The Command Post is the management system. It controls the other modules, analyzes their data and provides the administrator interface. The Direct 1000 module, a separate appliance, monitors traffic going from the enterprise directly to the internet. The Mail Sensor, also a separate appliance, manages email.
Although similar in function to the Direct module, the Mail module can quarantine and redirect messages.
We set the three appliances up and, as we found with other products, we had to perform the network setup without the benefit of wizards. All connection and integration with the network infrastructure was performed through the console at the command line. That said, the single-sheet (double-sided) quick-start guides for each device walked us through cleanly, and we had no difficulty getting the three appliances talking to the network and our Exchange servers. The documentation expands on the quick-start guides and contains many screen shots and illustrations, including tables showing which ports connect to what.
Once we were set up on the network, we began configuration of the policies. This starts with the out-of-the-box policies, and these are well thought-out. One can edit these policies, use them as they are or create new ones. The policy management screens on the Command Post have clearly defined, intuitive drill-downs and one can progress from a policy, such as the Health Insurance Portability and Accountability Act (HIPAA), through a rule, such as PHI Record. Clicking on the rule allows editing.
Policies also can contain content, such as credit card numbers, that can be edited simply by clicking on the item and selecting "edit." Channels, another type of policy, allow the administrator to select a target, such as Kazaa, a music subscription service. All of these policies are fully editable, and the nature of the editing depends on the type of policy. Policy files may be uploaded as well.
The dashboard is quite different from others we've seen and consists of two primary pieces, both of which are unique. The first is the Radar display, marked by a rotating image that resembles a radar screen and a bar graph showing events within the past seven days. The graph is broken into low, medium, high and critical severity. It also shows the number of alerts per sensor. The radar display shows alerts in near real time and has some interesting display and analysis capabilities.
The radar collects alerts into clusters with similar characteristics. Among those are the severity and the rule being violated. One can set a time horizon that defines the period covered by the alert clusters, and mousing over a cluster triggers a pop-up with all of the information. This allows tracing a particular type of alert to its source and noting its destination.
The second dashboard display is the Information Flow Map. Like the radar display, this is unique. It shows how information flows across the enterprise so that it can be traced by sensor. There are multiple ways to analyze nodes that show up on this display, and one can create rules that are specific to a particularly troublesome endpoint that is generating lots of alerts.
Reporting is comprehensive, and there are choices of how reports are created. Reports are built from alerts and may be exported to PDF, emailed or shown as a trend line. There are a few standard reports the user can customize, although we find that the number of out-of-the-box reports could have been greater.
Emails can be quarantined and managed based on criteria in any of the policies. How the system performs depends somewhat on how one configures it and its component appliances. Overall, however, the offerings are extremely versatile, although the system does require a significant understanding of one's enterprise and what the goals are. As is typical for this type of tool, it is not simple to set up and deploy. Its documentation and wizards help considerably, however.
Support is obtained only by logging in. There is no publicly available support, which, given the complexity of the system, we find odd. The starting price is reasonable enough, and the products are available as either hardware or virtual appliances. Depending on the configuration, however, the system could get quite pricey.