PacketSentry Overview
PacketMotion designed PacketSentry with one goal in mind: To provide internal network visibility without impacting application availability or performance. The result is an appliance-based User Activity Management (UAM) solution that delivers real-time control of insider threats by capturing user transactions at an unprecedented level of granularity and applying your policies to that data. No client/server agents or in-line appliances means PacketSentry is easily installed and integrated into your environment with no risk to applications. PacketSentry enables:
- Insider Awareness and Threat Management
- Compliance Reporting and Audit
- Protection of Sensitive Data
- Security Investigations
- Network Activity Monitoring
- Access Control Permission Change Management
In summary, PacketSentry is the only solution that can quickly and efficiently solve the internal visibility challenge with a single tool and one-day integration effort.
The PacketSentry Difference
PacketMotion listened carefully to its clients’ pressing internal security challenges and lack of visibility and designed PacketSentry™ to be managed from a business and identity perspective, rather than by packets and ports. The PacketMotion solution:
- Records full transaction details of employee, contractor and unauthenticated user access to critical assets. It creates a permanent record of user activity for Windows and Unix file sharing, databases, email, web, SharePoint, file transfer, and more.
- Decodes not only the application used, but also the user action: read, write, delete, SQL select, URL get, email send with attachment, etc.
- Facilitates security investigations via a fast, simple search interface that scans months' worth of activity data in seconds.
- Provides a large number of flexible reports that can be used for a wide variety of requirements including compliance audits, user activity baselining, shared account utilization monitoring, application usage by employee, tracking access to sensitive assets, VPN user activity monitoring, etc.
- Includes a centralized real-time policy engine. This supports writing rules to restrict access to critical data by user and group (e.g. allow employees but not contractors) or action (e.g. allow read but not delete). Rule violation detection is immediate, and can trigger logging, emails, and even real-time enforcement.
- Includes a Custom Group facility which supports creating user, application and server groups without requiring updates to Active Directory. This allows the security team to customize policies and reports without depending on IT administration.
- Provides network-level monitoring of application and server usage by employee, without requiring inputs from logging systems or NetFlow collection.
PacketSentry Solution Components
PacketSentry is designed to easily integrate with almost any network environment, and consists of the following components:
- Manager: A single Manager appliance is deployed centrally to hold the database of user activity records, manage real-time policies, maintain synchronization with the user directory store, and support the web-based administration interface. Four Intel multi-core processors, embedded Oracle Enterprise, and six terabytes of RAID storage enable the Manager to reliably handle large dynamic environments.
- Probes: One or more Probes are deployed either in front of data centers or in remote locations to passively gather data, decode application-level activity, and send the resulting user activity records to the Manager. The Probes also implement the real-time policies, allowing the solution to respond to policy violations in under one millisecond. The Probes may be deployed via passive taps, or connected to monitor (“SPAN”) ports on network switches. They are never deployed in-line with user data, meaning there’s no implementation risk. Optionally, the enforcement port can be used to block user actions that violate critical policies. See the PacketSentry Probes Data Sheet for more information.
- Directory Synchronization: User correlation is critical to turning meaningless network data based on IP addresses into business-relevant auditing and policies. PacketSentry synchronizes continuously with Active Directory or other LDAP-compliant directories, collecting the necessary user and group information to assign user identity to all traffic, and to facilitate reporting and policies based on identity. Our patent-pending synchronization solution does not require any kind of agent on the directory system.
PacketSentry’s unique architecture is crucial in enabling our customers to integrate the solution into their environment in a matter of hours, without having to worry about the possible performance impacts or organizational challenges related to agent-based approaches.