Nowell Group SpyForce-Al, v2.0
Product Rating
Features:
Ease of Use:
Performance:
Documentation:
Support:
Value for Money:
Overall Rating:
For: An unusual approach to managing the insider threat
Against: Bit pricey, bad acts embedded in acceptable behavior go unnoticed
Verdict: We don't recommend this as your only extrusion prevention tool, but it can be beneficial if used along with one of the other tools reviewed here
By
Peter Stephenson,
Dec 6, 2007 3:02 PM
Tags:
NOWELL |
SPYFORCE-AI |
V2.0 |
That is a bit different from simple extrusion detection. Even more peculiar, however, is the way SpyForce works. Unlike other products that inspect packets, SpyForce evaluates user behaviour.
We had no trouble installing and configuring. Once SpyForce-AI is up and working, and you have set up the configuration for the servers, it begins to enroll users. Each user goes through a 15-minute “learning session.”
During this session the product queries the user about things that only the user will know how to answer. The process is simple and SpyForce uses the information if it suspects that a user is abusing their rights or if someone is masquerading as the legitimate user.
If the software detects user behaviour that is abnormal for the particular user, it stops the activity and conducts an “Interrogation Session.” This session replays the learning session information and expects rapid, correct answers from the user. If it does not get them, it takes appropriate action and reports to the administrator. It takes about five logins over a particular period of “modelling time” to learn a user’s habits.
As the user continues to use the computer that SpyForce is monitoring, the software learns basic behavior and builds, using its AI capability, a profile for the user that it continually updates and refines. When the user departs from the learned pattern, an interrogation session ensues and, if passed, the new behavior can be made part of the user’s profile.
We found, as we expected, several false positives. Until SpyForce began to learn our behaviour, when we would purposely behave badly the software would catch us and interrogate us. While this is not traditional extrusion prevention software, it does have several benefits for controlling insider behaviour. We found it interesting, but are unsure of its value.
The web site has the usual support options and 24/7 phone support is available Monday through Saturday. At US$89.99 per computer, the product can get a bit pricey in larger installations.