Security Policies inspects every packet flowing across the network and sends an alert when data prohibited by a security policy is found. The intercepted data is analyzed automatically against an assigned list of security rules. If any documents or information satisfying the requirements listed in the security rules are detected, the module automatically sends alert notifications to a specified email address. SecureTower automatically extracts and analyzes text data from files transmitted over the network.
Client Console is used for configuring the Security Policies and for assigning security policy rules.
The module structure includes various groups of rules, depending on the security aspect those rules are to cover. You can drag and drop security rules between groups.
You can specify the e-mail addresses of the relevant security officer for a group or rule; thus each security officer will receive notifications on breaches associated with the specific security aspect they are responsible for. For example, you can configure a group of rules and notification delivery by email to the security officer responsible for legal issues, to the one responsible for financial data control, etc.
Security Policies supports scripts that can be assigned to a particular rule or group and then started according to the result of processing the associated rule. For example, you can add scripts that generate incidents in an incident response platform (IRP) or send notifications to a common messenger chat.
- Configuring security notification delivery
- Assigning a security policy
- Viewing security notifications
- Inspecting activity of Security Policies users
- Data export/import in Security Policies
Configuring security notification delivery
Assigning a security policy
In the Manage Security Policies window, the list of security rules and groups is displayed.
By default, the FalconGaze SecureTower Security Policies Group of rules is assigned as the core group. Within this group, one can create other groups of rules, or create only rules if there is no need to manage groups of rules. The default group cannot be deleted.
Also, if an email address is specified in the settings of this group, notifications for all the security rules and security rule groups that this group includes will be sent to that address.
Creating a group of security rules
Assigning a security rule
A security rule operates as an alert with specified parameters.
A general security rule notifies about the activities of a certain user or IP address, or about activities involving specific text, etc.
Security policies based on control by thesaurus are used for the automatic detection of words and expressions included in a specific subject thesaurus.
A statistical rule is used to notify of certain network activities whose count is above or below a specified number over a given period, per user or for the whole network. For example, the security department can receive notifications of chat conversations if there have been more than 10 IM conversations per user within a business day, or of email messages if there have been fewer than 5 messages per user within 4 hours (for a company that actively employs direct mail marketing).
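The threshold logic of a statistical rule, as an added Python example that is not SecureTower's own code: the event records, the user names, the business-day and four-hour windows are constructed here, and the record layout is an assumption. It also covers the blind spot of a "below" rule, which cannot see users who sent nothing unless the monitored user set is supplied.

```python
from collections import Counter
from datetime import datetime, timedelta

# Constructed sample traffic log as (timestamp, user, activity kind) tuples.
# Not real SecureTower data; the record layout is an assumption for this example.
DAY = datetime(2024, 5, 6)
EVENTS = (
    [(DAY + timedelta(hours=9, minutes=20 * i), "alice", "im") for i in range(11)]
    + [(DAY + timedelta(hours=10, minutes=30 * i), "bob", "im") for i in range(3)]
    + [(DAY + timedelta(hours=9, minutes=35 * i), "alice", "email") for i in range(6)]
    + [(DAY + timedelta(hours=11, minutes=90 * i), "bob", "email") for i in range(2)]
)

def count_activity(events, kind, start, end, scope="user"):
    """Count events of one kind inside [start, end), per user or for the whole network."""
    counts = Counter()
    for ts, user, k in events:
        if k == kind and start <= ts < end:
            counts[user if scope == "user" else "network"] += 1
    return counts

def evaluate_statistical_rule(events, kind, start, end, limit, condition,
                              scope="user", subjects=None):
    """Return {subject: count} for every subject whose count violates the rule.

    condition "above" fires when count > limit, "below" when count < limit.
    A "below" rule can only flag users absent from the log when the monitored
    user set is passed via `subjects`; otherwise silent users stay invisible.
    """
    if condition not in ("above", "below"):
        raise ValueError("condition must be 'above' or 'below'")
    counts = count_activity(events, kind, start, end, scope)
    if subjects is not None and scope == "user":
        for subject in subjects:
            counts.setdefault(subject, 0)   # users with no traffic count as 0
    if condition == "above":
        return {s: c for s, c in counts.items() if c > limit}
    return {s: c for s, c in counts.items() if c < limit}

def demo():
    """Apply the two rules described in the text to the constructed log."""
    business_day = (DAY + timedelta(hours=9), DAY + timedelta(hours=18))
    im_alerts = evaluate_statistical_rule(EVENTS, "im", *business_day,
                                          limit=10, condition="above")
    four_hours = (DAY + timedelta(hours=9), DAY + timedelta(hours=13))
    mail_alerts = evaluate_statistical_rule(EVENTS, "email", *four_hours,
                                            limit=5, condition="below",
                                            subjects={"alice", "bob", "carol"})
    return im_alerts, mail_alerts
```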
A digital fingerprint security rule enables configuring notifications in case any matches are detected between a classified document for which a digital fingerprint has been created and any data transmitted by users.
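The page does not describe how the fingerprint is computed; the added Python example below illustrates the general idea with hashed word shingles and is not SecureTower's algorithm. The classified text, the two intercepted messages (one a re-punctuated copy, one unrelated) and the 30% threshold are constructed for the illustration.

```python
import hashlib
import re

def shingles(text, k=5):
    """Hash every k-word window of the normalised text; the set is the fingerprint."""
    words = re.findall(r"[a-z0-9]+", text.lower())
    return {hashlib.sha256(" ".join(words[i:i + k]).encode()).hexdigest()[:16]
            for i in range(len(words) - k + 1)}

def match_ratio(fingerprint, transmitted_text, k=5):
    """Fraction of the classified document's shingles present in the transmitted text."""
    if not fingerprint:
        return 0.0
    return len(fingerprint & shingles(transmitted_text, k)) / len(fingerprint)

def check_transmission(fingerprint, transmitted_text, threshold=0.3):
    """Return (ratio, alert) for one intercepted message against one fingerprint.

    Normalising case and punctuation before hashing means a pasted copy still
    matches even when the sender reformats it; only the fingerprint, not the
    document itself, needs to be stored on the inspection side.
    """
    ratio = match_ratio(fingerprint, transmitted_text)
    return ratio, ratio >= threshold

# Constructed classified document (not a real file).
CLASSIFIED = ("Project Heron pricing model: unit cost 41.20, target margin 38 percent, "
              "launch discount capped at 12 percent for the first ninety days of sales.")

# Constructed intercepted messages: one pastes the document with altered
# punctuation and case, the other is unrelated office chatter.
LEAKED_EMAIL = ("Hi, forwarding as requested. PROJECT HERON PRICING MODEL; unit cost 41.20! "
                "target margin 38 percent - launch discount capped at 12 percent for the "
                "first ninety days of sales. Delete after reading.")
BENIGN_EMAIL = ("Reminder that the quarterly all-hands moves to Thursday afternoon; "
                "bring your own laptop because the room has no spare chargers.")

if __name__ == "__main__":
    fp = shingles(CLASSIFIED)
    for name, msg in (("leaked", LEAKED_EMAIL), ("benign", BENIGN_EMAIL)):
        ratio, alert = check_transmission(fp, msg)
        print(f"{name}: match {ratio:.0%}, alert={alert}")
```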
Managing the structure of Security Policies
SecureTower supports the following script types:
- CMD (bat, cmd);
- PowerShell (ps1);
- Python (py).
Applying security policies to Active Directory groups
Viewing security notifications
There are two ways to view the Security Policies notifications: in the Security Policies window of the Client Console and with email client software.
- Viewing notifications in Security Policies
- Viewing notifications with email client software
Viewing notifications in Security Policies
- Specifying personal options for alert viewing
- Filtering status of the incident
- Selecting a view mode
- Sorting notifications
- Statistic security rules notifications
Specifying personal options for alert viewing
Filtering status of the incident
- incident has not been investigated
- incident has been investigated
- incident investigation has been postponed
- important incident
- unimportant incident
- false positive
Data type (Email, Messengers, Web traffic, Files) filtering
By default, all notifications available for the security rule are displayed. To filter the list, click specific data types to deactivate them.
Selecting a view mode
You can select one of two view modes in the notification area ribbon toolbar.
In the notification area ribbon toolbar you can also select a notification sorting parameter and direction (descending or ascending).
Statistic security rules notifications
Viewing notifications with email client software
Inspecting activity of Security Policies users
The SecureTower system saves information on the actions of all users authenticated in Security Policies.
Data export/import in Security Policies
SecureTower supports exporting a set of custom security groups, rules, thesauri and regular expressions to an output file, so that the same settings can be configured efficiently in another LAN or on another workstation.
- Data export
- Data import