit, and shadow copy policies specific to file types. The binary-signature method for detecting file types is used; more than 4000 file types are supported.
- Advanced control of PDAs and smartphones. DeviceLock lets you set advanced access control and audit policies for mobile devices running Windows Mobile and Palm OS, and for iPhone/iPod devices. The administrator can set permissions for various types of objects (files, contacts, mail, etc.) transferred from/to the PDA. Refined audit policies and shadow copy rules are set similarly. Advanced control of synchronization protocols with mobile devices does not depend on the type of connection of the mobile device (USB, COM, IrDA, Bluetooth, Wi-Fi).
- Reports. DeviceLock lets you generate graphical and summary reports based on data stored in the DeviceLock Enterprise Server database, as well as reports on current settings and on devices used at workstations. A dynamic link graph for communication analysis is also provided.
Virtual DLP Technology
DeviceLock supports desktop and application virtualization solutions from three major developers - Microsoft (RDS / RDP), Citrix (XenApp, XenDesktop) and VMware (VMware View).
By transparently integrating DeviceLock agents into virtual environments (VDI or published applications), DLP policies control the flow of data between the virtual desktop or published application and peripheral devices redirected to remote desktops or personal computers, including removable drives, printers, USB ports, and the clipboard. User network communications within a terminal session are also controlled by DeviceLock DLP mechanisms. In addition, user actions are logged centrally, files and data transferred by the user are shadow copied, and alerts are generated.
Technologies for supporting virtual environments in DeviceLock (VirtualDLP) are especially relevant for solving security problems in the BYOD model. DLP protection for virtual environments and the BYOD model, based on virtualization of workspaces and applications, is universal and works on all types of personal devices. These can include any mobile platform, such as iOS, Android and Windows RT, thin terminal clients running Windows CE, Windows XP Embedded or Linux, as well as any computers running OS X, Linux or Windows.
Additional features
- Centralized monitoring. DeviceLock Enterprise Server lets you monitor the current state of agents on workstations and the current security policies (compared to the saved reference policy), and also keeps a monitoring log. It is possible to automatically replace current policies with the reference policy. When checking the status of an agent on a remote computer, DeviceLock Enterprise Server can also install or upgrade the agent.
- Protection from the local administrator. DeviceLock provides control over the integrity of its service and protection against unauthorized connection to the service, stopping or deleting it, or modifying the applicable policies. The function is implemented by blocking access for all users except those included in the internal DeviceLock Administrators group.
- Full-text search. The optional DeviceLock Search Server component provides full-text search of the contents of shadow copy files and logs stored on DeviceLock Enterprise Server. DeviceLock Search Server can automatically recognize, index, find and display documents of many formats (Adobe Acrobat (PDF), Ami Pro, archives (GZIP, RAR, ZIP), Lotus 1-2-3, Microsoft Access, Microsoft Excel, Microsoft PowerPoint, Microsoft Word, Microsoft Works, OpenOffice, Quattro Pro, WordPerfect, WordStar and many others). DeviceLock Search Server includes an Optical Character Recognition (OCR) module for extracting and indexing text data in image files and images embedded in other documents.
- Control of access to devices and interfaces of computers running OS X. A separate version of DeviceLock for Mac is available.
Developer
The copyright holder and developer of DeviceLock DLP is the Russian company Smart Line Inc. (SmartLine Inc.). The company was founded in 1996 [8] and initially focused on developing software for the administration of computer networks, later shifting to information security tasks, namely the prevention of data leaks. The company claims more than 70 thousand customers in 90 countries of the world: state, military, medical [9] and educational institutions, the largest financial and commercial institutions, as well as small and medium-sized businesses. DeviceLock software has been installed on more than 7 million computers (as of 2017).
Since 2008, Smart Line has released only the DeviceLock DLP product. The development and support of the previously released products Active Network Monitor, Active Ports Monitor and Remote Task Manager has been discontinued. In addition to DeviceLock DLP, the company provides a free utility, "DeviceLock Plug-and-Play Auditor", for analyzing USB devices connected to network workstations [10].
The headquarters and office for the development and technical support of the company are located in Moscow, Russia. The company also has sales and support offices in the USA, UK, Germany and Italy. Financial performance indicators are not disclosed. The company employs about 70 people, including about 40 developers.
See also
- Data Leak Prevention
- Information Protection and Control
- Leak prevention
- Information Security
- Personal Information
- Information system
Notes
- [1] The DeviceLock DLP software package is included in the Unified Register of Russian Software, CNews.ru. Retrieved November 18, 2017.
- [2] Smart Line Inc. received a license from FSTEC (in Russian), PCMag Russian Edition (July 6, 2017). Retrieved November 18, 2017.
- [3] SmartLine Inc. Access control to devices and interfaces (in Russian). www.devicelock.com. Retrieved July 11, 2018.
- [4] SmartLine Inc. Monitoring network communications to protect against data leaks (in Russian). www.devicelock.com. Retrieved July 11, 2018.
- [5] SmartLine Inc. Full-text search server in DeviceLock DLP (in Russian). www.devicelock.com. Retrieved July 11, 2018.
- [6] SmartLine Inc. Identification of unauthorized content to protect data from leaks (in Russian). www.devicelock.com. Retrieved July 11, 2018.
- [7] SmartLine Inc. Content filtering to protect data from leaks (in Russian). www.devicelock.com. Retrieved July 11, 2018.
- [8] Russian IT companies abroad: ISDEF (in Russian). Retrieved November 18, 2017.
- [9] How to ensure information security in a large medical clinic, PC Week / RE ("Computer Week"). Retrieved November 18, 2017.
- [10] Free DeviceLock Plug and Play Auditor, Windows IT Pro / RE 2005 No. 08, OSP (12.13.2005). Retrieved November 18, 2017.